Abstract
In the age of the Internet, websites are exposed to attacks from criminals, hacktivists and other adversaries who aim to damage a site's reputation and performance. The motive may be monetary gain, a wish to cripple a competitor's business, activism, political revenge or plain amusement. One such attack, now in widespread use, is the Distributed Denial of Service (DDoS) attack. This study proposes to survey a large online store such as Amazon to find out what security measures it uses to prevent an attack like DDoS, which can temporarily exhaust its services. The survey will also include students pursuing research in networking, to add further informed perspectives to the data collected. Since the study is a mixed-methods design, it will also require document reviews, which form the qualitative arm; most importantly, the security reports published by other e-service companies will be used to evaluate the differences among the measures taken against DDoS attacks.
Introduction
Have you ever been browsing your favorite website, or watching your favorite online stream, only to have your access slowed or completely cut off? Then you notice that every other site is working fine, and your first reaction is "What is wrong with this website?" Chances are that its web servers are experiencing higher than usual traffic, but another likely scenario is that the site is being hit by a Distributed Denial of Service (DDoS) attack. A DDoS attack is a form of DoS attack in which many compromised systems, controlled by an attacker, are ordered to target a single machine. The motivation can be financial: many attackers are, sadly, available for hire at rates ranging from $5 to $200, depending on the size and duration of the attack, with durations of up to 24 hours. Other motives include hacktivist groups trying to block access to terrorist or criminal websites, and even gamers targeting opponents to raise their 'ping' times so that the server drops them from the game and the attacker wins. "Attack frequency is on the rise, with 45 percent experiencing more than 10 attacks per month — a 38 percent year-over-year increase" ("Worldwide Infrastructure Security Report | Arbor Networks," 2016, p. 10). The largest attack known at the time of writing weighed in at 400 Gbps, over 50 times the 8 Gbps attack of a decade earlier.
Overview
A Denial of Service (DoS) attack is the predecessor of the Distributed Denial of Service (DDoS) attack; the only difference is the source of the attack. One has a single source, while the other distributes the attack across a large number of computers acting in a timed, coordinated manner. The attacking computers are often zombies: machines that have been infected and take part in the swarm involuntarily. A network of such infected computers (the dark clouds in the figure below) is called a botnet, and most of its members never realize they are part of it. Through the botnet's command channel the attacker issues the orders that make the zombies attack. "The distributed denial-of-service attack is not unlike the DoS, which is still focused on denying resource availability, but consists of multiple hosts that work collaboratively, often supported by botnets or 'zombie' computers to saturate the service until it is no longer accessible" (Noble, 2009, p. 694; Wang & Ramsbrock, 2009, p. 119).
Figure: The attack process. Blue dots represent legitimate user traffic; red dashes represent the compromised traffic generated by zombie machines.
These attacks come in two broad types, direct and amplification, and use a combination of flavors such as teardrop, nukes and smurf. Most operate in the same manner: a large network of remote PCs, the botnet, overwhelms a server to the point where it has to deny service requests.
The first type is a blitzkrieg-style attack that directly overwhelms the target, clogging its ports with garbage streams such as incessant pings and never-ending fragmented packets that carry no valid reassembly instructions.
The second type works like a crank call: it causes further bandwidth and processing congestion by forcing the target to respond to nonsense. A website can be forced to handshake endlessly with new SYN requests, or to validate bogus connection requests to closed ports before eventually returning an ICMP destination-unreachable error. Simply put, it is the kind of attack that floods the network with requests it must process, such as the route requests (PREQs) of an ad hoc network, so that handling them hogs the bandwidth.
The most dangerous type of DDoS attack
Which type of attack is the most dangerous is subjective and depends on whom we ask. DDoS attacks against customers remain the most commonly experienced threat among service provider respondents ("Worldwide Infrastructure Security Report | Arbor Networks," 2016, p. 10).
The DNS amplification attack, which I think deserves the name "Death Star", is among the most dangerous, together with the attacks that simply place a heavy load on traffic. The attacker sends small DNS queries to open resolvers with the source address forged to be the victim's, so the resolvers' much larger answers are delivered to the victim: the junk generated by the other techniques is reflected through third parties and amplified by a factor of up to 70. Reflection and amplification of this kind is what makes an attack on the 400 Gbps scale mentioned in the introduction possible, over 50 times the scale of the attack a decade earlier.
Previous research
There have been many theories and proposals to solve the nuisance that is a DDoS attack, but to date there is no permanent fix. One study proposes a source-end defense mechanism called D-WARD. Its authors claim that it is effective against DDoS attacks, but not against all types (Mirkovic & Reiher, 2004, p. 2). "The great complexity of the DDoS problem suggests that its solution will require the use of multiple defenses, such as filtering, traceback, and pushback systems" (Mirkovic, Prier, & Reiher, 2002).
Researchers are of the opinion that no single current or proposed technical solution will succeed in stopping DDoS attacks outright. A review of current defense techniques by Zargar, Joshi, and Tipper (2013) concludes that the technologies are not without faults: they are not accurate enough to reliably identify traffic generated by a DDoS attack. Since attack traffic is so hard to separate from legitimate traffic, solving the DDoS problem is not as easy as it may seem.
Another study presents several network monitoring tools designed to detect DDoS traffic and reaches much the same conclusion (Hefeeda & Habib, 2011). The authors show that their tools can successfully detect specific kinds of DDoS attack, and that certain tools excel at certain attack types, but they still hold that no monitoring tool will ever accurately detect all types of DDoS attack.
Methods of Preventing DDoS Attack
The invention of the Internet brought with it one of its hardest-hitting downsides, the DDoS attack. Because the two are so closely tied, it is impossible to defend against these attacks without appropriate measures. It is therefore very important to have well-defined techniques to confine the spread and effect of such attacks, and tools that make this possible.
User and System Administrator Actions
Much depends on the capability of the administrator, who must employ a range of techniques to safeguard the network and minimize the risk of compromise. This means keeping all equipment and software up to date and patched against known vulnerabilities, and monitoring and testing the systems periodically. No unused TCP/UDP ports should be left open, since any listening service could grant limited or full access to the system. A firewall should be deployed as the first line of defense against intrusion, so that packets are at least filtered and a potential attack can be detected.
Then there is basic hygiene in maintaining a system. The admin should keep systems as clean as possible, making sure that no unauthorized software or malware is present, and should review the system logs regularly to uncover any suspicious changes to the databases.
“Administrators are advised to follow best practices and procedures contained in the CERT, ISCA and SANS provisions while conducting their daily duties to prevent possible DDoS attack on their systems” (CERT, 2010).
Local Network Actions
Several measures can be taken by the local network manager to protect both the network and the wider Internet community from attack. Every network connected to the Internet should perform egress filtering at its router, which checks the source IP address field of each outgoing packet against the network's own address range (NET_ID) and drops packets that do not match. Network administrators should ensure that sites have a firewall to protect users from outside attacks, and the network should block incoming packets addressed to the broadcast address, because there is no justification for outsiders sending broadcast messages to every host on the network (Howard, 1997).
It is essential to turn off directed-broadcast forwarding at the router where it is not needed. All reserved IP addresses, and addresses that should never be routed on the Internet, should be checked and blocked. If the firewall sees RFC 1918 private addresses, which attackers commonly use as spoofed sources, or other reserved addresses, it should discard the packets immediately and never forward them to the Internet. All application ports that are not in use, and those associated with known DDoS tools, should be blocked at the firewall. Every system should run an intrusion detection capability, such as personal firewall software, to help detect attacks on individual hosts, and a monitoring system should watch for aberrations in the traffic flow. Educating users on securing their systems, maintaining intelligence-gathering capabilities within the organization, and following the CERT, ISCA and SANS provisions are all necessary to protect the system and its community of users from the risk of DDoS attack (CERT, 2010).
ISP Actions
The ability of a DDoS attack to propagate through a large network can be curbed by the actions of Internet Service Providers (ISPs). ISPs can prevent many such attacks in their networks simply by following a few major practices, above all ensuring that their networks do not carry bad packets. It should be noted that ISPs cannot be blamed for these attacks, but the steps they can take to prevent them are as follows.
Refuse to route private addresses such as the RFC 1918 ranges, which are commonly used as spoofed sources. Packets carrying these addresses as source or destination, and reserved addresses generally, should be discarded. Every packet entering the network should be checked with ingress and egress address filtering, so that its source can be matched to the network ID of the customer it arrived from.
Egress filtering can also be applied to packets sent upstream to other ISPs. This can cause a slight degradation in performance, as it requires additional configuration and processing at the router, but it is well worth the effort.
Another crucial ISP action is disabling IP directed broadcasts. The ISP should also pay close attention to high-profile systems. Customers should choose ISPs that provide at least some of the above protections.
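The filtering rules described under Local Network Actions and ISP Actions (egress filtering against the site's own prefix, dropping RFC 1918 and other unroutable sources on ingress, and refusing directed broadcasts) are shown below as one small packet filter. This is an added example written for this page, not code from any router vendor or from the cited reports. The site prefix 203.0.113.0/24 and the packet records are constructed for the illustration, and the bogon list is deliberately short; a production filter would carry the full, regularly updated list.

```python
"""
Border filter implementing egress (BCP 38 style), ingress bogon and
directed-broadcast checks for one site prefix. Added example with
constructed packets; not production or vendor code.
"""
import ipaddress
from dataclasses import dataclass

# Prefixes that should never appear as a packet source on the public
# Internet: RFC 1918 private space plus a few reserved ranges. This is an
# abbreviated list for the example (assumption), not a complete bogon list.
BOGON_SOURCES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


@dataclass
class Packet:
    src: str
    dst: str
    direction: str  # "out" = leaving the local network, "in" = arriving from upstream


class BorderFilter:
    """Egress, ingress and directed-broadcast checks for one customer/site prefix."""

    def __init__(self, local_prefix: str):
        self.local = ipaddress.ip_network(local_prefix)

    def verdict(self, pkt: Packet) -> str:
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        # Directed broadcast: an outside packet aimed at the broadcast address
        # of the local network, the primitive behind smurf-style attacks.
        if pkt.direction == "in" and dst == self.local.broadcast_address:
            return "drop: directed broadcast"
        # Egress filtering: everything leaving must carry a source inside our
        # prefix, so our hosts cannot be used as spoofing sources for a flood.
        if pkt.direction == "out" and src not in self.local:
            return "drop: spoofed source (egress)"
        # Ingress filtering: nothing arriving from upstream may claim a source
        # inside our own prefix or inside unroutable (bogon) space.
        if pkt.direction == "in" and (src in self.local or any(src in n for n in BOGON_SOURCES)):
            return "drop: bogon or internal source (ingress)"
        return "accept"


def filter_packets(local_prefix: str, packets):
    """Return (src, dst, direction, verdict) for every packet."""
    f = BorderFilter(local_prefix)
    return [(p.src, p.dst, p.direction, f.verdict(p)) for p in packets]


# Constructed sample traffic (assumption: the site owns 203.0.113.0/24,
# a documentation range, not a real customer network).
SAMPLE = [
    Packet("203.0.113.10", "198.51.100.5", "out"),   # legitimate outbound
    Packet("10.4.4.4", "198.51.100.5", "out"),       # spoofed RFC 1918 source leaving us
    Packet("198.51.100.9", "203.0.113.20", "in"),    # legitimate inbound
    Packet("203.0.113.77", "203.0.113.20", "in"),    # claims to be us, arrives from outside
    Packet("198.51.100.9", "203.0.113.255", "in"),   # directed broadcast at our subnet
    Packet("192.168.1.1", "203.0.113.20", "in"),     # bogon source from upstream
]

if __name__ == "__main__":
    for row in filter_packets("203.0.113.0/24", SAMPLE):
        print(*row)
```

The order of the checks matters: the directed-broadcast test runs first because a packet with a legitimate outside source and our broadcast address as destination would otherwise pass the ingress test. Note that egress filtering protects other people's networks, not ours, which is why the text stresses that every network, not just the victim's, has to deploy it.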
Preventions tools under development or consideration
Building an intelligent, distributed traffic monitor requires the development of an Internet-wide IDS; many technologies are under construction and many have been tried and tested. Such a monitor needs round-the-clock surveillance by ISPs, major host servers and peers. Each packet, including its contents, is examined using multilayer statistical analysis of the incoming traffic. Capable intelligent systems are needed to detect every change in traffic level and classify it as normal or not; any unusual activity would lead to the traffic being shut off at its source.
Another development comes from RSA Laboratories, which proposed cryptographic methods for DDoS prevention. A client puzzle lets a server turn away attack traffic while keeping the door open for legitimate clients. Under normal conditions any client may connect to the server; if a possible attack is detected, the server starts issuing puzzles and uses the responses to classify incoming traffic. Clients that answer correctly within a regular TCP timeout are allowed to connect, and they can stay connected during the attack, albeit with some delay.
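The client puzzle idea, as an added example written for this page rather than RSA Laboratories' own reference design: the server, once its count of pending connections crosses a threshold, hands each client a random nonce and a difficulty in bits; the client must find a counter whose SHA-256 hash together with the nonce has that many leading zero bits, which costs the client on the order of 2^bits hash operations while the server checks the answer with one hash. The server keeps no per-puzzle state; instead it binds the nonce and difficulty to the client with an HMAC so that a client cannot lower the difficulty it was given. The hash choice, the HMAC binding, the load-to-difficulty mapping and the threshold of 100 pending connections are all assumptions of this example.

```python
"""
Hash-based client puzzle with a stateless server. Added example; the
construction and the difficulty policy are this example's own assumptions.
"""
import hashlib
import hmac
import os


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a big-endian digest."""
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()


class PuzzleServer:
    def __init__(self, overload_threshold: int = 100, secret: bytes = None):
        self.secret = secret or os.urandom(32)   # key for binding puzzles to clients
        self.overload_threshold = overload_threshold
        self.pending = 0  # half-open / in-progress connections (set by the caller)

    def difficulty(self) -> int:
        """No puzzle while idle; difficulty grows with load once overloaded
        (assumed policy: one extra bit per doubling of the overload ratio)."""
        if self.pending < self.overload_threshold:
            return 0
        return min(20, 12 + (self.pending // self.overload_threshold).bit_length())

    def _tag(self, client_id: str, nonce: bytes, bits: int) -> bytes:
        msg = client_id.encode() + nonce + bytes([bits])
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def issue(self, client_id: str):
        """Return a puzzle dict, or None when the server is not under load."""
        bits = self.difficulty()
        if bits == 0:
            return None
        nonce = os.urandom(8)
        return {"nonce": nonce, "bits": bits, "tag": self._tag(client_id, nonce, bits)}

    def verify(self, client_id: str, puzzle: dict, solution: int) -> bool:
        """One HMAC plus one hash: cheap for the server regardless of difficulty."""
        expect = self._tag(client_id, puzzle["nonce"], puzzle["bits"])
        if not hmac.compare_digest(expect, puzzle["tag"]):
            return False  # not issued by us, or difficulty/nonce tampered with
        digest = hashlib.sha256(puzzle["nonce"] + solution.to_bytes(8, "big")).digest()
        return leading_zero_bits(digest) >= puzzle["bits"]


def solve(puzzle: dict, limit: int = 1 << 30) -> int:
    """Client side: brute-force a counter until the hash has enough zero bits.
    Expected work is about 2**bits hashes."""
    nonce, bits = puzzle["nonce"], puzzle["bits"]
    for x in range(limit):
        d = hashlib.sha256(nonce + x.to_bytes(8, "big")).digest()
        if leading_zero_bits(d) >= bits:
            return x
    raise RuntimeError("no solution within limit")


if __name__ == "__main__":
    server = PuzzleServer()
    server.pending = 250  # simulate a SYN backlog well over the threshold
    puzzle = server.issue("client-A")
    answer = solve(puzzle)
    print("bits:", puzzle["bits"], "answer:", answer, "accepted:", server.verify("client-A", puzzle, answer))
```

Puzzles shift cost onto clients rather than removing it, so they help against attackers who need the connection to complete (SYN floods, application-level floods) and do nothing against a pure bandwidth flood such as the amplification attack described earlier. The text's remark that legitimate clients stay connected "albeit with some delay" is exactly the solve time of the loop above.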
Another tool under consideration is IP traceback, which builds on the fact that these attacks stem from multiple hosts. In a traceback mechanism, routers mark or log a sample of the packets they forward, so that the trail of attack packets can be examined afterwards; this allows the target to find the true source of the attacker without outside help. As mentioned earlier, these are only proposals that research has used to work out how to handle DDoS attacks. They can be summarized as follows: the first approach adds new hardware to the network, the second requires an upgrade of web browsers, and the last puts more intelligent software into the routers.
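One concrete form of the router-side sampling the paragraph describes is probabilistic packet marking, simulated below as an added example for this page (the text does not name a specific scheme, so the choice of the simple "node sampling" variant is an assumption, as are the router addresses and path). Each router on the path overwrites a mark field in the packet with its own address with probability p; at the victim, marks from the nearest router survive most often and marks from the farthest router least often, so sorting routers by mark frequency recovers the path back toward the attacker without help from any ISP.

```python
"""
Simulation of IP traceback by probabilistic packet marking (node sampling).
Added example; path, addresses and marking probability are constructed.
"""
import random
from collections import Counter


def forward(path, p, rng):
    """Carry one packet from the attacker through `path` (attacker-side router
    first, victim-side router last) and return the mark that reaches the victim.
    A router that marks overwrites whatever mark an earlier router wrote."""
    mark = None  # None = unmarked; an attacker could pre-fill this field
    for router in path:
        if rng.random() < p:
            mark = router
    return mark


def collect_marks(path, p, n_packets, seed=1):
    """Victim side: count which router's mark survived on each packet."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    marks = Counter()
    for _ in range(n_packets):
        m = forward(path, p, rng)
        if m is not None:
            marks[m] += 1
    return marks


def reconstruct(marks):
    """The most frequent mark belongs to the last hop before the victim, the
    next most frequent to the hop before that, and so on. Returned in the
    same orientation as `path`: attacker side first."""
    ordered = [router for router, _count in marks.most_common()]
    return list(reversed(ordered))


def expected_fraction(distance_from_victim, p):
    """P(a mark written d hops before the victim survives to the victim):
    written with probability p, then not overwritten by the d-1 later routers."""
    return p * (1 - p) ** (distance_from_victim - 1)


if __name__ == "__main__":
    path = ["10.0.0.1", "10.0.1.1", "10.0.2.1", "10.0.3.1"]  # constructed
    marks = collect_marks(path, p=0.5, n_packets=4000)
    print("observed:", marks.most_common())
    print("reconstructed path (attacker -> victim):", reconstruct(marks))
```

Two caveats the scheme carries, both consistent with the text's conclusion that traceback is only one piece of a combined defense: the victim needs thousands of attack packets before the frequencies separate cleanly, and a packet that reaches the victim unmarked (probability (1-p)^d for a path of d routers) keeps whatever the attacker wrote in the field, so an attacker can inject false marks for distant hops.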
Research Questions
Research Q1: Overarching – How can DDoS attacks be prevented?
Research Q2: Qualitative – What are the factors, for an attack like DDoS to take place?
Research Q3: Quantitative – What would need to be changed to reduce the probability that it would occur?
This research aims to answer the above questions. Today there is no method that deals reliably with DDoS attacks, and the research techniques discussed above have received mixed receptions. The aim of the research is therefore to determine which solutions, if any, can successfully defend against DDoS attacks. These attacks are now far more frequent and growing in volume, so it is high time we found an answer to the attackers' misdeeds.
The Use of Theory
This study uses a constructivist philosophical worldview. A mixed-methods design is planned to examine DDoS prevention and also its detection. Using both document reviews and surveys, the Grounded Theory model allows the researcher to "derive a general, abstract theory of a process, action or interaction grounded in the views of participants. This process involves using multiple stages of data collection and the refinement and interrelationship of categories of information" (Charmaz, 2006; Strauss & Corbin, 1990, 1998).
This study will use the already developed Networked Grounded Theory. My research method of choice for DDoS detection and prevention was Grounded Theory for two main reasons. First, I was looking for a theory development method. Network security is a relatively young field, following the exponential growth of the "everything online" push; although the topic is widely taught, there was no theory of what happens while the attacks are taking place and, more importantly, of how companies deal with them. The study did not need to test an existing hypothesis; it needed a theory development tool. The second reason for choosing Grounded Theory is that it favors qualitative work.
Research Method
The purpose of the research determines the choice of method. Since the aim is to prevent the threat of DDoS attacks, the primary focus of the study is the experience and viewpoints of security experts and of students pursuing research in the field. The study therefore calls for a mixed-methods design with a convergent parallel strategy of inquiry. A survey will be used for the quantitative arm because it is well suited to gathering participants' backgrounds, experiences and perspectives; answers will be weighted according to each participant's experience and expertise in the field.
The research method combines surveys with literature review. Because the subject is popular and changes constantly, non-academic papers will also be used to obtain a broader view. Google Scholar, the RIT library, company websites, publications by security experts and, most importantly, reports from different security companies will be used to estimate factors such as the scale, number and frequency of the attacks they report each month. The documents for the literature review will be publicly available resources, which may include minutes of meetings, journals, diaries or letters. If necessary, a company will be contacted to obtain consent to use private documents.
For the surveys, the well-known company Amazon will be contacted online, and students in the same field with appropriate knowledge will also be surveyed. The sample size will be no more than 50 across both the company and the students at RIT. To gather information as accurately as possible, the survey will use close-ended questions along with a few open-ended ones. The questions will be easy to follow and legible, with no room for misinterpretation, and to avoid bias they will contain no leading assumptions. As the study develops, follow-up questions will be asked, and participants may be asked to justify why they chose what they did. The survey questions will be peer-reviewed to ensure their validity. The following are a few of the questions in the survey:
- Which type of DDoS attack is the most dangerous one?
- What do you think the future of DDoS attacks will look like?
- Do you have any firsthand experience with DDoS attacks?
- How do you think we can solve the DDoS problem on a global scale?
- What type of companies do you think are more threatened by DDoS attacks?
- Which precautions do you take to protect yourself against DDoS attacks?
- What do you think are the motives behind the attacks?
Survey Protocol
The questionnaire will include questions about the participant's background, family history and personal opinions on the repercussions of DDoS attacks. At the end of the survey, participants will be asked whether they have anything to add about DDoS attacks that they feel the survey left out. The research will follow the American Research Council's guidelines:
- Information requirement: the purpose of the study will be shared with the participants.
- Consent requirement: participants are reminded that they have the right to opt out of the study.
- Confidentiality requirement: participants are reminded that all information provided is protected under confidentiality laws.
"Confidentiality entails information security so that data is not disclosed without prior authorization" (Goodrich & Tamassia, 2010, p. 4).
Data Analysis
"Where open-form and other verbal responses occur alongside numerical data it is often sensible to use a quantitative tool" (Stern, 2004, p. 253); this study will therefore use quantitative tools to analyze the survey outcomes. Several statistical tests will be conducted, including a one-way ANOVA, a three-way ANOVA and two Chi-square tests.
Themes will be developed after scanning the set of responses, and they will mirror the points noted during scanning. During the code development phase, scanning a large range of responses ensures that most themes are covered. Each theme is then refined into exhaustive, unambiguous and mutually exclusive categories so that codes map one-to-one and consistently. Finally, a codebook listing all categories and the codes assigned to them will be prepared. Codes will be recorded only after the entire body of material has been reviewed; as new material is explored, further items will be added to the codebook.
Validation threats
The study is exposed to a few threats. Respondents may not share the same understanding of the DDoS concept as a whole. There is an added risk that data is deliberately withheld during the survey for proprietary reasons, since a company's integrity is what it values most when deciding whether to share data. Analyzing the data will carry its own risks, because a mixed-methods interpretation is used and views on DDoS are more subjective than verifiable.
There are several risks in the way data is collected and analyzed. The qualitative method used to interpret the data is always more subjective than a quantitative one. To validate the findings, the results of the empirical study and the literature review will be compared with each other, and experts will be asked to review the conclusions, which will only strengthen the paper's validity. The document review may require the researcher to dig for information in every nook and cranny; transcribing documents can be a further challenge, and incomplete documents can limit what the review process can achieve.
The Future of DDoS attacks
It is believed that the number of attacks will keep growing, even if their size does not grow at the same rate. Unless the Internet as a service is reworked, we will not be able to get rid of DDoS. The Arbor Networks report ("Worldwide Infrastructure Security Report | Arbor Networks," 2016, p. 14) shows that companies lose over $500 per minute of attack, with some reporting even greater expense, which means that more people are becoming aware of the ways to make money from these attacks. Since a remodeled Internet is not in sight, more security weaknesses will be found in the old protocols that serve the current Internet, increasing DDoS attacks in both size and number.
Without such drastic measures, more and more critical services will be targeted, simply because services that once lived on private intranets are now available to everybody online. It started in the United States and will continue to grow worldwide; where it began matters less than the fact that it is now a worldwide phenomenon.
Summary
Distributed Denial of Service attacks are an ever-increasing cause of concern in the networking sector, and their growing importance is tied to the growing severity of the attacks. The study will use both quantitative and qualitative approaches. A survey will gauge students' and experts' perceptions of DDoS avoidance best practices and how they relate to the real-world techniques studied in the document review. Results will be analyzed with descriptive and inferential statistics using the Statistical Package for the Social Sciences (SPSS). The findings will have important implications for the networking sector: a better understanding of how DDoS attacks affect it, which in turn can be used to spread the solutions to the problem. Exploring the relation between DDoS prevention techniques in theory and in practice can thus yield important outcomes for ISPs, network analysts and students alike.
References
Chaba, Y., Singh, Y., & Aneja, P. (2009). Performance Analysis of Disable IP Broadcast Technique for Prevention of Flooding-Based DDoS Attack in MANET. Journal of Networks, 4(3). doi:10.4304/jnw.4.3.178-183
In this paper a technique is proposed to prevent flooding-based DDoS attacks in mobile ad hoc networks. The study uses Ad hoc On-Demand Distance Vector (AODV) as its routing protocol and builds its defense against the flooding attack on it.
Goodrich, M., Shin, M., Straub, C., & Tamassia, R. (n.d.). Distributed data authentication. Proceedings DARPA Information Survivability Conference and Exposition. doi:10.1109/discex.2003.1194915
Hefeeda, M., & Habib, A. (2011). DETECTING DOS ATTACKS AND SERVICE VIOLATIONS IN QOS-ENABLED NETWORKS. Handbook of Security and Networks, 191-220. doi:10.1142/9789814273046_0007
This paper provides a way to detect DoS attacks in their early stages with the help of network monitoring tools that detect service violations. It also provides guidelines for selecting an appropriate defense scheme based on the requirements.
Mirkovic, J., Prier, G., & Reiher, P. (2002). Attacking DDoS at the source. 10th IEEE International Conference on Network Protocols, 2002. Proceedings. doi:10.1109/icnp.2002.1181418
This paper takes a different approach to dealing with DDoS: a mechanism called D-WARD is deployed at source-end networks, where the traffic originates, to detect and stop attacks there. This is achieved by constantly monitoring the two-way traffic between the source network and the rest of the Internet.
Mirkovic, J., & Reiher, P. (2004). A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Computer Communication Review, 34(2), 39. doi:10.1145/997150.997156
This paper points out that a single defense mechanism does not last long against DDoS attacks and seconds the suggestion that multiple techniques are needed to overcome the risk. The researchers catalogue the characteristics of DDoS attacks, the models involved in them, and the defense mechanisms proposed to combat them, organized as a taxonomy.
Zargar, S. T., Joshi, J., & Tipper, D. (2013). A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks. IEEE Communications Surveys & Tutorials, 15(4), 2046-2069. doi:10.1109/surv.2013.031413.00127
This survey classifies DDoS flooding attacks and the defense mechanisms proposed against them, including where in the network each defense is deployed. It concludes that none of the existing techniques is free of faults or able to identify attack traffic accurately on its own, which is why a combination of distributed defenses is needed.
Zomlot, L., Sundaramurthy, S. C., Luo, K., Ou, X., & Rajagopalan, S. R. (2011). Prioritizing intrusion analysis using Dempster-Shafer theory. Proceedings of the 4th ACM workshop on Security and artificial intelligence – AISec ’11. doi:10.1145/2046684.2046694
In this paper, the researchers have presented an approach to handle network uncertainties without having to utilize any prior knowledge or information with the help of Dempster- Shafer theory.
Worldwide Infrastructure Security Report | Arbor Networks. (2016). Retrieved from http://arbornetworks.com