Understanding ddos attack & its Effect in Cloud Environment
Yüklə 333,78 Kb. Pdf görüntüsü
|
|
Rashmi V. Deshmukh and Kailas K. Devadkar / Procedia Computer Science 49 ( 2015 ) 202 – 210 Fig. 1. Constituents of DDoS 1.3. DDoS Constituents Recently, Botnets are been used widely to perform DDoS attacks. This section explains botnet architectures and the tools that have been used to launch DDoS flooding attacks. Many computers are used for launching a DDoS Attack. It makes use of client server technology. In general, DDoS attack comprises of Master, Handler, Agents and victim (as show in Fig. 1). The zombies (agents or bots) are the one used by the master to form a botnet. Larger the number of zombies, more disruptive the attack will be 8 . The Master communicates with agents via handlers. For Example, handlers can be programs installed on a set of compromised devices (e.g., network servers) that attackers communicate with to send commands. Attacker sends command and controls their agent through handlers. Bots are devices that have been compromised by the handlers. The bots actually carry out the attack on the victim’s system. Attacker uses many scanning techniques for finding a vulnerable machine 19 . Random Scan is a simplest strategy which randomly scans whole IPv4 address space as the worm doesn’t know where the host is present. It e ff ective only for IPv4 as address space space of IPv6 is too vast. Hitlist Scan has a list which contains IP address vulnerable hosts in the Internet. The scanning is done in this list. When it makes another machine a host, part of the initial hit list will be sent to that machine 20 . Route-based Scan reduces the search addresses BGP routing prefixes are used and this prefixes information can reduce the search space drastically 21 . In Divide-and-conquer Scan technique the scanning is done by di ff erent hosts on di ff erent part of address space hence saving the resources. Apart from these there are other strategies too like Permutation Scan, Local Preference Scan and Topological Scan. Once host is found after scanning, vulnerabilities of that host need to be found to gain its control. More information about these vulnerabilities is available on internet. For example Common Vulnerabilities and Exposures refer 22 . 1.4. Classification The variety of DDoS attacks are sprouting in the computing world. The major types include Bandwidth based and resource based attacks. Both types consume the entire bandwidth and resources of the network that’s been exploited. Through the analysis made, taxonomy has been depicted in the Fig. 2. Depending upon the exploited vulnerability it can be further divided into di ff erent types. Bandwidth Depletion Attacks: This type of attack consumes the bandwidth of the victim or target system by flooding the unwanted tra ffi c to prevent the legitimate tra ffi c from reaching the victim network. Tools like Trinoo are usually used to perform these attacks. Bandwidth depletion attacks are categorized further as: 205 Rashmi V. Deshmukh and Kailas K. Devadkar / Procedia Computer Science 49 ( 2015 ) 202 – 210 Fig. 2. Taxonomy of DDoS Attacks • Flood Attacks: This attack is launched by an attacker sending huge volume of tra ffi c to the victim with the help of zombies that clogs up the victim’s network bandwidth with IP tra ffi c. The victim system undergoes a saturated network bandwidth and slows down rapidly preventing the legitimate tra ffi c to access the network. This is instigated by UDP (User Datagram packets) and ICMP (Internet Control Message Protocol) packets. An UDP flood attack is initiated by following steps: 1. An attacker sends a large number of UDP packets to the victim system’s random or specified ports with the help of zombies. 2. On receiving the packets, the victim system looks the destination ports to identify the applications waiting on the port. 3. When there is no application, it generates an ICMP packet with a message “destination unreachable”. 4. The return packets from the victim are sent to the spoofed address and not to the zombies. As a result the available bandwidth has been depleted without servicing the legitimate users. This impacts the connections and systems located near the victim. Other variations of this attack include Fragmentation, DNS flood attack, VoIP flood attack, Media data flood attack etc. An ICMP flood attack involves following steps: 1. An attacker sends a large number of ICMP ECHO REPLY i.e. ping packets to the victim system with the help of zombies. This kind of packets requires a response message from the victim. 2. The victim sends the responses to the packets received. 3. Now the network is clogged with request response tra ffi c. The spoofed IP address may be used in the ICMP packet. The bandwidth of the victim network connections is saturated and depleted rapidly without servicing the legiti- mate users. Fragmentation, DNS flood and Ping flood are the other variations of ICMP flood attacks. • Amplification attacks: The attacker sends a large number of packets to a broadcast IP address. In turn causes the systems in the broadcast address range to send a reply to the victim system thereby resulting in a malicious tra ffi c. This type of attack exploits the broadcast address feature found in most of the internetworking devices like routers. This kind of DDoS attack can be launched either the attacker directly or with the help of zombies. The well-known attacks of this kind are Smurf and Fraggle attacks. The Smurf attack is caused by following steps: |