Distributed Denial of Service

This document is a seminar report submitted by Zakiya Shaikh on distributed denial of service attacks under the guidance of their professor. It provides an introduction to DDoS attacks, including a historical perspective on famous attacks and an explanation of how DDoS attacks take place in multiple steps by hacking vulnerable systems and using them to launch a coordinated attack. The report was submitted in partial fulfillment of the requirements for a bachelor's degree in computer engineering.
Copyright
© Attribution Non-Commercial (BY-NC)
Distributed Denial of Service

A
SEMINAR REPORT

Submitted in partial fulfillment of the requirements for the degree of

BACHELOR OF ENGINEERING
IN
COMPUTER ENGINEERING

Submitted By
Zakiya Shaikh

Under the Guidance of

Prof. Zafar-ul-Hasan
(Lecturer)
Department of Computer Engineering

SANDIP FOUNDATION’S
SANDIP INSTITUTE OF TECHNOLOGY AND RESEARCH CENTRE
A/P: MAHIRAVANI, TRIAMBAK ROAD
NASHIK – 422 213
UNIVERSITY OF PUNE
Academic Year 2010 – 11
CERTIFICATE

This is to certify that the seminar entitled “Distributed Denial of Service” has been carried out by Zakiya Shaikh under my guidance in partial fulfillment of the requirement for the degree of Bachelor of Engineering in Computer Engineering of the University of Pune, Nashik, during the academic year 2010-11.

Guide: Prof. Zafar-ul-Hasan
Head of the Department: Prof. D.V. Patil
Principal:
ACKNOWLEDGEMENT

We take this opportunity to express our sincere gratitude towards our (seminar coordinator) for his generous assistance, without whose considerate approach and insight this report would never have been possible.

We are also immensely grateful to our HOD D.V. Patil Sir for his encouragement and guidance.

We would like to thank the staff members of S.I.T.R.C. who helped us to select this topic and prepare this report.

We extend our sincere thanks to our college library staff, who extended their full co-operation in obtaining the necessary material for this report.

Our wholehearted thanks to all our friends who helped us by giving their valuable suggestions in preparing the report.

SAURABH KAMBLE
CONTENT                                        PAGE NO.

1. INTRODUCTION                                      1
   1.1 What is a Storage Area Network?               6
   1.2
       1.2.1 SAN connectivity                        7
       1.2.2 SAN component
       1.2.3 SAN servers                             7
   1.3 The importance of standards                   8
   1.4 Where are SANs heading?                       8
2. LITERATURE SURVEY                                10
   2.1 Requirements of Server Load Balancing        10
   2.2 Server Load Balancing Methods                10
3. STORAGE AREA NETWORK TECHNIQUES                  12
   3.1 Algorithm of Server Load Balancing           13
4. IMPLEMENTATION/ARCHITECTURE DETAILS
5. APPLICATION OF STORAGE AREA NETWORK              14
6. CONCLUSION                                       15
7. REFERENCES                                       16

CHAPTER 1
INTRODUCTION

Distributed Denial of Service (DDoS) attacks are a potent new form of attack on the availability of Internet services and resources. A DDoS attack by definition is any act intended to cause a service to become unavailable or unusable. In a DDoS attack, there are no inherent limitations on the number of machines that can be used to launch the attack. A DDoS attack exploits the distributed nature of the Internet, with hosts owned by disparate entities around the world. These unsuspecting computers are used to wage a coordinated, mass-scale attack against a particular system or site. In addition, since these attacks come from a wide range of IP addresses, they are much more difficult to detect and block at the firewall level.

In this paper, we give a brief history of famous DDoS attacks, describe step by step how a DDoS attack takes place, and describe several types of DDoS attacks. Some attacks we go over are smurfing, UDP flooding, the TCP SYN attack, and the PUSH + ACK attack. From this paper, we hope the reader gains a better understanding of what DDoS attacks are and is able to protect their systems from these types of attacks.

HISTORICAL PERSPECTIVE

In February 2000, one of the first major DDoS attacks was waged against the popular search engine Yahoo. This attack kept Yahoo off the Internet for about 2 hours and cost Yahoo a significant loss in advertising revenue. In the same week, the CNN, eBay, and Datek websites were taken down for several hours by the same attack. Another recent DDoS attack occurred on October 20, 2002 against the 13 root servers that provide the Domain Name System (DNS) service to Internet users around the world. If all 13 servers were to go down, this would be a disastrous problem for the Internet. Although the attack only lasted for an hour and its effects were hardly noticeable to the average Internet user, it caused 7 of the 13 root servers to shut down, demonstrating the vulnerability of the Internet.

HOW DOES DDOS ATTACK TAKE PLACE


Here we will go step by step through how a DDoS attack takes place. The main point is that DDoS attacks work in a way that conceals both the attack and the attacker, so that the attacker is unlikely to be caught.

Step 1

The DDoS attack operates through a client machine by hacking into weakly secured computers. This is done by searching for and finding well-known defects in standard network service programs and commonly weak configurations in known operating systems. Before the attacker can start, the attacker scans these systems looking for vulnerabilities. Unfortunately, this phase very much favors the attackers. The attacker uses computer systems and open network ports to gain access. The more ports that are open, the more points of vulnerability.

To determine which ports are open on a given system, a program called a port scanner is used. A port scanner runs through a series of ports to see which ones are open. Usually a machine's TCP/IP stack has 65,535 TCP ports and 65,535 UDP ports, and each of these ports is a potential doorway into the system. Normally, major services listen on fixed port numbers, so from the list of open ports on a target system the attacker can get an idea of which services are in use by checking RFC 1700, “Assigned Numbers”.

In the Windows environment, one good scanner is called Scan port. This is a fairly basic port scanner, but it enables the attacker to specify both the range of addresses and the range of ports to scan. On the Unix side, the best scanner is Nmap. This program scans for open ports by sending packets to the target system to interact with each port. What type of packets is sent and how the interaction happens depend on the type of scan being conducted. Some of the types of scan are as follows.

TCP Connect: Completes the three-way handshake with each scanned port.
TCP SYN: Only sends the initial SYN and awaits the SYN-ACK response to determine if the port is open.
UDP scan: Sends a UDP packet to target ports to determine if a UDP service is listening.
Ping: Sends an ICMP Echo request to every machine on the target network to locate live hosts.

After the vulnerability scan is done on the target system, a list of vulnerabilities that the attacker could exploit is produced. The reason behind the scan is to automate the process of connecting to a target system and checking to see if the vulnerabilities are present.

Another scan tool, called Nessus, scans random IP addresses to find a known vulnerability. After the scan, a list of victim systems that share the same common vulnerability is created.

Step 2

After the scan, the attacker chooses a number of machines to be involved in the attack. These systems are also known as handlers or masters. Now the attacker needs a way to gain access and have significant control over these machines. The most common method is a stack-based buffer overflow attack. Any application or operating system component that is poorly written could have this problem. A buffer overflow attack happens when an attacker tries to store too much information in an undersized receptacle. Buffer overflows take advantage of the way in which data is stored by computer programs. When a program calls a subroutine, the function's variables and the subroutine's return address pointer are stored in a logical data structure known as the stack. The stack is a portion of memory which stores information the current program needs and contains the address where the program returns after the subroutine has completed execution.

When the buffer is overflowed, the data placed there spills into the neighboring variable space and eventually into the pointer space. To cause the attacker's code to be executed, the attacker precisely tunes the amount and content of the data to overflow the buffer and corrupt the stack. The data the attacker sends usually consists of machine-specific byte code to execute a command plus a new address for the return pointer. This address points back into the address space of the stack, causing the program to run the attacker's instructions when it returns from the subroutine. To help improve the odds that the return pointer will jump to a good place to begin executing the attacker's code, attackers will often prepend a series of NOP (no-operation) instructions to their machine-level code. A key point is that the attacker's code will run at whatever privileges the exploited software is running at. In most cases, the attacker tries to exploit a program running with root or administrator privilege, so the attacker can easily install a backdoor on the system in this way.

The captured machines are now instructed to control another set of captured machines. These are called the agents or daemons. Doing this ensures a measure of caution on the part of the attacker: it is now very difficult, if not impossible, to track down the actual attacker on the Internet. The attacker compromises more systems until the risk of being caught is almost nil. At the end, the attacker knows the addresses of all the nodes and stores them in a file on his control system. This is later used to attack the victim.

Step 3

After the attacker breaks into a system, they want to be able to get back into the victim's system whenever they want. They could achieve this by installing a backdoor as in step 2 or by installing a rootkit (very common on Unix operating systems). A rootkit trojans key system files of an operating system. The attacker could replace the login program by overwriting it, but it would then be obvious that someone had tampered with the system, since legitimate users could not gain access. To avoid this, the attacker adds some feature to the existing login program, such as allowing someone to obtain root access without being prompted for a password; it would then be hard for the administrator to detect that their system has been compromised. In general, rootkits provide false information or lie to the administrator to hide what the attacker is doing. The rootkit masks the attack activity going on in the background.

So finally the actual attack takes place. The attacker, using client software on his computer, sends instructions to the handlers or nodes to launch a particular attack. These attacks consist of a variety of different flooding attacks against a specific victim.

TYPES OF DDOS ATTACKS

SMURFING

In a smurfing attack, a network amplifier is used to create a flood of traffic to target a victim system. The attack begins with a ping packet sent to some system which supports directed broadcast messages, known as a network amplifier. A network amplifier is usually a system on the Internet with an incorrectly configured network. The source address of the packet is spoofed to be that of the victim system. Spoofing is a way for the attacker to send messages to an IP address which claim that the message came from a trusted host. By doing this, all the ping responses are sent to the victim system. Using a network amplifier with 50 hosts, 50 packets can be sent to the victim by sending just one packet. The network amplifier will receive packet after packet until the maximum amount of traffic is sent. This is because the network amplifier itself has a fixed-bandwidth connection to the Internet. In the end, the attack will be traced back to the network amplifier and not the attacker.

Smurf attacks rely on a directed broadcast to create a flood of traffic for a victim at a particular IP address. An IP address is made of a host address and a network address. If the host part of the address is all 1s, then the packet is destined for the broadcast address of the network. For example, if the network IP address were 10.1.0.0 with a netmask of 255.255.0.0, the broadcast IP address for the network would be 10.1.255.255. The two consecutive 255s mean the host part contains 16 consecutive 1s, so the message is addressed to the whole network. This in turn will cause every machine on the destination LAN to read the packet and send a response.

The packets sent by the attacker are ICMP ECHO REQUESTs. Normally, if the packet's destination network router allows directed broadcasts, all machines on the destination LAN will receive the packet. Once received, these machines will then send a ping response. By sending one packet, thousands of response packets can be generated. If the first ping response were to a spoofed address, then all ping responses from the network would be sent to the spoofed address. The number of response packets will increase with the number of machines on the network that allow directed broadcasting. Using this idea an attacker can conduct a smurfing attack.

A similar attack to smurfing is the fraggle attack. Fraggle is similar in that the attacker sends packets through a network amplifier, but differs by using UDP ECHO packets rather than ICMP ECHO packets. The attack begins with packets sent to an IP broadcast address. The destination UDP port is set to a service which can send a response. The service that receives the packet just sends the packet back exactly as received. By doing this, all machines will echo UDP traffic back, causing a flood on the victim's system.
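As an added example (not part of the report), the following code computes the broadcast address the way the report explains it and shows the border-router check that stops a network from serving as a smurf or fraggle amplifier: drop externally sourced packets whose destination is a directed broadcast. The interface networks and sample packets are constructed for this example.

```python
import ipaddress

# Constructed interface networks for an assumed border router: the first is the
# 10.1.0.0 / 255.255.0.0 network used in the report, the second is a made-up extra LAN.
INTERNAL_NETS = [
    ipaddress.ip_network("10.1.0.0/255.255.0.0"),
    ipaddress.ip_network("192.168.5.0/255.255.255.0"),
]

def broadcast_address(network, netmask):
    """Host bits all set to 1, as the report explains: 10.1.0.0/255.255.0.0 -> 10.1.255.255."""
    return str(ipaddress.ip_network(f"{network}/{netmask}").broadcast_address)

def is_directed_broadcast(dst):
    """True when dst is the broadcast address of one of the router's internal networks."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in INTERNAL_NETS)

def border_filter(pkt):
    """Verdict for one packet arriving on the outside interface.
    pkt is a dict with src, dst, proto ("icmp"/"udp"/"tcp") and dport (None for ICMP).
    Refusing to forward directed broadcasts from outside means one spoofed packet
    can no longer be turned into a response from every host on the LAN.
    Returns (verdict, reason)."""
    if not is_directed_broadcast(pkt["dst"]):
        return "accept", "unicast destination"
    if pkt["proto"] == "icmp":
        return "drop", "ICMP echo to directed broadcast (smurf amplifier)"
    if pkt["proto"] == "udp":
        return "drop", "UDP to directed broadcast (fraggle amplifier)"
    return "drop", "directed broadcast from outside"

# Constructed sample packets; 203.0.113.9 plays the spoofed victim address.
SAMPLE_PACKETS = [
    {"src": "203.0.113.9",  "dst": "10.1.255.255",  "proto": "icmp", "dport": None},
    {"src": "203.0.113.9",  "dst": "192.168.5.255", "proto": "udp",  "dport": 7},
    {"src": "198.51.100.4", "dst": "10.1.4.20",     "proto": "tcp",  "dport": 80},
    {"src": "198.51.100.4", "dst": "10.1.4.20",     "proto": "icmp", "dport": None},
]

def run_filter(packets=SAMPLE_PACKETS):
    """Apply the filter to each packet and return {verdict: count}."""
    counts = {"accept": 0, "drop": 0}
    for pkt in packets:
        verdict, reason = border_filter(pkt)
        counts[verdict] += 1
        print(f'{pkt["src"]:>14} -> {pkt["dst"]:<15} {pkt["proto"]:<4} {verdict}: {reason}')
    return counts

if __name__ == "__main__":
    print(broadcast_address("10.1.0.0", "255.255.0.0"))  # 10.1.255.255
    print(run_filter())                                   # {'accept': 2, 'drop': 2}
```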
 
UDP FLOODING

User Datagram Protocol (UDP) is a connectionless protocol. When sending data packets through UDP, no handshake is required between the sender and receiver. The receiving party simply receives packets to process. If a large number of UDP packets are sent, this could cause the victim system to become saturated. This in turn would reduce the bandwidth available for legitimate users of the system.

When the attacker uses a UDP flood attack, UDP packets are sent to either random or specified ports on a victim system. Most of the time they are sent to random ports. When the packets arrive, the victim system has to process the incoming data and determine which application the request is for. If no application is listening on the targeted port, the victim system sends out an ICMP packet indicating that the destination port is unreachable. As with smurfing, UDP flooding uses spoofed IP addresses when sending the attacking packets. By doing this, the return packets are sent to another system at the spoofed address and not back to the zombie systems. Another side effect of UDP flood attacks is that they can fill the bandwidth of the connections around the victim system, causing those systems to experience problems with their connectivity.

TCP SYN ATTACK

A TCP SYN attack is a denial of service attack in which the attacker deliberately violates the three-way handshake and opens a large number of half-open TCP/IP connections. Potential targets for this attack are any systems connected to the Internet that provide TCP-based network services. Some examples include a web server, FTP server, or mail server.

When a TCP connection is made to a system providing a service (the server), the client and server exchange a set sequence of messages known as the three-way handshake. The client's system begins by sending a SYN (synchronization) message to the server. The server then acknowledges the message by sending a SYN-ACK message to the client. The client then finishes establishing the connection by responding with an ACK message.

Problems arise when the server system has sent an acknowledgment (SYN-ACK) back to the client but has not received the final ACK message. This is called a half-open connection. In memory, the server has a built-in data structure describing all pending connections. This data structure is of finite size and can be made to overflow by creating lots of partially opened connections. When a large volume of SYN requests is being processed by a server and none of its SYN-ACK responses are answered, the server begins to run out of processor and memory resources.

In a TCP SYN attack, the attacker instructs the zombies to send bogus TCP SYN requests to a victim server in order to tie up the server's processor resources. This in turn prevents the server from responding to legitimate requests. The source address of each SYN packet sent by the attacker is spoofed, thus hiding the identity of the attacker.
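The following added example (not from the report) models the finite half-open table just described and contrasts it with SYN cookies, the standard defence: the server encodes its handshake state into the SYN-ACK sequence number instead of storing it, so spoofed SYNs that never complete consume nothing. The listener, the cookie field widths, the secret and the traffic are all constructed for this example and are a simplification of real stacks.

```python
import hmac
import hashlib
import random

# Constructed secret for this example; a real stack derives the key from random per-boot material.
SECRET = b"constructed-demo-key"

def syn_cookie(src_ip, src_port, dst_ip, dst_port, tick):
    """Stateless ISN: an 8-bit time tick in the top byte and a 24-bit MAC over the
    connection 4-tuple below it. Field widths are this example's simplification."""
    tick &= 0xFF
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{tick}".encode()
    mac = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return (tick << 24) | mac

def verify_cookie(src_ip, src_port, dst_ip, dst_port, ack, now):
    """Recompute the cookie from the client's ACK (ISN + 1); accept the current or previous tick."""
    cookie = (ack - 1) & 0xFFFFFFFF
    tick = cookie >> 24
    if tick not in (now & 0xFF, (now - 1) & 0xFF):
        return False  # stale or forged cookie
    return syn_cookie(src_ip, src_port, dst_ip, dst_port, tick) == cookie

class Listener:
    """A listening socket whose half-open table is the finite structure the report describes."""
    def __init__(self, ip, port, backlog, use_cookies):
        self.ip, self.port, self.backlog, self.use_cookies = ip, port, backlog, use_cookies
        self.half_open = {}  # (src_ip, src_port) -> ISN sent in our SYN-ACK
        self.refused = 0

    def on_syn(self, src_ip, src_port, now):
        """Return the ISN for our SYN-ACK, or None when the SYN must be refused."""
        if self.use_cookies:
            return syn_cookie(src_ip, src_port, self.ip, self.port, now)  # nothing stored
        if len(self.half_open) >= self.backlog:
            self.refused += 1  # table full: legitimate SYNs are refused too
            return None
        isn = random.getrandbits(32)
        self.half_open[(src_ip, src_port)] = isn
        return isn

    def on_ack(self, src_ip, src_port, ack, now):
        """Complete the handshake if the ACK acknowledges exactly ISN + 1."""
        if self.use_cookies:
            return verify_cookie(src_ip, src_port, self.ip, self.port, ack, now)
        isn = self.half_open.pop((src_ip, src_port), None)
        return isn is not None and ack == (isn + 1) & 0xFFFFFFFF

def simulate(use_cookies, flood=1000, backlog=128):
    """Constructed scenario: `flood` spoofed SYNs that never ACK, then one legitimate client.
    Returns (legit_client_connected, half_open_entries_held, syns_refused)."""
    srv = Listener("192.0.2.10", 80, backlog, use_cookies)
    now = 1000
    for i in range(flood):
        srv.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i, now)  # spoofed sources, no ACK
    isn = srv.on_syn("203.0.113.5", 40000, now)  # legitimate client
    ok = isn is not None and srv.on_ack("203.0.113.5", 40000, (isn + 1) & 0xFFFFFFFF, now + 1)
    return ok, len(srv.half_open), srv.refused

if __name__ == "__main__":
    print("without cookies:", simulate(False))  # (False, 128, 873)
    print("with cookies:   ", simulate(True))   # (True, 0, 0)
```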

PUSH + ACK ATTACK

In the TCP protocol, packets that are sent to a destination are buffered within
the TCP stack and when the stack is full, the packets get sent on to the receiving
system. However, the sender can request the receiving system to unload the
contents of the buffer before the buffer becomes full by sending a packet with the
PUSH bit set to one. PUSH is a one-bit flag within the TCP header. TCP stores
incoming data in large blocks for passage on to the receiving system in order to
minimize the processing overhead required by the receiving system each time it
must unload a non-empty buffer.

The PUSH + ACK attack is similar to a TCP SYN attack in that its goal is to
deplete the resources of the victim system. The attacking agents send TCP packets
with the PUSH and ACK bits set to one. These packets instruct the victim system
to unload all data in the TCP buffer (regardless of whether or not the buffer is full)
and send an acknowledgement when complete. If this process is repeated with
multiple agents, the receiving system cannot process the large volume of incoming
packets and it will crash.

SUMMARY & CONCLUSION

DDoS attacks use advanced methods of attacking a network system to make it unusable to legitimate network users. These attacks are an annoyance at a minimum, and if they are against a critical system, they can be severely damaging. Loss of network resources costs money, delays work, and cuts off communication between network users. The negative effects of a DDoS attack make it important that solutions and security measures be developed to prevent these types of attacks.

Detecting, preventing, and mitigating DDoS attacks is important for national security. In the same manner that the Internet has become more user friendly over the last 10 years, and more individuals, businesses, and government agencies make use of it, so hacking and the disruption of network traffic have grown. DDoS attack tools are easy for attackers and script kiddies to obtain, and the potential for other attacks like the recent attack against the 13 root servers is quite high. Finding methods for preventing and stopping DDoS attacks will be important for national security. Understanding DDoS attacks and tools is a first step towards this, and the main contribution of this paper.
