I. What is a Denial of Service Attack?
DoS attacks are a class of attacks, initiated by an individual or a group of individuals, that exploit aspects of the Internet Protocol to deny other users legitimate access to systems and information. If an attacker can force a router to stop forwarding packets, then all hosts behind the router are effectively disconnected. More recently, attacks have also been crafted against web servers, mail servers and other services.
II. What is a DDoS Attack?
DDoS attacks aim to disrupt the service of information systems by overwhelming the processing capacity of systems or by flooding the network bandwidth of the targeted business. In modern web applications, the web client makes a request that takes very little effort to compose, but when it reaches the server, the application has to process a lot of data and compose the response with a lot of effort. This disparity between the computation effort of the server and that of the client is usually an order of magnitude, and it works very much in the favour of an attacker who modifies a web client to launch an application-level attack against a server. Hence a single compromised machine can cause a lot of trouble on the server end, and a set of such compromised machines in the hands of an attacker can launch a denial of service attack against even the biggest server farms and succeed.
In this figure, the attacker(s) have compromised several systems by installing a malicious program on them. When the attacker sends a command to these systems, they start sending an enormous number of requests to the victim machine, which brings it down so that it is no longer available to legitimate users. In a modern web application, the request a web client makes takes little effort to compose but causes the server to process a lot of data and compose the response. This disparity in computation effort between the server and the client is what makes the DDoS attack successful. Categories of DDoS include:
- HTTP Flood
- SYN Flood
- UDP Flood
- ICMP Flood
- TCP Data Flood
- DDoS on DNS
Of these attacks, HTTP flood, which is an application-level DDoS, is the most threatening.
HTTP flood is the most popular method of attacking a website (88.9%, according to the statistics of a survey by Kaspersky Labs for Q2 2011): a huge number of HTTP requests are sent to the targeted site over a short period. In most cases they look just like regular user requests, making them difficult to filter out. This makes this type of DDoS attack more popular among cybercriminals than others. A new and very lethal form of Layer 7 attack technique, which uses slow HTTP POST connections, was discovered by Onn Chee and his team. The attacker sends properly crafted HTTP POST headers containing a legitimate "Content-Length" field to inform the web server how much data to expect. After the HTTP POST headers are fully sent, the HTTP POST message body is sent at a very slow speed to prolong the completion of the connection and tie up precious server resources.
III. Types of DDoS Attack
- Bandwidth Attacks: Loading any site takes a certain time, and this "loading" consumes some amount of memory. Every site is allotted a particular amount of bandwidth by its hosting provider, for example 100GB. If enough visitors arrive to consume the whole 100GB, the hosting provider may suspend the site. Attackers can do the same deliberately: they open 100 pages of a site, keep refreshing them and consume all the bandwidth, and the site goes out of service.
- Logic Attacks: These attacks exploit vulnerabilities in network software such as the web server or the underlying TCP/IP stack.
- Protocol Attacks: Exploiting a specific feature or implementation bug of a protocol installed at the victim in order to consume excessive amounts of its resources is known as a protocol attack. Protocols here are the rules that must be followed to send data over a network.
IV. Symptoms of DoS/DDoS Attack
US-CERT lists the following symptoms:
- Unusually slow network performance (opening files or accessing web sites)
- Unavailability of a particular web site
- Inability to access any web site
- Dramatic increase in the number of spam emails received
- Loss of service resulting from malicious activity, which is also a denial-of-service attack
DoS attacks can also lead to problems in the network branches around the actual computer being attacked. For example, the bandwidth of a router between the Internet and a LAN may be consumed by DoS, compromising not only the intended computer, but also the entire network.
V. Solutions to DDoS Attacks
i. Using Trapdoor Puzzles:
Under a DoS attack, a defending server sends a client a simple puzzle to authenticate the service request before allocating any system resource for it. The client has to solve the puzzle within a specified period and send back the solution. Only if the solution is correct does the defending server allocate the resource and continue with the rest of the request. Otherwise, the request is dropped immediately.
The plugin developed for this purpose is called DDoS Defence and works at the application level. It helps throttle a DDoS attack using this method: the server that would be the victim generates a large integer and sends it to the clients contacting it. To establish a connection with the server, a client has to send back the factors of the integer. If it does not, or if the answer is wrong, the connection is not established. This method helps reduce some of the traffic from malicious clients and establishes connections only with authentic ones.
The puzzle used for this purpose is, for example, integer factorization. When a request arrives from a client, the server sends an integer to be factorized. The client, if not malicious, returns the factors of the integer as the solution. If the solution is correct the connection is established, otherwise it is not. This method may help reduce malicious DoS client requests.
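The factorization puzzle described above, as an added example (not the DDoS Defence plugin's own code): the server issues a semiprime with a deadline, the honest client pays for the connection with trial division, and the server releases the resource only for a correct, timely, non-trivial answer. The prime sizes and the 2-second time limit are assumptions chosen for illustration.

```python
import math
import secrets
import time
from typing import Optional, Tuple

def is_prime(n: int) -> bool:
    """Deterministic trial division; adequate for the small primes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, math.isqrt(n) + 1, 2))

def random_prime(bits: int) -> int:
    """Random odd prime with exactly `bits` bits (top bit forced on)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(cand):
            return cand

class PuzzleServer:
    """Issues factorization puzzles; allocates resources only on a valid answer."""
    def __init__(self, bits: int = 20, ttl: float = 2.0):
        self.bits, self.ttl = bits, ttl   # assumed parameters
        self.pending = {}                 # client id -> (n, deadline)

    def issue(self, client: str, now: Optional[float] = None) -> int:
        now = time.time() if now is None else now
        n = random_prime(self.bits) * random_prime(self.bits)
        self.pending[client] = (n, now + self.ttl)
        return n

    def verify(self, client: str, factors: Tuple[int, int],
               now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self.pending.pop(client, None)   # one attempt per puzzle
        if entry is None:
            return False
        n, deadline = entry
        a, b = factors
        # reject late answers and the trivial factorization 1 * n
        return now <= deadline and 1 < a < n and 1 < b < n and a * b == n

def solve(n: int) -> Tuple[int, int]:
    """Honest client: trial division up to sqrt(n) is the work the puzzle imposes."""
    for d in range(2, math.isqrt(n) + 1):
        if n % d == 0:
            return d, n // d
    return 1, n
```

The puzzle must be cheap to generate and check on the server (two small primes, one multiplication) and costly to solve, otherwise the server spends more per request than the attacker does.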
ii. Malicious IP Restrictions
The Dynamic IP Restrictions Extension for IIS provides a configurable module that helps block denial of service attacks by temporarily blocking the Internet Protocol (IP) addresses of HTTP clients whose request pattern could indicate such an attack. The module can be configured so that the analysis and blocking are done at the web server or the web site level.
This is done by inspecting the source IP of the requests and identifying patterns that could signal an attack. When an attack pattern is detected, the module temporarily places the offending IP in a deny list and does not respond to its requests for a predetermined amount of time.
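The request-rate pattern described above, as an added example in Python rather than the IIS module's own code: each source IP is tracked in a sliding window, an IP that exceeds the threshold is placed in a deny list for a fixed period, and the logic is replayed over constructed log lines (timestamp, IP, method, path). The threshold of 20 requests per second and the 60-second deny period are assumptions.

```python
from collections import defaultdict, deque

class DynamicIpRestrictor:
    """Deny an IP for `deny_for` seconds once it sends more than
    `max_requests` requests inside any `window`-second span."""
    def __init__(self, max_requests=20, window=1.0, deny_for=60.0):
        self.max_requests, self.window, self.deny_for = max_requests, window, deny_for
        self.history = defaultdict(deque)   # ip -> recent request timestamps
        self.denied = {}                    # ip -> time the block is lifted

    def allow(self, ip, now):
        release = self.denied.get(ip)
        if release is not None:
            if now < release:
                return False                # still in the deny list
            del self.denied[ip]             # block expired, start fresh
        q = self.history[ip]
        q.append(now)
        while q and q[0] <= now - self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) > self.max_requests:
            self.denied[ip] = now + self.deny_for
            q.clear()
            return False
        return True

def replay(log_text, restrictor):
    """Replay 'ts ip method path' lines in time order; return per-IP counts."""
    counts = defaultdict(lambda: {"allowed": 0, "denied": 0})
    rows = (line.split() for line in log_text.splitlines() if line.strip())
    for ts, ip in sorted((float(r[0]), r[1]) for r in rows):
        counts[ip]["allowed" if restrictor.allow(ip, ts) else "denied"] += 1
    return dict(counts)

# Constructed sample: one source hammers /index.php 30 times in 0.6 s,
# another browses normally.
SAMPLE_LOG = "\n".join(
    [f"{1000.0 + i * 0.02:.2f} 10.0.0.5 GET /index.php" for i in range(30)]
    + [f"{1000.0 + i * 0.3:.2f} 192.0.2.7 GET /about" for i in range(3)]
)

if __name__ == "__main__":
    print(replay(SAMPLE_LOG, DynamicIpRestrictor()))
```

Behind a proxy or CDN the source IP is the proxy's, so the same logic has to key on the forwarded client address or it will block the proxy itself.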
iii. Use of a Content Delivery Network
Against a capacity-based attack, the defender can try to have more capacity than the attacker. The easy way of getting additional capacity beyond the means of any DDoS attacker is to use a Content Delivery Network. A CDN is a proxy solution that delivers content close to a target group and so offloads traffic from your website. There are a number of such services, such as Akamai, Amazon CloudFront or MaxCDN. If a CDN is in use and your site is hit by a DDoS attack, it is the CDN that is being attacked, not the site, and since the CDN has enormous capacity, no ordinary DDoS will be able to saturate it.
iv. Use of WordPress Plugins to Protect Against DDoS
Bad Behavior complements other link spam solutions by acting as a gatekeeper, preventing spammers from ever delivering their junk, and in many cases, from ever reading your site in the first place. This keeps your site’s load down, makes your site logs cleaner, and can help prevent denial of service conditions caused by spammers.
Bad Behavior also transcends other link spam solutions by working in a completely different, unique way. Instead of merely looking at the content of potential spam, Bad Behavior analyzes the delivery method as well as the software the spammer is using. In this way, Bad Behavior can stop spam attacks even when nobody has ever seen the particular spam before. Bad Behavior is designed to work alongside existing spam prevention services to increase their effectiveness and efficiency. Whenever possible, you should run it in combination with a more traditional spam prevention service.
Reference link: http://wordpress.org/extend/plugins/bad-behavior/
The plugin also prevents 32-bit PHP versions from hanging when processing a request containing the value 2.2250738585072011e-308. As a string, 2.2250738585072011e-308 causes no problems; it is when it is treated as a numeric value that the bug hits. If the value is assigned to a variable, e.g. $d = 2.2250738585072011e-308, PHP hangs (loops).
2.2250738585072011e-308 represents the largest subnormal double-precision floating-point number; written as a hexadecimal floating-point constant, it is 0x0.fffffffffffffp-1022. 2.2250738585072011e-308 is one of five 17-digit decimal values that convert (correctly) to 0x0.fffffffffffffp-1022.
Only 2.2250738585072011e-308 causes the problem. It happens to be the largest of the five decimal values.
VI. Other Prevention and Response Methods for DDoS
i. Firewalls
Firewalls can allow or deny protocols, ports or IP addresses using simple rules. Some DoS attacks are too complex for today's firewalls: for example, if there is an attack on port 80 (web service), a firewall cannot prevent it because it is unable to distinguish good traffic from DoS attack traffic. Firewalls also sit too deep in the network hierarchy; routers may be affected long before a firewall sees the traffic. Nonetheless, firewalls can effectively prevent users on machines behind the firewall from launching simple flooding-type attacks.
ii. Switches
Most switches have some rate-limiting and Access Control List capability. Some switches provide automatic and/or system-wide rate limiting, traffic shaping, delayed binding (TCP splicing), deep packet inspection and Bogon filtering (bogus IP filtering) to detect and remediate denial of service attacks through automatic rate filtering.
These schemes work as long as the DoS attack is one they can prevent. For example, a SYN flood can be prevented using delayed binding or TCP splicing. Similarly, content-based DoS can be prevented using deep packet inspection. Attacks originating from or going to dark addresses can be prevented using Bogon filtering. Automatic rate filtering works as long as the rate thresholds have been set correctly and granularly.
iii. Application Front End Hardware
Application front end hardware is hardware placed on the network before traffic reaches the servers. It can be used on networks alongside routers and switches. It analyzes data packets as they enter the system and classifies them as priority, regular or dangerous. There are more than 25 bandwidth management vendors. Hardware acceleration is key to bandwidth management.
iv. Blackholing and Sinkholing
With blackholing, all traffic to the attacked DNS name or IP address is sent to a "black hole" (a null interface or non-existent server). To be more efficient and avoid affecting your own network connectivity, this can be managed by the ISP. Sinkholing instead routes the traffic to a valid IP address that analyzes it and rejects the bad traffic. Sinkholing is not efficient against the most severe attacks.
VII. Web Stress Tools
Several tools are available that can be used to simulate load for web applications. By simulating load, concurrency issues can be tested and the behaviour of the application under stress can be better understood. With these tools a stress test can be run on the web server to see how it reacts when several hundred users access the application at peak times. Testing load and concurrency by refreshing a browser is not considered a valid test.
Some of the Web Stress Tools are:
i. Webserver Stress Tool:
Webserver Stress Tool is a powerful HTTP client/server test application designed to identify critical performance issues in your web site or web server that may prevent an optimal experience for your site's visitors. It can simulate a large number of users accessing a website via HTTP/HTTPS. This stress and load test tool provides graphs and data in a number of different formats, including easy-to-use graphs, a text log summary, a detailed text log, and a user text log (one for each user).
ii. HP LoadRunner software:
HP LoadRunner software is an automated performance and testing product from Hewlett-Packard for examining system behaviour and performance, while generating actual load. HP LoadRunner can emulate hundreds or thousands of concurrent users to put the application through the rigors of real-life user loads, while collecting information from key infrastructure components (Web servers, database servers etc).
iii. NeoLoad – Load Testing Tool:
NeoLoad is load testing software designed for web applications; it simulates user activity and analyzes server behavior. NeoLoad records and replays browser requests to the server. It can simulate requests made by components such as plug-ins, Java applets, ActiveX, Flash animations etc.
Other stress tools that can be used are WebLoad – Load Generation Engine, Microsoft WAS Tool, Apache JMeter, FWPTT – Fast Web Performance Test Tool, JCrawler – Stress Testing Tool, and Curl-loader.
The drawback of these tools is that they are not tunable. So we suggest using the HTTP Attack tool, which can be downloaded from here.
HTTP Attack tool is an open source web stress tool developed in the Information Security lab, Department of Computer Engineering, National Institute of Technology Karnataka. HTTPattack is used to simulate a number of clients accessing a website simultaneously at a given instant. Its source code is available to the research community so that they can use it and modify it according to their requirements. The source is easy to follow because it is written in C#.Net, follows the MSDN naming guidelines and is properly commented. The tool can be used to simulate a heavy load on a server to test its strength or to analyse overall performance under different load types. It can also be used to test how much DDoS load the website can withstand.
It accepts a set of URLs (uniform resource locators) as input and then starts sending requests to each URL in a circular fashion. It does not wait for the response after sending a request; instead it immediately moves on to the next request, but it creates one thread to receive that response, so for each request a corresponding thread is created that is responsible for receiving the response. In this way it can send the maximum number of requests in a short time interval (technically, it sends asynchronous requests). Efforts have been made to make the tool interactive: once it is running, every 5 seconds it shows the updated values and draws the graph. This lets the user see whether the success rate or the failure rate is high over a given period and whether the tool is running properly.
There is an IPC (inter-process communication) problem in logging the requests and responses: responses may arrive at any time and may try to access the log file concurrently. We solved this problem using a queue. Whenever a response or request arrives that has to be logged, it is first pushed onto the queue rather than written directly to the log file. At regular intervals all entries in the queue are written to the log file. The same method is used for the trace file.
DoS and DDoS attacks are a difficult problem. They present a very real threat to online businesses, even more so when the availability of the service is an essential business function. They can be reduced to some extent by the use of trapdoor puzzles. Firewalls and sensible security at the border gateway, as discussed above, can provide some degree of protection against low-bandwidth attacks. But more and more attacks use flooding techniques to saturate the bandwidth of online companies, thereby denying legitimate users access to their services. With careful planning and an understanding of the nature of the attack, it is possible to throttle this type of attack using different methods, some of which were discussed above.