"DoS Attacks and Password Cracking"
Question
"DoS Attacks and Password Cracking" Please respond to the following: Identify three (3) DoS attacks and analyze the way in which each attack takes advantage of the interworking of the transport protocols (e.g., TCP, IP, and UDP) and exploits the protocol's vulnerabilities. Describe the protocols used for each attack and suggest methods that system / security administrators could use in order to detect the attack and mitigate recurring instances. Explain the manner in which a Distributed DoS attack may be more effective than a DoS in bringing down a large network. From the e-Activity, compare and contrast Linux versus Windows password management methods. Suggest the methodology that you would use in order to make sure that all passwords have different hash values. Provide a rationale to support your response.
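The question's final item asks for a methodology that guarantees every stored password hash is different. The standard answer is a per-user random salt combined with a slow key-derivation function, which is how Linux shadow files ($6$ crypt entries) behave and which the classic unsalted Windows NT hash does not. The following is an added illustration, not part of the question or of the answer that follows; the record format, iteration count and the `audit_duplicate_hashes` helper are choices made for this example.

```python
"""Per-user salted password hashing, so identical passwords never share a hash.

Added example (not part of the original question or answer). It uses PBKDF2-HMAC
from the Python standard library; the record layout
"pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>" and the iteration count are
assumptions made for this illustration.
"""
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000   # illustrative work factor; tune to your hardware
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Derive a record with a fresh random salt (or the supplied one).

    Because the salt is random per call, two users with the same password
    get different records, and a precomputed table is useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the derivation from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != ALGO:
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def unsalted_hash(password):
    """What not to do: equal passwords give equal digests, so one crack reveals all."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def audit_duplicate_hashes(records):
    """Given {user: record}, return the groups of users whose stored hash value
    is identical. With salting in place this should always be empty."""
    by_hash = {}
    for user, rec in records.items():
        by_hash.setdefault(rec.rsplit("$", 1)[-1], set()).add(user)
    return [users for users in by_hash.values() if len(users) > 1]


if __name__ == "__main__":
    a = hash_password("correct horse")
    b = hash_password("correct horse")
    print("same password, different records:", a != b)
    print("verify:", verify_password("correct horse", a), verify_password("wrong", a))
    print("duplicates:", audit_duplicate_hashes({"alice": a, "bob": b}))
```

The audit function is the operational check: run it over the credential store after a migration and any non-empty result means some entries were stored without a unique salt.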
Explanation / Answer
1 Introduction
A Denial of Service (DoS) attack can be characterized as an attack with the purpose of preventing legitimate users from using a victim computing system or network resource [1]. A Distributed Denial of Service (DDoS) attack is a large-scale, coordinated attack on the availability of services of a victim system or network resource, launched indirectly through many compromised computers on the Internet. The services under attack are those of the “primary victim”, while the compromised systems used to launch the attack are often called the “secondary victims.” The use of secondary victims in performing a DDoS attack provides the attacker with the ability to wage a much larger and more disruptive attack, while making it more difficult to track down the original attacker. As defined by the World Wide Web Security FAQ: A Distributed Denial of Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the Denial of Service significantly by harnessing the resources of multiple unwitting accomplice computers which serve as attack platforms.[2]
According to the CIAC (Computer Incident Advisory Capability), the first DDoS attacks occurred in the summer of 1999 [3]. In February 2000, one of the first major DDoS attacks was waged against Yahoo.com. This attack kept Yahoo off the Internet for about 2 hours and cost Yahoo a significant loss in advertising revenue [4]. Another recent DDoS attack occurred on October 20, 2002 against the 13 root servers that provide the Domain Name System (DNS) service to Internet users around the world. They translate logical addresses such as www.yahoo.edu into a corresponding physical IP address, so that users can connect to websites through more easily remembered names rather than numbers. If all 13 servers were to go down, there would be disastrous problems accessing the World Wide Web. Although the attack only lasted for an hour and the effects were hardly noticeable to the average Internet user, it caused 7 of the 13 root servers to shut down, demonstrating the vulnerability of the Internet to DDoS attacks [5]. If unchecked, more powerful DDoS attacks could potentially cripple or disable essential Internet services in minutes.
The contributions of this paper include the first taxonomies proposed for classifying different DDoS attack networks, attacks, tools and countermeasures. DDoS attacks are relatively new and not at all well understood. For example, this paper is the first to characterize the setup and installation techniques of DDoS attack architectures, identifying both active and passive methods. By showing the types of DDoS attack networks, classifying the types of DDoS attack techniques, and describing the characteristics of the DDoS software tools, we hope to aid significantly in understanding the scope of DDoS attacks. This understanding can help to produce more effective and encompassing DDoS detection, prevention and mitigation mechanisms. We hope that this will lead to more comprehensive solutions to thwart both known attacks and the innumerable derivative attacks. Based on the understanding we derived in constructing these taxonomies to scope the DDoS problem, we have also proposed a taxonomy of DDoS countermeasures. This is a comprehensive set of possible preventive, defensive and forensic mechanisms, which target the DDoS problem before, during and after an actual DDoS attack.
In Section 2 we describe the main classes of DDoS attack networks. In Section 3 we present our taxonomy for DDoS attacks. In Section 4 we present the software characteristics for DDoS attack tools. We identify how these tools are set up on secondary victim systems, and how communications work within the DDoS attack network. In Section 5 we present an overview of the commands used by the DDoS attack tools. In Section 6 we present a brief description of some of the more common DDoS attack tools. In Section 7 we present a taxonomy of different classes of countermeasures for addressing DDoS attacks. In Section 8 we conclude the paper with a discussion of policy, legal and economic issues, and suggestions for future work on using these taxonomies to develop comprehensive DDoS solutions.
2 DDoS Attack Networks
Figure 1 shows two main types of DDoS attack networks: the Agent-Handler model and the Internet Relay Chat (IRC-Based) model (See Figure 1).
2.1 Agent-Handler Model
An Agent-Handler DDoS attack network consists of clients, handlers, and agents (see Figure 2). The client platform is where the attacker communicates with the rest of the DDoS attack network. The handlers are software packages located on computing systems throughout the Internet that the attacker uses to communicate indirectly with the agents. The agent software exists in compromised systems that will eventually carry out the attack on the victim system. The attacker communicates with any number of handlers to identify which agents are up and running, when to schedule attacks, or when to upgrade agents. Depending on how the attacker configures the DDoS attack network, agents can be instructed to communicate with a single handler or multiple handlers. Usually, attackers will try to place the handler software on a compromised router or network server that handles large volumes of traffic. This makes it harder to identify messages between the client and handler and between the handler and agents. The communication between attacker and handler and between the handler and agents can be via TCP, UDP, or ICMP protocols. The owners and users of the agent systems typically have no knowledge that their system has been compromised and will be taking part in a DDoS attack. When participating in a DDoS attack, each agent program uses only a small amount of resources (both in memory and bandwidth), so that the users of these computers experience minimal change in performance.
In descriptions of DDoS tools, the terms handler and agents are sometimes replaced with master and daemons respectively. Also, the systems that have been violated to run the agent software are referred to as the secondary victims, while the target of the DDoS attack is called the (primary) victim.
2.2 IRC-Based DDoS Attack Model
Internet Relay Chat (IRC) is a multi-user, on-line chatting system. It allows computer users to create two-party or multi-party interconnections and type messages in real time to each other [6]. IRC network architectures consist of IRC servers that are located throughout the Internet with channels to communicate with each other across the Internet. IRC chat networks allow their users to create public, private and secret channels. Public channels are channels where multiple users can chat and share messages and files. Public channels allow users of the channel to see all the IRC names and messages of users in the channel [7]. Private and secret channels are set up by users to communicate with only other designated users. Both private and secret channels protect the names and messages of users that are logged on from users who do not have access to the channel [8]. Although the content of private channels is hidden, certain channel locator commands will allow users not on the channel to identify its existence, whereas secret channels are much harder to locate unless the user is a member of the channel.
An IRC-Based DDoS attack network is similar to the Agent-Handler DDoS attack model except that instead of using a handler program installed on a network server, an IRC communication channel is used to connect the client to the agents. By making use of an IRC channel, attackers using this type of DDoS attack architecture have additional benefits. For example, attackers can use “legitimate” IRC ports for sending commands to the agents [9]. This makes tracking the DDoS command packets much more difficult. Additionally, IRC servers tend to have large volumes of traffic making it easier for the attacker to hide his presence from a network administrator. A third advantage is that the attacker no longer needs to maintain a list of agents, since he can simply log on to the IRC server and see a list of all available agents [9]. The agent software installed in the IRC network usually communicates to the IRC channel and notifies the attacker when the agent is up and running. A fourth advantage is that IRC networks also provide the benefit of easy file sharing. File sharing is one of the passive methods of agent code distribution that we discuss in Section 4. This makes it easier for attackers to secure secondary victims to participate in their attacks.
In an IRC-based DDoS attack architecture, the agents are often referred to as “Zombie Bots” or “Bots”. In both IRC-based and Agent-Handler DDoS attack models, we will refer to the agents as “secondary victims” or “zombies.”
3. DDoS Attack Taxonomy
There are a wide variety of DDoS attack techniques. We propose a taxonomy of the main DDoS attack methods in Figure 4. There are two main classes of DDoS attacks: bandwidth depletion and resource depletion attacks. A bandwidth depletion attack is designed to flood the victim network with unwanted traffic that prevents legitimate traffic from reaching the (primary) victim system. A resource depletion attack is an attack that is designed to tie up the resources of a victim system. This type of attack targets a server or process on the victim system making it unable to process legitimate requests for service.
There are two main classes of DDoS bandwidth depletion attacks. A flood attack involves the zombies sending large volumes of traffic to a victim system, to congest the victim system’s bandwidth. An amplification attack involves either the attacker or the zombies sending messages to a broadcast IP address, using this to cause all systems in the subnet reached by the broadcast address to send a message to the victim system. This method amplifies malicious traffic that reduces the victim system’s bandwidth.
In a DDoS flood attack the zombies flood the victim system with IP traffic. The large volume of packets sent by the zombies to the victim system slows it down, crashes the system or saturates the network bandwidth. This prevents legitimate users from accessing the victim. Figures 2 and 3 indicate a flood attack for an Agent-Handler attack network and an IRC-based attack network.
UDP Flood Attacks. User Datagram Protocol (UDP) is a connectionless protocol. When data packets are sent via UDP, there is no handshaking required between sender and receiver, and the receiving system will just receive packets it must process. A large number of UDP packets sent to a victim system can saturate the network, depleting the bandwidth available for legitimate service requests to the victim system.
In a DDoS UDP Flood attack, the UDP packets are sent to either random or specified ports on the victim system. Typically, UDP flood attacks are designed to attack random victim ports. This causes the victim system to process the incoming data to try to determine which applications have requested data. If the victim system is not running any applications on the targeted port, then the victim system will send out an ICMP packet to the sending system indicating a “destination port unreachable” message [3].
Often, the attacking DDoS tool will also spoof the source IP address of the attacking packets. This helps hide the identity of the secondary victims and it ensures that return packets from the victim system are not sent back to the zombies, but to another computer with the spoofed address.
UDP flood attacks may also fill the bandwidth of connections located around the victim system (depending on the network architecture and line-speed). This can sometimes cause systems connected to a network near a victim system to experience problems with their connectivity.
ICMP Flood Attacks. Internet Control Message Protocol (ICMP) packets are designed for network management features such as locating network equipment and determining the number of hops or round-trip-time to get from the source location to the destination. For instance, ICMP_ECHO_REPLY packets (“ping”) allow the user to send a request to a destination system and receive a response with the roundtrip time.
A DDoS ICMP flood attack occurs when the zombies send large volumes of ICMP_ECHO_REPLY packets to the victim system. These packets signal the victim system to reply and the combination of traffic saturates the bandwidth of the victim’s network connection [3]. As for the UDP flood attack, the source IP address may be spoofed.
The Windows NT operating system was developed by Microsoft Inc. and was first released in 1992. Windows NT has support for processes, threads, symmetric multiprocessing, distributed computing, and uses an object model to manage its resources. The structure of Windows NT is a hybrid between the layered model and the client/server model [5]. The former is used in the executive, which is the only part executing in kernel mode, while the latter is used to (1) provide the user with multiple operating system environments, e.g. Windows, MS-DOS, OS/2 and POSIX [1] and (2) implement parts of the operating system.
The UNIX operating system was first developed in the early seventies at AT&T Bell research laboratories. It is traditionally implemented as a single monolithic kernel that runs in kernel mode, while all user programs run in user mode. The kernel contains code for the file system, device drivers as well as code for process management [1], [16]. However, UNIX has always managed large parts of many system functions, such as networking, etc., outside the kernel, in user mode processes.
In the remainder of this section, a number of security mechanisms for UNIX and Windows NT are presented. These mechanisms have primarily been taken from the TCSEC [25] with some modifications. The mechanisms represent different aspects of security and are meant to provide a broad coverage of the area. Differences and similarities between the security mechanisms of the two operating systems are discussed in a concluding subsection.
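The answer describes the UDP flood (random destination ports, spoofed one-off sources, and the victim's resulting stream of ICMP "destination port unreachable" replies) and the ICMP echo flood, but not how an administrator would actually spot them. The block below is an added example, not part of the original question or answer, and not code from the paper it quotes: it runs per-destination, per-second rate and spread heuristics over a constructed packet-summary log. The log format, the traffic mix and every threshold are assumptions made for this illustration; a real deployment would feed it NetFlow/IPFIX records or pcap summaries.

```python
"""Flood-detection heuristics over constructed packet-summary log lines.

Added example (not part of the original question or answer). Log format,
sample traffic and thresholds are assumptions made for this illustration.
"""
import math
from collections import defaultdict


def make_sample_log():
    """Return constructed lines of the form "<epoch> <proto> <src> <dst> <info>",
    where <info> is the UDP destination port or the ICMP type.

    Mix: benign DNS and pings, then a UDP flood to spread-out ports from
    never-repeating (spoofed) sources, the victim's ICMP type-3 replies for
    the closed ports, and finally an ICMP echo flood from spoofed sources.
    """
    lines = []
    for i in range(20):                                  # benign DNS, 4 clients
        lines.append(f"{1000.0 + i * 0.1:.3f} UDP 192.168.1.{10 + i % 4} 10.0.0.53 53")
    for t in (1000.2, 1000.4, 1000.6):                   # benign echo requests
        lines.append(f"{t:.3f} ICMP 192.168.1.10 10.0.0.5 8")
    for i in range(150):                                 # UDP flood in second 1001
        src = f"203.0.{i // 250}.{i % 250 + 1}"          # constructed spoofed source
        port = 1024 + (i * 7919) % 64000                 # pseudo-random-looking port
        lines.append(f"{1001.0 + i / 150:.3f} UDP {src} 10.0.0.5 {port}")
        if i % 2 == 0:                                   # closed port -> ICMP unreachable
            lines.append(f"{1001.0 + i / 150:.3f} ICMP 10.0.0.5 {src} 3")
    for i in range(60):                                  # ICMP echo flood in second 1002
        lines.append(f"{1002.0 + i / 60:.3f} ICMP 198.51.100.{i + 1} 10.0.0.5 8")
    return lines


def parse_line(line):
    ts, proto, src, dst, info = line.split()
    return float(ts), proto, src, dst, int(info)


def detect_floods(lines, window=1.0, udp_pps=100, icmp_pps=50, unreach_pps=50,
                  port_spread=0.5, spoof_ratio=0.8):
    """Aggregate traffic into fixed windows and return alerts.

    udp_flood:             >= udp_pps UDP packets to one host in a window with a
                           high fraction of distinct destination ports
    icmp_echo_flood:       >= icmp_pps ICMP echo (type 0/8) packets to one host
    port_unreachable_burst: >= unreach_pps ICMP type-3 replies sent by one host,
                           the side effect of a UDP flood against closed ports
    spoof_suspected is set when nearly every packet carries a new source address.
    """
    udp = defaultdict(lambda: {"n": 0, "src": set(), "ports": set()})
    echo = defaultdict(lambda: {"n": 0, "src": set()})
    unreach = defaultdict(int)
    for line in lines:
        ts, proto, src, dst, info = parse_line(line)
        w = math.floor(ts / window)
        if proto == "UDP":
            b = udp[(dst, w)]
            b["n"] += 1
            b["src"].add(src)
            b["ports"].add(info)
        elif proto == "ICMP" and info in (0, 8):
            b = echo[(dst, w)]
            b["n"] += 1
            b["src"].add(src)
        elif proto == "ICMP" and info == 3:
            unreach[(src, w)] += 1

    alerts = []
    for (dst, w), b in udp.items():
        if b["n"] >= udp_pps and len(b["ports"]) / b["n"] >= port_spread:
            alerts.append({"kind": "udp_flood", "host": dst, "window": w, "count": b["n"],
                           "spoof_suspected": len(b["src"]) / b["n"] >= spoof_ratio})
    for (dst, w), b in echo.items():
        if b["n"] >= icmp_pps:
            alerts.append({"kind": "icmp_echo_flood", "host": dst, "window": w, "count": b["n"],
                           "spoof_suspected": len(b["src"]) / b["n"] >= spoof_ratio})
    for (host, w), n in unreach.items():
        if n >= unreach_pps:
            alerts.append({"kind": "port_unreachable_burst", "host": host, "window": w,
                           "count": n, "spoof_suspected": None})
    alerts.sort(key=lambda a: (a["window"], a["kind"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(make_sample_log()):
        print(alert)
```

The port-spread and new-source ratios are what separate a flood from a busy but legitimate service: real clients reuse a handful of ports and addresses, while the flood described in the answer hits random ports from addresses that never recur. The `port_unreachable_burst` alert is the cheap mitigation hook: rate-limiting outbound ICMP type 3 on the victim keeps the flood from also consuming its upstream bandwidth with replies.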