DDoS Taxonomy

A DDoS attack taxonomy helps us understand the different types of DDoS attacks by providing a map of the field. The map is divided into categories depending on the nature of the attack, and it also helps to identify unexplored research areas. Above all it helps us to "think like" someone designing a DoS attack: if we get insight into the design, we get a better chance of mitigating it.

DDoS attacks are categorized by:

Degree of Automation

Agent Recruitment Strategies

Exploited Weakness

Source Address Validity

Attack Rate Dynamics

Possibility of Characterization

Persistence of Agent Set

Victim Type

Impact on the Victim


Degree of Automation:

Attacks are classified by how much of the attack is automated: Manual, Semi-Automatic and Automatic. In a manual attack the attacker scans for targets and breaks into the machines by hand, installs the attack code on each compromised host and then directs the attack. Early DDoS attacks were launched this way; it is slow, but it produces less of the scanning noise that automated recruitment generates.
In a semi-automatic attack the recruitment phase (scanning, exploitation and installation of the attack code) is automated, but the attack phase is controlled manually, so the master and the agent nodes have to communicate. The attacker's exposure depends on how that communication is done. With direct communication the master and the agents know each other's addresses (the agent is hard-coded with the master's address, or the master keeps a list of agents), so a captured agent can reveal the master. With indirect communication commands go through a third-party service, such as an IRC channel, which hides the master behind legitimate traffic.
In an automatic attack both the recruitment and the attack phase are automated: the attack type, victim, start time and duration are preprogrammed into the agent in advance, and no further communication between master and agents is needed. The advantage for the attacker is minimal exposure, but this is less flexible than the semi-automatic approach because everything is hard-coded and the attacker cannot reconfigure the agents during the attack, unless the agent code leaves a backdoor that allows later modification.

Agent Recruitment Strategies:

This category depends on the strategy the attacker uses to recruit agents, that is, to find and compromise the machines that will carry out the attack. It covers the Scanning strategy, the Vulnerability scanning strategy and the Attack code propagation mechanism. The scanning strategy determines how the attacker chooses which addresses to probe: Random scanning, Hit List scanning (a prepared list of vulnerable hosts), Permutation scanning (agents share a pseudo-random ordering of the address space so they do not rescan the same addresses) and Signpost scanning (using information found on the compromised host, such as addresses it has already contacted).
Vulnerability scanning determines how the chosen hosts are probed for weaknesses. Horizontal scanning looks for a single vulnerable port, a vulnerability the attacker already knows how to exploit, across many machines. Vertical scanning looks at multiple ports on the same machine. Coordinated scanning uses multiple machines to probe a whole network for a specific vulnerability. A hybrid (stealthy) strategy combines the techniques above and spreads the probes out in time so that they are harder to notice.
Attack code propagation describes how the attack code reaches a newly compromised host. With a Central Server (central source) approach all agents download the attack code from a single server, which makes that server a single point of failure: once it is discovered, the agents can be found and shut down easily. With Back Chaining each new host downloads the attack code from the machine that was used to exploit it, so there is no single server to take down.
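As an added example (not code from the original post), the following script classifies the three vulnerability-scanning patterns described above from connection records. The flow records, the RFC 5737 documentation addresses and the thresholds are constructed for the example; in practice the records would come from NetFlow, Zeek or firewall logs and the thresholds would be tuned to the network.

```python
# Added example, not code from the original post: classify probe patterns in
# constructed connection-attempt records as horizontal, vertical or
# coordinated scans, following the definitions used above.
from collections import defaultdict
import ipaddress

# Constructed sample flow records: (src_ip, dst_ip, dst_port, tcp_flags).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = (
    # one source, one port, forty destinations -> horizontal scan
    [("203.0.113.9", f"198.51.100.{i}", 445, "S") for i in range(1, 41)]
    # one source, one destination, forty ports -> vertical scan
    + [("203.0.113.77", "198.51.100.200", p, "S") for p in range(1000, 1040)]
    # thirty different sources, one port, one target network -> coordinated scan
    + [(f"192.0.2.{i}", f"198.51.100.{50 + i}", 22, "S") for i in range(1, 31)]
    # a little ordinary traffic
    + [("198.51.100.5", "198.51.100.10", 80, "S"),
       ("198.51.100.6", "198.51.100.10", 80, "S")]
)

def classify_scans(flows, host_threshold=20, port_threshold=20, source_threshold=10):
    """Group SYN-only probes three ways and report every group over its threshold.

    horizontal:  one source, one port, >= host_threshold distinct destinations
    vertical:    one source, one destination, >= port_threshold distinct ports
    coordinated: one port, one destination /24, >= source_threshold distinct sources
    The thresholds are assumptions for this example; tune them to the network.
    """
    dsts_by_src_port = defaultdict(set)     # (src, port) -> {dst}
    ports_by_pair = defaultdict(set)        # (src, dst)  -> {port}
    srcs_by_net_port = defaultdict(set)     # (dst /24, port) -> {src}
    for src, dst, port, flags in flows:
        if flags != "S":                    # only bare SYNs count as probes here
            continue
        dsts_by_src_port[(src, port)].add(dst)
        ports_by_pair[(src, dst)].add(port)
        dst_net = ipaddress.ip_network(f"{dst}/24", strict=False)
        srcs_by_net_port[(str(dst_net), port)].add(src)

    findings = {"horizontal": [], "vertical": [], "coordinated": []}
    for (src, port), dsts in dsts_by_src_port.items():
        if len(dsts) >= host_threshold:
            findings["horizontal"].append((src, port, len(dsts)))
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= port_threshold:
            findings["vertical"].append((src, dst, len(ports)))
    for (net, port), srcs in srcs_by_net_port.items():
        if len(srcs) >= source_threshold:
            findings["coordinated"].append((net, port, len(srcs)))
    return findings

if __name__ == "__main__":
    for kind, hits in classify_scans(SAMPLE_FLOWS).items():
        print(kind, hits)
```

Note that a coordinated scan only shows up when the records of the whole target network are examined together: each of the thirty sources on its own probes a single host once, which no per-source rule would flag. That is the detection-side counterpart of the stealth the attacker gains by spreading the scan.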

Exploited Weakness:

This category splits attacks into Semantic attacks and Brute Force attacks. In a semantic attack (for example a TCP SYN flood) the attacker exploits a specific feature or implementation bug of a protocol or application on the victim so that the victim spends excessive resources on each request. In the SYN flood case the server allocates a half-open connection for every SYN it receives, so a modest stream of spoofed SYNs fills the backlog and legitimate clients can no longer connect. These attacks can be mitigated by deploying modified protocols and applications that do not commit resources before the client has proven itself; SYN cookies are the classic fix for the SYN flood.
Brute force attacks do not depend on a protocol weakness. They work because the intermediate networks have more resources than the victim and can deliver a higher volume of packets than the victim can handle. The victim's resources are overwhelmed with seemingly legitimate packets, so a much higher volume of attack packets is required than for a semantic attack, and the packets are hard to filter because they look like normal traffic.
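To make the semantic weakness concrete, here is an added example (not code from the original post, and not a real TCP stack) of a toy listener under a spoofed SYN flood, first with the classic per-SYN state and then with the protocol modification that removes it. The backlog size, the flood size, the HMAC-based cookie and the addresses are all assumptions made for the example; real SYN cookies also encode the MSS and a coarse time counter in the sequence number.

```python
# Added example, not code from the original post: a toy listener that shows
# why a SYN flood is a semantic attack (the protocol commits state per SYN) and
# how a modified protocol, SYN cookies, removes the state the flood exhausts.
import hashlib
import hmac
import random

MASK32 = 0xFFFFFFFF

class StatefulListener:
    """Classic TCP listener: every SYN reserves a half-open slot until its ACK."""
    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}                      # (src, sport) -> server ISN

    def on_syn(self, src, sport):
        if len(self.half_open) >= self.backlog:
            return None                          # backlog full: SYN dropped
        isn = random.getrandbits(32)
        self.half_open[(src, sport)] = isn       # state committed before the peer proves itself
        return isn                               # sent back in the SYN-ACK

    def on_ack(self, src, sport, ack):
        isn = self.half_open.pop((src, sport), None)
        return isn is not None and ack == (isn + 1) & MASK32

class SynCookieListener:
    """Modified protocol: the ISN is an HMAC of the peer and a slow counter, so no
    state is kept until a valid ACK arrives. Real SYN cookies also encode the MSS
    and use a small time counter; that detail is simplified here (assumption)."""
    def __init__(self, key):
        self.key = key
        self.counter = 0                         # stands in for the time counter

    def _cookie(self, src, sport, counter):
        msg = f"{src}:{sport}:{counter}".encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, src, sport):
        return self._cookie(src, sport, self.counter)   # nothing stored

    def on_ack(self, src, sport, ack):
        # accept the cookie for the current or the previous counter value
        return any(ack == (self._cookie(src, sport, c) + 1) & MASK32
                   for c in (self.counter, self.counter - 1))

def legitimate_client_connects(listener, flood_syns=1000):
    """Send a spoofed SYN flood, then one honest handshake; report whether it succeeds."""
    random.seed(1)                               # constructed, repeatable flood
    for i in range(flood_syns):
        src = "10.%d.%d.%d" % tuple(random.randrange(256) for _ in range(3))
        listener.on_syn(src, 40000 + i)          # spoofed: the ACK never comes
    isn = listener.on_syn("198.51.100.7", 51515)
    if isn is None:
        return False                             # honest SYN dropped: service denied
    return listener.on_ack("198.51.100.7", 51515, (isn + 1) & MASK32)

if __name__ == "__main__":
    print("stateful :", legitimate_client_connects(StatefulListener(backlog=128)))
    print("cookies  :", legitimate_client_connects(SynCookieListener(b"example-key")))
```

A thousand spoofed SYNs are enough to deny service to the stateful listener with a 128-entry backlog, while the cookie listener is unaffected because a SYN costs it one HMAC and no memory. The same thousand packets would be nowhere near enough for a brute force attack on the same host, which is the difference between the two classes.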

Source Address Validity:

This category depends on the validity of the source address in the packets the agents send to the victim machine or network. An attacker can use spoofed or valid source addresses, depending on the requirements of the attack and of the agents being used. Spoofed addresses avoid detection and accountability, are required for reflector attacks, and make the attack harder to handle, because with valid addresses the victim could otherwise intelligently allocate resources to the various flows, for example by rate-limiting each source.
Some attacks, such as Naptha, require a valid source address because the attack mechanism needs several request/reply exchanges between the agent and the victim. A valid address may also be forced on the attacker by the agent's platform: Windows NT, for instance, did not allow user-level processes to modify packet headers.
Spoofed-address attacks are further divided into Routable and Non-Routable spoofed addresses, and routable spoofing into Random, Subnet and Fixed addresses. Random spoofing picks any address; non-routable addresses (private or reserved ranges) are the easiest to filter. The Fixed address technique is used for reflector attacks, where the victim's address is put in the source field so that replies from third parties land on the victim, and more generally to place the blame on a third party. Subnet spoofing chooses a random address from the agent's own subnet, which passes ingress filtering at the network edge; only a filter inside the subnet where the agent is located, one that knows which address belongs to which host, may be able to detect and drop it.
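The following added example (not code from the original post) runs each source-address class from this section through a BCP 38 style ingress filter at the agent's edge router and then through a stricter per-host check inside the subnet. The customer prefix, agent, victim and reflector addresses, the bogon list and the packet counts are assumptions constructed for the example.

```python
# Added example, not code from the original post: an ingress filter at an
# agent's edge router, run over constructed packets that use each source
# address class described above.
import ipaddress
import random

CUSTOMER_PREFIX = ipaddress.ip_network("203.0.113.0/24")   # prefix behind the edge router
AGENT = ipaddress.ip_address("203.0.113.55")               # the compromised host
VICTIM = "198.51.100.10"
REFLECTOR = "192.0.2.53"

# A short bogon list (assumption): prefixes that must never appear as a source.
NON_ROUTABLE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def is_routable(ip):
    return not any(ip in net for net in NON_ROUTABLE)

def edge_ingress_filter(src):
    """BCP 38 at the customer edge: forward only routable sources inside the customer prefix."""
    ip = ipaddress.ip_address(src)
    return is_routable(ip) and ip in CUSTOMER_PREFIX

def host_source_guard(src):
    """Per-port check inside the subnet: the agent's switch port may only send as the agent."""
    return ipaddress.ip_address(src) == AGENT

def random_routable(rng):
    """Random spoofing: any routable address that is not ours."""
    while True:
        ip = ipaddress.IPv4Address(rng.getrandbits(32))
        if is_routable(ip) and ip not in CUSTOMER_PREFIX:
            return str(ip)

def subnet_spoofed(rng):
    """Subnet spoofing: a random address from the agent's own /24, other than its own."""
    while True:
        ip = CUSTOMER_PREFIX[rng.randrange(1, CUSTOMER_PREFIX.num_addresses - 1)]
        if ip != AGENT:
            return str(ip)

def build_attack_packets(n=20, seed=7):
    """Constructed (src, dst) pairs, one list per source-address class."""
    rng = random.Random(seed)
    return {
        "valid":        [(str(AGENT), VICTIM)] * n,
        "fixed":        [(VICTIM, REFLECTOR)] * n,     # reflector attack: victim as source
        "random":       [(random_routable(rng), VICTIM) for _ in range(n)],
        "non_routable": [("10.1.2.3", VICTIM), ("127.0.0.1", VICTIM),
                         ("192.168.0.9", VICTIM), ("224.0.0.1", VICTIM)],
        "subnet":       [(subnet_spoofed(rng), VICTIM) for _ in range(n)],
    }

def pass_rate(packets, check):
    """Fraction of packets in each class that a given filter forwards."""
    return {cls: sum(check(src) for src, _ in pkts) / len(pkts)
            for cls, pkts in packets.items()}

if __name__ == "__main__":
    pkts = build_attack_packets()
    print("edge filter :", pass_rate(pkts, edge_ingress_filter))
    print("host guard  :", pass_rate(pkts, host_source_guard))
```

The edge filter drops random, non-routable and fixed (reflector) spoofing outright, but forwards every subnet-spoofed packet, exactly as the section says; only the per-host guard inside the subnet, which has to know the agent's real address, catches that class.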

Attack Rate Dynamics:

The rate at which the agents send can be Constant or Variable. With a constant rate the agents send attack packets to the victim as fast as they can from the moment the attack starts; this is the most effective per agent, but the sudden large packet stream makes detection easy.
To avoid detection the attacker can vary the rate. With an increasing rate the agents start slowly and gradually increase the flow until the victim's bandwidth is choked; this delays detection, but once the rate is high enough the attack is detected just like a constant-rate one. With a fluctuating rate the attack is pulsed: the intensity rises and falls in response to the victim's behaviour or on a preconfigured timing. The agents can also coordinate their pulses so that the aggregate intensity at the victim stays steady while the set of agents attacking at any one time varies. This is harder to detect and mitigate at the source network of each agent, because every individual source sends only in short bursts.

Possibility of Characterization:

Attacks are either Characterizable or Non-Characterizable. A characterizable attack uses packets with properties that can be recognised, and these are further split into Filterable and Non-Filterable attacks. Filterable attacks use packets that are malformed, or that are addressed to a protocol or application the victim does not actually offer, such as a UDP flood against a web server or an HTTP flood against an SMTP server. Such packets can be filtered by a firewall, although at sufficient volume they can still exhaust the firewall itself or the link in front of it.
Non-filterable attacks use well-formed packets that look like legitimate requests for a service the victim does offer; an HTTP flood against a web server is the typical case, and it cannot be filtered without also dropping legitimate clients.
Non-characterizable attacks mix a variety of protocols and applications, or use randomly generated packets, against a single victim, so there is no single signature to filter on.

Persistence of Agent Set:

If all the agents in the botnet behave the same way and are synchronised with each other, attacking the victim at the same time, this is called a Constant persistence of the agent set. If the compromised machines do not act in unison, the persistence is Variable: the agents are divided into groups that are not synchronised, and the groups may take turns launching the attack on the victim. This is the more convenient method for avoiding detection, because each agent is active only part of the time.
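The coordinated pulsing described under Attack Rate Dynamics and the variable persistence of the agent set described here are the same trick seen from two sides, so one added example (not code from the original post) covers both: a simulation of agents that take turns, compared with agents that all send constantly, as seen by a per-source detector at the agents' networks and by the victim. The agent count, group count, slot length, rates and detector thresholds are assumptions constructed for the example.

```python
# Added example, not code from the original post: simulate a botnet whose
# agents take turns (variable persistence) so that the aggregate rate at the
# victim is steady while each source network only sees short bursts.

def schedule(n_agents, n_groups, duration, pulse_len, rate):
    """Per-agent packets sent in each time slot.

    Agents are split into n_groups; group g is active during every g-th pulse of
    pulse_len slots, so at any moment n_agents / n_groups agents send at `rate`.
    n_groups == 1 gives constant persistence (every agent always on).
    """
    series = [[0] * duration for _ in range(n_agents)]
    for t in range(duration):
        active_group = (t // pulse_len) % n_groups
        for agent in range(n_agents):
            if agent % n_groups == active_group:
                series[agent][t] = rate
    return series

def aggregate(series):
    """What the victim sees: the sum over all agents in each slot."""
    return [sum(slot) for slot in zip(*series)]

def longest_run(samples, threshold):
    """Longest run of consecutive slots above threshold in one agent's stream."""
    best = current = 0
    for x in samples:
        current = current + 1 if x > threshold else 0
        best = max(best, current)
    return best

def source_side_alerts(series, threshold, min_run):
    """A per-source detector at each agent's network (assumption): it alerts only
    when a single source stays above `threshold` for `min_run` consecutive slots,
    which is what a rate limiter needs before it is sure it is not a burst."""
    return sum(1 for agent in series if longest_run(agent, threshold) >= min_run)

if __name__ == "__main__":
    constant = schedule(n_agents=12, n_groups=1, duration=60, pulse_len=5, rate=300)
    variable = schedule(n_agents=12, n_groups=3, duration=60, pulse_len=5, rate=300)
    for name, s in (("constant", constant), ("variable", variable)):
        agg = aggregate(s)
        print(f"{name}: victim sees {min(agg)}..{max(agg)} pkt/slot, "
              f"{source_side_alerts(s, threshold=150, min_run=8)} of 12 sources flagged")
```

With three groups and five-slot pulses the victim still sees a perfectly flat 1200 packets per slot, but no agent ever exceeds the threshold for eight consecutive slots, so a source-side detector that waits for sustained abuse flags none of them, whereas it flags all twelve constant-rate agents. Shortening the detector's patience to the pulse length catches them again, at the cost of more false positives on bursty legitimate traffic; that trade-off is what makes the variable agent set inconvenient to mitigate at the source.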