Denial of Service (DoS) attack with UDP Flood

Li Xiaoming Valon Sejdini Hasan howdh!r"

School of Computer Science School of Computer Science School of Computer Science
University of Windsor University of Windsor University of Windsor
Windsor, Ontario, Canada Windsor, Ontario, Canada Windsor, Ontario, Canada
li12364@uindsor!ca se"dini@uindsor!ca chod1"@uindsor!ca
#$stract
Computer and #etor$ infrastructure has
%ecome hac$er panic$ed domain that has increased
&eometrically over the years ith the &eometric
inte&ration and e'pansion of the inte&rated computer
netor$ of the &lo%e! (very softare component
participatin& in the service of inte&rated &lo%al
netor$ ran&in& from )*+ to Super Computer, as
ell as, home netor$ to internet are su%"ect to
hac$in& threat! One ,and, every moment, hac$ers are
discoverin& ne ays and techni-ues to carry an
attac$. on the other hand victims are &ettin&
e'hausted to face such attac$s!
/i$e many of the cate&ories and techni-ues
of attac$, *enial of Service 0*oS1 attac$s has
%ecome a pro%lem domain for the security, netor$,
and other computer professionals, as ell as the
service providers and users of different computeri2ed
and netor$ systems!
*enial of Service 0*oS1 attac$ is
coordinated attac$s performed %y hac$ers to disa%le a
particular computer service throu&h manipulation of
techni-ues those are used to provide the services!
Some of the techni-ues used %y hac$ers are %randed
as S3# 4loodin&, U*) floodin&, stac$ overflo, etc!
5n this paper, e ill descri%e *oS attac$
models, scope, techni-ues, availa%le tools to e'ecute
such an attac$ usin& 6U*) 4loodin&7 and the
countermeasures to face such attac$s!
%ntrod!ction
+ *enial of Service 0*oS1 attac$ is an attac$ for
preventin& le&itimate users from usin& a specific
resource such as e% services, netor$ or a host! 8he
hac$er intentionally %loc$s the availa%ility of the
resource to its authori2ed users!
*oS attac$ usin& U*) floodin& is a techni-ue that
e'ecutes the attac$ usin& the U*) pac$ets!
*urin& the year 199:;2<<< security specialist
discovered 6*oS attac$ ith U*) floodin&7
vulnera%ilities in many of the Systems includin&
=icrosoft products! >ulnera%ilities ere discovered
in +C(?Server in its port @<<< a&ainst 4ra&&le attac$!
Cisco has also discovered vulnera%ilities of its 5OS
softare in routers a&ainst dia&nostic port here
attac$er used to ports namely dia&nostics ports and
char&en port as attac$in& media to attac$ usin& U*)
floodin&!
+lthou&h *oS attac$s are not ne, there is
still a si&nificant ris$ of such attac$s as the ne
techni-ue of *oS attac$s is %ein& invented %y the
hac$ers! 8his paper discusses e'istin& ta'onomies for
understandin& different *oS attac$s, techni-ues and
tools, and countermeasures! 8his paper also discusses
the setup and installation techni-ues of *oS attac$in&
tools! 5n the folloin& sections e descri%e classes of
*oS attac$ architectures, cate&ori2ation for *oS
attac$s, softare characteristics for *oS attac$in&
tools and classification of different *oS
countermeasures! 4inally e conclude and referenced
in last to sections!
&otivation of DoS #ttack
8he motivation for *oS attac$s is not to %rea$
into a system %ut to ma$e the tar&et system deny the
le&itimate user &ivin& service! 8his ill typically
happen throu&h one of the folloin& aysA
Crashin& the tar&et host system!
*isa%lin& communication %eteen systems!
=a$e the netor$ or the system don or
have it operate at a loer speed to reduce
productivity!
4ree2e the system, so that there is no
automatic re%oot, so that, production is
disrupted!
*ependin& on the type of *oS attac$s planned,
the hac$er first needs to find a sufficiently lar&e
num%er of vulnera%le computers to use for attac$in&!
8his process can %e achieved manually or
automatically! #oadays, hac$ers use scripts or
scannin& tools that automate the entire process for
findin& vulnera%le computers to ta$e over! #e't, the
hac$er esta%lishes a communication channels
%eteen computers, so that they can %e controlled
and en&a&ed in a coordinated manner!
DoS #ttack lasses
8he main classes of *oS attac$s are
0i1 Bandidth *epletion attac$
0ii1 Cesource *epletion attac$
(i) 'he (andwidth De)letion attack floods a victim
netor$ and there%y prevents authori2ed traffic from
reachin& and &ettin& the service of the tar&eted
victim!
*+ Flood #ttack
5n this $ind of attac$, the netor$ of the victims
system is flooded ith a lar&e num%er of pac$ets %y
the attac$er to deplete the netor$ %andidth and
there%y ma$in& the victimDs systems performance
de&radation or sometimes system crash! *ue to
saturation of the netor$ %andidth of the victimDs
system, the le&itimate users of the system are
prevented from accessin& the system!
4i& 1A Schematic dia&ram for *OS attac$
4lood attac$s are %ein& launched either ith
U*) or 5C=) pac$ets!
5n a U*) 4lood attac$, numerous amounts of
U*) pac$ets are sent to either random or specified
ports on the victim system! 5n order to determine the
re-uested application, the victim system processes
the incomin& data! 5n case of a%sence of the
re-uested application on the re-uested port, the
victim system sends a 6*estination unreacha%le7
messa&e to the sender 0attac$er1! 5n order to hide the
identity of the attac$er, the attac$er often spoofs the
source 5) address of the attac$in& pac$ets! U*) flood
attac$s may also depletes the %andidth of netor$
around the victimDs system! 8here%y, the systems
around the victim are also impacted due to the U*)
floodin& attac$!
,+ 'he Fraggle #ttack
8his type of attac$ is usually used in U#5E and its
family of OS platform, as ell as, in netor$ Couters
and similar products! 8here are at least to service
ports availa%le 011 (cho 0port FG and 021 Char&en
0port F 191 in this $ind of OS or devices! +ttac$er
sends U*) (C,O pac$ets to the port that supports
character &eneration 0char&en port1, ith the return
address spoofed to the victimDs echo service 0echo
port1 creatin& an infinite loop!
8he U*) (C,O pac$et 0called as U*) 4ra&&le
pac$et1 tar&ets the character &enerator 0char&en port1
of the systems reached %y the %roadcast address!
8he char&en port &enerates a character and sends the
same to the echo service 0echo port1 of the victimDs
system! 8he victimDs system echo port then sends an
echo pac$et %ac$ to the char&en port ; the process
repeats and &enerates a loop! )ac$et &eneration loop
created in this fashion &enerates dama&in& traffic and
cause severe dama&e in the system!
4i& 3A Schematic dia&ram for 4ra&&le +ttac$
(ii) 'he -eso!rce De)letion #ttack is an attac$ that
%ind the resources of the tar&et victimDs system 0such
as processor1 ma$in& the victim una%le to process
valid re-uests for services!
+mon& the other floodin& tools, U*) floodin& is also
used to deplete the resources of the victim system!
UDP Flooder (hand" attacking tool)
U*) flooder is a handy attac$in& tool for
Windos )latform! 8he tool can send a numerous
num%er of U*) pac$ets 0chosen %y attac$er1 at a
selected speed from a host to another host! 5t uses a
specific port to attac$ and also uses some ima&inary
source address!
4i& 2A U*) flooder tool that is used for attac$!
While testin& ith this tool, e have used three
thread of the flooder and flooded the tar&et computer
ith three different ports! +nd the result as to
ays!
1! 8ie;up the C)U that resulted to crash 0shut;don
of the victim system1!
2! Ceduced the netor$ speed 0communication
%eteen third computer and attac$in& host as
very slo1
4i& 4A Schematic dia&ram for U*) flood test %ed!
o!nter &eas!res
8he core &oal of the *oS defense is not to stop the
*oS attac$in& pac$ets, %ut to ensure that the
le&itimate users can continue to perform their normal
or$ despite the presence of a *oS attac$! 8herefore,
a &ood defense method must achieve that &oal!
+ &ood *oS defense method should tar&et only
true *oS attac$s! )reventive methods should not
have the effect of spoilin& other forms of netor$
traffic! Ceactive methods should %e activated only
hen a *oS attac$ is under ay! 4alse positives may
cause indirect dama&e in many cases, %ut there are
other undesira%le methods of hi&h false positive
rates! 4or instance, hen a reactive system detects
and responds to a *oS attac$, it can send a si&nal to
the system administrator of the tar&eted system that it
is ta$in& action! 5n the case here most the si&nals
proven to %e false, then the system administrator ill
start to i&nore them!
Some *oS counter measures concentrate on
protectin& you a&ainst the *oS! 8hey try to ensure
that your netor$ and system ill never suffer the
*oS effect! Other counter measures concentrate on
detectin& attac$s hen they ta$e place and %y
respondin& to them to reduce the *oS effect on your
site!
8he folloin& counter measure mechanisms could
help in defendin& the system, and one can %uild a
more effective overall defense %y com%inin& several
of them! Usin& a layered approach that com%ines
several types of defenses, at several different
locations, can %e more fle'i%le and harder for the
hac$er to completely %ypass! 8hese mechanisms
include filterin&, monitorin&, port %loc$in& and other
ade-uate resources!
*+ Filter .forged so!rce addressed / s)oofed %P0
)acket with 1etwork %ngress Filtering
5n this type of filterin&, the attac$erDs pac$et ith
spoofed 5) is cau&ht and discarded at the first hand
%efore reachin& to another netor$!
4i& @A 5n&ress filterin&
+l&orithm of in&ress filterin& may %e li$e thisA
54, the source address of the incomin& pac$et in the
router of the attac$er destined to the netor$ of
the victim is ithin 192!1G6!1<!<?24
8,(# forard appropriate port
(/S( forard the pac$et to some other place as a
Hsuspicious pac$et for actionD or discard it!
,+ Disa$le the service )ort ()ort 23) and chargen
)ort ()ort 2 *4) and filter the chargen and echo
services / Fraggle attack!
4ra&&le attac$ e'ploited usin& the char&en or
echo services! 4or most of the e-uipments and
computers, these ports are usually not used for
services! 8herefore, it is recommended that these
services 0i!e! portFG and port F 191 %e disa%led!
5+ Disa$le and filter all !n!sed UDP services
U*) floodin& is done usin& specific or random
ports of the victims system! 8herefore, it is
recommended thatA
+ll unused U*) services on hosts %e disa%led!
4ireall is confi&ured ith all U*) ports less
than 9<< %e %loc$ed e'cept some specific
services, such as *#S 0port @31!
6+ &onitor "o!r network+
5n case, U*) services are accessi%le from e'ternal
netor$, it is recommended that proper pac$et and
flo monitorin& is in place to learn hich systems
are usin& the U*) services and to monitor for any
misuse %y the e'ternal systems! =onitorin& could %e
done usin& Snort, tcpdump, and netlo&, etc! While
monitorin& ith the Snort, suspicious pac$et may %e
detected usin& pac$et sniffer 0e used ireshar$1 and
filtered accordin&ly! 8hreshold for netor$ flo may
%e fi'ed and alert is &enerated accordin&ly!
oncl!sion
*oS attac$s ith U*) floodin& are one of the many
techni-ues hac$erDs uses to ma$e the attac$! Such
attac$s are made to ma$e the netor$ and related
services non;operational and there%y restrictin& the
le&itimate user from usin& the system! 5n our paper
e have presented the pro%lems and the solution for
those that are presently availa%le and developed on
the %asis of the attac$ emer&ed at past! 4uture
conse-uences of such $ind of attac$ could %e more
critical and dama&in& to the technolo&y and economy
of the service providin& system and or&ani2ation!
+s more amoral and not satisfied users of the 5nternet
o%serve the success of *oS attac$s, the chances for
the fre-uency and severity of *oS attac$s ill
increase! Until e find a reasona%le defense a&ainst
some type of *oS attac$s, e can e'pect to see their
occurrence, poer, and &ravity to increase! 8hat is
%ecause of the netor$ %andidth, C)U speed, and
num%er of availa%le resources that can %e hac$ed and
compromised hich all continue to increase, as does
the advancement of hac$in& tools for compromisin&
computers and usin& them to attac$!
8herefore, it is a prime responsi%ility of the
technolo&ists, %usiness manDs as ell as the users of
the computeri2ed and netor$ed system of the &lo%e
to invent effective solution to prevent such an attac$
at present and future!
-eferences7
1! 6*enial;of;Service attac$sA Understandin&
netor$ vulnera%ilities7,
httpA??!93@!i%m!com?services?in?its%?pdf?pId
enial;of;service!pdf
2! Stephen Specht and Cu%y /ee, 6*istri%uted *enial
of ServiceA 8a'onomies of #etor$s, +ttac$s,
8ools, and Countermeasures,7 )rinceton
University, *epartment of (lectrical (n&ineerin&
8echnical Ceport
3!Jelena =ir$ovic, Sven *ietrich, *avid *ittrich,
)eter Ceiher A 65nternet *enial of ServiceA +ttac$ and
*efense =echanisms7
)u%lisherA )rentice ,all )8C
4! Cyan Cussell 0(ditor1, *an Kamins$y 0+uthor1,
Cain 4orest )uppy 0+uthor1, Joe Lrand 0+uthor1, K2
0+uthor1, *avid +hmad 0+uthor1, ,al 4lynn
0+uthor1, 5do *u%ras$y 0+uthor1, Steve W!
=an2ui$ 0+uthor1, Cyan )ermeh 0+uthor1 A 6,ac$
)roofin& 3our #etor$ 02
nd
edition17