School of Computer Science School of Computer Science School of Computer Science University of Windsor University of Windsor University of Windsor Windsor, Ontario, Canada Windsor, Ontario, Canada Windsor, Ontario, Canada li12364@uindsor!ca se"dini@uindsor!ca chod1"@uindsor!ca #$stract Computer and #etor$ infrastructure has %ecome hac$er panic$ed domain that has increased &eometrically over the years ith the &eometric inte&ration and e'pansion of the inte&rated computer netor$ of the &lo%e! (very softare component participatin& in the service of inte&rated &lo%al netor$ ran&in& from )*+ to Super Computer, as ell as, home netor$ to internet are su%"ect to hac$in& threat! One ,and, every moment, hac$ers are discoverin& ne ays and techni-ues to carry an attac$. on the other hand victims are &ettin& e'hausted to face such attac$s! /i$e many of the cate&ories and techni-ues of attac$, *enial of Service 0*oS1 attac$s has %ecome a pro%lem domain for the security, netor$, and other computer professionals, as ell as the service providers and users of different computeri2ed and netor$ systems! *enial of Service 0*oS1 attac$ is coordinated attac$s performed %y hac$ers to disa%le a particular computer service throu&h manipulation of techni-ues those are used to provide the services! Some of the techni-ues used %y hac$ers are %randed as S3# 4loodin&, U*) floodin&, stac$ overflo, etc! 5n this paper, e ill descri%e *oS attac$ models, scope, techni-ues, availa%le tools to e'ecute such an attac$ usin& 6U*) 4loodin&7 and the countermeasures to face such attac$s! %ntrod!ction + *enial of Service 0*oS1 attac$ is an attac$ for preventin& le&itimate users from usin& a specific resource such as e% services, netor$ or a host! 8he hac$er intentionally %loc$s the availa%ility of the resource to its authori2ed users! *oS attac$ usin& U*) floodin& is a techni-ue that e'ecutes the attac$ usin& the U*) pac$ets! *urin& the year 199:;2<<< security specialist discovered 6*oS attac$ ith U*) floodin&7 vulnera%ilities in many of the Systems includin& =icrosoft products! >ulnera%ilities ere discovered in +C(?Server in its port @<<< a&ainst 4ra&&le attac$! Cisco has also discovered vulnera%ilities of its 5OS softare in routers a&ainst dia&nostic port here attac$er used to ports namely dia&nostics ports and char&en port as attac$in& media to attac$ usin& U*) floodin&! +lthou&h *oS attac$s are not ne, there is still a si&nificant ris$ of such attac$s as the ne techni-ue of *oS attac$s is %ein& invented %y the hac$ers! 8his paper discusses e'istin& ta'onomies for understandin& different *oS attac$s, techni-ues and tools, and countermeasures! 8his paper also discusses the setup and installation techni-ues of *oS attac$in& tools! 5n the folloin& sections e descri%e classes of *oS attac$ architectures, cate&ori2ation for *oS attac$s, softare characteristics for *oS attac$in& tools and classification of different *oS countermeasures! 4inally e conclude and referenced in last to sections! &otivation of DoS #ttack 8he motivation for *oS attac$s is not to %rea$ into a system %ut to ma$e the tar&et system deny the le&itimate user &ivin& service! 8his ill typically happen throu&h one of the folloin& aysA Crashin& the tar&et host system! *isa%lin& communication %eteen systems! =a$e the netor$ or the system don or have it operate at a loer speed to reduce productivity! 4ree2e the system, so that there is no automatic re%oot, so that, production is disrupted! *ependin& on the type of *oS attac$s planned, the hac$er first needs to find a sufficiently lar&e num%er of vulnera%le computers to use for attac$in&! 8his process can %e achieved manually or automatically! #oadays, hac$ers use scripts or scannin& tools that automate the entire process for findin& vulnera%le computers to ta$e over! #e't, the hac$er esta%lishes a communication channels %eteen computers, so that they can %e controlled and en&a&ed in a coordinated manner! DoS #ttack lasses 8he main classes of *oS attac$s are 0i1 Bandidth *epletion attac$ 0ii1 Cesource *epletion attac$ (i) 'he (andwidth De)letion attack floods a victim netor$ and there%y prevents authori2ed traffic from reachin& and &ettin& the service of the tar&eted victim! *+ Flood #ttack 5n this $ind of attac$, the netor$ of the victims system is flooded ith a lar&e num%er of pac$ets %y the attac$er to deplete the netor$ %andidth and there%y ma$in& the victimDs systems performance de&radation or sometimes system crash! *ue to saturation of the netor$ %andidth of the victimDs system, the le&itimate users of the system are prevented from accessin& the system! 4i& 1A Schematic dia&ram for *OS attac$ 4lood attac$s are %ein& launched either ith U*) or 5C=) pac$ets! 5n a U*) 4lood attac$, numerous amounts of U*) pac$ets are sent to either random or specified ports on the victim system! 5n order to determine the re-uested application, the victim system processes the incomin& data! 5n case of a%sence of the re-uested application on the re-uested port, the victim system sends a 6*estination unreacha%le7 messa&e to the sender 0attac$er1! 5n order to hide the identity of the attac$er, the attac$er often spoofs the source 5) address of the attac$in& pac$ets! U*) flood attac$s may also depletes the %andidth of netor$ around the victimDs system! 8here%y, the systems around the victim are also impacted due to the U*) floodin& attac$! ,+ 'he Fraggle #ttack 8his type of attac$ is usually used in U#5E and its family of OS platform, as ell as, in netor$ Couters and similar products! 8here are at least to service ports availa%le 011 (cho 0port FG and 021 Char&en 0port F 191 in this $ind of OS or devices! +ttac$er sends U*) (C,O pac$ets to the port that supports character &eneration 0char&en port1, ith the return address spoofed to the victimDs echo service 0echo port1 creatin& an infinite loop! 8he U*) (C,O pac$et 0called as U*) 4ra&&le pac$et1 tar&ets the character &enerator 0char&en port1 of the systems reached %y the %roadcast address! 8he char&en port &enerates a character and sends the same to the echo service 0echo port1 of the victimDs system! 8he victimDs system echo port then sends an echo pac$et %ac$ to the char&en port ; the process repeats and &enerates a loop! )ac$et &eneration loop created in this fashion &enerates dama&in& traffic and cause severe dama&e in the system! 4i& 3A Schematic dia&ram for 4ra&&le +ttac$ (ii) 'he -eso!rce De)letion #ttack is an attac$ that %ind the resources of the tar&et victimDs system 0such as processor1 ma$in& the victim una%le to process valid re-uests for services! +mon& the other floodin& tools, U*) floodin& is also used to deplete the resources of the victim system! UDP Flooder (hand" attacking tool) U*) flooder is a handy attac$in& tool for Windos )latform! 8he tool can send a numerous num%er of U*) pac$ets 0chosen %y attac$er1 at a selected speed from a host to another host! 5t uses a specific port to attac$ and also uses some ima&inary source address! 4i& 2A U*) flooder tool that is used for attac$! While testin& ith this tool, e have used three thread of the flooder and flooded the tar&et computer ith three different ports! +nd the result as to ays! 1! 8ie;up the C)U that resulted to crash 0shut;don of the victim system1! 2! Ceduced the netor$ speed 0communication %eteen third computer and attac$in& host as very slo1 4i& 4A Schematic dia&ram for U*) flood test %ed! o!nter &eas!res 8he core &oal of the *oS defense is not to stop the *oS attac$in& pac$ets, %ut to ensure that the le&itimate users can continue to perform their normal or$ despite the presence of a *oS attac$! 8herefore, a &ood defense method must achieve that &oal! + &ood *oS defense method should tar&et only true *oS attac$s! )reventive methods should not have the effect of spoilin& other forms of netor$ traffic! Ceactive methods should %e activated only hen a *oS attac$ is under ay! 4alse positives may cause indirect dama&e in many cases, %ut there are other undesira%le methods of hi&h false positive rates! 4or instance, hen a reactive system detects and responds to a *oS attac$, it can send a si&nal to the system administrator of the tar&eted system that it is ta$in& action! 5n the case here most the si&nals proven to %e false, then the system administrator ill start to i&nore them! Some *oS counter measures concentrate on protectin& you a&ainst the *oS! 8hey try to ensure that your netor$ and system ill never suffer the *oS effect! Other counter measures concentrate on detectin& attac$s hen they ta$e place and %y respondin& to them to reduce the *oS effect on your site! 8he folloin& counter measure mechanisms could help in defendin& the system, and one can %uild a more effective overall defense %y com%inin& several of them! Usin& a layered approach that com%ines several types of defenses, at several different locations, can %e more fle'i%le and harder for the hac$er to completely %ypass! 8hese mechanisms include filterin&, monitorin&, port %loc$in& and other ade-uate resources! *+ Filter .forged so!rce addressed / s)oofed %P0 )acket with 1etwork %ngress Filtering 5n this type of filterin&, the attac$erDs pac$et ith spoofed 5) is cau&ht and discarded at the first hand %efore reachin& to another netor$! 4i& @A 5n&ress filterin& +l&orithm of in&ress filterin& may %e li$e thisA 54, the source address of the incomin& pac$et in the router of the attac$er destined to the netor$ of the victim is ithin 192!1G6!1<!<?24 8,(# forard appropriate port (/S( forard the pac$et to some other place as a Hsuspicious pac$et for actionD or discard it! ,+ Disa$le the service )ort ()ort 23) and chargen )ort ()ort 2 *4) and filter the chargen and echo services / Fraggle attack! 4ra&&le attac$ e'ploited usin& the char&en or echo services! 4or most of the e-uipments and computers, these ports are usually not used for services! 8herefore, it is recommended that these services 0i!e! portFG and port F 191 %e disa%led! 5+ Disa$le and filter all !n!sed UDP services U*) floodin& is done usin& specific or random ports of the victims system! 8herefore, it is recommended thatA +ll unused U*) services on hosts %e disa%led! 4ireall is confi&ured ith all U*) ports less than 9<< %e %loc$ed e'cept some specific services, such as *#S 0port @31! 6+ &onitor "o!r network+ 5n case, U*) services are accessi%le from e'ternal netor$, it is recommended that proper pac$et and flo monitorin& is in place to learn hich systems are usin& the U*) services and to monitor for any misuse %y the e'ternal systems! =onitorin& could %e done usin& Snort, tcpdump, and netlo&, etc! While monitorin& ith the Snort, suspicious pac$et may %e detected usin& pac$et sniffer 0e used ireshar$1 and filtered accordin&ly! 8hreshold for netor$ flo may %e fi'ed and alert is &enerated accordin&ly! oncl!sion *oS attac$s ith U*) floodin& are one of the many techni-ues hac$erDs uses to ma$e the attac$! Such attac$s are made to ma$e the netor$ and related services non;operational and there%y restrictin& the le&itimate user from usin& the system! 5n our paper e have presented the pro%lems and the solution for those that are presently availa%le and developed on the %asis of the attac$ emer&ed at past! 4uture conse-uences of such $ind of attac$ could %e more critical and dama&in& to the technolo&y and economy of the service providin& system and or&ani2ation! +s more amoral and not satisfied users of the 5nternet o%serve the success of *oS attac$s, the chances for the fre-uency and severity of *oS attac$s ill increase! Until e find a reasona%le defense a&ainst some type of *oS attac$s, e can e'pect to see their occurrence, poer, and &ravity to increase! 8hat is %ecause of the netor$ %andidth, C)U speed, and num%er of availa%le resources that can %e hac$ed and compromised hich all continue to increase, as does the advancement of hac$in& tools for compromisin& computers and usin& them to attac$! 8herefore, it is a prime responsi%ility of the technolo&ists, %usiness manDs as ell as the users of the computeri2ed and netor$ed system of the &lo%e to invent effective solution to prevent such an attac$ at present and future! -eferences7 1! 6*enial;of;Service attac$sA Understandin& netor$ vulnera%ilities7, httpA??!93@!i%m!com?services?in?its%?pdf?pId enial;of;service!pdf 2! Stephen Specht and Cu%y /ee, 6*istri%uted *enial of ServiceA 8a'onomies of #etor$s, +ttac$s, 8ools, and Countermeasures,7 )rinceton University, *epartment of (lectrical (n&ineerin& 8echnical Ceport 3!Jelena =ir$ovic, Sven *ietrich, *avid *ittrich, )eter Ceiher A 65nternet *enial of ServiceA +ttac$ and *efense =echanisms7 )u%lisherA )rentice ,all )8C 4! Cyan Cussell 0(ditor1, *an Kamins$y 0+uthor1, Cain 4orest )uppy 0+uthor1, Joe Lrand 0+uthor1, K2 0+uthor1, *avid +hmad 0+uthor1, ,al 4lynn 0+uthor1, 5do *u%ras$y 0+uthor1, Steve W! =an2ui$ 0+uthor1, Cyan )ermeh 0+uthor1 A 6,ac$ )roofin& 3our #etor$ 02 nd edition17