We studied distributed denial of service attacks in the Internet such as the widely publicized, distributed attacks on Yahoo!, Amazon.com, CNN.com, and other major Web sites in February 2000. Even though denial of service attacks have existed for some time, their recent distributed formats have made these attacks more difficult to prevent. In this paper we first summarize the methods involved in denial of service attacks, list possible defenses, and discuss in more depth the attack on Yahoo!. We then use a network simulator to study distributed denial of service attacks. Our simulation study examines how various queuing services in network routers may alleviate the problem of denying bandwidth to legitimate users during the denial of service attack. Finally, we use simulation results to recommend certain queuing algorithms that may protect users in cases of distributed denial of service attacks.
2. Characteristics of Distributed Denial of Service Attacks
A denial of service attack is characterized by an explicit attempt by an attacker to prevent legitimate users of a service from using the desired resources. Examples of denial of service attacks include:
- attempts to “flood” a network, thereby preventing legitimate network traffic;
- attempts to disrupt connections between two machines, thereby preventing access to a service;
- attempts to prevent a particular individual from accessing a service;
- attempts to disrupt service to a specific system or person.
The distributed format adds the “many to one” dimension that makes these attacks more difficult to prevent. A distributed denial of service attack is composed of four elements, as shown in Figure 1. First, it involves a victim, i.e., the target host that has been chosen to receive the brunt of the attack. Second, it involves the presence of the attack daemon agents. These are agent programs that actually conduct the attack on the target victim. Attack daemons are usually deployed in host computers. These daemons affect both the target and the host computers. The task of deploying these attack daemons requires the attacker to gain access to and infiltrate the host computers. The third component of a distributed denial of service attack is the control master program. Its task is to coordinate the attack. Finally, there is the real attacker, the mastermind behind the attack. By using a control master program, the real attacker can stay behind the scenes of the attack. The following steps take place during a distributed attack:
1. The real attacker sends an “execute” message to the control master program.
2. The control master program receives the “execute” message and propagates the command to the attack daemons under its control.
3. Upon receiving the attack command, the attack daemons begin the attack on the victim.
Although it seems that the real attacker has little to do but send out the “execute” command, he/she actually has to plan the execution of a successful distributed denial of service attack. The attacker must infiltrate all the host computers and networks where the attack daemons are to be deployed. The attacker must study the target’s network topology and search for bottlenecks and vulnerabilities that can be exploited during the attack. Because of the use of attack daemons and control master programs, the real attacker is not directly involved during the attack, which makes it difficult to trace who spawned the attack. In the following subsections, we review some well-known attack methods (Smurf, SYN Flood, and User Datagram Protocol (UDP) Flood) and the current distributed denial of service methods (Trinoo, Tribe Flood Network, Stacheldraht, Shaft, and TFN2K).
2.1 Methods of Denial of Service Attacks
We describe below some widely known basic denial of service attack methods that are employed by the attack daemons.

Smurf attack involves an attacker sending a large amount of Internet Control Message Protocol (ICMP) echo traffic to a set of Internet Protocol (IP) broadcast addresses. The ICMP echo packets are specified with a source address of the target victim (spoofed address). Most hosts on an IP network will accept ICMP echo requests and reply to them with an echo reply to the source address, in this case, the target victim. This multiplies the traffic by the number of responding hosts. On a broadcast network, there could potentially be hundreds of machines to reply to each ICMP packet. The process of using a network to elicit many responses to a single packet has been labeled as an “amplifier”. There are two parties who are hurt by this type of attack: the intermediate broadcast devices (amplifiers) and the spoofed source address target (the victim). The victim is the target of a large amount of traffic that the amplifiers generate. This attack has the potential to overload an entire network.

SYN Flood attack is also known as the Transmission Control Protocol (TCP) SYN attack, and is based on exploiting the standard TCP three-way handshake. The TCP three-way handshake requires a three-packet exchange to be performed before a client can officially use the service. A server, upon receiving an initial SYN (synchronize/start) request from a client, sends back a SYN/ACK (synchronize/acknowledge) packet and waits for the client to send the final ACK (acknowledge). However, it is possible to send a barrage of initial SYNs without sending the corresponding ACKs, essentially leaving the server waiting for the non-existent ACKs. Considering that the server only has a limited buffer queue for new connections, a SYN Flood results in the server being unable to process other incoming connections as the queue gets overloaded.

UDP Flood attack is based on the UDP echo and character generator services provided by most computers on a network. The attacker uses forged UDP packets to connect the echo service on one machine to the character generator (chargen) service on another machine. The result is that the two services consume all available network bandwidth between the machines as they exchange characters between themselves. A variation of this attack, called ICMP Flood, floods a machine with ICMP packets instead of UDP packets.
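As an added example (not part of the paper), the following Python sketches how a defender might spot each of the three patterns just described in packet summaries: ICMP echo requests aimed at a local broadcast address (Smurf), many SYNs with few completing ACKs (SYN Flood), and UDP traffic between the echo and chargen ports (UDP Flood). The record format, the sample traffic and the thresholds are constructed assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

ECHO, CHARGEN = 7, 19  # the two UDP services a UDP Flood chains together

# Constructed packet summaries: (proto, src, dst, sport, dport, flags).
# For ICMP records the flags field carries the message type instead.
SAMPLE = [
    ("icmp", "203.0.113.5", "192.168.1.255", 0, 0, "echo-request"),  # to broadcast
    ("icmp", "203.0.113.5", "192.168.1.255", 0, 0, "echo-request"),
    ("icmp", "192.168.1.10", "192.168.1.20", 0, 0, "echo-request"),  # ordinary ping
    ("tcp", "198.51.100.1", "192.168.1.5", 40001, 80, "S"),
    ("tcp", "198.51.100.2", "192.168.1.5", 40002, 80, "S"),
    ("tcp", "198.51.100.3", "192.168.1.5", 40003, 80, "S"),
    ("tcp", "198.51.100.4", "192.168.1.5", 40004, 80, "S"),
    ("tcp", "192.168.1.7", "192.168.1.5", 40005, 80, "S"),
    ("tcp", "192.168.1.7", "192.168.1.5", 40005, 80, "A"),  # handshake completed
    ("udp", "192.168.1.30", "192.168.1.31", ECHO, CHARGEN, ""),
    ("udp", "192.168.1.31", "192.168.1.30", CHARGEN, ECHO, ""),
]

def smurf_candidates(records, local_nets):
    """Smurf amplifier pattern: ICMP echo requests addressed to one of our own
    broadcast addresses. Returns {(src, dst): count}; src is the spoofed victim."""
    bcasts = {ip_network(n).broadcast_address for n in local_nets}
    hits = Counter()
    for proto, src, dst, _sp, _dp, kind in records:
        if proto == "icmp" and kind == "echo-request" and ip_address(dst) in bcasts:
            hits[(src, dst)] += 1
    return dict(hits)

def syn_flood_scores(records, min_syns=3, max_completion=0.5):
    """SYN Flood pattern: many SYNs to a (dst, port) with few third-step ACKs,
    i.e. connections left half-open in the server's backlog. Returns
    {(dst, port): (syns, acks)} for the pairs that breach the thresholds."""
    syns, acks = Counter(), Counter()
    for proto, _src, dst, _sp, dport, flags in records:
        if proto == "tcp" and flags == "S":
            syns[(dst, dport)] += 1
        elif proto == "tcp" and flags == "A":
            acks[(dst, dport)] += 1
    return {k: (n, acks[k]) for k, n in syns.items()
            if n >= min_syns and acks[k] / n <= max_completion}

def echo_chargen_loops(records):
    """UDP Flood pattern: datagrams between the echo and chargen ports, which
    would make two hosts bounce characters at each other indefinitely."""
    return sorted({(min(src, dst), max(src, dst))
                   for proto, src, dst, sp, dp, _f in records
                   if proto == "udp" and {sp, dp} == {ECHO, CHARGEN}})
```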
2.2 Methods of Distributed Denial of Service Attacks
In this section, we describe the distributed denial of service methods employed by an attacker. These techniques help an attacker coordinate and execute the attack. These types of attacks plagued the Internet in February 2000. However, these distributed attack techniques still rely on the previously described attack methods to carry out the attacks. The techniques are listed in chronological order. It can be observed that as time has passed, the distributed techniques (Trinoo, TFN, Stacheldraht, Shaft, and TFN2K) have become technically more advanced and, hence, more difficult to detect.

Trinoo uses TCP to communicate between the attacker and the control master program. The master program communicates with the attack daemons using UDP packets. Trinoo’s attack daemons implement UDP Flood attacks against the target victim [10].

Tribe Flood Network (TFN) uses a command line interface to communicate between the attacker and the control master program. Communication between the control master and attack daemons is done via ICMP echo reply packets. TFN’s attack daemons implement Smurf, SYN Flood, UDP Flood, and ICMP Flood attacks [10].

Stacheldraht (German term for “barbed wire”) is based on the TFN attack. However, unlike TFN, Stacheldraht uses an encrypted TCP connection for communication between the attacker and master control program. Communication between the master control program and attack daemons is conducted using TCP and ICMP, and involves an automatic update technique for the attack daemons. The attack daemons for Stacheldraht implement Smurf, SYN Flood, UDP Flood, and ICMP Flood attacks [10].

Shaft is modeled after Trinoo. Communication between the control master program and attack daemons is achieved using UDP packets. The control master program and the attacker communicate via a simple TCP telnet connection. A distinctive feature of Shaft is the ability to switch control master servers and ports in real time, hence making detection by intrusion detection tools difficult [11].

TFN2K uses TCP, UDP, ICMP, or all three to communicate between the control master program and the attack daemons. Communication between the real attacker and control master is encrypted using a key-based CAST-256 algorithm [1]. In addition, TFN2K conducts covert exercises to hide itself from intrusion detection systems. TFN2K attack daemons implement Smurf, SYN, UDP, and ICMP Flood attacks.