Internet Denial of Service: Attack and Defense Mechanisms Paperback – Dec 30 2004
|New from||Used from|
No Kindle device required. Download one of the Free Kindle apps to start reading Kindle books on your smartphone, tablet, and computer.
Getting the download link through email is temporarily not available. Please check back later.
To get the free app, enter your mobile phone number.
From the Inside Flap
It is Monday night and you are still in the office, when you suddenly become aware of the whirring of the disks and network lights blinking on the Web server. It seems like your company's Web site is quite well visited tonight, which is good because you are in e-business, selling products over the Internet, and more visits mean more earnings. You decide to check it out too, but the Web page will not load. Something is wrong.
A few minutes later, network operations confirm your worst fears. Your company's Web site is under a denial-of-service attack. It is receiving so many requests for a Web page that it cannot serve them all--50 times your regular load. Just like you cannot access the Web site, none of your customers can. Your business has come to a halt.
You all work hard through the night trying to devise filtering rules to weed out bogus Web page requests from the real ones. Unfortunately, the traffic you are receiving is very diverse and you cannot find a common feature that would make the attack packets stand out. You next try to identify the sources that send you a lot of traffic and blacklist them in your firewall. But there seem to be hundreds of thousands of them and they keep changing. You spend the next day bringing up backup servers and watching them overload as your earnings settle around zero. You contact the FBI and they explain that they are willing to help you, but it will take them a few days to get started. They also inform you that many perpetrators of denial-of-service attacks are never caught, since they do not leave enough traces behind them.
All you are left with are questions: Why are you being attacked? Is it for competitive advantage? Is an ex-employee trying to get back at you? Is this a very upset customer? How long can your business be offline and remain viable? How did you get into this situation, and how will you get out of it? Or is this just a bug in your own Web applications, swamping your servers accidentally?
This is a book about Denial-of-Service attacks, or DoS for short. These attacks aim at crippling applications, servers, and whole networks, disrupting legitimate users' communication. They are performed intentionally, easy to perpetrate, and very, very hard to handle. The popular form of these attacks, Distributed Denial-of-Service (DDoS) attacks, employs dozens, hundreds, or even well over 100,000 compromised computers, to perform a coordinated and widely distributed attack. It is immensely hard to defend yourself against a coordinated action by so many machines.
This book describes DoS and DDoS attacks and helps you understand this new threat. It also teaches you how to prepare for these attacks, preventing them when possible, dealing with them when they do occur, and learning how to live with them, how to quickly recover and how to take legal action against the attackers.1.1 DoS and DDoS
The goal of a DoS attack is to disrupt some legitimate activity, such as browsing Web pages, listening to an online radio, transferring money from your bank account, or even docking ships communicating with a naval port. This denial-of-service effect is achieved by sending messages to the target that interfere with its operation, and make it hang, crash, reboot, or do useless work.
One way to interfere with a legitimate operation is to exploit a vulnerability present on the target machine or inside the target application. The attacker sends a few messages crafted in a specific manner that take advantage of the given vulnerability. Another way is to send a vast number of messages that consume some key resource at the target such as bandwidth, CPU time, memory, etc. The target application, machine, or network spends all of its critical resources on handling the attack traffic and cannot attend to its legitimate clients.
Of course, to generate such a vast number of messages the attacker must control a very powerful machine--with a sufficiently fast processor and a lot of available network bandwidth. For the attack to be successful, it has to overload the target's resources. This means that an attacker's machine must be able to generate more traffic than a target, or its network infrastructure, can handle.
Now let us assume that an attacker would like to launch a DoS attack on example.com by bombarding it with numerous messages. Also assuming that example.com has abundant resources, it is then difficult for the attacker to generate a sufficient number of messages from a single machine to overload those resources. However, suppose he gains control over 100,000 machines and engages them in generating messages to example.com simultaneously. Each of the attacking machines now may be only moderately provisioned (e.g., have a slow processor and be on a modem link) but together they form a formidable attack network and, with proper use, will be able to overload a well-provisioned victim. This is a distributed denial-of-service--DDoS.
Both DoS and DDoS are a huge threat to the operation of Internet sites, but the DDoS problem is more complex and harder to solve. First, it uses a very large number of machines. This yields a powerful weapon. Any target, regardless of how well provisioned it is, can be taken offline. Gathering and engaging a large army of machines has become trivially simple, because many automated tools for DDoS can be found on hacker Web pages and in chat rooms. Such tools do not require sophistication to be used and can inflict very effective damage. A large number of machines gives another advantage to an attacker. Even if the target were able to identify attacking machines (and there are effective ways of hiding this information), what action can be taken against a network of 100,000 hosts? The second characteristic of some DDoS attacks that increases their complexity is the use of seemingly legitimate traffic. Resources are consumed by a large number of legitimate-looking messages; when comparing the attack message with a legitimate one, there are frequently no telltale features to distinguish them. Since the attack misuses a legitimate activity, it is extremely hard to respond to the attack without also disturbing this legitimate activity.
Take a tangible example from the real world. (While not a perfect analogy to Internet DDoS, it does share some important characteristics that might help you understand why DDoS attacks are hard to handle.) Imagine that you are an important politician and that a group of people that oppose your views recruit all their friends and relatives around the world to send you hate letters. Soon you will be getting so many letters each day that your mailbox will overflow and some letters will be dropped in the street and blown away. If your supporters send you donations through the mail, their letters will either be lost or stuffed in the mailbox among the copious hate mail. To find these donations, you will have to open and sort all the mail received, wasting lots of time. If the mail you receive daily is greater than what you can process during one day, some letters will be lost or ignored. Presumably, hate letters are much more numerous than those carrying donations, so unless you can quickly and surely tell which envelopes contain donations and which contain hate mail, you stand a good chance of losing most of the donations. Your opponents have just performed a real-world distributed denial of service attack on you, depriving you of support that may be crucial to your campaign.
What could you do to defend yourself? Well, you could buy a bigger mailbox, but your opponents can simply increase the number of letters they send, or recruit more helpers. You must still identify the donations in the even larger pool of letters. You could hire more people to go through letters--a costly solution since you have to pay them from diminishing donations. If your opponents can recruit more helpers for free, they can make your processing costs as high as they like. You could also try to make the job of processing mail easier by asking your supporters to use specially colored envelopes. Your processing staff can then simply discard all envelopes that are not of the specified color, without opening them. Of course, as soon as your opponents learn of this tactic they will purchase the same colored envelopes and you are back where you started. You could try to contact post offices around the country asking them to keep an eye on people sending loads of letters to you. This will only work if your opponents are not widely spread and must therefore send many letters each day from the same post office. Further, it depends on cooperation that post offices may be unwilling or unable to provide. Their job is delivering letters, not monitoring or filtering out letters people do not want to get. If many of those sending hate mail (and some sending donations) are in different countries, your chances of getting post office cooperation are even smaller. You could also try to use the postmark on the letters to track where they were sent from, then pay special attention to post offices that your supporters use or to post offices that handle suspiciously large amounts of your mail. This means that you will have to keep a list of all postmarks you have seen and classify each letter according to its postmark, to look for anomalous amounts of mail carrying a certain postmark. If your opponents are numerous and well spread all over the world this tactic will fail. Further, postmarks are fairly nonspecific locators, so you are likely to lose some donations while discarding the hate letters coming to you from a specific postmark.
As stated before, the analogy is not perfect, but there are important similarities. In particular, solutions similar to those above, as well as numerous other approaches specific to the Internet world, have been proposed to deal with DDoS. Like the solutions listed above that try to solve the postal problem, the Internet DDoS solutions often have limitations or do not work well in the real world. This book will survey those approaches, presenting their good and bad sides, and provide pointers for further reference. It will also talk about ways to secure and strengthen your network so it cannot be easily taken offline, steps to take once you are under attack (or an unwitting source of the attack), and what law enforcement can do to help you with a DDoS problem.1.2 Why Should We Care?
Why does it matter if someone can take a Web server or a router offline? It matters because the Internet is now becoming a critical resource whose disruption has financial implications, or even dire consequences on human safety. An increasing number of critical services are using the Internet for daily operation. A DDoS attack may not just mean missing out on the latest sports scores or weather. It may mean losing a bid on an item you want to buy or losing your customers for a day or two while you are under attack. It may mean, as it did for the port of Houston, Texas, that the Web server providing the weather and scheduling information is unavailable and no ships can dock. Lately, a disturbing extortion trend has appeared--online businesses are threatened by DDoS if they do not pay for "protection." Such a threat is frequently backed up by a small demonstration that denies the business service for a few hours.
How likely are you to be a DDoS target? A study evaluated Internet DDoS activity in 2001, looking at a small sample of traffic observable from its network. The authors were able to detect approximately 4,000 attacks per week (for a three week period), against a variety of targets ranging from large companies such as Amazon and Hotmail to small Internet Service Providers (ISPs) and dial-up connections. The method they used was not able to notice all attacks that happened during that period, so 4,000 is an underestimate. Further, since DDoS activity has increased and evolved since then, today's figure is likely to be much bigger. In the 2004 FBI report on cybercrime, nearly a fifth of the respondents who suffered financial loss from an attack had experienced a DoS attack. The total reported costs of DoS attacks were over $26 million. Denial of service was the top source of financial loss due to cybercrime in 2004. It is safe to conclude that the likelihood of being a DDoS target is not negligible.
But DDoS affects not only the target of the attack traffic. Legitimate users of the target's services are affected, too. In January 2001, a DDoS attack on Microsoft prevented about 98% of legitimate users from getting to any of Microsoft's servers. In October 2002, there was an attack on all 13 root Domain Name System (DNS) servers. DNS service is crucial for Web browsers and for many other applications, and those 13 servers keep important data for the whole Internet. Since DNS information is heavily cached and the attack lasted only an hour, there was no large disruption of Internet activity. However, 9 of these 13 servers were seriously affected. Had the attack lasted longer, the Internet could conceivably have experienced severe disruption. The aforementioned attack that disabled the port of Houston, Texas, was actually directed at a South African chat room user, with the port's computers being misused for the attack. DDoS affects all of us directly or indirectly and is a threat that should be taken seriously.1.3 What Is This Book?
This is the first book that is written exclusively about the DoS problem. There have been a number of important shorter treatments of the DDoS problem and solution approaches, but this book greatly expands on and updates these seminal works. It is intended to speak to both technical and nontechnical audiences, informing them about this problem and presenting and discussing potential solutions. Whether you are a CTO of a company, a network administrator, or a computer science student, we are sure you will find the information in this book informative and helpful and will want to learn more about DoS and DDoS. We have provided references to further reading, conferences, and journals that publish papers from this field and organizations that deal with the DoS problem specifically for this purpose.There should be sufficient depth and detail for technical readers, with many citations to provide the added detail this audience demands.
This book will help you understand the problem of DDoS. It will help you in evaluating current defenses and in choosing the right ones for you. It will help you protect your network, minimizing damages and quickly recovering if you do get attacked.
We wrote this book because--surprisingly, considering DDoS has existed as a problem since 1999--there are currently no books that focus exclusively on DDoS. Existing network security books either ignore the topic or devote at most a chapter to it. These works provide enough information for computer practitioners who merely need to be familiar with the concept, but not nearly enough for a network administrator or CTO who needs to protect her network from such attacks and must be prepared to recover from them. There are many academic papers on the subject, but their view is limited to their particular research topic. There are also white papers from companies offering products to ameliorate DDoS attacks, but they are primarily interested in demonstrating the effectiveness and other advantages of their particular product.1.6 Outline of the Remaining Chapters
Since the book is intended for a variety of readers, we divided its content into chapters with different difficulty levels (denoted in italics next to chapter names in the overview below). Chapters marked nontechnical are intended for readers who do not have extensive knowledge of networking and security and who are seeking a gradual introduction to DDoS. These readers may wish to read only the nontechnical chapters. Chapters marked technical are for those readers who are familiar with networking operations, such as system administrators, and who are looking for a quick reference to specific DDoS issues or for a fast technical overview of the problems and potential solutions. These readers may wish to read only the technical chapters. There is also a chapter that bears a nontechnical/technical mark. This chapter has a blend of material that contains both technical and nontechnical items. Both of the above groups should read this chapter. Finally, readers who are specifically seeking to learn about DDoS in order to work in this field in the future, such as students and teachers, will find it useful to read the book from cover to cover, as nontechnical chapters set the stage for technical ones.
- Chapter 2: Understanding Denial of Service. (Nontechnical/technical level) This chapter explains the DDoS phenomenon and illustrates the scope and seriousness of the problem.
- Chapter 3: History of DoS and DDoS. (Nontechnical level) This chapter recounts how and when DoS attacks came about, how they evolved into DDoS attacks, what is behind the DDoS problem, and what aspects of Internet design and management are especially related to this problem.
- Chapter 4: How Attacks Are Waged. (Technical level) This chapter gives a detailed description of the "modus operandi" of a DDoS attack and discusses different DDoS variants.
- Chapter 5: An Overview of DDoS Defenses. (Nontechnical level) This chapter discusses the challenges that DDoS defense is facing. It also discusses different approaches to design a DoS or DDoS defense, and presents some key ideas, found both in research and commercial solutions. These ideas are building blocks of current defenses.
- Chapter 6: Detailed Defense Approaches. (Technical level) This chapter explains practical approaches to strengthen your network and make it resist and recover from DDoS attacks. It discusses how to analyze DDoS incidents and gather detailed information that will help respond to the attack and, later, take legal action against perpetrators.
- Chapter 7: Survey of Research Defense Approaches. (Technical level) This chapter gives an overview of many research approaches to DoS and DDoS defense. . Chapter 8: Legal Issues. (Nontechnical level) This chapter speaks about laws that are applicable to DoS and DDoS, and steps you can take to bring legal action against attackers.
- Chapter 9: Conclusions. (Nontechnical level) This chapter offers a prognosis for DDoS defense and conclusions, along with useful pointers to Web pages, mailing lists, conferences, and journals that publish DDoS-related information.
- Appendix A: Glossary. (Technical level) This appendix contains a glossary of technical terms used throughout the book, with detailed explanation and organized as an easy reference.
- Appendix B: Survey of Commercial Defense Approaches. (Technical level) This appendix offers a survey of several commercial DDoS solutions to inform the reader of design decisions implemented in these solutions, and functionalities that can be found in the market.
- Appendix C: DDoS Data. (Technical level) This appendix offers a survey of available quantitative studies of the DDoS phenomenon, detailing the frequency and type of observed attacks, how they are performed, and the damages incurred.
From the Back Cover
Suddenly your Web server becomes unavailable. When you investigate, you realize that a flood of packets is surging into your network. You have just become one of the hundreds of thousands of victims of a denial-of-service attack, a pervasive and growing threat to the Internet. What do you do?
Internet Denial of Service sheds light on a complex and fascinating form of computer attack that impacts the confidentiality, integrity, and availability of millions of computers worldwide. It tells the network administrator, corporate CTO, incident responder, and student how DDoS attacks are prepared and executed, how to think about DDoS, and how to arrange computer and network defenses. It also provides a suite of actions that can be taken before, during, and after an attack.
Inside, you'll find comprehensive information on the following topics
- How denial-of-service attacks are waged
- How to improve your network's resilience to denial-of-service attacks
- What to do when you are involved in a denial-of-service attack
- The laws that apply to these attacks and their implications
- How often denial-of-service attacks occur, how strong they are, and the kinds of damage they can cause
- Real examples of denial-of-service attacks as experienced by the attacker, victim, and unwitting accomplices
The authors' extensive experience in handling denial-of-service attacks and researching defense approaches is laid out clearly in practical, detailed terms.
See all Product Description
Most Helpful Customer Reviews on Amazon.com (beta)
I certainly enjoyed reading this book, in fact I started looking at it during the work day and couldn't wait for everyone to leave at quitting time so I could finish it. It seems to have a bit of trouble finding its niche, most of the time it has the feel of a research paper, but from time to time there are amazingly practical tidbits. If you are looking for a how to stop denial of service, step by step, buy the cup of coffee from Borders and leaf through the book and make your decision carefully. If you are a researcher in the USA interested in Internet protocols and US law and response, this is a must read, must have. If you are truly seeking to understand what zombie style distributed denial of service is and is capable of, buy the book and read it three times. My response team worked closely with one of the authors, David Dittrich from 1999 - 2001 and if there is a "been there, done that" individual when it comes to malicious code, he would be that person.
This is not a book for a novice, but if you know your way around a network and know a bit about routing, there are a number of helpful illustrations and code segments that drive the points home.
I realize I gave the book three stars even though I liked it a lot and that is primarily because the book is much weaker in the two final chapters, 8 and 9. You just can't throw issues like law, ethics, jurisdiction, evidence collection, and estimation of damages on the table, write a couple paragraphs and zoom on, someone could get hurt. For the right reader, this can be a wonderful resource.
IDOS features some of the best minds on DoS research available. Everyone has heard of Dave Dittrich, but I found the work of lead author Jelena Mirkovic to be particularly valuable. Peter Reiher and long-time DoS researcher Sven Dietrich also give the project considerable weight. All four authors work for or with universities, and IDOS reflects this academic connection by frequently citing papers and DoS research. For example, chapter 7 describe DoS mitigation approaches and Appendix C examines the best available data on DoS techniques. I would encourage other authors to make similar references to the academic community and not write in a literary vacuum.
By making references to outside works, IDOS successfully avoids repeating material published elsewhere. Chapter 6 was probably my favorite section, including much distilled wisdom and advice on responding to DoS attacks. I welcomed the authors' frequent recommendations to collect session and full content data. It is often impossible to detect and respond to attacks without this sort of network-based evidence. This point is often lost on vendors or consultants who lack experience performing incident response.
I had minor problems with the book. First, I would have liked more technical detail in chapter 6. For example, it would have been nice to see examples of system metrics from nodes or routers under DoS attack. Specific advice on host tuning techniques would also have been useful, e.g., make changes X, Y, or Z on FreeBSD or Cisco IOS to better resist DoS conditions. I was also slightly disappointed the authors did not base their discussions of commercial products in Appendix B on hands-on evaluations. I understand the problem with meeting this objective, however.
I did not have any problems with the legal or concluding chapters (8 & 9). I think the earlier three-star reviewer found himself on the wrong side of the 1999 "RST scan" controversy discussed on p. 52 and may not have been happy by the (correct) stance taken by IDOS.
I highly recommend every security professional read IDOS. It's a convenient and illuminating discussion of a problem that will never disappear. This book will prepare you to do battle with DoS attacks, and for that I am thankful.
You should have a reasonable background in understanding TCP/IP, to appreciate the book's technical discussions. For example, if you see mention of the TTL field in a header, you should already know what it means.
The book explains several postulated countermeasures to DDoS. Nifty ideas like traceback and pushback. Or perhaps doing an entropy count of good and bad packets, to help distinguish between them. The problem is that none of these are truly effective. DDoS is an unsolved problem. So if you are a cracker, this is good news. Not so for sysadmins.
But there is something else. Perhaps DDoS is fundamentally insolvable, under the current IPv4 and current router capabilities. But maybe this field is still young. What is a problem for many could be a chance for you, as a researcher or inventor.
Chapter list: Introduction; Understanding Denial of Service; History of DoS and DDos; How Attacks Are Waged; An Overview of DDoS Defenses; Detailed Defense Approaches; Survey of Research Defense Approaches; Legal Issues; Conclusions; Glossary; Survey of Commercial Defense Approaches; DDoS data; References; Index
Going into this book, I can say I knew about the basics of a Denial of Service (DoS) and Distributed Denial of Service (DDoS) attack. What I didn't understand is how sophisticated they've become. The book covers (in deep detail) how bot or zombie networks are developed and utilized to launch these types of attacks. I didn't realize that it's relatively easy to acquire a bot network of over 100000 clients who can flood a site with packets. And it's not even necessary to use them all at once. Attacks can start with a fraction of the clients, and then escalate as the victim attempts to filter packets or add bandwidth. It's a scary thing. The authors also cover the various issues involved in the defense of these types of attacks. Filtering might work, but it can be difficult to find the correct filtering parameters that don't also drop legitimate traffic. And due to the distributed nature of the attack, it can be nearly impossible to find the culprit, and worse, to prevent it from happening again.
Walking away from this book, you don't get a warm, fuzzy feeling about the current situation. Regardless of what steps you take, there is no current sure-fire method for defending these attacks. But by reading Internet Denial of Service, you'll be far more prepared to understand what's going on and what realistic options do exist. Better yet, it also gives you the steps you need to take to prepare your site for this type of incursion beforehand. If you've mapped out your plan ahead of time, you can definitely minimize (to some extent) the damage that can occur.
This is a good read for any security professional tasked with security and availability of an organizational website. Reading this now could save your job later...
Look for similar items by category
- Books > Computers & Technology > Certification Central > Exams > Security+
- Books > Computers & Technology > Databases > Distributed Databases
- Books > Computers & Technology > Hardware > Microprocessors & System Design > Computer Design
- Books > Computers & Technology > History & Culture > Privacy
- Books > Computers & Technology > Internet & Social Media > Hacking
- Books > Computers & Technology > Networking & Cloud Computing > Data in the Enterprise > Client-Server Systems
- Books > Computers & Technology > Networking & Cloud Computing > Internet, Groupware, & Telecommunications
- Books > Computers & Technology > Networking & Cloud Computing > Networks, Protocols & APIs > LAN
- Books > Computers & Technology > Networking & Cloud Computing > Networks, Protocols & APIs > Networks
- Books > Computers & Technology > Programming
- Books > Computers & Technology > Security & Encryption > Privacy & Online Safety
- Books > Computers & Technology > Web Development > Security & Encryption > Encryption
- Books > Qualifying Textbooks - Fall 2007 > Computers & Internet
- Books > Textbooks > Computer Science & Information Systems > Networking