Professional Documents
Culture Documents
DDoS Exploration
DDoS Exploration
Bruno de Souza Neves, Filipe Mourão Leite, Lucas da Silva Jorge, Rahyan Azin Gondin Paiva,
Juliana de Melo Bezerra and Vitor Venceslau Curtis
Department of Computer Science, ITA, São José dos Campos, Brazil
Abstract: The concern about cyber security has attracted attention by organizations and public services over the last
few years due to the importance of confidentiality, integrity, and availability of services and sensitive data.
Many recent episodes of cyber attacks causing strong impact have been performed using extremely simple
techniques and taking advantage of the hidden weaknesses of current systems. This article has the main
purpose to motivate the academy to mitigate unexpected potential threats from the attacker’s perspective,
exposing the latent weakness of current systems, since the majority of such papers focus only on the defense
perspective. We analyze the potential impact of Denial of Service (DoS), a very popular cyber attack that
affects the availability of a victim server, through different mechanisms and topologies. Specifically, we
simulate and analyze the impact of Distributed DoS (DDoS) using the List and Binary Tree topologies along
with Continuous or Pulsating stream of requests. In order to improve the potential of the analyzed DDoS
methods, we also introduce a new technique to protect them against mitigation from security systems.
1 INTRODUCTION and was able to attack the OVH services with a vol-
ume of network traffic around 1Tbps (Antonakakis
Over the last decade, we have seen technologies as et al., 2017).
streaming, deep learning, IoT, blockchain and big These episodes expose considerable negligence by
data disrupting traditional business and enabling a companies in the past years regarding security, which
prolific market of network-based systems where data now reflects as latent threats to computer systems.
are the principal value. In this context, secure and Forecastings estimate that IoT and small devices will
reliable systems are very important to not tarnish the represent more than 75% of the global Internet reach-
image of a company and crucial in critical systems ing 10 billion in 2020 and representing a true potential
and public services. threat specially because of new connected solutions
A good example of potential damage a network with poor security pop up every day by small business
cyber attack could lead was recently revealed by (Mc- and startups, (Rose et al., 2015), (Columbus, 2018).
Callie et al., 2011). They expose the fragility of the With this scenario, we propose that the academy
Automatic Dependent Surveillance-Broadcast (ADS- encourage more research papers from the attacker’s
B) system of the global air traffic control. Using about perspective rather than the defense to force the expo-
$1,000 worth of radio equipment, a hacker could sim- sure of current hidden weaknesses of computer sys-
ply flood the air traffic control system with as many tems as a measure of prevention from real potential
fake airplanes as it wants. attacks to organization and states.
In 2016, Mirai botnet attacked the Internet Ser- According to (Schatz et al., 2017), the current ter-
vice Provider (ISP) for sites such as Twitter, Amazon, minology to discuss security aspects of digital devices
PayPal, Spotify, Netflix, and others, making them un- and information is cyber security and it is basically
reachable for several hours. In such attacks, a worm defined as the actions and technologies followed by
propagates through networks and systems taking con- organizations and states to protect confidentiality, in-
trol of poorly protected IoT and embedded devices tegrity, and availability of data and assets used in cy-
such as IP cameras, thermostats, Wi-Fi enabled clocks berspace.
and washing machines (Kolias et al., 2017). At its Among the cyber threats, the Denial-of-Service
peak, Mirai infected over 600,000 vulnerable devices (DoS) is a very easy and common kind of cyber at-
460
Neves, B., Leite, F., Jorge, L., Paiva, R., Bezerra, J. and Curtis, V.
Exploring DDoS Mechanisms.
DOI: 10.5220/0007835304600467
In Proceedings of the 14th International Conference on Software Technologies (ICSOFT 2019), pages 460-467
ISBN: 978-989-758-379-7
Copyright
c 2019 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved
Exploring DDoS Mechanisms
461
ICSOFT 2019 - 14th International Conference on Software Technologies
Classification by
degree of automation (DA)
Manual (DA-1)
Semi-automatic (DA-2)
Classification by
communication mechanism (CM) Classification by
persistence of agent set (PAS)
Direct (CM-1)
Constant set (PAS-1)
Indirect (CM-2)
Classification by
exploited weakness (EW)
Variable (PAS-2)
Classification by
host scanning strategy (HSS) Semantic (EW-1) Classification by
Random (HSS-1) victim type (VT)
Brute-force (EW-2)
Hitlist (HSS-2) Classification by Application (VT-1)
attack rate dynamics (ARD)
Signpost (HSS-3) Host (VT-2)
Constant rate (ARD-1)
Permutation (HSS-4) Classification by Resource (VT-3)
source address validity (SAV)
Variable rate (ARD-2)
Local subnet (HSS-5) Network (VT-4)
Spoofed (SAV-1) Classification by
Classification by vulnerability rate change mechanism (RCM) Infrastructure (VT-5)
scanning strategy (VSS) Classification by
address routability (AR) Increasing (RCM-1)
Horizontal (VSS-1) Classification by
Routable (AR-1) Fluctuating (RCM-2)
Vertical (VSS-2) impact on the victim (IV)
Non-routable (AR-2) Classification by Disruptive (IV-1)
Coordinated (VSS-3)
Classification by possibility of characterization (PC)
Classification by
Stealthy (VSS-4) spoofing technique (ST) Characterizable (PC-1) possibility of
Classification by Random (ST-1) Classification by
dynamic recovery (PDR)
propagation mechanism (PM)
Subnet (ST-2) relation of attack Self-recoverable (PDR-1)
Central (PM-1) to victim services (RAVS)
Back-chaining (PM-2) En route (ST-3) Filterable (RAVS-1) Human-recoverable (PDR-2)
462
Exploring DDoS Mechanisms
• Hierarchical topology: bots organized in layers of and in fluctuating rate, the botnet performs any other
C&C servers; waveform, including occasional changes.
• Random topology: Peer-to-Peer (P2P) communi-
cation among bots.
The star topology was chosen to facilitate the im-
plementation of the semi-automatic attack, since there
is a central server that can receive manual input from
a user and then transmit a flow of commands in the
direction from the root to leaves.
A weakness of this topology is the possibility of a
security system to explore the center of each start. Us-
ing this vulnerability, it is possible to reach the C&C
and make it unavailable. In order to avoid this type
of mitigation and still preserve the manual control of
the attack, in section 5, we propose a new method of
automation which controls the botnet with resilience,
where zombies have only partial information about
the topology.
3 SIMULATIONS OF DDOS
Figure 3: Typical FDoS waveforms. In this work, the two common mechanisms of ARD
described in Section 2.2 are analyzed, each using two
Flood DoS (FDoS), as showed in Figure 3, has network topologies: a tree-based, where each node in
three typical types of a waveform based on the ARD: the botnet has some children, and list-based network,
classical constant rate flood, increasing rate flood, where each node can forward an attack only to one
fluctuating rate flood. In constant rate, the botnet next node.
attacks the target with full force; in increasing rate In order to simulate the experiments, we
flood, the botnet gradually increases the attack rate implemented programs in GoLang supported by
resulting to slow exhaustion of victim’s resources; lightweight threads to achieve a high scale for the bot-
463
ICSOFT 2019 - 14th International Conference on Software Technologies
net simulation. Basically, the simulations are com- All the codes are available open-source for further
posed by three programs: researches. Please, contact the authors for getting ac-
• Server: It is basically the C&C server, responsible cess to it.
for the botnet commands and for tracking when a
node first joined the botnet;
• Client: It is the zombie node, a node in a bot- 4 RESULTS
net network, capable of autonomously discover-
ing other zombies and handling attacks; This section presents the main results of our simu-
• Targeted Server: It represents the target infras- lations for the tree-based and list-based topologies
tructure and stores the attack data for further anal- using continuous stream and pulse wave pattern of
ysis. DDoS attacks. From the logs obtained by the simu-
lation, the most relevant measurements extracted are
All programs communicate with each other the package loss and the attack propagation delay.
by UDP packets and the Client implements dis- The tests were performed in different machines
tributed solutions to handle the network topology au- configurations and the results were similar. In the
tonomously. All the information about the simula- following sections, we preferred to show the results
tion is retrieved from logs and the packets exchanged for a single regular Windows PC with the following
among the nodes of the network. More specifically, configuration and tools: Windows 10 O.S., Intel Core
each packet contains: i7 processor, 8GB(RAM). The amount of lightweight
• Sent to the Targeted Server: an identification of threads is described in each experiment.
the sender, a timestamp of a sent packet, and a
sequence number to help identifying lost packets; 4.1 Attack Propagation Delay
• Ordering a attack (to zombies): the Targeted
Server identification, the type of the attack, and In a real scenario, a central server of a star topology
a timestamp identifying the initial attack time in usually contaminates zombies around it in a tree-like
case of a pulse DDoS pattern; structure. Thus, in order to simulate this approach,
we implemented the system with a binary tree topol-
• Regarding the botnet construction: identification
ogy. Furthermore, to observe the effects of having a
of the new Client (zombie).
large number of levels in the tree architecture with a
Using data of the packages sent to the Targeted reasonable number of nodes, we use a botnet with list
Server it is possible to acquire information regarding structure, which in practice is unlikely to happen but
the packet loss, packet delay and transmition delay it is enough to observe results.
throughout the botnet. We use these data to imple-
ment two kinds of attack patterns: constant (Clients
begin the attack as soon as they receive the mes-
sage), and the pulse-like (a timestamp states when the 2,000
Elapsed time (in ms)
464
Exploring DDoS Mechanisms
300 Figure 5 and Figure 7, show how the nodes are grad-
ually mobilized by the attack wave, exposing the hi-
200 erarchy of a network with many layers. Particularly,
the propagation delay using constant DDoS and list
100 topology, Figure 7, results in perfect straight line once
the information in the list is passed from node to node
0 with a similar delay.
0 100 200 300 400 500
Reached nodes
4.2 Package Loss in Target Server
Figure 6: Propagation delay within a botnet with 500 nodes
using pulse DDoS in binary tree topology. The graphs on Figures 9-12 show that the binary tree
topology is much more effective in damaging the traf-
fic of the target server. Even considering a margin on
a simulation where a tree-based topology has 5 times
more node than a list-based topology, 500 nodes ver-
10,000
Elapsed time (in ms)
5,000 8,000
Amount of lost packages
6,000
0
0 20 40 60 80 100 4,000
Reached nodes
Figure 7: Propagation delay within a botnet with 100 nodes 2,000
using constant DDoS in list topology.
0
the height tends to be proportional to log2 n, we use
0 20 40 60 80 100 120 140
500 nodes in the simulation to get more levels and Elapsed time (in ms)
make the effect of the topology clear in the results.
The results are presented in Figures 5-8. Figure 9: Package loss for each ten thousand packages us-
ing constant DDoS in Binary Tree topology.
Using pulse DDoS mechanism, Figure 6 and Fig-
ure 8, it can be noticed that almost all nodes attack
at the same time, delay near 0ms, except for outliers 10,000
that do not attack immediately for some unexpected
Amount of lost packages
8,000
6,000
4,000
Elapsed time (in ms)
2,000
2,000
1,000 0
0 20 40 60 80 100
Elapsed time (in ms)
0 Figure 10: Package loss for each ten thousand packages us-
ing pulse DDoS in Binary Tree topology.
0 20 40 60 80 100
Reached nodes
Figure 8: Propagation delay within a botnet with 100 nodes This can be interpreted as a consequence of the
using pulse DDoS in list topology. small delay in propagating commands from the C&C
465
ICSOFT 2019 - 14th International Conference on Software Technologies
600 patterns, like the ones from the Figures 9 and 11, it is
possible to identify the increasing workload and take
action to protect the servers before it is too late.
Amount of lost packages
400
5 PROTECTION AGAINST
200
MITIGATION
In a real botnet over the Internet, zombie nodes may
0
be turned off at any time. As the transmission of the
0 100 200 300 400 C&C commands is forwarded node by node on the
Elapsed time (in ms) topology, it may brake the botnet. Usually, botnets
Figure 11: Package loss for each ten thousand packages us- solve it by implementing some distributed solution to
ing constant DDoS in List topology. autonomously adapt the topology on such cases.
Security systems may take advantage of this sit-
uation by infiltrating a zombie spy in the botnet and
600 blocking the other nodes in such a way to push it as
Amount of lost packages
0 grand
parent
0 50 100 150 200
Elapsed time (in ms)
Figure 12: Package loss for each ten thousand packages us- ... parent
to far nodes in the botnet for a smaller number of lev- child 1 child 2 ... child 3
els. In the list, even though the DDoS algorithm or-
ders that all nodes attack at the same time, the delay Figure 13: Child detects the absence of it failed parent.
of the propagation makes the attacks to reach the tar-
get asynchronously resulting in a very ineffective ap-
grand
proach. parent
As it can be seen in both topologies, Figure 9 and
Figure 11, respectively, the tree-based and list-based ... child 2
topologies, the constant rate DDoS presents a consid-
erable delay before achieving a stable rate of package
loss. It is the time necessary to mobilize all the nodes
in the botnet. child 1 ... child 3
On the other hand, Figure 10 and Figure 12 show Figure 14: Oldest child (2) replaces the missing parent.
that the pulse DDoS presents a stable rate since the
first time of the attack, given that the C&C orders that Next, we describe a solution to protect the botnet
all nodes attack at the same clock time, and resulting against this kind of security systems. If a node detects
in a more powerful capacity for using it against big that its parent is missing, it starts an election process
infrastructures. to decide a new one. In the adopted strategy, exempli-
Thus, we may conclude that that the shorter the fied in the Figures 13 and 14, the oldest child of the
attack propagation delay is, the worse are the impacts. missing parent takes its place.
As it can be seen in Figure 10 and Figure 12, it is very The timestamp on the system clock, when the
likely that no action could be taken before the server zombie joined the botnet, is used to compare the zom-
is down, the worse case scenario. In constant attacks bie nodes and to decide who is the oldest brother. This
466
Exploring DDoS Mechanisms
is sufficient to avoid an invader from forging its own curity against mitigation from security systems. The
time by pretending to be older in order to substitute proposed method theoretically meets the objective of
a missing parent. Since the malware in a real system preventing the botnet mitigation by outside invaders.
could take hours or even days to spread, the invader However, since the simulation of a real scenario of se-
has to wait for a time of the same order of magnitude curity system attacking botnets is not trivial, we pre-
to ascend a substantial level in the hierarchy. Mean- ferred to explore such simulations in future projects.
while, the other branches of the tree grow indepen- As DDoS from the attacker perspective is not a
dently of what the security system is doing in the spy common topic in the academia, we expect that this
branch. This is more than enough for the botnet to work can be used as material to new computer net-
make substantial damage to the server. work and distributed system courses in order to im-
It is important to notice that, in our botnet con- prove the security discussions.
figuration, each node is only able to get information
about its adjacent nodes: child, parent, and some
close nodes (siblings and grandparent) due to the elec- REFERENCES
tion procedure. This prevents a possible attacker to
have easy access to the control server and allows a Antonakakis, M., April, T., Bailey, M., Bernhard, M.,
semi-automatic Degree of Automation. Bursztein, E., Cochran, J., Durumeric, Z., Halderman,
Another approach to avoid the vulnerability of J. A., Invernizzi, L., Kallitsis, M., Kumar, D., Lever,
having a centralized server taken down is to change C., Ma, Z., Mason, J., Menscher, D., Seaman, C., Sul-
the hierarchy to peer-to-peer, in which each node livan, N., Thomas, K., and Zhou, Y. (2017). Under-
standing the mirai botnet. In 26th USENIX Security
would be exposed only to its adjacent bots and ev-
Symposium, pages 1093–1110, Vancouver, BC.
ery node can be a command center. However, this
Bhardwaj, A., Subrahmanyam, G. V. B., Avasthi, V., Sastry,
would forbid the manual control by the Server: time, H., and Goundar, S. (2016). DDoS attacks, new DDoS
rate and the dynamic. Thus, the implemented topol- taxonomy and mitigation solutions - A survey. In 2016
ogy is similar to a P2P in the way nodes join the bot- Inter. Conf. on Signal Proc., Commun., Power and
net and communicate with neighbors, but it is similar Embedded System (SCOPES), pages 793–798. IEEE.
to a hierarchical network in the way command flows Columbus, L. (2018). 2018 Roundup of internet of things
throughout the level of the topology. forecasts and market estimates. Forbes.
Kolias, C., Kambourakis, G., Stavrou, A., and Voas, J.
(2017). DDoS in the IoT: Mirai and other botnets.
Computer, 50(7):80–84.
6 CONCLUSION Liu, X., Cheng, G., Li, Q., and Zhang, M. (2012). A
comparative study on flood DoS and low-rate DoS at-
The simulation of DDoS mechanisms implemented in tacks. The Journal of China Universities of Posts and
this work achieved interesting results preserving the Telecommunications, 19:116–121.
functionality of a real DDoS and clarifying the dis- McCallie, D., Butts, J., and Mills, R. (2011). Security anal-
ysis of the ADS-B implementation in the next genera-
semination of information within a botnet along with
tion air transportation system. International l Journal
its interacting behavior. of Critical Infrastructure Protection, 4(2):78–87.
The list-based implementation exposed the differ- Mirkovic, J. and Reiher, P. (2004). A taxonomy of ddos at-
ences in each ARD mechanism, since it generated tack and ddos defense mechanisms. SIGCOMM Com-
many levels of hierarchy in the topology using a rel- put. Commun. Rev., 34(2):39–53.
atively small number of nodes. Thus, phenomena as Rose, K., Eldridge, S., and Chapin, L. (2015). The internet
the network propagation delay can be noticed easier: of things: An overview. The Internet Society (ISOC),
the time to mobilize all bots in the network is more pages 1–50.
expressive and the two mechanisms of attack gener- Schatz, D., Bashroush, R., and Wall, J. (2017). Towards a
ate very different results. more representative definition of cyber security. Jour-
In terms of package loss in the targeted system, nal of Digital Forensics, Security and Law, 12(2):8.
both mechanisms (Continuous and Pulsating) gener- Soltanian, M. R. K. and Amiri, I. S. (2016). Theoretical and
Experimental Methods for Defending Against DDoS
ated similar outputs. This is expected for a limited Attacks. Syngress, first edition.
target infrastructure and it can be interpreted as the
botnet having more network bandwidth capacity than
the target.
We also proposed a new election strategy to man-
age the dynamic structure of the botnet network, when
zombie nodes detect failed parents, improving the se-
467