
Distributed denial-of-service attacks

4.3.1 Definition

A distributed denial-of-service (DDoS) attack is an adaptation of the broader denial-of-service term. A DDoS attack is characterized by many agents that are coordinated to attack the target system through the network. The agents are usually part of a botnet (see Figure 3), although there have been successful DDoS attacks performed by humans accessing a website in a coordinated manner. Bandwidth DDoS attacks are classified into human-coordinated bandwidth attacks (e.g. F5-key flood, the LOIC tool or a flash crowd event) and automated or semi-automated bandwidth attacks (amplification, e.g. Smurf or Fraggle attack; reflection attacks; or botnet-based attacks).

[Figure 3: diagram of a botnet-based DDoS attack; nodes labelled DNS-Botmaster, C&C server, Bot 1, Bot 2 ... Bot n, Victim]

Figure 3. A distributed denial-of-service attack using a botnet

The 4chan-originated hacker group Anonymous has been responsible for orchestrating a DDoS attack against anti-Wikileaks companies, such as financial organizations and providers. In order to conduct this attack, they used a program called Low Orbit Ion Cannon.

They asked people to download the application, choose a target and start the attack. A group of people joined a voluntary botnet to launch a collective DoS. (Mansfield-Devine 2011, 5.) This incident is related to another type of event, the flash crowd event, in which a DoS happens involuntarily.

The Slashdot effect, or the flash crowd event, got its name from a science article site called Slashdot, which featured links to websites with inadequate capacity to handle a high volume of visitors. The large crowd of Slashdot readers often accessed the link simultaneously, rendering the site unable to respond to new requests. The readers did not want to crash the site, but they essentially consumed the server completely. (Raghavan and Dawson 2011, 13.)

A distributed denial-of-service attack is performed in multiple steps. The first step is to acquire a botnet or agents that can be commanded by the attacker. Botnets can be bought on the black market for money, or the attacker can build a botnet from scratch. In the next phase, the attacker accesses the C&C (Command & Control) server of the botnet and sends a command to the agents to start sending a certain type of data to the target machine. Depending on the purpose of the attack, a time window is chosen carefully, especially if the attacker is paying an hourly fee for the usage of the botnet. IP spoofing techniques are used to cover the tracks to the agents and especially to the C&C server. After the goal of the attack has been reached, the agents stop sending the packets and the service returns to normal operation. (Mirkovic and Reiher 2004, 40.)

[Figure 4: bar chart of the largest reported attack bandwidth per year; x-axis years 2002 to 2016, y-axis bandwidth in Gbps from 0 to >600]

Figure 4. Bandwidth of the volumetric attacks reported yearly since 2002 (Arbor Networks 2011, 15.) (Arbor Networks 2016, 24.) (Krebs 2016)

4.3.2 Current situation

From the year 2000 onward, the number of attacks kept on rising, and by the year 2010 the magnitude of volumetric attacks had reached 10 Gbps as the new norm. The biggest attacks reached 100 Gbps, as Arbor Networks (2011, 5) reported in their yearly security report.

A new wave of application layer attacks (also known as Layer 7 attacks) started to emerge, along with more complicated multi-vector attacks in which a volumetric attack includes application layer attack vectors. The main motives for large-scale attacks in 2012 were ideology/politics, gaming or vandalism. (Arbor Networks 2011, 5.)

According to the report Arbor Networks (2011, 16), much of the reported bandwidth within

incident. In the Arbor Networks (2013, 25) report, attacks against encrypted services rose to 54% of all the answers to the survey.

In 2013, the largest bandwidth attack had risen to 309 Gbps, and in 2014 the same figure was already 400 Gbps according to Arbor Networks (2015); in 2015 the largest attack was already 500 Gbps, as stated by Arbor Networks (2016). Krebs (2016) wrote that bandwidth attacks were already in the range of 600 Gbps and more in 2016.

According to the 2016 report, the majority of attacks (74%) are still less than 500 Mbps in size (Arbor Networks 2016). Still, this is a significant amount against targets without a sufficient DDoS mitigation infrastructure. See Figure 4 to get an idea of how fast the magnitude of attacks has risen.

In 2014, volumetric attacks were the most prevalent attack method, with 2/3 of the attacks consuming bandwidth as their primary objective. Amplification or reflection attacks have been the leading cause of this surge in the volume of traffic. (Arbor Networks 2015, 34-40.) While HTTP and DNS remain the most targeted protocols, HTTPS rose to about 50% of respondents reporting attacks on HTTPS services. (Arbor Networks 2015, 41.)

Mobile networks are seeing an increase in DDoS attacks as well. However, the difficulty of detecting a single source of traffic in a mobile network remains an issue with the rise of LTE technologies and a NAT sitting between the possible targets and the source. (Arbor Networks 2015, 81.)

On average, a DDoS attack lasts less than 30 minutes and costs a target organization $1.5 million (Jaffee 2016). The average loss for an Internet-based business is so high that investing in a DDoS mitigation system pays off already if the company can fight off the most pathetic attempts.

Defense methods against DDoS attacks can be divided into three types: preventative, reactive and source-tracking (Nagaratna, Prasad, and Kumar 2009, 753). Many companies offer services to fight off DDoS attacks with several detection and prevention methods that they rarely fully disclose, for fear of competitors and attackers gaining an advantage.

4.3.3 Example attacks

A TCP SYN flood attack exploits the TCP three-way handshake. During the attack, the attacker sends a SYN packet, the server responds with a SYN-ACK packet and adds the connection to a half-open connection table. The final ACK packet never comes, and the connection is left half-open until timeout. (Linge, Hope, et al. 2007, 55.)
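The following Python model, added here as an illustration and not part of the thesis, shows why the half-open table is the resource a SYN flood exhausts, and the stateless SYN-cookie defence in which the server keeps no entry until a valid ACK arrives. The backlog size, timeout, secret and addresses are constructed values.

```python
import hashlib
import hmac

BACKLOG = 128        # capacity of the half-open (SYN_RECV) table; constructed value
SYN_TIMEOUT = 60.0   # seconds an entry waits for the final ACK before it is dropped
SECRET = b"constructed-per-boot-secret"


class HalfOpenTable:
    """Stateful handshake: every SYN occupies a slot until its ACK arrives or it times out."""

    def __init__(self):
        self.pending = {}  # (src, sport) -> expiry time

    def expire(self, now):
        for key in [k for k, t in self.pending.items() if t <= now]:
            del self.pending[key]

    def on_syn(self, src, sport, now):
        self.expire(now)
        if len(self.pending) >= BACKLOG:
            return False  # backlog full: the SYN is dropped, so a legitimate client fails
        self.pending[(src, sport)] = now + SYN_TIMEOUT
        return True

    def on_ack(self, src, sport, now):
        self.expire(now)
        return self.pending.pop((src, sport), None) is not None


def syn_cookie(src, dst, sport, dport, now):
    """Stateless alternative: the ISN is an HMAC over the 4-tuple and a 64 s time slot."""
    msg = f"{src}:{sport}->{dst}:{dport}|{int(now // 64)}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def cookie_valid(ack, src, dst, sport, dport, now):
    """The final ACK acknowledges ISN+1; accept the current or the previous time slot."""
    isn = (ack - 1) & 0xFFFFFFFF
    return any(syn_cookie(src, dst, sport, dport, now - 64 * d) == isn for d in (0, 1))


def legit_client_gets_slot(n_spoofed):
    """Spoofed SYNs that never ACK fill the table; does a real client at t=1 s still get in?"""
    table = HalfOpenTable()
    for i in range(n_spoofed):  # constructed spoofed sources from the 10.0.0.0/8 range
        table.on_syn(f"10.0.{i // 256}.{i % 256}", 40000 + i, now=0.0)
    return table.on_syn("192.0.2.10", 5555, now=1.0)
```

With cookies the server validates the ACK from the cookie alone, so spoofed SYNs that never complete the handshake cost no table entry.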

A slow denial-of-service attack takes advantage of how certain application layer protocols have been implemented and sends malformed or normal packets at a slow pace and low bandwidth. The connection tables of the server program fill up, blocking any potential new connections. Examples of these attacks are the Slowloris, SlowReq, SlowRead and Slow Next attacks. Slowloris opens the connection and sends an HTTP request very slowly, never completing it. The server is simply receiving packets and waiting for the end of the request to be able to fulfill it. SlowReq also opens a connection to the HTTP server, but sends tiny packets which do not comply with the protocol, e.g. one space. In the SlowRead attack, the responses to normal HTTP requests are read at a sluggish pace, forcing the server to keep the connection open. Slow Next uses the wait timeout of the connection after each normal request to occupy the connection table. (Aiello et al. 2014, 1-2.)
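Added illustration, not from the thesis: a Python model of a server connection table with the two guards commonly used against Slowloris and SlowReq, a deadline for the complete request header and a minimum data rate (the idea behind Apache's mod_reqtimeout). The table size, timeouts, rate and client behaviour are constructed values.

```python
MAX_CONNS = 4           # constructed: a tiny connection table makes exhaustion visible
HEADER_DEADLINE = 20.0  # seconds allowed for a complete request header to arrive
GRACE = 5.0             # seconds before the minimum data rate is enforced
MIN_RATE = 50.0         # bytes per second required after the grace period


class Server:
    """Connection table guarded by a header read deadline and a minimum data rate;
    guard=False models an unprotected server that waits for the end of the request."""

    def __init__(self, guard=True):
        self.guard = guard
        self.conns = {}  # cid -> [opened_at, bytes received so far]

    def reap(self, now):
        if not self.guard:
            return
        for cid, (opened, buf) in list(self.conns.items()):
            age = now - opened
            rate = len(buf) / age if age > 0 else float("inf")
            if age > HEADER_DEADLINE or (age > GRACE and rate < MIN_RATE):
                del self.conns[cid]  # slow client evicted, slot released

    def accept(self, cid, now):
        self.reap(now)
        if len(self.conns) >= MAX_CONNS:
            return False  # table full: the new client is refused
        self.conns[cid] = [now, b""]
        return True

    def recv(self, cid, data, now):
        self.reap(now)
        if cid not in self.conns:
            return "closed"
        self.conns[cid][1] += data
        if b"\r\n\r\n" in self.conns[cid][1]:  # header complete: served, slot released
            del self.conns[cid]
            return "served"
        return "pending"


def legit_client_gets_slot(guard):
    """Constructed Slowloris clients: one header line every 10 s, never the terminator."""
    s = Server(guard)
    for i in range(MAX_CONNS):
        s.accept(f"slow{i}", now=0.0)
        s.recv(f"slow{i}", b"GET / HTTP/1.1\r\nHost: example\r\n", now=0.0)
    for t in (10.0, 20.0, 30.0):
        for i in range(MAX_CONNS):
            if f"slow{i}" in s.conns:
                s.recv(f"slow{i}", b"X-a: b\r\n", now=t)
    return s.accept("legit", now=31.0)
```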

4.4 Summary

Volumetric distributed denial-of-service attacks are more powerful because more than one host executes them. Most services nowadays can combat simple denial-of-service attacks with ease. However, with the emergence of application layer attacks, where a single attacker can disable a server farm with simple incomplete HTTP packets, the scheme has changed.

When these stealthy attacks are coupled with a small, undetectable botnet, the damage is still being done, and more research is needed. (Sourav and Mishra 2012, 749.)

So far the thesis has discussed network security and DDoS attacks. The next chapter introduces anomaly detection to get closer to the detection of DDoS attacks.

5 Anomaly detection

This chapter introduces the underlying mechanisms of machine learning, data mining and anomaly detection that are crucial for the methods presented and studied in this thesis. The chapter starts by defining data mining and machine learning and then explains the context on which anomaly detection methods are based. It then introduces the most common anomaly detection methods. Lastly, the chapter covers receiver operating characteristic (ROC) graphs as a means of comparing the results of different classification algorithms.