Ransom DDoS Attacks on VMware based cloud systems and possible counter measures

   

Added on 2023-06-04


Table of Contents
1. Title.....................................................................................................................................................2
2. Background........................................................................................................................................2
2.1 DDoS Attack...................................................................................................................................2
2.2 SNORT based IDS.........................................................................................................................4
2.3 DDoS attacks in the cloud environment.......................................................................................8
2.4 Counter measures for DDoS attack............................................................................................10
3. Aim...................................................................................................................................................12
4. Objectives.........................................................................................................................................12
5. Research Question...........................................................................................................................12
6. Research Methodology....................................................................................................................13
7. Types of DDoS Attacks....................................................................................................................13
8. Ransom DDoS attacks.....................................................................................................................19
9. ESXi based Cloud Systems..............................................................................................................20
10. Ransom DDoS Attacks on VMware based cloud systems.........................................................21
11. Project Planning..........................................................................................................................29
12. Resources Required.....................................................................................................................36
13. DDoS attacks using Kali Linux and its Test Results.................................................................61
14. Deliverables..................................................................................................................................96
15. Conclusion....................................................................................................................................96
16. References....................................................................................................................................97

1. Title
Ransom DDoS Attacks on VMware based cloud systems and possible counter measures
2. Background
2.1 DDoS Attack
DDoS is the short form of Distributed Denial of Service. A DDoS attack is a malicious attempt
to overwhelm a target such as a network, service or server with a flood of traffic. The traffic comes
from a network of compromised systems, so the traffic volume in the network rises and the attack
arrives from multiple sources at once (Acharya and Pradhan, 2017). The attack traffic prevents the
regular traffic from reaching its destination and makes the online service unavailable, forcing the
system to stop performing its usual services. Various techniques are used to perform DDoS attacks
(Aguiar and Hessel, 2012). Usually these attacks compromise some vulnerable systems and force
them to act against a target (Aswariza, Perdana and Negara, 2017). As a result, the attacked system
hangs or shuts down and stops providing its usual services.
Distributed Denial of service attack
A DDoS attack is a cyber-attack in which the attacker prepares network or machine
resources that disrupt and deny the services of systems connected to the internet (Alleged MPAA
DDoS attacks spark retaliatory cyber-attacks, 2010). The attack is complex. It overwhelms a cloud
server by injecting malicious packets into the cloud so that its critical resources are consumed
quickly (Bose and Sarddar, 2015).

Challenges
The challenges are described below (Bugnion et al., 2012).
Server resources
If a DDoS attack occurs, the following server resources are severely affected: bandwidth,
memory, and CPU. In addition, each connection stays open until its session expires (Chaolong,
Hanning and Lili, 2016).
Open architecture
The attack tools are arranged by the attacker's machines to perform flooding attacks at a high rate.
The collaborative and open architecture of the internet is exploited to infect internetworked
devices and machines (GAO et al., 2012). The health of the network is preserved only if the
infected machines are cleaned or removed.
High speed
The parameters of the attack, such as the number of nodes, the strength of the attack and the
protocol used, are unpredictable when the attack is distributed (Grimes, 2005). The protection
solution must therefore be highly reactive, because blocking malicious traffic is more demanding
in high-speed networks.
Attack signatures
Attack signatures are used to maintain a list of known distributed denial of service attacks. The
signatures mostly cover all the variants that are possible in real time (Guo et al., 2015). The traffic
depends on the behaviour of the targeted network and differs when the same attack is set up in
another cloud network.
Denial of service
Denial of service is also considered an attack. The DoS attack takes many forms, such as:
1. Transmission Control Protocol SYN flood
2. TCP DoS mitigation strategy.

Transmission control protocol SYN flood
The Transmission Control Protocol SYN flood is found throughout the global internet. TCP is
used to transfer data from source to destination and provides reliable, ordered delivery; the data
sent by the user must arrive reliably. TCP was developed for the early internet, which was a private
collection of computers, and its security dates from that time. TCP has some features that are
exploited to perform denial of service attacks: the flood exhausts connection resources and other
system resources such as the Central Processing Unit (CPU).
TCP denial of service mitigation strategy
This strategy is applied in the firewall to limit the number of Transmission Control Protocol
(TCP) SYN packets. Multiple hosts are frequently involved in the attack, which is then called
distributed DoS. Many composite solutions have met with success, both in the network and at the
end host. The network-based approach relies on firewall proxies, which handle the connection
request on the client's side and obtain the acknowledgment from the user before the connection is
passed on to the server.
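The firewall-proxy approach just described, as an added Python simulation that is not part of the report: a server with a small half-open connection table receives a constructed SYN flood from spoofed sources, once directly and once behind a proxy that completes the three-way handshake itself and forwards only completed connections. The table sizes, timeouts, addresses and packet timings are constructed assumptions for the example, not measurements from the report.

```python
"""Constructed simulation of a TCP SYN flood against a server whose half-open
connection table is finite, with and without a SYN-proxying firewall in front
of it. All packets are synthetic records; no sockets are opened."""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float    # arrival time in seconds (constructed)
    src: str    # source address; flood packets use spoofed sources that never reply
    flags: str  # "S" = SYN, "A" = the client's final ACK of the three-way handshake


class Backlog:
    """Half-open connection table of finite size: the resource a SYN flood exhausts."""

    def __init__(self, capacity, timeout):
        self.capacity, self.timeout = capacity, timeout
        self.half_open = OrderedDict()  # src -> time its SYN arrived, oldest first
        self.established = set()
        self.dropped = 0                # SYNs refused because the table was full

    def _expire(self, now):
        # A half-open entry is released only when its timeout elapses
        while self.half_open:
            src, t0 = next(iter(self.half_open.items()))
            if now - t0 < self.timeout:
                break
            del self.half_open[src]

    def syn(self, pkt):
        self._expire(pkt.t)
        if pkt.src in self.half_open:
            return                      # retransmitted SYN; entry already held
        if len(self.half_open) >= self.capacity:
            self.dropped += 1           # spoofed and legitimate SYNs are refused alike
            return
        self.half_open[pkt.src] = pkt.t

    def ack(self, pkt):
        if self.half_open.pop(pkt.src, None) is not None:
            self.established.add(pkt.src)


class SynProxy:
    """Firewall proxy: it holds the half-open state itself and hands a connection
    to the server only once the client's ACK has completed the handshake."""

    def __init__(self, server, capacity=4096, timeout=5.0):
        self.server = server
        self.table = Backlog(capacity, timeout)

    def handle(self, pkt):
        if pkt.flags == "S":
            self.table.syn(pkt)
        elif pkt.flags == "A" and pkt.src in self.table.half_open:
            self.table.ack(pkt)
            # Spoofed sources never send this ACK, so the server only ever sees
            # handshakes that complete at once and never holds a half-open entry.
            self.server.syn(Packet(pkt.t, pkt.src, "S"))
            self.server.ack(Packet(pkt.t, pkt.src, "A"))


def constructed_traffic():
    """Five legitimate clients (192.0.2.0/24) mixed with 200 spoofed SYNs (10.0.0.0/8)."""
    pkts = []
    for i in range(5):
        t, src = 0.1 + 0.5 * i, f"192.0.2.{i + 1}"
        pkts.append(Packet(t, src, "S"))
        pkts.append(Packet(t + 0.01, src, "A"))
    for k in range(200):  # about 77 spoofed SYNs per second, each from a distinct source
        pkts.append(Packet(0.013 * k, f"10.0.{k // 256}.{k % 256}", "S"))
    return sorted(pkts, key=lambda p: p.t)


def simulate(use_proxy, backlog_capacity=8):
    """Run the constructed traffic and report what the server ended up with."""
    server = Backlog(capacity=backlog_capacity, timeout=5.0)
    proxy = SynProxy(server) if use_proxy else None
    for pkt in constructed_traffic():
        if proxy is not None:
            proxy.handle(pkt)
        elif pkt.flags == "S":
            server.syn(pkt)
        else:
            server.ack(pkt)
    return {
        "legit_established": sum(1 for s in server.established if s.startswith("192.0.2.")),
        "server_dropped": server.dropped,
        "server_half_open": len(server.half_open),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("with SYN proxy:" if mode else "server exposed:", simulate(mode))
```

Run directly, the exposed server ends with its eight slots held by spoofed SYNs and no legitimate connection established, while behind the proxy all five clients connect and the server never drops a packet. The caveat a practitioner should keep in mind is that the proxy does not remove the half-open state, it relocates it: the proxy's own table must be far larger than the server's and must expire entries quickly, and the per-destination SYN limit discussed above still belongs in front of it.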
2.2 SNORT based IDS
A SNORT based Intrusion Detection System can be designed to stop and study DDoS attacks.
Snort
Snort is a signature-based intrusion detection system that monitors the network. It
examines all network traffic to determine whether an intrusion is present. It implements a
detection engine that can respond to, warn about and log previously defined kinds of attack. It is
free and runs under GNU/Linux and Windows (Halton et al., 2017). Snort is the most commonly
used tool; it receives continuous updates and predefined signatures. Snort's architecture has a few
basic components (Kennedy, 2011). The decoder is the component responsible for building the
data structures used to recognise network protocols. The preprocessors extend the system's
functionality, and the detection engine examines each packet according to the signatures.
Detection plugins allow the functionality of the detection engine to be changed, and the signature
files define the well-known attacks to be detected. Output plugins define where, how and what
alerts are saved. Finally, the traffic capture module captures all the packets on the network
(Kandias and Gritzalis, 2013). For example, modelling of HTTP traffic repeatedly improves
Snort's ability to generate patterns of attack data, while the network traffic models assess events
and look for irregularities in them.
Intrusion Detection System
According to the National Institute of Standards and Technology (NIST), an IDS is a
method of event monitoring: the events that occur in a network or computer system are monitored
and identified (Khawaja, 2018). Intrusion detection systems are of two main types: anomaly-based
and signature-based. An anomaly-based IDS attempts to identify suspicious activity on the
computer system. In its first stage the system is trained, and knowledge about what is considered
legitimate and normal is obtained (Marshall et al., 2015). Afterwards the system reports suspicious
activity (Kim, Lee and Jang, 2012). The user can select among various detection techniques to
define what activity counts as normal (L. Pritchett, 2013). Both anomaly-based and signature-based
intrusion detection systems have pros and cons.
A signature-based intrusion detection system examines the network traffic against signatures
assembled from different elements, which helps to classify the traffic (Liebowitz, Kusek and
Spies, 2014). To determine whether any of the network traffic matches a well-known signature,
the IDS uses a pattern recognition method. Snort is the IDS used here. It supports the following
policies (Liu, n.d.): network recorder, network intrusion detection, Snort, and security network
monitor.
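To make the signature matching and the detection-engine threshold of the two passages above concrete, here is an added Python example (not Snort's code and not from the report) that applies a SYN-flood rule to constructed tcpdump-style summary lines. Matching by destination rather than by source is the point to notice: with random spoofed sources, a per-source counter would never reach the threshold. The line format, the 20-in-1-second threshold and the addresses are assumptions chosen for the example; the rule in the comment is the equivalent written in Snort 2 rule syntax.

```python
"""Added example: a minimal signature-plus-threshold rule in the style of a Snort
detection_filter, run over constructed tcpdump-like packet summaries."""
import re
from collections import defaultdict, deque

# The equivalent Snort rule (Snort 2 syntax), for comparison with the code below:
#   alert tcp any any -> $HOME_NET 80 (msg:"Possible TCP SYN flood"; flags:S;
#       detection_filter:track by_dst, count 20, seconds 1; sid:1000001; rev:1;)

PACKET_LINE = re.compile(
    r"^(?P<t>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse(line):
    """Decode one summary line into a packet record, or None if it does not fit."""
    m = PACKET_LINE.match(line)
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["t"] = float(pkt["t"])
    return pkt


class SynFloodRule:
    """Signature: a SYN-only segment to the web port. Threshold: `count` matches
    to the same destination within `seconds` (Snort's track by_dst)."""

    def __init__(self, count=20, seconds=1.0, dport="80"):
        self.count, self.seconds, self.dport = count, seconds, dport
        self.recent = defaultdict(deque)   # dst -> arrival times of recent matches

    def matches(self, pkt):
        return pkt["dport"] == self.dport and pkt["flags"] == "S"

    def check(self, pkt):
        """Return an alert dict when the threshold is crossed, else None."""
        if not self.matches(pkt):
            return None
        window = self.recent[pkt["dst"]]
        window.append(pkt["t"])
        while window and pkt["t"] - window[0] > self.seconds:
            window.popleft()             # slide the window forward
        if len(window) < self.count:
            return None
        hits = len(window)
        window.clear()                   # simplification: alert once per burst, then restart
        return {"t": pkt["t"], "dst": pkt["dst"], "count": hits, "msg": "Possible TCP SYN flood"}


def run(lines, rule=None):
    """Feed summary lines through the rule and collect the alerts it raises."""
    rule = rule or SynFloodRule()
    alerts = []
    for line in lines:
        pkt = parse(line)
        if pkt is not None:
            alert = rule.check(pkt)
            if alert is not None:
                alerts.append(alert)
    return alerts


def constructed_log():
    """Constructed packet summaries: a few normal connections plus a 25-packet burst."""
    lines = []

    def add(t, src, sport, dst="198.51.100.10", dport=80, flags="S"):
        lines.append(f"{t:.6f} IP {src}.{sport} > {dst}.{dport}: Flags [{flags}], "
                     f"seq 1, win 64240, length 0")

    add(0.5, "192.0.2.1", 51000)                                  # legitimate client SYN
    add(0.51, "198.51.100.10", 80, "192.0.2.1", 51000, "S.")     # server's SYN-ACK: no match
    add(1.0, "192.0.2.2", 51001)
    add(1.2, "192.0.2.2", 51002, dport=22)                        # SYN to another port: no match
    for k in range(25):  # 25 SYNs from distinct spoofed sources inside half a second
        add(3.0 + 0.02 * k, f"10.0.0.{k + 1}", 40000 + k)
    add(5.0, "192.0.2.3", 51003)                                  # normal traffic resumes
    return lines


if __name__ == "__main__":
    for alert in run(constructed_log()):
        print(alert)
```

Run directly, the constructed log produces exactly one alert, raised on the twentieth SYN of the burst; the isolated client SYNs, the server's SYN-ACK and the SSH SYN never contribute. Clearing the window after an alert is a deliberate simplification so that one burst yields one alert; Snort's own detection_filter keeps evaluating the rule while the count stays above the threshold.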

Evaluation methodology
This work examines Snort's performance under various hardware configurations. For DDoS
attacks based on TCP flooding, the assessment was carried out on a test bed built from both
advanced and limited hardware (Lowe et al., 2013). In this process, background traffic and attack
traffic are simulated. Snort's detection capability and performance are measured under different
traffic loads per unit of time. The evaluation is organised into evaluation metrics, test benches and
attack scenarios (Marshall and Lowe, 2014).
Evaluation metrics
The metrics relate directly to Snort's performance and detection ability as time increases.
They are described briefly below.
Packet rate in maximum
This metric measures Snort's ability to process traffic on a specific hardware configuration.
It is defined as the maximum traffic that Snort can examine and handle before it starts to drop
packets, and it is measured as a benchmark. The metric matters because, in every test bench,
packets are generated within the constraint of the benchmark packet rate.
Resource availability
All systems have finite resources, and a DoS attack aims to exhaust them so that they are no
longer available to legitimate users. Snort's memory and CPU utilisation of the system resources
were measured: its CPU utilisation was 79% on the first test bench, 74% on the second and 76%
on the third. From these values it follows that Snort performed better on the second test bench.
Throughput
Throughput specifies the proportion of UDP and ICMP packets lost in each test bench. It was
observed that, every time, 100% of the packets were lost while the target server was under DoS.

Attack scenario
An Apache 2 web server was set up on the target server. The attacking machine was set up
to conduct TCP SYN packet flooding using the hping3 tool with the random-source option for IP
addresses. This process has two scenarios:
Attack scenario – 1
This scenario is used to analyse Snort's performance. Within the unit of time, the target server
becomes unresponsive.
Attack scenario – 2
This is a mixed-traffic scenario: both background and attack traffic are sent, and the loss of
legitimate packets per unit of time is examined. Snort's performance, the target's packet handling
and Snort's detection ability are also examined.
Test benches
Three test benches with different hardware configurations were chosen. A NIDS shows limited
performance when running on a virtual platform, so the test benches were specified to reflect the
real environment, and all four systems are used to conduct the experiments. In the test benches, a
Linux operating system is superior to Windows in terms of Snort's execution, so all systems were
installed with Linux. Various tools are used in the test benches.
DDoS simulation attack tools
hping3 was chosen because of its ability to craft TCP packets, which makes it easy to simulate
TCP flooding for the DDoS attack. hping3 allows control of the number of packets per second, the
TCP flags of a session, and the source and destination addresses.
Generation tools for background traffic
hping3 and Ostinato are used to generate background traffic. The packet loss rate in the
background traffic was identified using Wireshark. In order to examine
