Computer Networks: DoS, DDoS Attacks, and Mitigation Strategies

Added on 2019/09/25

Homework Assignment
AI Summary
This assignment comprehensively explains Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, detailing their differences and impacts on network and server resources. It explores attacks like TCP SYN flooding and ICMP (Ping) flooding, illustrating how they consume resources. A network diagram of a typical DDoS attack involving attackers, zombies (bots), control servers, and a target is provided, with explanations of each component's role. The assignment also analyzes a recent DDoS attack utilizing the Network Time Protocol (NTP), detailing the targeted entities, resource consumption (80 Gb/s), and perpetrators. Finally, it outlines at least two methods for detecting, preventing, and mitigating DDoS attacks, such as antivirus updates and traffic redirection/blocking. The assignment is supported by references to academic research on the topic.
What is a DoS attack? What is a DDoS attack? What are the differences between DoS and
DDoS? Explain the difference between attacks that consume network resources and attacks
that consume server resources (e.g. RAM, CPU). Use the examples of TCP SYN flooding and
ICMP (Ping) flooding attacks in your explanation.
A denial of service (DoS) attack is an action that prevents or impairs the authorised use
of networks, systems, or applications by exhausting resources such as CPU, memory,
bandwidth and disk space (Ambrosin, 2015).
A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the
bandwidth or resources of a targeted system, usually one or more web servers. Such an
attack is typically carried out by a large number of compromised systems (a botnet) all
sending traffic to the target at once.
The difference is in the number of sources. A DoS attack comes from a single host or
network, so it is limited to that host's bandwidth and can often be stopped by blocking
the one source address. A DDoS attack comes from many hosts at the same time, which lets
the attacker aggregate far more bandwidth than any single machine has and makes
source-based filtering ineffective, because there is no single address to block.
Attacks that consume server resources
A TCP SYN flooding attack exhausts the state a server keeps per connection rather than
the capacity of its link. The attacker sends a stream of TCP SYN segments to the target,
using spoofed source addresses. For each SYN the target replies with a SYN-ACK and
allocates an entry in its half-open connection queue, but the spoofed "client" never
sends the final ACK, so every entry sits in memory until it times out (Bogdanoski,
2016). Once the queue is full the server discards new SYNs, including those from
legitimate clients, and starts dropping connections even though the network link may be
almost idle. The cost to the target is memory for connection state and CPU time per
segment, so a comparatively low packet rate is enough.
Attacks that consume network resources
An ICMP (Ping) flooding attack targets bandwidth. The attacker has access to a
high-capacity link while the target's connection to the Internet has lower capacity.
The attacker uses ping to send a large volume of ICMP Echo Request packets to the target
server; the link from the target's ISP to its router is overloaded and the router drops
packets indiscriminately, valid packets included. The server behind the router may have
spare CPU and memory, but little legitimate traffic reaches it.
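The contrast between the two attacks, as an added simulation that is not part of the original assignment: a fixed-size half-open connection queue filled by spoofed SYNs (server state), a link that drops whatever exceeds its capacity (network bandwidth), and SYN cookies, the stateless defence from the Chen (2014) reference, which let the same server survive the same flood. Queue sizes, addresses, the secret key and the cookie construction are assumptions chosen for the example; real stacks use larger backlogs and also encode the MSS in the cookie.

```python
"""Added example: SYN flood versus ICMP flood resource consumption, and SYN
cookies as the stateless fix. Illustrative simulation, not captured traffic."""
import hashlib
import hmac
import itertools
import random
from collections import OrderedDict


# --- server resource: the half-open (SYN_RECV) connection queue ------------
class HalfOpenQueue:
    """A listening socket's backlog of connections that have received a SYN
    and been sent a SYN-ACK but are still waiting for the client's final ACK.
    The capacity is assumed small here; real stacks default to hundreds or
    thousands of entries, but the exhaustion mechanism is the same."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.pending = OrderedDict()   # (src_ip, src_port) -> server ISN
        self.dropped = 0

    def on_syn(self, src, isn_gen):
        if len(self.pending) >= self.capacity:
            self.dropped += 1
            return False               # backlog full: SYN silently discarded
        self.pending[src] = next(isn_gen)
        return True

    def on_ack(self, src, ack):
        isn = self.pending.pop(src, None)
        return isn is not None and ack == isn + 1


def syn_flood_then_legit(capacity, spoofed_syns, seed=1):
    """Send spoofed SYNs that never get an ACK (entries stay until timeout),
    then check whether a legitimate client can still complete a handshake."""
    rng = random.Random(seed)
    q = HalfOpenQueue(capacity)
    isn_gen = itertools.count(1000)
    for _ in range(spoofed_syns):
        spoofed = (f"203.0.113.{rng.randrange(256)}", rng.randrange(1024, 65535))
        q.on_syn(spoofed, isn_gen)     # SYN-ACK goes to a host that never replies
    legit = ("198.51.100.7", 40000)
    if not q.on_syn(legit, isn_gen):
        return False                   # dropped: queue is full of spoofed entries
    return q.on_ack(legit, q.pending[legit] + 1)


# --- mitigation: SYN cookies keep no state per SYN --------------------------
SECRET = b"server-secret-key"          # assumption: per-server secret, rotated

def syn_cookie(src, dst, counter):
    """Stateless ISN: a MAC over the 4-tuple and a slowly incrementing
    counter, truncated to 32 bits (simplified relative to real cookies)."""
    msg = f"{src[0]}:{src[1]}>{dst[0]}:{dst[1]}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

def cookie_ack_valid(src, dst, ack, counter):
    """Accept the current and previous counter value to allow for the RTT."""
    return any(ack == syn_cookie(src, dst, c) + 1 for c in (counter, counter - 1))

def syn_flood_with_cookies(spoofed_syns, seed=1):
    """Same flood, but the server remembers nothing: every SYN just gets a
    cookie ISN, and only a host that really received the SYN-ACK can echo
    cookie + 1 in its ACK."""
    dst = ("192.0.2.10", 80)
    counter = 1
    rng = random.Random(seed)
    for _ in range(spoofed_syns):
        spoofed = (f"203.0.113.{rng.randrange(256)}", rng.randrange(1024, 65535))
        syn_cookie(spoofed, dst, counter)   # SYN-ACK sent; no memory allocated
    legit = ("198.51.100.7", 40000)
    isn = syn_cookie(legit, dst, counter)
    return cookie_ack_valid(legit, dst, isn + 1, counter + 1)  # counter ticked meanwhile


# --- network resource: a link with fixed capacity ---------------------------
def link_drop_fraction(attack_bps, legit_bps, capacity_bps):
    """Share of *legitimate* traffic lost when the ISP-to-router link is
    oversubscribed and the router drops arriving packets indiscriminately."""
    offered = attack_bps + legit_bps
    if offered <= capacity_bps:
        return 0.0
    return 1.0 - capacity_bps / offered


if __name__ == "__main__":
    print("SYN flood, stateful backlog, legit client ok?", syn_flood_then_legit(256, 300))
    print("SYN flood, SYN cookies, legit client ok?", syn_flood_with_cookies(300))
    print("ICMP flood 1 Gb/s into a 100 Mb/s link, legit loss:",
          round(link_drop_fraction(1e9, 20e6, 100e6), 3))
```

The stateful server fails the legitimate client as soon as the backlog holds more spoofed entries than its capacity, while the cookie-based server needs no memory at all and still rejects any ACK that does not match a cookie it could have issued. The link model shows the other failure mode: the server is fine, but over 90% of legitimate packets never arrive.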
Q. Draw a network diagram that illustrates a typical (but simplified) DDoS attack
involving: attacker, zombies or bots, (command and) control servers and target. Explain
your diagram, including what is the role of zombies/bots and control servers.
The attacker first infects a number of computers on the Internet with malicious software
and thereby takes control of them. Each compromised computer is called a zombie or bot,
and the collection of zombies under one attacker's control is a botnet. The attacker does
not talk to the bots directly: commands are sent through one or more command-and-control
servers, which relay the attacker's instructions (target address, attack type, start
time) to the bots and put an extra layer between the attacker and the attack traffic, so
the bots and the target never see the attacker's own address.
On command, every bot starts sending attack traffic, such as ICMP requests or TCP SYN
segments, to the target at the same time (Chen, 2014). The target is flooded by the
combined traffic of thousands of sources, so blocking any single source address does not
stop the attack, and the individual bots each send little enough that their owners
rarely notice.
Describe an example of a recent DDoS attack, including who was targeted, what amount
of resources were consumed (e.g. how many Gb/s), when was the attack, and the likely
perpetrators
A recent set of publicised DDoS attacks made use of the Network Time Protocol (NTP). NTP
is used by computers to synchronise their clocks with more accurate time servers, and
there are many public time servers. The attacks took advantage of the fact that older
versions of the NTP server software answered a monitoring query (the monlist command)
with a list of the hosts that had recently communicated with the time server, up to 600
of them (Liu, 2013). A malicious node can send this small request to an NTP server,
which then responds with a very large reply, many times the size of the request. With
the source address of the request spoofed to the victim's address, the server sends its
large reply to the victim instead of the attacker; with lots of open NTP servers to
reflect off, this makes for a very effective amplified DDoS attack.
Targets: gaming web sites and online game service providers. When: December 2013.
Resources consumed: around 80 Gb/s of attack traffic arrived at the targets. Likely
perpetrators: because the traffic is reflected off third-party NTP servers and the
requests carry spoofed source addresses, the originating hosts are hidden and
attribution is difficult; a hacker group publicly claimed responsibility for the attacks
on the gaming services.
What are at least two methods for detecting, preventing and/or mitigating DDoS
attacks?
1. Keep hosts patched and protected with up-to-date antivirus. This does not stop
traffic arriving at a target, but it prevents machines from being recruited into a
botnet in the first place and lets bot malware be detected and removed, which shrinks
the attacker's capacity. On the server side, SYN cookies (Chen, 2014) let a server
validate the final ACK of the handshake cryptographically instead of storing state for
every SYN, so a SYN flood no longer exhausts the half-open connection queue.
2. Detect the flood from traffic statistics and redirect or block it. An abnormal rate
of SYNs with no matching ACKs, or a sudden surge of ICMP or UDP traffic from many
sources to one host, is the signal. The response is to rate-limit or drop the offending
traffic at the network edge, or to redirect the target's traffic through a scrubbing
service that filters attack packets before forwarding the rest. For reflection attacks
such as the NTP one, ISPs should also apply ingress filtering so that packets with
spoofed source addresses never leave their networks, and NTP operators should disable
the monlist query.
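The detection and blocking step of method 2, applied to both the SYN flood and the NTP amplification attack described above, as an added example that is not part of the original assignment. It works over constructed flow summaries (a NetFlow-style CSV format assumed for the example: timestamp, protocol, source, source port, destination, destination port, TCP flags, bytes, packets), flags a host receiving many half-open SYNs from many sources and a host receiving large UDP replies from many NTP servers, and turns the alerts into iptables rules an operator could push to the edge. The thresholds, the 482-byte monlist reply size and the rate-limit values are assumptions.

```python
"""Added example: flag a SYN flood and an NTP amplification flood in flow
records and emit edge filter rules. All records are constructed, not captured."""
from collections import defaultdict

FIELDS = ("ts", "proto", "src", "sport", "dst", "dport", "flags", "bytes", "pkts")


def parse_flow(line):
    """Parse one CSV flow summary (assumed format) into a dict with int fields."""
    rec = dict(zip(FIELDS, line.strip().split(",")))
    for k in ("ts", "sport", "dport", "bytes", "pkts"):
        rec[k] = int(rec[k])
    return rec


def constructed_flows():
    """Constructed 5-second window: two real web connections, one normal NTP
    reply, a spoofed SYN flood on 192.0.2.10:80 and monlist replies reflected
    from 60 open NTP servers onto 192.0.2.20 (packet sizes assumed)."""
    lines = [
        "0,tcp,198.51.100.7,40000,192.0.2.10,80,SA,5200,12",   # completed handshake
        "0,tcp,198.51.100.8,40001,192.0.2.10,80,SA,7300,15",
        "0,udp,198.51.100.9,123,192.0.2.20,123,,96,2",         # ordinary 48-byte time replies
    ]
    # 400 SYN-only flows, one 60-byte packet each, from 256 spoofed sources
    lines += [f"0,tcp,203.0.113.{i % 256},{50000 + i},192.0.2.10,80,S,60,1"
              for i in range(400)]
    # 60 reflectors, each sending 100 monlist packets of 482 bytes to the victim
    lines += [f"0,udp,198.18.0.{i + 1},123,192.0.2.20,{40000 + i},,48200,100"
              for i in range(60)]
    return [parse_flow(l) for l in lines]


def detect_syn_flood(flows, min_syn_only=200, min_sources=50, window_s=5):
    """Per (dst, port): count flows that only ever carried a SYN versus flows
    that carried an ACK. Many half-open attempts from many distinct sources in
    one window is the signature of a spoofed SYN flood."""
    syn_flows, syn_srcs, completed = defaultdict(int), defaultdict(set), defaultdict(int)
    for f in flows:
        if f["proto"] != "tcp":
            continue
        key = (f["dst"], f["dport"])
        if f["flags"] == "S":
            syn_flows[key] += 1
            syn_srcs[key].add(f["src"])
        elif "A" in f["flags"]:
            completed[key] += 1
    return [{"type": "syn_flood", "dst": dst, "dport": dport, "half_open": n,
             "sources": len(syn_srcs[(dst, dport)]), "completed": completed[(dst, dport)],
             "syn_rate_pps": n / window_s}
            for (dst, dport), n in syn_flows.items()
            if n >= min_syn_only and len(syn_srcs[(dst, dport)]) >= min_sources]


def detect_ntp_amplification(flows, min_bytes_per_pkt=200, min_reflectors=20, window_s=5):
    """Inbound UDP from source port 123 is normally a 48-byte time reply. Large
    replies from many distinct servers to one host mean that host's address
    was spoofed in monlist requests and it is receiving the amplified answers."""
    per_dst = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    for f in flows:
        if f["proto"] == "udp" and f["sport"] == 123 and f["bytes"] / f["pkts"] >= min_bytes_per_pkt:
            per_dst[f["dst"]]["bytes"] += f["bytes"]
            per_dst[f["dst"]]["reflectors"].add(f["src"])
    return [{"type": "ntp_amplification", "dst": dst, "reflectors": len(s["reflectors"]),
             "gbps": s["bytes"] * 8 / window_s / 1e9}
            for dst, s in per_dst.items() if len(s["reflectors"]) >= min_reflectors]


def block_rules(alerts):
    """Turn alerts into iptables rules for the edge firewall: rate-limit new
    SYNs to the flooded service and drop oversized NTP replies to a host that
    never asked for them. Standard iptables syntax; limits are example values."""
    rules = []
    for a in alerts:
        if a["type"] == "syn_flood":
            base = f"iptables -A INPUT -p tcp --syn -d {a['dst']} --dport {a['dport']}"
            rules.append(f"{base} -m limit --limit 100/s --limit-burst 200 -j ACCEPT")
            rules.append(f"{base} -j DROP")
        elif a["type"] == "ntp_amplification":
            rules.append(f"iptables -A INPUT -p udp --sport 123 -d {a['dst']} "
                         f"-m length --length 200:65535 -j DROP")
    return rules


if __name__ == "__main__":
    flows = constructed_flows()
    alerts = detect_syn_flood(flows) + detect_ntp_amplification(flows)
    for a in alerts:
        print(a)
    print("\n".join(block_rules(alerts)))
```

The rate-limit rule keeps the service reachable while the flood is analysed; the complete fix for the SYN flood is to enable SYN cookies on the server (on Linux, `net.ipv4.tcp_syncookies=1`), and the complete fix for the NTP attack lies with the reflectors and their ISPs, as described under method 2, since the victim can only discard the amplified replies after they have already consumed its link.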
References
Ambrosin, M., Conti, M., De Gaspari, F. and Poovendran, R., 2015, April. LineSwitch:
Efficiently managing switch flow in software-defined networking while effectively
tackling DoS attacks. In Proceedings of the 10th ACM Symposium on Information,
Computer and Communications Security (pp. 639-644). ACM.
Bogdanoski, M., Toshevski, A., Bogatinov, D. and Bogdanoski, M., 2016. A novel
approach for mitigating the effects of the TCP SYN flood DDoS attacks. World Journal
of Modelling and Simulation, 12(3), pp.217-230.
Chen, L., Szeto, R.W.L. and Hwang, S.T., A10 Networks, Inc., 2014. System and method
for an adaptive TCP SYN cookie with time validation. U.S. Patent RE44,701.
Liu, S., Liu, X.P. and El Saddik, A., 2013, February. Denial-of-Service (DoS) attacks on
load frequency control in smart grids. In Innovative Smart Grid Technologies (ISGT),
2013 IEEE PES (pp. 1-6). IEEE.