Investigating Ransom DDoS Attacks on VMware Cloud & Countermeasures

Added on 2023/06/04

AI Summary
This project investigates Ransom Distributed Denial of Service (DDoS) attacks targeting VMware-based cloud systems and explores potential countermeasures. It provides a background on DDoS attacks, SNORT-based Intrusion Detection Systems (IDS), and the specific challenges of DDoS attacks in cloud environments. The project outlines the aim, objectives, research questions, and methodology used to analyze these attacks. It details different types of DDoS attacks and delves into the specifics of Ransom DDoS attacks and ESXi-based cloud systems. The project includes a plan, resource requirements, and test results from simulating DDoS attacks using Kali Linux. Ultimately, the project aims to identify vulnerabilities and propose effective mitigation strategies for protecting VMware cloud systems against Ransom DDoS attacks.
Ransom DDoS Attacks on VMware based cloud systems & possible counter measures
Table of Contents
1. Title (p. 2)
2. Background (p. 2)
2.1 DDoS Attack (p. 2)
2.2 SNORT based IDS (p. 4)
2.3 DDoS attacks in the cloud environment (p. 8)
2.4 Counter measures for DDoS attack (p. 10)
3. Aim (p. 12)
4. Objectives (p. 12)
5. Research Question (p. 12)
6. Research Methodology (p. 13)
7. Types of DDoS Attacks (p. 13)
8. Ransom DDoS attacks (p. 19)
9. ESXi based Cloud Systems (p. 20)
10. Ransom DDoS Attacks on VMware based cloud systems (p. 21)
11. Project Planning (p. 29)
12. Resources Required (p. 36)
13. DDoS attacks using Kali Linux and its Test Results (p. 61)
14. Deliverables (p. 96)
15. Conclusion (p. 96)
16. References (p. 97)
1. Title
Ransom DDoS Attacks on VMware based cloud systems and possible counter measures
2. Background
2.1 DDoS Attack
DDoS is short for Distributed Denial of Service. A DDoS attack is a malicious attempt to
overwhelm a target such as a network, service or server with a flood of traffic. The traffic
comes from a network of compromised systems, so the attack arrives from many sources at once
and the volume of traffic on the network rises sharply (Acharya and Pradhan, 2017). The attack
traffic prevents regular traffic from reaching its destination and makes online services
unavailable; the target is forced to stop providing its usual services. Various techniques are
used to perform DDoS attacks (Aguiar and Hessel, 2012). Usually the attacker compromises a
number of vulnerable systems and directs them at the target (Aswariza, Perdana and Negara,
2017). As a result, the attacked system hangs or shuts down and stops performing its usual
services.
Distributed Denial of Service attack
A DDoS attack is a cyber-attack in which the attacker prepares a network of machines or
resources that disrupt the services of systems connected to the internet, denying them service
(Alleged MPAA DDoS attacks spark retaliatory cyber-attacks, 2010). The attack appears complex.
It overwhelms a cloud server by injecting malicious packets into the cloud in order to consume
its critical resources quickly (Bose and Sarddar, 2015).
Challenges
The challenges are described below (Bugnion et al., 2012).
Server resources
When a DDoS attack happens, the following server properties are severely affected:
bandwidth, memory and CPU. In addition, each connection stays open until its session has
expired (Chaolong, Hanning and Lili, 2016).
Open architecture
Attack tools are arranged by the attacker's machines to perform flooding attacks at a high rate.
The collaborative and open architecture of the internet is abused to infect internetworked
devices and machines (GAO et al., 2012). The health of the network is preserved only if the
infected machines are repaired or removed.
High speed
When the attack is distributed, its parameters, such as the number of attacking nodes, the
strength of the attack and the protocol used, are unpredictable (Grimes, 2005). The protection
solution must therefore be highly reactive, because in high-speed networks a much larger
volume of malicious traffic has to be blocked.
Attack signatures
Attack signatures are used to maintain the list of known distributed denial of service attacks.
The signatures must cover all variants that are possible in real time (Guo et al., 2015). The
attack traffic depends on the behaviour of the targeted network, and it differs again when the
attack is set up against another cloud network.
Denial of service
Denial of service (DoS) is also considered an attack. The DoS attack takes many forms, such
as
1. Transmission Control Protocol SYN flood
2. TCP DoS mitigation strategy.
Transmission Control Protocol SYN flood
The TCP SYN flood is found across the global internet. TCP is used to transfer data from
source to destination and provides reliable, ordered delivery, so the data sent by the user
must arrive reliably. TCP was developed for the early internet, which was a private collection
of computer and security systems. TCP has a number of features, and these are exploited to
perform the denial of service attack. The flood attack targets connection handling and other
system resources such as the Central Processing Unit (CPU).
TCP denial of service mitigation strategy
The firewall is used to limit the number of Transmission Control Protocol (TCP) SYN packets it
accepts. Frequently many hosts are involved in the attack, which is then called distributed DoS.
Many composite solutions have met with success on both the network hosts and the end hosts.
The network-based approach relies on firewall proxies, which forward the connection request to
the server side only after the acknowledgment has been received from the client.
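The two defensive ideas above, tracking half-open connections and rate-limiting SYNs per destination, can be checked against a packet trace. The following is an added example written for this page, not code from the report; the trace, addresses and thresholds are constructed values.

```python
# Added example (not part of the original report): a minimal SYN-flood
# detector that counts half-open TCP connections (SYN seen, no final ACK)
# and applies a firewall-style SYN rate limit per destination.
from collections import defaultdict, deque

# Constructed trace: (timestamp_s, src_ip, dst_ip, flags). "S" = SYN,
# "SA" = SYN-ACK from the server, "A" = the client's final ACK.
TRACE = [
    (0.00, "10.0.0.5", "10.0.0.80", "S"),
    (0.01, "10.0.0.80", "10.0.0.5", "SA"),
    (0.02, "10.0.0.5", "10.0.0.80", "A"),           # legitimate handshake completes
] + [
    (0.10 + i * 0.002, f"198.51.100.{i % 250 + 1}", "10.0.0.80", "S")
    for i in range(400)                               # 400 spoofed SYNs in ~0.8 s, never ACKed
]

def track_half_open(trace):
    """Return {server_ip: number of connections still half-open at the end of the trace}."""
    pending = set()                                   # (client, server) pairs awaiting the final ACK
    for _ts, src, dst, flags in trace:
        if flags == "S":
            pending.add((src, dst))
        elif flags == "A" and (src, dst) in pending:
            pending.discard((src, dst))               # handshake completed, no longer half-open
    counts = defaultdict(int)
    for _client, server in pending:
        counts[server] += 1
    return dict(counts)

def syn_rate_alerts(trace, window_s=1.0, max_syn_per_window=100):
    """Flag each destination whose SYN count in any sliding window exceeds the limit,
    the same check a firewall SYN rate limit applies. Returns {dst_ip: peak SYN count}."""
    windows = defaultdict(deque)                      # dst -> timestamps of recent SYNs
    peaks = defaultdict(int)
    for ts, _src, dst, flags in trace:
        if flags != "S":
            continue
        q = windows[dst]
        q.append(ts)
        while q and ts - q[0] > window_s:             # expire SYNs older than the window
            q.popleft()
        peaks[dst] = max(peaks[dst], len(q))
    return {dst: peak for dst, peak in peaks.items() if peak > max_syn_per_window}

def detect_syn_flood(trace, half_open_threshold=200):
    """A host is judged under SYN flood if it holds too many half-open connections
    or its inbound SYN rate exceeds the firewall-style limit."""
    half_open = track_half_open(trace)
    rate_alerts = syn_rate_alerts(trace)
    victims = {dst for dst, n in half_open.items() if n > half_open_threshold}
    return sorted(victims | set(rate_alerts))

if __name__ == "__main__":
    print("half-open per server:", track_half_open(TRACE))
    print("SYN rate alerts:", syn_rate_alerts(TRACE))
    print("hosts under SYN flood:", detect_syn_flood(TRACE))
```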
2.2 SNORT based IDS
A SNORT-based Intrusion Detection System can be designed to stop and study DDoS attacks.
Snort
Snort is a signature-based intrusion detection system that monitors the network. It examines
all network traffic to determine whether an intrusion is present. It implements a detection
engine that can respond to, warn about and log previously defined kinds of attack. It is free
and runs under GNU/Linux and Windows (Halton et al., 2017). Snort is the most commonly used
tool of its kind; it receives continuous updates and ships with predefined signatures. Snort's
architecture has a few basic components (Kennedy, 2011). The decoder is the component
responsible for building the data structures that recognise the network protocols. The
preprocessors extend the functionality of the system, and the detection engine examines packets
according to the signatures. Detection plugins allow the functionality of the detection engine
to be changed, and the signature files define the well-known attacks that are to be detected.
Output plugins define where, how and what observations are saved. Finally, the traffic capture
module captures all packets from the network (Kandias and Gritzalis, 2013). For example, models
of HTTP traffic improve Snort's functionality by repeatedly generating patterns of the attack
data, while network traffic models assess the events and look for irregularities in them.
Intrusion Detection System
According to the National Institute of Standards and Technology (NIST), an IDS is a method of
event monitoring: the events that happen in a network or computer system are monitored and
identified (Khawaja, 2018). There are two main types of intrusion detection system: the
anomaly-based and the signature-based IDS. An anomaly-based IDS attempts to identify suspicious
activity on the computer system. In the first stage the system is trained and acquires
knowledge of what is considered legitimate and normal (Marshall et al., 2015). Afterwards, the
system notifies the operator of suspicious activity (Kim, Lee and Jang, 2012). Various detection
techniques can be used to define which activities count as normal (L. Pritchett, 2013). Both
anomaly-based and signature-based intrusion detection systems have pros and cons.
A signature-based intrusion detection system examines network traffic. Signatures are assembled
from several elements, which helps to identify the traffic (Liebowitz, Kusek and Spies, 2014).
To decide whether any of the network traffic matches a well-known signature, the intrusion
detection system uses a pattern-recognition method. Snort is used as an IDS. It has the following
policies (Liu, n.d.): network recorder, network intrusion detection, Snort, and network security
monitor.
Evaluation methodology
The work evaluates Snort's performance under various hardware configurations. For DDoS attacks
based on TCP flooding, the assessment is carried out on test benches built with both advanced
and limited hardware (Lowe et al., 2013). In this process a simulation generates both background
and attack traffic. Snort's detection ability and performance are observed under different
traffic loads per unit of time. The evaluation is organised around evaluation metrics, test
benches and attack scenarios (Marshall and Lowe, 2014).
Evaluation metrics
These relate directly to Snort's performance and detection ability over time. The metrics are
described briefly below.
Maximum packet rate
This metric measures the rate at which Snort can process traffic on a specific hardware
configuration. It is determined as the maximum traffic rate that Snort can examine and handle
before it starts to drop packets, and is measured as a benchmark. The metric matters because
in every test bench the packets are generated within the constraint of this benchmark packet
rate.
Resource availability
All systems have finite resources. A DoS attack aims to exhaust these finite resources so that
they are no longer available to legitimate users. Snort's CPU utilisation of the system
resources was 79% on the first test bench, 74% on the second test bench and 76% on the third
test bench. From these values, Snort performed best on the second test bench.
Throughput
Throughput specifies the fraction of UDP and ICMP packets lost in each test bench. It can be
observed that the packet loss is 100% every time the target server is under DoS.
Attack scenario
An Apache 2 web server was set up on the target server. The attacking machine was set up to
conduct TCP SYN packet flooding using the hping3 tool with the option for random source IP
addresses. The process has two scenarios:
Attack scenario – 1
This scenario is used to analyse Snort's performance. Within the unit of time, the target
server becomes unresponsive.
Attack scenario – 2
This is a mixed-traffic scenario: both background and attack traffic are sent, and the loss of
legitimate packets per unit of time is examined. Snort's performance, the packets reaching the
target and Snort's detection ability are also examined.
Test benches
Three test benches with different hardware configurations were chosen. Because a NIDS shows
limited performance when running on a virtual platform, the test benches were specified to
reflect a real environment, and all four systems were used to conduct the experiments. On the
test benches a Linux operating system is superior to Windows OS in terms of Snort execution, so
all the systems were installed with a Linux operating system. Various tools are used on the test
benches.
DDoS simulation attack tools
Hping3 was preferred because of its ability to generate crafted TCP packets, which makes it
easy to simulate TCP flooding for the DDoS attack. Hping3 allows control over the number of
packets per second, the TCP flags of a session, the source address and the destination address.
Generation tools for background traffic
Hping3 and Ostinato are used to generate the background traffic. The packet loss rate of the
background traffic is identified using Wireshark. In order to examine Snort's performance with a
traffic mix, the legitimate traffic must be distinct from the attack traffic. Hence background
traffic makes up 50% of the total traffic.
DoS verification tool
Hping3 and TeamViewer are used to confirm the DoS attack on the target system, by checking
whether it still replies to legitimate clients. ICMP echo requests are sent from the legitimate
clients; Hping3 is used here in the same way as the ping command.
2.3 DDoS attacks in the cloud environment
Cloud computing combines the use of hardware and software to provide services to end users
over a network. A cloud consists of a set of virtual machines that simulate the physical
components and provide the services to the end users. Configuring virtualization in cloud
computing is difficult. The cloud computing structure consists of three service layers: IaaS
(Infrastructure as a Service), PaaS (Platform as a Service) and SaaS (Software as a Service).
The IaaS layer allows users to access storage, bandwidth, networks and physical resources. The
PaaS layer is built on the IaaS layer and allows end users to access databases and operating
systems. The last layer, SaaS, is built on the PaaS layer and allows end users to access
software applications.
In the cloud computing environment, safety and reliability are the important concerns. Users
pay only for what they use of the cloud computing services. Cloud services are distributed in
nature, so they can be shared by billions of users, and because of this nature they face
numerous security issues. In today's world, Distributed Denial of Service attacks pose the
largest threat to internet users and cloud computing services. Such an attack targets the cloud
computing services and degrades their capacity.
Many attacks are possible in cloud computing (Impact Evaluation of DDoS Attacks on DNS Cache
Server Using Queuing Model, 2013): browser-level attacks, application-level attacks, server-level
attacks, network-level attacks and DDoS attacks. Various DDoS attacks disrupt the cloud
environment, among them the Smurf attack, Ping of Death attack, IP spoofing attack, buffer
overflow attack, Land attack, SYN flood attack and Teardrop attack.
All these DDoS attacks on the cloud environment can be of either external or internal origin.
In the IP spoofing attack, the packets transmitted between the cloud server and the end user are
intercepted and their headers are modified: the source field of the IP packet is changed to
either an unreachable IP address or a legitimate IP address. The server is then unable to
complete the transaction with the unreachable IP address, which in turn consumes server
resources. In the SYN flood attack, a large number of SYN requests are sent to the server from
the attacker's computer or from a compromised system in the network. The server sends back a
SYN-ACK and waits for the ACK message from the client. The attacker never sends the ACK and
keeps sending SYN requests. Because of this, the server can no longer accept legitimate SYN
requests and goes down. This is known as a 'SYN flood attack'. In the Smurf attack, a large
number of spoofed ICMP echo requests are sent: the source IP is replaced by the target's IP
address and the destination IP address is replaced by a broadcast IP address, so the target
system is flooded with the replies from the broadcast address. This attack is difficult to
prevent. In a buffer overflow attack, to take advantage of a buffer overflow vulnerability, the
attacker sends executable code to the target system and thereby gains control of it. In the
Ping of Death attack, the attacker sends oversized IP packets to the target system, which is
affected when handling them; the cloud system and its resources suffer as a result. The Land
attack uses the 'Land.c' program to send forged TCP SYN packets whose source and destination
fields carry the same IP address (the target's). The target system crashes when it receives
this request. The 'Teardrop.c' program is used for the Teardrop attack. It sends invalid,
overlapping offset values in the TCP packet headers, so the target system within the cloud
crashes during the re-assembly process.
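The Land, Smurf, Teardrop and Ping of Death packets described above each leave a recognisable signature on the wire, and a defender can classify them from header fields alone. The following is an added example for this page, not the report's own code; the subnet, the dict-based packet records and the sample values are constructed.

```python
# Added example (not from the original report): classify constructed packet
# records against the single-packet signatures named in the text. Real
# captures would first be parsed into these fields.
import ipaddress

LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")     # assumed protected cloud subnet

def is_broadcast(dst):
    """Smurf echo requests go to a broadcast address: limited or the subnet's directed one."""
    return dst == "255.255.255.255" or ipaddress.ip_address(dst) == LOCAL_NET.broadcast_address

def has_overlapping_fragments(frags):
    """frags: list of (offset_bytes, length_bytes) for one datagram. True if any
    fragment starts before the previous one ends, the Teardrop condition."""
    end = -1
    for off, length in sorted(frags):
        if off < end:
            return True
        end = off + length
    return False

def classify(pkt):
    """Return the list of attack signatures one packet record matches (empty if clean)."""
    hits = []
    # Land: forged TCP SYN whose source and destination are the same (target) address
    if pkt["proto"] == "tcp" and pkt.get("flags") == "S" and pkt["src"] == pkt["dst"]:
        hits.append("land")
    # Smurf: ICMP echo request (type 8) aimed at a broadcast address
    if pkt["proto"] == "icmp" and pkt.get("type") == 8 and is_broadcast(pkt["dst"]):
        hits.append("smurf")
    # Teardrop: fragments whose offsets overlap an earlier fragment
    frags = pkt.get("fragments")
    if frags and has_overlapping_fragments(frags):
        hits.append("teardrop")
    # Ping of Death: reassembled datagram larger than the 65535-byte IP maximum
    if pkt["proto"] == "icmp" and pkt.get("total_len", 0) > 65535:
        hits.append("ping_of_death")
    return hits

# Constructed sample records
SAMPLES = [
    {"proto": "tcp", "flags": "S", "src": "10.0.0.80", "dst": "10.0.0.80"},           # land
    {"proto": "icmp", "type": 8, "src": "10.0.0.80", "dst": "10.0.0.255"},             # smurf
    {"proto": "udp", "src": "203.0.113.9", "dst": "10.0.0.80",
     "fragments": [(0, 1480), (1000, 1480)]},                                          # teardrop
    {"proto": "icmp", "type": 8, "src": "203.0.113.9", "dst": "10.0.0.80",
     "total_len": 65600},                                                              # ping of death
    {"proto": "tcp", "flags": "S", "src": "198.51.100.7", "dst": "10.0.0.80"},         # clean SYN
]

def scan(records):
    """Return {record_index: signatures} for every record that matched at least one signature."""
    result = {}
    for i, pkt in enumerate(records):
        hits = classify(pkt)
        if hits:
            result[i] = hits
    return result

if __name__ == "__main__":
    print(scan(SAMPLES))
```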
2.4 Counter measures for DDoS attack
DDoS stands for Distributed Denial of Service. Nowadays this attack is one of the major threats
on the internet. It affects online retailers and the functioning of online businesses. Once such
an attack hits a website it spreads easily, and it leads to the loss of important files in the
network. It mostly targets heavily used and well-known websites. To prevent this, strong
antivirus software needs to be used on the systems, and the security of the website needs to be
upgraded continually. Preventive measures must be taken to protect the website from the DDoS
attack (SearchSecurity, 2018). The first preventive measure is to use an Intrusion Prevention
System (IPS) with DDoS detection capability. Another method of protecting the network from the
DDoS attack is to partner with the ISP (Internet Service Provider), which provides clean, full
bandwidth to the network. ISPs are able to protect their customers from malicious attacks: they
detect and filter the DDoS packets in the network, and the DDoS attack is therefore reduced.
DDoS attacks are based on vulnerabilities in the protocols of the TCP/IP model. The main goal
of DDoS prevention is to protect the network from damage. Many schemes are available for this.
They are deployed in the routers of the network, where they filter out the unwanted (malicious)
packets and forward only legitimate, wanted information into the network. Four types of
filtering are used: ingress and egress filtering, hop-count packet filtering, router-based
packet filtering, and the Source Address Validity Enforcement (SAVE) protocol.
The ingress filter filters packets by IP address: it checks the source address of the traffic,
which should lie within the range of the actual IP addresses. The ingress filter is applied to
the traffic entering the local network, and the egress filter to the traffic leaving the network.
The second filter is the router-based packet filter. This method uses the routing information
held by the router (Us.norton.com, 2018): based on the source and destination addresses, the
valid packets entering the network are identified, and incoming packets that do not match the
expected source/destination routes are filtered out. This helps to prevent DDoS attacks from
hackers. The third filter is Hop Count Filtering (HCF). The hop count is defined as the
difference between the initial and the observed value of the TTL. TTL stands for Time To Live
and indicates the lifetime of the packet. In HCF the TTL value needs to be consistent across the
network: if the observed TTL value differs from what the initial TTL value implies, this confirms
that the packet has been tampered with. The TTL value yields the hop count, and the router
compares it with its hop-count table to filter the attack packets and protect the network.
The fourth is the Source Address Validity Enforcement (SAVE) protocol, which allows only packets
from correct source addresses. The intermediate routers in the network hold a table of the valid
incoming source addresses for the network. Any packet entering the network must cross such a
router before it reaches its destination. On entry, the router checks the address of the incoming
packet; if the address is not valid (i.e. the incoming packet's address is not present in the
router's table), the router does not allow the packet into the network. All of this is done by
the SAVE protocol.
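Ingress/egress filtering and Hop Count Filtering can be expressed as a small border-filter pipeline. This is an added example for this page, not code from the report; the protected prefix, the bogon list, the learned hop-count table and the packet records are all assumed values, and the initial-TTL inference uses the common operating-system defaults (32, 64, 128, 255).

```python
# Added example (not the report's code): ingress/egress filtering and Hop
# Count Filtering (HCF) applied to constructed packet records.
import ipaddress

LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")      # assumed: the protected network
BOGONS = [ipaddress.ip_network(n)                    # assumed: prefixes never valid on the wire
          for n in ("0.0.0.0/8", "127.0.0.0/8", "192.168.0.0/16")]

# Common initial TTL values set by operating systems. The sender's initial
# value is inferred as the smallest of these that is >= the observed TTL.
INITIAL_TTLS = (32, 64, 128, 255)

def ingress_ok(pkt):
    """Ingress filter: a packet arriving from outside must not claim a source
    inside the local network or inside a non-routable (bogon) prefix."""
    src = ipaddress.ip_address(pkt["src"])
    return src not in LOCAL_NET and not any(src in b for b in BOGONS)

def egress_ok(pkt):
    """Egress filter: a packet leaving must carry a local source address, so the
    site cannot be used to send spoofed traffic outward."""
    return ipaddress.ip_address(pkt["src"]) in LOCAL_NET

def hop_count(observed_ttl):
    """HCF: hop count = inferred initial TTL - observed TTL."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise ValueError("TTL out of range")

def hcf_ok(pkt, table, tolerance=1):
    """Compare the packet's hop count with the value learned for its source during
    normal operation. Sources not in the table pass, since HCF cannot judge them."""
    expected = table.get(pkt["src"])
    if expected is None:
        return True
    return abs(hop_count(pkt["ttl"]) - expected) <= tolerance

# Constructed hop-count table, as learned from legitimate traffic
HOP_TABLE = {"203.0.113.9": 12, "198.51.100.7": 20}

# Constructed inbound packets
INBOUND = [
    {"src": "203.0.113.9", "dst": "10.0.0.80", "ttl": 52},    # 64-52 = 12 hops, matches table
    {"src": "203.0.113.9", "dst": "10.0.0.80", "ttl": 118},   # 128-118 = 10 hops, spoofed source
    {"src": "10.0.0.5", "dst": "10.0.0.80", "ttl": 64},       # outsider claiming an inside address
    {"src": "198.51.100.7", "dst": "10.0.0.80", "ttl": 235},  # 255-235 = 20 hops, matches table
]

def filter_inbound(packets, table):
    """Return (accepted_sources, dropped) where each dropped entry names the failing check."""
    accepted, dropped = [], []
    for p in packets:
        if not ingress_ok(p):
            dropped.append((p["src"], "ingress"))
        elif not hcf_ok(p, table):
            dropped.append((p["src"], "hcf"))
        else:
            accepted.append(p["src"])
    return accepted, dropped

if __name__ == "__main__":
    print(filter_inbound(INBOUND, HOP_TABLE))
```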
Preventive measures against DDoS attacks include detecting the attack in the network, which
requires monitoring and investigation of the systems on the network. Detection is of two types:
high-rate DDoS detection and low-rate DDoS detection. High-rate DDoS attacks stop the services
to the users in the network. Low-rate DDoS attacks cause packet loss through bursts of traffic;
their effect is low compared to the high-rate DDoS attack. High-rate DDoS attacks are detected
with high-rate DoS detection techniques, which are further divided into two types: signature-based
detection and anomaly-based detection (Anon, 2018). Signature-based detection involves finding
the unique patterns of DoS attacks, which differ entirely from the normal pattern. Having
distinguished these patterns, the unique patterns are stored in a database and used to find the
malicious activities occurring in the network. The second type is anomaly-based detection, which
is further classified into two main parts: identifying the effective parameters and creating
similarity measures. Here the parameters include the IP packet length, rate, etc. The second
part of anomaly-based detection is the calculation of similarity between the predefined traffic
profile and the new traffic in the network. These are