
Distributed denial-of-service attack (DDoS)

Around the world, hundreds of millions of computing devices are connected to form a new virtual world, the Internet. The world of the Internet relies on the interconnectivity between computing devices; this interconnectivity is on the one hand a blessing, but on the other hand a hot target for malicious users who attempt to exhaust resources and launch attacks against them.

In a DoS attack, a malicious attempt takes place to prevent legitimate users from accessing information and services from the victim sites or nodes. DoS attacks originate from a single host on the network. On the other hand, it is also feasible that many malicious hosts organize in such a way that the attack takes place simultaneously from multiple points. This type of attack is called a Distributed DoS, or DDoS, attack.

A Short History of DDoS


According to a number of experts, the denial-of-service attack has been around for decades, whereas Distributed DoS attacks first appeared in late June and early July of 1999. The first well-documented DDoS attack appears to have occurred in August 1999, when a DDoS tool called Trinoo was deployed on at least 227 systems, of which at least 114 were on Internet2, to flood a single University of Minnesota computer; this system was knocked off the air for more than two days. The first well-publicized DDoS attack in the public press was in February 2000. On February 7, Yahoo! was the victim of a DDoS during which its Internet portal was inaccessible for three hours. On February 8, Amazon, Buy.com, CNN, and eBay were all hit by DDoS attacks that caused them either to stop functioning completely or to slow down significantly. Analysts estimated that during the three hours Yahoo was down, it suffered a loss of e-commerce and advertising revenue that amounted to about $500,000. According to the book seller Amazon.com, its widely publicized attack resulted in a loss of $600,000 during the 10 hours it was down. During the DDoS attacks, Buy.com went from 100% availability to 9.4%, while CNN.com's users went down to below 5% of normal volume. The downtime loss was huge [1].

How a Distributed denial-of-service attack (DDoS) works.


A computer under the command of malicious users is known as a zombie or bot. A group of co-opted computers is known as a botnet or a zombie army. In a typical DDoS attack, malicious users establish an attack by taking advantage of a weakness in one computer system on the network and making it the DDoS master. It is from the master system that the zombie identifies and communicates with other systems that can be compromised. The zombie loads cracking tools available on the Internet onto multiple, sometimes thousands of, compromised systems. With a single command, the zombie instructs the controlled machines to launch attacks against a specified target to cause a denial of service. In October 2010, a massive DDoS attack took the entire country of Myanmar offline [2]. On February 15th, 2012, stock exchange operators Nasdaq and BATS were reported to have had their Web sites attacked for over 24 hours on Tuesday, blocking access to the sites although trading was not affected. Security watchers noted that such denial-of-service (DoS) attacks are "impossible" to prevent, though [3]. Facebook, Twitter, Yahoo, Buy.com, the RIAA and the United States Copyright Office are among the victims of DDoS attacks. The largest DDoS attacks have now grown to the 40 gigabit barrier this year and may reach 100 gigabits soon. So if someone threatens to bring down a cloud system with a DDoS attack, the cloud may become worrisome. Preventing zombies from attacking the cloud infrastructure is the only realistic thing that staff, management and planners can plan for.

Distributed denial-of-service attack (DDoS) and Cloud.


Cloud computing is a combination of distributed systems, utility computing and grid computing. In cloud computing we use a combination of all three in a virtualized manner. Cloud computing converts desktop computing into service-based computing using server clusters and huge databases at the data center. As a rule of nature, with an increase in facilities, vulnerability increases as well. The same concept applies to cloud computing: it provides facilities to consumers, and in the same way it provides facilities to attackers too. There are more chances of attack in cloud computing. As cloud computing mainly provides three types of services, each layer has some soft corners which invite attackers. Some of these soft corners are:
(1) SaaS vulnerability: (a) Insecure Application Programming Interface (API); (b) Account or service hacking; (c) Attack on cloud firewall / attack on public firewall; (d) Attack on consumer browser; (e) Integrity, Confidentiality and Availability.
(2) PaaS vulnerability: (a) Insecure Application Programming Interface (API); (b) Unknown risk profile (Heartland Data Breach); (c) Integrity, Confidentiality and Availability.
(3) IaaS vulnerability: (a) Data leakage in Virtual Machines; (b) Shared technology issues; (c) Integrity, Confidentiality and Availability.
Among all these different vulnerabilities, Availability affects all three layers and is the most harmful.

Since cloud computing security follows the idea of cloud computing, there are two main areas that security experts look at in a cloud system: VM (Virtual Machine) vulnerabilities and message availability between cloud systems. An intrusion detection system (IDS) is a practical solution to resist these kinds of attacks. However, if an IDS is deployed in each cloud computing region without any cooperation or communication between them, the IDS may easily suffer from a single-point-of-failure attack. Obviously, the abilities of intrusion detection and response are then decreased significantly, and the cloud environment cannot support services continuously. Intrusion detection has become an extremely important feature of system defense. An intrusion detection system sets off alerts about detected intrusions so that a system administrator or the system itself may take appropriate action. In general, an IDS collects network traffic, analyzes it, and responds or alerts the network manager if an intrusion is taking place. Thus, the aim of the IDS is to alert or notify the system that some malicious activity has taken place and to try to eliminate it.

According to the method of collecting intrusion data, all intrusion detection systems can be classified into two types: host-based and network-based IDSs. Host-based intrusion detection systems (HIDSs) analyze audit data collected by an operating system about the actions performed by users and applications, while network-based intrusion detection systems (NIDSs) analyze data collected from network packets. IDSs analyze one or more events obtained from the collected data. According to the analysis technique, IDSs are classified into two different kinds: misuse detection and anomaly detection. Misuse detection systems use the signature patterns of existing well-known attacks to match and identify known intrusions. Misuse detection techniques, in general, are not effective against the latest attacks for which no matching rule or pattern exists yet. Anomaly detection systems identify those activities which deviate significantly from the established normal behaviors as anomalies. These anomalies are most likely regarded as intrusions. Anomaly detection techniques can be effective against unknown or the latest attacks. However, anomaly detection systems tend to generate more false alarms than misuse detection systems, because an anomaly may be a new normal behavior or an ordinary activity.

When an IDS detects an intrusion attempt, it should report to the system administrator. There are three ways to report the detection results [3]: notification, manual response, and automatic response. In a notification response system, the IDS only generates reports and alerts. In a manual response system, the IDS provides additional capability for the system administrator to initiate a manual response. In an automatic response system, the IDS immediately responds to an intrusion through its auto-response mechanism.
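The misuse/anomaly split and the three response modes described above, as an added example in Python (not code from the original page) run over constructed packet records; the signature rules, the baseline window, the threshold factor and the IP addresses are all assumptions:

```python
"""Added example: a minimal IDS combining misuse (signature) detection with
anomaly detection over constructed packet records, then applying the
notification / manual / automatic response modes."""
import statistics
from collections import Counter

# Constructed sample records (second, src_ip, tcp_flags, payload); not real traffic.
# Seconds 0-4 form a quiet baseline; second 5 carries a SYN burst from one host
# plus one request that matches a known signature.
PACKETS = (
    [(s, "10.0.0.%d" % (s + 2), "SA", "GET / HTTP/1.1")
     for s in range(5) for _ in range(3 + s % 2)]
    + [(5, "198.51.100.7", "S", "")] * 40
    + [(5, "10.0.0.9", "SA", "GET /?q=<script>alert(1)</script> HTTP/1.1")]
)

# Misuse detection: literal signatures of known attack patterns (hypothetical rules).
SIGNATURES = {
    "xss-probe": lambda p: "<script>" in p[3].lower(),
    "syn-only": lambda p: p[2] == "S",
}

def misuse_detect(packets, signatures=SIGNATURES):
    """Return sorted (signature_name, src_ip) pairs for packets matching a rule."""
    hits = {(name, p[1]) for p in packets
            for name, rule in signatures.items() if rule(p)}
    return sorted(hits)

def anomaly_detect(packets, baseline_seconds=5, k=3.0):
    """Flag seconds whose packet count exceeds mean + k*stdev of the baseline.
    Catches unknown attacks, but a legitimate burst trips it too (false alarms)."""
    per_second = Counter(p[0] for p in packets)
    baseline = [per_second.get(s, 0) for s in range(baseline_seconds)]
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    flagged = []
    for sec, count in sorted(per_second.items()):
        if sec >= baseline_seconds and count > threshold:
            top_src = Counter(p[1] for p in packets if p[0] == sec).most_common(1)[0][0]
            flagged.append((sec, count, top_src))
    return flagged

def respond(sources, mode):
    """Map a reporting mode to the action taken for each offending source."""
    actions = {"notification": "alert-only", "manual": "queued-for-admin",
               "automatic": "block"}
    if mode not in actions:
        raise ValueError("unknown response mode: %s" % mode)
    return [(actions[mode], ip) for ip in sources]
```

The SYN burst is caught twice, once by the literal "syn-only" signature and once by the rate anomaly, while the script-probe request is caught only by its signature, which is the complementary coverage the text describes.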

References
[1] Gary C. Kessler, Defenses against distributed denial of service attacks, http://www.garykessler.net/library/ddos.html, November 2000.
[2] http://searchsecurity.techtarget.com/definition/distributed-denial-of-service-attack (last updated November 2010).
[3] Liau Yun Qing, ZDNet Asia, February 15th, 2012.
