SPECIAL TOPIC SEMINAR REPORT
“Comparative study on different tools and approaches for AL-DDoS attack”
Submitted in partial fulfillment of the requirements
for the degree of
Master of Engineering
Under the guidance of
Prof. Umesh Kulkarni
Department of Computer Engineering
VIDYALANKAR INSTITUTE OF TECHNOLOGY
This is to certify that Ms.Bharati Premji Bargot has satisfactorily carried out the special topic seminar entitled “Comparative study on different tools and approaches for AL-DDoS attack “for the degree of Master of Engineering in Computer Engineering of University of Mumbai.
Prof. Umesh Kulkarni External Examiner
Since I have put in efforts to complete the special topic seminar. However, it would not have been possible without the kind support and help of many individuals and our college. I would like to extend our sincere thanks to all of them.
I would like to sincerely thank Prof. Umesh Kulkarni for their guidance and constant supervision for providing necessary information regarding the project & also for their support in carrying out this special topic work.
I would like to express my gratitude towards my parents & members of Vidyalankar Institute of Technology for their kind co-operation and encouragement which helped us in the completion of the special topic seminar.
I would also like to thank and appreciate my colleagues who have rendered their help in developing the project and people who have willingly helped us out with their abilities.
With the vast resources and techniques rapidly available to attackers, application layer distributed denial of service attack(AL-DDoS)have become more challenging to detect and being harder one to mitigate.This challenge arises due to the increasing number and complexity of web applications along with the large network bandwidths of the systems hosting these applications where the attack continuously degrades the resources from the web or application server.
The Application layer DDoS attack is an enlightened DDoS attack that secretively depletes the available resources on target server. They may target specific areas of web application, making it even more difficult to detect from normal traffic. The nature of application layer DDoS attack is a legitimate connection.i.e. it’s not able to detected easily. The challenge with an application layer DDoS attack lies in the ability to distinguish human traffic from bot traffic.
This report presents comprehensive overview of AL-DDoS attack, types of AL-DDoS attack. Also the different mitigation techniques and tools available for AL-DDoS attack and their comparative analysis is made. Of course, there are many other aspects need to be studied to further improve the detection and mitigation mechanisms which require less bandwidth and few packets in order to achieve the same goal.
TABLE OF CONTENTS
Sr. No. Contents Page No.
2. Literature Review
3. What is AL-DDoS attack?
4. Types of AL-DDoS attack
5. AL-DDoS attack tool
6. Comparative study
7. Classification of AL-DDoS defense mechanism
LIST OF FIGURES
Sr. No. Name Page No.
1. AL-DDoS Attack 3
LIST OF TABLES
Sr. No. Name Page No.
1. Network layer DDoS vs Application layer DDoS
2. Comparison of AL-DDoS attack tool
In today’s digital era, Internet has become the most widely popular media of communication. There are various critical services like e-commerce, e-banking, social media are dependent on the internet so lack of internet may lead to financial, legal and social intimation. Distributed Denial of service (DDoS) attack are the most serious attack that hinders the availability of internet. Their major aim is to consume bandwidth and server resources, preventing benign users from accessing them. Due to rapid development of computer networks, threats of distributed denial of service attacks have been increasing day by day and consequently become a serious threat.
Unlike traditional DDoS attacks, AL-DDos attacks exploits vulnerabilities at the application layer rather than at the network layer.AL-DDoS attacks send small packets of permissible content via normal successful TCP connections; no spoofed IP address with standard services such as HTTP and HTTPS. Thus, the DDoS defensive method falsely regard AL-DDoS attacks as normal connections. Moreover AL-DDoS attacks happens when large number of normal users simultaneously send massive amount of requests to one web server. Hence it is difficult to differentiate AL-DDoS attacks from legitimate normal traffic.
2) Literature Review
There are several DDoS defense methods that utilize application-layer information. Ranjan et al. 4 analyzed time-related characteristics of HTTP sessions, such as session inter-arrival time, request inter-arrival time, and session arrival time. Yatagai et al. 5 presented a method that analyzes the correlation between browsing time and page information size. However, time-related features are insufficient to detect AL-DDoS attacks because attackers can easily control packet-sending rates by utilizing a large-scale botnet 6. On the other hand, Kandula et al. 7 developed a system that protects a web server from DDoS attacks by implementing a probabilistic authentication method using CAPTCHAs, but the task of requiring users to solve graphic puzzles causes additional service delays. As a result, the graphic puzzles cause annoying legitimate users as well as act as another DDoS attack point. For the detection of App-DDoS attacks, Xie et al. 8 used a hidden semi-Markov model (HsMM) to describe the normal browsing behavior of web users. The HsMM uses the sequence order of web page requests to profile normal web browsing behavior. To detect AL-DDoS attacks, they defined a normality threshold and compared it with the model’s output values of incoming users. However, the sequence-order-based method can be complex and may cause many false alarms. The sequence order might vary significantly for different individuals and for different browsing behaviors. For example, web users can directly type URLs to request resources or utilize external web links. Furthermore, they can browse the resources of the web server with multiple browsers, possibly causing changes in the relative sequential positions.
Yadav and Selvakumar (2015)9 proposed a logistic regression-based detection technique to classify legitimate and anomalous users. A total number of 17 different traffic features (nine constructed features and eight extracted features) are utilised to construct a model that is used in the detection process. This technique detects three types of AL-DDoS attacks: request flooding, session flooding and asymmetric flooding.
3) What is AL-DDoS attack?
When attacker send large number of queries to database from victim computer or try to download large number of images and send huge number of request for web pages to make the server down7 it is called AL-DDoS attack.
Figure 1 AL-DDoS attack
Figure 1 shows an example of an AL-DDoS attack. The attacker first make use of a popular web server, the worm distribution server to put malicious codes. It results web users to download malicious codes and make their hosts become infected. When the attacker starts an attack through the command server, an immoderate number of infected hosts make requests for web pages from the victim; as it turns into, the victim’s resources are finally depleted.
AL-DDoS attacks are dependent on target of resource are classified into two types: Bandwidth consumption and server resources consumption. In bandwidth consumption, attacker sends large number of fake HTTP request to the server to download large file as a result full bandwidth is consumed by this traffic and the victim server fails to serve the services to benign users. Contrarily in resource consumption server resources such as memory, server queues are used by sending fake HTTP requests and this results into the server fails to provide services.
Due to computational severity on the internet applications, greater network bandwidth, server resources have become the gridlock. These types of attacks may causes to the server failure within a
less number of zombies used. DDoS attack is an attempt to make an online services unavailable due to massive traffic from multiple sources. The major aim is to consume maximum server and network resources so that authorized users are denied from accessing the services.
TABLE I Network Layer DDoS VS Application Layer DDoS Attack
Characteristics Application Layer DDoS Network Layer DDoS
Definition Such attack occurs when the large amount of data requests overloads server and eat up all of its available resources. Such attack occurs when the amount of data packets and other traffic overloads a network or server and eat up all of its available resources.
Target HTTP server and server resources Web Traffic(HTTP) and CBR(UDP)
Request Rate High Less
Common Examples HTTP GET/POST Flooding CBR Flooding
IP Spoofing No Yes
Similarity with authorized Traffic is very similar to that of authorized users. Traffic rate is different as compare to authorized users.
4) Classification of AL-DDoS attack
Depending upon the attack resource expenditure and attack strategy various AL-DDoS attack divides into two types namely1) Flooding attack and 2) Asymmetric attack
Flooding attack includes
5) AL-DDoS Tool
Just as the network security and hacking world is round of the clock, so many of the DDoS attack tools are used to carry out Distributed Denial of service attacks. There are many attacking tools available for free that can be used to flood a server and perform an attack.
Some of the popular AL-DDoS attack tools are explained below.
1. Low Orbit Ion Cannon (LOIC)
The Low Orbit Ion Cannon (LOIC) tool is known for being a very user friendly and accessible tool which puts the ability to launch DDoS attacks by the user with very little technical knowledge. It has simple point and click interface.
2. High Orbit Ion Cannon (HOIC)
The High Orbit Ion Cannon (HOIC) tool is a simple and friendly user interface which aims to flood a victim’s network with web traffic and disrupts the web services.
3. R-U-Dead-Yet (RUDY)
The R-U-D-Y is an attack tool that aims to keep web server slow down by submitting form data at an extremely slow steps.This tool provides user friendly environment which uses only URL of targeted system.
Slowloris is a denial-of-service attack program which allows an attacker to overrun a victim’s server by opening and maintaining many simultaneous HTTP connections between the attacker and the victim.
DDOSIM is a popular DDoS attacking tools used to perform DDoS attacks by simulating several zombie hosts. All zombie host connects full TCP connections to the target server. It is specially designed for layer 7 attack.
6. Hulk Web Server
HULK (Http Unbearable Load King) is a popular AL-DDoS attack tool designed to generate volumes of unique and obscured traffic at a web server. This puts a heavy load on a HTTP server in order to bring them to their knees by consuming the resources.
GoldenEye is a simple tool developed in python that can launch the http flood attack .It is developed for testing DoS attack but people also use it as a hacking tool.
8. OWSAP HTTP DoS POST
OWSAP is a simple graphical user interface has the slow HTTP POST attack request are sent to victim’s server and maintain SSL half connection with the victim. It has the ability to deplete the resources of the victim’s server 1.
TABLE-II shows unique features of several attacking tools which makes attack difficult to detect for attack handling tools.
6) Comparative Study
All the popular attack tools are compared on the basis of identified key features as shown in table-II. The key feature includes impact ,of attack which cause degradation either at resource or bandwidth level, scope of the attack tool, the type of attack launched, operating system supported, number of zombies involved, makes botnet or not IP spoofing carried or not, implemented in which language, and interface type.
TABLE-II : Comparison of AL-DDoS attack tool
SN. Year Name Target impact Scope Type of attack Traffic OS supported
1 2008 LOIC Resource DoS,DDoS TCP,UDP, ICMP,HTTP LINUX,WINDOWS, ANDROID,MAC OS
2 2009 DDOSIM Resource DDoS TCP,UDP, SMTP, HTTP LINUX
3 2010 OWASP HTTP DOS POST Resource DOS HTTP WINDOWS
4 2011 R-U-D-Y Resource DoS,DDoS HTTP LINUX
5 2012 HOIC Resource DDoS HTTP WINDOWS
6 2012 HULK Resource DoS,DDoS HTTP LINUX,WINDOWS
7 2012 GOLDENEYE Resource DOS HTTP LINUX,WINDOWS,MAC OS
SN. Name No .of zombies Whether makes botnet(Y/N) Ip Spoofing(Y/N) Encrypted(Y/N) Implemented language Interface Type
1 LOIC Multiple Y N N C# GUI
2 DDOSIM Multiple Y N N C++ CLI
3 OWASP HTTP DOS POST Single N N N PYTHON GUI
4 R-U-D-Y Single N Y N PYTHON CLI
5 HOIC Multiple Y N N BASIC GUI
6 HULK Single N N N PYTHON CLI
7 GOLDENEYE Single N N N PYTHON CLI
A wide variety of AL-DDoS attack tools are available on the internet. Most of them are very sturdy and noxious. Out of these attack tools HOIC, LOIC, Hulk ,R-U-Dead Yet can produce legitimate looking HTTP traffic. The parameters required to launch an attack differ with the type of attack tool used. The year-wise comparison shows the extreme change in the technology wise features of attack tools over the former time.
7) Classification of application layer DDoS defense mechanisms
The serious threat of AL-DDoS attack and tremendous growth of it leads to advent of numerous AL-DDoS mechanisms. Some of these mechanisms mark a specific kind of AL-DDoS attack such as attacks on web servers or authentication servers. Most of the proposed approaches require certain features to achieve their peak execution and will perform diversely if deployed in an environment where these requirements are not met
We need to understand not only each existing AL-DDoS defense approach but also how those approaches might be combined together to effectively and completely solve the problem. The proposed classification may help us to reach this goal.
I. Preventive Mechanisms
Main aim of preventive mechanisms is either to eliminate the possibility of DDoS attacks altogether or to enable potential victims to suffer through attack without denying services to legitimate clients.
• Attack Prevention Mechanisms
Attack Prevention mechanisms modify the system configuration to eliminate the possibility of a AL-DDoS attack.
• System Security Mechanisms
Increase the overall security of the system guarding against unauthorized accesses to the machine, removing application bugs and updating protocol installations to prevent intrusions and misuse of the system.
• Protocol Security Mechanisms
Protocol security mechanisms marks the problem of bad protocol design. Many protocols contain operations that are cheap for the client but expensive for the server. Such a protocols can be misused to exhaust the resources of a server by initiating the large numbers of simultaneous requests.
II. Reactive Mechanisms
Main aim is to reduce the impact of an attack on the victim server. To attain this aim they need to detect the attack and reply to it. The goal of attack detection is to detect every tried AL-DDoS attack as early as possible and to have a low degree of false positives.
• Mechanisms with anomaly attack detection
Anomaly based detection approach, modeled according to normal user behavior and therefore are able to detect behavior based denial of service attacks.The current state of the system is periodically compared with the models to detect anomalies.
• Filtering Mechanisms
Filtering Mechanisms use the classification provided by a detection mechanism to sort out the attack stream completely.
• Mechanisms with characteristics of user behavior
Characteristics of the dynamism of the user behavior are employed. In this
Application layer distributed denial of service attack(AL-DDoS) becomes a serious threat for the internet based web services that are not available to authorized users and give rise to huge financial losses to the banking,communication,medical and research applications. A number of surveys of AL-DDoS attack tools have been proposed till date but all of them lack in one dimension or the other. The existing method fails to provide the technical details of these tools and their usage.In this paper we have broadly surveyed the popular AL-DDoS attack tools used by the attackers to launch range of attacks.
1 OWASP, Open Web Application Security Project, 2014. (https://www.owasp.org/)
2 Packet Storm, DDoS Attack Tools, 2015. (http:// packetstormsecurity.org)
3 Silvia Bravo, David Mauricio: DDoS attack detection mechanism in the application layer using user features. IEEE/International conference on information and computer technologies 2018
4 Ranjan S, Swaminathan R, Uysal M, Nucci A, and Knightly E: DDoSshield: DDoS-resilient scheduling to counter application layer attacks. IEEE/ACM Trans Netw 2009, 17(1):26- 39(2009)
5 Yatagai T, Isohara T, Sasase I: Detection of HTTP-GET flood attack based on analysis of page access behavior. Proceedings IEEE Pacific RIM Conference on Communications, Computers, and Signal Processing 2007, 232-235. art. no. 4313218
6 Shevtekar A, Ansari N: Is it congestion or a DDoS attack? IEEE Commun Lett 2009, 13(7):546-548.
7 Kandula S, Katabi D, Jacob M, Berger AW: Botz-4-Sale: surviving organized DDoS attacks that mimic flash crowds. NSDI’05
8 Xie Y, Yu S-Z: A large-scale hidden semi-Markov model for anomaly detection on user browsing behaviors. IEEE/ACM Trans Netw 2009, 17(1):54-65.
9 Yadav, S. and Selvakumar, S. (2015) ‘Detection of application layer DDoS attack by modeling user behavior using logistic regression’, Proceedings of the fourth International Conference on Reliability, Infocom Technologies and Optimization, Noida, India, pp.1–6.
10 Ye, Chengxu, Kesong Zheng, and Chuyu She. “Application layer DDoS detection using clustering analysis.” Computer Science and Network Technology (ICCSNT), 2012 2nd International Conference on. IEEE, 2012.
11 Xie, Y.; Yu, S., “Monitoring the Application-Layer DDoS Attacks for Popular Websites”, in Proc. Networking, IEEE/ACM Transactions on, Vol: 17, Issue: 1, pp. 15 – 25, Publication Year: 2009.
12 Mahadev, Vinod kumar, Krishna Kumar, “Classification of DDoS attack tools and its handling techniques and strategy at application layer”, IEEE:2016