This project studies the characteristics of Distributed Denial of Service (DDoS) attacks, examining their features and impact on critical resources. Through simulation and analysis using the ns-3 network simulator, we evaluated various defense techniques against DDoS attacks. The main goal is to identify the most effective method against DDoS attacks and ensure bandwidth to legitimate users.
A Denial of Service (DoS) is any activity that results in a service being unavailable to legitimate users or causes delays in system operations and functions [1]. A Distributed Denial of Service (DDoS) attack works by overwhelming the target with a high volume of traffic from multiple sources. DDoS attacks target vital resources such as banks and news websites. A week-long DDoS attack can be purchased on the black market for only $150. As a result, over 2000 DDoS attacks occur globally every day, and they are responsible for one third of all downtime in the world [2]. One famous example of a DDoS attack occurred in February 2000, when a high school student launched attacks on major websites such as Amazon, eBay and Yahoo [3].
Our motivation for choosing this topic was to study the characteristics and elements of DDoS attacks and the various defence techniques against them. Using the knowledge acquired from the course and from online research, we simulate a DDoS attack and its defences in the ns-3 network simulator and then analyze the performance. Our main goal is to compare defence techniques against DDoS, determine the best defence method, and find the defence that guarantees bandwidth to legitimate users. A related work that we referenced for the DDoS attack is by Saket Upadhyay, who coded a DDoS attack simulation in ns-3 that visually represents the concept of a DDoS attack and serves as the framework for our project. Their work comprises nodes for legitimate users, bots, a web server and a data server. The bots send packets to the web server that eventually reach the data server, causing the legitimate users to lose access to the data server [4]. We modified this code to implement defence techniques and visually represent each method.
Compared to a DoS, a DDoS is more effective for bandwidth flooding attacks because there are multiple attacking sources. If a single attacker performs a bandwidth flooding attack, an upstream router can easily detect and block them. Additionally, the server's access rate can be too large for a single attacker to generate enough traffic to cause harm. With multiple attackers, a DDoS generates larger access rates and is harder to detect and defend against [5].
DDoS attacks can target different parts of a network. They can be broadly categorized as volumetric attacks, protocol attacks and application layer attacks [6].
Protocol attacks exploit vulnerabilities in the protocols used for data transfer. One example of this type is the SYN (synchronize) flood attack, in which an attacker sends a large number of connection requests with fake source IP addresses, exhausting the server's connection resources [6].
Volumetric attacks are a type of DDoS attack that overwhelm the target with false data requests and exhaust network bandwidth and processing capability, usually using botnets [6]. DNS (Domain Name System) attacks are an example of this type: the attacker sends so many DNS query requests that the majority of legitimate queries never get answered. The largest internet attack of 2002 was an example of a volumetric DDoS attack, hitting seven of the thirteen servers at the root of the internet's DNS hierarchy. The attacker used botnets to send large numbers of ICMP ping messages to the DNS root IP addresses. Fortunately, the attack did not affect users because packet filters were configured to block the ICMP ping packets [7]. This shows the importance of the defense techniques we are analysing.
Another type of DDoS attack is the application layer attack. An example is the HTTP flood attack, specifically Slowloris. This attack resembles a person continuously refreshing a web browser on multiple computers, which eventually overwhelms the server and causes a DoS. The Slowloris attack works by sending HTTP requests to a server but never completing them; the attacker slowly adds more incomplete requests. This causes the web server to keep connections open for these fake HTTP requests, preventing any new connections. A real-life example of a Slowloris attack hit banks in Russia in 2018, where a group of hackers known as 'MoneyTaker' launched the attack, leaving the website inaccessible [8].
There are four elements of a DDoS attack. There is a real attacker, who studies the target's vulnerabilities and where to attack. Then they send an "execute" command to the control master program. When the control master program receives the "execute" command, it tells the attack daemon agents to start the attack. Usually these attack daemon agents are the members of a botnet. Because the real attacker is not directly involved during the attack, it is hard to know the true source of the attack [9]. These elements are how we model our DDoS attack simulation.
There are four main defence techniques against DDoS that we focused on: rate limiting, authentication, blackhole routing and firewalls [6]. The first defence technique is rate limiting, which limits each IP address to a set number of requests per period of time. This method restricts the volume of network traffic and prevents the server from being overwhelmed. It is crucial to balance the limit: if it is set more strictly than necessary, it prevents legitimate users from accessing the service, and if it is set more loosely than necessary, it allows malicious traffic through. There are several types of rate limiting: IP-based rate limiting, geography-based rate limiting and server-based rate limiting. IP-based rate limiting sets the number of requests that can be made from a single IP address within a specified amount of time. The advantage of this method is that it is simple to implement and effective if an attack is coming from a single IP address. It fails if the attacker uses multiple or dynamic IP addresses, and it can also limit access for legitimate users who share an IP address.
The second method is server-based rate limiting. As the name suggests, it sets a limit on the number of requests to a server within a specified time. It can effectively prevent resources within the system from reaching full capacity and gives fair access to all users. This method fails if the attacker uses multiple servers to attack, and it can limit access for legitimate users if the limit is set below the necessary amount or the server is at maximum capacity. The last type is geography-based rate limiting, where requests from a specific region are limited. This is done to prevent attacks from locations where attacks occur frequently. This method is effective in general at preventing attacks and reducing the risk of resource overloading. It fails if the attacker uses proxy servers or VPNs, and it can also prevent legitimate users from accessing the service if they are in a limited region [10].
Turning to rate-limiting algorithms, there are three main ones: token bucket, leaky bucket and fixed window counter. The token bucket algorithm works as a bucket that fills up with tokens at a steady rate. Each request consumes a token, and a request is admitted only if there is a token in the bucket; the bucket keeps refilling at the same constant rate. The leaky bucket algorithm works as a bucket with a hole at the bottom. Requests are poured into the bucket and, as long as it is not overflowing, each request is admitted; once the bucket is overflowing, any further requests are dropped. The bucket leaks requests out at a constant rate. The fixed window counter algorithm keeps a count of the number of requests within a specified time window. If the number of requests exceeds the set threshold, any new requests are blocked until the next window [10].
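The three algorithms above, written as a small C++ example added here (this is not the report's ns-3 code or Radware's); the parameters (10 requests per second, burst capacity 10, 1 s window) and the constructed traffic are assumptions. Running the same bot burst through all three shows that the fixed window counter admits twice as many burst requests when the burst straddles a window boundary, while the two bucket algorithms hold the burst to the configured capacity.

```cpp
// Added example (not code from the report or from ns-3): the three rate-limiting
// algorithms described above, fed request timestamps in ms. Parameters are assumed.
#include <algorithm>
#include <cstdint>
#include <vector>
// Token bucket: tokens refill at `rate` per second up to `capacity`;
// a request is admitted only if a whole token is available.
struct TokenBucket {
    double capacity, rate, tokens; int64_t last_ms;
    TokenBucket(double cap, double r) : capacity(cap), rate(r), tokens(cap), last_ms(0) {}
    bool allow(int64_t now_ms) {
        tokens = std::min(capacity, tokens + (now_ms - last_ms) * rate / 1000.0);
        last_ms = now_ms;
        if (tokens < 1.0) return false;
        tokens -= 1.0; return true;
    }
};
// Leaky bucket: queued requests drain at `rate` per second; a request is
// dropped when adding it would overflow `capacity` (the bucket is full).
struct LeakyBucket {
    double capacity, rate, level; int64_t last_ms;
    LeakyBucket(double cap, double r) : capacity(cap), rate(r), level(0), last_ms(0) {}
    bool allow(int64_t now_ms) {
        level = std::max(0.0, level - (now_ms - last_ms) * rate / 1000.0);
        last_ms = now_ms;
        if (level + 1.0 > capacity) return false;
        level += 1.0; return true;
    }
};
// Fixed window counter: at most `limit` requests per `window_ms`; the count resets each window.
struct FixedWindow {
    int limit, count; int64_t window_ms, window_start;
    FixedWindow(int lim, int64_t w) : limit(lim), count(0), window_ms(w), window_start(0) {}
    bool allow(int64_t now_ms) {
        int64_t start = now_ms - now_ms % window_ms;
        if (start != window_start) { window_start = start; count = 0; }
        if (count >= limit) return false;
        ++count; return true;
    }
};
// Feeds one limiter a list of request times; returns how many were admitted.
template <class Limiter>
int admitted(Limiter lim, const std::vector<int64_t>& times_ms) {
    int ok = 0; for (int64_t t : times_ms) if (lim.allow(t)) ++ok;
    return ok;
}
// Constructed traffic: 30 bot requests 1 ms apart straddling the t=1000 ms window
// boundary (bot_burst), followed by 10 legitimate requests 200 ms apart.
std::vector<int64_t> bot_burst() {
    std::vector<int64_t> t; for (int i = 0; i < 30; ++i) t.push_back(990 + i); return t;
}
std::vector<int64_t> mixed_traffic() {
    std::vector<int64_t> t = bot_burst(); for (int i = 0; i < 10; ++i) t.push_back(2000 + 200 * i); return t;
}
```

With these parameters the token and leaky buckets each admit 10 of the 30 burst requests and all 10 legitimate ones, whereas the fixed window admits 20 of the burst (10 in each window) because the counter resets at t=1000 ms.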
The next defence technique is authentication. This protocol is able to distinguish between legitimate and bot traffic. For this method to work, a strong authentication protocol that can handle a large number of requests should be chosen, such as Open Authorization 2.0 (OAuth 2.0). The authentication protocol can be combined with rate limiting to control the rate of requests reaching the server. The most important part of a successfully working authentication scheme is ensuring that clients use unique and strong passwords; if this information is leaked, the authentication fails [11]. Further security measures can be implemented by using Multi-Factor Authentication (MFA). According to Microsoft, MFA can make you 99% less likely to get hacked [12].
Blackhole routing is a defense technique that drops incoming traffic destined for a specific IP address by directing all of that traffic to a null route. A widely used variant is Remote Triggered Black Hole (RTBH) routing, which drops the traffic at the network edge, protecting the network behind it [13]. A discard route is pre-configured on the edge devices, and the BGP policy configured on the edge routers sets the next hop for the victim address to the address of the discard route. A trigger router is added at the edge with iBGP peering relationships to the other edge devices. The trigger is controlled by an administrator, who sends iBGP routing updates to the edge devices; this causes the undesirable traffic to be forwarded to the null interface and dropped [14].
Blackhole routing is widely used because it is a quick way to discard packets. It is cheaper than other defense methods that require buying more bandwidth and other resources [16]. Not only is this a reason that smaller sites use blackhole routing, it is also effective for smaller sites within a larger network, because blackholing traffic at the smaller sites can shield the larger network from an attack [6]. Blackholing can also reduce network congestion and improve network performance, for example by saving CPU cycles. Implementing blackhole routing needs to come with proper filtering, because it otherwise makes the web server or application unavailable to legitimate users as well, effectively completing the attacker's goal. This is why blackhole routing is more effective when layered with other filtering techniques.
The last defence technique that we researched is the firewall. Two main features of firewalls are traffic filtering and limiting of connections. A firewall works by applying customizable policies to filter traffic sent to the server, and it can incorporate multiple methods of defence, as shown in the previous methods. A firewall provides application layer protection by inspecting traffic; the filter is defined by the local security policy on what can and cannot pass. The advantage of firewalls is that the firewall itself is immune to penetration, and since the filter is self-defined it can be very sophisticated. However, if there are logic holes in the wall, attackers can leverage this weakness to cause damage to the server, and the implemented firewall may then provide a false sense of security that is worse than no security. If the attack's volume is great enough, the firewall itself can become a bottleneck: in the case of a high-volume DDoS attack, the firewall may fail because it cannot handle this volume of fake requests [15]. With a simple structure following the elements of a DDoS attack, we attempt to simulate these defense techniques. However, our best efforts were only able to simulate rate limiting and authentication. Our results are shown in the following sections.
Please refer to the Final Report Document Link at top
We explored four defence techniques that the Canadian Centre for Cyber Security suggests against DDoS attacks. Each of these defence techniques has weaknesses and limitations.
In our implementation, we see that rate limiting guarantees user service. From the performance of the simulation we see that, while it did not completely negate the effects of the DDoS attack, it allowed the user to finish its transfer in less time than in the unprotected simulation. With rate limiting of 10 ms per request, the transfer finished 3 times faster than with the unprotected server, but also 3 times slower than in the base simulation without the attack.
In the authentication method, the network is able to distinguish between legitimate and bot traffic, so only the legitimate user's packets reach the data server. The limitation of this technique is that the protocol checks the authorization of all incoming traffic, so it cannot guarantee bandwidth for a legitimate user. A very sophisticated and robust authentication protocol would need to be combined with rate limiting to set a threshold on the amount of traffic going into the server. Furthermore, this method cannot protect against an HTTP flood (such as Slowloris), since it checks for authorization instead of removing ongoing fake requests. One experiment I did was to go to Outlook and refresh the page multiple times, and it resulted in an error 500 stating that the refresh limit was reached. This would be a simple but effective method to defend against a Slowloris attack. As described before, Slowloris works as if the page were being refreshed on multiple devices, so if a refresh limit is implemented, new requests could still be made to the server.
Simulating the base attack was straightforward, as nodes were easy to replicate and modify in ns-3. During the implementation of the simulation, integrating additional modules not originally part of ns-3 led to significant time being spent on debugging. Our limited coding skills and time management contributed to the outcome of the project; these factors would need to improve in order to carry out the other defence methods. In industry, techniques are combined and used together to mitigate each other's limitations and build a stronger fortress against DDoS attacks. This is where our project can scale: the next step for us would be to combine all these defence methods and test them through ns-3 simulations. We would also test these methods against different types of, and more sophisticated, DDoS attacks.
There are many future improvements that could be made. For a start, the DDoS simulation model, while it proved successful, may not be an accurate model of a real-life attack situation. This model can only show that a defense technique is working; when more variables are added, we cannot know whether the performance will be the same or whether different flaws will show. Scaling up the overall model would give a more holistic view of DDoS attacks and the defense techniques.
Given more time, we would like to revisit the firewall technique, as it was difficult in concept to apply but seemed to promise better results in terms of performance. The further we progressed in this project, the more we found that simplistic defense methods, while effective, do not react well to variation in the DDoS attack, so we may want to focus on a more complex defense method like the firewall and measure it against a variety of attacks.
The scope of our simulations was limited by our ability to use ns-3 and relied heavily on ns-3's pre-existing libraries and functions. We can conjecture that rate limiting provides a baseline of security against DDoS attacks, and that every defense technique we studied has advantages and drawbacks, since each has an advantage against specific DDoS attacks. A better technique would be an adaptable algorithm that incorporates all the techniques discussed above, and more, for individual cases; that would give us a technique that is the best of all worlds.
[1] Canadian Centre for Cyber Security, "Security considerations for critical infrastructure (ITSAP.10.100)," https://www.cyber.gc.ca/en/guidance/security-considerations-critical-infrastructure-itsap10100 (accessed Apr. 11, 2024).
[2] Digital Attack Map, https://www.digitalattackmap.com/understanding-ddos/ (accessed Apr. 11, 2024).
[3] FBI, "Mafiaboy pleads guilty," https://archives.fbi.gov/archives/news/pressrel/press-releases/mafiaboy-pleads-guilty (accessed Apr. 11, 2024).
[4] S. Upadhyay, "DDOS simulation in NS-3 [C++]," Medium, https://infosecwriteups.com/ddos-simulation-in-ns-3-c-12f031a7b38c (accessed Apr. 11, 2024).
[5] J. F. Kurose and K. W. Ross, Computer Networking: A Top-Down Approach, 8th ed. Boston: Pearson, 2021.
[6] Canadian Centre for Cyber Security, "Defending against distributed denial of service (DDoS) attacks (ITSM.80.110)," https://www.cyber.gc.ca/en/guidance/defending-against-distributed-denial-service-ddos-attacks-itsm80110 (accessed Apr. 11, 2024).
[7] Security Intelligence, "20 Years Ago in Cybersecurity: Massive DDoS Attack Hits the Roots of the Internet," https://securityintelligence.com/articles/20-years-cybersecurity-largest-ever-ddos-attack/ (accessed Apr. 11, 2024).
[8] V. Sundar, "How to mitigate a Slowloris attack?," Indusface Blog, https://www.indusface.com/blog/what-is-slowloris/ (accessed Apr. 11, 2024).
[9] F. Lau, S. Rubin, M. Smith, and L. Trajkovic, "Distributed Denial of Service Attacks," https://www.sfu.ca/~ljilja/papers/smc00_edited.pdf (accessed Apr. 11, 2024).
[10] Radware, "What is rate limiting and how does it work?," https://www.radware.com/cyberpedia/bot-management/rate-limiting/ (accessed Apr. 11, 2024).
[11] IT Services, "How can you ensure your authentication system is resilient to DDoS attacks?," LinkedIn, https://www.linkedin.com/advice/3/how-can-you-ensure-your-authentication-system-resilient (accessed Apr. 12, 2024).
[12] Cybersecurity and Infrastructure Security Agency (CISA), "More than a password," https://www.cisa.gov/MFA (accessed Apr. 12, 2024).
[13] "Remotely Triggered Black Hole Filtering: Destination Based and Source Based," https://www.cisco.com/c/dam/en_us/about/security/intelligence/blackhole.pdf (accessed Apr. 11, 2024).
[14] "RFC 5635 - Remote Triggered Black Hole Filtering with Unicast Reverse Path Forwarding (uRPF)," datatracker.ietf.org, https://datatracker.ietf.org/doc/html/rfc5635 (accessed Apr. 11, 2024).
[15] H. Darnell, "Firewall vs DDoS protection: Why it is confused," DDoS-Guard, https://ddos-guard.net/en/blog/what-is-a-firewall-and-how-it-works (accessed Apr. 12, 2024).
[16] Rising Tide Cybersecurity, "DDOS Mitigation Technologies," YouTube, https://www.youtube.com/watch?v=hbNNneCThQ0 (accessed Apr. 11, 2024).