Under the supervision of(IMS2013004) Dr.Abhishek Vaish (IMS2013041) Abhinav Nautiyal Kompal Gulati Problem Definition Application DDOS attacks has been among the most trending attacks in the recent past. There has been a lot of researches of DoS tools but the field lags in research’s based on recently used tools in launching the attacks against different well known private and government organizations. Objective To analyze the DDoS tools on the basis of their parameters and rank them on the basis of their efficiency. Introduction What is a Denial of Service attack? Using up resources and / or bandwidth of a server in a malicious way to prevent legitimate users from accessing its services. Some common DoS methodologies SYN flood – exploits poor implementation of TCP in some OSs. Ping of Death – uses inherent weakness in IP fragmentation and reassembly UDP Flooding Bots Classification of DDoS attacks. The classification of DDoS attacks can be considered on the basis of different DDoS attack tools and their analysis as mentioned by Mohd. Jameel Hashmi, Manish Saxena. Against users Against hosts fork() bomb Intentionally generate errors to fill logs, consuming disk space, crashing. The power switch. Against networks UDP bombing TCP SYN flooding Ping of death Smurf attack Tools Analysed LOIC (Low Orbit Ion Cannon) LOIC is an open source DOS tool which was used by a very known group of hackers “anonymous”. This tool is highly scalable and can be used in performing DDoS attacks, as different users can join in via IRC (internet relay chat). This tool has a GUI based dashboard which makes it easy for beginners to use. It is generally used for TCP, UDP and HTTP flooding. HOIC (High Orbit Ion Cannon) HOIC is an advanced version of LOIC and is used by the hacker’s group anonymous. It performs flooding at the targets end by sending numerous number of HTTP request. It does have an added functionality of uploading scripts called as “boosters” which can be uniquely customized depending upon on the target. This tool also provides the functionality of controlling the speed of the attack in three different modes i.e. high, medium and low. HULK (HTTP Unbearable Load King) HULK is another very know tool for performing DDoS attack. It is unique in its own way as each packet is crafted with unique request thus helping it to bypass the caching engines and staying being undetected. TORSHAMMER or Tor’s Hammer Torshammer is a slow post DDoS tool which is extremely different as compared to others in terms of its functionality. It is designed in Python and as the name suggests it runs through a TOR network thus providing an added advantage of staying anonymous while performing the attack. Parameters for Analysis 1 On the basis of extensive literature review the following are the vital parameters on which each tool mentioned will be judged and compared to each other. Additional Script Up loader: It is a feature that provides the attacker to upload a customizable script depending on the target. Handshake: Initially a handshake is done between two systems to establish a connection which helps in exchange of information. During this handshake a log of IP is maintained which keeps the track of all the activities of the client’s IP. This log helps in tracing the malicious IP addresses. GUI Interface: GUI interface refers as Graphical User interface that allows the user to interact with the tool. It is an advantage to all naive users as it doesn’t require a high level expertise for operating the tool to launch the attacks. Spoofed IP: This property provides the feature of anonymity i.e. it helps the attacker to launch the attacks by keeping its identity hidden. Valid Packet Content: This describes the authenticity of the packet’s content which are sent during the attack by the attacker. Customizable Packet Rate: It defines the inbuilt feature by which the attacker can hold the rate of packets that he sends during the attack. Parameters for Analysis 2 Attacks This parameter describes the type of attack done by what type of flooding at the application layer. Request-Flooding Attacks HTTP GET Request: The client sends requested data packet to the server in form of HTTP GET request. HTTP POST Request: The client sends data that needs to be processed at servers end by HTTP POST request. HTTP Slow Read: The attacker forces the targeted server to forward a large number of data which compels the server to breakdown. Ranking Scoring System -1 By using arithmetic mean based scoring system we will calculate the mean and rank the tools accordingly. Every attack vector holds a value of either zero(0) or one (1). We will analyze the tools on different attack vectors and assign them Zero –If the attack vector does not exist in the tool One - If the attack vector exist in the tool. Will calculate the mean. Ranking Scoring System -2 Results Results For LOIC: For HULK: P = (X2+X3+X71)/7 = (1+1+1)/7 = 0.43 P = (X2+ X71)/7 = (1+1)/7 = 0.28 For HOIC: P= (X1+X2+X3+X5+X6+X71) /7 = (1+1+1+1+1+1)/7 = 0.86 For Torshammer: P= (X2+X4+X5+X71+X72+X73) /7 = (1+1+1+1+1+1)/7 = 0.86 Conclusion The application DDoS attack are mostly non volumetric and very popular these days. On the basis of the defined ranking scoring system we found two tools with highest values i.e. HOIC and Torshammer having 0.86 as the highest values. Each of these tools is unique in their own way. We would recommend the industries to consider these tools while deploying controls against these types of attacks. Recommendation and Scope for future work Our research project is only limited to only one layer of OSI model i.e. the application layer of DDoS attacks. With due course of time the parameters for analysis and the ranking scoring system can be improved for the better results. References [1] Monowar H. Bhuyan,H. J. Kashyap1, D. K. Bhattacharyya and J. K. Kalita , “Detecting Distributed Denial of Service Attacks:Methods, Tools and Future Directions”, The ComputerJournal, December 2012. [2] Hoffman, Stefanie. "DDoS: A Brief History." Web log post. Https://blog.fortinet.com/post/ddos-a-brief-history.Fortinet, 25 Mar. 2013. [3] Mohd. Jameel Hashmi, Manish Saxena, Dr. Rajesh Saini,“Classification of DDoS Attacks and their Defense Techniques using Intrusion Prevention System”, International Journal of Computer Science & Communication, Networks,Vol2(5),607-614. [4] Stephen M. Specht and Ruby B. Lee, “Distributed Denial of Service:Taxonomies of Attacks, Tools and Countermeasures”, 17TH International Conference on Parallel and Distributed Computing Systems, pp. 543-550, September 2004. [5] Vangie Beal, DDoS attack – Distributed Denial of Service,Webopedia. [6] NextGen DDoS Experts,“Taxonomy of DDoS Attacks”, RioRey, RioRey_Taxonomy_Rev_2.6_2014, 2014. [7] The Fedral Emergency Team, “Anonymous announce to attack big corporate websites”, CERT, 25 May 2012. [8] United States Computer Emergency Readiness Team,“Anonymous DDoS Acitivity”, US-CERT, 23 April 2012. [9] Hardeep Singh, “Anonymous attack on Indian Government Continues”,Infi-Zeal Technologies, 21 May 2012. [10] Pavitra Shankdhar, “DOS Attacks and free DOS Attacking Tools”, Infosec Institute, 29 October 2013. [11] Bliznet, “Bliznet”,Packet Storm Security,9 Dec 1999. [12] Thomas O’Connor, “DOSnet.c”, Packet Storm Security,5 September 2002. [13] Exptirpater, “ddnsf.tar.gz” , Packet Storm Security,Distributed DNS Flooder v0.1b, 27 March 2001. [14] Flitz, “Flitz”, Packet Storm Security, 20 February 2007. [15] Knigth, Packet Storm Security, 12 July 2001. [16] Mstream, Packet Storm Security, 1 May 2000. [17] Omega v3 Beta, Packet Storm Security, 31 August 2000. [18] Peer-to-peer UDP Distributed Denial of Service (PUD),Packet Storm Security. 20 February 2007 . [19] Skydance v3.6, Packet Storm Security, 19 July 2001. [20] StacheldrahtV4, Packet Storm Security, 8 February 2000. [21] Tribe Flood Network (TFN),Packet Storm Security, 23 September 1999.