What A DDoS Can Cost

By Kelly Jackson Higgins
Dark Reading

Around 65 percent of IT pros say a DDoS costs their organizations $240,000 in lost revenue per day of the attack, and one-fifth say it would mean a loss of $1.2 million per day, new survey finds
A distributed denial-of-service (DDoS) attack can cost a victim organization as much as $10,000 to $50,000 per hour in lost revenue, according to a new survey.

Neustar polled 1,000 IT professionals in North America from various industries about DDoS attacks, and among the 300 businesses that said they had suffered one, 35 percent said the attack lasted more than 24 hours, and 11 percent said it lasted more than one week. One in 10 suffered a DDoS for more than a week, according to the data.

Around 65 percent said a DDoS would cost them $240,000 in revenue per day of the attack, or $10,000 per hour; 21 percent said it would mean a loss of $1.2 million per day, or $50,000 per hour. Much of the damage depends on the industry: More than 80 percent of financial-services companies said they would lose more than $10,000 per hour, and close to 70 percent of retailers said they would lose more than $2 million a day, or more than $100,000 per hour in revenue.

Ted Swearingen, director of the security operation center at Neustar, says DDoS attacks are on the rise, and no one is immune. “They are not just going after financial firms [only] … we are seeing a lot smaller companies being targets,” Swearingen says. In some of those smaller targets, the attacks may be motivated by protests, for instance, he says.

“We still want to make sure companies know DDoSes are here and growing bigger and more complex. You can’t ignore them and [think], ‘It’s not going to happen to me,’” he says.

But lost revenue is actually the least of businesses’ worries when it comes to DDoS. More than 50 percent said they worry about the effect on customer experience in the wake of a DDoS attack; 25 percent fear brand damage; 19 percent, revenue loss; and 5 percent, job loss.

“When you go down, customer support gets flooded,” Swearingen says.

Telecommunications companies suffer the most DDoS attacks as an industry, with 55 percent reporting attacks in the survey, followed by financial services and travel, each at 32 percent. Nearly 30 percent of IT vendors have been hit, and 16 percent of retailers have, according to the Neustar survey.

“Folks in the retail section had been attacked at the lowest percentage, but if you go back and see what that affected, they had the highest cost per hour when they did get attacked,” Swearingen says.

Meanwhile, less than 5 percent of the respondents said their infrastructure has been built with DDoS mitigation in mind or with DDoS mitigation tools.

Source: http://www.darkreading.com/threat-intelligence/167901121/security/attacks-breaches/240000446/what-a-ddos-can-cost.html


Ustream outage due to DDoS aimed at citizen journalist

Hackers target streaming of anti-Putin protests with attack, Ustream says.

Ustream was hit with a distributed denial-of-service attack today that apparently was designed to interfere with the streaming of video from antigovernment demonstrations in Russia, the CEO of the live streaming site told CNET.

“We are 100 percent confident that they were targeting a specific channel on Ustream of a Russian citizen journalist. This is the third time in the last six months that a specific Russian citizen journalist was directly targeted through this complex and highly adaptive attack,” Brad Hunstable, co-founder and CEO of Ustream said in a phone interview from Budapest. “We get DDoS attacks all the time and we fight them off. It’s not a big deal. But this is adaptive beyond anything we’ve seen.”

The attack started around 2:30 a.m. PT, which was 2:30 p.m. in Russia, and it took Ustream engineers about 10 hours to get the site back up again for its 55 million users worldwide, he said. The attacks used a variety of protocols, such as UDP and TCP/IP, and the requests were coming from Russia, Kazakhstan, and Iran, he added.

“What we saw today were systematic attempts, method after method, up to seven methods,” Hunstable said, adding that it was the largest attack the site has seen in its more than five years in operation.

Asked if he believed that the Russian government was behind the attack, Hunstable said he could not speculate. “I won’t speculate on who or why. What I do know is that there is no denying that specific Russian citizen journalists were individually targeted,” he said. “We are in contact with many of the government agencies across the world. Ustream is back up and running and we put the Russian protests back up on our front page. This is about Internet freedom and our mission is to allow people to do this and we’re not going to stop until we do.”

The company “lost significant revenue” due to the outage and Hunstable said executives will be doing a full review of how to handle attacks going forward to minimize the economic impact.

The other recent DDoS attacks that were targeted at silencing citizen journalists in Russia were on December 6, 2011, and January 6, 2012, both days of antigovernment protests, according to Hunstable. Today’s attack was targeting the ReggaMortis1 channel on Ustream and previous attacks targeted the Ridus channel, he said.

The attacks all used the “same footprint and focused on citizen journalists in Russia using our iPhone and Android mobile broadcasting capability,” he said.

GigaOM had reported earlier today that live-streaming service provider Bambuser also was under attack.

Demonstrators have been protesting since before and after the inauguration of President Vladimir Putin on Sunday, clashing with police, and hundreds have been detained and arrested. In addition to complaints about election fraud, protesters are clamoring for political reforms.

Russia’s move from communism to a capitalism-based economy led to a new class of billionaires who own formerly nationalized assets while crime syndicates have moved their enterprises online. Many of the early credit card data theft and identity fraud rings were based in Russia and former eastern bloc countries.

Source: http://news.cnet.com/8301-1009_3-57430997-83/ustream-outage-due-to-ddos-aimed-at-citizen-journalist/?tag=txt;title


Researcher Warns of Vulnerabilities in Train Switching Systems

Professor Stefan Katzenbeisser says the vulnerabilities could be exploited to cause extensive service disruptions.

At the Chaos Communication Congress in Berlin, Professor Stefan Katzenbeisser recently warned that hackers could use DDoS attacks to shut down train switching systems.

“‘Trains could not crash, but service could be disrupted for quite some time,’ Katzenbeisser told Reuters on the sidelines of the convention,” writes The Hacker News’ Mohit Kumar.

“Prof. Katzenbeisser believes the system is relatively secure from hackers under normal circumstances,” Kumar writes. “However, the computer science expert from Technische Universitat Darmstadt warns that encryption keys, used to protect the communications, could pose risks.”

Go to “Train-switching system can be vulnerable to DDoS attack” to read the details.


Recognizably Anonymous

How did a hacker group that rejects definition develop such a strong visual brand?

The loosely affiliated and ever-changing band of individuals who call themselves Anonymous have been variously described as hackers, hacktivists, free-expression zealots, Internet troublemakers, and assorted combinations thereof. By all accounts the group has no clear hierarchy or leadership, or even any internal agreement about what exactly it is. And yet, as you’ve encountered news and speculation about Anonymous—maybe from reports about coordinated denial-of-service attacks on financial institutions that stopped doing business with WikiLeaks last year, or the group’s more recent association with Occupy Wall Street—you may also have noticed its memorable logo: a suited figure with a question mark where his head should be, set against a U.N.-style globe. You’ve also likely seen the visual symbol that’s made its way onto the streets: a Guy Fawkes mask borrowed by Anonymous from the V for Vendetta graphic novel and movie for use in real-world protests. So how did this chaotic, volunteer-driven, non-organization manage to create a visual identity stronger than many commercial brands?

Anonymous traces its roots to the infamous /b/ message board on 4Chan.org. Much of the communication on the board takes place in the form of rapid-fire, freewheeling, and often blatantly offensive images and remarks from legions of individuals posting anonymously, riffing on, insulting, and trying to top each other. The most familiar (and misleadingly innocuous) meme to emerge from this iteration-obsessed corner of the Internet is the lolcat phenomenon. 4Chan has been around since 2003, and it’s hard to pin down when and to what degree some of the people posting as Anonymous began to think of themselves as a de facto entity of the same name.

That said, some of the images and phrases now associated with the group were clearly circulating on 4Chan by 2007, when a rather sensational local Fox News report depicted Anonymous as “a hacker gang,” and offered a scary assessment of wanton Internet cruelty and destruction. The segment included a disguised individual declaring: “We do not forgive, we do not forget,” a phrase that’s since become familiar to anybody conversant in Anonymous rhetoric, and ended with a visual of that headless-suit guy on a motivational-style poster bearing the message: “Because none of us are as cruel as all of us.” (This visual was doubtless grabbed from /b/, where the headless image had been posted and riffed on since about 2006.) The Fox story inspired a theatrically obnoxious video response from someone purporting to speak for Anonymous: “We are the face of chaos and the harbingers of judgment,” it declared. “We mock those who are in pain.” This early video traffics in some of the elements (visuals, as well as what Ars Technica has called a “florid bombasticism”) of what would become the Anonymous image.

Those elements really coalesced in early 2008, when some “Anons,” evidently incensed by the Church of Scientology’s efforts to keep an embarrassing Tom Cruise video off the Internet, began congregating via Internet Relay Chat to organize a response. Gregg Housh, then an active participant in Anonymous activities, was part of this group. At first, he says, the effort involved recruiting people to keep re-uploading the video faster than the Church could take it down. But one participant who had some experience with the media argued that Anonymous needed “a solid identity to present to the press.”

Six or eight people, Housh reckons, hashed out a press release. It read like the script to a movie trailer, so somebody proposed turning it into a video, combing Archive.org to dig up images of rolling clouds and ominous background music available under a Creative Commons license. They kept fiddling with the ending of the script, using Anonymous-associated phrases already in circulation. Another contributor proposed a conclusion: “We are Anonymous. We are legion. We do not forgive, we do not forget.” Pause. “Expect us.”

“Everyone in the channel erupts,” Housh recalls. “Like ‘Oh my god. You’ve done it. You have done it! We win this game.’ ” The script was fed into AT&T text-to-speech software, and became the video’s creepy voice-over. Next the group created a Web site. For a logo, they considered imagery that had been floating around 4Chan and elsewhere, including the headless suit-man. Someone—Housh says the person wishes to remain anonymous—suggested imposing that image over a U.N.-style globe logo. Then a question mark was added where the figure’s head should be. In what seems like a missed opportunity, the Anonymous logo did not appear anywhere in the video. “We weren’t branding experts or anything,” Housh explains.

Fair enough, but the video really is a fine bit of propaganda—with 4.6 million YouTube views—mixing the snotty but intimidating “hacker gang” vibe with rhetoric that not only transcended the nihilistic, but sounded rather righteous. Excited by their surprisingly large audience, participants in Anonymous’ anti-Scientology efforts decided to organize in-person protests—a challenge, since they were already being accused of various illegal activities. (The Church of Scientology eventually outed Housh, and pressed a variety of criminal charges against him; those were ultimately settled pretrial, but today he describes himself as “an internet activist who observes Anonymous”—not a member.)

The need to remain anonymous at live protests led the group to adopt its now-familiar mask depicting a highly stylized visage of Guy Fawkes, an early-17th-Century British figure who was executed following a foiled plot to assassinate King James I. Though Brits have long used effigies of Fawkes in their Guy Fawkes Night celebrations, this particular, cartoonish representation comes from the 1980s comic-book series V for Vendetta: A vigilante character wore such a mask while overthrowing a totalitarian British government in an imagined dystopian future. In 2006, the series became a film. Also in 2006, the mask began to appear in a popular 4Chan meme called Epic Fail Guy. According to Housh, the suggestion to use the Fawkes mask as protest gear was almost immediate. But some Anons weren’t convinced that the Fawkes mask was right, so they made a short list of alternatives: a Batman mask, classic masquerade masks, a few others. “Then we called comics and costume shops, all over the world,” Housh says, checking availability and price, and the V mask won out: “It’s available, it’s cheap, and it’s in every city.” (The actual Fawkes had “nothing to do with it, for us,” Housh says.)

Thousands of people in various cities subsequently participated in a day of anti-Scientology street demonstrations, plenty of them wearing the mask. “Videos and images and photographs circulated almost immediately,” says Gabriella Coleman, the incoming Wolfe Chair in Scientific and Technological Literacy at McGill University and author of the forthcoming Coding Freedom: The Ethics and Aesthetics of Hacking. “It was just so powerful.” And it cemented Anonymous as, paradoxically, a recognizable phenomenon.

Why has this particular set of signifiers stuck? For starters, the visuals simply look cool—headless-suit-guy and the Fawkes mask are both stark, simple, and vaguely ominous in a way that’s compelling. The suit-man juxtaposed against the U.N. map is also a cleverly subversive, and ironic, appropriation and exploitation of paranoia about Big Brother-style faceless power. Particularly when paired with Anonymous’ over-the-top rhetoric, it suggests that the most powerful entity on earth isn’t a corporation or a totalitarian regime: It’s something so amorphous that the person next to you on the subway could be part of it. And the Fawkes mask, with its hard-to-read expression and mild air of menace, extends that idea into the public sphere; at a time when privacy seems under threat, it’s a tool for mixing free expression with personal secrecy—which might be one of the few propositions that participants in the Anonymous phenomenon agree upon.

Today the headless-man/U.N. globe logo appears on the widely followed @AnonOps Twitter account (and blog). The image also showed up for a time on the Web site of Syria’s Ministry of Defense—apparently hacked in an Anonymous effort that resulted in an incendiary anti-government message briefly replacing the official content. @YourAnonNews (and a related Tumblr) uses the Fawkes mask, as does @GroupAnon. And of course the mask has been worn by street protesters who supported WikiLeaks last year, and by many participants in this year’s Occupy Wall Street actions. Versions of both symbols also appear in this recent Spanish-language video as well as in the trailer for a forthcoming documentary on the Anonymous phenomenon.

These examples reveal that the iconography of Anonymous is highly accessible: If there is a Grand Conspiracy, you don’t have to fear it—in fact, you can join it! But both Housh and Coleman underscore a vital point about the visual identity of an entity with no real structure: All these examples borrow from the same set of images and tropes—but almost always tweak them in some way. “With Anonymous,” Housh says, “you can only make suggestions.” People will pick up and riff on the stuff they like—and ignore whatever they don’t.

“It’s very meme-like,” observes Coleman, who is now researching a book about Anonymous and has studied its distinctly nonhierarchical decision-making process. (Housh also reportedly has a book in the works.) Coleman has argued that Anonymous’ visual branding has enhanced the group’s power—and may even have been essential in binding together people who resist being bound to anything, or anyone. It’s impossible to say whether any given person wearing a Fawkes mask to an Occupy event is “part of” Anonymous, which after all has no official membership structure. Possibly some wearers aren’t even familiar with Anonymous. But even that ambiguity seems to play to the strength of this visual identity. Participants in Anonymous who Coleman has interviewed don’t seem put off by seeing their symbols go mainstream; instead, she describes their attitude as a kind of proprietary pride with an irony of its own: “That’s me.”


Application Level Distributed Denial of Service Attack (DDoS)

Distributed Denial of Service Attack

I. What is Denial of Service Attack?

DoS attacks are a class of attacks, initiated by an individual or a group of individuals, that exploit aspects of the Internet Protocol to deny other users legitimate access to systems and information. If an attacker can force a router to stop forwarding packets, then all hosts behind the router are effectively disconnected. More recently, attacks have been crafted to target web servers, mail servers and other services.

II. What is DDoS Attack?

DDoS attacks aim to disrupt the service of information systems by overwhelming the processing capacity of systems or by flooding the network bandwidth of the targeted business. In modern web applications, a request takes very little effort for the web client to compose, but when it reaches the server, the application has to process a lot of data and compose the response with considerable effort. This disparity in computational effort between server and client is usually an order of magnitude or more, and it works in the attacker’s favour when he modifies a web client to launch an application-level attack against a server. Hence a single compromised machine can cause significant problems on the server end, and a group of such compromised machines in the hands of an attacker can launch a denial-of-service attack against even the biggest server farms and succeed.

In the figure, the attacker has compromised several systems by installing a malicious program on them. When the attacker sends a command to these systems, they start sending an enormous number of requests to the victim machine, which brings the victim down so that it is no longer available to legitimate users. As noted above, a request costs the web client little effort to compose but causes the server to process a lot of data and compose a response; this imbalance in computational effort between server and client is what makes the DDoS attack succeed. Various categories of DDoS include:

  • HTTP Flood
  • SYN Flood
  • UDP Flood
  • ICMP Flood
  • TCP Data Flood
  • DDoS on DNS

Of the attacks listed, HTTP flood, which is an application-level DDoS, is the most threatening.

HTTP flood is the most popular method of attacking a website (88.9%, according to the Kaspersky Labs survey for Q2 2011): a huge number of HTTP requests are sent to the targeted site over a short period. In most cases they look just like regular user requests, making them difficult to filter out, which is what makes this type of DDoS more popular among cybercriminals than others. A new and very lethal form of Layer 7 attack, which uses slow HTTP POST connections, was discovered by Onn Chee and his team. The attacker sends properly formed HTTP POST headers containing a legitimate “Content-Length” field, which tells the web server how much data to expect. After the headers are fully sent, the POST message body is sent at a very slow rate to prolong the completion of the connection and tie up scarce server resources.

 

III. Types of DDoS Attack

  • Bandwidth Attacks: Loading any page of a site takes time and consumes bandwidth. A hosting plan allots each site a fixed amount of bandwidth, for example 100 GB; if visitors consume that entire allowance, the host may suspend the site. Attackers can do the same deliberately: they open 100 pages of the site and keep refreshing them until all the bandwidth is consumed and the site goes out of service.
  • Logic Attacks: These attacks exploit vulnerabilities in network software such as a web server or the underlying TCP/IP stack.
  • Protocol Attacks: Exploiting a specific feature or implementation bug of a protocol running on the victim, in order to consume excessive amounts of its resources, is known as a protocol attack. Protocols here are the rules that must be followed to send data over a network.

IV. Symptoms of DoS/DDoS Attack

US-CERT lists the following symptoms:

  • Unusually slow network performance (opening files or accessing web sites)
  • Unavailability of a particular web site
  • Inability to access any web site
  • Dramatic increase in the number of spam emails received
  • Disruption of services that results from malicious activity is likewise a denial-of-service attack.

DoS attacks can also cause problems in the network branches around the computer actually being attacked. For example, the bandwidth of a router between the Internet and a LAN may be consumed by the attack, compromising not only the intended computer but the entire network.

V. Solutions to DDoS attacks:

i. Using Trapdoor Puzzle:

Under a DoS attack, the defending server sends the client a simple puzzle to authenticate the service request before allocating any system resources for it. The client has to solve the puzzle within a specified period and send back the solution. Only if the solution is correct does the defending server allocate the resources and continue processing the request; otherwise, the request is dropped immediately.

One puzzle that can be used for this purpose is integer factorization. When a request arrives from the client, the server sends it an integer to be factorized. A non-malicious client returns the factors of the integer as the solution. If the solution is correct, the connection is established; otherwise it is not. This method may help reduce malicious DoS client requests.
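A worked implementation of the puzzle exchange described above, added here as an example and not code from the original post. The server issues a factorization puzzle bound to the requester by an HMAC and a deadline, the client factors it by trial division, and the server accepts each solution once; PUZZLE_BITS, the ttl and the client identifier are this example’s own assumptions.

```python
import hashlib
import hmac
import random
import time

PUZZLE_BITS = 16   # size of each prime factor (assumption: small enough to solve in well under a second)


def _primes_up_to(limit):
    """Sieve of Eratosthenes: all primes <= limit."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, is_prime in enumerate(sieve) if is_prime]


# Only primes from the top half of the range are used, so trial division cannot
# finish early on a tiny factor: the client's work is roughly 2**(PUZZLE_BITS-1) divisions.
_CANDIDATES = [p for p in _primes_up_to(1 << PUZZLE_BITS) if p > (1 << (PUZZLE_BITS - 1))]


def _tag(server_key, client_id, n, expires):
    """HMAC over (client, puzzle, deadline): the server's proof that it issued this puzzle."""
    msg = f"{client_id}|{n}|{expires}".encode()
    return hmac.new(server_key, msg, hashlib.sha256).hexdigest()


def issue_puzzle(server_key, client_id, ttl=5, now=None, seed=None):
    """Server side. Returns the puzzle handed to the client; the server stores nothing,
    because the tag lets it recognise (and one multiplication lets it check) the answer."""
    rng = random.Random(seed)                 # seed is only for reproducible demos/tests
    p, q = rng.sample(_CANDIDATES, 2)
    n = p * q
    expires = int(now if now is not None else time.time()) + ttl
    return {"n": n, "expires": expires, "tag": _tag(server_key, client_id, n, expires)}


def solve_puzzle(n):
    """Client side: recover the two factors by trial division (the deliberately costly step)."""
    for d in range(2, int(n ** 0.5) + 1):
        if n % d == 0:
            return d, n // d
    raise ValueError("not a valid puzzle: n has no factor <= sqrt(n)")


class PuzzleVerifier:
    """Server side. Checks a submitted solution; each puzzle may be redeemed only once."""

    def __init__(self, server_key):
        self.server_key = server_key
        self.redeemed = set()

    def verify(self, client_id, puzzle, p, q, now=None):
        now = now if now is not None else time.time()
        if now > puzzle["expires"]:
            return False                      # solved too late: request is dropped
        expected = _tag(self.server_key, client_id, puzzle["n"], puzzle["expires"])
        if not hmac.compare_digest(expected, puzzle["tag"]):
            return False                      # not a puzzle we issued to this client
        if puzzle["tag"] in self.redeemed:
            return False                      # replay of an already accepted solution
        if p <= 1 or q <= 1 or p * q != puzzle["n"]:
            return False                      # wrong factors: cheap check, one multiplication
        self.redeemed.add(puzzle["tag"])      # only now does the server commit resources
        return True


def demo():
    """Full exchange for one (constructed) client; returns True when the request is admitted."""
    key = b"constructed-server-secret"
    verifier = PuzzleVerifier(key)
    client = "203.0.113.7"                    # constructed documentation-range address
    puzzle = issue_puzzle(key, client, ttl=5, now=1000, seed=1)
    p, q = solve_puzzle(puzzle["n"])          # the client's work
    return verifier.verify(client, puzzle, p, q, now=1002)


if __name__ == "__main__":
    print("request admitted" if demo() else "request dropped")
```

The HMAC binding and single-use set are what stop a solved puzzle from being shared among bots or replayed; without them the puzzle only costs the attacker once.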

ii. Malicious IP Restrictions

The Dynamic IP Restrictions Extension for IIS provides a configurable module that helps block denial-of-service attacks by temporarily blocking the Internet Protocol (IP) addresses of HTTP clients whose request pattern suggests such an attack. The module can be configured so that the analysis and blocking are done at the web server or the web site level.

It works by inspecting the source IP of requests and identifying patterns that could signal an attack. When an attack pattern is detected, the module temporarily places the offending IP on a deny list and stops responding to its requests for a predetermined amount of time.
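The detection logic such a module applies, written out as an added example (not the IIS module’s code and not from the original post): a per-IP request counter over a sliding window, a temporary deny list, and a replay of constructed access-log lines through it. The thresholds, log format and addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common/Combined log format prefix; the remaining fields are not needed here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


class DynamicIpRestriction:
    """Deny an IP for deny_seconds once it exceeds max_requests within window_seconds."""

    def __init__(self, max_requests=3, window_seconds=2, deny_seconds=10):
        self.max_requests = max_requests
        self.window = timedelta(seconds=window_seconds)
        self.deny = timedelta(seconds=deny_seconds)
        self.recent = defaultdict(deque)      # ip -> timestamps inside the window
        self.denied_until = {}                # ip -> time the deny entry expires

    def check(self, ip, now):
        """Return True to serve the request, False to drop it without a response."""
        until = self.denied_until.get(ip)
        if until is not None:
            if now < until:
                return False                  # still on the deny list
            del self.denied_until[ip]         # deny period over: start counting afresh
            self.recent[ip].clear()
        window = self.recent[ip]
        while window and now - window[0] > self.window:
            window.popleft()                  # drop timestamps that fell out of the window
        window.append(now)
        if len(window) > self.max_requests:
            self.denied_until[ip] = now + self.deny
            window.clear()
            return False                      # threshold crossed: deny for the configured period
        return True


def parse_line(line):
    """Extract (ip, timestamp, request line) from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def replay(lines, limiter):
    """Feed log lines (in time order) through the limiter; returns (ip, request, allowed) per line."""
    decisions = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                          # unparseable line: skip rather than guess
        ip, ts, req = parsed
        decisions.append((ip, req, limiter.check(ip, ts)))
    return decisions


# Constructed sample: one ordinary visitor and one client hammering an expensive POST endpoint.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2012:14:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/May/2012:14:00:00 +0000] "POST /search HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/May/2012:14:00:00 +0000] "POST /search HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/May/2012:14:00:01 +0000] "POST /search HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/May/2012:14:00:01 +0000] "POST /search HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/May/2012:14:00:03 +0000] "GET /about HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/May/2012:14:00:05 +0000] "POST /search HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/May/2012:14:00:12 +0000] "POST /search HTTP/1.1" 200 2048',
]


def run_sample():
    """Replay the constructed log: the 4th burst request is denied, the deny lasts 10 s, then it lifts."""
    return replay(SAMPLE_LOG, DynamicIpRestriction(max_requests=3, window_seconds=2, deny_seconds=10))


if __name__ == "__main__":
    for ip, req, allowed in run_sample():
        print(f"{'ALLOW' if allowed else 'DENY '} {ip:<14} {req}")
```

A deny list keyed on source address also locks out every user behind a shared NAT or proxy address, so thresholds have to be set with such clients in mind.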

iii. Use of Content Delivery Network

Against a capacity-based attack, the defender can simply have more capacity than the attacker. The easy way to get capacity beyond the means of any DDoS attacker is to use a Content Delivery Network. A CDN is a proxy solution that delivers content close to the target audience and offloads traffic from your web site. A number of services are available, such as Akamai, Amazon CloudFront or MaxCDN. If a CDN is in use and your site is hit by a DDoS attack, it is the CDN that is being attacked, not the site, and since the CDN has enormous capacity, no ordinary DDoS will be able to saturate it. This holds only as long as the origin server cannot be reached directly, bypassing the CDN.

iv. Use of Plugins available for WordPress to protect against DDoS

a. bad-behavior.2.1.15

Bad Behavior complements other link spam solutions by acting as a gatekeeper, preventing spammers from ever delivering their junk, and in many cases, from ever reading your site in the first place. This keeps your site’s load down, makes your site logs cleaner, and can help prevent denial of service conditions caused by spammers.

Bad Behavior also transcends other link spam solutions by working in a completely different, unique way. Instead of merely looking at the content of potential spam, Bad Behavior analyzes the delivery method as well as the software the spammer is using. In this way, Bad Behavior can stop spam attacks even when nobody has ever seen the particular spam before. Bad Behavior is designed to work alongside existing spam prevention services to increase their effectiveness and efficiency. Whenever possible, you should run it in combination with a more traditional spam prevention service.

Reference link: http://wordpress.org/extend/plugins/bad-behavior/

b. php-floating-point-dos-attack-workaround.0.2

It prevents 32-bit PHP versions from hanging when processing a request containing the value 2.2250738585072011e-308. As a string, 2.2250738585072011e-308 causes no problems; the bug hits when it is treated as a numeric value. If the value is assigned to a variable, e.g. $d = 2.2250738585072011e-308, PHP hangs (loops).

2.2250738585072011e-308 represents the largest subnormal double-precision floating-point number; written as a hexadecimal floating-point constant, it is 0x0.fffffffffffffp-1022. 2.2250738585072011e-308 is one of five 17-digit decimal values that convert (correctly) to 0x0.fffffffffffffp-1022:

  • 2.2250738585072007e-308
  • 2.2250738585072008e-308
  • 2.2250738585072009e-308
  • 2.2250738585072010e-308
  • 2.2250738585072011e-308

Only 2.2250738585072011e-308 causes the problem. It happens to be the largest of the five decimal values.
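As an added example (not the plugin’s code), the following checks the conversion claims above in Python, whose float() parsing is correctly rounded, and derives the full set of 17-digit decimal strings that round to the largest subnormal double, of which the text lists five; the guard function is this example’s own suggestion for screening an input string before it reaches a converter with this bug.

```python
import struct

# The largest subnormal double, built from its bit pattern: sign 0, exponent field 0,
# all 52 fraction bits set. It is one step below the smallest normal double.
LARGEST_SUBNORMAL = struct.unpack(">d", struct.pack(">Q", 0x000FFFFFFFFFFFFF))[0]


def hex_float(x):
    """Hexadecimal floating-point constant of x, e.g. '0x0.fffffffffffffp-1022'."""
    return x.hex()


def decimal_strings_rounding_to(target):
    """All 17-significant-digit decimal strings (d.ddddddddddddddddde-NNN form) whose
    correctly rounded double is `target`. Starts from the 17-digit rendering of target
    and walks outward in the last digit until the parsed value changes."""
    mant, exp = format(target, ".16e").split("e")       # 17 significant digits of target
    digits = int(mant.replace(".", ""))
    exp10 = int(exp) - 16                                 # value == digits * 10**exp10

    def as_string(m):
        d = str(m)
        return f"{d[0]}.{d[1:]}e{exp10 + len(d) - 1}"

    lo = digits
    while float(as_string(lo - 1)) == target:
        lo -= 1
    hi = digits
    while float(as_string(hi + 1)) == target:
        hi += 1
    return [as_string(m) for m in range(lo, hi + 1)]


def is_largest_subnormal_literal(text):
    """Guard (this example's assumption, not the plugin's method): True if the decimal
    string would convert to the largest subnormal. Deliberately broader than the single
    literal named above, so every spelling of that value is caught."""
    try:
        return float(text) == LARGEST_SUBNORMAL
    except ValueError:
        return False


if __name__ == "__main__":
    print(hex_float(LARGEST_SUBNORMAL))
    for s in decimal_strings_rounding_to(LARGEST_SUBNORMAL):
        print(s)
```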

Reference link: http://wordpress.org/extend/plugins/php-floating-point-dos-attack-workaround/

VI. Other Prevention and response methods for DDoS

 i. Firewalls

Firewalls can allow or deny protocols, ports or IP addresses using simple rules. Some DoS attacks are too complex for today’s firewalls: for example, if the attack targets port 80 (the web service), a firewall cannot prevent it because it cannot distinguish good traffic from attack traffic. Firewalls also sit too deep in the network hierarchy; routers may be affected long before the traffic reaches a firewall. Nonetheless, firewalls can effectively prevent users on machines behind them from launching simple flooding attacks.

ii. Switches

Most switches have some rate-limiting and Access Control List capability. Some switches provide automatic and/or system-wide rate limiting, traffic shaping, delayed binding (TCP splicing), deep packet inspection and bogon filtering (filtering of bogus IP addresses) to detect and remediate denial-of-service attacks through automatic rate filtering.

These schemes work as long as the DoS attack is of a kind they can prevent. For example, a SYN flood can be prevented using delayed binding or TCP splicing; content-based DoS can be prevented using deep packet inspection; and attacks originating from or directed at dark addresses can be prevented using bogon filtering. Automatic rate filtering works as long as the rate thresholds have been set correctly and with sufficient granularity.

iii. Application front end hardware

Application front end hardware is placed on the network before traffic reaches the servers and can be used alongside routers and switches. It analyzes data packets as they enter the system and classifies them as priority, regular, or dangerous. There are more than 25 bandwidth management vendors, and hardware acceleration is key to bandwidth management.

iv. Blackholing and sinkholing

With blackholing, all traffic to the attacked DNS name or IP address is sent to a “black hole” (a null interface or non-existent server). To be more effective and avoid affecting your own network connectivity, this can be managed by the ISP. Sinkholing instead routes the traffic to a valid IP address that analyzes it and rejects the bad requests. Sinkholing is not effective against the most severe attacks.

VII. Web Stress Tools

Several tools are available to simulate load on web applications. Simulating load makes it possible to test concurrency issues and to better understand how the application behaves under stress. With these tools, a stress test can be run against the web server to see how it reacts when several hundred users access the application at peak times. Testing load and concurrency by refreshing a browser is not a valid test.

Some of the Web Stress Tools are:

 i. Webserver Stress Tool:

Webserver Stress Tool is an HTTP client/server test application designed to identify critical performance issues in your web site or web server that may prevent an optimal experience for your site’s visitors. It can simulate a large number of users accessing a website via HTTP/HTTPS. This stress and load test tool provides graphs and data in a number of formats, including easy-to-use graphs, a text log summary, a detailed text log, and a user text log (one for each user).

ii. HP LoadRunner software:

HP LoadRunner software is an automated performance and testing product from Hewlett-Packard for examining system behaviour and performance, while generating actual load. HP LoadRunner can emulate hundreds or thousands of concurrent users to put the application through the rigors of real-life user loads, while collecting information from key infrastructure components (Web servers, database servers etc).

iii. NeoLoad – Load Testing Tool:

NeoLoad is load testing software designed for web applications; it simulates user activity and analyzes server behavior. NeoLoad records and replays browser requests to the server and can simulate requests made by components such as plug-ins, Java applets, ActiveX and Flash animations.

Other stress tools that can be used are WebLoad – Load Generation Engine, Microsoft WAS Tool, Apache JMeter, FWPTT – Fast Web Performance Test Tool, JCrawler – Stress Testing Tool, and Curl-loader.

The drawback of these tools is that they are not tunable. We therefore suggest using the HTTP Attack tool, which can be downloaded from here.

HTTP Attack tool is an open source web stress tool developed in the Information Security Lab, Department of Computer Engineering, National Institute of Technology Karnataka. It simulates a given number of clients accessing a website simultaneously at a given instant. Its source code is available to the research community so that it can be used and modified as required; it is written in C#.Net, follows the MSDN naming guidelines and is properly commented, so it is easy to understand. It can be used to put a heavy load on a server to test its strength, to analyse overall performance under different load types, and to test how much load a website can withstand before service degrades.

The tool accepts a set of URLs (uniform resource locators) as input and sends requests to each URL in a circular fashion. It does not wait for the response after sending a request; it immediately sends the next one, creating one thread per request that is responsible for receiving that request’s response. In this way it can send the maximum number of requests in a short interval (technically, it sends asynchronous requests).

Efforts have been made to make the tool interactive. While it is running, every 5 seconds it shows the updated values and redraws the graph, which lets the user see whether the success rate or the failure rate is higher over a given period and whether the tool is running properly.

There is an inter-process communication (IPC) problem in logging the requests and responses: responses may arrive at any time and may try to access the log file concurrently. We solved this using a queue. Whenever a request or response has to be logged, it is first pushed onto the queue rather than written directly to the log file; at regular intervals all entries in the queue are written to the log file. The same method is used for the trace file.

VIII. Conclusion

DoS and DDoS attacks are a difficult problem. They present a very real threat to online business, even more so when the availability of the service is an essential business function. They can be reduced to some extent by the use of trapdoor puzzles. Firewalls and sensible security at the border gateway, as discussed above, can provide some degree of protection against low-bandwidth attacks. But more and more attacks use flooding techniques to saturate the bandwidth of online companies, thereby denying legitimate users access to their services. With careful planning and an understanding of the nature of the attack, it is possible to throttle this type of attack using different methods, some of which were discussed above.

