Security in Obscurity

A thought by Jeff Stein

Guide to counter denial-of-service (DoS) and DDoS attacks: Detection of compromised systems (Part 1)

The methods to counter DoS attacks should include early detection of compromised systems, December 2018

What can you do to counter a denial-of-service attack? There are a number of ways to counter denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks. They range from technical to human-related and cover early detection of compromised systems, hardening of systems to block infection, and remediation of an attack in progress. Additionally, the growing reliance on cloud services such as SaaS and PaaS solutions can help offset the risk of DoS and DDoS attacks. This thought is part one of a four-part series on countering DoS and DDoS attacks:

Detection of Compromised Systems
Hardening of Systems to Block Infection
Remediating an Attack In Progress
Offsetting Risk with Cloud Services

First, let's get an understanding of what a DoS or DDoS attack is. A denial-of-service attack occurs when a system, or the network its computers are connected to, becomes unavailable because it is overloaded with bogus requests or connections. These extra connections inundate the system until they consume all available resources, making it either crash outright or stop legitimate traffic from getting through to the network or system. [1] In the simplest case the bad traffic comes straight from the attacker's own machine. More often the computers sending the bad requests are machines that have been compromised and are under the attacker's control; these machines are called slaves, zombies or bots. The attacker uses the zombies to generate the malicious traffic instead of sending it directly from the attacker's machine, which also hides where the attack is really coming from. A distributed denial-of-service (DDoS) attack is very similar to a DoS attack but on a much larger scale: the number of systems an attacker controls in a DDoS attack can range into the thousands. Using so many machines gives the attacker a few advantages. The attack is harder to detect and to filter, since the traffic arrives from many sources and there is no single address to block, and the attacker can consume a far larger share of the resources on the victim system or network. [2]

Detection of compromised systems

The detection of compromised systems is key to addressing any potential DoS or DDoS attack. If you do not know how you are being attacked, or where the attack is directed, further actions will prove futile. Therefore, approaches to detecting compromised systems should be our first step in addressing this attack vector.

IDS

An intrusion detection system (IDS) is deployed either on a network (NIDS) or on a host (HIDS) to analyze activity and determine whether it is malicious in nature. A NIDS needs visibility into your network traffic, typically from a network tap or a switch SPAN/mirror port (or inline, if the device also acts as an intrusion prevention system), so that it can assess the traffic for signs of compromise. This approach lets you capture that information for any system communicating on the monitored network segment, whether you know of its existence or not. A HIDS requires software, usually in the form of an agent, installed on each system you want to analyze. While this approach only covers systems with the HIDS agent installed (meaning any systems unknown to you will not be tracked), a HIDS does not depend on fixed network boundaries the way a NIDS does, and it sees activity on the host itself (processes, files, local logs) that never appears on the wire.

Intrusion detection systems use two different methods to analyze network traffic or host activity and determine whether it is malicious. An IDS can use anomaly-based detection, which compares observed activity against a baseline profile of normal behavior and flags significant deviations. [3] An IDS can also use signature-based detection, which identifies threats by matching activity against patterns of known threats. According to NIST, IDS devices are an industry standard that organizations should use to identify possible incidents. In particular, NIST recommends combining anomaly-based and signature-based detection to detect possible intrusions, such as a DDoS attack, more accurately: signatures catch known attacks with few false positives, while anomaly detection can catch new attacks and unusual traffic volumes that no signature describes. [3]

Intrusion detection systems are an industry standard for countering denial-of-service attacks because they can identify potential attacks as they occur on a network. Additionally, if a system is infected and being used as a zombie, a HIDS can detect this, for example by noticing an unexpected process or an unusual burst of outbound connections from the host. The detection of potential attacks allows network and security engineers to gain a better grasp of the overall attack, including which areas of your environment it impacts, and to remediate the situation more quickly.

Implementing a Security Awareness Program

The human element is a weakness in DDoS attacks in addition to technical hardware and software vulnerabilities. People using your network, whether they are employees, guests or otherwise, are vulnerable to phishing and social engineering attacks and can unwittingly facilitate the infection of machines with malware. [2] All of these attack vectors can leave machines and networks compromised, and therefore usable as zombies in DDoS attacks. A security awareness program that educates staff on how to combat attacks against the human element can help strengthen a network and counter DDoS attacks.

To address this, consider initiating a security awareness program based on the concept of EAT to give personnel the tools to combat malicious attacks on them and their systems. EAT stands for education, awareness and training. [2] The idea of an EAT program is to inoculate the human element on a network with the right habits of thought for combating malicious attacks.

A number of different techniques can be used to assist in this inoculation, such as computer-based training and seminars. [2] These techniques give personnel the information and instincts needed to react to an attempt to socially engineer information out of them, and to know how to respond if they believe a system they are using has been infected. Graduates of a proper EAT program become additional sensors for the security staff: they can identify potential incidents and take quick action to remediate the system(s) involved before an attack such as a DDoS can occur or do its full damage.

---

In summary, the first step in addressing potential DoS or DDoS attacks should be the detection of compromised systems. Technical controls such as an IDS, together with administrative controls such as a security awareness program directed at the human element on a network, give you the ability to know the scope of an attack. These controls will enable you to detect compromised systems during an attack.


Note: Parts of this thought were previously used in content I submitted while in Grad School during my Hacking Countermeasures course.


Resources Consulted

[1] Denial-of-Service attacks: Understanding network vulnerabilities. (2003).

[2] Tipton, Harold F., & Krause, Micki. (2007). Information Security Management Handbook, sixth edition, volume 1.

[3] Scarfone, Karen, & Mell, Peter. (2007, February). Guide to Intrusion Detection and Prevention Systems (IDPS). NIST Special Publication 800-94.

