ICMP and DDoS Attacks:
Challenges and Way Forward
Introduction
“Cybersecurity is not just about technology; it’s about the people who use it. It’s important to create a culture of security where everyone understands the risks and takes responsibility for protecting themselves and their organization.” - Stephania Mango
XYZ Hospital staff have been unable to connect to the records server, creating an impasse in the day-to-day medical operations of the hospital. As a Network Administrator, I conducted a preliminary investigation by trying to log in to the server remotely, which I was unable to do. I am duty-bound to diagnose the network issue, correct it immediately and put preventive safeguards in place so that hospital operations can resume.
The records server is the main entity in the hospital's online environment, as shown in figure 1.0. Not only does it provide database management services to staff, doctors and patients, it also holds confidential and sensitive medical records such as patient history, private diagnostic reports and other critical information that medical staff need in order to provide timely and effective care. Therefore, any interruption to access to the records would delay the provision of essential medical services to patients. This may damage the image of the hospital and put at risk the lives that depend on it.
In this context, I, as the network administrator, ran a preliminary Wireshark packet capture of the network that is small but representative. I observed certain peculiar frame trends that point to unusual cyber activity which needs to be studied in detail.
Figure 1.0: Server of XYZ Hospital
Background: ICMP and DDoS
ICMP:
Internet Control Message Protocol (ICMP) is an integral part of the Internet Protocol Suite (TCP/IP). Operating at the Network Layer (Layer 3) of the OSI model, it provides a mechanism for network devices (e.g., routers and hosts) to communicate with each other in order to diagnose network connectivity issues. Devices transmit control messages and error reports using ICMP. ICMP is designed to handle a wide range of situations, including controlling network congestion, reporting problems and debugging network connectivity. An ICMP message consists of a header and a data portion. Message type, code, checksum and identifier/sequence number are some of the fields found in the header, while the data portion may contain text or binary information.
| ICMP Type | Function |
| --- | --- |
| ICMP Type 8 (Echo Request) | Useful for network diagnostics, including measuring the round-trip time (RTT) |
| ICMP Type 3 (Destination Unreachable) | Indication that a destination host cannot be reached |
| ICMP Type 11 (Time Exceeded) | Routers send this message to let other devices know that an IP packet's Time-to-Live (TTL) value has run out |
| ICMP Type 5 (Redirect) | Informs a host about a different, more effective route |
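As an added example (not code from the original post), the following Python routine builds and parses the ICMP header fields just listed, computes the RFC 1071 checksum over header and data, and maps the type numbers from the table to their names. The identifier, sequence number and payload are constructed values for illustration.

```python
import struct

# ICMP types from the table above, plus 0 (Echo Reply) seen in a normal ping exchange
ICMP_TYPE_NAMES = {
    0: "Echo Reply",
    3: "Destination Unreachable",
    5: "Redirect",
    8: "Echo Request",
    11: "Time Exceeded",
}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, odd trailing byte zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(msg_type: int, ident: int, seq: int, payload: bytes, code: int = 0) -> bytes:
    """Header = type, code, checksum, identifier, sequence (8 bytes), then data.
    The checksum is computed over header and data with the checksum field zeroed."""
    header = struct.pack("!BBHHH", msg_type, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, code, csum, ident, seq) + payload

def parse_icmp(message: bytes) -> dict:
    """Split an ICMP message into header fields and data, and verify its checksum."""
    if len(message) < 8:
        raise ValueError("ICMP header is 8 bytes")
    msg_type, code, csum, ident, seq = struct.unpack("!BBHHH", message[:8])
    return {
        "type": msg_type,
        "name": ICMP_TYPE_NAMES.get(msg_type, "Other"),
        "code": code,
        "checksum": csum,
        "identifier": ident,
        "sequence": seq,
        "data": message[8:],
        # Summing a correct message including its checksum field folds to 0xFFFF,
        # so the complement is zero; any corrupted bit changes that.
        "checksum_ok": icmp_checksum(message) == 0,
    }

# Constructed values (not from the capture): one ping request with an 8-byte payload
EXAMPLE_REQUEST = build_icmp(8, 0x1234, 1, b"abcdefgh")
```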
DDoS:
A DDoS (Distributed Denial of Service) attack is a type of cyber attack that seeks to overload a target system or network with an influx of unauthorised traffic from multiple sources, impairing its functionality or preventing access for authorised users.
In a DDoS attack, the attacker's intention is to overwhelm the target (here, the records server) with so many requests that its resources, such as bandwidth, processing power or memory, are completely exhausted. The target system may slow down, become unresponsive or even crash because of this overload (figure 1.1).
Figure 1.1
Normal ICMP Behaviour:
Below are some common normal ICMP messages seen when the network is reachable:
Figure 2.1: Normal ICMP messages in Wireshark
Here, a total of 8 messages are displayed: 4 request and reply pairs, an Echo (ping) Reply for every Echo (ping) Request. This shows that the connectivity between the server and the user is reliable, with the server replying within the expected time frame.
Observations of the captured Wireshark file of the hospital server (Abnormal Behaviour):
The observed behaviour, however, revealed a significant amount of ICMP traffic, which might indicate irregular or excessive ICMP requests directed at the records server without any response from the host. The server destination IP 200.200.1.77 is not responding to a continuous stream of ping (Echo) requests arriving at very small intervals from multiple source IP addresses, as highlighted in figure 3.1. The only logical explanation is that these ping echo requests were sent with the intention of overwhelming the server, thereby causing the connectivity issue.
Figure 3.1: DDoS detection by Wireshark
Explanation of the capture file: Attack determination:
A DDoS attack has taken place, as shown by the disruption of the records server and the huge volume of ICMP traffic with which the server is overloaded. Moreover, this attack can be considered an “Active attack”, as it involves the intentional action of flooding the records server with a huge amount of network traffic. It can be clearly stated that the attacker has actively sent a huge volume of Echo Requests/data to overwhelm the server, in contrast to “Passive” attacks, where an attacker observes data without actively interrupting the normal functioning of the system.
Compromised Security Goal:
The security goal that seems to have been compromised here is ‘Availability’, because the DDoS attack denies users access to resources while the server is overwhelmed by ping requests. Confidentiality and Integrity are left unviolated because the attacker is not able to breach the server records in this scenario.
Analysis of the Potential Vulnerabilities:
The potential underlying causes that may have facilitated the DDoS attack (based on figure 3.1) are the social and technical vulnerabilities in the network architecture of XYZ Hospital, which include network vulnerability, server vulnerability and the social-cultural vulnerability of hospital staff.
1. Social Vulnerabilities:
- Inadequate security procedures: Users frequently disregard fundamental security procedures, for example by using weak passwords, failing to update software or firmware, or failing to put the required security safeguards in place on their devices. These flaws make equipment vulnerable to compromise and inclusion in a botnet.
- IoT and bots: The increase in the number of insecure IoT (Internet of Things) devices, coupled with the rise in automated bots that send echo requests, has led to DDoS attacks.
2. Technical Vulnerabilities:
- Exploitable software flaws: Network infrastructure with unpatched flaws can be used by attackers to overwhelm targets and mount DDoS attacks.
- Insufficient network capacity and traffic management: The enormous amount of malicious traffic in a DDoS attack can overload targeted networks or systems that are under-resourced or lack effective traffic filtering techniques.
- Lack of traffic anomaly detection: Without efficient monitoring and detection tools it is difficult to recognise and mitigate the irregular traffic patterns linked to DDoS attacks.
Recommended Solutions:
Business Continuity and Disaster Recovery Plan:
A disaster recovery plan for a DDoS attack, as shown in figure 4.1, should include the following essential components:
1. Detection strategy: Monitoring tools to quickly identify DDoS attacks.
2. Response and Mitigation strategy: Establish a response strategy that details what to do in the case of a DDoS attack, e.g. how to alert IT employees, get in touch with impacted users and activate DDoS Protection Services.
3. Recovery and Corrective strategy: Start the process of returning to normal operations once the attack has been contained.
4. Prevention and Evaluation strategy: Conduct a post-incident review to find areas that may be improved, and update the plan from time to time.
Figure 4.1: Disaster Recovery Plan
What are DDoS Protection Services?
DDoS Protection Services involve a combination of detection, prevention and curative strategies implemented across the 7 layers of the OSI model that address the social and physical vulnerabilities of the server.
Detection strategy:
A detection strategy is used to investigate the cause of the incident by analysing packet behaviour through sniffer tools, activity log records, etc., as explained below:
- Signature-based detection: This method compares network traffic against a database of recognised DDoS attack signatures, looking for known patterns in the traffic. If a match is found, the technique can intervene to stop the attack by blocking traffic coming from the attack's source.
Strengths: The approach can be used to determine the sort of DDoS attack being used, which can aid in choosing the best defences.
Weakness of detection: As signature-based detection can only identify established attack patterns, it may not be effective against newly emerging threats that do not match a recognisable pattern. Sophisticated attacks can use advanced ways to avoid being caught by this detection measure; for instance, the traffic may be encrypted or made to look like legitimate traffic.
- Traffic rate-based detection: This tactic entails monitoring the flow of incoming traffic and looking out for any abrupt increases that might be a sign of a DDoS attack.
Weakness: The source of the attacker can't be known just by examining traffic variations.
- Protocol-based detection: This method examines the protocol used in network traffic to find suspicious activity that might point to a DDoS attack. It works by inspecting the headers of network packets to determine whether they are part of a DDoS attack or genuine communication.
Strengths: The method can also be used to locate the attack's origin, which is helpful in pursuing legal action against the offender.
Challenges with the detection strategy: To keep up with the increasingly advanced nature of DDoS attacks, the cost of maintaining detection methods and keeping them up to date can be high, especially for small businesses with limited funding.
Recovery and Corrective Strategies:
After determining the attack type, source, timing and causes of the DDoS, the IT administrator should move to the next stage of disaster management, i.e. the corrective strategies explained below:
- Diverting traffic entails sending incoming traffic to a DDoS Protection Provider that uses the cloud to filter out dangerous data.
- Filtering traffic entails identifying and blocking harmful traffic while allowing genuine traffic through, using network filtering techniques. Some common filtering techniques are IP filtering, geolocation filtering, protocol filtering, traffic rate filtering and behavioural filtering.
- Rate limiting: This can help prevent the network from becoming overloaded by restricting the number of requests or connections from a single IP address or subnet. The most common rate-limiting techniques are:
o Bandwidth rate limiting: limits the amount of bandwidth available for traffic to a server.
o Connection rate limiting: limits the number of connections that can be established with the server. This is achieved using firewalls and routers.
o Request rate limiting: limits the number of requests that can be made to a server. It is done through firewalls.
o Session rate limiting: limits the number of sessions that can be established to a server. This is achieved through load balancers.
- Scaling up resources: To manage the increased traffic load, scaling up entails adding bandwidth, processing power or other resources. This can be achieved by the following techniques:
o Load balancers: create multiple servers for distributing traffic.
o Cloud-based solutions: such as CDNs (Content Delivery Networks), which can be used to distribute traffic into a remote cloud database and thus scale up server resources.
o Mirroring: create copies of critical hospital resources and distribute them among various servers.
- Blackholing: This method effectively shuts down the website until the attack is over by blocking all traffic to the targeted IP address or range.
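Request rate limiting from the list above, as an added Python example that is not part of the original post: a token bucket keyed either per source IP or per /24 subnet, run over constructed traffic (one workstation pinging once a second, then a burst from twenty addresses in a single subnet). The comparison also shows why per-IP limits alone are weak against a distributed flood: every new source address starts with a full bucket.

```python
import ipaddress

class TokenBucketLimiter:
    """Request rate limiting with a token bucket per key. A key is the source IP,
    or its enclosing /prefix subnet when `per_subnet` is set. Each key may send
    `rate` echo requests per second on average, with bursts of up to `burst`."""
    def __init__(self, rate, burst, per_subnet=None):
        self.rate, self.burst, self.per_subnet = rate, burst, per_subnet
        self.buckets = {}   # key -> (tokens, time of last refill)

    def _key(self, ip):
        if self.per_subnet is None:
            return ip
        return str(ipaddress.ip_network(f"{ip}/{self.per_subnet}", strict=False))

    def allow(self, ip, now):
        """True if the request may pass; False if its bucket is empty (drop)."""
        key = self._key(ip)
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)   # refill
        if tokens >= 1:
            self.buckets[key] = (tokens - 1, now)
            return True
        self.buckets[key] = (tokens, now)
        return False

def run(limiter, events):
    """Feed (time, source_ip) events in order; return (accepted, dropped)."""
    accepted = sum(limiter.allow(ip, t) for t, ip in events)
    return accepted, len(events) - accepted

# Constructed traffic (not from the hospital capture): a staff workstation pinging
# the server once a second, then 20 requests inside 20 ms from 20 different
# addresses in one /24, as compromised hosts on one LAN segment might send.
LEGIT = [(float(t), "10.0.0.5") for t in range(5)]
FLOOD = [(5.0 + i * 0.001, f"172.16.9.{i + 1}") for i in range(20)]

def compare():
    """Per-IP limits let a distributed burst through; per-/24 limits hold it."""
    per_ip = TokenBucketLimiter(rate=1.0, burst=3)
    per_net = TokenBucketLimiter(rate=1.0, burst=3, per_subnet=24)
    return {"legit_per_ip": run(per_ip, LEGIT), "flood_per_ip": run(per_ip, FLOOD),
            "legit_per_net": run(per_net, LEGIT), "flood_per_net": run(per_net, FLOOD)}
```

With these settings the workstation's pings all pass under both limiters, the per-IP limiter accepts all 20 burst requests, and the per-/24 limiter accepts only the 3-request burst allowance and drops the other 17.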
Challenges with Corrective Strategies:
- Blackholing might take a toll on the hospital's operations and essential services indefinitely, as one does not know how long the DDoS attack may last.
- Mirroring, load balancing and traffic diversion techniques are costly, adding to the infrastructure costs of the hospital.
- The corrective strategy depends on how long it takes to detect the problem in the previous stage. Detection latency means the delay in implementing the corrective measures caused by delays in detecting the problem (Greg Tomsho, 2019).
Preventive Strategy:
After the corrective strategy stage, we discuss the preventive strategy that should be implemented to prevent such an attack from happening in future.
- Use performance monitoring software to check whether enough memory and processing power remain available on the server to support operations. It triggers an automatic pre-emptive mail to the IT administrator whenever resource availability falls below a limit.
- Server application hardening can make a server more resilient and less vulnerable to compromise by lowering its attack surface and minimising the possibility of vulnerabilities.
- Network segmentation is a security technique that involves dividing a network into smaller sub-networks, or segments, to reduce the impact of a security breach. It can help mitigate the impact of a DDoS attack by limiting the spread of the attack and isolating affected systems.
- Web content filtering is a security strategy that involves restricting access to web content by blocking traffic from known malicious sources, such as well-known botnets that are frequently used in DDoS attacks.
- Access control is a security approach that restricts access to resources based on user identity, using identity authentication. The number of people that have access to vital resources, such as servers and databases, can be restricted by putting access restrictions in place.
- Threat intelligence based on adversary tradecraft can certainly help prevent DDoS attacks by providing insights into the tactics, techniques and procedures (TTPs) of potential attackers.
Finally, one should comply with a cyber safety policy and robust documentation at the organisation level to have a framework in place that ensures we plan, prevent and pre-empt DDoS attacks rather than respond, rescue and rehabilitate.
References
Michael Gregg (ed.), Chapter 4 - Layer 3: The Network Layer, in Hack the Stack, Syngress, 2006, pp. 103-150, ISBN 9781597491099, https://doi.org/10.1016/B978-159749109-9/50008-3 (https://www.sciencedirect.com/science/article/pii/B9781597491099500083)
https://resources.infosecinstitute.com/topic/icmp-attacks/
Greg Tomsho, Guide to Networking Essentials, 8th Edition, Chapter 14 - Troubleshooting and Support, Approaches to Network Troubleshooting, p. 738