Researchers at the Queensland University of Technology hope to test and mitigate the risks of a Distributed Denial of Service (DDoS) attack by creating and running their own internal testbed.
The new dosTF testbed, one of the few available globally, uses eight Linux and Windows-based PCs and three VMware servers to create 200 virtual hosts used in cohort to simulate the attacks. The idea is to better understand the global attack methodology and develop protection methods. Each PC is fitted with two Ethernet cards - one for incoming traffic and the other for monitoring - and is monitored by SNMP messaging, with experimental scenarios recorded in XML format to be later documented and potentially replayed for further experimentation.
One of the researchers involved in the project, Desmond Schmidt, told the World Computing Congress 2010 in Brisbane it was vital to conduct the experiments on an internal network, rather than on a live system or the wider internet, in order to better understand the attacks without breaking laws in numerous countries.
A DDoS attack uses several infected computers coralled into a 'botnet' to collaboratively attack and subsequently bring down targeted websites. A recent study conducted by EMC’s security division, RSA, found DDoS attacks could be commissioned or bought for a desired website for an average price of $US50 per attack. Security organisations such as the Australian Computer Emergency Response Team (AusCERT) and the international intelligence firm, Cyveillance have both identified the National Broadband Network (NBN) and the general ubiquity of faster access networks and, specifically, faster upload speeds as a potential boon to botnet operators and hackers.
The prevalence of recent DDoS attacks made news when it was discovered copyright protection organisations had contracted India-based software companies to target BitTorrent trackers and search engines believed to be hosting infringing media. Users on the 4chan message board, however, have reportedly used the same tactic against the same companies, launching 'Operation Payback' to collaboratively bring down websites associated with both the contracted software companies and the copyright protection organisations.
Schmidt pointed to existing, similar testbeds which provided similar capabilities such as DETER at Berkeley University and Emulab at the University of Utah, both of which utilise a system formulated by the latter. Schmidt said existing testbeds posed problems for researches working in the India-Australia project howver; while they were accessible anywhere in the world, they required remote login and didn’t suit the project’s prospects.
He said the internal testbed was inexpensive to construct and maintain.
Each of the PCs and virtual hosts in the dosTF testbed can be used as an attacker, traffic generator, defender or vulnerable service, all activated via a command line. Targets are also assigned on the network for the attack, while another provides a view of the experiment.
The India-Australia project, which hosts the testbed is being funded by the Indo-Australian Science and Technology Fund, is partly paid for by the Department of Innovation, Industry, Science and Research.
According to Schmidt, the testbed has been successful in two separated denial of service attacks; one makes use of a vulnerability in the Ruby XML parser, while the second sent repeated requests for a service description file on a Glassfish application server. Researchers involved in the project will in future make use of the testbed for testing mitigation against DDoS attacks as well as formulating defence applications. Another project will identify potential vulnerabilities in the IPv6 protocol in the behaviour of SCADA systems.