In this article, we present a scenario model of a DDoS attack on elements of specialized information technology. The proposed model ensures the finding of initial data for a comprehensive assessment of the stability of the functioning of a specialized information system operating under the conditions of the action of malicious software on its network elements. The approbation of the model and the simulation of the DDoS attack process in the environment of the MathCAD application program allowed us to conclude that the proposed model allows adequately, with a sufficient level of detail and flexibility, to display the simulated process, is sensitive to changes in input data, and allows obtaining consistent simulation results. as well as identify appropriate directions for ensuring the viability of specialized information systems. The resulting model allows you to estimate not only the potential capabilities of malicious software, but also the time it takes to implement a DDoS attack on network elements of information systems. The work also provides practical advice regarding the inclusion in the architectures of developed specialized information systems of hardware to prevent malware attacks.
[
systems, this problem is relevant in the design and operation of specialized information systems
The difficulty of ensuring stable operation of modern specialized information systems (IS)
has recently been constantly increasing due to more frequent cases of attacks implemented by
malicious software [
network infrastructure, such as routers and others. A DDoS attack at the third level aims at the transmission of a large volume of data (flood). The attack at the fourth level is carried out with the aim of slowing down, and with the maximum effect - blocking the operation of the web server. Loading the access channels of the web server will eventually lead to the blocking of access of the client's automated workplaces to the resources provided by the specialized IS.
is that it is directed to the application server, which causes it to become overloaded and, to a large extent, makes the functions of the specialized IS unavailable for its automated workplaces.
transparency for anti-virus software due to their similarity to useful traffic.
fifth Ukrainian company or state organization experienced a DDoS attack. At the same time, attacks most often targeted large banks (27%), medium and small businesses (15%). DDoS attacks were aimed at creating problems in the operation of the main pages of the websites of both state institutions (including educational institutions - the authors of the article directly observed and investigated the actions of attackers on the electronic resources of the Khmelnytskyi National
communication, as well as functions that allow the user to enter the IS (19%).
on specialized IS is, along with others, one of the most pressing scientific tasks today.
One of the most difficult and important tasks for evaluating capabilities, detecting and
countering the effects of malicious software is the selection of a mathematical model adequate
for the purposes [14,15]. Today, a large number of cyber security models are used in information
security tasks: models of a legitimate user and violator [12, 20], models of attacks [
computer attack of the type "Distributed Denial of Service" on the elements of a specialized information system. The resulting model allows you to estimate not only the potential capabilities of malicious software, but also the time it takes to implement a DDoS attack on network elements of information systems.
Today, one of the most convenient technologies for building computer networks of organizations and companies is the MPLS network technology [18, 19]. It combines the technique of virtual channels with the functionality of the TCP/IP stack. This network property is achieved by having the same LSR (Label Switch Router) network device act as both an IP router and a virtual circuit switch. This makes it possible to combine territorially separated parts of information systems of companies into single local networks, which is extremely convenient. That is why the MPLS technology is chosen as the basic one when creating a mathematical model of a DDoS attack.
client automated workstations of some specialized IS, which functions under the influence of
attack depends on the number of computers that make up the Bot network. Unfortunately, today, such networks not only exist, but are also provided by criminals for rent. Therefore, today the attacker has the opportunity to immediately focus directly on the object of the attack.
As a rule, an attacker needs to conduct reconnaissance of the network of the information system chosen for the attack by performing a number of steps. For this, he needs to determine its active elements, type and versions of operating systems, as well as network services. We denote the average time spent on this as . , . and . . with distribution functions M(t), D(t), L(t), respectively. The attacker successfully implements these actions with probabilities .
. . . The calculation of these probabilities can be carried out according to the method proposed in the description of the mathematical model of the information security violator [20].
If the attacker failed to set at least one of the network parameters, then his attempts will be repeated with probabilities 1 − . , 1 − . and 1 − . . , respectively, where .
is the average repetition time with the distribution function Z(t).
In the next step, the attacker analyzes the received data and determines the vulnerabilities of the elements of the attacked network in the spent average time . distribution function K(t) and determines the connection requests to the server - attack targets with the time in the average time
with the time distribution function Y(t) and the probability connecting to the target server
. , and receiving a response about its status after time
with a distribution function U(t). If access is not obtained, the attacker sends a second request in the average time .
with the distribution function V(t).
attack (Fig. 1). Each bot computer starts sending service requests to the attack object with an average time .
. with a time distribution function W(t).
anonymous false connection requests through the Bot-network controlled by him, which lead to the overflow of the server's RAM. Server overload, in turn, blocks the access of legitimate client automated jobs of the attacked specialized IS. Such blocking of IS servers is carried out during the average time . with the distribution function N(t).
The average time .
. and the distribution function F(t) of the time of implementation by the offender of the DDoS attack are to be determined. At the same time, we will assume that the implementation time of all stages is random and characterized by an exponential distribution, and all probabilities take the same values.
an average time . with probability 1 − . ..
configuration errors or vulnerabilities known to the attacker. Successful implementation of the attack script can cause the server to "hang" due to a buffer overflow, for example.
Note that here: w(s), m(s), z(s), d(s), l(s), k(s), y(s), v(s), u(s), n(s) and o(s) are the LaplaceStiltjes transformations of the corresponding distribution functions specified in the problem statement and defined as:
∞ ri(S ) = ∫ e 0 − st d [Ri(t )] =
ri ri + s (1) where: ri - the equivalent transformation function of the ith distribution function W(t), M(t),..., O(t);
network (Fig. 2 and Fig. 3) with a fictitious branch ( ) = s is the change defined on the complex plane S, where the transformation ri(S ) exists.
1 where: ( )
assumption that the values of all probabilities . ., .
, . . , .
P equal and equal to some value n .
Then the loops of the first order Lk.n, where k = 1, n = 1 - 4 will be defined as: L1.1 = m(s) ⋅ (1 − P ) ⋅ z(s) ;
n L1.2 = m(s) ⋅ d (s) ⋅ P ⋅ (1 − P ) ⋅ z(s) ; n n
2 L1.3 = m(s) ⋅ d (s) ⋅ l(s) ⋅ P ⋅ (1 − P ) ⋅ z(s) ;
n n L1.4 = y(s) ⋅ (1 − P ) .
n Accordingly, loops of the second order Lk.n, where k=2, n=1 - 3: 2 L2.1 = m(s) ⋅ (1 − P ) ⋅ z(s) ⋅ y(s) ⋅ v(s) ; n
2 L2.2 = m(s) ⋅ d (s) ⋅ P ⋅ (1 − P ) ⋅ z(s) ⋅ y(s) ⋅ v(s) ; n n
2 2 L2.3 = m(s) ⋅ d (s) ⋅ l(s) ⋅ P ⋅ (1 − P ) ⋅ z(s) ⋅ y(s) ⋅ v(s) .
n n
k k H = 1 + ∑ (−1) ⋅ Q (s) = 0 (2)
i=1 k where ( ) are the equivalent functions of loops of the kth order, we get the equivalent function of the stochastic network:
Q(s, P ) = n
1 2 v(s) ⋅ 1 + d (s) ⋅ P + d (s) ⋅ l(s) ⋅ P n n w(s) ⋅ m(s) ⋅ d(s) ⋅ l(s) ⋅ k(s) ⋅ y(s) ⋅ u(s) ⋅ n(s) ⋅ P
2 1 - m(s) ⋅ (1 - P ) ⋅ z(s) ⋅ 1 + d(s) ⋅ P + d (s) ⋅ l(s) ⋅ P − y(s) ⋅ 1 − P n n n ,
.), which is defined as the second D(t ) = − p
2 2 dds 2 Q(Qs(=s,0P, nP)n) s = 0 − − dds Q(Qs(=s,0P, nP)n) s = 0 . 0, _ if _ t < 0 α F (t) = t µ ∫ ⋅ t 0 Γ(α ) α −1
− µ ⋅ t ⋅ e dt, _ if _ t > 0
distribution function of the successful implementation of a DDoS attack as an incomplete gamma function with sufficient accuracy for engineering calculations [21]: where = [ ̅ ( )]2 is the shape parameter and == ( ) is the scale parameter Γ(α ) .
( ̅ ) ( )
calculation, we will take its value equal to 0.75 - 0.9.
The values of all of the probabilities are assumed to be equal to . . ., . , . Therefore, in the future we will replace them with the notation Pn and, in the of a DDoS attack at different values of the probability Pn is: at Pn=0,75
Pn=0,85 Pn= 0,9 . . . implementation of a DDoS attack when it is successfully implemented with probability Pn.
implementation of a DDoS attack by an attacker on the elements of a specialized information system is sufficiently sensitive to changes in the initial data, allows obtaining consistent results, adequately reflects the course of the computer attack and makes it possible to determine the probability-time characteristics of the attacker's cyber influence system.
implementation of a DDoS attack on IS elements is carried out through the parameters that can become available to him as a result of intelligence of the IS network, through knowledge of methods of identification and authentication of legitimate users.
implement the organizational and technical measures outlined in [21,23 - 26].
based, should provide for its division into local segments with access restrictions to them.
(VLAN) made it difficult for the attacker to explore the network he chose for the attack, increasing the probability of its negative termination 1 − . ., 1 − . , 1 − . . , 1 − and at the same time allowed:
able to ignore and drop packets coming from other subnets, regardless of the originating IP address. 2. Flexibly manage the separation of computers by virtual subnets, ensuring isolation from each other, while their topology does not depend on where the network components are physically located.
is a separate broadcast domain whose broadcast traffic will not be broadcast between different subnets, reducing the load on network equipment.
rules for each of them, which reduces the likelihood of a DDoS attack.
It is clear that it is almost impossible to get rid of the destructive influence of malicious software, but it is possible to significantly reduce its level using advanced countermeasures. As an example, the company "NVisionGroup" offers a comprehensive solution for protection against DDoS attacks based on Cisco Clean Pipes technology, which provides a quick response to DDoS attacks, is easily scalable, has high reliability and speed. Cisco Clean Pipes technology involves the use of Cisco Anomaly Detector and Cisco Guard modules, as well as various systems for statistical analysis of network traffic based on data received from routers using the
fairly effective countermeasure, which is the elimination of software vulnerabilities at all levels.
accordingly, a decrease in the probability of successful completion of . .. This approach is especially effective when used in conjunction with network monitoring.