Distributed Denial of Service (DDoS) attacks compromise the availability of information systems today. Microsoft's widely deployed Windows Server 2003 and 2008 provide some built-in protection against common DDoS attacks such as the TCP/SYN flood. In this paper, we evaluate the performance of the built-in protection of Windows Server 2003 and 2008 against a TCP/SYN-based DDoS attack. Our measurements show that the security features enabled by default on these servers were not sufficient to defend against TCP/SYN attacks, even at low attack-traffic rates. Under TCP/SYN attack traffic, the 2003 server crashed because of processor exhaustion, whereas the 2008 server crashed because of memory depletion, in both cases at low-intensity attack traffic.
Cyber warfare is making headlines frequently worldwide. Distributed Denial of Service (DDoS) is one of the common tools of today's cyber warfare and is used to disrupt legitimate online transactions. Recent targets of such coordinated attacks include Twitter, Facebook, YouTube, the Sony PlayStation Network and MasterCard, to name a few, whose websites were brought down by DDoS attacks and, in some cases, whose customers' confidential information was compromised. According to research reports and surveys conducted by Arbor Networks [
This paper is organized as follows: Section II presents a brief background on DDoS attacks, in particular the TCP/SYN attack. Section III describes the experimental setup and the default configuration of the servers under test. Section IV presents results and discussion, and Section V concludes.
DDoS attacks are increasing in both frequency and intensity. The largest reported attack was 100 Gbps in 2010; in 2013 the largest was reported to be over 300 Gbps [
A TCP/SYN flood is one of the common mechanisms attackers use to launch DDoS attacks. The attacker remotely directs a botnet to send a flood of TCP SYN packets, usually with forged source IP addresses, towards a victim server. The victim treats each SYN as a normal connection request, creates a half-open connection, and replies with a SYN-ACK for every SYN received. It then waits for the final ACK from the sender. Since the source addresses are forged, that ACK never arrives. The half-open connections saturate the server's pool of pending-connection slots, limiting the number of legitimate connections that can be established.
For every SYN received, the victim allocates a Transmission Control Block (TCB) before the connection is completed by the three-way handshake. A continuous flood of SYNs leads to ever-increasing TCB allocation and so exhausts the victim's resources [
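The mechanism above can be made concrete with a small model. The following Python is an added example, not code or data from the paper: it models a listener's half-open table with a fixed TCB budget, spoofed SYNs that hold a slot until the server gives up retransmitting the SYN-ACK, and legitimate SYNs that complete within a tick. A SynAttackProtect-like policy is modelled only as the text describes it, a shorter hold once a half-open threshold is crossed. All capacities, rates and timeouts are assumed illustrative values, not measurements of any Windows version, and processor cost is not modelled at all.

```python
"""Toy model of a listener's half-open (SYN_RECEIVED) table under a SYN flood.

Added illustration, not code or data from the paper.  It models only the
TCB-exhaustion mechanism described in the text, not processor load, and every
rate, capacity and timeout below is an assumed, illustrative value rather than a
measurement of any Windows version.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Listener:
    tcb_capacity: int                        # half-open entries the listener can hold
    hold_seconds: int                        # how long an unanswered SYN-ACK keeps its entry
    protect_threshold: Optional[int] = None  # None: no protection; else a TcpMaxHalfOpen-like trigger
    protected_hold_seconds: int = 3          # shorter hold once SYN-ACK retransmissions are cut back
    half_open: List[int] = field(default_factory=list)  # expiry tick of each spoofed entry

    def tick(self, now: int, spoofed: int, legit: int) -> int:
        """Advance one second; return how many legitimate SYNs got a slot this tick."""
        # entries whose SYN-ACK retransmissions have run out are released
        self.half_open = [t for t in self.half_open if t > now]
        protected = (self.protect_threshold is not None
                     and len(self.half_open) >= self.protect_threshold)
        hold = self.protected_hold_seconds if protected else self.hold_seconds
        # spoofed SYNs arrive first (pessimistic ordering); each occupies a slot
        # until the server stops retransmitting the SYN-ACK, because the forged
        # source never sends the final ACK
        room = self.tcb_capacity - len(self.half_open)
        taken = min(room, spoofed)
        self.half_open.extend([now + hold] * taken)
        # legitimate SYNs need a free slot on arrival; they finish the handshake
        # within the tick and release it, so they only compete for the leftover room
        room = self.tcb_capacity - len(self.half_open)
        return min(room, legit)


def legit_success_ratio(listener: Listener, seconds: int,
                        spoofed_per_s: int, legit_per_s: int) -> float:
    """Fraction of legitimate connection attempts that found a free half-open slot."""
    accepted = sum(listener.tick(now, spoofed_per_s, legit_per_s)
                   for now in range(seconds))
    return accepted / (seconds * legit_per_s)


if __name__ == "__main__":
    # assumed values: 1000 slots, SYN-ACK retried for 21 s, 50 legitimate SYNs/s
    unprotected = Listener(tcb_capacity=1000, hold_seconds=21)
    protected = Listener(tcb_capacity=1000, hold_seconds=21, protect_threshold=100)
    overloaded = Listener(tcb_capacity=1000, hold_seconds=21, protect_threshold=100)
    print("no protection, 200 spoofed/s:", legit_success_ratio(unprotected, 60, 200, 50))
    print("protection,    200 spoofed/s:", legit_success_ratio(protected, 60, 200, 50))
    print("protection,    400 spoofed/s:", legit_success_ratio(overloaded, 60, 400, 50))
```

With these assumed values the unprotected listener fills its 1000 slots within a few seconds and then admits almost no legitimate clients, the protected listener keeps up at 200 spoofed SYNs/s because entries expire faster than they arrive, and the same protection fails again at 400 spoofed SYNs/s because even the shortened hold keeps more entries alive than the table can hold. Shortening the hold only raises the flood rate the host can absorb; it does not remove the ceiling.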
For Windows Server 2003 with Service Pack 2, the operating system provides a built-in security feature called SynAttackProtect, which is enabled by default on Windows Server 2003 once a service pack is installed. When active, it reduces the number of SYN-ACK retransmissions and defers allocating the full TCB, and the memory it consumes, for an incoming SYN until the three-way handshake has completed. The mechanism is triggered when the TcpMaxHalfOpen or TcpMaxHalfOpenRetried thresholds are exceeded [
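The thresholds above are the server's own trigger; the same count can be taken from the operator's side. The following Python is an added example, not code from the paper: it parses `netstat -an` output in the Windows layout, counts SYN_RECEIVED entries per listener, and flags listeners at or above an assumed threshold together with the number of distinct source /24 networks behind those entries (many sources with one or two entries each points to forged addresses rather than one misbehaving client). The sample output is constructed, not captured from the paper's testbed.

```python
"""Spot a SYN flood from `netstat -an` output by counting half-open connections.

Added example, not from the paper: it applies the idea behind a
TcpMaxHalfOpen-style threshold as an operator-side check over connection-table
output.  The sample below is constructed, not captured from the paper's testbed,
and the alert threshold is an assumption.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the layout of Windows `netstat -an` output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          203.0.113.7:51234      SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.23:40001    SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.24:40002    SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.9:51240      SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.77:51299     ESTABLISHED
  TCP    192.0.2.10:443         198.51.100.25:40003    SYN_RECEIVED
  TCP    192.0.2.10:3389        203.0.113.12:1050      ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
"""

# Proto, local ip:port, foreign ip:port, state (IPv6 literals are bracketed).
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_tcp_rows(netstat_text):
    """Yield (local, remote_ip, state) for each TCP row; header and blank lines are skipped."""
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            local = f"{m.group(1)}:{m.group(2)}"
            yield local, m.group(3).strip("[]"), m.group(5)


def half_open_per_listener(netstat_text):
    """Count SYN_RECEIVED rows per local ip:port, i.e. per listener being flooded."""
    counts = Counter()
    for local, _remote, state in parse_tcp_rows(netstat_text):
        if state == "SYN_RECEIVED":
            counts[local] += 1
    return counts


def syn_flood_alerts(netstat_text, half_open_threshold):
    """Return {listener: (half_open, distinct source networks)} for listeners at/above threshold.

    Sources are grouped by /24 (IPv4) or /64 (IPv6) so that a flood spread over
    many networks stands out from a single noisy client.
    """
    sources = defaultdict(set)
    for local, remote, state in parse_tcp_rows(netstat_text):
        if state == "SYN_RECEIVED":
            prefix = 24 if ip_address(remote).version == 4 else 64
            sources[local].add(str(ip_network(f"{remote}/{prefix}", strict=False)))
    counts = half_open_per_listener(netstat_text)
    return {local: (n, len(sources[local]))
            for local, n in counts.items() if n >= half_open_threshold}


if __name__ == "__main__":
    # assumed threshold: alert once a listener holds 3 or more half-open entries
    for listener, (n, nets) in syn_flood_alerts(SAMPLE_NETSTAT, 3).items():
        print(f"{listener}: {n} half-open from {nets} distinct source networks")
```

On a real host the text would come from `netstat -an` run on a schedule; a threshold tuned to the listener's normal half-open count, rather than the tiny value used here, avoids alerting on a busy but healthy web server.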
In our experiments, we launched a TCP/SYN-based DDoS attack to observe the built-in ability of Windows Server 2003 (SP2) and Windows Server 2008 (SP1, the first service-pack release of Server 2008) to defend themselves against TCP/SYN-based network attacks. No external security systems were deployed, so that the servers' own attack-prevention capability could be measured. The two platforms were Microsoft Windows Server 2003 with Service Pack 2 (Enterprise x64 Edition) and Microsoft Windows Server 2008 with Service Pack 1 (Enterprise x64 Edition), each running on an Intel Xeon E5345 CPU at 2.33 GHz with 8 GB of RAM. Both servers were configured as HTTP servers.
First, legitimate HTTP traffic from different clients was sent to the target server. The web server on Windows Server 2003 (SP2) sustained a maximum of 20,000 connections per second in the absence of any attack traffic. This formed the baseline for the number of connections supported by Windows Server 2003.
To measure the impact of the TCP/SYN attack on Windows Server 2003, attack traffic was sent to the server at rates from 0 Mbps (baseline) to 10 Mbps. The impact was measured in terms of processor utilization and the number of legitimate connections that could be supported in the presence of the attack traffic. Processor utilization reached 100% at 6 Mbps of attack traffic, a small fraction of the server's 1 Gbps interface speed. Unlike the processor, memory was not exhausted: memory consumption was 197 MB under 6 Mbps of attack traffic (
To evaluate the impact of the TCP/SYN attack on the number of legitimate connections, legitimate HTTP traffic was first sent to Windows Server 2003 to maintain 20,000 connections per second; TCP/SYN attack traffic of increasing load was then directed at the server. From
As a baseline, we first determined the maximum number of connections that Windows Server 2008 SP1 could provide to legitimate users in the absence of TCP/SYN attack traffic. By sending HTTP traffic from different legitimate users to the server, we found that Windows Server 2008 (SP1) could establish 25,000 connections per second without attack traffic.
To determine the impact of the attack, different loads of TCP/SYN traffic were sent to Windows Server 2008. Although the number of connections supported by Windows Server 2008 was higher than for Windows Server 2003, it continued to drop as the TCP/SYN load increased. The rate dropped to roughly half of the baseline, 12,000 connections/sec, when the TCP/SYN attack load reached 3 Mbps (
At 5 Mbps of TCP/SYN attack traffic, the rate fell to 6,000 connections/sec. When the load was further increased to 6 Mbps, the server crashed, leaving zero connections for legitimate users.
To understand the cause of the crash, a higher load of 10 Mbps of TCP/SYN attack traffic was sent again to Windows Server 2008 SP1. The server crashed because of rapid depletion of memory, while the processor was not fully consumed.
A comparison of the two Windows servers under TCP/SYN attack traffic is shown in
TCP/SYN Attack Load | Windows 2003: max legitimate TCP connections/sec | Windows 2008: max legitimate TCP connections/sec
---|---|---
No attack (baseline) | 20,000 | 25,000
1 Mbps | 8,000 | 18,000
2 Mbps | 7,500 | 12,000
3 Mbps | 6,500 | 10,000
4 Mbps | 3,500 | 8,000
5 Mbps | 1,500 | 6,000
6 Mbps | 0 | 0
In this paper, we evaluated the availability of Windows Server 2003 (SP2) and Windows Server 2008 (SP1) under TCP/SYN-based DDoS attacks. Windows Server 2008 supported more connections/sec than Windows Server 2003 in the absence of attacks, but both servers rapidly lost legitimate connections as the TCP/SYN attack traffic increased in intensity. Windows Server 2003 (SP2) crashed because of complete processor exhaustion at a relatively low TCP/SYN flood of around 6 Mbps. Windows Server 2008 (SP1) also crashed at 6 Mbps of TCP/SYN attack traffic, but because of memory depletion rather than processor exhaustion, again leaving zero legitimate connections for users. The experimental evaluation presented in this paper shows that the built-in security capability of Windows servers is not sufficient to withstand TCP/SYN-based DDoS attacks on its own. Server-farm operators should not rely solely on the host-based, built-in protection provided by Microsoft's Windows servers. Additional security systems, such as intrusion prevention systems, must be deployed at the network perimeter to protect against DDoS attacks.