An Analysis of DDoS Attacks on the Instant Messengers

. Latest technologies of voice over IP (VoIP) and mobile messaging for smartphones messengers such as WhatsApp, Viber, Skype, etc., offer free-of-charge facilities of worldwide SMS, MMS, and voice calls to their users, unlike the traditional and expensive cellular or telephone networks’ services. Customers of the formerly mentioned messengers are estimated in millions because of the attractive features offered by them. However, these messengers face many cyber security threats and the required security features are either not available at all or are insufficient for efficiently countering the threats. Professionals working in the domain of cyber security are challenged by the devastating effects of distributed denial of service (DDoS) attacks on all major platforms including Apple Macintosh, Windows, Unix, and Linux. In this paper, we demonstrate the effect of DDoS attack on the performance of an IRC server using a test bed. We use a game theoretic model to analyze the feasibility of DDoS attacks on the IRC platform, keeping in view the attacker’s objective. The analysis will help the security experts to propose appropriate countermeasures to reduce the attackers’ utility, thereby making it less attractive for those attackers to launch the attack.


Introduction
Smartphones have various types of connectivity options such as WiFi, Bluetooth, LTE, and ubiquitous computing features, which make them an important part of our daily lives.People are using smartphones for social networking, online banking and shopping, web browsing, tracking locations such as hotels, restaurants, and hospitals, and mail checking, besides the conventional uses including phone calls and messaging services [1].ey have also become the target of hackers and crackers for carrying out malicious activities.
ey have become an ideal hub for malware, grayware, and spyware developers who can easily exploit the vulnerabilities and insecure communication channels.When a security service is proposed to counter a particular type of breach, in short period of time, a new attacking mechanism is invented by malicious user(s).
One of the important services used in the smart phones is instant messaging (IM) applications that follow customized versions of the Internet Relay Chat (IRC) protocol [2].e IRC is a client-server, multiuser, and multichannel chatting application that facilitates users to communicate with their peers in real time on the Internet worldwide.A user runs an IRC client that is connected to a server on the IRC network.Servers then forward the messages to other relay servers on the same network.However, there are many vulnerabilities in the IRC protocol, such as weak authentication, channel privacy, and others, that would ultimately pave the path to denial of service (DoS) or distributed denial of service (DDoS) attacks.e primary objective of DoS and DDoS attacks is to compromise the availability service of a system, thereby weakening the system to an extent that shall deny the legitimate requests.Till date, the most usual DoS attack strategies reported can be categorized into two classes: logic and ooding attacks.
e logic attacks use the existing known vulnerabilities as tool to crash the remote servers or at least disrupt their performance till they are not usable by the legitimate users.e ooding-based DoS attack bombards a large volume of data or control packets (sometimes intended for computationally intensive tasks) on a destination, which would result in exhausted resources, such as bandwidth, memory, and CPU, at the destination.e latter attack type is considered to be more dangerous because typically there is no trivial way to differentiate between bad packets from the good ones.Early DoS attacks were not that sophisticated, i.e., they used a single node to generate the flooding traffic and sent towards the destination server.However, over time, the attack evolved from single source to multiple sources of attacks, which is called DDoS attack.In DDoS, an attacker compromises and controls innocent nodes, called bots, to be part of the attack.e attacker then launches a large-scale attack on a target server using network of bots, called botnets.Ironically, usually in DDoS attack, the actual attacker is hard to be detected.Considering the variety in DDoS attacks and their diverse classification, a single security mechanism cannot be a panacea for DDoS attacks in all scenarios [1,3,4].
e IRC platform has recently been used as a commandand-control for the large-scale DDoS attacks [2,5,6] due to its weak security.In this paper, we demonstrate practically the effect of the attack in terms of bandwidth using a testbed.We also develop a game theoretic model for analyzing the feasibility of DDoS attacks on the IRC platform, keeping in view the attacker's objective.
is will help the security experts to propose appropriate mechanisms to reduce the attackers' utility, thereby making it less attractive for those attackers to launch the attack.
e rest of the paper is structured as follows: Section 2 presents DDoS attacks on mobile devices (Android, Symbian, Palm, and iPhone) on smartphone platforms.Section 3 presents the basics of IRC messaging system and its vulnerabilities.In Section 4, we present our game theoretic model to analyze and evaluate the effect of DDoS attack on IRC.Section 5 presents the testbed and experimentation of launching the DDoS attack.
e paper is concluded in Section 6 while highlighting the future work.

Background and Literature Review
Technologies such as GSM (Global System for Mobile Communications), GPRS (General Packet Radio Services), EDGE (Enhanced Data rates for GSM Evolution), UMTS (Universal Mobile Telecommunication System), and Bluetooth make smartphones a tool of connectivity and a door for malwares, graywares, and spywares to infiltrate and carry out malicious activities.GSM is technology of second generation (2G) that enabled the communication between the smartphones and base stations via switching subsystem.
e GSM substituted first generation (1G) analog-based services by a digital, full-duplex, and circuit switched network for voice telephony.GPRS is 2.5 generation technology developed to enhance the data rates and reduce the connection access time of the 2G, implementing the packet switching mechanism and introducing WAP (Wireless Access Protocol) and MMS (Multimedia Messaging Services).EDGE was an effort towards improving the GPRS features with enhancement in its data rates and service reliability.UMTS introduced in 2002 achieved the data rate limit of up to 2 Mbps.Both packet and circuit switching connections were supported at the same time.Multiple services could be accessed simultaneously by the user such as streaming, and conversation with interactive backgrounds.Bluetooth, developed in 1999 based on radio transmission short wavelength standard, is widely used for data communication and personal area networks.It can support short range of communication up to 100 meters with minimal cost and consumption [1].Before going ahead, here we are going to elaborate potential threats for smart phones.Based on the legality, delivery methods, and user authentication, mobile threats can be classified into three main and defense mechanisms [7].

Malwares.
e focus of malware is usually to frustrate or block the legitimate user from the services they have been authorized to or steal their private data, thereby exploiting the device or platform vulnerabilities.Malware includes virus, worm, trojan horse, root kits, and botnets.Virus is a self-replicating piece of code whereas worm is a self-copying program; trojan horse is a friendly-looking software that is appearing to provide services but a malicious program; root kits install trojans after which then may disable firewalls and antiviruses; and botnets are group of virus-infected devices used for organized crime [1,7,8].

Spyware.
To trace the location of the node and retrieve its history for a specific span of time are the main objectives of the spyware.Spywares may be legitimate and illegitimate based on the intention of its use.For example, considering the scenario of someone installing a spyware on their child's or spouse's smartphone.In this scenario, the spyware will not deceive the attacker.However, if the spyware is installed without the user's consent and it successfully gains access to the device and it sends confidential information to the intruder rather than the real author, then it is illegitimate [7].

Grayware.
Collecting user information for the purpose of profiling and then sending marketing information back to the user are the main intentions of grayware.However, the objectives of grayware distributor corporations are not to harm users; rather, they provide some sort of functionality and importance to the host user.Users can complain and block the services of a grayware if the data collection process of a grayware is questionable.e illegal use of grayware is punished by fines rather than any personal statements in many developed countries unlike malwares and spywares.
at is why grayware is sometimes called at the boundary of legality and illegality.Depending on the privacy policy sanctioned and the user jurisdiction of complaints, grayware companies have to disclose their compilation practices in their terms and conditions [7].

DDoS Attacks on Smart
Phones.Here, we discuss DDoS/ botnet attacks on different cell phone or mobile platforms.

2
Security and Communication Networks

iKee.A.
Using the Internet as a source, after scrutinizing the vulnerable IP addresses of phones that have enabled the SSH, the intruder can effectively upload a simple application that makes the phone as part of a botnet that can easily effect other phones via self-propagation [9].

iKee.B.
As like its predecessor, iKee.B authorizes the boot master to command and control (C&C) the shell of all affected phones; this can pass on the C&C of the affected devices to any new location on the Internet.Moreover, it can also extract all the messages from the phone database [9].

2.4.3.
Yxes.Sketch the insight of Yxes being the pioneer malware for Symbian operating system 9 targeting to achieve IMEI and IMSI of cell phones, terminating the superfluous applications.However, for its propagation, it uses phishing techniques by sending an SMS to incoming victim phones possessing a link for downloading malwares from the malicious server [10].

Trojan-SMS.AndroidOS.FakePlayer.b.
As it is Trojan in nature, after installation by user permission through manual steps, it sends messages via SMS without the user/ owner permission, will, and demand.At the end, the result becomes denying the normal service of messaging when required by the owner [1].

ZeuS MitMo.
Exploiting the social engineering techniques, the malware first of all sends an SMS containing the link to download and install the software, which can sabotage all the online banking transactions from the cell phone.After this, not only the initial username and password are stolen successfully, but also the malware will become capable of recertifying the message and authenticating the process from the central server of online banking system.So, the malware can now be able to deny the legitimate users from its own operation or services [11].

Sound Miner.
Trojan in nature is capable of extracting confidential data from audio sensors installed in Android devices.Sound miner can sniff important information such as credit card number or personal identification number (PIN) on the basis of both speech and voice communication between the users and the phone system, reporting these data to a central malicious party located remotely somewhere else.During installation, it requests for granting access to the microphone of the cell phone.Now, the microphone will obey the malware commands rather than the owner, thereby denying him from regular sound services [12].
2.4.7.Crafted Shell Code.In many Linux-based cell phones, root privileges can be accessed to activate ptrace() to inject code to other processes giving wrong messages such as buffer overflow, denying the usual processes and activities of the running application of its legitimate users [13].

Battery Exhaustion Attack. Approximately 22 times
faster than the normal battery utility, this attack consumes battery lifetime and badly affects the routine services.Automatically downloads MMS messages exploiting the Internet connection and insecure MMS protocol.In the same way, it also sends UDP packets to its partner zombies and the hit list of the target devices, denying the services of routine users [14].
2.4.9.Curse of Silence Attack. is works by crafting the Symbian S60 phones silent by barring the smart phones to receive SMS messages and reporting to the user that memory is incapable to receive more messages or delete messages to vacate space for incoming messages [15].

DDoS Attacks on UMTS.
In this section, we discuss the vulnerabilities of UMTS due to which possible DoS attack can be launched [16][17][18][19].

Authentication Modification.
If the radio network controller (RNC) is continuously getting tampered with messages from the intruders, ultimately the connection between the subscriber and the user is terminated, denying the services for the right user.

Dropping the Acknowledgement Signals.
A malevolent node observing the Temporary Mobile Subscriber Identity (TMSI) after which trying to drop all the forthcoming messages to compel the system for creating new TMSIs ultimately will result in DoS for all the incoming subscribers.

Replacing the Vulnerable Radio Resource Control (RRC)
Messages.An intruder swapping the acceptance of an association sets up an absolute RRC message with a decline RRC message affecting the service quality and for the subscriber creating a DoS.

Demand for
Synchronization.An intruder impersonates for repeated and simultaneous requests to resynchronize the data flow for multiple users; it will exaggerate the Home Resource Register and create the DoS for all subscribers.

DoS Attacks on VOIP and SIP
2.6.1.Deregistration Attack.Highlighting the deregistration attack in SIP by [20], the intruder enforces the legitimate caller either to divert his call to a third party (probably the attacker party) or to re-register again and again with the SIP server/proxy denying the regular services.
e attack is powerful enough that it can even bypass authentication procedure.

DoS
Attack with Unidentified URLs.Zhang et al. [21] illustrate DoS attack with unnamed and unidentified URLs (uniform resource locator) whose DNS (Domain Name Security and Communication Networks System) in reality does not exist.ey make the server busy in nonsignificant activities and push the legal requests to wait, and especially the attack is effective in synchronous DNS resolution.It is verified experimentally by Zhang et al. that even a well-established synchronous-resolution server can drop calls exceedingly by as few as 1000 messages per second else a single threaded server can even be made shut down and drop calls by one message per second.
2.6.3.Semantic Level Attack.Conner and Nahrstedt [22] explain an attack in which the user itself automatically calls nonresponding callers in his/her contact list impersonating itself as a legitimate owner, ultimately draining the resources and denying the services from valuable users.

Billing Inconsistencies Attack.
Envisage the SIP vulnerability of recording bills in various modes in contrast to VOIP. e impostors primarily attack and focus on to create inconsistencies in billing system, which can either increase the tariff grand amount or to decrease the real consumption payment.Few of these are managed by the man-in-the-middle attack, while some require prior interaction with the victim [23].

IRC Messenger
A swift boost in online communication in the recent decades is due to the various social media-based applications and messengers whereby users can share audio, video, and images with each other very easily, almost free of charge, around the world.Although the connection is round the clock with known and unknown users but their privacy is at high risk, and both sender and receivers are vulnerable to security threats [24].eir security models with respect to their authentication schemes are studied.All of them use their personal cell number or SIM (subscriber identification module) for authentication purposes only, and they are using Internet infrastructure rather than cell phone telecommunication networks for intercommunication and intracommunication.Cell number is entered during the installation phase of the messenger although Android can detect cell number from the phone automatically, while Apple for security reasons makes it manual mandatory.Even devices such as tablets, which are without phone module in architecture, can be activated by exploiting phone numbers of other device through WiFi [24].

Why IRC Messengers?
Few of the vulnerability features of IRC messenger are send and receive text, videos, audio, images, group chats, and sharing cards and contact information.e latest smart phone messengers are the best option for DDoS attack because of its cross-platform (Android, BlackBerry, Symbian, and iPhone) compatibility.Nolog-out facility is always available, and once logged in, the user is always connected and online.

Modifying Status Messages.
IRC messengers suffer from a vulnerability in which every user can set and reset status that is shared with all users in his/her address book.
is sort of facility can create various possible threats.An attacker can change user's status according to his/her own wish although the attacker is unauthorized to do so by sending just an HTTPs request to server containing the user cell number.An attacker can save a number in address book even without a confirmation.Attacker can access all subscribers' status messages for modification.

IRC Messenger Vulnerabilities.
Various security issues such as account hijacking, senders ID spoofing, SMS flooding, enumeration, etc. are open for malicious users to launch DDoS attacks [25][26][27] presented in Table 1.

Account Hijacking.
During installation of all smartphone messengers, cell/SIM number of the device is used for account establishment.None of the messenger is allowed to enter it automatically.A confirmation message with a PIN code is sent on that specified cell number.User enters that PIN code in the application interface during the installation process for verification purposes.Multiple opportunities are created for hackers that can hijack the account, such as: first, impersonation by hackers to misuse someone cell number.Second, Android can detect the cell number automatically.

ID Spoofing.
Communication between IRC messengers' user identities can be spoofed easily as the users cannot be logout; so, the malicious users can misuse the IRC ID of the real users to send spoof messages.Mistrust among the users can be created, which is very harmful in business context.In such a scenario, eavesdropping is also inevitable.

SMS Flooding.
Sometimes, the messengers generate unwanted messages to their subscribers through their cell phone numbers.In this scenario, the malicious users can generate messages of its own type and can broadcast to the users like business promotion messages without confusing its real identity.Hence, scenarios such as SMS flooding can be occurring.Similarly, replay attacks can be launched by the malicious users that can copy the original messenger message and text it again and again to the IRC users and generate DDoS attack by SMS flooding.
3.6.Enumeration.IRC messenger exchanges the user's contacts with its main server by uploading its own contact list to the server in return to serve and provide the list of all users using IRC messenger along with their details/biodata given, which can be added to the friend of the users contact list automatically.e attacker can get multiple benefits such as information about users: device platform/operating system, cell phone number, geographic location, ethnic origin if given, and picture for confirmation.All these biodata can lead the attacker to launch DDoS attack easily exploiting the vulnerability of any information provided during the enumeration process.

4
Security and Communication Networks 3.7.Message Modification.May be a design error or an opportunity/vulnerability for the attacker, PIN code message of IRC messenger can be modified, simply by sending an HTTPs verification request to the server.is vulnerability is exploited by the hackers for launching spam attack.
In our study of the IRC server (RFC [27]) and literature review, we found multiple vulnerabilities among which the shortlisted vulnerability that we used as an evaluation parameter for our proposed DDoS attack is the message sequence format.

Analysis of the DDoS Attack
In this section, we model using game theory (GT) [28] the attacker's feasibility of launching a DDoS attack on the IM server.In the GT context, this is called the attacker's utility.After analyzing the attacker's benefit or utility gained from an attack, the security experts can thwart them by employing strategies to prevent these attacks to happen, thereby reducing the benefits of the attack, so that the attack will become not a lucrative option for the attackers.

Attacker's Utility.
In the GT, a scenario is modelled as a game of n rational players.After each outcome of a game, the players expect a utility and through the game, the players try to devise strategies that give them the highest possible expected payoffs or utilities.Since players are rational, they will take actions after carrying out complete cost-benefit analysis.In this GT modelling, we will not model any specific game, such as zero-sum or prisoners' dilemma, but will follow basic GT to analyze attackers' utilities [29].
Let E represent a set of entities or nodes participating in a particular IM system, maintaining a set of identities I. Let S e be the set of action profile that an entity e ∈ E can carry out, called strategies.An entity must decide on a unique strategy selected from his knowledge base in order to achieve certain goal.An example strategy for an attacker would be to launch an attack and compromise nodes for some benefits based on whatever resources available, such as malwares and stolen information.However, strategy for benign nodes would be to defend against the malicious attacks using the available resources, such as antivirus, intrusion detection systems, and other methods of information protection.Since there are multiple entities participating in IM system, there is a set of outcomes for n � |E| entities O � S e 1 × S e 2 × S e 3 × . . .× S e n . ( e combination of the strategies of participating entities completely defines an outcome.An outcome o ∈ O is a selection of one strategy from each of these n sets, that is, o is tuple (s e 1 , s e 2 , . . ., s e n ) representing the strategy taken by all entities.
Each entity's preferences are denoted by exploiting a utility function that maps outcomes to a utility score.e utility of an outcome o to an entity e is the sum of a benefit utility B e (o) and a cost utility C e (o) determined by payments made by e in outcome o: (2)

Attacker's Objective.
Let us assume that an attacker m is trying to launch a DDoS attack and let ρ q ∈ S m represent the strategy of compromising q nodes-and doing whatever else is necessary in order to reach this objective.
Let A be the objective (such as launching a successful DDoS on the IM server) that an attacker is trying to achieve.We define an objective success count operator Φ(o), which gives the number of successes by m in the outcome o.For example, one set of objectives is to compromise as many nodes as possible in order to create a botnet.If the number of nodes being compromised increases, so is the value of Φ increased accordingly.
We assume that the attacking entity m ∈ E values attacks linearly, with the success of a single attack valued at v, so that B m (o) � vΦ(o). ( In general, an attacker's expected utility from launching a successful attack using q compromised nodes is Now, we model in order to determine the real benefit of an attacker.By real, we mean when benefits gained from an attack exceed its cost─a point we call as attacker's valuation.It is important because when the attacker's valuation of an attack surpasses the cost valuation, it is in the attacker's best interests to launch the attack.e other side of the coin is if the security experts somehow make it reverse, then there will be no benefit for the attackers to launch the attack. We denote the valuation of a DDoS attack (for instance) to be an objective a by ξ a , defined as follows: where gives the expected number of successes for an attacker with the objective a launching a DDoS attack compromising or infecting q nodes for its botnet creation.
A security expert, using this measure, may figure out how intrinsically resistant a server is to the DDoS attacks.He/she may independently evaluate and analyze the designed server and the resources installed on it and design strategies to reduce the attacker's utility, thereby making it hard for the attacker to reach such an objective.First, we show that an attacker m only benefits from an attack when their objective valuation is at least ξ a times their per-compromised machine cost.e attacker's expected utility for the attack with q compromised nodes must be nonnegative for the attack to be rational.So, an attack is rational if and only if where c is cost incurred per-compromised node.Since the attacker is rational, he/she would try to optimize (i.e. to minimize) the number of compromised nodes q because it is the related to the cost c.erefore, according to equation ( 5) and ( 6), It is evident from equation ( 7) that the valuation of an attack is directly proportional to the cost c.To counteract DDoS attacks, it is important for the security experts to devise strategies and design protocols in order to increase the cost c (which is the cost to compromise a single machine as a launching pad for the attack) for the attacker, so that the attack will become not beneficial any more: the induced cost exceeds the benefits gained.Now, it is important to analyze the number of attempts in creating a botnet of size b in a subregion S of IM network.For a successful DDoS attack, suppose that the attacker requires to compromise b nodes that is the limit where the server may not take on more connections simultaneously.e b nodes may then bombard the targeted server with high volume of traffic in order to overload it and ultimately cripple the server.e probability of attacking a random node is p � b/S.Since this is an independent event, we can define the probability of success in t attempts or less by the cumulative distribution function of geometric distribution as: A very simple case where an attacker creates a botnet of one node, equation ( 8) defines the success probability of DDoS attack, after t attempts, targeting a single instance of a server and compromising a single node for bot b out of S population.
In order to create a botnet of size r, the attacker needs to compromise r nodes.Since compromising r nodes is an independent event, the probability of compromising r nodes after k attempts should be as follows: As shown in equation ( 9), the probability of success on compromising r nodes to construct bot b grows exponentially.

DDoS Attack Testbed
In this section, we will demonstrate how the performance of IM server degrades after launching DDoS attack against it.We implement an abstract IM server where the DNS is hosted and that is targeted by DDoS attack, whereas the clients are using a JavaScript code to create bots on the server and then keep it busy forever with the help of indefinite loop embedded in the script.e wire shark tool installed on the server is observing the system status and performance before and after the attack.
To evaluate the multiple requests of home page of a domain name system, here we use JavaScript codes to create the bots and the DNS/website as a platform and wire shark tool for collection of results.RFC: rfc2813 Internet Relay Chat: Server Protocol [26].

Observation 1.
e rfc2813 Internet Relay Chat Server Protocol [26] suffers from various vulnerabilities.But, one of them is that intruder can exploit the vulnerability of the multiple requests of home page of the same domain name In Figure 1, it is observed that after flooding the server by different bots, the number of packets received and processed by the server decreases until the server is completely down.
Observation 2. Exploiting the vulnerability of the multiple requests of home page in various domains, the following observations have been detected before and after the DDoS attack.
is time we used the Android platform.As shown in Figure 2, the server goes down around 160 seconds after flooding it by launching DDoS attack.

Conclusion and Future Work
In this paper, we discussed the DDoS attacks in general and in the IRC messenger context.We presented a simple scenario of DDoS attack on a server using a real testbed just to realize the effect of the attack on the server resources.We developed a game theoretic model in order to assess the feasibility of the DDoS attack on the IRC platform and also to analyze the attacker's utility.We believe that this will help the security experts to devise appropriate countermeasures to reduce the attackers' utility, thereby making it less attractive for those attackers to launch the DDoS attack.
In our future work, we intend to identify different criteria that affect the attacker's utility and propose countermeasures that make the attack less attractive for the attackers.

Figure 1 :
Figure 1: Traffic before the attack.

Figure 2 :
Figure 2: e server operations after the attack.

Table 1 :
Attacks on IRC messenger.