Overview of Distributed Denial of Service (DDoS)
Wei Zhou
Outline of the presentation
● DDoS definition and its attacking architectures
● DDoS classification
● Defense mechanism classification
– Reactive vs. Proactive
– Classification by defending front-line
● SOS – a case study
What is it?
– Two major attacking architectures
● Direct attack
● Reflector attack
– Characteristics
● Multiple attackers vs. a single victim
● To cause denial of service to the victim's legitimate users
– No ready-to-go definition available
Attacking Architecture – Direct Attack
[Diagram: hacker's attacking network – masters (handlers) control zombies, which send attack traffic directly to the victim]
Attacking Architecture – Reflector Attack
[Diagram: hacker's DDoS attacking network sends TCP SYN, ICMP, UDP... packets with the victim's address as the source IP address to reflectors, whose replies go to the victim]
Classification of DDoS Attacks
● Classification by exploited vulnerability
– Protocol attacks
● TCP SYN attacks
● CGI request attacks
● Authentication server attacks
● ...
– Flooding-based attacks
● Filterable
● Non-filterable
Defense Mechanisms
● Classification by activity level
– Reactive mechanisms
● Easy to deploy
● Hard to tell good guys from bad guys
● Inflexible in adapting to new attacks
– Proactive mechanisms
● Motivations to deploy
● Accuracy in differentiating packets
Defense Mechanisms (cont.)
● Classification by defending front-line
– Victim network
– Intermediate network
– Source network
At the victim side
● IDS plus Firewall
– Detect bogus packets based on well-known attack signatures
– Flexibility
● Puzzle solving by clients
– Client must solve a puzzle (small scripts, cookies etc.) in order to access server's resources
– Efficiency
● Duplicate server resources
– Distribute server resources into more places
– Synchronization, costs etc.
The victim network can do nothing if its link(s) to the ISP are jammed
In the intermediate network
● IP traceback
– Can be used to collect forensic evidence
– (Need further exploration on this topic)
● Push-back mechanism
● Route-based packet filtering
● Overlay network
Push-back – the idea
[Diagram: routers R0–R7; a heavy traffic flow converges on the victim while push-back messages travel upstream against it]
● Reactive mechanism
● Accuracy of telling 'poor' packets from bad packets
Route-based packet filtering – the idea
[Diagram: routers R0–R9; the routes from node 2 are marked, and an attack from node 7 using node 2 addresses arrives over links that node 2's routes never use]
● Proactive mechanism
● Overheads
● Need to change routers
At the source side
● Ingress/egress filtering
– Ingress filtering
● To prevent packets with faked source IP addresses from entering the network
– Egress filtering
● To prevent packets with faked source IP addresses from leaving the network
[Diagram: hosts 10.0.0.1 and 10.0.0.2 inside the network, 9.0.0.0/8 outside; egress filtering applied to traffic leaving, ingress filtering applied to traffic entering]
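As an added illustration that is not part of the slides, the two source-side checks in Python: an RFC 2827 style ingress/egress check against the internal prefix, and a route-based filter built from shortest-path routes over a constructed topology that reuses the slide's R0..R9 labels and its case of node 7 sending packets with node 2's address. The prefix, the links and the function names are assumptions.

```python
import ipaddress
from collections import deque

# Ingress/egress filtering (RFC 2827 style): the border router knows which
# prefix legitimately lives inside its network (constructed value).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

def border_filter(direction, src_ip):
    """True if the packet may cross the border. 'out' = egress: a leaving
    packet must carry an internal source; 'in' = ingress: an arriving
    packet must NOT claim an internal source (it would be spoofed)."""
    inside = ipaddress.ip_address(src_ip) in INTERNAL
    return inside if direction == "out" else not inside

# Route-based packet filtering: each router records, per neighbour, the set
# of source nodes whose route to it arrives over that link. Constructed
# topology using the slide's R0..R9 labels; the links are assumed.
LINKS = {0: [1, 2, 3], 1: [0, 4], 2: [0, 5], 3: [0, 6, 7], 4: [1],
         5: [2, 8], 6: [3], 7: [3, 9], 8: [5], 9: [7]}

def shortest_paths(src):
    """BFS from src: returns {node: neighbour the packet arrives from}."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        for nxt in LINKS[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return prev

def build_filter_tables():
    """tables[router][neighbour] = sources that legitimately arrive over that link (assumes symmetric shortest-path routing)."""
    tables = {r: {n: set() for n in LINKS[r]} for r in LINKS}
    for src in LINKS:
        for node, hop in shortest_paths(src).items():
            if hop is not None:
                tables[node][hop].add(src)
    return tables

TABLES = build_filter_tables()

def route_filter(router, arrived_from, claimed_src):
    """True if a packet claiming claimed_src may reach router via arrived_from."""
    return claimed_src in TABLES[router][arrived_from]

if __name__ == "__main__":
    print(border_filter("out", "9.0.0.5"))   # False: spoofed source leaving
    print(route_filter(0, 2, 2))             # True: node 2 traffic via R2
    print(route_filter(0, 3, 2))             # False: node 7 spoofing node 2
```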
At the source side (cont.)
● D-WARD (DDoS netWork Attack Recognition and Defense)
– Balance of inbound and outbound traffic
D-WARD (cont.)
● Motivation of deployment
● Asymmetric problems
[Diagram: D-WARD monitoring the source network]
SOS – Secure Overlay Services
● To protect a dedicated server from DDoS attacks
● Use high-performance filters to drop all the packets not from secret servlets
● Path redundancy in the overlay network is used to hide the identities of the secret servlets
● Legitimate users enter the overlay network at a SOAP (secure overlay access point)
SOS (cont.)
[Diagram: SOAP(s) → overlay network (big time delay) → secret servlet(s) → filter → server]
References
● R. K. C. Chang, "Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial"
● P. Ferguson and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", RFC 2827
● J. Ioannidis and S. M. Bellovin, "Implementing Pushback: Router-Based Defense Against DDoS Attacks"
● A. D. Keromytis, V. Misra and D. Rubenstein, "SOS: Secure Overlay Services"
● R. Mahajan, S. M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson and S. Shenker, "Controlling High Bandwidth Aggregates in the Network"
● J. Mirkovic, J. Martin and P. Reiher, "A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms"
● J. Mirkovic, G. Prier and P. Reiher, "Attacking DDoS at the Source"
● K. Park and H. Lee, "A Proactive Approach to Distributed DoS Attack Prevention using Route-Based Packet Filtering"
Thank you!