Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Transcript of Overview of Distributed Denial of Service (DDoS) Wei Zhou (19 slides).

Page 1:

Overview of Distributed Denial of Service (DDoS)

Wei Zhou

Page 2:

Outline of the presentation

● DDoS definition and its attacking architectures
● DDoS classification
● Defense mechanism classification
– Reactive vs. proactive
– Classification by defending front-line
● SOS – a case study

Page 3:

What is it?

– Two major attacking architectures
● Direct attack
● Reflector attack
– Characteristics
● Multiple attackers vs. a single victim
● Goal: cause denial of service to the victim's legitimate users
– No ready-to-go definition available

Page 4:

Attacking Architecture – Direct Attack

[Figure: hacker's attacking network. The attacker controls masters (handlers), which in turn control zombies; the zombies send the attack traffic directly to the victim.]

Page 5:

Attacking Architecture – Reflector Attack

[Figure: the hacker's DDoS attacking network sends TCP SYN, ICMP, UDP, ... packets to reflectors with the victim's address as the source IP address; the reflectors' replies go to the victim.]

Page 6:

Classification of DDoS Attacks

● Classification by exploited vulnerability
– Protocol attacks
● TCP SYN attacks
● CGI request attacks
● Authentication server attacks
● ...
– Flooding-based attacks
● Filterable (packets the victim's services do not need, e.g. UDP or ICMP floods against a web server; a firewall can drop them)
● Non-filterable (packets that request legitimate services, e.g. HTTP requests to a web server or DNS queries to a name server)

Page 7:

Defense Mechanisms

● Classification by activity level
– Reactive mechanisms (act once an attack is under way)
● Easy to deploy
● Hard to tell good guys from bad guys
● Inflexible in adapting to new attacks
– Proactive mechanisms (in place before any attack)
● Motivation to deploy (the network that deploys is often not the one protected)
● Accuracy in differentiating packets

Page 8:

Defense Mechanisms (cont.)

● Classification by defending front-line
– Victim network
– Intermediate network
– Source network

Page 9:

At the victim side

● IDS plus firewall
– Detect bogus packets based on well-known attack signatures
– Issue: flexibility (signatures do not cover new attacks)
● Puzzle solving by clients
– Client must solve a puzzle (small scripts, cookies etc.) in order to access the server's resources
– Issue: efficiency (every legitimate client pays the puzzle cost, and the server must still check each answer)
● Duplicate server resources
– Distribute server resources over more places
– Issues: synchronization, costs etc.

The victim network can do nothing if its link(s) to the ISP are jammed.
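The client-puzzle bullet above, as an added example that is not from the slides or any of the cited papers: a hash-reversal puzzle in which the server hands out a nonce and a difficulty k, the client must find a value whose SHA-256 together with the nonce has k leading zero bits, and the server checks the answer with one HMAC and one hash. The names (PuzzleServer, issue, verify, solve), the nonce layout and the server key are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

# Added example (not the slides' or any paper's code). The server key is
# constructed here at import time; a real deployment would keep a long-lived
# secret so that nonces stay valid across server restarts.
SERVER_KEY = os.urandom(32)


def _leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    bits = 0
    for b in digest:
        if b == 0:
            bits += 8
            continue
        bits += 8 - b.bit_length()
        break
    return bits


class PuzzleServer:
    """Issues puzzles and verifies solutions; keeps no state per outstanding
    puzzle, only the set of nonces already redeemed (to stop replay)."""

    def __init__(self, key: bytes, difficulty: int):
        self.key = key
        self.difficulty = difficulty
        self.used = set()

    def issue(self, client_id: bytes) -> tuple:
        """Nonce = random salt || HMAC(key, salt || client_id)[:16].
        The HMAC binds the nonce to this client without storing anything."""
        salt = os.urandom(8)
        tag = hmac.new(self.key, salt + client_id, hashlib.sha256).digest()[:16]
        return salt + tag, self.difficulty

    def verify(self, client_id: bytes, nonce: bytes, solution: bytes) -> bool:
        """Cheap check: one HMAC to confirm the nonce is ours and for this
        client, one SHA-256 for the solution, and a replay check."""
        salt, tag = nonce[:8], nonce[8:]
        expected = hmac.new(self.key, salt + client_id, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            return False
        if nonce in self.used:
            return False
        digest = hashlib.sha256(nonce + solution).digest()
        if _leading_zero_bits(digest) < self.difficulty:
            return False
        self.used.add(nonce)
        return True


def solve(nonce: bytes, difficulty: int) -> bytes:
    """Client side: brute-force a counter until the digest has enough leading
    zero bits. Expected cost is about 2**difficulty hash evaluations."""
    counter = 0
    while True:
        solution = counter.to_bytes(8, "big")
        if _leading_zero_bits(hashlib.sha256(nonce + solution).digest()) >= difficulty:
            return solution
        counter += 1


if __name__ == "__main__":
    server = PuzzleServer(SERVER_KEY, difficulty=12)
    nonce, k = server.issue(b"client-A")
    answer = solve(nonce, k)
    print("accepted:", server.verify(b"client-A", nonce, answer))
    print("replay accepted:", server.verify(b"client-A", nonce, answer))
```

The asymmetry is the point: the client spends roughly 2^k hash operations, the server spends two. The difficulty can be raised while the server is under load and lowered again afterwards. The efficiency caveat from the slide still applies (every legitimate client pays), and, as the slide's last line says, none of this helps once the access link itself is saturated, because the puzzle exchange never reaches the server.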

Page 10:

In the intermediate network

● IP traceback
– Can be used to collect forensic evidence
– (Need further exploration on this topic)
● Push-back mechanism
● Route-based packet filtering
● Overlay network

Page 11:

Push-back – the idea

[Figure: routers R0–R7; a heavy traffic flow converges on the congested router, and push-back messages travel upstream against the flow to the routers that feed it.]

● Reactive mechanism
● Accuracy of telling 'poor' packets from bad packets: legitimate traffic that happens to share the rate-limited aggregate is dropped along with the attack
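The push-back idea above, as an added example that is not from the slides or from the Ioannidis/Bellovin or Mahajan et al. papers: a toy router tree in which the victim's access router detects overload, picks the heaviest aggregate (here a destination prefix) as the congestion signature, installs a rate limit for it and pushes that limit upstream, dividing it among contributing neighbours with max-min fairness. Router names, link capacity, offered loads and the max-min split are all assumptions constructed for the illustration.

```python
from collections import defaultdict

# Added example (not the slides' or the pushback papers' code).
# Routers form a tree towards the victim's access router R0; leaves inject
# traffic per aggregate. All numbers below are constructed (packets/s).
UPSTREAM = {                     # router -> routers that feed it
    "R0": ["R1", "R2"],
    "R1": ["R3", "R4"],
    "R2": ["R5", "R6"],
    "R3": [], "R4": [], "R5": [], "R6": [],
}
ACCESS_LINK_CAPACITY = 100       # capacity of R0's link towards the victim
LEAF_LOAD = {
    "R3": {"victim/24": 300, "other/24": 10},   # zombies behind R3
    "R4": {"victim/24": 5,   "other/24": 20},   # legitimate clients behind R4
    "R5": {"victim/24": 250},                   # zombies behind R5
    "R6": {"other/24": 30},
}


def max_min_share(demands: dict, total: float) -> dict:
    """Split `total` among contributors max-min fairly: small demands are
    met in full, what is left is shared equally among the large ones."""
    alloc, remaining, pending = {}, total, dict(demands)
    while pending:
        share = remaining / len(pending)
        small = {k: v for k, v in pending.items() if v <= share}
        if not small:
            for k in pending:
                alloc[k] = share
            break
        for k, v in small.items():
            alloc[k] = v
            remaining -= v
            del pending[k]
    return alloc


def offered(router: str, limits: dict) -> dict:
    """Traffic per aggregate that `router` sends downstream, after the
    rate limits installed at it and at the routers above it."""
    if not UPSTREAM[router]:
        load = dict(LEAF_LOAD.get(router, {}))
    else:
        load = defaultdict(float)
        for up in UPSTREAM[router]:
            for agg, rate in offered(up, limits).items():
                load[agg] += rate
        load = dict(load)
    for agg, cap in limits.get(router, {}).items():
        if agg in load:
            load[agg] = min(load[agg], cap)
    return load


def pushback(router: str, agg: str, limit: float, limits: dict, depth: int) -> None:
    """Install `limit` for `agg` at `router`; while `depth` allows, send
    push-back messages upstream carrying each neighbour's max-min share."""
    limits.setdefault(router, {})[agg] = limit
    if depth == 0:
        return
    contrib = {up: offered(up, limits).get(agg, 0.0) for up in UPSTREAM[router]}
    contrib = {k: v for k, v in contrib.items() if v > 0}
    if not contrib:
        return
    for up, share in max_min_share(contrib, limit).items():
        if share < contrib[up]:          # only push back where the limit bites
            pushback(up, agg, share, limits, depth - 1)


def run(victim_router: str = "R0", depth: int = 2) -> tuple:
    """Detect congestion at the victim's router, rate-limit the heaviest
    aggregate and push the limit upstream. Returns (limits, delivered load)."""
    limits: dict = {}
    load = offered(victim_router, limits)
    total = sum(load.values())
    if total > ACCESS_LINK_CAPACITY:
        culprit = max(load, key=load.get)             # congestion signature
        limit = max(ACCESS_LINK_CAPACITY - (total - load[culprit]), 0.0)
        pushback(victim_router, culprit, limit, limits, depth)
    return limits, offered(victim_router, limits)


if __name__ == "__main__":
    installed, delivered = run()
    print("limits:", installed)
    print("delivered at R0:", delivered)
```

Running it, the attack aggregate victim/24 is squeezed to 40 packets/s at R0, the limit propagates to R3 and R5 where the zombies sit, and R4's 5 packets/s of legitimate traffic to the same prefix survives only because the max-min split meets small demands first. A legitimate client behind R3, sharing a link with the zombies, would not be so lucky: the aggregate signature cannot tell its packets from the attack, which is the accuracy problem the slide names.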

Page 12:

Route-based packet filtering – the idea

[Figure: routers R0–R9; the routes from node 2 are shown; an attack from node 7 using node 2's addresses arrives over links that node 2's routes never use, so the routers on that path can drop it.]

● Proactive mechanism
● Overheads
● Need to change routers
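The route-based filtering idea above, as an added example that is not from the slides or from Park and Lee's paper: each router learns, per incoming link, which (source, destination) pairs can legitimately arrive over that link given the routes in use, and drops anything else. The topology, the node numbering (which is not the figure's), the "router.host" address notation and the use of BFS shortest paths as the routing are assumptions constructed for this illustration.

```python
from collections import deque

# Added example (not the slides' or Park and Lee's code).
# Undirected links between routers; router R is assumed to own the end hosts
# whose addresses are written "R.host" (constructed notation).
LINKS = [(0, 1), (1, 2), (1, 3), (0, 4), (4, 5), (5, 6), (4, 7), (2, 8), (3, 9)]


def build_adjacency(links):
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def shortest_path(adj, src, dst):
    """BFS route from src to dst; stands in for whatever routing chose.
    Filters and forwarding must use the same routes, as they do here."""
    prev = {src: None}
    q = deque([src])
    while q:
        n = q.popleft()
        if n == dst:
            break
        for m in sorted(adj[n]):
            if m not in prev:
                prev[m] = n
                q.append(m)
    path, n = [], dst
    while n is not None:
        path.append(n)
        n = prev[n]
    return path[::-1]


def build_filters(adj):
    """tables[r][u] = set of (src, dst) router pairs whose route crosses
    the link u -> r. Built once from the routes; this is the proactive part."""
    tables = {r: {} for r in adj}
    for s in adj:
        for d in adj:
            if s == d:
                continue
            path = shortest_path(adj, s, d)
            for u, r in zip(path, path[1:]):
                tables[r].setdefault(u, set()).add((s, d))
    return tables


def owner(ip: str) -> int:
    """Router owning an address in the constructed 'R.host' notation."""
    return int(ip.split(".")[0])


def forward(tables, adj, entry_router, src_ip, dst_ip):
    """Inject a packet at entry_router that claims src_ip. Every router on the
    way checks the (claimed source, destination) pair against the incoming
    link. Returns ("delivered", path) or ("dropped", router)."""
    s, d = owner(src_ip), owner(dst_ip)
    path = shortest_path(adj, entry_router, d)
    for u, r in zip(path, path[1:]):
        if (s, d) not in tables[r].get(u, set()):
            return ("dropped", r)
    return ("delivered", path)


if __name__ == "__main__":
    adj = build_adjacency(LINKS)
    tables = build_filters(adj)
    print("spoof 2 from 7:", forward(tables, adj, 7, "2.5", "0.1"))
    print("genuine from 2:", forward(tables, adj, 2, "2.5", "0.1"))
    print("spoof 6 from 5:", forward(tables, adj, 5, "6.9", "0.1"))
```

A packet injected at router 7 with a node-2 source address is dropped at router 4, because no route from node 2 ever enters router 4 over the link from 7. The third call shows the limit of the scheme: router 5 spoofing an address of node 6, which sits behind it, is delivered, since every link on 5's path to node 0 is also on node 6's route. The filter tables also have to be rebuilt whenever routes change, which is the overhead and the router-modification cost the slide lists.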

Page 13:

At the source side

● Ingress/egress filtering
– Ingress filtering
● To prevent packets with faked source IP addresses from entering the network
– Egress filtering
● To prevent packets with faked source IP addresses from leaving the network

[Figure: hosts 10.0.0.1 and 10.0.0.2 in a stub network attached to 9.0.0.0/8; egress filtering where packets leave the stub network, ingress filtering where they enter 9.0.0.0/8.]
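Both filters from the slide, as an added example that is not from the slides or from RFC 2827: the customer's egress filter lets out only sources inside its own prefix, and the ISP's ingress filter accepts on each customer-facing interface only the prefixes it routes to that interface (plus a bogon check), so a spoofed packet is caught at the ISP edge even when the customer runs no egress filter. Interface names, prefixes and the sample packets are constructed; the address plan loosely follows the slide's 10.0.0.x hosts.

```python
import ipaddress

# Added example (not the slides' or RFC 2827's code). All names and
# addresses below are constructed for illustration.

# Customer edge: the prefix each customer network owns, and whether that
# customer actually deployed an egress filter (cust-B did not).
CUSTOMER_PREFIX = {
    "cust-A": ipaddress.ip_network("10.0.0.0/8"),
    "cust-B": ipaddress.ip_network("172.16.0.0/12"),
}
EGRESS_FILTER_ENABLED = {"cust-A": True, "cust-B": False}

# ISP edge: the prefixes the ISP's own routing says are reachable through
# each customer-facing interface. Independent of what the customer configured.
ISP_ROUTES = {
    "cust-A": [ipaddress.ip_network("10.0.0.0/8")],
    "cust-B": [ipaddress.ip_network("172.16.0.0/12")],
}
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def egress_ok(iface: str, src: str) -> bool:
    """Customer edge, outbound: a packet may leave only with a source address
    inside the customer's own prefix. Stops zombies spoofing the victim."""
    if not EGRESS_FILTER_ENABLED.get(iface, False):
        return True                      # no filter deployed: everything passes
    return ipaddress.ip_address(src) in CUSTOMER_PREFIX[iface]


def ingress_ok(iface: str, src: str) -> bool:
    """ISP edge, inbound from a customer link: accept only sources the ISP
    routes towards that interface, and never a bogon source."""
    a = ipaddress.ip_address(src)
    if any(a in b for b in BOGONS):
        return False
    return any(a in p for p in ISP_ROUTES.get(iface, []))


def filter_packets(packets):
    """packets: (iface, src, dst) tuples. Returns (src, verdict) per packet."""
    verdicts = []
    for iface, src, _dst in packets:
        if not egress_ok(iface, src):
            verdicts.append((src, "dropped by egress filter"))
        elif not ingress_ok(iface, src):
            verdicts.append((src, "dropped by ingress filter"))
        else:
            verdicts.append((src, "forwarded"))
    return verdicts


# constructed sample traffic: (customer interface, source, destination)
SAMPLE_PACKETS = [
    ("cust-A", "10.0.0.2", "9.1.2.3"),      # genuine packet from customer A
    ("cust-A", "9.0.0.7", "9.1.2.3"),       # A's zombie spoofing a 9/8 victim
    ("cust-B", "10.0.0.9", "9.1.2.3"),      # B's zombie spoofing A's address
    ("cust-B", "172.16.5.5", "9.1.2.3"),    # genuine packet from customer B
    ("cust-B", "224.0.0.1", "9.1.2.3"),     # multicast source: bogon
]

if __name__ == "__main__":
    for src, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{src:<12} {verdict}")
```

The second packet is stopped by customer A's own egress filter; the third, from customer B who deployed none, is stopped only because the ISP's ingress filter checks the source against its routing view. This is why the slide places the mechanism at the source side and why its value depends on who deploys it: neither filter protects the network that runs it, both protect everyone else, and a reflector attack still needs to spoof the victim's address, so wide deployment of either check removes the attack's first step.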

Page 14:

At the source side (cont.)

● D-WARD (DDoS netWork Attack Recognition and Defense)
– Balance of inbound and outbound traffic (monitored per destination at the source network's edge; outbound traffic that provokes no replies is rate-limited)

Page 15:

D-WARD (cont.)

● Motivation of deployment (the source network pays for it, the victim benefits)
● Asymmetric routing problems (replies that return through a different edge distort the balance)

[Figure: source network with D-WARD at its edge router.]
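The inbound/outbound balance that D-WARD monitors, as an added example that is not from the slides or from Mirkovic, Prier and Reiher's D-WARD code: edge observations are aggregated per remote destination and protocol, flows whose outbound packet count far exceeds the inbound replies are labelled as attacks, and an outbound rate limit proportional to the reply rate is derived. The ratio thresholds, the minimum flow size and the packet records are assumptions constructed for this illustration.

```python
from collections import defaultdict

# Added example (not the slides' or D-WARD's code). Thresholds are assumed.
TCP_MAX_RATIO = 3.0        # outbound/inbound TCP packets still considered normal
ICMP_ECHO_MAX_RATIO = 1.2  # echo requests vs. echo replies
MIN_OUT_PKTS = 20          # flows smaller than this are not judged

# constructed edge observations over one window:
# (direction, proto, local host, remote host, packets)
RECORDS = [
    ("out", "tcp", "10.0.0.2", "9.1.2.3", 120), ("in", "tcp", "10.0.0.2", "9.1.2.3", 110),
    ("out", "tcp", "10.0.0.5", "9.1.2.3", 40),  ("in", "tcp", "10.0.0.5", "9.1.2.3", 38),
    ("out", "tcp", "10.0.0.7", "198.51.100.9", 5000), ("in", "tcp", "10.0.0.7", "198.51.100.9", 12),
    ("out", "tcp", "10.0.0.8", "198.51.100.9", 4700), ("in", "tcp", "10.0.0.8", "198.51.100.9", 3),
    ("out", "icmp", "10.0.0.9", "203.0.113.4", 900), ("in", "icmp", "10.0.0.9", "203.0.113.4", 0),
    ("out", "tcp", "10.0.0.3", "203.0.113.50", 9), ("in", "tcp", "10.0.0.3", "203.0.113.50", 0),
]


def max_ratio(proto: str) -> float:
    return TCP_MAX_RATIO if proto == "tcp" else ICMP_ECHO_MAX_RATIO


def aggregate(records):
    """Per (remote destination, proto): outbound and inbound packet totals,
    i.e. the per-destination flow statistics D-WARD keeps at the edge."""
    stats = defaultdict(lambda: {"out": 0, "in": 0})
    for direction, proto, _local, remote, pkts in records:
        stats[(remote, proto)][direction] += pkts
    return dict(stats)


def classify(stats):
    """'attack' when outbound packets exceed inbound replies by more than the
    protocol's ratio, 'normal' otherwise (or when the flow is too small)."""
    verdicts = {}
    for (remote, proto), s in stats.items():
        if s["out"] < MIN_OUT_PKTS:
            verdicts[(remote, proto)] = "normal"
            continue
        ratio = s["out"] / max(s["in"], 1)
        verdicts[(remote, proto)] = "attack" if ratio > max_ratio(proto) else "normal"
    return verdicts


def rate_limits(stats, verdicts):
    """Outbound packet budget per attack destination for the next window:
    what the observed replies justify, but never zero, so that a destination
    that starts answering again can be seen to recover."""
    return {
        key: max(stats[key]["in"] * max_ratio(key[1]), 1.0)
        for key, verdict in verdicts.items() if verdict == "attack"
    }


if __name__ == "__main__":
    st = aggregate(RECORDS)
    vd = classify(st)
    for key, verdict in vd.items():
        print(key, st[key], verdict)
    print("limits:", rate_limits(st, vd))
```

The web traffic to 9.1.2.3 stays normal (160 packets out, 148 back), the two zombies flooding 198.51.100.9 are caught as one attack flow and throttled to 45 packets per window, and the unanswered ICMP flood is cut to the floor of one packet. The asymmetric-routing bullet is visible in the same numbers: if the replies from 198.51.100.9 came back through another edge router, this edge would see the same zero-reply pattern for a perfectly legitimate flow and throttle it, which is why D-WARD needs to sit where it sees both directions.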

Page 16:

SOS – Secure Overlay Services

● To protect a dedicated server from DDoS attacks
● Use high-performance filters to drop all the packets not from the secret servlets
● Path redundancy in the overlay network is used to hide the identities of the secret servlets
● Legitimate users enter the overlay network at a SOAP (secure overlay access point)

Page 17:

SOS (cont.)

[Figure: user → SOAP(s) → overlay network → secret servlet(s) → filter → server; traversing the overlay adds a big time delay.]

Page 18:

References

● R. K. C. Chang, “Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial”
● P. Ferguson and D. Senie, “Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing”, RFC 2827
● J. Ioannidis and S. M. Bellovin, “Implementing Pushback: Router-Based Defense Against DDoS Attacks”
● A. D. Keromytis, V. Misra and D. Rubenstein, “SOS: Secure Overlay Services”
● R. Mahajan, S. M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson and S. Shenker, “Controlling High Bandwidth Aggregates in the Network”
● J. Mirkovic, J. Martin and P. Reiher, “A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms”
● J. Mirkovic, G. Prier and P. Reiher, “Attacking DDoS at the Source”
● K. Park and H. Lee, “A Proactive Approach to Distributed DoS Attack Prevention using Route-Based Packet Filtering”

Page 19:

Thank you!