Group 8 Distributed Denial of Service

DoS SYN Flood DDoS Proposed Algorithm Group 8 What is Denial of Service? “Attack in which the primary goal is to deny the legitimate clients access to a particular resource.”

How to take down a restaurant? DoS Table for four at 8 o’clock. Name of Mr. Smith. O.K., Mr. Smith SYN Flood DDoS Proposed Algorithm Group 8

How to take down a restaurant? DoS No More Tables! SYN Flood DDoS Proposed Algorithm Group 8

DoS DDoS What is Distributed Denial of Service? Doesn’t rely on the weakness of a system Distributed way Different sources Engage the power Consume resource SYN Flood Proposed Algorithm Group 8

DoS DDoS DDoS Tools Plagued the attack on Yahoo, Amazon.com, and other famous web sites in February 2000 !! SYN Flood Proposed Algorithm Group 8

DoS DDoS DDoS Attack One of the major attack on today’s Internet SYN Flood Proposed Algorithm Group 8

DoS DDoS DDoS Defense Classification The defense of DDoS attack is very difficult No apparent characteristics Distributed structures & small memory Difficult to traceback Attackers can modify their toolkits constantly Three lines of defense Three lines of defense Attack Prevention Attack Detection Attack Mitigation SYN Flood Proposed Algorithm Group 8

DoS DDoS Attack Prevention Stop the attacking Filter packets with illegitimate source addresses Need to be installed on all routers Not viable  Usually refuses the legitimate Both match the signaturesExamples: Ingress filtering Egress filtering Route-based distributed packet filtering Obviously, the prevention line is inadequate for defense the DDoS attacks… … SYN Flood Proposed Algorithm Group 8

DoS DDoS Attack Detection Misuse Detection Identify the well defined patterns of known attack Anomaly Detection Detect the anomaly behaviors in system Examples: − NOMAD: statistical analysis of IP packet − D-WARD: monitors the traffic − MULTOPS: uses disproportional rates to/from hosts and subnets SYN Flood Proposed Algorithm Group 8

DoS DDoS Attack Mitigation Minimize the impact of attacks Impossible to stop DDoS attack completely Maximize the QoS Describes the assurance of the ability of a network to deliver predictable resultsExamples: Class-Based Queuing Techniques Resource Pricing Architecture Pushback architecture Throttling SYN Flood Proposed Algorithm Group 8

DoS DDoS SYN Flood Proposed Algorithm Normal TCP/IP Communication Group 8

Basic Vulnerability TCB : contains all of the information about the connection. Potential risk : each incoming SYN packet will be allocated a TCB, it will result the memory exhausted. Backlog: contains all the simultaneous TCBs in the SYN_RECV state. Potential risk: the backlog is full, the new request will be ignored until some of the TCBs is reaped or removed. DoS DDoS SYN Flood Proposed Algorithm Group 8

Unfinished TCP/IP Communication DoS DDoS SYN Flood Proposed Algorithm Group 8

Attack Method DoS DDoS SYN Flood Proposed Algorithm Group 8

Defense of SYN Flood Attack Counter the weakness of the TCP/IP protocol to attack. When attacking, only if less data could have obvious effect. The origin of the attacker’s source IP address could not be traced back. It cannot be distinguished whether legitimate TCP connection in server- side. Characteristics of the Attack DoS DDoS SYN Flood Proposed Algorithm Group 8

Defense End-Host Countermeasures Increasing TCP Backlog Reducing the SYN_RECV Timer SYN Caches SYN Cookies Hybrid Approaches Network-Based Countermeasures Filtering Firewalls or Proxies DoS DDoS SYN Flood Proposed Algorithm Group 8

Using Spoofed SYN-ACK DoS DDoS SYN Flood Proposed Algorithm Group 8

Using Spoofed ACK DoS DDoS SYN Flood Proposed Algorithm Group 8

DoS DDoS SYN Flood Proposed Algorithm Group 8 Three Counters Algorithm

THE END THE END Thank you for your listening!