Presentation is loading. Please wait.

Presentation is loading. Please wait.

Outline Why is DDoS hard to handle?

Published byCandace Harvey Modified over 4 years ago

Similar presentations

Presentation on theme: "Outline Why is DDoS hard to handle?"— Presentation transcript:

1 Major Challenges of DDoS Attacks Advanced Network Security Peter Reiher August, 2014

2 Outline Why is DDoS hard to handle?
Important characteristics of good DDoS defenses

3 Why Is DDoS Hard to Handle?
A simple form of attack Designed to prey on the Internet’s strengths Easy availability of attack machines Attack can look like normal traffic Lack of Internet enforcement tools Hard to get cooperation from others Effective solutions may be hard to deploy

4 1. Simplicity of Attack Basically, just send someone a lot of traffic
More complicated versions can add refinements, but that’s the crux of it No need to find new vulnerabilities No need to worry about timing, tracing, etc. Toolkits are readily available to allow the novice to perform DDoS Even distributed parts are very simple

5 2. DDoS Preys on Internet’s Strengths
The Internet was designed to deliver lots of traffic From lots of places, to lots of places DDoS attackers want to deliver lots of traffic from lots of places to one place Any individual packet can look proper to the Internet Without sophisticated analysis, even the entire flow can appear proper

6 The Internet and Resource Utilization
The Internet was not designed to monitor resource utilization It’s pretty much first come, first served Many network services work the same way And many key underlying mechanisms do, too Thus, if a villain can get to the important resources first, he can often deny them to good users

7 3. Easy Availability of Attack Machines
DDoS is feasible because attackers can enlist many machines Attackers can enlist many machines because many machines are readily vulnerable Not hard to find 10,000 crackable machines on the Internet Particularly if you don’t care which ones Some reports suggest attack armies of tens of thousands of machines are at the ready

8 Can’t We Fix These Vulnerabilities?
Doubtful DDoS attacks don’t really harm the attacking machines Many people don’t protect their machines even when the attacks can harm them Why will they start protecting their machines just to help others? Altruism has not proven to be a compelling argument for for network security, to date

9 4. Attack Can Look Like Normal Traffic
A DDoS attack can consist of vast number of requests for a web server’s home page No need for attacker to use particular packets or packet contents So neat filtering/signature tools may not help Attacker can be arbitrarily sophisticated at mirroring legitimate traffic In principle Not currently done because dumb attacks work so well

10 5. Lack of Internet Enforcement Tools
DDoS attackers typically not caught by tracing or observing attack Only by old-fashioned detective work The Internet offers no help in tracing a single attack stream, Much less multiple ones Even if you trace them, a clever attacker leaves no clues of his identity on attack machines

11 What Is the Internet Lacking?
No validation of IP source address No enforcement of amount of resources used No method of tracking attack flows Or those controlling attack flows No method of assigning responsibility for bad packets or packet streams No mechanism or tools for determining who corrupted a machine

12 6. Poor Cooperation in the Internet
It’s hard to get anyone to help you stop or trace or prevent an attack Even your ISP might not be too cooperative Anyone upstream of your ISP is less likely to be cooperative ISPs more likely to cooperate with each other, though Even if cooperation occurs, it occurs at human timescales The attack might be over by the time you figure out who to call

13 7. Effective Solutions May Be Hard to Deploy
The easiest place to deploy defensive systems is near your own machine But defenses there might not work well E.g., firewall example Effective research solutions require deployment near attackers or in Internet core Or, worse, in many places A working solution is no use if required parties won’t deploy it Hard to get anything deployed if deployer gets no direct advantage

14 Defending Against DDoS Attacks
DDoS attacks sound pretty terrible So what do I do to keep my machines and networks safe from DDoS attacks? How would I even go about starting to defend myself and others from DDoS attacks?

15 Desirable Characteristics of DDoS Defense Solutions
Effective Accurate Cheap Deployable Complete

16 1. Effectiveness of DDoS Defenses
Does it stop the DDoS attack from crippling my machine? If so, is it merely pushing the problem upstream? Or is it fundamentally solving it? Will it only stop disruptive attacks? Or will it also stop degrading attacks?

17 2. Accuracy of DDoS Defenses
Ultimately, DDoS defense usually requires dropping some packets Avoiding the DDoS effect by not delivering the attack traffic that causes it That’s great, but . . . Is it only attack traffic that is getting dropped? Or is my defense system also dropping some legitimate traffic?

18 The Vital Importance of Accuracy
The point of a DDoS attack is not to deliver a bunch of bogus packets to you It’s to prevent you from offering regular service If your defense mechanism drops both attack packets and legitimate packets, It offers the DDoS attacker another mechanism to deny service DDoS defense mechanisms that do not ensure the delivery of all (or almost all) legitimate traffic are of little help!

19 Collateral Damage The term used to describe unintended and undesirable consequences of a defense mechanism How much good traffic does the defense mechanism drop (or delay)? Low collateral damage is tolerable If the collateral damage is high enough, it’s as bad as the attack itself

20 DDoS Collateral Damage Types
You drop good packets destined for the target That’s bad You drop good packets from an attack source Also bad You drop good packets going to and from uninvolved third parties That’s even worse

21 Accuracy and False Alerts
Most nodes aren’t under DDoS attack most of the time If the DDoS defense system signals an attack when there is no attack, there may be a problem Small problem if the signal doesn’t disrupt the good traffic Big problem if it does

22 Dimensions of Accuracy
Detection Did the defense system signal an attack when one occurred? And only when one occurred? Response Did the defense system take action only against attack packets?

23 3. Cost of DDoS Defense Systems
Defense systems must be reasonably inexpensive In money, but especially in performance Particularly when no attacks are going on Since that will be most of the time Low cost important even when attacks are ongoing If defense system eats 95% of your CPU when defending, this can easily deny service to legitimate clients

24 4. Deployability of DDoS Defenses
Defense systems on or near to the potential target are highly deployable

25 Deployability of DDoS Defenses
Defense systems on or near to potential attackers are less deployable 1. No economic incentive for deployment 2. Attacker might gain control of defense system 3. Wide deployment required for effectiveness

26 Deployability of DDoS Defenses
Core routers are already heavily loaded 2. If you’re putting it in the core, you’d better get it right the first time Defense systems in the Internet core face serious deployment challenges 3. Owners of these routers have no economic incentive to deploy defenses

27 5. Completeness A DDoS defense systems should handle all kinds of DDoS attacks Systems that only handle SYN floods (for example) are of less value Ideally, the entire range of known attacks should be covered Plus anything else we didn’t think about yet

28 Conclusion Distributed denial of service attacks are difficult to handle for multiple reasons Some deal with the nature of the Internet Some deal with business practicalities Some deal with choices in our protocols All are hard or impossible to change

Download ppt "Outline Why is DDoS hard to handle?"

Similar presentations

Why Is DDoS Hard to Solve? 1.A simple form of attack 2.Designed to prey on the Internet’s strengths 3.Easy availability of attack machines 4.Attack can.

Why Is DDoS Hard to Solve? 1.A simple form of attack 2.Designed to prey on the Internet’s strengths 3.Easy availability of attack machines 4.Attack can.
ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.

ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
CIS 659 – Introduction to Network Security – Fall 2003 – Class 10 – 10/9/03 1 What is Distributed Denial of Service?

CIS 659 – Introduction to Network Security – Fall 2003 – Class 10 – 10/9/03 1 What is Distributed Denial of Service?
1 Securing Information Transmission by Redundancy Jun LiPeter ReiherGerald Popek Computer Science Department UCLA NISS Conference October 21, 1999.

1 Securing Information Transmission by Redundancy Jun LiPeter ReiherGerald Popek Computer Science Department UCLA NISS Conference October 21, 1999.
Bandwidth DoS Attacks and Defenses Robert Morris Frans Kaashoek, Hari Balakrishnan, Students MIT LCS.

Bandwidth DoS Attacks and Defenses Robert Morris Frans Kaashoek, Hari Balakrishnan, Students MIT LCS.
Game-based Analysis of Denial-of- Service Prevention Protocols Ajay Mahimkar Class Project: CS 395T.

Game-based Analysis of Denial-of- Service Prevention Protocols Ajay Mahimkar Class Project: CS 395T.
Denial of Service. Denial of Service Attacks Unlike other forms of computer attacks, goal isn’t access or theft of information or services The goal is.

Denial of Service. Denial of Service Attacks Unlike other forms of computer attacks, goal isn’t access or theft of information or services The goal is.
------ An Overview Zhang Fu Outline What is DDoS ? How it can be done? Different types of DDoS attacks. Reactive VS Proactive Defence.

An Overview Zhang Fu Outline What is DDoS ? How it can be done? Different types of DDoS attacks. Reactive VS Proactive Defence.
DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.

DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Lecture 22 Page 1 Advanced Network Security Other Types of DDoS Attacks Advanced Network Security Peter Reiher August, 2014.

Lecture 22 Page 1 Advanced Network Security Other Types of DDoS Attacks Advanced Network Security Peter Reiher August, 2014.
Denial of Service.

Denial of Service.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
Lecture 29 Page 1 Advanced Network Security Privacy in Networking Advanced Network Security Peter Reiher August, 2014.

Lecture 29 Page 1 Advanced Network Security Privacy in Networking Advanced Network Security Peter Reiher August, 2014.
Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.
Firewalls Nathan Long Computer Science 481. What is a firewall? A firewall is a system or group of systems that enforces an access control policy between.

Firewalls Nathan Long Computer Science 481. What is a firewall? A firewall is a system or group of systems that enforces an access control policy between.
Lecture 16 Page 1 Advanced Network Security Perimeter Defense in Networks: Virtual Private Networks Advanced Network Security Peter Reiher August, 2014.

Lecture 16 Page 1 Advanced Network Security Perimeter Defense in Networks: Virtual Private Networks Advanced Network Security Peter Reiher August, 2014.

Similar presentations

Ads by Google