Presentation is loading. Please wait.

Presentation is loading. Please wait.

“A Taxonomy of DDoS Attack and DDoS Defense Mechanisms”

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "“A Taxonomy of DDoS Attack and DDoS Defense Mechanisms”"— Presentation transcript:

1 “A Taxonomy of DDoS Attack and DDoS Defense Mechanisms”
By Jelena Mirkovic and Peter Reiher (CCR April 2004) NSRG - Network Security Reading Group: Vijay Erramilli Nahur Fonseca Abhishek Sharma Georgios Smaragdakis and Prof John W. Byers

2 Outline Overview of DDoS Taxonomy of DDoS Attacks DDoS Activity
Taxonomy of DDoS Defenses Examples of DDoS Defenses

3 Overview (D)DoS := explicit attempt to prevent the legitimate use of a service Why this is part of today’s internet? Current Internet Design is focused on effectiveness of moving packets. Internet Resource Limitations. Control is distributed.

4 DDoS Overview

5 Taxonomy of DDoS Attacks [MR04]
DDoS Attack Mechanisms Classification By.. Degree of Automation Impact on the Victim Exploited Weakness Victim Type Source Address Validity Persistence of Agent Set Attack Rate Dynamics Possibility of Characterization

6 Mainly Worms Scanning Strategies: Manually (Semi-)Automated
Classification By Degree of Automation Mainly Worms Manually (Semi-)Automated Scanning Strategies: Random Scanning (CRv2) Hitlist Scanning Permutation Scanning – sub HitList (Warhol) Topological Scanning ( Worms) Local Subnet Scanning (CRv2, nimba)

7 Vulnerability Scanning Strategies
Classification By Degree of Automation Vulnerability Scanning Strategies Horizontal: same port of different machines Vertical: all ports of one machine Coordinated Stealthy Propagation Mechanism Central Source (Li0n worm) Back-chaining (Ramer Worm, Morris worm) Autonomous Propagation (CR, Warhol)

8 Searching for specific feature or bug
Classification By Exploit Weakness To Deny Service Searching for specific feature or bug SYN ACK attack, NAPTHA /connection queue CGI Request attack /CPU Flooding (reflectors) DNS Request attacks Smurf attacks (ICMP reply attacks)

9 Spoofing Techniques Random Spoofed Source Address
Classification By Source Address Validity Spoofing Techniques Random Spoofed Source Address Subnet Spoofed Source Address (hard to detect) En Route Spoofed Source Address (future) address along the path from the slave to the victim Fixed Spoofed Source Address

10 Constant Rate Variable Rate
Classification By Attack Rate Dynamics Constant Rate Attacker can deploy a min number of machines Patterns in traffic Variable Rate Increasing Rate Fluctuating Rate (Low Rate attacks like Shrew, Rat and RoQ)

11 Classification By Possibility of Characterization Filterable Filtered by a firewall eg. UDP flooding, ICMP echo flood to Web Servers, DNS (TCP). Non-Filterable mainly try to consume bandwidth, using a mixture of TCP SYN, TCP Attack, ICMP ECHO/ REPLY, and UDP packets.

12 Constant Slave Set Variable Slave Set Lack of synchronization
Classification By Persistence of Agent (Slave) Set Constant Slave Set Lack of synchronization Variable Slave Set eg. Take turns (waves) of floods of packets

13 Application Host Resource Network Infrastructure
Classification By Victim Type Application Attack packets indistinguishable from legitimate packets at the transport level. A lot of applications that have to be modeled. Host CPU/Stack Resource Critical resource eg. DNS, router, bottleneck Network Traffic Infrastructure Misconfiguration by the attacker/BGP (future)

14 Disruptive Degrading Deny the victim’s service to its clients
Classification By Impact on the Victim Disruptive Deny the victim’s service to its clients Degrading Consumes some portion of the victim’s resources. Not easily detected Lead to Disruptive DoS in high load periods

15 Attack Tools Very Easy to find code
(eg. Trinoo: Flood Attack The communication link btw Attacker and slaves is encrypted. TFN2k: Flood Attack, but also allows SYN, ICMP flood and Smurf Attacks. The communication link btw Attacker and slaves is encrypted.

16 Outline Overview of DDoS Taxonomy of DDoS Attacks DDoS Activity
Taxonomy of DDoS Defenses Examples of DDoS Defenses

17 Why bother ? Fact 1: prevalence
David Moore, et al. Infering Internet Denial-of-Service Activity

18 Backscatter Analysis Assumptions Biases Flood attack
Randomly spoofed source address Victims always respond Backscatter is evidence of ongoing attack Responses are equaly distributed across IP E(x) = nm/232, m=pkts R > R’ 232/n , n=224 Biases Underestimate due to Ingress filtering, Reflector attack, Packet losses, Rate limiting, Minor factor due to random port scans on the observed hosts.

19 Backscatter Results

20 Why bother? “Fact” 2: cost
What’s the worst-case worm ? A lot of resources, a nation state, to find A zero-day (never seen) vulnerability in A widely used service. Infect intranets first and then the Internet Very fast (e.g. flash worms). < 1 day. Cause data damage, hardware damage. How much would it cost ? A conservative linear model based on: recovery, data, work-hour and BIOS costs US$50 Bi

21 Taxonomy of DDoS Defenses
Preventive x Reactive Degree of Cooperation Autonomous Cooperative Interdependent Deployment Location Victim network Intermediate network Source network

22 Proactive / Reactive Actions
Preventive Prevention Goal Attack Prevention DoS Prevention Secured Target System security Protocol security Prevention Method Resource Accounting Resource Multiplication Reactive Detection Strategy Pattern Anomaly Third Party Response Strategy Agent Identification Rate-limiting Filtering Reconfiguration

23 Degree of Cooperation Autonomous – independent defense at the point of deployment Cooperative – perform better in joint operation. Interdependent – cannot operate autonomously.

24 Deployment Location Victim network – most common, the most interested party. Intermediate network – ISP can provide the service, potential to cooperation. Source network – prevent DDoS at the source, least motivation (Tragedy of the Commons).

25 Examples of Defenses Preventive Reactive Autonomous Cooperative
Interdependent At Victim IDS, SNORT Puzzles Intermediate In-Filter SOS Traceback At Source D-WARD

26 IDS, Snort Intrusion Detection System
Purpose: to sniff all traffic on a network and to compare the network packets with certain patterns. Sniff all traffic Preprocess Patten matching Policy Enforcement Deny

27 SOS: Secure Overlay Service
Proactively prevent DoS to allow legitimate users to communicate with critical target. + Illegitimate packets are dropped - Attackers take over source - Attackers spoof address - Sources have mobile IP + Proxy forwards authentic traffic - Attackers may spoof proxy IP - Attackers may attack proxy

28 A node on the overlay that acts as the only entry point to the target
SOS: Architecture A node on or off the overlay that wants to send a transmission to a target A node on the overlay, it receives traffic destined for the target and ,after verifying the legitimacy of the traffic, forwards it to a secret servlet A node on the overlay that acts as the only entry point to the target source傳訊息給target source -> overlay -> target 接下來簡介在這個overlay裡幾種不同的角色 Target node that wishes to receive transmissions from validated sources A node on the overlay that accepts traffic to the target from approved source points

29 Ingress Filtering (RFC2267)
An ingress filter on "router 2” restricts traffic to allow only source addresses within the /8 prefix. Problems with special cases, for example, mobile IP. Still can spoof addresses within the same prefix.

30 D-WARD Monitors each peer in both ways. Keep per flow statistics.
Compare to “normal traffic” models. Detect anomalies. Throttle malicious users.

31 Cliente Puzzles: Intuiton
??? Please solve this puzzle. Table for four at 8 o’clock. Name of Mr. Smith. O.K., Mr. Smith O.K. Restauranteur

32 A legitimate patron can easily reserve a table,
Intuition Suppose: A puzzle takes an hour to solve There are 40 tables in restaurant Reserve at most one day in advance A legitimate patron can easily reserve a table, but:

33 Intuition ??? Would-be saboteur has too many puzzles to solve

34 The client puzzle protocol
Service request R Server Client Buffer O.K.

35 IP traceback The ability to trace IP packets to their origin.
IP spoofing Ingress filtering prevents IP address manipulation not fully enforced due to political and technical reasons. Some ISPs refuse to install inbound filters to prevent source-address spoofing.

36 IP traceback approaches
Reactive : initiate the traceback process in response to an attack e.g. Input debugging and controlled flooding Must be completed while the attack is active; ineffective once the attack ceases Require large degree of ISP cooperation- extensive administrative burden, difficult legal and policy issues.

37 Input debugging: Figure from IP Traceback: A New Denial-
of-Service Deterrent?, H. Aljifri, IEEE Security & Privacy, 2003.

38 Proactive IP traceback
Record tracing measures as packets are routed through the network. Traceback data used for attack path reconstruction and subsequent attacker identification. Techniques: Logging Messaging Packet-marking

39 Logging Log packets at key routers throughout the Internet and then use data-mining techniques to extract information about attack traffic’s source. Huge amount of processing and storage power needed to store the logs. Need to save and share information among ISPs : logistical and legal problems, as well as privacy concerns.

40 How to reduce the resource demand?
Probabilistic sampling of the packet stream and compression. SPIE (Source Path Isolation Engine), A. Snoeren et. al. Makes use of Bloom filters to store a hash digest of only the relevant invariant portions of a packet Overlay Network of sensors, tracing agents and managing agents. Selectively log traffic – after an attack is recognized. Log only certain relevant characteristics Increased speed and less storage.

41 ICMP-based traceback: Figure from IP Traceback: A New Denial-
of-Service Deterrent?, H. Aljifri, IEEE Security & Privacy, 2003.

42 ICMP-based traceback vs DDoS
In a DDoS attack, each zombie contributes only a small amount of the total attack traffic. The probability of choosing an attack packet is much smaller than the sampling rate used. The victim probably will get many ICMP traceback messages from the closest routers but very few originating near the zombies’ machines. Intension-driven ICMP traceback : more effective against DDoS.

43 Packet-Marking : Figure from IP Traceback: A New Denial-
of-Service Deterrent?, H. Aljifri, IEEE Security & Privacy, 2003.

44 Packet Marking To be effective, packet marking should not increase the packets’ size (to avoid additional downstream fragmentation, thus increasing network traffic). Secure enough to prevent attackers from generating false markings. Must work within the existing IP specifications : the specified order and length of fields in an IP header. Packet-marking algorithms and associated routers must be fast enough to allow real-time packet marking. Probabilistic Packet Marking Received widespread attention; active area of research

45 Discussion What is the cost of ISPs to prevent DDoS?
Law Enforcement of Homogeneous Control? Is DDoS an important problem for WINGers? Can be part of the iBENCH: Safe & Secure Composition… Can be part of the ITM: Soft state and sampling of flows?

Download ppt "“A Taxonomy of DDoS Attack and DDoS Defense Mechanisms”"

Similar presentations

COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips.

COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips.
Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Most of slides come from Ari Juels and John Brainard RSA Laboratories.

Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Most of slides come from Ari Juels and John Brainard RSA Laboratories.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.

Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
A Taxonomy of DDoS Attack and DDoS Defense Mechanisms By Jelena Mirkovic and Peter Reiher.

A Taxonomy of DDoS Attack and DDoS Defense Mechanisms By Jelena Mirkovic and Peter Reiher.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
John Kristoff DePaul Security Forum 2003 1 Network Defenses to Denial of Service Attacks John Kristoff +01 312 362-5878.

John Kristoff DePaul Security Forum Network Defenses to Denial of Service Attacks John Kristoff
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 7: Denial-of-Service Attacks.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 7: Denial-of-Service Attacks.
Practical Network Support for IP Traceback Internet Systems and Technologies - Monitoring.

Practical Network Support for IP Traceback Internet Systems and Technologies - Monitoring.
Defending Against Flooding Based DoS Attacks : A tutorial - Rocky K.C. Chang, The Hong Kong Polytechnic University Presented by – Ashish Samant.

Defending Against Flooding Based DoS Attacks : A tutorial - Rocky K.C. Chang, The Hong Kong Polytechnic University Presented by – Ashish Samant.

Similar presentations

Ads by Google