Defending Against Flooding Based DoS Attacks : A tutorial

- Rocky K.C. Chang, The Hong Kong Polytechnic University

Presented by – Ashish Samant

CS577 Spring 05

Slide 2: Introduction (http://www.denialinfo.com)

Slide 3: Introduction

Denial of Service (DoS) Attack – An incident that prevents a victim from receiving or providing normal service.

Relies on consuming limited or non-renewable system resources.

Can be launched by exploiting system design weaknesses, by CPU-intensive tasks, or by flooding.

Examples: ping of death, teardrop, smurf.

Slide 4: Distributed Denial of Service (DDoS)

Does not depend on system or protocol weaknesses.

DDoS uses the computing power of thousands of vulnerable, unpatched machines to overwhelm a target or victim.

Compromised hosts are gathered to send useless service requests and packets at the same time.

The burst of traffic generated crashes the victim or disables it.

Slide 5: Distributed Denial of Service (DDoS)

Hard to detect and stop.

Can spread within a few minutes.

Usually a period of flooding lasts for a few hours and is sporadic.

IP spoofing makes it harder to identify attackers.

This is a critical problem because of its potential use in cyber warfare and its ability to disrupt essential government services.

Slide 6: Timeline (http://staff.washington.edu/dittrich/misc/ddos/timeline.html)

May/June 1998 – First primitive DDoS tools developed in the underground; small networks, only mildly worse than a coordinated point-to-point DoS attack.

August 17, 1999 – Attack on the University of Minnesota, reportedly using trinoo. Campus disconnected from the Internet for 3 days.

Early October 1999 – CERT reviews hundreds of Solaris intrusion reports and finds many match the trinoo analysis. They arrange the Distributed System Intruder Tools Workshop.

February 8–12, 2000 – Attacks on eCommerce sites. Yahoo, eBay, Amazon hacked.

2002 – DoS attack on the 13 core root Internet DNS servers.

2000–2001 – Melissa, I Love You, Anna Kournikova. 2002 – Code Red. 2003 – Slammer.

Slide 7: Direct DDoS Attacks

Direct Attacks (flooding of request packets)
– Attacker sends out packets directly towards the target.
– Uses TCP, UDP, ICMP packets with random spoofed IP addresses.
– Only a few compromised machines are sufficient.

Examples:
– TCP SYN flooding; based on the TCP three-way handshake, the final ACK from source to victim never arrives.
– Congesting a victim's incoming link using TCP RST packets, ICMP control packets or UDP packets.
– TCP (94%), UDP (2%), ICMP (2%)

Slide 8: Reflector DDoS Attacks

Reflector Attacks (flooding of response packets)
– Attackers initiate an attack that is relayed to reflector machines, such as routers, web servers etc.
– Reflectors may or may not be aware.
– In response to requests by attackers, reflectors flood victims with reply packets.
– Address of victim spoofed in requests to reflectors.

Examples:
– Smurf attacks: ICMP echo packets with spoofed victim addresses are broadcast.
– TCP SYN ACK flooding.
– Bandwidth amplification: attack requests that send response packets of much larger size to the victim.

Slide 9: Direct and Reflector Attacks (figure)

Slide 10: DDoS Attack Setups (figure)

Slide 11: Summary of Reflector Attacks (figure)

Slide 12: Amount of SYN Packets Needed (figure)

Slide 13: Solutions to DDoS

Attack Prevention and Preemption
– Prevent hosts from becoming masters/agents; this is hard and inadequate.
– Regular patching and security updates.

Attack Source Traceback
– Identify the source of the attack and block it. Routers need to store packet source info.
– After-the-fact measure; cannot stop an active attack.
– Cannot always trace packet origins.
– Ineffective against reflector attacks, because reflectors are legitimate.

Slide 14: Solutions to DDoS

Attack Detection and Filtering
– Identify attack packets using anomaly or misuse detection.
– Drop suspect packets.
– False Positive Ratio (FPR) and False Negative Ratio (FNR) measure the efficiency of detection.
– While filtering packets, dropping of useful packets should be minimal; measured by Normal Packet Survival Ratio (NPSR).

Slide 15: Ideal location for detection/filtering (figure)

Slide 16: Internet Firewall Approach

Packet detection and filtering at source and victim networks is not adequate.

Internet Firewall approach
– Global defense mechanism that is deployed at the core and drops packets before they reach the victim.
– Potential to maintain a victim's normal service, even during an attack.
– Based on Route Based Packet Filtering (RPF) and Distributed Attack Detection (DAD).

Slide 17: Route Based Packet Filtering (RPF)

RPF
– Move the ingress packet filtering from source networks and next-level ISP networks to the Internet core.
– Check whether each packet arrives on the correct link, with respect to the source and destination address in the packet.
– Drop the packet if it arrives from an unexpected link.
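As an added example (not from the tutorial or the presenter), the RPF check just described applied to a constructed packet trace at a single core router, scored with the FPR, FNR and NPSR metrics from the Attack Detection and Filtering slide; the route table, link names and addresses are assumptions made for the illustration.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst ingress is_attack")

# Constructed RPF table for one core router: for packets from a source prefix
# towards a destination prefix, the link on which they are expected to arrive
# (derived from routing information in the real scheme; hard-coded here).
ROUTE_TABLE = {
    ("10.1.0.0/16", "192.0.2.0/24"): "link-A",
    ("10.2.0.0/16", "192.0.2.0/24"): "link-B",
    ("10.3.0.0/16", "192.0.2.0/24"): "link-C",
}

def expected_link(src, dst):
    """Return the link a (src, dst) pair should arrive on, or None if unknown."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for (sp, dp), link in ROUTE_TABLE.items():
        if s in ipaddress.ip_network(sp) and d in ipaddress.ip_network(dp):
            return link
    return None

def rpf_accept(pkt):
    """RPF decision: drop a packet that arrives from an unexpected link."""
    exp = expected_link(pkt.src, pkt.dst)
    # No routing knowledge for this pair: the filter cannot judge, so it passes.
    return exp is None or exp == pkt.ingress

def evaluate(packets, accept):
    """FPR: share of normal packets dropped; FNR: share of attack packets passed;
    NPSR: share of normal packets that survive the filter."""
    normal = [p for p in packets if not p.is_attack]
    attack = [p for p in packets if p.is_attack]
    fp = sum(1 for p in normal if not accept(p))
    fn = sum(1 for p in attack if accept(p))
    return {"FPR": fp / len(normal), "FNR": fn / len(attack),
            "NPSR": (len(normal) - fp) / len(normal)}

# Constructed trace; is_attack is ground truth known only to the evaluator.
SAMPLE = [
    Packet("10.1.5.5", "192.0.2.10", "link-A", False),
    Packet("10.2.7.7", "192.0.2.10", "link-B", False),
    Packet("10.3.9.9", "192.0.2.10", "link-C", False),
    Packet("10.1.5.6", "192.0.2.10", "link-A", False),
    Packet("10.1.66.66", "192.0.2.10", "link-C", True),  # spoofed src, wrong link: dropped
    Packet("10.2.66.66", "192.0.2.10", "link-C", True),  # spoofed src, wrong link: dropped
    Packet("10.3.66.66", "192.0.2.10", "link-C", True),  # src consistent with link: survives
    Packet("10.2.1.1", "192.0.2.10", "link-B", True),    # reflected reply, genuine src: survives
]

if __name__ == "__main__":
    print(evaluate(SAMPLE, rpf_accept))  # {'FPR': 0.0, 'FNR': 0.5, 'NPSR': 1.0}
```

The two surviving attack packets are exactly the cases the RPF drawbacks slide names: a spoofed source that happens to be consistent with the arrival link, and a reflected packet with a legitimate source address.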

Slide 18: Route Based Packet Filtering (RPF)

Drawbacks
– About 18% of ASs need to be equipped with filters. This is a lot and will increase!
– BGP messages need to also carry source addresses, which increases their size.
– Reflected packets and packets with legitimate source addresses will still survive.

Slide 19: Distributed Attack Detection (DAD)

DAD
– Extend the packet detection function from the victim network to the core.
– Distributed Systems (DSs) are used that work locally to identify attack patterns and then collaborate to identify global attacks.
– Uses anomaly or misuse detection.
– Must process packets at a high speed. DSs must be placed strategically.

Slide 20: Distributed Attack Detection (DAD)

Once an attack is confirmed, packet filters are installed and upstream networks are notified to drop packets.

The DSs must be available at all times and be able to flood other DS networks with attack alarm messages.

Not very effective in stopping DDoS attacks that last for short periods.

Not effective in stopping Degradation of Service (DeS) attacks.

Consumes time to arrive at global decisions.
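As an added example (not from the tutorial or the presenter), a toy model of the DAD flow on the two slides above: each DS runs local anomaly detection over per-slot packet counts, the DSs then collaborate by requiring a quorum of local alarms before a global decision, and a confirmed attack yields a filter rule plus the list of DSs to notify upstream. The observation counts, baseline, threshold factor and quorum are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed per-DS traffic summaries: DS name -> {(time_slot, dst): packets seen}.
# In the real scheme each DS builds these from the flows crossing its core links.
OBSERVATIONS = {
    "DS1": {(1, "192.0.2.10"): 3, (2, "192.0.2.10"): 40, (3, "192.0.2.10"): 38},
    "DS2": {(1, "192.0.2.10"): 2, (2, "192.0.2.10"): 25, (3, "192.0.2.10"): 30},
    "DS3": {(1, "192.0.2.10"): 1, (2, "192.0.2.10"): 2, (3, "198.51.100.7"): 50},
}
# Constructed per-destination baseline packet count per slot (normal traffic profile).
BASELINE = {"192.0.2.10": 3, "198.51.100.7": 4}

def local_alarms(counts, baseline, factor=5):
    """Anomaly detection at one DS: alarm on (slot, dst) whose count exceeds factor x baseline."""
    return {key for key, n in counts.items() if n > factor * baseline.get(key[1], 1)}

def global_decision(alarms_by_ds, quorum):
    """Collaboration step: confirm an attack on (slot, dst) only if >= quorum DSs alarmed."""
    votes = defaultdict(set)
    for ds, alarms in alarms_by_ds.items():
        for key in alarms:
            votes[key].add(ds)
    return {key: sorted(v) for key, v in votes.items() if len(v) >= quorum}

def filter_orders(confirmed):
    """Once confirmed: one filter rule per destination (from the first confirmed slot),
    plus the DSs whose upstream networks should be told to drop traffic to it."""
    orders = {}
    for (slot, dst), dss in sorted(confirmed.items()):
        o = orders.setdefault(dst, {"first_slot": slot, "notify": set()})
        o["notify"].update(dss)
    return {dst: {"first_slot": o["first_slot"], "notify": sorted(o["notify"])}
            for dst, o in orders.items()}

def run_dad(observations=OBSERVATIONS, baseline=BASELINE, quorum=2):
    alarms = {ds: local_alarms(c, baseline) for ds, c in observations.items()}
    confirmed = global_decision(alarms, quorum)
    return confirmed, filter_orders(confirmed)

if __name__ == "__main__":
    confirmed, orders = run_dad()
    print(confirmed)  # only 192.0.2.10 in slots 2 and 3 reaches the quorum
    print(orders)     # DS3's lone alarm for 198.51.100.7 never becomes a global decision
```

A global decision needs a full slot of counts from at least `quorum` DSs, which is the delay the slide refers to and why a flood shorter than the slot length is missed.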

Slide 21: Comparison of DDoS Solutions

Ubiquitous Ingress Packet Filtering (UIPF)
– Located at the ISP networks that connect to the leaves, spread towards the edges.

Route Based Packet Filtering (RPF)
– Located at the core, away from the edges.

Local Area Detection (LAD)
– Victim's local network or their upstream ISP.

Distributed Attack Detection (DAD)
– DSs spread in the core of the Internet.

Slide 22: Comparison of DDoS Solutions

UIPF and RPF are based on spoofed IP addresses and routing info.

LAD and DAD are based on traffic pattern anomalies and misuses. Less deterministic than UIPF and RPF, hence more false positives.

All are susceptible to false negatives because of the problem of reflector packets.

RPF and DAD require new protocols.

UIPF is difficult to deploy; a huge number of hosts need to be covered.

DAD requires the highest computation, hence the longest delay in detection.

Slide 23: Conclusion

Current approaches are inadequate.

Attack mechanisms and tools continue to improve.

A global defense mechanism, the Internet Firewall, may work.

The Internet Firewall has deployment issues.

Slide 24: References

1. http://dslab.csie.ncu.edu.tw/93html/paper/pdf/Defending%20against%20flooding-based%20distributed%20denial-of-service%20attacks%20%20a%20tutorial.pdf

2. http://staff.washington.edu/dittrich/misc/ddos/timeline.html

3. http://www.denialinfo.com

4. http://www.cagle.com/news/hackers/hacker5.asp

Slide 25: http://www.cagle.com/news/hackers/hacker5.asp