Mitigating DDoS Attacks
An Overview
Zhang Fu
[email protected]
Outline
What is DDoS? How is it done?
Different types of DDoS attacks.
Reactive vs. Proactive Defence
Some noticeable solutions
Crux issues
Discussion
The “battle” is going on.
DDoS Attacks
A Denial of Service (DoS) attack is an attempt by the attacker to
prevent the legitimate users of a service from using that service.
If the attack is launched from multiple compromised machines, then it
is a Distributed Denial of Service (DDoS) attack.
Basic Types of DDoS attacks:
Sending malformed packets to confuse systems (protocol or application). This can also be called a semantic attack.
Example: SYN flooding, Teardrop attacks
Flooding the victim with packets to deplete key resources (bandwidth). This can also be called a brute-force attack.
Example: DNS request flooding, Smurf attack.
DDoS Attacks (cont.)
What makes DDoS possible?
End-to-end paradigm: the intermediate network provides only a best-effort packet delivery service.
Different networks do not cooperate effectively.
The victim's security relies on the rest of the network.
End hosts cannot control the bandwidth allocation or queuing mechanism of the network.
Steps of launching DDoS attacks
Recruiting and exploiting.
Propagation.
Launching attacks.
Victim Types
Application
Targets a given application. If the resource is not completely consumed, other applications may still be available.
The attack traffic volume is usually small, and the packets look like normal traffic.
E.g. signature attack.
Host
Overwhelms the host's communication mechanism, or makes the host crash/reboot.
The attack traffic is usually large. The host cannot solve the problem alone.
Resource Attack
Attacks some critical entities in the victim's network, such as the DNS server.
Congests some critical links of the network.
The attack traffic is large and easy to detect, but defending against it requires cooperation.
Victim Types (cont.)
Infrastructure
Aims to disable critical services of the whole Internet, such as the root DNS servers, the core network, or certificate servers.
The attack can aggregate a huge volume of traffic within a very short time period.
Defending against this attack requires cooperation.
Impact of the attack
Disruptive: completely disables the victim's service.
The victim may recover automatically after the attack; some cases need humans to be involved, and some may not be recoverable.
Degrading: consumes some portion of the victim's resources.
Success depends on the service; QoS plays an important role.
Not easy to detect.
Tradeoff between deploying a defense mechanism and losing market share because of the degradation.
Summary of DDoS attacks
What is a DoS / DDoS attack?
Why can DDoS attacks be launched successfully?
DDoS attacks target both the application layer and the network layer.
Some DDoS attacks aim to completely deplete the victim's resources, while others aim to degrade the quality of the victim's service.
Challenges for defense mechanisms
DDoS is a distributed problem and needs to be solved in a distributed way. However, assuming global deployment would be rather strong.
Some attacks can hardly be defined. Many factors may be involved, such as the number of compromised machines, the attack rate, the attack duration, and the impact of the attack.
Lack of a universal benchmark.
Lack of test platforms for large-scale networks.
Principles for countermeasures
Security
The attacker can hardly break the secrets used in the system, or find a semantic flaw with which to attack the system.
Accuracy
The system should filter out the malicious traffic as much as
possible and affect the legitimate traffic as little as possible.
Efficiency
Keep the overhead within an acceptable threshold.
Safe Failure
When the system fails, the situation cannot be worse than it was before deployment.
Which way to go? Proactive vs. Reactive
Proactive solutions aim at preventing DDoS attacks from the beginning, or at keeping the victim's service available during the attacks.
How to prevent DDoS attacks? Secure the hosts; build DDoS-resilient protocols. We need both police and doctor!
How to make a system tolerate DDoS attacks? Resource accounting; provide more resources.
Examples of proactive solutions: puzzle-based solutions, network capability, secure overlay.
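As an added example (not from the slides), here is what a puzzle-based proactive defense looks like in code: the server hands out a cheap-to-generate challenge, the client must spend CPU time to find a solution, and the server spends only one HMAC and one hash to verify it before committing any real resource. The server keeps no per-client state because the nonce is an HMAC over the client id, issue time and difficulty; the secret, the difficulty of 12 bits and the 60-second lifetime are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
import time

# Constructed server-side secret: generated at start-up and rotated periodically (assumption).
SERVER_SECRET = os.urandom(32)


def _digest(nonce: str, solution: int) -> bytes:
    return hashlib.sha256(f"{nonce}:{solution}".encode()).digest()


def _leading_zero_bits(d: bytes) -> int:
    n = int.from_bytes(d, "big")
    return 256 - n.bit_length()


def make_challenge(client_id: str, difficulty: int, now=None) -> dict:
    """Server side: issue a puzzle. The nonce binds client id, issue time and difficulty
    under the server secret, so the challenge can be verified later without storing it."""
    ts = int(time.time() if now is None else now)
    msg = f"{client_id}|{ts}|{difficulty}".encode()
    nonce = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:16]
    return {"client_id": client_id, "ts": ts, "difficulty": difficulty, "nonce": nonce}


def solve(challenge: dict, max_iters: int = 1 << 24) -> int:
    """Client side: brute-force the smallest solution whose SHA-256(nonce:solution)
    starts with `difficulty` zero bits. Expected cost is about 2**difficulty hashes."""
    for solution in range(max_iters):
        if _leading_zero_bits(_digest(challenge["nonce"], solution)) >= challenge["difficulty"]:
            return solution
    raise RuntimeError("no solution within budget")


def verify(challenge: dict, solution: int, now=None, max_age: int = 60, spent=None) -> bool:
    """Server side: recompute the nonce (proves we issued this challenge), reject stale or
    replayed puzzles, then check the proof of work. `spent` is an optional set of nonces
    already redeemed within max_age, so a solved puzzle cannot be presented twice."""
    expected = make_challenge(challenge["client_id"], challenge["difficulty"], challenge["ts"])
    if not hmac.compare_digest(expected["nonce"], challenge["nonce"]):
        return False
    ts_now = int(time.time() if now is None else now)
    if not 0 <= ts_now - challenge["ts"] <= max_age:
        return False
    if spent is not None:
        if challenge["nonce"] in spent:
            return False
        spent.add(challenge["nonce"])
    return _leading_zero_bits(_digest(challenge["nonce"], solution)) >= challenge["difficulty"]


if __name__ == "__main__":
    ch = make_challenge("client-A", difficulty=12)
    sol = solve(ch)
    print("solution", sol, "accepted:", verify(ch, sol))
```

The asymmetry is the whole point: an attacker with many zombies still has to pay 2^difficulty hashes per request, while the server pays a constant amount per verification and can raise the difficulty as load grows. Because the challenge is stateless, the server must still track redeemed nonces for the lifetime of the puzzle, which the `spent` set models.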
Proactive vs. Reactive (cont.)
Reactive solutions aim at mitigating DDoS attacks once the victim is suffering from them, or once some DDoS attacks are detected.
Need some detection mechanism. Less overhead in the normal situation.
The problem is how to identify DDoS attacks, and what the proper responses are for different kinds of attacks.
• Use models of attacks to detect them. We can also define abnormal behaviours for detection, but we have to be careful with false positives.
• Block identified zombies, or apply rate limiting/filtering.
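To make "define abnormal behaviours, but be careful with false positives" and the rate-limiting response concrete, here is an added example that is not part of the slides. It runs a half-open-SYN detector over a constructed flow log (one client that completes every handshake and one source that sends 60 SYNs in a second without ever ACKing), and once a source is flagged its later packets are rate limited rather than dropped outright. The log format, the 1-second window, the threshold of 20 SYNs, the 90% half-open ratio and the 5 packets/s limit are all assumptions for this example.

```python
import re
from collections import defaultdict, deque

# Line format of the constructed flow log: "<seconds> <src> -> <dst> <TCP flag>"
LINE_RE = re.compile(r"^(?P<t>[\d.]+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) (?P<flags>\w+)$")


def build_sample_log():
    """Constructed traffic (not a real capture): one client that completes every
    handshake, and one source that sends 60 SYNs in one second and never ACKs."""
    lines = []
    for i in range(10):                       # legitimate client: SYN then ACK every 0.5 s
        t = i * 0.5
        lines.append(f"{t:.3f} 198.51.100.7 -> 203.0.113.10 SYN")
        lines.append(f"{t + 0.02:.3f} 198.51.100.7 -> 203.0.113.10 ACK")
    for i in range(60):                       # flooding source: half-open SYNs only
        t = 2.0 + i / 60
        lines.append(f"{t:.3f} 192.0.2.21 -> 203.0.113.10 SYN")
    lines.sort(key=lambda line: float(line.split()[0]))
    return lines


class SynFloodDetector:
    """Flags a source when, within `window` seconds, it sent at least `syn_threshold`
    SYNs and almost none were followed by an ACK. Requiring the half-open ratio and
    not just a SYN count keeps a busy but well-behaved client off the list."""

    def __init__(self, window=1.0, syn_threshold=20, min_half_open_ratio=0.9):
        self.window = window
        self.syn_threshold = syn_threshold
        self.min_half_open_ratio = min_half_open_ratio
        self.syns = defaultdict(deque)
        self.acks = defaultdict(deque)
        self.flagged = {}                     # src -> time first flagged

    def _trim(self, dq, now):
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def observe(self, line):
        m = LINE_RE.match(line)
        if not m:
            return None
        t, src, flags = float(m["t"]), m["src"], m["flags"]
        if flags == "SYN":
            self.syns[src].append(t)
        elif flags == "ACK":
            self.acks[src].append(t)
        self._trim(self.syns[src], t)
        self._trim(self.acks[src], t)
        n_syn, n_ack = len(self.syns[src]), len(self.acks[src])
        if n_syn >= self.syn_threshold and (n_syn - n_ack) / n_syn >= self.min_half_open_ratio:
            self.flagged.setdefault(src, t)
        return self.flagged.get(src)


class TokenBucket:
    """Per-source rate limiter used as the response to a flagged source."""

    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), None

    def allow(self, now):
        if self.last is None:
            self.last = now
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def run(lines, detector, limit_rate=5.0, burst=5):
    """Feed the log through detection; packets from a flagged source are rate limited
    (a cautious response in case of a false positive). Returns per-source counts."""
    buckets = {}
    stats = defaultdict(lambda: {"forwarded": 0, "dropped": 0})
    for line in lines:
        fields = line.split()
        t, src = float(fields[0]), fields[1]
        detector.observe(line)
        if src in detector.flagged:
            bucket = buckets.setdefault(src, TokenBucket(limit_rate, burst))
            stats[src]["forwarded" if bucket.allow(t) else "dropped"] += 1
        else:
            stats[src]["forwarded"] += 1
    return dict(stats)


if __name__ == "__main__":
    det = SynFloodDetector()
    print(run(build_sample_log(), det), "flagged:", det.flagged)
```

The well-behaved client is never touched because its SYNs are matched by ACKs, which is the false-positive check the slide asks for; the flooding source is flagged at its 20th SYN and from then on only gets the 5 packets/s the bucket allows.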
Network Layer Defense
Network Capability
Choose a path from source to the destination
Capability Establishment (Sending Request and getting Capability)
Sending Packets with Capability
Capability Refreshing
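The four steps above, written out as an added example that is not code from the slides or from any capability proposal: a destination-side enforcer hands out a capability (an HMAC over source, destination and expiry), forwards only packets that carry a valid unexpired one, confines capability-less "request" packets to a small per-source budget, and refreshes a capability only for a sender whose current one still verifies. The `Packet` shape, the secret, the 10-second lifetime and the request budget are assumptions of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    capability: Optional[dict] = None   # None means a capability request packet
    payload: bytes = b""


class CapabilityEnforcer:
    """Constructed model of a capability check at the destination's edge."""

    def __init__(self, secret: bytes, lifetime: int = 10, request_budget: int = 3):
        self.secret = secret
        self.lifetime = lifetime            # seconds a capability stays valid
        self.request_budget = request_budget  # request packets admitted per source
        self.requests_seen = {}             # src -> request packets admitted so far

    def _mac(self, src: str, dst: str, expiry: int) -> str:
        msg = f"{src}|{dst}|{expiry}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def grant(self, src: str, dst: str, now: int) -> dict:
        """Step 2: the destination decided to admit this sender; issue a capability."""
        expiry = now + self.lifetime
        return {"src": src, "dst": dst, "expiry": expiry, "mac": self._mac(src, dst, expiry)}

    def verify(self, pkt: Packet, now: int) -> bool:
        """Step 3: a data packet is accepted only with a capability bound to its own
        source and destination, not yet expired, and carrying a correct MAC."""
        cap = pkt.capability
        if cap is None or cap["src"] != pkt.src or cap["dst"] != pkt.dst:
            return False
        if now > cap["expiry"]:
            return False
        return hmac.compare_digest(cap["mac"], self._mac(cap["src"], cap["dst"], cap["expiry"]))

    def refresh(self, pkt: Packet, now: int) -> Optional[dict]:
        """Step 4: a fresh capability is issued only over a still-valid one."""
        if not self.verify(pkt, now):
            return None
        return self.grant(pkt.src, pkt.dst, now)

    def handle(self, pkt: Packet, now: int) -> str:
        """Forward, drop, or admit to the low-bandwidth request path."""
        if pkt.capability is not None:
            return "forwarded" if self.verify(pkt, now) else "dropped"
        used = self.requests_seen.get(pkt.src, 0)
        if used >= self.request_budget:
            return "dropped"                # request path is the only unprotected channel
        self.requests_seen[pkt.src] = used + 1
        return "request"


if __name__ == "__main__":
    e = CapabilityEnforcer(b"constructed-secret")
    print(e.handle(Packet("10.0.0.1", "10.0.0.9"), now=100))          # request
    cap = e.grant("10.0.0.1", "10.0.0.9", now=100)
    print(e.handle(Packet("10.0.0.1", "10.0.0.9", cap, b"hi"), 105))  # forwarded
    print(e.handle(Packet("10.0.0.1", "10.0.0.9", cap, b"hi"), 111))  # dropped (expired)
```

Binding the capability to the source address is what stops a zombie from reusing a capability granted to someone else, and the bounded request budget is what keeps the unprotected request channel itself from becoming the flooding target; the slide's question about IP spoofing applies directly to that source binding.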
Packet Marking (Trace back)
• Packets are marked by the routers along the path.
• When a DDoS attack occurs, the victim uses the marks to identify the attacking sources.
• The victim also sends control commands to the routers near the sources to limit the malicious traffic.
What are the advantages and disadvantages?
SOS: Secure Overlay Service
Application Layer Defense
How can network-based applications defend themselves?
Solutions inspired by Frequency Hopping.
ACK-based port hopping (Badishi et al. 2005)
Port hopping with bounded clock offset (Lee and Ting 2004)
Hopping authentication code (Srivatsa et al. 2006)
Port hopping in the presence of clock drifts (Zhang et al. 2008)
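As an added example (not the algorithm of any of the papers listed above), here is the frequency-hopping idea applied to ports: client and server share a secret and derive the port for each time slot from an HMAC over the slot number, so only a party holding the secret knows where the service is listening right now. To cope with clock offset, the server accepts the ports of the neighbouring slots as well, which is the simplest way to tolerate a bounded drift. The 5-second slot, the port range and the plus or minus one slot window are assumptions of this example.

```python
import hashlib
import hmac
import struct

SLOT_SECONDS = 5                      # assumed hopping period
PORT_LOW, PORT_HIGH = 20000, 60000    # assumed port range reserved for hopping


def slot_of(clock: float) -> int:
    """Time slot index for a given clock reading."""
    return int(clock // SLOT_SECONDS)


def port_for_slot(secret: bytes, slot: int) -> int:
    """Pseudo-random port for one slot: HMAC-SHA256(secret, slot) mapped into the range.
    Without the secret the sequence is unpredictable; with it, both sides agree."""
    mac = hmac.new(secret, struct.pack(">q", slot), hashlib.sha256).digest()
    return PORT_LOW + int.from_bytes(mac[:4], "big") % (PORT_HIGH - PORT_LOW)


def client_port(secret: bytes, client_clock: float) -> int:
    """The client sends to the port of the slot its own clock says it is in."""
    return port_for_slot(secret, slot_of(client_clock))


def accepting_slots(server_clock: float, max_drift_slots: int = 1) -> set:
    """Slots the server is willing to accept, allowing for bounded clock offset."""
    s = slot_of(server_clock)
    return set(range(s - max_drift_slots, s + max_drift_slots + 1))


def server_open_ports(secret: bytes, server_clock: float, max_drift_slots: int = 1) -> set:
    """Ports the server keeps open at this moment: current slot plus its neighbours."""
    return {port_for_slot(secret, s) for s in accepting_slots(server_clock, max_drift_slots)}


def server_accepts(secret: bytes, dst_port: int, server_clock: float,
                   max_drift_slots: int = 1) -> bool:
    """Is a packet arriving on dst_port at server time server_clock admitted?"""
    return dst_port in server_open_ports(secret, server_clock, max_drift_slots)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    for offset in (0, 3, 6, 12):      # client clock ahead of the server by `offset` seconds
        p = client_port(secret, 1000 + offset)
        print(f"offset {offset:2d}s -> port {p} accepted: {server_accepts(secret, p, 1000)}")
```

The trade-off is visible in the window: a wider `max_drift_slots` tolerates more clock drift but keeps more ports open at once, which is exactly the kind of "bounded clock offset" and "clock drift" question the papers above address with proper synchronisation rather than a fixed window.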
Crux Issues
IP spoofing.
Network topology dependency.
Refreshing secrets.
Feedback mechanisms.
Space efficiency.
We can hardly solve the DDoS problem completely. The ideal solution could be very complicated, and we might need an integrated solution; however, the optimal integration is unclear.
Summary
What is DDoS
Why it is possible
What the main categories of defence mechanisms are
We want secure, robust, efficient solutions for the problem.
The End
Thank You