Andrew Knotts' presentation on Distributed DoS attacks


Survey of Distributed Denial of Service Attacks and Popular Countermeasures
Andrew Knotts, Kent State University

Referenced from:
Charalampos Patrikakis, Michalis Masikos, and Olga Zouraraki. Denial of service attacks. Internet Protocol Journal, 7(4):13–25, December 2004.
Outline
- Introduction/Overview
- Recruiting Zombie Machines
- Spreading the Virus
- A Typical DDoS Attack
- Defending Against a DDoS Attack
[Diagram on the outline slide: Technology / Policies / Education; Transmitting / Processing / Storing]
DoS vs. DDoS Attacks
- A DoS attack is targeted at a particular node (machine).
- It attempts to deny service to that node.
- Source of the attack:
  - Single node: DoS (Denial of Service) attack
  - Multiple nodes: DDoS (Distributed Denial of Service) attack
DDoS Attacks: A Tough Problem
- Victims are unable to communicate with other machines, so the surrounding network may not know to help.
- Traffic spikes very fast. It is hard to react quickly enough.
- Traffic filtering will filter user traffic as well.
- The network may be the bottleneck, not the victim.
- IP spoofing makes it hard to back-trace attack traffic.
Target Resources
- A (D)DoS attack overwhelms the resources of the target:
  - Network Bandwidth
  - Computing Power
    - Processor
    - Memory
Recruiting Zombie Machines
- The attacker must infect a set of nodes to target the victim.
- Unpatched machines are easily compromised.
- Once infected, these nodes are known as zombies.
Finding Vulnerable Machines
- Random Scanning
  - Targets machines at random IP addresses.
- Hit-list Scanning
  - Targets nodes from a hit-list.
- Topological Scanning
  - The hit-list is generated "on-the-fly" by scanning infected machines for valid URLs.
- Local Subnet Scanning
  - An infected machine on the same subnet may exploit vulnerabilities of other machines normally protected by the firewall.
A Typical DDoS Attack
- The zombies are divided into masters and slaves.
- The attacker signals the masters to start the attack; the masters then signal the slaves.
- The slaves flood the victim.
- IP spoofing is usually used to hide the identity of the slave zombies.
[Diagram: Attacker -> Master Zombies -> Slave Zombies -> Victim. Concept of diagram referenced from [1].]
A DRDoS Attack
- Distributed Reflector Denial of Service
- Reflectors are uncompromised machines.
- The slave zombies send packets to the reflectors with IP source addresses spoofed as the target.
- The reflectors carry out the flooding rather than the slaves.
- More distributed than a typical DDoS attack.
[Diagram: Attacker -> Master Zombies -> Slave Zombies -> Reflectors -> Victim. Concept of diagram referenced from [1].]
Defending Against a DDoS Attack
- Two General Approaches
  - Prevent the Attack
    - Try to stop the attack from happening in the first place.
  - React to the Attack
    - Detect the attack early, and react appropriately.
Defending Against a DDoS Attack
- Techniques to prevent attacks
  - Keep machines up-to-date with patches and antivirus.
    - Hard to do because machines are distributed.
  - Filter spoofed IP traffic
    - Source IPs of outbound packets should be from the local network.
    - Source IPs of inbound packets should not be from the local network.
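The two anti-spoofing rules on this slide (egress: outbound packets must carry a local source; ingress: inbound packets must not) are easy to state but worth seeing applied to concrete packets. The following is an added example, not code from the presentation or from the cited paper; the prefix 192.0.2.0/24 and the sample packets are constructed, and the packet tuples assume a simple (direction, source, destination) view of what an edge router sees.

```python
import ipaddress
from typing import List, Tuple

# Constructed example: the prefix of the network behind this edge router.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")


def classify_packet(direction: str, src: str, dst: str,
                    local_net: ipaddress.IPv4Network = LOCAL_NET) -> str:
    """Apply the slide's two rules to one packet and return "forward" or "drop".

    direction is "outbound" (leaving local_net) or "inbound" (arriving from outside).
    Only the source address matters for the spoofing decision; dst is carried
    along so the caller sees the whole packet.
    """
    src_local = ipaddress.ip_address(src) in local_net
    if direction == "outbound":
        # Egress rule: a packet leaving the site must carry a local source address.
        # Anything else is a local zombie spoofing some other network's address.
        return "forward" if src_local else "drop"
    if direction == "inbound":
        # Ingress rule: a packet arriving from outside must not claim to come
        # from inside; such a packet is spoofed (e.g. a reflector trigger).
        return "drop" if src_local else "forward"
    raise ValueError(f"unknown direction {direction!r}")


def apply_filter(packets: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (direction, src, dst, verdict) for every (direction, src, dst) packet."""
    return [(d, s, t, classify_packet(d, s, t)) for d, s, t in packets]


# Constructed sample traffic: two legitimate packets and two spoofed ones.
SAMPLE_PACKETS = [
    ("outbound", "192.0.2.10", "198.51.100.5"),   # local host talking out: forward
    ("outbound", "203.0.113.7", "198.51.100.5"),  # local zombie spoofing a foreign source: drop
    ("inbound", "203.0.113.7", "192.0.2.10"),     # genuine remote client: forward
    ("inbound", "192.0.2.20", "192.0.2.10"),      # outside packet claiming a local source: drop
]


def dropped_sources(packets: List[Tuple[str, str, str]] = SAMPLE_PACKETS) -> List[str]:
    """Source addresses of the packets the filter discards, in input order."""
    return [s for _, s, _, verdict in apply_filter(packets) if verdict == "drop"]


if __name__ == "__main__":
    for row in apply_filter(SAMPLE_PACKETS):
        print(*row)
```

The egress rule is the one that matters most for the recruiting picture on the earlier slides: a network that enforces it cannot be used by its own zombies to send spoofed floods, which is why the slide lists it under prevention rather than reaction.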
Defending Against a DDoS Attack
- Techniques to detect an attack early
  - Signature Detection
    - Compare traffic signatures to known attack signatures.
    - Cannot detect new attacks with new signatures.
  - Anomaly Detection
    - Compare traffic behavior with "normal" traffic behavior.
    - What constitutes "normal" traffic has to be updated.
  - Hybrid Systems
    - Combine both signature detection and anomaly detection.
[Diagram of a hybrid system: Anomaly Detection -> Update -> Signature Database]
Route Filtering
- Blackhole routing
  - Routes attack traffic to a "blackhole" (null interface).
  - Only useful if attack traffic can be differentiated from legitimate traffic.
- Sinkhole routing
  - Detect suspicious traffic and redirect it to an analyzer.
  - If it is attack traffic, drop it (route to null interface).
  - Otherwise route it to its original destination.
Real-time Analysis of Flow Data
- Flow data can be useful for analyzing the behavior characteristics of traffic.
- In order for flow data to be useful for detecting attacks, it must be processed fast enough to respond.
- Munz and Carle [2] propose a system and framework to handle the real-time analysis of this flow data.

Real-time Analysis of Flow Data
A simplified diagram of the TOPAS system
[Diagram: IPFIX/NetFlow Data -> Receiver -> Ring Buffer -> Container / Detection Algorithm 1 -> Alert; Container / Detection Algorithm 2 -> Alert; Container / Detection Algorithm 3 -> Alert. Concept of diagram referenced from [2].]
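The detection slide above describes signature detection, anomaly detection and their combination; the TOPAS diagram shows flow records arriving in a ring buffer that several detection algorithms read. The following added example ties the two together in one small program. It is not TOPAS's code and not the presentation's; the FlowRecord field set, the SYN-flood signature rule, the "three times the baseline" anomaly threshold and the sample traffic are all constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from statistics import mean
from typing import Deque, Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class FlowRecord:
    """A minimal IPFIX/NetFlow-style record (constructed field set, not TOPAS's)."""
    src: str
    dst: str
    dport: int
    packets: int
    tcp_flags: str  # "S" = SYN only, "PA" = established data transfer


class FlowRingBuffer:
    """Fixed-capacity ring buffer: the receiver pushes records, detectors read snapshots."""

    def __init__(self, capacity: int) -> None:
        self._records: Deque[FlowRecord] = deque(maxlen=capacity)

    def push(self, record: FlowRecord) -> None:
        self._records.append(record)  # the oldest record is overwritten when full

    def snapshot(self) -> List[FlowRecord]:
        return list(self._records)


def signature_detector(records: Iterable[FlowRecord], min_sources: int = 5) -> List[str]:
    """Signature rule: SYN-only flows from many distinct sources toward one dst:port.
    It only fires on this known pattern, which is the slide's 'cannot detect new
    attacks' limitation."""
    syn_sources: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for r in records:
        if r.tcp_flags == "S":
            syn_sources[(r.dst, r.dport)].add(r.src)
    return [f"signature: SYN flood toward {dst}:{port} from {len(srcs)} sources"
            for (dst, port), srcs in syn_sources.items() if len(srcs) >= min_sources]


class AnomalyDetector:
    """Anomaly rule: packets per window far above a baseline learned from past windows.
    The baseline is refreshed only by windows judged normal, which is one way to
    keep the notion of 'normal' traffic updated."""

    def __init__(self, factor: float = 3.0, history: int = 8, warmup: int = 3) -> None:
        self._baseline: Deque[int] = deque(maxlen=history)
        self.factor, self.warmup = factor, warmup

    def check(self, records: Iterable[FlowRecord]) -> Optional[str]:
        total = sum(r.packets for r in records)
        if len(self._baseline) >= self.warmup and total > self.factor * mean(self._baseline):
            return f"anomaly: {total} packets/window vs baseline {mean(self._baseline):.0f}"
        self._baseline.append(total)
        return None


def analyse_windows(windows: Iterable[List[FlowRecord]], capacity: int) -> List[Tuple[int, str]]:
    """Push each window through the ring buffer and run both detectors on the snapshot.
    Returns (window index, alert message) pairs."""
    buf = FlowRingBuffer(capacity)
    anomaly = AnomalyDetector()
    alerts: List[Tuple[int, str]] = []
    for idx, window in enumerate(windows):
        for rec in window:
            buf.push(rec)
        snap = buf.snapshot()
        alerts.extend((idx, msg) for msg in signature_detector(snap))
        msg = anomaly.check(snap)
        if msg:
            alerts.append((idx, msg))
    return alerts


def make_sample_windows() -> List[List[FlowRecord]]:
    """Constructed traffic: five normal windows of HTTPS data flows, then one SYN-flood window."""
    normal = [[FlowRecord(f"203.0.113.{i}", "192.0.2.10", 443, 20, "PA") for i in range(10)]
              for _ in range(5)]
    attack = [FlowRecord(f"198.51.100.{i}", "192.0.2.10", 80, 100, "S") for i in range(10)]
    return normal + [attack]


if __name__ == "__main__":
    for idx, msg in analyse_windows(make_sample_windows(), capacity=10):
        print(f"window {idx}: {msg}")
```

With capacity equal to the window size, each snapshot is exactly one window; a larger capacity lets a detector look back over several windows at the cost of slower reaction, which is the speed trade-off the slide mentions. On the sample traffic both detectors stay silent for the five normal windows and both fire on the sixth.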
Path Identification
- IP spoofing is commonly used to mask the source of an attack.
- Use a "Path Identifier" (Pi) to discover an approximate source of attack packets [3].
- These packets can then be classified as malicious (based on their path identifier) and filtered accordingly.

Issues with Path Identification
- 16 bits are used to store path information.
  - This is not very large and may be insufficient for long paths!
- Packets from the same attacker are not guaranteed to follow the same path.
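The Pi idea on these two slides, and the 16-bit limitation, are easiest to see in a simulation. The following is an added example, not the presentation's code and not the reference implementation from Yaar, Perrig and Song [3]: it models each router as writing a 2-bit mark derived from a hash of its own address into a 16-bit field, and the victim as remembering the Pi values seen on packets it has already identified as attack traffic. The hash, the router addresses and the packet labels are constructed.

```python
import hashlib
from typing import List, Sequence, Set, Tuple

PI_FIELD_BITS = 16  # the 16-bit marking field from the slides


def router_mark(router_ip: str, mark_bits: int) -> int:
    """Mark contributed by one router: the low mark_bits of a hash of its address.
    Simplified, constructed model of per-router marking; not the paper's exact hash."""
    digest = hashlib.sha256(router_ip.encode("ascii")).digest()
    return digest[-1] & ((1 << mark_bits) - 1)


def mark_path(path: Sequence[str], mark_bits: int = 2) -> int:
    """Simulate the Pi field of a packet that traverses `path`.

    Every hop shifts the field left by mark_bits and writes its own mark into the
    vacated low bits, so only the last PI_FIELD_BITS // mark_bits hops survive:
    with 2-bit marks that is 8 hops, which is the slide's "insufficient for long
    paths" issue.
    """
    mask = (1 << PI_FIELD_BITS) - 1
    pi = 0
    for router in path:
        pi = ((pi << mark_bits) | router_mark(router, mark_bits)) & mask
    return pi


class PiFilter:
    """Victim-side filter: remember Pi values seen on identified attack packets,
    then drop every later packet carrying one of those values."""

    def __init__(self) -> None:
        self.attack_marks: Set[int] = set()

    def learn_attack(self, pi: int) -> None:
        self.attack_marks.add(pi)

    def accept(self, pi: int) -> bool:
        return pi not in self.attack_marks


def filter_packets(packets: Sequence[Tuple[int, str]], flt: PiFilter) -> List[str]:
    """Return the labels of the packets the filter lets through."""
    return [label for pi, label in packets if flt.accept(pi)]


# Constructed topology: 10 router addresses on the attacker's path (2 more than fit).
ATTACK_PATH = [f"10.0.{i}.1" for i in range(10)]
# A path with different first two hops that joins the same final 8 hops.
# After 10 hops the first two marks have been shifted out, so Pi cannot tell
# the two paths apart and legitimate traffic on the second path is filtered too.
SHARED_TAIL_PATH = ["10.99.0.1", "10.99.1.1"] + ATTACK_PATH[2:]


def demo() -> Tuple[int, int, List[str]]:
    """Learn the attack Pi, then filter three packets; returns (attack Pi, shared-tail Pi, passed)."""
    attack_pi = mark_path(ATTACK_PATH)
    tail_pi = mark_path(SHARED_TAIL_PATH)
    flt = PiFilter()
    flt.learn_attack(attack_pi)
    passed = filter_packets([(attack_pi, "attack"),
                             (tail_pi, "shares-last-8-hops"),
                             (attack_pi ^ 1, "other-path")], flt)
    return attack_pi, tail_pi, passed


if __name__ == "__main__":
    a, t, passed = demo()
    print(f"attack Pi={a:016b} shared-tail Pi={t:016b} passed={passed}")
```

The second issue on the slide, that an attacker's packets need not all follow the same path, shows up in this model as well: if a route change alters any of the last eight hops, the packets arrive with a new Pi that the filter has not learned yet, so the victim has to keep re-learning marks while the attack is under way.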
Network Overlays
- To prevent malicious traffic, only allow the target to communicate with a confirmed user [4]. The target must give permission to this "user".
- Filter all traffic in the region around the target that is not confirmed.
- Confirmed traffic originates from a list of predefined friendly nodes.
- Protect the identity of these nodes by using a network overlay.

The SOS System
A simplified diagram of the SOS system
[Diagram: Overlay Network of Overlay Nodes, "Secret Servlets", Filtered Region around the Target. Concept of diagram referenced from [4].]
Issues with the SOS system
- Expensive to implement
  - An entire overlay must be created to protect a node. Overlay routers must implement a filtering protocol.
Future Work
- IP is not a security-oriented protocol.
- Designing Internet protocols with security in mind will help mitigate DDoS attacks.
- Most current work simply focuses on the target or the network around the target. It is useful to also utilize the entire network from attacker to target to help mitigate DDoS attacks (the Pi system touched on this concept).
References
[1] Charalampos Patrikakis, Michalis Masikos, and Olga Zouraraki. Denial of service attacks. Internet Protocol Journal, 7(4):13–25, December 2004.
[2] Gerhard Munz and Georg Carle. Real-time analysis of flow data for network attack detection. 10th IFIP/IEEE International Symposium on Integrated Network Management, pages 100–108, May 2007.
[3] Abraham Yaar, Adrian Perrig, and Dawn Song. Pi: A path identification mechanism to defend against DDoS attacks. In Proceedings of the 2003 IEEE Symposium on Security and Privacy, pages 93–107, Washington, DC, USA, May 2003. IEEE Computer Society.
[4] Angelos D. Keromytis, Vishal Misra, and Dan Rubenstein. SOS: Secure overlay services. In SIGCOMM, Pittsburgh, PA, August 2002. ACM.