Part I: Introduction
Download
Report
Transcript Part I: Introduction
DDoS Attack and Its Defense
CSE 5473: Network Security
Prof. Dong Xuan
DDoS Attack and Its Defense
1
Why DoS?
Sub-cultural status
To gain access
Revenge
Political reasons
Economic reasons
Nastiness
DDoS Attack and Its Defense
2
How DoS (remotely)?
Consume host resources
Memory
Processor cycles
Network state
Consume network resources
Bandwidth
Router resources (it’s a host too!)
Exploit protocol vulnerabilities
Poison ARP cache
Poison DNS cache
Etc…
DDoS Attack and Its Defense
3
Where DoS
End hosts
Critical servers (disrupt C/S network)
Web, File, Authentication, Update
DNS
Infrastructure
Routers within org
All routers in upstream path
DDoS Attack and Its Defense
4
Outline
What is a DDOS attack?
How to defend a DDoS attack?
DDoS Attack and Its Defense
5
What is DDoS attack?
• Internet DDoS attack is real threat
- on websites
· Yahoo, CNN, Amazon, eBay, etc (Feb. 2000)
services were unavailable for several hours
- on Internet infrastructure
· 13 root DNS servers (Oct, 2002)
7 of them were shut down, 2 others partially unavailable
• Lack of defense mechanism on current Internet
DDoS Attack and Its Defense
6
What is a DDos Attack?
Examples of DoS include:
Flooding a network
Disrupting connections between machines
Disrupting a service
Distributed Denial-of-Service Attacks
Many machines are involved in the attack against one or more
victim(s)
DDoS Attack and Its Defense
7
ATTACK SIZE IN GBPS
ATTACK SIZE IN GBPS
MAIN TARGETS
ESTONIAN CYBERWAR APRIL
27, 2007
Inoperability of the following state and
commercial sites:
The Estonian presidency and its parliament.
Almost all of the country’s government
ministries.
Political parties.
Three news organizations.
Two biggest banks and communication’s firms.
Governmental ISP.
Telecom companies.
» Source: Alexei Zhatechenko
Distributed Denial of Service
(DDoS) Networks
DDoS Attack and Its Defense
12
DDoS Network
http://www.adelphi.edu/~spock/lisa2000-shaft.pdf
DDoS Attack and Its Defense
13
You are here…
DDoS Attack and Its Defense
14
Typical DDoS attack
DDoS Attack and Its Defense
15
DDoS Attack and Its Defense
16
DDoS Attack and Its Defense
17
DDoS Attack and Its Defense
18
What Makes DDoS Attacks Possible?
Internet was designed with functionality & not
security in mind
Internet security is highly interdependent
Internet resources are limited
Power of many is greater than power of a few
DDoS Attack and Its Defense
19
To Address DDoS attack
Ingress Filtering
- P. Ferguson and D. Senie, RFC 2267, Jan 1998
- Block packets that has illegitimate source addresses
- Disadvantage : Overhead makes routing slow
Identification of the origins (Traceback problem)
- IP spoofing enables attackers to hide their identity
- Many IP traceback techniques are suggested
Mitigating the effect during the attack
- Pushback
DDoS Attack and Its Defense
20
IP Traceback
- Allows victim to identify the origin of attackers
- Several approaches
ICMP trace messages, Probabilistic Packet Marking,
Hash-based IP Traceback, etc.
DDoS Attack and Its Defense
21
PPM
Probabilistic Packet Marking scheme
- Probabilistically inscribe local path info
- Use constant space in the packet header
- Reconstruct the attack path with high probability
Marking at router R
For each packet w
Generate a random number x from [0,1)
If x < p then
Write IP address of R into w.head
Write 0 into w.distance
else
if w.distance == 0 then
write IP address of R into w.tail
Increase w.distance
endif
DDoS Attack and Its Defense
22
PPM (Cont.)
legitimate user
attacker
Victim
DDoS Attack and Its Defense
23
PPM (Cont.)
legitimate user
attacker
Victim
DDoS Attack and Its Defense
24
PPM (Cont.)
legitimate user
attacker
R
R
R
R
R
Victim
V
DDoS Attack and Its Defense
25
What is Pushback?
A mechanism that allows a router to
request adjacent upstream routers to limit
the rate of traffic
Reference
DDoS Attack and Its Defense
26
How Does it Work?
A congested router requests adjacent
routers to limit the rate of traffic for
that particular aggregate
Router sends pushback message
Received routers propagate pushback
DDoS Attack and Its Defense
27
How Does it Work?
DDoS Attack and Its Defense
28
When is it invoked?
Drop rate for an aggregate exceeds the
limit imposed on it (monitoring the queue)
Pushback agent receives information that a
DoS attack is underway (packet drop
history)
DDoS Attack and Its Defense
29
When does it stop?
Feedback messages are sent to upstream
routers that report on how much traffic
from the aggregates is still present
DDoS Attack and Its Defense
30
What are some advantages?
Pushback prevents bandwidth from being
wasted on packets that will later be
dropped (better when closer to the source)
Protects other traffic from the attack
traffic
When network is under attack it can rate
limit the malicious traffic
DDoS Attack and Its Defense
31
Any disadvantages?
Pushback will be ineffective against certain
DoS attacks (reflector attack)
Can make matters worse (against flooding
attacks)
Not the only solution
DDoS Attack and Its Defense
32
Conclusion
What is a DDoS attack?
Defending a DDoS attack
Ingress filtering
Traceback
Pushback
DDoS Attack and Its Defense
33