
DDoS Attack and Its Defense
CSE 5473: Network Security
Prof. Dong Xuan
Why DoS?
• Sub-cultural status
• To gain access
• Revenge
• Political reasons
• Economic reasons
• Nastiness
How DoS (remotely)?
• Consume host resources
  - Memory
  - Processor cycles
  - Network state
• Consume network resources
  - Bandwidth
  - Router resources (it’s a host too!)
• Exploit protocol vulnerabilities
  - Poison ARP cache
  - Poison DNS cache
  - Etc…
Where DoS?
• End hosts
  - Critical servers (disrupt C/S network)
    · Web, File, Authentication, Update
  - DNS
• Infrastructure
  - Routers within org
  - All routers in upstream path
Outline
• What is a DDoS attack?
• How to defend against a DDoS attack?
What is a DDoS attack?
• Internet DDoS attacks are a real threat
  - on websites
    · Yahoo, CNN, Amazon, eBay, etc. (Feb. 2000): services were unavailable for several hours
  - on Internet infrastructure
    · 13 root DNS servers (Oct. 2002): 7 of them were shut down, 2 others partially unavailable
• Lack of defense mechanisms in the current Internet
What is a DDoS Attack?
• Examples of DoS include:
  - Flooding a network
  - Disrupting connections between machines
  - Disrupting a service
• Distributed Denial-of-Service Attacks
  - Many machines are involved in the attack against one or more victim(s)
[Figure: attack size in Gbps and main targets]

Estonian Cyberwar, April 27, 2007
• Inoperability of the following state and commercial sites:
  - The Estonian presidency and its parliament.
  - Almost all of the country’s government ministries.
  - Political parties.
  - Three news organizations.
  - Two biggest banks and communications firms.
  - Governmental ISP.
  - Telecom companies.

Source: Alexei Zhatechenko
Distributed Denial of Service (DDoS) Networks

DDoS Network (figure; source: http://www.adelphi.edu/~spock/lisa2000-shaft.pdf)

You are here… (figure)

Typical DDoS attack (figure, shown over several slides)
What Makes DDoS Attacks Possible?
• Internet was designed with functionality & not security in mind
• Internet security is highly interdependent
• Internet resources are limited
• Power of many is greater than power of a few
To Address DDoS Attacks
• Ingress Filtering
  - P. Ferguson and D. Senie, RFC 2267, Jan 1998
  - Block packets that have illegitimate source addresses
  - Disadvantage: filtering overhead slows routing
• Identification of the origins (traceback problem)
  - IP spoofing enables attackers to hide their identity
  - Many IP traceback techniques have been proposed
• Mitigating the effect during the attack
  - Pushback
IP Traceback
- Allows the victim to identify the origin of attackers
- Several approaches: ICMP trace messages, Probabilistic Packet Marking, Hash-based IP Traceback, etc.
PPM
• Probabilistic Packet Marking scheme
  - Probabilistically inscribe local path info
  - Use constant space in the packet header
  - Reconstruct the attack path with high probability
Marking at router R:
    for each packet w:
        generate a random number x from [0, 1)
        if x < p then
            write the IP address of R into w.head
            write 0 into w.distance
        else
            if w.distance == 0 then
                write the IP address of R into w.tail
            endif
            increase w.distance    (done by every non-marking router, so the victim
                                    learns how many hops away the marked edge is)
        endif
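As an added example that is not part of the slides, the following Python implements the marking procedure above as edge sampling together with the victim-side reconstruction it supports; the router names, the three-hop path R1 -> R2 -> R3 -> V and the marking probability p are constructed for illustration. The second run shows why a sender who pre-fills the mark fields can only add a node beyond the real path: routers increment the distance field but never lower it.

```python
import random

# Added example (not from the slides): edge-sampling PPM following the marking
# pseudocode above. Router names, the path R1->R2->R3->V and p are made up.

class Packet:
    """Only the fields PPM uses: the sampled edge (head, tail) and a hop count."""
    def __init__(self, head=None, tail=None, distance=0):
        self.head, self.tail, self.distance = head, tail, distance

def mark(router, w, p, rng):
    """Marking at router R for packet w, as on the slide."""
    if rng.random() < p:                 # with probability p start a new edge
        w.head, w.tail, w.distance = router, None, 0
    else:                                # otherwise extend the mark already present
        if w.distance == 0:              # first router after the one that marked
            w.tail = router
        w.distance += 1                  # every non-marking router counts one hop

def send(path, n, p, seed=7, initial=None):
    """Forward n packets along path; 'initial' lets the sender pre-fill the mark."""
    rng, packets = random.Random(seed), []
    for _ in range(n):
        w = Packet(*initial) if initial else Packet()
        for router in path:
            mark(router, w, p, rng)
        packets.append(w)
    return packets

def reconstruct(packets, victim):
    """Victim side: a mark (head, tail, d) is an edge whose tail is d hops away
    and whose head is d+1. Walk outward from the victim one hop level at a time."""
    edges = set()
    for w in packets:
        if w.head is None or (w.tail is None and w.distance > 0):
            continue                     # unmarked, or impossible for an honest mark
        edges.add((w.head, w.tail if w.tail is not None else victim, w.distance))
    levels, frontier, d = [[victim]], {victim}, 0
    while frontier:
        frontier = {h for h, t, dist in edges if dist == d and t in frontier}
        if frontier:
            levels.append(sorted(frontier))
        d += 1
    return levels

if __name__ == "__main__":               # a forged initial mark can only land beyond R1
    print(reconstruct(send(["R1", "R2", "R3"], 500, 0.5), "V"))
    print(reconstruct(send(["R1", "R2", "R3"], 500, 0.5, initial=("FAKE", None, 0)), "V"))
```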
PPM (Cont.)
[Figure, shown over several slides: a legitimate user and an attacker send packets through routers R to the victim V]
What is Pushback?
• A mechanism that allows a router to request adjacent upstream routers to limit the rate of traffic
• Reference
How Does it Work?
• A congested router requests adjacent routers to limit the rate of traffic for that particular aggregate
• The router sends a pushback message
• Receiving routers propagate the pushback upstream

How Does it Work? (figure)
When is it invoked?
• The drop rate for an aggregate exceeds the limit imposed on it (monitoring the queue)
• The pushback agent receives information that a DoS attack is underway (packet drop history)

When does it stop?
• Feedback messages are sent to upstream routers that report on how much traffic from the aggregates is still present
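As an added example not taken from the slides, this Python model walks through the pushback steps above on a constructed three-router tree: queue monitoring finds that the drop rate exceeds its limit, the congested router sends a pushback for the attack aggregate that upstream routers propagate, and the feedback reports how much of that aggregate is still present afterwards. The rates, capacities, the 50% trigger and the proportional split of the limit among upstream neighbours are assumptions of the example, not part of the pushback design.

```python
# Added example (not from the slides): a toy model of pushback. The tree, link
# capacities, rates (Mbit/s), the 50% drop-rate trigger and the proportional
# split of the limit among upstream neighbours are all constructed here.

class Node:
    """An end host (fixed 'sends') or a router fed by its 'upstream' neighbours."""
    def __init__(self, name, capacity=float("inf"), sends=None):
        self.name, self.capacity = name, capacity
        self.sends = sends or {}        # aggregate -> rate this host generates
        self.upstream = []              # neighbours whose traffic arrives here
        self.limits = {}                # aggregate -> rate limit set by pushback

    def offered(self, aggregate):
        """Rate of the aggregate arriving here: own traffic plus upstream forwards."""
        return self.sends.get(aggregate, 0) + sum(u.forwarded(aggregate) for u in self.upstream)

    def forwarded(self, aggregate):
        """What leaves this node downstream once any pushback limit is applied."""
        return min(self.offered(aggregate), self.limits.get(aggregate, float("inf")))

def drop_rate(router, aggregates):
    """Fraction of arriving traffic the router must drop (what queue monitoring sees)."""
    total = sum(router.offered(a) for a in aggregates)
    return max(0.0, total - router.capacity) / total if total else 0.0

def pushback(router, aggregate, limit):
    """Send pushback: each upstream neighbour carrying the aggregate is asked to cut
    to its share of `limit`; routers propagate the request; the return value is the
    feedback, i.e. how much of the aggregate is still arriving afterwards."""
    rates = {u: u.forwarded(aggregate) for u in router.upstream if u.forwarded(aggregate) > 0}
    total = sum(rates.values())
    for u, rate in rates.items():
        u.limits[aggregate] = limit * rate / total
        if u.upstream:                  # a router, not an end host: propagate
            pushback(u, aggregate, u.limits[aggregate])
    return router.offered(aggregate)

def demo():
    """Attack sources A1/A2 flood aggregate 'V' through R1/R2 into R0 (10 Mbit/s),
    while legitimate host L1 sends 2 Mbit/s of aggregate 'W' through R1."""
    a1, a2, l1 = Node("A1", sends={"V": 20}), Node("A2", sends={"V": 15}), Node("L1", sends={"W": 2})
    r1, r2, r0 = Node("R1", 50), Node("R2", 50), Node("R0", 10)
    r1.upstream, r2.upstream, r0.upstream = [a1, l1], [a2], [r1, r2]
    before, feedback = drop_rate(r0, ["V", "W"]), None
    if before > 0.5:                    # invoke when drops exceed the limit imposed
        feedback = pushback(r0, "V", r0.capacity - r0.offered("W"))
    return before, feedback, drop_rate(r0, ["V", "W"])
```

After the pushback, R0 carries exactly its 10 Mbit/s capacity, so the legitimate 'W' traffic is no longer dropped alongside the attack aggregate.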
What are some advantages?
• Pushback prevents bandwidth from being wasted on packets that will later be dropped (better when closer to the source)
• Protects other traffic from the attack traffic
• When the network is under attack it can rate-limit the malicious traffic
Any disadvantages?
• Pushback will be ineffective against certain DoS attacks (reflector attack)
• Can make matters worse (against flooding attacks)
• Not the only solution
Conclusion
• What is a DDoS attack?
• Defending against a DDoS attack
  - Ingress filtering
  - Traceback
  - Pushback