An Overview and Classification of DDoS Attacks


A Taxonomy of DDoS Attack and DDoS Defense Mechanisms
Authors: Jelena Mirkovic, University of Delaware; Peter Reiher, UCLA
Presentation by: Sagar Panchariya, Masters Student
Table of Contents
• DDoS definition
• How to inflict a DDoS attack, entities involved, phases of an attack, possible motives behind a DDoS attack
• What makes DDoS possible?
• Classification of attacks
• Video
• Conclusion
• References
What is a DoS and DDoS attack?
• In its simplest form, a Denial of Service (DoS) attack is an
attack against any system component that attempts to force
that system component to limit, or even halt, normal services
• In its simplest form, a Distributed Denial of Service (DDoS)
attack is a DoS attack that occurs from more than one source,
and/or from more than one location, at the same time.
How to inflict a DDoS attack
• The simplest form of attack is to send a constant stream of packets to the victim; the stream occupies a substantial share of the victim's resources (link bandwidth, CPU, memory, connection state), making its services unavailable to legitimate clients.
• Another approach is to send malformed packets to the victim's machine to confuse the application or protocol stack and force it to freeze or reboot.
• An attack may also subvert machines in the victim's network so that legitimate clients cannot reach the service.
Entities involved in a DDoS attack
(The original slide is a diagram showing the attacker, the handler and agent machines it controls, and the victim; it is not reproduced in this transcript.)
Procedure to launch a DDoS attack:
• 1. The recruit phase: the attacker scans remote machines looking for security holes that will let it break in.
• 2. The exploit phase: the vulnerabilities discovered on these hosts are exploited to gain control of them.
• 3. The infect phase: malicious code that lets the attacker control the host (the agent code) is installed on the compromised machine.
• 4. The use phase: the infected machines (agents) are used to send attack traffic to the victim; they are often also used to repeat the recruit, exploit and infect phases against further machines.
Reasons for DDoS attacks:
• 1. Personal reasons: a significant number of DDoS attacks are perpetrated against home computers, presumably for revenge.
• 2. Prestige: a successful attack on popular Web servers gains the respect of the hacker community.
• 3. Material gain: damaging a competitor's resources or blackmailing companies.
• 4. Political reasons: a country at war could perpetrate attacks against its enemy's critical resources, potentially enlisting a significant portion of the entire country's computing power for this action.
Why are DDoS attacks easy?
• The end-to-end service paradigm of the Internet: security is left up to the end parties.
• If one of the parties misbehaves, it can damage its peer.
• The intermediate network makes it hard to detect a misbehaving peer and cannot stop it.
• High-bandwidth pathways were built in the intermediate (core) network, while end networks invested only in as much bandwidth as they thought they would need.
• Thus malicious clients can misuse the abundant resources of the unwitting intermediate network to deliver a huge volume of messages to a less well provisioned victim.
Need for Classification.
• Classification can help answer questions such as:
• What are the different ways to perpetrate a DDoS attack?
• For which kinds of attacks have solutions been designed, and which still need solutions?
• What novel kinds of DDoS attack could take place?
• A classification gives researchers a common vocabulary to discuss the threats and to map out the solution space for DDoS.
• Understanding these threats, implementing them in a test-bed environment, and using them to test defense systems will help researchers stay one step ahead of the attackers.
• DA1: Manual (DA: degree of automation)
The attacker performs all the phases (recruit, exploit, infect and use) by hand. These were the earliest kinds of DDoS attacks.
• DA2: Semi-Automatic
The recruit, exploit and infect phases are automated. In the use phase, the attacker specifies the attack type, onset, duration and the victim via the handler to the agents, which then send packets to the victim.
• DA2: CM: Communication Mechanism
Based on the communication mechanism deployed between agent and handler machines, semi-automatic attacks are further divided into direct and indirect communication.
• DA2:CM1: Direct Communication
During attacks with direct communication, the agent and handler machines need to know each other's identity in order to communicate. This also means the agent code must carry the handler addresses, so capturing one agent can expose the handlers.
• DA2:CM2: Indirect Communication
Attacks with indirect communication use some legitimate communication service to synchronize agent actions. Recent attacks have used IRC (Internet Relay Chat) channels.
• DA3: Automatic
The start time of the attack, attack type, duration and victim are preprogrammed in the attack code. No further communication between attacker and agents is needed.
• DA2 and DA3:HSS1: Random Scanning (HSS: host scanning strategy)
During random scanning, each compromised host probes random addresses in the IP address space, using a different seed. This generates a high volume of inter-network traffic and infects a high number of machines.
• DA2 and DA3:HSS2: Local Subnet Scanning
Local subnet scanning can be added to any of the previously described techniques to preferentially scan for targets that reside on the same subnet as the compromised host.
• SAV1: Spoofed Source Address (SAV: source address validity)
This is the prevalent type of attack, since it is always to the attacker's advantage to spoof the source address: it avoids accountability and possibly creates more noise for detection.
• SAV1: AR: Address Routability
Based on address routability we differentiate between routable and non-routable source address attacks.
• SAV1:AR1: Routable Source Address
Attacks that spoof routable addresses take over the IP address of another machine. This is sometimes done not to avoid accountability but to perform a reflector attack on the machine whose address was hijacked: the victim's replies are sent to the spoofed address.
• SAV1:AR2: Non-Routable Source Address
Attackers can spoof non-routable source addresses, some of which belong to a reserved set of addresses (such as 192.168.0.0/16) or are part of an assigned but unused address space of some network.
• DA2 and DA3:VSS1: Horizontal Scanning (VSS: vulnerability scanning strategy)
This is the common type of scan for worms. Scanning machines look for a specific vulnerability, probing the same destination port on all machines from the list assembled through the host scanning techniques above.
• DA2 and DA3:VSS2: Vertical Scanning
This is the common type of scan for intrusions and multiple-vector worms. Scanning machines probe multiple ports at a single destination, looking for any way to break in.
• EW1: Semantic (EW: exploited weakness)
Semantic attacks exploit a specific feature or implementation bug of some protocol or application installed at the victim in order to consume excess amounts of its resources.
• EW2: Brute Force
Brute-force attacks are performed by initiating a vast amount of seemingly legitimate transactions; the victim's resources are exhausted by sheer volume rather than by a flaw.
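The host- and vulnerability-scanning strategies above (HSS1/HSS2 and VSS1/VSS2) are what a network defender sees as scan patterns in flow logs. The following Python script is an added example, not part of the original slides or of the Mirkovic/Reiher paper: it groups constructed flow records by source, labels each source as a horizontal scanner (one port, many hosts), a vertical scanner (many ports, one host) or neither, and, for horizontal scanners, reports whether the targets concentrate in the scanner's own /24 (local subnet scanning) or spread over the address space (random scanning). The thresholds, the /24 subnet size and the flow records are assumptions.

```python
"""Classify scan patterns in flow records (added example, assumptions marked)."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

MIN_TARGETS = 8        # assumption: at least this many distinct hosts/ports to call it a scan
LOCAL_FRACTION = 0.5   # assumption: >= this share of targets in the scanner's /24 => "local"


@dataclass
class ScanVerdict:
    src: str
    hosts: int          # distinct destination addresses probed
    ports: int          # distinct destination ports probed
    pattern: str        # "horizontal" (VSS1), "vertical" (VSS2), "mixed" or "none"
    targeting: str      # "local-subnet" (HSS2), "random" (HSS1) or "n/a"


def same_slash24(a: str, b: str) -> bool:
    """True if both addresses fall in the same /24 (assumed subnet size)."""
    return (ipaddress.ip_network(f"{a}/24", strict=False)
            == ipaddress.ip_network(f"{b}/24", strict=False))


def classify_scanners(flows):
    """flows: iterable of (src, dst, dport) tuples.  Returns {src: ScanVerdict}."""
    by_src = defaultdict(lambda: {"dsts": set(), "ports": set()})
    for src, dst, dport in flows:
        by_src[src]["dsts"].add(dst)
        by_src[src]["ports"].add(int(dport))

    verdicts = {}
    for src, seen in by_src.items():
        hosts, ports = len(seen["dsts"]), len(seen["ports"])
        if hosts >= MIN_TARGETS and ports == 1:
            pattern = "horizontal"   # one vulnerability, many machines (worm style)
        elif hosts == 1 and ports >= MIN_TARGETS:
            pattern = "vertical"     # one machine, any way in (intrusion style)
        elif hosts >= MIN_TARGETS and ports >= MIN_TARGETS:
            pattern = "mixed"
        else:
            pattern = "none"

        if pattern in ("horizontal", "mixed"):
            local = sum(1 for d in seen["dsts"] if same_slash24(src, d))
            targeting = "local-subnet" if local / hosts >= LOCAL_FRACTION else "random"
        else:
            targeting = "n/a"
        verdicts[src] = ScanVerdict(src, hosts, ports, pattern, targeting)
    return verdicts


def constructed_flows():
    """Synthetic flow records (constructed for this example, not real traffic)."""
    flows = []
    # Horizontal scan of one port by a host that prefers its own /24 (HSS2).
    for i in range(1, 21):
        flows.append(("10.0.5.17", f"10.0.5.{i + 100}", 445))
    # Horizontal scan of the same port with targets spread across IPv4 (HSS1);
    # the arithmetic gives 20 distinct addresses with distinct first octets.
    for i in range(1, 21):
        dst = f"{(37 * i) % 223 + 1}.{(91 * i) % 256}.{(53 * i) % 256}.{(17 * i) % 256}"
        flows.append(("198.51.100.9", dst, 445))
    # Vertical scan: one target, many ports (VSS2).
    for port in (21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389):
        flows.append(("203.0.113.44", "192.0.2.10", port))
    # Ordinary client: two HTTPS flows, no scan.
    flows += [("192.0.2.77", "192.0.2.10", 443), ("192.0.2.77", "192.0.2.11", 443)]
    return flows


if __name__ == "__main__":
    for verdict in classify_scanners(constructed_flows()).values():
        print(verdict)
```

On real data the input would come from NetFlow/IPFIX or firewall logs; the point of the two-axis count (distinct hosts versus distinct ports per source) is that it separates worm-style horizontal sweeps from targeted vertical probes without any signature of the exploit itself.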
• SAV1: ST: Spoofing Technique
The spoofing technique defines how the attacker chooses the spoofed source address in its attack packets.
• SAV1:ST1: Random Spoofed Source Address
Many attacks spoof random source addresses in the attack packets, since this can be achieved simply by generating random 32-bit numbers and stamping packets with them.
• SAV1:ST2: Subnet Spoofed Source Address
In subnet spoofing, the attacker spoofs a random address from the address space assigned to the agent machine's subnet. Such packets pass ingress filters that only check that the source belongs to the customer's prefix.
• SAV1:ST4: Fixed Spoofed Source Address
An attacker performing a reflector attack, or wishing to place the blame for the attack on a few specific machines, would use fixed spoofing.
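Source address validity (SAV1) and the spoofing techniques ST1, ST2 and ST4 can be reasoned about from the source addresses seen in a flood. The Python below is an added example, not from the slides or the paper: is_non_routable() checks an address against reserved and special-purpose IPv4 ranges (AR2); infer_spoofing_technique() guesses random, subnet or fixed spoofing from the spread of sources; and passes_ingress_filter() models a BCP 38 ingress filter at the agent's access router, which blocks randomly spoofed sources but not subnet-spoofed ones. The range list, the thresholds and the three synthetic floods are assumptions.

```python
"""Spoofed-source analysis for attack traffic (added example, assumptions marked)."""
import ipaddress

# Reserved / special-purpose IPv4 ranges (assumed list; check the current
# IANA special-purpose registry before relying on it).
SPECIAL_PURPOSE_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]

FIXED_MAX_SOURCES = 3   # assumption: at most this many distinct sources => fixed spoofing
AGENT_PREFIXLEN = 24    # assumption: an agent's subnet is a /24


def is_non_routable(addr, unused_assigned=()):
    """SAV1:AR2 check.  `unused_assigned` lists extra prefixes (strings) the
    operator knows are allocated but not in use ("dark" address space)."""
    ip = ipaddress.ip_address(addr)
    extra = [ipaddress.ip_network(p) for p in unused_assigned]
    return any(ip in net for net in SPECIAL_PURPOSE_V4 + extra)


def infer_spoofing_technique(sources):
    """Heuristic guess of the spoofing technique behind a flood.

    Returns (technique, distinct_sources, non_routable_fraction); technique is
    "fixed" (ST4), "subnet" (ST2) or "random" (ST1)."""
    distinct = set(sources)
    non_routable = sum(1 for s in distinct if is_non_routable(s)) / len(distinct)
    if len(distinct) <= FIXED_MAX_SOURCES:
        return "fixed", len(distinct), non_routable
    subnets = {ipaddress.ip_network(f"{s}/{AGENT_PREFIXLEN}", strict=False)
               for s in distinct}
    if len(subnets) == 1:
        return "subnet", len(distinct), non_routable
    return "random", len(distinct), non_routable


def passes_ingress_filter(src, customer_prefix):
    """BCP 38 style ingress filter at the customer's access router: forward a
    packet only if its source lies inside the customer's own prefix."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(customer_prefix)


def constructed_floods():
    """Three synthetic source-address lists (constructed, not captured).
    91.200.12.0/24 stands in for the agent's subnet; it is an arbitrary
    public range chosen for the example."""
    # ST1: random 32-bit values stamped into the source field (a multiplicative
    # hash replaces a PRNG so the output is reproducible; it is a bijection).
    random_sources = [str(ipaddress.IPv4Address((i * 2654435761) & 0xFFFFFFFF))
                      for i in range(1, 41)]
    # ST2: random hosts inside the agent's own /24 (one address repeats).
    subnet_sources = [f"91.200.12.{h}" for h in (3, 17, 42, 42, 99, 120, 200, 254)]
    # ST4: one fixed address, e.g. a machine the attacker wants blamed.
    fixed_sources = ["77.88.55.66"] * 50
    return random_sources, subnet_sources, fixed_sources


if __name__ == "__main__":
    rnd, sub, fix = constructed_floods()
    for name, flood in (("random", rnd), ("subnet", sub), ("fixed", fix)):
        print(name, infer_spoofing_technique(flood))
    print("subnet-spoofed packets passing BCP 38:",
          sum(passes_ingress_filter(s, "91.200.12.0/24") for s in sub), "of", len(sub))
    print("randomly-spoofed packets passing BCP 38:",
          sum(passes_ingress_filter(s, "91.200.12.0/24") for s in rnd), "of", len(rnd))
```

The heuristic is only as good as the vantage point: at the victim, a flood from many agents each doing subnet spoofing looks like many /24s, so the subnet label is most reliable when applied per upstream ingress interface.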
• ARD: Attack Rate Dynamics
• RD1: Constant Rate
The majority of known attacks deploy a constant-rate mechanism. After the onset is commanded, agent machines generate attack packets at a steady rate, usually as many as their resources permit.
• RD2: Variable Rate
Variable-rate attacks vary the attack rate of an agent machine to delay or avoid detection and response.
• RD2: RC: Rate Change Mechanism
• RD2:RC1: Increasing Rate
Attacks with a gradually increasing rate lead to a slow exhaustion of the victim's resources; the victim's services degrade slowly over a long period, which delays detection of the attack.
• RD2: RC2: Fluctuating Rate
Attacks with a fluctuating rate adjust the attack rate based on the victim's behavior or on preprogrammed timing, occasionally relieving the effect to avoid detection.
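Rate dynamics are observable at the victim as a time series of per-second packet counts. The Python below is an added example, not from the slides or the paper: it bins packet timestamps and labels the resulting series constant (RD1), increasing (RD2:RC1) or fluctuating (RD2:RC2), using the coefficient of variation, the direction of the non-zero rate changes and the growth between the first and last quarter of the window. The thresholds and the three synthetic series are assumptions.

```python
"""Classify attack rate dynamics from packet counts (added example, assumptions marked)."""
from statistics import mean, pstdev

CV_CONSTANT_MAX = 0.15     # assumption: coefficient of variation below this => constant
UPWARD_FRACTION = 0.9      # assumption: share of non-zero rate changes that must go up
MIN_GROWTH = 2.0           # assumption: last-quarter mean / first-quarter mean for "increasing"


def bin_timestamps(timestamps, width=1.0):
    """Turn packet arrival times (seconds, any order) into per-bin packet counts."""
    if not timestamps:
        return []
    t0 = min(timestamps)
    nbins = int((max(timestamps) - t0) // width) + 1
    counts = [0] * nbins
    for t in timestamps:
        counts[int((t - t0) // width)] += 1
    return counts


def classify_rate(counts):
    """Label a per-bin packet-count series as constant / increasing / fluctuating."""
    if len(counts) < 4:
        raise ValueError("need at least 4 bins")
    avg = mean(counts)
    cv = pstdev(counts) / avg if avg else 0.0
    if cv < CV_CONSTANT_MAX:
        return "constant"                      # RD1: steady rate, small jitter only
    # Direction of every change in rate; plateaus are ignored so that an on/off
    # pulse train is not mistaken for a monotone ramp.
    moves = [b - a for a, b in zip(counts, counts[1:]) if b != a]
    upward = sum(1 for m in moves if m > 0) / len(moves) if moves else 1.0
    q = max(1, len(counts) // 4)
    head, tail = mean(counts[:q]), mean(counts[-q:])
    growth = tail / head if head else float("inf")
    if upward >= UPWARD_FRACTION and growth >= MIN_GROWTH:
        return "increasing"                    # RD2:RC1: slow ramp that delays detection
    return "fluctuating"                       # RD2:RC2: bursts with relief periods


def constructed_series():
    """Synthetic per-second packet counts for a 60 s window (constructed data)."""
    # RD1: agents send as fast as they can, about 5000 pps with +/-50 pps jitter.
    constant = [5000 + ((37 * i) % 11 - 5) * 10 for i in range(60)]
    # RD2:RC1: ramp from 200 pps to 6100 pps over the minute.
    increasing = [200 + 100 * i for i in range(60)]
    # RD2:RC2: 10 s bursts at 6000 pps separated by 10 s lulls at 300 pps.
    fluctuating = [6000 if (i // 10) % 2 == 0 else 300 for i in range(60)]
    return {"constant": constant, "increasing": increasing, "fluctuating": fluctuating}


if __name__ == "__main__":
    for name, series in constructed_series().items():
        print(f"{name:12s} -> {classify_rate(series)}")
    # From raw timestamps (constructed): four packets in the first second, one later.
    print(bin_timestamps([0.1, 0.5, 0.7, 0.9, 2.2]), classify_rate([4, 0, 1, 1]))
```

A fixed threshold on the mean rate would catch RD1 and the end of an RC1 ramp but miss the ramp's early phase and the lulls of RC2; looking at the shape of the series is what distinguishes the three classes.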
• IV: Impact on the Victim
Based on the impact on the victim:
• IV1: Disruptive
The goal of disruptive attacks is to completely deny the victim's service to its clients.
• IV1: RM: Possibility of Dynamic Recovery
Depending on the possibility of dynamic recovery during or after the attack, we differentiate between self-recoverable, human-recoverable and non-recoverable attacks.
• IV1:RM1: Self-Recoverable
In the case of self-recoverable attacks, the victim recovers without any human intervention as soon as the influx of attack packets has stopped.
• IV1:RM2: Human-Recoverable
A victim of a human-recoverable attack requires human intervention (e.g., rebooting or reconfiguring the victim machine) to recover after the attack has stopped.
• IV1:RM3: Non-Recoverable
Non-recoverable attacks inflict permanent damage on the victim's hardware; new hardware must be purchased for recovery.
• IV2: Degrading
The goal of degrading attacks is to consume some (presumably constant) portion of the victim's resources, seriously degrading service to legitimate customers while possibly going undetected for a long time.
Conclusion
• Many types of DDoS attack exist, and there was no established classification for studying them as a hierarchy.
• The paper attempts to structure the known forms of DDoS attack, and some novel attacks that could appear in the future, using a classification scheme.
• Future work
New forms of DDoS attack can be added to the classification under an existing level or as a separate class altogether.
Video
• Shut Down A Website-Perl (with myspace hacker)
• http://www.youtube.com/watch?v=5pzh5zqQ4ic
References
• J. Mirkovic and P. Reiher, "A Taxonomy of DDoS Attack and DDoS Defense Mechanisms," ACM SIGCOMM Computer Communication Review (CCR), vol. 34, no. 2, April 2004, pp. 39-53.
• Denial of Service Attack, Wikipedia: http://en.wikipedia.org/wiki/Denial-of-service_attack
• Network Security: DoS vs DDoS attacks: http://www.crime-research.org/articles/network-security-dos-ddosattacks/