A Taxonomy of DDoS Attack and DDoS Defense Mechanisms
Written by Jelena Mirkovic and Peter Reiher
In ACM SIGCOMM Computer Communication Review, April 2005
Presented by Jared Bott
Key Point!
• DDoS attacks can be carried out in a wide variety of manners, with a wide variety of purposes
• DDoS defenses show great variety
DDoS Attacks
• An explicit attempt to prevent the legitimate use of a service
• Multiple attacking entities, known as agents
• DDoS is a serious problem
  • Many proposals about how to deal with it
[Diagram labels: Agent, Target]
What makes DDoS attacks possible?
• Answer: The end-to-end paradigm
• Internet security is highly interdependent
  • Susceptibility of a system depends on the security of the Internet
• Internet resources are limited
• Intelligence and resources are not collocated
  • End systems are intelligent, intermediate systems are high in resources
• Accountability is not enforced
  • IP spoofing is possible
• Control is distributed
  • No way to enforce global deployment of a security mechanism or policy
Taxonomy of Attacks
DA: Degree of Automation
• How involved is the attacker?
  • Automation of the recruit, exploit, infect and scan phases
• DA-1: Manual
• DA-2: Semi-Automatic
  • Recruit, exploit and infect phases are automated
• DA-3: Automatic
DA-2:CM: Communication Mechanism
• How do the agents and handlers of semi-automatic (DA-2) attacks communicate?
• DA-2:CM-1: Direct Communication
  • Agents and handlers know each other's identities
  • Communication through TCP or UDP
• DA-2:CM-2: Indirect Communication
  • Communication through IRC
DA-2/DA-3:HSS: Host Scanning Strategy
• How do attackers find computers to make into agents?
  • Choose addresses of potentially vulnerable machines to scan
• DA-2/DA-3:HSS-1: Random Scanning
• DA-2/DA-3:HSS-2: Hitlist Scanning
• DA-2/DA-3:HSS-3: Signpost Scanning
  • Topological scanning
  • Email worms send emails to everyone in the address book
  • Web-server worms infect visitors' vulnerable browsers to infect servers visited later
• DA-2/DA-3:HSS-4: Permutation Scanning
  • A pseudo-random permutation of the IP space is shared among all infected machines
  • A newly infected machine starts at a random point
• DA-2/DA-3:HSS-5: Local Subnet Scanning
• Examples:
  • HSS-1: Code Red v2
  • HSS-5: Code Red II, Nimda
DA-2/DA-3:VSS: Vulnerability Scanning Strategy
• We have found a machine; can it be "infected"?
• DA-2/DA-3:VSS-1: Horizontal Scanning
• DA-2/DA-3:VSS-2: Vertical Scanning
• DA-2/DA-3:VSS-3: Coordinated Scanning
  • Machines probe the same port(s) at multiple machines within a local subnet
• DA-2/DA-3:VSS-4: Stealthy Scanning
DA-2/DA-3:PM: Propagation Method
• How does attack code get onto compromised machines?
• DA-2/DA-3:PM-1: Central Source Propagation
  • Attack code resides on server(s)
• DA-2/DA-3:PM-2: Back-Chaining Propagation
  • Attack code is downloaded from the machine that exploited the system
• DA-2/DA-3:PM-3: Autonomous Propagation
  • Inject attack instructions directly into the target host during the exploit phase
  • Ex. Code Red, various email worms, Warhol worm idea
EW: Exploited Weakness to Deny Service
• What weakness of the target machine is exploited to deny service?
• EW-1: Semantic
  • Exploit a specific feature or implementation bug
  • Ex. TCP SYN attack
    • The exploited feature is the allocation of substantial space in a connection queue immediately upon receipt of a TCP SYN
• EW-2: Brute-Force
SAV: Source Address Validity
• Do packets have the agents' real IP addresses?
• SAV-1: Spoofed Source Address
• SAV-2: Valid Source Address
  • Frequently originate from Windows machines
SAV-1:AR: Address Routability
• This is not the attacker's address, but can it be routed?
• SAV-1:AR-1: Routable Source Address
• SAV-1:AR-2: Non-Routable Source Address
SAV-1:ST: Spoofing Technique
• How does an agent come up with an IP address?
• SAV-1:ST-1: Random Spoofed Source Address
  • Random 32-bit number
  • Prevented using ingress filtering, route-based filtering
• SAV-1:ST-2: Subnet Spoofed Source Address
  • Spoofs a random address from the address space assigned to the machine's subnet
  • Ex. A machine in 131.179.192.0/24 chooses in the range 131.179.192.0 to 131.179.192.255
• SAV-1:ST-3: En Route Spoofed Source Address
  • Spoof the address of a machine or subnet along the path to the victim
• SAV-1:ST-4: Fixed Spoofed Source Address
  • Choose a source address from a specific list
  • Reflector attack
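An added example (not from the slides or the paper) of the ingress filtering mentioned under ST-1, run at the edge router of the 131.179.192.0/24 subnet from the ST-2 slide over constructed packets; it also classifies each header source by AR-1/AR-2 routability and shows which spoofing techniques the filter can and cannot see. The packet list, the "true origin" field and the 131.179.200.9 value are constructed for the simulation.

```python
import ipaddress

# Prefix assigned to the customer edge in the ST-2 slide.
SUBNET = ipaddress.ip_network("131.179.192.0/24")

# Constructed packets: (source address written in the IP header, true origin host).
# The true origin is known only to this simulation; the router sees the header alone.
PACKETS = [
    ("131.179.192.17", "131.179.192.17"),   # SAV-2: valid source address
    ("131.179.200.9", "131.179.192.17"),    # SAV-1:ST-1: random spoofed source (constructed value)
    ("131.179.192.200", "131.179.192.17"),  # SAV-1:ST-2: subnet spoofed source
    ("10.0.0.5", "131.179.192.17"),         # SAV-1:AR-2: non-routable (private) source
]

def address_routability(src):
    """SAV-1:AR: can the address in the header be routed on the public Internet?"""
    return "AR-1 routable" if ipaddress.ip_address(src).is_global else "AR-2 non-routable"

def ingress_filter(src, prefix=SUBNET):
    """Ingress filtering at the customer edge: forward a packet only if its
    source address belongs to the prefix assigned to the ingress interface."""
    return ipaddress.ip_address(src) in prefix

def classify(header_src, true_origin):
    forwarded = ingress_filter(header_src)
    spoofed = header_src != true_origin
    return {
        "src": header_src,
        "routability": address_routability(header_src),
        "spoofed": spoofed,
        "forwarded": forwarded,
        # ST-2 is the case the filter cannot see: the spoofed source lies inside the
        # legitimate prefix, so only finer-grained (per-host) checks would catch it.
        "evades_ingress_filter": forwarded and spoofed,
    }

def run(packets=PACKETS):
    return [classify(h, o) for h, o in packets]

if __name__ == "__main__":
    for result in run():
        print(result)
```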
ARD: Attack Rate Dynamics
• Does the attack rate change?
• ARD-1: Constant Rate
  • Used in the majority of known attacks
  • Best cost-effectiveness: minimal number of computers needed
  • Obvious anomaly in traffic
• ARD-2: Variable Rate
ARD-2:RCM: Rate Change Mechanism
• How does the rate change?
• ARD-2:RCM-1: Increasing Rate
  • A gradually increasing rate leads to a slow exhaustion of the victim's resources
  • Could manipulate defenses that train their baseline models
• ARD-2:RCM-2: Fluctuating Rate
  • Adjust the attack rate based on the victim's behavior or preprogrammed timing
  • Ex. Pulsing attack
PC: Possibility of Characterization
• Can the attacking traffic be characterized?
  • Characterization may lead to filtering rules
• PC-1: Characterizable
  • Those that target specific protocols or applications at the victim
  • Can be identified by a combination of IP header and transport protocol header values or packet contents
  • Ex. TCP SYN attack
    • SYN bit set
PC-1:RAVS: Relation of Attack to Victim Services
• The traffic is characterizable, but is it related to the target's services?
• PC-1:RAVS-1: Filterable
  • Traffic made of malformed packets or packets for non-critical services of the victim's operation
  • Ex. ICMP ECHO flood attack on a web server
• PC-1:RAVS-2: Non-Filterable
  • Well-formed packets that request legitimate and critical services
  • Filtering all packets that match the attack characterization would lead to a denial of service
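An added example (not the slides' or the paper's code) that walks the PC and RAVS decisions over constructed packet records for a web server: it derives the dominant header combination as a candidate filter rule (PC-1, falling back to protocol-only characterization as in the PC-2 slide), then asks whether dropping everything that rule matches would itself deny a critical service. The packet sets, the 60% dominance share, the well-formedness check and the victim's critical-service list are all assumptions.

```python
from collections import Counter

# Constructed packet records for a web server: only header fields, as the PC slide says.
def mk(proto, flags, dport, count):
    return [{"proto": proto, "flags": frozenset(flags), "dport": dport}] * count

ICMP_FLOOD = mk("icmp", (), 0, 90) + mk("tcp", ("SYN",), 80, 5) + mk("tcp", ("ACK",), 443, 5)
SYN_FLOOD = mk("tcp", ("SYN",), 80, 80) + mk("tcp", ("ACK",), 80, 15) + mk("udp", (), 53, 5)
SYN_FIN = mk("tcp", ("SYN", "FIN"), 80, 95) + mk("tcp", ("ACK",), 80, 5)
MIXED_TCP = mk("tcp", ("SYN",), 80, 30) + mk("tcp", ("ACK",), 80, 30) + mk("tcp", ("FIN", "ACK"), 443, 40)

VICTIM_CRITICAL = {("tcp", 80), ("tcp", 443)}   # assumed: the services the victim exists to provide

def characterize(packets, min_share=0.6):
    """PC: return the finest header combination covering min_share of the traffic.
    Falls back to the protocol alone (coarse PC-1), then to None (PC-2)."""
    for level in (("proto", "flags", "dport"), ("proto",)):
        (key, n), = Counter(tuple(p[f] for f in level) for p in packets).most_common(1)
        if n / len(packets) >= min_share:
            return dict(zip(level, key))
    return None

def well_formed(rule):
    """Flag combinations no legitimate TCP stack sends count as malformed."""
    f = rule.get("flags")
    if rule["proto"] != "tcp" or f is None:
        return True
    return bool(f) and not {"SYN", "FIN"} <= f and not {"SYN", "RST"} <= f

def filterable(rule, critical=VICTIM_CRITICAL):
    """PC-1:RAVS: True (RAVS-1) if dropping everything the rule matches costs no critical
    service; False (RAVS-2) if well-formed requests to a critical service would be dropped."""
    if rule is None:
        return None
    if not well_formed(rule):
        return True
    hits = [s for s in critical if s[0] == rule["proto"] and rule.get("dport", s[1]) == s[1]]
    return not hits

def assess(packets):
    rule = characterize(packets)
    return rule, filterable(rule)

if __name__ == "__main__":
    for name, pkts in [("icmp", ICMP_FLOOD), ("syn", SYN_FLOOD), ("synfin", SYN_FIN), ("mixed", MIXED_TCP)]:
        print(name, assess(pkts))
```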
PC: Possibility of Characterization
• PC-2: Non-Characterizable
  • Traffic that uses a variety of packets that engage different applications and protocols
  • Classification depends on the resources that can be used to characterize and the level of characterization
    • Ex. Attack uses a mixture of TCP packets with various combinations of TCP header fields
    • Characterizable as a TCP attack, but nothing finer without vast resources
PAS: Persistence of Agent Set
• Do the same agents attack the whole time?
  • Some attacks vary their set of active agent machines
    • Avoid detection and hinder traceback
• PAS-1: Constant Agent Set
• PAS-2: Variable Agent Set
[Diagram: bright red agents attack for 4 hours, dark red agents attack for the next 4 hours]
VT: Victim Type
• What does the attack target?
• VT-1: Application
  • Ex. Bogus signature attack on an authentication server
    • Authentication not possible, but other applications still available
• VT-2: Host
  • Disable access to the target machine
  • Overloading, disabling communications, crashing, freezing or rebooting the machine
  • Ex. TCP SYN attack overloads the communications of the machine
• VT-3: Resource Attacks
  • Target a critical resource in the victim's network
  • Ex. DNS server, router
  • Prevented by replicating critical services, designing a robust network topology
• VT-4: Network Attacks
  • Consume the incoming bandwidth of a target network
  • Victim must request help from upstream networks
• VT-5: Infrastructure
  • Target a distributed service that is crucial for global Internet operation
  • Ex. Root DNS server attacks in October 2002, February 2007
IV: Impact on the Victim
• How does an attack affect the victim's service?
• IV-1: Disruptive
  • Completely deny the victim's service to its clients
  • All currently reported attacks are this kind
• IV-2: Degrading
  • Consume some portion of a victim's resources, seriously degrading service to customers
  • Could remain undetected for a long time
IV-1:PDR: Possibility of Dynamic Recovery
• Can a system recover from an attack? How?
• IV-1:PDR-1: Self-Recoverable
  • Ex. UDP flooding attack
• IV-1:PDR-2: Human-Recoverable
  • Ex. Computer freezes, requires reboot
• IV-1:PDR-3: Non-Recoverable
  • Permanent damage to the victim's hardware
  • No reliable accounts of these attacks
DDoS Defense
• Several factors hinder the advance of DDoS defense research
• Need for a distributed response at many points on the Internet
  • Many attacks need upstream network resources to stop attacks
• Economic and social factors
  • A distributed response system must be deployed by parties that aren't directly damaged by a DDoS attack
• Lack of defense system benchmarks
  • No benchmark suite of attack scenarios or established evaluation methodologies
• Lack of detailed attack information
  • We have information on control programs
  • Information on the frequency of various attack types is lacking
  • Information on rate, duration, packet size, etc. is lacking
• Difficulty of large-scale testing
  • No large-scale test beds
    • U.S. National Science Foundation is funding development of a large-scale cybersecurity test bed
  • No safe ways to perform live distributed experiments across the Internet
  • No detailed and realistic simulation tools that support thousands of nodes
Taxonomy of DDoS Defenses
AL: Activity Level
• When does a defense system work?
• AL-1: Preventive
  • Eliminate the possibility of DDoS attacks or enable victims to endure the attack without denial of service
AL-1:PG: Prevention Goal
• What is the system trying to do?
• AL-1:PG-1: Attack Prevention
  • The system is trying to prevent attacks
AL-1:PG-1:ST: Secured Target
• What does a system try to secure to prevent an attack?
• AL-1:PG-1:ST-1: System Security
  • Secure the system
  • Guard against illegitimate accesses to a machine
  • Remove application bugs, update protocol installations
  • Ex. Firewall systems, IDSs, automated updates
• AL-1:PG-1:ST-2: Protocol Security
  • Secure the protocols
  • Bad protocol design examples: TCP SYN attack, authentication server attack, IP source address spoofing
  • Ex. Deployment of a powerful proxy server that completes TCP connections
  • Ex. TCP SYN cookies
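An added example (not from the slides or the paper) of a minimal SYN cookie in the style of the classic scheme, to show how this ST-2 protocol-security fix removes the EW-1 weakness: the listener encodes the handshake state into the SYN-ACK sequence number and keeps no connection-queue entry until a valid ACK arrives. The secret, the addresses and ports, the MSS table and the counter slot width are constructed values.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-secret-rotate-me"  # constructed; a real listener keeps this private
MSS_TABLE = [536, 1220, 1440, 1460]      # MSS values the 3-bit slot can encode (up to 8 entries)
MAX_AGE = 1                              # accept the current and the previous counter slot

def _mac24(src, dst, sport, dport, t):
    """24-bit keyed MAC over the connection 4-tuple and the time counter."""
    msg = struct.pack("!4s4sHHI", src, dst, sport, dport, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def _mss_index(client_mss):
    """Index of the largest table entry not exceeding the client's MSS."""
    return max(i for i, v in enumerate(MSS_TABLE) if v <= client_mss or i == 0)

def make_cookie(src, dst, sport, dport, client_mss, counter):
    """Initial sequence number for the SYN-ACK: 5-bit counter | 3-bit MSS index | 24-bit MAC.
    The listener sends it and allocates nothing per SYN, so the queue cannot be filled."""
    t = counter & 0x1F
    return (t << 27) | (_mss_index(client_mss) << 24) | _mac24(src, dst, sport, dport, t)

def check_cookie(src, dst, sport, dport, ack, counter):
    """Rebuild state from the client's ACK (cookie == ack - 1). Returns the negotiated
    MSS on success, None if the cookie is stale, forged or for another 4-tuple."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if ((counter & 0x1F) - t) & 0x1F > MAX_AGE:
        return None                                    # client answered too late
    expected = _mac24(src, dst, sport, dport, t)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                                    # MAC mismatch: not our cookie
    return MSS_TABLE[mss_idx]

def demo():
    """Honest client, a guessed ACK, and an ACK that arrives after the cookie expired."""
    src, dst = bytes([131, 179, 192, 17]), bytes([192, 0, 2, 10])  # constructed addresses
    sport, dport = 40001, 80
    isn = make_cookie(src, dst, sport, dport, 1460, counter=7)      # SYN seen in slot 7
    honest = check_cookie(src, dst, sport, dport, isn + 1, counter=7)
    forged = check_cookie(src, dst, sport, dport, (isn ^ 0x5A5A) + 1, counter=7)
    stale = check_cookie(src, dst, sport, dport, isn + 1, counter=12)
    return honest, forged, stale

if __name__ == "__main__":
    print(demo())   # (1460, None, None)
```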
AL-1:PG: Prevention Goal
• AL-1:PG-2: DoS Prevention
  • The system is trying to prevent a denial of service
  • Enable the victim to endure attack attempts without denying service
    • Enforce policies for resource consumption
    • Ensure that abundant resources exist
AL-1:PG-2:PM: Prevention Method
• How do the defense systems prevent DoS?
• AL-1:PG-2:PM-1: Resource Accounting
  • Police the access of each user to resources based on the privileges of the user and the user's behavior
  • Let real, good users have access
  • Coupled with legitimacy-based access mechanisms
• AL-1:PG-2:PM-2: Resource Multiplication
  • Ex. Pool of servers with a load balancer, high-bandwidth network
AL-2: Reactive
• Defense systems try to alleviate the impact of an attack
  • Detect the attack and respond to it as early as possible
AL-2:ADS: Attack Detection Strategy
• How does the system detect attacks?
• AL-2:ADS-1: Pattern Detection
  • Store signatures of known attacks and monitor communications for the presence of patterns
  • Only known attacks can be detected
  • Ex. Snort
• AL-2:ADS-2: Anomaly Detection
  • Compare the current state of the system to a model of normal system behavior
  • Previously unknown attacks can be discovered
  • Tradeoff between detecting all attacks and false positives
AL-2:ADS-2:NBS: Normal Behavior Specification
• How is normal behavior defined?
• AL-2:ADS-2:NBS-1: Standard
  • Rely on some protocol standard or set of rules
  • Ex. TCP protocol specification describes the three-way handshake
    • Detect half-open TCP connections
  • No false positives, but sophisticated attacks can be left undetected
• AL-2:ADS-2:NBS-2: Trained
  • Monitor network traffic and system behavior
  • Generate threshold values for different parameters
    • Communications exceeding one or more thresholds are marked as anomalous
    • Low threshold leads to many false positives, high threshold reduces sensitivity
  • Model of normal behavior must be updated
    • Attacker can slowly increase the traffic rate so that new models are higher and higher
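An added example (not from the slides or the paper) that serves both the NBS-2 point above and the ARD-2:RCM-1 slide: a trained threshold detector (mean plus k standard deviations of a sliding window) is fed a constructed packet-rate series that steps up by one packet per second per sample, and a second one that jumps to a constant high rate. Retraining on every sample judged normal lets the slow ramp drag the baseline upward so it is never flagged; capping how far the retrained threshold may rise above the first learned one (the max_growth parameter, an assumption) restores detection. The rate series, window size, k and cap are constructed.

```python
from statistics import mean, pstdev

# Constructed packets-per-second samples; the first 10 "quiet" samples train the model.
NORMAL = [100, 102, 98, 101, 99, 100, 103, 97, 100, 100]
RAMP = NORMAL + [101 + j for j in range(30)]   # ARD-2:RCM-1: +1 pkt/s per sample, up to 130
BURST = NORMAL + [300] * 5                     # ARD-1: constant high rate, an obvious anomaly

def trained_threshold(window, k=3.0):
    """NBS-2: threshold learned from recent normal samples (mean + k standard deviations)."""
    return mean(window) + k * pstdev(window)

def detect(rates, window=10, k=3.0, max_growth=None):
    """Return indices of samples marked anomalous. Samples judged normal are fed back into
    the model (the 'model must be updated' step). With max_growth=None the retrained
    threshold may rise without limit; otherwise it may never exceed the first learned
    threshold times max_growth, which blocks the slow-ramp manipulation."""
    train = list(rates[:window])
    base = trained_threshold(train, k)
    alarms = []
    for i in range(window, len(rates)):
        thr = trained_threshold(train[-window:], k)
        if max_growth is not None:
            thr = min(thr, base * max_growth)
        if rates[i] > thr:
            alarms.append(i)          # anomalous samples never retrain the model
        else:
            train.append(rates[i])
    return alarms

if __name__ == "__main__":
    print("burst, naive: ", detect(BURST))                  # caught immediately
    print("ramp,  naive: ", detect(RAMP))                   # never caught: the model drifts upward
    print("ramp,  capped:", detect(RAMP, max_growth=1.2))  # caught once the cap is reached
```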
AL-2: Reactive
• AL-2:ADS-3: Third-Party Detection
  • Rely on an external message that signals the occurrence of an attack and the attack characterization
AL-2:ARS: Attack Response Strategy
• What does the system do to minimize the impact of an attack?
  • Goal is to relieve the impact of the attack on the victim with minimal collateral damage
• AL-2:ARS-1: Agent Identification
  • Provides the victim with information about the identity of the attacking machines
  • Ex. Traceback techniques
• AL-2:ARS-2: Rate-Limiting
  • Extremely high-scale attacks might still be effective
• AL-2:ARS-3: Filtering
  • Filter out attack streams
  • Risk of accidental DoS to legitimate traffic; clever attackers might use it as a DoS tool
  • Ex. Dynamically deployed firewalls
• AL-2:ARS-4: Reconfiguration
  • Change the topology of the victim or intermediate network
  • Add more resources or isolate attack machines
  • Ex. Reconfigurable overlay networks, replication services
CD: Cooperation Degree
• How much do defense systems work together?
• CD-1: Autonomous
  • Independent defense at the point of deployment
  • Ex. Firewalls, IDSs
• CD-2: Cooperative
  • Capable of autonomous detection/response
  • Cooperate with other entities for better performance
  • Ex. Aggregate Congestion Control (ACC) with pushback mechanism
    • Autonomously detect, characterize and act on the attack
    • Better performance if rate-limit requests are sent to upstream routers
• CD-3: Interdependent
  • Cannot operate on their own
  • Require deployment at multiple networks or rely on other entities for attack prevention, detection or efficient response
  • Ex. Traceback mechanism on one router is useless
DL: Deployment Location
• Where are defense systems located?
• DL-1: Victim Network
  • Ex. Resource accounting, protocol security mechanisms
• DL-2: Intermediate Network
  • Provide defense service to a large number of hosts
  • Ex. Pushback, traceback techniques
• DL-3: Source Network
  • Prevent network customers from generating DDoS attacks
Using the Taxonomies
• How can the taxonomies be used?
  • A map of DDoS research
  • Common vocabulary
  • Understanding of solution constraints
  • DDoS benchmark generation
  • Exploring new attack strategies
  • Design of attack class-specific solutions
  • Identifying unexplored research areas
Strengths
• Primary contribution
  • Obviously the taxonomy of DDoS mechanisms and defenses
  • Fosters easier cooperation among researchers
  • Covers current attacks and research
Weaknesses
• Clearly non-exhaustive categorization of attacks
• Naming conventions
  • AL-2:ADS-2:NBS-1 is not easily understandable
Improvements
• Use the taxonomy to create defenses
• How do you improve a taxonomy?
Summary
• Taxonomy of DDoS attacks and defenses
  • There are many characteristics of DDoS attacks and defenses
  • Hard to design a defense against all attack types