------ an overview zhang fu [email protected]. outline what is ddos ? how it can be done? different...
TRANSCRIPT
Mitigating DDoS Attacks------ An Overview
Zhang [email protected]
OutlineWhat is DDoS ? How it can be done?Different types of DDoS attacks.Reactive VS Proactive DefenceSome noticeable solutionsCrux issuesDiscussionThe “battle” is going on.
DDoS AttacksA Denial of Service (DoS) attack is an attempt by the
attacker to prevent the legitimate users of a service from using that service.
If the attack is launched from multiple compromised machines, then it is a Distributed Denial of Service (DDoS) attack.
Basic Types of DDoS attacks: Sending malformed packets to confuse systems (protocol or
application). Can be also called semantic attack. Example: SYN-flooding, Teardrop Attacks
Flooding packets to the victim to depleting key resources (bandwidth). Can be also called brute-force attack. Example: DNS request flooding, Smurf attack.
DDoS Attacks (cont.)What makes DDoS possible?
End-to-End paradigm : intermediate network provides best-effort packets delivery service.
Different networks do not have effective cooperation. Victim’s security relies on the rest of the network End hosts can not control the bandwidth allocation
or queuing mechanism of the network Control is distributed.
Zhang [email protected]
Steps of launching DDoS attacksRecruiting and Exploit.Propagation.Launching attacks.
order
attack
Victim TypesApplication
Target on a given application. If the resource is not completely consumed, other application maybe still available.
The attack traffic volume is usually small, and seems to be normal packets. E.g. signature attack.
Host Overwhelming the host’s communication mechanism. Or make the host
crash/reboot. The attack traffic is usually big. The host can not solve the problem alone.
Resource Attack Attack some critical entities in the victim’s network, such as DNS server. Congest some critical links of the network. The attack traffic is big and easy to detect. But need cooperation to
defense.
Victim Types (cont.)Infrastructure
Aim to disable the critical service of the whole Internet, such as root DNS server, core network, certificate server.
The attack can aggregate a huge volume of traffic with in a very short time period.
Need cooperation to defend against this attack.
Impact of the attackDisruptive: completely disable the victim’s
service. The victim can recover automatically after the
attack. Some may need human to be involved. And some may be not recoverable.
Degrading: consume some portion of the victim’s resource. Success depends on the service. QoS plays an
important role. Not easy to detect. Tradeoff between deploying a defense mechanism
and losing market caused by the degradation.
Summary of DDoS attacksWhat is a DoS / DDoS attack?Why DDoS attacks can be launched
successfully?DDoS attacks target both in application layer
and network layer.Some DDoS attacks aims to completely
deplete the resource of the victim, while others aims to degrade the quality of the victim’s service.
Challenges for defense mechanismsDDoS is a problem in distributed manner. It
needs to be solved in a distributed way. However, assumption of global deployment would be rather strong.
Some attacks can be hardly defined. Many factors may be involved, such as number of compromised machines, attack rate, attack duration, impact of the attack.
Lack of universal benchmark.Lack of test platforms for large scale
network.
Principles for counter measuresSecurity
The attacker can hardly break the secrets used in the system. Or find a semantic flaw to attack the system.
Accuracy The system should filter out the malicious traffic as
much as possible and affect the legitimate traffic as little as possible.
Efficiency Keep the overhead within a acceptable threshold
Safe Failure When the system is fail, the situation can not be worse
than that before the deployment.
Which way to go? Proactive VS ReactiveProactive solutions aim at prevent the DDoS
attacks from beginning. Or the victim’s service is not denied during the attacks. How to prevent DDoS attacks? Secure the hosts,
Build DDoS-resilient protocol. We need both police and doctor!
How to make system tolerate DDoS attacks? Resource accounting, provide more resource.
Examples of proactive solutions: puzzle based solutions, network capability, secure overlay.
Proactive VS Reactive (cont.)Reactive solutions aims at mitigate DDoS attacks
when the victim suffers those attacks, or some DDoS attacks are detected. Need some detection mechanisms. Less
overhead in the normal situation. The problem is how to identify DDoS attacks,
what are the proper responses for different kinds of attacks?• Use models of attacks to detect. We can also define
abnormal behaviors for detection, But have to be careful with false positive.
• Block identified zombies, or rate limiting /filtering.
14
Network Layer DefenseNetwork Capability
Choose a path from source to the destination Capability Establishment (Sending Request and getting Capability) Sending Packets with Capability Capability Refreshing
Internet
Packet Marking (Trace back)• Packets will be marked by the routers along the path.• When DDoS attacks occur, the victim will identify the attacking sources.• Victim will also send control command to the router which is near to the sources to limit the malicious traffic.
What’re the advantages
and disadvantage
s?
SOS: Secure Overlay Service
Application Layer DefenseHow can network-based applications defend by themselves?Solutions inspired by Frequency Hopping.
ACK-based port hopping (Badishi et al. 2005)Port hopping with bounded clock offset (Lee and Ting
2004)Hopping authentication code (Srivatsa et al 2006)Port hopping in the presence of clock drifts. (Zhang et
al.2008)
Crux IssuesIP spoofing.Network topology dependency.Refreshing secrets.Feedback mechanisms.Space efficiency.
We can hardly solve DDoS problem completely. The ideal solution could be very complicated. We might need an integrated solution. However, it’s unclear about the optimal integration.
SummaryWhat is DDoSWhy it is possible What is the main category of defence
mechanisms We want secure, robust, efficient solutions
for the problem.Zhang Fu
20
The End
Thank You