TRANSCRIPT
Evil DDoS Attacks and Strong Defenses
Group 6: Yisi Lu, YuanTong Lu, Hao Wu, YuChen Liu, Hua Li
Distributed: large-scale attacks
Denial of service: deny the victim's access to a particular resource (service).
• Volume Based Attacks: the goal of a volume-based attack is to saturate the bandwidth of the attacked site.
• Protocol Based Attacks: exploit a specific feature or implementation bug of some protocol installed at the victim in order to consume excess amounts of its resources.
• Application Layer Attacks: the goal of these attacks is to crash the web server.
Volume Based Attacks
--> UDP floods
--> ICMP floods
--> Other spoofed-packet floods
Paper: Classification of UDP traffic for DDoS detection
Alexandru G. Bardas, Loai Zomlot, Sathya Chandran Sundaramurthy, Xinming Ou, S. Raj Rajagopalan, Marc R. Eisenbarth
Published in: LEET'12, Proceedings of the 5th USENIX conference on Large-Scale Exploits and Emergent Threats, USENIX Association, Berkeley, CA, USA, 2012
Basic points of the article
(1) Examine the "proportional packet rate" assumption; test it on a large number of production networks.
(2) An algorithm for UDP traffic that aims at differentiating benign and flooding UDP flows based on that assumption.
(3) Two operation modes of using the algorithm for thwarting UDP-based DDoS flooding.
Background information
-> UDP is a stateless, simple protocol
-> UDP floods: easy to launch but hard to detect
-> Existing DoS sensors and prevention mechanisms are either ineffective or not applicable
-> Assumption: under normal operations, the packet rate in one direction is proportional to the packet rate in the opposite direction
-> Algorithm: put into a NACK queue rather than the waiting queue.
Experiments
i. Validating the assumption
ii. Ratio function for UDP attack traffic
iii. Performance, accuracy, calibration
Summary for this article: since a UDP flooding attack is a kind of volume-based attack, we should analyze the flow of packets to determine whether the flow is benign or a DDoS attack. The paper gives a possible mechanism to detect and evaluate the flow, and it gives possible protections against the detected DDoS attack.
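The proportional-packet-rate check, as an added example written for this transcript (it is not the paper's code and does not reproduce the paper's thresholds): each UDP host pair is counted in both directions per time window, and a pair with enough packets whose direction ratio is far outside the proportional range is flagged as a flood. The packet records, the 20-packet minimum, the ratio limit of 10 and the allowlist of one-way ports are all constructed assumptions for illustration.

```python
from collections import defaultdict

# Assumption: some UDP services are legitimately one-way (syslog here), so a
# skewed ratio on those ports is not evidence of a flood. The paper calibrates
# such exceptions per network; this list is only an illustration.
ONE_WAY_OK_PORTS = frozenset({514})


def flow_key(src_ip, dst_ip):
    """Canonical host-pair key, plus whether this packet travels 'forward' (from the lower address)."""
    a, b = sorted((src_ip, dst_ip))
    return (a, b), src_ip == a


def count_directions(packets, window=1.0):
    """Per (time window, host pair): [forward packets, backward packets, destination ports seen]."""
    counts = defaultdict(lambda: [0, 0, set()])
    for ts, src_ip, _src_port, dst_ip, dst_port in packets:
        key, forward = flow_key(src_ip, dst_ip)
        entry = counts[(int(ts // window), key)]
        entry[0 if forward else 1] += 1
        entry[2].add(dst_port)
    return counts


def classify(packets, window=1.0, min_packets=20, max_ratio=10.0,
             one_way_ok_ports=ONE_WAY_OK_PORTS):
    """Return {(window, host pair): (forward, backward, verdict)}.

    Under the proportional-packet-rate assumption a benign flow keeps a bounded
    ratio between its two directions. A pair with enough packets to judge and a
    ratio above max_ratio is a suspected flood, unless it only uses ports known
    to be one-way. The thresholds are assumptions, not values from the paper.
    """
    verdicts = {}
    for (bucket, key), (fwd, bwd, ports) in count_directions(packets, window).items():
        if fwd + bwd < min_packets:
            verdict = "insufficient"  # too few packets to judge yet
        elif ports <= one_way_ok_ports:
            verdict = "benign"        # known one-way service
        else:
            ratio = max(fwd, bwd) / max(1, min(fwd, bwd))
            verdict = "flood" if ratio > max_ratio else "benign"
        verdicts[(bucket, key)] = (fwd, bwd, verdict)
    return verdicts


def flooding_pairs(packets, **kwargs):
    """Host pairs flagged in any window; a caller would divert these to the NACK queue."""
    return sorted({key for (_, key), (_, _, v) in classify(packets, **kwargs).items() if v == "flood"})


# Constructed sample records (not a real capture): (timestamp, src_ip, src_port, dst_ip, dst_port)
def _dns_exchange(n):
    pkts = []
    for i in range(n):
        t = 0.05 * i
        pkts.append((t, "10.0.0.5", 40000 + i, "10.0.0.53", 53))         # query
        pkts.append((t + 0.01, "10.0.0.53", 53, "10.0.0.5", 40000 + i))  # response
    return pkts


def _udp_flood(n):
    # Spoofed source: whatever the victim answers goes elsewhere, so nothing comes back.
    return [(0.002 * i, "203.0.113.9", 1234, "10.0.0.53", 53) for i in range(n)]


def _syslog(n):
    return [(0.01 * i, "10.0.0.7", 55000, "10.0.0.10", 514) for i in range(n)]


SAMPLE_PACKETS = _dns_exchange(10) + _udp_flood(500) + _syslog(50)

if __name__ == "__main__":
    for (bucket, pair), (fwd, bwd, verdict) in sorted(classify(SAMPLE_PACKETS).items()):
        print(f"window {bucket} {pair[0]} <-> {pair[1]}: fwd={fwd} bwd={bwd} -> {verdict}")
    print("flooding pairs:", flooding_pairs(SAMPLE_PACKETS))
```

The flood shows up as 500 packets in one direction and none back, while the DNS exchange sits at a 1:1 ratio and the syslog stream is excused by the allowlist. The check is per host pair, which is a simplification: a deployment would also have to decide how to treat many spoofed sources hitting one victim, which this key lumps into separate pairs.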
Protocol Based Attacks
Protocol based DDoS
• Definition: this type of attack consumes actual server resources, or those of intermediate communication equipment such as firewalls and load balancers, and is measured in packets per second.
• Two popular protocol based DDoS attacks: Ping of Death, SYN flood
Ping of Death
• Definition: a ping of death is a type of attack on a computer that involves sending a malformed or otherwise malicious ping to a computer.
• Reassembly: many computer systems could not handle a ping packet larger than 65535 bytes, the maximum IPv4 packet size. The oversized ping arrives as IP fragments, and reassembling them overflows the reassembly buffer, so the larger packet could crash the target computer.
SYN Floods
• Attack:
  1. Send a large number of TCP open (SYN) requests.
  2. The OS allocates resources to track the half-open TCP connection state.
  3. Since the sender's IP is forged, the SYN-ACK goes to the forged address and the final ACK never comes back.
  4. By continuing to send these requests, the attacker can exhaust the resources on the server machine.
SYN Floods
• Defenses: SYN caches, SYN cookies
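SYN cookies as an added example for this transcript (not code from the presentation or from any operating system): the server encodes its SYN-ACK sequence number as a cookie that binds the connection tuple, the client's ISN and a coarse time counter under a secret, so it keeps no state for half-open connections; only a final ACK that carries a valid cookie creates a connection entry. The bit layout, the 64-second counter, the MSS table and the secret are simplified assumptions in the spirit of the Linux scheme, not its exact format.

```python
import hmac
import hashlib
import struct

SECRET = b"example-secret-rotate-me"   # assumption: per-server secret, rotated periodically
MSS_TABLE = (536, 1220, 1460, 4312)   # MSS is stored as a 2-bit index because the cookie has no room for it
COUNTER_WINDOW = 2                     # accept cookies from the current and the previous counter value
MAC_BITS = 25


def _counter(now):
    """Coarse time counter (assumption: 64-second epochs) so old cookies expire."""
    return int(now) // 64


def _mac(saddr, daddr, sport, dport, client_isn, counter):
    msg = b"|".join([saddr.encode(), daddr.encode(),
                     struct.pack("!HHII", sport, dport, client_isn & 0xFFFFFFFF, counter & 0xFFFFFFFF)])
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << MAC_BITS) - 1)


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, now):
    """Server ISN for the SYN-ACK: top 5 bits = counter, next 2 bits = MSS index, low 25 bits = MAC."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):       # largest table value not above the client's MSS
        if m <= mss:
            idx = i
    counter = _counter(now)
    return ((counter & 0x1F) << 27) | (idx << 25) | _mac(saddr, daddr, sport, dport, client_isn, counter)


def check_cookie(saddr, daddr, sport, dport, seq, ack, now):
    """Validate the final ACK of the handshake. Returns the MSS to use, or None if the cookie is bad or stale."""
    cookie = (ack - 1) & 0xFFFFFFFF        # the client acknowledges our ISN + 1
    client_isn = (seq - 1) & 0xFFFFFFFF    # the client's own sequence number is its ISN + 1
    counter_bits, idx, mac = cookie >> 27, (cookie >> 25) & 0x3, cookie & ((1 << MAC_BITS) - 1)
    current = _counter(now)
    for back in range(COUNTER_WINDOW):
        counter = current - back
        if (counter & 0x1F) != counter_bits:
            continue
        expected = _mac(saddr, daddr, sport, dport, client_isn, counter)
        if hmac.compare_digest(expected.to_bytes(4, "big"), mac.to_bytes(4, "big")):
            return MSS_TABLE[idx]
    return None


class SynCookieListener:
    """Half-open connections are never stored; an entry is created only after a valid final ACK."""

    def __init__(self, addr, port):
        self.addr, self.port = addr, port
        self.established = {}   # (peer_ip, peer_port) -> negotiated MSS

    def on_syn(self, src, sport, client_isn, mss, now):
        # Reply with a SYN-ACK whose sequence number *is* the cookie; nothing is allocated.
        return make_cookie(src, self.addr, sport, self.port, client_isn, mss, now)

    def on_ack(self, src, sport, seq, ack, now):
        mss = check_cookie(src, self.addr, sport, self.port, seq, ack, now)
        if mss is not None:
            self.established[(src, sport)] = mss
        return mss


def simulate():
    """Spoofed flood costs no state; a real client still connects; forged and stale ACKs are rejected."""
    srv = SynCookieListener("10.0.0.80", 80)
    now = 1_700_000_000
    for i in range(50_000):                  # constructed flood from forged addresses
        srv.on_syn("198.51.100.%d" % (i % 250 + 1), 1024 + i % 60000, i * 7919, 1460, now)
    isn = 123456789
    synack_seq = srv.on_syn("192.0.2.10", 51000, isn, 1460, now)
    ok = srv.on_ack("192.0.2.10", 51000, isn + 1, synack_seq + 1, now + 3)
    forged = srv.on_ack("192.0.2.10", 51000, isn + 1, (synack_seq ^ 0x1) + 1, now + 3)
    stale = srv.on_ack("192.0.2.10", 51000, isn + 1, synack_seq + 1, now + 200)
    return len(srv.established), ok, forged, stale


if __name__ == "__main__":
    print(simulate())
```

The price of statelessness is visible in the code: TCP options that do not fit in the cookie are lost (only a coarse MSS survives), and the 25-bit MAC is what stands between a guessing attacker and a spoofed connection, which is why real implementations only switch cookies on once the backlog is under pressure.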
Application Layer Attacks
Comprised of seemingly legitimate and innocent requests
• Crash the web server
• Delay the response time or even block the service
Application layer DDoS attack: difference from other layers
Other-layer attack:
• Target: network bandwidth around Internet subsystems such as routers, Domain Name Servers, or web clusters.
App-layer attack:
• High level protocol such as HTTP.
• Legitimate lower level packets
• Harder to monitor and mitigate (more complicated and diverse)
Application layer DDoS attack
Types:
• Request-flooding: many requests in one HTTP session
• Session-flooding: many sessions are set up by one client
• Asymmetric: each request is very time-consuming
Application layer DDoS attack
Defense:
• Determine suspicious sessions/clients using previously collected data
• Least suspicion first served, high suspicion blocked
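An added example of that defense, written for this transcript rather than taken from the presentation or from any published scheduler: each session gets a suspicion score from how far it exceeds a legitimate-user baseline on the three attack types above (requests per session, sessions per client, cost per request), and a scheduler serves the least suspicious sessions first within a capacity budget, defers the rest and blocks sessions above a threshold. The baseline numbers, the sessions and the thresholds are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    session_id: str
    client_ip: str
    requests: int        # requests seen in the current window
    avg_cost_ms: float   # average server-side cost of those requests


# Assumed profile of legitimate users "from previously collected data" (constructed numbers).
BASELINE = {"requests": 12.0, "sessions_per_client": 1.5, "avg_cost_ms": 20.0}


def suspicion(session, sessions_per_client, baseline=BASELINE):
    """Sum of how many times the session exceeds the baseline on each attack type; ~0 for a normal user."""
    def excess(value, normal):
        return max(0.0, value / normal - 1.0)

    return (excess(session.requests, baseline["requests"])                                    # request flooding
            + excess(sessions_per_client[session.client_ip], baseline["sessions_per_client"])  # session flooding
            + excess(session.avg_cost_ms, baseline["avg_cost_ms"]))                            # asymmetric requests


def schedule(sessions, capacity, block_threshold=5.0, baseline=BASELINE):
    """Serve whole sessions in order of rising suspicion until the request budget runs out.

    Sessions above block_threshold are blocked outright; sessions that do not fit in the
    remaining capacity are deferred to a later round rather than dropped.
    """
    per_client = Counter(s.client_ip for s in sessions)
    ranked = sorted(((suspicion(s, per_client, baseline), s) for s in sessions),
                    key=lambda pair: (pair[0], pair[1].session_id))
    served, deferred, blocked = [], [], []
    for score, s in ranked:
        if score > block_threshold:
            blocked.append(s.session_id)
        elif s.requests <= capacity:
            capacity -= s.requests
            served.append(s.session_id)
        else:
            deferred.append(s.session_id)
    return {"served": served, "deferred": deferred, "blocked": blocked}


# Constructed sessions covering a normal user, an impatient one and the three attack types.
SAMPLE_SESSIONS = [
    Session("legit-1", "192.0.2.10", 10, 20.0),
    Session("legit-2", "192.0.2.11", 14, 25.0),
    Session("impatient", "192.0.2.12", 30, 20.0),      # real user hammering refresh
    Session("req-flood", "203.0.113.5", 600, 20.0),    # request flooding
    Session("asymmetric", "203.0.113.7", 12, 2000.0),  # few but very expensive requests
] + [Session("sess-flood-%d" % i, "203.0.113.6", 5, 20.0) for i in range(12)]  # session flooding

if __name__ == "__main__":
    per_client = Counter(s.client_ip for s in SAMPLE_SESSIONS)
    for s in SAMPLE_SESSIONS[:5]:
        print(f"{s.session_id:>10}: suspicion {suspicion(s, per_client):.2f}")
    print(schedule(SAMPLE_SESSIONS, capacity=30))
```

With a budget of 30 requests the two ordinary users are served, the impatient user is deferred to the next round, and the three attackers are blocked. The deferral of the impatient user is the cost this kind of scheduler imposes, and a botnet whose individual members each stay under the baseline would score like ordinary users.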
Application layer DDoS attack
Our Opinion
• Complex because it mimics legitimate user requests a lot
• Involves more human decisions, which are not as normalized as things in lower layers
• The solutions lead to cases where some time-consuming or impatient user requests are postponed for a long time
• Still not a solution for the case where a botnet is employed to perform the attack.
Comparison

                  Volume-based   Protocol-based   Application Layer
Request           Bogus          Bogus            Legitimate
Protocol          UDP, ICMP      TCP, ICMP        HTTP, HTTPS
Connection        Not full       Not full         Full
High-bandwidth    Yes            Yes              No
Detectable        Yes            Yes              Stealthy
Protection        Easy           Easy             Hard
Q&A