GORAN OSIM AND TIM MYERS CPSC 424 DDOS AND THE SYSADMIN

Upload: marcus-anderson

Post on 03-Jan-2016

Page 1: GORAN OSIM AND TIM MYERS CPSC 424 DDOS AND THE SYSADMIN

GORAN OSIM AND TIM MYERS, CPSC 424

DDOS AND THE SYSADMIN

Page 2: WHAT IS DDOS?

• DoS stands for Denial of Service
• It is an attempt to make a computer resource unavailable to its intended users
• The term is generally used with regard to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management
• DDoS is a Distributed Denial of Service
• It generally consists of the concerted efforts of a person or group of people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely

Page 3: HISTORY OF DDOS

• Distributed DoS attacks are much newer than simple DoS attacks. The first attack sighted was in late June and early July of 1999.
• The first well-publicized DDoS attack in the public press was in February 2000. On February 7, Yahoo! was the victim of a DDoS during which its Internet portal was inaccessible for three hours.
• In a DDoS attack, the attacking packets come from tens or hundreds of addresses rather than just one, as in a "standard" DoS attack.

Page 4: STRUCTURE OF DDOS ATTACK

Page 5: EFFECT ON THE SYSADMIN

• Lack of service on the network
• Little can be done until the attack subsides
• Checks can be done, such as a SYN flood check, but they cannot remedy the problem
• Anycast is a way to mitigate DDoS attacks
• It is a network addressing and routing methodology in which datagrams from a single sender are routed to the topologically nearest node in a group of potential receivers, all identified by the same destination address
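As an added example that is not part of the slides, the SYN flood check mentioned above written as a defender-side script: it parses a constructed snapshot shaped like `ss -tan` output, counts half-open (SYN-RECV) sockets against the total, and reports how spread out the sources are, which shows why such a check can detect a flood from many addresses but not remedy it. The thresholds, column layout and sample addresses are assumptions.

```python
from collections import Counter

# Constructed sample in the shape of `ss -tan` output on a web server
# (columns: State Recv-Q Send-Q Local Address:Port Peer Address:Port).
SUSPECT_SNAPSHOT = """\
State     Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB     0      0      10.0.0.5:443       198.51.100.7:51514
ESTAB     0      0      10.0.0.5:443       198.51.100.9:40320
SYN-RECV  0      0      10.0.0.5:443       203.0.113.10:40001
SYN-RECV  0      0      10.0.0.5:443       203.0.113.11:40002
SYN-RECV  0      0      10.0.0.5:443       203.0.113.12:40003
SYN-RECV  0      0      10.0.0.5:443       203.0.113.13:40004
SYN-RECV  0      0      10.0.0.5:443       203.0.113.14:40005
SYN-RECV  0      0      10.0.0.5:443       203.0.113.10:40006
"""
# Constructed quiet snapshot: only fully established connections.
QUIET_SNAPSHOT = """\
State     Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB     0      0      10.0.0.5:443       198.51.100.7:51514
"""

def parse_ss(text):
    """Yield (state, peer_ip) for each connection row, skipping the header."""
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        yield parts[0], parts[4].rsplit(":", 1)[0]  # state, peer IP without port

def syn_flood_check(text, max_half_open=200, max_ratio=0.5):
    """Flag a likely SYN flood from one socket snapshot by the count and share of
    half-open (SYN-RECV) sockets; also report source spread, since a flood from
    many addresses (as the slides note) cannot be remedied by blocking one peer."""
    states, per_source = Counter(), Counter()
    for state, peer_ip in parse_ss(text):
        states[state] += 1
        if state == "SYN-RECV":
            per_source[peer_ip] += 1
    total = sum(states.values())
    half_open = states["SYN-RECV"]
    ratio = half_open / total if total else 0.0
    suspicious = half_open >= max_half_open or (half_open > 0 and ratio >= max_ratio)
    return {"half_open": half_open, "total": total, "ratio": round(ratio, 2),
            "suspicious": suspicious, "distinct_sources": len(per_source),
            "max_per_source": max(per_source.values(), default=0)}

if __name__ == "__main__":
    for name, snap in (("suspect", SUSPECT_SNAPSHOT), ("quiet", QUIET_SNAPSHOT)):
        print(name, syn_flood_check(snap))
```

On a live host the snapshot would come from `ss -tan`; a high `distinct_sources` with a low `max_per_source` is the signature of a distributed flood that per-address blocking will not stop.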

Page 6: ANYCAST AND SYSADMINS

• As traffic is routed to the closest node, a process over which the attacker has no control, the DDoS traffic flow will be distributed amongst the closest nodes. Thus, not all nodes might be affected
• The effectiveness of this technique to divert attacks is questionable, however, because unicast addresses (used for maintenance) can be easy to obtain

Page 7: PROTECTION

• A router and firewall are the SysAdmin's first line of defense
• An IDS (Intrusion Detection System) is a must, so the SysAdmin is aware of possible attacks
• The SysAdmin should use an anycast-type topology to route the attacks to various nodes
• Unfortunately, if the attacker makes it past all these, the only thing to do is wait for the attack to end, as they rarely last a significant amount of time

Page 8: CONCLUSION

• DDoS attacks can be devastating to SysAdmins and the networks they administer
• Once an attack is happening, little can be done to stop it
• The SysAdmin must put preliminary defense measures in place beforehand
• A SysAdmin must always be monitoring for such attacks, as they could come from anywhere at any time.

Page 9: QUESTIONS?