1 / 21

Defense Against DDoS

Defense Against DDoS. Presented by Zhanxiang for [Crab] Apr. 15, 2004. DoS & DDoS. DoS: “an attack with the purpose of preventing legitimate users from using a victim computing system or network resource” [3]

Samuel
Download Presentation

Defense Against DDoS

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Defense Against DDoS Presented by Zhanxiang for [Crab] Apr. 15, 2004

  2. DoS & DDoS • DoS: “an attack with the purpose of preventing legitimate users from using a victim computing system or network resource” [3] • DDoS: “A Distributed Denial of Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. “ [4] • You may have paid for the hardware, but do you really own your network?

  3. Typical Attack Skill • SYN Flooding • IP spoofing • Bandwidth attack • Filling victim’s hard disk space • …

  4. What can DoS lead to? • Website • DNS • Mail Server • Emergency • Many tools are available for DoS attack and teenagers must like to try them.[2]

  5. Case Study • DDoS attack hits clickbank and spamcop.net, by Mirko Zorz, June 25, 2003 • Super Bowl fuels gambling sites' extortion fears, by Paul Roberts, IDG News Service, January 28, 2004

  6. Defense • Two general area: • Defense against IP spoofing • Defense against bandwidth flooding attack • Turn to Lingxuan

  7. Against Bandwidth Flooding Attack • Goal: stop attacks on their way to the victims • Scheme: SIFF[1]

  8. SIFF: Assumptions • Marking space in the IP header. • Routers mark every packet. • Short-term Route Stability.

  9. Idea • Divide all traffic into • Privileged: Always get transfer • Unprivileged: Transferred if not affect Privileged packets • Unprivileged -------------------> Privileged handshake (to get the privilege token)

  10. Idea (cont.) • Routers • mark packets in hand shakes • match privilege token while forwarding packets • Recipient refuse the attack flow by • not providing the privilege token • or provide a false one

  11. Packet Identifier Design • Flags field (3-bits). • SF: Packet is non-legacy • PT: EXP or DTA • CU: Capability reply present or not • Capability: Marks modified by routers • C-R: recipients to signal to sender a capability

  12. Handshake Client Routers Server EXP(0) Legend: Packet-Type (Capability) {Capability Reply} EXP(α) EXP(0) {α} EXP(β){α} DTA(!α){β} DTA(!α){β} ……

  13. Router Marking Calculation IP of the Interface that at which the packet arrived at IP of the Last-hop router’s outgoing interface Keyed Hash Fun Marking Last z bits Source IP and Destination IP of the packet

  14. Marking Scheme for EXP • Packets with a capability field of all zeros get marked with an additional 1bit. • Routers push their markings into the least significant bits of the capability field.

  15. Authentication scheme for DTA ? • Routers check the marking in the least significant bits of the capability field, and rotate it into the most significant bits, if it is equal to what the marking would be for an EXPLORER packet.

  16. Key Switch • Why? • If the hash fun does not change periodically, an attacker can simply obtain a capability through a seemingly legitimate request, and then use it to flood the server with privileged traffic. • Solution • Windowed authentication and marking

  17. Windowed authentication and Marking for DTA • Routers check that the marking equals one of the valid markings in its window and always rotate the newest marking in the window into the capability field.

  18. Do Guesses work? • x: # of markings each router maintains in its window; • z: # of bits per router marking; • P(x, z): probability that a randomly guessed capability will pass a particular router.

  19. Can Privilege Channel be Established Under Unprivileged Packet Flooding? • i: hops of the network; • εi: Probability of getting dropped at any one of those routers

  20. Limitations • Depend on mechanism to detect attack • Network with some router not implemented SIFF • Colluding attacker • Host granularity not application granularity

  21. Reference [1] SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks. With Avi Yaar and Dawn Song. Appears in 2004 IEEE Symposium on Security and Privacy [2] Tools: http://staff.washington.edu/dittrich/misc/ddos/ [3]David Karig and Ruby Lee, “Remote Denial of Service Attacks and Countermeasures,” Princeton University Department of Electrical Engineering Technical Report CE-L2001-002, October 2001. [4]Lincoln Stein and John N. Stuart. “The World Wide Web Security FAQ”, Version 3.1.2, February 4, 2002. http://www.w3.org/security/faq/ (8 April 2003).

More Related