Distributed Denial of Service Attacks: Characterization and Defense
Will Lefevers, CS522, UCCS
Outline
• Anatomy of a DDoS Attack: Gibson Research Corporation
• DDoS Attack Characterization
• Advanced DDoS with Traffic Reflection
• Attack Taxonomy
• Potential DDoS Defenses
• Defense Taxonomy
• Initiatives at UCCS
• Next?
Anatomy of a DDoS: Gibson Research Corporation
• May 4th, 2001: two direct-line 1.54Mb T1's were flooded with 1500B UDP packets bound for port 666, plus some ICMP and a little TCP; the ISP didn't filter any of it
• 17 hours of initial downtime, then 5 more attacks
Anatomy of a DDoS: Attack Vector
• 474 “Zombie” systems (mostly from national ISPs), exclusively Win9X, directed by a 13-year-old
• Attacking hosts were unable to IP spoof because of a half-implemented TCP/IP stack in Win9x
Anatomy of a DDoS: Zombie Hosts
• "Bot-farmers" preferred cable ISPs over DSL because of upload bandwidth
• Virus distributed widely, then coordinated through IRC
DDoS Characterization
• Target scarce resources (find the weakest link):
  • Services provided, connectivity, physical network hardware, possibly even bandwidth costs
• Other methods proven to work:
  • TCP SYN half-open or SYN/ACK floods, which disable services by reserving all ports; no new connections can be made
  • ICMP PoD (Ping of Death) can cause an OS dump when packets larger than 65536 bytes are received; takes the system offline
  • Heavy UDP traffic: connectionless, 0 packet delay, quickly floods routers/gateways, killing host and ISP
  • Virus/bot networks (Tribe Flood Network, Stacheldraht, Trinoo), typically using IRC for coordination
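An added example, not from the slides, of how the three flood patterns listed above show up to a defender watching packet summaries: half-open TCP connections that a source never completes, a burst of UDP packets from one source inside a one-second window, and a reassembled datagram longer than IPv4 allows. The `Packet` record, the thresholds, and the sample trace are constructed for illustration.

```python
# Added example (not from the slides): flag the flood patterns described above
# from a stream of packet summaries. Packet records, thresholds and the sample
# trace are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass

HALF_OPEN_LIMIT = 3        # half-open connections per source before alerting
UDP_PPS_LIMIT = 5          # UDP packets per source per one-second window
MAX_IP_DATAGRAM = 65535    # largest legal IPv4 datagram; anything above is PoD-style


@dataclass
class Packet:
    ts: float
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    flags: str = ""     # TCP flags as seen from the client: "S" (SYN) or "A" (ACK)
    length: int = 0     # total reassembled datagram length in bytes


def analyze(packets):
    """Return a list of (alert_type, source) tuples, one per first trigger."""
    alerts, seen = [], set()
    half_open = defaultdict(set)                # src -> {(dst, dport)} awaiting the client's ACK
    udp_window = defaultdict(lambda: [0.0, 0])  # src -> [window_start, packet_count]

    def alert(kind, src):
        if (kind, src) not in seen:
            seen.add((kind, src))
            alerts.append((kind, src))

    for p in packets:
        if p.length > MAX_IP_DATAGRAM:
            alert("oversized-datagram", p.src)   # Ping-of-Death pattern
        if p.proto == "tcp":
            key = (p.dst, p.dport)
            if p.flags == "S":
                half_open[p.src].add(key)        # handshake started
            elif p.flags == "A":
                half_open[p.src].discard(key)    # handshake completed
            if len(half_open[p.src]) >= HALF_OPEN_LIMIT:
                alert("syn-flood", p.src)
        elif p.proto == "udp":
            win = udp_window[p.src]
            if p.ts - win[0] >= 1.0:             # start a fresh one-second window
                win[0], win[1] = p.ts, 0
            win[1] += 1
            if win[1] > UDP_PPS_LIMIT:
                alert("udp-flood", p.src)
    return alerts


# constructed trace: one honest client, then the three flood patterns in turn
SAMPLE = [
    Packet(0.0, "tcp", "10.0.0.5", "192.0.2.10", 80, "S"),      # legitimate SYN ...
    Packet(0.1, "tcp", "10.0.0.5", "192.0.2.10", 80, "A"),      # ... completed by its ACK
    Packet(1.0, "tcp", "198.51.100.7", "192.0.2.10", 80, "S"),  # three SYNs, never completed
    Packet(1.0, "tcp", "198.51.100.7", "192.0.2.10", 443, "S"),
    Packet(1.0, "tcp", "198.51.100.7", "192.0.2.10", 25, "S"),
    *[Packet(2.0 + i * 0.1, "udp", "203.0.113.9", "192.0.2.10", 666, length=1500)
      for i in range(6)],                                        # six UDP packets in one second
    Packet(3.0, "icmp", "203.0.113.4", "192.0.2.10", length=65540),  # oversized echo
]

if __name__ == "__main__":
    for kind, src in analyze(SAMPLE):
        print(f"{kind:<20} from {src}")
```

The half-open tracker only needs the client-side SYN and ACK, which is what an edge sensor sees; a production version would also expire entries by time so a single lost ACK does not count as an attack forever.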
Advanced DDoS: Traffic Reflection
• Real connections: volumes of non-filterable traffic from widely-spread public internet servers at high rates
• No single “reflector” will notice the flood if the packets are forged and spoofed well (from victim to reflector, correct TCP sequence numbers, legitimate service)
• The coordinator/initiator is much harder to find; traffic won't look suspect until you compare each reflector's logs
• Traffic amplification can make things much worse (asymmetric payload) but is less common
• Examples include DNS recursive queries, forged HTTP file requests, FTP bounce techniques
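Because each reflector is sending a legitimate reply to what looks like a legitimate request, the victim cannot filter on the reflector's address. What the victim can see is that the replies were never asked for. The added example below (not from the slides) keeps a short table of the victim's own outbound requests and counts replies that match none of them; when unsolicited replies for one protocol arrive from several distinct servers, it raises an alert. The detector class, window, threshold and trace are constructed.

```python
# Added example (not from the slides): detect reflected traffic at the victim
# by matching inbound responses against requests the victim actually sent.
# The class, thresholds and the sample trace are constructed.
from collections import defaultdict

DISTINCT_REFLECTOR_LIMIT = 3   # unsolicited replies from this many servers -> alert
REQUEST_WINDOW = 2.0           # seconds a sent request stays matchable


class ReflectionDetector:
    def __init__(self, local_ip):
        self.local_ip = local_ip
        self.outstanding = {}                 # (proto, remote_ip, remote_port, local_port) -> ts
        self.unsolicited = defaultdict(set)   # proto -> set of reflector IPs seen
        self.alerts = []                      # (proto, distinct_reflectors)

    def observe(self, ts, proto, src, sport, dst, dport, is_response):
        """Feed one packet summary. is_response: SYN/ACK for TCP, QR bit set for DNS, etc."""
        if src == self.local_ip and not is_response:
            self.outstanding[(proto, dst, dport, sport)] = ts   # remember our own request
            return
        if dst != self.local_ip or not is_response:
            return                                              # not a reply to us
        sent = self.outstanding.pop((proto, src, sport, dport), None)
        if sent is not None and ts - sent <= REQUEST_WINDOW:
            return                                              # matches a real request
        self.unsolicited[proto].add(src)
        if len(self.unsolicited[proto]) >= DISTINCT_REFLECTOR_LIMIT:
            self.alerts.append((proto, len(self.unsolicited[proto])))
            self.unsolicited[proto].clear()


def run_sample():
    """Constructed trace: one genuine DNS lookup and its answer, then DNS answers
    from three resolvers the victim never queried, plus two lone TCP SYN/ACKs."""
    d = ReflectionDetector("192.0.2.10")
    d.observe(0.0, "udp", "192.0.2.10", 40001, "198.51.100.53", 53, False)   # our query
    d.observe(0.1, "udp", "198.51.100.53", 53, "192.0.2.10", 40001, True)    # its answer
    for i, resolver in enumerate(["203.0.113.1", "203.0.113.2", "203.0.113.3"]):
        d.observe(1.0 + i * 0.1, "udp", resolver, 53, "192.0.2.10", 40001, True)
    d.observe(2.0, "tcp", "203.0.113.7", 80, "192.0.2.10", 51000, True)      # below threshold
    d.observe(2.1, "tcp", "203.0.113.8", 80, "192.0.2.10", 51000, True)
    return d.alerts


if __name__ == "__main__":
    print(run_sample())
```

Counting distinct reflectors rather than raw packets is what separates a reflection flood from a single misbehaving server; the same structure works for TCP SYN/ACK backscatter, DNS, or any other request/response service.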
DDoS: Potential Defenses
• Public Internet routers/gateways/switches:
  • Implement filters for malformed packets and common attacks (wide deployment, but feasible)
  • Require ingress route filters and mapping (which side is that host on?) to prevent packet injection
  • "Follow-up" packets (ITRACE) can be forwarded by all routers via ICMP along the data path; this could reveal the slave systems to the reflector and victim
  • Implement QoS and rate-limiting across the board
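The "which side is that host on?" check is the core of ingress filtering: each router interface is mapped to the source prefixes that can legitimately arrive on it, and any packet whose source belongs somewhere else is dropped before it can be injected with a spoofed address. The added example below (not from the slides) implements that check for a two-interface edge router together with two simple malformed-packet filters; the interface map, the bogon list and the sample packets are constructed.

```python
# Added example (not from the slides): ingress filtering for an edge router
# with a customer-facing and an upstream-facing interface. The interface map,
# bogon prefixes and sample packets are constructed for illustration.
import ipaddress

# constructed: the customer side legitimately sources 192.0.2.0/24 only;
# the upstream side can source anything that is not bogon or our own prefix
INTERFACE_SOURCES = {
    "customer": [ipaddress.ip_network("192.0.2.0/24")],
    "upstream": [ipaddress.ip_network("0.0.0.0/0")],
}

# sources that must never arrive from the public Internet (private, loopback, multicast, ...)
BOGON = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "224.0.0.0/4")]


def ingress_verdict(iface, src, dst):
    """Return 'accept' or a 'drop:<reason>' string for a packet seen on iface."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip == dst_ip:
        return "drop:src-equals-dst"           # never legitimate; classic malformed packet
    if iface == "upstream":
        if any(src_ip in n for n in BOGON):
            return "drop:bogon-source"
        # our own prefix must not come *in* from the Internet: it is being spoofed
        if any(src_ip in n for n in INTERFACE_SOURCES["customer"]):
            return "drop:spoofed-own-prefix"
    if not any(src_ip in n for n in INTERFACE_SOURCES[iface]):
        return "drop:not-routed-on-interface"   # the "which side is that host on?" check
    return "accept"


# constructed sample packets: (interface, src, dst)
SAMPLE = [
    ("customer", "192.0.2.7", "198.51.100.1"),     # customer host talking out: fine
    ("customer", "203.0.113.5", "198.51.100.1"),   # customer host spoofing a foreign source
    ("upstream", "203.0.113.5", "192.0.2.7"),      # ordinary inbound traffic: fine
    ("upstream", "10.1.2.3", "192.0.2.7"),         # private source from the Internet
    ("upstream", "192.0.2.9", "192.0.2.7"),        # our own prefix arriving from outside
    ("upstream", "192.0.2.7", "192.0.2.7"),        # source equals destination
]

if __name__ == "__main__":
    for iface, src, dst in SAMPLE:
        print(f"{iface:<9} {src:>14} -> {dst:<12} {ingress_verdict(iface, src, dst)}")
```

On real hardware the same policy is expressed with unicast reverse-path forwarding or per-interface access lists; the point of the check is that a spoofing host's packets die one hop away from it, which is exactly what stops it from joining a reflection attack.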
DDoS: Potential Defenses
• Operating system:
  • Disable address spoofing at the OS (cf. Win9x's half-implemented TCP/IP stack)
  • Implement quota systems for limited resources (FTP shares, TCP ports, etc.)
  • Use TCP cookies: do not allocate resources until the handshake is complete
• Application:
  • Make the TCP sequence numbers harder to guess
• Network:
  • Multi-homed bandwidth and server pools/clusters
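The TCP-cookie idea and the harder-to-guess-sequence-number idea on this slide are two sides of one mechanism. The added example below (not from the slides) shows a SYN-cookie scheme: on SYN the server allocates nothing and instead encodes the connection's 4-tuple, a coarse time counter and the client's MSS into the initial sequence number under a secret key; it allocates a connection only when the returning ACK carries a value it can verify. Because the ISN is a keyed MAC, it is also unpredictable to anyone who does not hold the key. The key, counter granularity, bit layout and MSS table are constructed; real kernels pack the fields differently.

```python
# Added example (not from the slides): a SYN-cookie generator/verifier. The
# secret, the 5/3/24-bit layout and the MSS table are constructed choices;
# production stacks use their own layouts and rotate the secret.
import hmac, hashlib, struct

SECRET = b"constructed-demo-key-rotate-me"
COUNTER_SECONDS = 64                  # the time counter ticks once per 64 s
MSS_TABLE = [536, 1220, 1440, 1460]   # index encoded in 3 bits; client MSS rounded down


def _mac(src, sport, dst, dport, counter):
    """Keyed 32-bit tag over the 4-tuple and the counter value."""
    msg = f"{src}:{sport}>{dst}:{dport}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0]


def make_cookie(src, sport, dst, dport, mss, now):
    """ISN for the SYN/ACK: 5 bits counter | 3 bits MSS index | 24 bits MAC.
    No per-connection state is stored; everything needed is in the number."""
    counter = int(now // COUNTER_SECONDS) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac24 = _mac(src, sport, dst, dport, counter) & 0xFFFFFF
    return (counter << 27) | (mss_idx << 24) | mac24


def check_cookie(src, sport, dst, dport, ack, now, max_age=2):
    """On the client's ACK, recover the cookie from ack-1 and verify it.
    Returns the negotiated MSS on success, None if stale, forged or mismatched."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    current = int(now // COUNTER_SECONDS) & 0x1F
    if ((current - counter) & 0x1F) > max_age:
        return None                                   # too old: stale or replayed
    expected = _mac(src, sport, dst, dport, counter) & 0xFFFFFF
    if not hmac.compare_digest(struct.pack(">I", cookie & 0xFFFFFF),
                               struct.pack(">I", expected)):
        return None                                   # wrong 4-tuple or guessed ISN
    return MSS_TABLE[mss_idx]


def demo():
    """Constructed exchange: a valid ACK, a guessed ACK, an ACK from a different
    source, and a valid ACK that arrives five counter ticks late."""
    now = 1_000_000.0
    isn = make_cookie("198.51.100.7", 40000, "192.0.2.10", 80, 1460, now)
    ok = check_cookie("198.51.100.7", 40000, "192.0.2.10", 80, isn + 1, now + 10)
    guessed = check_cookie("198.51.100.7", 40000, "192.0.2.10", 80, isn + 2, now + 10)
    other_src = check_cookie("203.0.113.9", 40000, "192.0.2.10", 80, isn + 1, now + 10)
    stale = check_cookie("198.51.100.7", 40000, "192.0.2.10", 80, isn + 1,
                         now + 5 * COUNTER_SECONDS)
    return ok, guessed, other_src, stale


if __name__ == "__main__":
    print(demo())   # (1460, None, None, None)
```

The trade-off the slide does not mention: because no state is kept, TCP options that do not fit in the cookie are lost, which is why kernels only switch to cookies once the SYN backlog is under pressure.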
DDoS Initiatives at UCCS
• Rate-limiting with Autonomous Anti-DDoS (A2D2)
  • Based on a Snort plugin which interacts faster with the firewall and utilizes adaptive flood detection methods
  • Explores the efficient use of rate-limiting and content-based queuing
• Network reconfiguration with Secure Collective Defense (SCOLD)
  • Extends the DNS system to support update and retrieval of enhanced DNS entries, including a set of proxy servers for indirect routes
  • Develops an indirect routing protocol on Linux for setting up proxy-based indirect routes when the main route gets flooded
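Both the router-level "QoS and rate-limiting across the board" item two slides earlier and the A2D2 work on adaptive rate-limiting with content-based queuing come down to the same building block: a per-source token bucket whose parameters depend on which service class the source currently sits in. The added example below is not A2D2's code or the slides'; it shows one constructed policy in which every source starts in a generous "normal" class and is demoted to a tightly limited "suspect" class once it has been dropped a few times. The rates, burst sizes, demotion threshold and trace are all constructed.

```python
# Added example (not from the slides or the A2D2 plugin): per-source token
# buckets with two service classes and automatic demotion of sources that keep
# exceeding their allowance. All rates, sizes and the trace are constructed.
from collections import defaultdict

CLASS_RATE = {"normal": (10.0, 20), "suspect": (1.0, 2)}   # (tokens per second, bucket size)
DEMOTE_AFTER_DROPS = 5


class TokenBucket:
    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), now

    def allow(self, now, cost=1):
        """Refill for the elapsed time, then spend `cost` tokens if available."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class RateLimiter:
    def __init__(self):
        self.buckets = {}
        self.klass = defaultdict(lambda: "normal")   # current service class per source
        self.drops = defaultdict(int)

    def admit(self, now, src):
        if src not in self.buckets:
            self.buckets[src] = TokenBucket(*CLASS_RATE[self.klass[src]], now)
        if self.buckets[src].allow(now):
            return True
        self.drops[src] += 1
        if self.klass[src] == "normal" and self.drops[src] >= DEMOTE_AFTER_DROPS:
            # adaptive step: repeated drops move the source to the low-rate class
            self.klass[src] = "suspect"
            self.buckets[src] = TokenBucket(*CLASS_RATE["suspect"], now)
        return False


def run_sample():
    """Constructed trace over one second: a flooder sending 100 packets and a
    normal client sending 5. Returns {src: (admitted, final_class)}."""
    limiter, admitted = RateLimiter(), defaultdict(int)
    events = [(i * 0.01, "flooder") for i in range(100)] + \
             [(i * 0.2, "client") for i in range(5)]
    for now, src in sorted(events):
        if limiter.admit(now, src):
            admitted[src] += 1
    return {src: (admitted[src], limiter.klass[src]) for src in ("flooder", "client")}


if __name__ == "__main__":
    print(run_sample())
```

With these numbers the flooder gets its initial burst of twenty-odd packets through, is demoted after five drops, and is then held to roughly one packet per second, while the client is never affected; the content-based part of A2D2's queuing would decide the class from what the packets contain rather than only from drop history.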
Next Up?
• Route modification: is it possible to drop the attacked IP address and give it another?
• Can we “push” routing table changes to routers?
• Can we change the appearance of our topology from the outside and let the (more capable) ISP handle the problem?
• *Contact me for sources/citations
Review
• Anatomy of a DDoS Attack: Gibson Research Corporation
• DDoS Attack Characterization
• Advanced DDoS with Traffic Reflection
• Attack Taxonomy
• Potential DDoS Defenses
• Defense Taxonomy
• Initiatives at UCCS
• Next?