300 likes | 319 Views
A Taxonomy of DDoS Attack and DDoS Defense Mechanisms ¤. Peter Reiher 3564 Boelter Hall Computer Science Department UCLA. Jelena Mirkovic Computer and Information Sciences Department University of Delaware. CS495 – Spring 2005 Northwestern University Sausan Yazji. Overview.
E N D
A Taxonomy of DDoS Attackand DDoS Defense Mechanisms¤ Peter Reiher3564 Boelter HallComputer Science DepartmentUCLA Jelena MirkovicComputer and Information Sciences DepartmentUniversity of Delaware CS495 – Spring 2005 Northwestern University Sausan Yazji
Overview • Distributed denial-of-service (DDoS) is a rapidly growing problem • Variety approaches for the attacks and the defense Mechanisms • Two taxonomies for classifying attacks and defenses: • Highlight commonalities and important features of attack strategies • Classify the body of existing DDoS defenses based on their design decisions
Background • The DDoS attack mechanisms are changing consistently • The Security measures to deal with the attacks are changing consistently • Setting apart and emphasizing crucial features of attack and defense mechanisms • Abstracting detailed differences between the attacks and defense mechanism
Why? • What are the different ways of perpetrating a DDoS attack? • Why is DDoS a difficult problem to handle? • What attacks have been handled effectively by existing defense systems? • What attacks still remain undressed and why? • How would the defense mechanism behave in case of unrelated attack? • What are the defense mechanism vulnerabilities? • Can the defense mechanism complement each other and how? • How can we contribute to the DDoS field?
Proposed Taxonomy • Covers known attacks and also realistic potential threat • Covers published and commercial approaches • The proposed taxonomy is not: • as detailed as possible • dividing attacks and defenses in an exclusive manner • The depth and width of the proposed taxonomies are not • suitable for a traditional numbering of headings • proposing or advocating any specific DDoS defense mechanism
DDOS ATTACK OVERVIEW • DoS is an explicit attempt to prevent the legitimate use of a service • DDoS deploys multiple attacks to attain this goal
What makes DDoS attacks possible? • Internet security is highly interdependent • Internet resources are limited • Intelligence and resources are not collocated • Accountability is not enforced • Control is distributed
How are DDoS attacks performed? • Recruit multiple agent machines • Exploit the vulnerable recruited machines • Infect the exploited machines with the attack code • Use the infected machines to recruit new agents • Distribute the attack code using useful applications • Hide the identity of agent machines through spoofing
Why do people perpetrate DDoS attacks? • Personal reasons • Prestige • Material gain • Political reasons
DA: Degree of Automation • DA1: Manual • DA2: CM2: Indirect Communication • DA3:Automatic • DA2and DA3:HSS: Host Scanning and Vulnerability Scanning Strategy • DA2 and DA3: HSS1: Random Scanning • DA2 and DA3: HSS2: Hit list Scanning • DA2 and DA3: HSS3: Signpost Scanning • DA2 and DA3: HSS3: Signpost Scanning • DA2 and DA3: HSS5:Local Subnet Scanning
DA: Degree of Automation - continued • DA2 and DA3: VSS • DA2 and DA3: VSS1:Horizontal Scanning • DA2 and DA3: VSS2:Vertical Scanning • DA2 and DA3: VSS3: Coordinated Scanning • DA2 and DA3: VSS4:Stealthy Scanning • DA2 and DA3: PM: Propagation Mechanism • DA2 and DA3: PM1:Central Source Propagation • DA2 and DA3: PM2:BackChaining Propagation • DA2 and DA3: PM3:Autonomous Propagation
EW: ExploitedWeakness to Deny Service • EW1: Semantic • EW2: BruteForce
SAV: Source Address Validity • SAV1: Spoofed Source Address • SAV1: AR: Address Routability • SAV1: AR1: Routable Source Address • SAV1: AR2: NonRoutable Source Address • SAV1: ST: Spoofing Technique • SAV1: ST1: Random Spoofed Source Address • SAV1: ST2: Subnet Spoofed Source Address • SAV1: ST3: En Route Spoofed Source Address • SAV1: ST4: Fixed Spoofed Source Address • SAV2: Valid Source Address
ARD: Attack Rate Dynamics • ARD1: Constant Rate • ARD2: Variable Rate • ARD2: RCM: Rate Change Mechanism • ARD2: RCM1: Increasing Rate • ARD2: RCM2: Fluctuating Rate
PC: Possibility of Characterization • PC1: Characterizable • PC1:RAVS: Relation of Attack to Victim Services • PC1: RAVS1:Filterable • PC1: RAVS2: NonFilterable • PC2: NonCharacterizable
PAS: Persistence of Agent Set • PAS1: Constant Agent Set • PAS2: Variable Agent Set
VT: Victim Type • VT1: Application • VT2: Host • VT3: Resource Attacks • VT4: Network Attacks • VT5: Infrastructure
IV: Impact on the Victim • IV1: Disruptive • IV1: PDR: Possibility of Dynamic Recovery • IV1: PDR1: Self Recoverable • IV1: PDR2: Human Recoverable • IV1: PDR3: Non Recoverable • IV2: Degrading
DDOS DEFENSE CHALLENGE No real complete solution is proposed for the DDoS yet: • Need for a distributed response at many points on the Internet • Economic and social factors • Lack of detailed attack information • Lack of defense system benchmarks • Difficulty of large-scale testing
AL: Activity Level • AL1: Preventive • AL1: PG: Prevention Goal • AL1:PG1:Attack Prevention • AL1:PG1:ST: Secured Target • AL1: PG1: ST1: System Security • AL1: PG1: ST2: Protocol Security • AL1: PG2: DoS Prevention • AL1: PG2: PM: Prevention Method • AL1: PG2: PM1: Resource Accounting • AL1: PG2: PM2: Resource Multiplication
AL: Activity Level - Continued • AL2: Reactive • AL2: ADS: Attack Detection Strategy • AL2: ADS1: Pattern Detection • AL2: ADS2: Anomaly Detection • AL2: ADS2: NBS: Normal Behavior Specification • AL2: ADS2: NBS1:Standard • AL2: ADS2: NBS2:Trained • AL2: ADS3: Third Party Detection • AL2: ARS: Attack Response Strategy • AL2: ARS1: Agent Identification • AL2: ARS2: Rate Limiting • AL2: ARS3: Filtering • AL2: ARS4: Reconfiguration
CD: Cooperation Degree • CD1: Autonomous • Firewalls • Intrusion Detection Systems • CD2: Cooperative • Can operate autonomously at a single deployment point • Aggregate Congestion Control (ACC) System • CD3: Interdependent • Cannot operate autonomously at a single deployment point • Trace Back Mechanism • Secure Overlay Services
DL: Deployment Location • DL1: Victim Network • Protect this network from DDoS attacks • Respond to attacks by alleviating the impact on the victim • DL2: Intermediate Network • Provide defense service to a large number of Internet hosts • Push-back and trace-back techniques • DL3: Source Network • Prevent network customers from generating DDoS attacks • Low motivation
USING THE TAXONOMIES • A map of DDoS research field • Exploring new attack strategies • DDoS benchmark generation • Common vocabulary • Design of attack class-specific solutions • Understanding solution constrains • Identifying unexplored research areas
RELATEDWORK • Classification of DoS attacks according to: • Target Type • Consumed Resource • Exploited Vulnerability • Number of Agent Machines • Focusing on computer attacks in general • Discussion of the DDoS problem and of some defense approaches • Classification of the DDoS defense field only, Intrusion Detection • New studies: • focus on taxonomy of computer incidents • Generation of a DDoS attack overview
CONCLUSION • Help the community think about the threats we face and the possible countermeasures • Foster easier cooperation among researchers • Facilitate communication and offer common language for discussing solutions • Clarify how different mechanisms are likely to work in concert • Identify areas of remaining weaknesses that require additional work • Help developing common metrics and benchmarks for DDoS defense evaluation • Offer a foundation for classifying threats and defenses in DDoS field
A Taxonomy of DDoS Attack and DDoS Defense Mechanisms QUESTIONS?