Distributed Denial of Service (DDoS)

• Definition: A computer attack that hijacks many other Internet computers and instructs them to inundate a target site with packets or requests for data.
• Use of multiple, sometimes compromised systems, to launch attacks
• Types of distributed attacks include:
  • Denial-of-service (Trinoo, tribal flood network, …)
  • Password cracking (saltine cracker, Slurpie)
  • Information gathering (none available yet)
Distributed DoS (diagram)

1. Attacker sends "go" command to handler
2. Handler echoes command back to attacker
3. Handler sends command to agents (Agent 1 through Agent 7; also called slaves or zombies)
4. Agents send flood to target(s)
DDoS Protective Measures

• Keep your systems and applications updated
  • Automated tools can be used to update systems enterprise wide
• Use only trusted tools
  • Untrusted tools could be used to distribute viruses, Trojan horses and back doors
• Employ strong gateway protection (firewall, edge router rules, etc.)
• Use intrusion detection tools to detect specific packet attacks
• Check for Trojan horse and zombie code
  • Network vulnerability scans
  • Host vulnerability scans
  • Antivirus
DDoS Protective Measures

• Egress filtering
  • Disallow packets without a valid source address from leaving your network (prevents IP spoofing)
  • Block certain “broadcast” traffic (for example, ICMP echo reply)
• Ingress filtering
  • ISPs only accept traffic from authorized sources
• Have routers turn off forwarding of IP directed broadcast packets
• Turn off echo and chargen services
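As an added illustration, not part of the original slides, the egress and ingress rules above are written out as a small Python packet-filter model. The site prefix, the ISP's authorized customer prefixes, the sample addresses and the Packet type are all constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example prefixes: the site's own address block and the customer
# prefixes an ISP has authorized (hypothetical documentation ranges).
SITE_PREFIX = ipaddress.ip_network("203.0.113.0/24")
ISP_AUTHORIZED = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]
ECHO_PORT, CHARGEN_PORT = 7, 19
ICMP_ECHO_REPLY = 0

@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0        # destination port for tcp/udp
    icmp_type: int = -1   # ICMP type for icmp packets

def egress_verdict(pkt: Packet) -> str:
    """Site edge, outbound: a packet must carry one of our own source
    addresses (anti-spoofing). Following the slide's example, ICMP echo
    replies are also kept from leaving, so the site cannot act as an
    amplifier for spoofed broadcast pings."""
    if ipaddress.ip_address(pkt.src) not in SITE_PREFIX:
        return "drop:spoofed-source"
    if pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REPLY:
        return "drop:icmp-echo-reply"
    return "accept"

def ingress_verdict(pkt: Packet, authorized=ISP_AUTHORIZED) -> str:
    """ISP/router edge, inbound: accept only authorized source prefixes,
    never forward an IP directed broadcast into the site subnet, and block
    the echo/chargen ports (the services themselves should also be off)."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if not any(src in net for net in authorized):
        return "drop:unauthorized-source"
    if dst == SITE_PREFIX.broadcast_address:
        return "drop:directed-broadcast"
    if pkt.proto in ("tcp", "udp") and pkt.dport in (ECHO_PORT, CHARGEN_PORT):
        return "drop:echo-chargen"
    return "accept"

if __name__ == "__main__":
    # Constructed sample: one legitimate outbound packet, one spoofed one.
    for p in [Packet("203.0.113.5", "198.51.100.9", "tcp", 80),
              Packet("10.0.0.1", "198.51.100.9", "udp", 53)]:
        print(f"{p.src} -> {p.dst} {p.proto}/{p.dport}: {egress_verdict(p)}")
```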
Conclusion

• Proactive security prevents many attacks
  • Implement security policy
• Fast, robust response is key to handling outbreaks
  • Implement incident management
• Blended threat protection requires comprehensive security across gateways, servers, clients
• Security application and management integration increases protection while reducing cost of ownership