Prolog to Lecture 18 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

DDoS In the Real World Do DDoS attacks really happen? What responses are taken in real cases? What tools are available and used today to handle DDoS?

Real World Occurrence of DDoS Estonia, Georgia, Iran, Australia governments have all suffered large DDoS attacks in recent years Companies also get attacked fairly often Usually for extortion Group of US banks attacked in late 2012 It’s pretty common

So What Do Victims Do? Generally, either last it out Or pay extortion, if that’s the goal of the attacker Or enlist help from ISP Who may, in turn, enlist help of other parties

How Do ISPs Help? Two approaches: Drop traffic Block attacking machines

Dropping Traffic Drop traffic before it gets to the victim Which traffic? Usually, ISP engineers examine data flows by hand Dropping obvious attack flows Or all traffic from obvious attack sources May need to get upstream ISPs to help Generally a blunt instrument And not quick

Blocking the Bots Can’t just block them near the target Must get them further upstream Generally at their entry to the Internet Requires cooperation of their providers Won’t do it for just anyone A lot of work, if there are lots of bots

Content Distribution Network Approaches Akamai and similar companies can help their customers They maintain cached copies of customer content And have huge server pools spread around the Internet How does that help?

The Resource Multiplication Solution Cache content at vast number of places As demand increases, increase caching Few attackers can overwhelm big enough cache providers Who could charge for the protection A feasible solution, but not cheap

Do Practical Measures Work? If you can get the necessary parties to help, usually yes What’s theoretically hard might not be too bad, in practice If you are important enough Small fry are likely to get squashed