Major Challenges of DDoS Attacks
Advanced Network Security
Peter Reiher
August, 2014

Outline
- Why is DDoS hard to handle?
- Important characteristics of good DDoS defenses

Why Is DDoS Hard to Handle?
- A simple form of attack
- Designed to prey on the Internet’s strengths
- Easy availability of attack machines
- Attack can look like normal traffic
- Lack of Internet enforcement tools
- Hard to get cooperation from others
- Effective solutions may be hard to deploy

1. Simplicity of Attack
- Basically, just send someone a lot of traffic
  - More complicated versions can add refinements, but that’s the crux of it
- No need to find new vulnerabilities
- No need to worry about timing, tracing, etc.
- Toolkits are readily available to allow the novice to perform DDoS
  - Even distributed parts are very simple

2. DDoS Preys on Internet’s Strengths
- The Internet was designed to deliver lots of traffic
  - From lots of places, to lots of places
- DDoS attackers want to deliver lots of traffic from lots of places to one place
- Any individual packet can look proper to the Internet
  - Without sophisticated analysis, even the entire flow can appear proper

The Internet and Resource Utilization
- The Internet was not designed to monitor resource utilization
  - It’s pretty much first come, first served
- Many network services work the same way
  - And many key underlying mechanisms do, too
- Thus, if a villain can get to the important resources first, he can often deny them to good users

3. Easy Availability of Attack Machines
- DDoS is feasible because attackers can enlist many machines
- Attackers can enlist many machines because many machines are readily vulnerable
- Not hard to find 10,000 crackable machines on the Internet
  - Particularly if you don’t care which ones
- Some reports suggest attack armies of tens of thousands of machines are at the ready

Can’t We Fix These Vulnerabilities?
- Doubtful
- DDoS attacks don’t really harm the attacking machines
- Many people don’t protect their machines even when the attacks can harm them
  - Why will they start protecting their machines just to help others?
- Altruism has not proven to be a compelling argument for network security, to date

4. Attack Can Look Like Normal Traffic
- A DDoS attack can consist of a vast number of requests for a web server’s home page
- No need for attacker to use particular packets or packet contents
  - So neat filtering/signature tools may not help
- Attacker can be arbitrarily sophisticated at mirroring legitimate traffic
  - In principle
  - Not currently done because dumb attacks work so well

5. Lack of Internet Enforcement Tools
- DDoS attackers typically not caught by tracing or observing attack
  - Only by old-fashioned detective work
- The Internet offers no help in tracing a single attack stream
  - Much less multiple ones
- Even if you trace them, a clever attacker leaves no clues of his identity on attack machines

What Is the Internet Lacking?
- No validation of IP source address
- No enforcement of amount of resources used
- No method of tracking attack flows
  - Or those controlling attack flows
- No method of assigning responsibility for bad packets or packet streams
- No mechanism or tools for determining who corrupted a machine

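The "first come, first served" point from the resource-utilization slide and the "no enforcement of amount of resources used" item above can be seen in numbers. The following is an added illustration, not material from the lecture: a server that serves requests in arrival order versus one that caps each source at an equal share of its capacity. The loads, the capacity and the names `flooder` and `legitN` are constructed for the example.

```python
"""Added illustration (not from the slides): a first-come-first-served server
versus one that gives each source an equal share of its capacity. Loads and
capacity are constructed numbers; 'flooder' and 'legitN' are made-up names."""


def constructed_load(flooder_load=900, legit_load=10, legit_sources=9):
    """Requests offered per interval by one heavy sender and several light ones."""
    load = {"flooder": flooder_load}
    for i in range(legit_sources):
        load[f"legit{i}"] = legit_load
    return load


def serve_fifo(offered, capacity):
    """First come, first served. With arrivals interleaved at random, every
    source gets the same *fraction* of its requests served, so the source
    offering ~90% of the load takes ~90% of the capacity."""
    total = sum(offered.values())
    fraction = min(1.0, capacity / total)
    return {src: n * fraction for src, n in offered.items()}


def serve_fair_share(offered, capacity):
    """Max-min fair allocation (water-filling): every source is guaranteed an
    equal share; sources needing less than their share hand the surplus on.
    This is what a per-source fair queue or admission limit would give."""
    served = {src: 0.0 for src in offered}
    remaining = float(capacity)
    pending = dict(offered)
    while pending and remaining > 0:
        share = remaining / len(pending)
        small = {s: n for s, n in pending.items() if n <= share}
        if not small:
            for s in pending:          # everyone left wants more than the share
                served[s] = share
            break
        for s, n in small.items():     # satisfy the light sources fully
            served[s] = float(n)
            remaining -= n
            del pending[s]
    return served


def legit_service_fraction(served, offered):
    """Fraction of the legitimate (non-flooder) requests that got served."""
    legit_offered = sum(n for s, n in offered.items() if s != "flooder")
    legit_served = sum(v for s, v in served.items() if s != "flooder")
    return legit_served / legit_offered


def compare(capacity=100):
    """Legitimate service fraction under both policies for the constructed load."""
    offered = constructed_load()
    return {
        "fifo": legit_service_fraction(serve_fifo(offered, capacity), offered),
        "fair_share": legit_service_fraction(serve_fair_share(offered, capacity), offered),
    }


if __name__ == "__main__":
    for policy, frac in compare().items():
        print(f"{policy:>10}: {frac:.1%} of legitimate requests served")
```

With one sender offering 900 requests against nine senders offering 10 each and a capacity of 100, the FIFO server delivers about 10% of the legitimate requests, while the fair-share server delivers all of them and the heavy sender is held to its one-tenth share. The caveat the slides go on to make still applies: per-source fairness only helps if the heavy load really comes from few sources, which is exactly what a distributed attack avoids.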
6. Poor Cooperation in the Internet
- It’s hard to get anyone to help you stop or trace or prevent an attack
- Even your ISP might not be too cooperative
- Anyone upstream of your ISP is less likely to be cooperative
  - ISPs more likely to cooperate with each other, though
- Even if cooperation occurs, it occurs at human timescales
  - The attack might be over by the time you figure out who to call

7. Effective Solutions May Be Hard to Deploy
- The easiest place to deploy defensive systems is near your own machine
  - But defenses there might not work well
  - E.g., firewall example
- Effective research solutions require deployment near attackers or in Internet core
  - Or, worse, in many places
- A working solution is no use if required parties won’t deploy it
  - Hard to get anything deployed if deployer gets no direct advantage

Defending Against DDoS Attacks
- DDoS attacks sound pretty terrible
- So what do I do to keep my machines and networks safe from DDoS attacks?
- How would I even go about starting to defend myself and others from DDoS attacks?

Desirable Characteristics of DDoS Defense Solutions
- Effective
- Accurate
- Cheap
- Deployable
- Complete

1. Effectiveness of DDoS Defenses
- Does it stop the DDoS attack from crippling my machine?
  - If so, is it merely pushing the problem upstream?
  - Or is it fundamentally solving it?
- Will it only stop disruptive attacks?
  - Or will it also stop degrading attacks?

2. Accuracy of DDoS Defenses
- Ultimately, DDoS defense usually requires dropping some packets
  - Avoiding the DDoS effect by not delivering the attack traffic that causes it
- That’s great, but . . .
- Is it only attack traffic that is getting dropped?
  - Or is my defense system also dropping some legitimate traffic?

The Vital Importance of Accuracy
- The point of a DDoS attack is not to deliver a bunch of bogus packets to you
  - It’s to prevent you from offering regular service
- If your defense mechanism drops both attack packets and legitimate packets,
  - It offers the DDoS attacker another mechanism to deny service
- DDoS defense mechanisms that do not ensure the delivery of all (or almost all) legitimate traffic are of little help!

Collateral Damage
- The term used to describe unintended and undesirable consequences of a defense mechanism
- How much good traffic does the defense mechanism drop (or delay)?
- Low collateral damage is tolerable
- If the collateral damage is high enough, it’s as bad as the attack itself

DDoS Collateral Damage Types
- You drop good packets destined for the target
  - That’s bad
- You drop good packets from an attack source
  - Also bad
- You drop good packets going to and from uninvolved third parties
  - That’s even worse

Accuracy and False Alerts
- Most nodes aren’t under DDoS attack most of the time
- If the DDoS defense system signals an attack when there is no attack, there may be a problem
  - Small problem if the signal doesn’t disrupt the good traffic
  - Big problem if it does

Dimensions of Accuracy
- Detection
  - Did the defense system signal an attack when one occurred?
  - And only when one occurred?
- Response
  - Did the defense system take action only against attack packets?

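The accuracy slides above (dropping legitimate traffic, the three collateral damage types, false alerts, and the detection/response dimensions) describe things that can be counted when a defense is evaluated on labelled traffic. The following is an added worked example, not material from the lecture: it scores two simplified stand-in defenses against a constructed trace of three time windows (quiet, attacked, and a legitimate flash crowd). Everything here is constructed: the host names `victim`, `client0..7`, `bot1`, `bot2` and `other-site`, the thresholds, and the two defense functions, which are illustrative policies rather than any real product.

```python
"""Added worked example (not from the slides): scoring a DDoS defense on the
two accuracy dimensions the slides name, detection (alert only when an attack
is on) and response (act only against attack packets), and breaking the
collateral damage down into the three types listed. The traffic trace is
constructed; the defenses are simplified stand-ins, not any real product."""
from collections import Counter
from dataclasses import dataclass

TARGET = "victim"          # the server being defended (constructed name)
ALERT_THRESHOLD = 6        # packets to TARGET per window before a defense alerts
PER_SOURCE_LIMIT = 5       # per_source_defense drops sources at or above this


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    attack: bool           # ground truth, known only because the trace is constructed


def constructed_trace():
    """Three time windows: quiet, attack, and a legitimate flash crowd."""
    quiet = [Packet(f"client{i}", TARGET, False) for i in range(3)]
    quiet.append(Packet("client0", "other-site", False))   # third-party traffic on the same link
    attack = [Packet(b, TARGET, True) for b in ("bot1", "bot2") for _ in range(10)]
    attack.append(Packet("bot1", TARGET, False))           # the infected host's owner browsing normally
    attack += [Packet(f"client{i}", TARGET, False) for i in range(3)]
    attack.append(Packet("client1", "other-site", False))
    crowd = [Packet(f"client{i}", TARGET, False) for i in range(8)]
    crowd.append(Packet("client2", "other-site", False))
    return [quiet, attack, crowd]


def blanket_defense(window):
    """Crude upstream filter: if TARGET is busy, drop everything on the link.
    Returns (alert, set of dropped packet indices)."""
    to_target = sum(p.dst == TARGET for p in window)
    if to_target > ALERT_THRESHOLD:
        return True, set(range(len(window)))
    return False, set()


def per_source_defense(window):
    """Same alert rule, but only drop sources sending heavily to TARGET."""
    to_target = sum(p.dst == TARGET for p in window)
    if to_target <= ALERT_THRESHOLD:
        return False, set()
    per_src = Counter(p.src for p in window if p.dst == TARGET)
    heavy = {s for s, n in per_src.items() if n >= PER_SOURCE_LIMIT}
    return True, {i for i, p in enumerate(window) if p.src in heavy}


def collateral_type(packet, attack_sources):
    """Classify a dropped legitimate packet into the slides' three damage types."""
    if packet.src in attack_sources:
        return "good_from_attack_source"
    if packet.dst == TARGET:
        return "good_to_target"
    return "good_third_party"


def evaluate(defense, trace):
    """Detection counts (true/false/missed alerts) and response counts
    (attack packets dropped or passed, legitimate packets dropped by type).
    Only non-zero counters appear in the result."""
    m = Counter()
    for window in trace:
        attack_sources = {p.src for p in window if p.attack}
        under_attack = bool(attack_sources)
        alert, dropped = defense(window)
        if alert and under_attack:
            m["true_alerts"] += 1
        elif alert:
            m["false_alerts"] += 1
        elif under_attack:
            m["missed_attacks"] += 1
        for i, p in enumerate(window):
            if p.attack:
                m["attack_dropped" if i in dropped else "attack_passed"] += 1
            elif i in dropped:
                m[collateral_type(p, attack_sources)] += 1
    return dict(m)


if __name__ == "__main__":
    for defense in (blanket_defense, per_source_defense):
        print(defense.__name__, evaluate(defense, constructed_trace()))
```

Both stand-in defenses raise one true alert and one false alert (the flash crowd trips the same packet-count rule), so they score identically on detection. They differ on response: the blanket filter drops all 20 attack packets but also 11 good packets bound for the target, one good packet from an infected host, and 2 packets between uninvolved third parties; the per-source filter drops the same 20 attack packets at the cost of a single good packet from an infected host, and its false alert disrupts nothing, which is the "small problem" case on the false-alerts slide. The per-source rule would of course fare worse against an attack spread over many sources that each stay under the limit, which is why the slides ask for accuracy across the whole range of attacks rather than against one trace.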
3. Cost of DDoS Defense Systems
- Defense systems must be reasonably inexpensive
  - In money, but especially in performance
- Particularly when no attacks are going on
  - Since that will be most of the time
- Low cost important even when attacks are ongoing
  - If defense system eats 95% of your CPU when defending, this can easily deny service to legitimate clients

4. Deployability of DDoS Defenses
- Defense systems on or near to the potential target are highly deployable

Deployability of DDoS Defenses
- Defense systems on or near to potential attackers are less deployable
  1. No economic incentive for deployment
  2. Attacker might gain control of defense system
  3. Wide deployment required for effectiveness

Deployability of DDoS Defenses
- Defense systems in the Internet core face serious deployment challenges
  1. Core routers are already heavily loaded
  2. If you’re putting it in the core, you’d better get it right the first time
  3. Owners of these routers have no economic incentive to deploy defenses

5. Completeness
- A DDoS defense system should handle all kinds of DDoS attacks
  - Systems that only handle SYN floods (for example) are of less value
- Ideally, the entire range of known attacks should be covered
  - Plus anything else we didn’t think about yet

Conclusion
- Distributed denial of service attacks are difficult to handle for multiple reasons
  - Some deal with the nature of the Internet
  - Some deal with business practicalities
  - Some deal with choices in our protocols
- All are hard or impossible to change