Distributed Denial of Service (DDoS) Attacks Goal: Prevent a network site from doing its normal business Method: overwhelm the site with attack traffic Response: ?
The Problem
Characterizing the Problem An attacker compromises many hosts Usually spread across Internet He orders them to send garbage traffic to a target site The combined packet flow overwhelms the target Perhaps his machine Perhaps his network link Perhaps his ISP’s network link
Why Are These Attacks Made? Generally to annoy Sometimes for extortion Sometimes to disable opponent’s network operations If directed at infrastructure, might cripple parts of Internet So who wants to do that . . .?
Attack Methods Pure flooding Of network connection Or of upstream network Overwhelm some other resource SYN flood CPU resources Memory resources Application level resource Direct or reflection
Why “Distributed”? Targets are often highly provisioned servers A single machine usually cannot overwhelm such a server So harness multiple machines to do so Also makes defenses harder
DDoS Attack on DNS Root Servers Concerted ping flood attack on all 13 of the DNS root servers in October 2002 Successfully halted operations on 9 of them Lasted for 1 hour Turned itself off, was not defeated Did not cause major impact on Internet DNS uses caching aggressively Another (less effective) attack in February 2007
DDoS Attack on Estonia Occurred April-May 2007 Estonia removed a statue that Russians liked Then somebody launched large DDoS attack on Estonian government sites Took much of Estonia off-line for ~ 3 weeks DDoS attack on Radio Free Europe sites in Belarus in 2008
How to Defend? A vital characteristic: Don’t just stop a flood ENSURE SERVICE TO LEGITIMATE CLIENTS!!! If you deliver a manageable amount of garbage, you haven’t solved the problem
Complicating Factors High availability of compromised machines At least tens of thousands of zombie machines out there Internet is designed to deliver traffic Regardless of its value IP spoofing allows easy hiding Distributed nature makes legal approaches hard Attacker can choose all aspects of his attack packets Can be a lot like good ones
Basic Defense Approaches Overprovisioning Dynamic increases in provisioning Hiding Tracking attackers Legal approaches Reducing volume of attack
Overprovisioning Be able to handle more traffic than attacker can generate Works well for Microsoft and Google Not a suitable solution for Mom and Pop Internet stores Can sometimes dynamically increase provisioning Some attackers are highly provisioned
Hiding Don’t let most people know where your server is If they can’t find it, they can’t overwhelm it Possible to direct your traffic through other sites first Can they be overwhelmed . . .? Not feasible for sites that serve everyone
Tracking Attackers Almost trivial without IP spoofing With IP spoofing, more challenging Big issue: Once you’ve found them, now what? Not clear tracking actually does much good Not usually feasible for law enforcement to use this information effectively Law enforcement approaches are slow
Reducing the Volume of Traffic Addresses the core problem: Too much traffic coming in, so get rid of some of it Vital to separate the sheep from the goats Unless you have good discrimination techniques, not much help Most DDoS defense proposals are variants of this
Approaches to Reducing the Volume Give preference to your “friends” Require “proof of work” from submitters Detect difference between good and bad traffic Drop the bad Easier said than done
Some Sample Defenses D-Ward DefCOM SOS
D-WARD Core idea is to leverage a difference between DDoS traffic and good traffic Good traffic responds to congestion by backing off DDoS traffic responds to congestion by piling on Look for the sites that are piling on, not backing of
The D-Ward Approach Deploy D-Ward defense boxes at exit points of networks Use ingress filtering here to stop most spoofing Observe two-way traffic to different destinations Throttle “poorly behaved” traffic If it continues to behave badly, throttle it more If it behaves well under throttling, back off and give it more bandwidth
D-WARD in Action requests replies D-WARD attacks D-WARD
A Sample of D-Ward’s Effectiveness
The Problem With D-Ward D-Ward defends other people’s networks from your network’s DDoS attacks It doesn’t defend your network from other people’s DDoS attacks So why would anyone deploy it? No one did, even though, if fully deployed, it could stop DDoS attacks
DefCOM Different network locations are better for different elements Near source good for characterizing traffic Core nodes can filter effectively with small deployments Near target it’s easier to detect and characterize an attack DefCOM combines defense in all locations
DefCOM in Action Classifiers can assure priority for good traffic DefCOM instructs core nodes to apply rate limits core alert generator Core nodes use information from classifiers to prioritize traffic classifier
Benefits of DefCOM Provides effective DDoS defense Without ubiquitous deployment Able to handle higher volume attacks than target end defenses Offers deployment incentives for those who need to deploy things
DefCOM Performance
SOS A hiding approach Don’t let the attackers send packets to the possible target Use an overlay network to deliver traffic to the destination Filter out bad stuff in the overlay Which can be highly provisioned
How SOS Defends Clients are authenticated at the overlay entrance A few source addresses are allowed to reach the protected node All other traffic is filtered out Several overlay nodes designated as “approved” Nobody else can route traffic to protected node Good traffic tunneled to “approved” nodes They forward it to the server Most suited for “private” services
SOS Advantages and Limitations Ensures communication of “confirmed” user with the victim Resilient to overlay node failure Resilient to DoS Problematic for public service Clients must be aware of and use overlay to access victim Traffic routed through suboptimal path Still allows brute force attack on links entering the filtering router in front of client If the attacker can find it Basically dependent on a secret