Overview of Distributed Denial of Service (DDoS) Wei Zhou
Outline of the presentation ● DDoS definition and its attacking architectures ● DDoS classification ● Defense mechanism classification – Reactive VS. Proactive – Classification by defending front-line ● SOS – a case study
What is it? – Two major attacking architecture ● Direct attack ● Reflector attack – Characteristics ● Multiple attackers vs. single victim ● To cause denial of service to legitimate users on the victim – No ready-to-go definition available
Hacker's attacking network Attacking Architecture - Direct Attack Masters (handlers) Zombies
Attacking Architecture – Reflector Attack Reflector Attack Hacker's DDoS attacking network TCP SYN, ICMP, UDP... (with victim's addr. as the src IP addr.) Reflectors
Classification of DDoS Attacks ● Classification by exploited vulnerability – Protocol Attacks ● TCP SYN attacks ● CGI request attacks ● Authentication server attacks ● – Flooding-based Attacks ● Filterable ● Non-filterable
Defense Mechanisms ● Classification by activity level – Reactive mechanisms ● Easy to be deployed ● Hard to tell good guys from bad guys ● Inflexible to adapt new attacks – Proactive mechanisms ● Motivations to deploy ● Accuracy on differentiating packets
Defense Mechanisms (cont.) ● Classification by defending front-line – Victim network – Intermediate network – Source network
At the victim side ● IDS plus Firewall – Detect bogus packets based on well-known attack signatures – Flexibility ● Puzzle solving by clients – Client must solve a puzzle (small scripts, cookies etc.) in order to access server's resources – Efficiency ● Duplicate server resources – Distribute server resources into more places – Synchronization, costs etc. Victim network can't do NOTHING if its link(s) to the ISP is jammed
In the intermediate network ● IP traceback – Can be used to collect forensic evidence – (Need further exploration on this topic) ● Push-back mechanism ● Route-Based packet filtering ● Overlay network
Push-back – the idea R2R2 R0R0 R1R1 R3R3 R7R7 R6R6 R5R5 R4R4 Heavy traffic flow Push-back messages ● Reactive mechanism ● Accuracy of telling 'poor' packets from bad packets
Route-based packet filtering – the idea R2R2 R0R0 R1R1 R3R3 R7R7 R6 R5R5 R4R4 R9R9 R8R8 Routes from node 2 Attack from node 7 with node 2 addresses ● Proactive mechanism ● Overheads ● Need to change routers
At the source side ● Ingress/egress filtering – Ingress filtering ● To prevent packets with faked source IP addresses from entering the network – Egress filtering ● To prevent packets with faked source IP addresses from leaving the network Egress filtering Ingress filtering /
At the source side (cont.) ● D-WARD (DDoS netWork Attack Recognition and Defense) – Balance of inbound and outbound traffic
D-WARD (cont.) ● Motivation of deployment ● Asymmetric problems Source network
SOS – Security Overlay Service ● To protect a dedicated server from DDoS attacks ● Use high-performance filters to drop all the packets not from secret servlets ● Path redundancy in overlay network is used to hide the identities of secret servlets ● Legitimate users enter the overlay network at the point of SOAP (secure overlay access point)
SOS (cont.) Big time delay Overlay network SOAP(s) Secret servlet(s) Server Filter
References ● R. K. C. Chang, “Defending against Flooding-Based Distributed Denial- of-Sevice Attacks: A Tutorial” ● P. Ferguson and D. Senie, “Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing”, RFC 2827 ● J. Ioannidis and S. M. Bellovin, “Implementing Pushback: Router-Based Defense Against DDoS Attacks” ● A. D. Keromytis, V. Misra and D. Rubenstein, “SOS: Secure Overlay Services” ● R. Mahajan, S. M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson and S. Shenker, “Controlling High Bandwidth Aggregates in the Network” ● J. Mirkovic, J. Martin and P. Reiher, “A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms” ● J. Mirkovic, G. Prier and P. Reiher, “Attacking DDoS at the Source” ● K. Park and H. Lee, “A Proactive Approach to Distributed DoS Attack Prevention using Route-Based Packet Filtering”
Thank you!