Survey of Distributed Denial of Service Attacks and Popular Countermeasures. Andrew Knotts, Kent State University. Referenced from: Charalampos Patrikakis, Michalis Masikos, and Olga Zouraraki. Denial of service attacks. Internet Protocol Journal, 7(4):13–25, December 2004.
Survey of Distributed Denial of Service Attacks and Popular Countermeasures
Andrew Knotts, Kent State University
Referenced from: Charalampos Patrikakis, Michalis Masikos, and Olga Zouraraki. Denial of service attacks. Internet Protocol Journal, 7(4):13–25, December 2004.

Outline
 Introduction/Overview
 Recruiting Zombie Machines
 Spreading the Virus
 A Typical DDoS Attack
 Defending Against a DDoS Attack

Diagram (slide image): Confidentiality, Integrity, Availability; Storing, Processing, Transmitting; Education, Policies, Technology.

DoS vs. DDoS Attacks
A DoS attack is targeted at a particular node (machine) and attempts to deny service to that node.
Source of the attack:
 Single node: DoS (Denial of Service) attack
 Multiple nodes: DDoS (Distributed Denial of Service) attack

DDoS Attacks: A Tough Problem
 Victims are unable to communicate with other machines, so the surrounding network may not know to help.
 Traffic spikes very fast; it is hard to react quickly enough.
 Traffic filtering will filter legitimate user traffic as well.
 The network may be the bottleneck, not the victim.
 IP spoofing makes it hard to trace attack traffic back to its source.

Target Resources
A (D)DoS attack overwhelms the resources of the target:
 Network bandwidth
 Computing power (processor, memory)

Recruiting Zombie Machines
The attacker must infect a set of nodes in order to target the victim. Unpatched machines are easily compromised. Once infected, these nodes are known as zombies.

Finding Vulnerable Machines
 Random Scanning: targets machines at random IP addresses.
 Hit-list Scanning: targets nodes from a pre-built hit-list.
 Topological Scanning: the hit-list is generated “on-the-fly” by scanning infected machines for valid URLs.
 Local Subnet Scanning: an infected machine on the same subnet may exploit vulnerabilities of other machines that are normally protected by the firewall.

Spreading the Virus
Central Source Propagation
 A central source holds the code.
 Once a victim is infected, the central source copies the code to it.

Central Source Propagation (diagram; concept referenced from [1]): Attacker, Victim, Next Victim, Central Source. Steps: 1) Infect Victim, 2) Request Code, 3) Transfer Code, 4) Repeat Again.

Spreading the Virus (cont.)
Back-chaining Propagation
 The attacker holds the code.
 Once infected, the new victim requests the code from the attacker.
 Removes the need for a central source.
 Requires the attacker to be able to accept connections and transfer code.

Back-chaining Propagation (diagram; concept referenced from [1]): Attacker, Victim, Next Victim. Steps: 1) Infect Victim, 2) Request Code, 3) Transfer Code, 4) Repeat Again.

Spreading the Virus (cont.)
Autonomous Propagation
 The code is sent at the same time the victim is compromised.
 Avoids both the central source and the file-transfer requirements of the other methods.

Autonomous Propagation (diagram; concept referenced from [1]): Attacker, Victim, Next Victim. Steps: 1) Infect Victim & Transfer Code, 2) Repeat Again.

A Typical DDoS Attack
 The zombies are divided into masters and slaves.
 The attacker signals the masters to start the attack; the masters then signal the slaves.
 The slaves flood the victim.
 IP spoofing is usually used to hide the identity of the slave zombies.

A Typical DDoS Attack (diagram; concept referenced from [1]): Attacker, Master Zombies, Slave Zombies, Victim.

A DRDoS Attack
DRDoS: Distributed Reflector Denial of Service
 Reflectors are uncompromised machines.
 The slave zombies send packets to the reflectors with IP source addresses spoofed as the target.
 The reflectors carry out the flooding rather than the slaves.
 More distributed than a typical DDoS attack.

A DRDoS Attack (diagram; concept referenced from [1]): Attacker, Master Zombies, Slave Zombies, Reflectors, Victim.

Defending Against a DDoS Attack
Two general approaches:
 Prevent the attack: try to stop the attack from happening in the first place.
 React to the attack: detect the attack early, and react appropriately.

Defending Against a DDoS Attack
Techniques to prevent attacks:
 Keep machines up-to-date with patches and antivirus. This is hard to do because the machines are distributed.
 Filter spoofed IP traffic. Source IPs of outbound packets should be from the local network; source IPs of inbound packets should not be from the local network.
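As an added example (not from the original slides), the outbound/inbound source-address rule above written as a small border filter; the 192.0.2.0/24 local prefix and the sample packets are constructed for the illustration:

```python
import ipaddress

# Constructed local prefix for this illustration (assumption, not from the slides).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def is_local(addr):
    """True if the address falls inside one of our own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def spoof_filter(direction, src):
    """Decide 'pass' or 'drop' for one packet crossing the network border.

    Egress rule:  packets leaving ("out") must carry a local source address.
    Ingress rule: packets arriving ("in") must not claim a local source address.
    """
    local = is_local(src)
    if direction == "out" and not local:
        return "drop"   # a local host spoofing a foreign source (zombie traffic)
    if direction == "in" and local:
        return "drop"   # an outside packet pretending to come from our network
    return "pass"


# Constructed sample packets: (direction, source IP).
SAMPLE = [
    ("out", "192.0.2.10"),    # legitimate outbound
    ("out", "203.0.113.5"),   # local zombie spoofing a foreign source
    ("in", "198.51.100.7"),   # legitimate inbound
    ("in", "192.0.2.44"),     # inbound packet claiming a local origin
]


def apply_filter(packets):
    """Return (direction, src, verdict) for every packet."""
    return [(d, s, spoof_filter(d, s)) for d, s in packets]


def drop_counts(packets):
    """Count drops per direction; useful as a quick health metric for the filter."""
    counts = {"in": 0, "out": 0}
    for d, _, verdict in apply_filter(packets):
        if verdict == "drop":
            counts[d] += 1
    return counts
```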

Defending Against a DDoS Attack
Techniques to detect an attack early:
 Signature Detection: compare traffic signatures to known attack signatures. Cannot detect new attacks with new signatures.
 Anomaly Detection: compare traffic behavior with “normal” traffic behavior. What constitutes “normal” traffic has to be kept up to date.
 Hybrid Systems: combine both signature detection and anomaly detection.
Diagram (hybrid system): Anomaly Detection; Signature Database Update.
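An added example, not part of the original slides, of a hybrid detector in which the anomaly detector updates the signature database, as the slide's diagram shows; the window format, the 3-sigma threshold and the flow records are constructed assumptions:

```python
import statistics
from collections import Counter


class HybridDetector:
    """Signature matching plus rate-anomaly detection over traffic windows."""

    def __init__(self, signatures=(), history=5, k=3.0):
        self.signatures = set(signatures)  # known-bad source addresses
        self.baseline = []                 # packet totals of recent normal windows
        self.history, self.k = history, k

    def _anomalous(self, total):
        if len(self.baseline) < 2:
            return False                   # not enough history for a baseline yet
        mean = statistics.mean(self.baseline)
        sd = statistics.pstdev(self.baseline) or 1.0
        return total > mean + self.k * sd  # "normal" is learned from past windows

    def process(self, window):
        """window: list of (src_ip, dst_ip, packets) flow records for one interval."""
        seen = {src for src, _, _ in window}
        alerts = [("signature", s) for s in sorted(seen & self.signatures)]
        total = sum(p for _, _, p in window)
        if self._anomalous(total):
            by_src = Counter()
            for src, _, p in window:
                by_src[src] += p
            top, _ = by_src.most_common(1)[0]
            alerts.append(("anomaly", top))
            self.signatures.add(top)       # anomaly result feeds the signature DB
        else:
            self.baseline = (self.baseline + [total])[-self.history:]
        return alerts


# Constructed flow windows (src, dst, packets): five quiet intervals, a flood, then a trickle.
WINDOWS = [
    [("192.0.2.1", "192.0.2.10", 100), ("198.51.100.7", "192.0.2.10", 10)],
    [("192.0.2.1", "192.0.2.10", 110), ("198.51.100.7", "192.0.2.10", 12)],
    [("192.0.2.1", "192.0.2.10", 105), ("198.51.100.7", "192.0.2.10", 8)],
    [("192.0.2.1", "192.0.2.10", 98), ("198.51.100.7", "192.0.2.10", 11)],
    [("192.0.2.1", "192.0.2.10", 104), ("198.51.100.7", "192.0.2.10", 9)],
    [("192.0.2.1", "192.0.2.10", 102), ("203.0.113.9", "192.0.2.10", 5000)],
    [("192.0.2.1", "192.0.2.10", 101), ("203.0.113.9", "192.0.2.10", 10)],
]


def run_demo():
    """Alerts per window: the flood is caught by anomaly, the later trickle by signature."""
    det = HybridDetector()
    return [det.process(w) for w in WINDOWS]
```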

Honeypots
Attempt to lure the attacker into a “trap”. This trap may be:
 A machine masquerading as a service provider (increasing its chances of being attacked).
 An entire network designed to be targeted.
Honeypots monitor the attacker's actions, and can extract patterns useful in detecting future attacks.

Route Filtering
Blackhole routing
 Routes attack traffic to a “blackhole” (null interface).
 Only useful if attack traffic can be differentiated from legitimate traffic.
Sinkhole routing
 Detect suspicious traffic and redirect it to an analyzer.
 If it is attack traffic, drop it (route it to the null interface); otherwise route it on to its original destination.

Real-time Analysis of Flow Data Flow data can be useful for analyzing the behavior characteristics of traffic. In order for flow data to be useful for detecting attacks, it must be processed fast enough to respond. Munz and Carle [2] propose a system and framework to handle the real-time analysis of this flow data.

Real-time Analysis of Flow Data (diagram; concept referenced from [2]): a simplified diagram of the TOPAS system. IPFIX/NetFlow data enters a Receiver and a Ring Buffer, which feed Detection Algorithms 1, 2 and 3 (each in its own Container); each algorithm can raise an Alert.

Path Identification IP spoofing is commonly used to mask the source of an attack. Use a “Path Identifier” (Pi) to discover an approximate source of attack packets [3]. These packets can then be classified as malicious (based on their path identifier) and filtered accordingly.

Issues with Path Identification
 16 bits are used to store path information. This is not very large and may be insufficient for long paths!
 Packets from the same attacker are not guaranteed to follow the same path.
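An added simulation (not from the slides or the Pi paper) of the 16-bit marking field: each router shifts the field and inserts a small mark, so only the last few hops survive in the identifier, and a second route from the same attacker yields a different identifier; the per-router mark, the 2-bit contribution per router and the topology are constructed simplifications:

```python
PI_BITS = 16                 # size of the marking field, as on the slide
N = 2                        # bits each router contributes (assumed; Pi uses a small n)
MASK = (1 << PI_BITS) - 1


def router_mark(ip):
    """Simplified per-router mark: low N bits of the address's octet sum.
    (The real Pi scheme derives the bits from a hash of the router address.)"""
    return sum(int(o) for o in ip.split(".")) & ((1 << N) - 1)


def pi_mark(path):
    """Simulate marking along a path: every router shifts the field left by N bits
    and inserts its own mark, so only the last PI_BITS // N hops survive."""
    field = 0
    for router in path:
        field = ((field << N) | router_mark(router)) & MASK
    return field


class PiFilter:
    """Victim-side filter: drop packets whose path identifier was seen in an attack."""

    def __init__(self):
        self.blocked = set()

    def learn(self, pi):
        self.blocked.add(pi)

    def classify(self, pi):
        return "drop" if pi in self.blocked else "pass"


# Constructed topology: attacker -> 10 routers -> victim (two hops more than the field holds).
ATTACK_PATH = ["10.0.0.%d" % k for k in range(1, 11)]
# Same attacker, but a different route to the victim.
ALT_PATH = ["10.0.1.%d" % k for k in range(1, 9)]
# A legitimate client whose traffic joins the attack path at its third router.
LEGIT_PATH = ["10.0.2.5"] + ATTACK_PATH[2:]


def demo():
    f = PiFilter()
    f.learn(pi_mark(ATTACK_PATH))          # victim marks the attack's identifier
    return {
        "hops_retained": PI_BITS // N,
        "attack": f.classify(pi_mark(ATTACK_PATH)),
        "attack_other_route": f.classify(pi_mark(ALT_PATH)),   # slips through
        "legit_sharing_tail": f.classify(pi_mark(LEGIT_PATH)), # collateral drop
    }
```

The legitimate client is dropped because the first two hops of the attack path were shifted out of the field, so its identifier is indistinguishable from the attacker's.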

Network Overlays
To prevent malicious traffic, only allow the target to communicate with confirmed users [4]. The target must give permission to each such “user”. All traffic in the region around the target that is not confirmed is filtered. Confirmed traffic originates from a list of pre-defined friendly nodes; the identity of these nodes is protected by using a network overlay.

The SOS System (diagram; concept referenced from [4]): a simplified diagram of the SOS system, showing the Target inside a Filtered Region, the Overlay Network with its Overlay Nodes, and the “Secret Servlets”.

Issues with the SOS system
 Expensive to implement: an entire overlay must be created to protect a node.
 Overlay routers must implement a filtering protocol.

Future Work
IP is not a security-oriented protocol. Designing Internet protocols with security in mind will help mitigate DDoS attacks. Most current work simply focuses on the target or the network around the target. It is also useful to utilize the entire network from attacker to target to help mitigate DDoS attacks (the Pi system touched on this concept).

References
[1] Charalampos Patrikakis, Michalis Masikos, and Olga Zouraraki. Denial of service attacks. Internet Protocol Journal, 7(4):13–25, December 2004.
[2] Gerhard Munz and Georg Carle. Real-time analysis of flow data for network attack detection. 10th IFIP/IEEE International Symposium on Integrated Network Management, pages 100–108, May.
[3] Abraham Yaar, Adrian Perrig, and Dawn Song. Pi: A path identification mechanism to defend against DDoS attacks. In Proceedings of the 2003 IEEE Symposium on Security and Privacy, pages 93–107, Washington, DC, USA, May 2003. IEEE Computer Society.
[4] Angelos D. Keromytis, Vishal Misra, and Dan Rubenstein. SOS: Secure overlay services. In SIGCOMM, Pittsburgh, PA, August 2002. ACM.