An Overview
Zhang Fu

Outline
- What is DDoS?
- How can it be done?
- Different types of DDoS attacks
- Reactive vs. proactive defence
- Some noticeable solutions
- Crux issues
- Discussion: the "battle" is going on

DDoS Attacks
A Denial of Service (DoS) attack is an attempt by an attacker to prevent the legitimate users of a service from using that service. When the attack is launched from many compromised machines at once, it is a Distributed Denial of Service (DDoS) attack.
Basic types of DDoS attacks:
- Exploiting a protocol or application flaw so that a modest amount of crafted traffic confuses or exhausts the target; also called a semantic attack. Examples: TCP SYN flooding (half-open connections exhaust the server's connection table), Teardrop (overlapping IP fragments that crash a vulnerable IP stack).
- Flooding the victim with packets to deplete a key resource such as bandwidth; also called a brute-force attack. Examples: DNS request flooding, Smurf (ICMP echo requests sent to a broadcast address with the victim's address as spoofed source, so every host on that subnet replies to the victim).

DDoS Attacks (cont.)
What makes DDoS possible?
- The end-to-end paradigm: the intermediate network provides only best-effort packet delivery and keeps no per-flow state.
- Different networks do not cooperate effectively.
- The victim's security depends on the rest of the network.
- End hosts cannot control the bandwidth allocation or queuing mechanisms of the network.
- Control is distributed: no single party is in a position to stop the attack.

Steps of launching DDoS attacks
1. Recruiting and exploiting: find vulnerable hosts and compromise them.
2. Propagation: install the attack code on the compromised hosts and use them to recruit further hosts.
3. Launching the attack: on the attacker's order, the compromised hosts (zombies) send attack traffic to the victim.

Victim Types
Application
- Targets one application on the host. If the resource is not completely consumed, other applications remain available.
- The attack traffic volume is usually small and the packets look normal, e.g. a signature attack: bogus requests that each force an authentication server to perform expensive signature operations.
Host
- Overwhelms the host's communication mechanism, or makes the host crash or reboot.
- The attack traffic is usually large; the host cannot solve the problem alone.
Resource
- Attacks a critical entity in the victim's network, such as its DNS server, or congests a critical link of the network.
- The attack traffic is large and easy to detect, but defending against it requires cooperation from other networks.

Victim Types (cont.)
Infrastructure
- Aims to disable a critical service of the whole Internet, such as the root DNS servers, a core network or a certificate server.
- The attack can aggregate a huge volume of traffic within a very short time.
- Cooperation across networks is needed to defend against it.

Impact of the attack
Disruptive: completely disables the victim's service.
- Some victims recover automatically once the attack stops, some need human intervention, and some do not recover at all.
Degrading: consumes a portion of the victim's resources.
- Whether it succeeds depends on the service; QoS requirements play an important role.
- Not easy to detect, since the service is still up.
- The victim faces a trade-off between the cost of deploying a defence mechanism and the market lost to the degradation.

Summary of DDoS attacks
- What is a DoS / DDoS attack?
- Why can DDoS attacks be launched successfully?
- DDoS attacks target both the application layer and the network layer.
- Some DDoS attacks aim to completely deplete the victim's resources, while others aim to degrade the quality of the victim's service.

Challenges for defence mechanisms
- DDoS is a distributed problem and needs a distributed solution, yet assuming global deployment is a very strong assumption.
- Some attacks can hardly be defined precisely: many factors are involved, such as the number of compromised machines, the attack rate, the attack duration and the impact of the attack.
- There is no universal benchmark.
- There are no test platforms for large-scale networks.

Principles for countermeasures
Security
- The attacker should be unable to break the secrets used by the system, or to find a semantic flaw with which to attack the defence system itself.
Accuracy
- The system should filter out as much malicious traffic as possible while affecting legitimate traffic as little as possible (few false negatives, few false positives).
Efficiency
- Keep the overhead within an acceptable threshold.
Safe failure
- When the system fails, the situation must be no worse than before it was deployed.

Which way to go? Proactive vs. Reactive
Proactive solutions aim to prevent DDoS attacks from the outset, or to keep the victim's service available while an attack is in progress.
- How to prevent DDoS attacks? Secure the hosts so they cannot be recruited; build DDoS-resilient protocols. We need both the police and the doctor!
- How to make a system tolerate DDoS attacks? Resource accounting; provisioning more resources.
- Examples of proactive solutions: puzzle-based solutions, network capabilities, secure overlays.

Proactive vs. Reactive (cont.)
Reactive solutions aim to mitigate DDoS attacks once the victim is under attack, or once an attack has been detected.
- They need a detection mechanism, but impose less overhead in the normal situation.
- The problem is how to identify DDoS attacks, and what the proper response is for each kind of attack.
- Detection can use models of known attacks, or definitions of abnormal behaviour; the latter must be handled carefully because of false positives.
- Responses: block identified zombies, or rate-limit / filter their traffic.

Network Layer Defence: Network Capability
1. Choose a path from the source to the destination.
2. Capability establishment: the source sends a request along the path and, if the destination agrees, receives a capability.
3. The source sends its packets carrying the capability; routers on the path verify it and drop packets without a valid one.
4. Capability refreshing: capabilities expire and must be renewed periodically.
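The four steps above, as an added toy simulation written for this page; it is not code from the talk nor from any deployed capability scheme such as SIFF or TVA. The per-router secrets, the epoch counter, the 8-byte mark size, the one-epoch grace window and the destination's admission policy are all assumptions made here.

```python
import hmac
import hashlib

# Added example: a toy model of the four capability steps on the slide.
# It is not code from the talk nor from any deployed capability scheme
# (SIFF, TVA); the router secrets, the epoch counter, the 8-byte mark
# size and the one-epoch grace window are assumptions made here.

MARK_LEN = 8  # bytes of HMAC output kept per router (assumed)


class Router:
    """A router on the path. It keeps no per-flow state: its capability is
    an HMAC over (src, dst, epoch) under its own secret, so it can re-derive
    and check the mark on every later data packet."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret

    def mark(self, src, dst, epoch):
        msg = f"{src}|{dst}|{epoch}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:MARK_LEN]

    def verify(self, pkt, epoch):
        # Accept the current epoch or the previous one, so a sender that is
        # refreshing its capability is not cut off at the epoch boundary.
        cap = pkt["caps"].get(self.name, b"")
        return any(hmac.compare_digest(self.mark(pkt["src"], pkt["dst"], e), cap)
                   for e in (epoch, epoch - 1))


def request_capability(path, src, dst, epoch, dst_policy):
    """Step 2: the request travels along the chosen path (step 1), each router
    appends its pre-capability, and the destination decides whether to grant
    the bundle. Returns the bundle, or None if the destination refuses.
    (Rate-limiting of the request channel itself is not modelled.)"""
    caps = {r.name: r.mark(src, dst, epoch) for r in path}
    return caps if dst_policy(src) else None


def forward(path, pkt, epoch):
    """Step 3: a data packet carries the bundle; the first router whose
    check fails drops it. Returns (delivered, name_of_dropping_router)."""
    for r in path:
        if not r.verify(pkt, epoch):
            return False, r.name
    return True, None


def allow_all_but_one(src):
    """The destination's admission policy (assumed): refuse one known-bad source."""
    return src != "10.0.0.66"


def demo():
    path = [Router("R1", b"r1-secret"), Router("R2", b"r2-secret"),
            Router("R3", b"r3-secret")]
    src, dst = "10.0.0.5", "192.0.2.10"
    caps = request_capability(path, src, dst, 100, allow_all_but_one)
    good = {"src": src, "dst": dst, "caps": caps}
    forged = {"src": src, "dst": dst,
              "caps": {r.name: b"\x00" * MARK_LEN for r in path}}
    stolen = {"src": "10.0.0.99", "dst": dst, "caps": caps}  # replayed by another host
    return {
        "legit_same_epoch": forward(path, good, 100),
        "legit_next_epoch": forward(path, good, 101),   # inside the grace window
        "legit_stale": forward(path, good, 102),        # step 4: must refresh first
        "forged_caps": forward(path, forged, 100),
        "stolen_caps": forward(path, stolen, 100),      # bound to src, so rejected
        "denied_by_dst": request_capability(path, "10.0.0.66", dst, 100,
                                            allow_all_but_one),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} {result}")
```

The "stolen_caps" case shows why the slide lists IP spoofing as a crux issue: the capability is bound to the source address, so a host that merely copies it is dropped at the first router, but a host that also spoofs the original source address would pass, which is why real schemes bind the capability to the path and rate-limit the unprotected request channel.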

Packet Marking (Traceback)
- Routers along the path mark the packets they forward.
- When a DDoS attack occurs, the victim uses the marks to identify the attacking sources, or at least the routers nearest to them.
- The victim can then send a control command to the router near the sources to limit the malicious traffic.
- What are the advantages and disadvantages?
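An added simulation of one concrete marking scheme, probabilistic packet marking with edge sampling as proposed by Savage et al.; this is illustration code written for this page, not the talk's own material. It assumes a single attack path of five routers, a marking probability of 0.2 and a few thousand packets, all of which are choices made here.

```python
import random
from collections import defaultdict

# Added example: a simulation of probabilistic packet marking with edge
# sampling (the Savage et al. scheme), not code from the talk. The single
# attack path, the marking probability and the packet count are assumptions.

P_MARK = 0.2   # probability that a router overwrites the mark (assumed)


def route(path, rng, p=P_MARK):
    """Forward one packet along `path` (attacker's first hop first, the
    router next to the victim last). Each router either starts a fresh edge
    with probability p, or completes the edge begun by its predecessor and
    counts one more hop. Returns the (start, end, distance) mark fields."""
    start, end, dist = None, None, 0
    for router in path:
        if rng.random() < p:
            start, end, dist = router, None, 0
        else:
            if dist == 0:
                end = router
            dist += 1
    return start, end, dist


def collect_edges(path, n_packets, rng):
    """Victim side: keep the marked packets, counting how often each edge appears."""
    edges = defaultdict(int)
    for _ in range(n_packets):
        start, end, dist = route(path, rng)
        if start is not None:          # unmarked packets carry nothing useful
            edges[(start, end, dist)] += 1
    return dict(edges)


def reconstruct(edges, victim="victim"):
    """Rebuild the path outward from the victim. An edge with distance d was
    completed by the router d hops from the victim (d == 0: the marking
    router is the victim's neighbour). Edges that do not connect to what has
    already been rebuilt are ignored."""
    hop = {0: victim}
    for start, end, dist in sorted(edges, key=lambda e: e[2]):
        if dist == 0:
            hop[1] = start
        elif hop.get(dist) == end:
            hop[dist + 1] = start
    return [hop[i] for i in range(1, len(hop))]


def demo(seed=7, n_packets=2000):
    path = ["R1", "R2", "R3", "R4", "R5"]      # R5 is the victim's neighbour
    edges = collect_edges(path, n_packets, random.Random(seed))
    return reconstruct(edges), edges


if __name__ == "__main__":
    rebuilt, edges = demo()
    for edge, count in sorted(edges.items(), key=lambda kv: kv[0][2]):
        print(edge, count)
    print("path from victim outward:", rebuilt)
```

Two of the slide's "disadvantages" are visible in the output: the edge nearest the victim shows up in about 20% of packets while the edge nearest the attacker survives only when no later router overwrites it (about 0.2 × 0.8^4 ≈ 8%), so the victim needs many packets before the far end of the path is known; and because the attacker controls the initial contents of the mark fields, a fake edge can be planted beyond the first real router, which the reconstruction here cannot distinguish from a real one.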

SOS: Secure Overlay Service

Application Layer Defence
How can network-based applications defend themselves?
Solutions inspired by frequency hopping:
- ACK-based port hopping (Badishi et al. 2005)
- Port hopping with bounded clock offset (Lee and Ting 2004)
- Hopping authentication code (Srivatsa et al. 2006)
- Port hopping in the presence of clock drifts (Zhang et al. 2008)
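The time-based variant of port hopping with a bounded clock offset, as an added example written for this page rather than code from the talk or from the papers it cites. Client and server share a key and a slot length; the server's current port is a pseudo-random function of the slot number, and it tolerates a bounded offset between the two clocks by also listening on the ports of neighbouring slots. The port range, slot length and key are assumptions; the ACK-based variant, which hops on acknowledgements instead of time, is not modelled.

```python
import hmac
import hashlib
import math

# Added example (not code from the talk or from the papers it cites): a
# minimal time-based port-hopping scheme. Client and server share a key and
# a slot length; the server's open port is a pseudo-random function of the
# current slot, and it tolerates a bounded clock offset by also listening on
# the ports of neighbouring slots. Range, slot length and key are assumptions.

PORT_LO, PORT_HI = 10000, 60000   # hopping range (assumed)
SLOT_SECONDS = 10                 # how long one port stays current (assumed)


def port_for_slot(key: bytes, slot: int) -> int:
    """PRF(key, slot) mapped into the hopping range. Without the key an
    attacker cannot predict which port is open in a given slot."""
    mac = hmac.new(key, slot.to_bytes(8, "big", signed=True), hashlib.sha256).digest()
    return PORT_LO + int.from_bytes(mac[:4], "big") % (PORT_HI - PORT_LO)


def slot_at(t: float) -> int:
    return int(t // SLOT_SECONDS)


def server_open_ports(key: bytes, server_time: float, max_offset: float) -> dict:
    """Ports the server keeps open at `server_time`, mapped to their slot.
    If the client's clock is off by at most max_offset seconds, its slot can
    differ from the server's by at most ceil(max_offset / SLOT_SECONDS)."""
    k = math.ceil(max_offset / SLOT_SECONDS)
    base = slot_at(server_time)
    return {port_for_slot(key, s): s for s in range(base - k, base + k + 1)}


def client_port(key: bytes, client_time: float) -> int:
    """The port a client sends to, computed from its own (possibly drifted) clock."""
    return port_for_slot(key, slot_at(client_time))


def server_accepts(key, server_time, client_time, max_offset):
    """Return the slot the server matched the client's packet to, or None if
    the packet arrived on a closed port (dropped like any other noise)."""
    return server_open_ports(key, server_time, max_offset).get(client_port(key, client_time))


if __name__ == "__main__":
    key = b"shared-secret"          # assumed; exchanged out of band
    for offset in (0, 4, 22, 100):
        print(f"client +{offset:3d}s -> slot", server_accepts(key, 1000.0, 1000.0 + offset, 25))
```

The trade-off the slide's "clock drifts" item refers to is visible in `server_open_ports`: the larger the tolerated offset, the more ports are simultaneously open, and the larger the fraction of the range a blind flooder hits by chance; if drift is unbounded the window has to grow without limit, which is what the drift-aware schemes address by resynchronising instead.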

Crux Issues
- IP spoofing.
- Dependency on the network topology.
- Refreshing secrets.
- Feedback mechanisms.
- Space efficiency.
We can hardly solve the DDoS problem completely. The ideal solution could be very complicated; we might need an integrated solution, but it is unclear what the optimal integration is.

Summary
- What DDoS is
- Why it is possible
- What the main categories of defence mechanisms are
- We want secure, robust, efficient solutions for the problem.

The End. Thank you.