
Distributed Denial of Service (DDoS) Attacks


1 Distributed Denial of Service (DDoS) Attacks
Goal: prevent a network site from doing its normal business
Method: overwhelm the site with attack traffic
Response: ?

2 The Problem

3 Characterizing the Problem
An attacker compromises many hosts
  Usually spread across the Internet
He orders them to send garbage traffic to a target site
The combined packet flow overwhelms the target
  Perhaps the target's machine
  Perhaps the target's network link
  Perhaps the target's ISP's network link

4 Why Are These Attacks Made?
Generally to annoy
Sometimes for extortion
If directed at infrastructure, might cripple parts of the Internet
  So who wants to do that . . .?

5 Attack Methods
Pure flooding
  Of the target's network connection
  Or of an upstream network
Overwhelm some other resource
  SYN flood (fills the half-open connection table)
  CPU resources
  Memory resources
  Application-level resources
Direct or reflection (attack traffic bounced off third parties that answer spoofed requests)

6 Why "Distributed"?
Targets are often highly provisioned servers
A single machine usually cannot overwhelm such a server
So harness multiple machines to do so
Also makes defenses harder

7 DDoS Attack on DNS Root Servers
Concerted ping flood attack on all 13 of the DNS root servers in October 2002
Successfully halted operations on 9 of them
Lasted for about 1 hour
Turned itself off; it was not defeated
Did not cause major impact on the Internet
  DNS uses caching aggressively
Another (less effective) attack in February 2007

8 DDoS Attack on Estonia
Occurred April-May 2007
Estonia relocated a Soviet-era war memorial (the Bronze Soldier), angering many Russians
Then somebody launched large DDoS attacks on Estonian government, bank and media sites
Disrupted much of Estonia's online services for about 3 weeks
More recently (April 2008), DDoS attacks on Radio Free Europe sites in Belarus

9 How to Defend?
A vital characteristic: don't just stop a flood
ENSURE SERVICE TO LEGITIMATE CLIENTS!!!
If what gets through is merely a manageable amount of garbage, you haven't solved the problem

10 Complicating Factors
High availability of compromised machines
  At least tens of thousands of zombie machines out there
The Internet is designed to deliver traffic
  Regardless of its value
IP spoofing allows easy hiding
Distributed nature makes legal approaches hard
Attacker can choose all aspects of his attack packets
  They can be a lot like good ones

11 Basic Defense Approaches
Overprovisioning
Dynamic increases in provisioning
Hiding
Tracking attackers
Legal approaches
Reducing the volume of attack traffic

12 Overprovisioning
Be able to handle more traffic than the attacker can generate
Works well for Microsoft and Google
Not a suitable solution for Mom and Pop Internet stores
Can sometimes dynamically increase provisioning
Some attackers are highly provisioned

13 Hiding
Don't let most people know where your server is
  If they can't find it, they can't overwhelm it
Possible to direct your traffic through other sites first
  Can they be overwhelmed . . .?
Not feasible for sites that serve everyone

14 Tracking Attackers
Almost trivial without IP spoofing
With IP spoofing, more challenging
Big issue: once you've found them, now what?
  Not clear tracking actually does much good
  Not usually feasible for law enforcement to use this information effectively
  Law enforcement approaches are slow

15 Reducing the Volume of Traffic
Addresses the core problem: too much traffic coming in, so get rid of some of it
Vital to separate the sheep from the goats
  Unless you have good discrimination techniques, not much help
Most DDoS defense proposals are variants of this

16 Approaches to Reducing the Volume
Give preference to your "friends"
Require "proof of work" from submitters
Detect the difference between good and bad traffic
  Drop the bad
  Easier said than done
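The "proof of work" item above is usually implemented as a client puzzle: the server hands out a challenge and only serves requests that carry a nonce solving it, so each request costs the sender far more CPU than it costs the server to check. The block below is an added example written for these notes, not code from the slides. It assumes a SHA-256 puzzle with a configurable number of leading zero bits, a server-side HMAC secret so the server keeps no per-client state, and a coarse time window to bound replay; the secret, the client address and the window values are constructed for the demo.

```python
"""Hash-based client puzzle ("proof of work") for admission control.

Added example, not from the slides. A server under load hands each client
a challenge and only serves requests that carry a nonce solving it. The
challenge is an HMAC over the client's address and a coarse time window,
so the server stores nothing per client (assumption: the source address is
trustworthy, e.g. the puzzle rides on an established TCP connection).
Solving costs about 2**difficulty hashes on average; verifying costs one.
"""
import hashlib
import hmac
import time
from itertools import count
from typing import Optional

SERVER_SECRET = b"constructed-demo-secret-rotate-in-practice"  # constructed
NONCE_BYTES = 8
WINDOW_SECONDS = 60


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest (how 'hard' a hash is)."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
        else:
            bits += 8 - byte.bit_length()
            break
    return bits


def current_window(now: Optional[float] = None) -> int:
    """Coarse time bucket; the puzzle is bound to it to limit replay."""
    return int((time.time() if now is None else now) // WINDOW_SECONDS)


def issue_challenge(client_addr: str, window: int,
                    secret: bytes = SERVER_SECRET) -> bytes:
    """Server: derive a per-client, per-window challenge without storing it."""
    msg = f"{client_addr}|{window}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


def puzzle_hash(challenge: bytes, nonce: int) -> bytes:
    return hashlib.sha256(challenge + nonce.to_bytes(NONCE_BYTES, "big")).digest()


def solve(challenge: bytes, difficulty: int) -> int:
    """Client: brute-force a nonce until the hash has enough leading zeros."""
    for nonce in count():
        if leading_zero_bits(puzzle_hash(challenge, nonce)) >= difficulty:
            return nonce


def verify(client_addr: str, window: int, nonce: int, difficulty: int,
           now_window: int, secret: bytes = SERVER_SECRET) -> bool:
    """Server: recompute the challenge and check the nonce with one hash.

    Only the current and the previous window are accepted, so a solved
    nonce cannot be replayed indefinitely; the nonce must also fit the
    fixed width the client used, or the hash input would not match.
    """
    if not now_window - 1 <= window <= now_window:
        return False
    if not 0 <= nonce < 2 ** (8 * NONCE_BYTES):
        return False
    challenge = issue_challenge(client_addr, window, secret)
    return leading_zero_bits(puzzle_hash(challenge, nonce)) >= difficulty


if __name__ == "__main__":
    addr, window, difficulty = "203.0.113.7", current_window(), 16  # constructed client
    nonce = solve(issue_challenge(addr, window), difficulty)
    print("nonce", nonce, "accepted:", verify(addr, window, nonce, difficulty, window))
```

The difficulty is the knob a server turns up as load rises: each extra bit doubles the client's expected work while the server's check stays one HMAC and one SHA-256. Note the caveat that the slides' next items hint at: puzzles make a flood more expensive per request, but a botnet with thousands of idle CPUs can still pay the price, so this only raises the bar rather than discriminating good traffic from bad.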

17 Some Sample Defenses
D-WARD
DefCOM
SOS

18 D-WARD
Core idea is to leverage a difference between DDoS traffic and good traffic
  Good traffic responds to congestion by backing off
  DDoS traffic responds to congestion by piling on
Look for the sources that are piling on, not backing off

19 The D-WARD Approach
Deploy D-WARD defense boxes at the exit points of networks
Use ingress filtering here to stop most spoofing (source addresses must belong to the local network)
Observe two-way traffic to different destinations
Throttle "poorly behaved" traffic
  If it continues to behave badly, throttle it more
  If it behaves well under throttling, back off and give it more bandwidth
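The two slides above describe a control loop rather than a single check: classify each outgoing flow by how much comes back for what it sends, rate-limit the ones that look like a flood, tighten the limit while they keep pushing and loosen it once they comply. The simulation below is an added example written for these notes, not the D-WARD authors' code; it keeps only the shape of that loop. The local prefix, the reply-ratio threshold, the multiplicative decrease and increase factors and the traffic mix (one legitimate client, one zombie that is later cleaned up, one spoofed source) are all constructed for the demo.

```python
"""Source-end DDoS throttle in the spirit of D-WARD (simplified).

Added example, not the D-WARD authors' code. A monitor at the network's exit
keeps per-destination counts of packets sent out and reply packets seen
coming back. A flow that sends a lot and gets almost nothing back is
classified as misbehaving and rate-limited; if it keeps pushing above its
limit the limit halves each interval; if it stays compliant the limit grows
and is eventually removed. Packets whose source is not in the local prefix
are dropped outright (the spoof filter). Prefix, thresholds and traffic
are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LOCAL_PREFIX = ipaddress.ip_network("192.0.2.0/24")  # constructed
REPLY_RATIO_THRESHOLD = 0.2   # under 1 reply per 5 packets out is suspicious
MIN_SUSPECT_PKTS = 20         # ignore tiny flows
INITIAL_LIMIT_FRACTION = 0.5  # first throttle: half the observed rate
LIMIT_DECREASE = 0.5          # multiplicative decrease while non-compliant
LIMIT_INCREASE = 1.5          # recovery factor while compliant


@dataclass
class FlowStats:
    out_pkts: int = 0              # packets the flow tried to send this interval
    in_pkts: int = 0               # replies seen for it this interval
    forwarded: int = 0             # packets actually passed this interval
    limit: Optional[int] = None    # None means no rate limit


class SourceEndThrottle:
    def __init__(self) -> None:
        self.flows: Dict[str, FlowStats] = {}
        self.spoofed_dropped = 0

    def outbound(self, src: str, dst: str) -> bool:
        """Per outgoing packet: True if forwarded, False if dropped."""
        if ipaddress.ip_address(src) not in LOCAL_PREFIX:
            self.spoofed_dropped += 1          # spoof filter at the exit
            return False
        flow = self.flows.setdefault(dst, FlowStats())
        flow.out_pkts += 1
        if flow.limit is not None and flow.forwarded >= flow.limit:
            return False                       # over this interval's rate limit
        flow.forwarded += 1
        return True

    def inbound(self, src: str) -> None:
        """Per incoming packet from an external host (a reply to our traffic)."""
        self.flows.setdefault(src, FlowStats()).in_pkts += 1

    def end_interval(self) -> Dict[str, Optional[int]]:
        """Re-classify every flow, adjust its limit and reset the counters."""
        for flow in self.flows.values():
            ratio = flow.in_pkts / flow.out_pkts if flow.out_pkts else 1.0
            misbehaving = (flow.out_pkts >= MIN_SUSPECT_PKTS
                           and ratio < REPLY_RATIO_THRESHOLD)
            if misbehaving and flow.limit is None:
                flow.limit = max(1, int(flow.out_pkts * INITIAL_LIMIT_FRACTION))
            elif misbehaving and flow.out_pkts > flow.limit:
                flow.limit = max(1, int(flow.limit * LIMIT_DECREASE))  # piling on
            elif not misbehaving and flow.limit is not None:
                flow.limit = int(flow.limit * LIMIT_INCREASE)          # backing off
                if flow.limit > 4 * max(flow.out_pkts, 1):
                    flow.limit = None                                  # fully recovered
            flow.out_pkts = flow.in_pkts = flow.forwarded = 0
        return {dst: f.limit for dst, f in self.flows.items()}


def simulate(intervals: int = 6) -> Tuple[List[Dict[str, Optional[int]]], int]:
    """Constructed traffic: a zombie at 192.0.2.66 floods 203.0.113.9 for three
    intervals, is then cleaned up and behaves; a legitimate client at
    192.0.2.10 talks to 198.51.100.5; 10.9.9.9 tries to send with a spoofed
    source. Returns the per-interval limits and the spoofed-packet drop count."""
    t = SourceEndThrottle()
    history = []
    for i in range(intervals):
        for _ in range(100):                   # TCP-like: each packet gets a reply
            if t.outbound("192.0.2.10", "198.51.100.5"):
                t.inbound("198.51.100.5")
        if i < 3:
            for _ in range(1000):              # garbage flood, no replies, ignores drops
                t.outbound("192.0.2.66", "203.0.113.9")
        else:
            for _ in range(50):                # same host after cleanup: normal traffic
                if t.outbound("192.0.2.66", "203.0.113.9"):
                    t.inbound("203.0.113.9")
        for _ in range(10):
            t.outbound("10.9.9.9", "203.0.113.9")
        history.append(t.end_interval())
    return history, t.spoofed_dropped
```

Running simulate() shows the limit on the flooded destination going 500, 250, 125 while the zombie keeps pushing, then climbing back (187) and disappearing once the host behaves, while the legitimate client's flow is never limited. The reply-ratio heuristic is the weak point a practitioner should notice: a flood aimed at a destination that happens to answer (an amplification-style exchange, or a busy legitimate server that briefly stops replying) can be misclassified in either direction, which is why the real system keeps separate models per transport protocol.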

20 D-WARD in Action
(figure: requests, replies and attack traffic passing through D-WARD boxes at the source networks' exits)

21 A Sample of D-WARD's Effectiveness

22 The Problem With D-WARD
D-WARD defends other people's networks from your network's DDoS attacks
It doesn't defend your network from other people's DDoS attacks
So why would anyone deploy it?
No one did, even though, if fully deployed, it could stop DDoS attacks

23 DefCOM
Different network locations are better for different elements
  Near the source is good for characterizing traffic
  Core nodes can filter effectively with small deployments
  Near the target it's easier to detect and characterize an attack
DefCOM combines defense in all locations

24 DefCOM in Action
Classifiers can assure priority for good traffic
DefCOM instructs core nodes to apply rate limits
Core nodes use information from classifiers to prioritize traffic
(figure labels: classifier, core, alert generator)

25 Benefits of DefCOM
Provides effective DDoS defense
  Without ubiquitous deployment
Able to handle higher volume attacks than target-end defenses
Offers deployment incentives for those who need to deploy things

26 DefCOM Performance

27 SOS
A hiding approach
Don't let the attackers send packets to the possible target
Use an overlay network to deliver traffic to the destination
Filter out bad stuff in the overlay
  Which can be highly provisioned

28 How SOS Defends
Clients are authenticated at the overlay entrance
A few source addresses are allowed to reach the protected node
  All other traffic is filtered out
Several overlay nodes designated as "approved"
  Nobody else can route traffic to the protected node
Good traffic tunneled to "approved" nodes
  They forward it to the server
Most suited for "private" services

29 SOS Advantages and Limitations
Ensures communication of "confirmed" users with the victim
Resilient to overlay node failure
Resilient to DoS against the overlay nodes
Problematic for public services
  Clients must be aware of and use the overlay to access the victim
Traffic routed through a suboptimal path
Still allows brute-force attacks on the links entering the filtering router in front of the target
  If the attacker can find it
  Basically dependent on a secret
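Slides 27 to 29 describe SOS as three cooperating pieces: entrance points that authenticate clients, a handful of "approved" overlay nodes whose addresses are kept secret, and a filtering router in front of the target that accepts packets only from those nodes. The toy model below is an added example written for these notes, not the SOS authors' code, and it exists mainly to make the last slide's limitation concrete: once an attacker learns an approved node's address, a spoofed packet sails through the filter. Client authentication is modelled as a per-client HMAC token (an assumption; SOS itself uses IPsec), and every address, key and client name is constructed for the demo.

```python
"""Toy model of the SOS (Secure Overlay Services) architecture.

Added example, not the SOS authors' code. Three roles:
  - entrance points (SOAPs) authenticate clients before admitting traffic,
  - secret servlets are the only overlay nodes the target's filter lets through,
  - a filtering router in front of the target drops every packet whose
    source is not a secret servlet.
Client authentication is a per-client HMAC token here (assumption; SOS uses
IPsec). Addresses, keys and the client list are constructed for the demo.
"""
import hashlib
import hmac
from typing import Dict, List

OVERLAY_KEY = b"constructed-overlay-key"                 # shared by overlay nodes
TARGET = "192.0.2.80"
ENTRANCE_POINTS = {"203.0.113.1", "203.0.113.2"}         # public, well known
SECRET_SERVLETS = ["198.51.100.11", "198.51.100.12"]     # known only inside the overlay


def client_token(client_id: str, key: bytes = OVERLAY_KEY) -> str:
    """Token a client is given when it is provisioned (out of band)."""
    return hmac.new(key, client_id.encode(), hashlib.sha256).hexdigest()


class FilteringRouter:
    """Sits in front of the target; allow-lists the secret servlets by source address."""

    def __init__(self, allowed: List[str]) -> None:
        self.allowed = set(allowed)
        self.delivered: List[str] = []
        self.dropped = 0

    def deliver(self, src: str, dst: str, payload: str) -> bool:
        if dst == TARGET and src not in self.allowed:
            self.dropped += 1
            return False
        self.delivered.append(payload)
        return True


class Overlay:
    def __init__(self, router: FilteringRouter) -> None:
        self.router = router

    @staticmethod
    def pick_servlet(client_id: str) -> str:
        """Deterministic spread of clients over the servlets (hash of the id)."""
        h = int(hashlib.sha256(client_id.encode()).hexdigest(), 16)
        return SECRET_SERVLETS[h % len(SECRET_SERVLETS)]

    def entrance(self, soap: str, client_id: str, token: str, payload: str) -> bool:
        """Client hands its request to an entrance point together with its token."""
        if soap not in ENTRANCE_POINTS:
            return False
        if not hmac.compare_digest(token, client_token(client_id)):
            return False                        # unauthenticated: never reaches the target
        servlet = self.pick_servlet(client_id)  # tunnel through the overlay to a servlet
        return self.router.deliver(servlet, TARGET, payload)  # servlet forwards to target


def demo() -> Dict[str, bool]:
    router = FilteringRouter(SECRET_SERVLETS)
    overlay = Overlay(router)
    return {
        # provisioned client with a valid token: admitted and delivered
        "legit": overlay.entrance("203.0.113.1", "alice", client_token("alice"), "GET /"),
        # attacker guessing a token: stopped at the entrance
        "bad_token": overlay.entrance("203.0.113.1", "alice", "0" * 64, "GET /"),
        # attacker flooding the target directly: stopped by the filtering router
        "direct": router.deliver("10.0.0.5", TARGET, "garbage"),
        # attacker who learned a servlet address and spoofs it: gets through.
        # This is the limitation on slide 29: the scheme depends on the
        # servlet addresses staying secret (or on anti-spoofing upstream).
        "spoofed_servlet": router.deliver("198.51.100.11", TARGET, "garbage"),
    }
```

The router's check is a pure source-address allow-list, which is exactly why the last outcome succeeds: nothing in the filter authenticates the servlet, so secrecy of the servlet set is doing all the work. Hardening that in practice means either spoof filtering between the servlets and the target or a cryptographic channel (SOS proposes IPsec tunnels) so that a forged source address is not enough.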

