Download presentation
Presentation is loading. Please wait.
1
Major Challenges of DDoS Attacks Advanced Network Security Peter Reiher August, 2014
2
Outline Why is DDoS hard to handle?
Important characteristics of good DDoS defenses
3
Why Is DDoS Hard to Handle?
A simple form of attack Designed to prey on the Internet’s strengths Easy availability of attack machines Attack can look like normal traffic Lack of Internet enforcement tools Hard to get cooperation from others Effective solutions may be hard to deploy
4
1. Simplicity of Attack Basically, just send someone a lot of traffic
More complicated versions can add refinements, but that’s the crux of it No need to find new vulnerabilities No need to worry about timing, tracing, etc. Toolkits are readily available to allow the novice to perform DDoS Even distributed parts are very simple
5
2. DDoS Preys on Internet’s Strengths
The Internet was designed to deliver lots of traffic From lots of places, to lots of places DDoS attackers want to deliver lots of traffic from lots of places to one place Any individual packet can look proper to the Internet Without sophisticated analysis, even the entire flow can appear proper
6
The Internet and Resource Utilization
The Internet was not designed to monitor resource utilization It’s pretty much first come, first served Many network services work the same way And many key underlying mechanisms do, too Thus, if a villain can get to the important resources first, he can often deny them to good users
7
3. Easy Availability of Attack Machines
DDoS is feasible because attackers can enlist many machines Attackers can enlist many machines because many machines are readily vulnerable Not hard to find 10,000 crackable machines on the Internet Particularly if you don’t care which ones Some reports suggest attack armies of tens of thousands of machines are at the ready
8
Can’t We Fix These Vulnerabilities?
Doubtful DDoS attacks don’t really harm the attacking machines Many people don’t protect their machines even when the attacks can harm them Why will they start protecting their machines just to help others? Altruism has not proven to be a compelling argument for for network security, to date
9
4. Attack Can Look Like Normal Traffic
A DDoS attack can consist of vast number of requests for a web server’s home page No need for attacker to use particular packets or packet contents So neat filtering/signature tools may not help Attacker can be arbitrarily sophisticated at mirroring legitimate traffic In principle Not currently done because dumb attacks work so well
10
5. Lack of Internet Enforcement Tools
DDoS attackers typically not caught by tracing or observing attack Only by old-fashioned detective work The Internet offers no help in tracing a single attack stream, Much less multiple ones Even if you trace them, a clever attacker leaves no clues of his identity on attack machines
11
What Is the Internet Lacking?
No validation of IP source address No enforcement of amount of resources used No method of tracking attack flows Or those controlling attack flows No method of assigning responsibility for bad packets or packet streams No mechanism or tools for determining who corrupted a machine
12
6. Poor Cooperation in the Internet
It’s hard to get anyone to help you stop or trace or prevent an attack Even your ISP might not be too cooperative Anyone upstream of your ISP is less likely to be cooperative ISPs more likely to cooperate with each other, though Even if cooperation occurs, it occurs at human timescales The attack might be over by the time you figure out who to call
13
7. Effective Solutions May Be Hard to Deploy
The easiest place to deploy defensive systems is near your own machine But defenses there might not work well E.g., firewall example Effective research solutions require deployment near attackers or in Internet core Or, worse, in many places A working solution is no use if required parties won’t deploy it Hard to get anything deployed if deployer gets no direct advantage
14
Defending Against DDoS Attacks
DDoS attacks sound pretty terrible So what do I do to keep my machines and networks safe from DDoS attacks? How would I even go about starting to defend myself and others from DDoS attacks?
15
Desirable Characteristics of DDoS Defense Solutions
Effective Accurate Cheap Deployable Complete
16
1. Effectiveness of DDoS Defenses
Does it stop the DDoS attack from crippling my machine? If so, is it merely pushing the problem upstream? Or is it fundamentally solving it? Will it only stop disruptive attacks? Or will it also stop degrading attacks?
17
2. Accuracy of DDoS Defenses
Ultimately, DDoS defense usually requires dropping some packets Avoiding the DDoS effect by not delivering the attack traffic that causes it That’s great, but . . . Is it only attack traffic that is getting dropped? Or is my defense system also dropping some legitimate traffic?
18
The Vital Importance of Accuracy
The point of a DDoS attack is not to deliver a bunch of bogus packets to you It’s to prevent you from offering regular service If your defense mechanism drops both attack packets and legitimate packets, It offers the DDoS attacker another mechanism to deny service DDoS defense mechanisms that do not ensure the delivery of all (or almost all) legitimate traffic are of little help!
19
Collateral Damage The term used to describe unintended and undesirable consequences of a defense mechanism How much good traffic does the defense mechanism drop (or delay)? Low collateral damage is tolerable If the collateral damage is high enough, it’s as bad as the attack itself
20
DDoS Collateral Damage Types
You drop good packets destined for the target That’s bad You drop good packets from an attack source Also bad You drop good packets going to and from uninvolved third parties That’s even worse
21
Accuracy and False Alerts
Most nodes aren’t under DDoS attack most of the time If the DDoS defense system signals an attack when there is no attack, there may be a problem Small problem if the signal doesn’t disrupt the good traffic Big problem if it does
22
Dimensions of Accuracy
Detection Did the defense system signal an attack when one occurred? And only when one occurred? Response Did the defense system take action only against attack packets?
23
3. Cost of DDoS Defense Systems
Defense systems must be reasonably inexpensive In money, but especially in performance Particularly when no attacks are going on Since that will be most of the time Low cost important even when attacks are ongoing If defense system eats 95% of your CPU when defending, this can easily deny service to legitimate clients
24
4. Deployability of DDoS Defenses
Defense systems on or near to the potential target are highly deployable
25
Deployability of DDoS Defenses
Defense systems on or near to potential attackers are less deployable 1. No economic incentive for deployment 2. Attacker might gain control of defense system 3. Wide deployment required for effectiveness
26
Deployability of DDoS Defenses
Core routers are already heavily loaded 2. If you’re putting it in the core, you’d better get it right the first time Defense systems in the Internet core face serious deployment challenges 3. Owners of these routers have no economic incentive to deploy defenses
27
5. Completeness A DDoS defense systems should handle all kinds of DDoS attacks Systems that only handle SYN floods (for example) are of less value Ideally, the entire range of known attacks should be covered Plus anything else we didn’t think about yet
28
Conclusion Distributed denial of service attacks are difficult to handle for multiple reasons Some deal with the nature of the Internet Some deal with business practicalities Some deal with choices in our protocols All are hard or impossible to change
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.