Published by Eustace O’Neal. Modified over 9 years ago.
1
Distributed Denial of Service Attacks: Characterization and Defense
Will Lefevers, CS522, UCCS
2
Outline
- Anatomy of a DDoS Attack: Gibson Research Corporation
- DDoS Attack Characterization
- Advanced DDoS with Traffic Reflection
- Attack Taxonomy
- Potential DDoS Defenses
- Defense Taxonomy
- Initiatives at UCCS
- Next?
3
Anatomy of a DDoS: Gibson Research Corporation
- May 4th, 2001: two direct-line 1.54 Mb T1s flooded with 1500 B UDP packets bound for port 666, plus some ICMP and a little TCP; the ISP didn't filter any of it
- 17 hours of initial downtime, then 5 more attacks
4
Anatomy of a DDoS: Attack Vector
- 474 “zombie” systems (mostly from national ISPs), exclusively Win9x, directed by a 13-year-old
- Attacking hosts were unable to IP spoof because of a half-implemented TCP/IP stack in Win9x
5
Anatomy of a DDoS: Zombie Hosts
- "Bot-farmers" preferred cable ISPs over DSL because of upload bandwidth
- Virus distributed widely, then coordinated through IRC
6
DDoS Characterization
- Target scarce resources (find the weakest link): services provided, connectivity, physical network hardware, possibly even bandwidth costs
- Other methods proven to work:
  - TCP SYN half-open or SYN/ACK floods, which disable services by reserving all ports; no new connections can be made
  - ICMP Ping of Death (PoD) can cause an OS dump when packets larger than 65536 are received; takes the system offline
  - Heavy UDP traffic: connectionless, 0 packet delay, quickly floods routers/gateways, killing both host and ISP
  - Virus/bot networks (Tribal Flood Network, Stacheldraht, Trinoo), typically using IRC for coordination
7
Advanced DDoS: Traffic Reflection
- Real connections: volumes of non-filterable traffic from widely-spread public internet servers at high rates
- No single “reflector” will notice the flood if the packets are forged and spoofed well (from victim to reflector, correct TCP sequence numbers, legitimate service)
- Coordinator/initiator is much harder to find; traffic won't look suspect until you compare each reflector's logs
- Traffic amplification can make things much worse (asynchronous payload) but is less common
- Examples include DNS recursive queries, forged HTTP file requests, FTP bounce techniques
8
DDoS Attack Taxonomy
9
DDoS: Potential Defenses
Public Internet Routers/Gateways/Switches:
- Implement filters for malformed packets and common attacks (wide deployment, but feasible)
- Require ingress route filters and mapping (which side is that host on?) to prevent packet injection
- "Follow-up" packets (ITRACE) can be forwarded by all routers via ICMP along the data path; this could highlight the slave systems to the reflector and victim
- Implement QoS and rate-limiting across the board
10
DDoS: Potential Defenses
Operating System:
- Disable address spoofing at the OS (Win9x's half-implemented TCP/IP)
- Implement quota systems for limited resources (FTP shares, TCP ports, etc.)
- Use TCP cookies: do not allocate resources until the handshake is complete
Application:
- Make the TCP sequence numbers harder to guess
Network:
- Multi-homed bandwidth and server pools/clusters
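The "TCP cookies" bullet is the SYN cookie technique: the server answers a SYN with a SYN-ACK whose initial sequence number encodes a coarse timestamp, the client's MSS and a keyed hash of the connection 4-tuple, and keeps no half-open state until the final ACK proves the client saw that number. The model below is an added example written for this page, not code from the slides or from any kernel; the MSS table, the 64-second counter and the secret are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct
import time
from typing import Optional

# 3-bit MSS index -> MSS value (constructed table for the example)
MSS_TABLE = (536, 1300, 1440, 1460)


class SynCookies:
    """Stateless SYN cookies: the SYN-ACK's ISN encodes a coarse timestamp,
    the negotiated MSS and a keyed hash of the 4-tuple, so the server keeps
    no half-open state until a valid ACK arrives."""

    def __init__(self, secret: bytes, clock=time.time):
        self.secret = secret   # per-host secret (assumed to be rotated out of band)
        self.clock = clock     # injectable for tests

    def _counter(self) -> int:
        # 64-second granularity; only the low 5 bits go into the cookie
        return int(self.clock()) // 64

    def _mac(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int, t: int) -> int:
        msg = struct.pack("!4sH4sHI", socket.inet_aton(src_ip), src_port,
                          socket.inet_aton(dst_ip), dst_port, t & 0xFFFFFFFF)
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")   # 24-bit tag

    def make(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int, mss: int) -> int:
        """ISN for the SYN-ACK: 5 bits counter | 3 bits MSS index | 24 bits MAC."""
        t = self._counter()
        idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss] or [0])
        return ((t & 0x1F) << 27) | (idx << 24) | self._mac(src_ip, src_port, dst_ip, dst_port, t)

    def check(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int, ack: int) -> Optional[int]:
        """Validate the final ACK; return the MSS to use, or None to drop it."""
        cookie = (ack - 1) & 0xFFFFFFFF
        t_bits, idx, tag = cookie >> 27, (cookie >> 24) & 7, cookie & 0xFFFFFF
        now = self._counter()
        # accept the current or the previous counter value (cookie lifetime <= 128 s)
        for t in (now, now - 1):
            if (t & 0x1F) == t_bits and hmac.compare_digest(
                    tag.to_bytes(3, "big"),
                    self._mac(src_ip, src_port, dst_ip, dst_port, t).to_bytes(3, "big")):
                return MSS_TABLE[idx]
        return None
```

A flood of spoofed SYNs now costs the server one HMAC per packet and no memory; the usual trade-off is that TCP options beyond the MSS are lost, which is why kernels enable this only once the listen queue is under pressure.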
11
DDoS Defense Taxonomy
12
DDoS Initiatives at UCCS
- Rate-limiting with Autonomous Anti-DDoS (A2D2)
  - Based on a Snort plugin which interacts faster with the firewall and utilizes adaptive flood detection methods
  - Explores the efficient use of rate-limiting and content-based queuing
- Network reconfiguration with Secure Collective Defense (SCOLD)
  - Extends the DNS system to support update and retrieval of enhanced DNS entries, including a set of proxy servers for indirect routes
  - Develops an indirect routing protocol on Linux for setting up proxy-based indirect routes when the main route gets flooded
13
Next Up?
- Route modification: is it possible to drop the attacked IP address and give it another?
- Can we “push” routing table changes to routers?
- Can we change the appearance of our topology from the outside and let the (more capable) ISP handle the problem?
*Contact me for sources/citations
14
Review
- Anatomy of a DDoS Attack: Gibson Research Corporation
- DDoS Attack Characterization
- Advanced DDoS with Traffic Reflection
- Attack Taxonomy
- Potential DDoS Defenses
- Defense Taxonomy
- Initiatives at UCCS
- Next?