Presentation on theme: "You should worry if you are below this point.  Your projected and optimistically projected grades should be in the grade center soon o Projected:  Your."— Presentation transcript:

1 You should worry if you are below this point

2  Your projected and optimistically projected grades should be in the grade center soon o Projected:  Your current weighted score /30 * 100 o Optimistic:  (Your current weighted score+70)/100 o Just for your feedback  Quiz 1 is posted o Do it before your lab slot but after this week’s lab lecture o Open book open notes, unlimited time o You will do the same version again after your lab – to be posted soon. Better score counts.

3  Don’t allow an individual attack machine to use many of a target’s resources  Requires: o Authentication, or o Making the sender do special work (puzzles)  Authentication schemes are often expensive for the receiver  Existing legitimate senders largely not set up to handle doing special work  Can still be overcome with a large enough army of zombies

4  Make it hard for anyone but legitimate clients to deliver messages at all  E.g., keep your machine’s identity obscure  A possible solution for some potential targets o But not for others, like public web servers  To the extent that approach relies on secrecy, it’s fragile o Some such approaches don’t require secrecy

5  As attacker demands more resources, supply them  Essentially, never allow resources to be depleted  Not always possible, usually expensive  Not clear that defender can keep ahead of the attacker  But still a good step against limited attacks  More advanced versions might use Akamai-like techniques

6  Figure out which machines attacks come from  Go to those machines (or near them) and stop the attacks  Tracing is trivial if IP source addresses aren’t spoofed o Tracing may be possible even if they are spoofed  May not have ability/authority to do anything once you’ve found the attack machines  Not too helpful if attacker has a vast supply of machines

7  The basis for most defensive approaches  Addresses the core of the problem by limiting the amount of work presented to target  Key question is: o What do you drop?  Good solutions drop all (and only) attack traffic  Less good solutions drop some (or all) of everything

8  Filtering drops packets with particular characteristics o If you get the characteristics right, you do little collateral damage o At odds with the desire to drop all attack traffic  Rate limiting drops packets on basis of amount of traffic o Can thus assure target is not overwhelmed o But may drop some good traffic

9 Near the target? Near the source? In the network core? In multiple places?

11  Near target o Easier to detect attack o Sees everything o May be hard to prevent collateral damage o May be hard to handle attack volume

12  Near source o May be hard to detect attack o Doesn’t see everything o Easier to prevent collateral damage o Easier to handle attack volume

13  In core o Easier to handle attack volume o Sees everything (with sufficient deployment) o May be hard to prevent collateral damage o May be hard to detect attack

14  Have a database of attack signatures  Detect anomalous behavior o By measuring some parameters for a long time, setting a baseline, and detecting when their values are abnormally high o By defining which behavior must be obeyed, starting from a protocol specification, and flagging traffic that violates it

15  Devise filters that encompass most of the anomalous traffic  Drop everything but give priority to legitimate-looking traffic o Traffic that has the expected parameter values o Traffic that exhibits the expected behavior
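Slides 14 and 15 describe the baseline-and-threshold style of detection and a response that drops anomalous sources while forwarding the rest. The following is an added example (not from the slides or any cited paper) that runs both steps over constructed traffic: a training series sets a mean-plus-3σ baseline for the aggregate rate and for a single client's rate; under attack, sources above the per-client baseline are dropped and the others are forwarded. The packet counts, IP addresses and the 3σ rule are all assumptions made for the example.

```python
import statistics
from collections import Counter

# Constructed training data: inbound packets per second measured over a quiet period.
TRAINING_PPS = [40, 45, 38, 50, 42, 47, 39, 44, 46, 41, 43, 48]
# Constructed: packets per second that individual normal clients sent in that period.
TRAINING_PER_SOURCE = [3, 5, 4, 6, 2, 4, 5, 3, 4, 5]

# Constructed one-second window observed during an attack: (source IP, proto, dst port).
UNDER_ATTACK = (
    [("198.51.100.7", "tcp", 80)] * 5
    + [("203.0.113.9", "tcp", 443)] * 6
    + [("198.51.100.20", "udp", 53)] * 4
    + [("192.0.2.55", "tcp", 80)] * 500      # one source far above any normal client
)
# Constructed quiet window for comparison.
QUIET = [("198.51.100.7", "tcp", 80)] * 5 + [("203.0.113.9", "tcp", 443)] * 6


def baseline(samples, k=3.0):
    """Threshold for a measured parameter: mean + k standard deviations (k=3 is an assumption)."""
    return statistics.mean(samples) + k * statistics.pstdev(samples)


def classify(packets, total_threshold, per_source_threshold):
    """Detection plus response for one observation window.

    If the aggregate rate exceeds its baseline the window is flagged as an attack;
    sources whose own rate is still normal are forwarded with priority and
    sources whose rate is anomalous are dropped.
    """
    per_source = Counter(src for src, _, _ in packets)
    total = sum(per_source.values())
    if total <= total_threshold:
        return {"attack": False, "forward": set(per_source), "drop": set()}
    drop = {src for src, n in per_source.items() if n > per_source_threshold}
    return {"attack": True, "forward": set(per_source) - drop, "drop": drop}


if __name__ == "__main__":
    total_t = baseline(TRAINING_PPS)
    src_t = baseline(TRAINING_PER_SOURCE)
    print(f"aggregate threshold {total_t:.1f} pps, per-source threshold {src_t:.1f} pps")
    print(classify(UNDER_ATTACK, total_t, src_t))
    print(classify(QUIET, total_t, src_t))
```

The per-source check is exactly what slide 21 says breaks down: spread the same 500 packets over 100 bots at 5 packets each and every one of them sits under the per-client baseline, so nothing is dropped even though the aggregate alarm still fires.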

16  Need for a distributed response  Economic and social factors  Lack of detailed attack information  Lack of defense system benchmarks  Difficulty of large-scale testing  Moving target

17  Attacker sends lots of TCP SYN packets o Victim replies with a SYN-ACK and allocates a half-open connection entry in memory o Attacker never completes the handshake o Goal is to fill up the half-open connection memory before entries time out and get deleted  Usually spoofed traffic o Otherwise the source patterns may be used for filtering o The OS at the attacker’s real address, or at a spoofed address that belongs to a live host, answers the unexpected SYN-ACK with a RST and frees the entry (so attackers prefer spoofing unreachable addresses)

18  Effective defense against TCP SYN flood o Victim encodes connection information and a coarse timestamp in the initial sequence number of its SYN-ACK, which comes back (plus one) as the ACK number of the client’s final ACK o Must be hard to craft values that encode to the same cookie – use a keyed cryptographic hash for the encoding o Memory is only reserved when the final ACK arrives and its cookie validates  Only the server must change o But TCP options negotiated in the SYN (e.g., window scaling, SACK) are not supported, since there is no room for them in the cookie o And lost SYN-ACKs are not retransmitted, since the server keeps no state to retransmit from
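Slide 18 describes SYN cookies in one sentence; the added example below (written for this page, not code from any TCP stack) shows the actual encoding and the stateless validation of the client's final ACK. The 32-bit layout (5-bit minute counter, 3-bit MSS index, 24-bit truncated HMAC), the MSS table, the key and the one-minute acceptance window are assumptions chosen for the example; real stacks differ in the details but follow the same shape.

```python
import hashlib
import hmac
import struct

# Hypothetical per-server key; a real implementation rotates it periodically.
SERVER_SECRET = b"example-syn-cookie-key"
# MSS values the cookie can express in 3 bits (constructed table).
MSS_TABLE = [536, 1220, 1440, 1460]
TIME_UNIT = 60          # cookies carry a 5-bit counter of minutes
MAX_AGE_UNITS = 1       # accept the current counter value or the previous one


def _mac(src_ip, src_port, dst_ip, dst_port, client_isn, counter):
    """24-bit truncated HMAC binding the cookie to the 4-tuple, the client ISN and the time counter."""
    msg = struct.pack("!4sH4sHII", src_ip, src_port, dst_ip, dst_port, client_isn, counter)
    return int.from_bytes(hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:3], "big")


def syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, client_mss, now):
    """Server ISN for the SYN-ACK: 5 bits time | 3 bits MSS index | 24 bits MAC. No state is kept."""
    counter = (now // TIME_UNIT) & 0x1F
    mss_index = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return (counter << 27) | (mss_index << 24) | _mac(src_ip, src_port, dst_ip, dst_port, client_isn, counter)


def check_cookie(src_ip, src_port, dst_ip, dst_port, seq, ack, now):
    """Validate the client's final ACK (seq = client ISN + 1, ack = cookie + 1).

    Returns the MSS to use for the connection, or None if the ACK does not carry
    a fresh, correctly keyed cookie for this 4-tuple.
    """
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    counter = cookie >> 27
    mss_index = (cookie >> 24) & 0x7
    age = ((now // TIME_UNIT) - counter) & 0x1F
    if age > MAX_AGE_UNITS:
        return None
    expected = _mac(src_ip, src_port, dst_ip, dst_port, client_isn, counter)
    got = cookie & 0xFFFFFF
    if not hmac.compare_digest(expected.to_bytes(3, "big"), got.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_index]


def accept_ack(connections, src_ip, src_port, dst_ip, dst_port, seq, ack, now):
    """Connection state is allocated only here, after the cookie validates."""
    mss = check_cookie(src_ip, src_port, dst_ip, dst_port, seq, ack, now)
    if mss is None:
        return False
    connections[(src_ip, src_port, dst_ip, dst_port)] = {"mss": mss, "snd_nxt": ack, "rcv_nxt": seq}
    return True


if __name__ == "__main__":
    # Constructed handshake: client 192.0.2.10:51234 -> server 198.51.100.1:80
    c, s, now = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1]), 1_700_000_000
    client_isn = 0x12345678
    server_isn = syn_cookie(c, 51234, s, 80, client_isn, 1460, now)
    table = {}
    print("valid ACK accepted:", accept_ack(table, c, 51234, s, 80, client_isn + 1, server_isn + 1, now))
    print("forged ACK accepted:", accept_ack(table, c, 51234, s, 80, client_isn + 1, server_isn ^ 0x55, now))
```

Because the cookie is recomputed from the secret, an attacker who never saw the SYN-ACK has to guess 24 MAC bits per forged ACK, and a captured cookie stops validating after the time window. Linux works around the options limitation on the slide by packing window scale, SACK and ECN flags into the TCP timestamp option when the client offers timestamps.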

19  Overwhelm routers o Create a lot of packets per second (pps) o Exhaust router CPU o Most routers can’t handle a full link’s worth of minimum-size packets  No real solution; packets must be filtered somehow to reduce router load

20  Periodically slam the victim with short, high-volume pulses o Lead to congestion drops on clients’ TCP traffic o TCP backs off o If loss is large enough to cause a retransmission timeout, the window collapses to 1 MSS per RTT o Attacker slams again after a few RTTs, just as the timeout expires, so connections never recover  Solution requires TCP protocol changes o Tough to implement since clients must be changed

21  Generate legitimate application traffic to the victim o E.g., DNS requests, Web requests o Usually not spoofed o If enough bots are used no client appears too aggressive o Really hard to filter since both traffic and client behavior seem identical between attackers and legitimate users

22  Generate service requests to public servers spoofing the victim’s IP o Servers reply back to the victim, overwhelming it o Usually done with UDP and ICMP traffic (a reflected TCP SYN flood would only overwhelm the CPU, and only if a huge number of packets is generated, since each SYN elicits a single small SYN-ACK) o Often takes advantage of an amplification effect – some service requests lead to huge replies; this lets the attacker multiply the bandwidth of the attack

23  Pushback  Traceback  SOS  Proof-of-work systems

24  Goal: Preferentially drop attack traffic to relieve congestion  Local ACC: Enable core routers to respond to congestion locally by: o Profiling traffic dropped by RED o Identifying high-bandwidth aggregates o Preferentially dropping aggregate traffic to enforce the desired bandwidth limit  Pushback: A router identifies the upstream neighbors that forward the aggregate traffic to it and requests that they deploy the rate limit [1] “Controlling High Bandwidth Aggregates in the Network,” Mahajan, Bellovin, Floyd, Paxson, Shenker, ACM CCR, July 2002
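The local ACC and pushback steps on slide 24 can be made concrete with a small added example (written for this page; it is not the paper's algorithm nor router code). A router sees more traffic than its link carries, clusters the traffic into destination /24 aggregates, picks the aggregates that exceed a share of the link, sets a rate limit that leaves the remaining traffic untouched, and then splits that limit among the upstream neighbours in proportion to what each delivered. The capacity, the 50% share threshold, the proportional split and the arrival counts are assumptions; the paper profiles RED drops and uses a fairness-based split, which the example simplifies.

```python
from collections import Counter
import ipaddress

CAPACITY = 1000            # packets the outgoing link carries per interval (constructed)
SHARE_THRESHOLD = 0.5      # an aggregate above half the link is "high bandwidth" (assumption)

# Constructed arrivals at one core router during one interval:
# (destination IP, upstream neighbour that delivered the packets, packet count)
ARRIVALS = [
    ("198.51.100.10", "upstream-A", 900),
    ("198.51.100.10", "upstream-B", 400),
    ("203.0.113.4", "upstream-A", 120),
    ("192.0.2.77", "upstream-C", 80),
]


def aggregate_of(ip):
    """Aggregate = destination /24 prefix (one of the clustering choices discussed in the paper)."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def local_acc(arrivals, capacity=CAPACITY, threshold=SHARE_THRESHOLD):
    """Local aggregate congestion control.

    Returns {aggregate: allowed packets per interval} for the high-bandwidth
    aggregates, sized so that everything else still fits on the link; {} when
    the link is not congested.
    """
    by_aggregate = Counter()
    for ip, _, n in arrivals:
        by_aggregate[aggregate_of(ip)] += n
    total = sum(by_aggregate.values())
    if total <= capacity:
        return {}
    heavy = {a: n for a, n in by_aggregate.items() if n > threshold * capacity}
    others = total - sum(heavy.values())          # traffic we want to leave alone
    budget = max(capacity - others, 0)            # what is left for the heavy aggregates
    heavy_total = sum(heavy.values())
    return {a: budget * n / heavy_total for a, n in heavy.items()}


def pushback(arrivals, limits):
    """Split each aggregate's limit among upstream neighbours in proportion to what they sent,
    i.e. the rate-limit requests this router would send upstream."""
    requests = {}
    for aggregate, limit in limits.items():
        by_upstream = Counter()
        for ip, upstream, n in arrivals:
            if aggregate_of(ip) == aggregate:
                by_upstream[upstream] += n
        sent = sum(by_upstream.values())
        requests[aggregate] = {up: limit * n / sent for up, n in by_upstream.items()}
    return requests


if __name__ == "__main__":
    limits = local_acc(ARRIVALS)
    print("local rate limits:", limits)
    print("pushback requests:", pushback(ARRIVALS, limits))
```

Only the victim's /24 is limited (matching slide 25: "only traffic for the victim is dropped"), and legitimate packets inside that /24 share the drops with the attack, which is the collateral damage the same slide warns about.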

25  Even a few core routers are able to control high-volume attacks  Separation of traffic aggregates improves current situation o Only traffic for the victim is dropped o Drops affect a portion containing the attack traffic  Likely to successfully control the attack, relieving congestion in the Internet  Will inflict collateral damage on legitimate traffic

26 + Routers can handle high traffic volumes + Deployment at a few core routers can affect many traffic flows, due to core topology + Simple operation, no overhead for routers + Pushback minimizes collateral damage by placing the response close to the sources – Pushback only works in contiguous deployment – Collateral damage is inflicted by the response whenever the attack is not clearly separable – Requires modification of existing core routers

27  Goal: locate the agent machines  Each packet header may carry a mark, containing: o EdgeID (the IP addresses of two adjacent routers) specifying an edge it has traversed o The distance from that edge, incremented by every router the packet passes afterwards  Routers mark packets probabilistically  If a router receives a half-marked packet (containing only one IP address), it completes the mark  The victim under attack reconstructs the path from the marked packets [1] “Practical Network Support for IP Traceback,” Savage, Wetherall, Karlin, Anderson, ACM SIGCOMM 2000
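The marking and reconstruction on slide 27 are easiest to follow as a simulation. The added example below (written for this page, not the paper's code) runs the edge-sampling scheme from Savage et al. over a constructed five-router path: each router starts a new mark with probability p, otherwise completes a half mark and bumps the distance; the victim then chains the collected edges by distance. The path names, p = 0.04, the packet count and the random seed are assumptions; the packet-count bound is the one given in the paper.

```python
import math
import random

VICTIM = "victim"
# Constructed path: routers in order from the attacking host toward the victim.
PATH = ["R1", "R2", "R3", "R4", "R5"]
P_MARK = 0.04   # marking probability per router (assumption; the paper discusses values around 1/25)


def expected_packets(p, d):
    """Paper's bound on the packets the victim needs to see every edge of a d-hop path:
    ln(d) / (p * (1 - p) ** (d - 1))."""
    return math.log(d) / (p * (1 - p) ** (d - 1))


def forward(packet, routers, p, rng):
    """Edge sampling at each router in order.

    With probability p the router writes itself as 'start' and resets distance to 0;
    otherwise, if distance is 0 the mark is half complete and the router writes
    itself as 'end'; in both non-marking cases the distance is incremented.
    """
    for router in routers:
        if rng.random() < p:
            packet["start"], packet["end"], packet["distance"] = router, None, 0
        else:
            if packet["distance"] == 0:
                packet["end"] = router
            packet["distance"] += 1
    return packet


def reconstruct(marks, victim=VICTIM):
    """Chain edges outward from the victim: the edge at distance d must end where
    the edge at distance d-1 starts. Returns routers from farthest to nearest."""
    edges = {}
    for m in marks:
        if m["start"] is None:            # never marked by any router: nothing to learn
            continue
        end = m["end"] if m["end"] is not None else victim
        edges.setdefault(m["distance"], set()).add((m["start"], end))
    path, expect, d = [], victim, 0
    while d in edges:
        candidates = [s for s, e in edges[d] if e == expect]
        if len(candidates) != 1:          # chain broken or ambiguous: stop here
            break
        path.append(candidates[0])
        expect = candidates[0]
        d += 1
    return list(reversed(path))


def simulate(n_packets, seed=1, path=PATH, p=P_MARK):
    """Send n_packets unmarked packets down the path and reconstruct it at the victim."""
    rng = random.Random(seed)
    marks = [forward({"start": None, "end": None, "distance": 0}, path, p, rng)
             for _ in range(n_packets)]
    return reconstruct(marks)


if __name__ == "__main__":
    print(f"expected packets for a {len(PATH)}-hop path: {expected_packets(P_MARK, len(PATH)):.0f}")
    print("after 10 packets:", simulate(10))
    print("after 2000 packets:", simulate(2000))
```

Because the distance field is only ever incremented, an attacker can still prepend fabricated edges beyond R1 by sending packets with a forged mark, which is why the slide that follows treats the result as reaching "the vicinity of the attacker" rather than a provable origin.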

28  Traceback does nothing to stop DDoS attacks  It only identifies attackers’ true locations o Comes to a vicinity of attacker  If IP spoofing were not possible in the Internet, traceback would not be necessary  There are other approaches to filter out spoofed traffic

29  Incrementally deployable; even a few disjoint routers can provide beneficial information  Moderate router overhead (packet modification)  A few thousand packets are needed even for long path reconstruction  Routers close to the sources can efficiently block attack traffic, minimizing collateral damage  Does not work well for highly distributed attacks  Path reassembly is computationally demanding and is not 100% accurate: o Path information cannot be used for legal purposes

30 + Incrementally deployable + Effective for non-distributed attacks and for highly overlapping attack paths + Facilitates locating routers close to the sources – Packet marking incurs overhead at routers, must be performed at slow path – Path reassembly is complex and prone to errors – Reassembly of distributed attack paths is prohibitively expensive

31  Goal: route only “verified user” traffic to the server, drop everything else  Clients use an overlay network to reach the server  Clients are authenticated at the overlay entrance; their packets are routed to proxies  A small set of proxies is “approved” to reach the server; all other traffic is heavily filtered out [1] “SOS: Secure Overlay Services,” Keromytis, Misra, Rubenstein, ACM SIGCOMM 2002

32  A user first contacts nodes that can check its legitimacy and let it access the overlay – access points  An overlay node uses the Chord overlay routing protocol to send the user’s packets to a beacon  The beacon sends packets to a secret servlet  Secret servlets tunnel packets to the firewall  The firewall only lets through packets with the IP of a secret servlet o A secret servlet’s identity has to be hidden, because its source address is a passport for the realm beyond the firewall o Beacons are nodes that know the identity of the secret servlets  If a node fails, other nodes can take its role

33  SOS successfully protects communication with a private server: o Access points can distinguish legitimate from attack communications o Overlay protects the traffic flow o Firewall drops attack packets  Redundancy in the overlay and secrecy of the path to the target provide security against DoS attacks on SOS itself

34 + Ensures communication of “verified users” with the victim + Resilient to overlay node failure + Resilient to DoS on the defense system – Does not work for public services – Traffic routed through the overlay travels on a suboptimal path – Brute force attack on links leading to the firewall still possible

35  Goal: defend against connection depletion attacks  When under attack: o Server distributes small cryptographic puzzles to clients requesting service o Clients spend resources to solve the puzzles o A correct solution, submitted on time, leads to state allocation and connection establishment o Non-validated connection packets are dropped  Puzzle generation is stateless  Client cannot reuse puzzle solutions  Attacker cannot make use of intercepted packets [1] “Client Puzzles: A Cryptographic Countermeasure Against Connection Depletion Attacks,” Juels, Brainard, NDSS 1999
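Slides 35 to 37 list the properties of client puzzles (stateless generation, no reuse, difficulty tied to server load). The added example below (written for this page, not the authors' code) implements the hash-based construction in that spirit: the server derives a 64-bit secret value x from its key, a time period and the client's connection identifier, hands the client x with its low k bits blanked plus H(x), and the client brute-forces the missing bits. Verification recomputes x, so the server stores nothing per outstanding puzzle; a small table of accepted solutions for the current period rejects replays. The period length, the load-to-difficulty mapping, the key and the client identifier format are assumptions.

```python
import hashlib
import hmac

PERIOD = 60                              # seconds a puzzle stays valid (assumption)
SERVER_SECRET = b"example-puzzle-key"    # hypothetical key, rotated out of band


def difficulty(load):
    """Server picks k (bits the client must brute-force) from its current load (constructed mapping)."""
    if load < 0.5:
        return 0          # no attack: puzzles are free
    if load < 0.8:
        return 8
    return 16


def _secret_value(secret, period, client):
    """The puzzle's answer, derived rather than stored: HMAC(key, period || client id), truncated to 64 bits."""
    return int.from_bytes(hmac.new(secret, f"{period}|{client}".encode(), hashlib.sha256).digest()[:8], "big")


def _h(x):
    return hashlib.sha256(x.to_bytes(8, "big")).hexdigest()


def make_puzzle(secret, client, k, now):
    """Puzzle handed to the client: x with its low k bits cleared, plus H(x)."""
    period = now // PERIOD
    x = _secret_value(secret, period, client)
    return {"period": period, "k": k, "partial": x & ~((1 << k) - 1), "target": _h(x)}


def solve(puzzle):
    """Client side: try every value of the hidden bits. Returns (solution, hashes computed)."""
    for guess in range(1 << puzzle["k"]):
        candidate = puzzle["partial"] | guess
        if _h(candidate) == puzzle["target"]:
            return candidate, guess + 1
    raise ValueError("puzzle has no solution")


class PuzzleServer:
    """Accepts a connection only for a fresh, correct, not-yet-seen solution."""

    def __init__(self, secret):
        self.secret = secret
        self.seen = set()                     # (period, client, solution) accepted so far

    def accept(self, client, period, solution, now):
        current = now // PERIOD
        if period > current or current - period > 1:        # stale or from the future
            return False
        if solution != _secret_value(self.secret, period, client):
            return False                                     # wrong answer or wrong client
        self.seen = {s for s in self.seen if s[0] >= current - 1}   # drop expired entries
        key = (period, client, solution)
        if key in self.seen:
            return False                                     # replay of an intercepted solution
        self.seen.add(key)
        return True                                          # only now allocate connection state


if __name__ == "__main__":
    now = 1_700_000_000
    puzzle = make_puzzle(SERVER_SECRET, "192.0.2.10:51234", difficulty(0.9), now)
    answer, work = solve(puzzle)
    server = PuzzleServer(SERVER_SECRET)
    print(f"client spent {work} hashes; accepted: {server.accept('192.0.2.10:51234', puzzle['period'], answer, now)}")
    print("replayed solution accepted:", server.accept("192.0.2.10:51234", puzzle["period"], answer, now))
```

Binding x to the client's connection identifier is what stops one bot from solving a puzzle and handing the answer to others, and the period in x is what bounds the server's replay table to the solutions of two periods rather than growing without limit.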

36  Client puzzles guarantee that each client has spent a certain amount of resources  Server determines the difficulty of the puzzle according to its resource consumption o Effectively the server controls its own resource consumption  Protocol is safe against replay or interception attacks  Other flooding attacks will still work

37 + Forces the attacker to spend resources, protects server resources from depletion + Attacker can only generate a certain number of successful connections from one agent machine + Low overhead on server – Requires client modification – Will not work against highly distributed attacks – Will not work against bandwidth consumption attacks (the Defense By Offense paper changes this)

