Defending Against Flooding Based DoS Attacks: A Tutorial
Rocky K.C. Chang, The Hong Kong Polytechnic University
Presented by Ashish Samant
CS577 Spring 05
Introduction (http://www.denialinfo.com)
Introduction
Denial of Service (DoS) Attack – an incident that disables a victim from receiving or providing normal service.
Relies on consuming limited or non-renewable system resources.
Can be launched by exploiting system design weaknesses, CPU-intensive tasks, or flooding.
Examples: ping of death, teardrop, smurf.
Distributed Denial of Service (DDoS)
Does not depend on system or protocol weaknesses.
DDoS uses the computing power of thousands of vulnerable, unpatched machines to overwhelm a target or victim.
Compromised hosts are gathered to send useless service requests or packets at the same time.
The burst of traffic generated crashes the victim or disables it.
Distributed Denial of Service (DDoS)
Hard to detect and stop.
Can spread within a few minutes.
Usually the period of flooding lasts for a few hours and is sporadic.
IP spoofing makes it harder to identify attackers.
This is a critical problem because of its potential use in cyber warfare and its ability to disrupt essential government services.
Timeline (http://staff.washington.edu/dittrich/misc/ddos/timeline.html)
May/June 1998 – First primitive DDoS tools developed in the underground; small networks, only mildly worse than a coordinated point-to-point DoS attack.
August 17, 1999 – Attack on the University of Minnesota, reportedly using trinoo. Campus disconnected from the Internet for 3 days.
Early October 1999 – CERT reviews hundreds of Solaris intrusion reports and finds many match the trinoo analysis. They arrange the Distributed System Intruder Tools Workshop.
February 8-12, 2000 – Attacks on eCommerce sites: Yahoo, eBay, Amazon hacked.
2002 – DoS attack on the 13 core root Internet DNS servers.
2000-2001 – Melissa, I Love You, Anna Kournikova.
2002 – Code Red
2003 – Slammer
Direct DDoS Attacks
Direct attacks (flooding of request packets)
–Attacker sends out packets directly towards the target.
–Uses TCP, UDP, ICMP packets with random spoofed IP addresses.
–Only a few compromised machines are sufficient.
Examples:
–TCP SYN flooding; based on the TCP three-way handshake, the final ACK from source to victim never arrives.
–Congesting a victim's incoming link using TCP RST packets, ICMP control packets or UDP packets.
–TCP (94%), UDP (2%), ICMP (2%).
Reflector DDoS Attacks
Reflector attacks (flooding of response packets)
–Attackers initiate an attack that is relayed through reflector machines, such as routers, web servers etc.
–Reflectors may or may not be aware.
–In response to requests from attackers, reflectors flood victims with reply packets.
–The address of the victim is spoofed in the requests sent to reflectors.
Examples:
–Smurf attacks: ICMP echo packets with spoofed victim addresses are broadcast.
–TCP SYN-ACK flooding.
–Bandwidth amplification: attack requests that elicit response packets of much larger size to the victim.
Direct and Reflector Attacks
DDoS Attack Setups
Summary of Reflector Attacks
Amount of SYN Packets Needed
Solutions to DDoS Attack
Prevention and Preemption
–Prevent hosts from becoming masters/agents; this is hard and inadequate.
–Regular patching and security updates.
Attack Source Traceback
–Identify the source of the attack and block it. Routers need to store packet source info.
–After-the-fact measure; cannot stop an active attack.
–Cannot always trace packet origins.
–Ineffective against reflector attacks, because reflectors are legitimate.
Solutions to DDoS Attack
Detection and Filtering
–Identify attack packets using anomaly or misuse detection.
–Drop suspect packets.
–False Positive Ratio (FPR) and False Negative Ratio (FNR) measure the effectiveness of detection.
–While filtering packets, the dropping of useful packets should be kept to a minimum; this is measured by the Normal Packet Survival Ratio (NPSR).
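The following is an added example, not code from the slides or from Chang's tutorial, that ties the detection-and-filtering metrics above to the SYN-flooding pattern from the direct-attack slide (the final ACK of the handshake never arrives). A small detector flags SYNs from (source, destination) pairs that keep sending SYNs without ever completing a handshake; a separate filtering policy decides what to drop; FPR and FNR score the detector and NPSR scores the filter. The traffic, the threshold, and the metric definitions (FPR = FP/(FP+TN), FNR = FN/(FN+TP), NPSR = surviving normal packets / all normal packets) are assumptions for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str       # "SYN", "SYN-ACK", "ACK" or "DATA"
    is_attack: bool  # ground-truth label, used only for scoring


VICTIM = "198.51.100.10"  # constructed victim address (documentation range)


def make_sample():
    """Constructed traffic: two clients that complete the handshake, one client
    whose SYNs are retransmitted over a lossy link, and two spoofed SYN sources."""
    pkts = []
    for client in ("10.0.0.5", "10.0.0.6"):
        pkts += [Packet(client, VICTIM, "SYN", False),
                 Packet(VICTIM, client, "SYN-ACK", False),
                 Packet(client, VICTIM, "ACK", False),
                 Packet(client, VICTIM, "DATA", False)]
    pkts += [Packet("10.0.0.7", VICTIM, "SYN", False)] * 4   # legitimate retransmissions
    pkts += [Packet("192.0.2.1", VICTIM, "SYN", True)] * 8   # spoofed flood source
    pkts += [Packet("192.0.2.2", VICTIM, "SYN", True)] * 3   # low-rate flood source
    return pkts


def syn_anomaly_detector(packets, syn_threshold=3):
    """Misuse rule for the half-open pattern: flag every SYN from a (src, dst)
    pair that sent more than syn_threshold SYNs and never sent an ACK.
    Returns the set of packet indices judged to be attack packets."""
    syn_count, completed = Counter(), set()
    for p in packets:
        key = (p.src, p.dst)
        if p.flags == "SYN":
            syn_count[key] += 1
        elif p.flags == "ACK":
            completed.add(key)
    suspect = {k for k, n in syn_count.items() if n > syn_threshold and k not in completed}
    return {i for i, p in enumerate(packets)
            if p.flags == "SYN" and (p.src, p.dst) in suspect}


def filter_packets(packets, flagged, keep_first=1):
    """Filtering policy applied to the detector's verdict (assumed policy): drop
    flagged SYNs, but let the first keep_first SYNs of each flow through so a
    misclassified legitimate client still gets one attempt. Returns dropped indices."""
    seen, dropped = Counter(), set()
    for i, p in enumerate(packets):
        if i not in flagged:
            continue
        seen[(p.src, p.dst)] += 1
        if seen[(p.src, p.dst)] > keep_first:
            dropped.add(i)
    return dropped


def detection_metrics(packets, flagged, dropped):
    """FPR/FNR score detection; NPSR scores filtering (normal packets that
    survived / all normal packets). These are the assumed definitions."""
    tp = fp = tn = fn = 0
    normal_total = normal_survived = 0
    for i, p in enumerate(packets):
        is_flagged = i in flagged
        if p.is_attack:
            tp += int(is_flagged)
            fn += int(not is_flagged)
        else:
            fp += int(is_flagged)
            tn += int(not is_flagged)
            normal_total += 1
            normal_survived += int(i not in dropped)
    return {"TP": tp, "FP": fp, "TN": tn, "FN": fn,
            "FPR": fp / (fp + tn) if fp + tn else 0.0,
            "FNR": fn / (fn + tp) if fn + tp else 0.0,
            "NPSR": normal_survived / normal_total if normal_total else 1.0}


if __name__ == "__main__":
    pkts = make_sample()
    flagged = syn_anomaly_detector(pkts)
    dropped = filter_packets(pkts, flagged)
    for k, v in detection_metrics(pkts, flagged, dropped).items():
        print(f"{k}: {v:.3f}" if isinstance(v, float) else f"{k}: {v}")
```

On the constructed sample the detector catches the 8-SYN flood source but misses the 3-SYN source (FNR = 3/11) and misfires on the retransmitting client (FPR = 4/12); because the filter spares the first SYN of each flagged flow, NPSR (0.75) is higher than 1 - FPR, which is why the slide treats survival of normal packets as a separate filtering measure rather than a restatement of the detector's false-positive ratio.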
Ideal Location for Detection/Filtering
Internet Firewall Approach
Packet detection and filtering at source and victim networks is not adequate.
Internet Firewall approach
–A global defense mechanism deployed at the core that drops packets before they reach the victim.
–Has the potential to maintain a victim's normal service, even during an attack.
–Based on Route Based Packet Filtering (RPF) and Distributed Attack Detection (DAD).
Route Based Packet Filtering (RPF)
RPF
–Move ingress packet filtering from source networks and next-level ISP networks to the Internet core.
–Check whether each packet arrives on the correct link with respect to the source and destination addresses in the packet.
–Drop the packet if it arrives from an unexpected link.
Route Based Packet Filtering (RPF)
Drawbacks
–About 18% of ASs need to be equipped with filters. This is a lot and will increase!
–BGP messages need to also carry source addresses, which increases their size.
–Reflected packets and packets with legitimate source addresses will still survive.
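An added example (not from the slides or the tutorial) of the RPF check described on the two preceding slides: a core router decides, from the source and destination addresses alone, which ingress links a packet could legitimately have arrived on, and drops it if it arrived elsewhere. The topology, the prefix-to-AS mapping and the feasible-ingress table are constructed; in a real deployment that table would be derived from routing information, which is the reason the drawbacks slide says BGP would have to carry source addresses.

```python
import ipaddress

# Constructed topology: one core router with three links, one AS per link.
# Prefixes are documentation ranges chosen for the example.
LINK_TO_AS = {"link-A": "AS-A", "link-B": "AS-B", "link-C": "AS-C"}
AS_PREFIXES = {
    "AS-A": [ipaddress.ip_network("192.0.2.0/24")],
    "AS-B": [ipaddress.ip_network("198.51.100.0/24")],
    "AS-C": [ipaddress.ip_network("203.0.113.0/24")],
}
# Routing knowledge the filter depends on (hand-built here): for each
# (source AS, destination AS) pair, the links on which a packet following the
# route from source to destination can arrive at this router.
FEASIBLE_INGRESS = {
    ("AS-A", "AS-B"): {"link-A"},
    ("AS-A", "AS-C"): {"link-A"},
    ("AS-B", "AS-A"): {"link-B"},
    ("AS-B", "AS-C"): {"link-B"},
    ("AS-C", "AS-A"): {"link-C"},
    ("AS-C", "AS-B"): {"link-C"},
}


def as_of(ip):
    """Map an address to the AS that originates its prefix, or None."""
    addr = ipaddress.ip_address(ip)
    for asn, prefixes in AS_PREFIXES.items():
        if any(addr in prefix for prefix in prefixes):
            return asn
    return None


def rpf_check(src_ip, dst_ip, ingress_link):
    """Return (accept, reason). The packet is dropped when its claimed source
    could not have reached this router over ingress_link on the route from the
    source AS to the destination AS."""
    src_as, dst_as = as_of(src_ip), as_of(dst_ip)
    if src_as is None or dst_as is None:
        return False, "source or destination prefix unknown"
    feasible = FEASIBLE_INGRESS.get((src_as, dst_as))
    if feasible is None:
        return False, f"no route entry for ({src_as}, {dst_as})"
    if ingress_link in feasible:
        return True, "ingress link consistent with route"
    return False, f"expected {sorted(feasible)}, arrived on {ingress_link}"


def filter_batch(packets):
    """Apply the check to (src, dst, ingress_link) tuples; returns accepted ones."""
    return [p for p in packets if rpf_check(*p)[0]]


if __name__ == "__main__":
    sample = [
        ("192.0.2.10", "198.51.100.5", "link-A"),   # genuine AS-A source
        ("192.0.2.10", "198.51.100.5", "link-C"),   # AS-A source claimed on AS-C's link
        ("203.0.113.7", "198.51.100.5", "link-C"),  # source inside AS-C, arriving from AS-C
    ]
    for pkt in sample:
        print(pkt, rpf_check(*pkt))
```

The second packet is dropped because an address from AS-A cannot arrive over AS-C's link; the third is accepted even if it is spoofed, because it lies inside the prefix that belongs to the link it came in on. That is the last drawback on the slide in concrete form: RPF removes addresses that are inconsistent with routing, not every forged address, and a reflector's reply carries the reflector's own (consistent) source and passes the same check.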
Distributed Attack Detection (DAD)
DAD
–Extend the packet detection function from the victim network to the core.
–Detection Systems (DSs) are used that work locally to identify attack patterns and then collaborate to identify global attacks.
–Uses anomaly or misuse detection.
–Must process packets at high speed. DSs must be placed strategically.
Distributed Attack Detection (DAD)
Once an attack is confirmed, packet filters are installed and upstream networks are notified to drop packets.
The DSs must be available at all times and be able to flood other DS networks with attack alarm messages.
Not very effective in stopping DDoS attacks that last for short periods.
Not effective in stopping Degradation of Service (DeS) attacks.
Consumes time to arrive at global decisions.
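An added example, not from the slides or the tutorial, of the DAD workflow on the two preceding slides: each DS applies a local anomaly rule and emits alarm messages, a collaboration step confirms a global attack only when several DSs agree about the same victim within a time window, and filter rules plus upstream notifications are produced on confirmation. The alarm format, the "factor over baseline" rule, the agreement threshold and the window are all assumptions; the alarms are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alarm:
    ds_id: str       # detection system that raised the alarm
    t: float         # time the alarm was raised (seconds, constructed clock)
    victim: str      # destination suspected to be under attack
    syn_count: int   # SYNs toward the victim seen in the local interval


def local_detector(ds_id, t, syn_counts, baseline, factor=10.0):
    """Local anomaly rule at one DS (assumed rule): alarm on every destination
    whose SYN count in this interval exceeds factor times its learned baseline."""
    return [Alarm(ds_id, t, dst, count)
            for dst, count in syn_counts.items()
            if count > factor * baseline.get(dst, 1.0)]


def global_confirm(alarms, min_ds=2, window_s=30.0):
    """Collaboration step: an attack on a victim is confirmed at the moment
    min_ds distinct DSs have alarmed about it within window_s seconds.
    Returns {victim: (confirmed_at, sorted contributing DS ids)}."""
    by_victim = defaultdict(list)
    for a in sorted(alarms, key=lambda a: a.t):
        by_victim[a.victim].append(a)
    confirmed = {}
    for victim, alist in by_victim.items():
        for i, a in enumerate(alist):
            recent = {b.ds_id for b in alist[: i + 1] if a.t - b.t <= window_s}
            if len(recent) >= min_ds:
                confirmed[victim] = (a.t, sorted(recent))
                break
    return confirmed


def filter_rules(confirmed):
    """On confirmation each contributing DS installs a filter and notifies its
    upstream network; returned here as plain rule strings."""
    return [f"{ds}: drop SYN toward {victim} from t={t:.0f}; notify upstream"
            for victim, (t, ds_ids) in confirmed.items() for ds in ds_ids]


def detection_delay(alarms, confirmed):
    """Seconds between the first local alarm about a victim and global confirmation."""
    first = {}
    for a in alarms:
        first[a.victim] = min(first.get(a.victim, a.t), a.t)
    return {v: t - first[v] for v, (t, _) in confirmed.items()}


def make_alarms():
    """Constructed reports from five DSs: V is seen by two DSs 12 s apart,
    W by a single DS, and Z by two DSs but 45 s apart (a short burst)."""
    return (local_detector("DS1", 100.0, {"V": 5000, "X": 20}, {"V": 50, "X": 30})
            + local_detector("DS2", 112.0, {"V": 4200}, {"V": 50})
            + local_detector("DS3", 150.0, {"W": 900}, {"W": 10})
            + local_detector("DS4", 200.0, {"Z": 3000}, {"Z": 40})
            + local_detector("DS5", 245.0, {"Z": 2800}, {"Z": 40}))


if __name__ == "__main__":
    alarms = make_alarms()
    confirmed = global_confirm(alarms)
    for rule in filter_rules(confirmed):
        print(rule)
    print("delay:", detection_delay(alarms, confirmed))
```

Only V is confirmed, 12 seconds after the first local alarm, which is the decision latency the slide refers to; W never reaches the agreement threshold, and Z's two alarms fall outside the window, so a flood that ends before a second DS reports it is never acted on. Lowering min_ds or widening the window trades that gap for more false confirmations, the same FPR/FNR tension as on the detection-and-filtering slide.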
Comparison of DDoS Solutions
Ubiquitous Ingress Packet Filtering (UIPF)
–Located at the ISP networks that connect to the leaves; spread towards the edges.
Route Based Packet Filtering (RPF)
–Located at the core, away from the edges.
Local Area Detection (LAD)
–The victim's local network or its upstream ISP.
Distributed Attack Detection (DAD)
–DSs spread in the core of the Internet.
Comparison of DDoS Solutions
UIPF and RPF are based on spoofed IP addresses and routing info.
LAD and DAD are based on traffic pattern anomalies and misuses. Less deterministic than UIPF and RPF, hence more false positives.
All are susceptible to false negatives because of the problem of reflector packets.
RPF and DAD require new protocols.
UIPF is difficult to deploy; a huge number of hosts need to be covered.
DAD requires the most computation, hence the longest delay in detection.
Conclusion
Current approaches are inadequate.
Attack mechanisms and tools continue to improve.
A global defense mechanism, the Internet Firewall, may work.
The Internet Firewall has deployment issues.
References
1. http://dslab.csie.ncu.edu.tw/93html/paper/pdf/Defending%20against%20flooding-based%20distributed%20denial-of-service%20attacks%20%20a%20tutorial.pdf
2. http://staff.washington.edu/dittrich/misc/ddos/timeline.html
3. http://www.denialinfo.com
4. http://www.cagle.com/news/hackers/hacker5.asp
http://www.cagle.com/news/hackers/hacker5.asp