Published by Ann Bridges. Modified over 9 years ago.

Lecture 1 Page 1 CS 239, Fall 2010
Distributed Denial of Service Attacks and Defenses
CS 239 Advanced Topics in Computer Security
Peter Reiher
September 28, 2010

The Problem

Distributed Denial of Service (DDoS) Attacks
Goal: Prevent a network site from doing its normal business
Method: overwhelm the site with attack traffic
Response: ?

Why Are These Attacks Made?
Sometimes to annoy
Sometimes for extortion
Sometimes for political reasons
If directed at infrastructure, might cripple parts of Internet
  – So who wants to do that...?

Attack Methods
Pure flooding
  – Of network connection
  – Or of upstream network
Overwhelm some other resource
  – SYN flood
  – CPU resources
  – Memory resources
  – Application level resource
Direct or reflection

Why “Distributed”?
Targets are often highly provisioned servers
A single machine usually cannot overwhelm such a server
So harness multiple machines to do so
Also makes defenses harder

DDoS Attack on DNS Root Servers
Concerted ping flood attack on all 13 of the DNS root servers in October 2002
Successfully halted operations on 9 of them
Lasted for 1 hour
  – Turned itself off, was not defeated
Did not cause major impact on Internet
  – DNS uses caching aggressively
Another (less effective) attack in February 2007

DDoS Attack on Estonia
Occurred April-May 2007
Estonia removed a statue that Russians liked
Then somebody launched large DDoS attack on Estonian government sites
Took much of Estonia off-line for ~ 3 weeks
DDoS attack on Radio Free Europe sites in Belarus in 2008

How to Defend?
A vital characteristic:
  – Don’t just stop a flood
  – ENSURE SERVICE TO LEGITIMATE CLIENTS!!!
If you deliver a manageable amount of garbage, you haven’t solved the problem

Complicating Factors
High availability of compromised machines
  – Millions of zombie machines out there
Internet is designed to deliver traffic
  – Regardless of its value
IP spoofing allows easy hiding
Distributed nature makes legal approaches hard
Attacker can choose all aspects of his attack packets
  – Can be a lot like good ones

Basic Defense Approaches
Overprovisioning
Dynamic increases in provisioning
Hiding
Tracking attackers
Legal approaches
Reducing volume of attack

Overprovisioning
Be able to handle more traffic than attacker can generate
Works pretty well for Microsoft and Google
Not a suitable solution for Mom and Pop Internet stores

Dynamic Increases in Provisioning
As attack volume increases, increase your resources
Dynamically replicate servers
Obtain more bandwidth
Not always feasible
Probably expensive
Might be easy for attacker to outpace you

Hiding
Don’t let most people know where your server is
If they can’t find it, they can’t overwhelm it
Possible to direct your traffic through other sites first
  – Can they be overwhelmed...?
Not feasible for sites that serve everyone

Tracking Attackers
Almost trivial without IP spoofing
With IP spoofing, more challenging
Big issue:
  – Once you’ve found them, what do you do?
Not clear tracking actually does much good
Loads of fun for algorithmic designers, though

Legal Approaches
Sic the FBI on them and throw them in jail
Usually hard to do
FBI might not be interested in “small fry”
Slow, at best
Very hard in international situations
Generally only feasible if extortion is involved
  – By following the money
17
Lecture 1 Page 17 CS 239, Fall 2010 Reducing the Volume of Traffic Addresses the core problem: –Too much traffic coming in, so get rid of some of it Vital to separate the sheep from the goats Unless you have good discrimination techniques, not much help Most DDoS defense proposals are variants of this
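
A small model of the argument on this slide and on "How to Defend?", added here as an example and not part of the original lecture: it computes what fraction of legitimate requests get served when a filter with a given detection and false-positive rate sits in front of a server of fixed capacity. The function names and all traffic figures are assumptions made for illustration.

```python
def legit_fraction_served(legit, attack, capacity, detect=0.0, false_pos=0.0):
    """Fraction of legitimate requests that reach service.

    The filter drops `detect` of attack traffic and `false_pos` of legitimate
    traffic; anything still above `capacity` is dropped indiscriminately.
    All rates are in the same unit (e.g. requests per second).
    """
    legit_pass = legit * (1.0 - false_pos)
    attack_pass = attack * (1.0 - detect)
    offered = legit_pass + attack_pass
    if offered <= capacity:
        return legit_pass / legit
    # Overload: survivors share capacity in proportion to their volume.
    return (legit_pass * capacity / offered) / legit


def detect_rate_needed(legit, attack, capacity, false_pos=0.0):
    """Smallest detection rate that leaves no overload after filtering."""
    headroom = capacity - legit * (1.0 - false_pos)
    if headroom < 0:
        return None  # legitimate load alone exceeds capacity
    if attack == 0:
        return 0.0
    return max(0.0, 1.0 - headroom / attack)


if __name__ == "__main__":
    # Constructed scenario: 1,000 legitimate req/s, 100,000 attack req/s,
    # server capacity 2,000 req/s.
    L, A, C = 1000, 100000, 2000
    print("random drop only :", round(legit_fraction_served(L, A, C), 4))
    print("90% detection    :", round(legit_fraction_served(L, A, C, 0.90), 4))
    print("99% det, 1% FP   :", round(legit_fraction_served(L, A, C, 0.99, 0.01), 4))
    print("detection needed :", detect_rate_needed(L, A, C))
```

In this constructed scenario, cutting the flood down to a manageable volume without discrimination serves about 2% of legitimate clients, and a filter that catches 90% of attack traffic still serves only about 18%.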

Approaches to Reducing the Volume
Give preference to your “friends”
Require “proof of work” from submitters
Detect difference between good and bad traffic
  – Drop the bad
  – Easier said than done
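
One way the "proof of work" bullet can be realized is a hash-based client puzzle, sketched here as an added example that is not from the lecture. The difficulty, validity window, key handling and function names are all assumptions; the point is that the server issues and checks puzzles with a couple of hash operations and no stored state, while each request costs the submitter many.

```python
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)  # per-server secret, generated for this example
DIFFICULTY_BITS = 16         # assumed: about 2**16 hashes per request on average
MAX_AGE = 60                 # assumed: seconds a challenge stays valid


def _mac(client_ip, ts):
    return hmac.new(SERVER_KEY, f"{client_ip}|{ts}".encode(), hashlib.sha256).hexdigest()


def _leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def issue_challenge(client_ip, now=None):
    """Server: stateless challenge, a timestamp MAC-bound to the client address."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}:{_mac(client_ip, ts)}"


def solve(challenge, bits=DIFFICULTY_BITS):
    """Client: search for a nonce; this search is the work being proven."""
    nonce = 0
    while True:
        digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
        if _leading_zero_bits(digest) >= bits:
            return nonce
        nonce += 1


def verify(client_ip, challenge, nonce, now=None, bits=DIFFICULTY_BITS):
    """Server: one MAC and one hash, whatever the puzzle difficulty."""
    now = time.time() if now is None else now
    try:
        ts, tag = challenge.split(":")
        age = now - int(ts)
    except ValueError:
        return False  # malformed challenge
    if not hmac.compare_digest(tag.encode(), _mac(client_ip, ts).encode()):
        return False  # forged, or issued to a different address
    if not 0 <= age <= MAX_AGE:
        return False  # expired or from the future
    digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
    return _leading_zero_bits(digest) >= bits
    # A deployment would also remember nonces accepted within MAX_AGE,
    # otherwise one solution can be replayed until the challenge expires.
```

The puzzle raises the cost per request but does not distinguish good submitters from bad ones, so legitimate clients pay the same price.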

Where To Defend?
At the target?
  + Good knowledge of situation
  + Strong motivation to deploy
  + OK to do what’s needed
At the source?
  + Drops junk early
  + Cost paid close to attacker
  + May be easy to distinguish packets
  - Poor deployment incentive
  - Requires wide deployment
  - May be subject to influence
In the core?
  + Scales nicely
  + Works with moderate deployment
  - Low per packet budget possible
  - Poor deployment incentive
  - Against end-to-end philosophy
  - Easy to overwhelm
  - Often limited defense resources