Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 17 Page 1 CS 236, Spring 2008 Distributed Denial of Service (DDoS) Attacks Goal: Prevent a network site from doing its normal business Method:

Similar presentations


Presentation on theme: "Lecture 17 Page 1 CS 236, Spring 2008 Distributed Denial of Service (DDoS) Attacks Goal: Prevent a network site from doing its normal business Method:"— Presentation transcript:

1 Lecture 17 Page 1 CS 236, Spring 2008 Distributed Denial of Service (DDoS) Attacks Goal: Prevent a network site from doing its normal business Method: overwhelm the site with attack traffic Response: ?

2 Lecture 17 Page 2 CS 236, Spring 2008 The Problem

3 Lecture 17 Page 3 CS 236, Spring 2008 Characterizing the Problem An attacker compromises many hosts –Usually spread across Internet He orders them to send garbage traffic to a target site The combined packet flow overwhelms the target –Perhaps his machine –Perhaps his network link –Perhaps his ISP’s network link

4 Lecture 17 Page 4 CS 236, Spring 2008 Why Are These Attacks Made? Generally to annoy Sometimes for extortion If directed at infrastructure, might cripple parts of Internet –So who wants to do that...?

5 Lecture 17 Page 5 CS 236, Spring 2008 Attack Methods Pure flooding –Of network connection –Or of upstream network Overwhelm some other resource –SYN flood –CPU resources –Memory resources –Application level resource Direct or reflection

6 Lecture 17 Page 6 CS 236, Spring 2008 Why “Distributed”? Targets are often highly provisioned servers A single machine usually cannot overwhelm such a server So harness multiple machines to do so Also makes defenses harder

7 Lecture 17 Page 7 CS 236, Spring 2008 Yahoo Attack Occurred in February 2000 Resulted in intermittent outages for nearly three hours Attacker caught and successfully prosecuted Other companies (eBay, CNN, Microsoft) attacked in the same way at around the same time

8 Lecture 17 Page 8 CS 236, Spring 2008 DDoS Attack on DNS Root Servers Concerted ping flood attack on all 13 of the DNS root servers in October 2002 Successfully halted operations on 9 of them Lasted for 1 hour –Turned itself off, was not defeated Did not cause major impact on Internet –DNS uses caching aggressively Another (less effective) attack in February 2007

9 Lecture 17 Page 9 CS 236, Spring 2008 DDoS Attack on Estonia Occurred April-May 2007 Estonia removed a statue that Russians liked Then somebody launched large DDoS attack on Estonian gov’t sites Took much of Estonia off-line for ~ 3 weeks Recently, DDoS attack on Radio Free Europe sites in Belarus

10 Lecture 17 Page 10 CS 236, Spring 2008 How to Defend? A vital characteristic: –Don’t just stop a flood –ENSURE SERVICE TO LEGITIMATE CLIENTS!!! If you deliver a manageable amount of garbage, you haven’t solved the problem

11 Lecture 17 Page 11 CS 236, Spring 2008 Complicating Factors High availability of compromised machines –At least tens of thousands of zombie machines out there Internet is designed to deliver traffic –Regardless of its value IP spoofing allows easy hiding Distributed nature makes legal approaches hard Attacker can choose all aspects of his attack packets –Can be a lot like good ones

12 Lecture 17 Page 12 CS 236, Spring 2008 Basic Defense Approaches Overprovisioning Dynamic increases in provisioning Hiding Tracking attackers Legal approaches Reducing volume of attack

13 Lecture 17 Page 13 CS 236, Spring 2008 Overprovisioning Be able to handle more traffic than attacker can generate Works pretty well for Microsoft and Google Not a suitable solution for Mom and Pop Internet stores

14 Lecture 17 Page 14 CS 236, Spring 2008 Dynamic Increases in Provisioning As attack volume increases, increase your resources Dynamically replicate servers Obtain more bandwidth Not always feasible Probably expensive Might be easy for attacker to outpace you

15 Lecture 17 Page 15 CS 236, Spring 2008 Hiding Don’t let most people know where your server is If they can’t find it, they can’t overwhelm it Possible to direct your traffic through other sites first –Can they be overwhelmed...? Not feasible for sites that serve everyone

16 Lecture 17 Page 16 CS 236, Spring 2008 Tracking Attackers Almost trivial without IP spoofing With IP spoofing, more challenging Big issue: –Once you’ve found them, what do you do? Not clear tracking actually does much good Loads of fun for algorithmic designers, though

17 Lecture 17 Page 17 CS 236, Spring 2008 Legal Approaches Sic the FBI on them and throw them in jail Usually hard to do FBI might not be interested in “small fry” Slow, at best Very hard in international situations Generally only feasible if extortion is involved –By following the money

18 Lecture 17 Page 18 CS 236, Spring 2008 Reducing the Volume of Traffic Addresses the core problem: –Too much traffic coming in, so get rid of some of it Vital to separate the sheep from the goats Unless you have good discrimination techniques, not much help Most DDoS defense proposals are variants of this

19 Lecture 17 Page 19 CS 236, Spring 2008 Approaches to Reducing the Volume Give preference to your “friends” Require “proof of work” from submitters Detect difference between good and bad traffic –Drop the bad –Easier said than done

20 Lecture 17 Page 20 CS 236, Spring 2008 Some Sample Defenses D-Ward Pushback DefCOM SOS

21 Lecture 17 Page 21 CS 236, Spring 2008 D-WARD Core idea is to leverage a difference between DDoS traffic and good traffic Good traffic responds to congestion by backing off DDoS traffic responds to congestion by piling on Look for the sites that are piling on, not backing of

22 Lecture 17 Page 22 CS 236, Spring 2008 The D-Ward Approach Deploy D-Ward defense boxes at exit points of networks –Use ingress filtering here to stop most spoofing Observe two-way traffic to different destinations Throttle “poorly behaved” traffic If it continues to behave badly, throttle it more If it behaves well under throttling, back off and give it more bandwidth

23 Lecture 17 Page 23 CS 236, Spring 2008 D-WARD in Action requests replies D-WARD attacks

24 Lecture 17 Page 24 CS 236, Spring 2008 A Sample of D-Ward’s Effectiveness

25 Lecture 17 Page 25 CS 236, Spring 2008 The Problem With D-Ward D-Ward defends other people’s networks from your network’s DDoS attacks It doesn’t defend your network from other people’s DDoS attacks So why would anyone deploy it? No one did, even though, if fully deployed, it could stop DDoS attacks

26 Lecture 17 Page 26 CS 236, Spring 2008 Pushback Goal: Drop attack traffic to relieve congestion Detect congestion locally –Drop traffic from high-bandwidth aggregates Push back the rate limits to the routers sending those aggregates –Who will then iterate Rate limits pushed towards attack sites –Or other sites with high volume

27 Lecture 17 Page 27 CS 236, Spring 2008 Can Pushback Work? Even a few core routers are able to control high-volume attacks –But issues of partial deployment Only traffic for the victim is dropped Drops affect a portion containing the attack traffic But will inflict collateral damage on legitimate traffic –Traffic sharing controlled links with attack traffic likely to be harmed

28 Lecture 17 Page 28 CS 236, Spring 2008 DefCOM Different network locations are better for different elements Near source good for characterizing traffic Core nodes can filter effectively with small deployments Near target it’s easier to detect and characterize an attack DefCOM combines defense in all locations

29 Lecture 17 Page 29 CS 236, Spring 2008 DefCOM in Action alert generator classifier core DefCOM instructs core nodes to apply rate limits Core nodes use information from classifiers to prioritize traffic Classifiers can assure priority for good traffic

30 Lecture 17 Page 30 CS 236, Spring 2008 Benefits of DefCOM Provides effective DDoS defense Without ubiquitous deployment Able to handle higher volume attacks than target end defenses Offers deployment incentives for those who need to deploy things

31 Lecture 17 Page 31 CS 236, Spring 2008 DefCOM Performance

32 Lecture 17 Page 32 CS 236, Spring 2008 SOS A hiding approach Don’t let the attackers send packets to the possible target Use an overlay network to deliver traffic to the destination Filter out bad stuff in the overlay –Which can be highly provisioned

33 Lecture 17 Page 33 CS 236, Spring 2008 How SOS Defends Clients are authenticated at the overlay entrance A few source addresses are allowed to reach the protected node –All other traffic is filtered out Several overlay nodes designated as “approved” –Nobody else can route traffic to protected node Good traffic tunneled to “approved” nodes – They forward it to the server

34 Lecture 17 Page 34 CS 236, Spring 2008 Can SOS Work? Should successfully protect communication with a private server: –Access points distinguish legitimate from attack communications –Overlay protects traffic flow –Firewall drops attack packets What about attacking overlay? –Redundancy and secrecy might help here

35 Lecture 17 Page 35 CS 236, Spring 2008 SOS Advantages and Limitations +Ensures communication of “confirmed” user with the victim +Resilient to overlay node failure +Resilient to DoS –Does not work for public service –Clients must be aware of overlay and use it to access the victim –Traffic routed through suboptimal path –Still allows brute force attack on links entering the filtering router in front of client –If the attacker can find it


Download ppt "Lecture 17 Page 1 CS 236, Spring 2008 Distributed Denial of Service (DDoS) Attacks Goal: Prevent a network site from doing its normal business Method:"

Similar presentations


Ads by Google