A Taxonomy of DDoS Attacks

1
A Taxonomy of DDoS Attacks DDos Defense
Mechanisms

• Written by
• Jelena Mirkovic, Janice Martin Peter Reiher
• Department of Computer Science, UCLA
• Professor L. Gao
• Presented by Karim Mattar Lei Liang

2
Overview of the Paper

• Part 1 Proposes a taxonomy of distributed
  denial-of-service attacks
• Part 2 Proposes a taxonomy of defense mechanisms
  to counter these attacks

3
What is a DDos Attack?

• DoS attacks attempt to prevent legitimate users
  of a service from using it
• Examples of DoS include
• Flooding a network
• Disrupting connections between machines
• Disrupting a service
• Distributed Denial-of-Service Attacks imply
  that many machines are involved in the attack
  against one or more victim(s).

4
DDos Modes of Attack

• Consumption of scare resources
• Network connectivity (SYN flooding)
• Bandwidth consumption (Flooding of ICMP packets)
• Consumption of Memory, disk space or data
  structures
• Destruction or alteration of configuration files
• Physical destruction or alteration of network
  components

5
What Makes DDoS Attacks Possible?

• Internet was designed with functionality not
  security in mind
• Internet security is highly interdependent
• Internet resources are limited
• Power of many is greater than power of a few

6
DDoS Attack Strategy

• Automatically scan remote machines to identify
  vulnerable ones
• Infect vulnerable machines with the attack code
• Infected machines are used for further
  recruitment of new agents (slaves)

7
Goal of DDoS Attacks

• The main goal of DDoS attacks is to inflict
  damage for one of the following reasons
• Personal reasons (revenge)
• Material gain
• Popularity in the hacker community

8
Classification By Degree of Automation

• Manual attacks
• Semi-Automatic attacks
• Direct communication
• Master slave know each others identity
• Indirect Communication
• Use IRC channels to communicate
• Automatic Attacks
• Attacker is only involved in issuing a single
  command

9
Classification by Scanning Strategy

• Random scanning
• Probes random addresses in the IP address space
  (CRv2)
• Hitlist scanning
• Probes addresses from an externally supplied list
• Topological scanning
• Uses information on the compromised host (Email
  worms)
• Permutation scanning
• Uses a pseudo-random permutation of the IP
  address space (Not yet deployed)
• Local subnet scanning
• Preferentially scans targets that reside on the
  same subnet as the compromised host. (Code Red II
  Nimda Worm)

10
Classification by Propagation Mechanism

• Central source propagation (li0n Worm)
• Attack code resides on central server(s)
• Back-chaining propagation (Ramen Morris Worms)
• Attack code is downloaded from the machine that
  was used to exploit the system
• Avoids a single point of failure
• Autonomous propagation (Code Red, Warhol Email
  Worms)
• Attack code is directly injected into the target
  host during the exploitation phase

11
Classification by Exploited Vulnerability

• Protocol attacks
• TCP SYN attack
• CGI request attack
• Authentication server attack
• Brute-force attacks
• Filterable attacks
• UDP flood attack
• ICMP request flood attack on a web server
• Non-filterable attacks
• HTTP request
• DNS request

12
Classification by Attack Rate Dynamics

• Continuous attack rates
• Sometimes suffers from fast detection
• Variable attack rates
• Increasing rate attacks
• Slow exhaustion of victims resources
• Delays detection of the attack
• Fluctuating rate attacks
• Adjusts the rate of the attack based on the
  victims behavior or response to avoid detection

13
Classification by Impact

• Disruptive attacks
• Completely deny the victims service to its
  clients
• Degrading attacks
• Goal is to consume some portion of the victims
  resources
• Could remain undetected for a very long time

14
End of Part I

• Any Questions?