Overview of Distributed Denial of Service DDoS

1
Overview of Distributed Denial of Service (DDoS)
Wei Zhou
2
Outline of the presentation

• DDoS definition and its attacking architectures
• DDoS classification
• Defense mechanism classification
• Reactive VS. Proactive
• Classification by defending front-line
• SOS a case study

3
What is it?

• No ready-to-go definition available

• Characteristics
• Multiple attackers vs. single victim
• To cause denial of service to legitimate users on
  the victim

• Two major attacking architecture
• Direct attack
• Reflector attack

4
Attacking Architecture - Direct Attack
Zombies
Masters (handlers)
5
Attacking Architecture Reflector Attack
Reflectors
Hacker's DDoS attacking network
Reflector Attack
6
Classification of DDoS Attacks

• Classification by exploited vulnerability
• Protocol Attacks
• TCP SYN attacks
• CGI request attacks
• Authentication server attacks
• ... ...
• Flooding-based Attacks
• Filterable
• Non-filterable

7
Defense Mechanisms

• Classification by activity level
• Reactive mechanisms
• Easy to be deployed
• Hard to tell good guys from bad guys
• Inflexible to adapt new attacks
• Proactive mechanisms
• Motivations to deploy
• Accuracy on differentiating packets

8
Defense Mechanisms (cont.)

• Classification by defending front-line
• Victim network
• Intermediate network
• Source network

9
At the victim side

• IDS plus Firewall
• Detect bogus packets based on well-known attack
  signatures
• Flexibility
• Puzzle solving by clients
• Client must solve a puzzle (small scripts,
  cookies etc.) in order to access server's
  resources
• Efficiency
• Duplicate server resources
• Distribute server resources into more places
• Synchronization, costs etc.

Victim network can't do NOTHING if its link(s) to
the ISP is jammed
10
In the intermediate network

• IP traceback
• Can be used to collect forensic evidence
• (Need further exploration on this topic)
• Push-back mechanism
• Route-Based packet filtering
• Overlay network

11
Push-back the idea

• Reactive mechanism
• Accuracy of telling 'poor' packets from bad
  packets

Heavy traffic flow
12
Route-based packet filtering the idea
R8
R4
R3
R0
R7
R6
R9
R2
R1
R5

• Proactive mechanism
• Overheads
• Need to change routers

Routes from node 2
13
At the source side

• Ingress/egress filtering
• Ingress filtering
• To prevent packets with faked source IP addresses
  from entering the network
• Egress filtering
• To prevent packets with faked source IP addresses
  from leaving the network

14
At the source side (cont.)

• D-WARD (DDoS netWork Attack Recognition and
  Defense)
• Balance of inbound and outbound traffic

15
D-WARD (cont.)

• Motivation of deployment
• Asymmetric problems

16
SOS Security Overlay Service

• To protect a dedicated server from DDoS attacks
• Use high-performance filters to drop all the
  packets not from secret servlets
• Path redundancy in overlay network is used to
  hide the identities of secret servlets
• Legitimate users enter the overlay network at the
  point of SOAP (secure overlay access point)

17
SOS (cont.)
Big time delay
18
References

• R. K. C. Chang, Defending against Flooding-Based
  Distributed Denial-of-Sevice Attacks A Tutorial
• P. Ferguson and D. Senie, Network Ingress
  Filtering Defeating Denial of Service Attacks
  which employ IP Source Address Spoofing, RFC
  2827
• J. Ioannidis and S. M. Bellovin, Implementing
  Pushback Router-Based Defense Against DDoS
  Attacks
• A. D. Keromytis, V. Misra and D. Rubenstein,
  SOS Secure Overlay Services
• R. Mahajan, S. M. Bellovin, S. Floyd, J.
  Ioannidis, V. Paxson and S. Shenker, Controlling
  High Bandwidth Aggregates in the Network
• J. Mirkovic, J. Martin and P. Reiher, A Taxonomy
  of DDoS Attacks and DDoS Defense Mechanisms
• J. Mirkovic, G. Prier and P. Reiher, Attacking
  DDoS at the Source
• K. Park and H. Lee, A Proactive Approach to
  Distributed DoS Attack Prevention using
  Route-Based Packet Filtering

19
Thank you!