Title: Survey of Distributed Denial of Service Attacks and Popular Countermeasures
Survey of Distributed Denial of Service Attacks and Popular Countermeasures
- Andrew Knotts, Kent State University
- Referenced from Charalampos Patrikakis, Michalis Masikos, and Olga Zouraraki. Denial of service attacks. Internet Protocol Journal, 7(4):13-25, December 2004.
Outline
- Introduction/Overview
- Recruiting Zombie Machines
- Spreading the Virus
- A Typical DDoS Attack
- Defending Against a DDoS Attack
[Figure: security-model diagram with three axes: Technology / Policies / Education; Transmitting / Processing / Storing; Integrity / Availability / Confidentiality]
DoS vs. DDoS Attacks
- A DoS attack is targeted at a particular node (machine).
  - Attempts to deny service to that node.
- Source of the attack
  - Single node: DoS (Denial of Service) attack
  - Multiple nodes: DDoS (Distributed Denial of Service) attack
DDoS Attacks: A Tough Problem
- Victims are unable to communicate with other machines, so the surrounding network may not know to help.
- Traffic spikes very fast. It is hard to react quickly enough.
- Traffic filtering will filter legitimate user traffic as well.
- The network may be the bottleneck, not the victim.
- IP spoofing makes it hard to trace attack traffic back to its source.
Target Resources
- A (D)DoS attack overwhelms the resources of the target:
  - Network bandwidth
  - Computing power
    - Processor
    - Memory
Recruiting Zombie Machines
- The attacker must infect a set of nodes to target the victim.
  - Unpatched machines are easily compromised.
- Once infected, these nodes are known as zombies.
Finding Vulnerable Machines
- Random Scanning
  - Targets machines at random IP addresses.
- Hit-list Scanning
  - Targets nodes from a pre-built hit-list.
- Topological Scanning
  - The hit-list is generated on-the-fly by searching already infected machines for valid URLs.
- Local Subnet Scanning
  - An infected machine on the same subnet may exploit vulnerabilities of other machines normally protected by the firewall.
Spreading the Virus
- Central Source Propagation
  - A central source holds the attack code.
  - Once the victim is infected, the central source copies the code to it.
[Diagram: Central Source Propagation. Nodes: Attacker, Victim, Central Source, Next Victim. Steps: 1) Infect Victim; 2) Request Code; 3) Transfer Code; 4) Repeat Again. Concept of diagram referenced from [1].]
Spreading the Virus (cont.)
- Back-chaining Propagation
  - The attacking machine itself holds the code.
  - The new victim requests the code from the attacker once infected.
  - Removes the need for a central source.
  - Requires the attacker to be able to accept connections and transfer code.
[Diagram: Back-chaining Propagation. Nodes: Attacker, Victim, Next Victim. Steps: 1) Infect Victim; 2) Request Code; 3) Transfer Code; 4) Repeat Again. Concept of diagram referenced from [1].]
Spreading the Virus (cont.)
- Autonomous Propagation
  - The code is sent in the same step in which the victim is compromised.
  - Avoids both the central source and the separate file transfer required by the other methods.
[Diagram: Autonomous Propagation. Nodes: Attacker, Victim, Next Victim. Steps: 1) Infect Victim / Transfer Code; 2) Repeat Again. Concept of diagram referenced from [1].]
A Typical DDoS Attack
- The zombies are divided into masters and slaves.
- The attacker signals the masters to start the attack; the masters then signal the slaves.
- The slaves flood the victim.
- IP spoofing is usually used to hide the identity of the slave zombies.
[Diagram: A Typical DDoS Attack. Attacker signals Master Zombies, which signal Slave Zombies, which flood the Victim. Concept of diagram referenced from [1].]
A DRDoS Attack
- DRDoS: Distributed Reflector Denial of Service
- Reflectors are uncompromised machines that simply answer the requests they receive.
- The slave zombies send packets to the reflectors with the IP source address spoofed as the target.
- The reflectors' replies therefore go to the target: the reflectors carry out the flooding rather than the slaves.
- More distributed than a typical DDoS attack, and the traffic reaching the victim comes from legitimate hosts.
[Diagram: A DRDoS Attack. Attacker signals Master Zombies, which signal Slave Zombies; the slaves send spoofed requests to Reflectors, whose replies flood the Victim. Concept of diagram referenced from [1].]
Defending Against a DDoS Attack
- Two General Approaches
  - Prevent the Attack
    - Try to stop the attack from happening in the first place.
  - React to the Attack
    - Detect the attack early, and react appropriately.
Defending Against a DDoS Attack
- Techniques to prevent attacks
  - Keep machines up-to-date with patches and antivirus.
    - Hard to do because machines are distributed and not under one administrator's control.
  - Filter spoofed IP traffic at the network border.
    - Egress filtering: source IPs of outbound packets should be from the local network.
    - Ingress filtering: source IPs of inbound packets should not be from the local network.
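As an added example (mine, not code from the original slides or from [1]), the Python below models the two filtering rules above as a border-router decision and runs it over a few constructed records. The local prefixes, the short bogon list and the sample records are my assumptions, chosen from documentation address ranges.

```python
import ipaddress

# Constructed example: prefixes this border router considers local (documentation ranges).
LOCAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]

# Sources that are never valid on an Internet-facing link in either direction
# (a few entries of the usual bogon list; assumption: enough to show the check).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def is_local(addr):
    return any(addr in net for net in LOCAL_PREFIXES)


def is_bogon(addr):
    return any(addr in net for net in BOGONS)


def border_filter(direction, src):
    """Decide whether a packet with source address `src` may cross the border.
    direction is "out" (leaving the local network) or "in" (arriving from the Internet).
    Returns (accept, reason)."""
    src = ipaddress.ip_address(src)
    if is_bogon(src):
        return False, "bogon source"
    if direction == "out":
        # Egress: anything we emit must carry one of our own prefixes; otherwise a
        # zombie inside is spoofing, and the packet would be untraceable at the victim.
        return (True, "ok") if is_local(src) else (False, "egress: source not in local prefixes")
    if direction == "in":
        # Ingress: nothing arriving from outside can legitimately claim our prefixes.
        return (False, "ingress: spoofed local source") if is_local(src) else (True, "ok")
    raise ValueError("direction must be 'in' or 'out'")


def apply_to_log(lines):
    """Run the filter over constructed 'direction src dst' records; returns the dropped ones with reasons."""
    dropped = []
    for line in lines:
        direction, src, dst = line.split()
        accept, reason = border_filter(direction, src)
        if not accept:
            dropped.append((line, reason))
    return dropped


# Constructed sample records: direction, source, destination.
SAMPLE = [
    "out 192.0.2.10 203.0.113.5",      # normal outbound
    "out 203.0.113.77 203.0.113.5",    # local zombie spoofing a foreign source
    "in 203.0.113.5 192.0.2.10",       # normal inbound
    "in 192.0.2.200 192.0.2.10",       # outside packet claiming our prefix
    "in 10.4.4.4 192.0.2.10",          # private source arriving from the Internet
    "out 198.51.100.9 203.0.113.5",    # second local prefix, fine
]

if __name__ == "__main__":
    for line, reason in apply_to_log(SAMPLE):
        print("DROP", line, "->", reason)
```

One caveat worth keeping in mind: egress filtering as modelled here only rejects sources outside the local prefixes, so a zombie can still spoof any other address inside the same prefix. It narrows the suspect set to one network rather than pinpointing a host, which is why it has to be deployed by many networks to be effective. The pair of rules is the same one RFC 2827 / BCP 38 recommends to network operators.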
Defending Against a DDoS Attack
- Techniques to detect an attack early
  - Signature Detection
    - Compare traffic signatures to known attack signatures.
    - Cannot detect new attacks whose signatures are not yet in the database.
  - Anomaly Detection
    - Compare traffic behavior with normal traffic behavior.
    - What constitutes normal traffic has to be kept up to date.
  - Hybrid Systems
    - Combine both signature detection and anomaly detection.
[Diagram: hybrid system in which anomaly detection updates the signature database.]
Honeypots
- Attempt to lure the attacker into a trap.
- This trap may be
  - A machine masquerading as a service provider (increasing its chances of being attacked).
  - An entire network designed to be targeted.
- Honeypots monitor the attacker's actions, and can extract patterns useful in detecting future attacks.
Route Filtering
- Blackhole routing
  - Routes attack traffic to a blackhole (null interface).
  - Only useful if attack traffic can be differentiated from legitimate traffic.
- Sinkhole routing
  - Detect suspicious traffic and redirect it to an analyzer.
  - If it is attack traffic, drop it (route to null interface). Otherwise route it to its original destination.
Real-time Analysis of Flow Data
- Flow data can be useful for analyzing the behavior characteristics of traffic.
- In order for flow data to be useful for detecting attacks, it must be processed fast enough to respond.
- Munz and Carle [2] propose a system and framework (TOPAS) to handle the real-time analysis of this flow data.
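As an added example (mine, not code from TOPAS or from [2]), the Python below sketches the pipeline this slide describes: decoded flow records go into a fixed-size ring buffer, and on each tick a signature detector and an anomaly detector are run over the most recent window. It also serves the signature / anomaly / hybrid slide above, including the point that the anomaly baseline must be kept current without letting attack traffic redefine "normal". The Flow record layout, the SYN-flood signature, the rate baseline and the constructed traffic are all my assumptions.

```python
from collections import Counter, deque
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Flow:
    """One decoded IPFIX/NetFlow record (already parsed; export time in seconds). Constructed layout."""
    t: int
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int
    flags: str      # cumulative TCP flags as letters ("S" = SYN only, "SAF" = SYN/ACK/FIN)
    packets: int
    nbytes: int


class FlowRing:
    """Fixed-capacity ring buffer of recent records; the oldest are overwritten silently."""
    def __init__(self, capacity=10000):
        self.buf = deque(maxlen=capacity)

    def push(self, flow):
        self.buf.append(flow)

    def window(self, now, width):
        """Records exported in the interval (now - width, now]."""
        return [f for f in self.buf if now - width < f.t <= now]


def syn_flood_signature(flows, threshold=20):
    """Signature detector: single-packet SYN-only TCP flows to one destination.
    Returns {dst: count} for destinations at or above the threshold."""
    hits = Counter(f.dst for f in flows
                   if f.proto == "tcp" and f.flags == "S" and f.packets == 1)
    return {dst: n for dst, n in hits.items() if n >= threshold}


class RateAnomaly:
    """Anomaly detector: flows per window towards each destination versus a learned baseline."""
    def __init__(self, k=3.0, min_samples=5):
        self.history = {}        # dst -> list of past per-window flow counts
        self.k = k
        self.min_samples = min_samples

    def check(self, flows):
        flagged = {}
        for dst, n in Counter(f.dst for f in flows).items():
            hist = self.history.get(dst, [])
            if len(hist) >= self.min_samples:
                mu, sigma = mean(hist), pstdev(hist)
                if n > mu + self.k * max(sigma, 1.0):   # floor on sigma so a flat baseline still has slack
                    flagged[dst] = (n, mu)
        return flagged

    def update(self, flows):
        for dst, n in Counter(f.dst for f in flows).items():
            self.history.setdefault(dst, []).append(n)


class HybridDetector:
    """Runs both detectors over each window of the ring buffer and collects alerts."""
    def __init__(self):
        self.ring = FlowRing()
        self.anomaly = RateAnomaly()
        self.alerts = []         # (time, detector, dst, detail)

    def ingest(self, flow):
        self.ring.push(flow)

    def tick(self, now, width=1):
        flows = self.ring.window(now, width)
        sig = syn_flood_signature(flows)
        anom = self.anomaly.check(flows)
        for dst, n in sig.items():
            self.alerts.append((now, "signature", dst, "%d SYN-only flows" % n))
        for dst, (n, mu) in anom.items():
            if dst not in sig:   # the signature already explains this one
                self.alerts.append((now, "anomaly", dst, "%d flows vs baseline %.1f" % (n, mu)))
        # Only quiet windows feed the baseline, so attack traffic cannot become "normal".
        if not sig and not anom:
            self.anomaly.update(flows)
        return sig, anom


def constructed_flows():
    """Constructed sample: 10 s of normal web traffic, 3 s of SYN flood, 3 s of UDP flood (no signature)."""
    flows = []
    for t in range(10):
        for i in range(3):
            flows.append(Flow(t, "203.0.113.%d" % (t * 3 + i + 1), "192.0.2.10", "tcp", 80, "SAF", 12, 9000))
    for t in range(10, 13):
        for i in range(40):
            flows.append(Flow(t, "198.51.100.%d" % (i + 1), "192.0.2.10", "tcp", 80, "S", 1, 60))
    for t in range(13, 16):
        for i in range(30):
            flows.append(Flow(t, "198.51.100.%d" % (i + 1), "192.0.2.10", "udp", 53, "", 5, 500))
    return flows


def run(flows):
    """Feed records in export order and evaluate one 1-second window per tick; returns the alerts."""
    det = HybridDetector()
    by_t = {}
    for f in flows:
        by_t.setdefault(f.t, []).append(f)
    for t in sorted(by_t):
        for f in by_t[t]:
            det.ingest(f)
        det.tick(t)
    return det.alerts


if __name__ == "__main__":
    for alert in run(constructed_flows()):
        print(alert)
```

On the constructed input the SYN flood is caught by the signature at t = 10, while the UDP flood at t = 13 has no signature and is caught only because the per-destination rate is far above the baseline learned from the quiet seconds. The baseline is never updated from a window that raised an alert; without that rule a long attack would gradually become the new normal, which is the maintenance problem the slide on anomaly detection alludes to.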
[Diagram: simplified TOPAS system. IPFIX/NetFlow data enters a ring buffer; containers running Detection Algorithm 1, 2 and 3 read from it and send alerts to an alert receiver. Concept of diagram referenced from [2].]
Path Identification
- IP spoofing is commonly used to mask the source of an attack.
- Use a Path Identifier (Pi) to discover an approximate source of attack packets [3]: each router along the path deterministically marks the packet, so packets that took the same path arrive with the same identifier.
- These packets can then be classified as malicious (based on their path identifier) and filtered accordingly.
Issues with Path Identification
- 16 bits (the IP Identification field) are used to store path information.
  - This is not very large and may be insufficient for long paths!
- Packets from the same attacker are not guaranteed to follow the same path.
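As an added example (my simulation, not the authors' code), the Python below follows the marking idea of [3]: each router deterministically writes a few bits into the 16-bit field, the victim collects the markings found on attack packets, and later packets are dropped if they carry one. It makes both issues on this slide concrete: a 12-hop path loses its first four hops' marks, and a rerouted attack packet (or a legitimate one) is dropped only if its marking happens to match. The marking function (low bits of an MD5 of the router address), the TTL-indexed slot choice, n = 2 bits per hop and the topology are my assumptions, chosen to illustrate the scheme rather than reproduce the exact algorithm in the paper.

```python
import hashlib

N_BITS = 2                    # bits each router writes (assumption; [3] evaluates n = 1 and n = 2)
SLOTS = 16 // N_BITS          # the IP Identification field is 16 bits wide
MASK = (1 << N_BITS) - 1


def router_mark(router_ip):
    """n-bit mark for a router: low bits of an MD5 of its address (simplified from [3])."""
    return hashlib.md5(router_ip.encode()).digest()[-1] & MASK


def mark_packet(path, ttl=64):
    """Markings a packet collects along `path`. Assumption for this simulation: each router
    writes its mark into slot (TTL mod SLOTS) of the 16-bit field and then decrements the TTL,
    so an 8-slot field holds only the last 8 hops and earlier marks are overwritten."""
    ip_id = 0
    for router in path:
        shift = (ttl % SLOTS) * N_BITS
        ip_id = (ip_id & ~(MASK << shift) & 0xFFFF) | (router_mark(router) << shift)
        ttl -= 1
    return ip_id


class PiFilter:
    """Victim side: record markings seen on attack packets, then drop anything carrying one of them."""
    def __init__(self):
        self.attack_marks = set()

    def learn(self, marks):
        self.attack_marks.update(marks)

    def should_drop(self, mark):
        return mark in self.attack_marks


def hops_forgotten(path, ttl=64):
    """Number of leading hops whose marks are gone by the time the packet arrives. Verified by
    checking that the truncated path (with the TTL advanced accordingly) yields the same marking."""
    lost = max(0, len(path) - SLOTS)
    assert mark_packet(path, ttl) == mark_packet(path[lost:], ttl - lost)
    return lost


# Constructed topology (private addresses stand in for router interfaces).
ATTACK_PATH = ["10.0.%d.1" % i for i in range(1, 7)]                 # 6 hops to the victim
REROUTED_ATTACK = ATTACK_PATH[:3] + ["10.9.1.1"] + ATTACK_PATH[4:]   # same attacker, one hop changed
LEGIT_PATH = ["10.1.%d.1" % i for i in range(1, 7)]
LONG_PATH = ["10.2.%d.1" % i for i in range(1, 13)]                  # 12 hops: more than the field holds


def demo():
    filt = PiFilter()
    # Learning phase: markings on packets the victim classified as attack traffic.
    filt.learn(mark_packet(ATTACK_PATH) for _ in range(100))
    return {
        "attack_dropped": filt.should_drop(mark_packet(ATTACK_PATH)),
        # Whether these two are dropped depends only on whether their marks collide with the attack mark:
        "legit_dropped": filt.should_drop(mark_packet(LEGIT_PATH)),
        "rerouted_attack_dropped": filt.should_drop(mark_packet(REROUTED_ATTACK)),
        "hops_forgotten_on_long_path": hops_forgotten(LONG_PATH),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two things to observe when running it. First, with 2 bits per hop the field only ever describes the last 8 routers, so for the 12-hop path the four hops nearest the attacker leave no trace, which is the first issue on the slide. Second, the rerouted attack packet differs from the learned mark in a single 2-bit slot, so it slips past the filter unless the new router's bits happen to equal the old one's, and a legitimate packet sharing most of the path with the attacker is at the same risk of being dropped; this is why the authors have to accept both false negatives from path changes and collateral damage on nearby legitimate sources.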
Network Overlays
- To prevent malicious traffic, only allow the target to communicate with confirmed users [4]. The target must give permission to each such user.
- Filter all traffic in the region around the target that is not confirmed.
- Confirmed traffic originates from a list of pre-defined friendly nodes.
- Protect the identity of these nodes by using a network overlay.
[Diagram: simplified SOS system. An Overlay Network of Overlay Nodes, Secret Servlets, and a Filtered Region around the Target. Concept of diagram referenced from [4].]
Issues with the SOS System
- Expensive to implement
  - An entire overlay must be created to protect a node. Overlay routers must implement a filtering protocol.
Future Work
- IP is not a security-oriented protocol. Designing Internet protocols with security in mind will help mitigate DDoS attacks.
- Most current work simply focuses on the target or the network around the target. It is useful to also utilize the entire network from attacker to target to help mitigate DDoS attacks (the Pi system touched on this concept).
References
- [1] Charalampos Patrikakis, Michalis Masikos, and Olga Zouraraki. Denial of service attacks. Internet Protocol Journal, 7(4):13-25, December 2004.
- [2] Gerhard Munz and Georg Carle. Real-time analysis of flow data for network attack detection. 10th IFIP/IEEE International Symposium on Integrated Network Management, pages 100-108, May 2007.
- [3] Abraham Yaar, Adrian Perrig, and Dawn Song. Pi: A path identification mechanism to defend against DDoS attacks. In Proceedings of the 2003 IEEE Symposium on Security and Privacy, pages 93-107, Washington, DC, USA, May 2003. IEEE Computer Society.
- [4] Angelos D. Keromytis, Vishal Misra, and Dan Rubenstein. SOS: Secure overlay services. In SIGCOMM, Pittsburgh, PA, August 2002. ACM.