Survey of Distributed Denial of Service Attacks and Popular Countermeasures - PowerPoint PPT Presentation

1
Survey of Distributed Denial of Service Attacks
and Popular Countermeasures
  • Andrew Knotts, Kent State University

Referenced from Charalampos Patrikakis, Michalis
Masikos, and Olga Zouraraki. Denial of service
attacks. Internet Protocol Journal, 7(4):13–25,
December 2004.
2
Outline
  • Introduction/Overview
  • Recruiting Zombie Machines
  • Spreading the Virus
  • A Typical DDoS Attack
  • Defending Against a DDoS Attack

3
Diagram with three groups of labels: Technology, Policies, Education; Transmitting, Processing, Storing; Integrity, Availability, Confidentiality.
4
DoS vs. DDoS Attacks
  • A DoS attack is targeted at a particular node
    (machine).
  • Attempts to deny service to that node.
  • Source of the attack:
    • Single node: DoS (Denial of Service) attack
    • Multiple nodes: DDoS (Distributed Denial of
      Service) attack

5
DDoS Attacks: A Tough Problem
  • Victims are unable to communicate with other
    machines, so the surrounding network may not know
    to help.
  • Traffic spikes very fast. It is hard to react
    quickly enough.
  • Traffic filtering will filter user traffic as
    well.
  • The network may be the bottleneck, not the
    victim.
  • IP spoofing makes it hard to trace attack
    traffic back to its source.

6
Target Resources
  • A (D)DoS attack overwhelms the resources of the
    target:
    • Network bandwidth
    • Computing power
      • Processor
      • Memory

7
Recruiting Zombie Machines
  • The attacker must infect a set of nodes to target
    the victim.
  • Unpatched machines are easily compromised.
  • Once infected these nodes are known as zombies.

8
Finding Vulnerable Machines
  • Random Scanning
    • Targets machines at random IP addresses.
  • Hit-list Scanning
    • Targets nodes from a hit-list.
  • Topological Scanning
    • The hit-list is generated on-the-fly by
      scanning infected machines for valid URLs.
  • Local Subnet Scanning
    • An infected machine on the same subnet may
      exploit vulnerabilities of other machines
      normally protected by the firewall.

9
Spreading the Virus
  • Central Source Propagation
    • A central source contains the code.
    • The central source copies the code to the victim
      once infected.

10
Central Source Propagation
Diagram: Attacker, Central Source, Victim, Next Victim. Steps: 1) Infect Victim; 2) Request Code; 3) Transfer Code; 4) Repeat Again.
Concept of diagram referenced from [1].
11
Spreading the Virus (cont.)
  • Back-chaining Propagation
    • The attacker contains the code.
    • The new victim requests the code from the
      attacker once infected.
    • Alleviates the need for a central source.
    • Requires the attacker to be able to accept
      connections and transfer code.

12
Back-chaining Propagation
Diagram: Attacker, Victim, Next Victim. Steps: 1) Infect Victim; 2) Request Code; 3) Transfer Code; 4) Repeat Again.
Concept of diagram referenced from [1].
13
Spreading the Virus (cont.)
  • Autonomous Propagation
    • Sends the code at the same time the victim is
      compromised.
    • Avoids both a central source and the file transfer
      requirements of the other methods.

14
Autonomous Propagation
Diagram: Attacker, Victim, Next Victim. Steps: 1) Infect Victim / Transfer Code; 2) Repeat Again.
Concept of diagram referenced from [1].
15
A Typical DDoS Attack
  • Typical DDoS Attack
    • The zombies are divided into masters and slaves.
    • The attacker signals the masters to start the
      attack; the masters then signal the slaves.
    • The slaves flood the victim.
    • IP spoofing is usually used to hide the identity
      of the slave zombies.

16
A Typical DDoS Attack
Diagram: Attacker, Master Zombies, Slave Zombies, Victim.
Concept of diagram referenced from [1].
17
A DRDoS Attack
  • DRDoS Attack
    • Distributed Reflector Denial of Service
    • Reflectors are uncompromised machines.
    • The slave zombies send packets to the reflectors
      with IP source addresses spoofed as the target.
    • The reflectors carry out the flooding rather than
      the slaves.
    • More distributed than a typical DDoS attack.

18
A DRDoS Attack
Diagram: Attacker, Master Zombies, Slave Zombies, Reflectors, Victim.
Concept of diagram referenced from [1].
19
Defending Against a DDoS Attack
  • Two General Approaches
    • Prevent the Attack
      • Try to stop the attack from happening in the
        first place.
    • React to the Attack
      • Detect the attack early, and react appropriately.

20
Defending Against a DDoS Attack
  • Techniques to prevent attacks
    • Keep machines up-to-date with patches and
      antivirus.
      • Hard to do because machines are distributed.
    • Filter spoofed IP traffic
      • Source IPs of outbound packets should be from the
        local network.
      • Source IPs of inbound packets should not be from
        the local network.
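
As an added illustration (not part of the original slides or of reference [1]), the two spoof-filtering rules above written as a small border-router check in Python. The egress rule is what stops a zombie inside the network from forging a remote source, and the ingress rule stops outside hosts from forging a local one. The prefixes and sample packets are constructed (IETF documentation ranges), and `is_local`, `border_filter` and `filter_packets` are names chosen for this example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed example prefixes; a real border router would use the site's
# own allocations. Both are IETF documentation ranges.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("198.51.100.0/24")]


def is_local(addr: str) -> bool:
    """True if addr belongs to one of the prefixes behind this border router."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def border_filter(direction: str, src: str) -> str:
    """Decide 'permit' or 'drop' for one packet from its source address.

    Egress rule ('outbound'): a packet leaving the local network must carry a
    local source, so a zombie inside cannot spoof a remote source.
    Ingress rule ('inbound'): a packet arriving from outside must not claim a
    local source, so outside hosts cannot spoof our addresses.
    """
    if direction == "outbound":
        return "permit" if is_local(src) else "drop"
    if direction == "inbound":
        return "drop" if is_local(src) else "permit"
    raise ValueError(f"unknown direction: {direction!r}")


def filter_packets(packets: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Apply the rules to (direction, src, dst) triples and count the verdicts."""
    counts = {"permit": 0, "drop": 0}
    for direction, src, _dst in packets:
        counts[border_filter(direction, src)] += 1
    return counts


# Constructed sample traffic crossing the border.
SAMPLE_PACKETS = [
    ("outbound", "192.0.2.10", "203.0.113.5"),    # local host talking to the outside
    ("outbound", "203.0.113.77", "203.0.113.5"),  # spoofed: inside host faking an outside source
    ("outbound", "198.51.100.3", "203.0.113.9"),  # local host in the second prefix
    ("inbound", "203.0.113.9", "192.0.2.10"),     # genuine remote client
    ("inbound", "192.0.2.200", "192.0.2.10"),     # spoofed: outside packet claiming a local source
]

if __name__ == "__main__":
    for direction, src, dst in SAMPLE_PACKETS:
        print(f"{direction:8} {src:>15} -> {dst:<15} {border_filter(direction, src)}")
    print(filter_packets(SAMPLE_PACKETS))
```

The check only looks at source addresses, which is all these two rules need; it says nothing about traffic whose source is legitimately local, which is why the slides pair it with detection and route filtering.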

21
Defending Against a DDoS Attack
  • Techniques to detect an attack early
    • Signature Detection
      • Compare traffic signatures to known attack
        signatures.
      • Cannot detect new attacks with new signatures.
    • Anomaly Detection
      • Compare traffic behavior with normal traffic
        behavior.
      • What constitutes normal traffic has to be
        updated.
    • Hybrid Systems
      • Combine both signature detection and anomaly
        detection.

Diagram labels: Anomaly Detection, Signature Database, Update.
22
Honeypots
  • Attempt to lure the attacker into a trap.
  • This trap may be:
    • A machine masquerading as a service provider
      (increasing its chances of being attacked).
    • An entire network designed to be targeted.
  • Honeypots monitor the attacker's actions, and can
    extract patterns useful in detecting future
    attacks.

23
Route Filtering
  • Blackhole routing
    • Routes attack traffic to a blackhole (null
      interface).
    • Only useful if attack traffic can be
      differentiated from legitimate traffic.
  • Sinkhole routing
    • Detect suspicious traffic and redirect it to an
      analyzer.
    • If it is attack traffic, drop it (route to null
      interface). Otherwise route it to its original
      destination.
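
The two route-filtering options above, as an added simulation that is not from the slides or the cited papers: an edge router with a host route pointing at `null0` (blackhole) beside one that diverts the victim's traffic to an analyzer, which drops what it classifies as attack traffic and re-injects the rest (sinkhole). `EdgeRouter`, `Analyzer`, `forward`, `tally`, `compare_strategies`, the addresses and the flagged-source classifier are all constructed for this example; the classifier stands in for whatever detector produced the flagged sources.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

NULL0 = "null0"        # discard interface: a blackhole route points here
ANALYZER = "analyzer"  # sinkhole next hop: traffic is diverted to an analysis box
UPSTREAM = "core1"     # constructed normal next hop toward the victim
VICTIM = "192.0.2.10"  # constructed target address (documentation range)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


class EdgeRouter:
    """Host routes layered over a default; longest-prefix match is out of scope."""
    def __init__(self, default_next_hop: str) -> None:
        self.default = default_next_hop
        self.host_routes: Dict[str, str] = {}

    def next_hop(self, dst: str) -> str:
        return self.host_routes.get(dst, self.default)

    def install_blackhole(self, host: str) -> None:
        self.host_routes[host] = NULL0      # everything for host is discarded

    def install_sinkhole(self, host: str) -> None:
        self.host_routes[host] = ANALYZER   # everything for host is diverted first

    def withdraw(self, host: str) -> None:
        self.host_routes.pop(host, None)


class Analyzer:
    """Sinkhole analyzer: drops classified attack traffic, re-injects the rest."""
    def __init__(self, is_attack: Callable[[Packet], bool], next_hop: str) -> None:
        self.is_attack = is_attack
        self.next_hop = next_hop

    def handle(self, pkt: Packet) -> str:
        return "dropped" if self.is_attack(pkt) else self.next_hop


def forward(router: EdgeRouter, analyzer: Analyzer, pkt: Packet) -> str:
    """Return 'dropped' or the next hop the packet is delivered to."""
    nh = router.next_hop(pkt.dst)
    if nh == NULL0:
        return "dropped"
    if nh == ANALYZER:
        return analyzer.handle(pkt)
    return nh


def tally(router: EdgeRouter, analyzer: Analyzer,
          labelled: List[Tuple[str, Packet]]) -> Dict[str, int]:
    """Count outcomes per ground-truth label, e.g. {'legit_delivered': 3, ...}."""
    counts: Dict[str, int] = {}
    for label, pkt in labelled:
        outcome = "dropped" if forward(router, analyzer, pkt) == "dropped" else "delivered"
        key = f"{label}_{outcome}"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed traffic with ground-truth labels. The classifier is a stand-in for a
# real detector and simply recognises the sources that detector has flagged.
FLAGGED_SOURCES = {f"203.0.113.{i}" for i in range(1, 6)}
SAMPLE = [
    ("legit", Packet("198.51.100.4", VICTIM, "TCP", 443)),
    ("legit", Packet("198.51.100.8", VICTIM, "TCP", 80)),
    ("legit", Packet("198.51.100.15", VICTIM, "UDP", 53)),
] + [("attack", Packet(src, VICTIM, "UDP", 53)) for src in sorted(FLAGGED_SOURCES)]


def compare_strategies() -> Dict[str, Dict[str, int]]:
    """Run the same traffic with no mitigation, a blackhole route, and a sinkhole."""
    analyzer = Analyzer(lambda p: p.src in FLAGGED_SOURCES, UPSTREAM)
    results: Dict[str, Dict[str, int]] = {}
    for name, install in (("none", None),
                          ("blackhole", EdgeRouter.install_blackhole),
                          ("sinkhole", EdgeRouter.install_sinkhole)):
        router = EdgeRouter(UPSTREAM)
        if install:
            install(router, VICTIM)
        results[name] = tally(router, analyzer, SAMPLE)
    return results


if __name__ == "__main__":
    for name, counts in compare_strategies().items():
        print(f"{name:10} {counts}")
```

The blackhole run makes the slide's caveat visible: with a single host route to `null0` the victim's legitimate traffic is dropped along with the flood, so the blackhole only helps when it can be scoped to traffic that is already known to be attack traffic. The sinkhole keeps legitimate traffic flowing, at the cost of the analyzer having to keep up with the diverted volume.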

24
Real-time Analysis of Flow Data
  • Flow data can be useful for analyzing the
    behavior characteristics of traffic.
  • In order for flow data to be useful for detecting
    attacks, it must be processed fast enough to
    respond.
  • Munz and Carle [2] propose a system and framework
    to handle the real-time analysis of this flow
    data.

25
Real-time Analysis of Flow Data
A simplified diagram of the TOPAS system. Components: IPFIX/NetFlow Data, Ring Buffer, three Containers each running a Detection Algorithm (1, 2, 3) and producing an Alert, Alert Receiver.
Concept of diagram referenced from [2].
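
As an added example, not the TOPAS implementation or code from [2], a Python sketch of the pipeline in the diagram above with the three detection styles from the earlier "detect an attack early" slide plugged in as the detection algorithms: flow records enter a ring buffer, each algorithm runs over the current time window, and a receiver collects the alerts. The record layout, the thresholds, the traffic and the names (`Flow`, `RingBuffer`, `signature_detector`, `learn_baseline`, `anomaly_detector`, `hybrid_detector`, `run_pipeline`) are all constructed for this example.

```python
from collections import Counter, deque
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    """Simplified IPFIX/NetFlow-style record (constructed field set)."""
    ts: int         # export time in seconds
    src: str
    dst: str
    dport: int
    proto: str
    packets: int
    tcp_flags: str  # "S" = SYN only; "" for non-TCP


class RingBuffer:
    """Holds the most recent records; each detector reads a time window from it."""
    def __init__(self, capacity: int) -> None:
        self._buf: deque = deque(maxlen=capacity)

    def push(self, flow: Flow) -> None:
        self._buf.append(flow)

    def window(self, seconds: int, now: int) -> List[Flow]:
        return [f for f in self._buf if 0 <= now - f.ts < seconds]


SIG_THRESHOLD = 50  # constructed: one-packet SYN-only flows per window


def signature_detector(window: List[Flow]) -> List[dict]:
    """Signature detection. The only signature known here is a TCP SYN flood
    (many one-packet SYN-only flows to one host); any other attack is missed."""
    syn = Counter(f.dst for f in window
                  if f.proto == "TCP" and f.tcp_flags == "S" and f.packets == 1)
    return [{"dst": d, "name": "syn_flood", "count": n}
            for d, n in syn.items() if n >= SIG_THRESHOLD]


def learn_baseline(normal: List[Flow], window_s: int) -> Dict[str, float]:
    """Average flows per destination per window, learned from normal traffic.
    This is the profile that has to be refreshed as 'normal' changes."""
    per_bucket = Counter((f.dst, f.ts // window_s) for f in normal)
    buckets = {b for _, b in per_bucket}
    totals: Counter = Counter()
    for (dst, _), n in per_bucket.items():
        totals[dst] += n
    return {dst: total / len(buckets) for dst, total in totals.items()}


def anomaly_detector(window: List[Flow], baseline: Dict[str, float],
                     factor: float = 5.0) -> List[dict]:
    """Anomaly detection: flag a host receiving more than factor x its baseline."""
    counts = Counter(f.dst for f in window)
    return [{"dst": d, "observed": n, "expected": baseline.get(d, 0.0)}
            for d, n in counts.items()
            if n > factor * max(baseline.get(d, 0.0), 1.0)]


def hybrid_detector(window: List[Flow], baseline: Dict[str, float]) -> List[dict]:
    """Hybrid: union of both detectors, higher confidence when both agree."""
    sig = {a["dst"] for a in signature_detector(window)}
    ano = {a["dst"] for a in anomaly_detector(window, baseline)}
    return [{"dst": d, "confidence": "high" if d in sig and d in ano else "medium"}
            for d in sorted(sig | ano)]


def run_pipeline(records: List[Flow], baseline: Dict[str, float],
                 capacity: int = 1000, window_s: int = 10) -> Dict[Tuple[str, str], dict]:
    """Feed time-ordered records through the ring buffer. At the end of each second
    every detection 'container' runs over the current window and the receiver
    keeps the latest alert per (algorithm, destination)."""
    ring = RingBuffer(capacity)
    latest: Dict[Tuple[str, str], dict] = {}
    detectors = {
        "signature": signature_detector,
        "anomaly": lambda w: anomaly_detector(w, baseline),
        "hybrid": lambda w: hybrid_detector(w, baseline),
    }
    for i, rec in enumerate(records):
        ring.push(rec)
        if i + 1 < len(records) and records[i + 1].ts == rec.ts:
            continue  # more records for this second still to come
        window = ring.window(window_s, rec.ts)
        for name, fn in detectors.items():
            for alert in fn(window):
                latest[(name, alert["dst"])] = alert
    return latest


def constructed_traffic() -> Tuple[List[Flow], List[Flow]]:
    """Return (training records, full stream). Seconds 0-59 are normal traffic only;
    from second 60 a SYN flood hits .10 and a UDP flood (no signature) hits .30."""
    normal, attack = [], []
    for ts in range(70):
        for k in range(2):
            normal.append(Flow(ts, f"198.51.100.{(2*ts+k) % 200}", "192.0.2.10", 80, "TCP", 12, "SPAF"))
        normal.append(Flow(ts, f"198.51.100.{(3*ts) % 200}", "192.0.2.20", 443, "TCP", 9, "SPAF"))
    for ts in range(60, 70):
        for k in range(15):
            attack.append(Flow(ts, f"203.0.113.{(15*ts+k) % 250}", "192.0.2.10", 80, "TCP", 1, "S"))
        for k in range(8):
            attack.append(Flow(ts, f"203.0.113.{(8*ts+k) % 250}", "192.0.2.30", 53, "UDP", 30, ""))
    training = [f for f in normal if f.ts < 60]
    return training, sorted(normal + attack, key=lambda f: f.ts)


if __name__ == "__main__":
    training, stream = constructed_traffic()
    for key, alert in sorted(run_pipeline(stream, learn_baseline(training, 10)).items()):
        print(key, alert)
```

The constructed UDP flood against .30 shows the limitation the earlier slide states for signature detection: no signature matches it, only the anomaly detector sees it, so the hybrid alert for that host carries lower confidence. The baseline is learned once from the first 60 seconds here; in practice it must be relearned as normal traffic changes, or the anomaly detector drifts into false positives or misses.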
26
Path Identification
  • IP spoofing is commonly used to mask the source
    of an attack.
  • Use a Path Identifier (Pi) to discover an
    approximate source of attack packets [3].
  • These packets can then be classified as malicious
    (based on their path identifier) and filtered
    accordingly.

27
Issues with Path Identification
  • 16 bits used to store path information.
    • This is not very large and may be insufficient
      for long paths!
  • Packets from the same attacker are not guaranteed
    to follow the same path.
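
To make the two limitations concrete, an added toy model of TTL-indexed path marking written for this page; it is not the Pi implementation from [3]. Each router writes 2 bits into a 16-bit field at a slot chosen by the packet's TTL, and the victim drops packets whose final mark equals one learned during an attack. The per-router mark function (low bits of the last address octet, standing in for the hash the real scheme uses), the router addresses, `traverse`, `surviving_hops` and `PiFilter` are constructed simplifications.

```python
from typing import List, Set

FIELD_BITS = 16                      # the 16-bit field that holds the marks
BITS_PER_HOP = 2                     # constructed: each router writes 2 bits
SLOTS = FIELD_BITS // BITS_PER_HOP   # 8 hop slots before positions wrap around
HOP_MASK = (1 << BITS_PER_HOP) - 1


def router_mark(router_ip: str) -> int:
    """Constructed stand-in for the per-router hash: low bits of the last octet."""
    return int(router_ip.rsplit(".", 1)[1]) & HOP_MASK


def mark_packet(pi: int, ttl: int, router_ip: str) -> int:
    """Write this router's mark into the slot selected by the packet's TTL."""
    shift = (ttl % SLOTS) * BITS_PER_HOP
    cleared = pi & ~(HOP_MASK << shift) & 0xFFFF
    return cleared | (router_mark(router_ip) << shift)


def traverse(path: List[str], initial_ttl: int = 64) -> int:
    """Forward one packet along path: each router decrements TTL, then marks."""
    pi, ttl = 0, initial_ttl
    for router in path:
        ttl -= 1
        pi = mark_packet(pi, ttl, router)
    return pi


def surviving_hops(path: List[str]) -> List[str]:
    """Routers whose marks are still present on arrival. With more than SLOTS
    hops the slot index wraps and the earliest marks are overwritten."""
    return path[max(0, len(path) - SLOTS):]


class PiFilter:
    """Victim-side filter: remember Pi values seen on attack packets, drop matches."""
    def __init__(self) -> None:
        self.blocked: Set[int] = set()

    def learn_attack(self, pi: int) -> None:
        self.blocked.add(pi)

    def accept(self, pi: int) -> bool:
        return pi not in self.blocked


# Constructed router addresses (private range).
ATTACK_PATH = [f"10.0.0.{i}" for i in range(1, 6)]                 # 5 hops
LEGIT_PATH = ["10.0.0.6", "10.0.0.7", "10.0.0.3", "10.0.0.4", "10.0.0.5"]
LONG_PATH = [f"10.0.0.{i}" for i in range(1, 11)]                  # 10 hops > 8 slots

if __name__ == "__main__":
    f = PiFilter()
    f.learn_attack(traverse(ATTACK_PATH))
    print("attack path Pi:", hex(traverse(ATTACK_PATH)), "accepted:", f.accept(traverse(ATTACK_PATH)))
    print("legit path Pi: ", hex(traverse(LEGIT_PATH)), "accepted:", f.accept(traverse(LEGIT_PATH)))
    print("long path, marks kept only from:", surviving_hops(LONG_PATH))
```

On the 10-hop path the marks of the first two routers are overwritten, so the victim cannot distinguish paths that differ only near the source: that is the 16-bit limitation from the slide. The legitimate path, which shares its last three routers with the attack path but enters through different routers, yields a different Pi and is accepted; a packet from the same source that took a different route would likewise carry a different Pi and slip past a filter learned from the first route.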

28
Network Overlays
  • To prevent malicious traffic, only allow the
    target to communicate with a confirmed user [4].
    The target must give permission to this user.
  • Filter all traffic in the region around the
    target that is not confirmed.
  • Confirmed traffic originates from a list of
    pre-defined friendly nodes.
  • Protect the identity of these nodes by using a
    network overlay.

29
The SOS System
A simplified diagram of the SOS system. Labels: Overlay Network, Overlay Nodes, Secret Servlets, Filtered Region, Target.
Concept of diagram referenced from [4].
30
Issues with the SOS system
  • Expensive to implement
    • An entire overlay must be created to protect a
      node. Overlay routers must implement a filtering
      protocol.

31
Future Work
  • IP is not a security-oriented protocol. Designing
    Internet protocols with security in mind will
    help mitigate DDoS attacks.
  • Most current work simply focuses on the target or
    the network around the target. It is useful to
    also utilize the entire network from attacker to
    target to help defend against DDoS attacks (the Pi
    system touched on this concept).

32
References
  • [1] Charalampos Patrikakis, Michalis Masikos, and
    Olga Zouraraki. Denial of service attacks.
    Internet Protocol Journal, 7(4):13–25, December
    2004.
  • [2] Gerhard Munz and Georg Carle. Real-time
    analysis of flow data for network attack
    detection. 10th IFIP/IEEE International Symposium
    on Integrated Network Management, pages 100–108,
    May 2007.
  • [3] Abraham Yaar, Adrian Perrig, and Dawn Song.
    Pi: A path identification mechanism to defend
    against DDoS attacks. In Proceedings of the 2003
    IEEE Symposium on Security and Privacy, pages
    93–107, Washington, DC, USA, May 2003. IEEE
    Computer Society.
  • [4] Angelos D. Keromytis, Vishal Misra, and Dan
    Rubenstein. SOS: Secure overlay services. In
    SIGCOMM, Pittsburgh, PA, August 2002. ACM.