1 / 19

Overview of Distributed Denial of Service (DDoS)

Overview of Distributed Denial of Service (DDoS). Wei Zhou. Outline of the presentation. DDoS definition and its attacking architectures DDoS classification Defense mechanism classification Reactive VS. Proactive Classification by defending front-line SOS – a case study. What is it?.

kiley
Télécharger la présentation

Overview of Distributed Denial of Service (DDoS)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Overview of Distributed Denial of Service (DDoS) Wei Zhou

  2. Outline of the presentation • DDoS definition and its attacking architectures • DDoS classification • Defense mechanism classification • Reactive VS. Proactive • Classification by defending front-line • SOS – a case study

  3. What is it? • No ready-to-go definition available • Characteristics • Multiple attackers vs. single victim • To cause denial of service to legitimate users on the victim • Two major attacking architecture • Direct attack • Reflector attack

  4. Hacker's attacking network Attacking Architecture - Direct Attack Zombies Masters (handlers)

  5. TCP SYN, ICMP, UDP... (with victim's addr. as the src IP addr.) Attacking Architecture – Reflector Attack Reflectors Hacker's DDoS attacking network Reflector Attack

  6. Classification of DDoS Attacks • Classification by exploited vulnerability • Protocol Attacks • TCP SYN attacks • CGI request attacks • Authentication server attacks • ... ... • Flooding-based Attacks • Filterable • Non-filterable

  7. Defense Mechanisms • Classification by activity level • Reactive mechanisms • Easy to be deployed • Hard to tell good guys from bad guys • Inflexible to adapt new attacks • Proactive mechanisms • Motivations to deploy • Accuracy on differentiating packets

  8. Defense Mechanisms (cont.) • Classification by defending front-line • Victim network • Intermediate network • Source network

  9. At the victim side • IDS plus Firewall • Detect bogus packets based on well-known attack signatures • Flexibility • Puzzle solving by clients • Client must solve a puzzle (small scripts, cookies etc.) in order to access server's resources • Efficiency • Duplicate server resources • Distribute server resources into more places • Synchronization, costs etc. Victim network can't do NOTHING if its link(s) to the ISP is jammed

  10. In the intermediate network • IP traceback • Can be used to collect forensic evidence • (Need further exploration on this topic) • Push-back mechanism • Route-Based packet filtering • Overlay network

  11. R5 R4 R6 R2 R7 R3 R1 R0 Push-back messages Push-back – the idea • Reactive mechanism • Accuracy of telling 'poor' packets from bad packets Heavy traffic flow

  12. Attack from node 7 with node 2 addresses Route-based packet filtering – the idea R8 R4 R3 R0 R7 R6 R9 R2 R1 R5 • Proactive mechanism • Overheads • Need to change routers Routes from node 2

  13. 10.0.0.1 10.0.0.1 Egress filtering 10.0.0.2 Ingress filtering 9.0.0.0/8 At the source side • Ingress/egress filtering • Ingress filtering • To prevent packets with faked source IP addresses from entering the network • Egress filtering • To prevent packets with faked source IP addresses from leaving the network

  14. At the source side (cont.) • D-WARD (DDoS netWork Attack Recognition and Defense) • Balance of inbound and outbound traffic

  15. Source network D-WARD (cont.) • Motivation of deployment • Asymmetric problems

  16. SOS – Security Overlay Service • To protect a dedicated server from DDoS attacks • Use high-performance filters to drop all the packets not from secret servlets • Path redundancy in overlay network is used to hide the identities of secret servlets • Legitimate users enter the overlay network at the point of SOAP (secure overlay access point)

  17. Filter Server SOAP(s) Secret servlet(s) Overlay network SOS (cont.) Big time delay

  18. References • R. K. C. Chang, “Defending against Flooding-Based Distributed Denial-of-Sevice Attacks: A Tutorial” • P. Ferguson and D. Senie, “Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing”, RFC 2827 • J. Ioannidis and S. M. Bellovin, “Implementing Pushback: Router-Based Defense Against DDoS Attacks” • A. D. Keromytis, V. Misra and D. Rubenstein, “SOS: Secure Overlay Services” • R. Mahajan, S. M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson and S. Shenker, “Controlling High Bandwidth Aggregates in the Network” • J. Mirkovic, J. Martin and P. Reiher, “A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms” • J. Mirkovic, G. Prier and P. Reiher, “Attacking DDoS at the Source” • K. Park and H. Lee, “A Proactive Approach to Distributed DoS Attack Prevention using Route-Based Packet Filtering”

  19. Thank you!

More Related