1 / 29

Distributed Denial of Service (DDoS) Attacks

Distributed Denial of Service (DDoS) Attacks. Goal: Prevent a network site from doing its normal business Method: overwhelm the site with attack traffic Response: ?. The Problem . Characterizing the Problem. An attacker compromises many hosts Usually spread across Internet

marla
Télécharger la présentation

Distributed Denial of Service (DDoS) Attacks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Distributed Denial of Service (DDoS) Attacks • Goal: Prevent a network site from doing its normal business • Method: overwhelm the site with attack traffic • Response: ?

  2. The Problem

  3. Characterizing the Problem • An attacker compromises many hosts • Usually spread across Internet • He orders them to send garbage traffic to a target site • The combined packet flow overwhelms the target • Perhaps his machine • Perhaps his network link • Perhaps his ISP’s network link

  4. Why Are These Attacks Made? • Generally to annoy • Sometimes for extortion • Sometimes to disable opponent’s network operations • If directed at infrastructure, might cripple parts of Internet • So who wants to do that . . .?

  5. Attack Methods • Pure flooding • Of network connection • Or of upstream network • Overwhelm some other resource • SYN flood • CPU resources • Memory resources • Application level resource • Direct or reflection

  6. Why “Distributed”? • Targets are often highly provisioned servers • A single machine usually cannot overwhelm such a server • So harness multiple machines to do so • Also makes defenses harder

  7. DDoS Attack on DNS Root Servers • Concerted ping flood attack on all 13 of the DNS root servers in October 2002 • Successfully halted operations on 9 of them • Lasted for 1 hour • Turned itself off, was not defeated • Did not cause major impact on Internet • DNS uses caching aggressively • Another (less effective) attack in February 2007

  8. DDoS Attack on Estonia • Occurred April-May 2007 • Estonia removed a statue that Russians liked • Then somebody launched large DDoS attack on Estonian government sites • Took much of Estonia off-line for ~ 3 weeks • DDoS attack on Radio Free Europe sites in Belarus in 2008

  9. How to Defend? • A vital characteristic: • Don’t just stop a flood • ENSURE SERVICE TO LEGITIMATE CLIENTS!!! • If you deliver a manageable amount of garbage, you haven’t solved the problem

  10. Complicating Factors • High availability of compromised machines • At least tens of thousands of zombie machines out there • Internet is designed to deliver traffic • Regardless of its value • IP spoofing allows easy hiding • Distributed nature makes legal approaches hard • Attacker can choose all aspects of his attack packets • Can be a lot like good ones

  11. Basic Defense Approaches • Overprovisioning • Dynamic increases in provisioning • Hiding • Tracking attackers • Legal approaches • Reducing volume of attack

  12. Overprovisioning • Be able to handle more traffic than attacker can generate • Works well for Microsoft and Google • Not a suitable solution for Mom and Pop Internet stores • Can sometimes dynamically increase provisioning • Some attackers are highly provisioned

  13. Hiding • Don’t let most people know where your server is • If they can’t find it, they can’t overwhelm it • Possible to direct your traffic through other sites first • Can they be overwhelmed . . .? • Not feasible for sites that serve everyone

  14. Tracking Attackers • Almost trivial without IP spoofing • With IP spoofing, more challenging • Big issue: • Once you’ve found them, now what? • Not clear tracking actually does much good • Not usually feasible for law enforcement to use this information effectively • Law enforcement approaches are slow

  15. Reducing the Volume of Traffic • Addresses the core problem: • Too much traffic coming in, so get rid of some of it • Vital to separate the sheep from the goats • Unless you have good discrimination techniques, not much help • Most DDoS defense proposals are variants of this

  16. Approaches to Reducing the Volume • Give preference to your “friends” • Require “proof of work” from submitters • Detect difference between good and bad traffic • Drop the bad • Easier said than done

  17. Some Sample Defenses • D-Ward • DefCOM • SOS

  18. D-WARD • Core idea is to leverage a difference between DDoS traffic and good traffic • Good traffic responds to congestion by backing off • DDoS traffic responds to congestion by piling on • Look for the sites that are piling on, not backing of

  19. The D-Ward Approach • Deploy D-Ward defense boxes at exit points of networks • Use ingress filtering here to stop most spoofing • Observe two-way traffic to different destinations • Throttle “poorly behaved” traffic • If it continues to behave badly, throttle it more • If it behaves well under throttling, back off and give it more bandwidth

  20. attacks D-WARD in Action requests replies D-WARD D-WARD

  21. A Sample of D-Ward’s Effectiveness

  22. The Problem With D-Ward • D-Ward defends other people’s networks from your network’s DDoS attacks • It doesn’t defend your network from other people’s DDoS attacks • So why would anyone deploy it? • No one did, even though, if fully deployed, it could stop DDoS attacks

  23. DefCOM • Different network locations are better for different elements • Near source good for characterizing traffic • Core nodes can filter effectively with small deployments • Near target it’s easier to detect and characterize an attack • DefCOM combines defense in all locations

  24. core core classifier classifier DefCOM in Action Classifiers can assure priority for good traffic DefCOM instructs core nodes to apply rate limits alert generator Core nodes use information from classifiers to prioritize traffic

  25. Benefits of DefCOM • Provides effective DDoS defense • Without ubiquitous deployment • Able to handle higher volume attacks than target end defenses • Offers deployment incentives for those who need to deploy things

  26. DefCOM Performance

  27. SOS • A hiding approach • Don’t let the attackers send packets to the possible target • Use an overlay network to deliver traffic to the destination • Filter out bad stuff in the overlay • Which can be highly provisioned

  28. How SOS Defends • Clients are authenticated at the overlay entrance • A few source addresses are allowed to reach the protected node • All other traffic is filtered out • Several overlay nodes designated as “approved” • Nobody else can route traffic to protected node • Good traffic tunneled to “approved” nodes • They forward it to the server • Most suited for “private” services

  29. SOS Advantages and Limitations • Ensures communication of “confirmed” user with the victim • Resilient to overlay node failure • Resilient to DoS • Problematic for public service • Clients must be aware of and use overlay to access victim • Traffic routed through suboptimal path • Still allows brute force attack on links entering the filtering router in front of client • If the attacker can find it • Basically dependent on a secret

More Related