A Taxonomy of DDoS Attack and DDoS Defense Mechanisms



  • A Taxonomy of DDoS Attack and DDoS Defense Mechanisms
    Written by Jelena Mirkovic and Peter Reiher
    In ACM SIGCOMM Computer Communication Review, April 2005
    Presented by Jared Bott

  • Key Point!
    - DDoS attacks can be carried out in a wide variety of manners, with a wide variety of purposes
    - DDoS defenses show great variety

  • DDoS Attacks
    - An explicit attempt to prevent the legitimate use of a service
    - Multiple attacking entities, known as agents
    - DDoS is a serious problem
    - Many proposals about how to deal with it
    - (Figure: agents sending traffic to a target)

  • What makes DDoS attacks possible?
    - Answer: the end-to-end paradigm
    - Internet security is highly interdependent
      - The susceptibility of a system depends on the security of the rest of the Internet
    - Internet resources are limited
    - Intelligence and resources are not collocated
      - End systems are intelligent; intermediate systems are high in resources

  • Accountability is not enforced
    - IP spoofing is possible
  • Control is distributed
    - No way to enforce global deployment of a security mechanism or policy

  • Taxonomy of Attacks

  • DA: Degree of Automation
    - How involved is the attacker?
    - Automation of the recruit, exploit, infect and scan phases
    - DA-1: Manual
    - DA-2: Semi-Automatic
      - Recruit, exploit and infect phases are automated
    - DA-3: Automatic

  • DA-2:CM: Communication Mechanism
    - How do semi-autonomous systems communicate?
    - DA-2:CM-1: Direct Communication
      - Agents and handlers know each other's identities
      - Communication through TCP or UDP
    - DA-2:CM-2: Indirect Communication
      - Communication through IRC

  • DA-2/DA-3:HSS: Host Scanning Strategy
    - How do attackers find computers to make into agents?
    - Choose addresses of potentially vulnerable machines to scan
    - DA-2/DA-3:HSS-1: Random Scanning
    - DA-2/DA-3:HSS-2: Hitlist Scanning

  • DA-2/DA-3:HSS: Host Scanning Strategy
    - DA-2/DA-3:HSS-3: Signpost Scanning
      - Topological scanning
      - Email worms send emails to everyone in the address book
      - Web-server worms infect visitors' vulnerable browsers, which then infect servers visited later

  • DA-2/DA-3:HSS: Host Scanning Strategy
    - DA-2/DA-3:HSS-4: Permutation Scanning
      - A pseudo-random permutation of the IP space is shared among all infected machines
      - A newly infected machine starts at a random point
    - DA-2/DA-3:HSS-5: Local Subnet Scanning
    - Examples:
      - HSS-1: Code Red v2
      - HSS-5: Code Red II, Nimda

  • DA-2/DA-3:VSS: Vulnerability Scanning Strategy
    - We have found a machine; can it be infected?
    - DA-2/DA-3:VSS-1: Horizontal Scanning
    - DA-2/DA-3:VSS-2: Vertical Scanning
    - DA-2/DA-3:VSS-3: Coordinated Scanning
      - Machines probe the same port(s) at multiple machines within a local subnet
    - DA-2/DA-3:VSS-4: Stealthy Scanning

  • DA-2/DA-3:PM: Propagation Method
    - How does attack code get onto compromised machines?
    - DA-2/DA-3:PM-1: Central Source Propagation
      - Attack code resides on server(s)

  • DA-2/DA-3:PM: Propagation Method
    - DA-2/DA-3:PM-2: Back-Chaining Propagation
      - Attack code is downloaded from the machine that exploited the system

  • DA-2/DA-3:PM: Propagation Method
    - DA-2/DA-3:PM-3: Autonomous Propagation
      - Inject attack instructions directly into the target host during the exploit phase
      - Ex. Code Red, various email worms, Warhol worm idea

  • EW: Exploited Weakness to Deny Service
    - What weakness of the target machine is exploited to deny service?
    - EW-1: Semantic
      - Exploit a specific feature or implementation bug
      - Ex. TCP SYN attack: the exploited feature is the allocation of substantial space in a connection queue immediately upon receipt of a TCP SYN
    - EW-2: Brute-Force

  • SAV: Source Address Validity
    - Do packets carry the agents' real IP addresses?
    - SAV-1: Spoofed Source Address
    - SAV-2: Valid Source Address
      - Frequently originate from Windows machines
    - SAV-1:AR: Address Routability
      - This is not the attacker's address, but can it be routed?
      - SAV-1:AR-1: Routable Source Address
      - SAV-1:AR-2: Non-Routable Source Address

  • SAV-1:ST: Spoofing Technique
    - How does an agent come up with an IP address?
    - SAV-1:ST-1: Random Spoofed Source Address
      - Random 32-bit number
      - Prevented using ingress filtering, route-based filtering
    - SAV-1:ST-2: Subnet Spoofed Source Address
      - Spoofs a random address from the address space assigned to the machine's subnet
      - Ex. A machine in the chooses in the range to

  • SAV-1:ST: Spoofing Technique
    - SAV-1:ST-3: En Route Spoofed Source Address
      - Spoof the address of a machine or subnet along the path to the victim
    - SAV-1:ST-4: Fixed Spoofed Source Address
      - Choose a source address from a specific list
      - Ex. Reflector attack
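An added example, not from the paper or the slides, of the two checks that the spoofing slides attach to these categories: the BCP 38 style ingress filtering listed as a prevention for ST-1, and the routability question from SAV-1:AR. It runs a constructed edge router with two customer interfaces over four constructed packets from one agent; the interface prefixes, the short bogon list and the agent's true address (known here only so each packet can be labelled with its SAV/ST category) are all assumptions of this example.

```python
import ipaddress

# Constructed topology for this example: an ISP edge router with two
# customer-facing interfaces, each assigned exactly one customer prefix.
INTERFACE_PREFIXES = {
    "eth1": ipaddress.ip_network("192.0.2.0/24"),
    "eth2": ipaddress.ip_network("198.51.100.0/24"),
}

# Constructed list of prefixes that must never appear as a source address on
# the public Internet (the paper's AR-2, non-routable). A real router would
# use a maintained bogon list instead of this short table.
NON_ROUTABLE = [ipaddress.ip_network(p) for p in
                ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
                 "172.16.0.0/12", "192.168.0.0/16")]


def is_routable(src_ip):
    """AR-1 vs AR-2: could a reply to this source address be routed at all?"""
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in NON_ROUTABLE)


def ingress_filter(iface, src_ip):
    """Ingress filtering in the BCP 38 sense: forward a packet only if its
    source address lies inside the prefix assigned to the arrival interface."""
    prefix = INTERFACE_PREFIXES.get(iface)
    if prefix is None:
        return False                       # unknown interface: fail closed
    return ipaddress.ip_address(src_ip) in prefix


def classify_source(agent_ip, src_ip, iface):
    """Label a packet with the paper's SAV/ST category. The agent's true
    address is known here only because this is a constructed example."""
    if src_ip == agent_ip:
        return "SAV-2 valid"
    if ipaddress.ip_address(src_ip) in INTERFACE_PREFIXES[iface]:
        return "SAV-1:ST-2 subnet spoofed"
    return "SAV-1:ST-1 random spoofed"


def evaluate(packets):
    """For each constructed (agent_ip, src_ip, iface) return its category,
    whether the source is routable, and whether ingress filtering forwards it."""
    return [(classify_source(a, s, i), is_routable(s), ingress_filter(i, s))
            for a, s, i in packets]


# Constructed packets, all emitted by the same agent behind eth1.
SAMPLE_PACKETS = [
    ("192.0.2.10", "192.0.2.10", "eth1"),     # the agent's real address
    ("192.0.2.10", "192.0.2.77", "eth1"),     # a neighbour in the same subnet
    ("192.0.2.10", "203.0.113.5", "eth1"),    # an arbitrary routable address
    ("192.0.2.10", "10.1.2.3", "eth1"),       # an RFC 1918 address
]

if __name__ == "__main__":
    for pkt, result in zip(SAMPLE_PACKETS, evaluate(SAMPLE_PACKETS)):
        print(pkt[1], *result)
```

The subnet-spoofed packet passes the filter, which is why the slides list ingress filtering only under ST-1: a prefix-level check at the ISP edge cannot tell neighbours apart, so an ST-2 source has to be caught closer to the host (a first-hop switch that binds each port to its assigned address) or traced back to the subnet after the fact.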

  • ARD: Attack Rate Dynamics
    - Does the attack rate change?
    - ARD-1: Constant Rate
      - Used in the majority of known attacks
      - Best cost-effectiveness: minimal number of computers needed
      - Obvious anomaly in traffic
    - ARD-2: Variable Rate

  • ARD-2:RCM: Rate Change Mechanism
    - How does the rate change?
    - ARD-2:RCM-1: Increasing Rate
      - A gradually increasing rate leads to a slow exhaustion of the victim's resources
      - Could manipulate defenses that train their baseline models
    - ARD-2:RCM-2: Fluctuating Rate
      - Adjust the attack rate based on the victim's behavior or on preprogrammed timing
      - Ex. Pulsing attack

  • PC: Possibility of Characterization
    - Can the attacking traffic be characterized?
    - Characterization may lead to filtering rules
    - PC-1: Characterizable
      - Attacks that target specific protocols or applications at the victim
      - Can be identified by a combination of IP header and transport protocol header values, or by packet contents
      - Ex. TCP SYN attack: SYN bit set

  • PC-1:RAVS: Relation of Attack to Victim Services
    - The traffic is characterizable, but is it related to the target's services?
    - PC-1:RAVS-1: Filterable
      - Traffic made of malformed packets, or of packets for services that are non-critical to the victim's operation
      - Ex. ICMP ECHO flood attack on a web server
    - PC-1:RAVS-2: Non-Filterable
      - Well-formed packets that request legitimate and critical services
      - Filtering all packets that match the attack characterization would itself lead to a denial of service

  • PC: Possibility of Characterization
    - PC-2: Non-Characterizable
      - Traffic that uses a variety of packets engaging different applications and protocols
      - Classification depends on the resources that can be used to characterize and on the level of characterization
      - Ex. An attack uses a mixture of TCP packets with various combinations of TCP header fields: characterizable as a TCP attack, but nothing finer without vast resources

  • PAS: Persistence of Agent Set
    - Do the same agents attack the whole time?
    - Some attacks vary their set of active agent machines
      - Avoid detection and hinder traceback
    - PAS-1: Constant Agent Set
    - PAS-2: Variable Agent Set
      - (Figure: the agents shown in bright red attack for 4 hours; the agents shown in dark red attack for the next 4 hours)

  • VT: Victim Type
    - What does the attack target?
    - VT-1: Application
      - Ex. Bogus signature attack on an authentication server: authentication is not possible, but other applications are still available
    - VT-2: Host
      - Disable access to the target machine
      - Overloading, disabling communications, crashing, freezing or rebooting the machine
      - Ex. TCP SYN attack overloads the communications of the machine

  • VT: Victim Type
    - VT-3: Resource Attacks
      - Target a critical resource in the victim's network
      - Ex. DNS server, router
      - Prevented by replicating critical services and designing a robust network topology
    - VT-4: Network Attacks
      - Consume the incoming bandwidth of a target network
      - The victim must request help from upstream networks

  • VT: Victim Type
    - VT-5: Infrastructure
      - Target a distributed service that is crucial for global Internet operation
      - Ex. Root DNS server attacks in October 2002 and February 2007

  • IV: Impact on the Victim
    - How does an attack affect the victim's service?
    - IV-1: Disruptive
      - Completely deny the victim's service to its clients
      - All currently reported attacks are of this kind
    - IV-2: Degrading
      - Consume some portion of the victim's resources, seriously degrading service to customers
      - Could remain undetected for a long time

  • IV-1:PDR: Possibility of Dynamic Recovery
    - Can a system recover from an attack? How?
    - IV-1:PDR-1: Self-Recoverable
      - Ex. UDP flooding attack
    - IV-1:PDR-2: Human-Recoverable
      - Ex. Computer freezes, requires reboot
    - IV-1:PDR-3: Non-Recoverable
      - Permanent damage to the victim's hardware
      - No reliable accounts of these attacks

  • DDoS Defense
    - Several factors hinder the advance of DDoS defense research
    - Need for a distributed response at many points on the Internet
      - Many attacks need upstream network resources to stop them
    - Economic and social factors
      - A distributed response system must be deployed by parties that aren't directly damaged by a DDoS attack

  • DDoS Defense
    - Lack of defense system benchmarks
      - No benchmark suite of attack scenarios or established evaluation methodologies
    - Lack of detailed attack information
      - We have information on control programs
      - Information on the frequency of various attack types is lacking
      - Information on rate, duration, packet size, etc. is lacking

  • DDoS Defense
    - Difficulty of large-scale testing
      - No large-scale test beds
        - U.S. National Science Foundation is funding development of a large-scale cybersecurity test bed
      - No safe ways to perform live distributed experiments across the Internet
      - No detailed and realistic simulation tools that support thousands of nodes

  • Taxonomy of DDoS Defenses

  • AL: Activity Level
    - When does a defense system work?
    - AL-1: Preventive
      - Eliminate the possibility of DDoS attacks, or enable victims to endure the attack without denial of service
    - AL-1:PG: Prevention Goal
      - What is the system trying to do?
      - AL-1:PG-1: Attack Prevention
        - The system is trying to prevent attacks

  • AL-1:PG-1:ST: Secured Target
    - What does a system try to secure to prevent an attack?
    - AL-1:PG-1:ST-1: System Security
      - Secure the system
      - Guard against illegitimate accesses to a machine
      - Remove application bugs, update protocol installations
      - Ex. Firewall systems, IDSs, automated updates

  • AL-1:PG-1:ST: Secured Target
    - AL-1:PG-1:ST-2: Protocol Security
      - Secure the protocols
      - Bad protocol design examples: TCP SYN attack, authentication server attack, IP source address spoofing
      - Ex. Deployment of a powerful proxy server that completes TCP connections
      - Ex. TCP SYN cookies
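An added worked example, not code from the paper or from any real TCP stack, of the SYN cookie idea listed under ST-2. It removes the weakness named under EW-1: instead of allocating queue space when a SYN arrives, the server folds the state it would have queued into the initial sequence number of its SYN-ACK and allocates a connection only when a final ACK arrives carrying a valid cookie. The bit layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash over the 4-tuple and counter) follows the classic scheme; the secret, the MSS table, the counter period and the addresses are constructed assumptions of this example.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed parameters; a real TCP stack rotates the secret and derives
# the counter from its own clock.
SECRET = b"constructed-secret-for-this-example"
MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values the 3-bit field can encode
COUNTER_PERIOD = 64                   # seconds per counter tick
MAX_AGE_TICKS = 1                     # accept the current and previous tick only


def _mac24(src, dst, sport, dport, counter):
    """24-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = struct.pack("!4s4sHHI",
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed,
                      sport, dport, counter)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src, dst, sport, dport, peer_mss, now):
    """Initial sequence number for the SYN-ACK: 5-bit counter, 3-bit MSS
    index, 24-bit MAC. The server stores nothing for this half-open request."""
    counter = int(now // COUNTER_PERIOD) & 0x1F
    idx = 0
    for i, mss in enumerate(MSS_TABLE):      # largest table entry <= peer's MSS
        if mss <= peer_mss:
            idx = i
    return (counter << 27) | (idx << 24) | _mac24(src, dst, sport, dport, counter)


def check_cookie(src, dst, sport, dport, ack, now):
    """Validate the final ACK of the handshake (its ACK number is cookie + 1).
    Returns the MSS to use for the connection, or None if the cookie is
    stale or was not issued by us for this 4-tuple."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter = cookie >> 27
    idx = (cookie >> 24) & 0x7
    age = (int(now // COUNTER_PERIOD) - counter) & 0x1F   # ticks, modulo 32
    if age > MAX_AGE_TICKS or idx >= len(MSS_TABLE):
        return None
    if (cookie & 0xFFFFFF) != _mac24(src, dst, sport, dport, counter):
        return None
    return MSS_TABLE[idx]


if __name__ == "__main__":
    # Constructed handshake: client 192.0.2.10:40000 -> server 198.51.100.1:80.
    cookie = make_cookie("192.0.2.10", "198.51.100.1", 40000, 80, 1460, 1000.0)
    final_ack = (cookie + 1) & 0xFFFFFFFF
    print("negotiated MSS:",
          check_cookie("192.0.2.10", "198.51.100.1", 40000, 80, final_ack, 1010.0))
```

check_cookie accepts a cookie only from the current or previous counter tick and rejects any change to the 4-tuple or to the cookie bits. Because the counter is only 5 bits, the secret has to be rotated well within 32 ticks or an old cookie would become replayable. The price of the scheme, as with real SYN cookies, is that only the MSS survives the handshake: any other TCP options the client offered are lost, which is why stacks enable cookies only once the queue is under pressure.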

  • AL-1:PG: Prevention Goal
    - AL-1:PG-2: DoS Prevention
      - The system is trying to prevent a denial of service
      - Enable the victim to endure attack attempts without denying service
      - Enforce policies for resource consumption
      - Ensure that abundant resources exist

  • AL-1:PG-2:PM: Prevention Method
    - How do the defense systems prevent DoS?
    - AL-1:PG-2:PM-1: Resource Accounting
      - Police the access of each user to resources based on the privileges of the user and the user's behavior
      - Let real, good users have access
      - Coupled with legitimacy-based access mechanisms
    - AL-1:PG-2:PM-2: Resource Multiplication
      - Ex. Pool of servers with a load balancer, high-bandwidth network

  • AL-2: Reactive
    - Defense systems try to alleviate the impact of an attack
    - Detect the attack and respond to it as early as possible
    - AL-2:ADS: Attack Detection Strategy
      - How does the system detect attacks?
      - AL-2:ADS-1: Pattern Detection
        - Store signatures of known attacks and monitor communications for the presence of these patterns
        - Only known attacks can be detected
        - Ex. Snort

  • AL-2:ADS-2: Anomaly Detection
    - Compare the current state of the system to a model of normal system behavior
    - Previously unknown attacks can be discovered
    - Tradeoff between detecting all attacks and false positives

  • AL-2:ADS-2:NBS: Normal Behavior Specification
    - How is normal behavior defined?
    - AL-2:ADS-2:NBS-1: Standard
      - Rely on some protocol standard or set of rules
      - Ex. The TCP protocol specification describes the three-way handshake; detect half-open TCP connections
      - No false positives, but sophisticated attacks can be left undetected
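An added example, not from the paper or the slides, of the NBS-1 "standard" approach just described: the three-way handshake from the TCP specification is the only model, so a connection that received a SYN-ACK but no final ACK within a timeout is, by definition, half-open. The packet log, the timeout and the per-source limit are constructed for this example.

```python
from collections import Counter

HALF_OPEN_TIMEOUT = 3.0   # seconds a SYN-ACK may wait for its ACK (constructed)
PER_SOURCE_LIMIT = 3      # half-open connections per source before alarm (constructed)


class HalfOpenTracker:
    """Track three-way handshakes seen on the wire and report the ones the
    server answered but the client never completed."""

    def __init__(self, timeout=HALF_OPEN_TIMEOUT):
        self.timeout = timeout
        self.pending = {}       # (client, cport, server, sport) -> (state, t_syn)
        self.established = set()

    def observe(self, t, src, sport, dst, dport, flags):
        """Feed one packet; flags is "S", "SA" or "A" (other packets are ignored)."""
        if flags == "S":
            self.pending[(src, sport, dst, dport)] = ("SYN_SENT", t)
        elif flags == "SA":
            key = (dst, dport, src, sport)          # the server replies to the client
            if key in self.pending:
                self.pending[key] = ("SYN_RECEIVED", self.pending[key][1])
        elif flags == "A":
            key = (src, sport, dst, dport)
            if self.pending.get(key, (None,))[0] == "SYN_RECEIVED":
                del self.pending[key]
                self.established.add(key)

    def half_open(self, now):
        """Handshakes that got a SYN-ACK but no ACK within the timeout."""
        return [k for k, (state, t0) in self.pending.items()
                if state == "SYN_RECEIVED" and now - t0 > self.timeout]

    def suspects(self, now, limit=PER_SOURCE_LIMIT):
        """Sources holding at least `limit` half-open connections."""
        counts = Counter(client for client, _, _, _ in self.half_open(now))
        return {src: n for src, n in counts.items() if n >= limit}


def sample_events():
    """Constructed packet log: (time, src, sport, dst, dport, flags)."""
    server = "198.51.100.1"
    events = [
        (0.0, "192.0.2.10", 40000, server, 80, "S"),     # legitimate client ...
        (0.1, server, 80, "192.0.2.10", 40000, "SA"),
        (0.2, "192.0.2.10", 40000, server, 80, "A"),     # ... completes the handshake
    ]
    for i in range(4):                                    # one source never sends the ACK
        events.append((1.0 + i, "203.0.113.7", 50000 + i, server, 80, "S"))
        events.append((1.1 + i, server, 80, "203.0.113.7", 50000 + i, "SA"))
    return events


def run_sample():
    tracker = HalfOpenTracker()
    for event in sample_events():
        tracker.observe(*event)
    return tracker


if __name__ == "__main__":
    tr = run_sample()
    print("half-open at t=10s:", len(tr.half_open(10.0)))
    print("suspects:", tr.suspects(10.0))
```

A per-source count catches one source leaving many connections half-open. An attack that spoofs a different random source per SYN (ST-1) leaves every source at a count of one, so in that case the total half-open count against the server port is the figure to alarm on. No traffic model is trained, so unusual but well-formed traffic never trips the detector, which is exactly the tradeoff the slide states.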

  • AL-2:ADS-2:NBS-2: Trained
    - Monitor network traffic and system behavior
    - Generate threshold values for different parameters
    - Communications exceeding one or more thresholds are marked as anomalous
    - A low threshold leads to many false positives; a high threshold reduces sensitivity
    - The model of normal behavior must be updated
      - An attacker can slowly increase the traffic rate so that each new model is higher than the last
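An added example, not from the paper or the slides, that ties the NBS-2 "trained" detector above to the RCM-1 increasing-rate attack from the Attack Rate Dynamics slides. The detector trains a per-interval packet-rate baseline, flags an interval whose rate exceeds a multiple of that baseline, and retrains after every interval. It is run over two constructed traces: a sudden flood and a slow ramp. Naive retraining absorbs the flood into the baseline within a few intervals and never notices the ramp; the hardened variant refuses to retrain on a flagged interval and caps how fast the baseline may grow, so it keeps flagging the flood and eventually catches the ramp. All rates, weights and thresholds are constructed assumptions.

```python
def trained_threshold_detector(rates, factor=2.0, alpha=0.1, warmup=10,
                               max_growth=None):
    """Return the indices of the intervals flagged as anomalous.

    rates       packet count per interval (constructed traces below)
    factor      an interval is anomalous if rate > factor * baseline
    alpha       EWMA weight used when retraining the baseline
    warmup      leading intervals used only to train the initial baseline
    max_growth  None: naive retraining, the baseline follows all traffic;
                a fraction: never retrain on a flagged interval, and let the
                baseline grow by at most this fraction per interval
    """
    baseline = sum(rates[:warmup]) / warmup
    flagged = []
    for i in range(warmup, len(rates)):
        rate = rates[i]
        anomalous = rate > factor * baseline
        if anomalous:
            flagged.append(i)
        retrained = (1 - alpha) * baseline + alpha * rate
        if max_growth is None:
            baseline = retrained
        elif not anomalous:
            baseline = min(retrained, baseline * (1 + max_growth))
    return flagged


# Constructed traces: 20 quiet intervals at 100 packets per interval, then
# either a flood at 5000 per interval or a ramp that grows 5% per interval.
NORMAL = [100] * 20
FLOOD = NORMAL + [5000] * 20
RAMP = NORMAL + [round(100 * 1.05 ** k) for k in range(1, 61)]


def compare():
    """Run both detector variants over both traces."""
    return {
        "flood_naive": trained_threshold_detector(FLOOD),
        "flood_hardened": trained_threshold_detector(FLOOD, max_growth=0.01),
        "ramp_naive": trained_threshold_detector(RAMP),
        "ramp_hardened": trained_threshold_detector(RAMP, max_growth=0.01),
    }


if __name__ == "__main__":
    for name, hits in compare().items():
        first = hits[0] if hits else None
        print(f"{name}: {len(hits)} intervals flagged, first at {first}")
```

With naive retraining the flood is flagged for only seven intervals before the baseline has absorbed it, and the 5% ramp is never flagged because the baseline tracks it closely enough to stay within the factor. Capping baseline growth turns the ramp into a race the attacker loses: the rate grows 5% per interval while the model may grow 1%, so the gap opens until the threshold is crossed. The cap is itself a tuning knob with the same tradeoff the slide names, since legitimate growth faster than the cap will also be flagged.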

  • AL-2: Reactive
    - AL-2:ADS-3: Third-Party Detection
      - Rely on an external message that signals the occurrence of an attack and characterizes it
    - AL-2:ARS: Attack Response Strategy
      - What does the system do to minimize the impact of an attack?
      - The goal is to relieve the impact of the attack on the victim with minimal collateral damage

  • AL-2:ARS: Attack Response Strategy
    - AL-2:ARS-1: Agent Identification
      - Provides the victim with information about the identity of the attacking machines
      - Ex. Traceback techniques
    - AL-2:ARS-2: Rate-Limiting
      - Extremely high-scale attacks might still be effective

  • AL-2:ARS: Attack Response Strategy
    - AL-2:ARS-3: Filtering
      - Filter out attack streams
      - Risk of accidental DoS to legitimate traffic; clever attackers might use the filters themselves as DoS tools
      - Ex. Dynamically deployed firewalls
    - AL-2:ARS-4: Reconfiguration
      - Change the topology of the victim or intermediate network
      - Add more resources or isolate attack machines
      - Ex. Reconfigurable overlay networks, replication services

  • CD: Cooperation Degree
    - How much do defense systems work together?
    - CD-1: Autonomous
      - Independent defense at the point of deployment
      - Ex. Firewalls, IDSs
    - CD-2: Cooperative
      - Capable of autonomous detection/response
      - Cooperate with other entities for better performance
      - Ex. Aggregate Congestion Control (ACC) with pushback mechanism: autonomously detects, characterizes and acts on an attack; performs better if rate-limit requests are sent to upstream routers

  • CD-3: Interdependent
    - Cannot operate on its own
    - Requires deployment at multiple networks, or relies on other entities for attack prevention, detection or efficient response
    - Ex. A traceback mechanism on one router is useless

  • DL: Deployment Location
    - Where are defense systems located?
    - DL-1: Victim Network
      - Ex. Resource accounting, protocol security mechanisms
    - DL-2: Intermediate Network
      - Provide defense service to a large number of hosts
      - Ex. Pushback, traceback techniques
    - DL-3: Source Network
      - Prevent network customers from generating DDoS attacks

  • Using the Taxonomies
    - How can the taxonomies be used?
    - A map of DDoS research
    - Common vocabulary
    - Understanding of solution constraints
    - DDoS benchmark generation
    - Exploring new attack strategies
    - Design of attack class-specific solutions
    - Identifying unexplored research areas

  • Strengths
    - Primary contribution: obviously the taxonomy of DDoS mechanisms and defenses
    - Fosters easier cooperation among researchers
    - Covers current attacks and research

  • Weaknesses
    - Clearly non-exhaustive categorization of attacks
    - Naming conventions: AL-2:ADS-2:NBS-1 is not easily understandable

  • Improvements
    - Use the taxonomy to create defenses
    - How do you improve a taxonomy?

  • Summary
    - Taxonomy of DDoS attacks and defenses
    - There are many characteristics of DDoS attacks and defenses
    - Hard to design a defense against all attack types