An Overview and Classification of DDoS Attacks A Taxonomy of DDoS Attack and DDoS Defense Mechanisms Authors-Jelena Mirkovic, University of Delaware Peter Reiher, UCLA Presentation by: Sagar Panchariya Masters Student 1

Page 1

An Overview and Classification of DDoS Attacks

A Taxonomy of DDoS Attack and DDoS Defense Mechanisms

Authors: Jelena Mirkovic, University of Delaware; Peter Reiher, UCLA

Presentation by: Sagar Panchariya Masters Student


Page 2

Table of Contents

• DDoS definition
• How to inflict, entities involved, phases of attack, possible motives behind a DDoS attack
• What makes DDoS possible?
• Classification of attacks
• Video
• Conclusion
• References


Page 3

What is a DoS and DDoS attack?

• In its simplest form, a Denial of Service (DoS) attack is an attack against any system component that attempts to force that component to limit, or even halt, its normal services.

• In its simplest form, a Distributed Denial of Service (DDoS) attack is a DoS attack that occurs from more than one source, and/or from more than one location, at the same time.


Page 4

How to inflict a DDoS attack

• The simplest form of attack is to keep sending a stream of packets to the victim; the stream occupies a substantial share of the victim's resources, rendering its services unavailable to legitimate clients.

• Another approach is to send malformed packets to the victim's machine to confuse the application and force it to freeze or reboot.

• An attack may also subvert the machines in the victim's network so that legitimate clients cannot get the service.


Page 5

Entities involved in a DDoS attack


Page 6

Procedure to launch a DDoS attack:

• 1. The recruit phase: remote machines are scanned for security holes that will let the attacker break in.

• 2. The exploit phase: after vulnerable hosts are discovered, the security holes in these machines are exploited to inject malicious code.

• 3. The inject phase: the insertion of malicious code to control these hosts.

• 4. The use phase: the infected machines are used to infect further machines.


Page 7

Reasons for DDoS attacks:

• 1. Personal reasons: a significant number of DDoS attacks are perpetrated against home computers, presumably for revenge.

• 2. Prestige: a successful attack on popular Web servers gains the respect of the hacker community.

• 3. Material gain: some DDoS attacks are performed for material gain (damaging a competitor's resources or blackmailing companies).

• 4. Political reasons: a country at war could perpetrate attacks against its enemy's critical resources, potentially enlisting a significant portion of the entire country's computing power for this action.


Page 8

Why are DDoS attacks easy?

• The end-to-end service paradigm of the Internet.
• Security is left up to the end parties.
• If one of the parties misbehaves, it can cause damage to its peer.
• The intermediate network finds it hard to detect misbehaving peers and cannot stop them.
• High-bandwidth pathways were built in the intermediate network, while the end networks invested in only as much bandwidth as they thought they might need.
• Thus, malicious clients can misuse the abundant resources of the unwitting intermediate network to deliver numerous messages to a less provisioned victim.


Page 9

Need for Classification

• Classification can be useful in answering some of these questions:
• What are the different ways to perpetrate a DDoS attack?
• For what kinds of attacks have solutions been designed, and what solutions are still left to be designed?
• What novel kinds of DDoS attacks could take place?
• A classification gives researchers a common vocabulary to discuss and implement the solution space for DDoS threats.
• Understanding these threats, implementing them in a test-bed environment, and using them to test defense systems will help researchers keep one step ahead of the attackers.


Page 10


Page 11

• DA1: Manual

The attacker carries out all of the phases (recruit, exploit, infect and use) manually. These were the earliest kinds of DDoS attacks.

• DA2: Semi-Automatic

The recruit, exploit and infect phases are automated. In the use phase, the attacker specifies the attack type, onset, duration and the victim via the handler to the agents, which send packets to the victim.

• DA2:CM: Communication Mechanism

Based on the communication mechanism deployed between agent and handler machines, attacks are further divided into direct and indirect communication.

• DA2:CM1: Direct Communication

During attacks with direct communication, the agent and handler machines need to know each other's identity in order to communicate.


Page 12

• DA2:CM2: Indirect Communication

Attacks with indirect communication use some legitimate communication service to synchronize agent actions. Recent attacks have used IRC (Internet chat program) channels.

• DA3: Automatic

The start time of the attack, attack type, duration and victim are preprogrammed in the attack code. No further communication is needed.

• DA2 and DA3:HSS1: Random Scanning

During random scanning, each compromised host probes random addresses in the IP address space, using a different seed. This produces a high amount of internetwork traffic, and a high number of machines are infected.

• DA2 and DA3:HSS2: Local Subnet Scanning

Local subnet scanning can be added to any of the previously described techniques to preferentially scan for targets that reside on the same subnet as the compromised host.


Page 13

• SAV1: Spoofed Source Address

This is the prevalent type of attack, since it is always to the attacker's advantage to spoof the source address, avoid accountability, and possibly create more noise for detection.

• SAV1:AR: Address Routability

Based on address routability, we differentiate between routable source address and non-routable source address attacks.

• SAV1:AR1: Routable Source Address

Attacks that spoof routable addresses take over the IP address of another machine. This is sometimes done not to avoid accountability, but to perform a reflector attack on the machine whose address was hijacked.

• SAV1:AR2: Non-Routable Source Address

Attackers can spoof non-routable source addresses, some of which may belong to a reserved set of addresses (such as 192.168.0.0/16) or be part of an assigned but unused address space of some network.


Page 14

• DA2 and DA3:VSS1: Horizontal Scanning

This is the common type of scan for worms. Scanning machines look for a specific vulnerability, scanning the same destination port on all machines from a list assembled through host scanning techniques.

• DA2 and DA3:VSS2: Vertical Scanning

This is the common type of scan for intrusions and multi-vector worms. Scanning machines probe multiple ports on a single destination, looking for any way to break in.
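As an added illustration (not code from the paper or the slides), the following takes a batch of connection-attempt records and labels which sources behave like a horizontal scan (VSS1: one port across many hosts) or a vertical scan (VSS2: many ports on one host); the records, addresses and thresholds are constructed sample values.

```python
from collections import defaultdict

# Constructed connection-attempt records (src, dst, dport) using documentation ranges; not real traffic.
FLOWS = (
    [("203.0.113.9", f"198.51.100.{i}", 445) for i in range(1, 9)]                    # VSS1: one port, many hosts
    + [("203.0.113.21", "198.51.100.50", p) for p in (21, 22, 23, 25, 80, 110, 143)]  # VSS2: many ports, one host
    + [("203.0.113.30", "198.51.100.7", 443), ("203.0.113.30", "198.51.100.8", 443)]  # ordinary client
)

def classify_scanners(flows, host_threshold=5, port_threshold=5):
    """Map each source address to 'horizontal', 'vertical', 'mixed' or 'none'.

    horizontal: the same destination port was tried on >= host_threshold distinct hosts (VSS1)
    vertical:   >= port_threshold distinct ports were tried on a single host (VSS2)
    mixed:      both patterns present; none: neither threshold reached
    """
    hosts_per_port = defaultdict(lambda: defaultdict(set))   # src -> dport -> {dst}
    ports_per_host = defaultdict(lambda: defaultdict(set))   # src -> dst -> {dport}
    for src, dst, dport in flows:
        hosts_per_port[src][dport].add(dst)
        ports_per_host[src][dst].add(dport)

    verdicts = {}
    for src in hosts_per_port:
        horizontal = any(len(hosts) >= host_threshold for hosts in hosts_per_port[src].values())
        vertical = any(len(ports) >= port_threshold for ports in ports_per_host[src].values())
        if horizontal and vertical:
            verdicts[src] = "mixed"
        elif horizontal:
            verdicts[src] = "horizontal"
        elif vertical:
            verdicts[src] = "vertical"
        else:
            verdicts[src] = "none"
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify_scanners(FLOWS).items():
        print(f"{src:14} {verdict}")
```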

• EW1: Semantic

Semantic attacks exploit a specific feature or implementation bug of some protocol or application installed at the victim in order to consume excess amounts of its resources.

• EW2: Brute-Force

Brute-force attacks are performed by initiating a vast amount of seemingly legitimate transactions.


Page 15

• SAV1:ST: Spoofing Technique

The spoofing technique defines how the attacker chooses the spoofed source address in its attack packets.

• SAV1:ST1: Random Spoofed Source Address

Many attacks spoof random source addresses in the attack packets, since this can simply be achieved by generating random 32-bit numbers and stamping packets with them.

• SAV1:ST2: Subnet Spoofed Source Address

In subnet spoofing, the attacker spoofs a random address from the address space assigned to the agent machine's subnet.

• SAV1:ST4: Fixed Spoofed Source Address

An attacker performing a reflector attack, or wishing to place the blame for the attack on several specific machines, would use fixed spoofing.
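Added example (not code from the paper or the slides): how a customer-facing edge filter that drops reserved source addresses and enforces the customer's own prefix sees the spoofing classes above (SAV1:AR2 non-routable, SAV1:ST1 random, SAV1:ST2 subnet-spoofed, SAV1:ST4 fixed). The prefix and packet sources are constructed sample values from documentation ranges.

```python
import ipaddress

# Constructed sample value: the prefix the access network assigned to the customer hosting the agent.
AGENT_SUBNET = ipaddress.ip_network("203.0.113.0/24")

# Reserved / non-routable ranges that should never appear as a source on the public Internet
# (the 192.168.0.0/16 example from the slide is one of them).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed packet sources leaving the agent's network, labelled by taxonomy class.
SAMPLE_SOURCES = [
    "203.0.113.5",     # the agent's real address
    "203.0.113.200",   # SAV1:ST2 subnet-spoofed: inside the customer prefix
    "192.168.7.3",     # SAV1:AR2 non-routable (reserved range)
    "10.44.0.9",       # SAV1:AR2 non-routable (reserved range)
    "192.0.2.44",      # SAV1:ST1 random 32-bit value that happens to be routable
    "198.51.100.77",   # SAV1:ST4 / AR1 fixed address of some other routable machine
]

def classify_source(src, agent_subnet=AGENT_SUBNET):
    """Label a source address the way the customer-facing edge filter sees it.

    'bogon'      - reserved/non-routable source: dropped by a bogon filter
    'off-subnet' - routable but outside the customer prefix: dropped by egress filtering
    'on-subnet'  - inside the customer prefix: passes, whether legitimate or subnet-spoofed
    """
    addr = ipaddress.ip_address(src)
    if any(addr in prefix for prefix in BOGON_PREFIXES):
        return "bogon"
    if addr in agent_subnet:
        return "on-subnet"
    return "off-subnet"

def filter_outcome(sources, agent_subnet=AGENT_SUBNET):
    """Count how many packets of a batch each filter stage stops or lets through."""
    counts = {"bogon": 0, "off-subnet": 0, "on-subnet": 0}
    for src in sources:
        counts[classify_source(src, agent_subnet)] += 1
    return counts

if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(f"{src:16} -> {classify_source(src)}")
    print(filter_outcome(SAMPLE_SOURCES))
```

The 'on-subnet' bucket is the caveat: subnet-spoofed sources (ST2) are indistinguishable from the agent's real address at this filter, so prefix-based egress filtering alone does not restore accountability for them.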


Page 16

• ARD: Attack Rate Dynamics

• RD1: Constant Rate

The majority of known attacks deploy a constant rate mechanism. After the onset is commanded, agent machines generate attack packets at a steady rate, usually as many as their resources permit.

• RD2: Variable Rate

Variable rate attacks vary the attack rate of an agent machine to delay or avoid detection and response.

• RD2:RC: Rate Change Mechanism

• RD2:RC1: Increasing Rate

Attacks that have a gradually increasing rate lead to a slow exhaustion of the victim's resources.


Page 17

• RD2: RC2: Fluctuating Rate

Attacks that have a fluctuating rate adjust the attack rate based on the victim's behavior or preprogrammed timing, occasionally relieving the effect to avoid detection.
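Added example (not code from the paper or the slides): constructed per-second packet counts for the constant (RD1), increasing (RD2:RC1) and fluctuating (RD2:RC2) rate patterns, run against a fixed-threshold detector and a baseline-relative (EWMA) detector, to show what each rate dynamic does to detection and to a response that acts only while the rate is high. All rates, thresholds and timings are sample values chosen for illustration.

```python
# Constructed per-second packet counts as seen at the victim; sample values, not captured data.
NORMAL = [50] * 20          # 20 s of ordinary load before the attack onset
ATTACK_LEN = 40             # seconds of attack traffic appended after the normal prefix

def constant_rate(rate=1000, n=ATTACK_LEN):
    """RD1: agents emit at a steady rate from the onset onward."""
    return NORMAL + [rate] * n

def increasing_rate(step=20, n=ATTACK_LEN):
    """RD2:RC1: the rate climbs gradually from the normal level."""
    return NORMAL + [NORMAL[-1] + step * i for i in range(1, n + 1)]

def fluctuating_rate(high=1000, period=10, n=ATTACK_LEN):
    """RD2:RC2: bursts and quiet periods of equal length alternate."""
    return NORMAL + [high if (i // period) % 2 == 0 else NORMAL[-1] for i in range(n)]

def first_alert_threshold(series, threshold=500):
    """Second at which a fixed packets-per-second threshold first trips, or None."""
    return next((t for t, x in enumerate(series) if x > threshold), None)

def first_alert_ewma(series, alpha=0.2, factor=3.0, warmup=10):
    """Second at which the count first exceeds `factor` times an EWMA baseline, or None.
    The baseline keeps learning from every sample, so a slow ramp drags it upward."""
    baseline = series[0]
    for t, x in enumerate(series):
        if t >= warmup and x > factor * baseline:
            return t
        baseline = alpha * x + (1 - alpha) * baseline
    return None

def seconds_over_threshold(series, threshold=500):
    """How many seconds a purely threshold-driven response would stay engaged."""
    return sum(1 for x in series if x > threshold)

if __name__ == "__main__":
    for name, series in (("constant", constant_rate()),
                         ("increasing", increasing_rate()),
                         ("fluctuating", fluctuating_rate())):
        print(name, first_alert_threshold(series), first_alert_ewma(series),
              seconds_over_threshold(series))
```

The ramp never trips the adaptive detector because the baseline learns the rising rate, and the fixed threshold catches it only 22 s after onset; the on/off pattern is detected immediately but keeps a threshold-driven response engaged for only half of the attack.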

• IV: Impact on the Victim

Based on victim type:

• IV1: Disruptive

The goal of disruptive attacks is to completely deny the victim's service to its clients.

• IV1:RM1: Possibility of Dynamic Recovery

Depending on the possibility of dynamic recovery during or after the attack, we differentiate between self-recoverable, human-recoverable and non-recoverable attacks.


Page 18

• IV1:RM2: Self-Recoverable

In the case of self-recoverable attacks, the victim recovers without any human intervention, as soon as the influx of attack packets has stopped.

• IV1:RM3: Human-Recoverable

A victim of a human-recoverable attack requires human intervention (e.g., rebooting the victim machine or reconfiguring it) for recovery, after the attack is stopped.

• IV1:RM3: Non-Recoverable

Non-recoverable attacks inflict permanent damage to the victim's hardware. A new piece of hardware must be purchased for recovery.

• IV: Degrading

The goal of degrading attacks is to consume some (presumably constant) portion of a victim's resources, seriously degrading service to legitimate customers.


Page 19

Conclusion

• A multitude of DDoS attack types exist, and there is no defined classification for studying them as a hierarchy.

• An attempt is made to structure the various known forms of DDoS attacks, and some novel attacks that could become possible in the future, using a classification scheme.

• Future work

Many newly emerging forms of DDoS attacks could be added to the classification under an existing level, or as a separate class altogether.


Page 20

Video

• Shut Down A Website-Perl (with myspace hacker)
• http://www.youtube.com/watch?v=5pzh5zqQ4ic


Page 21

References

• J. Mirkovic and P. Reiher, "A Taxonomy of DDoS Attack and DDoS Defense Mechanisms," ACM SIGCOMM Computer Communication Review (CCR), vol. 34, no. 2, April 2004, pp. 39-54.
• Denial of Service Attack, http://en.wikipedia.org/wiki/Denial-of-service_attack
• Network Security: DoS vs DDoS attacks, http://www.crime-research.org/articles/network-security-dos-ddos-attacks/
