DDoS Attack and Its Defense

CSE 5473: Network Security
Prof. Dong Xuan


Why DoS?

- Sub-cultural status
- To gain access
- Revenge
- Political reasons
- Economic reasons
- Nastiness


How DoS (remotely)?

- Consume host resources: memory, processor cycles, network state
- Consume network resources: bandwidth, router resources (a router is a host too!)
- Exploit protocol vulnerabilities: poison ARP cache, poison DNS cache
- Etc…


Where DoS?

- End hosts: critical servers (disrupt the client/server network): Web, File, Authentication, Update, DNS
- Infrastructure: routers within the organization, all routers in the upstream path


Outline

What is a DDOS attack?

How to defend a DDoS attack?

What is a DDoS attack?

• Internet DDoS attacks are a real threat

- on websites

· Yahoo, CNN, Amazon, eBay, etc. (Feb. 2000)

services were unavailable for several hours

- on Internet infrastructure

· 13 root DNS servers (Oct. 2002)

7 of them were shut down, 2 others partially unavailable

• Lack of defense mechanisms on the current Internet

What is a DDoS Attack?

Examples of DoS include:
- Flooding a network
- Disrupting connections between machines
- Disrupting a service

Distributed Denial-of-Service attacks: many machines are involved in the attack against one or more victim(s)

[Chart: attack size in Gbps; main targets]

Estonian Cyberwar, April 27, 2007: inoperability of the following state and commercial sites:

- The Estonian presidency and its parliament
- Almost all of the country’s government ministries
- Political parties
- Three news organizations
- Two biggest banks and communications firms
- Governmental ISP
- Telecom companies

» Source: Alexei Zhatechenko


Distributed Denial of Service (DDoS) Networks


DDoS Network

http://www.adelphi.edu/~spock/lisa2000-shaft.pdf


You are here…


Typical DDoS attack


What Makes DDoS Attacks Possible?

- The Internet was designed with functionality, not security, in mind
- Internet security is highly interdependent
- Internet resources are limited
- The power of many is greater than the power of a few


To Address DDoS Attacks

Ingress Filtering
- P. Ferguson and D. Senie, RFC 2267, Jan 1998
- Block packets that have illegitimate source addresses
- Disadvantage: overhead makes routing slow

Identification of the origins (traceback problem)
- IP spoofing enables attackers to hide their identity
- Many IP traceback techniques have been suggested

Mitigating the effect during the attack
- Pushback
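To make the ingress-filtering idea concrete, here is an added example (not part of the slides, and not the RFC 2267 authors' code) of the check a provider edge router performs: a packet arriving on a customer-facing interface is forwarded only if its source address falls within the prefixes assigned to that customer. The interface names, prefixes and sample packets are constructed for the illustration.

```python
import ipaddress
from collections import namedtuple

# Added example: ingress filtering in the sense of RFC 2267 at a provider edge
# router.  Interface names and prefixes below are constructed, not real.
Packet = namedtuple("Packet", "ingress_if src dst")

# Per-interface list of source prefixes that may legitimately arrive on it.
INGRESS_POLICY = {
    "cust-eth0": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-eth1": [ipaddress.ip_network("198.51.100.0/25"),
                  ipaddress.ip_network("198.51.100.128/26")],
}

def ingress_allows(policy, packet):
    """True if the packet's source address lies in a prefix assigned to the
    interface it arrived on; unknown interfaces and malformed addresses fail closed."""
    prefixes = policy.get(packet.ingress_if)
    if prefixes is None:
        return False
    try:
        src = ipaddress.ip_address(packet.src)
    except ValueError:
        return False
    return any(src in net for net in prefixes)

def filter_packets(policy, packets):
    """Partition a batch into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if ingress_allows(policy, pkt) else dropped).append(pkt)
    return forwarded, dropped

# Constructed sample traffic toward a hypothetical victim address 192.0.2.10.
SAMPLE = [
    Packet("cust-eth0", "203.0.113.7", "192.0.2.10"),     # legitimate
    Packet("cust-eth0", "10.0.0.1", "192.0.2.10"),        # spoofed, private source
    Packet("cust-eth1", "198.51.100.150", "192.0.2.10"),  # legitimate
    Packet("cust-eth1", "192.0.2.10", "192.0.2.10"),      # spoofed as the victim itself
    Packet("transit0", "192.0.2.99", "192.0.2.10"),       # no policy for this interface
]

if __name__ == "__main__":
    fwd, drop = filter_packets(INGRESS_POLICY, SAMPLE)
    print("forwarded:", [p.src for p in fwd])
    print("dropped:  ", [p.src for p in drop])
```

Two of the five sample packets pass. Note what the filter cannot do: a source address spoofed within the customer's own prefix looks legitimate, so ingress filtering limits how far an attacker can misrepresent the origin (to the customer network) rather than pinning it to a host, which is why the slides still need traceback.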

IP Traceback
- Allows the victim to identify the origin of attackers
- Several approaches: ICMP trace messages, Probabilistic Packet Marking, Hash-based IP Traceback, etc.


PPM

Probabilistic Packet Marking scheme
- Probabilistically inscribe local path information into packets
- Use constant space in the packet header
- Reconstruct the attack path with high probability

Marking at router R:
  for each packet w:
    generate a random number x from [0, 1)
    if x < p then
      write the IP address of R into w.head
      write 0 into w.distance
    else
      if w.distance == 0 then
        write the IP address of R into w.tail
      endif
      increase w.distance
    endif
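The following added simulation (my own illustration, not the slides' or the PPM authors' code) runs the marking rule above at each router on a constructed four-hop path and then performs the victim-side reconstruction the slide promises: each mark that reaches the victim is an edge (head, tail, distance), and the victim chains edges outward by increasing distance. The router names, the marking probability p, and the attacker's forged initial field contents are assumptions of the example.

```python
import math
import random

# Constructed single-path topology: attacker -> R1 -> R2 -> R3 -> R4 -> victim.
ROUTERS = ["R1", "R2", "R3", "R4"]

def mark(router, w, p, rng):
    """Edge-sampling marking performed by router R on packet w (the slide's algorithm)."""
    if rng.random() < p:
        w["head"], w["tail"], w["distance"] = router, None, 0   # start a new edge sample
    else:
        if w["distance"] == 0:
            w["tail"] = router          # complete the edge started one hop upstream
        w["distance"] += 1

def send_attack_packets(n, p, seed=0):
    """Drive n packets along the path; return the (head, tail, distance) marks the victim sees."""
    rng = random.Random(seed)
    received = []
    for _ in range(n):
        # The attacker controls the initial field contents.  A forged head with
        # distance 0 is the case worth checking: it survives if no router samples.
        w = {"head": "FORGED", "tail": None, "distance": 0}
        for r in ROUTERS:
            mark(r, w, p, rng)
        received.append((w["head"], w["tail"], w["distance"]))
    return received

def reconstruct(marks):
    """Victim side: starting at distance 0 (the edge ending at the victim, tail None),
    repeatedly take the edge whose tail is the previous hop and whose distance is
    one larger.  Returns the routers from the victim outward."""
    edges = set(marks)
    path, tail, dist = [], None, 0
    while True:
        heads = {h for (h, t, d) in edges if t == tail and d == dist}
        if not heads:
            return path
        head = sorted(heads)[0]   # a single attack path yields one head per distance
        path.append(head)
        tail, dist = head, dist + 1

def expected_packets(p, d):
    """Upper bound on the number of packets needed to observe every edge of a
    d-hop path, from the edge-sampling analysis of Savage et al.: ln(d) / (p (1-p)^(d-1))."""
    return math.log(d) / (p * (1 - p) ** (d - 1))

if __name__ == "__main__":
    marks = send_attack_packets(2000, 0.25, seed=1)
    print("distinct edges seen:", sorted(set(marks), key=lambda e: e[2]))
    print("reconstructed path (victim outward):", reconstruct(marks))
    print("packets needed for d=4, p=0.25 (bound): %.1f" % expected_packets(0.25, 4))
```

With p = 0.25 the reconstruction yields R4, R3, R2, R1 and then the attacker's forged head at distance 4. That last entry is expected: every router overwrites the distance field, so a forged edge can only appear farther from the victim than the real path, and the router nearest the attacker (R1) is still identified correctly. The bound of roughly 13 packets for a four-hop path explains why a flood, which supplies thousands of packets, is exactly the traffic PPM reconstructs well.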

PPM (Cont.)

[Figure, three slides: victim V at the root, routers R along the paths, with a legitimate user and an attacker at the leaves]


What is Pushback?

A mechanism that allows a router to request adjacent upstream routers to limit the rate of traffic


How Does It Work?

- A congested router requests adjacent upstream routers to limit the rate of traffic for that particular aggregate
- The router sends a pushback message
- Routers that receive it propagate the pushback to their own upstream neighbors


How Does It Work?

[Figure]

When is it invoked?

- The drop rate for an aggregate exceeds the limit imposed on it (found by monitoring the queue)
- The pushback agent receives information that a DoS attack is underway (from the packet drop history)


When does it stop?

Feedback messages are sent to upstream routers that report on how much traffic from the aggregates is still present
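Slides 26 through 30 describe one procedure: detect an over-limit aggregate, send pushback to the upstream routers contributing to it, let them propagate it, and use feedback to see how much of the aggregate remains. The added simulation below (mine, not the original pushback implementation) runs that procedure on a constructed six-router tree in which one low-rate legitimate flow shares the aggregate with two flooding sources. The topology, capacities, drop threshold and the max-min split of the aggregate limit among upstream links are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DROP_THRESHOLD = 0.10  # invoke pushback when more than 10% of the aggregate is dropped (assumed)

@dataclass
class Router:
    name: str
    capacity: float                        # Mb/s this router can forward for the aggregate
    local_in: float = 0.0                  # aggregate traffic injected by hosts behind this router
    upstreams: List["Router"] = field(default_factory=list)
    limit: Optional[float] = None          # rate limit imposed by a pushback message
    log: List[str] = field(default_factory=list)

    def offered(self) -> float:
        """Aggregate traffic arriving at this router, before any dropping."""
        return self.local_in + sum(u.forwarded() for u in self.upstreams)

    def forwarded(self) -> float:
        """Traffic actually sent downstream: bounded by capacity and any pushback limit."""
        rate = min(self.offered(), self.capacity)
        return rate if self.limit is None else min(rate, self.limit)

    def drop_rate(self) -> float:
        off = self.offered()
        return 0.0 if off == 0 else 1.0 - self.forwarded() / off

def max_min_split(budget: float, demands: Dict[str, float]) -> Dict[str, float]:
    """Max-min fair division of the budget: contributors below the fair share keep
    their whole rate, the remainder is shared equally among the larger ones."""
    alloc, remaining = {}, budget
    pending = sorted(demands.items(), key=lambda kv: kv[1])
    for i, (name, demand) in enumerate(pending):
        give = min(demand, remaining / (len(pending) - i))
        alloc[name] = give
        remaining -= give
    return alloc

def run_pushback(router: Router) -> None:
    """Invoked when the aggregate's drop rate exceeds the threshold: asks each
    contributing upstream router to rate-limit, and they propagate in turn.
    Stops where the drop rate is already within the limit."""
    if router.drop_rate() <= DROP_THRESHOLD or not router.upstreams:
        return
    budget = router.forwarded() - router.local_in          # what upstreams may still send
    demands = {u.name: u.forwarded() for u in router.upstreams if u.forwarded() > 0}
    shares = max_min_split(budget, demands)
    by_name = {u.name: u for u in router.upstreams}
    for name, share in shares.items():
        by_name[name].limit = share
        router.log.append(f"pushback {router.name}->{name}: limit aggregate to {share:.1f}")
        run_pushback(by_name[name])                         # propagate upstream
    for name in shares:                                     # feedback: traffic still present
        router.log.append(f"feedback {name}->{router.name}: {by_name[name].forwarded():.1f} still arriving")

def build_topology():
    """Constructed topology: victim-side router V (capacity 10) fed by A and B;
    A1 and B1 are flooding sources, A2 carries a 2 Mb/s legitimate flow in the same aggregate."""
    a1 = Router("A1", 100, local_in=40)
    a2 = Router("A2", 100, local_in=2)
    b1 = Router("B1", 100, local_in=30)
    a = Router("A", 100, upstreams=[a1, a2])
    b = Router("B", 100, upstreams=[b1])
    v = Router("V", 10, upstreams=[a, b])
    return v, {r.name: r for r in (v, a, b, a1, a2, b1)}

if __name__ == "__main__":
    v, routers = build_topology()
    print(f"before: V offered {v.offered():.1f}, drop rate {v.drop_rate():.2f}")
    run_pushback(v)
    for r in routers.values():
        for line in r.log:
            print(line)
    print(f"after: V offered {v.offered():.1f}, drop rate {v.drop_rate():.2f}; "
          f"A2 forwards {routers['A2'].forwarded():.1f}")
```

Before pushback, V receives 72 Mb/s of the aggregate against a capacity of 10 and drops 86% of it. After pushback, the dropping has moved to A1 and B1, next to the sources, so the links between them and V no longer carry packets that would be discarded anyway (the advantage on the next slide), and the 2 Mb/s legitimate flow through A2 passes untouched because the max-min split gives small contributors their full rate. A reflector attack, where the aggregate arrives from many low-rate sources, would not be limited by this split, which is one of the disadvantages the later slides name.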


What are some advantages?

- Pushback prevents bandwidth from being wasted on packets that will later be dropped (better the closer it is applied to the source)
- Protects other traffic from the attack traffic
- When the network is under attack, it can rate-limit the malicious traffic


Any disadvantages?

- Pushback will be ineffective against certain DoS attacks (reflector attacks)
- Can make matters worse (against flooding attacks)
- Not the only solution

Conclusion

- What is a DDoS attack?
- Defending against a DDoS attack: ingress filtering, traceback, pushback