a taxonomy of ddos attack and ddos defense mechanisms

A Taxonomy of DDoS Attack and DDoS Defense

MechanismsWritten By Jelena Mirkovic and Peter Reiher

In ACM SIGCOMM Computer Communication Review, April 2005

Presented by Jared Bott

Key Point!

• DDoS attacks can be carried out in a wide variety of manners, with a wide variety of purposes

• DDoS defenses show great variety

DDoS Attacks

• An explicit attempt to prevent the legitimate use of a service

• Multiple attacking entities, known as agents

• DDoS is a serious problem

• Many proposals about how to deal with it

Agent

Target

What makes DDoS attacks possible?• Answer: The end-to-end paradigm• Internet security is highly interdependent

• Susceptibility of system depends on security of Internet

• Internet resources are limited• Intelligence and resources are not collocated

• End systems are intelligent, intermediate systems are high in resources

• Accountability is not enforced• IP Spoofing is possible

• Control is distributed• No way to enforce global deployment of a

security mechanism or policy

Taxonomy of Attacks

DA: Degree of Automation

• How involved is the attacker?

• Automation of the recruit, exploit, infect and scan phases

• DA-1: Manual• DA-2: Semi-Automatic

• Recruit, exploit and infect phases are automated

• DA-3: Automatic

DA-2:CM: Communication Mechanism• How do semi-autonomous systems communicate?

• DA-2:CM-1: Direct Communication• Agent/handlers know each other’s identities• Communication through TCP or UDP

• DA-2:CM-2: Indirect Communication• Communication through IRC

DA-2/DA-3:HSS: Host Scanning Strategy• How do attackers find computers to make into agents?

• Choose addresses of potentially vulnerable machines to scan

• DA-2/DA-3:HSS-1: Random Scanning• DA-2/DA-3:HSS-2: Hitlist Scanning

DA-2/DA-3:HSS: Host Scanning Strategy

• DA-2/DA-3:HSS-3: Signpost Scanning• Topological scanning• Email worms send emails to everyone in

address book• Web-server worms infect visitors’ vulnerable

browsers to infect servers visited later

DA-2/DA-3:HSS: Host Scanning Strategy• DA-2/DA-3:HSS-4: Permutation Scanning

• Pseudo-random permutation of IP space is shared among all infected machines

• Newly infected machine starts at a random point

• DA-2/DA-3:HSS-5: Local Subnet Scanning• Examples:

• HSS-1: Code Red v2• HSS-5: Code Red II, Nimda

DA-2/DA-3:VSS: Vulnerability Scanning Strategy• We have found a machine, can it be “infected?”

• DA-2/DA-3:VSS-1: Horizontal Scanning• DA-2/DA-3:VSS-2: Vertical Scanning• DA-2/DA-3:VSS-3: Coordinated Scanning

• Machines probe the same port(s) at multiple machines within a local subnet

• DA-2/DA-3:VSS-4: Stealthy Scanning

DA-2/DA-3:PM: Propagation Method• How does attack code get onto

compromised machines?

• DA-2/DA-3:PM-1: Central Source Propagation• Attack code resides on

server(s)

DA-2/DA-3:PM: Propagation Method• DA-2/DA-3:PM-2:

Back-Chaining Propagation• Attack code is

downloaded from the machine that exploited the system

DA-2/DA-3:PM: Propagation Method• DA-2/DA-3:PM-3:

Autonomous Propagation• Inject attack instructions

directly into the target host during the exploit phase

• Ex. Code Red, various email worms, Warhol worm idea

EW: Exploited Weakness to Deny Service• What weakness of the target machine is exploited to deny service?

• EW-1: Semantic• Exploit a specific feature or implementation bug• Ex. TCP SYN attack

• Exploited feature is allocation of substantial space in a connection queue immediately upon receipt of a TCP SYN.

• EW-2: Brute-Force

SAV: Source Address Validity

• Do packets have the agents’ real IP addresses?

• SAV-1: Spoofed Source Address• SAV-2: Valid Source Address

• Frequently originate from Windows machines

• SAV-1:AR: Address Routability• This is not the attacker’s address, but can it be routed?

• SAV-1:AR-1: Routable Source Address• SAV-1:AR-2: Non-Routable Source Address

SAV-1:ST: Spoofing Technique

• How does an agent come up with an IP address?

• SAV-1:ST-1: Random Spoofed Source Address• Random 32-bit number• Prevented using ingress filtering, route-based filtering

• SAV-1:ST-2: Subnet Spoofed Source Address• Spoofs a random address from the address space

assigned to the machine’s subnet• Ex. A machine in the 131.179.192.0/24 chooses in the

range 131.179.192.0 to 131.179.192.255

SAV-1:ST: Spoofing Technique

• SAV-1:ST-3: En Route Spoofed Source Address• Spoof address of a machine or subnet along the path

to victim

• SAV-1:ST-4: Fixed Spoofed Source Address• Choose a source address from a specific list• Reflector attack

ARD: Attack Rate Dynamics

• Does the attack rate change?

• ARD-1: Constant Rate• Used in majority of known attacks• Best cost-effectiveness: minimal number of

computers needed• Obvious anomaly in traffic

• ARD-2: Variable Rate

ARD-2:RCM: Rate Change Mechanism• How does the rate change?

• ARD-2:RCM-1: Increasing Rate• Gradually increasing rate leads to a slow exhaustion of victim’s

resources• Could manipulate defense that train their baseline models

• ARD-2:RCM-2: Fluctuating Rate• Adjust the attack rate based on victim’s behavior or

preprogrammed timing• Ex. Pulsing attack

PC: Possibility of Characterization

• Can the attacking traffic be characterized?

• Characterization may lead to filtering rules

• PC-1: Characterizable• Those that target specific protocols or applications at

the victim• Can be identified by a combination of IP header and

transport protocol header values or packet contents• Ex. TCP SYN attack

• SYN bit set

PC-1:RAVS: Relation of Attack to Victim Services• The traffic is characterizable, but is it related to the target’s

services?

• PC-1:RAVS-1: Filterable• Traffic made of malformed packets or packets for non-critical

services of the victim’s operation• Ex. ICMP ECHO flood attack on a web server

• PC-1:RAVS-2: Non-Filterable• Well-formed packets that request legitimate and critical services• Filtering all packets that match attack characterization would

lead to a denial of service

PC: Possibility of Characterization

• PC-2: Non-Characterizable• Traffic that uses a variety of packets that engage

different applications and protocols

• Classification depends on resources that can be used to characterize and the level of characterization• Ex. Attack uses a mixture of TCP packets with various

combinations of TCP header fields• Characterizable as TCP attack, but nothing finer without vast

resources

PAS: Persistence of Agent Set

• Do the same agents attack the whole time?

• Some attacks vary their set of active agent machines

• Avoid detection and hinder traceback

• PAS-1: Constant Agent Set

• PAS-2: Variable Agent Set

Bright red attacks for 4 hoursDark red attacks for next 4 hours

VT: Victim Type

• What does the attack target?

• VT-1: Application• Ex. Bogus signature attack on an authentication server

• Authentication not possible, but other applications still available

• VT-2: Host• Disable access to the target machine• Overloading, disabling communications, crash machine, freeze

machine, reboot machine• Ex. TCP SYN attack overloads communications of machine

VT: Victim Type

• VT-3: Resource Attacks• Target a critical resource in the victim’s network

• Ex. DNS server, router

• Prevented by replicating critical services, designing robust network topology

• VT-4: Network Attacks• Consume the incoming bandwidth of a target network• Victim must request help from upstream networks

VT: Victim Type

• VT-5: Infrastructure• Target a distributed service that is crucial for

global Internet operation• Ex. Root DNS server attacks in October 2002,

February 2007

IV: Impact on the Victim

How does an attack affect the victim’s service?

IV-1: Disruptive Completely deny the victim’s service to its clients All currently reported attacks are this kind

IV-2: Degrading Consume some portion of a victim’s resources,

seriously degrading service to customers Could remain undetected for long time

IV-1:PDR: Possibility of Dynamic Recovery• Can a system recover from an attack? How?

• IV-1:PDR-1: Self-Recoverable• Ex. UDP flooding attack

• IV-1:PDR-2: Human-Recoverable• Ex. Computer freezes, requires reboot

• IV-1:PDR-3: Non-Recoverable• Permanent damage to victim’s hardware• No reliable accounts of these attacks

DDoS Defense

• Several factors hinder the advance of DDoS defense research• Need for a distributed response at many points on the

Internet• Many attacks need upstream network resources to stop

attacks

• Economic and social factors• A distributed response system must be deployed by parties

that aren’t directly damaged by a DDoS attack

DDoS Defense

• Lack of defense system benchmarks• No benchmark suite of attack scenarios or

established evaluation methodologies

• Lack of detailed attack information• We have information on control programs• Information on frequency of various attack types is

lacking• Information on rate, duration, packet size, etc. are

lacking

DDoS Defense

• Difficulty of large-scale testing• No large-scale test beds

• U.S. National Science Foundation is funding development of a large-scale cybersecurity test bed

• No safe ways to perform live distributed experiments across the Internet

• No detailed and realistic simulation tools that support thousands of nodes

Taxonomy of DDoS Defenses

AL: Activity Level

• When does a defense system work?

• AL-1: Preventive• Eliminate possibility of DDoS attacks or enable

victims to endure the attack without denial of service

• AL-1:PG: Prevention Goal• What is the system trying to do?• AL-1:PG-1: Attack Prevention

• The system is trying to prevent attacks

AL-1:PG-1:ST: Secured Target

• What does a system try to secure to prevent an attack?

• AL-1:PG-1:ST-1: System Security• Secure the system• Guard against illegitimate accesses to a machine• Remove application bugs, Update protocol

installations• Ex. Firewall systems, IDSs, Automated updates

AL-1:PG-1:ST: Secured Target

• AL-1:PG-1:ST-2: Protocol Security• Secure the protocols• Bad protocol design examples: TCP SYN Attack,

Authentication server attack, IP source address spoofing• Ex. Deployment of a powerful proxy server that

completes TCP connections• Ex. TCP SYN cookies

AL-1:PG: Prevention Goal

• AL-1:PG-2: DoS Prevention• The system is trying to prevent a denial of service• Enable the victim to endure attack attempts without

denying service• Enforce policies for resource consumption• Ensure that abundant resources exist

AL-1:PG-2:PM: Prevention Method• How do the defense systems prevent DoS?

• AL-1:PG-2:PM-1: Resource Accounting• Police the access of each user to resources based on the

privileges of the user and user’s behavior• Let real, good users have access• Coupled with legitimacy-based access mechanisms

• AL-1:PG-2:PM-2: Resource Multiplication• Ex. Pool of servers with load balancer, high bandwidth

network

AL-2: Reactive

• Defense systems try to alleviate the impact of an attack• Detect attack and respond to it as early as possible

• AL-2:ADS: Attack Detection Strategy• How does the system detect attacks?

• AL-2:ADS-1: Pattern Detection• Store signatures of known attacks and monitor communications

for the presence of patterns• Only known attacks can be detected• Ex. Snort

AL-2:ADS-2: Anomaly Detection

• Compare current state of system to a model of normal system behavior

• Previously unknown attacks can be discovered• Tradeoff between detecting all attacks and false

positives

AL-2:ADS-2:NBS: Normal Behavior Specification

• How is normal behavior defined?

• AL-2:ADS-2:NBS-1: Standard• Rely on some protocol standard or set of rules• Ex. TCP protocol specification describes

three-way handshake• Detect half-open TCP connections

• No false positives, but sophisticated attacks can be left undetected

AL-2:ADS-2:NBS-2: Trained

• Monitor network traffic and system behavior• Generate threshold values for different parameters

• Communications exceeding one or more thresholds are marked as anomalous

• Low threshold leads to many false positives, high threshold reduces sensitivity

• Model of normal behavior must be updated• Attacker can slowly increase traffic rate so that new models are

higher and higher

AL-2: Reactive

• AL-2:ADS-3: Third-Party Detection• Rely on external message that signals occurrence of

attack and attack characterization

• AL-2:ARS: Attack Response Strategy• What does the system do to minimize impact of attack?

• Goal is to relieve impact of attack on victim with minimal collateral damage

AL-2:ARS: Attack Response Strategy

• AL-2:ARS-1: Agent Identification• Provides victim with information about the ID

of the attacking machines• Ex. Traceback techniques

• AL-2:ARS-2: Rate-Limiting• Extremely high-scale attacks might still be

effective

AL-2:ARS: Attack Response Strategy• AL-2:ARS-3: Filtering

• Filter out attack streams• Risk of accidental DoS to legitimate traffic, clever attackers

might use as DoS tools

• Ex. Dynamically deployed firewalls• AL-2:ARS-4: Reconfiguration

• Change topology of victim or intermediate network• Add more resources or isolate attack machines

• Ex. Reconfigurable overlay networks, replication services

CD: Cooperation Degree

• How much do defense systems work together?

• CD-1: Autonomous• Independent defense at point of deployment• Ex. Firewalls, IDSs

• CD-2: Cooperative• Capable of autonomous detection/response• Cooperate with other entities for better performance• Ex. Aggregate Congestion Control (ACC) with pushback

mechanism• Autonomously detect, characterize and act on attack• Better performance if rate-limit requests sent to upstream routers

CD-3: Interdependent

• Cannot operate on own• Require deployment at multiple networks

or rely on other entities for attack prevention, detection or efficient response

• Ex. Traceback mechanism on one router is useless

DL: Deployment Location

• Where are defense systems located?

• DL-1: Victim Network• Ex. Resource accounting, protocol security mechanisms

• DL-2: Intermediate Network• Provide defense service to a large number of hosts• Ex. Pushback, traceback techniques

• DL-3: Source Network• Prevent network customers from generating DDoS attacks

Using The Taxonomies

• How can the taxonomies be used?• A map of DDoS research• Common vocabulary• Understanding of solution constraints• DDoS benchmark generation• Exploring new attack strategies• Design of attack class-specific solutions• Identifying unexplored research areas

Strengths

• Primary Contribution• Obviously the taxonomy of DDoS

mechanisms and defenses

• Fosters easier cooperation among researchers

• Covers current attacks and research

Weaknesses

• Clearly non-exhaustive categorization of attacks

• Naming conventions• AL-2:ADS-2:NBS-1 is not easily

understandable

Improvements

• Use taxonomy to create defenses

• How do you improve a taxonomy?

Summary

• Taxonomy of DDoS attacks and defenses• There are many characteristics of DDoS

attacks and defenses

• Hard to design a defense against all attack types