DDoS Attacks and Defenses Prof. Heejo Lee Computer & Communication Security Lab Div. of Computer & Communication Engineering Korea University, [email protected] April 15, 2008

Page 1: DDoS Attacks and Defenses (download.nboard2.naver.net/download/1000003310...)

DDoS Attacks and Defenses

Prof. Heejo Lee

Computer & Communication Security Lab

Div. of Computer & Communication Engineering

Korea University, [email protected]

April 15, 2008

Page 2

Overview

1. History of DDoS Attack

2. Types of DDoS Attack

3. DDoS Defenses

4. IP Spoofing Prevention

5. Attack Visualization

6. Botnet Detection

Page 3

1. History of DDoS Attacks

[Figure: evolution of attack types along the timeline: DoS, Spoofing, Distributed DoS, Distributed Reflector DoS, Botnet]

1996 SYN flooding attacks

1997 Smurf attacks

1999 Distributed attack tools

2000 Yahoo, CNN, eBay attacks

2001 CodeRed worms

2002 DNS root server attack

2003 Slammer worms

2004 Botnet attacks

2007 2nd DNS root server attack

2008 Prevalence of ransom attacks

Page 4

DDoS Attacks

• Most significant threat to network operators

Source: Worldwide Infrastructure Security Report, Arbor Networks, Sep. 2007

Page 5

DNS Backbone DDoS Attacks

A political rather than technical response implies the lack of proper countermeasures.

Page 6

Ransom DDoS Attacks

• Ransom attacks

– Demand money to prevent the site from being attacked

• Growing frequency

– Online-game item-trading sites, Oct. 2007

– M stock trading company, Mar. 2008

• Difficulty of incident response

– Lack of network security awareness

– Distributed attacks via a botnet

– Attacking from overseas, e.g. China

[Figure: "Whoever's sites, maybe yours?": shopping, portal and trading sites; game, chatting and adult sites]

Page 7

2. Types of DDoS Attack

① DoS attacks

– “Denial of Service attack”

• Attempt to prevent legitimate users from using a service

– Examples of DoS include

• Flooding a network, disrupting a service

• Disrupting connections between machines

Page 8

2. Types of DDoS Attack

② DDoS attacks

– “Distributed Denial of Service” attack

– Many machines are involved in the attack against one or more victim(s)

Page 9

2. Types of DDoS Attack

③ DRDoS attacks

– “Distributed Reflector Denial of Service attack”

– DRDoS is much like a DDoS, but the attack source is spoofed

• Web or name server reflection

• Amplification attacks (broadcast ping, DNS queries)

Page 10

2. Types of DDoS Attack

④ Botnet

A botnet is a large pool of compromised hosts, which is remotely controllable by a server and can be used for sending spam mails, stealing personal information, and launching DDoS attacks.

Page 11

3. DDoS Defenses

[Figure: threats (IP spoofing, distributed attacks, botnets) mapped to three defense stages]

Prevention: IP spoofing prevention

Detection: attack detection & visualization

Response: rate limiting & distributed filtering

Page 12

4. IP Spoofing Prevention

① Ingress filtering [RFC 2827]

– Ingress filtering drops packets with source addresses that do not belong to the local network before they leave that network.

– No benefits for early adopters, not suitable for multihomed networks

[Figure: S sends a packet claiming "Here's a packet from A to B"; the edge router of S's network drops it: "I know my addresses and A is not one of them"]

Page 13

4. IP Spoofing Prevention

② Unicast Reverse Path Forwarding (uRPF) [Cisco 2003]

– IP packets are checked to ensure that the route back to the source uses the same interface.

– RPF-enabled routers forward only packets that have valid source addresses consistent with the IP routing table.

– Ingress filtering for multihomed networks [RFC 3704]

– Not suitable for asymmetric routing paths (over 50%)

Page 14

4. IP Spoofing Prevention

③ Route-based Distributed Packet Filtering (DPF) [ACM SIGCOMM, 2001]

– Proposed for filtering spoofed packets using routing information; also works under routing asymmetry.

– DPF does not provide direct incentives to deployers: everyone shares the benefits.

– It is difficult for DPF to keep routing information up to date.
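The three spoofing filters on slides 12 to 14 differ in what they compare a packet's source address against: ingress filtering uses the local prefix, strict uRPF uses the router's own reverse route, and DPF uses the set of (source, incoming link) pairs that the routes actually in use can produce. The following added example (not code from the slides or from the cited papers) runs all three on a constructed four-router topology whose A-to-D and D-to-A routes are deliberately asymmetric, so the uRPF caveat and the DPF advantage both show up on the same packet. Topology, prefixes, static routes and packets are all assumptions made for the illustration.

```python
"""Ingress filtering, strict uRPF and route-based DPF on a toy topology.

Added example; the topology, prefixes and static routes are constructed.
A -> D is routed through B but D -> A through C, an asymmetric pair.
"""
import ipaddress

# Constructed: router -> customer prefix attached to it.
PREFIXES = {
    "A": ipaddress.ip_network("10.1.0.0/16"),
    "C": ipaddress.ip_network("10.3.0.0/16"),
    "D": ipaddress.ip_network("10.4.0.0/16"),
}

# Constructed static routes as full paths, keyed by (source router, destination router).
ROUTES = {
    ("A", "B"): ["A", "B"], ("B", "A"): ["B", "A"],
    ("A", "C"): ["A", "C"], ("C", "A"): ["C", "A"],
    ("B", "D"): ["B", "D"], ("D", "B"): ["D", "B"],
    ("C", "D"): ["C", "D"], ("D", "C"): ["D", "C"],
    ("A", "D"): ["A", "B", "D"], ("D", "A"): ["D", "C", "A"],   # asymmetric
    ("B", "C"): ["B", "D", "C"], ("C", "B"): ["C", "D", "B"],
}
LOCAL = "net"   # marker: packet arrived from the router's own customer network


def origin_router(ip):
    """Router announcing the prefix that contains ip, or None for a bogon."""
    addr = ipaddress.ip_address(ip)
    for router, net in PREFIXES.items():
        if addr in net:
            return router
    return None


def next_hop(router, dst_router):
    return ROUTES[(router, dst_router)][1]


def ingress_filter(router, pkt):
    """RFC 2827 at the customer edge: a packet leaving the local network must carry a local source."""
    if pkt["via"] != LOCAL:
        return True          # only applied on the customer-facing interface
    return ipaddress.ip_address(pkt["src"]) in PREFIXES[router]


def urpf_strict(router, pkt):
    """Strict uRPF: accept only if the route back to the source leaves via the arrival interface."""
    origin = origin_router(pkt["src"])
    if origin is None:
        return False
    if origin == router:
        return pkt["via"] == LOCAL
    return next_hop(router, origin) == pkt["via"]


def build_dpf_table():
    """DPF: (router, arrival interface, source origin) triples consistent with the routes in use."""
    valid = {(router, LOCAL, router) for router in PREFIXES}
    for path in ROUTES.values():
        for i in range(1, len(path)):
            valid.add((path[i], path[i - 1], path[0]))
    return valid


DPF_TABLE = build_dpf_table()


def dpf_filter(router, pkt):
    return (router, pkt["via"], origin_router(pkt["src"])) in DPF_TABLE


def evaluate():
    """Constructed cases: a genuine packet A -> B -> D and a packet spoofing an A address from behind C."""
    legit_at_d = {"src": "10.1.0.5", "dst": "10.4.0.9", "via": "B"}
    spoof_at_c = {"src": "10.1.0.5", "dst": "10.4.0.9", "via": LOCAL}
    spoof_at_d = {"src": "10.1.0.5", "dst": "10.4.0.9", "via": "C"}
    return {
        "legit_urpf_at_D": urpf_strict("D", legit_at_d),        # False: reverse route is via C (asymmetry)
        "legit_dpf_at_D": dpf_filter("D", legit_at_d),          # True: the A -> B -> D route is known
        "spoof_ingress_at_C": ingress_filter("C", spoof_at_c),  # False: 10.1.0.5 is not one of C's addresses
        "spoof_urpf_at_D": urpf_strict("D", spoof_at_d),        # True: D's route to A is via C, so uRPF misses it
        "spoof_dpf_at_D": dpf_filter("D", spoof_at_d),          # False: no route from A enters D via C
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name}: {'accept' if verdict else 'drop'}")
```

The same genuine packet is dropped by strict uRPF at D and accepted by DPF, while the spoofed one is accepted by uRPF and dropped by DPF; ingress filtering would have stopped the spoofed packet at C's customer edge, which is why the slides treat it as the first line of defense despite its deployment incentives.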

Page 15

4. IP Spoofing Prevention

④ BGP Anti-Spoofing Extension (BASE) [ASIACCS, 2007]

① Distribution of marking values

② Filter invocation

③ Packet marking & filtering

④ Filter revocation

• Incremental deployability

– Initial benefits for the early adopters

– Incremental benefits for the early majority

– Effectiveness under partial deployment

• Strong filtering performance

– 30% deployment can drop about 97% of attack packets

Page 16

5. DDoS Defense Location

[Figure: three possible defense locations]

1. Defense at victim

2. Defense at network

3. Defense at sources

Page 17

Primary Attack Mitigation Techniques

• Attack packet dropping w/ ACLs, blackholing

Source: Worldwide Infrastructure Security Report, Arbor Networks, Sep. 2007

Page 18

Rate Limiting for DDoS Mitigation

• Unified rate limiting, ISPEC 2008

– Works close to attack sources

– Deals with Internet worms and DDoS attacks

Page 19

Anomaly Worm Detection

• ADUR, IEICE T COMM 2007

– Anomaly Detection Using Randomness check

State      Description
Calm       Normal state
Flowing    Attacked by a worm from another infected network
Ebbing     Infected by a worm inside the monitored network
Flooding   Both Flowing and Ebbing

ADUR classifies the monitored network into one of these four states.
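The slide names the four states but not how the randomness check decides which one applies. The added example below (not the ADUR code from the IEICE paper) implements one instantiation of such a check, which is an assumption on my part: a GF(2) rank test over the 32-bit destination addresses seen in each traffic direction. A scanning worm spreads packets over many unrelated addresses and produces a near full-rank bit matrix, while normal traffic concentrates on a few servers and produces a low rank. Inbound randomness gives Flowing, outbound randomness gives Ebbing, both give Flooding. The monitored prefix, threshold and all flows are constructed.

```python
"""Network-state classification with a randomness check, in the style of ADUR.

Added example. Assumption: the randomness check is a GF(2) rank test on the
destination addresses seen in one direction. All traffic below is constructed.
"""
import ipaddress

MONITORED = ipaddress.ip_network("10.0.0.0/8")   # constructed monitoring network
RANDOM_THRESHOLD = 0.5                            # rank ratio above which a direction is "random"
MAX_ROWS = 32                                     # address width: more rows cannot raise the rank

STATES = {
    (False, False): "Calm",      # normal
    (True, False): "Flowing",    # random inbound destinations: worm from another network
    (False, True): "Ebbing",     # random outbound destinations: infected host inside
    (True, True): "Flooding",    # both
}


def gf2_rank(rows):
    """Rank of 32-bit row vectors over GF(2), by Gaussian elimination on ints."""
    rows = list(rows)
    rank = 0
    for bit in reversed(range(32)):
        pivot = next((i for i in range(rank, len(rows)) if (rows[i] >> bit) & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and (rows[i] >> bit) & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank


def randomness(addresses):
    """Rank of the address bit matrix divided by its maximum possible rank (0.0 .. 1.0)."""
    rows = [int(ipaddress.ip_address(a)) for a in addresses[:MAX_ROWS]]
    if not rows:
        return 0.0
    return gf2_rank(rows) / min(len(rows), MAX_ROWS)


def classify(flows):
    """flows: list of (src, dst) strings. Returns one of the four ADUR states."""
    inbound, outbound = [], []
    for src, dst in flows:
        s_in = ipaddress.ip_address(src) in MONITORED
        d_in = ipaddress.ip_address(dst) in MONITORED
        if d_in and not s_in:
            inbound.append(dst)
        elif s_in and not d_in:
            outbound.append(dst)
    flowing = randomness(inbound) > RANDOM_THRESHOLD
    ebbing = randomness(outbound) > RANDOM_THRESHOLD
    return STATES[(flowing, ebbing)]


# --- constructed traffic windows ------------------------------------------------
def normal_inbound():
    """20 external clients talking to three internal servers (rank 3 of 20 rows)."""
    servers = ["10.0.0.10", "10.0.0.20", "10.0.0.30"]
    return [(f"203.0.113.{i + 1}", servers[i % 3]) for i in range(20)]


def normal_outbound():
    """20 internal clients talking to three external sites."""
    sites = ["198.51.100.5", "198.51.100.6", "198.51.100.7"]
    return [(f"10.1.1.{i + 1}", sites[i % 3]) for i in range(20)]


def scan(src, first_octet):
    """One scanner hitting 20 unrelated hosts spread across a /8 (constructed, linearly independent rows)."""
    return [(src, str(ipaddress.ip_address((first_octet << 24) | (1 << i)))) for i in range(20)]


def scenarios():
    return {
        "calm": classify(normal_inbound() + normal_outbound()),
        "flowing": classify(scan("203.0.113.200", 10) + normal_outbound()),
        "ebbing": classify(normal_inbound() + scan("10.9.9.9", 203)),
        "flooding": classify(scan("203.0.113.200", 10) + scan("10.9.9.9", 203)),
    }


if __name__ == "__main__":
    for name, state in scenarios().items():
        print(f"{name:9s} -> {state}")
```

The rank ratio is capped by the 32-bit address width, so the check looks at windows of at most 32 destinations; in practice the threshold would be tuned against the monitored network's own baseline rather than fixed at 0.5.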

Page 20

Anomaly DDoS Detection

• FDD (FE and DDoS Distinguisher)

– Distinguishing between flash events and DDoS attacks using randomness check

Page 21

VoIP Malformed & Flooding Detection

• Internet telephony attack detection, IFIP SEC’08

– Rule matching + state transition models

– Detects malformed messages and flooding attacks

Page 22

6. Attack Visualization

[Figure: visualization overview, panels A to E]

Benefits of Visualization

• Deals with large, noisy data easily

• Intuitive

• Helps come up with new hypotheses

• Higher degree of confidence, faster

Page 23

Visualization Methods

[NSFNET T1 backbone in 1991] [City Scape: SDM (Chuah et al., 1995)]

[Parallel coordinates] [H-h Chi et al., IEEE InfoVis'97, A Spreadsheet Approach]

Page 24

Visualization in Security

[J. McPherson et al., PortVis, ACM CCS 2004] [S. Kim et al., IEEE INFOCOM 2005]

[CAIDA skitter project] [I.-V. Onut et al., SVision, Computers & Security 2007]

Page 25

Parallel Coordinate Attack Visualization

1. Worm graph (Slammer)

2. DDoS attack

3. Hostscan

4. Portscan

Page 26

Application Program of PCAV

• PCAV 2.0 demonstration

http://ccs.korea.ac.kr/PCAV

Page 27

What is a “bot”?

• Bot

– A bot is a servant process on a compromised system

– Communicates with a handler or controller, often running on public or other compromised systems

– A botmaster or botherder commands the bots to perform any kind of malicious activity

• Botnet

– A network of bots and controller(s) is referred to as a botnet or zombie network

Page 28

Malicious Activities of Botnet

Most recent incidents are related to botnets

Page 29

Botnet Group Activity

• Group Activity (inherent property), IEEE CIT 2007

– A large number of bots always act as a group

[Figure: botnet activity as group activity: the bots issue DNS queries, then connect to the controller and execute commands, and both steps are performed by the whole group]

Page 30

Experimental Results

• Similarity of botnet and normal DNS traffic

– The similarity of botnet DNS queries exceeds a given threshold, while that of normal DNS traffic does not

Botnet domain name detection
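Slides 29 and 30 state the property (bots act as a group, so the hosts querying a botnet domain stay the same from one window to the next) and the result (their similarity exceeds a threshold) without giving the computation. The added example below is not the code from the IEEE CIT 2007 paper; it assumes a concrete similarity measure, the Jaccard index between the requester sets of consecutive fixed-length windows, and a minimum group size, and runs it over constructed DNS log lines of the form `<epoch seconds> <client ip> <queried name>`. The domain names and addresses are placeholders.

```python
"""Botnet domain detection from group activity in DNS queries (added example).

Assumptions: fixed 60 s windows, Jaccard similarity between the requester
sets of consecutive windows, a minimum group size. Log lines are constructed.
"""
from collections import defaultdict

WINDOW_SECONDS = 60
MIN_GROUP = 5              # a "group" needs at least this many simultaneous requesters
SIMILARITY_THRESHOLD = 0.8


def parse_log(text):
    """Each line: <epoch seconds> <client ip> <queried name>."""
    queries = []
    for line in text.strip().splitlines():
        ts, client, name = line.split()
        queries.append((int(ts), client, name.lower().rstrip(".")))
    return queries


def requester_groups(queries, window=WINDOW_SECONDS):
    """domain -> {window index -> set of clients that queried it in that window}"""
    groups = defaultdict(lambda: defaultdict(set))
    for ts, client, name in queries:
        groups[name][ts // window].add(client)
    return groups


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0


def group_similarity(by_window):
    """Mean Jaccard similarity between the requester groups of consecutive windows."""
    windows = sorted(by_window)
    pairs = list(zip(windows, windows[1:]))
    if not pairs:
        return 0.0
    return sum(jaccard(by_window[w1], by_window[w2]) for w1, w2 in pairs) / len(pairs)


def detect_botnet_domains(queries):
    """Domains whose requester group is large and stays the same across windows."""
    suspects = {}
    for name, by_window in requester_groups(queries).items():
        if max(len(g) for g in by_window.values()) < MIN_GROUP:
            continue                      # too few requesters to count as group activity
        sim = group_similarity(by_window)
        if sim >= SIMILARITY_THRESHOLD:
            suspects[name] = round(sim, 2)
    return suspects


def constructed_log():
    """Three windows: 8 bots querying one name together every window, a popular
    site with 6 different users per window (partial overlap), and a rare name."""
    lines = []
    for w in range(3):
        t = w * WINDOW_SECONDS + 5
        for bot in range(1, 9):
            lines.append(f"{t} 10.0.0.{bot} c2-placeholder.example")
        for k in range(1 + 3 * w, 7 + 3 * w):
            lines.append(f"{t + 1} 10.0.1.{k} www.example.org")
    lines.append("10 10.0.2.1 mail.example.net")
    lines.append("70 10.0.2.2 mail.example.net")
    return "\n".join(lines)


if __name__ == "__main__":
    print(detect_botnet_domains(parse_log(constructed_log())))
```

The popular site's users overlap only partly between windows (similarity about 0.33), so it stays below the threshold even though its group is large; the bot group scores 1.0. Real deployments would add a minimum number of windows and whitelist well-known stable requester groups such as internal resolvers.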

Page 31

Coordinated Defense Approach

• DDoS attack information sharing

– Fingerprint Sharing Alliance by Arbor Networks

[Figure: ISP A detects a DDoS attack, sends a "fingerprint" of the attack traffic to upstream ISPs, and the upstream ISPs block the attack traffic]

Page 32

Proposal: DDoS Coordination Center

• Motivation

– Who can help a company in an emergency?

– Including small and medium enterprises

– ISP’s roles are becoming crucial

• Roles for the DDoS coordination center

– Systematic monitoring

– Coordination of responses to DDoS attacks

– Protocol development and implementation

– Technical support

Page 33

DDoS Defenses at Corporate Networks

• DDoS-resilient network design

– Distribution of gateways and servers

– Name server placements for robust DNS

• Developments of secure applications

– Human-robot identification

– Mitigating abnormal resource consumption

• Security teams for planning and responses

– Monitoring DDoS attacks for quicker responses

– Preparing response plans, including ISP contacts

– On-demand filtering for attack traffic

Page 34

7. Concluding Remarks

• Prevalence of DDoS attacks

– Increasing ransom attacks

– Hard to find a proper countermeasure

• Mitigating botnet attacks

– Botnet monitoring (IRC/HTTP/P2P bots)

– Blacklisting and punishment

• Responding to DDoS attacks

– Need a good incident response plan, including ISP contacts

– Identify type of attack and filter attack traffic upstream

Page 35

References

• K. Park, D. Seo, J. Yoo, H. Lee, H. Kim, “Unified Rate Limiting in Broadband Access Networks for Defeating Internet Worms and DDoS Attacks”, ISPEC, Apr. 2008.

• H. Choi, H. Lee, H. Lee, H. Kim, “Botnet Detection by Monitoring Group Activities in DNS Traffic”, IEEE CIT, Oct. 2007.

• H. Park, H. Lee, H. Kim, "Detecting Unknown Worms using Randomness Check", IEICE Trans. Comm., Vol. E90-B, No. 4, pp. 894-903, Apr. 2007.

• H. Lee, M. Kwon, G. Hasker, A. Perrig, "BASE: An Incrementally Deployable Mechanism for Viable IP Spoofing Prevention", ACM Symp. on Information, Computer and Communications Security (ASIACCS), Mar. 2007.

• H. Lee, J. Kim, W. Lee, "Resiliency of Network Topologies under Path-Based Attacks", IEICE Trans. Comm., Vol. E89-B, No. 10, pp. 2878-2884, Oct. 2006.

• H. Choi, H. Lee, "PCAV: Internet Attack Visualization on Parallel Coordinates", Int'l Conf. on Information and Communications Security (ICICS), LNCS 3783, pp. 454-466, Dec. 2005.

• K. Park, H. Lee, "On the Effectiveness of Route-Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets", ACM SIGCOMM, pp. 15-26, Aug. 2001.

• K. Park, H. Lee, "On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack", IEEE INFOCOM, Apr. 2001.

• Further information is available at http://ccs.korea.ac.kr.

Page 36

Computer and Communication Security Laboratory