Source Router Approach to DDoS Defense
Jelena Mirković and Peter Reiher, UCLA
USENIX Work-In Progress Session, Washington DC, 08/17/2001
{sunshine, reiher}@cs.ucla.edu

Approach Overview
- Goal: Prevent our site from participating in DDoS attack
- Monitor incoming and outgoing traffic looking for signs that some destination is in trouble
- Reduce traffic to that destination
- Separate attacking from normal flows
- Shut down attacking machines

[Figure: Approach Overview. Diagram with elements labeled A through J, shown across five slides.]

Related Work - MULTOPS
Yes, it is similar to MULTOPS, but:
- It is located on source side only
- Traffic models do not rely only on packet ratio
- Discovery of attacking machines
- Can be pushed further in the network
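
The packet-ratio signal named on this slide, as an added example (not code from the talk): a source-side check that compares packets sent to and received from each remote destination in one interval, then separates the one-way local senders from the two-way ones. It uses packet ratio alone, which the slide says the authors' traffic models do not rely on exclusively; `LOCAL_NET`, the thresholds, and all function names are assumptions, and the traffic is constructed.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# All names and thresholds below are assumptions for illustration.
LOCAL_NET = ip_network("10.0.0.0/24")  # the site behind the source router
MAX_RATIO = 3.0   # packets sent per packet received before traffic looks one-way
MIN_SENT = 50     # do not judge a flow on fewer packets than this

def ratio(sent, received):
    # A peer that never answers gives the worst ratio; avoid dividing by zero.
    return sent / max(received, 1)

def analyze_interval(packets):
    """packets: iterable of (src, dst) pairs seen by the router in one interval.
    Returns {remote destination in trouble: [local hosts sending one-way]}."""
    sent, recv = Counter(), Counter()      # both keyed by (local_host, remote)
    for src, dst in packets:
        src_local = ip_address(src) in LOCAL_NET
        dst_local = ip_address(dst) in LOCAL_NET
        if src_local and not dst_local:
            sent[(src, dst)] += 1          # outgoing packet
        elif dst_local and not src_local:
            recv[(dst, src)] += 1          # incoming packet from that remote
    agg_sent, agg_recv = Counter(), Counter()
    for (_, remote), n in sent.items():
        agg_sent[remote] += n
    for (_, remote), n in recv.items():
        agg_recv[remote] += n
    verdict = {}
    for remote, n in agg_sent.items():
        if n < MIN_SENT or ratio(n, agg_recv[remote]) <= MAX_RATIO:
            continue                       # destination looks healthy
        # Destination looks in trouble: separate attacking from normal flows.
        verdict[remote] = sorted(
            host for (host, r), s in sent.items()
            if r == remote and s >= MIN_SENT
            and ratio(s, recv[(host, remote)]) > MAX_RATIO)
    return verdict

def sample_interval():
    # Constructed traffic: 10.0.0.5 does a two-way transfer, 10.0.0.9 floods.
    victim, web = "198.51.100.7", "203.0.113.20"
    pkts = [("10.0.0.9", victim)] * 2000               # one-way flood
    for _ in range(200):
        pkts += [("10.0.0.5", victim), (victim, "10.0.0.5")]
    for _ in range(100):
        pkts += [("10.0.0.7", web), (web, "10.0.0.7")]
    return pkts

if __name__ == "__main__":
    print(analyze_interval(sample_interval()))
```

Only the flooding host is returned for throttling; the two-way sender to the same destination is left alone even though the aggregate ratio to that destination is high.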

[Figure: Stable Packet Ratio in Mixed Traffic. Plot of packet ratio over time.]
[Figure: Stable Packet Ratio in TCP Traffic. Plot of packet ratio over time.]
[Figure: Stable Packet Ratio in UDP Traffic (two slides). Plot of packet ratio over time.]
[Figure: Variable Packet Ratio in Mixed Traffic. Plot of packet ratio over time.]
[Figure: Variable Packet Ratio in Attack Traffic. Plot of packet ratio over time, with series labeled DDoS + FTP, FTP, and DDoS.]

Challenges
- Router performance.
- Why would ISP implement this?
- False positives.
- Multicast traffic is usually unidirectional.
- Asymmetric routes.
- Throttling and TCP congestion control mechanism.
- Traffic patterns in the Internet change drastically over time.

For More Info...
http://fmg-www.cs.ucla.edu/ddos