Survey of Distributed Denial of Service Attacks and Popular Countermeasures. Andrew Knotts, Kent State University. Referenced from: Charalampos Patrikakis, Michalis Masikos, and Olga Zouraraki. Denial of service attacks. Internet Protocol Journal, 7(4):13–25, December 2004.

Posted on 22-Dec-2015


Page 1

Survey of Distributed Denial of Service Attacks and Popular Countermeasures
Andrew Knotts, Kent State University

Referenced from: Charalampos Patrikakis, Michalis Masikos, and Olga Zouraraki. Denial of service attacks. Internet Protocol Journal, 7(4):13–25, December 2004.

Page 2

Outline

Introduction/Overview

Recruiting Zombie Machines

Spreading the Virus

A Typical DDoS Attack

Defending Against a DDoS Attack

Page 3

[Diagram: the three dimensions of information security. Security goals: Confidentiality, Integrity, Availability. Information states: Storing, Processing, Transmitting. Countermeasures: Education, Policies, Technology.]

Page 4

DoS vs. DDoS Attacks

A DoS attack is targeted at a particular node (machine). It attempts to deny service to that node.

Source of the attack:

Single node: DoS (Denial of Service) attack

Multiple nodes: DDoS (Distributed Denial of Service) attack

Page 5

DDoS Attacks: A Tough Problem

Victims are unable to communicate with other machines, so the surrounding network may not know to help.

Traffic spikes very fast. It is hard to react quickly enough.

Traffic filtering will filter user traffic as well.

The network may be the bottleneck, not the victim.

IP spoofing makes it hard to back trace attack traffic.

Page 6

Target Resources

A (D)DoS attack overwhelms the resources of the target:

Network bandwidth

Computing power: processor, memory

Page 7

Recruiting Zombie Machines

The attacker must infect a set of nodes to target the victim.

Unpatched machines are easily compromised.

Once infected these nodes are known as zombies.

Page 8

Finding Vulnerable Machines

Random Scanning: targets machines at random IP addresses.

Hit-list Scanning: targets nodes from a hit-list.

Topological Scanning: the hit-list is generated “on-the-fly” by scanning infected machines for valid URLs.

Local Subnet Scanning: an infected machine on the same subnet may exploit vulnerabilities of other machines normally protected by the firewall.

Page 9

A Typical DDoS Attack

The zombies are divided into masters and slaves. The attacker signals the masters to start the attack; the masters then signal the slaves. The slaves flood the victim.

IP spoofing is usually used to hide the identity of the slave zombies.

Page 10

A Typical DDoS Attack

[Diagram: Attacker, Master Zombies, Slave Zombies, Victim. Concept of diagram referenced from [1].]

Page 11

A DRDoS Attack

DRDoS: Distributed Reflector Denial of Service.

Reflectors are uncompromised machines. The slave zombies send packets to the reflectors with IP source addresses spoofed as the target. The reflectors carry out the flooding rather than the slaves.

More distributed than a typical DDoS attack.

Page 12

A DRDoS Attack

[Diagram: Attacker, Master Zombies, Slave Zombies, Reflectors, Victim. Concept of diagram referenced from [1].]

Page 13

Defending Against a DDoS Attack: Two General Approaches

Prevent the attack: try to stop the attack from happening in the first place.

React to the attack: detect the attack early, and react appropriately.

Page 14

Defending Against a DDoS Attack: Techniques to prevent attacks

Keep machines up-to-date with patches and antivirus. Hard to do because machines are distributed.

Filter spoofed IP traffic: source IPs of outbound packets should be from the local network; source IPs of inbound packets should not be from the local network.
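The two spoof-filtering rules above as a border check over constructed packets. This is an added example, not code from the slides or from [1]; the local network 198.51.100.0/24 and the sample packets are assumptions.

```python
import ipaddress

# Constructed example: the local network whose border router applies the filter.
LOCAL_NET = ipaddress.ip_network("198.51.100.0/24")


def spoof_filter(direction: str, src_ip: str, local_net=LOCAL_NET) -> str:
    """Return "allow" or "drop" for a packet crossing the network border.

    Outbound packets must carry a source address inside the local network;
    inbound packets must not claim a local source. Either mismatch means the
    source address is spoofed, and the packet is dropped at the border.
    """
    src = ipaddress.ip_address(src_ip)
    is_local = src in local_net
    if direction == "outbound":
        return "allow" if is_local else "drop"
    if direction == "inbound":
        return "drop" if is_local else "allow"
    raise ValueError(f"unknown direction: {direction!r}")


def filter_packets(packets, local_net=LOCAL_NET):
    """Apply spoof_filter to (direction, src, dst) tuples; return the dropped ones."""
    return [p for p in packets if spoof_filter(p[0], p[1], local_net) == "drop"]


# Constructed sample packets: (direction, source IP, destination IP).
SAMPLE_PACKETS = [
    ("outbound", "198.51.100.17", "203.0.113.5"),    # legitimate local host
    ("outbound", "203.0.113.99", "203.0.113.5"),     # local host claiming an outside source
    ("inbound", "192.0.2.8", "198.51.100.17"),       # legitimate external host
    ("inbound", "198.51.100.250", "198.51.100.17"),  # external host claiming a local source
]

if __name__ == "__main__":
    for p in filter_packets(SAMPLE_PACKETS):
        print("dropped spoofed packet:", p)
```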

Page 15

Defending Against a DDoS Attack: Techniques to detect an attack early

Signature Detection: compare traffic signatures to known attack signatures. Cannot detect new attacks with new signatures.

Anomaly Detection: compare traffic behavior with “normal” traffic behavior. What constitutes “normal” traffic has to be updated.

Hybrid Systems: combine both signature detection and anomaly detection.

[Diagram: Anomaly Detection, Signature Database, Update.]

Page 16

Route Filtering

Blackhole routing: routes attack traffic to a “blackhole” (null interface). Only useful if attack traffic can be differentiated from legitimate traffic.

Sinkhole routing: detect suspicious traffic and redirect it to an analyzer. If it is attack traffic, drop it (route to null interface). Otherwise route it to its original destination.

Page 17

Real-time Analysis of Flow Data

Flow data can be useful for analyzing the behavior characteristics of traffic. In order for flow data to be useful for detecting attacks, it must be processed fast enough to respond.

Munz and Carle [2] propose a system and framework to handle the real-time analysis of this flow data.

Page 18

Real-time Analysis of Flow Data

[Diagram: a simplified diagram of the TOPAS system. IPFIX/NetFlow data enters a Receiver and a Ring Buffer, which feed Containers running Detection Algorithm 1, 2 and 3; each raises an Alert. Concept of diagram referenced from [2].]
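A hybrid detector of the kind Page 15 describes, run window by window over flow records like those Pages 17 and 18 feed into TOPAS. This is an added example, not the TOPAS code from [2] or anything from the slides; the NetFlow-style records, the single signature entry, the thresholds and the use of a ring buffer of past windows as the self-updating "normal" baseline are all assumptions.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev

# Constructed signature entries: (description, dst_port, max bytes per packet).
SIGNATURES = [("small-packet flood to port 80", 80, 60)]


def signature_match(flow):
    """Return the description of the first signature the flow matches, else None."""
    bpp = flow["bytes"] / max(flow["packets"], 1)
    for desc, port, max_bpp in SIGNATURES:
        if flow["dst_port"] == port and bpp <= max_bpp:
            return desc
    return None


class HybridDetector:
    """Signature + anomaly detection; the last `history` windows sit in a ring
    buffer and define the "normal" per-destination packet rate (self-updating)."""

    def __init__(self, history=10, k=3.0, min_packets=500):
        self.history = deque(maxlen=history)  # ring buffer of per-window counts
        self.k, self.min_packets = k, min_packets

    def process_window(self, flows):
        """Return alerts for one window; each alert is (kind, destination, detail)."""
        alerts, per_dst = [], defaultdict(int)
        for f in flows:
            per_dst[f["dst"]] += f["packets"]
            sig = signature_match(f)
            if sig:
                alerts.append(("signature", f["dst"], sig))
        for dst, pkts in per_dst.items():
            past = [w.get(dst, 0) for w in self.history]  # baseline from ring buffer
            if len(past) >= 3 and pkts >= self.min_packets:
                bound = mean(past) + self.k * pstdev(past)
                if pkts > bound:
                    alerts.append(("anomaly", dst, f"{pkts} pkts > baseline {bound:.0f}"))
        self.history.append(dict(per_dst))
        return alerts


def flow(src, dst, dst_port, packets, nbytes):
    return {"src": src, "dst": dst, "dst_port": dst_port, "packets": packets, "bytes": nbytes}


def demo():
    """Constructed traffic: five quiet windows, then a flood; returns the flood's alerts."""
    det = HybridDetector()
    quiet = [flow(f"192.0.2.{i}", "198.51.100.10", 443, 20 + i, 30000) for i in range(5)]
    for _ in range(5):
        det.process_window(quiet)
    flood = quiet + [flow(f"203.0.113.{i}", "198.51.100.10", 80, 400, 16000) for i in range(10)]
    return det.process_window(flood)
```

The flood window raises ten signature alerts (known small-packet pattern) and one anomaly alert (4110 packets against a baseline of 110), while the quiet windows raise none.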

Page 19

Path Identification

IP spoofing is commonly used to mask the source of an attack.

Use a “Path Identifier” (Pi) to discover an approximate source of attack packets [3].

These packets can then be classified as malicious (based on their path identifier) and filtered accordingly.

Page 20

Issues with Path Identification

16 bits are used to store path information. This is not very large and may be insufficient for long paths!

Packets from the same attacker are not guaranteed to follow the same path.
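A small simulation of the Pi idea from Pages 19 and 20, added here as an example; it is not the marking scheme of [3] in full nor code from the slides. It assumes a simplified marking in which each router shifts the 16-bit field left by n bits and inserts n bits derived from its address (the low address bits stand in for the hash used in [3]), a victim-side filter that drops markings learned during an attack, and a constructed topology. It also shows the 16-bit limit: with n = 2 only the last 8 hops survive, so a change at an early hop of a 10-hop path leaves the marking unchanged.

```python
import ipaddress

ID_BITS = 16  # Pi keeps the marking in the 16-bit IP Identification field
N = 2         # bits each router contributes (Pi uses n = 1 or 2)

def router_bits(router_ip: str, n: int = N) -> int:
    """Bits a router contributes. Stand-in for the hash of the router address
    used in [3]: here simply the low n bits of the address (assumption)."""
    return int(ipaddress.ip_address(router_ip)) & ((1 << n) - 1)

def router_mark(field: int, router_ip: str, n: int = N) -> int:
    """One hop of Pi-style marking: shift the field left by n and insert the
    router's bits; the mask discards the bits of hops older than 16/n routers."""
    return ((field << n) | router_bits(router_ip, n)) & ((1 << ID_BITS) - 1)

def path_identifier(path, n: int = N) -> int:
    """Marking a packet carries after traversing `path` (router IPs, in order)."""
    field = 0
    for router in path:
        field = router_mark(field, router, n)
    return field

def hops_retained(n: int = N) -> int:
    """Number of most recent hops the 16-bit field can hold."""
    return ID_BITS // n

class PiFilter:
    """Victim-side filter: remember the markings seen on attack packets and drop
    later packets that carry one of them, whatever source IP they claim."""

    def __init__(self):
        self.blocked = set()

    def learn_attack(self, marking: int) -> None:
        self.blocked.add(marking)

    def accept(self, marking: int) -> bool:
        return marking not in self.blocked

# Constructed topology (assumption): attack and user traffic share the last two hops.
ATTACK_PATH = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
USER_PATH = ["10.0.0.6", "10.0.0.7", "10.0.0.3", "10.0.0.4"]
LONG_PATH = [f"10.0.0.{i}" for i in range(1, 11)]  # 10 hops: more than the field holds

def demo():
    """Returns (attack packet accepted?, user packet accepted?) after learning."""
    flt = PiFilter()
    flt.learn_attack(path_identifier(ATTACK_PATH))
    return flt.accept(path_identifier(ATTACK_PATH)), flt.accept(path_identifier(USER_PATH))
```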

Page 21

Network Overlays

To prevent malicious traffic, only allow the target to communicate with a confirmed user [4]. The target must give permission to this “user”.

Filter all traffic in the region around the target that is not confirmed.

Confirmed traffic originates from a list of pre-defined friendly nodes.

Protect the identity of these nodes by using a network overlay.

Page 22

The SOS System

[Diagram: a simplified diagram of the SOS system. Overlay Nodes form an Overlay Network; “Secret Servlets”, a Filtered Region, and the Target. Concept of diagram referenced from [4].]

Page 23

Issues with the SOS system

Expensive to implement: an entire overlay must be created to protect a node.

Overlay routers must implement a filtering protocol.

Page 24

Future Work

IP is not a security-oriented protocol. Designing Internet protocols with security in mind will help mitigate DDoS attacks.

Most current work simply focuses on the target or the network around the target. It is useful to also utilize the entire network from attacker to target to help mitigate DDoS attacks (the Pi system touched on this concept).

Page 25

References

[1] Charalampos Patrikakis, Michalis Masikos, and Olga Zouraraki. Denial of service attacks. Internet Protocol Journal, 7(4):13–25, December 2004.

[2] Gerhard Munz and Georg Carle. Real-time analysis of flow data for network attack detection. 10th IFIP/IEEE International Symposium on Integrated Network Management, pages 100–108, May 2007.

[3] Abraham Yaar, Adrian Perrig, and Dawn Song. Pi: A path identification mechanism to defend against DDoS attacks. In Proceedings of the 2003 IEEE Symposium on Security and Privacy, pages 93–107, Washington, DC, USA, May 2003. IEEE Computer Society.

[4] Angelos D. Keromytis, Vishal Misra, and Dan Rubenstein. SOS: Secure overlay services. In SIGCOMM, Pittsburgh, PA, August 2002. ACM.