An Overview and Classification of DDoS Attacks - PowerPoint PPT Presentation

About This Presentation
Title:

An Overview and Classification of DDoS Attacks

Description:

How to inflict, entities involved, phases of attack, possible motives ... rebooting the victim machine or reconfiguring it) for recovery, after the attack ... – PowerPoint PPT presentation

Number of Views:177
Avg rating:3.0/5.0
Slides: 22
Provided by: shreeg
Learn more at: https://www.cs.kent.edu
Category:

less

Transcript and Presenter's Notes

Title: An Overview and Classification of DDoS Attacks


1
An Overview and Classification of DDoS Attacks
  • A Taxonomy of DDoS Attack
  • and DDoS Defense Mechanisms
  • Authors-Jelena Mirkovic, University of Delaware
  • Peter Reiher, UCLA
  • Presentation by Sagar Panchariya
  • Masters Student

2
Table of Contents
  • DDoS definition
  • How to inflict, entities involved, phases of
    attack, possible motives behind a DDoS attack,
  • What makes DDoS possible?
  • Classification of Attacks.
  • Video
  • Conclusion
  • References

3
What is a DoS and DDoS attack?
  • In its simplest form, a Denial of Service (DoS)
    attack is an attack against any system component
    that attempts to force that system component to
    limit, or even halt, normal services
  • In its simplest form, a Distributed Denial of
    Service (DDoS) attack is a DoS attack that occurs
    from more than one source, and/or from more than
    one location, at the same time.

4
How to inflict a DDoS attack
  • Simplest form of attacks is to consistently send
    a stream of packets to a victim, the stream
    occupies substantial resources of the legitimate
    client and rendering its services to be
    unavailable to legitimate clients.
  • Another approach is to send malformed packets to
    the victims machine to confuse the application
    and force to freeze or reboot.
  • An attack may also subvert the machines in a
    victims network so that the legal client cannot
    get the service.

5
Entities involved in a DDoS attack
6
Procedure to launch a DDoS attack
  • 1.The recruit phase It involves scanning of
    remote machines looking for security holes that
    will help breaking into.
  • 2. The exploit phase After the discovery of
    vulnerable hosts their security loop holes in
    these machines are exploited to inject malicious
    code.
  • 3. The inject phase The insertion of malicious
    code to control these hosts is the inject phase.
  • 4. The Use Phase The infected machines are used
    to infect further machines.

7
Reasons for a DDoS attacks
  • 1. The ulterior motives are personal reasons a
    significant number of DDoS attacks are
    perpetrated against home computers, presumably
    for purposes of revenge.
  • 2. Prestige, a successful attack on popular Web
    servers gains the respect of the hacker
    community.
  • 3. However, some DDoS attacks are performed for
    material gain (damaging a competitor's resources
    or blackmailing companies)
  • 4. Political reasons (a country at war could
    perpetrate attacks against its enemy's critical
    resources, potentially enlisting a significant
    portion of the entire country's computing power
    for this action).
  •  

8
Why DDoS are easy?
  • The end to end service paradigm of the internet
  • Security is left up to end parties.
  • If one of the parties is misbehaving it can cause
    damage to its peer.
  • Intermediate network makes its hard to detect
    misbehaving peers and cant stop it.
  • The making of high bandwidth pathways in the
    intermediate network, while the end networks
    invested in as much bandwidth as they thought
    they might need.
  • Thus, malicious clients can misuse the abundant
    resources of the unwitting intermediate network
    for delivery of numerous messages to a less
    provisioned victim.

9
Need for Classification.
  • Classification can be useful in answering some
    of these questions
  • Know different ways to perpetrate a DDoS attacks?
  • Solutions for what kind of attacks are designed
    and what solutions are still left to be designed?
  • Any novel kinds of DDoS attacks that can take
    place?
  • A classification gives a common vocabulary to the
    researchers to discuss and implement solution
    space for DDoS threats.
  • Understanding these threats, implementing them in
    a test bed environment, and using them to test
    defense systems will help researchers keep one
    step ahead of the attackers.

10
(No Transcript)
11
  • DA1 Manual
  • The attacker does the entire phases recruit,
    exploit, infect and use phase manually. These
    kinds of attacks were the earliest kinds of DDoS
    attacks.
  •  
  • DA2 Semi-Automatic
  •  The recruit, exploit and infect phases are
    automated. In the use phase, the attacker
    specifies the attack type, onset, duration and
    the victim via the handler to agents, who send
    packets to the victim.
  •  
  • DA2 CM Communication Mechanism
  • Based on the communication mechanism
    deployed between agent and handler machines,
    attacks are further divide Direct and indirect
    communication.
  • DA2CM1 Direct Communication
  • During attacks with direct communication,
    the agent and handler machines need to know each
    other's identity in order to communicate.
  •  

12
  • DA2CM2 Indirect Communication
  • Attacks with indirect communication use some
    legitimate communication service to synchronize
    agent actions. Recent attacks have used IRC
    (Internet chat program) channels.
  • DA3 Automatic
  • The start time of the attack, attack type,
    duration and victim are preprogrammed in the
    attack code. No need of further communication
    needed.
  • DA2 and DA3HSS1 Random Scanning
  • During random scanning, each compromised
    host probes random addresses in the IP address
    space3, using a different seed. there is a high
    amount of internetwork traffic. High number of
    machines are infected.
  • DA2 and DA3HSS2 Local Subnet Scanning
  • Local subnet scanning can be added to any of
    the previously described techniques to
    preferentially scan for targets that reside on
    the same subnet as the compromised host.

13
  • SAV1 Spoofed Source Address
  • This is the prevalent type of attack since
    it is always to attacker's advantage to spoof the
    source address, avoid accountability, and
    possibly create more noise for detection.
  •  
  • SAV1 AR Address Routability
  • Based on the address routability we
    differentiate between routable source address and
    non-routable source address attacks.
  • SAV1AR1 Routable Source Address
  • Attacks that spoof routable addresses take
    over the IP address of another machine. This is
    sometimes done not to avoid accountability, but
    to perform a reflector attack on the machine
    whose address was hijacked.
  • SAV1AR2 NonRoutable Source Address
  • Attackers can spoof non-routable source
    addresses, some of which can belong to a reserved
    set of addresses (such as 192.168.0.0/16) or be
    part of an assigned but not used address space of
    some network.

14
  • DA2and DA3VSS1 Horizontal Scanning
  • This is the common type of the scan for
    worms. Scanning machines are looking for a
    specific vulnerability, scanning the same
    destination port on all machines from the list,
    assembled through host scanning techniques.
  •  
  • DA2and DA3VSS2 Vertical Scanning
  • This is the common type of the scan for
    intrusions and multiple vector worms. Scanning
    machines probe multiple ports at a single
    destination, looking for any way to break in.
  • EW1Semantic
  • Semantic attacks exploit a specific feature
    or implementation bug of some protocol or
    application installed at the victim in order to
    consume excess amounts of its resources.
  •  
  • EW2BruteForce
  • Brute-force attacks are performed by
    initiating a vast amount of seemingly legitimate
    transactions.
    .

15
  • SAV1 ST Spoofing Technique
  • Spoofing technique defines how the attacker
    chooses the spoofed source address in its attack
    packets.
  •  
  • SAV1ST1 Random Spoofed Source Address
  • Many attacks spoof random source addresses
    in the attack packets, since this can simply be
    achieved by generating random 32-bit numbers and
    stamping packets with them.
  •  
  • SAV1ST2 Subnet Spoofed Source Address
  • In subnet spoofing, the attacker spoofs a
    random address from the address space assigned to
    the agent machine's subnet.
  • SAV1ST4 Fixed Spoofed Source Address
  • Attacker performing a reflector attack or
    wishing to place a blame for the attack on
    several specific machines would use fixed
    spoofing.

16
  • ARD Attack Rate Dynamics
  • RD1 Constant Rate
  • The majority of known attacks deploy a
    constant rate mechanism. After the onset is
    commanded, agent machines generate attack packets
    at a steady rate, usually as many as their
    resources permit.
  • RD2 Variable Rate
  • Variable rate attacks vary the attack rate
    of an agent machine to delay or avoid detection
    and response.
  • RD2 RC Rate Change Mechanism
  • RD2RC1 Increasing Rate
  • Attacks that have a gradually increasing
    rate lead to a slow exhaustion of the
    victim's resources.

17
  •  
  • RD2 RC2 Fluctuating Rate
  • Attacks that have a fluctuating rate adjust
    the attack rate based on the victim's behavior or
    preprogrammed timing, occasionally relieving the
    effect to avoid detection.
  • IV Impact on the Victim
  • Based on victim type
  • IV1 Disruptive
  • The goal of disruptive attacks is to
    completely deny the victim's service to its
    clients.
  • IV1 RM1 Possibility of Dynamic Recovery
  • Depending on the possibility of dynamic
    recovery during or after the attack, we
    differentiate between self-recoverable,
    human-recoverable and non-recoverable attacks.
  •  

18
  • IV1 RM2 Self-Recoverable
  • In the case of self-recoverable attacks,
    the victim recovers without any human
    intervention, as soon as the influx of attack
    packets has stopped.
  • IV1RM3 Human-Recoverable
  • A victim of a human-recoverable attack
    requires human intervention (e.g., rebooting the
    victim machine or reconfiguring it) for recovery,
    after the attack is stopped.
  • IV1RM3 Non-Recoverable
  • Non-recoverable attacks inflict permanent
    damage to victim's hardware. A new piece of
    hardware must be purchased for recovery.
  • IV Degrading
  • The goal of degrading attacks is to consume
    some (presumably constant) portion of a victim's
    resources, seriously degrading service to
    legitimate customers.

19
Conclusion
  • Multitude types of DDoS exist and there is no
    defined classification for them to study them
    using a hierarchy.
  • An attempt to structure the various forms of DDoS
    attacks known and some of the novel attacks which
    could be possible in the future using a
    classification scheme is made.
  • Future work
  • Many new coming forms of DDoS attacks could
    be added to the classification under a existing
    level or creating a separate class altogether.

20
Video
  • Shut Down A Website-Perl (with myspace hacker)
  • http//www.youtube.com/watch?v5pzh5zqQ4ic

21
References
  •  
  • J. Mirkovic and P. Reiher, A Taxonomy of
    DDoS Attack and
  • DDoS Defense Mechanisms, ACM SIGCOMM
    Computer
  • Communications Review(CCR), vol. 34, no.
    2, April 2004, pp 39-54
  • Denial of Service Attack
  • http//en.wikipedia.org/wiki/Denial-of-service
    _attack
  • Network Security DoS vs DDoS attacks
  • http//www.crime-research.org/articles/network-sec
    urity-dos-ddos-attacks/
  •  
  •  
Write a Comment
User Comments (0)
About PowerShow.com