Title: CSE 5473: Network Security
DDoS Attack and Its Defense
- CSE 5473 Network Security
- Prof. Dong Xuan
Why DoS?
- Sub-cultural status
- To gain access
- Revenge
- Political reasons
- Economic reasons
- Nastiness
How DoS (remotely)?
- Consume host resources
- Memory
- Processor cycles
- Network state
- Consume network resources
- Bandwidth
- Router resources (it's a host too!)
- Exploit protocol vulnerabilities
- Poison ARP cache
- Poison DNS cache
- Etc
Where DoS?
- End hosts
- Critical servers (disrupting the client/server network)
- Web, File, Authentication, Update
- DNS
- Infrastructure
- Routers within org
- All routers in upstream path
Outline
- What is a DDoS attack?
- How to defend against a DDoS attack?
What is a DDoS attack?
- Internet DDoS attacks are a real threat
- On websites: Yahoo, CNN, Amazon, eBay, etc. (Feb. 2000); services were unavailable for several hours
- On Internet infrastructure: the 13 root DNS servers (Oct. 2002); 7 of them were shut down and 2 others were partially unavailable
- Lack of defense mechanisms in the current Internet
What is a DDoS Attack?
- Examples of DoS include
- Flooding a network
- Disrupting connections between machines
- Disrupting a service
- Distributed Denial-of-Service Attacks
- Many machines are involved in the attack against
one or more victim(s)
Attack Size in Gbps (chart not transcribed)
Main Targets (chart not transcribed)
Estonian Cyberwar, April 27, 2007
- Inoperability of the following state and commercial sites:
- The Estonian presidency and its parliament
- Almost all of the country's government ministries
- Political parties
- Three news organizations
- The two biggest banks and communications firms
- Governmental ISP
- Telecom companies
- Source: Alexei Zhatechenko
Distributed Denial of Service (DDoS) Networks
DDoS Network (diagram): http://www.adelphi.edu/spock/lisa2000-shaft.pdf
Typical DDoS attack (diagram)
What Makes DDoS Attacks Possible?
- The Internet was designed with functionality, not security, in mind
- Internet security is highly interdependent
- Internet resources are limited
- Power of many is greater than power of a few
To Address DDoS Attacks
- Ingress filtering
- P. Ferguson and D. Senie, RFC 2267, Jan. 1998 (later superseded by RFC 2827 / BCP 38)
- Block packets that have illegitimate source addresses
- Disadvantage: the filtering overhead slows routing
- Identification of the origins (the traceback problem)
- IP spoofing enables attackers to hide their identity
- Many IP traceback techniques have been suggested
- Mitigating the effect during the attack
- Pushback
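The source-address check that ingress filtering performs, shown as an added Python example (this is not code from the lecture): a router drops any packet whose source address does not belong to a prefix assigned to the interface it arrived on, and also drops sources that should never appear from outside. The interface-to-prefix table, the bogon list and the sample packets are all constructed for this example.

```python
import ipaddress

# Constructed topology for this example: the prefixes a customer-facing
# interface is allowed to originate traffic from.  A real router would take
# these from its routing table (strict unicast RPF) rather than a static table.
INTERFACE_PREFIXES = {
    "eth1": [ipaddress.ip_network("192.0.2.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/25"),
             ipaddress.ip_network("198.51.100.128/25")],
}

# Source ranges that should never appear on an external interface.  Dropping
# them ("bogon filtering") is a usual companion to BCP 38; it is not on the slide.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def ingress_permits(iface, src):
    """Return True if a packet with source `src` may enter via `iface`."""
    src_ip = ipaddress.ip_address(src)
    if any(src_ip in net for net in BOGONS):
        return False
    prefixes = INTERFACE_PREFIXES.get(iface)
    if prefixes is None:          # unknown interface: fail closed
        return False
    return any(src_ip in net for net in prefixes)


def filter_packets(packets):
    """Split (iface, src, dst) tuples into those forwarded and those dropped."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if ingress_permits(pkt[0], pkt[1]) else dropped).append(pkt)
    return accepted, dropped


# Constructed sample packets: one legitimate and one spoofed per interface,
# plus a source that is valid for the network but arrives on the wrong port.
SAMPLE_PACKETS = [
    ("eth1", "192.0.2.17", "203.0.113.5"),      # customer address, right interface
    ("eth1", "203.0.113.9", "203.0.113.5"),     # spoofed: not assigned to eth1
    ("eth2", "198.51.100.200", "203.0.113.5"),  # customer address, right interface
    ("eth2", "10.0.0.4", "203.0.113.5"),        # spoofed RFC 1918 source
    ("eth1", "198.51.100.3", "203.0.113.5"),    # eth2's prefix arriving on eth1
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    for pkt in bad:
        print("drop", pkt)
    print(f"forwarded {len(ok)}, dropped {len(bad)}")
```

The per-packet prefix lookup is the overhead the slide refers to; production routers implement it as a reverse-path lookup in the forwarding table rather than a linear scan. The caveat worth remembering is scope: the filter only stops spoofing from the networks that deploy it, and it does nothing against a flood sent from bots using their real addresses.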
IP Traceback
- Allows the victim to identify the origin of attackers
- Several approaches: ICMP trace messages, Probabilistic Packet Marking, hash-based IP traceback, etc.
PPM
- Probabilistic Packet Marking scheme
- Probabilistically inscribe local path info
- Use constant space in the packet header
- Reconstruct the attack path with high probability

Marking at router R, for each packet w:
    generate a random number x from [0, 1)
    if x < p then
        write IP address of R into w.head
        write 0 into w.distance
    else
        if w.distance = 0 then
            write IP address of R into w.tail
        increase w.distance
    endif
PPM (Cont.): three diagram slides showing marks accumulating along the paths from a legitimate user and from an attacker to the Victim (diagrams not transcribed)
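A simulation of the marking rule above together with the victim-side reconstruction it enables, added here as an example (not code from the lecture or from the PPM authors). The topology, the marking probability, the router labels and the forged address 6.6.6.6 are constructed for the example; the head/tail/distance fields stand in for the header bits a real scheme would overload.

```python
import random

VICTIM = "V"          # label the victim uses for "this edge ends at me"
P_MARK = 0.04         # marking probability; Savage et al. suggest p around 1/25


def mark(router, pkt, p, rng):
    """One router's edge-sampling step, following the slide's pseudocode.
    head/tail/distance live in the packet header; here they are dict keys."""
    if rng.random() < p:
        pkt["head"] = router      # start a new edge at this router
        pkt["tail"] = None
        pkt["distance"] = 0
    else:
        if pkt["distance"] == 0:  # previous hop just started an edge: close it
            pkt["tail"] = router
        pkt["distance"] += 1      # every non-marking hop adds one to the distance


def forward(path, pkt, p, rng):
    """Run the packet through every router on `path` (attacker side first)."""
    for router in path:
        mark(router, pkt, p, rng)
    return pkt


def collect_edges(received):
    """Victim side: keep the (head, tail, distance) triples that survived."""
    edges = set()
    for pkt in received:
        if pkt["head"] is None:          # never marked on the way here
            continue
        tail = pkt["tail"] if pkt["tail"] is not None else VICTIM
        edges.add((pkt["head"], tail, pkt["distance"]))
    return edges


def reconstruct(edges):
    """Turn the sampled edges into every path leading away from the victim."""
    upstream = {}
    for head, tail, _dist in edges:
        upstream.setdefault(tail, set()).add(head)
    paths = []

    def walk(node, path):
        nxt = upstream.get(node)
        if not nxt:
            paths.append(path)
            return
        for head in sorted(nxt):
            walk(head, path + [head])

    walk(VICTIM, [])
    return sorted(paths)


def simulate(p=P_MARK, n_attack=2000, n_legit=500, seed=1):
    """Constructed topology: attacker -> A1 -> A2 -> A3 -> V and user -> L1 -> A3 -> V."""
    rng = random.Random(seed)
    received = []
    for _ in range(n_attack):
        # The attacker pre-fills a forged mark to frame 6.6.6.6 (constructed address).
        pkt = {"head": "6.6.6.6", "tail": None, "distance": 0}
        received.append(forward(["A1", "A2", "A3"], pkt, p, rng))
    for _ in range(n_legit):
        pkt = {"head": None, "tail": None, "distance": 0}
        received.append(forward(["L1", "A3"], pkt, p, rng))
    return reconstruct(collect_edges(received))


if __name__ == "__main__":
    for path in simulate():
        print(" <- ".join([VICTIM] + path))
```

Two things the run shows that the pseudocode alone does not. First, the number of packets the victim needs grows with path length, because a mark from the farthest router survives only if no nearer router overwrites it (probability p(1-p)^(d-1) per packet), which is why p is kept small. Second, the forged mark the attacker injected does survive, but only as a node beyond A1: every real router either overwrote it or incremented its distance, so the victim can trust the edges nearest to it and treat the far end of a reconstructed path with suspicion.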
What is Pushback?
- A mechanism that allows a router to request that adjacent upstream routers limit the rate of traffic
- Reference
How Does it Work?
- A congested router requests that adjacent upstream routers limit the rate of traffic for that particular aggregate
- The router sends a pushback message
- Routers that receive it propagate the pushback further upstream
How Does it Work? (diagram)
When is it invoked?
- The drop rate for an aggregate exceeds the limit imposed on it (by monitoring the queue)
- The pushback agent receives information that a DoS attack is underway (from the packet drop history)
When does it stop?
- Feedback messages are sent to upstream routers
that report on how much traffic from the
aggregates is still present
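The decision sequence on the three slides above (detect congestion from the drop history, pick the aggregate, send rate-limit requests upstream, report back how much is left), worked through as an added Python example for a single congested router. This is illustration code, not the reference pushback implementation; the link capacity, the thresholds, the interface names and the traffic are constructed, and the aggregate is simply the destination /24 that dominates the drop history.

```python
import ipaddress
import random
from collections import Counter

# Constructed parameters for this example (not from the lecture).
LINK_CAPACITY = 1000       # packets per interval the outgoing link can carry
DROP_RATE_TRIGGER = 0.10   # invoke pushback once more than 10% of arrivals drop
TARGET_DROP_RATE = 0.05    # choose the rate limit so drops fall to about 5%


def tail_drop(arrivals, capacity=LINK_CAPACITY):
    """Crude output-queue model: the first `capacity` packets of the interval
    are forwarded, everything after that is tail-dropped."""
    return arrivals[:capacity], arrivals[capacity:]


def dst_prefix(dst, prefixlen=24):
    """Aggregate key: the destination /24, a natural grouping for a DDoS victim."""
    return str(ipaddress.ip_network(f"{dst}/{prefixlen}", strict=False))


def identify_aggregate(dropped):
    """Cluster the drop history by destination prefix; the heaviest cluster is
    the aggregate to push back on.  Returns (prefix, share of all drops)."""
    counts = Counter(dst_prefix(dst) for _iface, _src, dst in dropped)
    prefix, n = counts.most_common(1)[0]
    return prefix, n / len(dropped)


def plan_pushback(arrivals, capacity=LINK_CAPACITY):
    """Decide whether to invoke pushback and, if so, what to ask of whom."""
    _forwarded, dropped = tail_drop(arrivals, capacity)
    drop_rate = len(dropped) / len(arrivals)
    if drop_rate <= DROP_RATE_TRIGGER:
        return None                       # congestion is within normal bounds
    prefix, share = identify_aggregate(dropped)
    agg = [p for p in arrivals if dst_prefix(p[2]) == prefix]
    other = len(arrivals) - len(agg)
    # Give the aggregate whatever capacity remains beside the other traffic,
    # minus headroom so the queue no longer overflows.
    limit = max(0, round(capacity * (1 - TARGET_DROP_RATE)) - other)
    # One pushback message per upstream interface that carries the aggregate,
    # each with a share of the limit proportional to what it contributed.
    per_iface = Counter(iface for iface, _src, _dst in agg)
    messages = {iface: int(limit * n / len(agg)) for iface, n in per_iface.items()}
    return {"aggregate": prefix, "drop_rate": round(drop_rate, 3),
            "share_of_drops": round(share, 3), "limit": limit,
            "pushback": messages}


def apply_limit(arrivals, plan):
    """Model upstream routers honouring the request: each forwards at most its
    allotted number of aggregate packets; all other traffic passes untouched."""
    allowance = dict(plan["pushback"])
    out = []
    for pkt in arrivals:
        if dst_prefix(pkt[2]) == plan["aggregate"]:
            if allowance.get(pkt[0], 0) <= 0:
                continue
            allowance[pkt[0]] -= 1
        out.append(pkt)
    return out


def drop_rate_after(arrivals, plan, capacity=LINK_CAPACITY):
    """The feedback the router reports upstream: drops once the limit is in place."""
    limited = apply_limit(arrivals, plan)
    _forwarded, dropped = tail_drop(limited, capacity)
    return len(dropped) / len(limited)


def sample_interval(seed=7):
    """Constructed traffic for one interval: a flood towards 203.0.113.0/24
    arriving on two upstream links plus unrelated traffic on a third."""
    rng = random.Random(seed)
    pkts = [("eth1", f"198.18.{i % 256}.1", f"203.0.113.{i % 254 + 1}") for i in range(800)]
    pkts += [("eth2", f"198.19.{i % 256}.1", f"203.0.113.{i % 254 + 1}") for i in range(300)]
    pkts += [("eth3", "192.0.2.10", f"198.51.100.{i % 254 + 1}") for i in range(400)]
    rng.shuffle(pkts)
    return pkts


if __name__ == "__main__":
    arrivals = sample_interval()
    plan = plan_pushback(arrivals)
    print(plan)
    print("drop rate after pushback:", drop_rate_after(arrivals, plan))
```

Each upstream router would run the same logic on its own queue when it receives a message, which is how the request propagates toward the sources. The proportional split is a simplification; deciding fairness among contributing links is one of the harder parts of a real design. The feedback value is what lets the limit be relaxed: once the aggregate's arrival volume stays under the limit for a while, the router can raise it or drop the request altogether.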
What are some advantages?
- Pushback prevents bandwidth from being wasted on packets that would later be dropped anyway (the closer to the source, the better)
- Protects other traffic from the attack traffic
- When the network is under attack it can rate-limit the malicious traffic
Any disadvantages?
- Pushback will be ineffective against certain DoS attacks (reflector attacks)
- Can make matters worse (against flooding attacks)
- Not the only solution
Conclusion
- What is a DDoS attack?
- Defending against a DDoS attack
- Ingress filtering
- Traceback
- Pushback