CSE 5473: Network Security - PowerPoint PPT Presentation
1
DDoS Attack and Its Defense
  • CSE 5473 Network Security
  • Prof. Dong Xuan

2
Why DoS?
  • Sub-cultural status
  • To gain access
  • Revenge
  • Political reasons
  • Economic reasons
  • Nastiness

3
How DoS (remotely)?
  • Consume host resources
  • Memory
  • Processor cycles
  • Network state
  • Consume network resources
  • Bandwidth
  • Router resources (it's a host too!)
  • Exploit protocol vulnerabilities
  • Poison ARP cache
  • Poison DNS cache
  • etc.

4
Where DoS
  • End hosts
  • Critical servers (disrupt the client/server network)
  • Web, File, Authentication, Update
  • DNS
  • Infrastructure
  • Routers within org
  • All routers in upstream path

5
Outline
  • What is a DDOS attack?
  • How to defend against a DDoS attack?

6
What is a DDoS attack?
  • Internet DDoS attacks are a real threat
  • - on websites
  • Yahoo, CNN, Amazon, eBay, etc. (Feb. 2000)
  • → services were unavailable for several hours
  • - on Internet infrastructure
  • 13 root DNS servers (Oct. 2002)
  • → 7 of them were shut down, 2 others partially unavailable
  • Lack of defense mechanisms on the current Internet

7
What is a DDoS Attack?
  • Examples of DoS include
  • Flooding a network
  • Disrupting connections between machines
  • Disrupting a service
  • Distributed Denial-of-Service Attacks
  • Many machines are involved in the attack against
    one or more victim(s)

8
Attack Size in Gbps
9
Attack Size in Gbps
10
Main Targets
Estonian Cyberwar, April 27, 2007
  • Inoperability of the following state and commercial sites:
  • The Estonian presidency and its parliament
  • Almost all of the country's government ministries
  • Political parties
  • Three news organizations
  • The two biggest banks and communications firms
  • The governmental ISP
  • Telecom companies
  • Source: Alexei Zhatechenko

12
Distributed Denial of Service (DDoS) Networks
13
DDoS Network
http://www.adelphi.edu/spock/lisa2000-shaft.pdf
14
You are here
15
Typical DDoS attack
19
What Makes DDoS Attacks Possible?
  • The Internet was designed with functionality, not security, in mind
  • Internet security is highly interdependent
  • Internet resources are limited
  • The power of many is greater than the power of a few

20
To Address DDoS Attacks
  • Ingress filtering
  • - P. Ferguson and D. Senie, RFC 2267, Jan. 1998
  • - Block packets that have illegitimate source addresses
  • - Disadvantage: the filtering overhead slows routing
  • Identification of the origins (the traceback problem)
  • - IP spoofing enables attackers to hide their identity
  • - Many IP traceback techniques have been suggested
  • Mitigating the effect during the attack
  • - Pushback
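The ingress filtering of RFC 2267 is simple enough to show in full: a router at the customer edge forwards a packet only if its claimed source address lies in a prefix it knows to be reachable behind the arrival interface. The following is an added example, not code from the lecture; the interface-to-prefix table and the packets are constructed for illustration.

```python
"""Ingress filtering in the sense of RFC 2267: an edge router forwards a
packet only if its source address lies in a prefix known to be reachable
behind the interface the packet arrived on; anything else is treated as a
spoofed source and dropped.  Added example, not from the lecture; the
interface-to-prefix table and the packets are constructed."""
import ipaddress
from dataclasses import dataclass

# Hypothetical access router: customer-facing interfaces and the prefixes
# that are legitimately sourced behind each of them.
INTERFACE_PREFIXES = {
    "eth1": [ipaddress.ip_network("192.0.2.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/25"),
             ipaddress.ip_network("198.51.100.128/26")],
}


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str     # claimed source address
    dst: str


def is_legitimate_source(pkt: Packet) -> bool:
    """Return True if pkt.src belongs to a prefix assigned to pkt.iface.
    Malformed addresses, unspecified/loopback/multicast sources and
    unknown interfaces all fail closed."""
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return False
    if src.is_unspecified or src.is_loopback or src.is_multicast:
        return False
    return any(src in net for net in INTERFACE_PREFIXES.get(pkt.iface, []))


def ingress_filter(packets):
    """Split packets into (forwarded, dropped) the way the filter would."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if is_legitimate_source(pkt) else dropped).append(pkt)
    return forwarded, dropped


# Constructed sample traffic, all addressed to a victim at 203.0.113.5.
SAMPLE = [
    Packet("eth1", "192.0.2.10", "203.0.113.5"),      # genuine customer on eth1
    Packet("eth2", "198.51.100.150", "203.0.113.5"),  # genuine customer on eth2
    Packet("eth1", "198.51.100.7", "203.0.113.5"),    # eth2's prefix arriving on eth1
    Packet("eth2", "10.0.0.1", "203.0.113.5"),        # private source, assigned nowhere
    Packet("eth1", "203.0.113.5", "203.0.113.5"),     # claims the victim's own address
    Packet("eth3", "192.0.2.11", "203.0.113.5"),      # interface with no customer prefixes
]

if __name__ == "__main__":
    fwd, drop = ingress_filter(SAMPLE)
    print(f"forwarded {len(fwd)}, dropped {len(drop)} spoofed packets")
    for p in drop:
        print(f"  drop {p.src} -> {p.dst} on {p.iface}")
```

The "overhead" the slide lists as a disadvantage is the per-packet source lookup; production routers implement the same check as strict-mode unicast Reverse Path Forwarding (uRPF) against the forwarding table rather than a hand-written map. Note what the filter does not do: a bot behind eth1 can still spoof any other address inside 192.0.2.0/24, which is why RFC 2267 asks for the filter to sit as close to the customer edge as possible, where that prefix is smallest.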

21
IP Traceback
  • - Allows the victim to identify the origin of the attackers
  • - Several approaches:
  • ICMP trace messages, Probabilistic Packet Marking,
  • Hash-based IP Traceback, etc.

22
PPM
  • Probabilistic Packet Marking scheme
  • - Probabilistically inscribe local path information into packets
  • - Use constant space in the packet header
  • - Reconstruct the attack path with high probability

Marking procedure at router R (edge sampling):
  for each packet w:
    generate a random number x from [0, 1)
    if x < p then
      write the IP address of R into w.head
      write 0 into w.distance
    else
      if w.distance = 0 then
        write the IP address of R into w.tail
      end if
      increase w.distance
    end if
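The marking procedure above only covers the router side; the victim's reconstruction is the other half of the scheme. The following added simulation (not the lecture's code) runs the edge-sampling procedure on a constructed six-router path and rebuilds the path from the collected marks. Router names are plain labels and the mark travels in Python fields; in the real scheme the mark is compressed into the 16-bit IP identification field, which this example deliberately skips.

```python
"""Probabilistic Packet Marking by edge sampling (Savage et al.): every
router on the path marks a packet with probability p, and the victim rebuilds
the attack path from the (head, tail, distance) marks it collects.  Added
simulation, not the lecture's own code; the router path and packet counts
are constructed, and the mark travels in ordinary Python fields instead of
being compressed into the 16-bit IP identification field as the real
scheme does."""
import random
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    head: Optional[str] = None   # router that started the sampled edge
    tail: Optional[str] = None   # next router after head on the path
    distance: int = 0            # hops travelled since the edge was sampled


def mark(router: str, pkt: Packet, p: float, rng: random.Random) -> None:
    """The slide's marking procedure as run by one router."""
    if rng.random() < p:
        pkt.head, pkt.tail, pkt.distance = router, None, 0
    else:
        if pkt.distance == 0:      # we are the second router of a fresh edge
            pkt.tail = router
        pkt.distance += 1


# Constructed attack path, attacker side first: attacker -> R6 -> ... -> R1 -> victim
PATH = ["R6", "R5", "R4", "R3", "R2", "R1"]


def send_along(path, n_packets, p, seed=1, initial=None):
    """Simulate n_packets traversing `path` and return them as the victim sees
    them.  `initial` lets the attacker pre-fill the mark fields."""
    rng = random.Random(seed)
    received = []
    for _ in range(n_packets):
        pkt = initial() if initial else Packet()
        for router in path:
            mark(router, pkt, p, rng)
        received.append(pkt)
    return received


def reconstruct(received):
    """Victim side.  An edge seen with distance d was sampled d hops from the
    last router; starting at d = 0 we chain edges whose tail equals the head
    found one hop closer to us.  Stops at the first distance where no unique
    consistent edge exists (several attack paths, or nothing sampled)."""
    edges = {}
    for pkt in received:
        if pkt.head is not None:         # head None means nobody marked it
            edges.setdefault(pkt.distance, set()).add((pkt.head, pkt.tail))
    path, prev, d = [], None, 0          # prev=None: the edge must end at us
    while d in edges:
        candidates = {h for h, t in edges[d] if t == prev}
        if len(candidates) != 1:
            break
        prev = candidates.pop()
        path.append(prev)
        d += 1
    return list(reversed(path))          # attacker side first, like PATH


if __name__ == "__main__":
    marks = send_along(PATH, 1000, p=0.1, seed=7)
    print("honest marks    ->", reconstruct(marks))
    forged = send_along(PATH, 1000, p=0.1, seed=7,
                        initial=lambda: Packet("FAKE", None, 0))
    print("attacker-seeded ->", reconstruct(forged))
```

The second run shows why the scheme tolerates attacker-written marks: every router on the path increments the distance of a packet it does not sample, so a forged edge can never show up closer to the victim than the true path. The attacker can only append a fake node beyond its first real router, which is exactly where it sits anyway.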
23-25
PPM (Cont.)
[Figure: legitimate user, attacker, and victim]
26
What is Pushback?
  • A mechanism that allows a router to request
    adjacent upstream routers to limit the rate of
    traffic
  • Reference

27
How Does It Work?
  • A congested router requests adjacent upstream routers to
    limit the rate of traffic for that particular aggregate
  • The router sends a pushback message
  • Receiving routers propagate the pushback further upstream

28
How Does It Work?
29
When is it invoked?
  • Drop rate for an aggregate exceeds the limit
    imposed on it (monitoring the queue)
  • Pushback agent receives information that a DoS
    attack is underway (packet drop history)

30
When does it stop?
  • Feedback messages are sent to upstream routers
    that report on how much traffic from the
    aggregates is still present
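Slides 26 through 30 describe one procedure: detect congestion, identify the aggregate, compute a rate limit, push it upstream, and collect feedback on how much of the aggregate is still arriving. The following added simulation (not the lecture's code, nor the pushback authors') runs that loop over a constructed four-router tree; link capacities and traffic figures are made up and in Mbit/s, and an aggregate is identified simply by its destination prefix.

```python
"""Pushback as a small simulation of slides 26-30: a congested router picks the
aggregate responsible for its drops, computes a rate limit that makes the
rest of the traffic fit, asks each upstream neighbour carrying that aggregate
to enforce a share of the limit, and the upstream routers do the same one hop
further up.  Added example, not the lecture's or the pushback authors' code;
the topology, link capacity and per-link traffic figures (Mbit/s) are
constructed, and an aggregate is identified simply by destination prefix."""
from dataclasses import dataclass, field


@dataclass
class Router:
    name: str
    out_capacity: float                  # Mbit/s of the downstream link
    # traffic arriving per upstream link: {upstream: {dst_prefix: Mbit/s}}
    inbound: dict = field(default_factory=dict)
    limits: dict = field(default_factory=dict)   # {dst_prefix: Mbit/s} in force

    def offered(self, prefix=None) -> float:
        """Total arriving rate, optionally for one aggregate only."""
        return sum(rate for flows in self.inbound.values()
                   for pfx, rate in flows.items()
                   if prefix is None or pfx == prefix)

    def is_congested(self) -> bool:
        return self.offered() > self.out_capacity

    def dominant_aggregate(self) -> str:
        """Stand-in for 'monitoring the queue': with tail drop the aggregate
        losing the most packets is the one contributing the most traffic."""
        by_prefix = {}
        for flows in self.inbound.values():
            for pfx, rate in flows.items():
                by_prefix[pfx] = by_prefix.get(pfx, 0.0) + rate
        return max(by_prefix, key=by_prefix.get)


def split_limit(contrib: dict, limit: float) -> dict:
    """Max-min fair division of `limit` among upstream links: a link sending
    less than its fair share keeps all of it, the rest is shared equally."""
    remaining, shares = limit, {}
    links = sorted(contrib, key=contrib.get)
    for i, link in enumerate(links):
        shares[link] = min(contrib[link], remaining / (len(links) - i))
        remaining -= shares[link]
    return shares


def pushback(routers: dict, name: str, prefix=None, limit=None, log=None) -> float:
    """Run pushback at router `name`.  Called without prefix/limit it acts as
    the congested router; called with them it is an upstream router obeying a
    pushback message.  Returns the aggregate rate still arriving after the
    limits took effect, i.e. the content of the feedback message."""
    log = [] if log is None else log
    r = routers[name]
    if prefix is None:
        if not r.is_congested():
            return 0.0
        prefix = r.dominant_aggregate()
        # leave every other aggregate untouched; squeeze only this one
        limit = max(0.0, r.out_capacity - (r.offered() - r.offered(prefix)))
    r.limits[prefix] = limit
    contrib = {up: flows[prefix] for up, flows in r.inbound.items()
               if flows.get(prefix, 0.0) > 0}
    arriving = 0.0
    for up, share in split_limit(contrib, limit).items():
        log.append(f"{name} -> {up}: pushback {prefix} to {share:.1f} Mbit/s")
        if up in routers:
            # a router upstream: it enforces the share and propagates further,
            # then reports back how much of the aggregate it still passes on
            r.inbound[up][prefix] = pushback(routers, up, prefix, share, log)
        else:
            # an edge network: just police the link locally
            r.inbound[up][prefix] = share
        arriving += r.inbound[up][prefix]
    return arriving


VICTIM = "203.0.113.0/24"      # constructed: prefix of the site under attack


def build_topology() -> dict:
    """Constructed tree: edges -> R3 -> R1 -> R0 -> victim, edges -> R2 -> R0."""
    return {
        "R0": Router("R0", 100.0, {
            "R1": {VICTIM: 150.0, "198.51.100.0/24": 20.0},
            "R2": {VICTIM: 60.0},
            "edgeA": {"192.0.2.0/24": 10.0},
        }),
        "R1": Router("R1", 200.0, {
            "R3": {VICTIM: 100.0},
            "edgeB": {VICTIM: 50.0, "198.51.100.0/24": 20.0},
        }),
        "R2": Router("R2", 100.0, {"edgeD": {VICTIM: 60.0}}),
        "R3": Router("R3", 100.0, {"edgeC": {VICTIM: 100.0}}),
    }


if __name__ == "__main__":
    net, log = build_topology(), []
    print("R0 congested:", net["R0"].is_congested(), "offered", net["R0"].offered())
    still = pushback(net, "R0", log=log)
    print("\n".join(log))
    print(f"aggregate still arriving at R0: {still:.1f} Mbit/s;",
          "congested:", net["R0"].is_congested())
```

In the run, R0 is offered 240 Mbit/s on a 100 Mbit/s link, identifies 203.0.113.0/24 as the aggregate, limits it to 70 Mbit/s so the other 30 Mbit/s of traffic fits, and hands 35 Mbit/s each to R1 and R2, which in turn split their share among their own upstreams; the traffic to 198.51.100.0/24 is never touched, which is the "protects other traffic" advantage of slide 31. The same walkthrough also shows the weakness of slide 32: the aggregate is keyed on the destination, so legitimate traffic to the victim is limited along with the flood, and in a reflector attack the aggregate arrives thinly spread over many links, so no single upstream share looks abnormal.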

31
What are some advantages?
  • Pushback prevents bandwidth from being wasted on
    packets that will later be dropped (better when
    closer to the source)
  • Protects other traffic from the attack traffic
  • When the network is under attack, it can rate-limit
    the malicious traffic

32
Any disadvantages?
  • Pushback will be ineffective against certain DoS
    attacks (reflector attacks)
  • Can make matters worse (against flooding attacks)
  • Not the only solution

33
Conclusion
  • What is a DDoS attack?
  • Defending against a DDoS attack
  • Ingress filtering
  • Traceback
  • Pushback