Application Layer Attack. DDoS DDoS – Distributed Denial of Service Why would any one want to do...


Page 1: Application Layer Attack. DDoS DDoS – Distributed Denial of Service Why would any one want to do this? In some cases, for bringing down service of competitors,

Application Layer Attack


DDoS

• DDoS – Distributed Denial of Service

• Why would anyone want to do this?

• In some cases, for bringing down the service of competitors, or for extortion.


Application Layer Attack

• There is a particular type of attack – simply ask bots to send requests to the victim for large files.

• Now the victim, the server, has to send large files, so its bandwidth is saturated and no more requests can be satisfied.
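The attack above is visible in the server's own access log as a few clients pulling far more bytes than anyone else. The following detection sketch is an added example, not code from the slides: it parses constructed common-log-format lines (the sample traffic, IPs and 700 MiB file size are made up for the demo) and flags any client whose bytes served in a sliding time window exceed a budget. Budgeting bytes rather than request count is the point, because that is the resource a large-file flood drains.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common log format: client ip, ident, user, [timestamp], "request", status, bytes sent.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def parse_line(line):
    """Parse one access-log line into (ip, time, request, status, bytes), or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, req, status, size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, req, int(status), (0 if size == "-" else int(size))


def find_bandwidth_hogs(lines, window, byte_budget):
    """Return {ip: peak_bytes} for clients that were sent more than byte_budget
    bytes within any sliding window of length `window`."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            ip, when, _req, _status, size = rec
            per_ip[ip].append((when, size))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        total = 0
        start = 0
        for when, size in events:
            total += size
            # slide the window: drop events that are older than `window` relative to this one
            while when - events[start][0] > window:
                total -= events[start][1]
                start += 1
            if total > byte_budget:
                flagged[ip] = max(flagged.get(ip, 0), total)
    return flagged


# Constructed sample log (not real traffic): one client repeatedly fetching a
# 700 MiB image every two seconds, one normal client, one unparsable line.
ISO_BYTES = 734003200
SAMPLE_LOG = [
    f'10.0.0.5 - - [10/Oct/2023:13:55:{36 + 2 * i:02d} +0000] "GET /dl/big.iso HTTP/1.1" 200 {ISO_BYTES}'
    for i in range(5)
] + [
    '192.0.2.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.7 - - [10/Oct/2023:13:55:41 +0000] "GET /favicon.ico HTTP/1.1" 304 -',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    hogs = find_bandwidth_hogs(SAMPLE_LOG, timedelta(seconds=60), 1_000_000_000)
    for ip, peak in hogs.items():
        print(f"{ip}: {peak} bytes within 60 s, candidate for throttling or a CAPTCHA challenge")
```

A flagged client is a candidate for the mitigations the rest of the deck discusses (a CAPTCHA or a client puzzle before further large downloads), rather than for an outright block, since a NAT or proxy can put many real users behind one address.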


CAPTCHA

• One way is to see if we can distinguish humans from bots.

• CAPTCHA -- Completely Automated Public Turing test to tell Computers and Humans Apart

• Below is a picture from wiki.


CAPTCHA

• Was proposed by Luis von Ahn, Manuel Blum, Nicholas J. Hopper, and John Langford.

• http://www.captcha.net/captcha_crypt.pdf


Other things you can do

• With the CAPTCHA idea, they actually did something else: scan an old book, and show a word in the book along with one from CAPTCHA.

• You don’t know which one is from where.

• So while you log in, you help the library to recognize words.


Problem with CAPTCHA

• The problem is that you do not want to answer a CAPTCHA problem every 30 minutes if you are watching a movie.


The other solution

• Ask the client to solve a puzzle, basically asking the client to spend some resource before getting service.

• Can you design some puzzles?


Puzzles

• Some puzzles include:

– Finding a string such that the first k bits of its SHA-1 hash are 0.

– By controlling k, you control the difficulty of the puzzle.

– A problem is that this puzzle is biased toward clients with fast machines.


Memory-bound puzzles are better

• Memory speed varies less significantly than CPU speed.

• Forcing the client to do a lot of reads from main memory.

• How?


One memory bound puzzle

• There is a one-to-one function F() that cannot be reversed directly.

• The server starts from x_0 and computes x_i = F(x_{i-1}).

• The server sends x_k to the client and asks him to return x_0.

• Since F() cannot be reversed directly, the client has to go backwards by looking up preimages in a large precomputed inverse table, so its work is dominated by reads from main memory.


Other solutions

• Speak-up: When the system is in trouble, instead of waiting to drown, you should speak up!

• Meaning that you should also send a lot of requests.

• The server serves the one with the loudest voice.

• From their 2006 SIGCOMM paper:


Speak-up

• Actually, every client has to pay the server some currency in the form of bandwidth.

• The hope is that the legitimate clients have spare bandwidth, but the attackers have already used up theirs.

• These dummy bytes are a waste of resources.


What we are working on

• Introducing p2p to DDoS defense.


A useful link

• http://staff.washington.edu/dittrich/misc/ddos/