DDoS Attack and Its Defense. CSE 5473: Network Security. Prof. Dong Xuan.
Why DoS?
- Sub-cultural status
- To gain access
- Revenge
- Political reasons
- Economic reasons
- Nastiness
How DoS (remotely)?
- Consume host resources: memory, processor cycles, network state
- Consume network resources: bandwidth, router resources (a router is a host too!)
- Exploit protocol vulnerabilities: poison the ARP cache, poison the DNS cache
- Etc.
Where DoS?
- End hosts: critical servers (disrupting the client/server network): web, file, authentication, update, DNS
- Infrastructure: routers within the organization; all routers in the upstream path
What is a DDoS attack?
- Internet DDoS attacks are a real threat
  - on websites: Yahoo, CNN, Amazon, eBay, etc. (Feb. 2000); services were unavailable for several hours
  - on Internet infrastructure: the 13 root DNS servers (Oct. 2002); 7 of them were shut down, 2 others were partially unavailable
- The current Internet has no built-in defense mechanism against them
What is a DDoS Attack?
- Examples of DoS include: flooding a network; disrupting connections between machines; disrupting a service
- Distributed Denial-of-Service attacks: many machines take part in the attack against one or more victims
- Estonian cyberwar, April 27, 2007: the following state and commercial sites were rendered inoperable: the Estonian presidency and its parliament; almost all of the country's government ministries; political parties; three news organizations; the two biggest banks and communications firms; the governmental ISP; telecom companies. (Source: Alexei Zhatechenko)
What Makes DDoS Attacks Possible?
- The Internet was designed with functionality, not security, in mind
- Internet security is highly interdependent
- Internet resources are limited
- The power of many is greater than the power of a few
To Address DDoS Attacks
- Ingress filtering (P. Ferguson and D. Senie, RFC 2267, Jan. 1998; later revised as RFC 2827 / BCP 38)
  - Edge routers drop packets whose source address does not belong to the prefixes legitimately reachable behind the interface they arrived on, so spoofed sources are stopped close to the attacker
  - Disadvantage: per-packet filtering adds overhead on the router, and it only helps if deployed widely, since a victim cannot filter on behalf of someone else's network edge
- Identification of the origins (the traceback problem)
  - IP spoofing enables attackers to hide their identity
  - Many IP traceback techniques have been suggested
- Mitigating the effect during the attack
  - Pushback
IP Traceback
- Allows the victim to identify the origin of the attack packets
- Several approaches: ICMP traceback messages, Probabilistic Packet Marking (PPM), hash-based IP traceback, etc.
PPM
Probabilistic Packet Marking scheme
- Each router probabilistically inscribes local path information into the packets it forwards
- Uses constant space in the packet header
- The victim reconstructs the attack path with high probability once enough marked packets have arrived

Marking procedure at router R, for each packet w:
    generate a random number x from [0, 1)
    if x < p then
        write the IP address of R into w.head
        write 0 into w.distance
    else
        if w.distance == 0 then
            write the IP address of R into w.tail
        increment w.distance

The increment happens on every hop that does not mark, so w.distance counts the hops between the last marking router and the victim; only the router immediately after the marking router sees w.distance == 0 and fills in w.tail, which turns the pair (w.head, w.tail) into one sampled edge of the path.
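The marking procedure above together with the victim-side reconstruction it needs, as an added Python simulation (not code from the lecture slides or from Savage et al.'s PPM paper). It keeps the slide's w.head / w.tail names for what the paper calls the start and end of an edge. The topology, router names, p = 0.04, the packet count and the attacker's forged mark naming an innocent router "R9" are constructed assumptions; the real scheme also packs the fields into the 16-bit IP identification field via fragments, which this model leaves out.

```python
import random
from collections import defaultdict


class Packet:
    """The three PPM fields a packet carries. The slide's w.head/w.tail are the
    'start'/'end' fields of Savage et al.'s edge sampling; distance counts the
    hops since the last router that marked."""

    def __init__(self, head=None, tail=None, distance=0):
        self.head, self.tail, self.distance = head, tail, distance


def mark(router, pkt, p, rng):
    """Marking procedure at router `router` for one packet, as on the slide."""
    if rng.random() < p:
        pkt.head = router          # start a new edge sample at this router
        pkt.distance = 0           # tail is not cleared: the next hop overwrites it
    else:
        if pkt.distance == 0:
            pkt.tail = router      # we are the hop right after the marking router
        pkt.distance += 1          # every non-marking hop increments


def send(path, p, rng=None, forged=None):
    """Forward one packet along `path` (router nearest the attacker first) and
    return the (head, tail, distance) triple the victim receives. `forged` lets
    the attacker pre-fill the fields to try to mislead reconstruction."""
    rng = rng or random.Random(0)
    pkt = Packet(*forged) if forged else Packet()
    for router in path:
        mark(router, pkt, p, rng)
    return pkt.head, pkt.tail, pkt.distance


def reconstruct(marks, victim, max_distance):
    """Victim-side reconstruction. An edge (head -> tail) received with distance
    d says tail is d hops from the victim; at d == 0 the victim itself is the
    tail. Edges are accepted outward from the victim, so a forged edge can only
    attach beyond the attacker's true path length, never inside it."""
    edges = defaultdict(set)
    for head, tail, d in marks:
        tail = victim if d == 0 else tail
        if head is None or tail is None:
            continue               # never marked by a router: carries no path info
        edges[d].add((head, tail))
    hops = {victim: 0}             # node -> hops from the victim
    tree = []
    for d in range(max_distance + 1):
        for head, tail in sorted(edges.get(d, ())):
            if hops.get(tail) == d and head not in hops:
                hops[head] = d + 1
                tree.append((head, tail))
    return hops, tree


def simulate(p=0.04, packets=4000, seed=1):
    """Constructed topology (not from the slides): two attackers whose paths share
    R2 and R3, and A1 forges marks naming an innocent router R9."""
    rng = random.Random(seed)
    paths = {"A1": ["R1", "R2", "R3"],   # A1 -> R1 -> R2 -> R3 -> V
             "A2": ["R4", "R2", "R3"]}   # A2 -> R4 -> R2 -> R3 -> V
    marks = []
    for _ in range(packets):
        attacker = rng.choice(sorted(paths))
        forged = ("R9", None, 0) if attacker == "A1" else None
        marks.append(send(paths[attacker], p, rng, forged))
    return reconstruct(marks, "V", max_distance=8)


if __name__ == "__main__":
    hops, tree = simulate()
    for head, tail in tree:
        print(f"{head} -> {tail}   ({head} is {hops[head]} hops from V)")
```

Running it rebuilds both attack paths from the sampled edges, and the forged "R9" lands 4 hops out, one beyond A1's real three-router path: the victim cannot by itself tell R9 from a genuine router further upstream, but the forgery cannot hide or displace R1, R2 or R3, because every packet from A1 passes through those routers and their increments of w.distance push any attacker-supplied mark outward.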
What is Pushback?
A mechanism that allows a router to request that its adjacent upstream routers limit the rate of traffic
How Does it Work?
- A congested router requests that its adjacent upstream routers limit the rate of traffic belonging to one particular aggregate
- The router sends a pushback message upstream
- Routers that receive the message propagate the pushback further upstream toward the sources
When is it invoked?
- The drop rate for an aggregate exceeds the limit imposed on it (found by monitoring the queue)
- The pushback agent receives information that a DoS attack is underway (from the packet drop history)
When does it stop?
- Feedback messages from the upstream routers report back to the requesting router how much traffic from the aggregate is still present; the requesting router uses these reports to decide when the rate limit can be released
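A small model of the pushback procedure described in the three slides above (invocation, propagation, feedback), as an added Python example that is not code from the slides or from the pushback paper by Mahajan et al. The congested router identifies the aggregate from its drop history, divides the permitted rate among its upstream links, sends a limit only to the links that must actually cut back, and an upstream router that receives a message re-divides its share among its own links. The drop log, link names and rates are constructed; defining an aggregate as a destination /24, the 50% drop-share threshold, the max-min split and the release rule are simplifying assumptions made here.

```python
from collections import Counter
from ipaddress import ip_network

# Constructed drop history at the congested router's output queue, as
# (upstream_link, destination_ip) pairs. Not a real capture.
DROP_HISTORY = [
    ("link-A", "203.0.113.10"), ("link-A", "203.0.113.10"), ("link-A", "203.0.113.11"),
    ("link-B", "203.0.113.10"), ("link-B", "203.0.113.12"),
    ("link-C", "198.51.100.7"),
]

# Constructed arrival rate (Mbit/s) of the aggregate's traffic on each upstream link.
ARRIVALS = {"link-A": 60.0, "link-B": 30.0, "link-C": 5.0}


def identify_aggregate(drops, prefix_len=24, min_share=0.5):
    """Pick the destination prefix behind most drops. Pushback is only worth
    invoking when one aggregate dominates the drop history (min_share is an
    assumed threshold; destination /24 is an assumed aggregate definition)."""
    if not drops:
        return None
    by_prefix = Counter(ip_network(f"{dst}/{prefix_len}", strict=False)
                        for _, dst in drops)
    prefix, count = by_prefix.most_common(1)[0]
    return prefix if count / len(drops) >= min_share else None


def maxmin_allocate(limit, arrivals):
    """Split `limit` across upstream links max-min fairly: a link sending less
    than its fair share keeps all of it, the remaining links split what is left."""
    remaining, pending, alloc = limit, dict(arrivals), {}
    while pending:
        share = remaining / len(pending)
        small = {link: rate for link, rate in pending.items() if rate <= share}
        if not small:
            alloc.update({link: share for link in pending})
            break
        for link, rate in small.items():
            alloc[link] = rate
            remaining -= rate
            del pending[link]
    return alloc


def build_pushback(drops, arrivals, target_rate, prefix_len=24):
    """Messages a congested router sends upstream: the aggregate plus the
    per-link limit, only for links that must actually cut back."""
    aggregate = identify_aggregate(drops, prefix_len)
    if aggregate is None:
        return None, {}
    alloc = maxmin_allocate(target_rate, arrivals)
    messages = {link: {"aggregate": str(aggregate), "limit_mbps": alloc[link]}
                for link, rate in arrivals.items() if alloc[link] < rate}
    return aggregate, messages


def propagate(message, my_arrivals):
    """An upstream router that received a pushback message re-divides the limit
    it was given among its own upstream links the same way, so the limiting
    moves hop by hop toward the sources."""
    alloc = maxmin_allocate(message["limit_mbps"], my_arrivals)
    return {link: {"aggregate": message["aggregate"], "limit_mbps": alloc[link]}
            for link, rate in my_arrivals.items() if alloc[link] < rate}


def should_release(feedback, target_rate):
    """Feedback reports how much aggregate traffic each upstream link still sees.
    Simplified release rule: stop limiting once the unrestricted total would fit."""
    return sum(feedback.values()) <= target_rate


if __name__ == "__main__":
    aggregate, msgs = build_pushback(DROP_HISTORY, ARRIVALS, target_rate=50.0)
    print("rate-limit", aggregate, msgs)
    print("link-A propagates:", propagate(msgs["link-A"], {"up1": 40.0, "up2": 20.0}))
    print("release?", should_release({"link-A": 10.0, "link-B": 10.0, "link-C": 5.0}, 50.0))
```

With the constructed numbers the router asks link-A and link-B to cap the 203.0.113.0/24 aggregate at 22.5 Mbit/s each while link-C, which contributes only 5 Mbit/s, is left alone; that is the "closer to the source" benefit of the next slide, since bandwidth on the congested link is no longer spent on packets that would be dropped anyway. Note that the limit applies to everything in the aggregate, legitimate traffic included, which is the collateral damage the disadvantages slide warns about.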
What are some advantages?
- Pushback prevents bandwidth from being wasted on packets that will later be dropped (the closer to the source the limiting happens, the better)
- It protects other traffic from the attack traffic
- When the network is under attack it can rate-limit the malicious traffic
Any disadvantages?
- Pushback is ineffective against certain DoS attacks, for example reflector attacks, where the flood arrives from many scattered reflectors rather than concentrating on a few upstream links
- It can make matters worse against flooding attacks: legitimate traffic that falls inside the rate-limited aggregate is dropped along with the flood
- It is not the only solution