Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.
Outline
Anatomy of a DDoS Attack: Gibson Research Corporation
DDoS Attack Characterization
Advanced DDoS with Traffic Reflection
Attack Taxonomy
Potential DDoS Defenses
Defense Taxonomy
Initiatives at UCCS
Next?
Anatomy of a DDoS: Gibson Research Corporation
May 4th, 2001, two direct-line 1.54Mb T1's flooded
1500B UDP packets bound for port 666, plus some ICMP and a little TCP; ISP didn't filter any of it
17 hours initial downtime, then 5 more attacks
Anatomy of a DDoS: Attack Vector
474 “Zombie” systems (mostly from national ISPs), exclusively Win9X, directed by a 13-year-old
Attacking hosts were unable to IP spoof because of a half-implemented TCP/IP stack in Win9x
Anatomy of a DDoS: Zombie Hosts
"Bot-farmers" preferred Cable ISPs over DSL because of upload bandwidth
Virus distributed widely, then coordinated through IRC
Target scarce resources (find the weakest link):
Services provided, Connectivity, Physical network hardware, possibly even bandwidth costs
Other methods proven to work:
TCP SYN half-open (or SYN/ACK) floods, which disable services by reserving all ports so no new connections can be made
ICMP Ping of Death (PoD) can cause an OS dump when packets larger than 65536 bytes are received; takes the system offline
Heavy UDP traffic – connectionless, no packet delay, quickly floods routers/gateways, killing both host and ISP
Virus/bot Networks (tribal flood network, stacheldraht, trinoo) typically using IRC for coordination
DDoS Characterization
Real connections, volumes of non-filterable traffic from widely-spread public internet servers at high rates
No single “reflector” will notice the flood if the packets are forged and spoofed well (from victim to reflector, correct TCP sequence numbers, legitimate service)
Coordinator/Initiator is much harder to find; traffic won't look suspect until you compare each reflector's logs
Traffic amplification can make things much worse (asymmetric payload: small request, large response) but is less common
Examples include DNS recursive queries, forged HTTP file requests, FTP bounce techniques
Advanced DDoS: Traffic Reflection
DDoS Attack Taxonomy
Public Internet Routers/Gateways/Switches: Implement filters for malformed packets and common attacks (wide deployment, but feasible)
Require ingress route filters and mapping (which side is that host on?) to prevent packet injection
"Followup" packets (ITRACE) can be forwarded by all routers via ICMP along the data path. This could highlight the slave systems to the reflector and victim.
Implement QoS and rate-limiting across the board
DDoS: Potential Defenses
Operating System:
Disable address spoofing at the OS (Win9x's half-implemented TCP/IP)
Implement quota systems for limited resources (ftp shares, TCP ports, etc)
Use TCP SYN cookies -- do not allocate resources until the handshake is complete
Application:
Make the TCP sequence numbers harder to guess
Network: Multi-homed bandwidth and server pools/clusters
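The SYN-cookie idea from the Operating System bullet above (do not allocate resources until the handshake completes), as an added Python demo that is not part of the slides or of any real TCP stack: the server's initial sequence number encodes a time slot plus a keyed hash of the connection 4-tuple, so half-open SYNs reserve nothing and only a final ACK carrying a valid cookie creates connection state. The secret key, the addresses and the flood are constructed for the demo.

```python
"""Stateless SYN handling with SYN cookies: added demo code, not from the slides or any real stack."""
import hashlib, hmac, socket, struct

SECRET = b"demo-secret"  # constructed; a real stack uses random keys and rotates them

def _keyed_hash(saddr, daddr, sport, dport, t):
    """24-bit keyed hash over the connection 4-tuple and an 8-bit time slot."""
    msg = struct.pack("!4s4sHHB", socket.inet_aton(saddr), socket.inet_aton(daddr), sport, dport, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(saddr, daddr, sport, dport, client_isn, now):
    """Server ISN for the SYN/ACK: time slot (64 s) in the top byte, hash + client ISN in the low 24 bits."""
    t = (int(now) // 64) & 0xFF
    return (t << 24) | ((_keyed_hash(saddr, daddr, sport, dport, t) + client_isn) & 0xFFFFFF)

def check_cookie(saddr, daddr, sport, dport, client_isn, cookie, now, max_slots=4):
    """Recompute from the final ACK; valid only if minted recently for exactly this 4-tuple."""
    t = cookie >> 24
    if ((int(now) // 64) - t) & 0xFF > max_slots:
        return False  # expired: an old cookie cannot be replayed later
    return (cookie & 0xFFFFFF) == ((_keyed_hash(saddr, daddr, sport, dport, t) + client_isn) & 0xFFFFFF)

class CookieServer:
    """Keeps no half-open table; a connection exists only once an ACK carries a valid cookie."""
    def __init__(self, ip, port):
        self.ip, self.port, self.established = ip, port, set()
    def on_syn(self, saddr, sport, client_isn, now):
        return make_cookie(saddr, self.ip, sport, self.port, client_isn, now)  # goes out as SYN/ACK seq
    def on_ack(self, saddr, sport, seq, ack, now):
        # the client's seq is its ISN + 1 and its ack is our cookie + 1
        if not check_cookie(saddr, self.ip, sport, self.port, seq - 1, ack - 1, now):
            return False
        self.established.add((saddr, sport))
        return True

def demo():
    srv, now = CookieServer("192.0.2.10", 80), 1_000_000.0
    for i in range(1000):  # constructed SYN flood from spoofed sources that never finish the handshake
        srv.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + i, 0x1000 + i, now)
    half_open = len(srv.established)  # 0: nothing was reserved for the flood
    isn = 0xABCDEF
    cookie = srv.on_syn("198.51.100.7", 40000, isn, now)
    good = srv.on_ack("198.51.100.7", 40000, isn + 1, cookie + 1, now + 10)
    replay = srv.on_ack("198.51.100.7", 40001, isn + 1, cookie + 1, now + 10)  # same cookie, other port
    stale = srv.on_ack("198.51.100.7", 40000, isn + 1, cookie + 1, now + 64 * 10)  # 10 slots later
    return half_open, good, replay, stale

if __name__ == "__main__":
    print(demo())
```

Kernel implementations also squeeze the negotiated MSS into the cookie, since no per-connection options can be stored before the ACK arrives.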
DDoS: Potential Defenses
DDoS Defense Taxonomy
DDoS Initiatives at UCCS
Rate-limiting w/ Autonomous Anti-DDoS (A2D2)
Based on a SNORT plugin which interacts faster with the firewall and utilizes adaptive flood detection methods
Explores the efficient use of rate-limiting and content-based queuing
Network reconfiguration with Secure Collective Defense (SCOLD)
Extends the DNS system to support update and retrieval of enhanced DNS entries including a set of proxy servers for indirect routes
Develops indirect routing protocol on Linux for setting up proxy-based indirect routes when the main route gets flooded.
Next Up?
Route modification – is it possible to drop the attacked IP address and give it another?
Can we “push” routing table changes to routers?
Can we change the appearance of our topology from the outside and let the (more capable) ISP handle the problem?
*Contact me for sources/citations
Review
Anatomy of a DDoS Attack: Gibson Research Corporation
DDoS Attack Characterization
Advanced DDoS with Traffic Reflection
Attack Taxonomy
Potential DDoS Defenses
Defense Taxonomy
Initiatives at UCCS
Next?