Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.


Page 1

Distributed Denial of Service Attacks: Characterization and Defense

Will Lefevers, CS522 UCCS

Page 2

Outline

Anatomy of a DDoS Attack: Gibson Research Corporation

DDoS Attack Characterization

Advanced DDoS with Traffic Reflection

Attack Taxonomy

Potential DDoS Defenses

Defense Taxonomy

Initiatives at UCCS

Next?

Page 3

Anatomy of a DDoS: Gibson Research Corporation

May 4th, 2001: two direct-line 1.54Mb T1's flooded

1500B UDP packets bound for port 666, plus some ICMP and a little TCP; the ISP didn't filter any of it

17 hours initial downtime, then 5 more attacks

Page 4

Anatomy of a DDoS: Attack Vector

474 “Zombie” systems (mostly from national ISPs), exclusively Win9X, directed by a 13-year old

Attacking hosts were unable to IP spoof because of a half-implemented TCP/IP stack in Win9x

Page 5

Anatomy of a DDoS: Zombie Hosts

"Bot-farmers" preferred Cable ISPs over DSL because of upload bandwidth

Virus distributed widely, then coordinated through IRC

Page 6

DDoS Characterization

Target scarce resources (find the weakest link): services provided, connectivity, physical network hardware, possibly even bandwidth costs

Other methods proven to work:

TCP SYN half-open (or SYN/ACK) floods, which disable services by reserving all ports; no new connections can be accepted

ICMP PoD (Ping of Death) can cause an OS dump when packets larger than 65536 bytes are received; takes the system offline

Heavy UDP traffic – connectionless, 0 packet delay, quickly floods routers/gateways, killing both host and ISP

Virus/bot networks (Tribal Flood Network, Stacheldraht, Trinoo), typically using IRC for coordination

Page 7

Advanced DDoS: Traffic Reflection

Real connections: volumes of non-filterable traffic from widely-spread public internet servers at high rates

No single “reflector” will notice the flood if the packets are forged and spoofed well (apparently from victim to reflector, correct TCP sequence numbers, legitimate service)

The coordinator/initiator is much harder to find; the traffic won't look suspect until you compare each reflector's logs

Traffic amplification can make things much worse (asymmetric payload: small request, large reply) but is less common

Examples include DNS recursive queries, forged HTTP file requests, FTP bounce techniques
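The log-comparison point above, as an added example that is not part of the original slides: each reflector's own log stays under a per-host threshold, and only pooling the logs from several reflectors exposes the shared destination. The log lines and their field layout (time, reflector, destination, bytes) are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of three reflectors' outbound-reply logs for one short
# window. Fields: time reflector destination bytes. 203.0.113.7 stands in for
# the victim whose address was forged as the source of the original requests.
SAMPLE_LOGS = """\
10:00:01 reflector-a 203.0.113.7 1500
10:00:02 reflector-a 198.51.100.20 512
10:00:03 reflector-a 203.0.113.7 1500
10:00:05 reflector-a 203.0.113.7 1500
10:00:01 reflector-b 203.0.113.7 1500
10:00:02 reflector-b 203.0.113.7 1500
10:00:04 reflector-b 198.51.100.31 300
10:00:06 reflector-b 203.0.113.7 1500
10:00:01 reflector-c 203.0.113.7 1500
10:00:03 reflector-c 203.0.113.7 1500
10:00:04 reflector-c 203.0.113.7 1500
10:00:07 reflector-c 198.51.100.20 512
"""

PER_REFLECTOR_LIMIT = 4  # replies to one host that a single reflector would flag
GLOBAL_LIMIT = 6         # replies to one host across all reflectors combined


def parse(logs):
    """Yield (reflector, destination, bytes) from the constructed log format."""
    for line in logs.splitlines():
        if line.strip():
            _time, reflector, dst, nbytes = line.split()
            yield reflector, dst, int(nbytes)


def local_alerts(logs, limit=PER_REFLECTOR_LIMIT):
    """What each reflector sees on its own: (reflector, destination) pairs
    whose reply count exceeds `limit`. Empty for the sample: nobody notices."""
    counts = defaultdict(int)
    for reflector, dst, _ in parse(logs):
        counts[(reflector, dst)] += 1
    return {pair for pair, n in counts.items() if n > limit}


def correlated_alerts(logs, limit=GLOBAL_LIMIT):
    """Pool every reflector's log and return {destination: (replies, reflectors)}
    for hosts whose combined reply count exceeds `limit`."""
    replies = defaultdict(int)
    senders = defaultdict(set)
    for reflector, dst, _ in parse(logs):
        replies[dst] += 1
        senders[dst].add(reflector)
    return {d: (n, sorted(senders[d])) for d, n in replies.items() if n > limit}
```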

Page 8

DDoS Attack Taxonomy

Page 9

DDoS: Potential Defenses

Public internet routers/gateways/switches: implement filters for malformed packets and common attacks (requires wide deployment, but feasible)

Require ingress route filters and mapping (which side is that host on?) to prevent packet injection with forged sources

"Follow-up" packets (ITRACE, ICMP traceback) can be forwarded by all routers via ICMP along the data path. This could highlight the slave systems to the reflector and victim.

Implement QoS and rate-limiting across the board

Page 10

DDoS: Potential Defenses

Operating system: disable address spoofing at the OS (cf. Win9x's half-implemented TCP/IP stack)

Implement quota systems for limited resources (FTP shares, TCP ports, etc.)

Use TCP (SYN) cookies -- do not allocate resources until the handshake is complete

Application: make the TCP sequence numbers harder to guess

Network: multi-homed bandwidth and server pools/clusters
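The TCP cookie defense listed above, as an added Python example (not code from the slides, UCCS, or any operating system): the SYN/ACK sequence number is a keyed hash of the connection 4-tuple plus a time slot and an encoded MSS, so the server keeps no half-open state until the client's ACK returns a cookie that verifies. The bit layout, secret key, slot length and MSS table are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Assumed key and layout for illustration (not the slides' or any OS's code).
# 32-bit cookie = 5-bit time counter | 3-bit MSS index | 24-bit keyed hash.
SECRET = b"constructed-server-secret"
MSS_TABLE = [536, 1220, 1440, 1460]  # MSS values the server can encode


def _counter(now):
    """64-second time slot, 5 bits wide; lets old cookies expire."""
    return int(now // 64) & 0x1F


def _hash24(src, sport, dst, dport, count):
    """24-bit HMAC over the 4-tuple and slot, so only this server can mint it."""
    msg = f"{src}:{sport}>{dst}:{dport}|{count}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, sport, dst, dport, client_mss, now=None):
    """Initial sequence number for the SYN/ACK; stores nothing server-side."""
    now = time.time() if now is None else now
    count = _counter(now)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return (count << 27) | (mss_idx << 24) | _hash24(src, sport, dst, dport, count)


def check_cookie(src, sport, dst, dport, ack, now=None):
    """Validate the final ACK. Returns the negotiated MSS, or None if the
    cookie is forged, is for another 4-tuple, or is older than two slots."""
    now = time.time() if now is None else now
    cookie = (ack - 1) & 0xFFFFFFFF  # the ACK number is ISN + 1
    count, mss_idx = cookie >> 27, (cookie >> 24) & 0x7
    current = _counter(now)
    if count not in (current, (current - 1) & 0x1F):
        return None  # too old: counter slot no longer accepted
    if mss_idx >= len(MSS_TABLE):
        return None  # an index the server never issues
    if (cookie & 0xFFFFFF) != _hash24(src, sport, dst, dport, count):
        return None  # hash mismatch: forged cookie or wrong 4-tuple
    return MSS_TABLE[mss_idx]
```

Only a client that actually received the SYN/ACK can return a verifying ACK, so a SYN flood from spoofed sources never consumes connection state.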

Page 11

DDoS Defense Taxonomy

Page 12

DDoS Initiatives at UCCS

Rate-limiting with Autonomous Anti-DDoS (A2D2)

Based on a Snort plugin that interacts faster with the firewall and uses adaptive flood detection methods

Explores the efficient use of rate-limiting and content-based queuing

Network reconfiguration with Secure Collective Defense (SCOLD)

Extends the DNS system to support update and retrieval of enhanced DNS entries, including a set of proxy servers for indirect routes

Develops indirect routing protocol on Linux for setting up proxy-based indirect routes when the main route gets flooded.

Page 13

Next Up?

Route modification – is it possible to drop the attacked IP address and give it another?

Can we “push” routing table changes to routers?

Can we change the appearance of our topology from the outside and let the (more capable) ISP handle the problem?

*Contact me for sources/citations

Page 14

Review

Anatomy of a DDoS Attack: Gibson Research Corporation

DDoS Attack Characterization

Advanced DDoS with Traffic Reflection

Attack Taxonomy

Potential DDoS Defenses

Defense Taxonomy

Initiatives at UCCS

Next?