Evil DDoS Attacks and Strong Defenses. Group 6: Yisi Lu, YuanTong Lu, Hao Wu, YuChen Liu, Hua Li.


Page 1:

Evil DDoS Attacks and Strong Defenses

Group 6: Yisi Lu, YuanTong Lu, Hao Wu, YuChen Liu, Hua Li

Page 2:

Distributed

Large-scale attacks

Page 3:

Denial of service

Deny the victim's access to a particular resource (service).

Page 4:

• Volume Based Attacks – the goal of a volume-based attack is to saturate the bandwidth of the attacked site.

• Protocol Based Attacks – exploit a specific feature or implementation bug of some protocol installed at the victim in order to consume excess amounts of its resources.

• Application Layer Attacks – the goal of these attacks is to crash the web server.

Page 5:

Volume Based Attacks

Page 6:

Volume Based Attacks

--> UDP floods

--> ICMP floods

--> Other spoofed-packet floods

Page 7:

Published in: LEET'12, Proceedings of the 5th USENIX Conference on Large-Scale Exploits and Emergent Threats, pages 7-7, USENIX Association, Berkeley, CA, USA, ©2012

Classification of UDP traffic for DDoS detection

Alexandru G. Bardas, Loai Zomlot, Sathya Chandran Sundaramurthy, Xinming Ou, S. Raj Rajagopalan, Marc R. Eisenbarth

Page 8:

Basic points of the article

(1) Examine the "proportional packet rate" assumption and test it on a large number of production networks.

(2) An algorithm for UDP traffic that differentiates benign and flooding UDP flows based on this assumption.

(3) Two operation modes for using the algorithm to thwart UDP-based DDoS flooding.

Page 9:

Background information

-> UDP is a stateless, simple protocol

-> UDP floods: easy to launch but hard to detect

-> Existing DoS sensor and prevention mechanisms are either ineffective or not applicable

Page 10:

-> Assumption: under normal operations, the packet rate in one direction of a flow is proportional to the packet rate in the opposite direction.

-> Algorithm: flows whose packet-rate ratio violates the assumption are put into a NACK queue rather than the waiting queue.
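As an added illustration (not code from the paper or from the slides), a simplified classifier over a constructed packet sample: it applies the proportional-packet-rate assumption per bidirectional flow and flags flows whose forward/reply ratio breaks it. The thresholds, the flow-key scheme and the sample addresses are assumptions for the example, not the paper's calibrated values.

```python
from collections import defaultdict

# Constructed sample of UDP packets as seen by a border sensor:
# (src_ip, src_port, dst_ip, dst_port).  The DNS exchange from 10.0.0.5 is
# answered; the packets aimed at 10.0.0.9:53 are almost never answered.
SAMPLE_PACKETS = (
    [("10.0.0.5", 40001, "10.0.0.53", 53)] * 20
    + [("10.0.0.53", 53, "10.0.0.5", 40001)] * 18
    + [("203.0.113.7", 5555, "10.0.0.9", 53)] * 500
    + [("10.0.0.9", 53, "203.0.113.7", 5555)] * 3
)


def flow_key(src_ip, src_port, dst_ip, dst_port):
    """Canonical bidirectional key so both directions map to one flow."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (a, b) if a <= b else (b, a)


def count_directions(packets):
    """Count packets per flow in each direction: {key: [a_to_b, b_to_a]}."""
    counts = defaultdict(lambda: [0, 0])
    for src_ip, src_port, dst_ip, dst_port in packets:
        key = flow_key(src_ip, src_port, dst_ip, dst_port)
        direction = 0 if key[0] == (src_ip, src_port) else 1
        counts[key][direction] += 1
    return counts


def classify_flows(packets, min_packets=10, max_ratio=5.0):
    """Label each flow 'benign' or 'flooding' (assumed thresholds).

    A flow breaks the proportional-rate assumption when one direction carries
    more than max_ratio times the packets of the other (a direction with no
    packets counts as 1 to avoid division by zero).  Flows with fewer than
    min_packets packets are left benign until more evidence arrives.
    Returns {key: (label, ratio)}.
    """
    result = {}
    for key, (fwd, rev) in count_directions(packets).items():
        ratio = max(fwd, rev) / max(min(fwd, rev), 1)
        flooding = (fwd + rev) >= min_packets and ratio > max_ratio
        result[key] = ("flooding" if flooding else "benign", ratio)
    return result
```

Flows labelled "flooding" are the ones the paper's algorithm would move to the NACK queue; benign flows keep their place in the waiting queue.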

Page 11:

Experiments

i. Validating the assumption

ii. Ratio function for UDP attack traffic

iii. Performance, accuracy, calibration

Page 12:

Summary for this article

Since a UDP flooding attack is a kind of volume-based attack, we should analyze the packet flow to determine whether the flow is benign or a DDoS attack. The paper gives a possible mechanism to detect and evaluate the flow, and it gives possible protections against a detected DDoS attack.

Page 13:

Protocol Based Attacks

Page 14:

Protocol based DDoS

• Definition: this type of attack consumes actual server resources, or those of intermediate communication equipment such as firewalls and load balancers, and is measured in packets per second.

• Two popular protocol based DDoS attacks: Ping of Death, SYN Flood

Page 15:

Ping of Death

• Definition: a ping of death is a type of attack on a computer that involves sending a malformed or otherwise malicious ping to a computer.

• Reassembly: many computer systems could not handle a ping packet larger than 65535 bytes once its fragments were reassembled. Larger packets could crash the target computer.

Page 16:

SYN Floods

Page 17:

SYN Floods

• Attack:
1. Send a large number of TCP open requests (SYNs).
2. The OS allocates resources to track the TCP connection state.
3. Since the sender's IP is forged, the final ACK never comes back.
4. By continuing to send these requests, the attacker can exhaust the resources on the server machine.

Page 18:

SYN Floods

• Defense: SYN caches, SYN cookies
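Added example, not part of the slides or of any real TCP stack: a simplified SYN cookie in Python, showing why the server can answer a SYN without keeping half-open state and still recognise a genuine final ACK. The bit layout (5-bit time counter, 3-bit MSS index, 24-bit keyed tag), the HMAC-SHA256 tag and the MSS table are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Per-process server secret (assumed); a real stack would rotate it.
SECRET = os.urandom(32)

# Bucketed MSS values; the cookie stores only an index into this table.
MSS_TABLE = (536, 1220, 1440, 1460)


def _tag(secret, client_ip, client_port, server_ip, server_port, counter):
    """24-bit keyed hash binding the cookie to the 4-tuple and time counter."""
    msg = f"{client_ip}:{client_port}>{server_ip}:{server_port}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(secret, client_ip, client_port, server_ip, server_port, mss, counter):
    """Build the 32-bit ISN the server puts in its SYN-ACK.

    Layout (assumed): 5-bit time counter | 3-bit MSS index | 24-bit tag.
    Nothing is stored for the half-open connection, so a flood of forged
    SYNs costs the server one hash per packet and no memory.
    """
    counter &= 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    tag = _tag(secret, client_ip, client_port, server_ip, server_port, counter)
    return (counter << 27) | (mss_idx << 24) | tag


def check_cookie(secret, client_ip, client_port, server_ip, server_port,
                 ack, now, max_age=4):
    """Verify the handshake's final ACK (ack = cookie + 1).

    Returns the negotiated MSS, or None if the cookie is forged, was built
    for another 4-tuple, or is older than max_age counter ticks.
    """
    cookie = (ack - 1) & 0xFFFFFFFF
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    tag = cookie & 0xFFFFFF
    if ((now - counter) & 0x1F) > max_age:
        return None
    expected = _tag(secret, client_ip, client_port, server_ip, server_port, counter)
    if not hmac.compare_digest(tag.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]
```

A forged-source SYN never produces a valid ACK, so it never reaches the point where the server allocates a connection; the price is that TCP options not encoded in the cookie are lost.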

Page 19:

Application Layer Attacks

Page 20:

Application layer DDoS attack

Comprised of seemingly legitimate and innocent requests

• Crash the web server

• Delay the response time or even block the service

Page 21:

Application layer DDoS attack

Difference: other-layer attack vs. app-layer attack

Other-layer attack:
• Target: network bandwidth around Internet subsystems such as routers, Domain Name Servers, or web clusters.

App-layer attack:
• High-level protocol such as HTTP.
• Legitimate lower-level packets.
• Harder to monitor and mitigate (more complicated and diverse).

Page 22:

Application layer DDoS attack

Types:
Request-flooding - many requests in one HTTP session
Session-flooding - many sessions are set up by a client
Asymmetric - each request is very time-consuming

Page 23:

Application layer DDoS attack

Defense:
Determine suspicious sessions/clients from previously collected data
Least suspicion first served, high suspicion blocked
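Added example (not the slides' own code): one way to turn "least suspicion first served, high suspicion blocked" into a scheduler. A suspicion score is computed from previously collected per-client data (request rate times average request cost, which rises for both request floods and asymmetric attacks), and pending requests are served in ascending score order while clients above a cut-off are blocked. The access-log sample, the scoring formula and the cut-off are assumptions for the example.

```python
import heapq
from collections import defaultdict

# Constructed access-log sample for a 10-second window: (client_ip, path,
# cpu_ms).  Two ordinary users plus one client hammering an expensive search
# endpoint, the "asymmetric" pattern from the slides.
ACCESS_LOG = (
    [("10.1.1.10", "/index", 5)] * 3
    + [("10.1.1.20", "/report", 40)] * 8
    + [("198.51.100.9", "/search?q=*", 300)] * 200
)


def suspicion_scores(log, window_sec=10.0):
    """Score each client from previously collected data (assumed formula).

    score = request rate (req/s) * average cost (ms/req), i.e. milliseconds
    of server time the client demands per second of wall clock.
    """
    per_client = defaultdict(list)
    for ip, _path, cost_ms in log:
        per_client[ip].append(cost_ms)
    return {
        ip: (len(costs) / window_sec) * (sum(costs) / len(costs))
        for ip, costs in per_client.items()
    }


def schedule(pending, scores, block_above):
    """Least suspicion first served, high suspicion blocked.

    pending: list of (client_ip, path) waiting to be served.
    Returns (served_in_order, blocked).  Clients with no history score 0.0;
    seq keeps FIFO order among equal scores.
    """
    heap, blocked = [], []
    for seq, (ip, path) in enumerate(pending):
        score = scores.get(ip, 0.0)
        if score > block_above:
            blocked.append((ip, path))
        else:
            heapq.heappush(heap, (score, seq, ip, path))
    served = []
    while heap:
        _score, _seq, ip, path = heapq.heappop(heap)
        served.append((ip, path))
    return served, blocked
```

As the "Our Opinion" slide notes, a legitimate but expensive or impatient user can also end up with a high score and be postponed; the cut-off has to be tuned against real traffic.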

Page 24:

Our Opinion

Application layer DDoS attack

• Complex because it closely mimics legitimate user requests

• Involves more human decisions, which are not as normalized as things in the lower layers

• The solutions lead to some time-consuming or impatient users' requests being postponed for a long time

• Still not a solution for the case where a botnet is employed to perform the attack.

Page 25:

Comparison

                 Volume-based    Protocol-based    Application Layer
Request          Bogus           Bogus             Legitimate
Protocol         UDP, ICMP       TCP, ICMP         HTTP, HTTPS
Connection       Not full        Not full          Full
High-bandwidth   Yes             Yes               No
Detectable       Yes             Yes               Stealthy
Protection       Easy            Easy              Hard

Page 26:

Q&A