
A Taxonomy of DDoS Attack and DDoS Defense Mechanisms

Peter Reiher, 3564 Boelter Hall, Computer Science Department, UCLA. Jelena Mirkovic, Computer and Information Sciences Department, University of Delaware. CS495 – Spring 2005, Northwestern University, Sausan Yazji.



  1. A Taxonomy of DDoS Attack and DDoS Defense Mechanisms • Peter Reiher, 3564 Boelter Hall, Computer Science Department, UCLA • Jelena Mirkovic, Computer and Information Sciences Department, University of Delaware • CS495 – Spring 2005, Northwestern University, Sausan Yazji

  2. Overview • Distributed denial-of-service (DDoS) is a rapidly growing problem • A variety of approaches exists for both the attacks and the defense mechanisms • Two taxonomies for classifying attacks and defenses: • Highlight commonalities and important features of attack strategies • Classify the body of existing DDoS defenses based on their design decisions

  3. Background • The DDoS attack mechanisms are changing constantly • The security measures to deal with the attacks are changing constantly • Setting apart and emphasizing crucial features of attack and defense mechanisms • Abstracting detailed differences between the attack and defense mechanisms

  4. Why? • What are the different ways of perpetrating a DDoS attack? • Why is DDoS a difficult problem to handle? • What attacks have been handled effectively by existing defense systems? • What attacks still remain unaddressed and why? • How would a defense mechanism behave in case of an unrelated attack? • What are the defense mechanisms' vulnerabilities? • Can the defense mechanisms complement each other and how? • How can we contribute to the DDoS field?

  5. Proposed Taxonomy • Covers known attacks and also realistic potential threats • Covers published and commercial approaches • The proposed taxonomy is not: • as detailed as possible • dividing attacks and defenses in an exclusive manner • The depth and width of the proposed taxonomies are not • suitable for a traditional numbering of headings • proposing or advocating any specific DDoS defense mechanism

  6. DDOS ATTACK OVERVIEW • DoS is an explicit attempt to prevent the legitimate use of a service • DDoS deploys multiple attacks to attain this goal

  7. What makes DDoS attacks possible? • Internet security is highly interdependent • Internet resources are limited • Intelligence and resources are not collocated • Accountability is not enforced • Control is distributed

  8. How are DDoS attacks performed? • Recruit multiple agent machines • Exploit the vulnerable recruited machines • Infect the exploited machines with the attack code • Use the infected machines to recruit new agents • Distribute the attack code using useful applications • Hide the identity of agent machines through spoofing

  9. Why do people perpetrate DDoS attacks? • Personal reasons • Prestige • Material gain • Political reasons

  10. Taxonomy of DDoS Attack Mechanisms

  11. DA: Degree of Automation • DA1: Manual • DA2: CM2: Indirect Communication • DA3: Automatic • DA2 and DA3: HSS: Host Scanning and Vulnerability Scanning Strategy • DA2 and DA3: HSS1: Random Scanning • DA2 and DA3: HSS2: Hit List Scanning • DA2 and DA3: HSS3: Signpost Scanning • DA2 and DA3: HSS5: Local Subnet Scanning

  12. DA: Degree of Automation - continued • DA2 and DA3: VSS • DA2 and DA3: VSS1: Horizontal Scanning • DA2 and DA3: VSS2: Vertical Scanning • DA2 and DA3: VSS3: Coordinated Scanning • DA2 and DA3: VSS4: Stealthy Scanning • DA2 and DA3: PM: Propagation Mechanism • DA2 and DA3: PM1: Central Source Propagation • DA2 and DA3: PM2: Back-Chaining Propagation • DA2 and DA3: PM3: Autonomous Propagation

  13. EW: Exploited Weakness to Deny Service • EW1: Semantic • EW2: Brute-Force

  14. SAV: Source Address Validity • SAV1: Spoofed Source Address • SAV1: AR: Address Routability • SAV1: AR1: Routable Source Address • SAV1: AR2: Non-Routable Source Address • SAV1: ST: Spoofing Technique • SAV1: ST1: Random Spoofed Source Address • SAV1: ST2: Subnet Spoofed Source Address • SAV1: ST3: En Route Spoofed Source Address • SAV1: ST4: Fixed Spoofed Source Address • SAV2: Valid Source Address

  15. ARD: Attack Rate Dynamics • ARD1: Constant Rate • ARD2: Variable Rate • ARD2: RCM: Rate Change Mechanism • ARD2: RCM1: Increasing Rate • ARD2: RCM2: Fluctuating Rate

  16. PC: Possibility of Characterization • PC1: Characterizable • PC1: RAVS: Relation of Attack to Victim Services • PC1: RAVS1: Filterable • PC1: RAVS2: Non-Filterable • PC2: Non-Characterizable

  17. PAS: Persistence of Agent Set • PAS1: Constant Agent Set • PAS2: Variable Agent Set

  18. VT: Victim Type • VT1: Application • VT2: Host • VT3: Resource Attacks • VT4: Network Attacks • VT5: Infrastructure

  19. IV: Impact on the Victim • IV1: Disruptive • IV1: PDR: Possibility of Dynamic Recovery • IV1: PDR1: Self Recoverable • IV1: PDR2: Human Recoverable • IV1: PDR3: Non Recoverable • IV2: Degrading

  20. DDOS DEFENSE CHALLENGE • No complete solution to DDoS has been proposed yet: • Need for a distributed response at many points on the Internet • Economic and social factors • Lack of detailed attack information • Lack of defense system benchmarks • Difficulty of large-scale testing

  21. Taxonomy of DDoS Defense Mechanisms

  22. AL: Activity Level • AL1: Preventive • AL1: PG: Prevention Goal • AL1: PG1: Attack Prevention • AL1: PG1: ST: Secured Target • AL1: PG1: ST1: System Security • AL1: PG1: ST2: Protocol Security • AL1: PG2: DoS Prevention • AL1: PG2: PM: Prevention Method • AL1: PG2: PM1: Resource Accounting • AL1: PG2: PM2: Resource Multiplication

  23. AL: Activity Level - Continued • AL2: Reactive • AL2: ADS: Attack Detection Strategy • AL2: ADS1: Pattern Detection • AL2: ADS2: Anomaly Detection • AL2: ADS2: NBS: Normal Behavior Specification • AL2: ADS2: NBS1: Standard • AL2: ADS2: NBS2: Trained • AL2: ADS3: Third Party Detection • AL2: ARS: Attack Response Strategy • AL2: ARS1: Agent Identification • AL2: ARS2: Rate Limiting • AL2: ARS3: Filtering • AL2: ARS4: Reconfiguration

  24. CD: Cooperation Degree • CD1: Autonomous • Firewalls • Intrusion Detection Systems • CD2: Cooperative • Can operate autonomously at a single deployment point • Aggregate Congestion Control (ACC) System • CD3: Interdependent • Cannot operate autonomously at a single deployment point • Trace Back Mechanism • Secure Overlay Services

  25. DL: Deployment Location • DL1: Victim Network • Protect this network from DDoS attacks • Respond to attacks by alleviating the impact on the victim • DL2: Intermediate Network • Provide defense service to a large number of Internet hosts • Push-back and trace-back techniques • DL3: Source Network • Prevent network customers from generating DDoS attacks • Low motivation

  26. USING THE TAXONOMIES • A map of the DDoS research field • Exploring new attack strategies • DDoS benchmark generation • Common vocabulary • Design of attack class-specific solutions • Understanding solution constraints • Identifying unexplored research areas

  27. RELATED WORK • Classification of DoS attacks according to: • Target Type • Consumed Resource • Exploited Vulnerability • Number of Agent Machines • Focusing on computer attacks in general • Discussion of the DDoS problem and of some defense approaches • Classification of the DDoS defense field only, Intrusion Detection • New studies: • Focus on taxonomy of computer incidents • Generation of a DDoS attack overview

  28. CONCLUSION • Help the community think about the threats we face and the possible countermeasures • Foster easier cooperation among researchers • Facilitate communication and offer a common language for discussing solutions • Clarify how different mechanisms are likely to work in concert • Identify areas of remaining weakness that require additional work • Help develop common metrics and benchmarks for DDoS defense evaluation • Offer a foundation for classifying threats and defenses in the DDoS field

  29. A Taxonomy of DDoS Attack and DDoS Defense Mechanisms QUESTIONS?
