
Distributed Denial-of-Services (DDoS)

Distributed Denial-of-Services (DDoS). Ho Jeong AN CSE 525 – Adv. Networking Reading Group #8. Reading Group # 8 – DDoS . Papers F. Kargl, J. Maier, M. Weber “Protecting Web Servers from Distributed Denial of Service Attacks”, WWW 2001


Presentation Transcript


  1. Distributed Denial-of-Services (DDoS) Ho Jeong AN CSE 525 – Adv. Networking Reading Group #8

  2. Reading Group # 8 – DDoS • Papers • F. Kargl, J. Maier, M. Weber “Protecting Web Servers from Distributed Denial of Service Attacks”, WWW 2001 • V. Paxson, “An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks”, CCR vol. 31, no. 3, July 2001 • Catherine Meadows, “A cost-based framework for analysis of denial of service in network”, Journal of Computer Security, 9(1—2):143-164, 2001

  3. Classification of IT Attacks • Denial of Service (DoS) • Main goal of the attack is the disruption of service • Intrusion • Intention is simply to get access to the system and to circumvent certain barriers • Information Theft • Main goal of the attack is access to restricted, sensitive information • Modification • Attacker tries to alter information.

  4. Definition of DoS • WWW Security FAQ (http://www.w3.org/Security/FAQ) • … an attack designed to render a computer or network incapable of providing normal services … • J.D. Howard (http://www.cert.org) • … Denial-of-service can be conceived to include both intentional and unintentional assaults on a system's availability. The most comprehensive perspective would be that regardless of the cause, if a service is supposed to be available and it is not, then service has been denied ...

  5. Definition of DDoS • WWW Security FAQ (http://www.w3.org/Security/FAQ) • … A Distributed Denial of Service attack uses many computers to launch a coordinated DoS attack against one or more targets. …

  6. DoS attack Classification • System Attacked • Router • Firewall • Load-balancer • Individual web server • Supporting services (i.e. database servers) • Part of the system attacked • Hardware failure • OS or TCP/IP stack of host/router • Application level (i.e. web server, database servers) • Bug or overload • Bugs • Overload

  7. DoS attack Classification • Example • Cisco 7xxx routers with IOS/700 Software version 4.1(1)/4.1(2) • Jolt2 – targeting most Microsoft Windows Systems (98/NT4/2000) • MIIS version 4.0/5.0 • Smurf • SYN Flood • Apache MIME flooding/Apache Sioux Attack

  8. DDoS tools • Trinoo • Known as the first DDoS tool • UDP flooding • Tribe Flood Network (TFN) • Trinoo’s UDP flooding, TCP SYN and ICMP flood • TFN2K • Encrypted communication between components • TARGA attack • stacheldraht • ICMP, UDP and TCP SYN flooding • Updates agents automatically

  9. DDoS Protection Environment • Linux Kernel • Immune to Teardrop, TARGA • tcp_syn_cookie enabled against SYN flood attack • Load Balancer • Linux Virtual Server against overload attack

  10. DDoS Protection Environment • ipchains Firewall • Only port 80 is reachable directly • Only ICMP host unreachable messages are accepted • Class Based Queuing • Function of the Linux kernel • Setup different traffic queues • Determines what packets to put in what queue • Assign a bandwidth to each of the queue

  11. DDoS Protection Environment • Traffic Monitor • Monitor • Thread 1: monitors in and out packet • Thread 2: checks the hashtable • Thread 3: server thread • Manager • Analyzes the supplied data • Sorts the IPs in one of several classes, class 1 through class 4
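The monitor/manager split on slides 10 and 11 (a thread counting packets per source IP in a hashtable, a manager sorting IPs into classes 1 through 4, and CBQ giving each class its own bandwidth) can be made concrete with a small request-rate classifier. This is an added illustration, not code from the presentation or the Kargl/Maier/Weber paper; the window length, the per-class thresholds and the packet sample are all assumed here for the demo.

```python
"""Per-source request-rate monitor that sorts IPs into classes 1-4.

Added example (not the presentation's code). Thresholds and window are
assumptions; the traffic sample is constructed inline.
"""
from collections import defaultdict

# Assumed classification parameters: requests seen inside one window.
WINDOW_SECONDS = 10
CLASS_THRESHOLDS = [(1, 20), (2, 100), (3, 500)]   # anything above 500 -> class 4


def count_requests(packets, window_start, window_seconds=WINDOW_SECONDS):
    """Monitor-thread role: count inbound packets per source IP inside the window.

    packets is an iterable of (timestamp, src_ip, direction) observations.
    """
    counts = defaultdict(int)
    window_end = window_start + window_seconds
    for ts, src, direction in packets:
        if direction == "in" and window_start <= ts < window_end:
            counts[src] += 1
    return dict(counts)


def classify(count):
    """Manager role: map a per-window request count to class 1..4."""
    for cls, limit in CLASS_THRESHOLDS:
        if count <= limit:
            return cls
    return 4


def classify_sources(packets, window_start):
    """Return {src_ip: class} for every source seen in the window."""
    return {ip: classify(n) for ip, n in count_requests(packets, window_start).items()}


# Constructed sample traffic: four sources with very different request rates,
# plus one packet outside the window and one outbound packet that is not counted.
SAMPLE_PACKETS = []
SAMPLE_PACKETS += [(i * 0.5, "10.0.0.1", "in") for i in range(5)]      # 5 requests
SAMPLE_PACKETS += [(i * 0.1, "10.0.0.2", "in") for i in range(60)]     # 60 requests
SAMPLE_PACKETS += [(i * 0.02, "10.0.0.4", "in") for i in range(300)]   # 300 requests
SAMPLE_PACKETS += [(i * 0.01, "10.0.0.3", "in") for i in range(700)]   # 700 requests
SAMPLE_PACKETS.append((15.0, "10.0.0.1", "in"))    # outside the 10 s window
SAMPLE_PACKETS.append((1.0, "10.0.0.1", "out"))    # outbound, ignored by the counter

if __name__ == "__main__":
    for ip, cls in sorted(classify_sources(SAMPLE_PACKETS, 0).items()):
        print(f"{ip:<12} class {cls}")
```

The class number is what a CBQ setup would key its queues on: class 1 sources share the generous queue, class 4 sources the one with the smallest bandwidth share, so an overload from a few sources degrades their service rather than everyone's.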

  12. Test 1: http-attack using http_load and static html database

  13. Conclusion • DDoS attacks are substantial threat to today’s Internet infrastructure • Solution to the problem of handling massive http overload requests is based on class based routing and active traffic monitoring

  14. Reflector • Any IP host that will return a packet if it receives a request • All web servers, DNS servers, routers (ICMP) • Victim eventually receives a “huge” number of messages, clogging every single path to the victim from the rest of the Internet • DDoS attack by using reflector

  15. Defense against Reflector • Ingress filtering • Traffic generated by reflector • Our pick • Reflector enable filtering • Require widespread deployment of filtering • Deploy trace back mechanism • Enormous deployment difficulties • IDS • Widespread deployment of security technology

  16. Filtering out reflector replies • IP • version, header length • TOS/DSCP • length • ID • fragments • TTL, protocol, checksum • source • destination

  17. Filtering out reflector replies • ICMP • Request/response • Generated ICMP messages • TCP • source port • SYN ACK • RST • guessable sequence number • T/TCP

  18. Filtering out reflector replies • UDP • DNS • DNS reply • DNS recursive query • SNMP • HTTP proxy server • Gnutella (TCP application) • Other UDP applications
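Slides 16 through 18 list the header fields that distinguish a reflector's reply (TCP SYN-ACK or RST, ICMP echo reply, DNS reply) from a request. The check a filter at the victim's edge can actually make is whether a matching request ever left the protected network. The following stateful filter is an added example written for this page, not code from Paxson's paper; the packet representation and the trace are constructed, and a production version would additionally age out pending entries and handle fragments and the other ICMP types the slides mention.

```python
"""Drop reflector-style replies that no inside host ever asked for.

Added example (not from the presentation or the Paxson paper). Packets are a
simplified constructed representation; only three reply kinds are handled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str        # "out" = leaves the protected network, "in" = arrives
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    tcp_flags: str = ""   # "S" (SYN), "SA" (SYN-ACK), "R" (RST)
    kind: str = ""        # "echo-request"/"echo-reply", "dns-query"/"dns-reply"


def is_request(p):
    return ((p.proto == "tcp" and p.tcp_flags == "S")
            or (p.proto == "icmp" and p.kind == "echo-request")
            or (p.proto == "udp" and p.kind == "dns-query"))


def is_reply(p):
    # The reply types a reflector emits in response to a spoofed request.
    return ((p.proto == "tcp" and p.tcp_flags in ("SA", "R"))
            or (p.proto == "icmp" and p.kind == "echo-reply")
            or (p.proto == "udp" and p.kind == "dns-reply"))


class ReflectorReplyFilter:
    def __init__(self):
        # Outstanding requests from inside, keyed as seen from the inside host.
        self.pending = set()

    def process(self, p):
        """Return "pass" or "drop" for one packet."""
        if p.direction == "out":
            if is_request(p):
                self.pending.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "pass"
        if is_reply(p):
            # Flip src/dst so the key matches the request that solicited it.
            key = (p.proto, p.dst, p.dport, p.src, p.sport)
            return "pass" if key in self.pending else "drop"
        return "pass"   # inbound requests are left to the ordinary firewall rules


def run_trace(packets):
    f = ReflectorReplyFilter()
    return [f.process(p) for p in packets]


INSIDE = "192.0.2.10"   # constructed protected host
# Constructed trace: each solicited reply is followed by an unsolicited one.
SAMPLE_TRACE = [
    Packet("out", "tcp", INSIDE, "198.51.100.5", 40000, 80, tcp_flags="S"),
    Packet("in", "tcp", "198.51.100.5", INSIDE, 80, 40000, tcp_flags="SA"),
    Packet("in", "tcp", "203.0.113.7", INSIDE, 80, 40001, tcp_flags="SA"),
    Packet("out", "udp", INSIDE, "198.51.100.53", 5353, 53, kind="dns-query"),
    Packet("in", "udp", "198.51.100.53", INSIDE, 53, 5353, kind="dns-reply"),
    Packet("in", "udp", "203.0.113.53", INSIDE, 53, 5353, kind="dns-reply"),
    Packet("out", "icmp", INSIDE, "198.51.100.9", kind="echo-request"),
    Packet("in", "icmp", "198.51.100.9", INSIDE, kind="echo-reply"),
    Packet("in", "icmp", "203.0.113.9", INSIDE, kind="echo-reply"),
    Packet("in", "tcp", "203.0.113.8", INSIDE, 80, 40002, tcp_flags="R"),
]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)):
        print(f"{verdict:<4} {p.direction:<3} {p.proto:<4} {p.src}->{p.dst} {p.tcp_flags}{p.kind}")
```

This is exactly why slide 15 says filtering "requires widespread deployment": the filter above can only protect the network behind it, and it only works because the victim's own outbound requests are visible to it.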

  19. Implications of reflector attacks for traceback • A major advantage to attackers in using reflectors in a DDoS attack is difficult traceback • Low volume flows – SPIE • HTTP proxies • Logging • Reverse ITRACE

  20. Conclusion • DDoS attacks using reflectors pose several significant threats • Most major threats are • TCP guessable sequence number • DNS query to name server • Gnutella

  21. Defender vs. Attacker • Defense against attack • Increase the resources of the defender • Introduce authentication • Goal of attacker • Waste resources of the defender • Keep the defender from learning the attacker’s identity • Formal methods are a good way to address these problems.

  22. Station to Station protocol • The Station to Station protocol makes use of the Diffie-Hellman protocol together with digital signatures in order to exchange and authenticate keys between two principals.

  23. Station to Station protocol

  24. Station to Station protocol • Compute the attack cost functions and the protocol engagement cost functions for each accept event • Compute the attack cost functions and the message processing cost functions for each verification event

  25. Station to Station protocol • It is vulnerable to DoS attack in several places • First message • Intruder could mount Lowe’s attack • Solution • Cookie exchange • Lowe’s attack – including the identity of intended receiver
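Slides 24 and 25 make two points that fit one worked example: the defender's cost per message should be measured, and the first STS message is the weak spot because the responder commits a Diffie-Hellman exponentiation and a signature before the peer has proven it can receive anything. A cookie exchange fixes the ordering: the responder answers message 1 with a stateless HMAC cookie over the claimed sender address and nonce, and only performs the expensive work after that cookie comes back. The code below is an added example, not the presentation's or Meadows's; the group parameters, the cookie format and the operation counters (a crude stand-in for the cost functions on slide 24) are assumptions, and one modular exponentiation stands in for the DH-plus-signature step.

```python
"""Cookie exchange in front of the expensive STS first-message processing.

Added example (not from the presentation or the Meadows paper). Toy group,
cookie format and cost counters are assumptions for the demo.
"""
import hashlib
import hmac
import secrets

# Assumed toy DH group for the demo (2**127 - 1 is prime); a real deployment
# uses a standard, much larger group.
P = 2**127 - 1
G = 5
COOKIE_LEN = 16


class Responder:
    """Answers message 1 with a cookie and keeps no per-peer state until the
    cookie returns; counts cheap and expensive operations as its 'cost'."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)   # rotated periodically in practice
        self.cheap_ops = 0       # HMAC computations
        self.expensive_ops = 0   # modular exponentiations (stand-in for DH + signature)

    def _cookie(self, client_addr, client_nonce):
        self.cheap_ops += 1
        msg = f"{client_addr}|{client_nonce.hex()}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]

    def on_message1(self, client_addr, client_nonce):
        # Stateless reply: a sender with a spoofed address never sees this cookie.
        return self._cookie(client_addr, client_nonce)

    def on_message2(self, client_addr, client_nonce, cookie, client_pub):
        # Verify the cookie (cheap) before any exponentiation (expensive).
        if not hmac.compare_digest(cookie, self._cookie(client_addr, client_nonce)):
            return None
        self.expensive_ops += 1
        y = secrets.randbelow(P - 2) + 1
        server_pub = pow(G, y, P)
        shared = pow(client_pub, y, P)
        return server_pub, shared


def legitimate_exchange(responder, client_addr="192.0.2.10"):
    """A real initiator: gets the cookie, echoes it, finishes the DH exchange."""
    nonce = secrets.token_bytes(8)
    cookie = responder.on_message1(client_addr, nonce)
    x = secrets.randbelow(P - 2) + 1
    result = responder.on_message2(client_addr, nonce, cookie, pow(G, x, P))
    if result is None:
        return False
    server_pub, server_shared = result
    return pow(server_pub, x, P) == server_shared   # both sides agree on the key


def simulate(n_spoofed):
    """Cost the responder pays for n spoofed first messages, one forged
    second message with a guessed cookie, and one legitimate exchange."""
    r = Responder()
    for i in range(n_spoofed):                       # constructed spoofed senders
        r.on_message1(f"203.0.113.{i % 256}", secrets.token_bytes(8))
    forged = r.on_message2("203.0.113.1", b"\x00" * 8, b"\x00" * COOKIE_LEN, 2)
    ok = legitimate_exchange(r)
    return {"spoofed": n_spoofed, "forged_accepted": forged is not None,
            "legit_ok": ok, "cheap_ops": r.cheap_ops, "expensive_ops": r.expensive_ops}


if __name__ == "__main__":
    print(simulate(1000))
```

In cost-framework terms, the attacker now has to spend one round trip from a reachable address per expensive responder operation, while each spoofed packet costs the responder only one HMAC, which is the balance the framework asks the defender to establish. The cookie does not address Lowe's attack, which the slide fixes separately by including the intended receiver's identity in the signed material.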

  26. Conclusion • This framework shows how existing tools and methods could be modified against DoS attack.
