1 / 19

The Problem

Distributed Denial of Service Attacks and Defenses CS 239 Advanced Topics in Computer Security Peter Reiher September 28, 2010. The Problem. Distributed Denial of Service (DDoS) Attacks. Goal: Prevent a network site from doing its normal business Method: overwhelm the site with attack traffic

tamah
Download Presentation

The Problem

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Distributed Denial of Service Attacks and DefensesCS 239Advanced Topics in Computer Security Peter ReiherSeptember 28, 2010

  2. The Problem

  3. Distributed Denial of Service (DDoS) Attacks • Goal: Prevent a network site from doing its normal business • Method: overwhelm the site with attack traffic • Response: ?

  4. Why Are These Attacks Made? • Sometimes to annoy • Sometimes for extortion • Sometimes for political reasons • If directed at infrastructure, might cripple parts of Internet • So who wants to do that . . .?

  5. Attack Methods • Pure flooding • Of network connection • Or of upstream network • Overwhelm some other resource • SYN flood • CPU resources • Memory resources • Application level resource • Direct or reflection

  6. Why “Distributed”? • Targets are often highly provisioned servers • A single machine usually cannot overwhelm such a server • So harness multiple machines to do so • Also makes defenses harder

  7. DDoS Attack on DNS Root Servers • Concerted ping flood attack on all 13 of the DNS root servers in October 2002 • Successfully halted operations on 9 of them • Lasted for 1 hour • Turned itself off, was not defeated • Did not cause major impact on Internet • DNS uses caching aggressively • Another (less effective) attack in February 2007

  8. DDoS Attack on Estonia • Occurred April-May 2007 • Estonia removed a statue that Russians liked • Then somebody launched large DDoS attack on Estonian government sites • Took much of Estonia off-line for ~ 3 weeks • DDoS attack on Radio Free Europe sites in Belarus in 2008

  9. How to Defend? • A vital characteristic: • Don’t just stop a flood • ENSURE SERVICE TO LEGITIMATE CLIENTS!!! • If you deliver a manageable amount of garbage, you haven’t solved the problem

  10. Complicating Factors • High availability of compromised machines • Millions of zombie machines out there • Internet is designed to deliver traffic • Regardless of its value • IP spoofing allows easy hiding • Distributed nature makes legal approaches hard • Attacker can choose all aspects of his attack packets • Can be a lot like good ones

  11. Basic Defense Approaches • Overprovisioning • Dynamic increases in provisioning • Hiding • Tracking attackers • Legal approaches • Reducing volume of attack

  12. Overprovisioning • Be able to handle more traffic than attacker can generate • Works pretty well for Microsoft and Google • Not a suitable solution for Mom and Pop Internet stores

  13. Dynamic Increases in Provisioning • As attack volume increases, increase your resources • Dynamically replicate servers • Obtain more bandwidth • Not always feasible • Probably expensive • Might be easy for attacker to outpace you

  14. Hiding • Don’t let most people know where your server is • If they can’t find it, they can’t overwhelm it • Possible to direct your traffic through other sites first • Can they be overwhelmed . . .? • Not feasible for sites that serve everyone

  15. Tracking Attackers • Almost trivial without IP spoofing • With IP spoofing, more challenging • Big issue: • Once you’ve found them, what do you do? • Not clear tracking actually does much good • Loads of fun for algorithmic designers, though

  16. Legal Approaches • Sic the FBI on them and throw them in jail • Usually hard to do • FBI might not be interested in “small fry” • Slow, at best • Very hard in international situations • Generally only feasible if extortion is involved • By following the money

  17. Reducing the Volume of Traffic • Addresses the core problem: • Too much traffic coming in, so get rid of some of it • Vital to separate the sheep from the goats • Unless you have good discrimination techniques, not much help • Most DDoS defense proposals are variants of this

  18. Approaches to Reducing the Volume • Give preference to your “friends” • Require “proof of work” from submitters • Detect difference between good and bad traffic • Drop the bad • Easier said than done

  19. Where To Defend? In the core? At the source? At the target? + Drops junk early + Cost paid close to attacker + May be easy to distinguish packets + Good knowledge of situation + Strong motivation to deploy + OK to do what’s needed + Scales nicely + Works with moderate deployment - Low per packet budget possible - Poor deployment incentive - Against end-to-end philosophy • Easy to overwhelm • Often limited defense resources • Poor deployment incentive • Requires wide deployment • May be subject to influence

More Related