1 / 8

Using Multiple Gateways to Foil DDOS Attack

Using Multiple Gateways to Foil DDOS Attack. by David Wilkinson. DDOS - Distributed Denial of Service. DDOS attack - host is flooded with packets that consume network bandwidth. Site becomes unavailable to legitimate users. February 2000: DDOS attacks shut down Yahoo, Ebay, Amazon.com, et al.

valin
Download Presentation

Using Multiple Gateways to Foil DDOS Attack

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Using Multiple Gateways to Foil DDOS Attack by David Wilkinson

  2. DDOS - Distributed Denial of Service • DDOS attack - host is flooded with packets that consume network bandwidth. Site becomes unavailable to legitimate users. • February 2000: DDOS attacks shut down Yahoo, Ebay, Amazon.com, et al. • October 2002: 13 root DNS servers attacked (not successful)

  3. Intrusion and attack phases Client (Intruder) ... Handler Handler Handler Systems Compromised ... ... ... A A A A A A Messages to broadcast addresses ... Replies to Victim Victim A = Agent

  4. Detail of attack net-a.com net-b.com net-c.com ... ... ... ... A A A A A A A A reflecting networks DNS DNS R DNS R reflecting networks R R R R R R R A = Agent R = Router Victim

  5. Solution: reroute traffic through multiple gateways • Idea: expand capability of DNS software, BIND, to handle ‘reroute’ command (opcode = 3) • reroute is sent to the authority DNS name server for each IP address in victim database; DNS message contains {victim host name, victim IP address, proxy server IP address} • named in each DNS server stores threetuple • resolver gets IP addresses of victim & proxy server from named and returns them to requesting application (ftp, telnet, http, etc.) • application stores IP address of victim in IP header (‘options’ field), and sends message to proxy server • proxy server forwards message to victim

  6. Traffic rerouted; attack foiled net-a.com net-b.com net-c.com ... ... ... ... A A A A A A A A reflecting networks DNS DNS R DNS R reflecting networks proxy proxy R proxy proxy R blocked by IDS blocked by IDS R blocked R R R blocked blocked A = Agent R = Router Victim reroute “Help!”

  7. Results thus far • Installed BIND9 on experimental machine, set up as primary DNS name server • client.c dispatches DNS message based on opcode. Added new branch for opcode = 3. • Compiled in new file, reroute.c, in the named directory to handle reroute msgs (not imp.) • Compiled in new file, detour.c, in the dig directory that will send the reroute command (not implemented) • Still three days left to accomplish something more impressive

  8. References • DNS and BIND. Paul Albitz and Cricket Liu, O’Reilly, 2001. • TCP/IP Illustrated, Volume 1: The Protocols. W. Richard Stevens, Addison Wesley, 1994. • Counter Hack. Ed Skoudis, Prentice-Hall, Inc., 2002. • “The ‘stacheldraht’ distributed denial of service attack tool.” David Dittrich, Univ. of Wash., Dec. 31, 1999. • “DRDoS: Distributed Reflection Denial of Service.” Steve Gibson, grc.com, Feb. 22, 2002. • “Consensus Roadmap for Defeating Distributed Denial of Service Attacks.” SANS Institute, sans.org, Feb. 23, 2000. • “Attacks Exposed Internet’s Vulnerabilities.” Brian Krebs and David McGuire, washingtonpost.com, Oct. 31, 2002.

More Related