This document discusses distributed denial of service (DDoS) attacks and potential defenses. It describes how DDoS attacks work by flooding a victim with useless traffic from many compromised systems to overwhelm the victim's bandwidth or resources. The document outlines different types of DDoS attacks like direct and reflector attacks. It also discusses challenges with detection and prevention, such as the difficulty of filtering reflected packets or widely deploying packet filters across networks. Promising defense approaches include developing a global firewall infrastructure with distributed detection systems that can identify anomalies and coordinate response. However, effective DDoS defense remains an ongoing challenge.
2. Distributed Denial of Service (DDoS)
“This is a process in which many computer systems, compromised by a host, send useless data to a network to stop internet connection”
3. DDoS: How It Can be Done?
• Find a weakness and then use that weakness as a ping of death
• Attack the victims with data encryption and decryption
4. Describing DDoS Attacks
• These attacks usually don’t depend on any particular network protocol
• They use a large number of compromised hosts that send useless or harmful packets of data to a victim
• They have become a major problem because of the availability of user-friendly attack tools on the one hand and the lack of defending solutions on the other hand
5. Recorded DDoS Attacks
• One attack happened in May and June of 1998, when the first primitive tools were developed in the underground. This attack was on small networks only
• One took place on August 17, 1999 on the University of Minnesota and was reported to network operations and security teams
• An attack happened in February 2000 on Yahoo, eBay, Amazon and some other websites
• Another report shows more than 12,000 attacks during a three-week period
7. Direct Attacks
• A large number of packets is sent to a victim
• Source addresses are spoofed to make the response go somewhere else
8. Reflector Attacks
• Routers and servers are used as intermediate nodes and are known as reflectors
• The attacker sends packets that need a response to the reflectors, with the packets’ source address set to the victim’s address
• TCP, UDP and ICMP can all be used (e.g., TCP RST packets)
• The victims don’t send any packets back, so backward analysis does not work here
• The packets are legitimate, so they can’t be filtered.
10. How Many Packets are Required to Attack?
• If a victim has a resource that can hold N half-open connections, then its capability of processing SYN packets can be modelled as follows
• A G/D/INFINITY/N queue, where:
– G = general arrival process for the SYN packets
– D = deterministic lifetime of each half-open connection if the third handshake message is not received
11. Minimal Rates of SYN Packets (to stall TCP servers in SYN flooding attacks)
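The stalling rate implied by the G/D/INFINITY/N model on the previous slide, worked through here as an added derivation that is not part of the original deck; the numeric inputs N = 1024 half-open connections and D = 75 s are constructed illustrative values, not figures from the slides.

```latex
\text{Each SYN that never receives the third handshake message holds one of the } N \text{ slots for exactly } D \text{ seconds.}

\text{For a SYN arrival rate } \lambda, \text{ Little's law gives the mean number of occupied slots: } L = \lambda D.

\text{The server stalls (every new SYN is refused) once } L \ge N, \text{ so the minimal stalling rate is } \lambda_{\min} = \frac{N}{D}.

\text{Constructed example: } N = 1024,\; D = 75\,\mathrm{s} \;\Rightarrow\; \lambda_{\min} = \frac{1024}{75} \approx 13.7 \text{ SYN/s}.
```

Read from the defender’s side, the formula says the bar rises linearly with the backlog N and inversely with the half-open timeout D, so a larger backlog and a shorter timeout both raise the rate an attacker must sustain; mechanisms such as SYN cookies remove the per-connection state entirely, so no finite N bounds the rate and this model no longer applies.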
12. Is There Any Solution to This Problem?
The defense can be done in three ways:
• Preemption and prevention should be done before the attack
• The attack should be detected and then filtered if preemption and prevention are not done
• Attack source traceback and identification
13. Prevention and Preemption
• Hosts should be protected from master and agent implants by using signatures and scanning procedures
• Monitor network traffic for known attack messages sent between attackers and masters
• Cyber informants and cyber spies should be there to detect attacks
14. Attack Source Traceback and Identification
• There should be an after-the-fact response.
• Traceback means identifying the real source of a packet. Routers can be used for this because they can record information
• Traceback can’t work every time because of NATs and firewalls, but it is still a helpful and efficient method to use
15. Detection and Filtering
• This happens in two phases. In the first phase the attack packets are identified, and in the second phase the packets are classified and dropped
• Effectiveness of Detection
– FPR (False Positive Ratio): No. of false positives / total number of confirmed normal packets
– FNR (False Negative Ratio): No. of false negatives / total number of confirmed attack packets
• Effectiveness of Filtering
– It uses the identities found in the detection phase (e.g., victim identities) so that packets can be easily dropped.
– The percentage of normal packets that survive an attack is called the Normal Packet Survival Ratio (NPSR).
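The two phases and the three metrics on this slide, computed over a constructed packet sample by a simple per-source SYN-count detector; this is an added example, not code from the original deck, and the sample addresses, the threshold detector and the two filtering policies (drop everything from a flagged source, or rate-limit it) are assumptions chosen to show how FPR, FNR and NPSR move with the threshold.

```python
"""Detection and filtering metrics (FPR, FNR, NPSR) for a simple per-source
SYN-rate anomaly detector run over a constructed packet sample.
Added example; the sample and the detector are illustrative, not from the slides."""
from collections import Counter

# Constructed sample: (source_ip, tcp_flag, is_attack). The is_attack label is
# ground truth we know only because we built the sample ourselves.
SAMPLE = (
    [("10.0.0.1", "SYN", False)] * 3          # ordinary client
    + [("10.0.0.2", "SYN", False)] * 2        # ordinary client
    + [("10.0.0.3", "SYN", False)] * 12       # busy but legitimate client
    + [("203.0.113.9", "SYN", True)] * 40     # flooding agent
    + [("203.0.113.10", "SYN", True)] * 4     # low-rate agent hiding under the threshold
)


def detect_flooders(packets, threshold):
    """Phase 1 (detection): flag every source that sent more than `threshold`
    SYNs in the observation window."""
    counts = Counter(src for src, flag, _ in packets if flag == "SYN")
    return {src for src, n in counts.items() if n > threshold}


def detection_metrics(packets, flagged):
    """FPR = false positives / confirmed normal packets,
    FNR = false negatives / confirmed attack packets (per packet, as on the slide)."""
    normal = [p for p in packets if not p[2]]
    attack = [p for p in packets if p[2]]
    false_pos = sum(1 for src, _, _ in normal if src in flagged)
    false_neg = sum(1 for src, _, _ in attack if src not in flagged)
    return {"FPR": false_pos / len(normal), "FNR": false_neg / len(attack)}


def filter_packets(packets, flagged, threshold, mode="drop_all"):
    """Phase 2 (filtering). 'drop_all' discards every packet from a flagged source;
    'rate_limit' keeps only the first `threshold` packets from each flagged source."""
    seen = Counter()
    kept = []
    for pkt in packets:
        src = pkt[0]
        if src in flagged:
            if mode == "drop_all":
                continue
            seen[src] += 1
            if seen[src] > threshold:
                continue
        kept.append(pkt)
    return kept


def npsr(packets, kept):
    """Normal Packet Survival Ratio: share of normal packets that survive filtering."""
    normal_total = sum(1 for p in packets if not p[2])
    normal_kept = sum(1 for p in kept if not p[2])
    return normal_kept / normal_total


if __name__ == "__main__":
    for thr in (3, 10, 20):
        flagged = detect_flooders(SAMPLE, thr)
        m = detection_metrics(SAMPLE, flagged)
        for mode in ("drop_all", "rate_limit"):
            kept = filter_packets(SAMPLE, flagged, thr, mode)
            print(f"threshold={thr:2d} {mode:10s} FPR={m['FPR']:.2f} "
                  f"FNR={m['FNR']:.2f} NPSR={npsr(SAMPLE, kept):.2f}")
```

With threshold 10 the busy legitimate client is flagged alongside the flooder, so FPR is 12/17 and the drop-all policy leaves an NPSR of only 5/17, while rate-limiting the same flagged sources raises NPSR to 15/17 at the cost of letting some attack packets through; raising the threshold to 20 clears the false positive but the low-rate agent stays invisible (FNR 4/44) at every setting, which is the trade-off the two ratios are meant to expose.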
17. Attack Detection and Filtering
• Source networks
– Packets based on address spoofing can be filtered
– Direct attacks can be easily filtered, but reflector attacks are difficult
– It should be ensured that all ISPs have ingress packet filtering. Very difficult (impossible?)
• Victim’s network
– The victim can detect an attack from the volume of incoming traffic or from degraded performance.
– Other mechanisms: IP hopping (the host frequently changes its IP address when an attack is detected; DNS tracing can still help the attackers)
– Last straw: if the incoming link gets jammed, then the victim will have to shut down and ask the upstream ISP to filter the packets
18. Attack Detection and Filtering
On the Victim’s Upstream ISP Network:
• The victim frequently sends requests to filter packets
• This can be automated by designing intrusion alert systems
• Normal packets may still be dropped, and the network can still be jammed
On Other Upstream ISP Networks:
• This approach can be extended to other upstream networks
• It is effective only if the ISP networks are willing to cooperate and install packet filters
19. The Internet Firewall
• The bipolar defense scheme can’t achieve both effective packet detection and packet filtering
• There are two methods that employ a set of distributed nodes in the Internet for attack detection and packet filtering
– Route-based Packet Filtering Approach (RPF)
– Distributed Attack Detection Approach (DAD)
20. Route-based Packet Filtering
• It extends the packet filtering approach to the Internet
– Distributed packet filters examine packets based on their addresses and BGP routing information
– A packet is considered an attack packet if it comes from an unexpected link
• Some disadvantages
– It requires BGP messages to carry the source addresses: overhead!
– Deployment is tough! Filters should be placed in almost 1800 ASes (when there were 10,000 ASes), and the number of ASes is continuously increasing
– It is unable to filter reflected packets
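The two filtering checks from slides 17 and 20 side by side on a constructed topology: ingress filtering at the source network (is the source address inside the network’s own prefix?) and route-based filtering (did the packet arrive on the link that routing information predicts for its source prefix?). This is an added example, not code from the deck; the prefixes, link names and the expected-link table are assumptions standing in for what a real filter would take from its configuration and BGP, and the last packet shows why a reflected reply passes both checks.

```python
"""Source-network ingress filtering and route-based packet filtering (RPF)
on a constructed topology. Added example, not from the slides; the prefixes,
link names and the expected-link table are assumptions standing in for what a
real filter would derive from its configuration and BGP routing information."""
import ipaddress

# The filtering router's own customer prefix (for ingress filtering at the source network).
CUSTOMER_PREFIX = ipaddress.ip_network("192.0.2.0/24")

# Route-based filtering: for each known source prefix, the link on which packets
# from it are expected to arrive. The prefixes are non-overlapping, so a plain
# scan is enough here; a real filter would use longest-prefix match.
EXPECTED_LINK = {
    ipaddress.ip_network("192.0.2.0/24"): "customer",
    ipaddress.ip_network("198.51.100.0/24"): "peer-A",
    ipaddress.ip_network("203.0.113.0/24"): "peer-B",
}


def ingress_filter_ok(src_ip, customer_prefix=CUSTOMER_PREFIX):
    """Source-network check: a packet leaving the customer network must carry a
    source address inside that network's own prefix; anything else is spoofed."""
    return ipaddress.ip_address(src_ip) in customer_prefix


def route_based_filter_ok(src_ip, arrival_link, table=EXPECTED_LINK):
    """Route-based check: a packet whose source prefix is known is dropped if it
    arrived on a link other than the expected one. Unknown sources are passed,
    since this toy table has no information about them."""
    ip = ipaddress.ip_address(src_ip)
    for prefix, link in table.items():
        if ip in prefix:
            return link == arrival_link
    return True


# Constructed packets: (label, src, dst, arrival_link)
PACKETS = [
    ("legit-outbound", "192.0.2.10", "198.51.100.5", "customer"),
    ("direct-attack-spoofed", "203.0.113.7", "198.51.100.5", "customer"),
    ("wrong-link", "192.0.2.10", "198.51.100.5", "peer-B"),
    # A reflector at 203.0.113.7 answering a spoofed request: the source is its
    # real address and it arrives on its expected link, so neither check fires.
    ("reflected-reply", "203.0.113.7", "192.0.2.10", "peer-B"),
]


def classify(packets):
    """Apply ingress filtering on the customer link and route-based filtering on
    every link; return per-packet verdicts (True = pass, None = not applicable)."""
    verdicts = {}
    for label, src, dst, link in packets:
        ingress = ingress_filter_ok(src) if link == "customer" else None
        rpf = route_based_filter_ok(src, link)
        verdicts[label] = {"ingress": ingress, "rpf": rpf,
                           "forwarded": (ingress is not False) and rpf}
    return verdicts


if __name__ == "__main__":
    for label, v in classify(PACKETS).items():
        print(f"{label:22s} ingress={v['ingress']} rpf={v['rpf']} forwarded={v['forwarded']}")
```

The spoofed direct-attack packet is stopped by either check, and a packet that shows up on the wrong link is stopped by the route-based one, but the reflected reply carries the reflector’s genuine address on the link routing predicts for it, so it is forwarded; that is the “unable to filter reflected packets” limitation in concrete form.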
21. Distributed Attack Detection (DAD)
• It deploys a set of distributed Detection Systems (DSs) to see if there are anomalies, misuses or any other problems with the network
• Anomaly detection: it observes and detects traffic patterns that are not normal (e.g., unusual traffic intensity for specific packet types)
• Misuse detection: it identifies traffic that matches a known attack signature
• These usually rely on anomaly detection. Different DSs exchange attack information from their local observations
• Designing an effective and deployable architecture for the DAD approach is a challenging task
24. Disadvantages
• Limitations of a mathematical nature:
– Choices of global and local thresholds, traffic modeling, etc.
• Performance problems:
– Two-level detection can’t be useful for DDoS attacks of short duration
– Sometimes flash crowds trigger false alarms
• Other ways of attack:
– DoS attacks that use ‘pulsing agents’ with short bursts
– Using different sets of attack agents each time
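The DAD approach of slide 21 and the threshold and flash-crowd problems of slide 24, put into a small two-level detector: each detection system (DS) compares the intensity it observes toward a destination against a local threshold and reports, and a coordinator raises a global alarm when enough DSs report and their summed intensity passes a global threshold. This is an added example rather than the architecture the deck describes; the aggregation rule, the baselines and every threshold value are assumptions, chosen so the three constructed scenarios show a detected flood, a flash crowd that trips a false alarm, and a single-DS pulse that is missed.

```python
"""Two-level distributed attack detection (DAD) with local and global thresholds,
run over constructed observations. Added example, not from the slides: the
aggregation rule, the baselines and the threshold values are assumptions chosen
to show why threshold choice and flash crowds are hard."""
from collections import defaultdict

# Learned per-destination baseline intensity (packets/s) shared by every DS.
# Constructed values.
BASELINE = {"victim": 100.0, "popular-site": 500.0}


def local_detect(flows, local_threshold, baseline=BASELINE):
    """Anomaly detection at one detection system (DS): sum the observed intensity
    per destination and report those exceeding local_threshold x baseline."""
    observed = defaultdict(float)
    for dst, pps in flows:
        observed[dst] += pps
    return {dst: pps for dst, pps in observed.items()
            if pps > local_threshold * baseline.get(dst, 1.0)}


def global_decide(reports, global_threshold, min_reporting):
    """Coordinator: declare a destination under attack when at least
    min_reporting DSs reported it and their summed intensity exceeds
    global_threshold. Returns {destination: summed_intensity}."""
    per_dst = defaultdict(list)
    for ds_name, report in reports.items():
        for dst, pps in report.items():
            per_dst[dst].append(pps)
    alarms = {}
    for dst, values in per_dst.items():
        total = sum(values)
        if len(values) >= min_reporting and total > global_threshold:
            alarms[dst] = total
    return alarms


def run(scenario, local_threshold=5.0, global_threshold=2000.0, min_reporting=2):
    """First level at each DS, second level at the coordinator."""
    reports = {ds: local_detect(flows, local_threshold) for ds, flows in scenario.items()}
    return global_decide(reports, global_threshold, min_reporting)


# Scenario 1: a distributed flood toward "victim" observed at three DSs.
FLOOD = {
    "DS-1": [("victim", 900.0)],
    "DS-2": [("victim", 700.0)],
    "DS-3": [("victim", 800.0), ("popular-site", 520.0)],
}
# Scenario 2: a flash crowd, legitimate users surging toward "popular-site".
FLASH_CROWD = {
    "DS-1": [("popular-site", 3000.0)],
    "DS-2": [("popular-site", 2500.0)],
    "DS-3": [("popular-site", 2800.0)],
}
# Scenario 3: a short burst that only one DS sees (the "pulsing agents" case).
PULSE = {
    "DS-1": [("victim", 900.0)],
    "DS-2": [("victim", 50.0)],
    "DS-3": [("victim", 60.0)],
}

if __name__ == "__main__":
    for name, scenario in (("flood", FLOOD), ("flash crowd", FLASH_CROWD), ("pulse", PULSE)):
        print(f"{name:12s} -> {run(scenario)}")
```

With the default thresholds the flood is reported by all three DSs and alarmed, the flash crowd is reported by two DSs and alarmed as well (a false alarm, since nothing distinguishes a surge of real users from a flood in intensity alone), and the pulse that only one DS observes never reaches the second level. Raising the local threshold to 7 silences the flash crowd but also drops the flood below the global threshold, which is the threshold-choice problem the slide names.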
25. Summing Up
• Current defense mechanisms are far from adequate
• One promising direction is to develop a global infrastructure, an Internet Firewall
• Deployment and design considerations should be worked upon
• We see that DDoS defense is possible through careful planning, and this topic covered defense mechanisms which try to discover and slow down bad clients