DDoS Attacks
Vitor Jesus
http://vitorjesus.com
bcu@vitorjesus.com
Birmingham
25-Aug-2017
for this online version, all figures and slides with copyright were removed
DoS
• a Denial-of-Service attack is one that prevents a [networked] function from working normally.
• Overwhelming a server with traffic is DoS.
• Remotely exhausting the available memory of an application is DoS.
• It is distributed if there’s coordination of multiple parties to develop the attack.
DDoS
(figure: classification of denial of service)
• unintended: not meeting service demand (not only for Internet applications)
• unintended: imperfect implementation or design of a protocol
• intended
DDoS
(figure, continued: the same classification with the example “Cellular DoS” added)
DDoS
what is the Slashdot Effect?
DDoS
(figure, continued: the same classification with the examples “Cellular DoS” and “Slashdot effect” added)
DDoS
what is the oldest DDoS attack?
(in the history of the Internet)
(arguably)
(not necessarily intended)
(T&Cs apply)
DDoS
what is the oldest DDoS attack?
figures removed – OSPF flooding processes
DDoS
(figure, continued: the same classification with the examples “Cellular DoS”, “OSPF” and “Slashdot effect” added)
claimed author: r/verisimilarity
the scale of the problem
(figures removed)
DDoS peaks
2007: 20 Gbps
2010: 100 Gbps
2013: 300 Gbps
2016: ~1 Tbps
2017 TD: 100 Gbps
DDoS: it’s a business
• a DDoS-as-a-Service operation run by two Israeli teenagers was shut down
• a 300-second DDoS attack at around 100 Gbps could cost less than $10
techniques
800Gbps: how can such a scale of bandwidth be created?
techniques
step 1: find a widespread vulnerability in a protocol with good amplification (pps and size)
step 2: find a way to reflect the traffic towards the victim
step 3: (and/or) compromise hosts using another vulnerability – botnets
Ballpark figures:
• DNS amplification: 50%
• NTP amplification: 30%
• Chargen amplification: 10%
• SSDP amplification: 10%
• others: ~5%
amplification factor
Christian Rossow, Amplification Hell: Revisiting Network Protocols for DDoS Abuse, NDSS ’14, 23-26 February 2014, San Diego, CA, USA
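The amplification factor the Rossow paper uses is a simple ratio, but it is the number a defender needs when auditing their own public UDP services for reflector potential. The following Python is an added example, not code from the slides or the paper: it pairs request and reply datagrams from a constructed capture, computes the paper’s bandwidth (BAF) and packet (PAF) amplification factors per service, and flags the services above a threshold. All addresses, ports and sizes are constructed and are not the measured values reported in the paper.

```python
"""Bandwidth and packet amplification factors, as defined in Rossow's
"Amplification Hell" (NDSS '14):

    BAF = UDP payload bytes service -> client / UDP payload bytes client -> service
    PAF = packets service -> client / packets client -> service

Added example, not part of the slides or the paper. Use case: a defender
auditing a packet capture of their own public UDP services to see which
ones would act as reflectors/amplifiers. The datagram records below are
CONSTRUCTED; the sizes are made up and are not the paper's measurements.
"""
from collections import defaultdict

# Constructed records: (src_ip, src_port, dst_ip, dst_port, udp_payload_bytes).
# 10.0.0.9 is the auditing client; 192.0.2.x are the audited services.
DATAGRAMS = [
    # service 192.0.2.1:123 answers one 48-byte request with eight 482-byte packets
    ("10.0.0.9", 40001, "192.0.2.1", 123, 48),
] + [("192.0.2.1", 123, "10.0.0.9", 40001, 482)] * 8 + [
    # service 192.0.2.2:53 answers one 64-byte request with a single 3072-byte packet
    ("10.0.0.9", 40002, "192.0.2.2", 53, 64),
    ("192.0.2.2", 53, "10.0.0.9", 40002, 3072),
    # service 192.0.2.3:9 answers a 200-byte request with a 40-byte packet
    ("10.0.0.9", 40003, "192.0.2.3", 9, 200),
    ("192.0.2.3", 9, "10.0.0.9", 40003, 40),
]
SERVICE_PORTS = {123, 53, 9}


def amplification_by_service(datagrams, service_ports):
    """Pair requests (client -> service port) with the replies sent back to
    the same client/port and return {(service_ip, port): (BAF, PAF)}.
    If several clients probed the same service, the largest BAF is kept."""
    req_bytes, req_pkts = defaultdict(int), defaultdict(int)
    resp_bytes, resp_pkts = defaultdict(int), defaultdict(int)
    for src, sport, dst, dport, size in datagrams:
        if dport in service_ports:                  # request: client -> service
            key = (src, sport, dst, dport)
            req_bytes[key] += size
            req_pkts[key] += 1
        elif sport in service_ports:                # reply: service -> client
            key = (dst, dport, src, sport)          # normalise to the request's key
            resp_bytes[key] += size
            resp_pkts[key] += 1
    result = {}
    for key, rb in req_bytes.items():
        service = key[2:]                           # (service_ip, service_port)
        baf = resp_bytes[key] / rb
        paf = resp_pkts[key] / req_pkts[key]
        if service not in result or baf > result[service][0]:
            result[service] = (baf, paf)
    return result


def audit(factors, baf_threshold=5.0):
    """Services whose BAF reaches the threshold, worst amplifier first:
    [((service_ip, port), BAF rounded to 1 decimal, PAF), ...]."""
    flagged = [(svc, round(b, 1), p) for svc, (b, p) in factors.items()
               if b >= baf_threshold]
    return sorted(flagged, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for svc, b, p in audit(amplification_by_service(DATAGRAMS, SERVICE_PORTS)):
        print(f"{svc[0]}:{svc[1]}  BAF={b}  PAF={p}")
```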
Mirai botnet
• impact
  • it brought down Airbnb, Netflix, Amazon, Verizon, Twitter, PayPal, Spotify, etc.
  • it even impacted interdomain routing
  • then they attacked Brian Krebs
  • delivered peaks of 1 Tbps
  • Akamai (CDN) gave up.
  • Google offered Project Shield
• Mirai compromised “things”
  • mostly IP cameras
  • source code available
  • traffic from 141 different countries
  • hundreds of thousands of devices
• modus operandi
  • device tested for weak passwords
  • it connected to a C&C
  • multiple protocols: HTTP, GRE (VPN), plain TCP, DNS, plain UDP, …
• 20yo with minor contributions from others – arrested
a taxonomy
J. Mirkovic, P. Reiher, A Taxonomy of DDoS Attack and DDoS Defense Mechanisms, ACM Computer Communication Review, 2004
mitigation
• Why is it even possible to do DDoS to this scale? Is the Internet not
policed in some way?
• for example, why can’t the operators just stop it? Everything is
connected to an operator anyway and someone is paying the bill.
mitigation – no easy answer
• end to end paradigm is still valid to a large extent
• vulnerabilities, at different levels, will always exist
• Internet security is highly interdependent
• differentiation of legitimate and malicious traffic is not trivial
• network and node resources will always be scarce
• split intelligence vs resource
• the Internet lacks in-built accountability
• social: there’s often a void of legislation about DDoS; authorities will investigate but that’s already after the fact.
mitigation – no easy answer
• end to end paradigm is still valid to a large extent
  • Future Internet maybe? Not something most people would like to change.
mitigation – no easy answer
• vulnerabilities, at different levels, will always exist
  • perfect security is impossible. That’s why we are all here in this room.
  • it combines Humans, Technologies, Standards, Practices, Regulations, Policies, Politics, Economics
  • Chargen: used in 11% of attacks
  • mitigation of Mirai:
    • Secure Software Development practices – a semester on its own
    • Secure product delivery
    • Vendors should consider trading Features for Security
    • user awareness
    • better DNS and UPnP hardening; DNS with longer TTLs, discarding of stale records; redundant servers
mitigation – no easy answer
• Internet security is highly interdependent
  • many administratively independent parties
    • Governments/States, ISPs, private organisations, users, machines
  • DDoS can start in minutes – coordination time is challenging
  • Cyber Threat Intelligence is key: TAXII, STIX, CybOX
    • messaging (TAXII) + representation of threats (STIX) + observables (CybOX)
    • https://www.us-cert.gov/Information-Sharing-Specifications-Cybersecurity
  • Jessica Steinberger, et al., Collaborative DDoS Defense using Flow-based Security Event Information, IEEE/IFIP NOMS, 2016
  • IETF DDoS Open Threat Signaling (DOTS), 2017
  • François, Aib, Boutaba, FireCol: a collaborative protection network for the detection of flooding DDoS attacks, IEEE/ACM Trans. on Networking, v20, i6, Dec 2012
    • distributed and collaborative IPS architecture on ISPs
(figure: levels of abstraction for shared security information: packets, flows, aggregates of flows, aggregates of flows + context)
mitigation – no easy answer
• differentiation between legitimate and malicious traffic is not trivial
  • it builds on mathematical and statistical analysis
  • overall, math techniques are not quite cutting it
  • did not find a single paper on DDoS detection with context
  • context is a very complex topic
  • anyone wants to think about this?
(figure: a likelihood scale, impossible / unlikely / possible / likely / very likely, set against the context questions how, why, when, where, who)
mitigation (detection, 1/2)
• Y. Xiang, Y. Lin, W.L. Lei, S.J. Huang, Detecting DDOS attack based on network self-similarity, IEE Communications Letters, Volume: 151, Issue: 3, June 2004
  • Self-similarity is a statistical/fractal analysis. If it is high, zooming in/out (so playing with scales) will essentially not change the picture.
• Lan Li, Gyungho Lee, DDoS Attack Detection and Wavelets, Springer, Telecommunication Systems, March 2005, Volume 28, Issue 3–4
  • wavelets
• Yu Chen, Kai Hwang, Collaborative detection and filtering of shrew DDoS attacks using spectral analysis, J of Parallel and Distributed Computing, Volume 66, Issue 9, September 2006
  • shrew attacks – TCP-based. Just like in the cartoon.
mitigation (detection, 2/2)
• Shui Yu, Wanlei Zhou, Robin Doss, Weijia Jia, Traceback of DDoS Attacks Using Entropy Variations, IEEE Trans on Parallel and Distributed Systems, Volume: 22, Issue: 3, March 2011
  • fingerprinting the traffic and tracing the signature back to the source
• Yang Xiang, Ke Li, Wanlei Zhou, Low-Rate DDoS Attacks Detection and Traceback by Using New Information Metrics, IEEE Trans on Information Forensics and Security, Volume: 6, Issue: 2, June 2011
  • low rate is harder to detect than a sharp pulse: DegDoS
• S. Yu et al, Discriminating DDoS Attacks from Flash Crowds Using Flow Correlation Coefficient, IEEE Trans on Parallel and Distributed Systems, Volume: 23, Issue: 6, June 2012
  • self-similarity of DDoS traffic is different than that of flash crowds
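The detection papers above lean on statistics of the traffic rather than on signatures. As an added example (not from the slides or any of the cited papers), the Python below sketches the entropy-variation idea in its simplest form: per time window, the Shannon entropy of source and destination addresses is compared against a learned baseline, and a window where destination entropy collapses while source entropy jumps (many sources concentrating on one target) is flagged. The flow records, addresses, window size and thresholds are constructed for the example.

```python
"""Entropy-variation style DDoS detection over flow records.

Added example; it follows the general idea behind the entropy-based papers
listed above rather than reproducing any paper's exact metric. Flow records
are CONSTRUCTED: (timestamp_s, src_ip, dst_ip, packets).
"""
import math
from collections import Counter, defaultdict


def shannon_entropy(counts):
    """Shannon entropy in bits of a distribution given as raw counts."""
    total = sum(counts)
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def window_entropies(flows, window_s):
    """Bucket flows into fixed windows and return {window: (H_src, H_dst)},
    each entropy weighted by packet count rather than by flow count."""
    src = defaultdict(Counter)
    dst = defaultdict(Counter)
    for ts, s, d, pkts in flows:
        w = int(ts // window_s)
        src[w][s] += pkts
        dst[w][d] += pkts
    return {w: (shannon_entropy(src[w].values()),
                shannon_entropy(dst[w].values())) for w in sorted(src)}


def _mean_std(values):
    n = len(values)
    mean = sum(values) / n
    return mean, math.sqrt(sum((v - mean) ** 2 for v in values) / n)


def detect(entropies, baseline_windows, k=3.0, min_std=0.05):
    """Learn the normal range of (H_src, H_dst) from the first
    baseline_windows windows, then flag later windows where destination
    entropy falls below mean - k*std AND source entropy rises above
    mean + k*std. min_std keeps a very flat baseline from turning ordinary
    jitter into alerts. Note: a flash crowd can look the same; telling the
    two apart is the separate problem the flow-correlation paper addresses."""
    base = [entropies[w] for w in sorted(entropies)[:baseline_windows]]
    src_mean, src_std = _mean_std([h for h, _ in base])
    dst_mean, dst_std = _mean_std([h for _, h in base])
    src_hi = src_mean + k * max(src_std, min_std)
    dst_lo = dst_mean - k * max(dst_std, min_std)
    return [w for w in sorted(entropies)[baseline_windows:]
            if entropies[w][0] > src_hi and entropies[w][1] < dst_lo]


def constructed_flows():
    """CONSTRUCTED records: six 60 s windows of background traffic from six
    clients to four servers, then two windows where 40 extra sources each
    send 500 packets to one server. Addresses are documentation ranges."""
    flows = []
    srcs = [f"10.0.0.{i}" for i in range(1, 7)]
    dsts = [f"192.0.2.{j}" for j in range(1, 5)]
    for w in range(8):
        for i, s in enumerate(srcs):
            for j, d in enumerate(dsts):
                flows.append((w * 60 + 1, s, d, 10 + (i * 7 + j * 3 + w * 5) % 9))
        if w >= 6:
            for n in range(40):
                flows.append((w * 60 + 2, f"198.51.100.{n + 1}", dsts[0], 500))
    return flows


if __name__ == "__main__":
    ent = window_entropies(constructed_flows(), window_s=60)
    for w, (h_src, h_dst) in ent.items():
        print(f"window {w}: H_src={h_src:.2f} H_dst={h_dst:.2f}")
    print("flagged windows:", detect(ent, baseline_windows=6))
```

In real deployments the baseline is usually re-learned on a rolling basis and the entropies are computed per router or per customer prefix, which is what lets the traceback papers above follow the variation hop by hop.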
mitigation – no easy answer
• network and node resources will always be scarce
  • because everything is scarce. This makes more sense, however, combined with the next.
mitigation – no easy answer
• split intelligence vs resource
  • interdomain, carrier-grade routers: built for packet switching speed
  • data centre application server: built for programmable functionality
  • this creates, however, the need for new types of elements:
    • L4+ firewalls, Load Balancers, Reverse Proxies, Web-Application Firewalls, CDNs, etc
    • their task is to be fast, resilient and simple (as possible)
  • cloud DDoS protection services: everything in the cloud
mitigation (split features)
(figure: product logos: Cisco ASA, F5, Barracuda, nginx, cloudflare, incapsula)
mitigation – no easy answer
• the Internet lacks in-built accountability
  • David G. Andersen, Hari Balakrishnan, Nick Feamster, Teemu Koponen, Daekyeong Moon, Scott Shenker, Accountable Internet Protocol (AIP), Sigcomm 2008
    • very interesting paper. Utterly non-implementable nowadays. Future Internet maybe.
    • the source address is a public key; helps with DDoS, spoofing, routing trust
  • other approaches exist but one way or the other they require disruptive changes to IP
mitigation – no easy answer
• social: there’s often a void of legislation about DDoS; authorities will investigate but that’s already after the fact.
  • helps as a deterrent but not much more
  • what public policies would help?
main takeaways
• the main enabling equation:
  • DDoS = amplifying vulnerabilities + reflecting traffic
• DDoS is here to stay.
  • a 20yo amateur software developer was able to bring down giants such as Amazon
  • There will always be a vulnerability to exploit.
• it is a key concern, by far, of ISPs
• Realtime defense progressed
  • detection techniques matured but only help so much
  • best solution so far: throw bandwidth back at it – horsepower + specialised nodes
• It is a multidimensional problem
  • The Internet architecture does not help: deficient multiparty coordination, no way to guarantee detection, limited accountability, and there are economic incentives
food for thought
• a key problem is that sending a packet costs nothing
  • what if it cost a vestigial amount: so cheap for fair use but expensive for a DDoS
  • we do need an Accountable Internet
  • does anybody see where I am going?
• imagine detection was perfect and came just about 5 min before the attack started
  • can we blackhole this traffic at the interdomain level?
  • inter-ISP coordination is the key
• what would be an effective, and reasonable, public policy?
  • hint 1: DfT guidance on Security for connected cars, August-2017
  • hint 2: US Internet of Things Cybersecurity Improvement Act of 2017
further reading
• Alberto Compagno, Mauro Conti, Paolo Gasti, Gene Tsudik, Poseidon: Mitigating interest flooding DDoS attacks in Named Data Networking, 38th IEEE Local Computer Networks (LCN) Conf, 2013
• Rodrigo Braga, Edjard Mota, Alexandre Passito, Lightweight DDoS flooding attack detection using NOX/OpenFlow, 35th IEEE Local Computer Networks (LCN) Conf, 2010
• Bing Wang, Yao Zheng, Wenjing Lou, Y. Thomas Hou, DDoS attack protection in the era of cloud computing and Software-Defined Networking, Computer Networks (ComNet), Volume 81, 22 April 2015
• Qiao Yan, F. Richard Yu, Qingxiang Gong, Jianqiang Li, Software-Defined Networking (SDN) and Distributed Denial of Service (DDoS) Attacks in Cloud Computing Environments: A Survey, Some Research Issues, and Challenges, IEEE Communications Surveys & Tutorials, V 18, I 1, 1Q 2016
  • highly recommended and easy to read
Thank you.

More Related Content

What's hot

Entropy and denial of service attacks
Entropy and denial of service attacksEntropy and denial of service attacks
Entropy and denial of service attackschris zlatis
 
DDoS Attack and Mitigation
DDoS Attack and MitigationDDoS Attack and Mitigation
DDoS Attack and MitigationDevang Badrakiya
 
Ddos- distributed denial of service
Ddos- distributed denial of service Ddos- distributed denial of service
Ddos- distributed denial of service laxmi chandolia
 
Assingement on dos ddos
Assingement on dos  ddosAssingement on dos  ddos
Assingement on dos ddoskalyan kumar
 
Ddos and mitigation methods.pptx
Ddos and mitigation methods.pptxDdos and mitigation methods.pptx
Ddos and mitigation methods.pptxOzkan E
 
Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Gaurav Sharma
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attackKaustubh Padwad
 
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionKHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionAPNIC
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksSecurity Session
 
DDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationDDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationJerod Brennen
 
10 DDoS Mitigation Techniques
10 DDoS Mitigation Techniques10 DDoS Mitigation Techniques
10 DDoS Mitigation TechniquesIntruGuard
 

What's hot (20)

DDoS Attack
DDoS AttackDDoS Attack
DDoS Attack
 
DDoS-bdNOG
DDoS-bdNOGDDoS-bdNOG
DDoS-bdNOG
 
Entropy and denial of service attacks
Entropy and denial of service attacksEntropy and denial of service attacks
Entropy and denial of service attacks
 
DDoS Attack and Mitigation
DDoS Attack and MitigationDDoS Attack and Mitigation
DDoS Attack and Mitigation
 
Module 9 Dos
Module 9   DosModule 9   Dos
Module 9 Dos
 
Ddos- distributed denial of service
Ddos- distributed denial of service Ddos- distributed denial of service
Ddos- distributed denial of service
 
Assingement on dos ddos
Assingement on dos  ddosAssingement on dos  ddos
Assingement on dos ddos
 
DDOS ATTACKS
DDOS ATTACKSDDOS ATTACKS
DDOS ATTACKS
 
DDoS ATTACKS
DDoS ATTACKSDDoS ATTACKS
DDoS ATTACKS
 
Ddos and mitigation methods.pptx
Ddos and mitigation methods.pptxDdos and mitigation methods.pptx
Ddos and mitigation methods.pptx
 
Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)
 
Ddos
DdosDdos
Ddos
 
Dos n d dos
Dos n d dosDos n d dos
Dos n d dos
 
DDos
DDosDDos
DDos
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
 
Denail of Service
Denail of ServiceDenail of Service
Denail of Service
 
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionKHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack Prevention
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacks
 
DDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationDDoS Attack Preparation and Mitigation
DDoS Attack Preparation and Mitigation
 
10 DDoS Mitigation Techniques
10 DDoS Mitigation Techniques10 DDoS Mitigation Techniques
10 DDoS Mitigation Techniques
 

Similar to DDoS Attacks

Using NetFlow to Streamline Security Analysis and Response to Cyber Threats
Using NetFlow to Streamline Security Analysis and Response to Cyber ThreatsUsing NetFlow to Streamline Security Analysis and Response to Cyber Threats
Using NetFlow to Streamline Security Analysis and Response to Cyber ThreatsEmulex Corporation
 
Cybersecurity.pptx
Cybersecurity.pptxCybersecurity.pptx
Cybersecurity.pptxJohn Donahue
 
Cyber security by Gaurav Singh
Cyber security by Gaurav SinghCyber security by Gaurav Singh
Cyber security by Gaurav SinghGaurav Singh
 
Distributed Denial Of Service ( Ddos )
Distributed Denial Of Service ( Ddos )Distributed Denial Of Service ( Ddos )
Distributed Denial Of Service ( Ddos )Sharon Lee
 
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDCThe Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDCCloudflare
 
ICRTITCS-2012 Conference Publication
ICRTITCS-2012 Conference PublicationICRTITCS-2012 Conference Publication
ICRTITCS-2012 Conference PublicationTejaswi Agarwal
 
IoT DDoS Attacks: the stakes have changed
IoT DDoS Attacks: the stakes have changed IoT DDoS Attacks: the stakes have changed
IoT DDoS Attacks: the stakes have changed Great Bay Software
 
Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022PECB
 
Solving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecuritySolving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecurityLancope, Inc.
 
Second line of defense for cybersecurity : Blockchain
Second line of defense for cybersecurity : BlockchainSecond line of defense for cybersecurity : Blockchain
Second line of defense for cybersecurity : BlockchainAhmed Banafa
 
A new way to prevent Botnet Attack
A new way to prevent Botnet AttackA new way to prevent Botnet Attack
A new way to prevent Botnet Attackyennhi2812
 
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...Eric Vanderburg
 
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...TI Safe
 
security in IOT.pptx
security in IOT.pptxsecurity in IOT.pptx
security in IOT.pptxTulasi72
 
Android vulnerability study
Android vulnerability studyAndroid vulnerability study
Android vulnerability studySri Harsha Pamu
 
ITSecurity_DDOS_Mitigation
ITSecurity_DDOS_MitigationITSecurity_DDOS_Mitigation
ITSecurity_DDOS_MitigationR. Blake Martin
 
Presentation1 shweta
Presentation1 shweta Presentation1 shweta
Presentation1 shweta swet4
 
TakeDownCon Rocket City: Technology Deathmatch, The arms race is on by Sean B...
TakeDownCon Rocket City: Technology Deathmatch, The arms race is on by Sean B...TakeDownCon Rocket City: Technology Deathmatch, The arms race is on by Sean B...
TakeDownCon Rocket City: Technology Deathmatch, The arms race is on by Sean B...EC-Council
 

Similar to DDoS Attacks (20)

Cloud security
Cloud securityCloud security
Cloud security
 
Using NetFlow to Streamline Security Analysis and Response to Cyber Threats
Using NetFlow to Streamline Security Analysis and Response to Cyber ThreatsUsing NetFlow to Streamline Security Analysis and Response to Cyber Threats
Using NetFlow to Streamline Security Analysis and Response to Cyber Threats
 
Cybersecurity.pptx
Cybersecurity.pptxCybersecurity.pptx
Cybersecurity.pptx
 
Brooks18
Brooks18Brooks18
Brooks18
 
Cyber security by Gaurav Singh
Cyber security by Gaurav SinghCyber security by Gaurav Singh
Cyber security by Gaurav Singh
 
Distributed Denial Of Service ( Ddos )
Distributed Denial Of Service ( Ddos )Distributed Denial Of Service ( Ddos )
Distributed Denial Of Service ( Ddos )
 
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDCThe Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
 
ICRTITCS-2012 Conference Publication
ICRTITCS-2012 Conference PublicationICRTITCS-2012 Conference Publication
ICRTITCS-2012 Conference Publication
 
IoT DDoS Attacks: the stakes have changed
IoT DDoS Attacks: the stakes have changed IoT DDoS Attacks: the stakes have changed
IoT DDoS Attacks: the stakes have changed
 
Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022
 
Solving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecuritySolving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective Security
 
Second line of defense for cybersecurity : Blockchain
Second line of defense for cybersecurity : BlockchainSecond line of defense for cybersecurity : Blockchain
Second line of defense for cybersecurity : Blockchain
 
A new way to prevent Botnet Attack
A new way to prevent Botnet AttackA new way to prevent Botnet Attack
A new way to prevent Botnet Attack
 
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
 
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
 
security in IOT.pptx
security in IOT.pptxsecurity in IOT.pptx
security in IOT.pptx
 
Android vulnerability study
Android vulnerability studyAndroid vulnerability study
Android vulnerability study
 
ITSecurity_DDOS_Mitigation
ITSecurity_DDOS_MitigationITSecurity_DDOS_Mitigation
ITSecurity_DDOS_Mitigation
 
Presentation1 shweta
Presentation1 shweta Presentation1 shweta
Presentation1 shweta
 
TakeDownCon Rocket City: Technology Deathmatch, The arms race is on by Sean B...
TakeDownCon Rocket City: Technology Deathmatch, The arms race is on by Sean B...TakeDownCon Rocket City: Technology Deathmatch, The arms race is on by Sean B...
TakeDownCon Rocket City: Technology Deathmatch, The arms race is on by Sean B...
 

Recently uploaded

ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEHimani415946
 
How Do I Begin the Linksys Velop Setup Process?
How Do I Begin the Linksys Velop Setup Process?How Do I Begin the Linksys Velop Setup Process?
How Do I Begin the Linksys Velop Setup Process?Linksys Velop Login
 
The AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdfThe AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdfSiskaFitrianingrum
 
Pvtaan Social media marketing proposal.pdf
Pvtaan Social media marketing proposal.pdfPvtaan Social media marketing proposal.pdf
Pvtaan Social media marketing proposal.pdfPvtaan
 
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理aagad
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxlaozhuseo02
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxGal Baras
 
The Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case StudyThe Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case StudyDamar Juniarto
 
Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxabhinandnam9997
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shoplaozhuseo02
 

Recently uploaded (12)

ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
 
How Do I Begin the Linksys Velop Setup Process?
How Do I Begin the Linksys Velop Setup Process?How Do I Begin the Linksys Velop Setup Process?
How Do I Begin the Linksys Velop Setup Process?
 
The AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdfThe AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdf
 
Pvtaan Social media marketing proposal.pdf
Pvtaan Social media marketing proposal.pdfPvtaan Social media marketing proposal.pdf
Pvtaan Social media marketing proposal.pdf
 
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
 
The Best AI Powered Software - Intellivid AI Studio
The Best AI Powered Software - Intellivid AI StudioThe Best AI Powered Software - Intellivid AI Studio
The Best AI Powered Software - Intellivid AI Studio
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
The Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case StudyThe Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case Study
 
Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptx
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 

DDoS Attacks

  • 1. DDoS AttacksDDoS AttacksDDoS AttacksDDoS Attacks Vitor Jesus http://vitorjesus.com bcu@vitorjesus.com Birmingham 25-Aug-2017
  • 2. for this online version, all figures and slides with copyright were removed
  • 3. DoSDoSDoSDoS • a Denial-of-Service attack is one that prevents a [networked] function to work normally. • Overwhelming a server with traffic is DoS. • Remotely exhausting the available memory of an application is DoS. • It is distributed if there’s coordination of multiple parties to develop the attack.
  • 4. DDoSDDoSDDoSDDoS DDoS unintended not meeting service demand not only for Internet applications unintended imperfect implementation or design of protocol intended
  • 5. DDoSDDoSDDoSDDoS DDoS unintended not meeting service demand not only for Internet applications unintended imperfect implementation or design of protocol intended Cellular DoS
  • 6. DDoSDDoSDDoSDDoS what is the Slashdot Effect?
  • 7. DDoSDDoSDDoSDDoS DDoS unintended not meeting service demand not only for Internet applications unintended imperfect implementation or design of protocol intended Cellular DoS Slashdot effect
  • 8. DDoSDDoSDDoSDDoS what is the oldest DDoS attack? (in the history of the Internet) (arguably) (not necessarily intended) (T&Cs apply)
  • 9. DDoSDDoSDDoSDDoS what is the oldest DDoS attack? figures removed – OSPF flooding processes
  • 10. DDoSDDoSDDoSDDoS DDoS unintended not meeting service demand not only for Internet applications unintended imperfect implementation or design of protocol intended Cellular DoS OSPF Slashdot effect
  • 12.
  • 13. the scale of the problemthe scale of the problemthe scale of the problemthe scale of the problem (figures removed) DDoS peaks 2007: 20 Gbps 2010: 100 Gbps 2013: 300 Gbps 2016: ~1 Tbps 2017 TD: 100 Gbps
  • 14. DDoS: it’s a businessDDoS: it’s a businessDDoS: it’s a businessDDoS: it’s a business • DDoS as a Service ran by two Israeli teenagers was shutdown • a 300sec DDoS attack with around 100Gbps could cost less than $10
  • 15. ttttechniquesechniquesechniquesechniques 800Gbps: how can such a scale of bandwidth be created?
  • 16. techniquestechniquestechniquestechniques step 1: find a widespread vulnerability in a protocol with good amplification (pps and size) step 2: find a way to reflect the traffic towards the victim step 3: (and/or) compromise hosts using another vulnerability – botnets Ballpark figures: • DNS amplification: 50% • NTP amplification: 30% • Chargen amplification: 10% • SSDP amplification: 10% • others: ~5%
  • 17. aaaammmmpppplllliiiiffffiiiiccccaaaattttiiiioooonnnn ffffaaaaccccttttoooorrrr Christian Rossow, Amplification Hell: Revisiting Network Protocols for DDoS Abuse, NDSS ’14, 23-26 February 2014, San Diego, CA, USA
  • 18. Mirai botnet • impact: it brought down Airbnb, Netflix, Amazon, Verizon, Twitter, PayPal, Spotify, etc.; it even impacted interdomain routing; then they attacked Brian Krebs; delivered peaks of 1 Tbps; Akamai (CDN) gave up; Google offered Project Shield • Mirai compromised “things”: mostly IP cameras; source code available; traffic from 141 different countries; hundreds of thousands of devices • modus operandi: device tested for weak passwords; it connected to a C&C; multiple protocols: HTTP, GRE (VPN), plain TCP, DNS, plain UDP, … • a 20-year-old, with minor contributions from others, was arrested
  • 19. a taxonomy • J. Mirkovic, P. Reiher, A Taxonomy of DDoS Attack and DDoS Defense Mechanisms, ACM Computer Communication Review, 2004
  • 20. mitigation • Why is it even possible to do DDoS at this scale? Is the Internet not policed in some way? • for example, why can’t the operators just stop it? Everything is connected to an operator anyway, and someone is paying the bill.
  • 21. mitigation: no easy answer • end-to-end paradigm is still valid to a large extent • vulnerabilities, at different levels, will always exist • Internet security is highly interdependent • differentiation of legitimate and malicious traffic is not trivial • network and node resources will always be scarce • split intelligence vs resource • the Internet lacks in-built accountability • social: there’s often a void of legislation about DDoS; authorities will investigate, but that’s already after the fact.
  • 22. mitigation: no easy answer • end-to-end paradigm is still valid to a large extent • Future Internet, maybe? Not something most people would like to change.
  • 23. mitigation: no easy answer • end-to-end paradigm is still valid to a large extent • vulnerabilities, at different levels, will always exist • perfect security is impossible. That’s why we are all here in this room. • it combines humans, technologies, standards, practices, regulations, policies, politics, economics • Chargen: used in 11% of attacks • mitigation of Mirai: secure software development practices (a semester on its own); secure product delivery; vendors should consider trading features for security; user awareness; better DNS and UPnP hardening; DNS with longer TTLs, discarding of stale records; redundant servers
  • 24. mitigation: no easy answer • end-to-end paradigm is still valid to a large extent • vulnerabilities, at different levels, will always exist • Internet security is highly interdependent • many administratively independent parties: governments/states, ISPs, private organisations, users, machines • DDoS can start in minutes; coordination time is challenging • Cyber Threat Intelligence is key: TAXII, STIX, CybOX • messaging (TAXII) + representation of threats (STIX) + observables (CybOX) • https://www.us-cert.gov/Information-Sharing-Specifications-Cybersecurity • Jessica Steinberger et al., Collaborative DDoS Defense using Flow-based Security Event Information, IEEE/IFIP NOMS, 2016 • IETF DDoS Open Threat Signaling (DOTS), 2017 • François, Aib, Boutaba, FireCol: a collaborative protection network for the detection of flooding DDoS attacks, IEEE/ACM Trans. on Networking, v20, i6, Dec 2012 • distributed and collaborative IPS architecture on ISPs
  • 25. mitigation: no easy answer (figure removed: layered view of packets, flows, aggregates of flows, aggregates of flows + context) • end-to-end paradigm is still valid to a large extent • vulnerabilities, at different levels, will always exist • Internet security is highly interdependent • differentiation between legitimate and malicious traffic is not trivial • it builds on mathematical and statistical analysis • overall, math techniques are not quite cutting it • did not find a single paper on DDoS detection with context • context is a very complex topic • anyone wants to think about this? (figure removed: scale from impossible, unlikely, possible, likely to very likely; dimensions how, why, when, where, who)
  • 26. mitigation (detection, 1/2) • Y. Xiang, Y. Lin, W.L. Lei, S.J. Huang, Detecting DDOS attack based on network self-similarity, IEE Communications Letters, Volume 151, Issue 3, June 2004 • self-similarity is a statistical/fractal analysis: if it is high, zooming in/out (so playing with scales) will essentially not change the picture • Lan Li, Gyungho Lee, DDoS Attack Detection and Wavelets, Springer, Telecommunication Systems, March 2005, Volume 28, Issue 3–4 • wavelets • Yu Chen, Kai Hwang, Collaborative detection and filtering of shrew DDoS attacks using spectral analysis, J. of Parallel and Distributed Computing, Volume 66, Issue 9, September 2006 • shrew attacks: TCP-based, just like in the cartoon
  • 27. mitigation (detection, 2/2) • Shui Yu, Wanlei Zhou, Robin Doss, Weijia Jia, Traceback of DDoS Attacks Using Entropy Variations, IEEE Trans. on Parallel and Distributed Systems, Volume 22, Issue 3, March 2011 • fingerprinting the traffic and tracing the signature back to the source • Yang Xiang, Ke Li, Wanlei Zhou, Low-Rate DDoS Attacks Detection and Traceback by Using New Information Metrics, IEEE Trans. on Information Forensics and Security, Volume 6, Issue 2, June 2011 • low rate is harder to detect than a sharp pulse: DegDoS • S. Yu et al., Discriminating DDoS Attacks from Flash Crowds Using Flow Correlation Coefficient, IEEE Trans. on Parallel and Distributed Systems, Volume 23, Issue 6, June 2012 • self-similarity of DDoS traffic is different from that of flash crowds
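Two of the flow-statistics ideas cited on slides 26 and 27, the entropy-variation view and the flow correlation coefficient, as an added example that is not part of the slides or of the cited papers; the flow records are constructed, and the 0.5-bit threshold is an assumption for illustration.

```python
# Added example (not from the slides or the cited papers). Two flow-level
# detectors run over constructed NetFlow-like records: a destination-address
# entropy drop (traffic concentrating on one victim, in the spirit of the
# entropy-variation work) and a Pearson flow correlation coefficient (bot
# traffic at two vantage points tends to be more correlated than a flash crowd).
from collections import Counter
from math import log2, sqrt

# Constructed records: (time_window, dst_ip, packet_count). Windows 0-2 are
# mixed background traffic; window 3 carries a flood aimed at one host.
FLOWS = [
    (0, "198.51.100.10", 40), (0, "198.51.100.11", 35), (0, "198.51.100.12", 30),
    (1, "198.51.100.10", 38), (1, "198.51.100.11", 40), (1, "198.51.100.12", 33),
    (2, "198.51.100.10", 42), (2, "198.51.100.11", 37), (2, "198.51.100.12", 31),
    (3, "198.51.100.10", 5000), (3, "198.51.100.11", 36), (3, "198.51.100.12", 29),
]


def dst_entropy(flows, window):
    """Shannon entropy (bits) of the packet-weighted destination distribution
    in one time window. Near log2(#hosts) when traffic is spread evenly,
    near 0 when one destination dominates."""
    counts = Counter()
    for w, dst, pkts in flows:
        if w == window:
            counts[dst] += pkts
    total = sum(counts.values())
    return -sum(c / total * log2(c / total) for c in counts.values())


def entropy_drop_alert(flows, window, baseline_windows, threshold=0.5):
    """True if the window's entropy falls more than `threshold` bits below the
    mean of the baseline windows (threshold is an assumed, illustrative value)."""
    base = sum(dst_entropy(flows, w) for w in baseline_windows) / len(baseline_windows)
    return base - dst_entropy(flows, window) > threshold


def flow_correlation(a, b):
    """Pearson correlation of two per-interval rate vectors, e.g. the same
    suspected attack flow observed at two routers. Values near 1 suggest a
    coordinated (bot-generated) source; flash-crowd flows correlate less."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sqrt(sum((x - ma) ** 2 for x in a))
    vb = sqrt(sum((y - mb) ** 2 for y in b))
    return cov / (va * vb) if va and vb else 0.0
```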
  • 28. mitigation: no easy answer • end-to-end paradigm is still valid to a large extent • vulnerabilities, at different levels, will always exist • Internet security is highly interdependent • differentiation of legitimate and malicious traffic is not trivial • network and node resources will always be scarce • because everything is scarce. This makes more sense, however, combined with the next.
  • 29. mitigation: no easy answer • end-to-end paradigm is still valid to a large extent • vulnerabilities, at different levels, will always exist • Internet security is highly interdependent • differentiation of legitimate and malicious traffic is not trivial • network and node resources will always be scarce • split intelligence vs resource • interdomain, carrier-grade routers: built for packet-switching speed • data-centre application servers: built for programmable functionality • this creates, however, the need for new types of elements: L4+ firewalls, load balancers, reverse proxies, web application firewalls, CDNs, etc. • their task is to be fast, resilient and (as) simple (as possible) • cloud DDoS protection services: everything in the cloud
  • 31. mitigation: no easy answer • end-to-end paradigm is still valid to a large extent • vulnerabilities, at different levels, will always exist • Internet security is highly interdependent • differentiation of legitimate and malicious traffic is not trivial • network and node resources will always be scarce • split intelligence vs resource • the Internet lacks in-built accountability • David G. Andersen, Hari Balakrishnan, Nick Feamster, Teemu Koponen, Daekyeong Moon, Scott Shenker, Accountable Internet Protocol (AIP), SIGCOMM 2008 • very interesting paper; utterly non-implementable nowadays. Future Internet, maybe. • the source address is a public key; helps with DDoS, spoofing, routing trust • other approaches exist, but one way or the other they require disruptive changes to IP
  • 32. mitigation: no easy answer • end-to-end paradigm is still valid to a large extent • vulnerabilities, at different levels, will always exist • Internet security is highly interdependent • differentiation of legitimate and malicious traffic is not trivial • network and node resources will always be scarce • split intelligence vs resource • the Internet lacks in-built accountability • social: there’s often a void of legislation about DDoS; authorities will investigate, but that’s already after the fact • helps as a deterrent but not much more • what public policies would help?
  • 33. main takeaways • the main enabling equation: DDoS = amplifying vulnerabilities + reflecting traffic • DDoS is here to stay: a 20-year-old amateur software developer is able to bring down giants such as Amazon; there will always be a vulnerability to exploit • it is, by far, a key concern of ISPs • real-time defence has progressed: detection techniques have matured but only help so much; best solution so far: throw bandwidth back at it (horsepower + specialised nodes) • it is a multidimensional problem: the Internet architecture does not help, deficient multiparty coordination, impossibility of detection assurances, limited accountability, and there are economic incentives
  • 34. food for thought • a key problem is that sending a packet costs nothing • what if it cost a vestigial amount: cheap enough for fair use but expensive for a DDoS? • we do need an Accountable Internet • anybody see where I am going? • imagine detection was perfect and happened just about 5 min before the attack started: can we blackhole this traffic at the interdomain level? • inter-ISP coordination is the key • what would be an effective and reasonable public policy? • hint 1: DfT guidance on security for connected cars, August 2017 • hint 2: US Internet of Things Cybersecurity Improvement Act of 2017
  • 35. further reading • Alberto Compagno, Mauro Conti, Paolo Gasti, Gene Tsudik, Poseidon: Mitigating interest flooding DDoS attacks in Named Data Networking, 38th IEEE Local Computer Networks (LCN) Conf., 2013 • Rodrigo Braga, Edjard Mota, Alexandre Passito, Lightweight DDoS flooding attack detection using NOX/OpenFlow, 35th IEEE Local Computer Networks (LCN) Conf., 2010 • Bing Wang, Yao Zheng, Wenjing Lou, Y. Thomas Hou, DDoS attack protection in the era of cloud computing and Software-Defined Networking, Computer Networks (ComNet), Volume 81, 22 April 2015 • Qiao Yan, F. Richard Yu, Qingxiang Gong, Jianqiang Li, Software-Defined Networking (SDN) and Distributed Denial of Service (DDoS) Attacks in Cloud Computing Environments: A Survey, Some Research Issues, and Challenges, IEEE Communications Surveys & Tutorials, Vol. 18, Issue 1, 1Q 2016 • highly recommended and easy to read