The document discusses distributed denial of service (DDoS) attacks. It begins by defining DDoS and DoS attacks, noting that a DDoS attack involves coordinating multiple parties to overwhelm a server or application with traffic. The document then discusses the scale of DDoS attacks over time, how attacks on the scale of terabits per second can be achieved, and how DDoS attacks have become a business. It also summarizes the impact of the Mirai botnet and techniques for mitigating DDoS attacks through detection methods, split intelligence versus resource constraints, and the lack of built-in accountability on the internet.
2. for this online version, all figures and slides with copyright were removed
3. DoS
• a Denial-of-Service attack is one that prevents a [networked] function from working normally.
• Overwhelming a server with traffic is DoS.
• Remotely exhausting the available memory of an application is DoS.
• It is distributed if there’s coordination of multiple parties to develop the attack.
13. the scale of the problem
(figures removed)
DDoS peaks
2007: 20 Gbps
2010: 100 Gbps
2013: 300 Gbps
2016: ~1 Tbps
2017 TD: 100 Gbps
14. DDoS: it’s a business
• DDoS as a Service run by two Israeli teenagers was shut down
• a 300sec DDoS attack with around 100Gbps could cost less than $10
16. techniques
step 1: find a widespread vulnerability in a protocol with good amplification (pps and size)
step 2: find a way to reflect the traffic towards the victim
step 3: (and/or) compromise hosts using another vulnerability – botnets
Ballpark figures:
• DNS amplification: 50%
• NTP amplification: 30%
• Chargen amplification: 10%
• SSDP amplification: 10%
• others: ~5%
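Seen from the victim's side, the product of steps 1 and 2 is a stream of UDP replies from amplifier service ports, arriving from many reflectors at once. The following is an added example (not from the slides) that applies that heuristic to constructed NetFlow-style records; the port set, thresholds and addresses are assumptions for illustration.

```python
"""Flag reflected amplification traffic in NetFlow-style records (added example).

Reflection shows up at the victim as UDP replies from well-known amplifier
service ports (the vectors the slides list: DNS 53, NTP 123, Chargen 19,
SSDP 1900) sent by many distinct reflectors towards one destination with
large average packet sizes. Records and thresholds are constructed.
"""
from collections import defaultdict

AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 19: "Chargen", 1900: "SSDP"}

# Constructed records: (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes).
FLOWS = [
    ("198.51.100.10", 53, "203.0.113.5", 40001, "udp", 900, 900 * 3000),
    ("198.51.100.11", 53, "203.0.113.5", 40002, "udp", 870, 870 * 2950),
    ("198.51.100.12", 123, "203.0.113.5", 40003, "udp", 1200, 1200 * 468),
    ("198.51.100.13", 1900, "203.0.113.5", 40004, "udp", 400, 400 * 320),
    ("198.51.100.14", 19, "203.0.113.5", 40005, "udp", 500, 500 * 1024),
    # Ordinary traffic to another host: a few small resolver replies, one TCP flow.
    ("198.51.100.20", 53, "203.0.113.9", 51000, "udp", 12, 12 * 120),
    ("198.51.100.21", 443, "203.0.113.9", 51001, "tcp", 300, 300 * 1400),
]


def reflection_report(flows, min_reflectors=3, min_avg_bytes=300):
    """Map suspected victims to reflector count, bytes per vector and total bytes.
    A destination qualifies when >= min_reflectors distinct hosts send it UDP from an
    amplifier port with average packet size >= min_avg_bytes."""
    per_victim = defaultdict(lambda: {"reflectors": set(), "vectors": defaultdict(int), "bytes": 0})
    for src_ip, src_port, dst_ip, _dst_port, proto, packets, nbytes in flows:
        if proto != "udp" or src_port not in AMPLIFIER_PORTS or packets == 0:
            continue
        if nbytes / packets < min_avg_bytes:
            continue  # small replies look like normal request/response traffic
        entry = per_victim[dst_ip]
        entry["reflectors"].add(src_ip)
        entry["vectors"][AMPLIFIER_PORTS[src_port]] += nbytes
        entry["bytes"] += nbytes
    return {
        victim: {"reflectors": len(e["reflectors"]), "vectors": dict(e["vectors"]), "bytes": e["bytes"]}
        for victim, e in per_victim.items()
        if len(e["reflectors"]) >= min_reflectors
    }


if __name__ == "__main__":
    for victim, info in reflection_report(FLOWS).items():
        share = {v: round(100 * b / info["bytes"]) for v, b in info["vectors"].items()}
        print(f"{victim}: {info['reflectors']} reflectors, vector share (%): {share}")
```

The per-vector byte share it prints is the same kind of breakdown as the ballpark figures above, computed from one victim's flows instead of across the Internet.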
18. Mirai botnet
• impact
• it brought down Airbnb, Netflix, Amazon, Verizon, Twitter, PayPal, Spotify, etc.
• it even impacted interdomain routing
• then they attacked Brian Krebs
• delivered peaks of 1 Tbps
• Akamai (CDN) gave up.
• Google offered Project Shield
• Mirai compromised “things”
• mostly IP cameras
• source code available
• traffic from 141 different countries
• hundreds of thousands of devices
• modus operandi
• device tested for weak passwords
• it connected to a C&C
• multiple protocols: HTTP, GRE (VPN), plain TCP, DNS, plain UDP, …
• 20yo with minor contributions from others – arrested
19. a taxonomy
• J Mirkovic, P Reiher, A Taxonomy of DDoS Attack and DDoS Defense Mechanisms, ACM Comp Comm Review, 2004
20. mitigation
• Why is it even possible to do DDoS to this scale? Is the Internet not policed in some way?
• for example, why can’t the operators just stop it? Everything is connected to an operator anyway and someone is paying the bill.
21. mitigation – no easy answer
• end to end paradigm is still valid to a large extent
• vulnerabilities, at different levels, will always exist
• Internet security is highly interdependent
• differentiation of legitimate and malicious traffic is not trivial
• network and node resources will always be scarce
• split intelligence vs resource
• the Internet lacks in-built accountability
• social: there’s often a void of legislation about DDoS; Authorities will investigate but that’s already after the fact.
22. mitigation – no easy answer
• end to end paradigm is still valid to a large extent
• Future Internet maybe? Not something most people would like to change.
23. mitigation – no easy answer
• end to end paradigm is still valid to a large extent
• vulnerabilities, at different levels, will always exist
• perfect Security is impossible. That’s why we are all here in this room.
• it combines Humans, Technologies, Standards, Practices, Regulations, Policies, Politics, Economics
• Chargen: used in 11% of attacks
• mitigation of Mirai:
• Secure Software Development practices – a semester on its own
• Secure product delivery
• Vendors should consider trading Features for Security
• user awareness
• better DNS and UPnP hardening; DNS with longer TTLs, discarding of stale records; redundant servers
24. mitigation – no easy answer
• end to end paradigm is still valid to a large extent
• vulnerabilities, at different levels, will always exist
• Internet security is highly interdependent
• many administratively independent parties
• Governments/States, ISPs, private organisations, users, machines
• DDoS can start in minutes – coordination time is challenging
• Cyber Threat Intelligence is key: TAXII, STIX, CybOX
• messaging (TAXII) + representation of threats (STIX) + observables (CybOX)
• https://www.us-cert.gov/Information-Sharing-Specifications-Cybersecurity
• Jessica Steinberger, et al., Collaborative DDoS Defense using Flow-based Security Event Information, IEEE/IFIP NOMS, 2016
• IETF DDoS Open Threat Signaling (DOTS), 2017
• François, Aib, Boutaba, FireCol: a collaborative protection network for the detection of flooding DDoS attacks, IEEE/ACM Trans. on Networking, v20, i6, Dec 2012
• distributed and collaborative IPS architecture on ISPs
25. mitigation – no easy answer
(figure removed; labels: packets, flows, aggregates of flows, aggregates of flows + context)
• end to end paradigm is still valid to a large extent
• vulnerabilities, at different levels, will always exist
• Internet security is highly interdependent
• differentiation between legitimate and malicious traffic is not trivial
• it builds on mathematical and statistical analysis
• overall, math techniques are not quite cutting it
• did not find a single paper on DDoS detection with context
• context is a very complex topic
• anyone wants to think about this?
(figure removed; labels: impossible, unlikely, possible, likely, very likely; how, why, when, where, who)
26. mitigation (detection, 1/2)
• Y. Xiang, Y. Lin, W.L. Lei, S.J. Huang, Detecting DDOS attack based on network self-similarity, IEE Communications Letters, Volume: 151, Issue: 3, June 2004
• Self-similarity is a statistical/fractal analysis. If it is high, zooming in/out (so playing with scales) will essentially not change the picture.
• Lan Li, Gyungho Lee, DDoS Attack Detection and Wavelets, Springer, Telecommunication Systems, March 2005, Volume 28, Issue 3–4
• wavelets
• Yu Chen, Kai Hwang, Collaborative detection and filtering of shrew DDoS attacks using spectral analysis, J of Parallel and Distributed Computing, Volume 66, Issue 9, September 2006
• shrew attacks – TCP-based. Just like in the cartoon.
27. mitigation (detection, 2/2)
• Shui Yu, Wanlei Zhou, Robin Doss, Weijia Jia, Traceback of DDoS Attacks Using Entropy Variations, IEEE Trans on Parallel and Distributed Systems, Volume: 22, Issue: 3, March 2011
• fingerprinting the traffic and tracing the signature back to the source
• Yang Xiang, Ke Li, Wanlei Zhou, Low-Rate DDoS Attacks Detection and Traceback by Using New Information Metrics, IEEE Trans on Information Forensics and Security, Volume: 6, Issue: 2, June 2011
• low rate is harder to detect than a sharp pulse: DegDoS
• S. Yu et al, Discriminating DDoS Attacks from Flash Crowds Using Flow Correlation Coefficient, IEEE Trans on Parallel and Distributed Systems, Volume: 23, Issue: 6, June 2012
• self-similarity of DDoS traffic is different than of flash crowds
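To make the two statistical ideas on this slide concrete, the following added example (not from the slides or from the cited papers) computes the entropy of the per-source packet distribution window by window, as in the entropy-variation traceback work, and the Pearson correlation between two flows' rate series, as in the flash-crowd discrimination work. All windows, addresses and rates are constructed; the 0.5 bit threshold is an assumption.

```python
"""Entropy variation and flow correlation on constructed traffic (added example).

Two statistical signals used by the detection papers above: the entropy of the
per-source packet distribution in a time window (a sharp change from baseline
means the mix of sources changed abruptly) and the Pearson correlation between
two flows' per-window rates (bot flows driven by the same program move in
lockstep, flash-crowd users do not). All traffic below is constructed.
"""
import math


def source_entropy(window):
    """Shannon entropy (bits) of the per-source packet share in one window."""
    total = sum(window.values())
    return -sum(n / total * math.log2(n / total) for n in window.values() if n)


def entropy_alerts(windows, baseline, threshold=0.5):
    """Indices of windows whose entropy deviates from the baseline mean by more
    than `threshold` bits: the entropy-variation signal."""
    base = sum(source_entropy(w) for w in baseline) / len(baseline)
    return [i for i, w in enumerate(windows) if abs(source_entropy(w) - base) > threshold]


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length rate series."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    norm = math.sqrt(sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys))
    return cov / norm if norm else 0.0


# Constructed 1 s windows: source -> packets. Two hosts dominate the second window.
BASELINE = [{"10.0.0.1": 5, "10.0.0.2": 4, "10.0.0.3": 6, "10.0.0.4": 5},
            {"10.0.0.1": 6, "10.0.0.2": 5, "10.0.0.3": 4, "10.0.0.4": 5}]
WINDOWS = [dict(BASELINE[0]),
           {**BASELINE[0], "192.0.2.7": 5000, "192.0.2.8": 5000}]
# Constructed per-window packet rates of individual flows.
BOT_A, BOT_B = [50, 52, 51, 50, 53, 52], [49, 52, 51, 50, 53, 51]  # same program, same rhythm
USER_A, USER_B = [10, 3, 8, 1, 6, 9], [5, 6, 2, 8, 9, 3]  # independent humans


if __name__ == "__main__":
    print("entropy alerts at windows:", entropy_alerts(WINDOWS, BASELINE))
    print("bot/bot correlation:   %.2f" % pearson(BOT_A, BOT_B))
    print("user/user correlation: %.2f" % pearson(USER_A, USER_B))
```

Note that entropy alone cannot tell a flash crowd from an attack (both change the source mix); the correlation check is what separates flows that share a generator from flows that do not.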
28. mitigation – no easy answer
• end to end paradigm is still valid to a large extent
• vulnerabilities, at different levels, will always exist
• Internet security is highly interdependent
• differentiation of legitimate and malicious traffic is not trivial
• network and node resources will always be scarce
• because everything is scarce. This makes more sense, however, combined with the next.
29. mitigation – no easy answer
• end to end paradigm is still valid to a large extent
• vulnerabilities, at different levels, will always exist
• Internet security is highly interdependent
• differentiation of legitimate and malicious traffic is not trivial
• network and node resources will always be scarce
• split intelligence vs resource
• interdomain, carrier-grade routers: built for packet switching speed
• data centre application server: built for programmable functionality
• this creates, however, the need for new types of elements:
• L4+ firewalls, Load Balancers, Reverse Proxies, Web-Application Firewalls, CDNs, etc
• their task is to be fast, resilient and simple (as possible)
• cloud DDoS protection services: everything in the cloud
31. mitigation – no easy answer
• end to end paradigm is still valid to a large extent
• vulnerabilities, at different levels, will always exist
• Internet security is highly interdependent
• differentiation of legitimate and malicious traffic is not trivial
• network and node resources will always be scarce
• split intelligence vs resource
• the Internet lacks in-built accountability
• David G. Andersen, Hari Balakrishnan, Nick Feamster, Teemu Koponen, Daekyeong Moon, Scott Shenker, Accountable Internet Protocol (AIP), Sigcomm 2008
• very interesting paper. Utterly non-implementable nowadays. Future Internet maybe.
• the source address is a public key; helps with DDoS, spoofing, routing trust
• other approaches exist but one way or the other they require disruptive changes to IP
32. mitigation – no easy answer
• end to end paradigm is still valid to a large extent
• vulnerabilities, at different levels, will always exist
• Internet security is highly interdependent
• differentiation of legitimate and malicious traffic is not trivial
• network and node resources will always be scarce
• split intelligence vs resource
• the Internet lacks in-built accountability
• social: there’s often a void of legislation about DDoS; Authorities will investigate but that’s already after the fact.
• helps as a deterrent but not much more
• what public policies would help?
33. main takeaways
• the main enabling equation:
• DDoS = amplifying vulnerabilities + reflecting traffic
• DDoS is here to stay.
• a 20yo amateur software developer was able to bring down giants such as Amazon
• There will always be a vulnerability to exploit.
• it is a key concern, by far, of ISPs
• Realtime defense progressed
• detection techniques matured but only help so much
• best solution so far: throw bandwidth back at it – horsepower + specialised nodes
• It is a multidimensional problem
• The Internet architecture does not help: deficient multiparty coordination, impossibility of detection assurances, limited accountability, and economic incentives
34. food for thought
• a key problem is that sending a packet costs nothing
• what if it cost a vestigial amount – so cheap for fair use but expensive for a DDoS
• we do need an Accountable Internet
• does anybody see where I am going?
• imagine detection was perfect and just about 5min before it started
• can we blackhole this traffic at the interdomain level?
• inter-ISP coordination is the key
• what would be an effective, and reasonable public policy?
• hint 1: DfT guidance on Security for connected cars, August-2017
• hint 2: US Internet of Things Cybersecurity Improvement Act of 2017
35. further reading
• Alberto Compagno, Mauro Conti, Paolo Gasti, Gene Tsudik, Poseidon: Mitigating interest flooding DDoS attacks in Named Data Networking, 38th IEEE Local Computer Networks (LCN) Conf, 2013
• Rodrigo Braga, Edjard Mota, Alexandre Passito, Lightweight DDoS flooding attack detection using NOX/OpenFlow, 35th IEEE Local Computer Networks (LCN) Conf, 2010
• Bing Wang, Yao Zheng, Wenjing Lou, Y. Thomas Hou, DDoS attack protection in the era of cloud computing and Software-Defined Networking, Computer Networks (ComNet), Volume 81, 22 April 2015
• Qiao Yan, F. Richard Yu, Qingxiang Gong, Jianqiang Li, Software-Defined Networking (SDN) and Distributed Denial of Service (DDoS) Attacks in Cloud Computing Environments: A Survey, Some Research Issues, and Challenges, IEEE Communications Surveys & Tutorials, V 18, I 1, 1Q 2016
• highly recommended and easy to read