
Adi Glucksam

6/2/2010 1
 The problem.
 Attack types.
 Classification of defense proposals.
 Integrated solutions to DDoS attacks.
 Conclusion.
 Stop-It.

 The Internet was designed for openness and scalability, resulting in poor security.

 The big problem: how do we discriminate legitimate requests for service from malicious access attempts?

 Supports ease of attachment.
× Does not verify the contents of IP packet headers.
× Does not check whether a source is authorized to access a service.

Now, if the effort to generate a service request is much smaller than the effort to check the validity of that request, then we have an opportunity for an attack known as a DoS (Denial of Service) attack.

(1) Sending one or more packets to exploit a software vulnerability.
Example: the “ping of death”.

(2) Using massive volumes of useless traffic to occupy all the resources that could service legitimate traffic.

 Both forms occupy a significant proportion of the available bandwidth; hence DoS attacks are also called “bandwidth attacks”.

 Possible target resources:
◦ The server’s CPU capacity.
◦ Stack space in the network protocol software.
◦ Internet link capacity.

 DDoS: Distributed Denial of Service.

 When the traffic of a DoS attack comes from multiple sources.

 Why distribute the attack?
◦ The power of the attack is amplified.
◦ The problem of defense is made more complicated.

 Inconveniencing users can result in losing them, hence an economic cost.
 Essential services can be made unavailable.

 A typical DDoS attack contains 3 stages:
1. Compromise vulnerable systems available on the Internet.
2. Install attack tools on those systems.
3. Send an attack command to the “zombies” through a secure channel.

 Online computers are compromised in two ways:
◦ Direct attack: the exploit carries a malicious payload.
◦ Indirect attack: exploit insecure actions that may be performed by users.

 Once the attackers have compromised a computer, they install a “bot” (another name for a “zombie”).

 Botnet: a network of compromised computers (bots) that can be managed by an attacker, classically through an IRC channel.

 The bots have the ability to update their software from a remote server.

 The consequence: the botnet owner has the capability to design a specific attack for a particular target.

 There are 2 main ways to attack a server:
(1) Consumption of the host’s resources.
(2) Consumption of network bandwidth.

 Definition: the attack power is the level of resources consumed at the victim by the attack.

 The attack power consists of two parameters:
(1) Traffic volume.
(2) Resources consumed per packet.

 We classify attacks according to the way the attack power is magnified:
1. Exploiting Internet protocols.
2. Aiming at a particular application.
3. Using third parties (reflectors).
4. Disrupting the Internet infrastructure.

 Protocol attacks can be launched effectively from a single attack source.

 Examples:
◦ SYN flood.
◦ ICMP flood.
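An added example (not from the slides) of detection logic for the SYN-flood case: it tracks handshake state per client/server pair over a constructed packet sample and flags a server whose SYNs mostly never complete, which is what a single-source flood with spoofed addresses looks like at the border. The sample traffic, the 20-SYN minimum and the 0.5 completion threshold are assumed values.

```python
from collections import Counter

# Added example (not from the slides): a SYN-flood detector over a constructed
# packet sample. Each record is (src, dst, tcp_flags) as seen at the target's border;
# "S" = SYN, "SA" = SYN-ACK, "A" = ACK. Thresholds are assumed tuning values.
MIN_SYNS = 20               # ignore destinations with too few SYNs to judge
MAX_COMPLETION_RATIO = 0.5  # flag if fewer than half of the handshakes complete


def _handshake(src, dst):
    """A complete three-way handshake from src to dst."""
    return [(src, dst, "S"), (dst, src, "SA"), (src, dst, "A")]


def build_sample():
    """Constructed traffic: three real clients plus a single-source flood using
    spoofed addresses. The victim answers every SYN with a SYN-ACK, but the spoofed
    sources never send the final ACK, so each SYN leaves a half-open connection."""
    pkts = []
    for i in (5, 6, 7):
        pkts += _handshake(f"10.0.0.{i}", "192.0.2.10")
    for i in range(1, 31):
        spoofed = f"198.51.100.{i}"
        pkts += [(spoofed, "192.0.2.10", "S"), ("192.0.2.10", spoofed, "SA")]
    pkts += _handshake("10.0.0.8", "192.0.2.20")  # an unaffected second server
    return pkts


def detect_syn_flood(packets, min_syns=MIN_SYNS, max_ratio=MAX_COMPLETION_RATIO):
    """Track handshake state per (client, server) pair and report, per server,
    how many SYNs arrived and how many handshakes completed."""
    syns, completed, state = Counter(), Counter(), {}
    for src, dst, flags in packets:
        if flags == "S":
            syns[dst] += 1
            state[(src, dst)] = "syn"
        elif flags == "SA" and state.get((dst, src)) == "syn":
            state[(dst, src)] = "synack"          # server replied; waiting for the client's ACK
        elif flags == "A" and state.get((src, dst)) == "synack":
            state[(src, dst)] = "established"
            completed[dst] += 1
    report = {}
    for dst, n in syns.items():
        ratio = completed[dst] / n
        report[dst] = {"syns": n, "completed": completed[dst],
                       "flooded": n >= min_syns and ratio < max_ratio}
    return report


if __name__ == "__main__":
    for server, r in detect_syn_flood(build_sample()).items():
        print(server, r)
```

The ratio, not the raw SYN count, is what separates a flood from a popular server: a busy but healthy host completes most of its handshakes, while a flooded one accumulates half-open connections in exactly the protocol stack space listed above as a target resource.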

 Application attacks force the target to execute expensive operations.

 Examples:
◦ HTTP flood.
◦ SIP flood.

 Reflector attacks aim to obscure the sources of attack traffic by using third parties (reflectors) to relay the attack traffic to the victim.

 Example: DNS amplification attacks.

 In theory, 140 Mb/s of initiating traffic from a botnet can result in a 10 Gb/s DNS flood at the victim.

 The attack contains three stages:
(1) Gain control of a certain number of “zombies”.
(2) Instruct them to send spoofed traffic, with the victim’s IP as the source, to the third parties.
(3) The third parties send the reply traffic to the victim, which constitutes the DDoS attack.
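An added example (not from the slides) that walks stages (2) and (3) on constructed data and checks the amplification arithmetic behind the 140 Mb/s to 10 Gb/s figure. The 60-byte query and 4380-byte answer are assumed sizes chosen to give a 73x factor; the zombie, reflector and victim names are placeholders. The point the simulation makes visible is that the victim only ever sees the reflectors as sources.

```python
from collections import Counter
from dataclasses import dataclass

# Added example (not from the slides): the stages of a reflection attack, simulated
# on constructed data. Packet sizes are assumed illustrative values: a 60-byte query
# whose answer is 4380 bytes gives the 73x factor behind "140 Mb/s in, 10 Gb/s out".
REQUEST_BYTES = 60
RESPONSE_BYTES = 4380


@dataclass
class Packet:
    sender: str   # who actually put the packet on the wire
    src: str      # source address in the IP header (spoofable)
    dst: str
    size: int


def amplification_factor(req=REQUEST_BYTES, resp=RESPONSE_BYTES):
    return resp / req


def victim_rate_gbps(initiating_mbps, factor=None):
    """Flood rate at the victim for a given aggregate rate of spoofed queries."""
    return initiating_mbps * (factor or amplification_factor()) / 1000


def stage2_zombies_query(zombies, reflectors, victim, per_zombie=3):
    """Stage 2: each zombie sends queries to the reflectors with the victim's
    address written into the source field."""
    pkts = []
    for z in zombies:
        for i in range(per_zombie):
            pkts.append(Packet(sender=z, src=victim, dst=reflectors[i % len(reflectors)],
                               size=REQUEST_BYTES))
    return pkts


def stage3_reflectors_reply(queries):
    """Stage 3: every reflector answers whatever source address it saw."""
    return [Packet(sender=q.dst, src=q.dst, dst=q.src, size=RESPONSE_BYTES) for q in queries]


def victim_view(responses, victim):
    """What the victim observes: bytes received and the apparent sources,
    which are the reflectors; the zombies never appear."""
    mine = [p for p in responses if p.dst == victim]
    return sum(p.size for p in mine), Counter(p.src for p in mine)


def run(zombies, reflectors, victim):
    queries = stage2_zombies_query(zombies, reflectors, victim)
    responses = stage3_reflectors_reply(queries)
    sent = sum(p.size for p in queries)
    received, sources = victim_view(responses, victim)
    return {"bytes_sent_by_botnet": sent, "bytes_at_victim": received,
            "observed_factor": received / sent, "apparent_sources": sources}


if __name__ == "__main__":
    print(run(["z1", "z2", "z3", "z4"], ["ns1", "ns2", "ns3"], "victim"))
    print(f"140 Mb/s of queries -> {victim_rate_gbps(140):.2f} Gb/s at the victim")
```

Because the victim's counters attribute the flood to the reflectors, filtering by observed source address blocks legitimate resolvers rather than the botnet; this is the "obscure the sources" property the slide describes, and it is why the defenses later in the deck look upstream of the victim.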

 Infrastructure attacks aim to disable the services of critical components of the Internet.
 As a result, the whole Internet may be affected.
 Example: the DNS root servers and the servers of top-level domains such as .com.

 Normally, critical network infrastructure is highly provisioned, so significant attack power is required to launch a successful attack.

1. The traffic volume.
2. Multiple sources.
3. Difficulty filtering the attack traffic from the legitimate traffic.

 Resource sharing.
 Keep it simple on the server side, let the host work hard.
 Packets can travel on any path.
 Links are provisioned according to their usage.
 Decentralized Internet management.

(1) Attack Prevention.

(2) Attack Detection.

(3) Attack Source Identification.

(4) Attack Reaction.

 There has been only limited progress in solving the DDoS problem.

 Most approaches focus on detecting and filtering attack traffic near the target of the attack.

 The main limitation: the computational and network resources available to the attacker can readily exceed those of the target.

 Limit the rate at which sources can generate requests.

 New users must first complete an admission challenge that requires human judgment.

 Effectiveness: challenges still require some computational resources at the target, which can become a bottleneck during an attack.
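An added example (not from the slides) of the two mechanisms together: a per-source token bucket that only admitted sources get to use, behind an admission challenge that every never-seen source must pass first. The cost model (1 unit per served request, 3 per challenge issued) is an assumption chosen to make the bottleneck visible: when a flood arrives from a thousand spoofed sources, the target spends more on issuing challenges than on serving its real clients, and the rate limiter never even sees the flood.

```python
from collections import Counter
from dataclasses import dataclass, field

# Added example (not from the slides): per-source rate limiting behind an admission
# challenge, with an assumed cost model showing why the challenge path itself becomes
# the bottleneck under a flood of new sources.
SERVE_COST = 1       # assumed CPU units to serve one admitted request
CHALLENGE_COST = 3   # assumed CPU units to issue and later check one challenge


@dataclass
class Bucket:
    tokens: float
    last: float


@dataclass
class AdmissionGate:
    rate: float                                   # sustained requests/s per admitted source
    burst: float                                  # bucket capacity
    admitted: dict = field(default_factory=dict)  # src -> Bucket
    pending: set = field(default_factory=set)     # sources holding an unsolved challenge
    stats: Counter = field(default_factory=Counter)

    def handle(self, src, now, solved=False):
        """Return 'challenge', 'served' or 'dropped' for one request from src at time now."""
        if src not in self.admitted:
            if not (solved and src in self.pending):
                self.pending.add(src)
                self.stats["challenged"] += 1
                self.stats["cpu_challenges"] += CHALLENGE_COST  # paid even for spoofed sources
                return "challenge"
            self.pending.discard(src)
            self.admitted[src] = Bucket(self.burst, now)
        b = self.admitted[src]
        b.tokens = min(self.burst, b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= 1:
            b.tokens -= 1
            self.stats["served"] += 1
            self.stats["cpu_serving"] += SERVE_COST
            return "served"
        self.stats["dropped"] += 1
        return "dropped"


def simulate():
    """One admitted client that exceeds its rate, then 1000 never-seen (spoofed)
    sources each sending a single request. Timestamps are multiples of 1/16 s so
    the token arithmetic is exact in floating point."""
    gate = AdmissionGate(rate=4, burst=4)
    gate.handle("10.0.0.1", 0.0)                  # first contact: gets a challenge
    gate.handle("10.0.0.1", 1 / 16, solved=True)  # solves it, is admitted and served
    legit = Counter(gate.handle("10.0.0.1", 2 / 16 + i / 16) for i in range(32))  # 16 req/s vs 4/s
    flood = Counter(gate.handle(f"spoofed-{i}", 3.0) for i in range(1000))
    return {"legit": dict(legit), "flood": dict(flood), "stats": dict(gate.stats)}


if __name__ == "__main__":
    print(simulate())
```

The legitimate client is held to its 4 requests/s after the initial burst, which is the rate-limiting half working as intended. The thousand spoofed first contacts all stop at the challenge, so no bucket state is created for them, but the challenge cost (3003 units here against 12 for real work) is exactly the target-side expense the slide warns about.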

 Combines filtering and admission challenges with a pushback scheme between the target and the upstream ISPs.

 Issues of pushback:
1. Finding a pushback signaling scheme.
2. Preventing manipulation by attackers.
3. Dealing with the risks of incorrect decisions.
4. Ensuring scalability when using multiple ISPs.

 New operating systems: users are given more power over computer resources.

 The number of Internet users and the users’ bandwidth have kept increasing dramatically.

 As a result, the average security knowledge of current Internet users is decreasing.

 Attacks are becoming more and more sophisticated, causing the attack power to expand rapidly.

 In addition, the lack of central control of the Internet makes it harder and harder to find a solution.

 Assumptions:
◦ Securable intra-AS communication.
◦ Attack traffic classification.
◦ The battleground.
◦ Upgradable components.
◦ Dependable routing.

 Under the above assumptions, the scheme should provide:
1. An effective algorithm.
2. Resistance to strategic attacks.
3. Fail-safe behavior.
4. Incremental and incentive-compatible deployment.
 The basic Stop-It architecture:
1. The destination host Hd sends a stop-it request to its access router.
2. The router, Rd, verifies the attack and sends a stop-it request to its AS’s stop-it server, Sd.
3. Sd forwards an inter-domain stop-it request to the stop-it server, Ss, in Hs’s AS.
4. Ss locates the access router Rs and sends it a stop-it request.
5. The access router Rs sends the stop-it request to Hs.
6. After Hs receives the stop-it request it installs a filter to stop sending packets to Hd.
! If Hs does not stop, it will be punished by Rs.

 Important note:
◦ Each node must verify that a stop-it request comes from the right peer before it honors the request, to prevent malicious hosts from blocking legitimate traffic.
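An added example (not the StopIt paper’s own code) that simulates the six steps above with every node authenticating the previous hop before honoring a request, as the note requires. The topology Hs-Rs-Ss / Sd-Rd-Hd, the message format, the 100-packet confirmation threshold at Rd, and the deterministic pairwise-key stand-in (in place of the Passport-based source identification the secure design uses) are assumptions for illustration. The scenario exercises an honest request, a request Rd cannot confirm, a forged request, and a source that ignores the order and is punished by Rs.

```python
import hashlib
import hmac
from collections import Counter

# Added example (not the StopIt paper's code): the six-step stop-it chain, each hop
# authenticating its peer before honoring a request. Names, the topology below, the
# pairwise-key stand-in and ATTACK_THRESHOLD are assumptions for illustration.
#   Hs -- Rs -- Ss  === inter-domain ===  Sd -- Rd -- Hd
ATTACK_THRESHOLD = 100  # assumed: packets Hs->Hd that Rd must have seen to confirm an attack


def pair_key(a, b):
    """Stand-in for a pre-established pairwise key between two peers."""
    return hashlib.sha256("|".join(sorted((a, b))).encode()).digest()


class Node:
    def __init__(self, name, peers):
        self.name = name
        self.keys = {p: pair_key(name, p) for p in peers}  # peers whose requests we honor

    def request(self, to, src, dst):
        mac = hmac.new(self.keys[to], f"{self.name}|{to}|{src}|{dst}".encode(), hashlib.sha256)
        return {"from": self.name, "to": to, "src": src, "dst": dst, "tag": mac.hexdigest()}

    def handle(self, msg):
        """Verify the request is addressed to us and came from a known peer, then act."""
        key = self.keys.get(msg["from"])
        if key is None or msg["to"] != self.name:
            return "rejected"
        mac = hmac.new(key, f'{msg["from"]}|{self.name}|{msg["src"]}|{msg["dst"]}'.encode(), hashlib.sha256)
        if not hmac.compare_digest(mac.hexdigest(), msg["tag"]):
            return "rejected"
        return self.act(msg)


class Host(Node):
    def __init__(self, name, router, obeys=True):
        super().__init__(name, [router.name])
        self.router, self.obeys, self.filters = router, obeys, set()
        router.attach(self)

    def send(self, dst):
        return dst not in self.filters and self.router.forward(self.name, dst)

    def act(self, msg):                                  # step 6: install a filter toward Hd
        if self.obeys:
            self.filters.add(msg["dst"])
        return "filtered" if self.obeys else "ignored"


class AccessRouter(Node):
    def __init__(self, name, server):
        super().__init__(name, [server.name])
        self.server, self.uplink, self.hosts = server, None, {}
        self.seen, self.ordered, self.blocked = Counter(), set(), set()

    def attach(self, host):
        self.hosts[host.name] = host
        self.keys[host.name] = pair_key(self.name, host.name)
        self.server.router_of[host.name] = self

    def forward(self, src, dst):
        if src in self.blocked:
            return False
        if (src, dst) in self.ordered:                   # still sending after a stop-it: punish
            self.blocked.add(src)
            return False
        self.seen[(src, dst)] += 1
        return True if dst in self.hosts else self.uplink.forward(src, dst)

    def act(self, msg):
        src, dst = msg["src"], msg["dst"]
        if msg["from"] in self.hosts:                    # step 2: confirm the attack, escalate to Sd
            if self.seen[(src, dst)] < ATTACK_THRESHOLD:
                return "unconfirmed"
            return self.server.handle(self.request(self.server.name, src, dst))
        self.ordered.add((src, dst))                     # step 5: order Hs to stop
        self.hosts[src].handle(self.request(src, src, dst))
        return "delivered"


class StopItServer(Node):
    def __init__(self, name, peers):
        super().__init__(name, peers)
        self.router_of, self.remote = {}, {}             # host -> its router; host -> its AS's server

    def act(self, msg):                                  # step 4 (our AS: locate Rs) or step 3 (inter-domain)
        src, dst = msg["src"], msg["dst"]
        nxt = self.router_of.get(src) or self.remote[src]
        return nxt.handle(self.request(nxt.name, src, dst))


def scenario():
    ss, sd = StopItServer("Ss", ["Sd", "Rs"]), StopItServer("Sd", ["Ss", "Rd"])
    rs, rd = AccessRouter("Rs", ss), AccessRouter("Rd", sd)
    rs.uplink, rd.uplink = rd, rs
    hs, hd, hx = Host("Hs", rs), Host("Hd", rd), Host("Hx", rs, obeys=False)
    sd.remote.update({"Hs": ss, "Hx": ss})
    out = {}
    for _ in range(150):                                 # Hs floods Hd; Rs and Rd both see it
        hs.send("Hd")
    out["honest"] = rd.handle(hd.request("Rd", "Hs", "Hd"))        # step 1, from Hd
    out["hs_after"] = hs.send("Hd")                                # Hs's own filter blocks it
    out["unconfirmed"] = rd.handle(hd.request("Rd", "Hx", "Hd"))   # Rd saw no Hx->Hd flood
    forged = {"from": "Hd", "to": "Rd", "src": "Hs", "dst": "Hd", "tag": "00" * 32}
    out["forged"] = rd.handle(forged)                              # not under Hd's key
    for _ in range(150):
        hx.send("Hd")
    out["rogue"] = rd.handle(hd.request("Rd", "Hx", "Hd"))         # delivered, but Hx ignores it
    out["hx_after"] = hx.send("Hd")                                # Rs punishes: Hx is now blocked
    out["hx_blocked"] = "Hx" in rs.blocked
    return out
```

Two checks carry the security argument. Rd refuses to escalate a request it cannot confirm from its own traffic counters, so a destination cannot have an arbitrary source silenced; and every hop recomputes the MAC under the key it shares with the named sender, so a host that cannot produce a valid tag for its access router gets nothing past step 1.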
 Secure Stop-It:
 Passport for source identification.
 Closed control to mitigate request floods.
 Guard stop-it requests from packet floods.
 Confirm attacks before taking action.

 Manage source router filters.
 Authenticate stop-it requests.
 Aggregate misbehaving sources’ filters.

 Avoid responding to malicious ASes.
 Authenticate stop-it requests.
 Random filter replacement.


 Number of stop-it requests a source can generate without a filter being installed:

 Number of attacks a source can launch without being caught misbehaving:

 Calculations show that if Fs = 10M and Nf = 10M, then a source can attack a destination without being caught 3 times a day.
 Destination-flooding attack: attackers send traffic floods to a destination in order to disrupt the destination’s communications.

 Link-flooding attack: aims to congest a link and disrupt the legitimate communications that share the link.
*** In a link-flooding attack the destinations of the attack traffic will not attempt to stop the attack traffic.
 Causes of DoS attacks.
 Steps to combat DoS attacks:
a) Increase the reliability of the global network infrastructure.
b) Global cooperation.
 The lack of economic incentives to invest money in security is the main reason those goals are not achieved.
 Stop-It:
◦ Basic architecture.
◦ Secure Stop-It.
◦ Effectiveness compared to known methods.

