Defending Against Flooding Based DoS Attacks: A tutorial

Slides: 26
Provided by: ash791
Learn more at: http://web.cs.wpi.edu

1
Defending Against Flooding Based DoS Attacks: A
tutorial
  • Rocky K.C. Chang, The Hong Kong Polytechnic
    University
  • Presented by Ashish Samant

2
Introduction
(http://www.denialinfo.com)
3
Introduction
  • Denial of Service (DoS) Attack: an incident that
    disables a victim from receiving or providing
    normal service.
  • Relies on consuming limited or non-renewable
    system resources.
  • Can be launched by exploiting system design
    weaknesses, CPU intensive tasks, or flooding.
  • Examples: ping of death, teardrop, smurf.

4
Distributed Denial of Service (DDoS)
  • Do not depend on system or protocol weaknesses.
  • DDoS attacks use the computing power of thousands
    of vulnerable, unpatched machines to overwhelm a
    target or victim.
  • Compromised hosts are gathered to send useless
    service requests or packets at the same time.
  • The resulting burst of traffic crashes the
    victim or disables it.

5
Distributed Denial of Service (DDoS)
  • Hard to detect and stop.
  • Can spread within a few minutes.
  • The flooding period usually lasts for a few
    hours and is sporadic.
  • IP spoofing makes it harder to identify
    attackers.
  • This is a critical problem because of its
    potential use in cyber warfare and its ability to
    disrupt essential government services.

6
Timeline (http://staff.washington.edu/dittrich/misc/ddos/timeline.html)
  • May/June 1998: First primitive DDoS tools
    developed in the underground -- small networks,
    only mildly worse than a coordinated point-to-point
    DoS attack.
  • August 17, 1999: Attack on the University of
    Minnesota reportedly using trinoo. Campus
    disconnected from the Internet for 3 days.
  • Early October 1999: CERT reviews hundreds of
    Solaris intrusion reports and finds many match
    the trinoo analysis. They arrange the Distributed
    System Intruder Tools Workshop.
  • February 8-12, 2000: Attacks on eCommerce
    sites. Yahoo, eBay, Amazon hacked.
  • 2002: DoS attack on the 13 core root Internet DNS
    servers.
  • 2000-2001: Melissa, I Love You, Anna Kournikova.
    2002: Code Red. 2003: Slammer.

7
Direct DDoS Attacks
  • Direct Attacks (flooding of request packets)
  • Attacker sends out packets directly towards the
    target.
  • Uses TCP, UDP and ICMP packets with random
    spoofed IP addresses.
  • Only a few compromised machines are sufficient.
  • Examples
  • TCP SYN flooding: based on the TCP three-way
    handshake; the final ACK from source to victim
    never arrives.
  • Congesting a victim's incoming link using TCP RST
    packets, ICMP control packets or UDP packets.
  • TCP (94%), UDP (2%), ICMP (2%)

8
Reflector DDoS Attacks
  • Reflector Attacks (flooding of response packets)
  • Attackers initiate an attack that is relayed via
    reflector machines, such as routers, web servers,
    etc.
  • Reflectors may or may not be aware.
  • In response to requests from attackers, reflectors
    flood victims with reply packets.
  • The address of the victim is spoofed as the
    source in requests to reflectors.
  • Examples
  • Smurf attacks: ICMP echo packets with spoofed
    victim addresses are broadcast.
  • TCP SYN-ACK flooding.
  • Bandwidth amplification: attack requests that
    elicit response packets of much larger size,
    sent to the victim.

9
Direct and Reflector Attacks
10
DDoS Attack Setups
11
Summary of Reflector Attacks
12
Amount of SYN Packets Needed
13
Solutions to DDoS
  • Attack Prevention and Preemption
  • Prevent hosts from becoming masters/agents; this
    is hard and inadequate.
  • Regular patching and security updates.
  • Attack Source Traceback
  • Identify the source of the attack and block it.
    Routers need to store packet source info.
  • An after-the-fact measure; cannot stop an active
    attack.
  • Cannot always trace packet origins.
  • Ineffective against reflector attacks, because
    the reflectors are legitimate hosts.

14
Solutions to DDoS
  • Attack Detection and Filtering
  • Identify attack packets using anomaly or misuse
    detection.
  • Drop suspect packets.
  • False Positive Ratio (FPR) and False Negative
    Ratio (FNR) measure the effectiveness of
    detection.
  • While filtering packets, the dropping of
    legitimate packets should be kept to a minimum,
    measured by the Normal Packet Survival Ratio
    (NPSR).
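As an added example (not from the slides or the tutorial paper), the three ratios on this slide computed over a constructed TCP trace: a simple anomaly rule flags SYNs to a destination that suddenly sees many distinct sources, and a deliberately blunt filter then drops all further traffic to that destination, so that NPSR measures the filter rather than the detector. The addresses, thresholds and function names are assumptions made for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    flags: str    # "S" = SYN, "A" = ACK (constructed trace, not real traffic)
    attack: bool  # ground-truth label, used only for scoring

def detect(trace, recent=8, max_sources=5):
    # Anomaly rule: a SYN is suspect once its destination has seen SYNs from
    # at least max_sources distinct sources among the last `recent` SYNs.
    seen, verdicts = defaultdict(lambda: deque(maxlen=recent)), []
    for p in trace:
        if p.flags != "S":
            verdicts.append(False)  # only SYNs are judged by this rule
            continue
        seen[p.dst].append(p.src)
        verdicts.append(len(set(seen[p.dst])) >= max_sources)
    return verdicts

def filter_trace(trace, verdicts):
    # Blunt filter: once a destination is confirmed under attack, every later
    # packet to it is dropped. Returns one survive flag per packet.
    under_attack, survive = set(), []
    for p, suspect in zip(trace, verdicts):
        if suspect:
            under_attack.add(p.dst)
        survive.append(p.dst not in under_attack)
    return survive

def score(trace, verdicts):
    # FPR/FNR judge the detector's verdicts; NPSR judges what the filter let
    # through: normal packets that survived / all normal packets.
    survive = filter_trace(trace, verdicts)
    normal = [i for i, p in enumerate(trace) if not p.attack]
    attack = [i for i, p in enumerate(trace) if p.attack]
    return {"FPR": sum(verdicts[i] for i in normal) / len(normal),
            "FNR": sum(not verdicts[i] for i in attack) / len(attack),
            "NPSR": sum(survive[i] for i in normal) / len(normal)}

def build_trace(victim="198.51.100.5"):
    # Constructed: two legitimate handshakes, a spoofed 20-source SYN flood,
    # and one legitimate client connecting while the flood is in progress.
    legit = lambda c: [Pkt(c, victim, "S", False), Pkt(c, victim, "A", False)]
    flood = [Pkt(f"203.0.113.{i}", victim, "S", True) for i in range(1, 21)]
    return legit("192.0.2.1") + legit("192.0.2.2") + flood[:10] + legit("192.0.2.3") + flood[10:]
```

With `trace = build_trace()`, `score(trace, detect(trace))` gives FPR 1/6, FNR 0.1 and NPSR 2/3: the detector misses the first two flood SYNs and flags the late legitimate SYN, while the blunt filter also drops that client's ACK, so NPSR is lower than 1 - FPR.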

15
Ideal location for detection/filtering
16
Internet Firewall Approach
  • Packet detection and filtering at the source and
    victim networks is not adequate.
  • Internet Firewall approach
  • A global defense mechanism that is deployed at the
    core and drops packets before they reach the
    victim.
  • Potential to maintain a victim's normal service,
    even during an attack.
  • Based on Route Based Packet Filtering (RPF) and
    Distributed Attack Detection (DAD).

17
Route Based Packet Filtering (RPF)
  • RPF
  • Move the ingress packet filtering from source
    networks and next level ISP networks to the
    Internet core.
  • Check to see if each packet arrives on the
    correct link, with respect to the source and
    destination address in the packet.
  • Drop packet if it arrives from an unexpected link.

18
Route Based Packet Filtering (RPF)
  • Drawbacks
  • About 18% of ASs need to be equipped with
    filters. This is a lot, and the number will
    increase!
  • BGP messages also need to carry source addresses,
    which increases their size.
  • Reflected packets and packets with legitimate
    source addresses will still survive.
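An added example (not from the slides or the RPF authors) that covers both the check on the previous slide and the last drawback here: a core router keeps, per (source AS, destination AS) pair, the one ingress link on which routing says such packets can arrive, and drops anything else. The AS names, the tree topology and the function names are assumptions made for the example.

```python
from collections import deque

# Constructed AS-level topology: undirected links. It is a tree, so every
# (source AS, destination AS) pair has exactly one path and therefore exactly
# one link on which a router may legitimately receive that pair.
LINKS = [("A", "B"), ("B", "C"), ("C", "D"), ("B", "E"), ("E", "G"), ("E", "H")]

def adjacency(links):
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def shortest_path(adj, src, dst):
    # Plain BFS; returns the AS sequence from src to dst, or None.
    prev, q = {src: None}, deque([src])
    while q:
        n = q.popleft()
        if n == dst:
            break
        for m in sorted(adj[n]):
            if m not in prev:
                prev[m] = n
                q.append(m)
    if dst not in prev:
        return None
    path, n = [], dst
    while n is not None:
        path.append(n)
        n = prev[n]
    return path[::-1]

def expected_ingress(adj, router, src, dst):
    # The neighbour from which `router` should receive packets claiming
    # src -> dst, or None if no route for that pair passes through it.
    path = shortest_path(adj, src, dst)
    if path is None or router not in path or path[0] == router:
        return None
    return path[path.index(router) - 1]

def rpf_accept(adj, router, ingress, src, dst):
    # Route-based filter: accept only if the packet arrived on the link the
    # routing information predicts for its (src, dst) pair.
    expected = expected_ingress(adj, router, src, dst)
    return expected is not None and expected == ingress

ADJ = adjacency(LINKS)
```

At router B, a packet claiming source A that arrives on the link from E is dropped, but a packet from behind E that claims source H (a stub behind the same link) still passes, as does a reflector's reply that carries the reflector's own address: those last two are the drawback stated on this slide.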

19
Distributed Attack Detection (DAD)
  • DAD
  • Extend the packet detection function from the
    victim network to the core.
  • Distributed Systems (DSs) are used that work
    locally to identify attack patterns and then
    collaborate to identify global attacks.
  • Uses anomaly or misuse detection.
  • Must process packets at a high speed. DSs must be
    placed strategically.

20
Distributed Attack Detection (DAD)
  • Once an attack is confirmed, packet filters are
    installed and upstream networks notified to drop
    packets.
  • The DSs must be available at all times and be
    able to flood other DS networks with attack alarm
    messages.
  • Not very effective in stopping DDoS attacks that
    last for short periods.
  • Not effective in stopping Degradation of Service
    (DeS) attacks.
  • Consumes time to arrive at global decisions.

21
Comparison of DDoS Solutions
  • Ubiquitous Ingress Packet Filtering (UIPF)
  • Located at the ISP networks that connect to the
    leaves, spread towards the edges.
  • Route Based Packet Filtering (RPF)
  • Located at the core, away from the edges.
  • Local Area Detection (LAD)
  • Victim's local network or its upstream ISP.
  • Distributed Attack Detection (DAD)
  • DSs spread in the core of the Internet.

22
Comparison of DDoS Solutions
  • UIPF and RPF are based on spoofed IP addresses and
    routing info.
  • LAD and DAD are based on traffic pattern anomalies
    and misuses. Less deterministic than UIPF and RPF,
    hence more false positives.
  • All are susceptible to false negatives because of
    the problem of reflector packets.
  • RPF and DAD require new protocols.
  • UIPF is difficult to deploy; a huge number of
    hosts need to be covered.
  • DAD requires the most computation, hence the
    longest delay in detection.

23
Conclusion
  • Current approaches inadequate.
  • Attack mechanisms and tools continue to improve.
  • A global defense mechanism, Internet Firewall may
    work.
  • Internet Firewall has deployment issues.

24
References
  • [1] http://dslab.csie.ncu.edu.tw/93html/paper/pdf/Defending%20against%20flooding-based%20distributed%20denial-of-service%20attacks%20%20a%20tutorial.pdf
  • [2] http://staff.washington.edu/dittrich/misc/ddos/timeline.html
  • [3] http://www.denialinfo.com
  • [4] http://www.cagle.com/news/hackers/hacker5.asp

25
http://www.cagle.com/news/hackers/hacker5.asp