Distributed Denial of Service Attack and Prevention - PowerPoint PPT Presentation

Slides: 13
Provided by: andrewh59

Transcript and Presenter's Notes


1
Distributed Denial of Service Attack and
Prevention
  • Andrew Barkley
  • Quoc Thong Le Gia
  • Matt Dingfield
  • Yashodhan Gokhale

2
Goals
  • Implement a system to demonstrate how smart
    packet filtering can mitigate Distributed Denial
    of Service (DDoS) attacks
  • Monitor and control attacks centrally in a test
    environment

3
The System Components
  • Custom routers for remotely controlled packet
    filtering (Linux machines)
  • Distributed HTTP-based attackers
  • Apache integration for detection, monitoring and
    router control
  • Unified control and observation of experiments

4
System Architecture
Central control
Apache server
Tree of custom routers to choke excess traffic
Generated HTTP traffic

5
The Attackers
  • An attacker is a daemon process sleeping on a
    machine until activated
  • When activated, it starts a great number of
    connections to the web server
  • Combined with other attackers, the rate of
    requests is higher than can be serviced

6
The Web Server
  • The web server is a modified version of Apache
    that signals a counter process about incoming
    connections
  • The counter process detects an attack when the
    rate of connections exceeds a threshold
  • When an attack is detected, the neighboring
    routers are signaled to filter web traffic for a
    while, so the web server may catch up.

7
The Routers
  • The routers in the experiment are in a tree
    topology with static routes, although this is not
    a requirement
  • Each router knows its neighboring routers
  • When triggered by a detector process, the routers
    begin filtering the specified traffic toward that
    server

8
The Control Software
  • Provides consolidation and visualization for all
    Apache and router generated data
  • Control interface for attacker processes

9
The Filtering Algorithm
  • Detection is removed from the router software, as
    monitoring all types of traffic is unrealistic
  • When enabled for a certain type of traffic (HTTP
    in the experiment), routers will begin to count
    packets of that type destined for the detecting
    server

10
The Filtering Algorithm (2)
  • A router detects traffic when its threshold is
    reached, then blocks it (drops the packets) for a
    short duration, so that the server may catch up
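
The count-then-block behaviour from the two Filtering Algorithm slides, as an added example that is not the presenters' router code. The class name `RouterFilter`, the one-second counting window, the threshold and block duration values, and the addresses are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class RouterFilter:
    threshold: int           # packets per window that triggers blocking (fixed per router)
    window: float = 1.0      # counting window in seconds (assumed)
    block_for: float = 5.0   # how long to drop, in seconds (assumed value)
    _state: dict = field(default_factory=dict)  # (ip, port) -> [window_start, count, blocked_until]

    def enable(self, dst_ip, dst_port):
        """Signal from the server's detector: start counting this traffic type."""
        self._state[(dst_ip, dst_port)] = [None, 0, 0.0]

    def handle(self, now, dst_ip, dst_port):
        """Return 'forward' or 'drop' for one packet seen at time `now` (seconds)."""
        st = self._state.get((dst_ip, dst_port))
        if st is None:
            return "forward"                 # not enabled: never counted, never dropped
        if now < st[2]:
            return "drop"                    # inside the block interval
        if st[0] is None or now - st[0] >= self.window:
            st[0], st[1] = now, 0            # start a fresh counting window
        st[1] += 1
        if st[1] >= self.threshold:          # threshold reached: block for a while
            st[0], st[1], st[2] = None, 0, now + self.block_for
            return "drop"
        return "forward"

def simulate():
    """Run a constructed trace through one router and tally the verdicts."""
    server, other = ("10.0.0.80", 80), ("10.0.0.81", 80)   # constructed addresses
    router = RouterFilter(threshold=20)
    router.enable(*server)
    flood = [router.handle(i / 100, *server) for i in range(100)]  # 100 pkt/s for 1 s
    return {
        "flood_forwarded": flood.count("forward"),
        "flood_dropped": flood.count("drop"),
        "other_host_during_block": router.handle(2.0, *other),
        "server_during_block": router.handle(3.0, *server),   # any request via this router is dropped
        "server_after_block": router.handle(7.0, *server),
    }

if __name__ == "__main__":
    print(simulate())
```

With a fixed threshold and duration, every request crossing this router toward the server is dropped during the block interval, whoever sent it.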

11
Algorithm Limitations
  • The threshold and duration for blocking in the
    experiment are fixed for each router, leaving
    much to be developed in the algorithm
  • The tree topology is fixed throughout, so that
    only one node can be properly defended (needs a
    concept of relatively upstream or downstream)

12
Results
  • The system effectively chokes high traffic
  • Availability of the server to non-offending
    networks is compromised only before attack
    detection
  • Non-offending traffic is unscathed beyond
    bandwidth limitations in offending networks
  • The attacked server system is stable the whole
    time