An Overview and Classification of DDoS Attacks - PowerPoint PPT Presentation

About This Presentation

Title: An Overview and Classification of DDoS Attacks

Description: How to inflict, entities involved, phases of attack, possible motives ... rebooting the victim machine or reconfiguring it) for recovery, after the attack ... – PowerPoint PPT presentation

Slides: 22
Provided by: shreeg
Learn more at: https://www.cs.kent.edu

Transcript and Presenter's Notes


1
An Overview and Classification of DDoS Attacks
  • Based on the paper "A Taxonomy of DDoS Attack and
    DDoS Defense Mechanisms"
  • Authors: Jelena Mirkovic, University of Delaware;
    Peter Reiher, UCLA
  • Presentation by Sagar Panchariya, Masters Student

2
Table of Contents
  • DDoS definition
  • How to inflict a DDoS attack, entities involved,
    phases of the attack, possible motives behind it
  • What makes DDoS possible?
  • Classification of attacks
  • Video
  • Conclusion
  • References

3
What is a DoS and DDoS attack?
  • In its simplest form, a Denial of Service (DoS)
    attack is an attack against any system component
    that attempts to force that system component to
    limit, or even halt, normal services
  • In its simplest form, a Distributed Denial of
    Service (DDoS) attack is a DoS attack that occurs
    from more than one source, and/or from more than
    one location, at the same time.

4
How to inflict a DDoS attack
  • The simplest form of attack is to send a
    continuous stream of packets to the victim; the
    stream consumes so much of the victim's resources
    (bandwidth, CPU, memory) that its service becomes
    unavailable to legitimate clients.
  • Another approach is to send malformed packets to
    the victim's machine to confuse the application or
    protocol stack and force it to freeze or reboot.
  • An attack may also subvert machines in the
    victim's network so that legitimate clients cannot
    reach the service.

5
Entities involved in a DDoS attack
  (Diagram only; no transcript available)
6
Procedure to launch a DDoS attack
  • 1. The recruit phase: the attacker scans remote
    machines, looking for security holes that will
    allow breaking in.
  • 2. The exploit phase: the discovered
    vulnerabilities on those hosts are exploited to
    break into them.
  • 3. The infect phase: the attack code is installed
    on the compromised hosts (now agents) so that the
    attacker can control them.
  • 4. The use phase: the attacker commands the agents
    to send attack packets to the victim. Infected
    machines are also frequently used to recruit
    further agents.

7
Reasons for DDoS attacks
  • 1. Personal reasons: a significant number of DDoS
    attacks are perpetrated against home computers,
    presumably for revenge.
  • 2. Prestige: a successful attack on a popular Web
    server gains the respect of the hacker community.
  • 3. Material gain: damaging a competitor's
    resources or blackmailing companies.
  • 4. Political reasons: a country at war could
    perpetrate attacks against its enemy's critical
    resources, potentially enlisting a significant
    portion of the entire country's computing power
    for this action.

8
Why are DDoS attacks easy?
  • The end-to-end service paradigm of the Internet:
    the network core only forwards packets, and
    security is left up to the end parties.
  • If one of the parties misbehaves, it can cause
    damage to its peer.
  • The intermediate network has little information
    about which traffic is legitimate, so it can
    neither easily detect a misbehaving peer nor
    stop it.
  • High-bandwidth pathways were built in the
    intermediate network, while the end networks
    invested in only as much bandwidth as they
    thought they would need.
  • Thus malicious clients can misuse the abundant
    resources of the unwitting intermediate network
    to deliver numerous messages to a less
    provisioned victim.

9
Need for classification
  • A classification can be useful in answering
    questions such as:
  • What are the different ways to perpetrate a DDoS
    attack?
  • Which kinds of attacks already have solutions
    designed for them, and which still need solutions?
  • What novel kinds of DDoS attacks could take place?
  • A classification gives researchers a common
    vocabulary to discuss the DDoS threat and to
    explore the solution space.
  • Understanding these threats, implementing them in
    a test-bed environment, and using them to test
    defense systems will help researchers keep one
    step ahead of the attackers.

10
(No Transcript)
11
  • DA1 Manual (DA: Degree of Automation)
  • The attacker performs all phases (recruit,
    exploit, infect and use) manually. These were the
    earliest DDoS attacks.
  • DA2 Semi-Automatic
  • The recruit, exploit and infect phases are
    automated. In the use phase, the attacker
    specifies the attack type, onset, duration and
    the victim via handler machines to the agents,
    which send the packets to the victim.
  • DA2:CM Communication Mechanism
  • Based on the communication mechanism deployed
    between agent and handler machines, semi-automatic
    attacks are further divided into direct and
    indirect communication.
  • DA2:CM1 Direct Communication
  • During attacks with direct communication, the
    agent and handler machines need to know each
    other's identity in order to communicate, so the
    discovery of one compromised machine can expose
    the rest of the attack network.

12
  • DA2:CM2 Indirect Communication
  • Attacks with indirect communication use some
    legitimate communication service to synchronize
    agent actions; recent attacks have used IRC
    (Internet Relay Chat) channels.
  • DA3 Automatic
  • The start time of the attack, the attack type,
    its duration and the victim are preprogrammed in
    the attack code, so no further communication
    between attacker and agents is needed.
  • DA2 and DA3: HSS1 Random Scanning (HSS: Host
    Scanning Strategy)
  • During random scanning, each compromised host
    probes random addresses in the IP address space,
    using a different seed. This produces a high
    amount of internetwork traffic and infects a
    large number of machines.
  • DA2 and DA3: HSS2 Local Subnet Scanning
  • Local subnet scanning can be added to any of the
    previously described techniques to preferentially
    scan for targets that reside on the same subnet
    as the compromised host.

13
  • SAV1 Spoofed Source Address (SAV: Source Address
    Validity)
  • This is the prevalent type of attack, since it is
    always to the attacker's advantage to spoof the
    source address: it avoids accountability and
    possibly creates more noise for detection
    mechanisms.
  • SAV1:AR Address Routability
  • Based on address routability we differentiate
    between routable and non-routable source address
    attacks.
  • SAV1:AR1 Routable Source Address
  • Attacks that spoof routable addresses take over
    the IP address of another machine. This is
    sometimes done not to avoid accountability, but
    to perform a reflector attack on the machine
    whose address was hijacked: the replies to the
    attack packets are delivered to that machine.
  • SAV1:AR2 Non-Routable Source Address
  • Attackers can spoof non-routable source
    addresses, some of which belong to a reserved set
    of addresses (such as 192.168.0.0/16) or to
    assigned but unused address space of some network.

14
  • DA2 and DA3: VSS1 Horizontal Scanning (VSS:
    Vulnerability Scanning Strategy)
  • This is the common type of scan for worms.
    Scanning machines look for a specific
    vulnerability, probing the same destination port
    on all machines from the list assembled through
    the host scanning techniques above.
  • DA2 and DA3: VSS2 Vertical Scanning
  • This is the common type of scan for intrusions
    and multiple-vector worms. Scanning machines
    probe multiple ports at a single destination,
    looking for any way to break in.
  • EW1 Semantic (EW: Exploited Weakness)
  • Semantic attacks exploit a specific feature or
    implementation bug of some protocol or
    application installed at the victim in order to
    consume excess amounts of its resources.
  • EW2 Brute-Force
  • Brute-force attacks are performed by initiating
    a vast amount of seemingly legitimate
    transactions; the victim is overwhelmed because
    the attackers' combined resources exceed its own,
    not because of any flaw.
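The horizontal/vertical distinction above is directly usable on the defense side: a horizontal scan shows up as one source hitting the same destination port on many hosts, a vertical scan as one source hitting many ports on one host. The following is an added example, not code from the presentation or from the Mirkovic/Reiher paper; it runs over a constructed set of flow records, and the two thresholds (`MIN_TARGETS`, `MIN_PORTS`) are assumptions chosen for that data rather than values from the paper.

```python
"""Classify per-source scanning behaviour from flow records.

Added example; not from the presentation or the paper. The flow records and
thresholds below are constructed assumptions used to illustrate the two scan
types (VSS1 horizontal, VSS2 vertical).
"""
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, dst_port). Not real traffic.
FLOWS = [
    # 10.0.0.5 probes port 445 on twenty hosts: horizontal scan (VSS1)
    *[("10.0.0.5", f"192.0.2.{i}", 445) for i in range(1, 21)],
    # 10.0.0.9 probes ten ports on one host: vertical scan (VSS2)
    *[("10.0.0.9", "192.0.2.50", p)
      for p in (21, 22, 23, 25, 80, 110, 143, 443, 445, 3389)],
    # 10.0.0.7 is an ordinary client talking to two web servers
    ("10.0.0.7", "192.0.2.80", 443),
    ("10.0.0.7", "192.0.2.81", 443),
    ("10.0.0.7", "192.0.2.80", 443),
]

MIN_TARGETS = 10  # distinct hosts on one port before we call it horizontal
MIN_PORTS = 8     # distinct ports on one host before we call it vertical


def classify_scans(flows, min_targets=MIN_TARGETS, min_ports=MIN_PORTS):
    """Return {src: {"horizontal": [(port, n_hosts), ...],
                     "vertical":   [(host, n_ports), ...]}}
    for every source whose behaviour crosses either threshold."""
    hosts_per_port = defaultdict(lambda: defaultdict(set))  # src -> port -> {dst}
    ports_per_host = defaultdict(lambda: defaultdict(set))  # src -> dst -> {port}
    for src, dst, port in flows:
        hosts_per_port[src][port].add(dst)
        ports_per_host[src][dst].add(port)

    findings = {}
    for src in set(hosts_per_port) | set(ports_per_host):
        # one port, many hosts: the worm-style horizontal sweep
        horizontal = [(port, len(dsts))
                      for port, dsts in hosts_per_port[src].items()
                      if len(dsts) >= min_targets]
        # one host, many ports: the intrusion-style vertical probe
        vertical = [(dst, len(ports))
                    for dst, ports in ports_per_host[src].items()
                    if len(ports) >= min_ports]
        if horizontal or vertical:
            findings[src] = {"horizontal": horizontal, "vertical": vertical}
    return findings


if __name__ == "__main__":
    for src, finding in sorted(classify_scans(FLOWS).items()):
        print(src, finding)
```

On the constructed data the ordinary client 10.0.0.7 is not reported, 10.0.0.5 is reported as a horizontal scan of port 445 across 20 hosts, and 10.0.0.9 as a vertical scan of 10 ports on 192.0.2.50. In production the thresholds have to be tuned against the site's own baseline, and the counts should be kept per time window so that slow scans are not hidden by an ever-growing denominator.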

15
  • SAV1:ST Spoofing Technique
  • The spoofing technique defines how the attacker
    chooses the spoofed source address in its attack
    packets.
  • SAV1:ST1 Random Spoofed Source Address
  • Many attacks spoof random source addresses in the
    attack packets, since this can be achieved simply
    by generating random 32-bit numbers and stamping
    packets with them. Ingress filtering at the
    agent's network edge drops most such packets,
    because a random address almost never falls
    within the agent's own prefix.
  • SAV1:ST2 Subnet Spoofed Source Address
  • In subnet spoofing, the attacker spoofs a random
    address from the address space assigned to the
    agent machine's subnet. Such packets pass ingress
    filtering, since the address belongs to the
    prefix the network is expected to send from.
  • SAV1:ST4 Fixed Spoofed Source Address
  • An attacker performing a reflector attack, or
    wishing to place the blame for the attack on
    several specific machines, would use fixed
    spoofing.
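The spoofing categories on slides 13 and 15 map directly onto what an edge router's ingress filter (BCP 38: forward only packets whose source lies in the prefix assigned to the link) can and cannot catch. The following is an added example, not code from the presentation or the paper; the link prefix 198.51.100.0/24, the bogon list and the "blamed" address 203.0.113.7 are constructed assumptions, and the generators only produce source addresses for the three techniques so the filter's hit rate can be measured offline.

```python
"""Ingress filtering (BCP 38) against random, subnet and fixed spoofing.

Added example; not from the presentation or the paper. The prefix, the
non-routable list and the generated packets are constructed assumptions.
"""
import ipaddress
import random

# Assumption: the edge router knows the customer link is assigned this prefix.
LINK_PREFIX = ipaddress.ip_network("198.51.100.0/24")

# A few non-routable ranges (SAV1:AR2): private, loopback, link-local,
# multicast, reserved. A real router would use a maintained bogon list.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_non_routable(src):
    return any(src in net for net in NON_ROUTABLE)


def ingress_filter(src, link_prefix=LINK_PREFIX):
    """Decision for a packet arriving from the customer link: 'drop' when the
    source is non-routable or outside the link's assigned prefix, else 'forward'."""
    src = ipaddress.ip_address(src)
    if is_non_routable(src) or src not in link_prefix:
        return "drop"
    return "forward"


# Source-address generators, one per spoofing technique on slide 15.
def random_spoofed(rng):
    # SAV1:ST1: a random 32-bit number used directly as the source address
    return str(ipaddress.ip_address(rng.getrandbits(32)))


def subnet_spoofed(rng, prefix=LINK_PREFIX):
    # SAV1:ST2: a random address from the agent's own subnet
    return str(prefix[rng.randrange(prefix.num_addresses)])


def fixed_spoofed(blamed="203.0.113.7"):
    # SAV1:ST4: the same chosen (here routable, SAV1:AR1) address on every packet
    return blamed


def filter_rate(technique, n=1000, seed=1):
    """Fraction of n packets using `technique` that the ingress filter drops."""
    rng = random.Random(seed)
    gens = {
        "random": lambda: random_spoofed(rng),
        "subnet": lambda: subnet_spoofed(rng),
        "fixed": lambda: fixed_spoofed(),
    }
    dropped = sum(ingress_filter(gens[technique]()) == "drop" for _ in range(n))
    return dropped / n


if __name__ == "__main__":
    for technique in ("random", "subnet", "fixed"):
        print(f"{technique:7s} dropped: {filter_rate(technique):.3f}")
```

The measurement shows the practical point behind the taxonomy: random (ST1) and fixed-foreign (ST4) spoofing are almost entirely stopped at the first BCP 38 hop, while subnet spoofing (ST2) is indistinguishable from legitimate traffic to that filter and has to be handled closer to the victim.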

16
  • ARD Attack Rate Dynamics
  • RD1 Constant Rate
  • The majority of known attacks deploy a
    constant-rate mechanism. After the onset is
    commanded, agent machines generate attack packets
    at a steady rate, usually as many as their
    resources permit.
  • RD2 Variable Rate
  • Variable-rate attacks vary the attack rate of an
    agent machine to delay or avoid detection and
    response.
  • RD2:RC Rate Change Mechanism
  • RD2:RC1 Increasing Rate
  • Attacks with a gradually increasing rate lead to
    a slow exhaustion of the victim's resources, so a
    detector that looks for a sudden spike may not
    fire.

17
  • RD2:RC2 Fluctuating Rate
  • Attacks with a fluctuating rate adjust the attack
    rate based on the victim's behavior or on
    preprogrammed timing, occasionally relieving the
    effect to avoid detection.
  • IV Impact on the Victim
  • Based on the impact on the victim, we
    differentiate between disruptive and degrading
    attacks.
  • IV1 Disruptive
  • The goal of disruptive attacks is to completely
    deny the victim's service to its clients.
  • IV1:RM Possibility of Dynamic Recovery
  • Depending on the possibility of dynamic recovery
    during or after the attack, we differentiate
    between self-recoverable, human-recoverable and
    non-recoverable attacks.
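The three rate profiles from slides 16 and 17 (constant, increasing, fluctuating) exist precisely because they defeat different detectors. The following is an added example, not code from the presentation or the paper: it synthesizes the three profiles as packets-per-second series and runs two naive detectors over them, one that alarms after `k` consecutive overloaded intervals and one that alarms on a moving average. Baseline, threshold, pulse timing and window sizes are constructed assumptions; only the relative behaviour is the point.

```python
"""Attack rate dynamics (RD1 constant, RD2:RC1 increasing, RD2:RC2 fluctuating)
against two simple rate-based detectors.

Added example; not from the presentation or the paper. All numbers below are
constructed assumptions.
"""
from statistics import mean

BASELINE = 100    # assumed legitimate packets per second
THRESHOLD = 500   # pps above which an interval counts as overloaded


def constant_rate(n, rate=2000):
    # RD1: full rate from the commanded onset onward
    return [BASELINE + rate] * n


def increasing_rate(n, step=40):
    # RD2:RC1: the rate grows slowly, exhausting the victim without a spike
    return [BASELINE + step * t for t in range(n)]


def fluctuating_rate(n, peak=2000, on=2, off=3):
    # RD2:RC2: `on` overloaded intervals followed by `off` quiet ones, repeated
    return [BASELINE + (peak if t % (on + off) < on else 0) for t in range(n)]


def consecutive_detector(series, threshold=THRESHOLD, k=3):
    """Index of the first interval at which `k` consecutive intervals exceeded
    the threshold, or None if the series never trips the detector."""
    run = 0
    for t, rate in enumerate(series):
        run = run + 1 if rate > threshold else 0
        if run >= k:
            return t
    return None


def window_detector(series, threshold=THRESHOLD, w=5):
    """Index of the first interval at which the mean of the last `w` intervals
    exceeded the threshold, or None."""
    for t in range(w - 1, len(series)):
        if mean(series[t - w + 1:t + 1]) > threshold:
            return t
    return None


def compare(n=60):
    """Detection time (consecutive, windowed) for each rate profile."""
    profiles = {
        "constant": constant_rate(n),
        "increasing": increasing_rate(n),
        "fluctuating": fluctuating_rate(n),
    }
    return {name: (consecutive_detector(s), window_detector(s))
            for name, s in profiles.items()}


if __name__ == "__main__":
    for name, (t_consec, t_window) in compare().items():
        print(f"{name:12s} consecutive={t_consec} windowed={t_window}")
```

With these settings the constant-rate attack is caught at interval 2 by the consecutive detector, the increasing-rate attack is not caught until interval 13 (after the victim has already absorbed eleven intervals of rising load), and the fluctuating attack, whose pulses are shorter than `k`, is never caught by the consecutive detector at all even though its windowed average (900 pps) is well above the threshold. A detector that reasons about sustained load, not just instantaneous rate, is the practical answer to RC2.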

18
  • IV1:RM1 Self-Recoverable
  • In the case of self-recoverable attacks, the
    victim recovers without any human intervention as
    soon as the influx of attack packets stops.
  • IV1:RM2 Human-Recoverable
  • A victim of a human-recoverable attack requires
    human intervention (e.g., rebooting the victim
    machine or reconfiguring it) for recovery after
    the attack is stopped.
  • IV1:RM3 Non-Recoverable
  • Non-recoverable attacks inflict permanent damage
    on the victim's hardware; new hardware must be
    purchased for recovery.
  • IV2 Degrading
  • The goal of degrading attacks is to consume some
    (presumably constant) portion of a victim's
    resources, seriously degrading service to
    legitimate customers.

19
Conclusion
  • Many types of DDoS attack exist, and there was no
    defined classification that allowed studying them
    as a hierarchy.
  • The paper structures the known forms of DDoS
    attack, and some novel attacks that could be
    possible in the future, into a classification
    scheme.
  • Future work
  • New forms of DDoS attack can be added to the
    classification under an existing level, or as a
    separate class altogether.

20
Video
  • Shut Down A Website - Perl (with myspace hacker)
  • http://www.youtube.com/watch?v=5pzh5zqQ4ic

21
References
  • J. Mirkovic and P. Reiher, "A Taxonomy of DDoS
    Attack and DDoS Defense Mechanisms," ACM SIGCOMM
    Computer Communication Review (CCR), vol. 34,
    no. 2, April 2004, pp. 39-54.
  • Denial of Service Attack,
    http://en.wikipedia.org/wiki/Denial-of-service_attack
  • Network Security: DoS vs DDoS attacks,
    http://www.crime-research.org/articles/network-security-dos-ddos-attacks/