Overview of Distributed Denial of Service DDoS - PowerPoint PPT Presentation

About This Presentation
Title:

Overview of Distributed Denial of Service DDoS

Description:

Ingress/egress filtering. Ingress filtering ... Ferguson and D. Senie, 'Network Ingress Filtering: Defeating Denial of Service ... – PowerPoint PPT presentation

Number of Views:203
Avg rating:3.0/5.0
Slides: 20
Provided by: csU66
Learn more at: https://www.cs.utsa.edu
Category:

less

Transcript and Presenter's Notes

Title: Overview of Distributed Denial of Service DDoS


1
Overview of Distributed Denial of Service (DDoS)
Wei Zhou
2
Outline of the presentation
  • DDoS definition and its attacking architectures
  • DDoS classification
  • Defense mechanism classification
  • Reactive VS. Proactive
  • Classification by defending front-line
  • SOS a case study

3
What is it?
  • No ready-to-go definition available
  • Characteristics
  • Multiple attackers vs. single victim
  • To cause denial of service to legitimate users on
    the victim
  • Two major attacking architecture
  • Direct attack
  • Reflector attack

4
Attacking Architecture - Direct Attack
Zombies
Masters (handlers)
5
Attacking Architecture Reflector Attack
Reflectors
Hacker's DDoS attacking network
Reflector Attack
6
Classification of DDoS Attacks
  • Classification by exploited vulnerability
  • Protocol Attacks
  • TCP SYN attacks
  • CGI request attacks
  • Authentication server attacks
  • ... ...
  • Flooding-based Attacks
  • Filterable
  • Non-filterable

7
Defense Mechanisms
  • Classification by activity level
  • Reactive mechanisms
  • Easy to be deployed
  • Hard to tell good guys from bad guys
  • Inflexible to adapt new attacks
  • Proactive mechanisms
  • Motivations to deploy
  • Accuracy on differentiating packets

8
Defense Mechanisms (cont.)
  • Classification by defending front-line
  • Victim network
  • Intermediate network
  • Source network

9
At the victim side
  • IDS plus Firewall
  • Detect bogus packets based on well-known attack
    signatures
  • Flexibility
  • Puzzle solving by clients
  • Client must solve a puzzle (small scripts,
    cookies etc.) in order to access server's
    resources
  • Efficiency
  • Duplicate server resources
  • Distribute server resources into more places
  • Synchronization, costs etc.

Victim network can't do NOTHING if its link(s) to
the ISP is jammed
10
In the intermediate network
  • IP traceback
  • Can be used to collect forensic evidence
  • (Need further exploration on this topic)
  • Push-back mechanism
  • Route-Based packet filtering
  • Overlay network

11
Push-back the idea
  • Reactive mechanism
  • Accuracy of telling 'poor' packets from bad
    packets

Heavy traffic flow
12
Route-based packet filtering the idea
R8
R4
R3
R0
R7
R6
R9
R2
R1
R5
  • Proactive mechanism
  • Overheads
  • Need to change routers

Routes from node 2
13
At the source side
  • Ingress/egress filtering
  • Ingress filtering
  • To prevent packets with faked source IP addresses
    from entering the network
  • Egress filtering
  • To prevent packets with faked source IP addresses
    from leaving the network

14
At the source side (cont.)
  • D-WARD (DDoS netWork Attack Recognition and
    Defense)
  • Balance of inbound and outbound traffic

15
D-WARD (cont.)
  • Motivation of deployment
  • Asymmetric problems

16
SOS Security Overlay Service
  • To protect a dedicated server from DDoS attacks
  • Use high-performance filters to drop all the
    packets not from secret servlets
  • Path redundancy in overlay network is used to
    hide the identities of secret servlets
  • Legitimate users enter the overlay network at the
    point of SOAP (secure overlay access point)

17
SOS (cont.)
Big time delay
18
References
  • R. K. C. Chang, Defending against Flooding-Based
    Distributed Denial-of-Sevice Attacks A Tutorial
  • P. Ferguson and D. Senie, Network Ingress
    Filtering Defeating Denial of Service Attacks
    which employ IP Source Address Spoofing, RFC
    2827
  • J. Ioannidis and S. M. Bellovin, Implementing
    Pushback Router-Based Defense Against DDoS
    Attacks
  • A. D. Keromytis, V. Misra and D. Rubenstein,
    SOS Secure Overlay Services
  • R. Mahajan, S. M. Bellovin, S. Floyd, J.
    Ioannidis, V. Paxson and S. Shenker, Controlling
    High Bandwidth Aggregates in the Network
  • J. Mirkovic, J. Martin and P. Reiher, A Taxonomy
    of DDoS Attacks and DDoS Defense Mechanisms
  • J. Mirkovic, G. Prier and P. Reiher, Attacking
    DDoS at the Source
  • K. Park and H. Lee, A Proactive Approach to
    Distributed DoS Attack Prevention using
    Route-Based Packet Filtering

19
Thank you!
Write a Comment
User Comments (0)
About PowerShow.com