Attacking DDoS at the Source - PowerPoint PPT Presentation

1
Attacking DDoS at the Source
  • Jelena Mirkovic, Gregory Prier, Peter Reiher
  • University of California Los Angeles
  • Presentation by David Allen

2
Overview
  • Denial-of-Service (DoS) attack
  • Packet streams from disparate sources converge on
    victim.
  • Consume a key resource, rendering it unavailable to
    legitimate clients.
  • Traceback and mitigation are difficult.
  • Some systems attempt to block at the victim.
  • Can be difficult to distinguish attack packets from
    valid ones.
  • Attack volume may overwhelm defenses.

3
Overview
  • Ideally stop attacks as close to source as
    possible.
  • Facilitates traceback.
  • Easier to separate from legitimate traffic.
  • Less traffic to manage.
  • System described in the paper: D-WARD

4
D-WARD
  • Implemented within a router or in cooperation with a
    router.
  • Traffic is monitored and flow statistics are
    gathered.
  • These are compared to a normal flow model.
  • Attack flows are throttled exponentially based on
    rate.

5
D-WARD
  • Flows that return to normal are allowed to
    recover.
  • Speed of recovery is slow at first, then fast.

6
D-WARD Model
  • TCP: ratio of packets sent to packets received.
  • Flow considered an attack if TCP ratio is above a
    threshold.
  • Certain ICMP packets must be paired with a reply.
  • Flow considered an attack if ICMP ratio is above a
    threshold.
  • Limits on the number of UDP connections per
    destination and sending rate.
  • Flow considered an attack if limits on UDP are
    exceeded.
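
An added example, not code from the paper or the presentation: the per-protocol flow model on this slide combined with the throttle and recovery behaviour from slides 4 and 5, written in Python. The threshold values, the halving and doubling factors, the linear slow-recovery step, and the `FlowStats` and `RateLimiter` names are assumptions, since the slides give no numbers.

```python
from dataclasses import dataclass

# Every constant here is an assumed value; the slides give no numbers.
TCP_RATIO_MAX = 3.0        # TCP packets sent per packet received
ICMP_RATIO_MAX = 1.1       # ICMP requests sent per reply received
UDP_MAX_CONNS = 100        # UDP connections per destination
UDP_MAX_RATE = 1_000_000   # UDP bytes/s to one destination
MIN_LIMIT, MAX_LIMIT = 1_000.0, 10_000_000.0  # rate-limit bounds, bytes/s
SLOW_STEP = 10_000.0       # additive step while recovery is slow
SLOW_INTERVALS = 3         # compliant intervals before recovery turns fast

@dataclass
class FlowStats:            # counters for one destination, one interval
    tcp_sent: int = 0
    tcp_rcvd: int = 0
    icmp_req: int = 0
    icmp_rep: int = 0
    udp_conns: int = 0
    udp_rate: float = 0.0   # bytes/s
    send_rate: float = 0.0  # total bytes/s sent to the destination

def ratio(sent: int, rcvd: int) -> float:
    # Count "no reply at all" as one reply so the ratio stays finite.
    return sent / max(rcvd, 1)

def is_attack(s: FlowStats) -> bool:
    return (ratio(s.tcp_sent, s.tcp_rcvd) > TCP_RATIO_MAX
            or ratio(s.icmp_req, s.icmp_rep) > ICMP_RATIO_MAX
            or s.udp_conns > UDP_MAX_CONNS
            or s.udp_rate > UDP_MAX_RATE)

class RateLimiter:
    def __init__(self) -> None:
        self.limit = MAX_LIMIT  # at MAX_LIMIT the flow is effectively unthrottled
        self.good = 0           # consecutive compliant intervals

    def update(self, s: FlowStats) -> float:
        if is_attack(s):
            self.good = 0
            # Repeated halving gives the exponential throttle; starting from
            # the observed rate makes the cut depend on what the flow sends.
            self.limit = max(MIN_LIMIT, min(self.limit, s.send_rate) / 2)
        else:
            self.good += 1
            if self.good <= SLOW_INTERVALS:
                self.limit = min(MAX_LIMIT, self.limit + SLOW_STEP)
            else:
                self.limit = min(MAX_LIMIT, self.limit * 2)
        return self.limit
```

Calling `update` once per observation interval with fresh counters yields the rate limit to enforce on that flow for the next interval.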

7
D-WARD Implementation
  • Linux-based software router.
  • Limited-size connection hash table is used to
    store stats.
  • Connections are purged if they are considered
    transient and are old, or
  • If table is full, bad connections are deleted.
  • Good connection records are never deleted.

8
Results

9
Results