Title: 563.7.1 Classification of DoS Attacks
- Daniel Rebolledo
- University of Illinois
- Fall 2007
Definition
Denial of Service (DoS) is an attack designed to render a computer or network incapable of providing normal services.
W3C
A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service.
Defense Challenge
- Internet security is highly inter-dependent
- The network is optimized for packet delivery, not monitoring nor accountability.
- Security requires coordination between parties
- DoS attacks are hard to detect
- It is hard to distinguish malicious packets from legitimate ones
- Internet resources are limited
- Automated tools exist
- Environment is target-rich
Mitrokotsa, Douligeris 03, 07
DoS vs. DDoS
- DoS: a few packets are enough to deny access to a service
- DDoS: the attack is performed by a network of compromised machines.
- Possibly recognized by
  - attack packet header info
    - IP Address, or Fragment ID and TTL fields
  - attack packet stream dynamics
    - ramp-up behavior: slower ramp-up suggests multiple attackers
    - spectral analysis: frequency analysis of packet trace
Hussain, Heidemann, Papadopoulos, 04
Defining Characteristics
Who?
What?
When?
Where?
How?
- Agent recruitment
- Persistence of agent sets
Agent recruitment
- Agents
  - select an IP address scanning strategy
    - random / hit list / signpost / permutation / local subnet
  - probe for vulnerabilities
    - horizontally / vertically / coordinated stealthily
  - may download attack code
    - from a centralized server (central source) / from the old host (back-chaining)
    - or code may be included (autonomous propagation)
Specht, Lee, 04
Persistence of Agent Sets
- constant agent set
  - agent machines act in unison
  - may 'pulse' the attack, but the 'on'/'off' periods match
- variable agent set
  - agents don't act in unison
  - agent set may be divided into groups
  - different groups take turns pulsing the victim
  - hinders traceback!
Mirkovic, Reiher 04
Defining Characteristics
Who?
What?
When?
Where?
How?
Victim Type
- Specific Application
  - Detection is difficult
  - host operates normally except for the targeted application
  - attack volume is usually small and packets are difficult to tell apart
- Host
  - Disables all legitimate access to the target host by disabling its network communication subsystem or otherwise causing the host to crash, freeze, or reboot
  - Patches help, but defense requires help from upstream firewalls or routers.
- Critical Network Resource (DNS server / router / link)
- Network
  - Consume all available bandwidth
- Infrastructure
  - Targets distributed systems critical to the operation of the Internet (extension of the host victim type)
Mirkovic, Reiher 04; Douligeris, Mitrokotsa 07
Defining Characteristics
Who?
What?
When?
Where?
How?
Attack Rate Dynamics
- Constant Rate (most common)
  - agents send packets as fast as they can after the attack is started
  - large traffic stream may aid detection
- Variable Rate
  - used in an attempt to avoid or delay detection
  - Increasing Rate
  - Fluctuating Rate
    - based on e.g. victim behavior or preprogrammed timing
    - may confuse sysadmins
Mirkovic, Reiher 04
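The two stream-dynamics heuristics from the slides (ramp-up time as a single- vs. multi-source indicator from the DoS vs. DDoS slide, and constant / increasing / fluctuating rate from the slide above) can be run over a per-interval packet-count series. This is an added illustration, not code from the slides or the cited papers; the bin width, the 90% ramp-up threshold, the 0.1 variability threshold and the sample series are all constructed assumptions.

```python
"""Heuristics over a per-interval count of attack packets seen at the victim.
Assumption: each count covers a fixed bin of BIN_MS milliseconds."""
from statistics import mean, pstdev

BIN_MS = 100  # assumed bin width in milliseconds

def ramp_up_ms(counts, fraction=0.9):
    """Milliseconds from the first attack packet until the rate first reaches
    `fraction` of its peak. A near-instant ramp-up points to one source; a slow
    one suggests many agents whose starts are not synchronised (Hussain et al.)."""
    peak = max(counts)
    if peak == 0:
        return None
    start = next(i for i, c in enumerate(counts) if c > 0)
    reach = next(i for i, c in enumerate(counts) if c >= fraction * peak)
    return (reach - start) * BIN_MS

def classify_sources(counts):
    """Single-source if the attack reaches steady state within one bin."""
    r = ramp_up_ms(counts)
    if r is None:
        return "no attack traffic"
    return "single-source" if r <= BIN_MS else "multi-source"

def rate_profile(counts):
    """Attack rate dynamics over the bins that carry attack traffic."""
    active = [c for c in counts if c > 0]
    if not active:
        return "none"
    cv = pstdev(active) / mean(active)  # coefficient of variation
    if cv < 0.1:  # assumed threshold for 'constant'
        return "constant"
    if all(b >= a for a, b in zip(active, active[1:])):
        return "increasing"
    return "fluctuating"

# Constructed sample series (packets per 100 ms bin), not real traces.
SINGLE = [0, 0, 1000, 1000, 1000, 1000, 1000]          # abrupt start, flat rate
MULTI = [0, 0, 200, 400, 600, 800, 1000, 1000, 1000]   # agents join over 400 ms
PULSED = [0, 1000, 1000, 50, 50, 1000, 1000, 50, 50]   # on/off pulsing

if __name__ == "__main__":
    for name, series in ("SINGLE", SINGLE), ("MULTI", MULTI), ("PULSED", PULSED):
        print(name, classify_sources(series), rate_profile(series))
```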
Defining Characteristics
Who?
What?
When?
From Where?
How?
- Source address validity
- Spoofed address selection
- Reflector attacks
Source Address Validity
- Spoofed Address
  - avoids accountability, helps avoid detection
  - makes brute force attacks hard to filter
  - otherwise, servers could manage by allocating resources intelligently
- Valid Address
  - some attacks (NAPTHA) require a valid source address, since the attack mechanism requires several request/reply exchanges between agent and victim
  - older Windows (NT) didn't allow user-level processes to modify packet headers
Mirkovic, Reiher 04
Spoofed Address Selection
- Types of Spoofed Addresses
  - Routable vs. Non-Routable
  - Fixed
    - reflector attacks, or an attack trying to place blame on a 3rd party
  - Random
    - filtering techniques can be useful
  - Subnet
    - choose an address randomly from the same subnet as the agent
    - defeats ingress filtering
    - subnet where the agent is located may be able to detect filter
  - En Route
    - choose an address from some host on the route from agent to victim
    - not used by any known attack, but foreseeable, since it counters some existing filtering techniques
Mirkovic, Reiher 04
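Why ingress filtering catches random and fixed spoofing but not subnet spoofing can be shown by running an RFC 2827-style filter over address samples of each type. This is an added illustration, not code from the slides or the cited papers; the customer prefix, the sample addresses and the sample size are constructed assumptions (documentation ranges only).

```python
"""Ingress filter at the customer edge, evaluated against the three spoofed
address types from the slide. Assumed: the edge router knows the prefix its
customer network legitimately uses and drops any other source leaving it."""
import ipaddress
import random

CUSTOMER_PREFIX = ipaddress.ip_network("203.0.113.0/24")  # assumed customer net
THIRD_PARTY = "198.51.100.9"  # constructed fixed address (3rd party / victim)

def ingress_filter(src_ip):
    """True if a packet leaving the customer network may be forwarded."""
    return ipaddress.ip_address(src_ip) in CUSTOMER_PREFIX

def sample_random(rng):
    """Address drawn uniformly from the whole IPv4 space."""
    return str(ipaddress.IPv4Address(rng.getrandbits(32)))

def sample_subnet(rng, prefix=CUSTOMER_PREFIX):
    """Address drawn from the same subnet the agent sits in."""
    return str(prefix.network_address + rng.randrange(1, prefix.num_addresses - 1))

def drop_rate(addresses):
    """Fraction of packets with these source addresses the filter drops."""
    return sum(not ingress_filter(a) for a in addresses) / len(addresses)

def evaluate(n=1000, seed=7):
    """Drop rate per spoofed-address type; constructed samples, fixed seed."""
    rng = random.Random(seed)
    return {
        "fixed": drop_rate([THIRD_PARTY] * n),
        "random": drop_rate([sample_random(rng) for _ in range(n)]),
        "subnet": drop_rate([sample_subnet(rng) for _ in range(n)]),
    }

if __name__ == "__main__":
    for kind, rate in evaluate().items():
        print(f"{kind:7s} dropped: {rate:.3f}")
```

The subnet row comes out at zero: every sampled address is inside the prefix the filter trusts, which is exactly the weakness the slide points to.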
Reflector Attacks
- Reflector: any machine or service that responds to a packet with one or more packets.
- Attacker sends packets to reflector
  - spoofed source address: victim's IP address
  - response from reflectors overwhelms the victim
- SMURF (1998)
  - ICMP echo requests sent to various IP broadcast addresses
  - amplifier effect: many responses from a single packet
- DNS Reflector Flood (2000)
  - agents generate a large number of DNS requests, with the spoofed source address of the victim
  - amplifier effect: DNS responses can be significantly larger than the DNS request
CERT Advisory CA-1998-01, Incident Note IN-2000-04
Defining Characteristics
Who?
What?
When?
To Where?
How?
- Exploited vulnerabilities
Exploited Vulnerabilities
- Semantic (e.g. TCP SYN, NAPTHA)
  - exploits features or bugs of protocols/applications on the victim in order to deplete its resources
  - asymmetrically cheap for attacker but expensive for victim
  - targets buffers, network resources, process space, processor time
- Brute Force (e.g. ping flood)
  - overwhelms the victim with seemingly legitimate transactions
  - intermediate network can deliver more packets than the victim can handle, but more packets are required (raises the bar)
  - attack packets are difficult to distinguish
- Either / both (e.g. ping flood)
  - semantic attacks can become brute force attacks (e.g. SYN flood)
  - hybrid attacks, e.g. SMURF
Mirkovic, Reiher 04
Defining Characteristics
Who?
What?
When?
Where?
How?
- Degree of automation
- Possibility of characterization
- Impact on victim
Operation - Degree of Automation
- Manual (early DDoS attacks)
  - The attacker manually scans, breaks in, installs attack code, then directs the attack
- Fully Automatic (some viruses)
  - exploit/recruitment phase and attack phase both automated
  - Reduces the attacker's exposure
  - Inflexible: often they leave a backdoor for future modification
- Semi-Automated
  - recruitment phase automated, attack phase manually initiated
  - requires master-agent communication
    - direct comm. is risky (e.g. hard-coding IP addr.)
    - indirect communication (e.g. through IRC)
Mirkovic, Reiher 04
Possibility of Characterization
- Characterizable
  - Filterable vs. Non-Filterable
  - Filterable
    - packets may be malformed
    - protocol or application may not be needed by target
    - e.g. UDP flood against a web server, HTTP flood against an SMTP server
  - Non-Filterable
    - well-formed packets that request legitimate/critical services
    - no way to distinguish attack packets from legitimate service requests
    - e.g. HTTP flooding a web server
- Non-characterizable
  - attack packets use a variety of protocols/applications
  - may be randomly generated
  - some attacks characterizable in theory, but not in practice
Mirkovic, Reiher 04
Impact on Victim
- Disruptive: completely deny access
  - Self-recoverable
    - Service recovers without human intervention as soon as the attack ends.
  - Human-recoverable
  - Non-recoverable
- Degrading
  - Consume a portion of the victim's resources.
  - Hard to detect
  - Can be very costly (lost business)
  - Most existing DDoS countermeasures fail to address this threat
Mirkovic, Reiher 04
Learn More
- Christos Douligeris and Aikaterini Mitrokotsa, DDoS attacks and defense mechanisms: classification and state-of-the-art, Computer Networks, Volume 44, Issue 5, 5 April 2004, Pages 643-666.
- Christos Douligeris and Aikaterini Mitrokotsa, Denial-of-Service Attacks, in Network Security: Current Status and Future Directions, Wiley, 2007, ISBN 978-0-471-70355-6.
- Mirkovic, J. and Reiher, P. 2004. A taxonomy of DDoS attack and DDoS defense mechanisms. SIGCOMM Comput. Commun. Rev. 34, 2 (Apr. 2004), 39-53.
- Stephen M. Specht, Ruby B. Lee, Distributed Denial of Service: Taxonomies of Attacks, Tools and Countermeasures, Proceedings of the 17th International Conference on Parallel and Distributed Computing Systems, 2004 International Workshop on Security in Parallel and Distributed Systems, pp. 543-550, September 2004.