DDoS Attack and Its Defense - PowerPoint PPT Presentation

About This Presentation
Title: DDoS Attack and Its Defense
Description: CSE551 Handout on DDoS and Worm. 1. DDoS Attack and Its Defense ... Uses information on the compromised host (Email worms) Local subnet scanning ...

Slides: 31
Provided by: DonTo6

Transcript and Presenter's Notes


1
DDoS Attack and Its Defense
  • CSE551 Introduction to Information Security

2
Outline
  • What is a DDOS attack?
  • How to defend against a DDoS attack?

3
What is a DDoS attack?
  • Internet DDoS attacks are a real threat
  • - on websites
  • Yahoo, CNN, Amazon, eBay, etc. (Feb. 2000)
  • → services were unavailable for several hours
  • - on Internet infrastructure
  • 13 root DNS servers (Oct. 2002)
  • → 7 of them were shut down, 2 others partially unavailable
  • Lack of defense mechanisms on the current Internet

4
What is a DDoS Attack?
  • DoS attacks
  • Attempt to prevent legitimate users of a service
    from using it
  • Examples of DoS include
  • Flooding a network
  • Disrupting connections between machines
  • Disrupting a service
  • Distributed Denial-of-Service Attacks
  • Many machines are involved in the attack against
    one or more victim(s)

8
What Makes DDoS Attacks Possible?
  • The Internet was designed with functionality, not security, in mind
  • Internet security is highly interdependent
  • Internet resources are limited
  • The power of many is greater than the power of a few

9
To Address DDoS Attacks
  • Ingress Filtering
  • - P. Ferguson and D. Senie, RFC 2267, Jan. 1998
  • - Block packets that have illegitimate source addresses
  • - Disadvantage: overhead makes routing slow
  • Identification of the origins (Traceback problem)
  • - IP spoofing enables attackers to hide their identity
  • - Many IP traceback techniques have been suggested
  • Mitigating the effect during the attack
  • - Pushback

10
IP Traceback
  • - Allows the victim to identify the origin of attackers
  • - Several approaches
  • ICMP trace messages, Probabilistic Packet Marking, Hash-based IP Traceback, etc.

11
PPM
  • Probabilistic Packet Marking scheme
  • - Probabilistically inscribe local path info
  • - Use constant space in the packet header
  • - Reconstruct the attack path with high
    probability

Marking at router R, for each packet w:
    generate a random number x from [0, 1)
    if x < p then
        write IP address of R into w.head
        write 0 into w.distance
    else
        if w.distance = 0 then
            write IP address of R into w.tail
        endif
        increase w.distance
    endif
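
The marking rule above together with the victim-side path reconstruction, as an added Python simulation that is not from the slides; P_MARK, the router names and the forged initial mark are constructed values, and the run also shows the scheme's known limit: an attacker's own mark data can only appear beyond the farthest real router on the path.

```python
import random

# Added example (not from the slides): the edge-sampling marking rule and
# the victim-side reconstruction, simulated on one attack path. Router IDs
# and the marking probability p are constructed values.
P_MARK = 0.04

def mark(packet, router, rng, p=P_MARK):
    """Marking at router R for packet w with fields head, tail, distance."""
    if rng.random() < p:
        packet["head"] = router        # start a new edge sample at R
        packet["tail"] = None
        packet["distance"] = 0
    else:
        if packet["distance"] == 0:    # previous hop wrote head, so R is
            packet["tail"] = router    # the other end of that edge
        packet["distance"] += 1        # hops travelled since the sample

def send(path, n_packets, seed=7, forged=None):
    """Push n_packets along path (attacker side first) and return the
    (distance, head, tail) marks that arrive at the victim. forged is an
    attacker-chosen initial mark; such data can never show up at a
    distance closer than the farthest real router on the path."""
    rng = random.Random(seed)
    marks = []
    for _ in range(n_packets):
        pkt = dict(forged) if forged else {"head": None, "tail": None, "distance": 0}
        for router in path:
            mark(pkt, router, rng)
        marks.append((pkt["distance"], pkt["head"], pkt["tail"]))
    return marks

def reconstruct(marks):
    """Victim side: chain samples by distance, nearest router first, and
    stop at the first gap or ambiguity (tail must equal the previous head).
    Returns the routers from the victim outward."""
    by_dist = {}
    for dist, head, tail in marks:
        if head is not None:           # unmarked packets carry no sample
            by_dist.setdefault(dist, set()).add((head, tail))
    path, dist = [], 0
    while dist in by_dist:
        heads = [h for h, t in by_dist[dist] if dist == 0 or t == path[-1]]
        if len(heads) != 1:
            break                      # conflicting or missing edge
        path.append(heads[0])
        dist += 1
    return path
```

With eight routers and a few thousand packets every edge is sampled, so the victim recovers the whole path; a forged mark survives only as an extra hop past the first real router, which is why the victim should trust the chain no farther than that router.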
12-15
PPM (Cont.)
  (Figure only, repeated on slides 12 to 15: legitimate user, attacker, Victim)
16
What is Pushback?
  • A mechanism that allows a router to request
    adjacent upstream routers to limit the rate of
    traffic

17
How Does it Work?
  • A congested router requests adjacent routers to limit the rate of
    traffic for that particular aggregate.
  • The router sends a pushback message
  • Routers that receive it propagate the pushback further upstream

18
Conclusion
  • What is a DDoS attack?
  • Defending against a DDoS attack
  • Ingress filtering
  • Trace-back
  • Push-back

19
Active Worm and Its Defense
  • CSE551 Introduction to Information Security

20
Worm vs. Virus
  • Worm
  • A program that propagates itself over a network,
    reproducing itself as it goes
  • Virus
  • A program that searches out other programs and
    infects them by embedding a copy of itself in them

21
Active Worm vs. DDoS
  • Propagation method
  • Goal: congestion, resource appropriation
  • Rate of distribution
  • Scope of infection

22
Historical Analysis
  • Morris Worm (1988, http://www.worm.net/worm-src/worm-src.html)
  • Code Red v.2 (2001, nearly 8 infections/sec.)
  • Nimda (2001, NetBIOS, UDP)
  • SQL Slammer (2003, UDP)

23
Recent Worms
  • July 13, 2001, Code Red V1
  • July 19, 2001, Code Red V2
  • Aug. 04, 2001, Code Red II
  • Sep. 18, 2001, Nimda
  • Jan. 25, 2003, SQL Slammer
  • More recent
  • Sobig.F, MSBlast

24
How an Active Worm Spreads
  • Autonomous
  • No need for human interaction
  (Figure only; label: Infected)
25
Scanning Strategy
  • Random scanning
  • Probes random addresses in the IP address space
    (CRv2)
  • Hitlist scanning
  • Probes addresses from an externally supplied list
  • Topological scanning
  • Uses information on the compromised host (Email
    worms)
  • Local subnet scanning
  • Preferentially scans targets that reside on the
    same subnet (Code Red II, Nimda worm)

26
Techniques for Exploiting Vulnerability
  • fingerd (buffer overflow)
  • sendmail (bug in the debug mode)
  • rsh/rexec (guess weak passwords)

27
Active Worm Defense
  • Modeling
  • Infection Mitigation

28
Worm Behavior Modeling
  • Propagation model mirrors epidemic
  • V is the total number of vulnerable nodes
  • N is the size of address space
  • i(t) is the percentage of infected nodes among V
  • r is the scanning speed of an infected node

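The slide lists the symbols but not the equation. As an added worked derivation (not from the slides), this is the standard random-scanning epidemic model written in those symbols, taking i(t) as a fraction in [0, 1] with i_0 = i(0): each of the V i(t) infected nodes sends r probes per unit time, and a probe to a uniformly random address hits a vulnerable, not-yet-infected node with probability V(1 - i(t))/N.

$$
\frac{d i}{d t}
 = \frac{1}{V}\;\bigl(V\, i(t)\bigr)\cdot r\cdot\frac{V\,\bigl(1-i(t)\bigr)}{N}
 = \frac{r V}{N}\; i(t)\,\bigl(1-i(t)\bigr)
$$

This is the logistic equation, whose solution is

$$
i(t) = \frac{i_0\, e^{k t}}{1 - i_0 + i_0\, e^{k t}}, \qquad k = \frac{r V}{N}.
$$

While $i(t) \ll 1$ the curve is approximately $i_0 e^{k t}$, so early growth is exponential with rate $k = rV/N$ and doubling time $\ln 2 / k$; the mitigations on the next slide act on exactly these factors, patching by lowering V and bounding connection requests by lowering r.
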
29
Infection Mitigation
  • Patching
  • Filtering/intrusion detection (signature based)
  • TCP/IP stack reimplementation, bounding connection requests

30
Summary
  • Worms can spread quickly
  • 359,000 hosts in < 14 hours
  • Home / small business hosts play a significant role
    in global Internet health
  • No system administrator → slow response
  • Can't estimate infected machines by # of unique
    IP addresses
  • DHCP effect appears to be real and significant
  • Active Worm Defense
  • Modeling
  • Infection Mitigation