A Taxonomy of DDoS Attack and DDoS Defense Mechanisms - PowerPoint PPT Presentation

1
A Taxonomy of DDoS Attack and DDoS Defense Mechanisms
Peter Reiher, 3564 Boelter Hall, Computer Science Department, UCLA
Jelena Mirkovic, Computer and Information Sciences Department, University of Delaware
  • CS495 Spring 2005
  • Northwestern University
  • Sausan Yazji

2
Overview
  • Distributed denial-of-service (DDoS) is a rapidly
    growing problem
  • A variety of approaches exist for both the attacks
    and the defense mechanisms
  • Two taxonomies for classifying attacks and
    defenses
  • Highlight commonalities and important features of
    attack strategies
  • Classify the body of existing DDoS defenses based
    on their design decisions

3
Background
  • DDoS attack mechanisms are constantly changing
  • The security measures that deal with the attacks
    are changing just as constantly
  • Setting apart and emphasizing crucial features of
    attack and defense mechanisms
  • Abstracting away detailed differences between
    individual attacks and defense mechanisms

4
Why?
  • What are the different ways of perpetrating a
    DDoS attack?
  • Why is DDoS a difficult problem to handle?
  • What attacks have been handled effectively by
    existing defense systems?
  • What attacks still remain unaddressed, and why?
  • How would a defense mechanism behave in case of
    an unrelated attack?
  • What are the vulnerabilities of the defense
    mechanisms themselves?
  • Can defense mechanisms complement each other,
    and how?
  • How can we contribute to the DDoS field?

5
Proposed Taxonomy
  • Covers known attacks and also realistic potential
    threats
  • Covers published and commercial approaches
  • The proposed taxonomy is not
      • as detailed as possible
      • dividing attacks and defenses in an exclusive
        manner
      • suitable for a traditional numbering of
        headings (its depth and width are not)
      • proposing or advocating any specific DDoS
        defense mechanism

6
DDOS ATTACK OVERVIEW
  • DoS is an explicit attempt to prevent the
    legitimate use of a service
  • DDoS deploys multiple attacking machines to attain
    this goal

7
What makes DDoS attacks possible?
  • Internet security is highly interdependent
  • Internet resources are limited
  • Intelligence and resources are not collocated
  • Accountability is not enforced
  • Control is distributed

8
How are DDoS attacks performed?
  • Recruit multiple agent machines
  • Exploit the vulnerable recruited machines
  • Infect the exploited machines with the attack
    code
  • Use the infected machines to recruit new agents
  • Distribute the attack code using useful
    applications
  • Hide the identity of agent machines through
    spoofing

9
Why do people perpetrate DDoS attacks?
  • Personal reasons
  • Prestige
  • Material gain
  • Political reasons

10
Taxonomy of DDoS Attack Mechanisms
11
DA Degree of Automation
  • DA1 Manual
  • DA2 Semi-Automatic
      • CM Communication Mechanism
          • CM1 Direct Communication
          • CM2 Indirect Communication
  • DA3 Automatic
  • DA2 and DA3: HSS Host Scanning Strategy and VSS
    Vulnerability Scanning Strategy
      • HSS1 Random Scanning
      • HSS2 Hit-List Scanning
      • HSS3 Signpost Scanning
      • HSS4 Permutation Scanning
      • HSS5 Local Subnet Scanning

12
DA Degree of Automation - continued
  • DA2 and DA3: VSS Vulnerability Scanning Strategy
      • VSS1 Horizontal Scanning
      • VSS2 Vertical Scanning
      • VSS3 Coordinated Scanning
      • VSS4 Stealthy Scanning
  • DA2 and DA3: PM Propagation Mechanism
      • PM1 Central Source Propagation
      • PM2 Back-Chaining Propagation
      • PM3 Autonomous Propagation

13
EW Exploited Weakness to Deny Service
  • EW1 Semantic
  • EW2 Brute-Force

14
SAV Source Address Validity
  • SAV1 Spoofed Source Address
      • AR Address Routability
          • AR1 Routable Source Address
          • AR2 Non-Routable Source Address
      • ST Spoofing Technique
          • ST1 Random Spoofed Source Address
          • ST2 Subnet Spoofed Source Address
          • ST3 En Route Spoofed Source Address
          • ST4 Fixed Spoofed Source Address
  • SAV2 Valid Source Address
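As an added illustration from the defender's side (not code from the slides or the underlying paper), the SAV branch above expressed as a source-network ingress filter in Python: it separates non-routable spoofed sources (SAV1 AR2) from routable ones and passes only addresses inside the customer prefix. The customer prefix, the bogon list and the sample packets are assumptions constructed for this example.

```python
import ipaddress

# Constructed example: an edge filter applied where a customer network
# attaches to its provider (the DL3 source-network deployment point).
# The customer prefix is an assumption (RFC 5737 documentation range).
CUSTOMER_PREFIX = ipaddress.ip_network("198.51.100.0/24")

# Non-routable ("bogon") source ranges. A packet carrying one of these can
# never receive a reply, so it falls under SAV1 AR2 in the taxonomy.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def classify_source(src):
    """Return 'non-routable', 'outside-prefix' or 'in-prefix' for a source IP."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in NON_ROUTABLE):
        return "non-routable"          # SAV1 AR2
    if addr in CUSTOMER_PREFIX:
        return "in-prefix"             # SAV2, or an ST2 subnet-spoofed address
    return "outside-prefix"            # SAV1 AR1 with ST1/ST3/ST4 spoofing


def ingress_decision(src):
    """Drop anything the customer could not legitimately have sent."""
    return "pass" if classify_source(src) == "in-prefix" else "drop"


def filter_packets(packets):
    """packets: iterable of (src, dst) pairs; returns {src: decision}."""
    return {src: ingress_decision(src) for src, _ in packets}


# Constructed sample traffic: one valid source, one random spoof,
# one private-range spoof and one subnet-spoofed address.
SAMPLE_PACKETS = [
    ("198.51.100.10", "203.0.113.1"),
    ("8.8.4.4", "203.0.113.1"),
    ("10.1.2.3", "203.0.113.1"),
    ("198.51.100.77", "203.0.113.1"),
]
```

Note that the subnet-spoofed address (198.51.100.77) passes: an ingress filter cannot distinguish it from a legitimate customer host, which is why ST2 is a separate class in the taxonomy.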

15
ARD Attack Rate Dynamics
  • ARD1 Constant Rate
  • ARD2 Variable Rate
      • RCM Rate Change Mechanism
          • RCM1 Increasing Rate
          • RCM2 Fluctuating Rate

16
PC Possibility of Characterization
  • PC1 Characterizable
      • RAVS Relation of Attack to Victim Services
          • RAVS1 Filterable
          • RAVS2 Non-Filterable
  • PC2 Non-Characterizable

17
PAS Persistence of Agent Set
  • PAS1 Constant Agent Set
  • PAS2 Variable Agent Set

18
VT Victim Type
  • VT1 Application
  • VT2 Host
  • VT3 Resource Attacks
  • VT4 Network Attacks
  • VT5 Infrastructure

19
IV Impact on the Victim
  • IV1 Disruptive
      • PDR Possibility of Dynamic Recovery
          • PDR1 Self-Recoverable
          • PDR2 Human-Recoverable
          • PDR3 Non-Recoverable
  • IV2 Degrading

20
DDOS DEFENSE CHALLENGE
  • No complete solution to the DDoS problem has been
    proposed yet
  • Need for a distributed response at many points on
    the Internet
  • Economic and social factors
  • Lack of detailed attack information
  • Lack of defense system benchmarks
  • Difficulty of large-scale testing

21
Taxonomy of DDoS Defense Mechanisms
22
AL Activity Level
  • AL1 Preventive
      • PG Prevention Goal
          • PG1 Attack Prevention
              • ST Secured Target
                  • ST1 System Security
                  • ST2 Protocol Security
          • PG2 DoS Prevention
              • PM Prevention Method
                  • PM1 Resource Accounting
                  • PM2 Resource Multiplication

23
AL Activity Level - Continued
  • AL2 Reactive
      • ADS Attack Detection Strategy
          • ADS1 Pattern Detection
          • ADS2 Anomaly Detection
              • NBS Normal Behavior Specification
                  • NBS1 Standard
                  • NBS2 Trained
          • ADS3 Third-Party Detection
      • ARS Attack Response Strategy
          • ARS1 Agent Identification
          • ARS2 Rate Limiting
          • ARS3 Filtering
          • ARS4 Reconfiguration
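As an added example (not code from the slides or the paper), the reactive branch above combined with the ARD classes of slide 15, in Python: a trained normal-behavior baseline (ADS2 NBS2) flags anomalous per-second rates, the flagged window is classified by its rate dynamics (ARD1 constant, RCM1 increasing, RCM2 fluctuating), and a rate-limiting cap (ARS2) is derived from the same baseline. The traffic samples and the threshold multipliers are constructed assumptions.

```python
import statistics

# Constructed per-second packet counts toward one victim service. The first
# 20 samples are normal traffic used for training; the remaining 10 show an
# attack whose rate ramps up each second (ARD2 RCM1 Increasing Rate).
SAMPLES = [100, 98, 103, 101, 99, 102, 97, 104, 100, 101,
           99, 103, 98, 102, 100, 101, 99, 100, 102, 98,
           150, 220, 300, 390, 480, 570, 660, 750, 840, 930]


def train_baseline(samples):
    """ADS2 NBS2: learn the normal-behavior model (mean, std dev) from observed rates."""
    return statistics.fmean(samples), statistics.pstdev(samples)


def detect(samples, mean, sd, k=4.0):
    """Return indices whose rate exceeds mean + k*sd (k is an assumed tuning knob)."""
    threshold = mean + k * sd
    return [i for i, r in enumerate(samples) if r > threshold]


def rate_dynamics(rates):
    """ARD class of an attack window: 'constant', 'increasing' or 'fluctuating'."""
    if len(rates) < 2 or max(rates) - min(rates) <= 0.1 * max(rates):
        return "constant"              # ARD1: stays within 10% of its peak
    diffs = [b - a for a, b in zip(rates, rates[1:])]
    if all(d >= 0 for d in diffs):
        return "increasing"            # ARD2 RCM1
    return "fluctuating"               # ARD2 RCM2


def rate_limit(mean, sd, k=2.0):
    """ARS2: cap the flow at a rate the trained model still considers normal."""
    return mean + k * sd


def analyse(samples, train_len=20):
    """Run the detect -> classify -> respond pipeline over one sample series."""
    mean, sd = train_baseline(samples[:train_len])
    flagged = detect(samples[train_len:], mean, sd)
    attack = [samples[train_len + i] for i in flagged]
    return {"flagged": len(flagged),
            "dynamics": rate_dynamics(attack),
            "cap": rate_limit(mean, sd)}
```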

24
CD Cooperation Degree
  • CD1 Autonomous
      • Firewalls
      • Intrusion detection systems
  • CD2 Cooperative
      • Can operate autonomously at a single deployment
        point
      • Aggregate Congestion Control (ACC) system
  • CD3 Interdependent
      • Cannot operate autonomously at a single
        deployment point
      • Traceback mechanisms
      • Secure Overlay Services

25
DL Deployment Location
  • DL1 Victim Network
      • Protect this network from DDoS attacks
      • Respond to attacks by alleviating the impact on
        the victim
  • DL2 Intermediate Network
      • Provide defense service to a large number of
        Internet hosts
      • Push-back and trace-back techniques
  • DL3 Source Network
      • Prevent network customers from generating DDoS
        attacks
      • Low motivation to deploy

26
USING THE TAXONOMIES
  • A map of the DDoS research field
  • Exploring new attack strategies
  • DDoS benchmark generation
  • Common vocabulary
  • Design of attack class-specific solutions
  • Understanding solution constraints
  • Identifying unexplored research areas

27
RELATED WORK
  • Classification of DoS attacks according to
      • Target type
      • Consumed resource
      • Exploited vulnerability
      • Number of agent machines
  • Focusing on computer attacks in general
  • Discussion of the DDoS problem and of some
    defense approaches
  • Classification of the DDoS defense field only
    (intrusion detection)
  • New studies
      • Focus on a taxonomy of computer incidents
      • Generation of a DDoS attack overview

28
CONCLUSION
  • Help the community think about the threats we
    face and the possible countermeasures
  • Foster easier cooperation among researchers
  • Facilitate communication and offer a common
    language for discussing solutions
  • Clarify how different mechanisms are likely to
    work in concert
  • Identify areas of remaining weakness that
    require additional work
  • Help develop common metrics and benchmarks for
    DDoS defense evaluation
  • Offer a foundation for classifying threats and
    defenses in the DDoS field

29
A Taxonomy of DDoS Attack and DDoS Defense
Mechanisms
  • QUESTIONS?