A Taxonomy of DDoS Attack and DDoS Defense Mechanisms - PowerPoint PPT Presentation

Slides: 36
Provided by: Kat7199
Transcript and Presenter's Notes

Title: A Taxonomy of DDoS Attack and DDoS Defense Mechanisms


1
A Taxonomy of DDoS Attack and DDoS Defense
Mechanisms
  • By Jelena Mirkovic and Peter Reiher

2
DDoS Attack Overview
  • DDoS: a distributed denial-of-service attack
    uses multiple machines to prevent the legitimate
    use of a service
  • Examples:
  • A stream of packets consuming a key resource,
    rendering that resource unavailable to legitimate
    clients
  • Malformed packets confusing an application or
    protocol, forcing it to freeze or reboot
  • Overloading the Internet infrastructure itself

3
Why are DDoS attacks possible?
  • Internet security is highly interdependent:
    each host depends on the state of security in the
    rest of the global Internet
  • Internet resources are limited: no Internet entity
    has enough resources to match the number of users
    that can be turned against it
  • Resources are not collocated: end networks have
    only a small amount of bandwidth compared to the
    abundant resources of the core network

4
Why are DDoS attacks possible?
  • Accountability is not enforced: source address
    spoofing means attack packets cannot be traced
    back to their true origin
  • Control is distributed: each network runs according
    to its own local policy, so it is impossible to
    investigate cross-network traffic behavior

5
DDoS Attack Phases
  • Recruiting: find multiple agent (slave, zombie)
    machines that have an exploitable vulnerability
  • Exploiting: use the discovered vulnerability to
    break into each machine
  • Infecting: plant the attack code
  • Using: send attack packets to the victim via the
    agents

6
Why make DDoS attacks?
  • Personal reasons: target specific computers for
    revenge
  • Prestige: gain the respect of the hacker community
  • Material gain: damage a competitor's resources
  • Political reasons: compromise an enemy's resources

7
Taxonomy of DDoS Attacks
  • DA: Degree of Automation
  • EV: Exploited Vulnerability to Deny Service
  • SAV: Source Address Validity
  • ARD: Attack Rate Dynamics
  • PC: Possibility of Characterization
  • PAS: Persistence of Agent Set
  • VT: Victim Type
  • IV: Impact on the Victim

8
Figure 1 Taxonomy of DDoS Attack Mechanisms
9
DA-2 and DA-3 (semi-automatic and automatic attacks):
SS Scanning Strategy
  • Goal: locate as many vulnerable machines as
    possible while creating a low traffic volume
  • SS-1 Random Scanning: compromised hosts probe
    random addresses in the IP address space, each
    using a different seed (e.g. Code Red); the
    resulting high traffic volume can lead to detection
  • SS-2 Hitlist Scanning: probe all addresses from an
    externally supplied list; if the list is too large,
    high traffic volume results; if it is too small,
    only a small agent population results

10
DA-2 and DA-3: SS Scanning Strategy
  • SS-3 Signpost Scanning: uses information found on
    the compromised host, such as an address book, to
    select new targets; its speed depends on the agent
    machines and their users' behavior
  • SS-4 Permutation Scanning: all agents share one
    pseudo-random permutation of the IP address space
    and walk it from a chosen index; gives a
    semi-coordinated, comprehensive scan that keeps the
    benefits of random probing
  • SS-5 Local Subnet Scanning: scan for targets on the
    same subnet as the compromised host; a single copy
    of the scanning program can compromise many machines
    behind a firewall (e.g. Code Red II and the Nimda
    worm)
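
To make the coverage-versus-traffic trade-off on these two slides concrete, here is a small simulation, added here and not code from the paper or the presentation, that compares SS-1 random scanning with SS-4 permutation scanning over a toy 16-bit address space in which every host counts as vulnerable. The permutation is a constructed one (multiplication by an odd constant modulo 2^16, which is a bijection); the agent count, probe budget and seed are arbitrary. The quantity of interest is how many probes are wasted on hosts that some agent already reached, since that redundant traffic is what gets a scanning worm noticed.

```python
import random

SPACE_BITS = 16
SPACE = 1 << SPACE_BITS   # toy address space of 65,536 "hosts" (constructed)
MULT = 0x9E37             # odd multiplier, so index -> index*MULT mod 2^16 is a bijection


def permute(index: int) -> int:
    """Shared pseudo-random permutation of the address space, addressable by index.
    Every agent walks the same permutation, so consecutive indices from any
    starting point never repeat a target until the whole space is covered."""
    return (index * MULT) & (SPACE - 1)


def random_scan(n_agents: int, probes_per_agent: int, seed: int):
    """SS-1: each agent probes independent, uniformly random targets.
    Returns (hosts reached, redundant probes of already-reached hosts)."""
    rng = random.Random(seed)
    reached = set()
    redundant = 0
    for _ in range(n_agents * probes_per_agent):
        target = rng.randrange(SPACE)
        if target in reached:
            redundant += 1
        else:
            reached.add(target)
    return len(reached), redundant


def permutation_scan(n_agents: int, probes_per_agent: int, seed: int):
    """SS-4: each agent starts at a random index of the shared permutation and
    walks it sequentially; hitting a host that is already compromised means
    another agent has walked this stretch, so the agent re-seeds to a new index."""
    rng = random.Random(seed)
    reached = set()
    redundant = 0
    cursors = [rng.randrange(SPACE) for _ in range(n_agents)]
    for _ in range(probes_per_agent):
        for a in range(n_agents):
            target = permute(cursors[a])
            if target in reached:
                redundant += 1
                cursors[a] = rng.randrange(SPACE)   # jump: this stretch is already covered
            else:
                reached.add(target)
                cursors[a] = (cursors[a] + 1) % SPACE
    return len(reached), redundant


if __name__ == "__main__":
    for name, fn in (("random", random_scan), ("permutation", permutation_scan)):
        reached, redundant = fn(20, 2000, seed=7)
        print(f"{name:12s} reached={reached:6d}  redundant probes={redundant:6d}")
```

With a single agent the permutation walk never repeats a target, and with twenty agents the only redundant probes are the collisions that trigger a re-seed, whereas independent random probing wastes a growing share of its budget as coverage rises; that is the "comprehensive scan with the benefits of random probing" the slide refers to.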

11
DA-2 and DA-3: PM Propagation Mechanism
  • Used during the infection phase
  • PM-1 Central Source Propagation: the attack code
    resides on a central server from which every newly
    exploited host downloads it; large burden on the
    central server, high traffic, and a single point of
    failure (e.g. the 1i0n worm)
  • PM-2 Back-Chaining Propagation: the attack code is
    downloaded from the machine that exploited the new
    host; avoids the single point of failure (e.g. the
    Ramen and Morris worms)
  • PM-3 Autonomous Propagation: the attack instructions
    are injected into the target host during the exploit
    phase itself, reducing the number of network
    exchanges needed (e.g. Code Red and the Warhol worm)

12
EV: Exploited Vulnerability to Deny Service
  • EV-1 Semantic: exploit a specific feature or
    implementation bug of some protocol or application
    to consume excess amounts of its resources (e.g. a
    TCP SYN flood, which exhausts connection-queue space)
  • EV-2 Brute-Force (also called flooding attacks): a
    high number of attack packets exhausts the victim's
    resources; the packets themselves are often ordinary
    requests, i.e. a misuse of legitimate services

13
SAV: Source Address Validity
  • SAV-1 Spoofed Source Address
  • SAV-1 / AR-1 Routable Source Address: the spoofed
    address belongs to some real machine; used in
    reflection attacks, where many requests carrying the
    victim's address as source make the reflectors'
    replies flood the victim
  • SAV-1 / AR-2 Non-Routable Source Address: spoof an
    address from the reserved address ranges, or from
    assigned but unused address space of some network

14
SAV: Source Address Validity
  • SAV-1 / ST-1 Random Spoofed Source Address: attack
    packets carry random source addresses
  • SAV-1 / ST-2 Subnet Spoofed Source Address: a random
    address from the address space assigned to the agent
    machine's subnet, chosen so that the packet passes
    ingress filtering at the agent network's border
  • SAV-1 / ST-3 En Route Spoofed Source Address: the
    address is spoofed en route from the agent machine to
    the victim

15
SAV: Source Address Validity
  • SAV-2 Valid Source Address: used when the attack
    strategy requires several request/reply exchanges
    between an agent and the victim machine; such attacks
    typically target specific application or protocol
    features
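
The spoofing sub-classes on the three SAV slides matter to a defender because of where each one can be caught. The egress filter below is added here as an example and is not code from the paper or the presentation; it models the check a source network (DL-3 on the deployment slide) can run on packets leaving its border: a non-routable source (AR-2) is always dropped, a routable source outside the network's own prefix is dropped (this catches an ST-1 random spoof and also an AR-1 reflection attack, whose source is the victim's address), while an ST-2 subnet-spoofed source passes because at this point it is indistinguishable from a valid one (SAV-2). The bogon list, the local prefix and the packet sources are constructed; the RFC 5737 documentation ranges stand in for public address space.

```python
import ipaddress
from collections import Counter

# Constructed bogon list: address space that should never appear as a source on
# the public Internet (RFC 1918, loopback, link-local, multicast, class E, ...).
# The RFC 5737 documentation ranges are deliberately NOT listed so that they can
# stand in for routable public space in the sample below.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed: the prefix assigned to the network where the agent machines sit.
LOCAL_PREFIX = ipaddress.ip_network("203.0.113.0/24")


def egress_verdict(src: str, local_prefix=LOCAL_PREFIX) -> str:
    """Classify one outgoing packet by source address, as an egress filter at the
    source network's border would.  Returns one of:
      'drop-nonroutable'  SAV-1/AR-2: reserved or unassigned source
      'drop-foreign'      SAV-1/ST-1 random spoof, or AR-1 reflection (the
                          victim's address as source): routable, but not ours
      'pass'              SAV-2 valid source, or SAV-1/ST-2 subnet spoof; the
                          filter cannot tell these two apart."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in BOGONS):
        return "drop-nonroutable"
    if ip not in local_prefix:
        return "drop-foreign"
    return "pass"


def filter_stream(sources, local_prefix=LOCAL_PREFIX):
    """Apply the verdict to a list of source addresses; returns a Counter of verdicts."""
    return Counter(egress_verdict(src, local_prefix) for src in sources)


# Constructed sample of outgoing packet sources from a compromised agent on 203.0.113.0/24.
SAMPLE_SOURCES = [
    "203.0.113.17",   # the agent's real address (SAV-2): passes
    "203.0.113.200",  # random address on the agent's own subnet (ST-2): passes
    "203.0.113.9",    # another subnet-spoofed address (ST-2): passes
    "198.51.100.44",  # spoofed victim address of a reflection attack (AR-1): dropped
    "192.0.2.77",     # random routable spoof (ST-1): dropped
    "10.1.2.3",       # RFC 1918 (AR-2): dropped
    "240.1.1.1",      # class E, reserved (AR-2): dropped
    "224.0.0.5",      # multicast can never be a unicast source (AR-2): dropped
]

if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(f"{src:16s} {egress_verdict(src)}")
    print(filter_stream(SAMPLE_SOURCES))
```

The three subnet-spoofed packets pass, which is exactly why ST-2 exists: a prefix-level egress filter cannot separate them from the agent's own traffic, so catching them needs a per-host binding (for example strict unicast reverse-path checks or address bindings on the access port) rather than a border rule.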

16
ARD: Attack Rate Dynamics
  • Each agent machine sends a stream of packets to the
    victim
  • ARD-1 Constant Rate: attack packets are generated at
    a constant rate, usually as high as the agent's
    resources allow; the sudden onset is easy to notice
  • ARD-2 Variable Rate: the rate is varied in order to
    delay or avoid detection and response

17
ARD: Attack Rate Dynamics
  • ARD-2 / RCM Rate Change Mechanism
  • ARD-2 / RCM-1 Increasing Rate: a gradually increasing
    rate causes a slow exhaustion of the victim's
    resources, so there is no clear moment at which the
    attack begins
  • ARD-2 / RCM-2 Fluctuating Rate: the rate is varied,
    occasionally relieving the effect (e.g. pulsing), so
    the victim experiences periodic service disruptions

18
PC: Possibility of Characterization
  • Based on the content and header fields of the attack
    packets
  • PC-1 Characterizable: the attack targets specific
    protocols or applications at the victim and is
    identifiable by packet content and header fields
  • PC-2 Non-Characterizable: the attack consumes network
    bandwidth using a variety of packets that engage
    different applications and protocols; the boundary is
    not strict, since e.g. an attack using a mixture of
    TCP packet types is still characterizable as a TCP
    attack

19
PC: Possibility of Characterization
  • PC-1 / RAVS Relation of Attack to Victim Services
  • PC-1 / RAVS-1 Filterable: malformed packets, or
    packets for services that are not critical to the
    victim's operation; can be dropped by a firewall
    (e.g. a UDP flood against a web server)
  • PC-1 / RAVS-2 Non-Filterable: well-formed packets
    that request legitimate victim services, so they are
    indistinguishable from legitimate client requests and
    filtering them would also block legitimate clients
    (e.g. an HTTP flood against a web server)

20
PAS: Persistence of Agent Set
  • Recently, attacks have varied the set of agents
    active at any one time
  • PAS-1 Constant Agent Set: all agent machines act in a
    similar manner throughout the attack; even a pulsing
    attack has a constant agent set if the on and off
    periods coincide across all agent machines
  • PAS-2 Variable Agent Set: the attacker divides the
    available agents into several groups and engages only
    one group at any one time, so the set of active agents
    keeps changing

21
VT: Victim Type
  • The victim is not necessarily a single host machine
  • VT-1 Application: exploit some feature of a specific
    application on the victim host, disabling legitimate
    client use of that application and possibly straining
    the host's resources; the attack packets are
    indistinguishable from legitimate ones, so detection
    must rely heavily on the semantics of the application
  • VT-2 Host: disable access to the target machine
    completely by overloading or disabling its
    communication mechanism (e.g. a TCP SYN attack);
    attack packets carry the real destination address of
    the target host

22
VT: Victim Type
  • VT-4 Network: consume the incoming bandwidth of a
    target network; attack packets have destination
    addresses within the address space of that network;
    the high volume makes detection easy (VT-3, resource
    attacks on a critical resource inside the victim's
    network such as a router or DNS server, is not
    covered on these slides)
  • VT-5 Infrastructure: target some distributed service
    that is crucial for the operation of the global
    Internet or of a sub-network (e.g. attacks on DNS
    servers)

23
DDoS Defense Challenges
  • A distributed response is needed at many points on
    the Internet: attack traffic arrives from many
    sources, so a response at the victim alone cannot
    stop it, yet wide deployment of any defense system
    cannot be enforced because the Internet is
    administered in a distributed manner
  • Economic and social factors: a distributed response
    system must be deployed by parties that do not suffer
    direct damage from DDoS attacks, so many good
    distributed solutions will achieve only sparse
    deployment

24
DDoS Defense Challenges
  • Lack of detailed attack information: attacks are
    reported, if at all, only to government bodies (it is
    believed that making this knowledge public damages
    the business reputation of the victim network)
  • Lack of defense system benchmarks: currently there is
    no benchmark suite of attack scenarios that would
    enable comparison between defense systems
  • Difficulty of large-scale testing: defenses need to
    be tested in a realistic environment, but large-scale
    testbeds are lacking

25
Figure 2 Taxonomy of DDoS Defense Mechanisms
26
AL: Activity Level
  • AL-1 Preventive: either eliminate the possibility of a
    DDoS attack altogether, or enable potential victims to
    endure an attack without denying service to
    legitimate clients
  • AL-2 Reactive: alleviate the impact of an attack on
    the victim; must first detect and then respond to the
    attack

27
AL: Activity Level
  • AL-1 / PG Prevention Goal
  • AL-1 / PG-1 Attack Prevention: modify systems and
    protocols so that attacks cannot be launched; never
    100% effective, because global deployment cannot be
    guaranteed
  • AL-1 / PG-2 DoS Prevention: enforce policies for
    resource consumption and ensure that abundant
    resources exist, so that an attack cannot deny service

28
AL: Activity Level
  • AL-1 / PG-1 / ST Secured Target
  • AL-1 / PG-1 / ST-1 System Security: remove
    application bugs and keep protocol implementations up
    to date (e.g. security patches, firewall systems)
  • AL-1 / PG-1 / ST-2 Protocol Security: address the
    problem of a bad protocol design (e.g. authentication
    server attacks, fragmented packet attacks)

29
AL: Activity Level
  • AL-1 / PG-2 / PM Prevention Method
  • AL-1 / PG-2 / PM-1 Resource Accounting: grant resource
    access based on the privileges and behavior of the
    user
  • AL-1 / PG-2 / PM-2 Resource Multiplication: provide an
    abundance of resources to counter the threat (costly,
    but proven sufficient in practice; e.g. a pool of
    servers with high-bandwidth links)

30
AL: Activity Level
  • AL-2 / ADS Attack Detection Strategy
  • AL-2 / ADS-1 Pattern Detection: store signatures of
    known attacks in a database; known attacks are
    reliably detected, but the method is helpless against
    new attacks
  • AL-2 / ADS-2 Anomaly Detection: keep a model of normal
    system behavior and compare current behavior with it
  • AL-2 / ADS-3 Third-Party Detection: rely on an external
    message that signals the occurrence of an attack and
    provides attack confirmation

31
AL: Activity Level
  • AL-2 / ADS-2 / NBS Normal Behavior Specification
  • AL-2 / ADS-2 / NBS-1 Standard: rely on a protocol
    standard or a set of rules with which all legitimate
    traffic must comply
  • AL-2 / ADS-2 / NBS-2 Trained: monitor network traffic
    and system behavior and generate threshold values for
    different traffic parameters; a threshold set too low
    leads to too many false positives, one set too high
    reduces sensitivity; the model must be updated over
    time to reflect the evolution of normal traffic, which
    has to be done carefully, since a slowly changing
    attack can otherwise be learned as normal
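
Slides 17 and 31 together explain why attackers vary their rate: what a detector can see is decided by how its threshold is set. The simulation below is added here and is not code from the paper or the presentation. It runs three constructed per-second packet-rate series, constant-rate (ARD-1), increasing-rate (ARD-2 / RCM-1) and fluctuating-rate (ARD-2 / RCM-2), through three equally constructed detectors: a threshold fixed once from the baseline (an NBS-2 trained model that is never updated), the same threshold applied to a 10-second moving average, and a trained model that keeps updating itself after every sample. The baseline of 100 packets per second, the 5% per second ramp, the pulse shape and the factor of 2 are arbitrary choices.

```python
BASELINE = 100.0     # constructed normal rate, packets per second
ATTACK_START = 20    # second at which the attack begins
DURATION = 120       # seconds simulated


def constant_rate():
    """ARD-1: full-rate flood from the first attack second."""
    return [BASELINE if t < ATTACK_START else 1000.0 for t in range(DURATION)]


def increasing_rate(growth=1.05):
    """ARD-2/RCM-1: the rate grows 5% per second, starting just above baseline."""
    return [BASELINE if t < ATTACK_START else BASELINE * growth ** (t - ATTACK_START + 1)
            for t in range(DURATION)]


def fluctuating_rate(period=10, burst=1000.0):
    """ARD-2/RCM-2: a one-second burst every `period` seconds, baseline in between."""
    return [burst if t >= ATTACK_START and (t - ATTACK_START) % period == 0 else BASELINE
            for t in range(DURATION)]


def fixed_threshold(rates, factor=2.0):
    """Threshold trained once from the baseline and never updated:
    alert on the first second whose rate exceeds factor * baseline."""
    for t, r in enumerate(rates):
        if r > factor * BASELINE:
            return t
    return None


def moving_average(rates, window=10, factor=2.0):
    """The same fixed threshold applied to a trailing `window`-second average."""
    for t in range(len(rates)):
        avg = sum(rates[max(0, t - window + 1): t + 1]) / min(window, t + 1)
        if avg > factor * BASELINE:
            return t
    return None


def trained_threshold(rates, alpha=0.1, factor=2.0):
    """NBS-2 with continuous updates: exponentially weighted model of normal,
    refreshed after every sample, alerting when a sample exceeds factor * model."""
    model = rates[0]
    for t, r in enumerate(rates[1:], start=1):
        if r > factor * model:
            return t
        model = (1 - alpha) * model + alpha * r   # the model adapts to whatever it sees
    return None


def run_all():
    """Detection second (or None) for every series/detector pair."""
    series = {"constant": constant_rate(), "increasing": increasing_rate(),
              "fluctuating": fluctuating_rate()}
    detectors = {"fixed": fixed_threshold, "moving-avg": moving_average,
                 "trained": trained_threshold}
    return {s: {d: fn(rates) for d, fn in detectors.items()} for s, rates in series.items()}


if __name__ == "__main__":
    for s, results in run_all().items():
        print(f"{s:12s} {results}")
```

The constant-rate flood is caught by every detector at its first second. The 5% ramp is caught by the fixed threshold at second 34 and by the moving average at second 38, but the continuously updated model never fires even though the rate ends above 13,000 packets per second, because each sample is only about 1.5 times the model that was just trained on the previous, slightly smaller samples. The pulsing attack is the mirror image: instantaneous thresholds see every burst, while the 10-second average stays at 190, under the threshold of 200, for the whole run.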

32
AL: Activity Level
  • AL-2 / ARS Attack Response Strategy: relieve the
    impact of the attack while imposing minimal collateral
    damage on legitimate clients
  • AL-2 / ARS-1 Agent Identification: identify the
    machines performing the attack, which is necessary for
    enforcing liability for attack traffic (e.g.
    traceback)
  • AL-2 / ARS-2 Rate-Limiting: impose a rate limit on a
    stream that has been characterized as malicious; a
    lenient response, because it still lets some attack
    traffic through, but appropriate when the attack
    stream cannot be characterized precisely

33
AL: Activity Level
  • AL-2 / ARS-3 Filtering: filter out the attack streams
    completely (e.g. dynamically deployed firewalls,
    TrafficMaster); requires precise characterization, or
    legitimate traffic is dropped as well
  • AL-2 / ARS-4 Reconfiguration: change the topology to
    either add more resources to the victim or to isolate
    the attack machines
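
Slides 19, 32 and 33 distinguish streams a victim can filter outright (RAVS-1) from streams it can only rate-limit (RAVS-2). The sketch below, added here as an example and not code from the paper or the presentation, models a victim that serves only TCP/80 and TCP/443: packets for other services or malformed packets are dropped (ARS-3), while well-formed HTTP requests go through a per-source token bucket (ARS-2), which, as the slide says, still lets some attack traffic through. The packet records, the service list, the traffic trace and the bucket parameters are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed: the (protocol, port) pairs the victim actually serves.
VICTIM_SERVICES = {("tcp", 80), ("tcp", 443)}


@dataclass
class Packet:
    t: float                   # arrival time, seconds
    src: str
    proto: str                 # "tcp" or "udp"
    dport: int
    well_formed: bool = True   # False models a malformed packet (bad header or flags)


class TokenBucket:
    """Per-source rate limiter: `rate` packets/s sustained, bursts of up to `burst`."""
    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.tokens = burst
        self.last = 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def classify(pkt: Packet) -> str:
    """PC-1/RAVS: 'filterable' if the packet is malformed or aimed at a service the
    victim does not run, 'non-filterable' if it is a well-formed request for a real service."""
    if not pkt.well_formed or (pkt.proto, pkt.dport) not in VICTIM_SERVICES:
        return "filterable"
    return "non-filterable"


def defend(packets, rate=3.0, burst=10.0):
    """ARS-3 filtering for filterable packets, ARS-2 rate limiting for the rest.
    Returns per-source counts of filtered, rate-limited and passed packets."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    stats = defaultdict(lambda: {"filtered": 0, "rate-limited": 0, "passed": 0})
    for pkt in sorted(packets, key=lambda p: p.t):
        if classify(pkt) == "filterable":
            stats[pkt.src]["filtered"] += 1
        elif buckets[pkt.src].allow(pkt.t):
            stats[pkt.src]["passed"] += 1
        else:
            stats[pkt.src]["rate-limited"] += 1
    return dict(stats)


def sample_traffic():
    """Constructed one-second trace: a UDP flood, a malformed-packet stream,
    a 100-request-per-second HTTP flood, and a legitimate client at 3 requests/s."""
    pkts = []
    pkts += [Packet(i / 200, "198.51.100.7", "udp", 53, True) for i in range(200)]   # UDP flood
    pkts += [Packet(i / 50, "198.51.100.8", "tcp", 80, False) for i in range(50)]    # malformed
    pkts += [Packet(i / 100, "198.51.100.9", "tcp", 80, True) for i in range(100)]   # HTTP flood
    pkts += [Packet(i / 3, "192.0.2.10", "tcp", 443, True) for i in range(3)]        # legit client
    return pkts


if __name__ == "__main__":
    for src, counts in defend(sample_traffic()).items():
        print(f"{src:16s} {counts}")
```

The UDP flood and the malformed stream are dropped in full because the victim never needed those packets; the HTTP flood, which looks exactly like client requests, gets its initial burst of ten plus the bucket refill (twelve of one hundred requests in this trace) through to the server, while the legitimate client at three requests per second is untouched. That residual is the price of a lenient response, and the reason the slide pairs rate limiting with imprecise characterization.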

34
DL: Deployment Location
  • DL-1 Victim Network: defense mechanisms deployed here
    protect this network from attacks and respond to
    detected attacks by alleviating the impact on the
    victim (e.g. resource accounting, protocol security
    mechanisms)
  • DL-2 Intermediate Network: provide an infrastructural
    protection service to a large number of Internet
    hosts (e.g. pushback and traceback)
  • DL-3 Source Network: prevent the network's own
    customers from generating DDoS attacks (e.g. egress
    filtering of spoofed source addresses)

35
Conclusion
  • DDoS attacks are a complex and serious problem,
    affecting not only the victim but also the victim's
    legitimate clients
  • DDoS defense approaches are numerous; we need to
    learn how to combine them to solve the problem
    completely
  • The Internet community must cooperate to counter the
    threat, through global deployment of defense
    mechanisms