A%20Taxonomy%20of%20DDoS%20Attack%20and%20DDoS%20Defense%20Mechanisms - PowerPoint PPT Presentation

About This Presentation

Title:

A%20Taxonomy%20of%20DDoS%20Attack%20and%20DDoS%20Defense%20Mechanisms

Description:

ARD-1: Constant Rate. Used in majority of known attacks ... ARD-2:RCM-1: Increasing Rate ... ARD-2:RCM-2: Fluctuating Rate ... – PowerPoint PPT presentation

Number of Views:122

Avg rating:3.0/5.0

Slides: 57

Provided by: IR0157

Learn more at: http://www.cs.ucf.edu

Category:

more less

Transcript and Presenter's Notes

Title: A%20Taxonomy%20of%20DDoS%20Attack%20and%20DDoS%20Defense%20Mechanisms

1
A Taxonomy of DDoS Attack and DDoS Defense
Mechanisms

Written By Jelena Mirkovic and Peter Reiher
In ACM SIGCOMM Computer Communication Review,
April 2005
Presented by Jared Bott

2
Key Point!

DDoS attacks can be carried out in a wide variety
of manners, with a wide variety of purposes
DDoS defenses show great variety

3
DDoS Attacks
Agent

An explicit attempt to prevent the legitimate use
of a service
Multiple attacking entities, known as agents
DDoS is a serious problem
Many proposals about how to deal with it

Target
4
What makes DDoS attacks possible?

Answer The end-to-end paradigm
Internet security is highly interdependent
Susceptibility of system depends on security of
Internet
Internet resources are limited
Intelligence and resources are not collocated
End systems are intelligent, intermediate systems
are high in resources

Accountability is not enforced
IP Spoofing is possible
Control is distributed
No way to enforce global deployment of a security
mechanism or policy

6
Taxonomy of Attacks
7
(No Transcript)
8
DA Degree of Automation

How involved is the attacker?
Automation of the recruit, exploit, infect and
scan phases
DA-1 Manual
DA-2 Semi-Automatic
Recruit, exploit and infect phases are automated
DA-3 Automatic

9
DA-2CM Communication Mechanism

How do semi-autonomous systems communicate?
DA-2CM-1 Direct Communication
Agent/handlers know each others identities
Communication through TCP or UDP
DA-2CM-2 Indirect Communication
Communication through IRC

10
DA-2/DA-3HSS Host Scanning Strategy

How do attackers find computers to make into
agents?
Choose addresses of potentially vulnerable
machines to scan
DA-2/DA-3HSS-1 Random Scanning
DA-2/DA-3HSS-2 Hitlist Scanning

11
DA-2/DA-3HSS Host Scanning Strategy

DA-2/DA-3HSS-3 Signpost Scanning
Topological scanning
Email worms send emails to everyone in address
book
Web-server worms infect visitors vulnerable
browsers to infect servers visited later

12
DA-2/DA-3HSS Host Scanning Strategy

DA-2/DA-3HSS-4 Permutation Scanning
Pseudo-random permutation of IP space is shared
among all infected machines
Newly infected machine starts at a random point
DA-2/DA-3HSS-5 Local Subnet Scanning
Examples
HSS-1 Code Red v2
HSS-5 Code Red II, Nimda

13
DA-2/DA-3VSS Vulnerability Scanning Strategy

We have found a machine, can it be infected?
DA-2/DA-3VSS-1 Horizontal Scanning
DA-2/DA-3VSS-2 Vertical Scanning
DA-2/DA-3VSS-3 Coordinated Scanning
Machines probe the same port(s) at multiple
machines within a local subnet
DA-2/DA-3VSS-4 Stealthy Scanning

14
DA-2/DA-3PM Propagation Method

How does attack code get onto compromised
machines?
DA-2/DA-3PM-1 Central Source Propagation
Attack code resides on server(s)

15
DA-2/DA-3PM Propagation Method

DA-2/DA-3PM-2 Back-Chaining Propagation
Attack code is downloaded from the machine that
exploited the system

16
DA-2/DA-3PM Propagation Method

DA-2/DA-3PM-3 Autonomous Propagation
Inject attack instructions directly into the
target host during the exploit phase
Ex. Code Red, various email worms, Warhol worm
idea

17
EW Exploited Weakness to Deny Service

What weakness of the target machine is exploited
to deny service?
EW-1 Semantic
Exploit a specific feature or implementation bug
Ex. TCP SYN attack
Exploited feature is allocation of substantial
space in a connection queue immediately upon
receipt of a TCP SYN.
EW-2 Brute-Force

18
SAV Source Address Validity

Do packets have the agents real IP addresses?
SAV-1 Spoofed Source Address
SAV-2 Valid Source Address
Frequently originate from Windows machines
SAV-1AR Address Routability
This is not the attackers address, but can it be
routed?
SAV-1AR-1 Routable Source Address
SAV-1AR-2 Non-Routable Source Address

19
SAV-1ST Spoofing Technique

How does an agent come up with an IP address?
SAV-1ST-1 Random Spoofed Source Address
Random 32-bit number
Prevented using ingress filtering, route-based
filtering
SAV-1ST-2 Subnet Spoofed Source Address
Spoofs a random address from the address space
assigned to the machines subnet
Ex. A machine in the 131.179.192.0/24 chooses in
the range 131.179.192.0 to 131.179.192.255

20
SAV-1ST Spoofing Technique

SAV-1ST-3 En Route Spoofed Source Address
Spoof address of a machine or subnet along the
path to victim
SAV-1ST-4 Fixed Spoofed Source Address
Choose a source address from a specific list
Reflector attack

21
ARD Attack Rate Dynamics

Does the attack rate change?
ARD-1 Constant Rate
Used in majority of known attacks
Best cost-effectiveness minimal number of
computers needed
Obvious anomaly in traffic
ARD-2 Variable Rate

22
ARD-2RCM Rate Change Mechanism

How does the rate change?
ARD-2RCM-1 Increasing Rate
Gradually increasing rate leads to a slow
exhaustion of victims resources
Could manipulate defense that train their
baseline models
ARD-2RCM-2 Fluctuating Rate
Adjust the attack rate based on victims behavior
or preprogrammed timing
Ex. Pulsing attack

23
PC Possibility of Characterization

Can the attacking traffic be characterized?
Characterization may lead to filtering rules
PC-1 Characterizable
Those that target specific protocols or
applications at the victim
Can be identified by a combination of IP header
and transport protocol header values or packet
contents
Ex. TCP SYN attack
SYN bit set

24
PC-1RAVS Relation of Attack to Victim Services

The traffic is characterizable, but is it related
to the targets services?
PC-1RAVS-1 Filterable
Traffic made of malformed packets or packets for
non-critical services of the victims operation
Ex. ICMP ECHO flood attack on a web server
PC-1RAVS-2 Non-Filterable
Well-formed packets that request legitimate and
critical services
Filtering all packets that match attack
characterization would lead to a denial of service

25
PC Possibility of Characterization

PC-2 Non-Characterizable
Traffic that uses a variety of packets that
engage different applications and protocols
Classification depends on resources that can be
used to characterize and the level of
characterization
Ex. Attack uses a mixture of TCP packets with
various combinations of TCP header fields
Characterizable as TCP attack, but nothing finer
without vast resources

26
PAS Persistence of Agent Set

Do the same agents attack the whole time?
Some attacks vary their set of active agent
machines
Avoid detection and hinder traceback
PAS-1 Constant Agent Set
PAS-2 Variable Agent Set

Bright red attacks for 4 hours Dark red attacks
for next 4 hours
27
VT Victim Type

What does the attack target?
VT-1 Application
Ex. Bogus signature attack on an authentication
server
Authentication not possible, but other
applications still available
VT-2 Host
Disable access to the target machine
Overloading, disabling communications, crash
machine, freeze machine, reboot machine
Ex. TCP SYN attack overloads communications of
machine

28
VT Victim Type

VT-3 Resource Attacks
Target a critical resource in the victims
network
Ex. DNS server, router
Prevented by replicating critical services,
designing robust network topology
VT-4 Network Attacks
Consume the incoming bandwidth of a target
network
Victim must request help from upstream networks

29
VT Victim Type

VT-5 Infrastructure
Target a distributed service that is crucial for
global Internet operation
Ex. Root DNS server attacks in October 2002,
February 2007

30
IV Impact on the Victim

How does an attack affect the victims service?
IV-1 Disruptive
Completely deny the victims service to its
clients
All currently reported attacks are this kind
IV-2 Degrading
Consume some portion of a victims resources,
seriously degrading service to customers
Could remain undetected for long time

31
IV-1PDR Possibility of Dynamic Recovery

Can a system recover from an attack? How?
IV-1PDR-1 Self-Recoverable
Ex. UDP flooding attack
IV-1PDR-2 Human-Recoverable
Ex. Computer freezes, requires reboot
IV-1PDR-3 Non-Recoverable
Permanent damage to victims hardware
No reliable accounts of these attacks

32
DDoS Defense

Several factors hinder the advance of DDoS
defense research
Need for a distributed response at many points on
the Internet
Many attacks need upstream network resources to
stop attacks
Economic and social factors
A distributed response system must be deployed by
parties that arent directly damaged by a DDoS
attack

33
DDoS Defense

Lack of defense system benchmarks
No benchmark suite of attack scenarios or
established evaluation methodologies
Lack of detailed attack information
We have information on control programs
Information on frequency of various attack types
is lacking
Information on rate, duration, packet size, etc.
are lacking

34
DDoS Defense

Difficulty of large-scale testing
No large-scale test beds
U.S. National Science Foundation is funding
development of a large-scale cybersecurity test
bed
No safe ways to perform live distributed
experiments across the Internet
No detailed and realistic simulation tools that
support thousands of nodes

35
Taxonomy of DDoS Defenses
36
(No Transcript)
37
AL Activity Level

When does a defense system work?
AL-1 Preventive
Eliminate possibility of DDoS attacks or enable
victims to endure the attack without denial of
service
AL-1PG Prevention Goal
What is the system trying to do?
AL-1PG-1 Attack Prevention
The system is trying to prevent attacks

38
AL-1PG-1ST Secured Target

What does a system try to secure to prevent an
attack?
AL-1PG-1ST-1 System Security
Secure the system
Guard against illegitimate accesses to a machine
Remove application bugs, Update protocol
installations
Ex. Firewall systems, IDSs, Automated updates

39
AL-1PG-1ST Secured Target

AL-1PG-1ST-2 Protocol Security
Secure the protocols
Bad protocol design examples TCP SYN Attack,
Authentication server attack, IP source address
spoofing
Ex. Deployment of a powerful proxy server that
completes TCP connections
Ex. TCP SYN cookies

40
AL-1PG Prevention Goal

AL-1PG-2 DoS Prevention
The system is trying to prevent a denial of
service
Enable the victim to endure attack attempts
without denying service
Enforce policies for resource consumption
Ensure that abundant resources exist

41
AL-1PG-2PM Prevention Method

How do the defense systems prevent DoS?
AL-1PG-2PM-1 Resource Accounting
Police the access of each user to resources based
on the privileges of the user and users behavior
Let real, good users have access
Coupled with legitimacy-based access mechanisms
AL-1PG-2PM-2 Resource Multiplication
Ex. Pool of servers with load balancer, high
bandwidth network

42
AL-2 Reactive

Defense systems try to alleviate the impact of an
attack
Detect attack and respond to it as early as
possible
AL-2ADS Attack Detection Strategy
How does the system detect attacks?
AL-2ADS-1 Pattern Detection
Store signatures of known attacks and monitor
communications for the presence of patterns
Only known attacks can be detected
Ex. Snort

43
AL-2ADS-2 Anomaly Detection

Compare current state of system to a model of
normal system behavior
Previously unknown attacks can be discovered
Tradeoff between detecting all attacks and false
positives

44
AL-2ADS-2NBS Normal Behavior Specification

How is normal behavior defined?
AL-2ADS-2NBS-1 Standard
Rely on some protocol standard or set of rules
Ex. TCP protocol specification describes
three-way handshake
Detect half-open TCP connections
No false positives, but sophisticated attacks can
be left undetected

45
AL-2ADS-2NBS-2 Trained

Monitor network traffic and system behavior
Generate threshold values for different
parameters
Communications exceeding one or more thresholds
are marked as anomalous
Low threshold leads to many false positives, high
threshold reduces sensitivity
Model of normal behavior must be updated
Attacker can slowly increase traffic rate so that
new models are higher and higher

46
AL-2 Reactive

AL-2ADS-3 Third-Party Detection
Rely on external message that signals occurrence
of attack and attack characterization
AL-2ARS Attack Response Strategy
What does the system do to minimize impact of
attack?
Goal is to relieve impact of attack on victim
with minimal collateral damage

47
AL-2ARS Attack Response Strategy

AL-2ARS-1 Agent Identification
Provides victim with information about the ID of
the attacking machines
Ex. Traceback techniques
AL-2ARS-2 Rate-Limiting
Extremely high-scale attacks might still be
effective

48
AL-2ARS Attack Response Strategy

AL-2ARS-3 Filtering
Filter out attack streams
Risk of accidental DoS to legitimate traffic,
clever attackers might use as DoS tools
Ex. Dynamically deployed firewalls
AL-2ARS-4 Reconfiguration
Change topology of victim or intermediate network
Add more resources or isolate attack machines
Ex. Reconfigurable overlay networks, replication
services

49
CD Cooperation Degree

How much do defense systems work together?
CD-1 Autonomous
Independent defense at point of deployment
Ex. Firewalls, IDSs
CD-2 Cooperative
Capable of autonomous detection/response
Cooperate with other entities for better
performance
Ex. Aggregate Congestion Control (ACC) with
pushback mechanism
Autonomously detect, characterize and act on
attack
Better performance if rate-limit requests sent to
upstream routers

50
CD-3 Interdependent

Cannot operate on own
Require deployment at multiple networks or rely
on other entities for attack prevention,
detection or efficient response
Ex. Traceback mechanism on one router is useless

51
DL Deployment Location