Source Router Approach to DDoS Defense - PowerPoint PPT Presentation

About This Presentation
Title:

Source Router Approach to DDoS Defense

Description:

Title: Throttling Distributed Denial of Service Attacks Based on Statistical Analysis Of Two-way Traffic Author: Jelena Mirkovic Last modified by – PowerPoint PPT presentation

Number of Views:111
Avg rating:3.0/5.0
Slides: 17
Provided by: Jele68
Learn more at: https://lasr.cs.ucla.edu
Category:

less

Transcript and Presenter's Notes

Title: Source Router Approach to DDoS Defense


1
Source Router Approach to DDoS Defense
  • Jelena Mirkovic and Peter Reiher
  • UCLA
  • USENIX Work-In Progress Session
  • Washington DC, 08/17/2001

sunshine, reiher_at_cs.ucla.edu
2
Approach Overview
  • Goal Prevent our site from participating in DDoS
    attack
  • Monitor incoming and outgoing traffic looking for
    signs that some destination is in trouble
  • Reduce traffic to that destination
  • Separate attacking from normal flows
  • Shut down attacking machines

3
Approach Overview
I
A
B
J
C
H
D
G
F
E
4
Approach Overview
I
A
B
J
C
H
D
G
F
E
5
Approach Overview
I
A
B
J
C
H
D
G
F
E
6
Approach Overview
I
A
B
J
C
H
D
G
F
E
7
Approach Overview
I
A
B
J
C
H
D
G
F
E
8
Approach Overview
  • For every destination address router keeps
    lightweight statistics (number of packets/bytes,
    timing).
  • The statistics are used along with built-in
    models to characterize normal traffic.

9
Approach Overview
  • Router periodically matches the model with
    current packet statistics
  • Discrepancy gt threshold ?? router throttles all
    traffic to that destination and extends
    monitoring to separate good from bed flows.

10
Approach Overview
  • Attacking flows should stand out from legitimate
    flows by the number and frequency of packets in
    them.
  • Once attacking flows are identified measures can
    be taken to track and shut down the attacking
    machines.

11
Related Work - MULTOPS
  • Yes, it is similar to MULTOPS, but
  • It is located on source side only
  • Traffic models do not rely only on packet ratio
  • Discovery of attacking machines
  • Can be pushed further in the network

12
Stable Packet Ratio in Mixed Traffic
packet ratio
time
13
Stable Packet Ratio in TCP Traffic
packet ratio
time
14
Stable Packet Ratio in UDP Traffic
packet ratio
time
15
Stable Packet Ratio in UDP Traffic
packet ratio
time
16
Variable Packet Ratio in Mixed Traffic
packet ratio
time
17
Variable Packet Ratio in Attack Traffic
DDoS
packet ratio
DDoS FTP
FTP
time
18
Challenges
  • Router performance.
  • Why would ISP implement this?
  • False positives.
  • Multicast traffic is usually unidirectional.
  • Asymmetric routes.
  • Throttling and TCP congestion control mechanism.
  • Traffic patterns in the Internet change
    drastically over time.

19
For More Info...
http//fmg-www.cs.ucla.edu/ddos
Write a Comment
User Comments (0)
About PowerShow.com