Defense Against DDoS - PowerPoint PPT Presentation

About This Presentation
Title:

Defense Against DDoS

Description:

DoS: 'an attack with the purpose of preventing legitimate users from using a ... sites' extortion fears, by Paul Roberts, IDG News Service, January 28, 2004 ... – PowerPoint PPT presentation

Number of Views:281
Avg rating:3.0/5.0
Slides: 22
Provided by: csVir
Category:

less

Transcript and Presenter's Notes

Title: Defense Against DDoS


1
Defense Against DDoS
  • Presented by Zhanxiang
  • for Crab Apr. 15, 2004

2
DoS DDoS
  • DoS an attack with the purpose of preventing
    legitimate users from using a victim computing
    system or network resource 3
  • DDoS A Distributed Denial of Service (DDoS)
    attack uses many computers to launch a
    coordinated DoS attack against one or more
    targets. 4
  • You may have paid for the hardware, but do you
    really own your network?

3
Typical Attack Skill
  • SYN Flooding
  • IP spoofing
  • Bandwidth attack
  • Filling victims hard disk space

4
What can DoS lead to?
  • Website
  • DNS
  • Mail Server
  • Emergency
  • Many tools are available for DoS attack and
    teenagers must like to try them.2

5
Case Study
  • DDoS attack hits clickbank and spamcop.net, by
    Mirko Zorz, June 25, 2003
  • Super Bowl fuels gambling sites' extortion fears,
    by Paul Roberts, IDG News Service, January 28,
    2004

6
Defense
  • Two general area
  • Defense against IP spoofing
  • Defense against bandwidth flooding attack
  • Turn to Lingxuan

7
Against Bandwidth Flooding Attack
  • Goal stop attacks on their way to the victims
  • Scheme SIFF1

8
SIFF Assumptions
  • Marking space in the IP header.
  • Routers mark every packet.
  • Short-term Route Stability.

9
Idea
  • Divide all traffic into
  • Privileged Always get transfer
  • Unprivileged Transferred if not affect
    Privileged packets
  • Unprivileged -------------------gt Privileged
  • handshake
  • (to get the privilege token)

10
Idea (cont.)
  • Routers
  • mark packets in hand shakes
  • match privilege token while forwarding packets
  • Recipient refuse the attack flow by
  • not providing the privilege token
  • or provide a false one

11
Packet Identifier Design
  • Flags field (3-bits).
  • SF Packet is non-legacy
  • PT EXP or DTA
  • CU Capability reply present or not
  • Capability Marks modified by routers
  • C-R recipients to signal to sender a capability

12
Handshake
Client
Server
Routers
EXP(0)
Legend Packet-Type (Capability) Capability
Reply
EXP(a)
EXP(0) a
EXP(ß)a
DTA(!a)ß
DTA(!a)ß

13
Router Marking Calculation
IP of the Interface that at which the packet
arrived at
IP of the Last-hop routers outgoing interface
Keyed Hash Fun
Marking
Last z bits
Source IP and Destination IP of the packet
14
Marking Scheme for EXP
  • Packets with a capability field of all zeros get
    marked with an additional 1bit.
  • Routers push their markings into the least
    significant bits of the capability field.

15
Authentication scheme for DTA
?
  • Routers check the marking in the least
    significant bits of the capability field, and
    rotate it into the most significant bits, if it
    is equal to what the marking would be for an
    EXPLORER packet.

16
Key Switch
  • Why?
  • If the hash fun does not change periodically, an
    attacker can simply obtain a capability through a
    seemingly legitimate request, and then use it to
    flood the server with privileged traffic.
  • Solution
  • Windowed authentication and marking

17
Windowed authentication and Marking for DTA
  • Routers check that the marking equals one of the
    valid markings in its window and always rotate
    the newest marking in the window into the
    capability field.

18
Do Guesses work?
  • x of markings each router maintains in its
    window
  • z of bits per router marking
  • P(x, z) probability that a randomly guessed
    capability will pass a particular router.

19
Can Privilege Channel be Established Under
Unprivileged Packet Flooding?
  • i hops of the network
  • ei Probability of getting dropped at any one of
    those routers

20
Limitations
  • Depend on mechanism to detect attack
  • Network with some router not implemented SIFF
  • Colluding attacker
  • Host granularity not application granularity

21
Reference
  • 1 SIFF A Stateless Internet Flow Filter to
    Mitigate DDoS Flooding Attacks. With Avi Yaar and
    Dawn Song. Appears in 2004 IEEE Symposium on
    Security and Privacy
  • 2 Tools http//staff.washington.edu/dittrich/mi
    sc/ddos/
  • 3 David Karig and Ruby Lee, Remote Denial of
    Service Attacks and Countermeasures, Princeton
    University Department of Electrical Engineering
    Technical Report CE-L2001-002, October 2001.
  • 4 Lincoln Stein and John N. Stuart. The World
    Wide Web Security FAQ, Version 3.1.2, February
    4, 2002. http//www.w3.org/security/faq/ (8
    April 2003).
Write a Comment
User Comments (0)
About PowerShow.com