The Problem Distributed Denial of Service Attacks and Defenses CS 239 Advanced Topics in Network Security Peter Reiher May 3, 2006 Lecture 9 Lecture 9 Page 1 Page 2 CS 239, Spring 2006 CS 239, Spring 2006 Distributed Denial of Service Why Are These Attacks Made? (DDoS) Attacks • Goal: Prevent a network site from • Generally to annoy doing its normal business • Sometimes for extortion • Method: overwhelm the site with • If directed at infrastructure, might attack traffic cripple parts of Internet • Response: ? –So who wants to do that . . .? Lecture 9 Lecture 9 Page 3 Page 4 CS 239, Spring 2006 CS 239, Spring 2006 Attack Methods Why “Distributed”? • Pure flooding • Targets are often highly provisioned – Of network connection servers – Or of upstream network • Overwhelm some other resource • A single machine usually cannot – SYN flood overwhelm such a server – CPU resources • So harness multiple machines to do so – Memory resources – Application level resource • Also makes defenses harder • Direct or reflection Lecture 9 Lecture 9 Page 5 Page 6 CS 239, Spring 2006 CS 239, Spring 2006 1
DDoS Attack on DNS Root Servers Yahoo Attack • Concerted ping flood attack on all 13 of • Occurred in February 2000 the DNS root servers in October 2002 • Resulted in intermittent outages for • Successfully halted operations on 9 of nearly three hours them • Attacker caught and successfully • Lasted for 1 hour prosecuted –Turned itself off, was not defeated • Other companies (eBay, CNN, • Did not cause major impact on Internet Microsoft) attacked in the same way at around the same time –DNS uses caching aggressively Lecture 9 Lecture 9 Page 7 Page 8 CS 239, Spring 2006 CS 239, Spring 2006 How to Defend? Complicating Factors • High availability of compromised machines • A vital characteristic: – At least tens of thousands of zombie machines –Don’t just stop a flood out there • Internet is designed to deliver traffic –ENSURE SERVICE TO – Regardless of its value LEGITIMATE CLIENTS!!! • IP spoofing allows easy hiding • If you deliver a manageable amount of • Distributed nature makes legal approaches hard garbage, you haven’t solved the • Attacker can choose all aspects of his attack packets problem – Can be a lot like good ones Lecture 9 Lecture 9 Page 9 Page 10 CS 239, Spring 2006 CS 239, Spring 2006 Basic Defense Approaches Overprovisioning • Overprovisioning • Be able to handle more traffic than attacker can generate • Dynamic increases in provisioning • Works pretty well for Microsoft and • Hiding Google • Tracking attackers • Not a suitable solution for Mom and • Legal approaches Pop Internet stores • Reducing volume of attack Lecture 9 Lecture 9 Page 11 Page 12 CS 239, Spring 2006 CS 239, Spring 2006 2
Dynamic Increases in Provisioning Hiding • As attack volume increases, increase your • Don’t let most people know where your resources server is • Dynamically replicate servers • If they can’t find it, they can’t overwhelm it • Obtain more bandwidth • Possible to direct your traffic through other sites first • Not always feasible – Can they be overwhelmed . . .? • Probably expensive • Not feasible for sites that serve everyone • Might be easy for attacker to outpace you Lecture 9 Lecture 9 Page 13 Page 14 CS 239, Spring 2006 CS 239, Spring 2006 Tracking Attackers Legal Approaches • Sic the FBI on them and throw them in jail • Almost trivial without IP spoofing • Usually hard to do • With IP spoofing, more challenging • FBI might not be interested in “smal fry” • Big issue: • Slow, at best – Once you’ve found them, what do you • Very hard in international situations do? • Generally only feasible if extortion is • Not clear tracking actually does much good involved • Loads of fun for algorithmic designers, – By following the money though Lecture 9 Lecture 9 Page 15 Page 16 CS 239, Spring 2006 CS 239, Spring 2006 Approaches to Reducing the Volume Reducing the Volume of Traffic • Addresses the core problem: • Give preference to your “friends” – Too much traffic coming in, so get rid of • Require “proof of work” from some of it submitters • Vital to separate the sheep from the goats • Detect difference between good and • Unless you have good discrimination bad traffic techniques, not much help –Drop the bad • Most DDoSdefense proposals are variants –Easier said than done of this Lecture 9 Lecture 9 Page 17 Page 18 CS 239, Spring 2006 CS 239, Spring 2006 3
D-WARD D-WARD in Action • Source-end, inline defense system requests • Compares observed flows with protocol-based D-WARD replies models: attacks – Mismatching flow statistics indicate attack • Dynamic and selective rate-limit algorithm: – Fast decrease to relieve the victim – Fast increase when the attack stops and on false D-WARD alarms – Detects, forwards legitimate connection packets • Major questions: – Deployment incentives – Partial deployment issues Lecture 9 Lecture 9 Page 19 Page 20 CS 239, Spring 2006 CS 239, Spring 2006 DefCOM Classifiers can assure DefCOM instructs priority for good traffic core nodes to apply rate limits core alert core generator Core nodes use information from classifier classifiers to classifier prioritize traffic Lecture 9 Page 21 CS 239, Spring 2006 4
Recommend
More recommend
