DoS/DoS Detection and
Mujahid Khan
[email protected]
Three Parts to Dealing With a
(D)DoS Attack:
• Detection
• Tracking
• Mitigation
Limited Tools available to proactively monitor and report
(D)DoS attacks
Proactive detection comes with a price tag attached
Different approaches to detection
Inline detection
passive tapping detectors
Flow based detection IDS integration
Most attacks are detected by sudden increase in
bandwidth and resource utilization
Need to identify DoS/DDoS attacks and eliminate false
alarms – also need to classify attacks based on
protocol and source address
Issues with detection
• Methods used to track the attack depends on the available
features on the deployed infrastructure
• Some of the issues with tracking the attack are:
– Randomness of attacks
– Distributed nature of the attacks
– Address spoofing
• Fast and wide deployment of the tracking scheme needed
to track and mitigate attacks effectively – especially
needed in case of a large number of sources for the attack
• Some of the methods used to trace back the attack
blackhole the the targeted victim – this could be a
• Most current approaches for traceback are manual,
therefore slow
• Most actions to mitigate involve putting filters –
Usually away from the source and close to the
ingress points to the network
• Rate-limiting the attack
• Sometime the targeted IP address is
• uRPF has helped – please deploy where