Defending Against Denial of
Service Attacks
Presented By: Jordan Deveroux
1
Outline
I. What are Denial of Service Attacks and
what makes the internet vulnerable to
them?
II. How do these attacks occur?
III. How do we defend against such attacks?
IV. What are the ethical implications of
Denial of Service Attacks and their effect
on our society ?
2
Denial of Service Attacks
 Denial of Service (Dos)- An attack that is
trying to deny access by legitimate users to
shared resources or services
 Distributed Denial of Service (DDoS)- A
denial of service attack where the traffic
comes from multiple sources
3
Attacker
Zombies
4
Victim
Zombies
• Malicious Payload is
Installed
• Communication takes
place on IRC channels
• Software contains a
flooding mechanism
• Software can be
updated by attacker
5
Internet Vulnerabilities
 IP Spoofing- creating an IP packet
with false information, often a
false address.
 Multipath routing makes packet
tracing difficult
 No centralized Internet authority
6
Outline
I. What are Denial of Service Attacks and
what makes the internet vulnerable to
them?
II. How do these attacks occur?
III. How do we defend against such attacks?
IV. What are the ethical implications of
Denial of Service Attacks and their effect
on our society ?
7
What does DoS Attack?
1. Consumes a host’s resources
 CPU
 Memory
2. Consumes network bandwidth
 Legitimate traffic is unable to go through
Attack Power- level of resources consumed
at the victim by the attack
8
Categories of Bandwidth Attacks
Protocol-Based
Application-Based
Distributed Reflector
Infrastructure Attacks
9
Protocol-Based: SYN Flood
10
Protocol-Based: ICMP Flood
INTERMEDIARY
NETWORK
INTERNET
ATTACKER
VICTIM
11
Application-Based: HTTP Flood
 Attacking web servers with many
http requests
 Used in DDoS because it requires a
genuine IP
 Multiple ways to flood using this
method
12
Application Based:
SIP FLOOD
 VOIP Attack
 Flood proxy servers with
many invite packets
 Affects not only proxy
servers but legitimate
callers
13
Distributed Reflector Attacks
14
Infrastructure Attacks
 Disable Critical components of the
Internet
 Significant Attack power is required to
successfully execute an infrastructure
attack
 These types of attacks are why we need
a globally-cooperative defense effort
15
Outline
I. What are Denial of Service Attacks and
what makes the internet vulnerable to
them?
II. How do these attacks occur?
III. How do we defend against such attacks?
IV. What are the ethical implications of
Denial of Service Attacks and their effect
on our society ?
16
Four Categories of Defense
Attack Prevention
Attack Detection
Attack Source Identification
Attack Reaction
17
Attack Prevention: Ingress/Egress
Filtering
18
Other Attack Prevention Techniques
 Router Based Packet Filtering
 Possible if Tier 1 ISPs are involved
 SAVE Protocol
 Needs to be universally deployed
These Techniques prevent IP spoofing and filter
traffic before it reaches the target, but need
wide adoption to be effective
19
Attack Detection Techniques
 Easy to detect
 Differentiate between flash crowds and DoS
attack
 Rely on certain assumptions
Attack Detection Techniques:
 DoS-attack-specific
 Anomaly-based
20
Dos-Specific






MULTOPS
SYN Detection
Kolmogorov Test
Spectral Analysis
Time Series Analysis



Anomaly-Based
Need to build a normal
profile
Block irregular traffic
Difficult to determine all
normal traffic
Lightweight Intrusion
Detection System (LISYS)
The only way to detect a DDoS effectively and early is to
monitor features attackers can’t change or are really
difficult to change, (e.g. : Percent of new IP’s)
21
Attack Source Identification
 Tracking IP traffic is difficult to do
Active IP traceback technique
 Probabilistic traceback technique
 Hash-Based IP traceback
22
Attack Reaction Techniques
23
Attack Reaction Techniques
 Bottleneck Resource Management
 Fix Software-Based Vulnerabilities
 History-Based IP Filtering
 Intermediate Network Reaction
 Harder to track the greater the distance
 Controller-Agent Scheme
 Source End Reaction
 D-WARD
24
Conclusion on Defense Techniques




Most of these are DoS defense
Limited progress made on DDoS
Attacker resources often surpass victim’s resources
Defenses are limited due to lack of central control of
the internet
 We need to increase the reliability of global network
infrastructure
 Most effective is to block attack close to source
25
Outline
I. What are Denial of Service Attacks and
what makes the internet vulnerable to
them?
II. How do these attacks occur?
III. How do we defend against such attacks?
IV. What are the ethical implications of
Denial of Service Attacks and their effect
on our society ?
26
Growth of DoS and DDoS attacks
 Security knowledge of users is decreasing while attacks
are becoming more and more sophisticated
 In 1988, 6 attacks were reported
 In 2003, 137, 529 attacks were reported
 CSI/FBI survey shows on average 35% percent who
participate suffered DoS attacks
 Vulnerabilities have increased to 35x the number reported
in 1995
 Only 4 out of 1127 customer-based system attacks used
spoofed addresses in 2004
27
What’s taking so long?
 Implementing defense schemes are
expensive
 Lack of economic incentive
 Personal users
 Internet Service Providers
 Don’t want to spend money to protect
someone else’s network
28
 “Code Red” Worm (2001)
 300,000 zombie army to launch DoS against White House
website
 Distributed Reflector Attack (2002)
 Brought down www.grc.com
 Internet DNS Root Servers (2002)
 SYN Flood and ICMP Flood
 All 13 DNS root servers were attacked at the same time
 Total Attack Volume: 900 Mb/s
 Most queries answered but some parts of internet
experienced congestion or were unreachable
 Blaster Worm (2003)
 Exploited vulnerability in RPC
 SYN Flood against windowsupdate.com
29
Ethics
 These attacks can have lasting effects,
including monetary damages
 Used as a political statement
 Wikileaks fiasco (2010)
 Operation : Payback
 Mastercard, PostFinance, Paypal
30
References
 Survery of Network Based Defense Mechanisms
Countering the DoS and DDoS Problems (Peng, Leckie,
Ramamohanarao)
 www.cert.org
 http://www.pcmag.com/article2/0,2817,2374023,00.asp
31