Defense Against DDoS
Presented by Zhanxiang
for [Crab] Apr. 15, 2004
DoS & DDoS

DoS: “an attack with the purpose of preventing
legitimate users from using a victim computing
system or network resource” [3]

DDoS: “A Distributed Denial of Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets.” [4]

You may have paid for the hardware, but do you
really own your network?
Typical Attack Techniques
- SYN flooding
- IP spoofing
- Bandwidth attack
- Filling the victim’s hard disk space
- …

What can DoS lead to?
- Website
- DNS
- Mail server
- Emergency

Many tools are available for DoS attacks, and teenagers are bound to try them. [2]
Case Study

- “DDoS attack hits clickbank and spamcop.net”, by Mirko Zorz, June 25, 2003
- “Super Bowl fuels gambling sites' extortion fears”, by Paul Roberts, IDG News Service, January 28, 2004
Defense

Two general areas:
- Defense against IP spoofing
- Defense against bandwidth flooding attacks

Turn to Lingxuan
Against Bandwidth Flooding Attack


Goal: stop attacks on their way to the victims
Scheme: SIFF[1]
SIFF: Assumptions

- Marking space in the IP header.
- Routers mark every packet.
- Short-term route stability.
Idea

Divide all traffic into two classes:
- Privileged: always forwarded
- Unprivileged: forwarded only if this does not affect privileged packets

Unprivileged -------------------> Privileged
            handshake (to obtain the privilege token)
Idea (cont.)

Routers:
- mark packets during the handshake
- match the privilege token while forwarding packets

The recipient refuses an attack flow by:
- not providing the privilege token, or
- providing a false one
Packet Identifier Design

Flags field (3 bits):
- SF: packet is non-legacy
- PT: EXP or DTA
- CU: capability reply present or not

Capability: marks modified by routers
C-R: lets recipients signal a capability to the sender
Handshake

Legend: Packet-Type(Capability){Capability Reply}

Client -> Routers -> Server: EXP(0) is sent; the routers fill in the capability, so the server receives EXP(α)
Server -> Routers -> Client: EXP(0){α} is sent; the client receives EXP(β){α}
Client -> Routers -> Server: DTA(!α){β} is sent; the server receives DTA(!α){β}
……
Router Marking Calculation

Inputs to a keyed hash function:
- IP of the interface at which the packet arrived
- IP of the last-hop router’s outgoing interface
- Source IP and destination IP of the packet

Marking = last z bits of the keyed hash output
Marking Scheme for EXP

Packets with a capability field of all zeros get marked with an additional 1 bit.
Routers push their markings into the least significant bits of the capability field.
Authentication scheme for DTA

Routers check the marking in the least significant bits of the capability field and, if it equals what the marking would be for an EXPLORER packet, rotate it into the most significant bits.
Key Switch

Why?

If the hash function does not change periodically, an attacker can simply obtain a capability through a seemingly legitimate request and then use it to flood the server with privileged traffic.
Solution

Windowed authentication and marking
Windowed authentication and marking for DTA

Routers check that the marking equals one of the valid markings in their window, and always rotate the newest marking in the window into the capability field.
Do Guesses Work?

- x: number of markings each router maintains in its window
- z: number of bits per router marking
- P(x, z): probability that a randomly guessed capability will pass a particular router
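The marking calculation, DTA authentication, key-switch window and guess-probability slides above, worked through as an added Python toy (my code, not SIFF's or the paper's). Assumptions: HMAC-SHA256 as the keyed hash, a 32-bit field holding one z-bit slot per hop, a bit layout in which each router rotates its marking in at the top (so the first-hop marking ends in the low bits that the first data-path router checks), no leading 1-bit length marker, and constructed addresses and keys.

```python
import hmac, hashlib

Z, HOPS = 8, 4                  # z bits per router marking; routers on the path
W = Z * HOPS                    # capability width (assumed: one slot per hop)
LOW = (1 << Z) - 1

def marking(key, in_if, last_hop_if, src, dst):
    """Last z bits of a keyed hash over the four inputs the slide names."""
    msg = f"{in_if}|{last_hop_if}|{src}|{dst}".encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big") & LOW

class Router:
    def __init__(self, in_if, last_hop_if, key, window=2):
        self.ifs, self.keys, self.window = (in_if, last_hop_if), [key], window
    def switch_key(self, new_key):
        # Periodic key switch; the newest x keys stay valid (windowed marking).
        self.keys = ([new_key] + self.keys)[: self.window]
    def marks(self, src, dst):
        return [marking(k, *self.ifs, src, dst) for k in self.keys]   # newest first
    def forward_exp(self, cap, src, dst):
        # EXP: rotate the field right by z and write the current marking at the
        # top (assumed layout); after HOPS routers the first-hop marking is lowest.
        return (cap >> Z) | (self.marks(src, dst)[0] << (W - Z))
    def forward_dta(self, cap, src, dst):
        # DTA: low z bits must match a windowed marking, else drop; then rotate
        # the newest marking into the top, which refreshes the capability.
        m = self.marks(src, dst)
        if (cap & LOW) not in m:
            return None
        return (cap >> Z) | (m[0] << (W - Z))

def send(path, cap, src, dst, kind):
    """Carry one packet across the path; None means some router dropped it."""
    for r in path:
        cap = r.forward_exp(cap, src, dst) if kind == "EXP" else r.forward_dta(cap, src, dst)
        if cap is None:
            return None
    return cap

def guess_pass_probability(router, src, dst):
    """P(x, z): share of the 2^z values a random guess could hit at this router."""
    return len(set(router.marks(src, dst))) / (1 << Z)

# Constructed sample path and addresses (documentation ranges, not real hosts).
SRC, DST = "192.0.2.10", "198.51.100.5"
PATH = [Router(f"10.0.{i}.1", f"10.0.{i - 1}.2", f"key-{i}".encode()) for i in range(1, HOPS + 1)]

if __name__ == "__main__":
    alpha = send(PATH, 0, SRC, DST, "EXP")                        # EXP(0) arrives as EXP(alpha)
    print(hex(alpha), hex(send(PATH, alpha, SRC, DST, "DTA")))    # DTA(alpha) verifies and rotates back to alpha
```

With unchanged keys the data packet's capability comes out of the path exactly as it went in; after one key switch at a router the old capability still passes (it is inside the window) and the returned field carries the refreshed marking.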
Can a Privileged Channel be Established Under Unprivileged Packet Flooding?

- i: number of hops in the network
- εi: probability of getting dropped at any one of those routers
Limitations

- Depends on a mechanism to detect attacks
- Networks in which some routers do not implement SIFF
- Colluding attackers
- Host granularity, not application granularity
References
[1] SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks. With Avi Yaar and Dawn Song. 2004 IEEE Symposium on Security and Privacy.
[2] Tools: http://staff.washington.edu/dittrich/misc/ddos/
[3] David Karig and Ruby Lee, “Remote Denial of Service Attacks and Countermeasures,” Princeton University Department of Electrical Engineering Technical Report CEL2001-002, October 2001.
[4] Lincoln Stein and John N. Stuart, “The World Wide Web Security FAQ”, Version 3.1.2, February 4, 2002. http://www.w3.org/security/faq/ (8 April 2003).