DoS/DDoS Detection and Mitigation
Mujahid Khan
mkhan@sprint.net

Three Parts to Dealing With a (D)DoS Attack:
• Detection
• Tracking
• Mitigation

Detection
• Limited tools available to proactively monitor and report (D)DoS attacks
• Proactive detection comes with a price tag attached
• Different approaches to detection:
  – Inline detection
  – Passive tapping detectors
  – Flow-based detection
  – IDS integration
• Most attacks are detected by a sudden increase in bandwidth and resource utilization
• Need to identify DoS/DDoS attacks and eliminate false alarms – also need to classify attacks based on protocol and source address

Detection
• Issues with detection ???

Tracking
• Methods used to track the attack depend on the features available on the deployed infrastructure
• Some of the issues with tracking the attack are:
  – Randomness of attacks
  – Distributed nature of the attacks
  – Address spoofing
• Fast and wide deployment of the tracking scheme is needed to track and mitigate attacks effectively – especially needed in the case of a large number of sources for the attack
• Some of the methods used to trace back the attack blackhole the targeted victim – this could be a problem
• Most current approaches for traceback are manual, therefore slow

Mitigation
• Most actions to mitigate involve putting filters in place
  – Usually away from the source and close to the ingress points of the network
• Rate-limiting the attack
• Sometimes the targeted IP address is blackholed
• uRPF has helped – please deploy where possible
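The Detection slides say most attacks show up as a sudden rise in bandwidth and that alerts must be classified by protocol and source address. The following is an added example (not code from the slides or from Sprint) of flow-based detection doing exactly that: it bins simplified NetFlow-like records (timestamp, source, destination, protocol, bytes) into fixed windows, compares each window against a rolling baseline built from earlier windows, and for each alert breaks the traffic down by protocol and source so an operator can tell a single-source flood from a distributed one. The flow records, addresses and window size are constructed for the example.

```python
"""Flow-based (D)DoS detection over constructed flow records.

Added example, not from the original slides. Records are simplified
NetFlow-like tuples (timestamp, src, dst, proto, bytes). A window is
alerted when its byte count exceeds mean + k * stddev of the earlier
windows; each alert is then classified by protocol and source address.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

DST = "192.0.2.10"  # constructed victim address


def _normal_window(start, size):
    # Five legitimate TCP flows from distinct clients per window (constructed)
    return [(start + 2 * i, f"10.0.0.{i + 1}", DST, "tcp", size) for i in range(5)]


# Constructed sample: four ordinary windows, then a window carrying a UDP flood
# from 30 distinct sources on top of the normal traffic.
FLOWS = (
    _normal_window(0, 1000) + _normal_window(10, 1040)
    + _normal_window(20, 960) + _normal_window(30, 1000)
    + _normal_window(40, 1000)
    + [(40 + i % 10, f"198.51.100.{i + 1}", DST, "udp", 1500) for i in range(30)]
)


def bucket_by_window(flows, window=10):
    """Group flows by the start time of the fixed-size window they fall into."""
    buckets = defaultdict(list)
    for t, src, dst, proto, nbytes in flows:
        buckets[(t // window) * window].append((src, dst, proto, nbytes))
    return dict(sorted(buckets.items()))


def classify(records):
    """Break a window down by protocol and by source address."""
    by_proto, by_src = Counter(), Counter()
    for src, _dst, proto, nbytes in records:
        by_proto[proto] += nbytes
        by_src[src] += nbytes
    total = sum(by_proto.values())
    top_src_share = max(by_src.values()) / total
    return {
        "by_proto": dict(by_proto),
        "dominant_proto": by_proto.most_common(1)[0][0],
        "top_sources": by_src.most_common(5),
        "source_count": len(by_src),
        # Many sources with none dominant -> distributed; otherwise single-source
        "distributed": len(by_src) >= 10 and top_src_share < 0.2,
    }


def detect(flows, window=10, k=3.0, min_history=3):
    """Return one alert per window whose volume exceeds the rolling baseline."""
    history, alerts = [], []
    for start, recs in bucket_by_window(flows, window).items():
        total = sum(r[3] for r in recs)
        if len(history) >= min_history:
            mu, sigma = mean(history), pstdev(history)
            # Floor the spread at 5% of the mean so a perfectly flat baseline
            # still leaves headroom and does not alarm on tiny jitter.
            threshold = mu + k * max(sigma, 0.05 * mu)
            if total > threshold:
                alert = {"window": start, "bytes": total, "threshold": threshold}
                alert.update(classify(recs))
                alerts.append(alert)
                continue  # keep attack windows out of the baseline
        history.append(total)
    return alerts


if __name__ == "__main__":
    for a in detect(FLOWS):
        print(f"window {a['window']}s: {a['bytes']} B > {a['threshold']:.0f} B, "
              f"{a['dominant_proto']} from {a['source_count']} sources, "
              f"distributed={a['distributed']}")
```

Two design points carry most of the false-alarm control the slide asks for: an alerted window is not fed back into the baseline (otherwise a long flood quickly becomes "normal"), and the spread is floored relative to the mean so a quiet link with near-zero variance does not alert on ordinary jitter. In production the thresholds would be per destination or per customer prefix rather than one global number.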
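The Mitigation slide closes with "uRPF has helped – please deploy where possible", and the Tracking slide names address spoofing and victim blackholing as the hard parts. The following added example (not code from the slides, and not how any particular router implements it) simulates what unicast reverse-path forwarding decides for a packet: strict mode accepts a packet only if the best route back to its source points out the interface the packet arrived on, loose mode only requires that some real route to the source exist, and a source whose best route is a Null0 blackhole entry fails both modes. The forwarding table, interface names, the `allow_default` knob and the sample packets are all constructed for the example.

```python
"""Unicast RPF (uRPF) source checks simulated against a constructed FIB.

Added example, not from the slides. Models the strict and loose uRPF
decision and shows why a Null0 route for a source address drops that
source in both modes. FIB, interfaces and packets are constructed.
"""
import ipaddress

DEFAULT_ROUTE = "0.0.0.0/0"

# Constructed forwarding table: prefix -> egress interface, None meaning Null0.
FIB = {
    "10.0.0.0/8": "eth0",         # customer block behind eth0
    "192.0.2.0/24": "eth1",       # another customer block
    "198.51.100.0/24": "eth2",    # peer
    "203.0.113.7/32": None,       # source blackholed via Null0
    DEFAULT_ROUTE: "eth3",        # upstream
}


def lookup(fib, ip):
    """Longest-prefix match; returns (prefix, interface) or (None, None)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return (str(best[0]), best[1]) if best else (None, None)


def urpf_allows(fib, src_ip, ingress, mode="strict", allow_default=False):
    """Decide whether a packet from src_ip arriving on ingress passes uRPF."""
    prefix, iface = lookup(fib, src_ip)
    if prefix is None or iface is None:
        return False            # unrouted or blackholed source: drop in both modes
    if prefix == DEFAULT_ROUTE and not allow_default:
        return False            # a default route does not vouch for a source
    if mode == "loose":
        return True             # any real route to the source is enough
    return iface == ingress     # strict: must arrive where we would route back


def filter_packets(fib, packets, mode="strict", allow_default=False):
    """Apply uRPF to (src, ingress) pairs; return (accepted, dropped) lists."""
    accepted, dropped = [], []
    for src, ingress in packets:
        if urpf_allows(fib, src, ingress, mode, allow_default):
            accepted.append((src, ingress))
        else:
            dropped.append((src, ingress))
    return accepted, dropped


# Constructed sample packets: (source address, interface it arrived on)
PACKETS = [
    ("10.1.2.3", "eth0"),         # legitimate customer packet
    ("10.1.2.3", "eth2"),         # customer address arriving from a peer: spoofed
    ("198.51.100.9", "eth2"),     # legitimate peer packet
    ("203.0.113.7", "eth2"),      # blackholed source
    ("100.64.0.1", "eth3"),       # only the default route covers this source
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        ok, bad = filter_packets(FIB, PACKETS, mode)
        print(mode, "accepted:", ok, "dropped:", bad)
```

Strict mode is the one that actually stops spoofed sources, but it is only safe on interfaces with symmetric routing (customer edges); on multi-homed or peering links it drops legitimate asymmetric traffic, which is why loose mode is the usual choice there. The Null0 case is what makes loose uRPF useful against an attack: a blackhole route for a source prefix discards traffic from that source at every router that carries the route, without blackholing the victim's address.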