------ An Overview Zhang Fu zhafu@chalmers.se Outline What is DDoS ? How it can be done? Different types of DDoS attacks. Reactive VS Proactive Defence Some noticeable solutions Crux issues Discussion The “battle” is going on. DDoS Attacks A Denial of Service (DoS) attack is an attempt by the attacker to prevent the legitimate users of a service from using that service. If the attack is launched from multiple compromised machines, then it is a Distributed Denial of Service (DDoS) attack. Basic Types of DDoS attacks: Sending malformed packets to confuse systems (protocol or application). Can be also called semantic attack. Example: SYN-flooding, Teardrop Attacks Flooding packets to the victim to depleting key resources (bandwidth). Can be also called brute-force attack. Example: DNS request flooding, Smurf attack. DDoS Attacks (cont.) What makes DDoS possible? End-to-End paradigm : intermediate network provides best-effort packets delivery service. Different networks do not have effective cooperation. Victim’s security relies on the rest of the network End hosts can not control the bandwidth allocation or queuing mechanism of the network Zhang Fu Control is distributed.zhafu@chalmers.se Steps of launching DDoS attacks Recruiting and Exploit. Propagation. Launching attacks. order attack Victim Types Application Target on a given application. If the resource is not completely consumed, other application maybe still available. The attack traffic volume is usually small, and seems to be normal packets. E.g. signature attack. Host Overwhelming the host’s communication mechanism. Or make the host crash/reboot. The attack traffic is usually big. The host can not solve the problem alone. Resource Attack Attack some critical entities in the victim’s network, such as DNS server. Congest some critical links of the network. The attack traffic is big and easy to detect. But need cooperation to defense. Victim Types (cont.) Infrastructure Aim to disable the critical service of the whole Internet, such as root DNS server, core network, certificate server. The attack can aggregate a huge volume of traffic with in a very short time period. Need cooperation to defend against this attack. Impact of the attack Disruptive: completely disable the victim’s service. The victim can recover automatically after the attack. Some may need human to be involved. And some may be not recoverable. Degrading: consume some portion of the victim’s resource. Success depends on the service. QoS plays an important role. Not easy to detect. Tradeoff between deploying a defense mechanism and losing market caused by the degradation. Summary of DDoS attacks What is a DoS / DDoS attack? Why DDoS attacks can be launched successfully? DDoS attacks target both in application layer and network layer. Some DDoS attacks aims to completely deplete the resource of the victim, while others aims to degrade the quality of the victim’s service. Challenges for defense mechanisms DDoS is a problem in distributed manner. It needs to be solved in a distributed way. However, assumption of global deployment would be rather strong. Some attacks can be hardly defined. Many factors may be involved, such as number of compromised machines, attack rate, attack duration, impact of the attack. Lack of universal benchmark. Lack of test platforms for large scale network. Principles for counter measures Security The attacker can hardly break the secrets used in the system. Or find a semantic flaw to attack the system. Accuracy The system should filter out the malicious traffic as much as possible and affect the legitimate traffic as little as possible. Efficiency Keep the overhead within a acceptable threshold Safe Failure When the system is fail, the situation can not be worse than that before the deployment. Which way to go? Proactive VS Reactive Proactive solutions aim at prevent the DDoS attacks from beginning. Or the victim’s service is not denied during the attacks. How to prevent DDoS attacks? Secure the hosts, Build DDoS-resilient protocol. We need both police and doctor! How to make system tolerate DDoS attacks? Resource accounting, provide more resource. Examples of proactive solutions: puzzle based solutions, network capability, secure overlay. Proactive VS Reactive (cont.) Reactive solutions aims at mitigate DDoS attacks when the victim suffers those attacks, or some DDoS attacks are detected. Need some detection mechanisms. Less overhead in the normal situation. The problem is how to identify DDoS attacks, what are the proper responses for different kinds of attacks? • • Use models of attacks to detect. We can also define abnormal behaviors for detection, But have to be careful with false positive. Block identified zombies, or rate limiting /filtering. Network Layer Defense Network Capability Choose a path from source to the destination Capability Establishment (Sending Request and getting Capability) Sending Packets with Capability Capability Refreshing Internet 14 Packet Marking (Trace back) • Packets will be marked by the routers along the path. • When DDoS attacks occur, the victim will identify the attacking sources. • Victim will also send control command to the router which is near to the sources to limit the malicious traffic. What’re the advantages and disadvantages? SOS: Secure Overlay Service Application Layer Defense How can network-based applications defend by themselves? Solutions inspired by Frequency Hopping. ACK-based port hopping (Badishi et al. 2005) Port hopping with bounded clock offset (Lee and Ting 2004) Hopping authentication code (Srivatsa et al 2006) Port hopping in the presence of clock drifts. (Zhang et al.2008) Crux Issues IP spoofing. Network topology dependency. Refreshing secrets. Feedback mechanisms. Space efficiency. We can hardly solve DDoS problem completely. The ideal solution could be very complicated. We might need an integrated solution. However, it’s unclear about the optimal integration. Summary What is DDoS Why it is possible What is the main category of defence mechanisms We want secure, robust, efficient solutions for the problem. Zhang Fu zhafu@chalmers.se The End Thank You 20