DDoS Attacks and Defenses
Prof. Heejo Lee
Computer & Communication Security Lab
Div. of Computer & Communication Engineering, Korea University, [email protected]
April 15, 2008
Overview
1. History of DDoS Attack
2. Types of DDoS Attack
3. DDoS Defenses
4. IP Spoofing Prevention
5. Attack Visualization
6. Botnet Detection
1. History of DDoS Attacks
(Timeline figure: DoS, Spoofing, Distributed DoS, Distributed Reflector DoS, Botnet)
1996 SYN flooding attacks
1997 Smurf attacks
1999 Distributed attack tools
2000 Yahoo, CNN, eBay attacks
2001 CodeRed worms
2002 DNS root server attack
2003 Slammer worms
2004 Botnet attacks
2007 2nd DNS root server attack
2008 Prevalence of ransom attacks
DDoS Attacks
• Most significant threat to network operators
Source: Worldwide Infrastructure Security Report, Arbor Networks, Sep. 2007
DNS Backbone DDoS Attacks
A political rather than technical response implies the lack of proper countermeasures.
Ransom DDoS Attacks
• Ransom attacks
– Demand money to prevent the site from being attacked
• Growing frequency
– Online-game item-trading sites, Oct. 2007
– M stock trading company, Mar. 2008
• Difficulty of incident response
– Lack of network security awareness
– Distributed attacks via a botnet
– Attacking from overseas, e.g. China
Which sites? Maybe yours: shopping, portal and trading sites; game, chatting and adult sites
2. The Type of DDoS Attack
① DoS attacks
– “Denial of Service attack”
• Attempt to prevent legitimate users from using a service
– Examples of DoS include
• Flooding a network, disrupting a service
• Disrupting connections between machines
② DDoS attacks
– “Distributed Denial of Service” attack
– Many machines are involved in the attack against one or more victim(s)
③ DRDoS attacks
– “Distributed Reflector Denial of Service attack”
– DRDoS is much like a DDoS, but the attack source is spoofed
– Web or name server reflection
– Amplification attacks (broadcast ping, DNS queries)
④ Botnet
A botnet is a large pool of compromised hosts, which is remotely controllable by a server and can be used for sending spam mails, stealing personal information, and launching DDoS attacks.
(Figure: IP spoofing, distributed attacks, botnets)
3. DDoS Defenses
Prevention: IP spoofing prevention
Detection: Attack detection & visualization
Response: Rate limiting & distributed filtering
4. IP Spoofing Prevention
① Ingress filtering [RFC 2827]
– Ingress filtering drops packets before the packets leave their local networks.
– No benefits for early adopters, not suitable for multihomed networks
(Figure: host S sends B a packet claiming to be from A; the edge router says "I know my addresses and A is not one of them" and drops it)
② Unicast Reverse Path Forwarding (uRPF) [Cisco 2003]
– IP packets are checked to ensure that the route back to the source uses the same interface.
– RPF-enabled routers forward only packets that have valid source addresses consistent with the IP routing table.
– Ingress filtering for multihomed networks [RFC 3704]
– Not suitable for asymmetric routing paths (over 50%)
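The ingress filtering and uRPF checks described above, as an added example that is not from the slides: a simulated edge router with a constructed forwarding table shows the RFC 2827 source check, strict uRPF, and why a legitimate packet on an asymmetric path fails the strict check. The prefixes, interface names and the loose-mode variant are assumptions.

```python
import ipaddress

# Constructed topology for one edge router (added example, not from the slides).
# Ingress filtering (RFC 2827): the router knows the prefixes assigned to its
# customer-facing interface and drops anything else that arrives there.
CUSTOMER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Forwarding table as (prefix, outgoing interface); longest prefix wins.
# The default route guarantees that every lookup matches something.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "upstream0"),
    (ipaddress.ip_network("203.0.113.0/24"), "cust0"),
    (ipaddress.ip_network("198.51.100.0/24"), "peer1"),
]

def ingress_filter(src):
    """RFC 2827 check on the customer interface: accept only sources that
    belong to the prefixes assigned to that customer."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES)

def lookup(addr):
    """Longest-prefix match: (matched prefix, interface used to reach addr)."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, iface) for net, iface in ROUTES if ip in net]
    return max(matches, key=lambda m: m[0].prefixlen)

def urpf_strict(src, in_iface):
    """Strict uRPF: the route back to the source must leave through the
    interface the packet arrived on. A legitimate packet on an asymmetric
    path fails this check, which is the limitation noted on the slide."""
    return lookup(src)[1] == in_iface

def urpf_loose(src, in_iface):
    """Loose uRPF (assumed variant): any route to the source other than the
    default suffices, whatever interface the packet arrived on."""
    return lookup(src)[0].prefixlen > 0

if __name__ == "__main__":
    # Constructed packets: (source address, arrival interface, description)
    for src, iface, what in [
        ("203.0.113.7", "cust0", "legitimate customer packet"),
        ("192.0.2.9", "cust0", "spoofed source from the customer"),
        ("198.51.100.9", "upstream0", "peer traffic on an asymmetric path"),
    ]:
        print(what, "| ingress:", ingress_filter(src),
              "| strict uRPF:", urpf_strict(src, iface),
              "| loose uRPF:", urpf_loose(src, iface))
```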
③ Route-based Distributed Packet Filtering (DPF) [ACM SIGCOMM, 2001]
– Proposed for filtering spoofed packets using routing information; also works under routing asymmetry.
– DPF does not provide direct incentives to deployers: everyone shares the benefits.
– It is difficult for DPF to maintain up-to-date routing information.
④ BGP Anti-Spoofing Extension (BASE) [ASIACCS, 2007]
– Steps: ① Distribution of marking values, ② Filter invocation, ③ Packet marking & filtering, ④ Filter revocation
• Incremental deployability
– Initial benefits for the early adopters
– Incremental benefits for the early majority
– Effectiveness under partial deployment
• Strong filtering performance
– 30% deployment can drop about 97% of attack packets
5. DDoS Defense Location
1. Defense at victim
2. Defense at network
3. Defense at sources
Primary Attack Mitigation Techniques
• Attack packet dropping w/ ACLs, blackholing
Source: Worldwide Infrastructure Security Report, Arbor Networks, Sep. 2007
Rate Limiting for DDoS Mitigation
• Unified rate limiting, ISPEC 2008
– Works close to attack sources
– Deals with Internet worms and DDoS attacks
Anomaly Worm Detection
• ADUR, IEICE T COMM 2007
– Anomaly Detection Using Randomness check
State     Description
Calm      Normal state
Flowing   Attacked by a worm from another infected network
Ebbing    Infected by a worm on the monitored network
Flooding  Both Flowing and Ebbing
ADUR classifies the network into one of these four states
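The four ADUR states above, as an added example that is not the paper's code. The slides do not say which randomness statistic ADUR uses; this code assumes a rank test over GF(2) on a binary source-by-destination connection matrix, on the observation that scanning worms choose destinations at random (near-full-rank matrix) while normal traffic concentrates on a few destinations (low rank). The network prefix, threshold and traffic samples are constructed.

```python
LOCAL_NET = "10.0.0."   # constructed: address prefix of the monitored network
THRESHOLD = 4           # constructed: rank at or above which a direction is anomalous

def is_local(ip):
    return ip.startswith(LOCAL_NET)

def gf2_rank(rows):
    """Rank over GF(2) of a list of row bitmasks, by Gaussian elimination."""
    rank, rows = 0, [r for r in rows if r]
    while rows:
        pivot = max(rows)                 # row with the highest leading bit
        top = pivot.bit_length() - 1
        rows = [r ^ pivot if (r >> top) & 1 else r for r in rows if r != pivot]
        rows = [r for r in rows if r]     # drop rows that cancelled to zero
        rank += 1
    return rank

def direction_rank(flows, inbound):
    """Rank of the source-by-destination matrix for flows entering (inbound)
    or leaving the monitored network; one row per source, one bit per dest."""
    cols, rows = {}, {}
    for src, dst in flows:
        crossing_in = is_local(dst) and not is_local(src)
        crossing_out = is_local(src) and not is_local(dst)
        if (crossing_in if inbound else crossing_out):
            col = cols.setdefault(dst, len(cols))
            rows[src] = rows.get(src, 0) | (1 << col)
    return gf2_rank(list(rows.values()))

def classify(flows):
    """Map the inbound/outbound ranks onto ADUR's four network states."""
    flowing = direction_rank(flows, inbound=True) >= THRESHOLD
    ebbing = direction_rank(flows, inbound=False) >= THRESHOLD
    return {(False, False): "Calm", (True, False): "Flowing",
            (False, True): "Ebbing", (True, True): "Flooding"}[(flowing, ebbing)]

def scan(src_fmt, dst_fmt):
    """Constructed worm traffic: six infected hosts each probing six spread-out
    addresses (a deterministic spread standing in for random scan targets)."""
    return [(src_fmt % i, dst_fmt % ((37 * i + 53 * j) % 254 + 1))
            for i in range(1, 7) for j in range(6)]

# Constructed normal traffic: eight local clients using two external servers.
NORMAL = [("10.0.0.%d" % i, "192.0.2.%d" % (i % 2 + 1)) for i in range(1, 9)]
INBOUND_WORM = scan("203.0.113.%d", "10.0.0.%d")     # outsiders scanning us
OUTBOUND_WORM = scan("10.0.0.%d", "198.51.100.%d")   # our hosts scanning out

if __name__ == "__main__":
    for name, f in [("normal", NORMAL), ("inbound worm", NORMAL + INBOUND_WORM),
                    ("outbound worm", NORMAL + OUTBOUND_WORM)]:
        print(name, "->", classify(f))
```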
Anomaly DDoS Detection
• FDD (FE and DDoS Distinguisher)
– Distinguishing between flash events and DDoS attacks using randomness check
VoIP Malformed & Flooding Detection
• Internet telephony attack detection, IFIP SEC’08
– Rule matching + state transition models
– Detects malformed messages and flooding attacks
6. Attack Visualization
Benefits of Visualization
• Deal with large noisy data easily
• Intuitive
• Come up with new hypotheses
• Higher degree of confidence
• Faster
Visualization Methods
• NSFNET T1 backbone in 1991
• City Scape: SDM (Chuah et al., 1995)
• Parallel coordinates
• H-h Chi et al., "A Spreadsheet Approach", IEEE InfoVis'97
Visualization in Security
• J. McPherson et al., PortVis, ACM CCS 2004
• S. Kim et al., IEEE INFOCOM 2005
• CAIDA skitter project
• I.-V. Onut et al., SVision, Computers & Security 2007
Parallel Coordinate Attack Visualization
1. Worm graph (Slammer)
2. DDoS attack
3. Host scan
4. Port scan
Application Program of PCAV
• PCAV 2.0 demonstration
http://ccs.korea.ac.kr/PCAV
What is a “bot”?
• Bot
– A bot is a servant process on a compromised system
– It communicates with a handler or controller, often running on public or other compromised systems
– A botmaster or botherder commands bots to perform any kind of malicious activity
• Botnet
– A network of bots and controller(s) is referred to as a botnet or zombie network
Malicious Activities of Botnet
Most recent incidents are related to botnets
Botnet Group Activity
• Group Activity (inherent property), IEEE CIT 2007
– A large number of bots always act as a group
(Figure: botnet DNS queries, then connection & command execution, observed as group activity)
Experimental Results
• Similarity of botnet and normal DNS traffic
– The similarity of botnet traffic exceeds a given threshold
– Botnet domain name detection
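The group-activity idea and the similarity threshold above, as an added example that is not the paper's code: DNS queries are grouped per domain and per time window, and a domain whose client group reappears in the next window almost unchanged (Jaccard similarity above a threshold, group size above a minimum) is flagged as a botnet domain name. The log format, window size, thresholds and sample log are constructed.

```python
from collections import defaultdict

WINDOW = 60          # seconds per observation window (constructed)
MIN_GROUP = 3        # smallest client group worth considering (constructed)
SIM_THRESHOLD = 0.8  # Jaccard similarity above which the group is "the same" (constructed)

def parse_line(line):
    """Parse a constructed DNS log line of the form '<epoch> <client_ip> <qname>'."""
    ts, client, qname = line.split()
    return int(ts), client, qname.lower().rstrip(".")

def group_by_window(lines):
    """domain -> window index -> set of clients that queried it in that window."""
    groups = defaultdict(lambda: defaultdict(set))
    for line in lines:
        ts, client, qname = parse_line(line)
        groups[qname][ts // WINDOW].add(client)
    return groups

def jaccard(a, b):
    """Similarity of two client sets: |a & b| / |a | b|."""
    return len(a & b) / len(a | b) if a or b else 0.0

def detect_botnet_domains(lines):
    """Flag domains whose client group reappears in the next window almost
    unchanged: bots resolve their controller's name together, as a group."""
    flagged = set()
    for domain, windows in group_by_window(lines).items():
        idx = sorted(windows)
        for prev, cur in zip(idx, idx[1:]):
            a, b = windows[prev], windows[cur]
            if (cur == prev + 1 and min(len(a), len(b)) >= MIN_GROUP
                    and jaccard(a, b) >= SIM_THRESHOLD):
                flagged.add(domain)
    return flagged

# Constructed log: four bots resolve their controller's name at the start of
# every minute, while ordinary clients look up a web site with only a little
# overlap between minutes (client sets shift by two addresses each window).
BOTS = ["10.0.0.%d" % i for i in (11, 12, 13, 14)]
LOG = ["%d %s c2.example.net." % (w * WINDOW + i, ip)
       for w in range(3) for i, ip in enumerate(BOTS)]
LOG += ["%d 10.0.0.%d www.example.com." % (w * WINDOW + 5 + i, 20 + 2 * w + i)
        for w in range(3) for i in range(3)]

if __name__ == "__main__":
    print(sorted(detect_botnet_domains(LOG)))   # only the controller's domain
```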
Coordinated Defense Approach
• DDoS attack information sharing
– Fingerprint Sharing Alliance by Arbor Networks
(Figure: ISP A detects the DDoS attack and sends a "fingerprint" to upstream ISPs, which block the attack traffic)
Proposal: DDoS Coordination Center
• Motivation
– Who can help corporations in an emergency?
– Including small and medium enterprises
– ISP’s roles are becoming crucial
• Roles for the DDoS coordination center
– Systematic monitoring
– Coordination of responses to DDoS attacks
– Protocol development and implementation
– Technical support
DDoS Defenses at Corporate Networks
• DDoS-resilient network design
– Distribution of gateways, and servers
– Name server placements for robust DNS
• Developments of secure applications
– Human-robot identification
– Mitigating abnormal resource consumption
• Security teams for planning and responses
– Monitoring DDoS attacks for quicker responses
– Preparing response plans, including ISP contacts
– On-demand filtering for attack traffic
7. Concluding Remarks
• Prevalence of DDoS attacks
– Increasing ransom attacks
– Hard to find a proper countermeasure
• Mitigating botnet attacks
– Botnet monitoring (IRC/HTTP/P2P bots)
– Blacklisting and punishment
• Responding to DDoS attacks
– Need good incident response plan, including ISP contacts
– Identify type of attack and filter attack traffic upstream
References
• K. Park, D. Seo, J. Yoo, H. Lee, H. Kim, "Unified Rate Limiting in Broadband Access Networks for Defeating Internet Worms and DDoS Attacks", ISPEC, Apr. 2008.
• H. Choi, H. Lee, H. Lee, H. Kim, "Botnet Detection by Monitoring Group Activities in DNS Traffic", IEEE CIT, Oct. 2007.
• H. Park, H. Lee, H. Kim, "Detecting Unknown Worms using Randomness Check", IEICE Trans. Comm., Vol. E90-B, No. 4, pp. 894-903, Apr. 2007.
• H. Lee, M. Kwon, G. Hasker, A. Perrig, "BASE: An Incrementally Deployable Mechanism for Viable IP Spoofing Prevention", ACM Symp. on Information, Computer and Communications Security (ASIACCS), Mar. 2007.
• H. Lee, J. Kim, W. Lee, "Resiliency of Network Topologies under Path-Based Attacks", IEICE Trans. Comm., Vol. E89-B, No. 10, pp. 2878-2884, Oct. 2006.
• H. Choi, H. Lee, "PCAV: Internet Attack Visualization on Parallel Coordinates", Int'l Conf. on Information and Communications Security (ICICS), LNCS 3783, pp. 454-466, Dec. 2005.
• K. Park, H. Lee, "On the Effectiveness of Route-Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets", ACM SIGCOMM, pp. 15-26, Aug. 2001.
• K. Park, H. Lee, "On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack", IEEE INFOCOM, Apr. 2001.
• Further information is available at http://ccs.korea.ac.kr.