
Page 1: Overview of Distributed Denial of Service (DDoS) Wei Zhou

Overview of Distributed Denial of Service (DDoS)

Wei Zhou

Page 2

Outline of the presentation

● DDoS definition and its attacking architectures
● DDoS classification
● Defense mechanism classification
  – Reactive vs. Proactive
  – Classification by defending front-line
● SOS – a case study

Page 3

What is it?

● Two major attacking architectures
  – Direct attack
  – Reflector attack
● Characteristics
  – Multiple attackers vs. single victim
  – To cause denial of service to legitimate users on the victim
● No ready-to-go definition available

Page 4

Attacking Architecture – Direct Attack

[Figure: hacker's attacking network; labelled components: Masters (handlers), Zombies]

Page 5

Attacking Architecture – Reflector Attack

[Figure: reflector attack; the hacker's DDoS attacking network sends TCP SYN, ICMP, UDP... packets with the victim's address as the source IP address to the reflectors]

Page 6

Classification of DDoS Attacks

● Classification by exploited vulnerability
  – Protocol attacks
    ● TCP SYN attacks
    ● CGI request attacks
    ● Authentication server attacks
    ● ...
  – Flooding-based attacks
    ● Filterable
    ● Non-filterable

Page 7

Defense Mechanisms

● Classification by activity level
  – Reactive mechanisms
    ● Easy to deploy
    ● Hard to tell good guys from bad guys
    ● Inflexible in adapting to new attacks
  – Proactive mechanisms
    ● Motivations to deploy
    ● Accuracy in differentiating packets

Page 8

Defense Mechanisms (cont.)

● Classification by defending front-line
  – Victim network
  – Intermediate network
  – Source network

Page 9

At the victim side

● IDS plus firewall
  – Detect bogus packets based on well-known attack signatures
  – Flexibility
● Puzzle solving by clients
  – The client must solve a puzzle (small scripts, cookies etc.) in order to access the server's resources
  – Efficiency
● Duplicate server resources
  – Distribute server resources into more places
  – Synchronization, costs etc.

The victim network can do nothing if its link(s) to the ISP are jammed.
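The "puzzle solving by clients" idea on this slide, as an added example that is not part of the presentation: a hash-based client puzzle in which the server issues a stateless challenge, the client burns CPU to find a nonce, and the server verifies with one HMAC and one hash before committing any real resource. The HMAC key, the difficulty in bits and the 60-second freshness window are constructed parameters, not values from the slides.

```python
import hashlib
import hmac
import os
import time

# Constructed example: hash-based client puzzle (not code from the slides).
# The server issues a challenge bound to the client and a timestamp; the client
# must find a nonce such that SHA-256(tag || nonce) starts with `bits` zero
# bits. Solving costs the client about 2**bits hashes on average; checking
# costs the server one HMAC and one hash, so a client that floods requests
# pays far more per request than the server does.

SERVER_SECRET = os.urandom(32)  # constructed key; rotate it in a real deployment


def make_challenge(client_id, bits, now=None):
    """Server side: issue a stateless challenge.

    The HMAC tag lets the server later recognise challenges it issued
    (and the difficulty it chose) without keeping per-client state."""
    ts = int(time.time()) if now is None else now
    msg = "{}|{}|{}".format(client_id, ts, bits).encode()
    tag = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return {"client_id": client_id, "ts": ts, "bits": bits, "tag": tag}


def _leading_zero_bits(digest):
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()


def solve(challenge):
    """Client side: brute-force the smallest nonce that satisfies the puzzle."""
    prefix = (challenge["tag"] + "|").encode()
    nonce = 0
    while True:
        digest = hashlib.sha256(prefix + str(nonce).encode()).digest()
        if _leading_zero_bits(digest) >= challenge["bits"]:
            return nonce
        nonce += 1


def verify(challenge, nonce, max_age=60, now=None):
    """Server side: cheap check before any expensive resource is committed.

    Rejects challenges the server did not issue (or whose difficulty the
    client lowered), stale challenges, and wrong nonces."""
    ts = int(time.time()) if now is None else now
    msg = "{}|{}|{}".format(challenge["client_id"], challenge["ts"], challenge["bits"]).encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, challenge["tag"]):
        return False
    if not 0 <= ts - challenge["ts"] <= max_age:
        return False
    digest = hashlib.sha256((challenge["tag"] + "|" + str(nonce)).encode()).digest()
    return _leading_zero_bits(digest) >= challenge["bits"]


if __name__ == "__main__":
    c = make_challenge("client-A", bits=16)
    n = solve(c)
    print("nonce", n, "accepted:", verify(c, n))
```

The "Efficiency" concern on the slide shows up directly in `bits`: too low and the puzzle costs an attacker nothing, too high and legitimate clients on slow hardware are locked out. A server should also remember solved (tag, nonce) pairs for the length of the freshness window so one solution cannot be replayed.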

Page 10

In the intermediate network

● IP traceback
  – Can be used to collect forensic evidence
  – (Need further exploration on this topic)
● Push-back mechanism
● Route-based packet filtering
● Overlay network

Page 11

Push-back – the idea

[Figure: router topology R0 to R7 with arrows labelled "Heavy traffic flow" and "Push-back messages"]

● Reactive mechanism
● Accuracy of telling 'poor' packets from bad packets
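The push-back idea on this slide worked through as an added simulation; it is not code from the presentation or from the cited pushback papers. The router names follow the slide figure, but the tree shape, the 60 Mb/s link capacity, the 50% "heavy aggregate" threshold and the traffic mix are constructed. The congested router R0 identifies the aggregate (destination prefix) eating its link, gives each contributing upstream link a max-min fair share of what the link can carry, and sends push-back messages to the links that exceed their share; those routers repeat the procedure toward the sources. The accounting at the end shows the accuracy problem from the second bullet: a legitimate user behind the same router as a flooder loses traffic too.

```python
# Constructed example of the push-back idea (aggregate-based congestion
# control), not code from the slides or the cited papers. Router names follow
# the slide figure; the tree shape, capacities and traffic are made up.

# router -> upstream (source-side) neighbours; all traffic flows toward R0
UPSTREAM = {
    "R0": ["R1", "R2", "R3"],
    "R1": ["R4", "R5"],
    "R2": [],
    "R3": ["R6", "R7"],
    "R4": [], "R5": [], "R6": [], "R7": [],
}
LINK_CAPACITY = 60.0     # Mb/s on R0's link toward the victim's network
HEAVY_SHARE = 0.5        # an aggregate taking over half of a congested link is "heavy"

# constructed traffic: (entry router, aggregate = destination prefix, Mb/s, legitimate?)
FLOWS = [
    ("R4", "victim/24", 5.0, True),
    ("R5", "victim/24", 5.0, True),     # legitimate user sharing R5 with a flooder
    ("R5", "victim/24", 40.0, False),
    ("R6", "victim/24", 45.0, False),
    ("R7", "victim/24", 5.0, True),
    ("R2", "victim/24", 5.0, True),
    ("R2", "other/24", 10.0, True),     # unrelated traffic crossing the same link
]


def subtree(router):
    """Routers whose traffic passes through `router`, itself included."""
    nodes = [router]
    for up in UPSTREAM[router]:
        nodes.extend(subtree(up))
    return nodes


def offered(router, aggregate):
    """Rate of `aggregate` arriving at `router` before any limiting."""
    members = set(subtree(router))
    return sum(r for entry, agg, r, _ in FLOWS if entry in members and agg == aggregate)


def max_min(demands, total):
    """Max-min fair split of `total` among `demands` ({name: demand})."""
    share, pending, remaining = {}, dict(demands), total
    while pending:
        fair = remaining / len(pending)
        small = {k: v for k, v in pending.items() if v <= fair}
        if not small:
            share.update({k: fair for k in pending})
            break
        for k, v in small.items():
            share[k] = v
            remaining -= v
            del pending[k]
    return share


def pushback(router, aggregate, limit, messages, forwarded):
    """Rate-limit `aggregate` to `limit` at `router` and push the limit upstream.

    Each contributing upstream link (and the locally entering traffic) gets a
    max-min fair share of `limit`; links whose share is below their demand
    receive a push-back message and apply the same procedure themselves."""
    demands = {up: offered(up, aggregate) for up in UPSTREAM[router]}
    local = [(i, f) for i, f in enumerate(FLOWS) if f[0] == router and f[1] == aggregate]
    if local:
        demands["local"] = sum(f[2] for _, f in local)
    demands = {k: v for k, v in demands.items() if v > 0}
    for name, share in max_min(demands, limit).items():
        if name == "local":
            # The router cannot tell 'poor' legitimate packets from attack packets
            # inside the aggregate, so the limit hits every local flow alike.
            fraction = min(1.0, share / demands["local"])
            for i, f in local:
                forwarded[i] = f[2] * fraction
        elif share < demands[name]:
            messages.append((router, name, aggregate, round(share, 2)))
            pushback(name, aggregate, share, messages, forwarded)


def run(router="R0", capacity=LINK_CAPACITY):
    """Detect congestion at `router`, pick the heavy aggregate, push back.

    Returns the push-back messages sent and how much legitimate and attack
    traffic still reaches the victim's link."""
    aggregates = {agg for _, agg, _, _ in FLOWS}
    rates = {agg: offered(router, agg) for agg in aggregates}
    total = sum(rates.values())
    forwarded = {i: f[2] for i, f in enumerate(FLOWS)}
    messages = []
    if total > capacity:
        for agg, rate in rates.items():
            if rate / total > HEAVY_SHARE:
                # leave the other aggregates alone; squeeze the heavy one into what is left
                pushback(router, agg, capacity - (total - rate), messages, forwarded)
    legit = sum(forwarded[i] for i, f in enumerate(FLOWS) if f[3])
    attack = sum(forwarded[i] for i, f in enumerate(FLOWS) if not f[3])
    legit_lost = sum(f[2] - forwarded[i] for i, f in enumerate(FLOWS) if f[3])
    return {"messages": messages, "legit": legit, "attack": attack, "legit_lost": legit_lost}


if __name__ == "__main__":
    result = run()
    for msg in result["messages"]:
        print("push-back %s -> %s: limit %s to %s Mb/s" % msg)
    print("reaching victim: legit %.1f, attack %.1f, legit lost %.2f Mb/s" %
          (result["legit"], result["attack"], result["legit_lost"]))
```

With this input the flood is cut from 85 to about 33 Mb/s and the link is no longer saturated, but the legitimate 5 Mb/s user behind R5 keeps only about 1.9 Mb/s, because R5 cannot separate its packets from the flooder's. That is the reactive trade-off the slide names.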

Page 12

Route-based packet filtering – the idea

[Figure: router topology R0 to R9, showing the routes from node 2 and an attack from node 7 using node 2 addresses]

● Proactive mechanism
● Overheads
● Need to change routers
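Route-based packet filtering as an added example, not code from the slides or from Park and Lee. Each router builds, ahead of any attack, a table of which source addresses can legitimately arrive over each of its links, derived purely from routing information (here: shortest paths over a constructed ten-router topology that reuses the figure's names R0 to R9, with ties broken by sorted neighbour name in place of real routing tables). A packet that claims a source whose routes never cross the link it arrived on is dropped, which is exactly the figure's case of an attack from node 7 carrying node 2 addresses.

```python
from collections import deque

# Constructed example of route-based (source-address) packet filtering, not
# code from the slides or from Park and Lee. Router names follow the slide
# figure (R0..R9); the links are made up. Assumes routers forward along
# shortest paths with ties broken by sorted neighbour name, standing in for
# the routing tables a real deployment would read.
EDGES = [
    ("R0", "R1"), ("R0", "R2"), ("R0", "R3"),
    ("R1", "R4"), ("R1", "R5"),
    ("R3", "R6"), ("R3", "R7"),
    ("R7", "R8"), ("R8", "R9"), ("R2", "R9"),   # R0-R2-R9-R8-R7-R3-R0 forms a ring
]


def adjacency(edges):
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return {n: sorted(v) for n, v in adj.items()}


def shortest_paths(adj, src):
    """BFS from `src`; returns {dst: [src, ..., dst]}."""
    parent = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    paths = {}
    for dst in parent:
        if dst == src:
            continue
        path, cur = [], dst
        while cur is not None:
            path.append(cur)
            cur = parent[cur]
        paths[dst] = path[::-1]
    return paths


def build_tables(edges):
    """Per-router filter table: (router, neighbour) -> sources whose packets can
    legitimately arrive at `router` over the link from `neighbour`.

    Built proactively from routing information, before any attack; this is
    also the part that requires changing the routers."""
    adj = adjacency(edges)
    table = {}
    for src in adj:
        for path in shortest_paths(adj, src).values():
            for hop_from, hop_to in zip(path, path[1:]):
                table.setdefault((hop_to, hop_from), set()).add(src)
    return table


def accept(table, router, from_neighbour, src):
    """True if a packet claiming source `src` may arrive at `router` via `from_neighbour`."""
    return src in table.get((router, from_neighbour), set())


def filter_packets(table, router, packets):
    """packets: (from_neighbour, src, dst) triples. Returns (accepted, dropped)."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if accept(table, router, pkt[0], pkt[1]) else dropped).append(pkt)
    return accepted, dropped


if __name__ == "__main__":
    table = build_tables(EDGES)
    # constructed packets seen at R3 on its link from R7; the last one spoofs R2
    seen = [("R7", "R7", "R0"), ("R7", "R8", "R0"), ("R7", "R2", "R0")]
    ok, bad = filter_packets(table, "R3", seen)
    print("accepted:", ok)
    print("dropped:", bad)
```

The "Overheads" bullet is visible in `build_tables`: the table must be recomputed whenever routes change, and in a real network the entries are address prefixes rather than router names, so the state per interface grows with the size of the routing table.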

Page 13

At the source side

● Ingress/egress filtering
  – Ingress filtering
    ● To prevent packets with faked source IP addresses from entering the network
  – Egress filtering
    ● To prevent packets with faked source IP addresses from leaving the network

[Figure: egress filtering and ingress filtering at a network border; address labels 10.0.0.1, 10.0.0.2 and 9.0.0.0/8]
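Ingress and egress filtering in the RFC 2827 sense, as an added example that is not code from the slides. It reuses the prefixes and hosts from the figure (9.0.0.0/8, 10.0.0.0/8, 10.0.0.1, 10.0.0.2) but assumes which side owns them: the ISP's edge router checks that traffic entering from a customer interface carries a source address the customer was assigned, and the customer's own border router checks that traffic leaving carries one of its own addresses. Both are the same membership test applied from different vantage points. The 198.51.100.0/24 and 203.0.113.0/24 addresses are documentation prefixes used as constructed remote hosts.

```python
import ipaddress

# Constructed example of RFC 2827-style ingress/egress filtering, not code from
# the slides. The prefixes 9.0.0.0/8 and 10.0.0.0/8 and the hosts 10.0.0.1 and
# 10.0.0.2 appear on the slide figure; which side owns which is assumed here.

# ISP edge router: customer-facing interface -> prefixes assigned to that customer
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("10.0.0.0/8")],
    "cust-b": [ipaddress.ip_network("9.0.0.0/8")],
}
# the customer's own border router: the prefixes it may source traffic from
OWN_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]


def source_in(src, prefixes):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def ingress_allowed(iface, src):
    """ISP side: a packet entering from a customer interface must carry a
    source address from that customer's assigned prefixes."""
    prefixes = CUSTOMER_PREFIXES.get(iface)
    if prefixes is None:
        raise ValueError("no ingress policy for interface %r" % iface)
    return source_in(src, prefixes)


def egress_allowed(src, own_prefixes=OWN_PREFIXES):
    """Customer side: a packet leaving toward the ISP must carry one of the
    network's own addresses; anything else is spoofed or misconfigured."""
    return source_in(src, own_prefixes)


def filter_ingress(packets):
    """packets: (iface, src, dst) triples arriving at the ISP edge.
    Returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        (forwarded if ingress_allowed(iface, src) else dropped).append((iface, src, dst))
    return forwarded, dropped


if __name__ == "__main__":
    # constructed traffic on the customer interface; the last packet is spoofed
    traffic = [
        ("cust-a", "10.0.0.2", "198.51.100.7"),
        ("cust-a", "10.0.0.1", "198.51.100.7"),
        ("cust-a", "198.51.100.7", "203.0.113.5"),
    ]
    ok, bad = filter_ingress(traffic)
    print("forwarded:", ok)
    print("dropped:", bad)
```

The limit of the technique is also visible: a host at 10.0.0.2 that forges 10.0.0.1 as its source passes both filters, because the check only knows prefixes, not hosts. That narrows spoofing to addresses inside the offending network, which is what makes traceback to the source network feasible, but it does not stop it.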

Page 14

At the source side (cont.)

● D-WARD (DDoS netWork Attack Recognition and Defense)
  – Balance of inbound and outbound traffic

Page 15

D-WARD (cont.)

● Motivation of deployment
● Asymmetric problems

[Figure: D-WARD deployed at the source network]
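The inbound/outbound balance idea behind D-WARD (pages 14 and 15) as an added, simplified model; this is not the D-WARD authors' code and the thresholds, the decrease/increase factors and the three-window recovery rule are constructed parameters. A source-network edge router counts, per remote destination and observation window, packets sent against packets received; a TCP or ICMP flow that sends far more than it gets back is rate-limited with an exponential decrease and allowed to recover gradually once it behaves. One-way protocols such as UDP are deliberately left unjudged here, which is one face of the "asymmetric problems" bullet: legitimate traffic can be one-sided too.

```python
from collections import defaultdict

# Constructed, simplified model of the D-WARD idea (not the authors' code): a
# source-network edge router watches each outbound "flow" (traffic to one remote
# destination) in fixed observation windows, compares packets sent against
# packets received, and rate-limits flows whose traffic is too one-sided.
# All thresholds and factors below are made-up parameters.

TCP_RATIO_MAX = 3.0     # sent/received packet ratio above which a TCP flow is suspect
ICMP_RATIO_MAX = 3.0    # same idea for ICMP echo traffic
MIN_PACKETS = 10        # do not judge a flow on fewer packets than this
DECREASE = 0.5          # exponential rate-limit decrease while a flow misbehaves
INCREASE = 1.25         # gradual recovery once the flow behaves again
COMPLIANT_WINDOWS = 3   # consecutive well-behaved windows before a limit is lifted


class DWardLite:
    def __init__(self):
        self.limit = {}                    # remote -> max outbound packets per window
        self.good_windows = defaultdict(int)

    @staticmethod
    def classify(proto, sent, received):
        """'attack' if the flow sends far more than it gets back.

        TCP and ICMP echo traffic are two-way, so a destination that answers
        almost nothing is either flooded or unreachable. UDP and other
        one-way protocols need a different model and are not judged here."""
        if sent < MIN_PACKETS:
            return "normal"
        if proto == "tcp":
            return "attack" if sent > TCP_RATIO_MAX * max(received, 1) else "normal"
        if proto == "icmp":
            return "attack" if sent > ICMP_RATIO_MAX * max(received, 1) else "normal"
        return "normal"

    def observe_window(self, records):
        """records: (direction, proto, remote) tuples seen in one window.
        Updates the rate limits and returns {remote: (verdict, limit)}."""
        stats = defaultdict(lambda: {"sent": 0, "recv": 0, "proto": None})
        for direction, proto, remote in records:
            entry = stats[remote]
            entry["proto"] = proto
            entry["sent" if direction == "out" else "recv"] += 1
        verdicts = {}
        for remote, entry in stats.items():
            verdict = self.classify(entry["proto"], entry["sent"], entry["recv"])
            if verdict == "attack":
                current = self.limit.get(remote, entry["sent"])
                self.limit[remote] = max(1, int(min(current, entry["sent"]) * DECREASE))
                self.good_windows[remote] = 0
            elif remote in self.limit:
                self.good_windows[remote] += 1
                if self.good_windows[remote] >= COMPLIANT_WINDOWS:
                    del self.limit[remote]
                    del self.good_windows[remote]
                else:
                    self.limit[remote] = int(self.limit[remote] * INCREASE)
            verdicts[remote] = (verdict, self.limit.get(remote))
        return verdicts

    def enforce(self, records):
        """Drop outbound packets beyond each destination's limit in this window;
        inbound packets and unlimited destinations pass untouched."""
        sent = defaultdict(int)
        kept = []
        for rec in records:
            direction, _, remote = rec
            if direction == "out":
                cap = self.limit.get(remote)
                if cap is not None and sent[remote] >= cap:
                    continue
                sent[remote] += 1
            kept.append(rec)
        return kept


if __name__ == "__main__":
    d = DWardLite()
    # constructed window: a flood to V with no replies, a normal session with W
    window = [("out", "tcp", "V")] * 100 + [("out", "tcp", "W")] * 20 + [("in", "tcp", "W")] * 15
    print(d.observe_window(window))
    print("packets forwarded after limiting:", len(d.enforce(window)))
```

The "motivation of deployment" bullet is the weak point of any source-side scheme and the code cannot fix it: the network running this filter gains nothing for itself except cleaner outbound traffic, while the benefit accrues to victims elsewhere.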

Page 16

SOS – Security Overlay Service

● To protect a dedicated server from DDoS attacks
● Use high-performance filters to drop all the packets not from secret servlets
● Path redundancy in the overlay network is used to hide the identities of secret servlets
● Legitimate users enter the overlay network at the point of SOAP (secure overlay access point)

Page 17

SOS (cont.)

[Figure: SOS architecture; labels: Overlay network, SOAP(s), Secret servlet(s), Filter, Server, Big time delay]

Page 18

References

● R. K. C. Chang, “Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial”
● P. Ferguson and D. Senie, “Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing”, RFC 2827
● J. Ioannidis and S. M. Bellovin, “Implementing Pushback: Router-Based Defense Against DDoS Attacks”
● A. D. Keromytis, V. Misra and D. Rubenstein, “SOS: Secure Overlay Services”
● R. Mahajan, S. M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson and S. Shenker, “Controlling High Bandwidth Aggregates in the Network”
● J. Mirkovic, J. Martin and P. Reiher, “A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms”
● J. Mirkovic, G. Prier and P. Reiher, “Attacking DDoS at the Source”
● K. Park and H. Lee, “A Proactive Approach to Distributed DoS Attack Prevention using Route-Based Packet Filtering”

Page 19

Thank you!