DDoS attacks
Download as PPTX, PDF0 likes364 views
This document discusses distributed denial of service (DDoS) attacks and potential defenses. It describes how DDoS attacks work by flooding a victim with useless traffic from many compromised systems to overwhelm the victim's bandwidth or resources. The document outlines different types of DDoS attacks like direct and reflector attacks. It also discusses challenges with detection and prevention, such as the difficulty of filtering reflected packets or widely deploying packet filters across networks. Promising defense approaches include developing a global firewall infrastructure with distributed detection systems that can identify anomalies and coordinate response. However, effective DDoS defense remains an ongoing challenge.
DDoS attacks
- 1. Distributed Denial of Service Team Members: Anus Irshad: 130909 Bilal Amjad: 130927
- 2. Distributed Denial of Service (DDoS) “This is a process in which many computer systems, comprimised by a host, send useless data to a network to stop internet connection”
- 3. DDoS: How It Can be Done? Find a weakness and then use that weakness as a ping to death Attack the victims with data encryption and decryption
- 4. Describing DDoS Attacks These attacks usually don’t depend on any of network protocols They have a large number of compromised hosts that send useless or harmful packets of data to a victim These have become a major problem because of availability of user friendly attack tools on one hand and lack of defending solutions of other hand
- 5. Recorded DDoS Attacks • One attack happened in may and June of 1998 when first primitive tool were developed in underground. This attack was on small networks only • One took place on august 17 1999 on the university of Minnesota and was reported to network operations and security teams • An attack happened in February 2000 on yahoo, eBay amazon and some other websites • Another report shows more than 12000 attacks during a three week period
- 6. Types of DDoS Attacks Attack Types Direct Reflector
- 7. Direct Attacks • A large number of packets is sent to a victim • Source addresses made spoofed to make the response go somewhere else
- 8. Reflector Attacks • Routers and servers are used as incorrect nodes and are known as reflectors • The attacker sends packets that need response to the reflectors with the packets’ source address set to victim’s address • TCP,UCP,ICMP can be used as RST packets • The victims don’t send any packets back so the backward analysis does not work here • The packets are legitimate so they can’t be filtered.
- 10. How Many Packets are Required to Attack? • If a victim has something that can be used to take N half open connections, then the following can be its capability of processing SYN packets • G/D/INFINITY/N queue where : – G = General arrival process for the SYN packets – D = Deterministic lifetime of each half-open connection if not receiving the third handshaking message
- 11. Minimal Rates of SYN Packets (to stall TCP servers in SYN flooding attacks)
- 12. Is There Any Solution to This Problem? The defense can be done in three ways: Preemption and prevention should be done before the attack The attack should be detected and then filtered if preemption and prevention is not done Attack source trace back and Identification
- 13. Prevention and Preemption • Hosts should be protected from masters and agent implants by using signatures and scanning procedures • Monitor network traffic for known attack messages sent between attackers and masters • Cyber informants and cyber spies should be there to detect attack
- 14. Attack Source Traceback and Identification • There should be after-the-fact response. • Traceback (This means to identify the real source of packet. For this information routers can be used because they can they can record information • Traceback can’t work out every time because of NATs and firewalls but it is still a helpful and efficient method to be used
- 15. Detection and Filtering • This happens in two phases. In the first phase the packets are identified and in the second phase the packets are classified and dropped • Effectiveness of Detection • FPR (False Positive Ratio): • No. of false positives/Total number of confirmed normal packets • FNR (False Negative Ratio): • No. of false negatives/Total number of confirmed attack packets • Effectiveness of filtering • It detects phases using victim identities so packets can be easily dropped. • Percentage of packets that can survive in an attack is called Normal Percentage Survive Ratio(NSPR).
- 17. Attack Detection and Filtering • Source networks – Packets based on address spoofing can be filtered – Direct attacks can be easily filtered but reflector attacks are difficult – It should be ensured that all the ISPs have ingress packet filtering. Very difficult (Impossible?) Victim’s network – The victim can detect attack on volume of incoming traffic or degraded performance. – Other mechanisms: IP Hopping (Host frequently changes it’s IP address when attack is detected. DNS tracing can still help the attackers) – Last Straw: If incoming link gets jammed then victim will have to shut down and ask the upstream ISP to filter the packets
- 18. Attack Detection and Filtering On the Victim’s Upstream ISP Network: • Victim sends requests frequently to filter packets • The automation can be done by designing intrusion alert systems • Normal packets may still be dropped, and the network can still be jammed On other Upstream ISP Networks: • This approach can be extended to some other upstream networks • It is effective only if ISP networks are willing to co-operate and install packet filters
- 19. The Internet Firewall • The bipolar defense scheme can’t achieve both effective packet detection and packet filtering • There are two methods, that employ a set of distributed nodes in the Internet for attack detection and packet filtering – Route-based Packet Filtering Approach (RPF) – Distributed Attack Detection Approach (DAD)
- 20. Route based • It extends the packet filtering approach to the Internet – Distributed packet filters examine the packets that are based on addresses and BGP routing information – A packet is considered an attack packet if it comes from an unexpected link • Some Disadvantages – It requires BGP messages to carry the source addresses - Overhead! – Deployment is tough! – Filters should be placed in almost 1800 AS (when there were 10,000 Ass) and the no. of AS is continuously increasing. – IT is unable to filter reflected packets
- 21. Distributed Attack Detection (DAD) • It deploys a set of distributed Detection Systems (DSs) to see if there are anomalies, misuses or any other problem with network • Anomaly detection: It observes and detects traffic patterns that are not normal (e.g., unusual traffic intensity for specific packet types • Misuse detection: It identifies traffic that matches a known attack signature • These usually rely on anomaly detection. Different DSs exchange attack information from their local observations • An effective and deployable architecture should be designed for DAD approach is a challenging task
- 22. Distributed Attack Detection (DAD)
- 23. Distributed Attack Detection (DAD) A quick way
- 24. Disadvantages • Limitations of Mathematical Nature: – Choices of global and local thresholds and traffic modeling, etc. • Performance problem: – Two-level detection can’t be useful for DDoS attacks that are of short durations – Sometimes the flash crowds trigger false alarms • Other ways of attack : – DeS attacks that use ‘pulsing agents’ with short bursts – Using different sets of attack agents each time
- 25. Summing Up Current defense mechanisms are far from adequate One promising direction is to develop a global infrastructure, an Internet Firewall Deployment and design considerations should be worked upon We see that DDoS Defense is possible through careful planning, and this topic covered defense mechanisms which try to discover and slow down bad clients
- 26. THANK YOU PLEASE FEEL FREE TO ASK YOUR QUESTIONS