![Page 1: DDoS Attacks and Defensesdownload.nboard2.naver.net/download/1000003310...1. History of DDoS Attacks Distributed Reflector DoS Distributed DoS DoS Spoofing Botnet 1996 SYN flooding](https://reader034.vdocument.in/reader034/viewer/2022052500/5f1fb5fbe30d49132341a10a/html5/thumbnails/1.jpg)
DDoS Attacks and Defenses
Prof. Heejo Lee
Computer & Communication Security Lab
Div. of Computer & Communication Engineering, Korea University, [email protected]
April 15, 2008
Overview
1. History of DDoS Attack
2. Types of DDoS Attack
3. DDoS Defenses
4. IP Spoofing Prevention
5. Attack Visualization
6. Botnet Detection
1. History of DDoS Attacks
Attack generations along the timeline: DoS, spoofing, distributed DoS, distributed reflector DoS, botnet
1996 SYN flooding attacks
1997 Smurf attacks
1999 Distributed attack tools
2000 Yahoo, CNN, eBay attacks
2001 CodeRed worms
2002 DNS root server attack
2003 Slammer worms
2004 Botnet attacks
2007 2nd DNS root server attack
2008 Prevalence of ransom attacks
DDoS Attacks
• Most significant threat to network operators
Source: Worldwide Infrastructure Security Report, Arbor Networks, Sep. 2007
DNS Backbone DDoS Attacks
The response to these attacks was political rather than technical, which implies the lack of proper countermeasures.
Ransom DDoS Attacks
• Ransom attacks
– Demand money in exchange for not attacking the site
• Growing frequency
– Online-game item-trading sites, Oct. 2007
– M stock trading company, Mar. 2008
• Difficulty of incident response
– Lack of network security awareness
– Distributed attacks via a botnet
– Attacks launched from overseas, e.g. China
Any site can be a target, maybe yours: shopping, portal and trading sites; game, chatting and adult sites
2. Types of DDoS Attack
① DoS attacks
– “Denial of Service attack”
• Attempt to prevent legitimate users from using a service
– Examples of DoS include
• Flooding a network, disrupting a service
• Disrupting connections between machines
2. Types of DDoS Attack
② DDoS attacks
– “Distributed Denial of Service” attack
– Many machines are involved in the attack against one or more victim(s)
2. Types of DDoS Attack
③ DRDoS attacks
– “Distributed Reflector Denial of Service attack”
– DRDoS works like DDoS, but the attack source is spoofed: the attackers send requests carrying the victim's address to third parties (reflectors), whose replies flood the victim
• Web or name server reflection
• Amplification attacks (broadcast ping, DNS queries), where each reply is larger than the request that triggered it
2. Types of DDoS Attack
④ Botnet
A botnet is a large pool of compromised hosts that is remotely controlled through a command-and-control server and can be used for sending spam mail, stealing personal information, and launching DDoS attacks.
3. DDoS Defenses
Threats addressed: IP spoofing, distributed attacks, botnets
Prevention: IP spoofing prevention
Detection: Attack detection & visualization
Response: Rate limiting & distributed filtering
4. IP Spoofing Prevention
① Ingress filtering [RFC 2827]
– Ingress filtering drops packets whose source address does not belong to the local network before they leave it, i.e. at the network's edge router.
– No benefits for early adopters (the filter protects others, not the deployer), not suitable for multihomed networks
Figure: host S sends "Here's a packet from A to B"; the edge router of S's network answers "I know my addresses and A is not one of them" and drops the packet.
4. IP Spoofing Prevention
② Unicast Reverse Path Forwarding (uRPF) [Cisco 2003]
– Each IP packet's source address is looked up in the routing table; the packet is accepted only if the route back to that source points out the interface the packet arrived on.
– RPF-enabled routers thus forward only packets whose source addresses are consistent with the IP routing table.
– Loose and feasible-path modes provide ingress filtering for multihomed networks [RFC 3704]
– Strict mode is not suitable for asymmetric routing paths (reported for over 50% of paths): legitimate packets arriving on the "wrong" interface are dropped
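To make the difference between the RFC 2827 ACL and the three uRPF modes concrete, here is an added example (not from the slides, and not vendor code) that models one ISP edge router's FIB and runs all four checks against the same packets. The FIB, the interface names, the customer prefix assignments and the four test packets are constructed for illustration.

```python
import ipaddress

# Constructed FIB of a hypothetical ISP edge router (illustrative, not from the slides):
# prefix -> interfaces through which the prefix is reachable, best path first.
FIB = [
    (ipaddress.ip_network("192.0.2.0/24"), ["cust-a"]),                # single-homed customer A
    (ipaddress.ip_network("198.51.100.0/24"), ["cust-b", "upstream"]),  # multihomed customer B
    (ipaddress.ip_network("203.0.113.0/24"), ["peer"]),                 # settlement-free peer
    (ipaddress.ip_network("0.0.0.0/0"), ["upstream"]),                  # default route
]

# RFC 2827 ingress ACL: the only source prefixes each customer port may emit (constructed).
ASSIGNED = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/24")],
}


def lookup(src):
    """Longest-prefix match for src: returns (network, interfaces) or None."""
    best = None
    for net, ifaces in FIB:
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    return best


def ingress_acl(src, iface):
    """RFC 2827: on a customer port, accept only the customer's own prefixes."""
    if iface not in ASSIGNED:  # not a customer edge port: the ACL does not apply here
        return True
    return any(src in net for net in ASSIGNED[iface])


def urpf(src, iface, mode, allow_default=False):
    """Unicast RPF: accept iff the FIB entry for src is consistent with the arrival interface."""
    route = lookup(src)
    if route is None:
        return False
    net, ifaces = route
    if net.prefixlen == 0 and not allow_default:
        return False  # only the default route matched: treated as "no route back"
    if mode == "strict":    # best path must point back out the arrival interface
        return ifaces[0] == iface
    if mode == "feasible":  # RFC 3704: any feasible path (multihoming) is good enough
        return iface in ifaces
    if mode == "loose":     # any route at all: catches bogons, not routable spoofs
        return True
    raise ValueError(mode)


def check(src, iface):
    """Run all four checks for one packet; True means 'forward'."""
    src = ipaddress.ip_address(src)
    return {
        "acl": ingress_acl(src, iface),
        "strict": urpf(src, iface, "strict"),
        "feasible": urpf(src, iface, "feasible"),
        "loose": urpf(src, iface, "loose"),
    }


if __name__ == "__main__":
    cases = [
        ("192.0.2.5", "cust-a"),       # legitimate customer A packet
        ("203.0.113.9", "cust-a"),     # customer A spoofing the peer's address
        ("198.51.100.7", "upstream"),  # customer B arriving asymmetrically via its other ISP
        ("10.1.2.3", "upstream"),      # bogon source with no route
    ]
    for src, iface in cases:
        print(f"{src:>14} on {iface:<8} -> {check(src, iface)}")
```

The third packet is the asymmetric-routing case from the slide: strict uRPF drops customer B's legitimate traffic because the best route to 198.51.100.0/24 points at cust-b, while feasible-path mode accepts it. The second packet shows the other side of the trade-off: loose mode forwards a spoofed but routable address and only the ACL or strict/feasible mode stops it.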
4. IP Spoofing Prevention
③ Route-based Distributed Packet Filtering (DPF) [ACM SIGCOMM, 2001]
– Filters spoofed packets using routing information: a router drops a packet if, given the routes, no packet with that source address should arrive over that link; this also works under routing asymmetry.
– DPF gives no direct incentive to deployers: everyone shares the benefits.
– DPF depends on up-to-date routing information, which is difficult to maintain.
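The route-based idea is easiest to see on a toy AS graph. The following added example is my own simplification of the SIGCOMM 2001 filter, not the paper's code: it computes shortest-path routes over a constructed five-AS topology (BFS stands in for the BGP routes a real deployment would read from routers), derives at every AS the set of (source AS, incoming neighbor) pairs that routing can legitimately produce, and filters on that set. The topology and AS numbers are hypothetical.

```python
from collections import deque

# Constructed AS-level topology (hypothetical): undirected links; neighbor order fixes tie-breaks.
TOPOLOGY = {
    1: [2, 3],
    2: [1, 4],
    3: [1, 4],
    4: [2, 3, 5],
    5: [4],
}


def shortest_path(topo, src, dst):
    """BFS shortest path from src to dst; deterministic tie-break by neighbor order.
    Stands in for the inter-domain routes the real filter would take from BGP."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nb in topo[node]:
            if nb not in prev:
                prev[nb] = node
                queue.append(nb)
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def build_filter_tables(topo):
    """Route-based filter: at AS v, a packet claiming source s that arrives from neighbor u
    is plausible only if some route s -> d in the routing actually traverses the link u -> v."""
    allowed = {v: set() for v in topo}
    for s in topo:
        for d in topo:
            if s == d:
                continue
            route = shortest_path(topo, s, d)
            for u, v in zip(route, route[1:]):
                allowed[v].add((s, u))
    return allowed


def dpf_accept(allowed, at_as, claimed_src_as, from_neighbor):
    """Filtering decision at one AS for one packet."""
    return (claimed_src_as, from_neighbor) in allowed[at_as]


def first_filtering_as(topo, allowed, attacker, claimed_src, victim):
    """Follow the attacker's real route to the victim and report the AS that drops the
    spoofed packet, or None if the spoof reaches the victim."""
    route = shortest_path(topo, attacker, victim)
    for u, v in zip(route, route[1:]):
        if not dpf_accept(allowed, v, claimed_src, u):
            return v
    return None


if __name__ == "__main__":
    allowed = build_filter_tables(TOPOLOGY)
    print("filter table at AS 4:", sorted(allowed[4]))
    # AS 3 spoofs AS 1 toward AS 5: dropped at AS 4, no route from 1 enters 4 via 3.
    print("3 spoofing 1 -> 5 dropped at:", first_filtering_as(TOPOLOGY, allowed, 3, 1, 5))
    # AS 2 spoofs AS 1 toward AS 5: undetectable, AS 2 sits on AS 1's real route to 5.
    print("2 spoofing 1 -> 5 dropped at:", first_filtering_as(TOPOLOGY, allowed, 2, 1, 5))
```

Two properties from the slide fall out of the run. The filter at AS 4 protects AS 5, while AS 4 itself gains nothing from deploying it, which is the missing direct incentive; and the table is only as good as the routes it was built from, so any change in the topology (drop the 2-4 link and rerun `build_filter_tables`) requires a rebuild. The second spoof also shows the residual attack surface: an attacker on the victim's real route to the claimed source cannot be told apart from that source by routing information alone.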
4. IP Spoofing Prevention
④ BGP Anti-Spoofing Extension (BASE) [ASIACCS, 2007]
① Distribution of marking values
② Filter invocation
③ Packet marking & filtering
④ Filter revocation
• Incremental deployability
– Initial benefits for the early adopters
– Incremental benefits for the early majority
– Effectiveness under partial deployment
• Strong filtering performance
– 30% deployment can drop about 97% of attack packets
5. DDoS Defense Location
1. Defense at victim
2. Defense at network
3. Defense at sources
Primary Attack Mitigation Techniques
• Attack packet dropping w/ ACLs, blackholing
Source: Worldwide Infrastructure Security Report, Arbor Networks, Sep. 2007
Rate Limiting for DDoS Mitigation
• Unified rate limiting, ISPEC 2008
– Works close to attack sources
– Deals with Internet worms and DDoS attacks
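Rate limiting near the sources is easiest to reason about as one token bucket per subscriber that is charged for every new flow (a TCP SYN or the first packet of a new 5-tuple): both a scanning worm and a flooding bot stand out by the rate at which they open new flows, while a browsing user does not, so one limiter covers both. The block below is an added illustration of that idea and not the ISPEC 2008 mechanism; the rate, burst size and the packet trace are constructed.

```python
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "t src sport dst dport syn")


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class NewFlowLimiter:
    """Per-source limiter charged for *new* flows only: packets of admitted flows are
    never charged, so a limited host keeps its sessions but cannot fan out."""

    def __init__(self, rate, burst):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))
        self.seen = set()  # admitted (src, sport, dst, dport) tuples

    def process(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.seen and not pkt.syn:
            return True  # continuation of an admitted flow
        if self.buckets[pkt.src].allow(pkt.t):
            self.seen.add(key)
            return True
        return False


def run(packets, rate=5.0, burst=10):
    """Returns per source: [forwarded, dropped] packet counts."""
    limiter = NewFlowLimiter(rate, burst)
    stats = defaultdict(lambda: [0, 0])
    for p in sorted(packets, key=lambda p: p.t):
        stats[p.src][0 if limiter.process(p) else 1] += 1
    return dict(stats)


def constructed_trace():
    """Constructed access-network trace: one scanning worm, one SYN-flooding bot, one user."""
    pkts = []
    for i in range(100):  # 10.0.0.1: 100 SYNs to 100 different hosts within 100 ms
        pkts.append(Packet(i * 0.001, "10.0.0.1", 50000 + i, f"203.0.113.{i}", 445, True))
    for i in range(100):  # 10.0.0.2: 100 SYNs to one victim within 100 ms, random source ports
        pkts.append(Packet(i * 0.001, "10.0.0.2", 40000 + i, "198.51.100.80", 80, True))
    for i in range(20):   # 10.0.0.3: one new connection every half second for 10 s
        pkts.append(Packet(i * 0.5, "10.0.0.3", 60000 + i, "192.0.2.10", 443, True))
    return pkts


if __name__ == "__main__":
    for src, (fwd, drop) in sorted(run(constructed_trace()).items()):
        print(f"{src}: forwarded={fwd} dropped={drop}")
```

With a burst of 10 and 5 new flows per second, both attackers get their first 10 SYNs through and lose the rest, while the user never touches the limit; in practice the bucket parameters have to be set from the measured new-flow rate of legitimate subscribers, and a limiter keyed on source address is only meaningful where the access network already prevents source spoofing.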
Anomaly Worm Detection
• ADUR, IEICE T COMM 2007
– Anomaly Detection Using Randomness check
| State | Description |
|-------|-------------|
| Calm | Normal state |
| Flowing | Attacked by a worm from another infected network |
| Ebbing | Infected by a worm on the monitored network |
| Flooding | Both Flowing and Ebbing |

ADUR classifies the network into these four states.
Anomaly DDoS Detection
• FDD (FE and DDoS Distinguisher)
– Distinguishing between flash events and DDoS attacks using randomness check
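Both detectors rest on the same primitive, a randomness check over a window of addresses. The added example below is my own illustration of that primitive for the ADUR states above and for the flash-event/DDoS distinction, not the IEICE or FDD code: it uses the rank over GF(2) of a binary matrix whose rows are address bits. Addresses picked by a scanning worm or a spoofing flooder look like random bit vectors and give a near-full-rank matrix, while destinations of normal traffic are few and sources of a flash event cluster in a handful of networks, which keeps the rank low. The monitored prefix, the thresholds, the per-direction logic for the four states and the traffic samples are all constructed; the papers' actual matrix construction and thresholds differ.

```python
import random
from collections import namedtuple

Flow = namedtuple("Flow", "src dst")

MONITORED = (0x0A0A0000, 0xFFFF0000)  # 10.10.0.0/16, the watched network (constructed)
WINDOW = 64                          # addresses per check
RANDOM_THRESHOLD = 0.75              # rank ratio above which a window counts as random


def ip(s):
    a, b, c, d = (int(x) for x in s.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def is_local(addr):
    net, mask = MONITORED
    return addr & mask == net


def gf2_rank(rows):
    """Rank of a binary matrix over GF(2); each row is an int used as a bit vector."""
    pivots = {}  # leading bit -> basis row with that leading bit
    for r in rows:
        while r:
            hb = r.bit_length() - 1
            if hb in pivots:
                r ^= pivots[hb]  # eliminate the leading bit
            else:
                pivots[hb] = r   # new independent row
                break
    return len(pivots)


def randomness(addrs, bits):
    """Rank ratio of the matrix built from the low `bits` bits of the last WINDOW addresses."""
    mask = (1 << bits) - 1
    return gf2_rank([a & mask for a in addrs[-WINDOW:]]) / bits


def adur_state(flows):
    """ADUR-style state from the host part (16 bits) of destinations, per direction."""
    inbound = [f.dst for f in flows if is_local(f.dst) and not is_local(f.src)]
    outbound = [f.dst for f in flows if is_local(f.src) and not is_local(f.dst)]
    flowing = len(inbound) >= 16 and randomness(inbound, 16) > RANDOM_THRESHOLD
    ebbing = len(outbound) >= 16 and randomness(outbound, 16) > RANDOM_THRESHOLD
    return {(False, False): "Calm", (True, False): "Flowing",
            (False, True): "Ebbing", (True, True): "Flooding"}[(flowing, ebbing)]


def fdd_verdict(flows):
    """FDD-style verdict from the full 32-bit source addresses hitting the local network."""
    sources = [f.src for f in flows if is_local(f.dst)]
    return "DDoS" if randomness(sources, 32) > RANDOM_THRESHOLD else "flash event"


def seeded(seed=7):
    """Deterministic RNG for the constructed samples."""
    return random.Random(seed)


def sample(rng, inbound_worm=False, outbound_worm=False, n=WINDOW):
    """Constructed traffic: normal flows hit a few servers, worm flows scan random hosts."""
    local = [ip("10.10.1.10"), ip("10.10.1.11"), ip("10.10.2.20")]
    remote = [ip("198.51.100.5"), ip("203.0.113.7")]
    flows = []
    for _ in range(n):
        ext = ip("192.0.2.0") | rng.getrandbits(8)
        dst = (MONITORED[0] | rng.getrandbits(16)) if inbound_worm else rng.choice(local)
        flows.append(Flow(ext, dst))  # inbound
        dst = (ip("11.0.0.0") | rng.getrandbits(24)) if outbound_worm else rng.choice(remote)
        flows.append(Flow(rng.choice(local), dst))  # outbound
    return flows


def flash_event(rng, n=WINDOW):
    """Real clients cluster in a few /24s, so the high 24 bits take only five values."""
    nets = [ip("192.0.2.0"), ip("198.51.100.0"), ip("203.0.113.0"), ip("192.0.3.0"), ip("192.0.4.0")]
    return [Flow(rng.choice(nets) | rng.getrandbits(8), ip("10.10.1.10")) for _ in range(n)]


def spoofed_ddos(rng, n=WINDOW):
    """Spoofed flood: every source is a fresh random 32-bit value."""
    return [Flow(rng.getrandbits(32), ip("10.10.1.10")) for _ in range(n)]


if __name__ == "__main__":
    rng = seeded()
    for label, kw in [("normal", {}), ("worm from outside", {"inbound_worm": True}),
                      ("worm inside", {"outbound_worm": True}),
                      ("both", {"inbound_worm": True, "outbound_worm": True})]:
        print(f"{label:>18}: {adur_state(sample(rng, **kw))}")
    print("flash event:", fdd_verdict(flash_event(rng)), "| spoofed flood:", fdd_verdict(spoofed_ddos(rng)))
```

The bound behind the flash-event case is worth keeping in mind when tuning the threshold: with sources drawn from k prefixes and b random host bits, the rank cannot exceed k + b (here 5 + 8 = 13 of 32), whereas 64 random 32-bit rows are full rank with overwhelming probability. The weak spot of any such check is traffic that is legitimately diverse, such as the outbound web traffic of a large campus, which is why a deployment pairs the rank statistic with per-host rates rather than using it alone.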
VoIP Malformed & Flooding Detection
• Internet telephony attack detection, IFIP SEC’08
– Rule matching + state transition models
– Detects malformed messages and flooding attacks
6. Attack Visualization
Benefits of visualization:
• Deals with large, noisy data easily
• Intuitive
• Helps come up with new hypotheses
• Higher degree of confidence
• Faster
Visualization Methods
Figures: NSFNET T1 backbone in 1991; City Scape: SDM (Chuah et al., 1995); Parallel coordinates; H-h Chi et al., IEEE InfoVis'97, A Spreadsheet Approach
Visualization in Security
Figures: J. McPherson et al., PortVis, ACM CCS 2004; S. Kim et al., IEEE INFOCOM 2005; CAIDA skitter project; I.-V. Onut et al., SVision, Computers & Security 2007
Parallel Coordinate Attack Visualization
1. Worm graph (Slammer)
2. DDoS attack
3. Hostscan
4. Portscan
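On parallel coordinates with a source, a destination and a port axis, each of the four patterns is a fan: many sources converging on one destination (DDoS), one source fanning out on the destination axis at one port (hostscan), one source and one destination fanning out on the port axis (portscan), and several sources each fanning out on the same port (worm). The added example below is my own reduction of those shapes to per-axis cardinalities over a flow window; it is not PCAV's signature engine, and the threshold and the five flow samples are constructed.

```python
MANY = 16  # distinct values on an axis that count as a "fan" (constructed threshold)


def axis_summary(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port). Returns the distinct-value sets of
    the three axes and, per source, how many destinations it talked to."""
    flows = list(flows)
    srcs = {f[0] for f in flows}
    dsts = {f[1] for f in flows}
    ports = {f[2] for f in flows}
    fanout = {s: len({dst for src, dst, _ in flows if src == s}) for s in srcs}
    return srcs, dsts, ports, fanout


def classify(flows):
    """Map the fan shapes of the parallel-coordinate plot to the four attack classes."""
    srcs, dsts, ports, fanout = axis_summary(flows)
    scanners = sum(1 for s in srcs if fanout[s] >= MANY)
    if len(dsts) == 1 and len(srcs) >= MANY:
        return "DDoS"      # many sources converge on one destination
    if len(srcs) == 1 and len(dsts) == 1 and len(ports) >= MANY:
        return "Portscan"  # one source, one target, a fan on the port axis
    if len(srcs) == 1 and len(dsts) >= MANY and len(ports) == 1:
        return "Hostscan"  # one source, a fan on the destination axis, one port
    if scanners >= 2 and len(ports) == 1:
        return "Worm"      # several sources each fanning out on the same port
    return "Normal"


def sample(kind):
    """Constructed flow windows, one per pattern (addresses are documentation ranges)."""
    if kind == "hostscan":
        return [("10.0.0.5", f"10.1.{i // 256}.{i % 256}", 22) for i in range(200)]
    if kind == "portscan":
        return [("10.0.0.5", "10.1.0.9", p) for p in range(1, 201)]
    if kind == "ddos":
        return [(f"198.51.{i // 256}.{i % 256}", "10.1.0.80", 80) for i in range(300)]
    if kind == "worm":  # five infected hosts, each hitting 60 pseudo-random targets on UDP/1434
        return [(f"10.0.{k}.1", f"10.{(k * 7 + i * 13) % 256}.{(i * 97) % 256}.{(i * 31 + k) % 256}", 1434)
                for k in range(5) for i in range(60)]
    if kind == "normal":  # ten users each talking to three web sites
        return [(f"10.0.1.{u}", f"203.0.113.{s}", 443) for u in range(10) for s in (10, 20, 30)]
    raise ValueError(kind)


if __name__ == "__main__":
    for kind in ("hostscan", "portscan", "ddos", "worm", "normal"):
        print(f"{kind:>9}: {classify(sample(kind))}")
```

The order of the tests matters: a DDoS is checked before the scans because a portscan also has a single destination, and the worm rule runs last because a single scanning host is just a hostscan. Real windows mix patterns, which is exactly where the visual plot still beats a cardinality rule and why PCAV keeps the picture.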
Application Program of PCAV
• PCAV 2.0 demonstration
http://ccs.korea.ac.kr/PCAV
What is a “bot”?
• Bot
– A bot is a servant process on a compromised system
– It communicates with a handler or controller, often running on public or other compromised systems
– A botmaster or botherder commands the bots to perform all kinds of malicious activities
• Botnet
– A network of bots and controller(s) is referred to as a botnet or zombie network
Malicious Activities of Botnet
Most recent incidents are related to botnets.
Botnet Group Activity
• Group Activity (inherent property), IEEE CIT 2007
– A large number of bots always act as a group
Figure: the bots' DNS queries, their connections to the controller and their command execution all show up as group activity, which is the observable footprint of botnet activity.
Experimental Results
• Similarity of botnet and normal DNS traffic
– The similarity of the botnet's DNS queries exceeds a given threshold, which separates them from normal DNS traffic
Botnet domain name detection
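The group-activity property can be checked directly on a DNS query log: bots resolve their controller's name together, so the set of hosts querying that name in one rendezvous window largely reappears in the next, while the clients of a popular legitimate name churn. The added example below is my illustration of the CIT 2007 idea, not the paper's code: it bins a constructed query log into fixed windows, computes the Jaccard similarity between the querier sets of consecutive windows for every name, and flags names whose group is large and whose similarity exceeds a threshold. The log format, window size, thresholds and log lines are constructed.

```python
from collections import defaultdict

WINDOW_SECONDS = 300        # bin width for "acting as a group"
MIN_GROUP = 10              # ignore names queried by fewer hosts than this in a window
SIMILARITY_THRESHOLD = 0.7  # mean Jaccard similarity above which a name is flagged


def parse(lines):
    """Lines look like '<epoch> <client-ip> <qname>' (constructed format)."""
    for line in lines:
        t, client, qname = line.split()
        yield int(t), client, qname.lower().rstrip(".")


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0


def group_similarity(records):
    """For every qname: the querier set per window, then the mean Jaccard similarity
    between consecutive windows in which the group is at least MIN_GROUP strong."""
    per_name = defaultdict(lambda: defaultdict(set))
    for t, client, qname in records:
        per_name[qname][t // WINDOW_SECONDS].add(client)
    result = {}
    for qname, windows in per_name.items():
        groups = [clients for _, clients in sorted(windows.items()) if len(clients) >= MIN_GROUP]
        if len(groups) < 2:
            continue  # no repeated group activity to compare
        sims = [jaccard(x, y) for x, y in zip(groups, groups[1:])]
        result[qname] = sum(sims) / len(sims)
    return result


def suspicious_names(lines):
    sims = group_similarity(parse(lines))
    return sorted(name for name, s in sims.items() if s >= SIMILARITY_THRESHOLD)


def constructed_log():
    """Constructed DNS query log: 20 bots with two rendezvous an hour apart, plus a
    popular legitimate name whose clients mostly differ between windows."""
    lines = []
    bots = [f"10.2.{i // 256}.{i % 256}" for i in range(20)]
    for i, b in enumerate(bots):  # rendezvous 1: all 20 bots
        lines.append(f"{i} {b} cnc.example.net")
    for i, b in enumerate(bots[2:] + ["10.2.0.200", "10.2.0.201"]):  # rendezvous 2: 18 old + 2 new
        lines.append(f"{3600 + i} {b} cnc.example.net")
    for i in range(30):  # legitimate name, window 1: clients .0 to .29
        lines.append(f"{10 + i} 10.3.0.{i} www.example.com")
    for i in range(30):  # legitimate name, window 2: clients .20 to .49
        lines.append(f"{3610 + i} 10.3.0.{20 + i} www.example.com")
    return lines


if __name__ == "__main__":
    log = constructed_log()
    for name, s in sorted(group_similarity(parse(log)).items()):
        print(f"{name:<18} similarity={s:.3f}")
    print("flagged:", suspicious_names(log))
```

The botnet name scores 18/22 even with two bots cleaned and two newly infected, while the legitimate name scores 0.2. Names with a stable set of legitimate clients (a mail relay, an NTP pool member, an internal update server) will score high too, so in practice the flagged list is checked against a whitelist and confirmed over several windows before anyone blacklists a domain.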
Coordinated Defense Approach
• DDoS attack information sharing
– Fingerprint Sharing Alliance by Arbor Networks
Figure: ISP A detects the DDoS attack, sends a "fingerprint" of the attack traffic to its upstream ISPs, and they block the attack traffic.
Proposal: DDoS Coordination Center
• Motivation
– Who can help an enterprise in an emergency?
– Including small and medium enterprises
– ISP’s roles are becoming crucial
• Roles for the DDoS coordination center
– Systematic monitoring
– Coordination of responses to DDoS attacks
– Protocol development and implementation
– Technical support
DDoS Defenses at Corporate Networks
• DDoS-resilient network design
– Distribution of gateways, and servers
– Name server placements for robust DNS
• Development of secure applications
– Human-robot identification (e.g. CAPTCHAs)
– Mitigating abnormal resource consumption
• Security teams for planning and responses
– Monitoring DDoS attacks for quicker responses
– Preparing response plans, including ISP contacts
– On-demand filtering for attack traffic
7. Concluding Remarks
• Prevalence of DDoS attacks
– Increasing ransom attacks
– Hard to find a proper countermeasure
• Mitigating botnet attacks
– Botnet monitoring (IRC/HTTP/P2P bots)
– Blacklisting and punishment
• Responding to DDoS attacks
– Need good incident response plan, including ISP contacts
– Identify type of attack and filter attack traffic upstream
References
• K. Park, D. Seo, J. Yoo, H. Lee, H. Kim, "Unified Rate Limiting in Broadband Access Networks for Defeating Internet Worms and DDoS Attacks", ISPEC, Apr. 2008.
• H. Choi, H. Lee, H. Lee, H. Kim, "Botnet Detection by Monitoring Group Activities in DNS Traffic", IEEE CIT, Oct. 2007.
• H. Park, H. Lee, H. Kim, "Detecting Unknown Worms using Randomness Check", IEICE Trans. Comm., Vol. E90-B, No. 4, pp. 894-903, Apr. 2007.
• H. Lee, M. Kwon, G. Hasker, A. Perrig, "BASE: An Incrementally Deployable Mechanism for Viable IP Spoofing Prevention", ACM Symp. on Information, Computer and Communications Security (ASIACCS), Mar. 2007.
• H. Lee, J. Kim, W. Lee, "Resiliency of Network Topologies under Path-Based Attacks", IEICE Trans. Comm., Vol. E89-B, No. 10, pp. 2878-2884, Oct. 2006.
• H. Choi, H. Lee, "PCAV: Internet Attack Visualization on Parallel Coordinates", Int'l Conf. on Information and Communications Security (ICICS), LNCS 3783, pp. 454-466, Dec. 2005.
• K. Park, H. Lee, "On the Effectiveness of Route-Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets", ACM SIGCOMM, pp. 15-26, Aug. 2001.
• K. Park, H. Lee, "On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack", IEEE INFOCOM, Apr. 2001.
• Further information is available at http://ccs.korea.ac.kr.