ddos by weingarte.pointer


									Defense Against DDoS

  Presented by Zhanxiang
  for [Crab] Apr. 15, 2004
                DoS & DDoS
   DoS: “an attack with the purpose of preventing
    legitimate users from using a victim computing
    system or network resource” [3]

   DDoS: “A Distributed Denial of Service (DDoS)
    attack uses many computers to launch a
    coordinated DoS attack against one or more
    targets. “ [4]

   You may have paid for the hardware, but do you
    really own your network?
         Typical Attack Skill
 SYN Flooding
 IP spoofing
 Bandwidth attack
 Filling victim’s hard disk space
        What can DoS lead to?
 Website
 Mail Server
 Emergency

   Many tools are available for DoS attack
    and teenagers must like to try them.[2]
                Case Study
   DDoS attack hits clickbank and
    spamcop.net, by Mirko Zorz, June 25,

   Super Bowl fuels gambling sites' extortion
    fears, by Paul Roberts, IDG News Service,
    January 28, 2004
   Two general area:
     Defense against IP spoofing
     Defense against bandwidth flooding attack

   Turn to Lingxuan
Against Bandwidth Flooding Attack
   Goal: stop attacks on their way to the victims
   Scheme: SIFF[1]
            SIFF: Assumptions
   Marking space in the IP header.

   Routers mark every packet.

   Short-term Route Stability.
   Divide all traffic into
       Privileged: Always get transfer
       Unprivileged: Transferred if not affect
        Privileged packets

   Unprivileged -------------------> Privileged
             (to get the privilege token)
                  Idea (cont.)
   Routers
     mark packets in hand shakes
     match privilege token while forwarding

   Recipient refuse the attack flow by
     not providing the privilege token
     or provide a false one
          Packet Identifier Design

   Flags field (3-bits).
       SF: Packet is non-legacy
       PT: EXP or DTA
       CU: Capability reply present or not
   Capability: Marks modified by routers
   C-R: recipients to signal to sender a capability
Client          Routers         Server

    EXP(0)                               Legend:
                      EXP(0) {α}         {Capability Reply}


        Router Marking Calculation
IP of the Interface
 that at which the
 packet arrived at

IP of the Last-hop
 router’s outgoing    Keyed Hash Fun   Last z bits   Marking

Source IP and
Destination IP of
  the packet
       Marking Scheme for EXP

   Packets with a capability field of all zeros get
    marked with an additional 1bit.
   Routers push their markings into the least
    significant bits of the capability field.
Authentication scheme for DTA

   Routers check the marking in the least
    significant bits of the capability field, and rotate it
    into the most significant bits, if it is equal to what
    the marking would be for an EXPLORER packet.
                    Key Switch
   Why?
       If the hash fun does not change periodically,
        an attacker can simply obtain a capability
        through a seemingly legitimate request, and
        then use it to flood the server with privileged

   Solution
       Windowed authentication and marking
      Windowed authentication and
           Marking for DTA

   Routers check that the marking equals one of
    the valid markings in its window and always
    rotate the newest marking in the window into the
    capability field.
Do Guesses work?
           x: # of markings each
            router maintains in its

           z: # of bits per router

           P(x, z): probability that a
            randomly guessed
            capability will pass a
            particular router.
   Can Privilege Channel be
Established Under Unprivileged
       Packet Flooding?
                  i: hops of the network;

                  εi: Probability of
                   getting dropped at
                   any one of those
   Depend on mechanism to detect attack

   Network with some router not
    implemented SIFF

   Colluding attacker

   Host granularity not application granularity
[1] SIFF: A Stateless Internet Flow Filter to Mitigate DDoS
     Flooding Attacks. With Avi Yaar and Dawn Song. Appears
     in 2004 IEEE Symposium on Security and Privacy

[2] Tools: http://staff.washington.edu/dittrich/misc/ddos/

[3] David Karig and Ruby Lee, “Remote Denial of Service
     Attacks and Countermeasures,” Princeton University
     Department of Electrical Engineering Technical Report CE-
     L2001-002, October 2001.

[4] Lincoln Stein and John N. Stuart. “The World Wide Web
      Security FAQ”, Version 3.1.2, February 4, 2002.
      http://www.w3.org/security/faq/ (8 April 2003).

To top