A Taxonomy of DDoS Attack and DDoS Defense Mechanisms

Written by Jelena Mirkovic and Peter Reiher
In ACM SIGCOMM Computer Communication Review, April 2005
Presented by Jared Bott

Key Point!
• DDoS attacks can be carried out in a wide variety of ways, for a wide variety of purposes
• DDoS defenses show equally great variety

DDoS Attacks
• An explicit attempt to prevent the legitimate use of a service
• Multiple attacking entities, known as agents
• DDoS is a serious problem
• Many proposals about how to deal with it
(Figure: several agents sending attack traffic to a single target)

What makes DDoS attacks possible?
• Answer: the end-to-end paradigm
• Internet security is highly interdependent
  • The susceptibility of a system depends on the security of the rest of the Internet
• Internet resources are limited
• Intelligence and resources are not collocated
  • End systems are intelligent; intermediate systems are rich in resources

• Accountability is not enforced
  • IP spoofing is possible
• Control is distributed
  • No way to enforce global deployment of a security mechanism or policy

Taxonomy of Attacks
(Figure: overview diagram of the attack taxonomy, spread over two slides)

DA: Degree of Automation
• How involved is the attacker?
• Automation of the recruit, exploit, infect and scan phases
• DA-1: Manual
  • The attacker scans, breaks in and installs the attack code by hand
• DA-2: Semi-Automatic
  • Recruit, exploit and infect phases are automated; the attack itself is launched on the attacker's command
• DA-3: Automatic
  • The attack phase is automated as well: target, start time and duration are programmed into the agent code in advance

DA-2:CM: Communication Mechanism
• How do the parts of a semi-automatic attack network communicate?
• DA-2:CM-1: Direct Communication
  • Agents and handlers know each other's identities
  • Communication through TCP or UDP
• DA-2:CM-2: Indirect Communication
  • Communication through a third-party service such as IRC

DA-2/DA-3:HSS: Host Scanning Strategy
• How do attackers find computers to make into agents?
• Choose addresses of potentially vulnerable machines to scan
• DA-2/DA-3:HSS-1: Random Scanning
• DA-2/DA-3:HSS-2: Hitlist Scanning

DA-2/DA-3:HSS: Host Scanning Strategy
• DA-2/DA-3:HSS-3: Signpost Scanning
  • Topological scanning: use information found on the compromised host to pick the next targets
  • Email worms send emails to everyone in the address book
  • Web-server worms infect visitors' vulnerable browsers, which then infect servers visited later

DA-2/DA-3:HSS: Host Scanning Strategy
• DA-2/DA-3:HSS-4: Permutation Scanning
  • A pseudo-random permutation of the IP space is shared among all infected machines
  • A newly infected machine starts at a random point in the permutation
• DA-2/DA-3:HSS-5: Local Subnet Scanning
• Examples:
  • HSS-1: Code Red v2
  • HSS-5: Code Red II, Nimda

DA-2/DA-3:VSS: Vulnerability Scanning Strategy
• We have found a machine; can it be "infected"?
• DA-2/DA-3:VSS-1: Horizontal Scanning
  • Probe the same port on many machines
• DA-2/DA-3:VSS-2: Vertical Scanning
  • Probe many ports on one machine
• DA-2/DA-3:VSS-3: Coordinated Scanning
  • Several agents coordinate to probe the same port(s) at multiple machines within a local subnet
• DA-2/DA-3:VSS-4: Stealthy Scanning
  • Probe slowly enough to stay under detection thresholds

DA-2/DA-3:PM: Propagation Method
• How does attack code get onto compromised machines?
• DA-2/DA-3:PM-1: Central Source Propagation
  • Attack code resides on one or more central servers; each newly compromised host downloads it from there

DA-2/DA-3:PM: Propagation Method
• DA-2/DA-3:PM-2: Back-Chaining Propagation
  • Attack code is downloaded from the machine that exploited the system

DA-2/DA-3:PM: Propagation Method
• DA-2/DA-3:PM-3: Autonomous Propagation
  • Attack instructions are injected directly into the target host during the exploit phase; there is no separate download step
  • Ex. Code Red, various email worms, the Warhol worm idea

EW: Exploited Weakness to Deny Service
• What weakness of the target machine is exploited to deny service?
• EW-1: Semantic
  • Exploit a specific feature or implementation bug
  • Ex. TCP SYN attack
    • The exploited feature is the allocation of substantial space in a connection queue immediately upon receipt of a TCP SYN
• EW-2: Brute-Force
  • Send more seemingly legitimate traffic than the victim can handle

SAV: Source Address Validity
• Do packets carry the agents' real IP addresses?
• SAV-1: Spoofed Source Address
• SAV-2: Valid Source Address
  • Frequently originate from Windows machines (older Windows versions gave agent code no raw-socket access with which to forge a source address)
• SAV-1:AR: Address Routability
  • This is not the attacker's address, but can it be routed?
• SAV-1:AR-1: Routable Source Address
• SAV-1:AR-2: Non-Routable Source Address

SAV-1:ST: Spoofing Technique
• How does an agent come up with an IP address?
• SAV-1:ST-1: Random Spoofed Source Address
  • A random 32-bit number
  • Prevented by ingress filtering and route-based filtering
• SAV-1:ST-2: Subnet Spoofed Source Address
  • Spoofs a random address from the address space assigned to the machine's subnet
  • Ex. A machine in 131.179.192.0/24 chooses from the range 131.179.192.0 to 131.179.192.255
  • Passes ingress filtering, since the address belongs to the subnet's own prefix

SAV-1:ST: Spoofing Technique
• SAV-1:ST-3: En Route Spoofed Source Address
  • Spoof the address of a machine or subnet along the path to the victim
• SAV-1:ST-4: Fixed Spoofed Source Address
  • Choose a source address from a specific list
  • Ex. Reflector attack: the spoofed source is the real victim, so the reflectors' replies flood it
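The SAV classification above (spoofed or valid, routable or not, random or subnet spoofing) can be exercised against an ingress filter. The following is an added example, not code from the paper or the slides: it models a BCP 38 ingress filter at the agent's upstream edge, generates random-spoofed and subnet-spoofed sources, and reports which ones the filter would forward. The agent's subnet is the slides' own 131.179.192.0/24; the agent's "real" address 131.179.192.42, the function names and the sample sizes are assumptions made for the example.

```python
import ipaddress
import random

# Constructed scenario, not from the paper: the agent sits in the subnet the
# slides use as their example. Its "real" address is an assumption.
AGENT_SUBNET = ipaddress.ip_network("131.179.192.0/24")
AGENT_REAL_ADDRESS = ipaddress.ip_address("131.179.192.42")


def spoof_random(rng):
    """SAV-1:ST-1: any 32-bit number becomes the source address."""
    return ipaddress.ip_address(rng.getrandbits(32))


def spoof_subnet(rng, subnet):
    """SAV-1:ST-2: a random address drawn from the agent's own subnet."""
    return subnet[rng.randrange(subnet.num_addresses)]


def is_routable(addr):
    """SAV-1:AR: can the rest of the Internet route a reply to this address?
    is_global is False for private, loopback, link-local, multicast and the
    other reserved ranges from the IANA special-purpose registry."""
    return addr.is_global


def ingress_filter_accepts(addr, customer_prefix):
    """Ingress filtering (BCP 38) at the agent's upstream edge: forward a
    packet only if its source lies inside the prefix assigned to that customer."""
    return addr in customer_prefix


def classify(addr_text, subnet=AGENT_SUBNET):
    """Place one source address in the SAV part of the taxonomy."""
    addr = ipaddress.ip_address(addr_text)
    return {
        "spoofed": addr != AGENT_REAL_ADDRESS,
        "routable": is_routable(addr),
        "passes_ingress_filter": ingress_filter_accepts(addr, subnet),
    }


def simulate(n=1000, seed=1):
    """How many of n packets of each spoofing technique get past the edge filter?"""
    rng = random.Random(seed)
    random_spoofed = [spoof_random(rng) for _ in range(n)]
    subnet_spoofed = [spoof_subnet(rng, AGENT_SUBNET) for _ in range(n)]
    return {
        "random_routable": sum(is_routable(a) for a in random_spoofed),
        "random_pass_filter": sum(ingress_filter_accepts(a, AGENT_SUBNET) for a in random_spoofed),
        "subnet_pass_filter": sum(ingress_filter_accepts(a, AGENT_SUBNET) for a in subnet_spoofed),
    }


if __name__ == "__main__":
    print(classify("10.0.0.1"))        # non-routable, dropped at the edge
    print(classify("8.8.8.8"))         # routable but not the customer's: dropped at the edge
    print(classify("131.179.192.7"))   # subnet-spoofed: routable and forwarded
    print(simulate())
```

The simulation makes the slide's point concrete: essentially none of the random-spoofed packets survive the customer-edge filter, while every subnet-spoofed packet does, which is why ingress filtering alone cannot stop ST-2 spoofing and why the victim can at best narrow the source down to a /24.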

ARD: Attack Rate Dynamics
• Does the attack rate change?
• ARD-1: Constant Rate
  • Used in the majority of known attacks
  • Best cost-effectiveness: minimal number of computers needed
  • Obvious anomaly in traffic
• ARD-2: Variable Rate

ARD-2:RCM: Rate Change Mechanism
• How does the rate change?
• ARD-2:RCM-1: Increasing Rate
  • A gradually increasing rate leads to slow exhaustion of the victim's resources
  • Can manipulate defenses that train their baseline models: each retraining accepts the higher rate as normal
• ARD-2:RCM-2: Fluctuating Rate
  • Adjust the attack rate based on the victim's behavior or on preprogrammed timing
  • Ex. Pulsing attack

PC: Possibility of Characterization
• Can the attacking traffic be characterized?
• Characterization may lead to filtering rules
• PC-1: Characterizable
  • Attacks that target specific protocols or applications at the victim
  • Can be identified by a combination of IP header and transport protocol header values, or by packet contents
  • Ex. TCP SYN attack: packets with the SYN bit set

PC-1:RAVS: Relation of Attack to Victim Services
• The traffic is characterizable, but is it related to the target's services?
• PC-1:RAVS-1: Filterable
  • Traffic made of malformed packets, or of packets for services that are not critical to the victim's operation
  • Ex. ICMP ECHO flood attack on a web server
• PC-1:RAVS-2: Non-Filterable
  • Well-formed packets that request legitimate and critical services
  • Filtering all packets that match the attack characterization would itself lead to a denial of service

PC: Possibility of Characterization
• PC-2: Non-Characterizable
  • Traffic that uses a variety of packets engaging different applications and protocols
  • Classification depends on the resources that can be spent on characterization and on the level of characterization sought
  • Ex. An attack uses a mixture of TCP packets with various combinations of TCP header fields
    • Characterizable as a TCP attack, but nothing finer without vast resources

PAS: Persistence of Agent Set
• Do the same agents attack the whole time?
• Some attacks vary their set of active agent machines
  • Avoids detection and hinders traceback
• PAS-1: Constant Agent Set
• PAS-2: Variable Agent Set
(Figure: one group of agents, drawn in bright red, attacks for 4 hours; a second group, in dark red, attacks for the next 4 hours)

VT: Victim Type
• What does the attack target?
• VT-1: Application
  • Ex. Bogus-signature attack on an authentication server
  • Authentication becomes impossible, but other applications on the host remain available
• VT-2: Host
  • Disable access to the target machine
  • Overload it, disable its communications, crash it, freeze it, or reboot it
  • Ex. TCP SYN attack overloads the machine's communications

VT: Victim Type
• VT-3: Resource Attacks
  • Target a critical resource in the victim's network
  • Ex. DNS server, router
  • Prevented by replicating critical services and designing a robust network topology
• VT-4: Network Attacks
  • Consume the incoming bandwidth of a target network
  • The victim must request help from upstream networks

VT: Victim Type
• VT-5: Infrastructure
  • Target a distributed service that is crucial for global Internet operation
  • Ex. Root DNS server attacks in October 2002 and February 2007

IV: Impact on the Victim
• How does an attack affect the victim's service?
• IV-1: Disruptive
  • Completely deny the victim's service to its clients
  • All currently reported attacks are of this kind
• IV-2: Degrading
  • Consume some portion of the victim's resources, seriously degrading service to customers
  • Could remain undetected for a long time

IV-1:PDR: Possibility of Dynamic Recovery
• Can a system recover from an attack? How?
• IV-1:PDR-1: Self-Recoverable
  • Service returns on its own once the attack traffic stops
  • Ex. UDP flooding attack
• IV-1:PDR-2: Human-Recoverable
  • Ex. Computer freezes and requires a reboot
• IV-1:PDR-3: Non-Recoverable
  • Permanent damage to the victim's hardware
  • No reliable accounts of such attacks

DDoS Defense
• Several factors hinder the advance of DDoS defense research
• Need for a distributed response at many points on the Internet
  • Many attacks need upstream network resources to stop
• Economic and social factors
  • A distributed response system must be deployed by parties that aren't directly damaged by a DDoS attack

DDoS Defense
• Lack of defense system benchmarks
  • No benchmark suite of attack scenarios or established evaluation methodologies
• Lack of detailed attack information
  • We have information on control programs
  • Information on the frequency of various attack types is lacking
  • Information on rate, duration, packet size, etc. is lacking

DDoS Defense
• Difficulty of large-scale testing
  • No large-scale test beds
    • The U.S. National Science Foundation is funding development of a large-scale cybersecurity test bed
  • No safe ways to perform live distributed experiments across the Internet
  • No detailed and realistic simulation tools that support thousands of nodes

Taxonomy of DDoS Defenses
(Figure: overview diagram of the defense taxonomy, spread over two slides)
AL: Activity Level
• When does a defense system work?
• AL-1: Preventive• Eliminate possibility of DDoS attacks or enable
victims to endure the attack without denial of service
• AL-1:PG: Prevention Goal• What is the system trying to do?• AL-1:PG-1: Attack Prevention
• The system is trying to prevent attacks

AL-1:PG-1:ST: Secured Target
• What does the system try to secure to prevent an attack?
• AL-1:PG-1:ST-1: System Security
  • Secure the system itself
  • Guard against illegitimate accesses to a machine
  • Remove application bugs, update protocol installations
  • Ex. Firewall systems, IDSs, automated updates

AL-1:PG-1:ST: Secured Target
• AL-1:PG-1:ST-2: Protocol Security
  • Secure the protocols
  • Bad protocol design examples: TCP SYN attack, authentication server attack, IP source address spoofing
  • Ex. Deployment of a powerful proxy server that completes TCP connections before handing them to the real server
  • Ex. TCP SYN cookies
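SYN cookies are the protocol-level fix for the semantic weakness described under EW-1 (queue space allocated on every SYN). The following is an added example, not code from the paper or the slides: the server encodes the connection's identity into the initial sequence number of its SYN-ACK instead of allocating a queue entry, and recovers what it needs from the client's final ACK. The cookie layout (5 bits of a counter, 3 bits of MSS index, 24 bits of keyed hash), the MSS table, the secret, the addresses and the function names are all assumptions made for the example; a real kernel uses the same idea with its own constants.

```python
import hashlib
import hmac
import socket
import struct

# Layout of the 32-bit cookie used here (the classic SYN-cookie layout):
#   bits 31..27  low 5 bits of a slowly ticking counter (e.g. minutes)
#   bits 26..24  index into MSS_TABLE, so the server can recover the client's MSS
#   bits 23..0   truncated HMAC over (src, sport, dst, dport, counter)
MSS_TABLE = (536, 1220, 1440, 1460)   # assumed encodable MSS values (3-bit index)
COUNTER_MASK = 0x1F
HASH_MASK = 0xFFFFFF


def _hash24(secret, src, sport, dst, dport, counter):
    msg = struct.pack("!4sH4sHI", src, sport, dst, dport, counter)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(secret, src, sport, dst, dport, client_mss, counter):
    """Compute the ISN the server puts in its SYN-ACK. Nothing is stored."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    h = _hash24(secret, src, sport, dst, dport, counter)
    return ((counter & COUNTER_MASK) << 27) | (mss_idx << 24) | h


def check_syn_cookie(secret, src, sport, dst, dport, ack, counter, max_age=4):
    """Validate the final ACK of the handshake. Returns the negotiated MSS, or
    None if the cookie is forged, belongs to another 4-tuple, or is too old."""
    cookie = (ack - 1) & 0xFFFFFFFF         # the ACK acknowledges ISN + 1
    t_low = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    h = cookie & HASH_MASK
    for age in range(max_age + 1):          # only recent counter values are acceptable
        cand = counter - age
        if cand < 0:
            break
        if (cand & COUNTER_MASK) == t_low and _hash24(secret, src, sport, dst, dport, cand) == h:
            return MSS_TABLE[mss_idx]
    return None


class SynCookieServer:
    """A listener that never allocates per-SYN state, so a SYN flood (EW-1)
    has no queue to exhaust."""

    def __init__(self, secret, addr, port):
        self.secret, self.addr, self.port = secret, addr, port
        self.half_open = {}      # stays empty: that is the point of SYN cookies
        self.established = []

    def on_syn(self, src, sport, client_mss, counter):
        return make_syn_cookie(self.secret, src, sport, self.addr, self.port, client_mss, counter)

    def on_ack(self, src, sport, ack, counter):
        mss = check_syn_cookie(self.secret, src, sport, self.addr, self.port, ack, counter)
        if mss is None:
            return False
        self.established.append((src, sport, mss))
        return True


# Constructed endpoints (documentation address ranges), not taken from the paper.
SECRET = b"rotate-me-periodically"
SERVER = socket.inet_aton("203.0.113.10")
CLIENT = socket.inet_aton("198.51.100.5")


def handshake_under_flood(n_bogus=10000):
    """Spoofed SYNs arrive first (their SYN-ACKs go to addresses that never
    reply); then a real client completes its handshake. Returns
    (client_accepted, half_open_entries, established_connections)."""
    srv = SynCookieServer(SECRET, SERVER, 80)
    for i in range(n_bogus):
        srv.on_syn(struct.pack("!I", 0x0A000000 + i), 40000 + (i % 20000), 1460, counter=7)
    isn = srv.on_syn(CLIENT, 51515, 1440, counter=7)
    accepted = srv.on_ack(CLIENT, 51515, (isn + 1) & 0xFFFFFFFF, counter=8)
    return accepted, len(srv.half_open), len(srv.established)


if __name__ == "__main__":
    print(handshake_under_flood())   # (True, 0, 1)
```

The trade-off the slide leaves implicit: because nothing is stored, any TCP options the client sent in its SYN that do not fit in the cookie are lost, and a forged ACK only needs to guess 24 bits of hash for a recent counter value. Rotating the secret and rejecting cookies older than a few counter ticks, as `check_syn_cookie` does, is what keeps that guess expensive.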

AL-1:PG: Prevention Goal
• AL-1:PG-2: DoS Prevention
  • The system is trying to prevent a denial of service
  • Enable the victim to endure attack attempts without denying service
  • Enforce policies for resource consumption
  • Ensure that abundant resources exist

AL-1:PG-2:PM: Prevention Method
• How do defense systems prevent DoS?
• AL-1:PG-2:PM-1: Resource Accounting
  • Police each user's access to resources based on the user's privileges and behavior
  • Legitimate, well-behaved users keep their access
  • Coupled with legitimacy-based access mechanisms, which are needed to tell users apart in the first place
• AL-1:PG-2:PM-2: Resource Multiplication
  • Ex. Pool of servers behind a load balancer, high-bandwidth network

AL-2: Reactive
• Defense systems try to alleviate the impact of an attack
• Detect the attack and respond to it as early as possible
• AL-2:ADS: Attack Detection Strategy
  • How does the system detect attacks?
• AL-2:ADS-1: Pattern Detection
  • Store signatures of known attacks and monitor communications for the presence of those patterns
  • Only known attacks can be detected
  • Ex. Snort

AL-2:ADS-2: Anomaly Detection
• Compare the current state of the system to a model of normal system behavior
• Previously unknown attacks can be discovered
• Tradeoff between detecting all attacks and false positives

AL-2:ADS-2:NBS: Normal Behavior Specification
• How is normal behavior defined?
• AL-2:ADS-2:NBS-1: Standard
  • Rely on a protocol standard or set of rules
  • Ex. The TCP specification describes the three-way handshake, so half-open TCP connections can be detected as deviations from it
  • No false positives, but sophisticated attacks that stay within the standard can go undetected
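A standard-based detector of the kind NBS-1 describes needs no training at all: it replays the TCP handshake state machine and counts connections that received a SYN-ACK but never the completing ACK. The following is an added example, not code from the paper or the slides. The packet representation (a dict with src, sport, dst, dport and a flags string), the sample traffic and the alarm limit are constructed for the example.

```python
from collections import Counter

# Spec-based detector (AL-2:ADS-2:NBS-1): the TCP three-way handshake is
# SYN -> SYN-ACK -> ACK. A connection that has received a SYN-ACK but no
# completing ACK (or RST) is half-open. No traffic model has to be trained.


def half_open_connections(packets):
    """Return the 4-tuples (client, cport, server, sport) left half-open after
    replaying a packet sequence. Each packet is a dict with src, sport, dst,
    dport and flags in {"S", "SA", "A", "R"}."""
    state = {}
    for p in packets:
        client_key = (p["src"], p["sport"], p["dst"], p["dport"])
        server_key = (p["dst"], p["dport"], p["src"], p["sport"])   # reversed direction
        flags = p["flags"]
        if flags == "S":
            state[client_key] = "SYN"
        elif flags == "SA":
            if state.get(server_key) == "SYN":
                state[server_key] = "SYN_ACK"
        elif flags == "A":
            if state.get(client_key) == "SYN_ACK":
                del state[client_key]           # handshake completed
        elif flags == "R":
            state.pop(client_key, None)         # a reset from either side aborts it
            state.pop(server_key, None)
    return [k for k, s in state.items() if s == "SYN_ACK"]


def half_open_per_server(packets):
    return Counter((k[2], k[3]) for k in half_open_connections(packets))


def alarms(packets, limit):
    """Servers whose half-open count reaches the limit."""
    return {srv: n for srv, n in half_open_per_server(packets).items() if n >= limit}


def _pkt(src, sport, dst, dport, flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


def build_sample():
    """Constructed traffic: two complete handshakes, one client that resets,
    and 50 SYNs from 50 spoofed sources that are answered but never completed."""
    web = ("203.0.113.10", 80)
    pkts = []
    for c, cp in [("198.51.100.5", 51000), ("198.51.100.6", 51001)]:
        pkts += [_pkt(c, cp, *web, "S"), _pkt(*web, c, cp, "SA"), _pkt(c, cp, *web, "A")]
    pkts += [_pkt("198.51.100.7", 51002, *web, "S"), _pkt(*web, "198.51.100.7", 51002, "SA"),
             _pkt("198.51.100.7", 51002, *web, "R")]
    for i in range(50):
        src, sport = f"192.0.2.{i + 1}", 40000 + i
        pkts += [_pkt(src, sport, *web, "S"), _pkt(*web, src, sport, "SA")]
    return pkts


SAMPLE = build_sample()

if __name__ == "__main__":
    print(half_open_per_server(SAMPLE))   # Counter({('203.0.113.10', 80): 50})
    print(alarms(SAMPLE, limit=32))
```

The detector raises no alarm on the completed or reset connections, which is the "no false positives" property the slide claims. The caveat is that a legitimately slow client is indistinguishable from a spoofed one until it either ACKs or times out, so a real deployment ages entries out and pairs this detector with SYN cookies rather than dropping on the count alone.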

AL-2:ADS-2:NBS-2: Trained
• Monitor network traffic and system behavior
• Generate threshold values for different parameters
• Communications exceeding one or more thresholds are marked as anomalous
• A low threshold leads to many false positives; a high threshold reduces sensitivity
• The model of normal behavior must be updated over time
  • An attacker can slowly increase the traffic rate so that each new model's thresholds are higher and higher
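The slow-ramp manipulation described here, and under ARD-2:RCM-1 earlier, is easy to reproduce against a trained-threshold detector and also easy to blunt. The following is an added example, not code from the paper or the slides: a detector that learns a threshold from a sliding window of packet-rate samples is run in a naive form (retrains on everything it saw) and a hardened form (never learns from samples it flagged, and caps how far the threshold may drift per retrain). The rates, window size, margin and drift cap are constructed for the example.

```python
# Trained-threshold detector (AL-2:ADS-2:NBS-2) for a packet-rate time series.
# "Naive" retrains on everything it saw; "hardened" refuses to learn from
# samples it flagged and caps how fast the threshold may drift per retrain.


class TrainedThresholdDetector:
    def __init__(self, training, window=20, margin=0.25, harden=False, max_drift=0.05):
        self.window = window
        self.margin = margin
        self.harden = harden
        self.max_drift = max_drift
        self.history = list(training)        # samples the model is allowed to learn from
        self.threshold = self._fit(self.history[-window:])
        self.seen = 0

    def _fit(self, samples):
        return sum(samples) / len(samples) * (1.0 + self.margin)

    def observe(self, rate):
        """Return True if this sample is anomalous; retrain every `window` samples."""
        flagged = rate > self.threshold
        self.seen += 1
        if not (self.harden and flagged):
            self.history.append(rate)
        if self.seen % self.window == 0:
            new = self._fit(self.history[-self.window:])
            if self.harden:
                new = min(new, self.threshold * (1.0 + self.max_drift))
            self.threshold = new
        return flagged


def count_alarms(detector, rates):
    return sum(detector.observe(r) for r in rates)


# Constructed traffic, in packets per second per sample (not from the paper).
TRAINING = [100.0] * 20                                   # quiet baseline
FLOOD = [1000.0] * 40                                     # ARD-1 constant-rate attack
SLOW_RAMP = [100.0 * 1.005 ** i for i in range(200)]     # ARD-2:RCM-1, +0.5 % per sample


def compare():
    return {
        "naive_flood": count_alarms(TrainedThresholdDetector(TRAINING), FLOOD),
        "hardened_flood": count_alarms(TrainedThresholdDetector(TRAINING, harden=True), FLOOD),
        "naive_ramp": count_alarms(TrainedThresholdDetector(TRAINING), SLOW_RAMP),
        "hardened_ramp": count_alarms(TrainedThresholdDetector(TRAINING, harden=True), SLOW_RAMP),
    }


if __name__ == "__main__":
    for name, n in compare().items():
        print(f"{name}: {n} alarms")
```

Two effects show up. Against the constant-rate flood the naive detector alarms only until its first retrain, after which it has learned the flood as normal; the hardened one keeps alarming. Against the slow ramp the naive detector never alarms at all, because each retrain sees a window whose mean sits comfortably under the previous threshold, while the drift cap eventually lets the ramp cross the hardened threshold. The cap trades this robustness for a higher false-positive rate when legitimate traffic genuinely grows, which is the threshold tradeoff the slide states.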

AL-2: Reactive
• AL-2:ADS-3: Third-Party Detection
  • Rely on an external message that signals the occurrence of an attack and supplies its characterization
• AL-2:ARS: Attack Response Strategy
  • What does the system do to minimize the impact of the attack?
  • Goal is to relieve the impact on the victim with minimal collateral damage

AL-2:ARS: Attack Response Strategy
• AL-2:ARS-1: Agent Identification
  • Provides the victim with information about the identity of the attacking machines
  • Ex. Traceback techniques
• AL-2:ARS-2: Rate-Limiting
  • Extremely high-scale attacks might still be effective even when rate-limited

AL-2:ARS: Attack Response Strategy
• AL-2:ARS-3: Filtering
  • Filter out attack streams
  • Risk of accidental DoS to legitimate traffic; clever attackers might use the filter itself as a DoS tool
  • Ex. Dynamically deployed firewalls
• AL-2:ARS-4: Reconfiguration
  • Change the topology of the victim or intermediate network
  • Add more resources or isolate attack machines
  • Ex. Reconfigurable overlay networks, replication services

CD: Cooperation Degree
• How much do defense systems work together?
• CD-1: Autonomous
  • Independent defense at the point of deployment
  • Ex. Firewalls, IDSs
• CD-2: Cooperative
  • Capable of autonomous detection and response
  • Cooperate with other entities for better performance
  • Ex. Aggregate Congestion Control (ACC) with the pushback mechanism
    • Autonomously detects, characterizes and acts on the attack
    • Performs better if rate-limit requests are sent to upstream routers

CD-3: Interdependent
• Cannot operate on their own
• Require deployment at multiple networks, or rely on other entities for attack prevention, detection or efficient response
• Ex. A traceback mechanism deployed on only one router is useless

DL: Deployment Location
• Where are defense systems located?
• DL-1: Victim Network
  • Ex. Resource accounting, protocol security mechanisms
• DL-2: Intermediate Network
  • Provide defense service to a large number of hosts
  • Ex. Pushback, traceback techniques
• DL-3: Source Network
  • Prevent the network's customers from generating DDoS attacks

Using The Taxonomies
• How can the taxonomies be used?
  • A map of DDoS research
  • Common vocabulary
  • Understanding of solution constraints
  • DDoS benchmark generation
  • Exploring new attack strategies
  • Design of attack class-specific solutions
  • Identifying unexplored research areas

Strengths
• Primary contribution
  • Obviously the taxonomy of DDoS mechanisms and defenses
• Fosters easier cooperation among researchers
• Covers current attacks and research

Weaknesses
• Clearly non-exhaustive categorization of attacks
• Naming conventions
  • AL-2:ADS-2:NBS-1 is not easily understandable

Improvements
• Use the taxonomy to create defenses
• How do you improve a taxonomy?

Summary
• Taxonomy of DDoS attacks and defenses
• There are many characteristics of DDoS attacks and defenses
• Hard to design a defense against all attack types