Evil DDoS Attacks and Strong Defenses
Group 6: Yisi Lu, YuanTong Lu, Hao Wu, YuChen Liu, Hua Li
Distributed: large-scale attacks
Denial of service: deny the victim's access to a particular resource (service).
• Volume Based Attacks: the volume-based attack's goal is to saturate the bandwidth of the attacked site.
• Protocol Based Attacks: exploit a specific feature or implementation bug of some protocol installed at the victim in order to consume excess amounts of its resources.
• Application Layer Attacks: the goal of these attacks is to crash the web server.
Volume Based Attacks
--> UDP floods
--> ICMP floods
--> Other spoofed-packet floods
Classification of UDP traffic for DDoS detection
Alexandru G. Bardas, Loai Zomlot, Sathya Chandran Sundaramurthy, Xinming Ou, S. Raj Rajagopalan, Marc R. Eisenbarth
Published in: LEET'12, Proceedings of the 5th USENIX Conference on Large-Scale Exploits and Emergent Threats, pages 7-7, USENIX Association, Berkeley, CA, USA, ©2012
Basic points of the article
(1) Examine the "proportional packet rate" assumption by testing a large number of production networks.
(2) An algorithm for UDP traffic that aims at differentiating benign and flooding UDP flows based on that assumption.
(3) Two operation modes of using the algorithm for thwarting UDP-based DDoS flooding.
Background information
->UDP is a stateless, simple protocol
->UDP floods: easy to launch but hard to detect
->Existing DoS sensor and prevention mechanisms are either ineffective or non-applicable
->Assumption: under normal operations, the packet rate in one direction is proportional to the packet rate in the opposite direction
->Algorithm: compare the packet rates of each UDP flow in its two directions; a flow that violates the assumption is put into a NACK queue rather than the waiting queue.
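The following is an added example, not code from the presentation or from the paper it summarises: a minimal detector built on the proportional-packet-rate assumption above, which also illustrates why the one-directional UDP floods listed under Volume Based Attacks stand out. It groups constructed UDP packet records into two-way flows, computes the ratio of the quieter direction to the busier one, and sends flows whose ratio falls below a threshold to the "nack" bucket instead of the normal waiting queue. The sample traffic, the `min_pkts` evidence floor and the `min_ratio` threshold are assumptions made for this example; the paper calibrates its own ratio function on real networks.

```python
from collections import defaultdict


# Constructed sample of UDP packets seen at the victim's border in one observation
# window (assumption: traffic already filtered to UDP; window length is not modelled).
# Each record is (src_ip, src_port, dst_ip, dst_port).
def constructed_window():
    pkts = []
    # benign DNS traffic: 150 queries out, 150 replies back (ratio 1.0)
    for _ in range(150):
        pkts.append(("10.0.0.2", 5353, "10.0.0.53", 53))
        pkts.append(("10.0.0.53", 53, "10.0.0.2", 5353))
    # benign media stream: 300 data packets one way, 30 receiver reports back (ratio 0.1)
    pkts += [("10.0.0.5", 1234, "10.0.0.2", 6000)] * 300
    pkts += [("10.0.0.2", 6000, "10.0.0.5", 1234)] * 30
    # flood: 500 packets towards a port that never answers (ratio 0.0)
    pkts += [("203.0.113.7", 4444, "10.0.0.2", 9999)] * 500
    return pkts


def flow_key(src_ip, src_port, dst_ip, dst_port):
    """Direction-independent key so both halves of a conversation land in one flow."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (a, b) if a <= b else (b, a)


def count_directions(pkts):
    """Per flow, count packets in each direction: key -> [a->b, b->a]."""
    counts = defaultdict(lambda: [0, 0])
    for src_ip, src_port, dst_ip, dst_port in pkts:
        key = flow_key(src_ip, src_port, dst_ip, dst_port)
        direction = 0 if (src_ip, src_port) == key[0] else 1
        counts[key][direction] += 1
    return counts


def ratio(ab, ba):
    """Two-way packet ratio in [0, 1]: 1.0 means perfectly proportional traffic."""
    hi, lo = max(ab, ba), min(ab, ba)
    return lo / hi if hi else 1.0


def classify(counts, min_pkts=100, min_ratio=0.02):
    """Decide per flow: 'nack' (treated as flooding) or 'waiting' (normal queue).

    min_pkts: below this many packets in the busier direction the flow stays in the
    waiting queue (too little evidence). min_ratio: the calibration knob. Both values
    are constructed for this example, not taken from the paper.
    """
    verdicts = {}
    for key, (ab, ba) in counts.items():
        if max(ab, ba) < min_pkts or ratio(ab, ba) >= min_ratio:
            verdicts[key] = "waiting"
        else:
            verdicts[key] = "nack"
    return verdicts


if __name__ == "__main__":
    counts = count_directions(constructed_window())
    verdicts = classify(counts)
    for key, (ab, ba) in counts.items():
        print(key, ab, ba, round(ratio(ab, ba), 3), verdicts[key])
```

The evidence floor matters in practice: a single DNS query with no reply yet has ratio 0.0 but is obviously not a flood, so short flows are never judged on ratio alone. The asymmetric media stream shows why the threshold has to be calibrated rather than set to "exactly proportional": legitimate UDP services can be quite lopsided without being attacks.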
Experiments
i. Validating the assumption
ii. Ratio function for UDP attack traffic
iii. Performance, accuracy, calibration
Summary for this article
Since a UDP flooding attack is a kind of volume-based attack, we should analyze the flow of packets to determine whether the flow is benign or a DDoS attack. The paper gives a possible mechanism to detect and evaluate the flow, and it gives possible protections against the detected DDoS attack.
Protocol Based Attacks
• Definition: this type of attack consumes actual server resources, or those of intermediate communication equipment, such as firewalls and load balancers, and is measured in packets per second.
• Two popular protocol-based DDoS attacks: Ping of Death, SYN Flood
Ping of Death
• Definition: a ping of death is a type of attack on a computer that involves sending a malformed or otherwise malicious ping to a computer.
• Reassembly: many computer systems could not handle a ping packet larger than 65535 bytes. Larger packets could crash the target computer.
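To show the defensive side of the reassembly point above, here is an added example (not code from the presentation): a toy IPv4 fragment reassembler that refuses any fragment which would push the reassembled datagram past 65535 bytes, which is the check the vulnerable systems lacked. The fixed 20-byte header, the absence of IP options, and the sample fragments are assumptions made for this example; overlapping fragments are deliberately not handled.

```python
MAX_IP_DATAGRAM = 65535   # largest total length an IPv4 datagram may have
IP_HEADER_LEN = 20        # assumption: no IP options on the reassembled datagram


class Reassembler:
    """Collects IPv4 fragments per datagram id and enforces the 65535-byte limit."""

    def __init__(self):
        self.pending = {}    # ident -> {"frags": {start: payload}, "total": int or None}
        self.completed = {}  # ident -> reassembled payload bytes

    def add(self, ident, frag_offset, more_fragments, payload):
        """frag_offset is the IP header field, in 8-byte units. Returns a status string."""
        start = frag_offset * 8
        end = start + len(payload)
        # The ping-of-death check: if this fragment would push the reassembled datagram
        # past 65535 bytes, reject it instead of writing beyond a fixed-size buffer.
        if IP_HEADER_LEN + end > MAX_IP_DATAGRAM:
            return "rejected"
        entry = self.pending.setdefault(ident, {"frags": {}, "total": None})
        entry["frags"][start] = payload
        if not more_fragments:
            entry["total"] = end  # the last fragment fixes the datagram's length
        return self._try_complete(ident)

    def _try_complete(self, ident):
        entry = self.pending[ident]
        if entry["total"] is None:
            return "pending"
        data, pos = bytearray(), 0
        for start in sorted(entry["frags"]):
            if start != pos:          # hole (or overlap): still waiting
                return "pending"
            data += entry["frags"][start]
            pos = start + len(entry["frags"][start])
        if pos != entry["total"]:
            return "pending"
        self.completed[ident] = bytes(data)
        del self.pending[ident]
        return "complete"


if __name__ == "__main__":
    r = Reassembler()
    print(r.add(1, 0, True, b"A" * 1000))       # pending
    print(r.add(1, 125, False, b"B" * 500))     # complete (1000 + 500 bytes)
    # constructed oversized ping: offset 8189 * 8 = 65512 bytes plus 100 bytes of data
    print(r.add(2, 8189, False, b"C" * 100))    # rejected before any buffer is touched
```

The check is done before the fragment is stored, so an attacker cannot even make the reassembler hold memory for a datagram that can never be valid; a real stack would additionally time out incomplete datagrams and bound the number of pending ones.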
SYN Floods
• Attack:
  1. Send a large number of TCP open requests.
  2. The OS allocates resources to track the TCP state.
  3. Since the sender's IP is forged, the returning ACK will never come back.
  4. By continuing to send these requests, the attacker could exhaust the resources on the server machine.
• Defend:
  SYN caches
  SYN cookies
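As an added example (not code from the presentation), the SYN cookie defence listed above, worked through as both sides of the handshake: on a SYN the server derives its initial sequence number from a keyed hash of the connection 4-tuple and a coarse time counter and stores nothing; on the final ACK it recovers the cookie from `ack - 1` and accepts the connection only if the hash matches and the cookie is recent. The bit layout, the secret, the MSS table and the `count` granularity are assumptions made for this example rather than any particular operating system's implementation.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"     # assumption: a per-host secret, rotated rarely
MSS_TABLE = [536, 1220, 1440, 1460]     # assumption: MSS values encodable in 3 bits


def _hash24(saddr, daddr, sport, dport, count):
    """Keyed hash over the connection 4-tuple and the time slot, truncated to 24 bits."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{count}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, mss, count):
    """Initial sequence number for the SYN-ACK; nothing is stored on the server.

    Layout (32 bits): 5-bit time slot | 3-bit MSS index | 24-bit keyed hash.
    count is a slowly increasing counter (assumption: e.g. seconds // 64).
    """
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i               # largest table entry not exceeding the client's MSS
    return ((count & 0x1F) << 27) | (idx << 24) | _hash24(saddr, daddr, sport, dport, count)


def check_syn_cookie(cookie, saddr, daddr, sport, dport, current_count, max_age=4):
    """Return the client's MSS if the cookie is genuine and recent, else None."""
    slot = cookie >> 27
    idx = (cookie >> 24) & 0x7
    h = cookie & 0xFFFFFF
    for age in range(max_age + 1):          # accept cookies from the last few slots only
        count = current_count - age
        if count < 0:
            break
        if (count & 0x1F) == slot and _hash24(saddr, daddr, sport, dport, count) == h:
            return MSS_TABLE[idx] if idx < len(MSS_TABLE) else None
    return None


def handle_syn(saddr, daddr, sport, dport, mss, count):
    """Server side on SYN: reply with ISN = cookie; no half-open state is allocated."""
    return make_syn_cookie(saddr, daddr, sport, dport, mss, count)


def handle_ack(ack_num, saddr, daddr, sport, dport, current_count):
    """Server side on the final ACK: the client acknowledges ISN + 1, so cookie = ack - 1."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    return check_syn_cookie(cookie, saddr, daddr, sport, dport, current_count)


if __name__ == "__main__":
    isn = handle_syn("198.51.100.4", "192.0.2.1", 40000, 80, 1460, count=100)
    print(hex(isn), handle_ack(isn + 1, "198.51.100.4", "192.0.2.1", 40000, 80, 102))
    # spoofed source never sends the ACK; a forged ACK from elsewhere does not validate
    print(handle_ack(isn + 1, "198.51.100.5", "192.0.2.1", 40000, 80, 102))
```

Because the server keeps no per-SYN state, the flood in steps 1 to 4 above has nothing to exhaust; the price is that options which do not fit in the cookie (here everything but a coarse MSS) are lost, which is why stacks normally switch cookies on only when the SYN queue is under pressure.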
Application Layer Attacks
• Comprised of seemingly legitimate and innocent requests
• Crash the web server
• Delay the response time or even block the service
Difference
Other-layer attack: targets network bandwidth around Internet subsystems such as routers, Domain Name Servers, or web clusters.
App-layer attack:
• High-level protocol such as HTTP.
• Legitimate lower-level packets.
• Harder to monitor and mitigate (more complicated and diverse).
Types
Request-flooding: many requests in one HTTP session
Session-flooding: many sessions are set up by a client
Asymmetric: each request is very time-consuming
Defense
Determine suspicious sessions/clients from previously collected data
Least suspicion first served, high suspicion blocked
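An added example (not code from the presentation) of the defence just described, covering the three attack types listed above: each client's recent behaviour is compared with a baseline assumed to come from previously collected benign data, a suspicion score is derived from how far it exceeds that baseline in requests per session (request flooding), sessions per client (session flooding) and share of expensive requests (asymmetric), and the server then blocks clients above a threshold and serves everything else least-suspicious first. The request log, the baseline numbers, the set of expensive paths and the `block_above` threshold are all constructed for this example.

```python
import heapq
from collections import defaultdict

EXPENSIVE_PATHS = {"/search", "/report"}   # assumption: known costly endpoints

# Baseline per-client behaviour; assumption: learned from previously collected benign data.
BASELINE = {"req_per_session": 6.0, "sessions_per_client": 1.0, "expensive_share": 0.1}


def constructed_log():
    """Constructed request log for one window: (client_ip, session_id, path)."""
    log = []
    log += [("192.0.2.10", "s1", p) for p in ["/", "/about", "/news", "/contact", "/"]]
    log += [("192.0.2.20", "s2", p) for p in ["/", "/news", "/search", "/", "/about", "/"]]
    log += [("198.51.100.5", "s3", "/")] * 60                        # request flooding
    log += [("198.51.100.6", "s4", "/report")] * 10                  # asymmetric requests
    log += [("198.51.100.7", f"s{i}", "/") for i in range(10, 40)]   # session flooding
    return log


def profile(log):
    """Per-client counters: total requests, distinct sessions, expensive requests."""
    per_client = defaultdict(lambda: {"requests": 0, "sessions": set(), "expensive": 0})
    for ip, sid, path in log:
        p = per_client[ip]
        p["requests"] += 1
        p["sessions"].add(sid)
        p["expensive"] += path in EXPENSIVE_PATHS
    return per_client


def suspicion(p, baseline=BASELINE):
    """0.0 means 'within baseline'; each term grows with how far above baseline it is."""
    sessions = len(p["sessions"])
    s_req = max(0.0, (p["requests"] / sessions) / baseline["req_per_session"] - 1)
    s_sess = max(0.0, sessions / baseline["sessions_per_client"] - 1)
    s_exp = max(0.0, (p["expensive"] / p["requests"]) / baseline["expensive_share"] - 1)
    return s_req + s_sess + s_exp


def schedule(log, block_above=5.0):
    """Block high-suspicion clients; serve the rest least-suspicious first, FIFO among equals."""
    scores = {ip: suspicion(p) for ip, p in profile(log).items()}
    blocked = {ip for ip, s in scores.items() if s > block_above}
    heap = []
    for seq, (ip, sid, path) in enumerate(log):
        if ip not in blocked:
            heapq.heappush(heap, (scores[ip], seq, ip, path))
    order = []
    while heap:
        _, _, ip, path = heapq.heappop(heap)
        order.append((ip, path))
    return scores, blocked, order


if __name__ == "__main__":
    scores, blocked, order = schedule(constructed_log())
    for ip, s in sorted(scores.items(), key=lambda kv: kv[1]):
        print(ip, round(s, 2), "BLOCKED" if ip in blocked else "served")
    print(order[:3])
```

Note what the scoring does to the legitimate user who ran one search (`192.0.2.20`): it is not blocked, but it is served after the client that never touched an expensive endpoint. That is exactly the side effect the next slide raises, and it is why the baseline and threshold need to be tuned against real traffic rather than guessed.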
Our Opinion
Application layer DDoS attack
• Complex because it mimics legitimate user requests a lot
• Involves more human decisions, which are not as normalized as things in the lower layers
• The solutions lead to some time-consuming or impatient user requests being postponed to a large extent
• Still not a solution for the case in which a botnet is employed to perform the attack.
Comparison

                 Volume-based   Protocol-based   Application Layer
Request          Bogus          Bogus            Legitimate
Protocol         UDP, ICMP      TCP, ICMP        HTTP, HTTPS
Connection       Not full       Not full         Full
High-bandwidth   Yes            Yes              No
Detectable       Yes            Yes              Stealthy
Protection       Easy           Easy             Hard
Q&A