DDoS
Jeff Chase
Duke University

Flood Attacks
• Direct a stream of packets toward a victim.
• Require the victim to do work per packet.
  – Classic: TCP SYN floods (2000 pps sufficient)
  – ICMP floods
• Victim has insufficient resources left over to perform useful functions.
• Tools are out there:
  – WMDoS genie is out of the bottle

Taxonomy
• Single-source vs. “botnet” of zombies.
  – Zombies are good systems (e.g., yours) that have been penetrated and compromised.
  – Often a pathogen or trojan that leaves a back door for the attacker to use it as a proxy.
• Randomly selected victim vs. targeted (vendetta)
• Undisguised vs. IP spoofing of source address.
  – IP-spoofed source address randomly selected
  – Often generates backscatter from victim to spoofed source: the victim’s replies (SYN-ACKs, RSTs, ICMP errors) go to whatever address the attacker wrote in.
• Direct vs. reflector
  – In a reflector attack, the backscatter is the attack traffic.
    • Focus the backscatter: spoof the source address as the intended victim, so that many reflectors’ replies converge on it.

Intelligence Gathering
• Honeypots and honeypot farms
  – Set up idle machines that present an attractive target to an attacker looking for zombies.
  – Most zombies are recruited by randomly sampling the IP address space: they will find you.
  – Honeypot operation and ethics?
• Network telescopes
  – Most spoofed source addresses are randomly selected from the IP address space.
  – Set up idle machines that listen for backscatter traffic on a sample of the address space.
  – Because the spoofed sources are uniform over the address space, the fraction of backscatter a telescope sees is the fraction of the address space it covers; scaling up gives an estimate of the attack rate.
• IPv4 has a small address space
  – What would be the effect of IPv6?

Countermeasures
• Limit effectiveness (don’t become a victim)
  – Firewalls
  – TCP cookies (SYN cookies)
    • Don’t do the SYN work until the SYN-ACK-ACK: encode the half-open connection’s state in the SYN-ACK’s sequence number instead of storing it, and rebuild it from the final ACK.
    • Why doesn’t the attacker just respond to the SYN-ACK? With a spoofed source the SYN-ACK goes to the spoofed address, so the attacker never sees the cookie it would need to acknowledge; responding from its real address would give up the spoofing.
• Suppress attacks (don’t be used as a weapon)
  – Good hygiene: don’t become a zombie.
  – Ingress filtering to suppress disguised attacks (RFC 2827 / BCP 38).
    • Edge routers detect spoofed source addresses originating from a stub network: a packet leaving the stub must carry a source address from the stub’s own prefixes.
  – ACC (aggregate-based congestion control) and Pushback: suppress attack in transit.
• Accountability and legal sanction
  – IP Traceback

Another Countermeasure
• “Encourage” others to use good hygiene.

Subject: you are vulnerable
From: [email protected]
To: you

Greetings,
This is a message from your local white hat hacker. I own you. I can do anything you can do on your machine. Fortunately for you, I am your
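The Countermeasures slide’s “TCP cookies” are SYN cookies. The following is an added example, not code from the slides or from Duke CPS 214: a constructed, simplified SYN-cookie scheme in the same shape as Bernstein’s (5-bit time counter, 3-bit MSS index, 24-bit MAC over the 4-tuple, the client’s ISN and the counter), followed by a simulation of what the slide describes. The cookie layout, the 64-second tick, the two-tick lifetime, the MSS table, the fixed secret and the RFC 5737 addresses are all assumptions made for the example; a real server uses a random, rotated secret. The simulation shows that a spoofed flood leaves no state on the server, that guessed ACKs from an attacker who never saw the SYN-ACK are rejected, and that a real client’s handshake completes.

```python
import hashlib
import hmac
import ipaddress
import random
import struct

# Constructed SYN-cookie layout (simplified Bernstein/Linux style):
#   32-bit server ISN = [5-bit time counter][3-bit MSS index][24-bit MAC]
# The MAC binds the cookie to the 4-tuple, the client's ISN and the counter, so the
# server can verify the final ACK without having stored anything for the SYN.
MSS_TABLE = (536, 1220, 1460, 4380, 8960, 9000, 16384, 65495)  # 8 entries fit in 3 bits
TICK_SECONDS = 64            # counter advances every 64 s (assumption)
MAX_COOKIE_AGE_TICKS = 2     # accept a cookie for at most ~2 minutes (assumption)


def _tick(now: int) -> int:
    return (now // TICK_SECONDS) & 0x1F


def _mss_index(mss: int) -> int:
    """Largest table entry not exceeding the client's MSS (rounds down)."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def _mac24(secret: bytes, saddr, sport, daddr, dport, client_isn, tick) -> int:
    msg = (ipaddress.IPv4Address(saddr).packed
           + ipaddress.IPv4Address(daddr).packed
           + struct.pack("!HHIB", sport, dport, client_isn, tick))
    # Truncated HMAC-SHA256 stands in for the per-connection hash (assumption).
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, saddr, sport, daddr, dport, client_isn, mss, now) -> int:
    """Server ISN for the SYN-ACK. Nothing is stored for the half-open connection."""
    tick = _tick(now)
    mac = _mac24(secret, saddr, sport, daddr, dport, client_isn, tick)
    return (tick << 27) | (_mss_index(mss) << 24) | mac


def check_cookie(secret, saddr, sport, daddr, dport, client_isn, ack, now):
    """Validate the third handshake packet (the SYN-ACK-ACK). Returns the MSS or None."""
    cookie = (ack - 1) & 0xFFFFFFFF            # the client acknowledges our ISN + 1
    tick = (cookie >> 27) & 0x1F
    if ((_tick(now) - tick) & 0x1F) > MAX_COOKIE_AGE_TICKS:   # wraps mod 32
        return None                            # stale cookie, or forged counter
    if (cookie & 0xFFFFFF) != _mac24(secret, saddr, sport, daddr, dport, client_isn, tick):
        return None                            # wrong 4-tuple/ISN, or a guess
    return MSS_TABLE[(cookie >> 24) & 0x7]


def simulate(n_spoofed: int = 5000, seed: int = 1) -> dict:
    rng = random.Random(seed)
    secret = bytes(range(32))                  # constructed; use a random, rotated key
    daddr, dport = "192.0.2.10", 80            # constructed victim (documentation address)
    established = {}                           # the only per-connection state kept
    now = 1_000_000

    # 1. Spoofed SYN flood: the server answers each SYN with a cookie ISN and forgets it.
    #    The SYN-ACK (backscatter) goes to the spoofed source, which never sent a SYN.
    for _ in range(n_spoofed):
        saddr = str(ipaddress.IPv4Address(rng.getrandbits(32)))
        make_cookie(secret, saddr, rng.randrange(1024, 65536), daddr, dport,
                    rng.getrandbits(32), 1460, now)

    # 2. The attacker never sees those SYN-ACKs, so it can only send ACKs with guessed
    #    numbers; each guess must hit a fresh counter and the 24-bit MAC.
    forged_accepted = 0
    for _ in range(n_spoofed):
        saddr = str(ipaddress.IPv4Address(rng.getrandbits(32)))
        if check_cookie(secret, saddr, rng.randrange(1024, 65536), daddr, dport,
                        rng.getrandbits(32), rng.getrandbits(32), now) is not None:
            forged_accepted += 1

    # 3. A real client did receive the SYN-ACK, so its ACK carries cookie + 1.
    saddr, sport, client_isn = "198.51.100.7", 40000, 0x12345678
    cookie = make_cookie(secret, saddr, sport, daddr, dport, client_isn, 1460, now)
    ack = (cookie + 1) & 0xFFFFFFFF
    mss = check_cookie(secret, saddr, sport, daddr, dport, client_isn, ack, now + 5)
    if mss is not None:
        established[(saddr, sport)] = mss

    # 4. The same ACK replayed much later, or from another source address, is rejected.
    replay = check_cookie(secret, saddr, sport, daddr, dport, client_isn, ack,
                          now + 10 * TICK_SECONDS)
    wrong_src = check_cookie(secret, "203.0.113.9", sport, daddr, dport, client_isn, ack, now + 5)

    return {"established": established, "forged_accepted": forged_accepted,
            "legit_mss": mss, "replay_accepted": replay is not None,
            "wrong_source_accepted": wrong_src is not None}


if __name__ == "__main__":
    print(simulate())
```

The cost of the scheme is visible in `_mss_index`: only what fits in the ISN survives, so TCP options that a SYN would normally carry (window scaling, SACK) are rounded or lost unless the server also uses timestamps, which is why kernels enable cookies only once the SYN backlog overflows.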
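The Intelligence Gathering slide’s network-telescope idea, as an added example that is not part of the slides: backscatter arriving in a dark prefix is grouped by its source address (the victim), and, because the slide assumes spoofed sources are drawn uniformly from the address space, the observed count is scaled by the inverse of the fraction of the address space the telescope covers. Everything here is constructed: the “telescope” is 10.0.0.0/8 as a stand-in for a real dark /8 (1/256 of IPv4), the capture is synthesised from a victim answering spoofed SYNs with SYN-ACKs, the record layout, the flag set counted as backscatter and the 100-packet threshold are assumptions, and the victim and noise hosts use RFC 5737 addresses.

```python
import ipaddress
import random
from collections import defaultdict

# Constructed telescope: a dark /8, i.e. 1/256 of the IPv4 address space.
# (A real telescope is an unused but routed prefix; 10.0.0.0/8 is only a stand-in.)
TELESCOPE = ipaddress.ip_network("10.0.0.0/8")
_NET = int(TELESCOPE.network_address)
_MASK = int(TELESCOPE.netmask)
SCALE = 2 ** 32 / TELESCOPE.num_addresses   # 256: each packet seen stands for 256 sent
BACKSCATTER_FLAGS = {"SA", "R", "RA"}         # what a victim sends back to a spoofed SYN/ACK
MIN_PACKETS = 100                             # below this, stray traffic, not an attack (assumption)


def synth_capture(victim: str, rate_pps: int, duration_s: int, seed: int = 7) -> list:
    """Constructed capture. The victim answers every spoofed SYN with a SYN-ACK to the
    uniformly random spoofed source; the telescope records those landing in its prefix.
    Record layout (assumed): (timestamp_s, src_ip, src_port, dst_ip, tcp_flags)."""
    rng = random.Random(seed)
    records = []
    for i in range(rate_pps * duration_s):
        spoofed_src = rng.getrandbits(32)          # address the attacker wrote into the SYN
        if (spoofed_src & _MASK) == _NET:           # the victim's SYN-ACK lands in the telescope
            records.append((i / rate_pps, victim, 80,
                            str(ipaddress.IPv4Address(spoofed_src)), "SA"))
    return records


def analyze(records: list) -> dict:
    """Group backscatter by source (= victim) and extrapolate the attack rate."""
    times = defaultdict(list)
    for ts, src, _sport, _dst, flags in records:
        if flags not in BACKSCATTER_FLAGS:
            continue    # a bare SYN arriving in dark space is a scan or worm probe, not backscatter
        times[src].append(ts)
    attacks = {}
    for victim, ts_list in times.items():
        if len(ts_list) < MIN_PACKETS:
            continue
        ts_list.sort()
        duration = max(ts_list[-1] - ts_list[0], 1.0)
        attacks[victim] = {
            "observed": len(ts_list),
            "duration_s": round(duration, 1),
            # uniform spoofing => telescope sees 1/SCALE of all replies the victim sent
            "est_rate_pps": round(len(ts_list) * SCALE / duration),
        }
    return attacks


def demo() -> dict:
    # Constructed attack: 5000 SYN/s for 30 s against the victim.
    capture = synth_capture("192.0.2.10", rate_pps=5000, duration_s=30)
    # Constructed noise: a scanner sending plain SYNs into the telescope, and a few
    # RSTs from one host; neither should be reported as an attack.
    capture += [(t, "198.51.100.7", 40000 + t, "10.1.2.%d" % (t % 250 + 1), "S")
                for t in range(500)]
    capture += [(t * 3.0, "203.0.113.5", 443, "10.9.9.9", "R") for t in range(5)]
    return analyze(capture)


if __name__ == "__main__":
    print(demo())
```

The estimate is only as good as the uniform-spoofing assumption: an attacker who spoofs from a narrow range, or a reflector attack whose traffic is aimed at one victim rather than scattered, is invisible or mis-sized. The same arithmetic answers the slide’s IPv6 question: with 2^128 addresses, any prefix a telescope can afford to watch covers a vanishing fraction, so randomly scattered backscatter essentially never lands in it.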
Duke CPS 214 - DDoS