DDoS Defense by OffenseWhat is this paper aboutIntroductionSlide 4Defenses usedMechanism UsedAttacked Server with “speakup” and without “speakup”Applicability of SpeakupThreat ModelConditions necessary for “Speakup” to be successfulDesign of Speak UpRequired mechanismRandom drops and Aggressive triesExplicit payment channelImplementationSlide 16Slide 17Slide 18Slide 19Slide 20Slide 21Slide 22Slide 23Slide 24Slide 25Objections to Speak UpConclusions01/14/1901/14/19Samarpita Hurkute DDoS Samarpita Hurkute DDoS Defense By OffenseDefense By Offense11DDoS Defense by OffenseDDoS Defense by OffenseMichael Walfish,Mythili Michael Walfish,Mythili Vutukuru,Hari Vutukuru,Hari Balakrishnan,David Balakrishnan,David Karger,Scott ShenkerKarger,Scott Shenker01/14/1901/14/19Samarpita Hurkute DDoS Samarpita Hurkute DDoS Defense By OffenseDefense By Offense22What is this paper aboutWhat is this paper about““Speak-up” a defense mechanism Speak-up” a defense mechanism against application level DDoS.against application level DDoS.It’s a defense mechanism against It’s a defense mechanism against legitimate looking requests that legitimate looking requests that consume computational resources.consume computational resources.The server encourages clients to send The server encourages clients to send higher volumes of traffic wherein the higher volumes of traffic wherein the inflated traffic volume from good clients inflated traffic volume from good clients crowd out the bad ones.crowd out the bad ones.01/14/1901/14/19Samarpita Hurkute DDoS Samarpita Hurkute DDoS Defense By OffenseDefense By Offense33IntroductionIntroductionApplication level DDoS – It is a noxious attack Application level DDoS – It is a noxious attack where in an “open clientele” environment the where in an “open clientele” environment the attacker forces the victim server to spend attacker forces the victim server to spend much of its resources on spurious requests.much of its resources on spurious requests.Carried over an ICMP link its effect is two-fold Carried over an ICMP link its effect is two-fold – First the servers resources are often – First the servers resources are often depleted by “proper-looking”requests.Second depleted by “proper-looking”requests.Second the traffic is the traffic is in-band so is harder to identify.in-band so is harder to identify.01/14/1901/14/19Samarpita Hurkute DDoS Samarpita Hurkute DDoS Defense By OffenseDefense By Offense44IntroductionIntroductionExamples of such attack – Using bots Examples of such attack – Using bots to attack web sites by : requesting to attack web sites by : requesting large files,making queries of search large files,making queries of search engines and issuing computationally engines and issuing computationally expensive requests.expensive requests.Approach to counter this attack is Approach to counter this attack is encourage all clients to speak …encourage all clients to speak …01/14/1901/14/19Samarpita Hurkute DDoS Samarpita Hurkute DDoS Defense By OffenseDefense By Offense55Defenses usedDefenses usedDetect and Block : Distinguish between Detect and Block : Distinguish between good clients and bad clients.eg. Profiling good clients and bad clients.eg. Profiling IP address ,rate limiting IP address ,rate limiting alone,CAPATCHA based defenses.alone,CAPATCHA based defenses.Charge clients some currency – An Charge clients some currency – An attacked server gives a client a services attacked server gives a client a services only after it pays some currency in form only after it pays some currency in form of CPU cycles and money.of CPU cycles and money.01/14/1901/14/19Samarpita Hurkute DDoS Samarpita Hurkute DDoS Defense By OffenseDefense By Offense66Mechanism UsedMechanism UsedIn a speakup the “thinner” protects the server In a speakup the “thinner” protects the server from overload and performs encouragements.from overload and performs encouragements.When the server is overloaded the thinner When the server is overloaded the thinner causes each new client to automatically send causes each new client to automatically send a congestion controlled stream of dummy a congestion controlled stream of dummy bytes on a separate payment channel.bytes on a separate payment channel.When the server is ready to process requests When the server is ready to process requests the thinner selects a client that has sent the the thinner selects a client that has sent the most bytes.most bytes.01/14/1901/14/19Samarpita Hurkute DDoS Samarpita Hurkute DDoS Defense By OffenseDefense By Offense77Attacked Server with Attacked Server with “speakup” and without “speakup” and without “speakup”“speakup”01/14/1901/14/19Samarpita Hurkute DDoS Samarpita Hurkute DDoS Defense By OffenseDefense By Offense88Applicability of SpeakupApplicability of SpeakupHow much aggregate bandwidth does How much aggregate bandwidth does the legitimate client need for speakup the legitimate client need for speakup to be effective ?to be effective ?Could small Web sites eben when Could small Web sites eben when defended by speakup be harmed ?defended by speakup be harmed ?As bandwidth is a communal resource As bandwidth is a communal resource doesn't the encouragement to send doesn't the encouragement to send more traffic damage the network ?more traffic damage the network ?01/14/1901/14/19Samarpita Hurkute DDoS Samarpita Hurkute DDoS Defense By OffenseDefense By Offense99Threat ModelThreat ModelThe attacker can send difficult The attacker can send difficult requests intentionally.requests intentionally.An attacker can repeatedly request An attacker can repeatedly request service from a site while having service from a site while having different IP addresses.different IP addresses.01/14/1901/14/19Samarpita Hurkute DDoS Samarpita Hurkute DDoS Defense By OffenseDefense By Offense1010Conditions necessary for Conditions necessary for “Speakup” to be successful“Speakup” to be successfulAdequate link bandwidth : enough bandwidth to handle Adequate link bandwidth : enough bandwidth to handle incoming stream of requests.ISP’s which have incoming stream of requests.ISP’s which have significant bandwidth offering speakup as a service.significant bandwidth offering speakup as a service.Adequate client bandwidth – the good clients must Adequate client bandwidth – the good clients must