Princeton ELE 572 - Distributed Denial of Service Attacks


Slide outline (titles only): Presentation Overview; Introduction to DDoS; Background Information: Denial of Service Attacks; Classification of DoS Attacks [1]; Countermeasures for DoS Attacks [1]; DoS Shortfalls; DDoS Architecture; Widely Used DDoS Programs; Trinoo; Analysis of trinoo [4]; TFN (Tribe Flood Network); Analysis of TFN [5]; TFN2K; stacheldraht; Analysis of stacheldraht [6]; Common DDoS Countermeasures [2]; DDoS Protection Environment [2]; DDoS Case Study: GRC.com [7]; GRC.com Network [7]; GRC.COM Case Study: Initial Attack [7]; GRC.COM Case Study: Initial Response to DDoS Attack [7]; GRC.COM Case Study: Additional Attacks [7]; GRC.COM Case Study: Attacker's Mistake [7]; GRC.COM Case Study: Difficulty in Getting Help Stopping DDoS Attacks [7]; GRC.COM Case Study: GRC's Infiltration [7]; GRC.COM Case Study: GRC's Infiltration Network [7]; GRC.COM Attack Network Setup; GRC.COM Attack Network Attacking; Defending Against DDoS Attacks; Conceptual Model for Defending Against DDoS Attacks; Layer 1: Coordinated Technical Solutions; IDIP: An Example of Anti-flood System; Layer 2: Consistent Incentive Structure; Special Issue: Wireless Network Against DDoS; Conceptual Model for Wireless Network Against DDoS; Wireless Network Against DDoS; General Protections against DDoS; Motivation; Network Tracking Solutions; Probabilistic Packet Marking; ITrace; SPIE; Computer Based Protection; Intrusion Detection Systems; Operating System; Filtering; Problems with Filtering; Filtering In Detail; Defending Against Reflectors; What Can Be Filtered?; Defending Against DDoS – Traffic Tracking; Network Traffic Tracking Systems [8]; Model of Network Anonymity [8]; Desirable Properties of an NTTS [8]; Three Model Environments [8]; References.

Distributed Denial of Service Attacks
Prepared For: Prof. Ruby Lee, ELE 572
Prepared By: Stephen Specht, [email protected], (609) 986-9572; Ali Bayazit, [email protected], (609) 986-; Qiang Huang, [email protected], (609) 947-3131
September 23, 2002, Princeton University Electrical Engineering Department

Presentation Overview
• Introduction to DDoS
  – Overview of DoS - Specht
  – Overview of DDoS - Specht
  – Case Study of DDoS victim GRC.com - Specht
• Defending Against DDoS Attacks
  – Conceptual Model - Huang
  – Layer 1: Coordinated Technical Solutions - Huang
  – IDIP: An Example of Anti-Flooding - Huang
  – Layer 2: Consistent Incentive Structure - Huang
  – Defending Wireless Networks Against DDoS - Huang
  – Reflectors Analysis - Bayazit
  – Traffic Tracking - Specht

Introduction to DDoS (Specht)
• Overview of DoS
  – Background Information: Denial of Service Attacks
  – Classification of Denial of Service Attacks
  – Countermeasures for Denial of Service Attacks
  – Denial of Service Attack Shortfalls
• Overview of DDoS
  – Distributed Denial of Service Attacks
  – Distributed Denial of Service Attack Architecture
  – Widely Used Distributed Denial of Service Tools
    • Trinoo
    • TFN/TFN2K
    • Stacheldraht
  – Common DDoS Countermeasures
  – DDoS Protection Environment
• Case Study of DDoS victim GRC.com

Background Information: Denial of Service Attacks (Specht)
• Denial of Service Attack: an attack on a computer or network that prevents legitimate use of its resources. [1]
• DoS attacks affect:
  – Software systems
  – Network routers/equipment/servers
  – Servers and end-user PCs

Classification of DoS Attacks [1] (Specht)

| Attack | Affected Area | Example | Description |
| Network Level Device | Routers, IP switches, firewalls | Ascend Kill II, "Christmas Tree Packets" | Attack attempts to exhaust hardware resources using multiple duplicate packets or a software bug. |
| OS Level | Equipment vendor OS, end-user equipment | Ping of Death, ICMP Echo attacks, Teardrop | Attack takes advantage of the way operating systems implement protocols. |
| Application Level Attacks | Finger Bomb | Finger Bomb, Windows NT RealServer G2 6.0 | Attack a service or machine by using an application attack to exhaust resources. |
| Data Flood (Amplification, Oscillation, Simple Flooding) | Host computer or network | Smurf attack (amplifier attack), UDP Echo (oscillation attack) | Attack in which massive quantities of data are sent to a target with the intention of using up bandwidth/processing resources. |
| Protocol Feature Attacks | Servers, client PCs, DNS servers | SYN (connection depletion) | Attack in which "bugs" in a protocol are utilized to take down network resources. Methods of attack include IP address spoofing and corrupting DNS server caches. |

Countermeasures for DoS Attacks [1] (Specht)

| Attack | Countermeasure Options | Example | Description |
| Network Level Device | Software patches, packet filtering | Ingress and egress filtering | Software upgrades can fix known bugs, and packet filtering can prevent attacking traffic from entering a network. |
| OS Level | SYN cookies, drop backlog connections, shorten timeout time | SYN cookies | Shortening the backlog time and dropping backlog connections will free up resources. SYN cookies proactively prevent attacks. |
| Application Level Attacks | Intrusion detection system | GuardDog, other vendors | Software used to detect illicit activity. |
| Data Flood (Amplification, Oscillation, Simple Flooding) | Replication and load balancing | Akamai/Digital Island provide content distribution. | Extending the volume of content under attack makes it more complicated and harder for attackers to identify services to attack and accomplish complete attacks. |
| Protocol Feature Attacks | Extend protocols to support security. | IETF standard for itrace, DNSSEC | Trace source/destination packets by a means other than the IP address (blocks against IP address spoofing). DNSSEC would provide authorization and authentication on DNS information. |

DoS Shortfalls (Specht)
• DoS attacks are unable to attack large-bandwidth websites: one upstream client cannot generate enough bandwidth to cripple major megabit websites.
• New distributed server architectures make it harder for one DoS to take down an entire site.
• New software protections neutralize existing DoS attacks.
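The OS-level row of the countermeasures table lists SYN cookies against the SYN connection-depletion attack. The following is an added example, not code from the ELE 572 slides, showing how a stateless SYN cookie is issued and checked: the server packs a slow counter, an MSS index and a keyed hash into the initial sequence number of its SYN/ACK and writes nothing into the backlog, so spoofed SYNs whose senders never see the SYN/ACK cannot complete the handshake and consume no table entries. The secret, MSS table, counter period, age window and sample addresses are constructed assumptions for the demo.

```python
"""Stateless SYN cookies as a mitigation for SYN (connection-depletion) floods.

Constructed demo (not code from the ELE 572 slides). The layout follows the
classic Bernstein/Linux scheme in simplified form:
  bits 31..27  5-bit slow counter (one tick per COUNTER_PERIOD seconds)
  bits 26..24  3-bit index into MSS_TABLE
  bits 23..0   24-bit keyed hash of (saddr, daddr, sport, dport, counter, client ISN)
The server sends this value as its ISN in the SYN/ACK and keeps no per-SYN
state; the final ACK must carry ack = cookie + 1, which only a host that
actually received the SYN/ACK can produce.
"""
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-demo-secret"                  # assumption: server-local, rotated in practice
MSS_TABLE = (536, 1300, 1440, 1460, 4312, 8960)     # assumption: 3-bit index into this set
COUNTER_PERIOD = 64                                  # seconds per counter tick (assumption)
MAX_AGE_TICKS = 2                                    # accept cookies up to 2 ticks old (assumption)


def counter_at(now_seconds):
    """Slow-moving counter; only its low 5 bits fit in the cookie."""
    return int(now_seconds) // COUNTER_PERIOD


def _hash24(saddr, daddr, sport, dport, count, client_isn):
    """24-bit keyed hash binding the cookie to the 4-tuple, counter and client ISN."""
    msg = (ipaddress.ip_address(saddr).packed
           + ipaddress.ip_address(daddr).packed
           + struct.pack("!HHII", sport, dport, count & 0xFFFFFFFF, client_isn & 0xFFFFFFFF))
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, daddr, sport, dport, client_isn, client_mss, now_seconds):
    """Build the SYN/ACK sequence number for an incoming SYN (no backlog entry created)."""
    count = counter_at(now_seconds)
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):              # largest table entry <= client's MSS
        if mss <= client_mss:
            mss_idx = i
    return (((count & 0x1F) << 27)
            | (mss_idx << 24)
            | _hash24(saddr, daddr, sport, dport, count, client_isn))


def check_cookie(saddr, daddr, sport, dport, ack_number, client_seq, now_seconds):
    """Validate the handshake's final ACK. Returns the negotiated MSS, or None to drop.

    ack_number is the ACK field (cookie + 1); client_seq is the SEQ field (client ISN + 1).
    """
    cookie = (ack_number - 1) & 0xFFFFFFFF
    client_isn = (client_seq - 1) & 0xFFFFFFFF
    now = counter_at(now_seconds)
    stored5 = cookie >> 27
    age = (now - stored5) & 0x1F                     # ticks since the cookie was issued
    if age > MAX_AGE_TICKS:
        return None                                  # stale cookie, or a forged counter field
    count = now - age                                # reconstruct the full counter value
    expected = _hash24(saddr, daddr, sport, dport, count, client_isn)
    if not hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None                                  # hash mismatch: not a cookie we issued
    return MSS_TABLE[(cookie >> 24) & 0x7]


def demo():
    """Legitimate handshake, an ACK from a host that never saw the SYN/ACK, and a stale replay."""
    # Constructed sample handshake: client 203.0.113.7:40000 -> server 198.51.100.10:80
    c, s, cp, sp = "203.0.113.7", "198.51.100.10", 40000, 80
    client_isn, t0 = 0x1234ABCD, 1_000_000
    cookie = make_cookie(c, s, cp, sp, client_isn, 1460, t0)
    # Real client answers ten seconds later with seq = isn + 1, ack = cookie + 1.
    good = check_cookie(c, s, cp, sp, cookie + 1, client_isn + 1, t0 + 10)
    # A spoofed-source SYN never receives the SYN/ACK, so any guessed ACK value fails.
    forged = check_cookie(c, s, cp, sp, 0xDEADBEEF, client_isn + 1, t0 + 10)
    # The valid cookie replayed five minutes later falls outside the age window.
    stale = check_cookie(c, s, cp, sp, cookie + 1, client_isn + 1, t0 + 300)
    return good, forged, stale


if __name__ == "__main__":
    print(demo())
```

Because the cookie is recomputable from the packet headers, the secret and the counter, the server validates the third packet without ever having stored the first; the price, as with real SYN cookies, is that only a few MSS values survive and other SYN options are lost, which is why the kernel mechanisms on the slide fall back to cookies only when the backlog fills.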

