How Come We Have DDoS?
There Are Still No Strong Defenses Against DDoS
Why Is DDoS Hard to Solve?
1. Simplicity Of Attack
2. Preys On Internet's Strengths
Internet Resource Utilization
3. Availability Of Attack Machines
Can't We Fix These Vulnerabilities?
4. Attacks Resemble Normal Traffic
5. Lack Of Enforcement Tools
What Is the Internet Lacking?
6. Poor Cooperation In the Internet
7. Effective Solutions Hard To Deploy

How Come We Have DDoS?
- Natural consequence of the way the Internet is organized
  o Best effort service means routers don't do much processing per packet and store no state – they will let anything through
  o End-to-end paradigm means routers will enforce no security or authentication – they will let anything through
- It works really well when both parties play fair
- It creates an opportunity for DDoS when one party cheats

There Are Still No Strong Defenses Against DDoS
- You can make yourself harder to attack
- But you can't make it impossible
- And, if you haven't made it hard enough, there's not much you can do when you are attacked
  o There are no patches to apply
  o There is no switch to turn
  o There might be no filtering rule to apply
  o Grin and bear it

Why Is DDoS Hard to Solve?
1. A simple form of attack
2. Designed to prey on the Internet's strengths
3. Easy availability of attack machines
4. Attack can look like normal traffic
5. Lack of Internet enforcement tools
6. Hard to get cooperation from others
7. Effective solutions hard to deploy

1. Simplicity Of Attack
- Basically, just send someone a lot of traffic
- More complicated versions can add refinements, but that's the crux of it
- No need to find new vulnerabilities
- No need to worry about timing, tracing, etc.
- Toolkits are readily available to allow the novice to perform DDoS
- Even the distributed parts are very simple

2. Preys On Internet's Strengths
- The Internet was designed to deliver lots of traffic
  o From lots of places, to lots of places
- DDoS attackers want to deliver lots of traffic from lots of places to one place
- Any individual packet can look proper to the Internet
- Without sophisticated analysis, even the entire flow can appear proper

Internet Resource Utilization
- The Internet was not designed to monitor resource utilization
  o Most of it follows a first come, first served model
- Many network services work the same way
- And many key underlying mechanisms do, too
- Thus, if a villain can get to the important resources first, he can often deny them to good users

3. Availability Of Attack Machines
- DDoS is feasible because attackers can enlist many machines
- Attackers can enlist many machines because many machines are readily vulnerable
- Not hard to find 1,000 crackable machines on the Internet
  o Particularly if you don't care which 1,000
- Botnets numbering hundreds of thousands of hosts have been discovered

Can't We Fix These Vulnerabilities?
- DDoS attacks don't really harm the attacking machines
- Many people don't protect their machines even when the attacks can harm them
- Why will they start protecting their machines just to help others?
- Altruism has not yet proven to be a compelling argument for network security

4. Attacks Resemble Normal Traffic
- A DDoS attack can consist of a vast number of requests for a web server's home page
- No need for the attacker to use particular packets or packet contents
- So neat filtering/signature tools may not help
- The attacker can be arbitrarily sophisticated at mirroring legitimate traffic
  o In principle
  o Not often done because dumb attacks work so well

5. Lack Of Enforcement Tools
- DDoS attackers have never been caught by tracing or observing the attack
- Only by old-fashioned detective work
  o Really, only when they're dumb enough to boast about their success
- The Internet offers no help in tracing a single attack stream, much less multiple ones
- Even if you trace them, a clever attacker leaves no clues to his identity on those machines

What Is the Internet Lacking?
- No validation of IP source address
- No enforcement of the amount of resources used
- No method of tracking attack flows
  o Or those controlling attack flows
- No method of assigning responsibility for bad packets or packet streams
- No mechanism or tools for determining who corrupted a machine

6. Poor Cooperation In the Internet
- It's hard to get anyone to help you stop or trace or prevent an attack
- Even your ISP might not be too cooperative
- Anyone upstream of your ISP is less likely to be cooperative
  o ISPs are more likely to cooperate with each other, though
- Even if cooperation occurs, it occurs at human timescales
  o The attack might be over by the time you figure out who to call

7. Effective Solutions Hard To Deploy
- The easiest place to deploy defensive systems is near your own machine
  o Defenses there might not work well (firewall example)
- There are effective solutions under research
  o But they require deployment near attackers or in the Internet core
  o Or, worse, in many places
- A working solution is useless without deployment
  o Hard to get anything deployed if the deploying site gets no direct advantage
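The "Internet Resource Utilization" and "3. Availability Of Attack Machines" slides make a point that is easy to see in a simulation: with first come, first served, whoever arrives first holds the resource, and the usual fix (cap how much one source may hold) only helps when the greedy party is a single source. The following Python is an added example written for these notes, not code from the slides; the server with a fixed number of service slots, the per-source cap, and the arrival orders are all constructed for illustration.

```python
"""First come, first served service slots, with and without a per-source cap.

Added illustration for the "Internet Resource Utilization" slide: a server
has `capacity` concurrent slots and hands them out in arrival order.
"""
from collections import Counter

LEGIT_USERS = ("alice", "bob", "carol")


def fcfs_admit(arrivals, capacity):
    """Plain first come, first served: admit in order until slots run out."""
    admitted = []
    for src in arrivals:
        if len(admitted) < capacity:
            admitted.append(src)
    return admitted


def capped_admit(arrivals, capacity, per_source_cap):
    """Still first come, first served, but one source may hold at most
    `per_source_cap` slots; its excess requests are refused, leaving room
    for later arrivals."""
    admitted, held = [], Counter()
    for src in arrivals:
        if len(admitted) >= capacity:
            break
        if held[src] < per_source_cap:
            admitted.append(src)
            held[src] += 1
    return admitted


def greedy_single_source():
    # Constructed arrival order: one source fires 200 requests before the
    # three legitimate users show up.
    return ["greedy"] * 200 + list(LEGIT_USERS)


def distributed_sources():
    # Constructed arrival order: 200 distinct sources, one request each
    # (the "many machines" case), again ahead of the legitimate users.
    return [f"host{i}" for i in range(200)] + list(LEGIT_USERS)


def legit_served(admitted):
    """Which legitimate users actually got a slot."""
    return [s for s in admitted if s in LEGIT_USERS]


if __name__ == "__main__":
    cap, per_src = 100, 10
    for name, arrivals in (("single greedy source", greedy_single_source()),
                           ("200 distinct sources", distributed_sources())):
        print(name)
        print("  FCFS only   :", legit_served(fcfs_admit(arrivals, cap)))
        print("  per-src cap :", legit_served(capped_admit(arrivals, cap, per_src)))
```

Running it shows the per-source cap restoring service for alice, bob and carol when one source is hogging the slots, and doing nothing at all when 200 different hosts each take one slot: the cap cannot tell those hosts from ordinary users, which is exactly why the slides treat the easy availability of attack machines as a separate reason DDoS is hard.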
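For the "4. Attacks Resemble Normal Traffic" slide, the practical question is what a defender can still detect when every request is a well-formed GET for the home page. The Python below is an added example written for these notes, not code from the slides: it runs a per-request signature check and a per-second aggregate check over constructed Common Log Format lines. The log lines, the signature markers and the thresholds are assumptions made for the illustration; in practice the baseline rate would be learned from quiet periods rather than passed in.

```python
"""Per-request signatures vs. aggregate rate analysis for a home-page flood."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def build_sample_log():
    """Constructed traffic (not captured data): a quiet second with three
    visitors, then one second in which 40 distinct sources each fetch "/"
    once.  Every line is a syntactically normal, successful GET."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, when, path="/"):
        stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 5120'

    lines = [line(f"198.51.100.{10 + i}", base) for i in range(3)]
    lines += [line(f"203.0.113.{i + 1}", base + timedelta(seconds=1))
              for i in range(40)]
    return lines


LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse(line):
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


# --- per-request view: the "neat filtering/signature tools" of the slide ----
BAD_PATH_MARKERS = ("../", "<script", "%00")   # assumed signature list
ALLOWED_METHODS = {"GET", "HEAD", "POST"}


def signature_hits(lines):
    """Lines that trip a simple per-request check: odd method, absurd path
    length, or a known-bad marker in the path."""
    hits = []
    for line in lines:
        rec = parse(line)
        if (rec["method"] not in ALLOWED_METHODS
                or len(rec["path"]) > 2048
                or any(marker in rec["path"] for marker in BAD_PATH_MARKERS)):
            hits.append(line)
    return hits


# --- aggregate view: count per (path, second) and per distinct source -------
def aggregate_alerts(lines, baseline_rps, factor, min_sources):
    """Flag one-second windows in which one path is requested at least
    `factor` times the baseline rate by at least `min_sources` sources."""
    buckets = defaultdict(list)            # (path, second) -> source IPs
    for line in lines:
        rec = parse(line)
        key = (rec["path"], rec["ts"].replace(microsecond=0))
        buckets[key].append(rec["src"])
    alerts = []
    for (path, second), sources in sorted(buckets.items()):
        if len(sources) >= baseline_rps * factor and len(set(sources)) >= min_sources:
            alerts.append({"second": second.isoformat(), "path": path,
                           "requests": len(sources),
                           "distinct_sources": len(set(sources))})
    return alerts


if __name__ == "__main__":
    sample = build_sample_log()
    print("signature hits:", len(signature_hits(sample)))
    for alert in aggregate_alerts(sample, baseline_rps=3, factor=5, min_sources=20):
        print("flood window:", alert)
```

The signature pass returns nothing, because there is nothing wrong with any single request; only the aggregate pass, which keys on volume and source diversity rather than content, flags the second in which the home page is hit 40 times from 40 addresses. Such a detector only tells you that a flood is happening, not which of those 40 addresses to trust, which is the residual problem the slide is pointing at.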
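The first item on the "What Is the Internet Lacking?" slide, no validation of IP source address, has a known partial remedy: an edge router that knows which prefixes sit behind each customer interface can drop packets whose source address does not belong there (the approach standardised as BCP 38 / RFC 2827). The Python below is an added example written for these notes, not code from the slides; the interface table, the `Packet` structure and the sample packets are constructed from documentation address ranges. It also illustrates the deployment problem of the "7. Effective Solutions Hard To Deploy" slide: the check only works where the prefix assignment is known, i.e. at the customer edge, and does nothing in the core.

```python
"""Edge-router ingress check of packet source addresses (BCP 38 style)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ingress_iface: str   # interface the packet arrived on
    src: str             # claimed source address
    dst: str


# Constructed interface table (documentation ranges): the prefixes that are
# legitimately reachable behind each customer-facing interface.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-b": [ipaddress.ip_network("203.0.113.0/25"),
               ipaddress.ip_network("2001:db8:b::/48")],
}


def source_is_valid(pkt, table=CUSTOMER_PREFIXES):
    """True only if the source lies in a prefix assigned to the ingress
    interface.  An unknown interface or an unparseable address fails closed.
    Address-family mismatches (v6 source vs. v4 prefix) are simply False."""
    prefixes = table.get(pkt.ingress_iface)
    if not prefixes:
        return False
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return False
    return any(src in prefix for prefix in prefixes)


def filter_ingress(packets, table=CUSTOMER_PREFIXES):
    """Split packets into (forwarded, dropped); dropped entries carry a reason
    suitable for a counter or a log line."""
    forwarded, dropped = [], []
    for pkt in packets:
        if source_is_valid(pkt, table):
            forwarded.append(pkt)
        else:
            dropped.append((pkt, f"src {pkt.src} not assigned behind {pkt.ingress_iface}"))
    return forwarded, dropped


def sample_packets():
    # Constructed: two packets with sources that belong behind their
    # interface, two with sources from someone else's range, one from an
    # interface the table does not know.
    return [
        Packet("cust-a", "198.51.100.7", "192.0.2.1"),
        Packet("cust-a", "203.0.113.9", "192.0.2.1"),
        Packet("cust-b", "2001:db8:b::1", "2001:db8:1::1"),
        Packet("cust-b", "203.0.113.200", "192.0.2.1"),
        Packet("cust-c", "198.51.100.7", "192.0.2.1"),
    ]


if __name__ == "__main__":
    fwd, drop = filter_ingress(sample_packets())
    print(f"forwarded {len(fwd)}, dropped {len(drop)}")
    for pkt, reason in drop:
        print("  drop:", reason)
```

Two of the five sample packets are forwarded; the other three are dropped because their claimed source cannot legitimately appear on that interface. The check is cheap because it is per-packet and stateless, which is the only kind of processing the best-effort model described on the first slide leaves room for, but it has to be deployed by the network nearest the sending hosts, who gain nothing directly from running it.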