1、By Olalekan Kadri & Aqila Dissanayake,Prevention and Detection of DoS/DDoS,Presentation Outline,Introduction DDoS Defeating DDoS Attacks by Fixing the Incentive Chain Cooperative Filtering Cooperative Caching Fixing the Incentive Chain DDoS Defense by Offense Protection of Multimedia QoS against DoS
2、 The Intrusion Detection System Adaptive Transmission Management Conclusion and References,Introduction,A denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users 11 This type of attack is characterized by malicious use of computer resources t
3、o its capacity, thereby preventing the legitimate use of such resources DoS attacks came into popularity in the year 2000 when websites such as Yahoo, Amazon, and CNN were crippled using these attacks 3,Introduction,The sources of DoS can be single or multiple as seen in Distributed Denial of Servic
4、e attacks (DDoS). DDoS make use of network of computers to launch the attack DDoS can be automated and several hosts can be attacked in minutes. 7,DDoS,Adapted from http:/ Process,Initiate a scan phase in which a large number of hosts (on the order of 100,000 or more) are probed for a known vulnerab
5、ility 7. Compromise the vulnerable hosts to gain access 7. Install the tool on each host 7. Use the compromised hosts for further scanning and compromises 7.,The Survey Papers,Defeating DDoS Attacks by Fixing the Incentive Chain,The authors argue that, although there is room for more improvements in
6、 technological solutions, the priority should be placed on economic solutions 1 Also, the paper argues that a “vast amount of research has been done on technological solutions while only a handful exist on economic aspects” 1. According to the paper “the parties that suffer the most are not in the b
7、est position to defend, while the parties in the best position do not suffer enough to defend” 1.,Defeating DDoS Attacks by Fixing the Incentive Chain,In order to deliver digital content successfully, collaboration of multiple parties are requiredThese include1 (1) Internet Content Providers (ICP) (
8、2) Backbone ISPs (3) Regional ISPs (4) End users Each one of these parties contributes and invests various amounts to the final product. Therefore successful delivery of content or the final product depends on the effort of each party.,An incentive chain is the set of value and monetary transactions
9、 along digital delivery channels 1. It can act as a glue to stick various parties together in collaboration In a DDoS scenario, defensive action taken by ISPs benefit ICPs and end users the most, but ISPs are rarely compensated which discourage them to take action against such attacks 1. The solutio
10、n is to transfer the incentives from the parties that suffer the most to the parties that are in the best position to defend 1. This is achieved by a “usage-based traffic pricing structure that stimulates cooperative filtering” 1.,The Digital Supply Chain and Cooperative Technological Solutions to D
11、DoS Attacks,The digital supply chain consist of the following 1 1. The Internet core, which consists of dozens of interconnected backbone ISPs who collectively maintain the backbone of the Internet. 2. The Internet cloud except the core, which consists of less than 10,000 regional ISPs that connect
12、to the core through one or several backbone ISPs and serve different geographical regions. 3. The edge of the Internet, which consists of around 100,000 networks that are locally administrated. 4. Millions of online computers including content servers and clients,The Digital Supply Chain Adapted fro
13、m 1,Cooperative Filtering,This works in 3 steps 1.Alarming - Intrusion Detection Systems (IDS) identify suspicious traffic and send out alarms.Tracing - Following the alarms, a tracing mechanism kicks in to track back each attack path as far as possible.Filtering - filters along every attack path th
14、at is configured to filter out attack traffic.,Ban IP-Spoofing at the Edge,One approach to filter out attack traffic is to ban IP-spoofing at the edge of the network 1. The reason being, if the source addresses are correct, then the tracing mechanism can accurately trace every bad packet and find th
15、e attackers which could result in the ISP banning those responsible IP Address.We think that even though this approach sounds like very effective, itll be very hard to implement. Especially with NAT (Network Address Translation) being widely used everywhere.If an ISP doesnt take NAT into account and
16、 ban IP Address that send DoS traffic, it could mean a lot of innocent users getting affected. One can argue that IP spoofing can be implemented at the very edge of the network like routers in a home network or a small organization.It can be done, but the problem is that most users in those networks
17、 do not understand what IP spoofing is yet alone DDoS attacks.,Ingress/Egress Filtering,Ingress Filtering controlling of traffic coming into a networkEgress Filtering controlling of traffic leaving from a networkIngress filtering can prevent certain DDoS attacks coming toward a network. Egress filte
18、ring can prevent internal systems from performing outbound IP spoofing attacks.,Cooperative Caching,Another solution is to divert and evenly distribute attack traffic from a victim into a large number of cache servers such that each stream of diverted traffic is not significant enough in volume to c
19、reate any congestion 1 “Cooperative caching is an effective solution to DDoS attacks when cooperative filtering is costly to implement, or when attack traffic is well concealed in legitimate data requests such that pattern recognition is technically difficult” 1 Also, both filtering and caching can
20、be jointly used to more effectively reduce and divert attack traffic.,The flow of the digital content is driven by two major sources 1 (1) End users demand to consume digital content (2) ICPs demand to publish digital contentEnd users and ICPs both pay directly to ISPs for internet connections 1. Re
21、gional ISPs pay larger regional ISPs and backbone ISPs for the internet connectivity 1. This series of payments is called the “incentive chain” 1.,These days most internet connections are subscription based meaning an end user or a regional ISP pays a fixed monthly fee to a regional ISP/backbone 1.T
22、he fee is paid for a certain traffic volume. Furthermore, most ISPs have extra bandwidth that is not being used. Why should ISPs use these unused resources to provide better services and help on cooperative filtering? More importantly, what are the costs and benefits an ISP will get by doing so? The
23、 costs will include administrative work in setting up filters and reduction in transmission performance due to filtering 1. Unfortunately the benefits for the ISPs are little to nothing as long as the DDoS attacks only take the extra bandwidth which the ISP does not use anyway 1.,The lack of increme
24、ntal payment structures on the internet makes it difficult for victims of DDoS attacks to motivate ISPs who are in a better position to filter traffic 1.As one can see from this scenario, ISPs have no incentive to control/filter traffic as long as they do not have congestion in their own network.In
25、other words, the attack traffic used to do harm to ICPs are only taking bandwidth that is already free in the network.,Proposed Solution,As a potential solution, a usage-based, pricing structure provides the right incentive for cooperative filtering 1. A usage based pricing structure will tie paymen
26、ts to actual traffic 1. This means a user will have to pay for the actual traffic usage or in other words the number of IP packets transmitted. Also, another solution proposed is dynamic pricing where the actual cost of transmission depends on the congestion level of the network 1.,Proposed Solution
27、,The main requirement of usage-based pricing is that the cost of transmitting the attack traffic has to be large enough for the ISPs even when it does not lead to congestion 1. That way they will have enough incentives to set up filters. By replacing the current subscription based internet access wi
28、th a usage-based one we can have a win-win situation for regional ISPs and Internet Content Providers (ICPs) as they will only pay for what is used at any point in time.,One problem that rises from this method is how to count the number of packets that is used by a user in order to charge that user.
29、 Another question that can be asked is what if the people conducting the DDoS attack can purchase enough bandwidth because the DDoS attack itself will gain them more profit than what it costs to do the attack.Also, the benefits gained from the solution should not be less than the costs to implement
30、the solution. If it is the case, then there is no point in implementing such a solution. After all, to filter out traffic and to monitor usage many extra devices will have to be purchased. Furthermore there will be costs for configuring, billing, auditing and disputing 1.,DDoS Defense by Offense,The
31、 paper DDoS Defense by Offense talks about defending servers against application-level Distributed Denial of Service (DDoS) attacks. “This paper presents the design, implementation, analysis, of “speak-up”, a defense against application level distributed denial-of-service (DDoS)”10.According to the
32、paper, with “Speak Up” a server under attack encourages all clients, resources permitting, to automatically send higher volumes of traffic 10.,The theory behind this is that attackers are already using most of their upload bandwidth 10. However, good clients have bandwidth left which results in high
33、 volumes of traffic when encouraged 10. “The intended outcome of this traffic inflation is that the good clients crowd out the bad ones, thereby capturing a much larger fraction of the servers resources than before.” 10,Usually DDoS defense mechanisms work to slow down bad traffic or eliminate them
34、completely. But in DDoS defense by offense, the process relies on all clients to send more traffic than they are currently sending.In this scenario 2 assumptions are made Good clients are not utilizing full available bandwidth Bad clients are utilizing full available bandwidth,Unfortunately, if the
35、bad clients are not working at their full bandwidth when conducting the attack, the speak-up strategy would backfire.Another problem is that the server will need to keep extra bandwidth available for speed-up to successfully work.In other words if the DDoS attack can consume most of servers bandwidt
36、h, speed-up will not be successful. The paper suggests that speed-up is not a good solution for small sites that has less bandwidth for the simple reason in DDoS attacks their bandwidth will be completely consumed.,The protection of QoS for Multimedia Transmission against Denial of Service Attacks,T
37、his paper is based on the general knowledge that Denial of Service (DoS) attacks compete for the limited available resources with legitimate trafficDoS is viewed from a multimedia environment with the aim of preventing it from interfering with the quality of transmission of multimedia services over
38、the internet,The protection of QoS for Multimedia Transmission against Denial of Service Attacks,Based the on two major components of the framework: The Intrusion Detection System 9 Adaptive Transmission Management 9,Framework for protecting a multimedia QoS against Denial of Service 9,IDS component
39、,This is an anomaly detection systemBased on a training system that detects attacks based on a traffic comparison with good packetsThe system is based on data mining 9,Adaptive Transmission Management unit,The Adaptive Transmission component is responsible for allocation of resources for quality of
40、service 9 This component works with synchronization of two other sub-units; rate control and packet schedulingFactors such as bandwidth requirements, packet losses and delay jitters are dynamically adjusted depending on the network situation to guarantee the quality of transmission 9,Adaptive Transm
41、ission Management unit,The Packet scheduling is responsible for implementing multi-buffer scheme at the source to increase the quality of video being transmitted 9,Simulation conducted,Done with NS2 (Network Simulator 2) tool 2 Services tested Video streaming via UDP protocol 9 FTP via TCP were test
42、ed with the attack launched from a FTP service 9 It was found that QoS was affected when a DoS was launched,Simulation Architecture,Architecture of the environment used 9,The protection of QoS for Multimedia Transmission against Denial of Service Attacks,The system is a function of how intelligent t
43、he training system isTherefore, possibility of False Negatives and Positives are inherentThe experiment does not show how the IDS works, its efficiency is therefore questionable,References,1 Yun Huang, Xianjun Geng, Andrew B. Whinston “Defeating DDoS Attacks by Fixing the Incentive Chain”, ACM Trans
44、actions on Internet Technology (TOIT), 2007 2 Wireless attacks, A to Z, , “http:/ 3 Wireless tapping, www.governmentsecurity.org , “http:/www.governmentsecurity.org/articles/WirelessTaping.php” 4 Houle K. J. and Weaver G. M. “Trends in Denial of Service Attack Technology”, CERT Coordination Center,
45、Carnegie Mellon University, Oct. 2001 5 New flaw takes Wifi off the air, , “http:/ “ 6 Port scanning, www.cs.wright.edu, “http:/www.cs.wright.edu/pmateti/Courses/499/Probing/“ 7 Strategies to protect Against Distributed Denial of Service (DDoS) Attacks, , “http:/ 8 Luo Hongli and Shyu Mei-Ling, “Pro
46、tection of QoS for Multimedia Transmission against Denial of Service Attacks”, Proceedings of seventh IEEE International Symposium on Multimedia, 2005 9 Luo Hongli and Shyu Mei-Ling, “Protection of QoS for Multimedia Transmission against Denial of Service Attacks”, Proceedings of seventh IEEE Intern
47、ational Symposium on Multimedia, 2005 10 Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker, “DDoS defense by Offense”, Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications SIGCOMM, 2006,Thanks,Questions ?,
