Exploring DDoS Defense Mechanisms
Patrick Holl
Seminar Future Internet SS14-WS14/15
Lehrstuhl Netzarchitekturen und Netzdienste, Fakultät für Informatik, Technische Universität München
Overview
- Defining DoS and DDoS
  - DoS vs. DDoS
  - DDoS classification
- DDoS Defense Mechanisms
  - Proactive
  - Reactive
  - Rule based
  - Model based
- Future of DDoS defense
  - Software-defined networking (SDN)
- Conclusion
Defining (Distributed) Denial-of-Service
- Denial-of-service (DoS) = attempt to make a machine or network unavailable to its intended users
DDoS attacks can target different layers…
- Transport Layer Attacks (e.g. TCP SYN Flooding)
[Figure: legit TCP 3-way handshake]
Image Source: http://de.wikipedia.org/wiki/SYN-Flood

DDoS attacks can target different layers…
- Transport Layer Attacks (e.g. TCP SYN Flooding)
[Figure: TCP SYN Flooding attack]
Image Source: http://de.wikipedia.org/wiki/SYN-Flood

Not only the transport layer is vulnerable to DDoS attacks
- Transport Layer Attacks (e.g. TCP SYN Flooding)
- Application Layer Attacks (e.g. Apache2 web server attacks like Slowloris)
Image Source: http://en.wikipedia.org/wiki/Slowloris
How can we achieve this?
Image Source: http://www.neustar.biz/resources/product-literature/neustar-ddos-mitigation-professional-services
There are various approaches to handle an attack
Proactive defense
- Build your infrastructure in a way that it will survive a DDoS attack
- Rely on a scalable infrastructure (e.g. cloud hosting)
- Utilize resources when necessary
- There is a good chance to survive Zero-Day DDoS attacks
- Infrastructure can be expensive

There are various approaches to handle an attack
Reactive defense
- Mitigate or block a DDoS attack when it happens
- Install an IDS and feed it with certain attack patterns
- Some attacks are easier to detect (TCP SYN Flooding), others are much harder (flash crowd imitation)
- Zero-Day DDoS attacks are in most cases not detectable
- It's either or…
Which approach is the best?
- There is no best approach. Why?
- Depending on the concrete scenario, one approach can outperform the other
- Not everybody can afford the resources to build an infrastructure that is able to survive large DDoS attacks
- Reactive approaches are usually cheaper
- Proactive and reactive approaches are often combined for multiple lines of defense
Image Source: http://pas-wordpress-media.s3.amazonaws.com/content/uploads/2014/08/Proactive-v.-Reactive.png

What can we actually do to defend our servers?
Selective Blackholing [Snijders, 2014]
Consider the following scenario:
- A German online shop where 95% of its customers are Germans
- One day, 95% of all incoming traffic originates from China
- Wow, my internationalization strategy must really work!?

We don't want to ship to China!
Some facts about large botnets:
- Most bots are hijacked via automated routines
- Agents are distributed globally
How can we provide a service to its main target group?
- If the incoming packets exceed the server's resources, block all traffic outside the scope of the main target group.
- In this example => block all traffic from outside Germany

How does this work?
[Figure: country-based filter as proposed by Snijders]
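The selective-blackholing rule from the three slides above, as an added example that is neither Snijders's proposal nor code from the seminar: once an interval's packet count exceeds the server's capacity, only traffic whose source prefix maps to the main target group's country is accepted. The prefix-to-country table and the traffic are constructed for the example (a real deployment would use a GeoIP database and push the filter to the routers, not to a Python function).

```python
import ipaddress
from collections import Counter

# Constructed prefix-to-country table for this example only; the real mapping
# would come from a GeoIP / registry database. The prefixes reuse the sample
# addresses from the statistical-approaches slide, with countries assigned
# purely for illustration.
COUNTRY_PREFIXES = {
    "DE": [ipaddress.ip_network("91.11.0.0/16"), ipaddress.ip_network("87.23.0.0/16")],
    "CN": [ipaddress.ip_network("129.122.0.0/16")],
    "US": [ipaddress.ip_network("131.87.0.0/16")],
}

def country_of(src):
    """Longest-prefix match of a source address against the table ('??' = unknown)."""
    addr = ipaddress.ip_address(src)
    best, best_len = "??", -1
    for cc, nets in COUNTRY_PREFIXES.items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best, best_len = cc, net.prefixlen
    return best

def traffic_share(packets):
    """Per-country share of one interval; the '95% from China' symptom shows up here."""
    counts = Counter(country_of(p) for p in packets)
    return {cc: n / len(packets) for cc, n in counts.items()}

def selective_blackhole(packets, capacity, home="DE"):
    """Apply the rule to one measurement interval and return (accepted, dropped).

    packets:  source addresses seen in the interval
    capacity: packets per interval the server can actually serve
    As long as the load fits, nothing is blocked. Once it exceeds capacity,
    only traffic from the main target group (home country) is let through and
    everything else is blackholed for this interval.
    """
    if len(packets) <= capacity:
        return list(packets), []
    accepted, dropped = [], []
    for src in packets:
        (accepted if country_of(src) == home else dropped).append(src)
    return accepted, dropped

if __name__ == "__main__":
    # Constructed traffic: 30 legit packets, then 570 more from one Chinese prefix.
    legit = ["91.11.111.23", "87.23.22.111", "131.87.32.33"] * 10
    flood = legit + ["129.122.23.2"] * 570
    print(traffic_share(flood))            # CN share is 0.95
    acc, drop = selective_blackhole(flood, capacity=100)
    print(len(acc), "accepted,", len(drop), "blackholed")
```

Note that the legit US customers are dropped too while the filter is active; that is the price of the rule, which is why the slides only switch it on when the server's resources are exceeded.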
Statistical Approaches
Statistical approaches are based on the assumption that DDoS attack traffic shows anomalies in the entropy and frequency of selected packet attributes. For instance, the packets' source address distribution:
Regular traffic flow:
… 129.122.23.2 131.87.32.33 87.23.22.111 91.11.111.23
DoS attack:
… 129.122.23.2 129.122.23.2 129.122.23.2 129.122.23.2

We have to build a model first
- Incoming packets are classified by a model that represents the default (legit) state
- Calculate the entropy of consecutive packets
- Use the entropy to find the normal source address distribution
- Changes in the entropy can give a hint for an attack
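The entropy model from the two slides above, as an added example that is not the seminar's own code: the Shannon entropy of the source-address distribution is computed per window of consecutive packets, a mean and standard deviation are learned from attack-free windows, and a new window is flagged when its entropy leaves that range. The training and attack traffic are constructed; real traffic needs larger windows and a longer training period.

```python
import math
from collections import Counter

def source_entropy(window):
    """Shannon entropy (bits) of the source-address distribution of one window
    of consecutive packets: many equally active clients give a high value,
    a flood repeating one source collapses it towards 0."""
    n = len(window)
    return -sum(c / n * math.log2(c / n) for c in Counter(window).values())

def build_model(training_windows):
    """Learn the default (legit) state from attack-free traffic: the mean and
    standard deviation of the per-window entropy."""
    ents = [source_entropy(w) for w in training_windows]
    mean = sum(ents) / len(ents)
    std = math.sqrt(sum((e - mean) ** 2 for e in ents) / len(ents))
    return mean, std

def is_anomalous(window, model, k=3.0, floor=0.1):
    """Flag a window whose entropy lies more than k standard deviations from
    the learned mean, in either direction: one flooding source lowers the
    entropy, a flood with randomly spoofed sources raises it. `floor` stops a
    near-zero std (very regular training traffic) from turning every small
    fluctuation into an alarm."""
    mean, std = model
    return abs(source_entropy(window) - mean) > k * max(std, floor)

if __name__ == "__main__":
    # Constructed training traffic: 16 regular clients, windows of 16-18 packets
    # in which one client sends slightly more than the others.
    clients = [f"192.0.2.{i}" for i in range(16)]
    training = [clients + [clients[i % 16]] * (i % 3) for i in range(48)]
    model = build_model(training)
    print("normal entropy: mean %.3f, std %.3f" % model)
    print("legit window flagged:", is_anomalous(clients + [clients[5]] * 2, model))
    print("single-source flood flagged:", is_anomalous(["129.122.23.2"] * 18, model))
    spoofed = [f"198.51.100.{i}" for i in range(64)]
    print("spoofed-source flood flagged:", is_anomalous(spoofed, model))
```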
Which defense mechanism is the best?

Both have advantages and shortcomings
Rule based
+ Advantages
  - Low start-up time
  - 100% detection rate for known attacks (where rules exist)
  - Low false-positive rate
  - Maintenance
+ Shortcomings
  - Not able to detect Zero-Day or other kinds of unknown DDoS attacks
  - Nowadays, attackers attack different layers concurrently
Model based
+ Advantages
  - Can give protection against Zero-Day DDoS attacks
  - Abnormal packet streams can be flagged for further analysis
  - Scalable
+ Shortcomings
  - Works well only if a suitable model exists
  - Model has to be built first
  - Model has to be constantly updated

A combination of multiple techniques is possible
Rule based: selective blackholing
- Good for known attacks
- Block traffic outside the main target group
Model based: find suspicious packet streams
- Detect attacks inside the geographical location of the main target group
As a result:
- Bots outside the geographical location of the target user group cannot attack the service
- Bots within the location radius of the main target group can attack but, depending on the number of available bots, are heavily mitigated
What's next?
Software-Defined Networking (SDN) is (maybe) the next big thing!
- Traffic is separated into flows
- Central point of knowledge (SDN controller)
- Once a DDoS attack flow is identified, the whole flow can be blackholed
Conclusion
- DDoS mitigation and defense is a game of cat-and-mouse with the bad guys
- We have seen rule based approaches like selective blackholing and model based ones like the source address distribution
- Various defense mechanisms can be combined to achieve multiple lines of defense
- It is hard to test DDoS defense mechanisms in a realistic scenario
- There are many different kinds of DDoS attacks which target different layers