Exploring DDoS Defense Mechanisms Patrick Holl Seminar Future - - PowerPoint PPT Presentation



SLIDE 1

Lehrstuhl Netzarchitekturen und Netzdienste

Institut für Informatik Technische Universität München

Exploring DDoS Defense Mechanisms

Patrick Holl

Seminar Future Internet SS14-WS14/15 Lehrstuhl Netzarchitekturen und Netzdienste Fakultät für Informatik, Technische Universität München

SLIDE 2

Overview

• Defining DoS and DDoS
  • DoS vs. DDoS
  • DDoS classification

• DDoS Defense Mechanisms
  • Proactive
  • Reactive
  • Rule based
  • Model based

• Future of DDoS defense
  • Software-defined networking (SDN)

• Conclusion


SLIDE 4

Defining (Distributed) Denial-of-Service

Denial-of-service (DoS) = attempt to make a machine or network unavailable to its intended users

SLIDE 5

DDoS attacks can target different layers…

• Transport Layer Attacks (e.g. TCP SYN Flooding)

Legit TCP 3-Way Handshake

Image Source: http://de.wikipedia.org/wiki/SYN-Flood

SLIDE 6

DDoS attacks can target different layers…

• Transport Layer Attacks (e.g. TCP SYN Flooding)

TCP SYN Flooding attack

Image Source: http://de.wikipedia.org/wiki/SYN-Flood

SLIDE 7

Not only the transport layer is vulnerable to DDoS attacks

• Transport Layer Attacks (e.g. TCP SYN Flooding)
• Application Layer Attacks (e.g. Apache2 web server attacks like Slowloris)

Image Source: http://en.wikipedia.org/wiki/Slowloris


SLIDE 9

How can we achieve this?

Image Source: http://www.neustar.biz/resources/product-literature/neustar-ddos-mitigation-professional-services

SLIDE 10

There are various approaches to handle an attack

• Proactive defense
  • Build your infrastructure in a way that it will survive a DDoS attack
  • Rely on a scalable infrastructure (e.g. cloud hosting)
  • Utilize resources when necessary
  • There is a good chance to survive Zero-Day DDoS attacks
  • Infrastructure can be expensive

SLIDE 11

There are various approaches to handle an attack

• Reactive defense
  • Mitigate or block a DDoS attack when it happens
  • Install an IDS and feed it with certain attack patterns
  • There are attacks which are easier to detect (TCP SYN Flooding) and ones which are much harder (flash crowd imitation)
  • Zero-Day DDoS attacks are in most cases not detectable

It's either or…

SLIDE 12

Which approach is the best?

• There is no best approach, why?
  • Depending on the concrete scenario, one approach can outperform the other
  • Not everybody can afford the resources to build an infrastructure which is able to survive large DDoS attacks
  • Reactive approaches are usually cheaper
  • Proactive and reactive approaches are often combined for multiple lines of defense

Image Source: http://pas-wordpress-media.s3.amazonaws.com/content/uploads/2014/08/Proactive-v.-Reactive.png

SLIDE 13

What can we actually do to defend our servers?


SLIDE 15

Selective Blackholing [Snijders, 2014]

• Consider the following scenario:
  • A German online shop where 95% of its customers are Germans
  • One day, 95% of all incoming traffic originates from China
  • Wow, my internationalization strategy must really work!?

SLIDE 16

We don’t want to ship to China!

• Some facts about large Botnets:
  • Most bots are hijacked via automated routines
  • Agents are distributed globally

• How can we provide a service to its main target group?
  • If the incoming packets exceed the server's resources, block everything outside the scope of the main target group.
  • In this example => Block all traffic from outside Germany

SLIDE 17

How does this work?

Country based filter as proposed by Snijders
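The country-based filter of slides 15 to 17, as an added example that is not part of the original slides or of Snijders' proposal: a toy policy that engages only while the incoming rate exceeds the server's capacity and then accepts only sources geolocated inside the main target group. The prefix-to-country table, the capacity value and the sample addresses are constructed; a real deployment would use a GeoIP database and BGP blackhole announcements rather than a Python dictionary.

```python
from ipaddress import ip_address, ip_network

# Constructed sample GeoIP table (prefix -> ISO country code); not real data.
GEO_TABLE = {
    ip_network("129.122.0.0/16"): "DE",
    ip_network("131.87.0.0/16"): "DE",
    ip_network("87.23.0.0/16"): "CN",
    ip_network("91.11.0.0/16"): "CN",
}


def country_of(src):
    """Longest-prefix match of a source address against the constructed table."""
    addr = ip_address(src)
    best = None
    for net, cc in GEO_TABLE.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else "??"  # unknown origin counts as outside the group


class SelectiveBlackhole:
    """Drop traffic outside the main target group, but only while overloaded."""

    def __init__(self, target_countries, capacity_pps):
        self.target = set(target_countries)  # e.g. {"DE"} for the German shop
        self.capacity = capacity_pps          # constructed: what the server can serve
        self.active = False

    def decide(self, packets_per_second, src):
        # Rule 1: the filter engages only when incoming load exceeds resources;
        # below that threshold international customers are served normally.
        self.active = packets_per_second > self.capacity
        if not self.active:
            return "accept"
        # Rule 2: while active, everything outside the target group is blackholed.
        return "accept" if country_of(src) in self.target else "drop"


def filter_window(policy, pps, sources):
    """Apply the policy to one window of source addresses -> (accepted, dropped)."""
    accepted, dropped = [], []
    for src in sources:
        (accepted if policy.decide(pps, src) == "accept" else dropped).append(src)
    return accepted, dropped
```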


SLIDE 19

Statistical Approaches

• Statistical approaches are based on the assumption that DDoS attack traffic shows anomalies in the entropy and frequency of selected packet attributes.

• For instance, the packets' source address distribution:

Regular traffic flow:

129.122.23.2 131.87.32.33 87.23.22.111 91.11.111.23

DoS attack:

129.122.23.2 129.122.23.2 129.122.23.2 129.122.23.2

SLIDE 20

We have to build a model first

• Incoming packets are classified by a model that represents the default (legit) state
• Calculate the entropy of consecutive packets
• Use the entropy to find the normal source address distribution
• Changes in the entropy can give a hint for an attack
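The entropy model of slides 19 and 20, as an added example that is not part of the original slides: the Shannon entropy of the per-window source address distribution is learned from windows of legitimate traffic, and later windows are flagged when their entropy leaves the learned range in either direction. The training windows, the DoS window, the window size of four packets and the tolerance of 0.5 bit are constructed assumptions.

```python
from collections import Counter
from math import log2


def source_entropy(sources):
    """Shannon entropy (bits) of the source address distribution in one window."""
    n = len(sources)
    if n == 0:
        return 0.0
    return -sum(c / n * log2(c / n) for c in Counter(sources).values())


class EntropyModel:
    """Learn the normal entropy range from legit windows, then flag deviations.

    All windows are assumed to hold the same number of packets, because the
    maximum possible entropy grows with the window size.
    """

    def __init__(self, tolerance_bits=0.5):  # constructed tolerance value
        self.tolerance = tolerance_bits
        self.baseline = []

    def train(self, legit_windows):
        # The model of the default (legit) state has to be built first.
        self.baseline = [source_entropy(w) for w in legit_windows]

    def normal_range(self):
        return min(self.baseline) - self.tolerance, max(self.baseline) + self.tolerance

    def classify(self, window):
        lo, hi = self.normal_range()
        h = source_entropy(window)
        if h < lo:
            return "suspicious: few sources dominate"    # e.g. a single-source flood
        if h > hi:
            return "suspicious: unusually many sources"  # e.g. a widely spoofed flood
        return "normal"


# Constructed sample windows of four packets each (addresses taken from slide 19).
LEGIT_WINDOWS = [
    ["129.122.23.2", "131.87.32.33", "87.23.22.111", "91.11.111.23"],
    ["129.122.23.2", "131.87.32.33", "131.87.32.33", "91.11.111.23"],
    ["87.23.22.111", "91.11.111.23", "129.122.23.2", "131.87.32.33"],
]
DOS_WINDOW = ["129.122.23.2"] * 4  # slide 19's DoS case: one source repeated
```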

SLIDE 21

Which defense mechanism is the best?

SLIDE 22

Both have advantages and shortcomings

Rule based

+ Advantages
  • Low start-up time
  • 100% detection rate for known attacks (where rules exist)
  • Low false-positive rate
  • Maintenance
  • Scalable

+ Shortcomings
  • Not able to detect Zero-Day or other kinds of unknown DDoS attacks
  • Nowadays, attackers attack different layers concurrently

Model based

+ Advantages
  • Can give protection against Zero-Day DDoS attacks
  • Abnormal packet streams can be flagged for further analysis

+ Shortcomings
  • Only works well if a suitable model exists
  • Model has to be built first
  • Model has to be constantly updated

SLIDE 23

A combination of multiple techniques is possible

• Rule based:
  • Selective blackholing
  • Good for known attacks
  • Block traffic outside the main target group

• Model based:
  • Find suspicious packet streams
  • Detect attacks inside the geographical location of the main target group

• As a result:
  • Bots outside the geographical location of the target user group cannot attack the service
  • Bots within the location radius of the main target group can attack but, depending on the number of available bots, are heavily mitigated


SLIDE 25

What's next?

• Software-Defined Networking (SDN) is (maybe) the next big thing!
• Traffic is separated into flows
• Central point of knowledge (SDN Controller)
• Once a DDoS attack flow is identified, the whole flow can be blackholed


SLIDE 27

Conclusion

• DDoS mitigation and defense is a game of cat-and-mouse with the bad guys

• Rule based
  • Selective blackholing

• Model based:
  • Source address distribution

• Model and rule based approaches can be combined
• It is hard to test DDoS defense mechanisms in a realistic scenario
• DDoS attacks can target different layers

SLIDE 28

Conclusion

• DDoS mitigation and defense is a game of cat-and-mouse with the bad guys
• We have seen rule based approaches like selective blackholing and model based ones like the source address distribution
• Various defense mechanisms can be combined to achieve multiple lines of defense
• It is hard to test DDoS defense mechanisms in a realistic scenario
• There are many different kinds of DDoS attacks which target different layers
