A Taxonomy of DDoS Attack and DDoS Defense Mechanisms

  • Slides: 35
A Taxonomy of DDoS Attack and DDoS Defense Mechanisms, by Jelena Mirkovic and Peter Reiher

DDoS Attack Overview
• DDoS: a distributed denial of service attack uses multiple machines to prevent the legitimate use of a service
• Examples:
  1. A stream of packets consuming a key resource, rendering it unavailable to legitimate clients
  2. Malformed packets confusing an application or protocol, forcing it to freeze or reboot
  3. Overloading the Internet infrastructure itself

Why are DDoS attacks possible?
• Internet security is highly interdependent: each host depends on the state of security in the rest of the global Internet
• Internet resources are limited: there are not enough resources to match the number of users
• Resources are not collocated: end networks have only a small amount of bandwidth compared to the abundant resources of the intermediate network

Why are DDoS attacks possible?
• Accountability is not enforced: source address spoofing goes unchecked
• Control is distributed: each network runs according to its local policy, so it is impossible to investigate cross-network traffic behavior

DDoS Attack Phases
• Recruiting: find multiple agent (slave, zombie) machines
• Exploiting: use a discovered vulnerability on each of them
• Infecting: plant the attack code
• Using: send attack packets via the agents

Why make DDoS attacks?
• Personal reasons: target specific computers for revenge
• Prestige: gain the respect of the hacker community
• Material gain: damage resources (for example a competitor's)
• Political reasons: compromise an enemy's resources

Taxonomy of DDoS Attacks
• DA: Degree of Automation
• EV: Exploited Vulnerability to Deny Service
• SAV: Source Address Validity
• ARD: Attack Rate Dynamics
• PC: Possibility of Characterization
• PAS: Persistence of Agent Set
• VT: Victim Type
• IV: Impact on the Victim

Figure 1: Taxonomy of DDoS Attack Mechanisms

DA-2 and DA-3: SS: Scanning Strategy
• Semi-automatic (DA-2) and automatic (DA-3) attacks recruit agents by scanning; the goal is to locate as many vulnerable machines as possible while creating a low traffic volume
• SS-1: Random Scanning: compromised hosts probe random addresses in the IP address space, each using a different seed (ex: Code Red); the resulting high traffic volume can lead to detection
• SS-2: Hitlist Scanning: probe all addresses from an externally supplied list; if the list is too large, a high traffic volume results

DA-2 and DA-3: SS: Scanning Strategy
• SS-3: Signpost Scanning: use information found on the compromised host to select new targets (ex: an address book); progress depends on the agent machines and their users' behavior
• SS-4: Permutation Scanning: a pseudo-random permutation of the IP address space with indexing; a semi-coordinated, comprehensive scan that keeps the benefits of random probing
• SS-5: Local Subnet Scanning: scan for targets on the same subnet as the compromised host; a single copy of the scanning program can compromise many machines behind a firewall (ex: Code Red II and the Nimda worm)
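The SS-4 idea ("a pseudo-random permutation of the IP address space with indexing") is easier to see in code. The following is an added example, not part of the slides or of the Mirkovic and Reiher paper: it builds a full-period linear congruential permutation over a toy 16-bit address space, indexes into it in closed form so that each agent can be handed a disjoint slice, and contrasts the result with SS-1 random scanning under the same probe budget. The address-space size, the LCG constants, the vulnerable-host set, the agent count and the per-agent budget are all constructed for the example.

```python
import random

SPACE = 1 << 16            # toy address space of 2^16 addresses (constructed; real worms face 2^32)
LCG_A, LCG_C = 5, 1        # x -> (5x + 1) mod 2^16 is a full-period permutation (Hull-Dobell:
                           # c odd, a-1 divisible by every prime factor of m and by 4)
NUM_AGENTS = 64            # constructed
NUM_VULNERABLE = 500       # constructed


def perm_next(addr: int) -> int:
    """Walk one step along the shared pseudo-random permutation of the address space."""
    return (LCG_A * addr + LCG_C) % SPACE


def perm_at(index: int) -> int:
    """Address at position `index` of the permutation cycle that starts at 0, without
    walking: x_i = c * (a^i - 1) / (a - 1) mod m. Taking a^i modulo m*(a-1) keeps the
    division exact, so any agent can jump straight to its assigned slice."""
    mod = SPACE * (LCG_A - 1)
    a_pow = pow(LCG_A, index, mod)
    return (LCG_C * (a_pow - 1) // (LCG_A - 1)) % SPACE


def vulnerable_hosts(seed: int = 1) -> set:
    """Constructed set of vulnerable addresses, scattered uniformly over the space."""
    return set(random.Random(seed).sample(range(SPACE), NUM_VULNERABLE))


def _tally(targets, vulnerable: set) -> dict:
    probed, redundant, found = set(), 0, set()
    for addr in targets:
        if addr in probed:
            redundant += 1          # an address somebody already probed: wasted traffic
        probed.add(addr)
        if addr in vulnerable:
            found.add(addr)
    return {"distinct": len(probed), "redundant": redundant, "found": len(found)}


def permutation_scan(vulnerable: set, agents: int = NUM_AGENTS,
                     budget: int = SPACE // NUM_AGENTS) -> dict:
    """SS-4: agent k probes indices [k*budget, (k+1)*budget) of the shared permutation.
    The slices are disjoint, so no address is probed twice across all agents."""
    targets = (perm_at(i) for k in range(agents) for i in range(k * budget, (k + 1) * budget))
    return {"probes": agents * budget, **_tally(targets, vulnerable)}


def random_scan(vulnerable: set, agents: int = NUM_AGENTS,
                budget: int = SPACE // NUM_AGENTS, seed: int = 42) -> dict:
    """SS-1: each agent draws targets from its own differently seeded generator, so agents
    unknowingly re-probe addresses that they, or other agents, have already hit."""
    def draws():
        for k in range(agents):
            rng = random.Random(seed + k)     # a different seed per agent, as in Code Red
            for _ in range(budget):
                yield rng.randrange(SPACE)
    return {"probes": agents * budget, **_tally(draws(), vulnerable)}


if __name__ == "__main__":
    v = vulnerable_hosts()
    print("permutation:", permutation_scan(v))
    print("random:     ", random_scan(v))
```

With the same 65,536 probes, the permutation scan touches every address exactly once and finds every vulnerable host, while random scanning wastes roughly a third of its probes on repeats and misses roughly a third of the vulnerable hosts. The cost is the coordination the slide calls "semi-coordinated": agents must agree on the permutation and on who owns which index range.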

DA-2 and DA-3: PM: Propagation Mechanism
• Used during the infection phase
• PM-1: Central Source Propagation: the attack code resides on a central server; this places a large burden on that server, creating high traffic and a single point of failure (ex: 1i0n worm)
• PM-2: Back-Chaining Propagation: the attack code is downloaded from the machine that exploited the system; avoids the single point of failure (ex: Ramen and Morris worms)
• PM-3: Autonomous Propagation: attack instructions are injected into the target host during the exploit phase itself; reduces the amount of network traffic needed
  - ex: Code Red and

EV: Exploited Vulnerability to Deny Service
• EV-1: Semantic: exploit a specific feature or implementation bug of some protocol or application so that a modest number of packets consumes excessive amounts of its resources (ex: TCP SYN flood, which exhausts connection queue space)
• EV-2: Brute-Force (aka flooding attacks): a high number of attack packets exhausts the victim's resources; the packets misuse otherwise legitimate services
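To make the EV-1 point concrete: a SYN flood does not need bandwidth, it needs the victim to keep half-open state for every SYN until a timeout fires. The following is an added example, not from the slides or the paper: a discrete-time model of a listening socket's backlog with constructed parameters (a backlog of 128 entries, a 60 s SYN-RECV timeout, an attacker sending 4 spoofed SYNs per second, legitimate clients arriving at 10 per second). It reports how many legitimate connections get through, re-runs the model with a shorter timeout to show that the held resource rather than the packet rate decides the outcome, and contrasts the rate an EV-2 flood would need to saturate a link.

```python
SYN_BYTES = 40   # minimal IPv4 + TCP header with no options; link-layer framing ignored


def simulate_syn_backlog(backlog: int, syn_timeout_s: int, attack_pps: int,
                         legit_pps: int, seconds: int) -> dict:
    """Discrete-time model of a listening socket's half-open connection queue.

    Attacker SYNs carry spoofed sources (SAV-1), so the final ACK never arrives and
    each one holds a backlog slot until the SYN-RECV timeout expires. Legitimate
    clients complete the handshake within the same second, so their slot is freed
    again at once; they are counted as dropped only when no slot is free.
    """
    half_open = []               # expiry second of every attacker-created half-open entry
    accepted = dropped = 0
    for t in range(seconds):
        half_open = [expiry for expiry in half_open if expiry > t]   # timeouts reap old entries
        for _ in range(attack_pps):                                   # attacker SYNs arrive first
            if len(half_open) < backlog:
                half_open.append(t + syn_timeout_s)
        for _ in range(legit_pps):
            if len(half_open) < backlog:
                accepted += 1
            else:
                dropped += 1
    return {
        "accepted": accepted,
        "dropped": dropped,
        "half_open_at_end": len(half_open),
        "attack_bytes_per_s": attack_pps * SYN_BYTES,
    }


def flood_pps_to_fill(link_bps: int, packet_bytes: int = 1500) -> float:
    """EV-2 contrast: packets per second a brute-force flood needs to saturate a link."""
    return link_bps / (8 * packet_bytes)


if __name__ == "__main__":
    print("semantic SYN flood, 60 s timeout:", simulate_syn_backlog(128, 60, 4, 10, 120))
    print("same flood, 5 s timeout:        ", simulate_syn_backlog(128, 5, 4, 10, 120))
    print("brute force on a 100 Mbit/s link: %.0f pps" % flood_pps_to_fill(100_000_000))
```

At 4 SYNs per second (160 bytes per second on the wire) the 128-entry backlog is full after 32 seconds and stays full, so every later legitimate connection is refused; with the timeout cut to 5 seconds the same stream never holds more than 20 slots and nothing is dropped. A brute-force flood on the same host would need thousands of full-size packets per second to achieve a comparable effect on a 100 Mbit/s link.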

SAV: Source Address Validity
• SAV-1: Spoofed Source Address
  - AR-1: Routable Source Address: spoof an address that belongs to some existing machine; used in reflection attacks, where multiple requests made with the spoofed address cause the replies to be sent to it
  - AR-2: Non-Routable Source Address: spoof an address from a reserved set of addresses, or from assigned but unused address space of some network

SAV: Source Address Validity
• SAV-1: ST: Spoofing Technique
  - ST-1: Random Spoofed Source Address: random source addresses in the attack packets
  - ST-2: Subnet Spoofed Source Address: a random address from the address space assigned to the agent machine's subnet
  - ST-3: En Route Spoofed Source Address: the address is spoofed en route, by a machine between the agent and the victim

SAV: Source Address Validity
• SAV-2: Valid Source Address: used when the attack strategy requires several request/reply exchanges between an agent and the victim machine; typical of attacks on specific applications or protocol features
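Egress filtering at the source network (the DL-3 deployment location in the defense taxonomy) is the usual answer to spoofing, and the SAV sub-categories say exactly what it can and cannot catch. The following added example, not from the slides or the paper, labels packet sources emitted by one compromised agent with the SAV categories above and runs them through an edge-router egress rule that forwards only sources inside the network's own prefix. The customer prefix, the agent address, the bogon list and the sample packets are all constructed; RFC 5737 documentation ranges stand in for real allocations.

```python
import ipaddress
from collections import Counter

# Constructed: the prefix the source network's edge router is responsible for, and the
# one compromised agent inside it. 203.0.113.0/24 stands in for a real allocation.
CUSTOMER_PREFIX = ipaddress.ip_network("203.0.113.0/24")
AGENT_ADDRESS = ipaddress.ip_address("203.0.113.77")

# Constructed bogon list of reserved, never-routable source ranges (AR-2). The documentation
# ranges are left out on purpose, because they play the role of real networks here.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed attack packets emitted by the agent (source address only).
SAMPLE_SOURCES = [
    "203.0.113.77",                           # SAV-2: the agent's own address
    "203.0.113.5", "203.0.113.200",           # SAV-1 / ST-2: random address from the agent's subnet
    "10.1.2.3", "127.0.0.1", "224.1.1.1",     # SAV-1 / AR-2: reserved, never routable
    "198.51.100.9", "192.0.2.10",             # SAV-1 / AR-1: routable address of some other network
]


def classify_source(src: str, agent=AGENT_ADDRESS, prefix=CUSTOMER_PREFIX) -> str:
    """Ground-truth SAV label for a packet the agent sent (we know the agent's real address)."""
    addr = ipaddress.ip_address(src)
    if addr == agent:
        return "SAV-2 valid"
    if any(addr in net for net in NON_ROUTABLE):
        return "SAV-1/AR-2 non-routable spoof"
    if addr in prefix:
        return "SAV-1/ST-2 subnet spoof"
    return "SAV-1/AR-1 routable spoof"


def egress_permits(src: str, prefix=CUSTOMER_PREFIX) -> bool:
    """Edge-router egress rule (DL-3 source network): forward a packet only if its source
    lies inside the prefix assigned to this network. The router cannot tell which host
    inside the prefix actually sent it."""
    return ipaddress.ip_address(src) in prefix


def audit(sources=SAMPLE_SOURCES) -> dict:
    """Count what the agent sent versus what leaves the network after egress filtering."""
    sent = Counter(classify_source(s) for s in sources)
    forwarded = Counter(classify_source(s) for s in sources if egress_permits(s))
    return {"sent": dict(sent), "forwarded": dict(forwarded)}


if __name__ == "__main__":
    from pprint import pprint
    pprint(audit())
```

The egress rule removes the non-routable and foreign-prefix spoofs but forwards the subnet-spoofed packets untouched, which is why the taxonomy lists ST-2 separately: the victim sees 203.0.113.5 and 203.0.113.200 as plausible clients, and accountability stops at the prefix boundary rather than at a host.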

ARD: Attack Rate Dynamics
• Each agent machine sends a stream of packets to the victim
• ARD-1: Constant Rate: attack packets are generated at a constant rate, usually as many as the agent's resources allow
• ARD-2: Variable Rate: the rate is varied to delay or avoid detection and response

ARD: Attack Rate Dynamics
• ARD-2: RCM: Rate Change Mechanism
  - RCM-1: Increasing Rate: a gradually increasing rate causes a slow exhaustion of the victim's resources
  - RCM-2: Fluctuating Rate: the attack is occasionally relieved, so the victim experiences periodic service disruptions

PC: Possibility of Characterization
• Based on the content and header fields of the attack packets
• PC-1: Characterizable: targets specific protocols or applications at the victim; identifiable by content and header fields
• PC-2: Non-Characterizable: attempts to consume network bandwidth using a variety of packets that engage different applications and protocols
  - caveat: an attack that mixes various kinds of TCP packets is still characterizable, as a TCP attack

PC: Possibility of Characterization
• PC-1: RAVS: Relation of Attack to Victim Services
  - RAVS-1: Filterable: malformed packets, or packets for services that are not critical to the victim's operation; can be blocked with a firewall (ex: UDP flood)
  - RAVS-2: Non-Filterable: well-formed packets that request legitimate victim services, indistinguishable from legitimate clients' packets (ex: HTTP flood)

PAS: Persistence of Agent Set
• Recent attacks have varied the set of agents active at any one time
• PAS-1: Constant Agent Set: all agent machines act in a similar manner; a pulsing attack still has a constant agent set if the "on" and "off" periods coincide across all agent machines
• PAS-2: Variable Agent Set: the attacker divides the available agents into several groups and engages only one group at any one time

VT: Victim Type
• The victim is not necessarily a single host machine
• VT-1: Application: exploit some feature of a specific application on the victim host; disables legitimate client use of that application and possibly strains host resources; attack packets are indistinguishable from legitimate ones, so detection must lean heavily on the application's semantics
• VT-2: Host: disable access to the target machine completely by overloading or disabling its communication mechanism (ex: TCP SYN attack); attack packets carry the real destination address of the target host

VT: Victim Type
• VT-3: Network: consume the incoming bandwidth of a target network; attack packets have destination addresses within the network's address space; the high volume makes detection easy
• VT-4: Infrastructure: target some distributed service that is crucial for global Internet operation or for the operation of a subnetwork (ex: attacks on DNS servers)

DDoS Defense Challenges
• A distributed response is needed at many points on the Internet
  - attacks target more than one host
  - wide deployment of any defense system cannot be enforced, because the Internet is administered in a distributed manner
• Economic and social factors
  - a distributed response system must be deployed by parties that do not suffer direct damage from DDoS attacks
  - many good distributed solutions will therefore achieve only sparse deployment

DDoS Defense Challenges
• Lack of detailed attack information: attacks are reported only to government, as it is believed that making this knowledge public damages the business reputation of the victim network
• Lack of defense system benchmarks: there is currently no benchmark suite of attack scenarios that would enable comparison between defense systems
• Difficulty of large-scale testing: defenses need to be tested in a realistic environment, and large-scale testbeds are lacking

Figure 2: Taxonomy of DDoS Defense Mechanisms

AL: Activity Level
• AL-1: Preventive: eliminate the possibility of DDoS attacks altogether, or enable potential victims to endure an attack without denying service to legitimate clients
• AL-2: Reactive: alleviate the impact of the attack on the victim; must detect the attack and respond to it

AL: Activity Level
• AL-1: PG: Prevention Goal
  - PG-1: Attack Prevention: modify systems and protocols; never 100% effective, because global deployment cannot be guaranteed
  - PG-2: DoS Prevention: enforce policies for resource consumption and ensure that abundant resources exist

AL: Activity Level
• AL-1: PG-1: ST: Secured Target
  - ST-1: System Security: remove application bugs and update protocol installations (ex: security patches, firewall systems, etc.)
  - ST-2: Protocol Security: address the problem of a bad protocol design (ex: authentication server attack, fragmented packet attack)

AL: Activity Level
• AL-1: PG-2: PM: Prevention Method
  - PM-1: Resource Accounting: access to resources is granted based on the privileges and behavior of the user
  - PM-2: Resource Multiplication: an abundance of resources to counter the threat; costly, but proven sufficient (ex: a pool of servers with high-bandwidth links)

AL: Activity Level
• AL-2: ADS: Attack Detection Strategy
  - ADS-1: Pattern Detection: store signatures of known attacks in a database; known attacks are reliably detected, but this is helpless against new attacks
  - ADS-2: Anomaly Detection: keep a model of normal system behavior against which current behavior is compared
  - ADS-3: Third-Party Detection: rely on an external message that signals the occurrence of the attack and provides attack confirmation

AL: Activity Level
• AL-2: ADS-2: NBS: Normal Behavior Specification
  - NBS-1: Standard: rely on some protocol standard or a set of rules with which all legitimate traffic must comply
  - NBS-2: Trained: monitor network traffic and system behavior and generate threshold values for different traffic parameters; setting a threshold too low leads to many false positives, setting it too high reduces sensitivity; the model must be updated to reflect evolution over time, with the caveat that an attack which ramps up slowly enough can be trained into the model as normal
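The ARD slides and the NBS-2 threshold trade-off describe one system from both sides: the attacker shapes the rate to stay under a trained threshold, and the defender tunes the threshold and retrains the model. The following added example, not from the slides or the paper, simulates constant, increasing and fluctuating attack rates on top of constructed legitimate traffic, trains a mean + k·stdev threshold, and compares a threshold fixed at training time with one retrained every second on a sliding window. The traffic figures, the attack start time, the ramp slope, the pulse period and the window length are all constructed.

```python
import random
import statistics

ATTACK_START = 60          # second at which the agents begin sending (constructed)
PEAK_PPS = 200.0           # full attack rate in packets per second (constructed)
RAMP_PPS_PER_S = 0.25      # slope of the RCM-1 increasing-rate attack (constructed)
PULSE_PERIOD_S = 20        # on/off half-period of the RCM-2 fluctuating attack (constructed)


def benign_pps(seconds: int, seed: int, mean: float = 100.0, jitter: float = 8.0) -> list:
    """Constructed legitimate traffic: a flat rate with bounded uniform jitter."""
    rng = random.Random(seed)
    return [mean + rng.uniform(-jitter, jitter) for _ in range(seconds)]


def attack_pps(kind: str, seconds: int) -> list:
    """Packets per second contributed by the agents for each ARD variant."""
    out = []
    for t in range(seconds):
        s = t - ATTACK_START
        if s < 0 or kind == "none":
            out.append(0.0)
        elif kind == "constant":                      # ARD-1
            out.append(PEAK_PPS)
        elif kind == "increasing":                    # ARD-2 / RCM-1
            out.append(min(PEAK_PPS, s * RAMP_PPS_PER_S))
        elif kind == "fluctuating":                   # ARD-2 / RCM-2
            out.append(PEAK_PPS if (s // PULSE_PERIOD_S) % 2 == 0 else 0.0)
        else:
            raise ValueError(f"unknown attack kind {kind!r}")
    return out


def trained_threshold(samples: list, k: float) -> float:
    """NBS-2: threshold = mean + k * stdev of the traffic the model was trained on."""
    return statistics.mean(samples) + k * statistics.pstdev(samples)


def static_detector(observed: list, training: list, k: float) -> list:
    """Threshold fixed once from the training window; returns the alerting seconds."""
    threshold = trained_threshold(training, k)
    return [t for t, v in enumerate(observed) if v > threshold]


def adaptive_detector(observed: list, training: list, k: float, window: int = 60) -> list:
    """Model update: the threshold is re-trained every second on the previous `window`
    seconds. Whatever was observed, attack traffic included, feeds the next model."""
    history = list(training)
    alerts = []
    for t, v in enumerate(observed):
        if v > trained_threshold(history[-window:], k):
            alerts.append(t)
        history.append(v)
    return alerts


def run(kind: str, k: float = 4.0, seconds: int = 240) -> dict:
    training = benign_pps(300, seed=1)            # attack-free training period
    observed = [b + a for b, a in zip(benign_pps(seconds, seed=2), attack_pps(kind, seconds))]
    return {
        "threshold": trained_threshold(training, k),
        "static": static_detector(observed, training, k),
        "adaptive": adaptive_detector(observed, training, k),
    }


if __name__ == "__main__":
    for kind in ("none", "constant", "increasing", "fluctuating"):
        r = run(kind)
        print(f"{kind:12s} static alerts={len(r['static']):3d} first={r['static'][:1]}  "
              f"adaptive alerts={len(r['adaptive']):3d} first={r['adaptive'][:1]}")
    print("false positives with k=1 on benign traffic:", len(run('none', k=1.0)['static']))
```

Three things fall out of the run. The constant-rate attack is caught at the first attack second by both detectors, but the sliding-window model absorbs it within a few seconds and goes quiet, because the attack is now the "normal" it trains on. The slow ramp crosses the static threshold only after it has been adding load for well over half a minute, and the sliding-window model never alerts on it at all. The fluctuating attack produces alerts only during the "on" pulses, so a response keyed on continuous alerting sees it as a series of short incidents. Dropping k from 4 to 1 makes the static detector fire on benign jitter, which is the false-positive side of the threshold trade-off.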

AL: Activity Level
• AL-2: ARS: Attack Response Strategy: relieve the impact of the attack while imposing minimal collateral damage on legitimate clients
  - ARS-1: Agent Identification: necessary for enforcing liability for attack traffic (ex: traceback)
  - ARS-2: Rate-Limiting: impose a rate limit on a stream that has been characterized as malicious; a lenient response, since it still lets some attack traffic through

AL: Activity Level
  - ARS-3: Filtering: filter out attack streams completely (ex: dynamically deployed firewalls, TrafficMaster)
  - ARS-4: Reconfiguration: change the topology, either to add more resources for the victim or to isolate the attacking machines

DL: Deployment Location
• DL-1: Victim Network: defense mechanisms deployed here protect this network from attacks and respond to detected attacks by alleviating the impact on the victim (ex: resource accounting, protocol security mechanisms)
• DL-2: Intermediate Network: provides an infrastructural protection service to a large number of Internet hosts (ex: pushback and traceback)
• DL-3: Source Network: prevents the network's own customers from generating DDoS attacks

Conclusion
• DDoS attacks are a complex and serious problem, affecting not only the victim but also the victim's legitimate clients
• DDoS defense approaches are numerous; we need to learn how to combine them to solve the problem completely
• The Internet community must cooperate to counter the threat, through global deployment of defense mechanisms