Surviving Organized DDoS Attacks That Mimic Flash Crowds


Surviving Organized DDoS Attacks That Mimic Flash Crowds
Srikanth Kandula (MIT), Dina Katabi (MIT), Matthias Jacob (Princeton), Arthur Berger (MIT/Akamai)
CS 495 – Spring 2005, Northwestern University
Sausan Yazji, 10/31/2021, slide 1


Notes

• Kill-Bots uses the following as a defense mechanism:
  • Checking for IP address
  • Authentication
  • Combining authentication with access control
• Test performed on Linux
• “Is targeted towards small and medium online businesses, as well as non-commercial Web sites.”
• What about the performance during the graphical test?


• Expensive solution
  • Authenticating
  • Servicing
• Complex solution
  • Puzzle generator
  • Bloom filter service
  • Cookie check
• Does this assume that the good client will not perform an attack in the future?
• Was not convinced by the Flash Crowd performance improvement


• “Compared to a server that does not use Kill-Bots, our system survives attack rates 2 orders of magnitude higher, while maintaining response times around their values with no attack.” What about compared to other defense mechanisms?
• No bandwidth attack is addressed
• No DNS entry attack is addressed
• No routing entry attacks are addressed, so why should we use this solution?


• More assumptions:
  • The server’s link bandwidth and the device driver are NOT congested by the volume of attack traffic.
  • An attacker cannot sniff packets on a major link which might carry traffic for a large number of legitimate users.
  • The attacker does not have access to the server’s local network or physical access to the server itself.
  • The zombies cannot solve the graphical test.
  • The attacker is not able to concentrate a large number of humans to continuously solve reverse Turing tests.


• The paper addressed the copy attacks, but did not address the session hijacking problem
• “processes every incoming TCP packet addressed to port 80”?? Changes to the TCP protocol
• How big is the puzzle table?
• Did not address the DoS on the bandwidth due to authentication requests
• “the probability a legitimate client is classified as an attacker is approximately 0.023, given the chosen values for N and k, and for 75,000 attack machines.” This is a high number
• “we modified about 300 lines of kernel code, mostly in the TCP/IP protocol stack.” Isn’t that expensive?


Already Identified Problems

• Kill-Bots interacts in a complex way with Web proxies
• Customized parameter setting
• Kill-Bots assumes that the first data packet of the TCP connection will contain the GET and Cookie lines of the HTTP request
• Bloom filter needs to be flushed since compromised zombies may turn into legitimate clients.
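As an added illustration of the three pieces listed on slide 3 (puzzle generator, Bloom filter service, cookie check) and of the flushing problem raised on this last slide, the following example models a Kill-Bots-style admission path in user space. It is example code written for these notes, not Kill-Bots’ kernel implementation; the threshold, flush interval, hash construction and the IP addresses in the trace are all assumed or constructed, not the paper’s values. A counting Bloom filter tallies unsolved puzzles per source IP, a valid cookie bypasses the puzzle, an IP above the threshold is dropped, and a periodic flush gives a cleaned-up zombie a fresh start.

```python
import hashlib
from typing import List, Optional, Set


class CountingBloom:
    """Counting Bloom filter: m counters, k hash positions per key.

    Tallies unsolved puzzles per source IP without a per-IP table. Counts are
    over-estimates only (no false negatives), so collisions can inflate a
    legitimate client's count: the false-positive risk the review questions.
    """

    def __init__(self, m: int = 4096, k: int = 4):
        self.m, self.k = m, k
        self.counters = [0] * m

    def _positions(self, key: str):
        # k positions from SHA-256 over (i, key); a constructed hash choice, not the paper's
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{key}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def increment(self, key: str) -> None:
        for pos in self._positions(key):
            self.counters[pos] += 1

    def decrement(self, key: str) -> None:
        for pos in self._positions(key):
            self.counters[pos] = max(0, self.counters[pos] - 1)

    def count(self, key: str) -> int:
        # the minimum over the k counters is the tightest estimate available
        return min(self.counters[pos] for pos in self._positions(key))

    def flush(self) -> None:
        # reset all counters: an IP whose zombie was cleaned up is no longer penalised
        self.counters = [0] * self.m


class Admission:
    """Cookie check, then puzzle, then drop.

    threshold and flush_interval are assumed values for illustration, not the
    paper's parameters. Times are caller-supplied seconds (e.g. time.monotonic()).
    """

    def __init__(self, threshold: int = 32, flush_interval: float = 600.0, start: float = 0.0):
        self.threshold = threshold
        self.flush_interval = flush_interval
        self.bloom = CountingBloom()
        self.valid_cookies: Set[str] = set()
        self.last_flush = start

    def _maybe_flush(self, now: float) -> None:
        if now - self.last_flush >= self.flush_interval:
            self.bloom.flush()
            self.last_flush = now

    def admit(self, src_ip: str, now: float, cookie: Optional[str] = None) -> str:
        self._maybe_flush(now)
        if cookie is not None and cookie in self.valid_cookies:
            return "serve"            # authenticated client skips the puzzle
        if self.bloom.count(src_ip) >= self.threshold:
            return "drop"             # too many unsolved puzzles from this IP
        self.bloom.increment(src_ip)  # issue a puzzle; it counts as unsolved until answered
        return "puzzle"

    def puzzle_solved(self, src_ip: str, cookie: str) -> None:
        # a correct answer earns a cookie and retires one unsolved-puzzle count
        self.bloom.decrement(src_ip)
        self.valid_cookies.add(cookie)


def demo() -> List[str]:
    """Constructed trace: one zombie that never answers, one human who does."""
    adm = Admission(threshold=3, flush_interval=100.0)
    decisions: List[str] = []
    # zombie keeps requesting without ever solving a puzzle (constructed IP)
    for _ in range(4):
        decisions.append(adm.admit("198.51.100.7", now=1.0))
    # human solves the puzzle once, then browses with the cookie (constructed IP)
    decisions.append(adm.admit("203.0.113.5", now=2.0))
    adm.puzzle_solved("203.0.113.5", "cookie-abc")
    decisions.append(adm.admit("203.0.113.5", now=3.0, cookie="cookie-abc"))
    # after the flush interval the zombie's counts are gone, so it is offered a puzzle again
    decisions.append(adm.admit("198.51.100.7", now=150.0))
    return decisions


if __name__ == "__main__":
    print(demo())
```

The flush is deliberately a full reset rather than a decay: it is the simplest fix for the “zombies may turn into legitimate clients” problem, at the cost of letting every blocked IP back in at once, which is one of the parameter-tuning trade-offs the previous slides complain about.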