Describe the standard approaches to mitigate DDoS attacks, including the use of multiple communications paths, ACLs and IP blocking, blackholing, and rate limiting.
- [Voiceover] There are a number of methods that can be used to defeat denial-of-service attacks, or at least to try. These come into one of two categories: mitigation through design and operational mitigation. Mitigation through design includes establishing the capability for priority-based servicing, egress filtering, and ingress filtering. Operational mitigation includes IP address verification and dropping spoofed packets, rate limiting, ACLs, understanding the characteristics of malicious traffic and dropping it, and understanding the characteristics of normal traffic and dropping anomalies.
Priority-based servicing of traffic can be achieved by ensuring network traffic is marked with a priority attribute and network queues are managed by priority. This is a common voice call service offered by telecommunications companies to support responders under emergency conditions. Under normal conditions, all traffic gets processed, but when congested, the traffic queues are ordered by priority and lower-priority packets are discarded to ensure decongestion. Similarly, priority-based servicing of data network traffic can be implemented, so that when a flood of packet data comes in, it can be de-prioritized to ensure legitimate traffic gets through.
A similar mitigation is aggregate-based congestion control, or ACC, in which aggregates are common packet types such as TCP SYN and ICMP Echo. An ACC, once it detects an attack, will maintain its connection and attempt to determine the aggregate causing the congestion, and control it. It may also request upstream routers to apply limitations to the packet stream. NetBouncer is an older example of a priority approach. NetBouncer emerged from the DARPA fault tolerant networks program.
It's a client legitimacy mechanism that's positioned at the network's internet gateway and allows packets only from legitimate clients or users. Several tests for legitimacy are performed on the client, including a ping to see whether there's a real client at the packet source address, and a reverse Turing test, such as a CAPTCHA. Other tests investigate whether an ongoing connection is consistent with the protocol specifications and, if not, NetBouncer terminates the connection. Once the client has been proven legitimate, it's added to the pool of legitimate clients and given higher priority than not-yet-legitimate clients.
The pool is managed using quality of service techniques and guarantees fair sharing of resources between all the legitimate clients. To prevent an attacker from inheriting the credentials of a legitimate client, the legitimacy expires after a certain time and needs to be reassessed using the same or a different test. Egress filtering is a form of packet inspection carried out as packets exit the network perimeter. It doesn't stop incoming attacks, but can stop attack sources sending attacks out.
This is done by establishing rules to detect known bad packets, such as source address spoofing, and to stop connections to known command and control servers. Ingress filtering is used to drop packets where they can be recognized as malicious. An example would be a packet with a source address that could not possibly have come from its originating network. This requires network context at design time and is an approach useful in controlling business network connections and intra-network segment traffic. Spoofing a source address is a common tactic in denial of service attacks, and if we can identify a source address as spoofed, we can drop the packet with certainty that it's an attack.
However, real-time source address verification is not a trivial issue to solve. One approach is to have a traceback mechanism whereby there's evidence to show the route the packet followed on its way to our network. A number of protocols and methods, such as Itros, have been proposed to do this, but the workload involved made them suitable for investigations rather than real-time verification. Some subsequent work has been done on efficient traceback methods, but this currently remains in the academic realm.
A common method used in firewalls to protect against DDoS is to have a rate limiting mechanism whereby floods of packets of a similar type, for example NTP packets, can be dropped once they reach a certain point. Repose is an open source middleware platform which provides a good example of a rate limiting filter. It can be installed as a proxy server, protecting internal servers from client-side flooding. The proxy server deployment is known as Valve; it can be installed on the Debian platform as a service. Repose can be configured using XML scripts to limit how many requests per time unit are allowed to be made.
Rate limiting can be by IP address or user. In addition, Repose can limit the size of content to defeat a large-packet denial-of-service attack. Commercial equipment, such as the Cisco Catalyst, also provides DoS protection through configuring rate limiting on the quality of service to limit the amount of a particular type of traffic that will be accepted. In some devices, the rate limiting can be set in hardware registers to minimize latency. ACLs can also be used to stop denial of service attacks; however, because they're configured specifically for source IP addresses, they're usually applied as a denial-of-service response once an attack has been detected.
Characterizing normal traffic is a useful way of detecting attacks, especially when the characteristics of protocols can be predicted. This normally involves training the detection system by monitoring traffic with the network in a known normal state. Metrics are often used in network characterization with thresholds to reflect the extent of normal. TCP normal for a network can be determined through a process of training to determine the normal ratio of sent to received packets. Anything significantly above this is likely to be malicious.
UDP normal can be similarly determined by looking at the number of allowed sources per destination, the number of packets per source, and the rate of sending and receiving. ICMP normal can be assessed by looking at the number of ICMP echo, timestamp and information request packets in the overall aggregate traffic flow. This should be relatively static within reasonable bounds. And similar characteristics can be designed for other protocols. We've seen there are some approaches to DoS mitigation that can be deployed, and some are more successful than others in practice.
However, right now it's fair to say that the attacker has the upper hand.
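The following is an added worked example, not code from the course, from NetBouncer or from Repose. It puts three of the operational mitigations the voiceover describes into one small pipeline: BCP 38 style ingress/egress source-address filtering (drop packets whose source could not have come from the interface they arrived on), per-source rate limiting in fixed one-second windows, and a normal-traffic characterization (SYN to SYN/ACK ratio and ICMP share of the aggregate) trained on a "known normal" sample and compared against a threshold. The interface names `wan0`/`lan0`, the internal prefix 10.0.0.0/8, the bogon list, the limit of 20 packets per source per second, the 3x anomaly factor and all traffic are constructed assumptions; the addresses are documentation ranges.

```python
"""Added example (not from the course): source-address filtering, per-source
rate limiting and normal-traffic characterization over a constructed sample.
Interface names, prefixes, thresholds and traffic are all illustrative."""
from collections import Counter
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrived on: "wan0" (internet) or "lan0" (inside)
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    flags: str = ""   # TCP flags: "S" = SYN, "SA" = SYN/ACK
    t: float = 0.0    # arrival time in seconds


# Assumed site layout: our own address space sits behind lan0.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
# Source prefixes that can never legitimately arrive from the internet.
BOGONS = [ipaddress.ip_network(n) for n in
          ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]


def is_spoofed(pkt: Packet) -> bool:
    """Ingress filtering on wan0, egress filtering on lan0 (BCP 38 style).

    A source address that could not have come from the network the packet
    arrived on is dropped with certainty: an internal or bogon source on the
    internet-facing interface, or a non-internal source leaving the LAN."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "wan0":
        return src in INTERNAL or any(src in b for b in BOGONS)
    return src not in INTERNAL   # lan0: our hosts must send from our own space


class WindowRateLimiter:
    """Allow at most `limit` packets per key in each fixed window of `window` seconds."""

    def __init__(self, limit: int, window: float = 1.0):
        self.limit, self.window = limit, window
        self.counts: Counter = Counter()

    def allow(self, key, now: float) -> bool:
        slot = (key, int(now // self.window))
        self.counts[slot] += 1
        return self.counts[slot] <= self.limit


def mitigate(packets, limiter: WindowRateLimiter):
    """Apply spoof filtering, then per-source rate limiting; report drops by reason."""
    dropped: Counter = Counter()
    passed = []
    for pkt in sorted(packets, key=lambda p: p.t):
        if is_spoofed(pkt):
            dropped["spoofed"] += 1
        elif not limiter.allow((pkt.src, pkt.proto), pkt.t):
            dropped["rate_limited"] += 1
        else:
            passed.append(pkt)
    return passed, dropped


def profile(packets) -> dict:
    """Metrics of the kind the course describes: SYN per SYN/ACK, ICMP share of aggregate."""
    syn = sum(1 for p in packets if p.proto == "tcp" and p.flags == "S")
    synack = sum(1 for p in packets if p.proto == "tcp" and p.flags == "SA")
    icmp = sum(1 for p in packets if p.proto == "icmp")
    return {"syn_per_synack": syn / max(synack, 1),
            "icmp_share": icmp / max(len(packets), 1)}


def anomalies(baseline: dict, observed: dict, factor: float = 3.0) -> list:
    """Metrics significantly above the trained normal (more than `factor` times it)."""
    return [k for k, v in observed.items() if v > factor * baseline[k]]


def normal_sample():
    """Constructed 'known normal' traffic: 20 clients each completing a handshake, one ping."""
    pkts = []
    for i in range(20):
        client = f"203.0.113.{i + 1}"
        pkts.append(Packet("wan0", client, "10.0.0.5", "tcp", "S", i * 0.5))
        pkts.append(Packet("lan0", "10.0.0.5", client, "tcp", "SA", i * 0.5 + 0.01))
    pkts.append(Packet("wan0", "198.51.100.7", "10.0.0.5", "icmp", "", 3.0))
    return pkts


def attack_sample():
    """Constructed attack on top of the normal sample: a single-source SYN flood,
    two spoofed packets, and a distributed ICMP echo flood from 60 sources."""
    pkts = normal_sample()
    pkts += [Packet("wan0", "192.0.2.9", "10.0.0.5", "tcp", "S", i * 0.005) for i in range(200)]
    pkts.append(Packet("wan0", "10.0.0.77", "10.0.0.5", "tcp", "S", 1.0))   # internal source from outside
    pkts.append(Packet("wan0", "127.0.0.1", "10.0.0.5", "udp", "", 1.0))    # bogon source
    pkts += [Packet("wan0", f"198.51.100.{i + 1}", "10.0.0.5", "icmp", "", 2.0 + i * 0.01)
             for i in range(60)]
    return pkts


if __name__ == "__main__":
    baseline = profile(normal_sample())
    passed, dropped = mitigate(attack_sample(), WindowRateLimiter(limit=20))
    print("dropped:", dict(dropped))
    print("still anomalous after filtering:", anomalies(baseline, profile(passed)))
```

Running it shows the limits the voiceover hints at: the two spoofed packets are dropped with certainty, and the single-source SYN flood is cut from 200 packets to the 20 allowed per second, so the SYN to SYN/ACK ratio falls back inside the trained normal. The ICMP flood is spread over 60 sources, one packet each, so a per-source rate limit never fires and the ICMP share of the aggregate stays far above baseline after filtering. That residual anomaly is what an aggregate-based control (an ACC limiting the ICMP Echo aggregate) or a QoS priority queue would have to handle.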
Note: Our Ethical Hacking series will map to the 18 parts of the EC-Council's certification exam. This course maps to the 09 Denial of Service domain.
- What is denial of service?
- SYN flooding
- Smurf and URL flooding
- Deauthenticating a wireless host
- Flooding HTTP
- Using BlackEnergy
- Flooding SIP
- Detecting DoS with PeerShark
- Defeating DoS attacks