DDoS
- Distributed Denial-of-Service Attack
- Symmetric DDoS Attack: the amount of bandwidth the targeted device consumes is simply the sum of the total traffic sent from each attacker.
- Asymmetric DDoS Attack: a relatively small number or low levels of resources are required by an attacker to cause a significantly greater number or higher level of target resources to malfunction or fail.
Symmetric DDoS Attack
Ping Flood
- Both incoming ICMP Echo Request and outgoing ICMP Echo Replu consume bandwidth
- Attack Principles: The attacker sends many ICMP echo request packets to the targeted server using multiple devices.
- Solution: disable the ICMP functionality of the target device.
TCP SYN Flood
- SYN packets with random source IP addresses, and Fill up backlog queue on server. No further connections possible.
- Attack principle: server commits resources before confirming identify of client.
- Solution: SYN Cookies
SYN Cookies
- Goal: avoid state storage on server until 3-way handshake completes.
sequenceDiagram C ->> S: SYN SN(C) ← rand S ->> C: SYN/ACK SN(S) ← (T||M||L) Note right of S: Store none info C ->> S: ACK: SN ← SN(C) + 1, AN ← SN(S) + 1 Note right of S: Recover SN(c), SN(s), Verify SN(s)
- Explaination of SN(S) ← (T||M||L)
- T: 5-bit timestamp
time()logically right-shifted 6 positions. - M: 3-bit MSS maximum segment size
- L:
- T: 5-bit timestamp
Asymmetric DDoS attack
- exploit traffic amplifier
- Smurf Attack
- DNS Amplification Attack
- NTP Amplification Attack
- Memcached Attack
- SSDP Attack
- exploit computation asymmetry
- HTTP Flood
- Fragmented HTTP Flood
- Payment DDoS
- others
- Tail Attack
- SDN CrossPath Attack
Smurf Attack
- Amplify the effect of ping flood and
- Attack Principle: Attack with an ICMP Echo Request with spoofed source IP address of the targeted server and destination IP address of an IP broadcast address
- Solution: disable IP broadcast addresses on router and firewall, or reject external packets to broadcast address.
DNS Amplification Attack
- What is DNS?
- Attack Principle: Exploit DNS query of type
ANYthat retrieves all the available types for a given name. Also with spoofed source IP address of the victim target. - Solution: reduce the number of open resolvers, or add source IP verification
NTP Amplification Attack
- What is NTP?
- Network Time Protocol
- Attack Principle: Exploit
monlistcommand that triggers a response with the last 600 source IP addresses of requests made to the NTP server
Memcached Attack
- Attack Principle: Exploit memcached request that triggers a response with a large volume of data to target
- Solution
- disable UDP on Memcached server
- firewall Memcached server
- source IP verification
SSDP Attack
UPnP
UPnP 是 Universal Plug and Play 的简称,是一种基于网络的协议,旨在使各种设备(例如计算机、智能手机、打印机、路由器等)能够自动发现和相互通信,从而实现更简单、更方便的互联。
SSDP
SSDP 是 Simple Service Discovery Protocol 的简称,是基于 UPnP 的协议,用于在局域网中发现和访问网络服务。它通过多播方式在局域网内广播服务信息,让设备可以自动发现和使用其他设备提供的服务。
- Attack Principle
- 扫描周围可用的 plug-and-play 设备
- 用伪装的 IP 地址给这些设备发送 UDP 包,并尝试获取尽可能多的数据(比如将设置
ssdp:rootdevice或者ssdp:all) - 每个设备将会发送超过三十倍请求数据量的信息给受害者
HTTP Flood
- Exploit SSL/TLS handshake requests to drain server resources
- Attack Principle
- Complete real TCP connection
- Complete TLS Handshake
GET/POSTlarge image or other content
- Solution: block or rate limit
DDoS Defences
Ingress Filtering
- Purpose: 避免 IP Spoofing
- Main Idea
- Ingress filtering policy: 要求每个 ISP 在向后传递数据包前都验证源地址的合法性
- Limitation
- Requires global coordination: 如果有 10% 的网络不满足此要求,整个系统就没有防御性,同时也没有理由强迫所有人实现此功能。
- 中间的 AS 系统无法检查源地址,因为路由协议仅仅关注目标地址
Traceback
- Purpose: 进行 packet 传递路径的回溯
- Main Idea: 让路由器在包中新增一些内容
- 方法一:将自身的 IP 地址加入包中,缺点是会让 packet 过大
- 方法二:Edge Sampling,将路径分别保存在多个包中,以拼接成完整的路径
Alibi Routing
- Purpose: 证明一个 packet 没有经过某个 AS[1]
- Main Idea: 引入 proof waypoint(r),证明
s->r->d的过程中,没有时间经过特定的 AS
Client Puzzles
- Main Idea: 强迫每个客户在连接时进行计算
- Benefits: 可以在被攻击时调用,并根据攻击流量进行动态调整
- Limitatoin: 在被攻击期间,低功率的合法客户的访问将受到影响;需要修改对应的协议,客户端和服务端也需要做对应的调整
CAPTCHA
- Completely Automated Public Turing test to tell Computers and Humans Apart
- 即验证码,通过一些测试去判断对方是人类还是自己