Senior Threat Researcher
François Paget is a senior threat research engineer and one of the founding members of McAfee Labs, where he conducts a ...
In my post “DDoS Response: Part 1,” I started an analysis on combating distributed-denial-of-service attacks. In this post, Part 2, I shall examine solutions for private networks.
To proactively prevent attacks on private networks, one solution is to hide the legitimate paths from attackers and to periodically change the topology of the network. Source-address filtering, secret proxy servers (servlets), and virtual overlay network (with Secure Overlay Access Points, SOAPs) are helpful in a reconfiguration scheme:
Any transmissions that wish to pass the overlay must first be validated at entry points of the overlay (SOAP machines). Only confirmed users can access the network. If the attacker discovers the address of the filtering router in front of the client, a brute force attack is still possible.
Another solution for protecting a private network is to use a cryptographic process such as “client puzzle.” This method requires a client to sacrifice some of its resources to prove that it is legitimate. Basically, when a server comes under attack, it distributes small cryptographic puzzles to clients making service requests. To complete the request, the client must solve the puzzle correctly:
Other solutions filter and mitigate DDoS traffic. In resource replication (for example, XenoService), the victim or the network responds to DDoS attacks by producing replicas of the resources in demand. Legitimacy testing (NetBouncer) can distinguish legitimate from illegitimate traffic. Using containment, ISPs can employ honeypots to trap malicious code, which can then be studied and blocked.
For these posts, I consulted various white papers and thesis reports. The most significant is an impressive (204 pages) August 2008 Ph.D. thesis submitted to Imperial College London by Dr. Vrizlynn Thing Ling Ling.
I extracted the following table to summarize the usefulness of the responses I have already described:
|Â RESPONSES||WHEN AND WHY?|
|Traceback||When spoofing is used. For locating nearest point to the attack sources.|
|Containment||Mainly used as a diversion away from real targets.|
|Reconfiguration||Configuration changes in the network, such as route changes, to isolate “authenticated” legitimate traffic from attack traffic. Allows dropping of attack traffic in the case of highly reliable isolation.|
|Redirection||Redirection to a black hole will be considered as filtering here.|
|Filtering||When confidence level of detection is high and identifiable attack flows are present, filtering on traffic matching these identities should be performed.|
|Rate limiting||As an initial response during a flooding attack to prevent the network from being overwhelmed. When the confidence level of detection is low. When it’s not possible to form an identifiable signature to distinguish attack traffic from legitimate traffic.|
|Resource replication||When it is actually a flash crowd and not a DDoS attack, more resources are allocated to handle the massive number of legitimate service requests.|
|Legitimacy testing||To authenticate clients by performing tests for verification. Assuming that such tests are widely deployed on Internet hosts and that the legitimate users will observe the “rules of the game” if they want their request served.|
|Attackers’ resource consumption||To have the clients sacrifice their own resources to prove that they are willing to do so for their requests to be fulfilled. In a way, it may allow a server to distinguish between legitimate traffic and DDoS attack traffic if attack hosts are not willing to work on the puzzles. If they are prepared to allocate resources to work on puzzles for each attack request, it will slow down the attack hosts. It is also assumed that such puzzle algorithms are widely deployed on Internet hosts.|
At McAfee, equipment in the McAfee Network Security Platform series can help customers in this fight.
McAfee’s NSP (formerly IntruShield) sensors can detect DDoS attacks by learning the network’s “normal” traffic behaviors and detecting attacks based on deviations from these normal behaviors, including packet counts and rates for various types of packets such as ICMP, TCP SYN, UDP, IP fragments, etc. Details are available in the two McAfee white papers listed below.
Other useful documents: