In my post “DDoS Response: Part 1,” I started an analysis on combating distributed-denial-of-service attacks. In this post, Part 2, I shall examine solutions for private networks.
To proactively prevent attacks on private networks, one solution is to hide the legitimate paths from attackers and to periodically change the topology of the network. Source-address filtering, secret proxy servers (servlets), and a virtual overlay network (with Secure Overlay Access Points, SOAPs) are helpful in such a reconfiguration scheme:

Any transmission that wishes to pass through the overlay must first be validated at the entry points of the overlay (the SOAP machines). Only confirmed users can access the network. If the attacker discovers the address of the filtering router in front of the client, however, a brute-force attack is still possible.
Another solution for protecting a private network is to use a cryptographic process such as “client puzzle.” This method requires a client to sacrifice some of its resources to prove that it is legitimate. Basically, when a server comes under attack, it distributes small cryptographic puzzles to clients making service requests. To complete the request, the client must solve the puzzle correctly:

Other solutions filter and mitigate DDoS traffic. In resource replication (for example, XenoService), the victim or the network responds to DDoS attacks by producing replicas of the resources in demand. Legitimacy testing (NetBouncer) can distinguish legitimate from illegitimate traffic. Using containment, ISPs can employ honeypots to trap malicious code, which can then be studied and blocked.
For these posts, I consulted various white papers and thesis reports. The most significant is an impressive (204 pages) August 2008 Ph.D. thesis submitted to Imperial College London by Dr. Vrizlynn Thing Ling Ling.
I extracted the following table to summarize the usefulness of the responses I have already described:
| RESPONSES | WHEN AND WHY? |
| --- | --- |
| Traceback | When spoofing is used. For locating the nearest point to the attack sources. |
| Containment | Mainly used as a diversion away from real targets. |
| Reconfiguration | Configuration changes in the network, such as route changes, to isolate “authenticated” legitimate traffic from attack traffic. Allows dropping of attack traffic in the case of highly reliable isolation. |
| Redirection | Redirection to a black hole will be considered as filtering here. |
| Filtering | When the confidence level of detection is high and identifiable attack flows are present, filtering on traffic matching these identities should be performed. |
| Rate limiting | As an initial response during a flooding attack to prevent the network from being overwhelmed. When the confidence level of detection is low. When it is not possible to form an identifiable signature to distinguish attack traffic from legitimate traffic. |
| Resource replication | When it is actually a flash crowd and not a DDoS attack, more resources are allocated to handle the massive number of legitimate service requests. |
| Legitimacy testing | To authenticate clients by performing tests for verification. Assumes that such tests are widely deployed on Internet hosts and that legitimate users will observe the “rules of the game” if they want their request served. |
| Attackers’ resource consumption | To have the clients sacrifice their own resources to prove that they are willing to do so for their requests to be fulfilled. In a way, it may allow a server to distinguish between legitimate traffic and DDoS attack traffic if attack hosts are not willing to work on the puzzles. If they are prepared to allocate resources to work on puzzles for each attack request, it will slow down the attack hosts. It is also assumed that such puzzle algorithms are widely deployed on Internet hosts. |
At McAfee, equipment in the McAfee Network Security Platform series can help customers in this fight.

McAfee’s NSP (formerly IntruShield) sensors can detect DDoS attacks by learning the network’s “normal” traffic behavior and flagging deviations from it, including packet counts and rates for various packet types such as ICMP, TCP SYN, UDP, and IP fragments. Details are available in the two McAfee white papers listed below.
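To make the baseline-and-deviation idea concrete, here is an added example, written for this post and not McAfee’s or the NSP sensors’ own algorithm: it learns a per-packet-type mean and standard deviation from constructed per-second count windows, then flags any later window whose count for a type exceeds the mean by more than `k` standard deviations. The packet types, the constructed traffic figures and the `k = 4` threshold are assumptions chosen for illustration.

```python
import statistics

PACKET_TYPES = ("ICMP", "TCP_SYN", "UDP", "IP_FRAG")

# Constructed learning data: 20 one-second windows of "normal" traffic.
# Counts vary deterministically so the example is reproducible offline.
NORMAL_WINDOWS = [
    {"ICMP": 40 + (i % 3), "TCP_SYN": 300 + 10 * (i % 5),
     "UDP": 500 + 20 * (i % 4), "IP_FRAG": 5 + (i % 2)}
    for i in range(20)
]


def learn_baseline(windows):
    """Per packet type: (mean, sample standard deviation) over the learning
    windows. A floor of 1.0 on the deviation avoids a zero-width band for a
    type that never varied during learning."""
    baseline = {}
    for ptype in PACKET_TYPES:
        counts = [w.get(ptype, 0) for w in windows]
        mean = statistics.fmean(counts)
        sd = statistics.stdev(counts) if len(counts) > 1 else 0.0
        baseline[ptype] = (mean, max(sd, 1.0))
    return baseline


def detect(baseline, window, k=4.0):
    """Return one alert per packet type whose count in `window` lies more
    than k standard deviations above its learned mean."""
    alerts = []
    for ptype, (mean, sd) in baseline.items():
        count = window.get(ptype, 0)
        threshold = mean + k * sd
        if count > threshold:
            alerts.append({"type": ptype, "count": count,
                           "threshold": round(threshold, 1),
                           "sigmas": round((count - mean) / sd, 1)})
    return alerts


def scan(baseline, windows, k=4.0):
    """Run detect() over a sequence of windows; returns (index, alerts)
    pairs for the windows that raised at least one alert."""
    return [(i, a) for i, w in enumerate(windows)
            if (a := detect(baseline, w, k))]


# Constructed observation stream: two normal windows, then a SYN flood.
OBSERVED_WINDOWS = [
    {"ICMP": 41, "TCP_SYN": 320, "UDP": 540, "IP_FRAG": 6},
    {"ICMP": 42, "TCP_SYN": 330, "UDP": 560, "IP_FRAG": 5},
    {"ICMP": 40, "TCP_SYN": 5000, "UDP": 520, "IP_FRAG": 6},
]

if __name__ == "__main__":
    base = learn_baseline(NORMAL_WINDOWS)
    for index, alerts in scan(base, OBSERVED_WINDOWS):
        for a in alerts:
            print(f"window {index}: {a['type']} count {a['count']} "
                  f"exceeds {a['threshold']} ({a['sigmas']} sigma)")
```

Keeping the baseline per packet type is what lets a SYN flood stand out while ICMP, UDP and fragment counts stay within their bands; a single aggregate packet-rate threshold would be both noisier and easier for an attacker to stay under. In a deployment the baseline would also be kept per time of day and re-learned periodically, and the learning windows themselves must be checked so that an attack in progress is not learned as “normal”.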
Other useful documents:
Thanks for your link to our video on DDOS. If needs be, we could put an English version of that video on tape. Do you think that this would be worthwhile? Please advise.