Distributed Deniel Of Service attacks. A proposal based on routing.
-------------------------------------------------------------------
(version 1.0)
Disclaimer
----------
The opinions expressed here are mine only. My current employer does not
hold any responsability over them.
This is only a proposal that must be considered as _draft_ or _work in
progress_. It is made available to the Internet community as a contribution to
fight the DDOS threat. It is published as and 'thinking starting point' rather
than as closed solution.
Please be aware that assesments made here could be wrong. I'd love to
here corrections and refutals.
Abstract
--------
This paper describes a technique that -hopefully- can be used to defeat
the recent DDOS attacks. The solution presented here is bases on routing. It
requires a certain amount of extra network infrastructure.
Introduction
------------
Recent attacks to big Internet sites such as Yahoo and CNN has possed
a threat on Internet security. The problem with these DDOS is that packets
come from spoofed addresses and tracking the source becomes a very complex
task involving cross-AS cooperation and a huge amount of time.
Some measures have been proposed, but they are based on filtering
forged packets at the origin, and this means action by an -a priori-
uniterested party. Furthermore little has been proposed to stop attacks as
they are being produced.
This paper introduces a method that can be used in some situations to
avoid this kind of attacks in a short time fraim. It's efectivy increases if it
is combined with origin-analysis techniques.
Description
-----------
We will introduce the proposed technique by means of an example. Let's
suppose example.com has an important web site. During the scope of this paper
we will asume we are not interested on any other service than www, although
this method can be applied to protect another services (but not all of them).
Another simplification will be to assume that example.com has only one link to
the Internet.
We can draw example.com current infrastructure like this:
+--------+
-a--| | +---------------+
| | | | +-----------------+
-b--| ISP +-----d------+ example.com's +-----+ www.example.com |
| | | border router | +-----------------+
-c--| | +---------------+ \
+--------+ \ 10.0.0.2
10.0.0.1
Being: a, b and c the ISP links to the Internet, and d a link between the ISP
and example.com. Let 10.0.0.1 be the IP assigned to the internal interface of
the border router and 10.0.0.2 the IP assigned to www.example.com public web
server.
It can be argued that there must be a firewall in between, but this is
not relevant to the proposal.
The proposed technique is about changing the IP addresses of the hosts
being attacked and diverting the IP block under attack to a stub network
where traffic can be analyzed to track it down, or just dropped.
In order to be ready to a massive DDOS attack, example.com should
change its network structure to something like:
+--------------+
+----e-----+ stub network |
| +--------------+
+--------+ |
-a--| | | +---------------+
| | | | | +-----------------+
-b--| ISP +-+---d------+ example.com's +-----+ www.example.com |
| | | border router | +-----------------+
-c--| | +---------------+ \
+--------+ \ 10.0.0.2 and 10.0.1.2
10.0.0.1 and 10.0.1.1
+---------------+
| example.com's |
| DNS server |
| where |
| www=10.0.0.2 |
+---------------+
In case a DDOS attack against example.com is detected, the following
actions should be carried on:
1- dial up connection to example.com's externally located DNS server
(possible many of them in order to complicate DDOSing both www and DNS
servers) to make www.example.com point to 10.0.1.2.
2- phone call to ISP to route traffic to 10.0.0.x to the stub network and start
routing the 10.0.1 network.
These simple steps would divert the attack to a place where it doesn't
disrupts example.com functionality and where it can be tracked down.
Of course the attacker can notice the change, and:
a) attack also the new network. In this case his 'firing power' against each
network would be halfed. This opens the chance to example.com to have many
networks to be used for such cases. Hopefully, a sufficient number of networks
would make the amount of traffic received by each one large enough to be
handled by undelying infraestructure.
b) attack _only_ the new network. example.com can switch back to the old one,
or even a new one. Maybe this is the best move the attacker can made, but if
he does the comprised machines would create a pattern of traffic very easily
identified by a distributed network scanner that can consult a central site
for patterns and can _hopefully_ be run on periodic bases by ISPs concerned
about Internet safety.
Conclusion
----------
A method for defeating DDOS attacks on real time has been depicted.
This method is not bullet proof and requires a certain amount of extra network
infrastructure.
Publishing it in its actual form main purposed is having it enhanced
by the Internet community.
Fernando P. Schapachnik
Administración de la red
VIA NET.WORKS ARGENTINA S.A.
fernando@via-net-works.net.ar
(54-11) 4323-3333
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:36:22 PDT