DDoS Response: Part 1
September 8th, 2009
Distributed-denial-of-service (DDoS) attacks can be conducted in various ways (SYN flood, UDP flood, Teardrop attack, Ping of Death, Smurfing, mail bombing, etc.). They can exploit vulnerabilities in software running on the victim’s machine, or simply send a higher volume of traffic than the victim’s system can handle. The attacks can target resources (such as the network layer, a network link, or end-host systems) or the routes to those resources. They frequently involve botnets and are used to extort ransoms from websites in the online gambling business. Some recent examples include Sportingbet Australia and Sports Alive; the latter was down for almost an entire day in August.
These days you can find many reports and papers on DDoS attacks. Most of these articles explain how attacks occur, but only a few discuss how Internet service providers can protect their customers from this threat. That is why I wrote this two-part post.
The following image shows how a typical DDoS attack takes place:

In return for payment or to suit themselves, botmasters start DDoS attacks by relaying instructions via their command-and-control servers to their bots, which simultaneously send fake traffic to the victim to disrupt service. While trying to process these packets or requests, the victim’s system consumes all of its available resources and crashes or becomes unresponsive.
The first method ISPs can use to mitigate attacks is redirection or black-hole routing:

When implemented, all traffic going to the victim’s address is forwarded to a “discard pile.” Any router configured this way will eliminate all traffic, the good and the bad, sent to the victim. If an ecommerce website works almost exclusively with national consumers, a black-hole mechanism implemented at the international perimeter can be a good temporary solution to release bandwidth and to make resources available to regular users again. But the botnet is not really impacted, and bots within the national perimeter are still active. In this example, however, we anticipate that the remaining DDoS effort will not greatly impact the victim.
A more effective solution is filtering:

With packet filtering, we can distinguish the bad packets from the good packets. Only the good packets are transmitted to the recipient. However, traditional packet filtering can be inadequate to mitigate botnets that dynamically or rapidly modify their configuration, and flooding attacks that use legitimate services can often succeed. The IP protocol and its forwarding mechanisms also make it difficult for an ISP to identify the real origin of a packet. Furthermore, DDoS attackers can use spoofed IP addresses. To make up for this gap, we have a third technique: traceback.

With IP traceback mechanisms, we can find the true source of the attacks. We can determine the origin of the attack (or a point near it) and block it at the point nearest to its source.
Rate limiting is another effective technique. It imposes a rate limit on high-bandwidth incoming traffic for streams that are characterized as malicious:

Traffic in a rate-limited stream, whether good or bad, is subjected to the limit, so the probability of false positives is also high. In Part 2, we shall look at some other solutions, as well as references for reports and a university thesis that helped me in this discussion.
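To make the false-positive point concrete, here is an added example (not from the original post) that simulates the rate limiting described above: a token bucket applied per source /24 prefix to a constructed packet trace in which three bots and one legitimate customer share the same prefix while a second customer sits in an unflagged prefix. The addresses, packet sizes and rates are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Packet:
    t_ms: int      # arrival time in milliseconds (integers keep the maths exact)
    src: str       # source address (constructed, from documentation ranges)
    size: int      # bytes
    legit: bool    # ground truth, used only to measure false positives

class TokenBucket:
    """Token bucket: refills at `rate` bytes/ms, holds at most `burst` bytes."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0
    def allow(self, t_ms, size):
        self.tokens = min(self.burst, self.tokens + (t_ms - self.last) * self.rate)
        self.last = t_ms
        if self.tokens < size:
            return False
        self.tokens -= size
        return True

def stream_key(pkt):
    # A "stream" is the source /24 prefix here: a coarse classification an ISP
    # edge can apply cheaply, which is exactly why it also catches bystanders.
    return ".".join(pkt.src.split(".")[:3]) + ".0/24"

def rate_limit(packets, suspicious, rate, burst):
    """Token-bucket only the streams flagged as malicious; count the outcome."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    stats = defaultdict(int)
    for p in sorted(packets, key=lambda p: p.t_ms):  # stable: list order breaks ties
        key = stream_key(p)
        passed = key not in suspicious or buckets[key].allow(p.t_ms, p.size)
        stats[("forwarded_" if passed else "dropped_") + ("good" if p.legit else "bad")] += 1
    return dict(stats)

def sample_traffic():
    """Constructed trace: three bots flood at 1.2 MB/s from 198.51.100.0/24, a real
    customer shares that prefix, and another customer sits in 192.0.2.0/24."""
    pkts = [Packet(i, f"198.51.100.{10 + i % 3}", 1200, False) for i in range(300)]
    pkts += [Packet(15 * i, "198.51.100.77", 600, True) for i in range(20)]
    pkts += [Packet(15 * i, "192.0.2.5", 600, True) for i in range(20)]
    return pkts

def demo():
    # Throttle the flagged prefix to 100 bytes/ms (800 kbit/s) with a 6 KB burst.
    return rate_limit(sample_traffic(), {"198.51.100.0/24"}, rate=100, burst=6000)
```

Running `demo()` shows the bots losing most of their packets, but the customer who shares the flagged prefix loses almost half of hers as well, while the customer in the unflagged prefix is untouched.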