McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Create Account | Login  | What is TrustedSource?
 
Home  Threats and Trends  McAfee Research Blog
TrustedSource™ Query
Enter IP address, domain name or URL to check reputation/traffic patterns:
Search
 


Latest Malware Threats
 RSS Feed
Win32.Weird.e2010-02-02
Win32.Tolone2010-02-02
Worm.IrcBot.14786562009-12-10
Trojan.Drop.Agent.poa.22009-12-10
Trojan.Magania.1059882009-12-08
Trojan.PSW.Frethog.AJ.22009-12-08
View Malware Library
 

McAfee Research Blog

DDoS Response: Part 2

September 8th, 2009

In my post “DDoS Response: Part 1,” I started an analysis on combating distributed-denial-of-service attacks. In this post, Part 2, I shall examine solutions for private networks.

To proactively prevent attacks on private networks, one solution is to hide the legitimate paths from attackers and to periodically change the topology of the network. Source-address filtering, secret proxy servers (servlets), and virtual overlay network (with Secure Overlay Access Points, SOAPs) are helpful in a reconfiguration scheme:

null

Any transmissions that wish to pass the overlay must first be validated at entry points of the overlay (SOAP machines). Only confirmed users can access the network. If the attacker discovers the address of the filtering router in front of the client, a brute force attack is still possible.

Another solution for protecting a private network is to use a cryptographic process such as “client puzzle.” This method requires a client to sacrifice some of its resources to prove that it is legitimate. Basically, when a server comes under attack, it distributes small cryptographic puzzles to clients making service requests. To complete the request, the client must solve the puzzle correctly:

null

Other solutions filter and mitigate DDoS traffic. In resource replication (for example, XenoService), the victim or the network responds to DDoS attacks by producing replicas of the resources in demand. Legitimacy testing (NetBouncer) can distinguish legitimate from illegitimate traffic. Using containment, ISPs can employ honeypots to trap malicious code, which can then be studied and blocked.

For these posts, I consulted various white papers and thesis reports. The most significant is an impressive (204 pages) August 2008 Ph.D. thesis submitted to Imperial College London by Dr. Vrizlynn Thing Ling Ling.

I extracted the following table to summarize the usefulness of the responses I have already described:

 RESPONSES WHEN AND WHY?
Traceback When spoofing is used. For locating nearest point to the attack sources.
Containment Mainly used as a diversion away from real targets.
Reconfiguration Configuration changes in the network, such as route changes, to isolate “authenticated” legitimate traffic from attack traffic. Allows dropping of attack traffic in the case of highly reliable isolation.
Redirection Redirection to a black hole will be considered as filtering here.
Filtering When confidence level of detection is high and identifiable attack flows are present, filtering on traffic matching these identities should be performed.
Rate limiting As an initial response during a flooding attack to prevent the network from being overwhelmed. When the confidence level of detection is low. When it’s not possible to form an identifiable signature to distinguish attack traffic from legitimate traffic.
Resource replication When it is actually a flash crowd and not a DDoS attack, more resources are allocated to handle the massive number of legitimate service requests.
Legitimacy testing To authenticate clients by performing tests for verification. Assuming that such tests are widely deployed on Internet hosts and that the legitimate users will observe the “rules of the game” if they want their request served.
Attackers’ resource consumption To have the clients sacrifice their own resources to prove that they are willing to do so for their requests to be fulfilled. In a way, it may allow a server to distinguish between legitimate traffic and DDoS attack traffic if attack hosts are not willing to work on the puzzles. If they are prepared to allocate resources to work on puzzles for each attack request, it will slow down the attack hosts. It is also assumed that such puzzle algorithms are widely deployed on Internet hosts.

At McAfee, equipment in the McAfee Network Security Platform series can help customers in this fight.
null

McAfee’s NSP (formerly IntruShield) sensors can detect DDoS attacks by learning the network’s “normal” traffic behaviors and detecting attacks based on deviations from these normal behaviors, including packet counts and rates for various types of packets such as ICMP, TCP SYN, UDP, IP fragments, etc. Details are available in the two McAfee white papers listed below.

Other useful documents:

Back to McAfee Research Blog overview

McAfee Homepage | Contact | Privacy Policy

Copyright © 2007-2009 McAfee, Inc. All Rights Reserved.

ANY INFORMATION PROVIDED BY MCAFEE ON THIS BLOG ARE OFFERED "AS IS" WITH NO EXPRESS OR IMPLIED WARRANTIES, CLAIMS, PROMISES OR GUARANTEES ABOUT THE ACCURACY, COMPLETENESS, OR ADEQUACY OF THE INFORMATION CONTAINED IN OR LINKED TO AND NO RIGHTS ARE CONFERRED. BY USING THIS BLOG, YOU ASSUME ALL RISK FOR YOUR USE. IN NO EVENT WILL MCAFEE BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL, EXEMPLARY, OR OTHER DAMAGES WHETHER OR NOT MCAFEE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE. MCAFEE HAS NO OBLIGATION TO POST BLOG SUBMISSIONS OR RESPONSES.