Friday, July 22, 2011

DDoS Mitigation Techniques - State of the Art

This article discusses different DDoS mitigation schemes in use among the state of the art DDoS mitigation appliances.


Introduction



Firewalls, switches, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) have commonly been used in the past as security perimeter appliances. A new generation of attacks that these appliances cannot stop has now become common. Distributed Denial of Service (DDoS) attacks have become very common because botnets are easily available. New techniques have evolved in the industry to thwart DDoS attacks. This knol discusses these new and upcoming techniques.


SYN Proxy

This is one of the earliest techniques for handling spoofed DDoS attacks. During a SYN flood, a few machines spoof source IP addresses and send SYN packets. When a server receives these connection requests, it responds with TCP SYN/ACK packets and adds entries for those connections to its own connection table. Since the spoofed IP addresses don't really exist, they never respond to the SYN/ACK, so the connection table stays full for a long time. This effectively denies access to new, legitimate connections.
A SYN Proxy is a mechanism, usually implemented by an intermediate appliance that sits in front of the actual server, in which the appliance answers the SYN itself. Until the source, spoofed or not, responds with the final ACK, the connection request is not forwarded to the server.
This ensures that under SYN flood, all connection requests are screened and only those that are legitimate are forwarded.


Connection Limiting

Too many connections can overload a server. By limiting the number of new connection requests, you can temporarily give the server respite. This is done by giving preference to existing connections and limiting new connection requests.

Aggressive Aging

Some botnet attacks involve opening a legitimate connection and then doing nothing at all. Such idle connections fill up the connection tables in firewalls and servers. By aggressively aging such idle connections, you can give both some relief. Aggressive aging involves removing the connections from the tables and may also involve sending a TCP RST packet to the server/firewall so that it frees its own entry.
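To make the two mechanisms concrete, here is an added example (written for this article, not IntruGuard code) of a small connection table that refuses new connections beyond a limit while always serving existing ones, and ages out idle entries while recording the RST it would send toward the server; the limits, addresses and timestamps are constructed.

```python
class ConnectionTable:
    """Added example: connection limiting plus aggressive aging of idle entries."""

    def __init__(self, max_conns, idle_timeout):
        self.max_conns = max_conns
        self.idle_timeout = idle_timeout
        self.conns = {}      # (src ip, src port) -> timestamp of last activity
        self.rst_sent = []   # aged-out connections for which a RST went to the server

    def age_idle(self, now):
        """Aggressive aging: drop idle entries and record a RST toward the server."""
        expired = [k for k, last in self.conns.items() if now - last >= self.idle_timeout]
        for k in expired:
            del self.conns[k]
            self.rst_sent.append(k)      # lets the server free its own table entry
        return len(expired)

    def on_packet(self, src, sport, now):
        """Return True if the packet is admitted, False if a new connection is refused.

        Packets of existing connections are always preferred; a new connection is
        accepted only if the table, after aging, is still below its limit.
        """
        key = (src, sport)
        if key in self.conns:
            self.conns[key] = now
            return True
        self.age_idle(now)
        if len(self.conns) >= self.max_conns:
            return False
        self.conns[key] = now
        return True

def simulate():
    """Constructed scenario: three bots connect and go idle, a user arrives later."""
    table = ConnectionTable(max_conns=3, idle_timeout=10)
    for i in range(3):
        table.on_packet("10.0.0.%d" % (i + 1), 40000, now=0)
    refused = not table.on_packet("192.0.2.10", 50000, now=5)    # table full, user refused
    admitted = table.on_packet("192.0.2.10", 50000, now=12)      # bots aged out, user admitted
    return refused, admitted, len(table.rst_sent)
```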


Source Rate Limiting

When only a limited number of sources are available to a bot-master, he/she can use them to send packets aggressively. These high-rate packets can burden the server. Multi-threaded attacks cause such patterns of attack. By identifying outlier IP addresses that break the norm, you can deny them access to excessive bandwidth. Since the IP addresses in such attacks are not predictable, it is important to keep track of millions of IP addresses and their behavior in order to isolate the outliers. Such isolation can only be done in silicon; it is difficult to achieve using software-only techniques because of the excessive memory bandwidth required.

Dynamic Filtering

Static filtering is a common technique in firewalls, switches and routers and is usually achieved using Access Control Lists (ACLs). Dynamic filtering is required when the attack and the attackers change constantly. Dynamic filtering is done by identifying undisciplined behavior and punishing it for a short time: a short-lived filtering rule is created and removed again once that time span has elapsed.

Active Verification through Legitimate IP Address Matching

While SYN Proxy is a great anti-spoofing technique, if the appliance keeps sending a SYN/ACK back for every SYN during a flood, that adds too much outbound traffic within a short time. To avoid such a reverse flood, it is necessary to cache identified legitimate IPs in a memory table for a limited period of time and then let them through without the SYN proxy check. It is quite possible for attackers to misuse such holes, so further checks on the legitimate IP addresses are necessary, such as rate limiting zombies that are able to complete the 3-way handshake.
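The SYN Proxy section and this one describe one mechanism with a cache bolted on, so a single added example covers both (written for this article; not IntruGuard code). It answers each SYN with its own SYN/ACK, forwards a connection only when the matching ACK arrives, caches sources that completed the handshake so they skip the check for a while, and limits how many connections a cached source may open so a handshake-capable zombie cannot abuse the bypass. Timeouts, limits and addresses are constructed.

```python
import secrets

class SynProxy:
    """Added example: SYN proxy with a cache of verified (legitimate) source IPs.

    Every SYN is answered with the proxy's own SYN/ACK; the connection is
    forwarded only when the matching ACK arrives. Sources that complete the
    handshake are cached for cache_ttl seconds and skip the check afterwards,
    but each cached source may open at most max_new connections per cache
    period, so a zombie that can finish handshakes cannot abuse the bypass.
    """

    def __init__(self, cache_ttl=60, max_new=5, syn_timeout=5):
        self.cache_ttl, self.max_new, self.syn_timeout = cache_ttl, max_new, syn_timeout
        self.pending = {}     # (src, sport) -> (expected ack number, deadline)
        self.legit = {}       # src -> [cache expiry, connections opened so far]
        self.forwarded = []   # connections handed to the real server

    def _forward(self, src, sport, now):
        entry = self.legit.get(src)
        if entry is None or entry[0] <= now:           # new or expired cache entry
            entry = self.legit[src] = [now + self.cache_ttl, 0]
        if entry[1] >= self.max_new:
            return "rate-limited"
        entry[1] += 1
        self.forwarded.append((src, sport))
        return "forwarded"

    def on_syn(self, src, sport, now):
        """Cached legitimate sources go straight through; others get a SYN/ACK."""
        entry = self.legit.get(src)
        if entry and entry[0] > now:
            return self._forward(src, sport, now)
        isn = secrets.randbits(32)                     # proxy's own initial sequence number
        self.pending[(src, sport)] = (isn + 1, now + self.syn_timeout)
        return "syn-ack %d" % isn

    def on_ack(self, src, sport, ack, now):
        """Forward only if the ACK matches the SYN/ACK we sent and is not stale."""
        entry = self.pending.pop((src, sport), None)
        if entry is None or entry[0] != ack or now > entry[1]:
            return "dropped"
        return self._forward(src, sport, now)

    def half_open(self, now):
        """Count SYNs still waiting for an ACK; spoofed sources simply time out."""
        self.pending = {k: v for k, v in self.pending.items() if v[1] > now}
        return len(self.pending)
```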


Anomaly Recognition

Most DDoS attacks are written using scripts which continuously vary a few parameters in the network packets. By performing anomaly checks on headers, state and rate, an appliance can filter out most attack packets which otherwise would pass simple firewall rules.

Protocol Analysis

Similar to header, state and rate anomalies, further protocol analysis can bring out issues that would otherwise pass through a generic firewall.

Granular Rate Limiting

DDoS attacks are unpredictable and are usually carried out by scripted bots. The packets that reach the server differ from each other. There is, however, some self-similarity among all the attack packets within a single attack.

Granular Rate Limiting is a technique that identifies rate violations relative to past behavior. Rate thresholds are set from the behavior observed during a training session and are adjusted adaptively over time.
Granularity refers to the various parameters available in the layer 3, layer 4 and layer 7 headers. These include packet rates per source, destination, protocol, fragment and port, and per HTTP method, URL, User-Agent, Cookie, Host, Referer etc.
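As an added example of the training-then-adapt idea (not code from the article or from any product), the class below counts each second of traffic per granular key (source, port, HTTP method, URL, User-Agent), learns a per-key threshold from clean training seconds as mean plus a margin of standard deviations, reports keys that exceed their threshold, and slowly moves the learned mean for keys that stay within bounds. Packet records, rates and the margin are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

HEADERS = ("method", "url", "user_agent")   # layer 7 parameters tracked per packet

def count_keys(pkts):
    """Count packets per granular key: per source, per port and per HTTP header value."""
    counts = defaultdict(int)
    for p in pkts:
        for k in [("src", p["src"]), ("dport", p["dport"])] + [(h, p[h]) for h in HEADERS if h in p]:
            counts[k] += 1
    return counts

class GranularRateLimiter:
    """Added example: per-key thresholds learned in training and adapted over time."""

    def __init__(self, margin=3.0, min_rate=20, alpha=0.1):
        self.margin, self.min_rate, self.alpha = margin, min_rate, alpha
        self.base = {}   # key -> [mean packets per second, standard deviation]

    def train(self, buckets):
        """buckets: list of packet lists, one per second of clean training traffic."""
        series = defaultdict(lambda: [0] * len(buckets))
        for i, pkts in enumerate(buckets):
            for k, n in count_keys(pkts).items():
                series[k][i] = n
        for k, s in series.items():
            self.base[k] = [mean(s), pstdev(s)]

    def threshold(self, key):
        mu, sd = self.base.get(key, [0.0, 0.0])    # unseen keys get the floor
        return max(self.min_rate, mu + self.margin * sd)

    def check(self, pkts):
        """Return (key, count, threshold) violations for one second of traffic."""
        violations = []
        for k, n in count_keys(pkts).items():
            t = self.threshold(k)
            if n > t:
                violations.append((k, n, round(t, 1)))
            elif k in self.base:   # adapt: slow legitimate drift moves the learned mean
                self.base[k][0] = (1 - self.alpha) * self.base[k][0] + self.alpha * n
        return violations

def make_second(bot=0):
    """Constructed one-second traffic: two browsing users plus an optional bot flood."""
    user = {"dport": 80, "method": "GET", "user_agent": "Mozilla/5.0"}
    pkts = [dict(user, src="198.51.100.1", url="/")] * 10
    pkts += [dict(user, src="198.51.100.2", url="/login")] * 10
    return pkts + [{"src": "203.0.113.9", "dport": 80, "method": "POST", "url": "/login",
                    "user_agent": "python-requests/2.25"}] * bot
```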

Country Based Access Control Lists (ACL)

Most botnet traffic originates from a limited number of countries, and these may not be the places from which you expect traffic. By filtering traffic based on country, you can reduce the traffic load significantly, including the spoofed traffic. However, doing this in software may carry a large performance penalty. Look for an implementation in hardware logic.

White-list, Black-list, Non-tracked Sources

In any network, there will always be some IP addresses that you want to deny or allow. White-listing and black-listing capabilities are useful during a DDoS attack to ensure that such rules are honored regardless of rate violations.

Since rate anomalies are behavioral, all behaviors are learned from the past. Therefore, if you don't want some behavior to be learned, you must not track it, which is done by creating an exception. Such non-tracked sources include backup machines that do large amounts of I/O at specific times, Content Delivery Networks (CDN) etc.

State Anomaly Recognition

TCP is the most commonly used protocol for web infrastructure. TCP is a stateful protocol and follows certain rules. Since most bots are scripted, they often break these rules. A state anomaly recognition engine looks for illegal TCP state transitions, foreign packets (packets belonging to connections that were never properly established) and TCP window violations.
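Here is an added example (not from the article) of such an engine in miniature: a simplified TCP state machine keyed on the two endpoints, which labels a packet as an illegal transition, a foreign packet, or a window violation against the window the server last advertised. The packet record type, the reduced set of legal transitions and the sample flows are constructed; a real engine would also track sequence-number continuity, retransmissions and timers.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src dst flags seq ack win len")  # src/dst are "ip:port"; flags from S, A, F, R

class TcpStateAnomalyEngine:
    """Added example: simplified TCP state tracking that names each anomaly:
    'illegal-transition' (no legal transition), 'foreign' (non-SYN packet for a
    flow never set up), 'window-violation' (client data beyond the advertised window).
    """

    LEGAL = {   # (state, direction, flags) -> next state; the first SYN defines the client
        ("NONE", "c2s", "S"): "SYN_SENT",
        ("SYN_SENT", "s2c", "SA"): "SYN_RECV",
        ("SYN_RECV", "c2s", "A"): "ESTABLISHED",
        ("ESTABLISHED", "c2s", "A"): "ESTABLISHED",
        ("ESTABLISHED", "s2c", "A"): "ESTABLISHED",
        ("ESTABLISHED", "c2s", "FA"): "CLOSING",
        ("ESTABLISHED", "s2c", "FA"): "CLOSING",
        ("CLOSING", "c2s", "FA"): "CLOSED",
        ("CLOSING", "s2c", "FA"): "CLOSED",
    }

    def __init__(self):
        self.flows = {}   # frozenset({client, server}) -> flow record

    def inspect(self, pkt):
        """Return None for a normal packet, otherwise the anomaly name."""
        key = frozenset((pkt.src, pkt.dst))
        flow = self.flows.get(key)
        if "R" in pkt.flags:                      # RST tears the flow down either way
            self.flows.pop(key, None)
            return None if flow else "foreign"
        if flow is None:
            if pkt.flags != "S":
                return "foreign"
            flow = self.flows[key] = {"state": "NONE", "client": pkt.src, "srv_ack": 0, "srv_win": 0}
        direction = "c2s" if pkt.src == flow["client"] else "s2c"
        new_state = self.LEGAL.get((flow["state"], direction, pkt.flags))
        if new_state is None:
            return "illegal-transition"
        if direction == "s2c":                    # remember what the server will accept
            flow["srv_ack"], flow["srv_win"] = pkt.ack, pkt.win
        elif pkt.len and pkt.seq + pkt.len > flow["srv_ack"] + flow["srv_win"]:
            return "window-violation"
        flow["state"] = new_state
        if new_state == "CLOSED":
            del self.flows[key]
```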

Stealth Attack Filtering

Before an attack there are precursors, which take the form of scans. Network scans to discover the IP addresses in use are common, as are port scans to discover the TCP and UDP ports that respond to connections. By identifying such scans and the corresponding attackers, you can take precautions against a future full-blown attack.
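The detection side of this, as an added example that is not part of the article: over constructed connection-attempt records, a source that touches many distinct ports on one host within a short window is reported as a port scanner, and one that touches many distinct hosts as a network scanner. The window and thresholds are constructed and would be tuned per site.

```python
from collections import defaultdict

def detect_scans(events, window=10.0, port_threshold=15, host_threshold=10):
    """Added example: flag precursor scans in (time, src, dst, dport) attempt records.

    A source that touches more than port_threshold distinct ports on one host
    within `window` seconds is a port scanner; one that touches more than
    host_threshold distinct hosts in that window is a network scanner.
    Returns {src: set of finding names} for sources worth watching.
    """
    by_src = defaultdict(list)
    for t, src, dst, dport in sorted(events):
        by_src[src].append((t, dst, dport))
    findings = defaultdict(set)
    for src, attempts in by_src.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:   # slide the window
                start += 1
            recent = attempts[start:end + 1]
            if len({d for _, d, _ in recent}) > host_threshold:
                findings[src].add("network-scan")
            ports_per_host = defaultdict(set)
            for _, d, p in recent:
                ports_per_host[d].add(p)
            if any(len(ps) > port_threshold for ps in ports_per_host.values()):
                findings[src].add("port-scan")
    return dict(findings)

def sample_events():
    """Constructed records: a web user, a port scanner and a network sweep."""
    ev = [(t * 0.5, "198.51.100.1", "203.0.113.10", 443) for t in range(20)]
    ev += [(t * 0.1, "192.0.2.66", "203.0.113.10", 1 + t) for t in range(40)]
    ev += [(t * 0.2, "192.0.2.77", "203.0.113.%d" % (1 + t), 22) for t in range(30)]
    return ev
```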

Dark Address Scan Prevention

Dark addresses are IP addresses that have not yet been assigned by IANA; they are also called bogon addresses. Any packet coming from or going to a dark address is a sign of spoofing. By blocking them, you can block a substantial percentage of the spoofed DDoS packets.

A Typical DDoS Mitigation Stack
What About Botnet Attacks?

Now that you understand the techniques for the previous generation of DDoS attacks, you may want to learn more about the current generation of botnet attacks, which involve access that mimics legitimate users.
For further information, please see a white paper from IntruGuard on: