An analysis of using reflectors for distributed denial-of-service attacks

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

An analysis of using reflectors for distributed denial-of-service attacks

Full text

Pdf (1.02 MB)

Source

ACM SIGCOMM Computer Communication Review archive
Volume 31 , Issue 3 (July 2001) table of contents

SESSION: Papers table of contents

Pages: 38 - 47

Year of Publication: 2001

ISSN:0146-4833

Author

Vern Paxson

International Computer Science Institute, Berkeley, CA

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 21, Downloads (12 Months): 160, Citation Count: 38

Additional Information:

abstract references cited by collaborative colleagues

Tools and Actions:	Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/505659.505664 What is a DOI?

ABSTRACT

Attackers can render distributed denial-of-service attacks more difficult to defend against by bouncing their flooding traffic off of reflectors; that is, by spoofing requests from the victim to a large set of Internet servers that will in turn send their combined replies to the victim. The resulting dilution of locality in the flooding stream complicates the victim's abilities both to isolate the attack traffic in order to block it, and to use traceback techniques for locating the source of streams of packets with spoofed source addresses, such as ITRACE [Be00a], probabilistic packet marking [SWKA00], [SP01], and SPIE [S+01]. We discuss a number of possible defenses against reflector attacks, finding that most prove impractical, and then assess the degree to which different forms of reflector traffic will have characteristic signatures that the victim can use to identify and filter out the attack traffic. Our analysis indicates that three types of reflectors pose particularly significant threats: DNS and Gnutella servers, and TCP-based servers (particularly Web servers) running on TCP implementations that suffer from predictable initial sequence numbers. We argue in conclusion in support of "reverse ITRACE" [Ba00] and for the utility of packet traceback techniques that work even for low volume flows, such as SPIE.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	{Ba00} C. Barros, "{LONG} A Proposal for ICMP Traceback Messages," http://www.research.att.com/lists/ietf-itrace/2000/09/msg00044.html, Sept. 18, 2000.
	2	{Be96} S. Bellovin, "Defending Against Sequence Number Attacks," RFC 1948, May 1996.
	3	{Be00a} S. Bellovin, "ICMP Traceback Messages," Internet Draft, http://www.research.att.com/~smb/papers/draft-bellovin-itrace-00.txt, March 2000.
	4	{Be00b} S. Bellovin, "Security Aspects of Napster and Gnutella," http://www.research.att.com/~smb/talks/NapsterGnutella/index.htm, June 2000.
	5	{Br94} R. Braden, "T/TCP --- TCP Extensions for Transactions: Functional Specification," RFC 1644, July 1994.
	6	{CFSD90} J. Case, M. Fedor, M. Schoffstall and C. Davin, "Simple Network Management Protocol (SNMP)," RFC 1157, May 1990.
	7	{Ce97} CERT Coordination Center, "FTP Bounce," CERT Advisory CA-1997-27, http://www.cert.org/advisories/CA-1997-27.html, December 1997.
	8	{F+00} D. Farinacci, T. Li, S. Hanks, D. Meyer and P. Traina, "Generic Routing Encapsulation (GRE), RFC 2784, March 2000.
	9	{FS00} P. Ferguson and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing," RFC 2827, May 2000.
	10	{Gn00} Gnutella, http://gnutella.wego.com, 2000.
	11	{Gu01} Guardent, "Guardent releases information regarding flaw in Internet infrastructure," http://www.guardent.com/pr2001-03-12-ips.html, March 2001.
	12	{Me00} P. Metzger, private communication, February 2000.
	13	{Mo87} P. Mockapetris, "Domain names --- implementation and specification," RFC 1035, November 1987.
	14	{Mo90} J. Mogul and S. Deering, "Path MTU discovery," RFC 1191, November 1990.
	15	{NBBB98} K. Nichols, S. Blake, F. Baker and D. Black, "Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers," RFC 2474, December 1998.
	16	Vern Paxson, Bro: a system for detecting network intruders in real-time, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.31 n.23-24, p.2435-2463, Dec. 1999 [doi>10.1016/S1389-1286(99)00112-7]
	17	{Po80} J. Postel, "User Datagram Protocol," RFC 768, August 1980.
	18	{Po81a} J. Postel, "Internet Protocol," RFC 791, September 1981.
	19	{Po81b} J. Postel, "Internet Control Message Protocol," RFC 792, September 1981.
	20	{Po81c} J. Postel, "Transmission Control Protocol," RFC 793, September 1981.
	21	{Po82} J. Postel, "Simple Mail Transfer Protocol," RFC 821, August 1982.
	22	{PR85} J. Postel and J. Reynolds, "File Transfer Protocol," RFC 959, October 1985.
	23	{RP94} J. Reynolds and J. Postel, "Assigned Numbers," RFC 1700, October 1994.
	24	Stefan Savage , Neal Cardwell , David Wetherall , Tom Anderson, TCP congestion control with a misbehaving receiver, ACM SIGCOMM Computer Communication Review, v.29 n.5, October 1999 [doi>10.1145/505696.505704]
	25	Stefan Savage , David Wetherall , Anna Karlin , Tom Anderson, Practical network support for IP traceback, Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, p.295-306, August 28-September 01, 2000, Stockholm, Sweden
	26	Alex C. Snoeren, Hash-based IP traceback, Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications, p.3-14, August 2001, San Diego, California, United States
	27	{SP01} D. Song and A. Perrig, "Advanced and Authenticated Marking Schemes for IP Traceback," Proc. IEEE INFOCOM, April 2001.

CITED BY 38

	Alefiya Hussain , John Heidemann , Christos Papadopoulos, A framework for classifying denial of service attacks, Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, August 25-29, 2003, Karlsruhe, Germany
	Brian Carrier , Clay Shields, The session token protocol for forensics and traceback, ACM Transactions on Information and System Security (TISSEC), v.7 n.3, p.333-362, August 2004
	Wu-chang Feng, The case for TCP/IP puzzles, ACM SIGCOMM Computer Communication Review, v.33 n.4, October 2003
	Alex C. Snoeren , Craig Partridge , Luis A. Sanchez , Christine E. Jones , Fabrice Tchakountio , Beverly Schwartz , Stephen T. Kent , W. Timothy Strayer, Single-packet IP traceback, IEEE/ACM Transactions on Networking (TON), v.10 n.6, p.721-734, December 2002
	Christos Douligeris , Aikaterini Mitrokotsa, DDoS attacks and defense mechanisms: classification and state-of-the-art, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.44 n.5, p.643-666, 5 April 2004
	Cheng Jin , Haining Wang , Kang G. Shin, Hop-count filtering: an effective defense against spoofed DDoS traffic, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA
	Kun-chan Lan , John Heidemann, A tool for RApid model parameterization and its applications, Proceedings of the ACM SIGCOMM workshop on Models, methods and tools for reproducible network research, August 25-27, 2003, Karlsruhe, Germany
	Yanet Manzano, Tracing the development of denial of service attacks: a corporate analogy, Crossroads, v.10 n.1, p.4-4, Fall 2003
	Alefiya Hussain , John Heidemann , Christos Papadopoulos, Distinguishing between single and multi-source attacks using signal processing, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.46 n.4, p.479-503, 15 November 2004
	Jelena Mirkovic , Peter Reiher, A taxonomy of DDoS attack and DDoS defense mechanisms, ACM SIGCOMM Computer Communication Review, v.34 n.2, April 2004
	Mark Handley , Adam Greenhalgh, Steps towards a DoS-resistant internet architecture, Proceedings of the ACM SIGCOMM workshop on Future directions in network architecture, August 30-30, 2004, Portland, Oregon, USA
	Ratul Mahajan , Steven M. Bellovin , Sally Floyd , John Ioannidis , Vern Paxson , Scott Shenker, Controlling high bandwidth aggregates in the network, ACM SIGCOMM Computer Communication Review, v.32 n.3, p.62-73, July 2002
	Ramana Rao Kompella , Sumeet Singh , George Varghese, On scalable attack detection in the network, Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, October 25-27, 2004, Taormina, Sicily, Italy
	Chatree Sangpachatanaruk , Sherif M. Khattab , Taieb Znati , Rami Melhem , Daniel Mossé, Design and analysis of a replicated elusive server scheme for mitigating denial of service attacks, Journal of Systems and Software, v.73 n.1, p.15-29, September 2004
	Haining Wang , Danlu Zhang , Kang G. Shin, Change-Point Monitoring for the Detection of DoS Attacks, IEEE Transactions on Dependable and Secure Computing, v.1 n.4, p.193-208, October 2004
	Rob Sherwood , Bobby Bhattacharjee , Ryan Braud, Misbehaving TCP receivers can cause internet-wide congestion collapse, Proceedings of the 12th ACM conference on Computer and communications security, November 07-11, 2005, Alexandria, VA, USA
	Michael T. Goodrich, Efficient packet marking for large-scale IP traceback, Proceedings of the 9th ACM conference on Computer and communications security, November 18-22, 2002, Washington, DC, USA
	Jarmo Mölsä, Mitigating denial of service attacks: a tutorial, Journal of Computer Security, v.13 n.6, p.807-837, December 2005
	Yogesh Prem Swami , Hannes Tschofenig, Protecting mobile devices from TCP flooding attacks, Proceedings of first ACM/IEEE international workshop on Mobility in the evolving internet architecture, December 01-01, 2006, San Francisco, California
	V. T. Lam , S. Antonatos , P. Akritidis , K. G. Anagnostakis, Puppetnets: misusing web browsers as a distributed attack infrastructure, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA
	Matthias Bossardt , Thomas Dübendorfer , Bernhard Plattner, Enhanced Internet security by a distributed traffic control service based on traffic ownership, Journal of Network and Computer Applications, v.30 n.3, p.841-857, August, 2007
	Andrey Belenky , Nirwan Ansari, On deterministic packet marking, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.10, p.2677-2700, July, 2007
	Zhiqiang Gao , Nirwan Ansari, A practical and robust inter-domain marking scheme for IP traceback, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.3, p.732-750, February, 2007
	Ramana Rao Kompella , Sumeet Singh , George Varghese, On scalable attack detection in the network, IEEE/ACM Transactions on Networking (TON), v.15 n.1, p.14-25, February 2007
	Haining Wang , Cheng Jin , Kang G. Shin, Defense against spoofed IP traffic using hop-count filtering, IEEE/ACM Transactions on Networking (TON), v.15 n.1, p.40-53, February 2007
	Robert Beverly , Steven Bauer, The spoofer project: inferring the extent of source address filtering on the internet, Proceedings of the Steps to Reducing Unwanted Traffic on the Internet on Steps to Reducing Unwanted Traffic on the Internet Workshop, p.8-8, July 07, 2005, Cambridge, MA
	Tao Peng , Christopher Leckie , Kotagiri Ramamohanarao, Information sharing for distributed intrusion detection systems, Journal of Network and Computer Applications, v.30 n.3, p.877-899, August, 2007
	Erol Gelenbe , George Loukas, A self-aware approach to denial of service defence, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.5, p.1299-1314, April, 2007
	Hikmat Farhat, Protecting TCP services from denial of service attacks, Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense, p.155-160, September 11-15, 2006, Pisa, Italy
	Daniel R. Simon , Sharad Agarwal , David A. Maltz, AS-based accountability as a cost-effective DDoS defense, Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets, p.9-9, April 10, 2007, Cambridge, MA
	Jun Li , Jelena Mirkovic , Toby Ehrenkranz , Mengqiu Wang , Peter Reiher , Lixia Zhang, Learning the valid incoming direction of IP packets, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.52 n.2, p.399-417, February, 2008
	Michael Durr , Ray Hunt, An analysis of security threats to mobile IPv6, International Journal of Internet Protocol Technology, v.3 n.2, p.107-118, September 2008
	Hiroshi Tsunoda , Kohei Ohta , Atsunori Yamamoto , Nirwan Ansari , Yuji Waizumi , Yoshiaki Nemoto, Detecting DRDoS attacks by a simple response packet confirmation mechanism, Computer Communications, v.31 n.14, p.3299-3306, September, 2008
	Haidar Safa , Mohamad Chouman , Hassan Artail , Marcel Karam, A collaborative defense mechanism against SYN flooding attacks in IP networks, Journal of Network and Computer Applications, v.31 n.4, p.509-534, November, 2008
	Spiros Antonatos , Periklis Akritidis , Vinh The Lam , Kostas G. Anagnostakis, Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure, ACM Transactions on Information and System Security (TISSEC), v.12 n.2, p.1-38, December 2008
	Minho Sung , Jun Xu , Jun Li , Li Li, Large-scale IP traceback in high-speed internet: practical techniques and information-theoretic foundation, IEEE/ACM Transactions on Networking (TON), v.16 n.6, p.1253-1266, December 2008
	Udaya Kiran Tupakula , Vijay Varadharajan , Srini Rao Pandalaneni, DoSTRACK: a system for defending against DoS attacks, Proceedings of the 2009 ACM symposium on Applied Computing, March 08-12, 2009, Honolulu, Hawaii
	Tao Peng , Christopher Leckie , Kotagiri Ramamohanarao, Survey of network-based defense mechanisms countering the DoS and DDoS problems, ACM Computing Surveys (CSUR), v.39 n.1, p.3-es, 2007

Collaborative Colleagues:

Vern Paxson: colleagues

Adobe Acrobat

QuickTime

Windows Media Player

Real Player