9.6 Countermeasures
Detection Techniques
- Detection techniques are based on identifying and discriminating the illegitimate traffic increase and flash events from legitimate packet traffic.
- All detection techniques define an attack as an abnormal and noticeable deviation from a threshold of normal network traffic statistics.
- Activity Profiling
- Wavelet-based Signal Analysis
- Changepoint Detection
Activity Profiling
- An attack is indicated by:
- An increase in activity levels among the network flow clusters.
- An increase in the overall number of distinct clusters (DDoS attack)
- An activity profile is built from the average packet rate of a network flow, where a flow consists of consecutive packets with similar packet header fields.
- The profile is obtained by monitoring the header information of network packets.
Wavelet-based Signal Analysis
- Wavelet analysis describes an input signal in terms of spectral components.
- Wavelets provide for concurrent time and frequency description.
- Analyzing each spectral window's energy determines the presence of anomalies.
- Signal analysis determines the time at which certain frequency components are present.
Sequential Change-Point Detection
- Isolate Traffic: Change-point detection algorithms isolate the changes in network traffic statistics that are caused by attacks.
- Filter Traffic: The algorithms filter the target traffic data by address, port, or protocol and store the resulting flow as a time series.
- Identify Attack: The sequential change-point detection technique uses the Cumulative Sum (CUSUM) algorithm to identify and locate DoS attacks; the algorithm calculates deviations of the actual local average from the expected local average in the traffic time series.
- Identify Scan Activity: This technique can also be used to identify the typical scanning activity of network worms.
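The CUSUM step above, as an added example that is not part of the original notes: a one-sided CUSUM over a constructed per-second packet-count series (the baseline window, slack k and threshold h are assumed parameters) that raises an alarm in the first second of the flood and reports where the deviation began.

```python
# Added example (not from the original notes): one-sided CUSUM change-point
# detection over a per-second packet-count time series for one filtered flow.
from statistics import mean, pstdev

# Constructed sample: 20 s of normal traffic (~50 pkt/s), then a flood.
PACKET_RATE = [48, 52, 50, 47, 53, 49, 51, 50, 48, 52,
               50, 49, 51, 47, 53, 50, 48, 52, 49, 51,
               180, 260, 340, 410, 470, 520, 560, 590, 610, 630]


def cusum_detect(series, baseline_len=10, k_sigmas=0.5, h_sigmas=5.0):
    """Return (alarm_index, cusum_values) for a positive-shift CUSUM.

    The first `baseline_len` samples give the expected local average mu and
    its standard deviation sigma. For each later sample x_t the statistic
        S_t = max(0, S_{t-1} + (x_t - mu) - k)
    accumulates deviations of the actual rate above the expected one; the
    slack k absorbs ordinary noise and h is the alarm threshold (both in
    sigmas; assumed values for this example, not tuned ones).
    """
    if len(series) <= baseline_len:
        raise ValueError("series must be longer than the baseline window")
    baseline = series[:baseline_len]
    mu = mean(baseline)
    sigma = pstdev(baseline) or 1.0  # a perfectly flat baseline still needs a scale
    k, h = k_sigmas * sigma, h_sigmas * sigma
    s, cusum, alarm = 0.0, [], None
    for i, x in enumerate(series):
        s = max(0.0, s + (x - mu) - k)
        cusum.append(s)
        if alarm is None and i >= baseline_len and s > h:
            alarm = i  # first index where the accumulated deviation exceeds h
    return alarm, cusum


def report(series=PACKET_RATE):
    """Locate the deviation: the alarm time and the last time S was at zero."""
    alarm, cusum = cusum_detect(series)
    if alarm is None:
        return "no change point detected"
    onset = max(i for i in range(alarm) if cusum[i] == 0.0) + 1
    return f"alarm at t={alarm}s (S={cusum[alarm]:.1f}), deviation began near t={onset}s"


if __name__ == "__main__":
    print(report())
```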
DoS/DDoS Countermeasure Strategies
- Absorbing the Attack:
- Use additional capacity to absorb the attack; this requires preplanning.
- It requires additional resources.
- Degrading Services:
- Identify critical services and stop non-critical services.
- Shutting Down the Services:
- Shut down all the services until the attack has subsided.
DDoS Attack Countermeasures
- Protect Secondary Victims
- Neutralize Handlers
- Prevent Potential Attacks
- Deflect Attacks
- Mitigate Attacks
- Post-attack Forensics
DoS/DDoS Attack Countermeasures: Protect Secondary Victims
- Install anti-virus and anti-Trojan software and keep these up-to-date.
- Increase awareness of security issues and prevention techniques in all Internet users.
- Disable unnecessary services, uninstall unused applications, and scan all the files received from external sources.
- Properly configure and regularly update the built-in defensive mechanisms in the core hardware and software of the system.
DoS/DDoS Attack Countermeasures: Detect and Neutralize Handlers
- Network Traffic Analysis: Analyze the communication protocols and traffic patterns between handlers and clients, or between handlers and agents, in order to identify the network nodes that might be infected by the handlers.
- Neutralize Botnet Handlers: There are usually few DDoS handlers deployed compared to the number of agents. Neutralizing a few handlers can render many agents useless, thus thwarting DDoS attacks.
- Spoofed Source Address: There is a good chance that the spoofed source address of DDoS attack packets is not a valid source address for the sub-network it claims to come from.
DoS/DDoS Countermeasures: Detect Potential Attacks
- Egress Filtering:
- Scans the headers of IP packets leaving a network.
- Egress filtering ensures that unauthorized or malicious traffic never leaves the internal network.
- Ingress Filtering:
- Protects against flooding attacks that originate from valid prefixes (IP addresses).
- It enables the originator to be traced to its true source.
- TCP Intercept:
- Configuring TCP Intercept prevents DoS attacks by intercepting and validating the TCP connection requests.
DoS/DDoS Countermeasures: Deflect Attacks
- Systems that are set up with limited security, also known as Honeypots, act as an enticement for an attacker.
- Honeypots serve as a means for gaining information about attackers, attack techniques and tools by storing a record of the system activities.
- Use defense-in-depth approach with IPSes at different network points to divert suspicious DoS traffic to several honeypots.
- Low-interaction honeypots: All services offered by a low-interaction honeypot are emulated.
- High-interaction honeypots (honeynets): High-interaction honeypots make use of the actual vulnerable service or software.
- KFSensor: KFSensor is a Windows-based honeypot IDS.
DoS/DDoS Countermeasures: Mitigate Attacks
- Load Balancing:
- Increase bandwidth on critical connections to absorb additional traffic generated by an attack.
- Replicate servers to provide additional failsafe protection.
- Balance the load on each server in a multiple-server architecture to mitigate a DDoS attack.
- In short: add bandwidth and backup servers.
- Throttling:
- Configure the routers in front of a server with logic that throttles incoming traffic to levels that are safe for the server.
- Throttling helps prevent damage to servers by controlling the DoS traffic.
- It can be extended to throttle DDoS attack traffic while allowing legitimate user traffic through, for better results.
- In short: limit the traffic rate.
- Drop Request:
- Drop packets when the load increases.
- In short: discard packets.
Post-Attack Forensics
- DDoS attack traffic patterns can help the network administrators to develop new filtering techniques for preventing the attack traffic from entering or leaving the networks.
- Analyze router, firewall, and IDS logs to identify the source of the DoS traffic. Try to trace back the attacker IPs with the help of intermediary ISPs and law enforcement agencies.
- Traffic pattern analysis: Data can be analyzed post-attack to look for specific characteristics within the attacking traffic.
- Using these characteristics, the result of traffic pattern analysis can be used to update the load-balancing and throttling countermeasures.
In short: analyze the attack pattern, then work out the fix.
Techniques to Defend against Botnets
- RFC 3704 Filtering: Any traffic coming from unused or reserved IP addresses is bogus and should be filtered at the ISP before it enters the Internet link.
- Cisco IPS Source IP Reputation Filtering: Reputation services help determine whether an IP or service is a source of threats. Cisco IPS regularly updates its database with known threats such as botnets, botnet harvesters and malware, and uses it to filter DoS traffic.
- Black Hole Filtering:
- A black hole is a network node where incoming traffic is discarded or dropped without informing the source that the data did not reach its intended recipient.
- Black hole filtering refers to discarding packets at the routing level.
- DDoS Prevention Offerings from ISP or DDoS Service: Enable IP Source Guard (on Cisco) or similar features on other routers to filter traffic based on the DHCP snooping binding database or IP source bindings, which prevents a bot from sending spoofed packets.
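The egress/ingress filtering checks from "Detect Potential Attacks" and the RFC 3704 bogon filtering above, combined in one added example that is not part of the original notes. The internal prefix 203.0.113.0/24, the bogon list (a subset of the reserved ranges) and the sample packet headers are all constructed assumptions for the example.

```python
# Added example (not from the original notes): ingress/egress source-address
# filtering plus an RFC 3704 style bogon check over constructed packet headers.
import ipaddress

INTERNAL = ipaddress.ip_network("203.0.113.0/24")  # assumed internal prefix

# Subset of reserved / non-routable ranges that should never be a source on the
# Internet link (private, loopback, link-local, multicast, class E).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def classify(direction, src):
    """Return ("permit" | "drop", reason) for one packet's source address.

    direction is "out" (leaving our network) or "in" (arriving from outside).
    Egress rule: anything leaving must carry an internal source, otherwise one
    of our hosts is spoofing. Ingress rules: an arriving packet must not claim
    an internal source, and must not come from a bogon range.
    """
    s = ipaddress.ip_address(src)
    if direction == "out":
        if s not in INTERNAL:
            return "drop", "egress: non-internal source (spoofed by our host)"
        return "permit", "egress: internal source"
    if direction == "in":
        if s in INTERNAL:
            return "drop", "ingress: external packet claims an internal source"
        for net in BOGONS:
            if s in net:
                return "drop", f"ingress: bogon source in {net} (RFC 3704)"
        return "permit", "ingress: routable external source"
    raise ValueError("direction must be 'in' or 'out'")


# Constructed sample headers: (direction, source address)
SAMPLE = [
    ("out", "203.0.113.10"),   # normal outbound packet
    ("out", "198.51.100.99"),  # internal host spoofing an outside source
    ("in", "203.0.113.77"),    # outside packet claiming our own prefix
    ("in", "10.4.4.4"),        # bogon (RFC 1918) source
    ("in", "198.51.100.5"),    # normal inbound packet
]


def filter_samples(records=SAMPLE):
    """Apply classify() to every record; returns [(src, verdict, reason), ...]."""
    return [(src, *classify(direction, src)) for direction, src in records]
```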
DoS/DDoS Countermeasures
- Use strong encryption mechanisms such as WPA2, AES 256, etc. for broadband networks to resist eavesdropping.
- Ensure that the software and protocols are up-to-date and scan the machines thoroughly to detect any anomalous behavior.
- Disable unused and insecure services.
- Block all inbound packets originating from the service ports to block the traffic from reflection servers.
- Update kernel to the latest release.
- Prevent the transmission of the fraudulently addressed packets at ISP level.
- Implement cognitive radios in the physical layer to handle the jamming and scrambling attacks.
- Configure the firewall to deny external ICMP traffic access.
- Perform thorough input validation.
- Prevent the use of unsafe functions such as gets() and strcpy().
- Secure remote administration and connectivity testing.
- Prevent attacker-supplied data from being executed.
- Prevent the return addresses from being overwritten.
DoS/DDoS Protection at ISP Level
- Most ISPs simply block all requests during a DDoS attack, denying even legitimate traffic access to the service.
- ISPs offer in-the-cloud DDoS protection for Internet links so that the links do not become saturated by the attack.
- Attack traffic is redirected to the ISP during the attack, where it is filtered and sent back.
- Administrators can ask the ISP to block the originally affected IP and move their site to another IP once DNS propagation is complete.
Enabling TCP Intercept on Cisco IOS Software
- To enable TCP intercept, use these commands in global configuration mode:
- Define an IP extended access list that matches the destinations to protect:
access-list access-list-number {deny | permit} tcp any destination destination-wildcard
- Enable TCP intercept for the connections matched by that list:
ip tcp intercept list access-list-number
- TCP intercept can operate in either active intercept mode or passive watch mode. The default is intercept mode.
- Set the TCP intercept mode, also in global configuration mode:
ip tcp intercept mode {intercept | watch}