9.6 Countermeasures

Detection Techniques

  • Detection techniques are based on identifying and discriminating the illegitimate traffic increase and flash events from legitimate packet traffic.
  • All detection techniques define an attack as an abnormal and noticeable deviation from a threshold of normal network traffic statistics.
  1. Activity Profiling
  2. Wavelet-based Signal Analysis
  3. Changepoint Detection

Activity Profiling

  • An attack is indicated by:
    • An increase in activity levels among the network flow clusters.
    • An increase in the overall number of distinct clusters (DDoS attack)
  • Activity profile is done based on the average packet rate for a network flow, which consists of consecutive packets with similar packet fields.
  • Activity profile is obtained by monitoring the network packet's header information.

Activity Profiling monitors a network packet's header information, calculates the average packet rate for a network flow.

Wavelet-based Signal Analysis

  • Wavelet analysis describes an input signal in terms of spectral components.
  • Wavelets provide for concurrent time and frequency description.
  • Analyzing each spectral window's energy determines the presence of anomalies.
  • Signal analysis determines the time at which certain frequency components are present.

Sequential Change-Point Detection

  • Isolate Traffic: Change-point detection algorithms isolate changes in network traffic statistics caused by attacks.
  • Filter Traffic: The algorithms filter the target traffic data by address, port, or protocol and store the resultant flow as a time series.
  • Identify Attack: Sequential change-point detection technique uses Cumulative Sum (Cusum) algorithm to identify and locate the DoS attacks; the algorithm calculates deviations in the actual versus expected local average in the traffic time series.
  • Identify Scan Activity: This technique can also be used to identify the typical scanning activities of the network worms.

DoS/DDoS Countermeasure Strategies

  • Absorbing the Attack:
    • Use additional capacity to absorb attack; it requires preplanning.
    • It requires additional resources.
  • Degrading Services:
    • Identify critical services and stop non critical services.
  • Shutting Down the Services:
    • Shut down all the services until the attack has subsided.

DDoS Attack Countermeasures

  • Protect Secondary Victims
  • Neutralize Handlers
  • Prevent Potential Attacks
  • Deflect Attacks
  • Mitigate Attacks
  • Post-attack Forensics

DoS/DDoS Attack Countermeasures: Protect Secondary Victims

  • Install anti-virus and anti-Trojan software and keep these up-to-date.
  • Increase awareness of security issues and prevention techniques in all Internet users.
  • Disable unnecessary services, uninstall unused applications, and scan all the files received from external sources.
  • Properly configure and regularly update the built-in defensive mechanisms in the core hardware and software of the system.

DoS/DDoS Attack Countermeasures: Detect and Neutralize Handlers

  • Network Traffic Analysis: Analyze communication protocols and traffic patterns between handlers and clients or handlers and agent in order to identify the network nodes that might be infected by the handlers.
  • Neutralize Botnet Handlers: There are usually few DDoS handlers deployed as compared to the number of agents. Neutralizing a few handlers can possibly render multiple agents useless, thus thwarting DDoS attacks.
  • Spoofed Source Address: There is a decent probability that the spoofed source address of DDoS attack packets will not represent a valid source address of the definite sub-network.

DoS/DDoS Countermeasures: Detect Potential Attacks

  • Egress Filtering:
    • Scanning the packet headers of IP packets leaving a network.
    • Egress filtering ensures that unauthorized or malicious traffic never leaves the internal network.
  • Ingress Filtering:
    • Protects from flooding attacks which originate from the valid prefixes (IP address)
    • It enables the originator to be traced to its true source.
  • TCP Intercept:
    • Configuring TCP Intercept prevents DoS attacks by intercepting and validating the TCP connection requests.

DoS/DDoS Countermeasures: Deflect Attacks

  • Systems that are set up with limited security, also known as Honeypots, act as an enticement for an attacker.
  • Honeypots serve as a means for gaining information about attackers, attack techniques and tools by storing a record of the system activities.
  • Use defense-in-depth approach with IPSes at different network points to divert suspicious DoS traffic to several honeypots.
  • Low-interaction honeypots: All services offered by a Low Interaction Honeypots are emulated.
  • High-interaction honeypots: (honeynet) High Interaction Honeypots make use of the actual vulnerable service or software.
  • KFSensor: KFSensor is a Windows-based honeypot IDS.

DoS/DDoS Countermeasures: Mitigate Attacks

  • Load Balancing:
    • Increase bandwidth on critical connections to absorb additional traffic generated by an attack.
    • Replicate servers to provide additional failsafe protection.
    • Balance load on each server in a multiple-server architecture to mitigates DDoS attack.
      • 增加頻寬、備份
  • Throttling:
    • Set routers to access a server with a logic to throttle incoming traffic levels that are safe for the server.
    • Throttling helps in preventing damage to servers by controlling the DoS traffic.
    • Can be extended to throttle DDoS attack traffic and allow legitimate user traffic for better results.
      • 限制流量
  • Drop Request:
    • Drop packets when a load increases.
      • 丟棄封包

Post-Attack Forensics

  • DDoS attack traffic patterns can help the network administrators to develop new filtering techniques for preventing the attack traffic from entering or leaving the networks.
  • Analyze router, firewall, and IDS logs to identify the source of the DoS traffic. Try to trace back attacker IP's with the help of intermediary ISPs and law enforcement agencies.
  • Traffic pattern analysis: Data can be analyzed - post-attack - to look for specific characteristics within the attacking traffic.
  • Using these characteristics, the result of traffic pattern analysis can be used for updating load-balancing and throttling countermeasures.


Techniques to Defend against Botnets

  • RFC 3704 Filtering: Any traffic coming from unused or reserved IP addresses is bogus and should be filtered at the ISP before it enters the Internet link.
  • Cisco IPS Source IP Reputation Filtering: Reputation services help in determining if an IP or service is a source of threat or not, Cisco IPS regularly updates its database with known threats such as botnets, botnet harvesters, malwares, etc. and helps in filtering DoS traffic.
  • Black Hole Filtering:
    • Black hole refers to network nodes where incoming traffic is discarded or dropped without informing the source that the data did not reach it intended recipient.
    • Black hole filtering refers to discarding packets at the routing level.
  • DDoS Prevention Offerings from ISP or DDoS Service: Enable IP Source Guard (in CISCO) or similar features in other routers to filter traffic based on the DHCP snooping binding database or IP source bindings which prevents a bot to send spoofed packets.

DoS/DDoS Countermeasures

  • Use strong encryption mechanisms such as WPA2, AES 256, etc. for broadband networks to withstand against eavesdropping.
  • Ensure that the software and protocols are up-to-date and scan the machines thoroughly to detect any anomalous behavior.
  • Disable unused and insecure services.
  • Block all inbound packets originating from the service ports to block the traffic from reflection servers.
  • Update kernel to the latest release.
  • Prevent the transmission of the fraudulently addressed packets at ISP level.
  • Implement cognitive radios in the physical layer to handle the jamming and scrambling attacks.
  • Configure the firewall to deny external ICMP traffic access.
  • Perform the thorough input validation.
  • Prevent use of unnecessary functions such as gets, strcpy etc.
  • Secure the remote administration and connectivity testing.
  • Data processed by the attacker should be stopped from being executed.
  • Prevent the return addresses from being overwritten.

DoS/DDoS Protection at ISP Level

  • Most ISPs simply blocks all the requests during a DDoS attack, denying even the legitimate traffic from accessing the service.
  • ISPs offer in-the-cloud DDoS protection for Internet links so that they do not become saturated by the attack.
  • Attack traffic is redirected to the ISP during the attack to be filtered and sent back.
  • Administrators can request ISPs to block the original affected IP and move their site to another IP after performing DNS propagation.

Enabling TCP Intercept on Cisco IOS Software

  • To enable TCP intercept, use these commands in global configuration mode:
    • Define an IP extended access list: access-list access-list {deny | permit} tcp any destination destination-wildcard
    • Enable TCP Intercept: ip tcp Intercept list access-list-number
  • TCP intercept can operate in either active intercept mode or passive watch mode. The default is intercept mode.
  • The command to set the TCP intercept mode in global configuration mode:
    • Set the TCP intercept mode: ip tcp intercept mode {intercept | watch}

Advanced DDoS Protection Appliances

results matching ""

    No results matching ""