Source Router Approach to DDoS Defense
Jelena Mirković and Peter Reiher, UCLA
USENIX Work-In Progress Session, Washington DC, 08/17/2001
{sunshine, reiher}@cs.ucla.edu


Approach Overview

- Goal: Prevent our site from participating in a DDoS attack
- Monitor incoming and outgoing traffic, looking for signs that some destination is in trouble
- Reduce traffic to that destination
- Separate attacking from normal flows
- Shut down attacking machines

[Figure, slides 3-7: network diagram titled "Approach Overview" with nodes labelled A through J]


Related Work - MULTOPS

Yes, it is similar to MULTOPS, but:

- It is located on source side only
- Traffic models do not rely only on packet ratio
- Discovery of attacking machines
- Can be pushed further in the network
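The monitoring and flow-separation steps from the overview, sketched as an added example that is not the authors' code. It assumes "packet ratio" means packets sent to a remote address per packet received from it; the address prefix, thresholds and sample traffic are constructed for illustration.

```python
from collections import defaultdict

# Assumed values for illustration; the slides give no thresholds.
LOCAL_PREFIX = "10.0."   # hypothetical address range of the monitored site
MAX_RATIO = 3.0          # packets sent per packet received that we tolerate
MIN_SENT = 20            # below this there is too little traffic to judge

def flow_counts(packets):
    """Return {(local_host, remote): [sent, received]} for border-crossing packets."""
    counts = defaultdict(lambda: [0, 0])
    for src, dst in packets:
        src_local = src.startswith(LOCAL_PREFIX)
        dst_local = dst.startswith(LOCAL_PREFIX)
        if src_local and not dst_local:
            counts[(src, dst)][0] += 1      # outgoing packet
        elif dst_local and not src_local:
            counts[(dst, src)][1] += 1      # incoming packet
    return counts

def ratio(sent, received):
    # Count "no replies at all" as one reply to avoid dividing by zero.
    return sent / max(received, 1)

def destinations_in_trouble(packets):
    """Aggregate over all local hosts; flag remotes sent far more than they answer."""
    totals = defaultdict(lambda: [0, 0])
    for (_, remote), (sent, received) in flow_counts(packets).items():
        totals[remote][0] += sent
        totals[remote][1] += received
    return {r: ratio(s, v) for r, (s, v) in totals.items()
            if s >= MIN_SENT and ratio(s, v) > MAX_RATIO}

def attacking_hosts(packets, remote):
    """Split the traffic to one flagged remote by local host."""
    return sorted(h for (h, r), (s, v) in flow_counts(packets).items()
                  if r == remote and s >= MIN_SENT and ratio(s, v) > MAX_RATIO)

# Constructed sample: an FTP client and a flooding host talk to the same server.
VICTIM, OTHER = "192.0.2.10", "198.51.100.7"
SAMPLE = ([("10.0.0.5", VICTIM), (VICTIM, "10.0.0.5")] * 40             # FTP, two-way
          + [("10.0.0.9", VICTIM)] * 400 + [(VICTIM, "10.0.0.9")] * 2   # flood
          + [("10.0.0.5", OTHER), (OTHER, "10.0.0.5")] * 30)            # unrelated

if __name__ == "__main__":
    for remote, r in destinations_in_trouble(SAMPLE).items():
        print(remote, round(r, 1), attacking_hosts(SAMPLE, remote))
```

A ratio test alone also flags legitimate one-way traffic such as multicast, and misreads flows whose replies return over a different route, which is why the slides say the traffic models do not rely only on packet ratio.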

[Figure, slide 9: Stable Packet Ratio in Mixed Traffic; axes: time, packet ratio]
[Figure, slide 10: Stable Packet Ratio in TCP Traffic; axes: time, packet ratio]
[Figure, slides 11-12: Stable Packet Ratio in UDP Traffic; axes: time, packet ratio]
[Figure, slide 13: Variable Packet Ratio in Mixed Traffic; axes: time, packet ratio]
[Figure, slide 14: Variable Packet Ratio in Attack Traffic; axes: time, packet ratio; curves labelled DDoS + FTP, FTP, DDoS]


Challenges

- Router performance.
- Why would ISP implement this?
- False positives.
- Multicast traffic is usually unidirectional.
- Asymmetric routes.
- Throttling and TCP congestion control mechanism.
- Traffic patterns in the Internet change drastically over time.


For More Info...

http://fmg-www.cs.ucla.edu/ddos