One example of a bot that has DDoS features is the Agobot and its over 500 derivations (source code under GPL) which has been around since the early 2000s. One way to see how sophisticated DDoS can be is by looking at common botnet configuration options that can perform DDoS attacks. Known Bots with DDoS options Agobot, SDBot, UrxBotĭdos.httpflood 4One fear that many people have about DDoS attacks is how sophisticated the attacks can be. SANS Technology Institute - Candidate for Master of Science Degree4Fear of the Attack IntelligenceBot DDoS optionsSYN/ICMP Floods, Frag Attacks, invalid header valuesApplication DDoS HTTP recursive attacks However, this data is the only publicly known data the author was able to find that can be used to analyze existing DDoS trends and patterns. This data could be skewed to favor Arbor Network DDoS mitigation products. It is important to consider this data a small subset of the total population. The website has an interesting ongoing list of federal prosecution efforts against DDoS attacks.Note: The diagram is using data taken from the Arbor network surveyed companies. Some companies that are attacked dont typically like to publicize they were attacked (unless successfully mitigated).Honeynet project did some monitoring in 2004 regarding 226 DDoS-attacks against 99 unique targets by making guestimates about the number of certain IRC commands with an IRC network. Unfortunately there are not many good sources of DDoS attack data. The above diagram shows that nearly 50% of all bot activity during 2009 was related to DDoS Attacks taken from companies that participated in Arbor Networks Survey. The nature of DDoS attacks requires a massive distributed attack that would require an organized command and control architecture that is commonly orchestrated with bot/zombie networks. By looking at DDoS trends we can understand what type of DDoS attacks are common and intelligibly forecast what the future DDoS attacks may look like. After the presentation well open up to any audience questions or commentsSANS Technology Institute - Candidate for Master of Science Degree3DDoS TrendsĪrbor Networks World Wide Infrastructure Security Report 20093Before looking at the specific configuration options we need to deconstruct what the DDoS attacks are. Well conclude by looking at how future attacks may evolve and how effective LB/ADC devices will be against these attacks. This presentation will also cover common DDoS trends and real world attacks in order to understand how effective some of these configuration options may be. Well cover some options that were never intended to fight against DDoS attacks, such as some of the Layer 7 switching features, that can be used even on older Load Balancing hardware. This presentation will give an overview of different configuration options, found among common Load Balancer/ADC vendor appliances, to help fight against DDoS attacks. In fact, some common load balancing features have unintended benefits that can help fight against DDoS attacks. Many people forget that the load balancing hardware that typically lives in between the edge routers and end servers may have features that can help fight against a DDoS attack. This started me thinking about what other features and how other LB vendors could help in mitigating a DDoS attack.SANS Technology Institute - Candidate for Master of Science Degree2ObjectiveDDoS TrendsCommon Mitigating MethodsLoad Balancing/ADC FeaturesConclusionQuestions/Comments2Many DDoS mitigation techniques traditionally focus on either getting help from the upstream ISP or reconfiguring the end servers that are getting attacked. I stumbled upon features some of the load balancer hardware had out of necessity to stop an attack.
The idea for this research topic came about after looking at past DDoS attacks that I have helped mitigate over the past few years.
Started working with Load Balancing hardware in in 2000 while working for AT&T Datacenter Hosting Services, helping develop networking services. Spent the last 10 years as a network engineer working with ISP and Datacenter networks primarily focusing on routing, switching, firewall/IDS system, and of course Load Balancing hardware. Currently a Network Engineer for Live Nation Entertainment (Ticketmaster). SANS Technology Institute - Candidate for Master of Science Degree1Leveraging the Load Balancer to Fight DDoSBrough DavisSeptember 2010GIAC GCIA, GPEN, GCIH, GCFW, GSEC#1Introduction.
0 kommentar(er)
