Contents

Foreword

Acknowledgments

About the Authors

1 Introduction

1.1 DoS and DDoS

1.2 Why Should We Care?

1.3 What Is This Book?

1.4 Who Is This Book For?

1.5 What Can This Book Help You Do?

1.6 Outline of the Remaining Chapters

2 Understanding Denial of Service

2.1 The Ulterior Motive

2.2 Meet the Attackers

2.3 Behind the Scenes

2.3.1 Recruiting and Controlling Attacking Machines

2.3.2 Hiding

2.3.3 Misusing Legitimate Services

2.4 Distribution Effects

2.5 DDoS: Hype or Reality?

2.5.1 How Common Are DDoS Attacks?

2.5.2 The Magnitude of DDoS Attacks

2.6 How Vulnerable Are You to DDoS?

3 History of DoS and DDoS

3.1 Motivation

3.2 Design Principles of the Internet

3.2.1 Packet-Switched Networks

3.2.2 Best-Effort Service Model and End-to-End Paradigm

3.2.3 Internet Evolution

3.2.4 Internet Management

3.3 DoS and DDoS Evolution

3.3.1 History of Network-Based Denial of Service

4 How Attacks Are Waged

4.1 Recruitment of the Agent Network

4.1.1 Finding Vulnerable Machines

4.1.2 Breaking into Vulnerable Machines

4.1.3 Malware Propagation Methods

4.2 Controlling the DDoS Agent Network

4.2.1 Direct Commands

4.2.2 Indirect Commands

4.2.3 Malware Update

4.2.4 Unwitting Agent Scenario

4.2.5 Attack Phase

4.3 Semantic Levels of DDoS Attacks

4.3.1 Exploiting a Vulnerability

4.3.2 Attacking a Protocol

4.3.3 Attacking Middleware

4.3.4 Attacking an Application

4.3.5 Attacking a Resource

4.3.6 Pure Flooding

4.4 Attack Toolkits

4.4.1 Some Popular DDoS Programs

4.4.2 Blended Threat Toolkits

4.4.3 Implications

4.5 What Is IP Spoofing?

4.5.1 Why Is IP Spoofing Defense Challenging?

4.5.2 Why DDoS Attacks Use IP Spoofing

4.5.3 Spoofing Is Irrelevant at 10,000+ Hosts

4.6 DDoS Attack Trends

5 An Overview of DDoS Defenses

5.1 Why DDoS Is a Hard Problem

5.2 DDoS Defense Challenges

5.2.1 Technical Challenges

5.2.2 Social Challenges

5.3 Prevention versus Protection and Reaction

5.3.1 Preventive Measures

5.3.2 Reactive Measures

5.4 DDoS Defense Goals

5.5 DDoS Defense Locations

5.5.1 Near the Target

5.5.2 Near the Attacker

5.5.3 In the Middle

5.5.4 Multiple Deployment Locations

5.6 Defense Approaches

5.6.1 Protection

5.6.2 Attack Detection

5.6.3 Attack Response

6 Detailed Defense Approaches

6.1 Thinking about Defenses

6.2 General Strategy for DDoS Defense

6.3 Preparing to Handle a DDoS Attack

6.3.1 Understanding Your Network

6.3.2 Securing End Hosts on Your Network

6.3.3 Fortifying Your Network

6.3.4 Preparing to Respond to the Attack

6.4 Handling an Ongoing DDoS Attack as a Target

6.5 Handling an Ongoing DDoS Attack as a Source

6.6 Agreements/Understandings with Your ISP

6.7 Analyzing DDoS Tools

6.7.1 Historical DDoS Analyses

6.7.2 Full Disclosure versus Nondisclosure

6.7.3 How to Analyze Malware Artifacts

7 Survey of Research Defense Approaches

7.1 Pushback

7.2 Traceback

7.3 D-WARD

7.4 NetBouncer

7.5 Secure Overlay Services (SOS)

7.6 Proof of Work

7.7 DefCOM

7.8 COSSACK

7.9 Pi

7.10 SIFF: An End-Host Capability Mechanism to Mitigate DDoS Flooding Attacks

7.11 Hop-Count Filtering (HCF)

7.12 Locality and Entropy Principles

7.12.1 Locality

7.12.2 Entropy

7.13 An Empirical Analysis of Target-Resident DoS Filters

7.14 Research Prognosis

7.14.1 Slowing Innovation

7.14.2 Several Promising Approaches

7.14.3 Difficult Deployment Challenges

8 Legal Issues

8.1 Basics of the U.S. Legal System

8.2 Laws That May Apply to DDoS Attacks

8.3 Who Are the Victims of DDoS?

8.4 How Often Is Legal Assistance Sought in DDoS Cases?

8.5 Initiating Legal Proceedings as a Victim of DDoS

8.5.1 Civil Proceedings

8.5.2 Criminal Proceedings

8.6 Evidence Collection and Incident Response Procedures

8.7 Estimating Damages

8.7.1 A Cost-Estimation Model

8.8 Jurisdictional Issues

8.9 Domestic Legal Issues

8.10 International Legal Issues

8.11 Self-Help Options

8.12 A Few Words on Ethics

8.13 Current Trends in International Cyber Law

9 Conclusions

9.1 Prognosis for DDoS

9.1.1 Increase in Size

9.1.2 Increase in Sophistication

9.1.3 Increases in Semantic DDoS Attacks

9.1.4 Infrastructure Attacks

9.1.5 Degradation of Service

9.1.6 Motivations for Attacks

9.1.7 Overall Prognosis

9.2 Social, Moral, and Legal Issues

9.3 Resources for Learning More

9.3.1 Web Sites

9.3.2 Mailing Lists

9.3.3 Conferences and Workshops

9.3.4 Magazines and Journals

9.4 Conclusion

Appendix A: Glossary

Appendix B: Survey of Commercial Defense Approaches

B.1 Mazu Enforcer by Mazu Networks

B.2 Peakflow by Arbor Networks

B.3 WS Series Appliances by Webscreen Technologies

B.4 Captus IPS by Captus Networks

B.5 MANAnet Shield by CS3

B.6 Cisco Traffic Anomaly Detector XT and Cisco Guard XT

B.7 StealthWatch by Lancope

B.8 Summary

Appendix C: DDoS Data

C.1 2004 CSI/FBI Computer Crime and Security Survey

C.2 Inferring Internet Denial-of-Service Activity

C.3 A Framework for Classifying Denial-of-Service Attacks

C.4 Observations and Experiences Tracking Denial-of-Service Attacks across a Regional ISP

C.5 Report on the DDoS Attack on the DNS Root Servers

C.6 Conclusion

References

Index
