Denial of Service


Sustained DoS: DDoSing the website to make it unavailable (DDoS)

Assessment and Documentation

Input: - URLs to test for DDoS - server IPs? (e.g. to test for a DNS-server-specific DDoS)

Start tcpdump (keep it running for all of the steps below)

Step 0: resolve the host name's NS (authoritative server), then query the authoritative server directly. Log the DNS response time.

Step 1: check that the server's IPID header field is monotonic (incrementing). If yes, the IPID heuristic can be used; otherwise not.

Step 2: HTTP GET the URL and log the response time. Follow redirects.

Step 3: throughput test, to the control server and to the potentially DDoS'ed server. In the lab ahead of time: fetch the page and upload its largest object to the control server. Then fetch that object from both the control server and the DDoS'ed server. Xput: control vs. DDoS'ed server.

Step 4: traceroute to the web server ⇒ traceroute hops + RTTs along the path

Step 5: traceroute to the authoritative nameserver ⇒ traceroute hops + RTTs

Outputs of Measurements (per URL)
- authoritative name server
- DNS response time (from the authoritative server)
- whether the IPID is incrementing
- HTTP server response time
- Xput: server + control
- traceroute to the web server
- traceroute to the authoritative DNS server
- tcpdump trace
- failures of the different tests

Data Analysis

Run: before, during and after, if we know about the event in advance; otherwise just during and after, on clients in multiple regions

Data Collection

DNS tests: - DNS response time: compare in-region vs. out-of-region clients, and during vs. after (or before) the event


Web server tests:
- Xput: compare during vs. after for decreased Xput; compare the control server against the DDoS'ed server to factor out client issues; compare in/out of region ⇒ if the same, potential DDoS
- Look for where in the traceroute paths the RTTs increase: is a common path segment being hit by the DDoSers?
- Look for increased response time during the attack: do clients in many regions see this? ⇒ potential DDoS


IPID: compare the jumps in IPID between non-attack time and attack time to see whether the server is sending more packets; if the server passes the monotonic test (Step 1), extract this from the tcpdump trace
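Step 1 (the monotonic test) and the IPID comparison just above, as an added worked example in Python; this is not code from the page. It assumes the plain-text form of `tcpdump -v` output, where each packet is an `IP (... id N ...)` header line followed by an indented `src.port > dst.port` line, and the trace, host addresses and time windows below are constructed for illustration. Caveat for practitioners: many current stacks randomize IPIDs or keep a counter per destination rather than one global counter, so the monotonic test will often fail, and when it fails the rate heuristic gives no signal at all (the code returns None rather than a number).

```python
import re
from typing import List, Optional, Tuple

# Constructed trace in tcpdump -v text form (not a real capture). The capturing
# client is 10.0.0.5; 93.184.216.34 is the web server under test and
# 198.51.100.7 the authoritative DNS server. Two windows: a quiet baseline
# around 12:00 and a suspected attack around 12:10.
SAMPLE_TRACE = """\
12:00:00.000000 IP (tos 0x0, ttl 57, id 1000, offset 0, flags [DF], proto TCP (6), length 52)
    93.184.216.34.80 > 10.0.0.5.51234: Flags [S.], seq 0, ack 1, win 65535, length 0
12:00:00.000100 IP (tos 0x0, ttl 64, id 777, offset 0, flags [DF], proto TCP (6), length 40)
    10.0.0.5.51234 > 93.184.216.34.80: Flags [.], ack 1, win 1024, length 0
12:00:00.500000 IP (tos 0x0, ttl 50, id 4000, offset 0, flags [none], proto UDP (17), length 73)
    198.51.100.7.53 > 10.0.0.5.40001: 1234 1/0/0 A 93.184.216.34 (45)
12:00:01.000000 IP (tos 0x0, ttl 57, id 1100, offset 0, flags [DF], proto TCP (6), length 64)
    93.184.216.34.80 > 10.0.0.5.51234: Flags [P.], seq 1:13, ack 1, win 65535, length 12
12:00:01.500000 IP (tos 0x0, ttl 50, id 3999, offset 0, flags [none], proto UDP (17), length 73)
    198.51.100.7.53 > 10.0.0.5.40002: 1235 1/0/0 A 93.184.216.34 (45)
12:00:02.000000 IP (tos 0x0, ttl 57, id 1200, offset 0, flags [DF], proto TCP (6), length 52)
    93.184.216.34.80 > 10.0.0.5.51234: Flags [F.], seq 13, ack 1, win 65535, length 0
12:10:00.000000 IP (tos 0x0, ttl 57, id 65000, offset 0, flags [DF], proto TCP (6), length 52)
    93.184.216.34.80 > 10.0.0.5.51300: Flags [S.], seq 0, ack 1, win 65535, length 0
12:10:01.000000 IP (tos 0x0, ttl 57, id 5000, offset 0, flags [DF], proto TCP (6), length 64)
    93.184.216.34.80 > 10.0.0.5.51300: Flags [P.], seq 1:13, ack 1, win 65535, length 12
12:10:02.000000 IP (tos 0x0, ttl 57, id 15536, offset 0, flags [DF], proto TCP (6), length 52)
    93.184.216.34.80 > 10.0.0.5.51300: Flags [F.], seq 13, ack 1, win 65535, length 0
"""

WEB = "93.184.216.34"          # assumed server under test
DNS = "198.51.100.7"           # assumed authoritative name server
BASELINE = (43200.0, 43203.0)  # 12:00:00 .. 12:00:03, seconds since midnight
ATTACK = (43800.0, 43803.0)    # 12:10:00 .. 12:10:03

HDR = re.compile(r"^(\d{2}):(\d{2}):(\d{2}\.\d+) IP \(.*?\bid (\d+),")
ADDR = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)\.\d+ > ")

Packet = Tuple[float, str, int]  # (seconds since midnight, source IP, IPID)


def parse_tcpdump_v(text: str) -> List[Packet]:
    """Pull (time, src, ipid) out of tcpdump -v output: an 'IP (... id N ...)'
    header line, then an indented 'src.port > dst.port' line for the same packet."""
    packets: List[Packet] = []
    pending: Optional[Tuple[float, int]] = None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            t = int(m.group(1)) * 3600 + int(m.group(2)) * 60 + float(m.group(3))
            pending = (t, int(m.group(4)))
            continue
        m = ADDR.match(line)
        if m and pending is not None:
            packets.append((pending[0], m.group(1), pending[1]))
            pending = None
    return packets


def ipid_delta(a: int, b: int, bits: int = 16) -> int:
    """Forward distance from a to b on the IPID counter, modulo 2^bits."""
    return (b - a) % (1 << bits)


def is_monotonic(ipids: List[int], bits: int = 16) -> bool:
    """Step 1 test: every consecutive IPID moves forward by a positive amount
    smaller than half the counter space (so a wraparound still counts as forward).
    Zero, repeated or random IPIDs fail, and the heuristic is then unusable."""
    half = 1 << (bits - 1)
    return len(ipids) >= 2 and all(
        0 < ipid_delta(a, b, bits) < half for a, b in zip(ipids, ipids[1:]))


def ipid_rate(packets: List[Packet], src: str, t_start: float, t_end: float) -> Optional[float]:
    """Packets per second the host emitted (to every destination, not just us)
    during the window: total IPID advance over the packets we saw, divided by the
    elapsed time. None if the host fails the monotonic test or we saw < 2 packets."""
    seq = sorted(p for p in packets if p[1] == src and t_start <= p[0] <= t_end)
    ids = [p[2] for p in seq]
    if not is_monotonic(ids):
        return None
    elapsed = seq[-1][0] - seq[0][0]
    if elapsed <= 0:
        return None
    advance = sum(ipid_delta(a, b) for a, b in zip(ids, ids[1:]))
    return advance / elapsed


def surge_ratio(packets: List[Packet], src: str,
                baseline: Tuple[float, float], attack: Tuple[float, float]) -> Optional[float]:
    """How many times more packets per second the host sent in the attack window
    than in the baseline window; None when either window gives no usable rate."""
    base = ipid_rate(packets, src, *baseline)
    atk = ipid_rate(packets, src, *attack)
    if base is None or base == 0 or atk is None:
        return None
    return atk / base


if __name__ == "__main__":
    pkts = parse_tcpdump_v(SAMPLE_TRACE)
    print("web server surge ratio:", surge_ratio(pkts, WEB, BASELINE, ATTACK))
    print("DNS server rate (random IPIDs):", ipid_rate(pkts, DNS, *BASELINE))
```

In the constructed trace the web server's counter advances 200 in the 2 s baseline window and 16072 (one wraparound included) in the 2 s attack window, so it is pushing roughly 80 times as many packets, which is the signal the IPID comparison is after; the DNS server's IDs go 4000, 3999 and are rejected by Step 1.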


Non-responsive server: tests fail in all regions ⇒ need to factor out server failure (from the client side, a plain outage looks the same as a complete DoS)
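The web-server rules (compare during vs. before, factor out client issues with the control server, compare in/out of region) and the non-responsive-server rule above, turned into one decision procedure as an added example in Python. This is not code from the page; the region names, the before/during samples and the 50% loss threshold are constructed for illustration, and "potential DDoS" here means at least two regions, including at least one out-of-region client, lost more than the threshold to the target while their control fetches stayed healthy.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Sample:
    """One client's throughput measurements of the target from one region in one window."""
    region: str
    in_region: bool                # client sits in the same region as the target server
    target_xput: Optional[float]   # bytes/s fetching the large object from the target; None = fetch failed
    control_xput: Optional[float]  # bytes/s fetching the same object from the control server


POTENTIAL_DDOS = "potential DDoS: target degraded from several regions while the control server stayed fine"
SERVER_DOWN = "target unreachable from every region: server failure cannot be told apart from DoS on the client side"
REGIONAL = "only in-region clients degraded: a regional path problem is more likely than a DDoS"
NO_EVIDENCE = "no consistent degradation of the target"


def loss(before: Optional[float], during: Optional[float]) -> Optional[float]:
    """Fraction of throughput lost between the two windows. A fetch that worked
    before but fails during counts as total loss; anything unmeasurable is None."""
    if before is None or before <= 0:
        return None
    if during is None:
        return 1.0
    return max(0.0, 1.0 - during / before)


def classify(before: Dict[str, Sample], during: Dict[str, Sample],
             threshold: float = 0.5, min_regions: int = 2) -> dict:
    regions = [r for r in during if r in before]
    # Non-responsive server: failure everywhere is not attributable from outside.
    if regions and all(during[r].target_xput is None for r in regions):
        return {"verdict": SERVER_DOWN, "degraded": regions, "client_issue": []}
    degraded: List[str] = []
    client_issue: List[str] = []
    for r in regions:
        b, d = before[r], during[r]
        # Factor out client problems: if the control server also slowed down from
        # this vantage point, the client's own connectivity is suspect, not the target.
        ctl = loss(b.control_xput, d.control_xput)
        if ctl is not None and ctl > threshold:
            client_issue.append(r)
            continue
        tgt = loss(b.target_xput, d.target_xput)
        if tgt is not None and tgt > threshold:
            degraded.append(r)
    out_of_region = [r for r in degraded if not during[r].in_region]
    if len(degraded) >= min_regions and out_of_region:
        verdict = POTENTIAL_DDOS
    elif degraded and not out_of_region:
        verdict = REGIONAL
    else:
        verdict = NO_EVIDENCE
    return {"verdict": verdict, "degraded": degraded, "client_issue": client_issue}


# Constructed samples (bytes/s); the target is hosted in us-east.
BEFORE = {
    "us-east": Sample("us-east", True, 5e6, 5e6),
    "eu-west": Sample("eu-west", False, 4e6, 4e6),
    "ap-south": Sample("ap-south", False, 3e6, 3e6),
    "sa-east": Sample("sa-east", False, 2e6, 2e6),
}
DURING = {
    "us-east": Sample("us-east", True, 1e6, 4.9e6),
    "eu-west": Sample("eu-west", False, 0.5e6, 3.9e6),
    "ap-south": Sample("ap-south", False, 2.9e6, 0.6e6),  # control also slow: client issue
    "sa-east": Sample("sa-east", False, None, 2.0e6),     # fetch from the target failed
}
# Same clients, but the target answers nobody: looks like an outage, not a DDoS.
DURING_DOWN = {r: Sample(s.region, s.in_region, None, s.control_xput) for r, s in DURING.items()}
# Only the in-region client suffers: path problem near the target, not a DDoS.
DURING_REGIONAL = {
    "us-east": Sample("us-east", True, 1e6, 4.9e6),
    "eu-west": Sample("eu-west", False, 3.9e6, 4e6),
    "ap-south": Sample("ap-south", False, 3e6, 3e6),
    "sa-east": Sample("sa-east", False, 2e6, 2e6),
}

if __name__ == "__main__":
    for name, d in (("during", DURING), ("down", DURING_DOWN), ("regional", DURING_REGIONAL)):
        print(name, classify(BEFORE, d))
```

The ap-south client is dropped from the tally because its control fetch collapsed too, which is exactly the "factor out client issues" step; without the control server that region would have counted as evidence against the target.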

Confounding factors: caching, outages

DDoS Detection
- News reports: where do we get data on instances of DDoS for these reports?
- How do we detect DDoS from clients? Say we have a site we expect to be DDoS'ed, what then?
  - Correlation of reachability across regions; complications are caused by cloud hosting and CDNs
  - Maybe traffic would be slower: look at lower throughput, response time (RTT), bandwidth variability, time between SYN and SYN/ACK
  - Look at the percentage of completed responses over time
  - TCP sequence number over time plot, correlated across users accessing the site
  - Look at the IPID number (a packet surge shows up as larger jumps)
  - Traceroutes to find the congested hop
- What type of DDoS could we detect?
  - Flood of the DNS server: no response, or slow response time
  - Flood of the web server: slow responses or no responses
  - Radio jamming
- How do we differentiate bandwidth availability, or natural resource issues, from DDoS?
- What if we have access to the server? Then we can use existing DDoS detection and fingerprinting techniques.