
Botz-4-Sale: Surviving Organized DDoS Attacks That Mimic Flash Crowds

A nice paper on Botnets that attempts to defeat some of their firepower and purpose. I spent much of my available time on Monday looking at a new bot, and it had all sorts of functionality: CD key theft, spam, DDoS of various sorts, proxying, etc. I don't think that you can simply defeat the DDoS element and call it over with. One of the DDoS mechanisms was to repeat the same URL POST pattern repeatedly, and that's very easy to spot, trace back, and block at the ingress edge. No need to use something like this below, but this paper is still worth a read.
Recent denial of service attacks are mounted by professionals using Botnets of tens of thousands of compromised machines. To circumvent detection, attackers are increasingly moving away from bandwidth floods to attacks that mimic the Web browsing behavior of a large number of clients, and target expensive higher-layer resources such as CPU, database and disk bandwidth. The resulting attacks are hard to defend against using standard techniques, as the malicious requests differ from the legitimate ones in intent but not in content.

We present the design and implementation of Kill-Bots, a kernel extension to protect Web servers against DDoS attacks that masquerade as flash crowds. Kill-Bots provides authentication using graphical tests but is different from other systems that use graphical tests. First, Kill-Bots uses an intermediate stage to identify the IP addresses that ignore the test, and persistently bombard the server with requests despite repeated failures at solving the tests. These machines are bots because their intent is to congest the server. Once these machines are identified, Kill-Bots blocks their requests, turns the graphical tests off, and allows access to legitimate users who are unable or unwilling to solve graphical tests. Second, Kill-Bots sends a test and checks the client's answer without allowing unauthenticated clients access to sockets, TCBs, and worker processes. Thus, it protects the authentication mechanism from being DDoSed. Third, Kill-Bots combines authentication with admission control. As a result, it improves performance, regardless of whether the server overload is caused by DDoS or a true Flash Crowd.

Source: Botz-4-Sale: Surviving Organized DDoS Attacks That Mimic Flash Crowds, Srikanth Kandula, Dina Katabi, Matthias Jacob, Arthur Berger.
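As an added illustration, not code from the paper or from this post, the following Python models the two-stage behaviour the abstract describes: in stage one every unauthenticated request gets a graphical test, an IP that keeps returning after repeatedly ignoring or failing the test is classified as a bot and blocked, and once the blocked set stops growing the tests are switched off so that users who cannot solve them are served while the bots stay blocked. Thresholds, IP addresses and traffic are constructed for the demonstration; the paper's admission-control component is not modelled here.

```python
from collections import defaultdict


class KillBotsFilter:
    def __init__(self, max_failures=5, min_quiet_rounds=2):
        self.max_failures = max_failures          # unsolved tests before an IP counts as a bot
        self.min_quiet_rounds = min_quiet_rounds  # rounds with no new bots before tests go off
        self.failures = defaultdict(int)          # unsolved tests seen per IP
        self.blocked = set()                      # IPs classified as bots
        self.tests_enabled = True                 # stage 1 while True, stage 2 once False
        self.quiet_rounds = 0
        self.new_blocks = 0

    def handle(self, ip, solved_test):
        """Decide one request: 'blocked', 'serve' or 'challenge' (send a test)."""
        if ip in self.blocked:
            return "blocked"
        if not self.tests_enabled or solved_test:
            return "serve"
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_failures:  # keeps coming back despite failing
            self.blocked.add(ip)
            self.new_blocks += 1
            return "blocked"
        return "challenge"

    def end_round(self):
        """Once per interval: when no new bots appeared for a while, turn tests off."""
        self.quiet_rounds = 0 if self.new_blocks else self.quiet_rounds + 1
        self.new_blocks = 0
        if self.quiet_rounds >= self.min_quiet_rounds:
            self.tests_enabled = False


def simulate(rounds, max_failures=5, min_quiet_rounds=2):
    """Run rounds of (ip, solved_test) requests; return (filter, outcome counts)."""
    flt = KillBotsFilter(max_failures, min_quiet_rounds)
    counts = {"serve": 0, "challenge": 0, "blocked": 0}
    for requests in rounds:
        for ip, solved in requests:
            counts[flt.handle(ip, solved)] += 1
        flt.end_round()
    return flt, counts


# Constructed traffic: two bots that never answer the test and hammer the server,
# one user who solves the test, one user who cannot solve it but requests rarely.
BOTS = ["198.51.100.7", "198.51.100.8"]
ROUNDS = [[(ip, False) for ip in BOTS for _ in range(6)]
          + [("192.0.2.10", True)] * 2 + [("192.0.2.11", False)]
          for _ in range(4)]
```

Running `simulate(ROUNDS)` blocks only the two bot addresses and turns the tests off after the third round, so the user who never solves a test is served from round four on.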

February 14, 2006 in defense, papers
