In this lesson we discuss DDoS (Distributed Denial of Service) defense techniques and the challenges of defending against DDoS attacks.

Challenges in DDoS defense. First, DDoS is difficult to defend against because the source IP addresses of the attack traffic are usually spoofed, so we cannot use them to go after the attacker. We do not know where the packets actually come from; they can come from anywhere on the Internet. The attacker rewrites the source IP address and sets it to the victim's IP address. Second, the same trick drives reflected attacks such as DNS reflection: the attacker sends requests that carry the victim's address as the source, and the legitimate DNS or web server bounces its replies back to the victim. Finding the true origin therefore requires a hop-by-hop check of the traffic pattern, which is slow and time consuming. Third, DDoS traffic crosses ISP and country boundaries. That raises legal issues, and detection, coordination and filtering across those boundaries require a lot of cooperation, verification and authentication, all of which take time; there is no mutual agreement between different countries and different ISPs. Finally, by the time we reach a compromised host, it is one of hundreds of thousands of compromised devices, and its owner is a victim, not the attacker. Even if we get into the device, we cannot tell who the mastermind is, and the attacker is usually long gone.

There are also variants of DDoS. Reflective attacks and degradation attacks keep the attack rate low enough that they are not triggered by an intrusion detection system that relies on threshold-based detection, so the attack traffic is hard to tell apart from legitimate load on the server. Large numbers of IoT devices with weak passwords and weak protocols have been compromised, as we discussed earlier. As shown in the Google Project Shield case that protects Brian Krebs's site, at least 175,000 devices were compromised, and an attacker does not even need to own those devices: a DDoS attack can simply be subscribed to or purchased.
One posting offered 50,000 bots per hour at $4,600. On the other side, the defense moves slowly: even reserving a single bit in the IP or TCP header takes about four years of standardization. I remember IP traceback techniques being reported between 2000 and 2003, and fourteen years later the standards bodies still have not come up with one.

Here are the three basic types of DDoS defense technique: prevention, detection and response.

Intrusion prevention. We can set sound security policies and enforce them rigorously with procedures. For example, if every DNS server accepted recursive queries only from clients in its own domain, rejected outside requests, and verified the origin of each query, then DNS reflection attacks would be significantly reduced. Going further, a server could require TCP instead of UDP for DNS, or even a secured TCP mechanism, so that the three-way handshake confirms the source address before any answer is sent. Ingress/egress filtering, which we discuss in detail on the next slide, is the technique of filtering packets with a wrong source IP address at the router, provided the router can identify them. It is specified in RFC 2827, Network Ingress Filtering; the ingress filtering discussed in most of the current literature refers to the same thing.

Intrusion detection. Here we list two basic types. Anomaly detection captures the normal traffic pattern and trains the system on it, so that it can recognize computer activity that does not match the predefined profile; after training, any incoming activity that does not match the profile generates an alert. The second type is misuse detection, also called signature-based detection: it recognizes a known pattern in the payload or the packet header, and generates an alert when that pattern is matched.

Intrusion response. We will discuss quite a few techniques here. One is source identification: we try to identify where the attack traffic comes from, even with IP spoofing.
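The ingress filtering rule from RFC 2827 described above, as an added example that is not part of the lesson: an edge router knows which prefixes sit behind each customer port and drops any packet whose source address is not one of them, so a customer cannot emit a DNS query spoofed with the victim's address. The interfaces, prefixes and packets are constructed for illustration (addresses from the RFC 5737 documentation ranges).

```python
"""Added example (not from the lesson): RFC 2827 / BCP 38 ingress filtering
on an ISP edge router, simulated in Python.  Interfaces, prefixes and
packets are constructed; addresses come from RFC 5737 documentation ranges."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str        # source IP as written in the header (may be spoofed)
    dst: str
    in_iface: str   # interface the packet arrived on


class EdgeRouter:
    """Edge router that knows which prefixes sit behind each customer port.
    That knowledge is what makes the filter possible: on the upstream port
    the router cannot tell a spoofed source from a real one, so it does
    not filter there."""

    def __init__(self, customer_prefixes, upstream_iface):
        self.customer = {iface: [ip_network(p) for p in prefixes]
                         for iface, prefixes in customer_prefixes.items()}
        self.upstream = upstream_iface

    def ingress_ok(self, pkt: Packet) -> bool:
        """RFC 2827 rule: a packet arriving on a customer interface must
        carry a source address belonging to that customer's prefixes."""
        if pkt.in_iface == self.upstream:
            return True
        src = ip_address(pkt.src)
        return any(src in net for net in self.customer.get(pkt.in_iface, []))

    def filter(self, packets):
        """Split a batch of packets into (forwarded, dropped)."""
        forwarded, dropped = [], []
        for pkt in packets:
            (forwarded if self.ingress_ok(pkt) else dropped).append(pkt)
        return forwarded, dropped


def example_router() -> EdgeRouter:
    # Constructed topology: two customers on two ports, one upstream link.
    return EdgeRouter(
        customer_prefixes={"cust1": ["192.0.2.0/24"],
                           "cust2": ["198.51.100.0/25"]},
        upstream_iface="upstream",
    )


def demo():
    """Run a constructed batch through the filter; returns (forwarded, dropped)."""
    router = example_router()
    victim = "203.0.113.7"             # constructed victim address
    open_resolver = "198.51.100.200"   # constructed DNS server outside both customers
    packets = [
        Packet("192.0.2.10", open_resolver, "cust1"),   # legitimate query from cust1
        Packet(victim, open_resolver, "cust1"),         # spoofed: DNS reflection attempt
        Packet("198.51.100.9", victim, "cust2"),        # legitimate packet from cust2
        Packet("192.0.2.10", victim, "cust2"),          # cust1's address arriving on cust2's port
        Packet(victim, "192.0.2.10", "upstream"),       # from the Internet: cannot be checked here
    ]
    return router.filter(packets)


if __name__ == "__main__":
    forwarded, dropped = demo()
    for pkt in dropped:
        print("dropped spoofed packet:", pkt)
```

Two caveats a practitioner will hit: the filter only stops this router's own customers from spoofing, so it protects other people's networks and works only when widely deployed; and a multihomed customer whose prefixes can legitimately arrive on more than one port needs the per-interface table extended (or a loose-mode check) or its traffic is dropped.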
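The two detection styles above, run over constructed traffic, as an added example that is not part of the lesson: anomaly detection trains a per-second packet-rate profile and alerts on deviation from it, while misuse detection matches a byte signature in the payload. The traffic, the threshold factor and the signature (a DNS question for QTYPE ANY, as used in amplification queries) are constructed for illustration. The example also shows the degradation-attack problem from the challenges section: a flood tuned to sit just under the threshold goes unnoticed.

```python
"""Added example (not from the lesson): anomaly detection and
signature-based (misuse) detection over constructed traffic."""
from statistics import mean, pstdev


def build_profile(training_counts):
    """Train on per-second packet counts of normal traffic; the predefined
    profile is simply (mean, standard deviation)."""
    return mean(training_counts), pstdev(training_counts)


def anomaly_alerts(profile, observed, k=3.0):
    """Return the seconds whose packet count exceeds mean + k * stdev.
    `observed` maps second -> packet count."""
    mu, sigma = profile
    threshold = mu + k * sigma
    return [sec for sec, count in sorted(observed.items()) if count > threshold]


# Constructed signature: QTYPE=ANY (0x00ff) followed by QCLASS=IN (0x0001),
# the tail of a DNS question typical of amplification queries.
SIGNATURES = {"dns-any-query": b"\x00\xff\x00\x01"}


def signature_alerts(payloads):
    """Misuse detection: (index, signature name) for every payload that
    contains a known byte pattern."""
    hits = []
    for i, payload in enumerate(payloads):
        for name, pattern in SIGNATURES.items():
            if pattern in payload:
                hits.append((i, name))
    return hits


def dns_query(qname: bytes, qtype: int) -> bytes:
    """Minimal constructed DNS query: fixed header plus one question."""
    header = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    labels = b"".join(bytes([len(part)]) + part for part in qname.split(b"."))
    return header + labels + b"\x00" + qtype.to_bytes(2, "big") + b"\x00\x01"


def demo():
    """Returns (seconds flagged by the anomaly detector, signature hits)."""
    # Training data: 60 s of normal traffic at roughly 10 packets per second.
    training = [8, 10, 12] * 20
    profile = build_profile(training)   # mean 10, stdev about 1.63, threshold about 14.9

    observed = {
        0: 500,   # volumetric flood, far above the profile
        1: 14,    # degradation attack tuned to stay just under the threshold
        2: 11,    # normal second
    }
    rate_alerts = anomaly_alerts(profile, observed)

    payloads = [
        dns_query(b"example.com", 1),     # A query, benign
        dns_query(b"example.com", 255),   # ANY query, matches the signature
    ]
    sig_alerts = signature_alerts(payloads)
    return rate_alerts, sig_alerts


if __name__ == "__main__":
    print(demo())
```

Note that second 1 is not reported even though 14 packets per second is an attack: a threshold detector only sees what is above its line, which is exactly why low-rate attacks are hard. The signature check, conversely, catches the ANY query regardless of rate but knows nothing about patterns it was not given, and a four-byte pattern can also occur by chance, so real signatures anchor on protocol structure rather than a raw substring.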
So there is IP traceback, which needs a lot of cooperation between the ISPs. The second response technique is network forensics: we collect and preserve evidence so that we can potentially pursue the attacker through legal means. The third is intrusion pushback: once we trace the attack back, we ask the upstream Internet service provider to rate-limit or block the traffic where it originates, but that requires authentication and correlation among the parties along the path. Intrusion tolerance is another major technique we are going to cover, and here the victim site is in full control. We do that by providing alternate routes and more bandwidth. We will present two different techniques. One is A2D2, which works entirely within the victim's own site: it sets up class-based queuing (CBQ) and rate limiting so that attack flows are penalized and legitimate clients keep their share of the bandwidth. The second is Secure Overlay Services (SOS), which places proxy servers out in the network and asks clients to come in through an indirect route. We will talk about those two in detail later.
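The class-based queuing idea behind A2D2, as an added example that is not A2D2's own code or part of the lesson: sources are placed into traffic classes, each class is policed by its own token bucket, and a flood in the "suspect" class therefore cannot starve the "trusted" class. The class names, rates, bursts, addresses and traffic pattern are constructed for illustration, and timing uses exact fractions so the result is deterministic.

```python
"""Added example (not from the lesson, not A2D2's code): per-class token
bucket policing in the spirit of class-based queuing.  Classes, rates,
bursts, addresses and the traffic pattern are constructed."""
from fractions import Fraction


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate = Fraction(rate)
        self.burst = Fraction(burst)
        self.tokens = Fraction(burst)
        self.last = Fraction(0)

    def allow(self, now) -> bool:
        # Refill for the elapsed time, capped at the burst size, then spend one token.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class ClassBasedLimiter:
    """Map each source to a class and police it with that class's bucket.
    Membership of `trusted` and `suspect` would come from the detection
    stage; here it is given directly."""

    def __init__(self, class_limits, trusted, suspect):
        self.buckets = {name: TokenBucket(rate, burst)
                        for name, (rate, burst) in class_limits.items()}
        self.trusted = set(trusted)
        self.suspect = set(suspect)

    def classify(self, src) -> str:
        if src in self.trusted:
            return "trusted"
        if src in self.suspect:
            return "suspect"
        return "normal"

    def admit(self, now, src) -> bool:
        return self.buckets[self.classify(src)].allow(now)


def run_simulation():
    """One second of constructed traffic; returns admitted packets per class."""
    limiter = ClassBasedLimiter(
        # class -> (packets per second, burst)
        class_limits={"trusted": (1000, 100), "normal": (500, 50), "suspect": (20, 5)},
        trusted={"192.0.2.10"},
        suspect={"203.0.113.66"},
    )
    # (arrival time in seconds, source) for three flows, merged in time order
    events = ([(Fraction(i, 300), "192.0.2.10") for i in range(300)]         # trusted client
              + [(Fraction(i, 400), "198.51.100.9") for i in range(400)]     # ordinary client
              + [(Fraction(i, 2000), "203.0.113.66") for i in range(2000)])  # flagged flooder
    events.sort()
    admitted = {"trusted": 0, "normal": 0, "suspect": 0}
    for now, src in events:
        if limiter.admit(now, src):
            admitted[limiter.classify(src)] += 1
    return admitted


if __name__ == "__main__":
    print(run_simulation())
```

The flooder's 2000 packets are cut to its burst plus one second of its rate, while the other two classes lose nothing, which is the intrusion-tolerance property the lesson describes. This is policing (drop when over the limit); a real CBQ scheduler such as the one A2D2 relies on queues and shares link capacity instead of dropping outright, and the quality of the result still depends on the classifier putting the right sources into the suspect class.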