Adapting intrusion detection systems to the new distributed denial of service attacks
Panel Chair
Panel Participants: Robert Stone (UUNET Technologies, Inc)
Panel Description
Distributed denial of service (DDoS) attacks made headlines in February by taking down major networks and services. They are quite possibly the single greatest threat facing the Internet today. The sharing of attack "enhancements" and the distribution of attack tools via the web make these attacks a growing threat.
This session presents the nature and elements of DDoS attacks, and discusses what users, system administrators, Internet Service Providers, and router vendors can do to best handle the prevention and detection of, and the response to, this threat. Key areas it will treat are:
- What is a DDoS attack?
  - Master/slave/victim structure.
  - Ease of deployment and operation.
- How is DDoS different from other threats?
  - Accumulation of individually insignificant threats.
  - Industry unpreparedness.
- Can they be detected in time?
  - Before onset?
  - Before it's too late?
- What security/network practices need to be in place
  - at user sites?
  - at ISPs?
  - throughout the Internet?
- What user preparation is necessary for DDoS
  - prevention?
  - detection?
  - response?
- What industry preparation is necessary for DDoS
  - prevention?
  - detection?
  - response?
- "Standard" intrusion detection systems/products:
  - What they do.
  - What they don't do.
- Forensics.
- Directions in DDoS attacks.
- Living in a DDoS world.
  - Coordinating user, router and ISP functioning.
  - Preparing for DDoS hits.
We'll be discussing techniques and technologies that are proven (such as egress filtering, CAR (Committed Access Rate) and RED (Random Early Detection)), in the works (such as ICMP traceback, now an IETF Working Group), and possible (such as ERUF+ITRACE, not yet even proposed to the IETF). DDoS attacks are not a problem with a fixed solution, and audience participation will be encouraged.
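Two of the "proven" techniques named above, egress filtering and committed-rate limiting, are simple enough to show in a few lines. The following is an added illustration written for this page, not code from the panel or from any of the tools it references. It assumes a site that owns two address blocks (the documentation ranges 192.0.2.0/24 and 198.51.100.0/24 stand in for real allocations) and a constructed set of outbound flow records as a border router would see them. The egress filter drops any packet leaving the site with a source address the site does not own, which is exactly what a compromised DDoS slave forging its source addresses would produce; the token bucket models a CAR-style policy that passes traffic up to a committed rate and drops the excess.

```python
import ipaddress
from collections import Counter

# Assumed site allocations (documentation ranges, not real prefixes).
SITE_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed outbound flow records: (source, destination, bytes).
SAMPLE_EGRESS_FLOWS = [
    ("192.0.2.10", "203.0.113.5", 1500),
    ("198.51.100.7", "203.0.113.5", 1500),
    ("10.9.8.7", "203.0.113.5", 1500),       # RFC 1918 source leaving the site: forged or misconfigured
    ("203.0.113.99", "203.0.113.5", 1500),   # source the site does not own: forged
    ("192.0.2.10", "203.0.113.5", 1500),
]


def egress_filter(flows, site_prefixes):
    """Split outbound flows into those whose source is inside a site prefix (allowed)
    and those whose source is not (dropped). Dropping the latter at the border is the
    egress-filtering practice the panel lists as proven: it stops a slave on this site
    from flooding a victim with spoofed sources."""
    allowed, dropped = [], []
    for src, dst, nbytes in flows:
        src_ip = ipaddress.ip_address(src)
        if any(src_ip in net for net in site_prefixes):
            allowed.append((src, dst, nbytes))
        else:
            dropped.append((src, dst, nbytes))
    return allowed, dropped


def spoof_summary(dropped):
    """Count dropped flows by forged source and by destination. Many distinct forged
    sources aimed at one destination is the pattern an operator wants an alert on,
    since it points to a slave on the local network taking part in a flood."""
    by_src = Counter(src for src, _, _ in dropped)
    by_dst = Counter(dst for _, dst, _ in dropped)
    return by_src, by_dst


class TokenBucket:
    """Committed-rate limiter (token bucket), a stand-in for a router CAR policy.
    Tokens are bytes; they refill at rate_bps up to burst_bytes. A packet is
    admitted only if enough tokens are available, otherwise it is dropped."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps
        self.burst = burst_bytes
        self.tokens = burst_bytes
        self.last = 0.0

    def admit(self, nbytes, now):
        elapsed = now - self.last
        self.last = now
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


def rate_limit_flows(flows, bucket, timestamps):
    """Apply the bucket to flows arriving at the given times; return the admitted ones."""
    return [f for f, t in zip(flows, timestamps) if bucket.admit(f[2], t)]


if __name__ == "__main__":
    allowed, dropped = egress_filter(SAMPLE_EGRESS_FLOWS, SITE_PREFIXES)
    print("allowed:", len(allowed), "dropped:", len(dropped))
    by_src, by_dst = spoof_summary(dropped)
    print("forged sources:", dict(by_src), "destinations:", dict(by_dst))
    # 1000 bytes/s committed rate, 2000-byte burst; three 1500-byte packets at t=0,0,1.
    bucket = TokenBucket(rate_bps=1000, burst_bytes=2000)
    print("admitted after rate limit:", len(rate_limit_flows(allowed, bucket, [0.0, 0.0, 1.0])))
```

The filter keys only on the source prefix, so it catches forged sources but nothing else; it is a contribution an individual site makes to everyone else's safety, which is why the panel lists it under practices needed "at user sites" and "at ISPs" rather than as a defence for the victim.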
Additional links:
- The World Wide Web Security FAQ, Section 11
- Practical Network Support for IP Traceback, Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson, Department of Computer Science and Engineering, University of Washington, Technical Report UW-CSE-2000-02-01
- Security Portal's Denial of Service (DoS) FAQ
- The "stacheldraht" distributed denial of service attack tool
- The DoS Project's "trinoo" distributed denial of service attack tool
- The "Tribe Flood Network" distributed denial of service attack tool
David Dittrich <dittrich@cac.washington.edu>, University of Washington
Copyright 1999. All rights reserved.
December 31, 1999