This document discusses distributed denial of service (DDoS) attacks and botnets. It explains that DDoS attacks use multiple compromised internet-connected devices to overwhelm a target with traffic. Large botnets like Conficker have infected millions of devices worldwide. While targets can defend against low-level attacks, high volume attacks are difficult to defend against. Ultimately, reducing DDoS attacks requires addressing the root causes that enable the creation of botnets, such as improving user awareness of computer security and developing better security tools.
2. What is DDoS?
• "Distributed Denial of Service Attack"
– Uses multiple hosts on the Internet to focus traffic against one or more targets.
– Multiple can mean 100's of machines but could also mean millions.
– Generates more traffic than the target can handle, hence denying service to legitimate traffic.

4. Just a small sample of targets
• 2002 Root Servers attacked
• ……
• 2006 CafePress
• 2007 Estonia
• 2008 Scientology
• 2009 Twitter
• 2010 Australia's Parliament House
• 2011 ….. ? ? ?

5. BotNets are a big Problem
• You cannot talk about DDoS without mentioning the hijacked machines that are used in the attacks!
• Viruses/Worms etc. are used to enable control of poorly secured machines.
• Can be spread in numerous ways.

6. How big is the BotNet Problem?
• We don't really know
– Seriously! That is a sign of how bad it is.
• One BotNet is Conficker:
– We can measure +/- 6 million unique IP addresses showing Conficker infections globally…
– However, that does not count individual infections behind firewalls. The Chinese say that they see 18 million Conficker infections every month!
Source: http://www.confickerworkinggroup.org/ and http://www.china.org.cn/government/whitepaper/node_7093508.htm

7. Can you defend against this?
• You can provision to deal with low level attacks. (bandwidth, system resources)
• You can have processes in place to push back on attacks. (Filtering at upstreams)
• This is an arms race, one where we pay for our resources but the "bad guys" don't.
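As an added example (not part of the slides), a small Python script that classifies per-target traffic in constructed flow records against an assumed provisioned capacity, separating a flood from a few sources, which filtering at the upstream can address, from a distributed flood from many hosts; the capacity figure, the source-count threshold and the record format are assumptions:

```python
# Added example, not from the slides: per-target traffic assessment over
# constructed flow records of the form "second src_ip dst_ip bytes".
from collections import defaultdict

# Assumed provisioned capacity per target, in bytes per second (hypothetical).
CAPACITY_BPS = 10_000_000
# Assumed threshold: above this many distinct sources in one second, blocking
# individual source IPs at the upstream is no longer practical.
DISTRIBUTED_SOURCES = 100

def parse_flows(lines):
    """Parse 'second src dst bytes' records into (sec, src, dst, bytes) tuples."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        sec, src, dst, nbytes = line.split()
        flows.append((int(sec), src, dst, int(nbytes)))
    return flows

def per_target_peak(flows):
    """For each target, its busiest one-second window: (bytes, distinct sources)."""
    windows = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for sec, src, dst, nbytes in flows:
        bucket = windows[dst][sec]
        bucket[0] += nbytes
        bucket[1].add(src)
    peaks = {}
    for dst, secs in windows.items():
        worst = max(secs.values(), key=lambda b: b[0])
        peaks[dst] = (worst[0], len(worst[1]))
    return peaks

def classify(peak_bytes, n_sources, capacity=CAPACITY_BPS, many=DISTRIBUTED_SOURCES):
    """Map a target's peak load to a defensive verdict."""
    if peak_bytes <= capacity:
        return "within capacity"
    if n_sources < many:
        return "flood from few sources: filter upstream"
    return "distributed flood: exceeds provisioning"

def assess(lines, **kw):
    return {dst: classify(b, n, **kw) for dst, (b, n) in per_target_peak(parse_flows(lines)).items()}

# Constructed sample: normal traffic, one loud source, and 500 hosts hitting one target.
SAMPLE = ["0 198.51.100.7 203.0.113.10 400", "1 198.51.100.8 203.0.113.10 500",
          "0 192.0.2.1 203.0.113.20 12000000", "1 192.0.2.1 203.0.113.20 11000000"]
SAMPLE += [f"0 10.{i // 256}.{i % 256}.9 203.0.113.30 30000" for i in range(500)]

if __name__ == "__main__":
    for dst, verdict in assess(SAMPLE).items():
        print(dst, verdict)
```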
8. • Infected machines are not just used for DDoS
– Also used to collect, store and move data.
– (Including people's identities, money and other sensitive data)
• If someone owns your machine they can do anything with it that you can do, including some things you would never think of doing.

9. "fight the disease not the symptoms"
• We cannot remove the threat of DDoS unless we tackle the issues that allow for BotNets.
• If we are seeing millions of machines infected then clearly the way we are currently doing things is not working.

10. User awareness and computer hygiene need to be drastically improved. That means more education and better user tools. We must find ways to make cybercrime less rewarding and much higher risk. This is no different to real world crime problems!

11. Thank You
John Crain
Senior Director, Security Stability and Resiliency
ICANN
john.crain@icann.org