Page 1: An Adaptable Inter-Domain Infrastructure Against DoS Attacks

Georgios Koutepas
National Technical University of Athens, Greece
SSGRR 2003w, January 10, 2003

Page 2: What is "Denial of Service"?

• An attack to suspend the availability of a service
• Until recently the "bad guys" tried to enter our systems. Now it's: "If not us, then Nobody"
• No break-in attempts, no information stealing, although they can be combined with other attacks to confuse Intrusion Detection Systems.
• No easy solutions! DoS is still mostly a research issue

Page 3: Main Characteristics of DoS

• Variable targets:
  – Single hosts or whole domains
  – Computer systems or networks
  – Important: Active network components (e.g. routers) are also vulnerable and possible targets!
• Variable uses & effects:
  – Hacker "turf" wars
  – High profile commercial targets (or just competitors…)
  – Useful in cyber-warfare, terrorism etc.

Page 4: Brief History

First Phase (starting in the '90s): Single System DoS
• Started as bug/vulnerability exploitation
• The targets are single hosts - single services
• Many times one single malicious packet is enough

Second Phase (1996-2000): Resource Consuming DoS
• Resource consuming requests from many sources
• Internet infrastructure used for attack amplification

Third Phase (after 2000): Distributed DoS
• Bandwidth of network connections is the main target
• Use of many pirated machines, possibly in many attack stages, that will have an escalating effect to saturate the victim(s)

Page 5: Brief History (cont.)

Important Events:
• February 7-11 2000: Big commercial sites (CNN, Yahoo, E-Bay) are taken down by flooding of their networks.
  – The attacks capture the attention of the media
  – The US President assembles an emergency council of members of Internet and e-commerce companies, civil liberties organizations, and security experts to jointly announce actions strengthening Internet and computer network security
• January 2002: The British ISP CloudNine suspends operations because of continuous interruption in Internet connectivity.

Page 6: Distributed DoS

[Diagram: the Attacker (1) takes control of pirated machines ("zombies") in Domain A and Domain B and (2) commands the attack against the Target domain.]

Page 7: A DDoS Attack Domain-wise

[Diagram: traffic from the Sources of the attack crosses the Attack Transit Domains (innocent domains, but their connectivity is affected) to reach the Target Domain.]

Page 8: DDoS Facts

• Some hundreds of persistent flows are enough to knock a large network off the Internet
• Incoming traffic has to be controlled outside the victim's domain, at the upstream providers
• Usually source IPs are spoofed on attack packets
• Offending systems may be controlled without their users suspecting it
• Possibly many levels of command & control:
  – Attacker-Manager-Agents
• Examples of automatic tools for such attacks: "Trinoo", "Stacheldraht", and "TFN2K", also called rootkits

Page 9: Multi-tier attack

[Diagram: the Attacker controls Attack Masters, which in turn command the "zombies" (Attack Agents) that flood the Target domain.]

Page 10: Reflection DDoS Attack

[Diagram: the Attacker, through an Attack Master, has the "zombies" send legitimate TCP SYN requests to routers and web or other servers; the TCP SYN-ACK answers of those systems arrive at the Target domain.]

Page 11: Reaction to DDoS

• The malicious flows have to be determined. Timely reaction is critical!
• The attack characteristics have to be communicated (in any way possible) upstream. This usually has to be done manually and is an uncertain and time-consuming procedure.
• Filters that will block attack traffic must be set up and maintained. Their effectiveness must be verified.
• The bandwidth penalty is still present throughout all the affected networks. Actions are required on all the networks along the attack path.

Page 12: Reaction to DDoS (cont.)

• Another possible solution (helps the ISP): stop all traffic to the target. Direct it to a central point and discard it. Completes the attack!
• Trace-back efforts:
  – Following the routing (if sources not spoofed)
  – Step by step through ISPs. Difficult to convince them if they are not concerned about the bandwidth penalty
• Conclusion: It's not a matter of a single site

Page 13: Our Solution: Inter-Domain Cooperative IDS Entities

Page 14: Inter-Domain Cooperative IDS Entities

[Diagram: a Cooperative IDS Entity in each Participating Domain (Non-participating Domains have none); Notification Propagation between Entities by multicast; activation of filters and reaction according to local policies.]

The Cooperative IDS Entities constitute an Overlay Network

Page 15: Main Design Characteristics: Architecture

• Unit of Reaction to the attack: each administrative domain
• Requires agreement between domains, but this is not difficult, since they preserve their independence
• Actions along the attack path in as many networks as possible
• Minimizing the bandwidth loss not only at the victim but at each step in the attack. Non-malicious traffic then has better chances to get through

Page 16: The Entities

• The Entities compose the infrastructure
  – They are the trusted points for the domain
  – They manage all communications and reaction within the domain, aimed at stopping an on-going attack
  – Communications by multicast methods
  – They are on the top of the local IDS hierarchy, thus combine the local picture with the one from peers
  – They are controlled locally according to the choices and policies of the administrator
• They can implement reaction filters to routers, BUT:
  – Their duration is controlled, the admin is aware of them and it's possible to adjust to shifting attack patterns

Page 17: Main Design Characteristics: Entity Implementation

• Lightweight and modular software architecture, different components performing the various tasks
• Java Management Extensions (JMX) framework for control and configuration
• Using the Intrusion Detection Message Exchange Format (IDMEF) in all messages achieves compatibility with standards and inter-operability with installed IDS infrastructure
• Multicast advantages:
  – Independence from specific installation host
  – Stealthy presence
  – Possible parallel operation of backup Entities

Page 18: Main Design Characteristics: Internal Entity Architecture

[Diagram of the internal Entity architecture: Communication Unit (Alerts, Heartbeats and Local Notifications, exchanged with Peer Entities), Analysis Unit (Event Info), Filtering Unit, Response Unit (Response Policies; Configuration Transcription towards the Local Network Components), all managed through the JMX Infrastructure and the Management Console.]

Page 19: What happens during an Attack

[Diagram: participating domains with Cooperative IDS Entities and Hot-spare Entities, a Non-participating Domain, and the attack flows marked "!".]

(1) The Attack may be detected in many places at the same time with the help of local IDS
(2) The alerted Entities notify all other ones in their community, using multicast
(3) Some of them may determine that they are not on the attack path
(4) The rest, automatically, set up filters to suppress the attack
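Steps (3) and (4) above, as an added example that is not part of the presentation or its prototype: an Entity decides whether it is on the attack path and, if so, installs a filter with a controlled duration (the point made on the slide about the Entities). It assumes the Entity knows which destination prefixes its domain transits (a constructed table), represents filters as plain dictionary entries rather than router configuration, and uses a constructed, IDMEF-style alert.

```python
import ipaddress
import time

class Entity:
    """A Cooperative IDS Entity reacting to a peer's attack notification (steps 3 and 4)."""

    def __init__(self, name, transit_prefixes, filter_ttl=600):
        self.name = name
        # Assumption: the Entity knows which destination prefixes its domain
        # forwards traffic for; the list here is constructed for the example.
        self.transit = [ipaddress.ip_network(p) for p in transit_prefixes]
        self.filter_ttl = filter_ttl   # seconds a filter lives before the admin must renew it
        self.filters = {}              # (target, protocol) -> expiry time
        self.log = []                  # what the local administrator gets to see

    def on_attack_path(self, target):
        """Step 3: a notification concerns us only if we transit traffic for the target."""
        addr = ipaddress.ip_address(target)
        return any(addr in net for net in self.transit)

    def handle_notification(self, alert, now=None):
        """Step 4: install a time-bounded filter if we are on the path; otherwise ignore."""
        now = time.time() if now is None else now
        target, proto = alert["target"], alert["protocol"]
        if not self.on_attack_path(target):
            self.log.append(f"{self.name}: not on path to {target}, ignoring")
            return False
        self.filters[(target, proto)] = now + self.filter_ttl
        self.log.append(f"{self.name}: filtering {proto} to {target} for {self.filter_ttl}s")
        return True

    def expire_filters(self, now=None):
        """Filters have a controlled duration, so a stale alert cannot blackhole a host forever."""
        now = time.time() if now is None else now
        expired = [k for k, exp in self.filters.items() if exp <= now]
        for k in expired:
            del self.filters[k]
        return expired

# Constructed notification from a peer Entity: an IDMEF-style alert reduced to the
# fields this example uses (real IDMEF is XML with far more structure).
ALERT = {"classification": "DDoS flood", "target": "192.0.2.10", "protocol": "tcp/syn"}

if __name__ == "__main__":
    transit = Entity("transit-domain", ["192.0.2.0/24"])
    far = Entity("unrelated-domain", ["198.51.100.0/24"])
    for e in (transit, far):
        e.handle_notification(ALERT, now=1000)
    print(transit.log + far.log)
    print(transit.expire_filters(now=1700))   # the filter lapses after filter_ttl seconds
```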

Page 20: Additional Concepts

• It is possible to create "communities" of entities and distribute the notifications only within them. Only events transcending two communities will be let through, thus limiting traffic and notification overhead
• The communities can be set up thanks to multicast either:
  – Geographically (by the TTL on the packets)
  – According to common interests etc. (by different groups)
• Security
  – The messages are encrypted against eavesdropping, BUT by symmetric cryptography
  – Additionally there are timestamps and digital signatures on the messages to avoid repetition (replay) attacks
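The timestamp-plus-signature check from the Security bullet, as an added example that is not the presentation's code: a receiver accepts a notification only if its authenticator verifies, its timestamp is fresh, and it has not been seen before. It assumes a shared community key with HMAC-SHA256 standing in for the digital signature, leaves out the encryption layer, and uses constructed message values.

```python
import hashlib
import hmac
import json
import time

COMMUNITY_KEY = b"constructed-shared-key"   # placeholder: a deployment distributes this out of band
MAX_SKEW = 30                                 # seconds a notification stays acceptable

def sign(msg, key=COMMUNITY_KEY):
    """Authenticate canonical JSON so field order cannot be used to forge a variant."""
    body = json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def make_notification(sender, alert, now=None):
    """Sender side: timestamp the alert and attach the authenticator."""
    msg = {"sender": sender, "ts": int(time.time() if now is None else now), "alert": alert}
    return {"msg": msg, "mac": sign(msg)}

class Receiver:
    def __init__(self, key=COMMUNITY_KEY):
        self.key = key
        self.seen = {}   # (sender, ts, mac) -> when first accepted; pruned once too old to matter

    def accept(self, packet, now=None):
        """Returns (alert, "ok") if genuine and fresh, else (None, reason)."""
        now = time.time() if now is None else now
        msg, mac = packet["msg"], packet["mac"]
        if not hmac.compare_digest(mac, sign(msg, self.key)):
            return None, "bad authenticator"       # tampered or from outside the community
        if abs(now - msg["ts"]) > MAX_SKEW:
            return None, "stale timestamp"         # old capture, or clocks too far apart
        key = (msg["sender"], msg["ts"], mac)
        if key in self.seen:
            return None, "replay"                  # identical message repeated within the window
        self.seen[key] = now
        # Entries older than MAX_SKEW would fail the freshness check anyway, so drop them.
        self.seen = {k: t for k, t in self.seen.items() if now - k[1] <= MAX_SKEW}
        return msg["alert"], "ok"

if __name__ == "__main__":
    pkt = make_notification("entity-A", {"target": "192.0.2.10"}, now=1000)
    rx = Receiver()
    print(rx.accept(pkt, now=1005))   # accepted
    print(rx.accept(pkt, now=1010))   # same packet again: replay
    print(rx.accept(pkt, now=2000))   # long after: stale timestamp
```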

Page 21: Current Status

• Currently developing a prototype
  – Linking with a Panoptis / Netflow detection engine
• Plans to deploy it in the Greek Academic Network
• Testing the effectiveness of a peer-2-peer communications scheme in addition to multicast
• Developing the Hot-Spare concepts

Page 22: Questions and Answers