Defending against Large-Scale Distributed Denial-of-Service Attacks
Transcript of Defending against Large-Scale Distributed Denial-of-Service Attacks
Defending against Large-Scale Distributed Denial-of-Service Attacks
Department of Electrical and Computer Engineering
Advanced Research in Information Assurance and Security (ARIAS) Lab
Virginia Tech
Jung-Min Park
Overview of DoS Attacks
• What is a DoS attack? An attack that disrupts network services to legitimate clients
• Large-scale Distributed DoS (DDoS) attack of Feb. 2000: a DDoS attack took down Yahoo, eBay, and Amazon.com; the outage caused millions of dollars in lost revenue
• Hundreds of attacks are observed each day
• Global corporations lost over $1.39 trillion in revenue due to security breaches in 2000, and over 60% are due to viruses and DoS attacks (http://www.captusnetworks.com/BeenDoSd.pdf)
• FBI reports indicate DoS attacks are on the rise
Taxonomy of DoS Attacks
• Attacks that exploit system design weaknesses: Teardrop attack, Ping-of-death attack, Land attack, SYN flood attack
• Attacks that exploit the weakness of particular protocols: attacks against authentication protocols, attacks against key agreement protocols
• Attacks that exploit the asymmetry between “line rate” and throughput of hosts and routers: flooding-based DDoS attacks
Flooding-based DDoS Attacks
• Exploits the asymmetry between “line rate” and throughput of hosts and routers
• Large volume of packets is sent toward a victim
• Consumes bandwidth and processing power of the victim
• DDoS attacks utilize attack handlers and zombies to hide the identity of the real attacker
Lines of Defense Against DDoS Attacks
Prevention and preemption (before the attack):
• Apply software patch
• SYN cookies, client puzzles
• Design DoS attack resistant systems
• Overlay networks
Detection (during the attack):
• Signature (misuse) detection
• Anomaly detection
Mitigation and filtering (during the attack):
• Client puzzles
• Aggregate filtering, pushback
• Overlay networks
Attack source traceback and identification (during and after the attack):
• IP traceback: packet marking
• IP traceback: packet logging
• “Attack traceback”
TRACK: A New Approach to IP Traceback
The IP Traceback Problem
• IP traceback strategies: Probabilistic Packet Marking (PPM), Packet Logging
[Figure: attack detection at the victim; traceback to the zombie’s border router]
Limitations of Current IP Traceback Schemes
• Do not support last-hop traceback
• Packet logging schemes: significant computation overhead on routers; significant storage overhead on routers
• Packet marking: not scalable; the complexity of the path reconstruction process increases rapidly as the number of attackers increases; a large number of packets needs to be collected
rouTer poRt mArking and paCKet filtering (TRACK)
Objective:
• Reduce computation complexity of path reconstruction
• Reduce number of packets that need to be collected
• Support last-hop traceback
• Support gradual deployment
• Filter attack traffic using traceback information
[Figure: attack detection at the victim; router port marking for traceback; packet filtering at the border router of the zombies]
Basic Principles of TRACK
A string composed of locally-unique router interface port numbers is a globally unique identifier of a path.
[Figure: example tree topology rooted at the victim V: router A below V; routers B, C, D; routers E, F, G, H, I, J; routers L, M, N, O, P, Q, R, S; clients C1, C2, C3, C4 at the leaves. Each router interface is labelled with its locally-unique port number (e.g. 21, 18, 11, 50, 29, 34, 42, 47, 27, 7, 62, 36, 8, 52, 14, 19, 24, 61, 32).]
Marking Traceback Information in the IP Header
Router Port Marking Procedure
Marking fields: Distance, XOR, Port Number, Marking Flag
• Active Port Marking Mode (APMM) at probability of p: set Marking Flag = 1, write the router’s Port Number into the Port Number field and into the XOR field, and set Distance = last 5 digits of TTL
• Passive Port Marking Mode (PPMM) at probability of 1 – p: if Marking Flag = 1, XOR field ← XOR field ⊕ Port Number
Path Reconstruction Process of TRACK
• Objective: recover the port number sequence of an attack path and convert it into a sequence of router IP addresses
• Approach: distribute the path reconstruction process among the victim’s upstream routers (from the victim to the attacker’s border router) (similar to Pushback); employ a trace table and trace packets; use the same information to filter attack traffic at the border router of the attacker
• Computational complexity: O(N²)
Path Reconstruction Process of TRACK
Assume C3 is sending packets to V; M is in APMM; F, B, and A are in PPMM
• At M (APMM): MKF = 1, XOR = PN = 18, Distance = TTL5(254) = 30
• At V: MKF = 1, PN = 18, Distance = 30, TTL5 = 27, XOR = 2 (= 18 ⊕ 47 ⊕ 34 ⊕ 21); d = 30 – 27 = 3
Path Reconstruction Process of TRACK

| Router closest to V in APMM * | Hop Count: d | Port Number: PN(d) | XOR: XOR(d) |
|---|---|---|---|
| A | 0 | 21 [010101]** | 21 |
| B | 1 | 34 [100010] | 55 (= 34 ⊕ 21) |
| F | 2 | 47 [100111] | 16 (= 47 ⊕ 55) |
| M | 3 | 18 [010010] | 02 (= 18 ⊕ 16) |

d = Distance – TTL5
XOR(d+1) ⊕ PN(d+1) = XOR(d)
C3’s path: 21-34-47-18
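The port marking of slide 12 and the trace-table reconstruction of slides 13 to 15, as an added Python example that is not code from the slides: packets from C3 cross M, F, B, A to V with ingress ports 18, 47, 34, 21, each router marks actively with probability p, and the victim recovers PN(d) = XOR(d) ⊕ XOR(d−1). Field widths (6-bit ports, 5-bit distance), the TTL-after-decrement convention and the two-attacker candidate check are assumptions; note that the slide’s binary column writes port 47 as 100111 (decimal 39), so with decimal 47 the XOR at V for d = 3 is 10 rather than the 2 shown, while the recovered path is the same.

```python
import random

TTL5_MASK = 0x1F   # "last 5 digits of TTL": the low 5 bits of the TTL field

def apmm(port, ttl):
    # Active Port Marking Mode: (re)write the whole mark with this router's port
    return {"mkf": 1, "pn": port, "xor": port, "dist": ttl & TTL5_MASK}

def ppmm(mark, port):
    # Passive Port Marking Mode: if a mark is present, fold this port into XOR
    if mark["mkf"] == 1:
        mark = dict(mark, xor=mark["xor"] ^ port)
    return mark

def forward(path_ports, p, rng, ttl=255):
    """One packet from a zombie to V. path_ports lists, attacker side first,
    the ingress port the packet uses at each router. Returns (mark, TTL at V)."""
    mark = {"mkf": 0, "pn": 0, "xor": 0, "dist": 0}
    for port in path_ports:
        ttl -= 1                                   # decrement TTL, then mark (assumed order)
        mark = apmm(port, ttl) if rng.random() < p else ppmm(mark, port)
    return mark, ttl

def hop_count(mark, ttl_at_victim):
    # d = Distance - TTL5 (mod 32): routers between the marking router and V
    return (mark["dist"] - (ttl_at_victim & TTL5_MASK)) % 32

def collect(paths, p, n, seed=1):
    """Trace table at V: hop count d -> set of XOR(d) values seen in marked packets."""
    rng, table = random.Random(seed), {}
    for path in paths:
        for _ in range(n):
            mark, ttl = forward(path, p, rng)
            if mark["mkf"]:
                table.setdefault(hop_count(mark, ttl), set()).add(mark["xor"])
    return table

def candidate_ports(table, d):
    """PN(d) = XOR(d) ^ XOR(d-1). With several attackers every pairing of XOR
    values is a candidate, so false positives appear that the trace packets
    have to rule out at the upstream router."""
    prev = table.get(d - 1, {0})                   # XOR(-1) = 0 at V itself
    return {x ^ y for x in table[d] for y in prev}

def reconstruct(table):
    """Single attacker: one candidate per hop, listed from V outwards."""
    return [next(iter(candidate_ports(table, d))) for d in range(len(table))]

if __name__ == "__main__":
    c3 = [18, 47, 34, 21]                          # ingress ports at M, F, B, A (slide example)
    print(reconstruct(collect([c3], 0.04, 20000)))  # [21, 34, 47, 18]
```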
Number of Packets Needed for Path Reconstruction
[Figure: number of packets needed for path reconstruction, two panels: p = 0.04 and p = 0.01]
False Positive Rate
[Figure: false positive rate, two panels: Skitter Internet map and complete tree topology model]
Gradual Deployment
[Figure: gradual deployment, two panels: complete tree topology model and Skitter Internet map]
Chained Puzzles: A Novel Approach to IP-Layer Puzzles
Client Puzzle Protocols
• A technique used to mitigate DoS attacks that does not rely on distinguishing between attack traffic and legitimate client traffic
• Puzzles are typically based on difficult problems from cryptosystems: partial reversal of a hash function; exhaustive key search in a private key cryptosystem
Message exchange between Client and Server/Router:
1. Puzzle Request (Client → Server/Router)
2. Puzzle Challenge (Server/Router → Client)
3. Puzzle Solution (Client → Server/Router)
Basic Principles of Chained Puzzles
• Puzzle algorithm: exhaustive key search of XTEA6 (XTEA6: truncated version of the XTEA encryption algorithm)
• Puzzle Routers: puzzle distribution and verification is performed by the “first-hop” border router, called a Puzzle Router; puzzles are enabled by downstream Puzzle Routers
Message Exchange Between Puzzle Routers
• Downstream Puzzle Routers enable puzzles at the upstream Puzzle Routers
[Figure: Zombie or Legitimate Client → Puzzle Router → Puzzle Router → Server; traffic flows toward the server, and ICMP Congestion Notifications are exchanged between the Puzzle Routers in the opposite direction]
Optimal Location for Detection and Mitigation
• Detection: DDoS attacks are detected easily near the server or the main victim of the attack (packet loss, heavy congestion, etc.)
• Mitigation: preventing or mitigating an attack is best performed as close to the source of the attack as possible
[Figure: zombies at the edges of the network sending traffic toward the server]
Puzzle Distribution
• How do we distribute puzzles? Easy in the TCP 3-way handshake
• IP is connectionless, and a client puzzle protocol is connection oriented:
  1. Client asks for a puzzle
  2. Server sends the puzzle to the client
  3. Client solves the puzzle, sends the solution back to the server
• Solution: puzzle solution chaining
[Figure: Client and Server/Router exchanging Puzzle Request, Puzzle Challenge, Puzzle Solution]
Puzzle Solution Chaining
• When puzzles are enabled, a “bootstrapping” procedure is needed to create the first puzzle
• Subsequent puzzles are created by the client independently
• Current solution becomes plaintext for the next puzzle
Puzzle Solution Chaining – cont’d
• Client creates a chain of puzzles
[Figure: the Puzzle Router sends a Puzzle Challenge; the Client answers with P1 (w/Solution), P2 (w/Solution), P3 (w/Solution), P4 (w/Solution)]
• The Puzzle Router reissues the puzzle challenge periodically
Probabilistic Verification
• Puzzle Routers verify incoming puzzles according to a given probability
• Increases performance and throughput of the Puzzle Routers
[Flowchart: packet arrives on the Incoming Link → Verify Puzzle? → No: forward on the Outbound Link; Yes: Verify → Correct? → Yes: forward on the Outbound Link; No: Drop Packet]
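The puzzle mechanics of slides 20, 21 and 27, as an added Python example that is not the authors’ code: the Puzzle Router issues an XTEA6 exhaustive-key-search puzzle, the client searches the 2^d unknown key bits, and the router checks solutions with probability q and drops packets whose solution is wrong. XTEA6 is assumed to mean XTEA with 6 rounds, the hidden bits are assumed to be the low d bits of the last key word, and the client-generated chain puzzles of slides 25 and 26 are not modelled because the slides do not define how they are formed.

```python
import random

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9   # XTEA round constant

def xtea6_encrypt(block, key, rounds=6):
    """XTEA cut down to 6 rounds (assumed reading of 'XTEA6'); block = (v0, v1), key = 4 words."""
    v0, v1, s = block[0], block[1], 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & MASK32
        s = (s + DELTA) & MASK32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & MASK32
    return v0, v1

def partial_key(pz, x):
    # Fill the d unknown low bits of the last key word with the candidate x
    return pz["k"][:3] + [pz["k"][3] | x]

def make_puzzle(d, seed=0):
    """Puzzle Router: draw a key and a block, hide the low d bits of the key,
    publish (plaintext, ciphertext, partial key, difficulty d)."""
    rng = random.Random(seed)
    key = [rng.getrandbits(32) for _ in range(4)]
    block = (rng.getrandbits(32), rng.getrandbits(32))
    known = key[:3] + [key[3] & ~((1 << d) - 1) & MASK32]
    return {"p": block, "c": xtea6_encrypt(block, key), "k": known, "d": d}

def solve_puzzle(pz):
    """Client: exhaustive search over the 2^d unknown key bits (about 2^(d-1) tries on average)."""
    for x in range(1 << pz["d"]):
        if xtea6_encrypt(pz["p"], partial_key(pz, x)) == pz["c"]:
            return x
    return None

def verify(pz, x):
    # Router-side check costs a single encryption, whatever d is
    return x is not None and xtea6_encrypt(pz["p"], partial_key(pz, x)) == pz["c"]

def puzzle_router(packets, q, seed=0):
    """Slide 27 flow: each packet carries (puzzle, claimed solution); verify it
    with probability q and drop it if the solution is wrong, else forward."""
    rng, forwarded = random.Random(seed), []
    for pz, x in packets:
        if rng.random() < q and not verify(pz, x):
            continue                               # Drop Packet
        forwarded.append((pz, x))                  # Outbound Link
    return forwarded
```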
Simulation Results: NPSR
• Normal Packet Survival Ratio (NPSR): percentage of legitimate packets that can make their way to the victim in the midst of a DDoS attack
[Figure: Normal Packet Survival Ratio versus Puzzle Difficulty Level; x-axis: puzzle difficulty level d (0 to 15); y-axis: normal packet survival ratio (0.75 to 1); curves: Standard IP, AP Q = 0, AP Q = 25, AP Q = 50, AP Q = 100]
Future Work
• IP traceback: improve scalability; better support of gradual deployment; minimize the number of false positives; support IP fragments; support router degrees greater than 64
• Client puzzle protocol: specification of a Puzzle Router’s functions; resolve protocol architecture issues; counter puzzle protocol circumvention; ensure fairness
Questions?
Conclusion
• Last-hop traceback capability: a step closer to attack traceback
• Support of gradual deployment: a more realistic solution
• Using the router port instead of the router as the atomic unit for traceback: fewer packets and less computational complexity for path reconstruction, finer granularity, and fewer false positives
• Attack detection at the victim and packet filtering at the zombies’ border routers: the optimal location for both modules
Backup
Path Reconstruction Process of TRACK

| Router closest to V in APMM | Hop Count: d | Port Number: PN(d) | XOR: XOR(d) |
|---|---|---|---|
| A | 0 | 21 [010101] | 21 [010101] |
| A | 0 | 42 [101010] | 42 [101010] |
| B | 1 | 34 [100010] | 55 [110111] (= 34 ⊕ 21) |
| C | 1 | 62 [111110] | 20 [010100] (= 62 ⊕ 42) |
| F | 2 | 47 [100111] | 16 [010000] (= 47 ⊕ 55) |
| H | 2 | 08 [001000] | 28 [011100] (= 08 ⊕ 20) |
| M | 3 | 18 [010010] | 02 [000010] (= 18 ⊕ 16) |
| P | 3 | 32 [100000] | 60 [111100] (= 32 ⊕ 28) |

• Objective: recover the port number sequence of an attack path and convert it into a sequence of router IP addresses
• Approach: distribute the path reconstruction process among the victim’s upstream routers (from the victim to the attacker’s border router) (similar to Pushback); employ a trace table and trace packets; use the same information to filter attack traffic at the border router of the attacker
• Computational complexity: O(N²)
Limitation of Current Attack Mitigation Schemes
• Problem: conventional countermeasures attempt to detect and filter at the same location
• Fact: attack detection is easier closer to the victim; packet filtering is more effective closer to the attack source
• Solution: separate the two functions into separate modules
Attack Mitigation (Packet Filtering)
[Figure: location of attack detection and packet filtering, compared at the victim, in the network, and at the attack source]
Probabilistic Packet Marking (Basics)
• Routers mark packets with fragments of their IP addresses probabilistically
• The Identification field in the IP header is used (the probability of IP fragmentation is 0.25%)
• The victim can collect the address fragments from many packets to reconstruct the attacking path
Overhead of Packet Logging
For an OC-192 link:
• TRACK: 50k destination IP address insertions or updates per second; 900 MB/hour of storage, upper-bounded by 20 GB
• The scheme in [Snoe01]: 60 million hash operations per second; 44 GB of storage per hour, bounded by the maximum allowed traceback time
• The scheme in [Li04]: 8 million hash operations per second; 5.2 GB of storage per hour, bounded by the maximum allowed traceback time
False Positive Analysis
Gradual Deployment
• Neighbor-Discovery Handshake Protocol
• Jump back to source during path reconstruction
[Figure: the same example tree topology as on the Basic Principles of TRACK slide: victim V, router A, routers B, C, D, routers E to J, routers L to S and clients C1 to C4, with each router interface labelled by its port number]