Georgios Koutepas, Fotis Stamatelopoulos, Vasilios Hatziyannakis, and Basil Maglaris
Design and Operational Characteristics of a Distributed Cooperative Infrastructure against DDoS Attacks
Georgios Koutepas, Fotis Stamatelopoulos, Vasilios Hatziyannakis, and Basil Maglaris
National Technical University of Athens, Greece
ECIW 2003
July 1, 2003
A Distributed Cooperative Infrastructure against DDoS Attacks – ECIW 2003
What is "Denial of Service"?
• An attack to suspend the availability of a service
• Until recently the "bad guys" tried to enter our systems. Now it’s: "If not us, then Nobody"
• No break-in attempts, no information stealing, although they can be combined with other attacks to confuse Intrusion Detection Systems.
  – DoS: single, carefully crafted malicious packets against the target machine
  – Distributed DoS: traffic flows from various sources to exhaust network or computing resources
• No easy solutions! DoS is still mostly a research issue
Main Characteristics of DoS
• Variable targets:
  – Single hosts or whole domains
  – Computer systems or networks
  – Important: Active network components (e.g. routers) are also vulnerable and possible targets!
• Variable uses & effects:
  – Hacker "turf" wars
  – High profile commercial targets (or just competitors…)
  – Useful in cyber-warfare, terrorism etc.
• February 7-11 2000: Big commercial sites (CNN, Yahoo, E-Bay) are taken down by flooding of their networks.
• October 2002: attack against the Root DNS servers
Distributed DoS
(Figure: the Attacker X 1. takes control of "zombies", pirated machines in Domain A and Domain B, and 2. commands the attack against the target domain.)
A DDoS Attack Domain-wise
(Figure: the sources of the attack, the attack transit domains and the target domain; the transit domains are innocent domains, but their connectivity is affected.)
Reaction to DDoS
• Incoming traffic has to be controlled outside the victim’s domain, at the upstream providers
• Usually source IPs are spoofed on attack packets
• The malicious flows have to be determined.
• The attack characteristics have to be communicated upstream. This is usually done manually and is an uncertain and time-consuming procedure.
• Filters that will block attack traffic must be set up and maintained. Their effectiveness must be verified.
• The bandwidth penalty is still present throughout all the affected networks. Actions are required on all the networks along the attack path.
Our Solution: An Inter-Domain Cooperative Infrastructure
Inter-Domain Cooperative Framework
(Figure: participating and non-participating domains; each participating domain runs a Cooperative Counter-DDoS Entity; notifications propagate between the Entities by multicast; filters are activated and reaction follows according to local policies.)
The Cooperative Counter-DDoS Entities constitute an Overlay Network
The Entities
• The Entities compose the infrastructure
  – They are the trusted points for the domain to participate in the Infrastructure
  – They manage all communications and reaction within the domain
  – They are on the top of the local IDS hierarchy, thus combine the local picture with the one from peers
  – They are controlled locally according to the choices and policies of the administrator
  – Communications by multicast methods
• They can implement reaction filters on routers, BUT:
  – Their duration is controlled, the admin is aware of them and it’s possible to adjust to shifting attack patterns
Main Design Characteristics: Entity Implementation
• Lightweight and modular software architecture, different components performing the various tasks
• Java Management Extensions (JMX) framework for control and configuration
• Using the Intrusion Detection Message Exchange Format (IDMEF) in all messages achieves compatibility with standards and inter-operability with installed IDS infrastructure
• Multicast advantages:
  – Stealthy presence
  – Independence from specific installation host
  – Possible parallel operation of backup Entities
Entity State Transition
(Figure: state transition diagram of an Entity.)
Internal Entity Architecture
(Figure: components – Management application, Networking component, Communication Unit, Analysis Unit, Response Unit, Local IDS Hierarchy, Event info DB, Entity DB and Policy File, all on top of the JMX Infrastructure; labelled flows – alerts and heartbeats from the Local IDS Hierarchy, multicast messages to and from other Entities, notifications, diagnosed security events, status information, configuration event notifications, and configuration to the Network Management Console.)
What happens during an Attack
(Figure: domains A, B, C, D, E, W, X, Y, Z; the tables below refer to the Entity at domain B.)
Path Cases for domain B
Path Case   Situation
1           B may be the source or on the attack path
2           B is on the attack path
3           B is the target of the attack
4           B out of the attack path
Message DB of the Entity at domain B
#   Alert Sender   Source Domain   Target Domain   Next-Hop Domain   Event Type
1   A              W               D               B                 (125) ICMP flood
2   A              X               D               B                 (125)
3   C              B               D               D                 (125)
4   C              Z               D               D                 (125)
5   D              C               D               N/A               (125)
Policy Entries
• Match Event Characteristics with actions taken against the attack
  – Attack type
  – Attack destination (target domain)
  – Path positioning case
• Custom made actions to match the specific attack
• Reaction for a certain time
Matching Part / Reaction Part
Entry 1 – Destination: D; Attack Type: DDoS packet type (*); Path Case: 1&2
  Action: a. Throttle traffic 25%; b. coming from the source domain that gives Path Case 1; c. Packet Type the one derived from messages, Dest. D
  Duration: 600 sec
Entry 2 – Destination: *; Attack Type: DDoS packet type (*); Path Case: 1&2
  Action: a. Throttle traffic 50%; b. outgoing in the direction of the target domain; c. Packet Type the one derived from messages, Dest. the target domain
  Duration: 200 sec
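The path-case inference and the policy matching of the two preceding slides, as an added example that is not part of the original presentation or of the authors' Java/JMX Entity: a small Python model of the Entity at domain B that classifies each row of its message DB by path case and matches it against the two policy entries. The rule that maps message fields to path cases is inferred from the table and is an assumption, as are the dict layout of a reaction and the event type assumed for rows 2-5.

```python
from dataclasses import dataclass

LOCAL = "B"  # domain whose Entity evaluates the messages (constructed example)

@dataclass
class Notification:  # one row of the Entity's message DB, fields as on the slide
    sender: str      # alert sender (peer Entity)
    source: str      # source domain of the flow, as seen by the sender
    target: str      # target domain
    next_hop: str    # next-hop domain, "N/A" if unknown
    event_type: str

def path_case(m: Notification, local: str = LOCAL) -> int:
    """Path case of `local`; rule inferred from the slide's table (assumption):
    3 = local is the target, 2 = a peer forwards the flow to local,
    1 = a peer sees local as the source, 4 = out of the attack path."""
    if m.target == local:
        return 3
    if m.next_hop == local:
        return 2
    return 1 if m.source == local else 4

@dataclass
class Policy:  # matching part: destination, attack type, path cases; reaction part: the rest
    destination: str   # target domain or "*"
    attack_type: str   # event type or "*"
    cases: tuple       # path cases the entry applies to
    throttle_pct: int  # throttle matching traffic by this percentage
    scope: str         # "from-source" or "to-target": which flows the filter covers
    duration: int      # seconds the filter stays installed

POLICIES = [  # the two entries of the Policy Entries slide
    Policy("D", "*", (1, 2), 25, "from-source", 600),
    Policy("*", "*", (1, 2), 50, "to-target", 200),
]

def reactions(msgs, local=LOCAL, policies=POLICIES):
    # Filters the local Entity would install: one dict per (message, matching policy)
    out = []
    for m in msgs:
        case = path_case(m, local)
        for p in policies:
            if (p.destination in ("*", m.target) and p.attack_type in ("*", m.event_type)
                    and case in p.cases):
                flow = f"src={m.source}" if p.scope == "from-source" else f"toward={m.target}"
                out.append({"case": case, "throttle_pct": p.throttle_pct, "flow": flow,
                            "packet_type": m.event_type, "dest": m.target, "duration": p.duration})
    return out

MESSAGES = [  # constructed from the message DB on the slide; rows 2-5 assumed to be ICMP flood too
    Notification("A", "W", "D", "B", "ICMP flood"),
    Notification("A", "X", "D", "B", "ICMP flood"),
    Notification("C", "B", "D", "D", "ICMP flood"),
    Notification("C", "Z", "D", "D", "ICMP flood"),
    Notification("D", "C", "D", "N/A", "ICMP flood"),
]
```

Rows 4 and 5 give path case 4 and produce no reaction, so domain B throttles only the flows its peers have tied to it; evaluated at the target domain D every row is case 3 and the two entries do not fire at all.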
Additional Concepts
• Security
  – The messages are encrypted against eavesdropping, BUT by symmetric cryptography
  – Additionally there are timestamps and digital signatures on the messages to avoid replay attacks
• It is possible to create “communities” of Entities by multicast and distribute the notifications only within them.
  – Geographically (by the TTL on the packets)
  – According to common interests etc. (by different multicast groups)
Current Status
• Finished prototype
• Putting a WAN emulation facility (Dummynet) between the Entities for testing behavior during attacks
  – Test the accuracy in setting up the right filters, at the right points
  – Determine the effects on non-attack traffic, thus choose the right configuration parameters, duration of filters
• Testing the effectiveness of a peer-to-peer communications scheme in addition to multicast
• Developing the Hot-Spare concepts
• Introducing the usage of advanced inference algorithms and/or expert systems
• Plans to deploy it in the Greek Academic Network
Conclusions
• It's not an IDS, but rather a “message management system” independent of the underlying detection technologies
• Distributed framework that uses a Cooperative Inter-Domain approach
• Trusted partners, each deploying a local software Entity
• Entities exchange security information so that positioning in the attack path is detected locally and without requiring traceback procedures
• Reaction is activated in parallel, controlled at each domain by local policies