Pi: A Path Identification Mechanism to Defend Against

DDoS Attacks

Abraham Yaar, Adrian Perrig, Dawn SongCarnegie Mellon University

{ayaar, perrig, dawnsong}@cmu.eduPresented and Edited by Yongdae Kim

Outline

DDoS Attack/Defense Review Goals/Main Idea Pi Marking Pi Filtering Experimental Results Discussion Conclusion

DDoS Review Attackers compromise

network hosts, flood victim with packets• Overload packet

processing capacity

• Saturate network bandwidth

Spoofed source IP addresses evade network filters

RFC 3514

Security flag in IP header• By Steven Bellovin

• Attackers must set evil bit in malicious packets

• Receivers can filter out evil packets

Challenge: deployment April fools joke Pi achieves similar property!

IP Traceback Defense

Victim reconstructs attack tree from address fragments

Disadvantages:• Slow reconstruction

• Multi-path reconstruction

• Assumes upstream ISP collaboration

Other Strategies

Source Path Isolation Engine (SPIE)• Routers store packet hashes, recursive query to

reconstruct path

• Disadvantage–Per-packet state at routers

Pushback Framework• Routers identify attack packet characteristics,

install upstream filter

• Disadvantage–Difficult to distinguish attack/user packets

Outline

DDoS Attack/Defense Review Goals/Main Idea Pi Marking Pi Filtering Experimental Results Discussion Conclusion

Goals – Ideal DDoS Defense Fast

• Defense after single attack packet Victim filters traffic

• No dependency on upstream ISPs Overhead

• Minimal computation/state at routers and victims Interoperability

• Supports IP Fragmentation Incrementally deployable

• Additional deployment increases performance

Main Idea

Path “fingerprints”• Entire fingerprint in

each packet

• Incrementally constructed by routers along path

Victim rejects packets with attacker fingerprints (Pi-marks)

Main Idea

Path “fingerprints”• Entire fingerprint in

each packet

• Incrementally constructed by routers along path

Victim rejects packets with attacker fingerprints (Pi-marks)

Main Idea

Path “fingerprints”• Entire fingerprint in

each packet

• Incrementally constructed by routers along path

Victim rejects packets with attacker fingerprints (Pi-marks)

Main Idea

Path “fingerprints”• Entire fingerprint in

each packet

• Incrementally constructed by routers along path

Victim rejects packets with attacker fingerprints (Pi-marks)

Outline

DDoS Attack/Defense Review Goals/Main Idea Pi Marking Pi Filtering Experimental Results Discussion Conclusion

Pi Marking Scheme

Marking Scheme

• Each router marks n bits into IP Identification field

Marking Function

• Last n bits of hash (eg. MD5) of router IP address

Marking Aggregation

• Router pushes marking into IP Identification field

Queue-based marking• Routers “push” marking into IP Identification

field

• Note: Victim’s local routers (in general, 3, 4 hopes) do not mark.

Pi Marking

Legacy routers do not mark

Extensions• Detect upstream legacy router• Mark for previous legacy router• Write-ahead improvement

Legacy Routers

Path marking vs. Edge Marking Collision in path marking

• path(AC) = mamc, path(BC) = mbmc

• With probability 1/2n, ma = mb

Edge marking• path(AC) = ma’mc1, path(BC) = mb’mc2

• where mc1 = h(IPC || IPA), mc2 = h(IPC || IPB)

• Still probability of collision is 1/2n

• But, new probability of having identical marks for two paths joining at the same node becomes 1/22n

Pi Marking - IP Fragmentation

Problem• Using deterministic values in IP Identification

field breaks fragmentation

Solution (suggested by Vern Paxson)• Don’t mark packets that may ever get

fragmented, or are fragments themselves–Packets with DFT bit set

–Packets smaller than smallest MTU

• During DDoS attack, drop packets that do not have DFT bit set

Outline

DDoS Attack/Defense Review Goals/Main Idea Pi Marking Pi Filtering Experimental Results Discussion Conclusion

Pi Filtering – Basic Scheme

Basic Scheme• Drop all packets with Pi marks matching that of

any attack packets

Assumption• Victim can identify attack packets

Implementation Overhead• Memory: Bit vector of length 216 (8kB)

– if (BitVec[PiMark] == 0) then accept() else drop();

• Simple per packet lookup

Pi Filtering - Thresholds Problem

• Single attacker causes multiple users’ rejections

Solution• Assume, for a particular Pi mark, i:

–ai= number of attack packets

–ui= number of legitimate users’ packets

• Victim chooses threshold, t, such that if:

then packets with Pi mark i are kept

ii

i

ua

at

Outline

DDoS Attack/Defense Review Goals/Main Idea Pi Marking Pi Filtering Experimental Results Discussion Conclusion

Exp. Results – Attack Model

Two phase DDoS model• Phase 1: Learning Phase

–Omniscient victim, Filter Bootstrapping

–Limited Length (3 packets per endhost)

• Phase 2: Attack Phase–Pi filter deployed

–“Unlimited” Length (3 packets simulated)

Results presented for phase 2

Exp. Results - Setup

Two Internet Topologies• Internet Map Project

–81,953 unique endhosts

• CAIDA Skitter Map–171,472 unique endhosts

5,000 Legitimate Users, 100-10,000 Attackers n = 2 bits 4 router non-marking ISP perimeter

• Victim ISP marks unnecessary/undesirable

Exp. Results - Metrics

Filter Errors• False Positive: User packet dropped

• False Negative: Attacker packet accepted

Acceptance Ratio• Percent packets accepted by victim of total

packets sent

• Attacker Acceptance Ratio = false negative rate

• User Acceptance Ratio = (1 – false positive rate)

Exp. Results – Basic Filter

DDoS protection• Accepted (with

10,000 unique attack paths):

– 60% of user traffic

– 17% attacker traffic

Downward slope due to “marking saturation”• All markings

flagged as attacker

Exp. Results – 50% Threshold Filter Performance

Thresholds Work!• Accepted (with

10,000 unique attack paths):

– 82% of user traffic

– 22% attacker traffic

Increased attack severity requires increased threshold

Exp. Results – Legacy Routers

50% threshold used Performance

degradation is gradual

Some filtering accuracy even at 50% legacy routers• 0 = random selection

• 1 = perfect filter

Exp. Results – Limited Capacity Constraint

• Limit maximum number of packets accepted.

Strategy• Accept lowest attack

traffic Pi marks first.

Performance• 60% server capacity

for legitimate packets when total attack traffic 170X of user traffic. *Note: Each Attacker sends 10X

traffic over legitimate user.

Outline

DDoS Attack/Defense Review Goals/Main Idea Pi Marking Pi Filtering Experimental Results Discussion Conclusion

Other Applications

Help other anti-DDoS techniques• Pushback

–Filters that mask individual IP addresses can be very long

–Upstream path information improves filtering accuracy

• IP traceback path reconstruction• IDS

ISPs use Pi to detect IP address spoofing

Discussion: Deployment Incentives

Lack of incentive for ingress filtering Pi provides incentive for ISP

• Customers benefit from Pi marking

Attackers within ISP cause blocking of other ISP customers• ISP has incentive to block attack

• Incentives for ingress filtering

Market pressures drive Pi deployment• Large-scale Internet sites > ISP > router manufacturer

Future Work Advanced marking schemes

• Use combination of exor and shift

Advanced dynamic filters

• Problems:–“Nearby” attackers always have attacker

initialized bits in markings

–Route changes cause Pi mark variations

• Solution: Machine learning techniques identify marking commonalities–(ie. Longest prefix matching for nearby attackers)

Related Work

IP traceback itrace SPIE PEIP – Path Enhanced IP CS3-Inc.

• Adds 16 bytes path to each packet

• Router marks within 16 bytes path

Pi: Conclusions Disadvantages of current DDoS defenses

• Slow

• High overhead

• Assumes ISP collaboration

Pi provides DDoS protection• After first identified attack packet

• Minimal overhead at routers and endhosts

• Maintains IP Fragmentation

• No inter-ISP cooperation

• Great incremental deployment properties