1 / 80

A Divide-and-Conquer Strategy for Thwarting Distributed Denial-of Service Attacks

IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 18, NO. 5, MAY 2007. A Divide-and-Conquer Strategy for Thwarting Distributed Denial-of Service Attacks. Presented by: C. W. Fan-Chiang. Author(1/3). Ruiliang Chen He is currently a PhD student in the Bradley

crwys
Download Presentation

A Divide-and-Conquer Strategy for Thwarting Distributed Denial-of Service Attacks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 18, NO. 5, MAY 2007 A Divide-and-Conquer Strategy forThwartingDistributed Denial-ofService Attacks Presented by: C. W. Fan-Chiang

  2. Author(1/3) Ruiliang Chen He is currently a PhD student in the Bradley Department of Electrical and Computer Engineering at Virginia Polytechnic Institute and State University (Virginia Tech). His research interests include traceback and mitigation mechanisms for thwarting denial-of-service attacks, attack-resilient routing protocols for wireless ad hoc networks, and security issues in cognitive radio networks. He is a student member of the IEEE. OPLab,NTUIM

  3. Author(2/3) Jung-Min Park He received the bachelor’s and master’s degrees in electronic engineering from Yonsei University, Seoul, Republic of Korea, in 1995 and 1997, respectively, and the PhD degree from the School of Electrical and Computer Engineering at Purdue University in 2003. His research interests include DoS attack countermeasures, e-commerce protocols, cognitive radio networks, key management, and applied cryptography. He is a member of the IEEE and the ACM. OPLab,NTUIM

  4. Author(3/3) Randolph Marchany He is currently the director of the Virginia Polytechnic Institute and State University (Virginia Tech) IT Security Testing Lab, a component of the university’s Information Technology Security Office. a coauthor of the FBI/SANS Institute’s “Top 10/20 Internet Security Vulnerabilities” , a co-author of the SANS Institute’s “Responding to DDoS Attacks”, Computer Security—Incident Handling—Step by Step,” He is a member of the IEEE. OPLab,NTUIM

  5. Agenda INTRODUCTION ATTACK DIAGNOSIS AND PARALLEL ATTACK DIAGNOSIS PRACTICAL CONSIDERATIONS SIMULATION AND RESULTS RELATED WORK CONCLUSION OPLab,NTUIM

  6. Agenda INTRODUCTION ATTACK DIAGNOSIS AND PARALLEL ATTACK DIAGNOSIS PRACTICAL CONSIDERATIONS SIMULATION AND RESULTS RELATED WORK CONCLUSION OPLab,NTUIM

  7. Introduction (1/13) • Defending against DDoS attacks is challenging for two reasons. • First, the number of attackers involved in a DDoS attack is very large. • Second, attackers usually spoof their IP addresses, which makes it very difficult to trace the attack traffic back to its sources. • Ingress/egress ;Subnet Spoofing? OPLab,NTUIM

  8. Introduction (2/13) Attacker Packet Filtering Attack Detection Victim • Client puzzle, Max-min Servercentric router throttles, Differentiated service • The ideal countermeasure paradigm of Max-min Servercentric router throttles, • the attack detection module is placed at (or near) the victim and • the packet filtering module is placed as close to the attack sources OPLab,NTUIM

  9. Introduction (3/13) When attacks are detected downstream close to the victim, the upstream routers close to the attack sources filter attack packets using summarized attack signatures sent by the detection module. However, have either or both of the following two drawbacks OPLab,NTUIM

  10. Introduction (4/13) 1.The need to securely forward attack signatures to the upstream routers. May require a global key distribution infrastructure for authenticating and verifying the attack signatures.(which is costly to deploy and maintain.) OPLab,NTUIM

  11. Introduction (5/13) • 2.The dependence on attack signatures to separate attack traffic from legitimate traffic. Such a signature is very difficult for three reasons. OPLab,NTUIM

  12. Introduction (6/13) • 2-1.In many cases, an attack detection module can only detect the existence of attacks but may not formulate any attack signatures from the observed traffic OPLab,NTUIM

  13. Introduction (7/13) 2-2.Even if an attack signature is obtained, it may not be usable to a router to filter packets when the signature lies above the network layer. Because a router is a network-layer device, it would severely degrade its performance to examine the contents of every packet to match high-layer attack signatures OPLab,NTUIM

  14. Introduction (8/13) 2-3.Even signatures in the network layer may have limited value because the attackers can readily manipulate corresponding information. Because An attacker can spoof source IP addresses and change the protocol field in the IP header, rendering these fields useless as valid attack signatures. The only absolutely reliable information in a packet is the destination IP address. OPLab,NTUIM

  15. Introduction (9/13) Attack Diagnosis (AD), a novel attack mitigation scheme that combines the concepts of Pushback and packet marking to thwart DDoS attacks. OPLab,NTUIM

  16. Introduction (10/13)-the execution of AD 1.An Intrusion Detection System (IDS) installed at the victim (or at its firewall) detects an attack. 2.The victim instructs the upstream routers to start marking packets with trace back information. 3. Based on the marking information extracted from collected packets, the victim separates an attacker from other clients and traces back to the attack source. 4. The victim instructs the appropriate upstream routers to filter attack packets. OPLab,NTUIM

  17. Introduction (11/13) However, AD is not appropriate for large-scale attacks involving a large number of attackers because the process would be very slow. An extension to AD called Parallel Attack Diagnosis (PAD) that can throttle traffic coming from multiple attackers simultaneously in a single round. OPLab,NTUIM

  18. Introduction (12/13) - AD/PAD features AD/PAD support the ideal DDoS countermeasure paradigm AD/PAD is reactive in nature. No communication overhead is required when a network is not under attack. AD/PAD employ deterministic packet marking, they are robust against forgery of marking fields OPLab,NTUIM

  19. Introduction (13/13) - AD/PAD features AD/PAD throttle attackers in a “divide and conquer” fashion, very low false positive ratios are incurred. Moreover, PAD provides a “tunable” parameter that enables the network to adjust the diagnosis process delay and the false positive ratio. AD/PAD do not rely on attack signatures for packet filtering and require no global key distribution infrastructure. OPLab,NTUIM

  20. Agenda INTRODUCTION ATTACK DIAGNOSIS AND PARALLEL ATTACK DIAGNOSIS PRACTICAL CONSIDERATIONS SIMULATION AND RESULTS RELATED WORK CONCLUSION OPLab,NTUIM

  21. ATTACK DIAGNOSIS AND PARALLEL ATTACK DIAGNOSIS (1/33) • Assumptions • Overview of AD and PAD • Attack Diagnosis • Parallel Attack Diagnosis • Analysis of False Positives • Analysis of Attack Mitigation Delay OPLab,NTUIM

  22. ATTACK DIAGNOSIS AND PARALLEL ATTACK DIAGNOSIS (2/33)- Assumptions • Every host, either a client or a server, is connected to its local edgerouter. • Edge routers are, in turn, interconnected by core routers. • We refer to the server host being attacked as the victim. OPLab,NTUIM

  23. ATTACK DIAGNOSIS AND PARALLEL ATTACK DIAGNOSIS (3/33) - Assumptions A recent study has shown that 95 percent of the routes observed in the Internet have fewer than five observable daily changes. we make the reasonable assumption that every route from a client to the victim is fixed during the timeframe of interest. Assume that Internet routers are not compromised. OPLab,NTUIM

  24. ATTACK DIAGNOSIS AND PARALLEL ATTACKDIAGNOSIS (4/33) - Assumptions • False Negative to denote an attacker whose malicious packets have not been filtered, • False Positive to denote a legitimate client whose packets have been incorrectly throttled. OPLab,NTUIM

  25. ATTACK DIAGNOSIS AND PARALLEL ATTACK DIAGNOSIS (5/33) - Assumptions • The existence of an IDS module installed at the victim (or at its firewall), which is able to identify the existence of attacks after observing malicious traffic. OPLab,NTUIM

  26. ATTACK DIAGNOSIS AND PARALLEL ATTACKDIAGNOSIS (6/33) - Overview of AD/PAD Some of the router interfaces are labeled with a locally unique number that identifies that interface port. We call this number the port identifier (PID). However, when an interface port is connected to multiple hosts via a broadcast link-layer channel (such as in a LAN), a PID cannot be used to uniquely identify a host. OPLab,NTUIM

  27. ATTACK DIAGNOSIS AND PARALLEL ATTACKDIAGNOSIS (7/33) - Overview of AD/PAD Router F maintains a virtual PID table, which maps a “virtual PID” to every MAC address that the router observes coming through interface x. OPLab,NTUIM

  28. ATTACK DIAGNOSIS AND PARALLEL ATTACKDIAGNOSIS (8/33) - Overview of AD/PAD OPLab,NTUIM

  29. ATTACK DIAGNOSIS AND PARALLEL ATTACKDIAGNOSIS (9/33) - Overview of AD/PAD PID is locally unique within a router, a string of PIDs can be used to uniquely identify the path from a server to a client. Eg.4-8-24-42、53—8-50-27 AD is capable of throttling malicious traffic coming from a modest number of attackers. PAD solves this problem by dealing with multiple attackers simultaneously. OPLab,NTUIM

  30. ATTACK DIAGNOSIS AND PARALLEL ATTACKDIAGNOSIS (10/33) - Attack Diagnosis To support AD, a router needs to mark packets with its PIDs and other traceback-related information. For this purpose, we overload the 16-bit Identification field and one reserved bit in the IP header. Note that IP fragments constitute a very small proportion of the actual Internet traffic (less than 0.25 percent) OPLab,NTUIM

  31. ATTACK DIAGNOSIS AND PARALLEL ATTACKDIAGNOSIS (11/33) - Attack Diagnosis • Use a-bit hop-count field, • a b-bit PID field, • and a c-bit XOR field, where OPLab,NTUIM

  32. ATTACK DIAGNOSIS AND PARALLEL ATTACKDIAGNOSIS (12/33) - Attack Diagnosis • Hop-count field in a packet records the number of hops from a router that first marks a given packet to the edge router that is immediately upstream of the victim. • PID field of a given packet records the PID of the router’s input interface port that processed the packet. • XOR field of a packet records the value obtained by taking the XOR (exclusive OR) of the least significant c bits of PID values. OPLab,NTUIM

  33. ATTACK DIAGNOSIS AND PARALLEL ATTACKDIAGNOSIS (13/33) - Attack Diagnosis • A router interface can be set to either of two marking modes. • Active Deterministic Marking Mode (ADMM) for V if it processes every packet destined for V as follows: • 1) sets the hop-count field to zero, • 2) copies its PID to the PID field, and • 3) copies the least significant c bits of its PID to the XOR field. OPLab,NTUIM

  34. ATTACK DIAGNOSIS AND PARALLEL ATTACKDIAGNOSIS (14/33) - Attack Diagnosis • A router interface can be set to either of two marking modes. • Passive Deterministic Marking Mode (PDMM) for V if it processes every packet destined for V as follows: • 1) increases the hop-count field by one and • 2) computes the bit-by-bit XOR value of the least significant c bits of its PID and the XOR field value and writes the result back to the XOR field. OPLab,NTUIM

  35. ATTACK DIAGNOSIS AND PARALLEL ATTACKDIAGNOSIS (15/33) - Attack Diagnosis AD process is triggered. The victim begins the process by sending a “DAI” (Diagnose-All-Interfaces) request with the TTL field set to 255 to its immediate edge router. DII-p(Diagnose Individual Interface) request received by a router is always preceded by a DAI request. OPLab,NTUIM

  36. ATTACK DIAGNOSIS AND PARALLEL ATTACKDIAGNOSIS(16/33) – AD Process SET interface 42 to PDMM Others remain unchanged SET all interface to ADMM Status packet DII-42 DAI OPLab,NTUIM

  37. ATTACK DIAGNOSIS AND PARALLEL ATTACKDIAGNOSIS(17/33) – AD Process Status packet SET interface 24 to PDMM Others remain unchanged DAI SET all C’s interface to ADMM DII-24 OPLab,NTUIM

  38. ATTACK DIAGNOSIS AND PARALLEL ATTACKDIAGNOSIS(18/33) – AD Process Status packet Figure that C1 is an attacker V instruct G to trigger packet filter module on 4 DII-4 OPLab,NTUIM

  39. ATTACK DIAGNOSIS AND PARALLEL ATTACKDIAGNOSIS(19/33) – PAD Process SET interface 27、42 to PDMM Others remain unchanged SET all interface to ADMM Status packet DII-42 DAI OPLab,NTUIM DII-27

  40. ATTACK DIAGNOSIS AND PARALLEL ATTACKDIAGNOSIS(20/33) – PAD Process Status packet Status packet SET interface 50 to PDMM Others remain unchanged SET interface 24 to PDMM Others remain unchanged DAI DAI SET all B’s interface to ADMM SET all C’s interface to ADMM DII-50 DII-24 OPLab,NTUIM

  41. ATTACK DIAGNOSIS AND PARALLEL ATTACKDIAGNOSIS(21/33) – PAD Process Status packet Status packet V instruct F to trigger packet filter module on x And use Virtual PID to locate C2 Figure that C1 is an attacker Figure that C2 is an attacker V instruct G to trigger packet filter module on 4 DII-31 DII-4 OPLab,NTUIM

  42. ATTACK DIAGNOSIS AND PARALLEL ATTACKDIAGNOSIS(22/33) OPLab,NTUIM

  43. ATTACK DIAGNOSIS AND PARALLEL ATTACKDIAGNOSIS (23/33) - The Execution of AD How can V determine that interface 50 belongs to B and interface 24 belongs to C? PID 50 at hop 1 is grouped with PID 27 (and not PID 42) at hop 0 because 41⊕50 =27 OPLab,NTUIM

  44. ATTACK DIAGNOSIS AND PARALLEL ATTACKDIAGNOSIS (24/33) OPLab,NTUIM

  45. ATTACK DIAGNOSIS AND PARALLEL ATTACKDIAGNOSIS (25/33) - Analysis Of False Positives • Under the following assumptions, one can show that AD incurs no false negatives or false positives and PAD incurs no false negatives: • 1) the attackers keep sending attack packets to the victim during the AD or PAD process, • 2) the IDS installed at the victim can accurately identify attacks, • 3) the MAC addresses are not spoofed. OPLab,NTUIM

  46. ATTACK DIAGNOSIS AND PARALLEL ATTACKDIAGNOSIS (26/33) - Analysis Of False Positives False positive occurs when each link of alegitimate client’s path (that is not on any attack path)collides with a link of an attack path, OPLab,NTUIM

  47. ATTACK DIAGNOSIS AND PARALLEL ATTACKDIAGNOSIS (27/33) - Analysis Of False Positives We assume thateach router assigns PID values to its interfaces randomlyfrom 0 to 2b-1. If we assume that q attackers are diagnosed in a single round The probability that a link of a legitimate client’s path collides with a link on an attack path is OPLab,NTUIM

  48. ATTACK DIAGNOSIS AND PARALLEL ATTACKDIAGNOSIS (28/33) - Analysis Of False Positives • If a legitimate client’s path has m links that do not coincide with any links on any attack path, then its false positive probability is OPLab,NTUIM

  49. ATTACK DIAGNOSIS AND PARALLEL ATTACKDIAGNOSIS (29/33) - Analysis Of False Positives OPLab,NTUIM

  50. ATTACK DIAGNOSIS AND PARALLEL ATTACKDIAGNOSIS (30/33) - Define Variables OPLab,NTUIM

More Related