Defending against Large-Scale Distributed Denial-of-Service Attacks

Department of Electrical and Computer Engineering

Advanced Research in Information Assurance and Security (ARIAS) Lab

Virginia Tech

Jung-Min Park


Overview of DoS Attacks

  • What is a DoS attack?

    • An attack that disrupts network services to legitimate clients

  • Large-scale Distributed DoS (DDoS) attack of Feb. 2000

    • A DDoS attack took down Yahoo, eBay, and Amazon.com

    • The outage caused millions of dollars in lost revenue

  • Hundreds of attacks are observed each day

  • Global corporations lost over $1.39 trillion in revenue due to security breaches in 2000, and

    • over 60% of that loss was due to viruses and DoS attacks (http://www.captusnetworks.com/BeenDoSd.pdf)

  • FBI reports indicate DoS attacks are on the rise


Taxonomy of DoS Attacks

  • Attacks that exploit system design weaknesses

    • Teardrop attack

    • Ping-of-death attack

    • Land attack

    • SYN flood attack

  • Attacks that exploit the weakness of particular protocols

    • Attacks against authentication protocols

    • Attacks against key agreement protocols

  • Attacks that exploit the asymmetry between link “line rate” and the packet-processing throughput of hosts and routers

    • Flooding-based DDoS attacks


Flooding-based DDoS Attacks

  • Exploit the asymmetry between “line rate” and the throughput of hosts and routers

  • A large volume of packets is sent toward a victim

  • Consumes bandwidth and processing power of the victim

  • DDoS attacks utilize attack handlers and zombies to hide the identity of the real attacker


Lines of Defense Against DDoS Attacks

  • Prevention and preemption (before the attack)

    • Apply software patches

    • SYN cookies, client puzzles

    • Design DoS-attack-resistant systems

    • Overlay networks

  • Detection (during the attack)

    • Signature (misuse) detection

    • Anomaly detection

  • Mitigation and filtering (during the attack)

    • Client puzzles

    • Aggregate filtering, pushback

    • Overlay networks

  • Attack source traceback and identification (during and after the attack)

    • IP traceback: packet marking

    • IP traceback: packet logging

    • “Attack traceback”


TRACK: A New Approach to IP Traceback


The IP Traceback Problem

[Figure: attack detection at the victim; traceback from the victim back to the zombie’s border router]

IP traceback strategies:

  • Probabilistic Packet Marking (PPM)

  • Packet Logging


Limitations of Current IP Traceback Schemes

  • Do not support last-hop traceback

  • Packet logging schemes

    • Significant computation overhead on routers

    • Significant storage overhead on routers

  • Packet marking

    • Not scalable: the complexity of the path reconstruction process increases rapidly as the number of attackers increases

    • A large number of packets needs to be collected


rouTer poRt mArking and paCKet filtering (TRACK)

[Figure: attack detection at the victim; router port marking for traceback; packet filtering at the border router of the zombies]

  • Objective:

    • Reduce computation complexity of path reconstruction

    • Reduce number of packets that need to be collected

    • Support last-hop traceback

    • Support gradual deployment

    • Filter attack traffic using traceback information


Basic Principles of TRACK

A string composed of locally-unique router interface port numbers is a globally unique identifier of a path.



Marking Traceback Information in the IP Header

Marking fields carried in the IP header:

  • Marking Flag (MKF): set to 1 by the router that marks the packet

  • Port Number (PN): the port number recorded by the marking router

  • XOR: running XOR of the port numbers of the routers traversed after the mark

  • Distance: the last 5 bits of the TTL (TTL5) at the marking router


Router Port Marking Procedure

  • Active Port Marking Mode (APMM), with probability p:

    • Marking Flag := 1; Port Number := own port number; XOR := own port number; Distance := last 5 bits of TTL

  • Passive Port Marking Mode (PPMM), with probability 1 – p:

    • If Marking Flag = 1: XOR := XOR ⊕ own port number


Path Reconstruction Process of TRACK

  • Objective

    • Recover the port number sequence of an attack path and convert it into a sequence of router IP addresses

  • Approach

    • Distribute the path reconstruction process among the victim’s upstream routers (victim → attacker’s border router), similar to Pushback

    • Employ a trace table and trace packets

    • Use the same information to filter attack traffic at the border router of the attacker

  • Computational complexity: O(N²)


Path Reconstruction Process of TRACK (worked example)

Assume C3 is sending packets to V through routers M, F, B, and A.

M is in APMM; F, B, and A are in PPMM.

At M (APMM): MKF = 1, XOR = PN = 18, Distance = TTL5(254) = 30

At V, after F, B, and A have each XORed in their port numbers: MKF = 1, PN = 18, Distance = 30, TTL5 = 27, XOR = 18 ⊕ 47 ⊕ 34 ⊕ 21 (the slide gives this value as 2; the four port numbers as listed actually XOR to 10)

d = 30 – 27 = 3

Path reconstruction then peels off one port number per hop, moving from the victim toward the attacker:

d = Distance – TTL5

XOR(d+1) ⊕ PN(d+1) = XOR(d)

C3’s path: 21-34-47-18
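The marking and reconstruction steps above, as an added example that is not the authors' implementation. It models the deck's scenario (M in APMM at port 18; F, B and A in PPMM at ports 47, 34 and 21) and then reconstructs the path by peeling XOR(d+1) ⊕ PN(d+1) = XOR(d) from the victim's border router upstream. Everything not stated on the slides is assumed: a 6-bit port field, an initial TTL of 255, routers marking the port on which a packet arrived, the Distance field being the TTL after the marking router's own decrement, and the constructed topology with decoy branches. With the slide's port numbers the mark reaches V with XOR = 10.

```python
"""Toy TRACK-style router port marking and XOR path reconstruction.

Assumptions (not from the deck): a 6-bit port number field, packets start
with TTL 255, every router marks the port on which the packet ARRIVED, and
the Distance field is the TTL after the marking router's own decrement.
"""
from dataclasses import dataclass
import random

PORT_BITS = 6                       # assumption: router degree <= 64
DIST_BITS = 5                       # "last 5 bits of TTL"
DIST_MASK = (1 << DIST_BITS) - 1


@dataclass
class Packet:
    ttl: int = 255
    mkf: int = 0        # marking flag
    pn: int = 0         # port number written by the APMM router
    xor: int = 0        # running XOR of ingress ports since the mark
    distance: int = 0   # TTL5 recorded by the APMM router


def mark(pkt, ingress_port, apmm):
    """One router's treatment of a packet that arrived on `ingress_port`."""
    pkt.ttl -= 1
    if apmm:                        # Active Port Marking Mode (probability p)
        pkt.mkf, pkt.pn, pkt.xor = 1, ingress_port, ingress_port
        pkt.distance = pkt.ttl & DIST_MASK
    elif pkt.mkf:                   # Passive Port Marking Mode (probability 1 - p)
        pkt.xor ^= ingress_port


# Constructed topology: router -> {ingress port: upstream neighbour}.
# The deck's attack path is C3 -> M(18) -> F(47) -> B(34) -> A(21) -> V;
# the other ports are decoys that reconstruction must reject. The branch
# A:9 -> X:35 -> Z2:50 is built so that its XOR residue also equals 18,
# which only the port-ownership check at W can rule out.
TOPOLOGY = {
    "A": {21: "B", 9: "X"},
    "B": {34: "F", 5: "Y"},
    "F": {47: "M", 18: "Z"},
    "M": {18: "C3", 3: "C4"},
    "X": {35: "Z2"}, "Z2": {50: "W"}, "W": {7: "C8"},
    "Y": {12: "C6"}, "Z": {18: "C7"},
}
EXAMPLE_PATH = [("M", 18), ("F", 47), ("B", 34), ("A", 21)]   # source first


def send(path, apmm_router=None, p=0.0, rng=None):
    """Forward one packet along `path`. `apmm_router` forces APMM at that
    router (the deck's example); otherwise each hop picks APMM with probability p."""
    rng = rng or random.Random(0)
    pkt = Packet()
    for router, port in path:
        apmm = (router == apmm_router) if apmm_router else (rng.random() < p)
        mark(pkt, port, apmm)
    return pkt


def hops_since_mark(pkt):
    """d = Distance - TTL5, taken modulo 2^5 so a TTL5 wraparound is harmless."""
    return (pkt.distance - (pkt.ttl & DIST_MASK)) & DIST_MASK


def reconstruct(topology, border_router, pkt):
    """Walk upstream from the victim's border router, applying
    XOR(d+1) ^ PN(d+1) = XOR(d) at every hop. A branch is a candidate path
    only if, after d hops, the residue equals PN *and* the router reached
    really owns an ingress port numbered PN (the last-hop check)."""
    if not pkt.mkf:
        return []
    d = hops_since_mark(pkt)
    found = []

    def walk(router, xor, depth, ports):
        if depth == d:
            if xor == pkt.pn and pkt.pn in topology.get(router, {}):
                found.append(ports + [pkt.pn])
            return
        for port, upstream in topology.get(router, {}).items():
            walk(upstream, xor ^ port, depth + 1, ports + [port])

    walk(border_router, pkt.xor, 0, [])
    return found


if __name__ == "__main__":
    pkt = send(EXAMPLE_PATH, apmm_router="M")
    print(pkt, "d =", hops_since_mark(pkt))
    print("candidate paths:", reconstruct(TOPOLOGY, "A", pkt))
```

Running it yields the single candidate path [21, 34, 47, 18]. The decoy branch through X and Z2 arrives at W with the same residue 18, which is exactly the false-positive case the deck measures; it survives here only because W has no port 18, so a topology in which W did own such a port would produce a second candidate. Forcing APMM at a different router (for example B) shortens d and the recovered sequence accordingly.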


Number of Packets Needed for Path Reconstruction

[Plot: number of packets needed for path reconstruction, curves for p = 0.01 and p = 0.04]


False Positive Rate

[Plots: false positive rate on the Skitter Internet map and on a complete tree topology model]


Gradual Deployment

[Plots: gradual deployment results on the Skitter Internet map and on a complete tree topology model]


Chained Puzzles: A Novel Approach to IP-Layer Puzzles


Client Puzzle Protocols

  • A technique used to mitigate DoS attacks that does not rely on distinguishing attack traffic from legitimate client traffic

  • Puzzles are typically based on hard problems from cryptography

    • Partial inversion of a hash function

    • Exhaustive key search in a symmetric (private-key) cryptosystem


Basic Principles of Chained Puzzles

  • Puzzle algorithm: exhaustive key search of XTEA6

    • XTEA6: a truncated version of the XTEA encryption algorithm

  • Puzzle Routers

    • Puzzle distribution and verification are performed by the “first-hop” border router, called a Puzzle Router

    • Puzzles are enabled by downstream Puzzle Routers


Message Exchange Between Puzzle Routers

  • Downstream Puzzle Routers enable puzzles at the upstream Puzzle Routers



Optimal Location for Detection and Mitigation

Detection: DDoS attacks are detected easily near the server or the main victim of the attack (packet loss, heavy congestion, etc.)

Mitigation: Preventing or mitigating an attack is best performed as close to the source of the attack as possible



Puzzle Distribution

  • How do we distribute puzzles?

    • Easy in TCP → the 3-way handshake already provides a request/response exchange

  • IP is connectionless, whereas a client puzzle protocol is connection oriented:

    • Client asks for a puzzle

    • Server sends the puzzle to the client

    • Client solves the puzzle and sends the solution back to the server

  • Solution

    • Puzzle solution chaining


Puzzle Solution Chaining

  • When Puzzles are enabled, “bootstrapping” procedure is needed to create the first puzzle

  • Subsequent puzzles are created by the client independently

  • Current solution becomes plaintext for the next puzzle



Puzzle Solution Chaining – cont’d

  • Client creates a chain of puzzles

  • The Puzzle Router reissues the puzzle challenge periodically



Probabilistic Verification

  • Probabilistic verification

    • Puzzle Routers verify incoming puzzles according to a given probability

    • Increases the performance and throughput of the Puzzle Routers
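The bootstrapping, chaining and probabilistic-verification steps of the last three slides, as an added example that is neither the deck's protocol nor ARIAS lab code. Everything beyond the slides is assumed: XTEA6 is taken to be XTEA cut down to 6 Feistel cycles (the deck does not say how it is truncated), three key words are bound to the plaintext with SHA-256 so the client cannot pick them, the search target is "low k ciphertext bits are zero" instead of a router-supplied ciphertext, and the chaining rule hashes the current plaintext and solution into the next plaintext. The Puzzle Router supplies only the bootstrap plaintext; the client then generates every later puzzle itself, and the router verifies links at random.

```python
"""Chained client puzzles on a truncated XTEA (illustrative construction).

Assumptions, not from the deck: XTEA6 = 6 cycles of XTEA; key words 0-2 are
derived from the plaintext with SHA-256 and word 3 carries the unknown bits;
a solution zeroes the low k ciphertext bits; the next plaintext is
SHA-256(plaintext || solution)[:8].
"""
import hashlib
import random

M32 = 0xFFFFFFFF
DELTA = 0x9E3779B9
XTEA6_CYCLES = 6          # assumption: "truncated XTEA" = 6 cycles instead of 32


def xtea_encrypt(block, key, cycles=XTEA6_CYCLES):
    """Standard XTEA round function on a 64-bit block with a 4-word key."""
    v0, v1 = block >> 32, block & M32
    s = 0
    for _ in range(cycles):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & M32
        s = (s + DELTA) & M32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & M32
    return (v0 << 32) | v1


def puzzle_key(plaintext, x):
    """Key words 0-2 are fixed by the plaintext; word 3 holds the searched bits x."""
    h = hashlib.sha256(plaintext.to_bytes(8, "big")).digest()
    return [int.from_bytes(h[i:i + 4], "big") for i in (0, 4, 8)] + [x & M32]


def is_solution(plaintext, x, k):
    """x solves the puzzle if the ciphertext's low k bits are zero (about 2^k trials)."""
    return xtea_encrypt(plaintext, puzzle_key(plaintext, x)) & ((1 << k) - 1) == 0


def solve(plaintext, k):
    """Exhaustive key search over the unknown word; the client's cost per puzzle."""
    for x in range(1 << 32):
        if is_solution(plaintext, x, k):
            return x
    raise RuntimeError("no solution in the key space")


def next_plaintext(plaintext, x):
    """Chaining rule: the current solution seeds the next puzzle's plaintext."""
    h = hashlib.sha256(plaintext.to_bytes(8, "big") + x.to_bytes(8, "big")).digest()
    return int.from_bytes(h[:8], "big")


def bootstrap():
    """Puzzle Router side: the only puzzle it issues is a fresh 64-bit plaintext."""
    return int.from_bytes(hashlib.sha256(random.Random(7).randbytes(32)).digest()[:8], "big")


def build_chain(p0, k, n):
    """Client side: solve n chained puzzles starting from the bootstrap plaintext."""
    sols, p = [], p0
    for _ in range(n):
        x = solve(p, k)
        sols.append(x)
        p = next_plaintext(p, x)
    return sols


def verify_chain(p0, sols, k, check_prob=1.0, rng=None):
    """Puzzle Router side: recompute the chain from p0 (cheap hashes) and run
    the XTEA check on each link only with probability check_prob."""
    rng = rng or random.Random(0)
    p = p0
    for x in sols:
        if rng.random() < check_prob and not is_solution(p, x, k):
            return False
        p = next_plaintext(p, x)
    return True


if __name__ == "__main__":
    p0, k = bootstrap(), 10
    chain = build_chain(p0, k, 5)
    print("solutions:", chain)
    print("full verification:", verify_chain(p0, chain, k))
```

A solver pays roughly 2^k XTEA6 encryptions per link while the router pays one per link it chooses to check, which is the asymmetry client puzzles rely on. Lowering check_prob raises router throughput but lets an unchecked bogus link pass, so the sampling rate is the knob the "probabilistic verification" slide refers to; the bootstrap plaintext stops a client from precomputing chains before the attack, and periodic reissue of the challenge bounds how long a precomputed chain stays valid.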


Simulation Results: NPSR

  • Normal Packet Survival Ratio (NPSR)

    • Percentage of legitimate packets that can make their way to the victim in the midst of a DDoS attack



Future Work

  • IP Traceback

    • Improve scalability

    • Better support of gradual deployment

    • Minimize the number of false positives

    • Support IP fragments

    • Support router degrees greater than 64

  • Client puzzle protocol

    • Specification of a Puzzle Router’s functions

    • Resolve protocol architecture issues

    • Counter puzzle protocol circumvention

    • Ensure fairness



Questions?


Conclusion

  • Last-hop traceback capability: a step closer to attack traceback

  • Support of gradual deployment: more realistic solution

  • Using the router port instead of the router as the atomic unit of traceback: fewer packets and less computational complexity for path reconstruction, finer granularity, and fewer false positives

  • Attack detection at the victim and packet filtering at the zombies’ border routers: the optimal location for each module


Backup



Limitation of Current Attack Mitigation Schemes

  • Problem

    • Conventional countermeasures attempt to detect and filter at the same location

  • Fact

    • Attack detection is easier closer to the victim, packet filtering is more effective closer to the attack source

  • Solution

    • Separate the two functions into separate modules, each placed where it works best


Attack Mitigation (Packet Filtering)

[Figure: attack detection and packet filtering modules placed at different points along the attack path]

  • Location of attack detection and packet filtering:

    • At the victim

    • In the network

    • At the attack source


Probabilistic Packet Marking (Basics)

  • Routers probabilistically mark packets with fragments of their IP addresses

  • The 16-bit Identification field in the IP header is used (the probability that a packet is an IP fragment is about 0.25%)

  • The victim collects the address fragments from many packets to reconstruct the attack path


Overhead of Packet Logging

For an OC-192 link:

  • TRACK: 50k destination IP address insertions or updates per second; 900 MB/hour of storage, upper-bounded by 20 GB

  • The scheme in [Snoe01]: 60 million hash operations per second; 44 GB of storage per hour, bounded by the maximum allowed traceback time

  • The scheme in [Li04]: 8 million hash operations per second; 5.2 GB of storage per hour, bounded by the maximum allowed traceback time


False Positive Analysis



Gradual Deployment

  • Neighbor-Discovery Handshake Protocol

  • Jump back to source during path reconstruction
