Defending against large scale distributed denial of service attacks
Defending against Large-Scale Distributed Denial-of-Service Attacks

Department of Electrical and Computer Engineering

Advanced Research in Information Assurance and Security (ARIAS) Lab

Virginia Tech

Jung-Min Park


Overview of DoS Attacks

  • What is a DoS attack?

    • An attack that disrupts network services to legitimate clients

  • Large-scale Distributed DoS (DDoS) attack of Feb. 2000

    • A DDoS attack took down Yahoo, eBay, and Amazon.com

    • Outage caused millions of dollars in lost revenue

  • Hundreds of attacks are observed each day

  • Global corporations lost over $1.39 trillion in revenue due to security breaches in 2000

    • Over 60% of that loss is attributed to viruses and DoS attacks (http://www.captusnetworks.com/BeenDoSd.pdf)

  • FBI reports indicate DoS attacks are on the rise

2


Taxonomy of DoS Attacks

  • Attacks that exploit system design weaknesses

    • Teardrop attack

    • Ping-of-death attack

    • Land attack

    • SYN flood attack

  • Attacks that exploit the weakness of particular protocols

    • Attacks against authentication protocols

    • Attacks against key agreement protocols

  • Attacks that exploit the asymmetry between “line rate” and throughput of hosts and routers

    • Flooding-based DDoS attacks

3


Flooding-based DDoS Attacks

  • Exploit the asymmetry between “line rate” and the throughput of hosts and routers

  • A large volume of packets is sent toward a victim

  • Consumes bandwidth and processing power of the victim

  • DDoS attacks utilize attack handlers and zombies to hide the identity of the real attacker

4


Lines of Defense Against DDoS Attacks

  • Prevention and preemption (before the attack)

    • Apply software patches

    • SYN cookies, client puzzles

    • Design DoS-attack-resistant systems

    • Overlay networks

  • Detection (during the attack)

    • Signature (misuse) detection

    • Anomaly detection

  • Mitigation and filtering (during the attack)

    • Client puzzles

    • Aggregate filtering, pushback

    • Overlay networks

  • Attack source traceback and identification (during and after the attack)

    • IP traceback: packet marking

    • IP traceback: packet logging

    • “Attack traceback”

5


TRACK: A New Approach to IP Traceback


The IP Traceback Problem

(Figure: attack detection at the victim; traceback to the zombie’s border router.)

IP traceback strategies:

  • Probabilistic Packet Marking (PPM)

  • Packet Logging

7


Limitations of Current IP Traceback Schemes

  • Do not support last-hop traceback

  • Packet logging schemes

    • Significant computation overhead on routers

    • Significant storage overhead on routers

  • Packet marking

    • Not scalable: the complexity of the path reconstruction process increases rapidly as the number of attackers increases

    • Large number of packets need to be collected

8


rouTer poRt mArking and paCKet filtering (TRACK)

(Figure: attack detection at the victim; router port marking for traceback; packet filtering at the border router of the zombies.)

  • Objective:

    • Reduce computation complexity of path reconstruction

    • Reduce number of packets that need to be collected

    • Support last-hop traceback

    • Support gradual deployment

    • Filter attack traffic using traceback information

9


Basic Principles of TRACK

A string composed of locally-unique router interface port numbers is a globally unique identifier of a path.

10


Marking Traceback Information in the IP Header

11


Router Port Marking Procedure

(Figure: marking fields carried in the IP header: Marking Flag (MKF), Port Number (PN), XOR, Distance; Distance holds the last 5 bits of the TTL.)

Active Port Marking Mode (APMM), entered with probability p:

  • Marking Flag ← 1; Port Number ← the router’s ingress port number; XOR ← Port Number; Distance ← last 5 bits of the TTL

Passive Port Marking Mode (PPMM), entered with probability 1 – p:

  • If Marking Flag = 1: XOR ← XOR ⊕ Port Number (Port Number and Distance are left as marked)

12


Path Reconstruction Process of TRACK

  • Objective

    • Recover the port number sequence of an attack path and convert it into a sequence of router IP addresses

  • Approach

    • Distribute the path reconstruction process among the victim’s upstream routers (victim → attacker’s border router) (similar to Pushback)

    • Employ a trace table and trace packets

    • Use the same information to filter attack traffic at the border router of the attacker

  • Computational complexity: O(N²)

13


Path Reconstruction Process of TRACK

Assume C3 is sending packets to V; M is in APMM; F, B, and A are in PPMM.

Mark written at M: MKF = 1, XOR = PN = 18, Distance = TTL5 (254) = 30

Mark received at V: MKF = 1, PN = 18, Distance = 30, TTL5 = 27, XOR = 10 (= 18 ⊕ 47 ⊕ 34 ⊕ 21)

d = 30 – 27 = 3


Path Reconstruction Process of TRACK

d = Distance – TTL5

XOR(d+1) ⊕ PN(d+1) = XOR(d)

C3’s path: 21-34-47-18

15
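The marking procedure and the reconstruction walk-through on the slides above, as an added example that is not part of the original presentation or the authors’ code. It simulates the two marking modes, rebuilds port sequences from the collected marks with the chaining rule XOR(d+1) ⊕ PN(d+1) = XOR(d), and goes beyond the slides’ single-zombie case by reconstructing two zombies at once (C3 on the slides’ path plus a constructed second zombie C4 that shares the B-A tail). The field widths (6-bit port, 5-bit distance), the initial TTL of 255, the decrement-then-mark order (chosen so that M sees TTL 254 as on the slide), the TOPOLOGY table, and the router names are assumptions.

```python
"""TRACK-style router port marking and path reconstruction, simulated end to end."""
import random

TTL_MASK = 0x1F    # Distance field = last 5 bits of the TTL at the marking router
PORT_MASK = 0x3F   # 6-bit port numbers (router degree <= 64), per the slides


def fresh_packet(ttl=255):
    """A packet as emitted by a zombie host: TTL set, no mark yet (TTL is assumed)."""
    return {"ttl": ttl, "mkf": 0, "pn": 0, "xor": 0, "dist": 0}


def forward(pkt, port, active):
    """One router hop: decrement the TTL, then mark with the ingress port number.
    active=True : Active Port Marking Mode (APMM), start a fresh mark.
    active=False: Passive Port Marking Mode (PPMM), fold the port into XOR
                  only if the packet already carries a mark."""
    pkt["ttl"] -= 1
    port &= PORT_MASK
    if active:
        pkt["mkf"], pkt["pn"], pkt["xor"] = 1, port, port
        pkt["dist"] = pkt["ttl"] & TTL_MASK
    elif pkt["mkf"]:
        pkt["xor"] ^= port
    return pkt


def exhaustive_marks(path):
    """One packet per router on `path` (ingress ports, attacker side first), with
    exactly that router in APMM: the minimal mark set the victim needs."""
    marks = []
    for marker in range(len(path)):
        pkt = fresh_packet()
        for hop, port in enumerate(path):
            forward(pkt, port, hop == marker)
        marks.append(pkt)
    return marks


def random_marks(paths, n, p, rng):
    """n packets per path; every router picks APMM independently with probability p."""
    marks = []
    for path in paths:
        for _ in range(n):
            pkt = fresh_packet()
            for port in path:
                forward(pkt, port, rng.random() < p)
            if pkt["mkf"]:
                marks.append(pkt)
    return marks


def reconstruct(marks):
    """Rebuild port sequences (victim side first) from marked packets.
    d = Distance - TTL5 (mod 32) is the hop count since the marking router; a
    level-(d+1) mark chains to a level-d mark iff XOR(d+1) ^ PN(d+1) == XOR(d)."""
    by_d = {}
    for m in marks:
        if not m["mkf"]:
            continue
        d = (m["dist"] - (m["ttl"] & TTL_MASK)) & TTL_MASK
        by_d.setdefault(d, set()).add((m["pn"], m["xor"]))
    # Level-0 marks were written by the victim's own border router, so XOR == PN.
    paths = {(pn,): xor for pn, xor in by_d.get(0, ()) if pn == xor}
    complete, d = [], 0
    while paths:
        nxt = {}
        for ports, xor_d in paths.items():
            ext = [(pn, x) for pn, x in by_d.get(d + 1, ()) if x ^ pn == xor_d]
            if not ext:                     # no upstream mark chains on: path ends here
                complete.append(ports)
            for pn, x in ext:
                nxt[ports + (pn,)] = x
        paths, d = nxt, d + 1
    return sorted(complete)


# Constructed topology for the slides' example: (router, ingress port) -> the
# neighbour reached through that port, walking away from the victim V.
TOPOLOGY = {("A", 21): "B", ("B", 34): "F", ("F", 47): "M", ("M", 18): "C3",
            ("F", 12): "N", ("N", 5): "C4"}


def ports_to_routers(ports, border="A"):
    """Turn a port sequence into router names; a local stand-in for the trace
    table the slides distribute across the victim's upstream routers."""
    hops = [border]
    for pn in ports:
        hops.append(TOPOLOGY[(hops[-1], pn)])
    return hops


C3_PATH = [18, 47, 34, 21]   # C3 -> M(18) -> F(47) -> B(34) -> A(21) -> V (the slides' path)
C4_PATH = [5, 12, 34, 21]    # constructed second zombie sharing the B-A tail

if __name__ == "__main__":
    print(reconstruct(exhaustive_marks(C3_PATH)))
    marks = random_marks([C3_PATH, C4_PATH], 2000, 0.04, random.Random(1))
    for ports in reconstruct(marks):
        print(ports, "->", " - ".join(ports_to_routers(ports)))
```

With M in APMM, the packet arrives at V with Distance 30, TTL5 27 and XOR 18 ⊕ 47 ⊕ 34 ⊕ 21 = 10, so d = 3, matching the slide; the Monte-Carlo run shows why p matters: a router's mark survives only if no downstream router re-marks, so a router i hops from the victim contributes marks at rate p(1 – p)^i and the victim needs roughly 1/(p(1 – p)^i) packets before its level is populated. Note also that the chaining check only needs the 6-bit XOR field to agree, so two genuinely distinct upstream branches can still collide with probability about 1/64 per level, which is the source of the residual false positives the later slides measure.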


Number of Packets Needed for Path Reconstruction

(Plot: number of packets needed for path reconstruction, for p = 0.01 and p = 0.04.)


False Positive Rate

(Plots: false positive rate on the Skitter Internet map and on a complete tree topology model.)


Gradual Deployment

(Plots: gradual deployment results on the Skitter Internet map and on a complete tree topology model.)


Chained Puzzles: A Novel Approach to IP-Layer Puzzles


Client Puzzle Protocols

  • A technique for mitigating DoS attacks that does not rely on distinguishing attack traffic from legitimate client traffic

  • Puzzles are typically based on moderately hard problems from cryptosystems

    • Partial inversion of a hash function

    • Exhaustive key search in a symmetric (private-key) cryptosystem

20


Basic Principles of Chained Puzzles

  • Puzzle algorithm: Exhaustive key search of XTEA6

    • XTEA6: Truncated version of the XTEA encryption algorithm

  • Puzzle Routers

    • Puzzle distribution and verification is performed by the “first-hop” border router called a Puzzle Router

    • Puzzles are enabled by downstream Puzzle Routers

21


Message Exchange Between Puzzle Routers

  • Downstream Puzzle Routers enable puzzles at the upstream Puzzle Routers

22


Optimal Location for Detection and Mitigation

Detection: DDoS attacks are detected easily near the server or the main victim of the attack (packet loss, heavy congestion, etc.)

Mitigation: Preventing or mitigating an attack is best performed as close to the source of the attack as possible

23


Puzzle Distribution

  • How do we distribute puzzles?

    • Easy in TCP: the puzzle can ride on the 3-way handshake

  • IP is connectionless, but a client puzzle protocol is connection-oriented:

    • Client asks for a puzzle

    • Server sends the puzzle to the client

    • Client solves the puzzle, sends the solution back to the server

  • Solution

    • Puzzle solution chaining

24


Puzzle Solution Chaining

  • When puzzles are enabled, a “bootstrapping” procedure is needed to create the first puzzle

  • Subsequent puzzles are created by the client independently

  • Current solution becomes plaintext for the next puzzle

25


Puzzle Solution Chaining – cont’d

  • Client creates a chain of puzzles

  • The Puzzle Router reissues the puzzle challenge periodically

26


Probabilistic Verification

  • Probabilistic verification

    • Puzzle Routers verify incoming puzzle solutions according to a given probability

    • Increases performance and throughput of the Puzzle Routers

27


Simulation Results: NPSR

  • Normal Packet Survival Ratio (NPSR)

    • Percentage of legitimate packets that can make their way to the victim in the midst of a DDoS attack

28


Future Work

  • IP Traceback

    • Improve scalability

    • Better support of gradual deployment

    • Minimize the number of false positives

    • Support IP fragments

    • Support router degrees greater than 64

  • Client puzzle protocol

    • Specification of a Puzzle Router’s functions

    • Resolve protocol architecture issues

    • Counter puzzle protocol circumvention

    • Ensure fairness

29


Questions?


Conclusion

  • Last-hop traceback capability: a step closer to attack traceback

  • Support of gradual deployment: a more realistic solution

  • Using the router port instead of the router as the atomic unit for traceback: fewer packets and less computational complexity for path reconstruction, finer granularity, and fewer false positives

  • Attack detection at the victim and packet filtering at the zombies’ border routers: the optimal location for each module

31


Backup Slides

32




Limitation of Current Attack Mitigation Schemes

  • Problem

    • Conventional countermeasures attempt to detect and filter at the same location

  • Fact

    • Attack detection is easier closer to the victim, packet filtering is more effective closer to the attack source

  • Solution

    • Separate the two functions in separate modules

34


Attack Mitigation (Packet Filtering)

(Figure: attack detection and packet filtering placed at different points along the attack path.)

  • Location of attack detection and packet filtering:

    • At the victim

    • In the network

    • At the attack source

35


Probabilistic Packet Marking (Basics)

  • Routers probabilistically mark packets with fragments of their IP addresses

  • The Identification field in the IP header is used (only about 0.25% of packets are IP fragments, so overloading the field rarely interferes)

  • The victim collects address fragments from many packets to reconstruct the attack path

36


Overhead of Packet Logging

For an OC-192 link:

  • TRACK: 50k destination IP address insertions or updates per second; 900 MB of storage per hour, upper-bounded by 20 GB

  • The scheme in [Snoe01]: 60 million hash operations per second; 44 GB of storage per hour, bounded by the maximum allowed traceback time

  • The scheme in [Li04]: 8 million hash operations per second; 5.2 GB of storage per hour, bounded by the maximum allowed traceback time

37


False Positive Analysis

38


Gradual Deployment

  • Neighbor-Discovery Handshake Protocol

  • Jump back to source during path reconstruction

39

