
An Adaptable Inter-Domain Infrastructure Against DoS Attacks

Georgios Koutepas, National Technical University of Athens, Greece. SSGRR 2003w, January 10, 2003.


Presentation Transcript


  1. An Adaptable Inter-Domain Infrastructure Against DoS Attacks
  Georgios Koutepas, National Technical University of Athens, Greece
  SSGRR 2003w, January 10, 2003

  2. What is "Denial of Service"?
  • An attack to suspend the availability of a service
  • Until recently the "bad guys" tried to enter our systems. Now it's: "If not us, then Nobody"
  • No break-in attempts, no information stealing, although they can be combined with other attacks to confuse Intrusion Detection Systems
  • No easy solutions! DoS is still mostly a research issue
  Adaptable Inter-Domain Infrastructure Against DoS Attacks, SSGRRw 2003

  3. Main Characteristics of DoS
  • Variable targets:
    • Single hosts or whole domains
    • Computer systems or networks
  • Important: active network components (e.g. routers) are also vulnerable and possible targets!
  • Variable uses & effects:
    • Hacker "turf" wars
    • High profile commercial targets (or just competitors…)
    • Useful in cyber-warfare, terrorism etc…

  4. Brief History
  First Phase (starting in the '90s): Single System DoS
  • Started as bug/vulnerability exploitation
  • The targets are single hosts - single services
  • A single malicious packet is often enough
  Second Phase (1996-2000): Resource Consuming DoS
  • Resource consuming requests from many sources
  • Internet infrastructure used for attack amplification
  Third Phase (after 2000): Distributed DoS
  • Bandwidth of network connections is the main target
  • Use of many pirated machines, possibly in several attack stages, with an escalating effect that saturates the victim(s)

  5. Brief History (cont.)
  Important Events:
  • February 7-11 2000: Big commercial sites (CNN, Yahoo, E-Bay) are taken down by flooding of their networks
    • The attacks capture the attention of the media
    • The US President assembles an emergency council of members of Internet and e-commerce companies, civil liberties organizations, and security experts to jointly announce actions strengthening Internet and computer network security
  • January 2002: The British ISP CloudNine suspends operations because of continuous interruption in Internet connectivity

  6. Distributed DoS (diagram): Attacker X (1) takes control of pirated machines ("zombies") in Domain A and Domain B, then (2) commands the attack against the Target domain.

  7. A DDoS Attack Domain-wise (diagram): Sources of the attack, Attack Transit Domains (innocent domains, but their connectivity is affected), Target Domain.

  8. DDoS Facts
  • Some hundred persistent flows are enough to knock a large network off the Internet
  • Incoming traffic has to be controlled outside the victim's domain, at the upstream providers
  • Source IPs are usually spoofed on attack packets
  • Offending systems may be controlled without their users suspecting it
  • Possibly many levels of command & control:
    • Attacker-Manager-Agents
  • Examples of automatic tools for such attacks: "Trinoo", "Stacheldraht", and "TFN2K", also called rootkits

  9. Multi-tier attack (diagram): Attacker X controls Attack Masters, which control Attack Agents ("zombies") that flood the Target domain.

  10. Reflection DDoS Attack (diagram): Attacker X, through an Attack Master, has the "zombies" send legitimate TCP SYN requests to web or other servers; the servers' TCP SYN-ACK answers are routed to the Target domain.

  11. Reaction to DDoS
  • The malicious flows have to be determined. Timely reaction is critical!
  • The attack characteristics have to be communicated (in any way possible) upstream. This usually has to be done manually and is an uncertain and time-consuming procedure
  • Filters that block the attack traffic must be set up and maintained. Their effectiveness must be verified
  • The bandwidth penalty is still present throughout all the affected networks. Actions are required on all the networks along the attack path
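Slides 8 and 11 state that the malicious flows have to be determined, that hundreds of sources with spoofed addresses are typically involved, and slide 21 mentions a NetFlow-based detection engine. The following is an added Python example, not code from the presentation or from the prototype it describes, of what such a flow-based first cut can look like: per-destination statistics over constructed NetFlow-style records, flagging hosts that receive single-packet flows from very many distinct sources or from source addresses that cannot legitimately appear on a border link. The FlowRecord shape, the bogon list, and all thresholds are assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class FlowRecord:
    """One NetFlow-style record (constructed shape, not a real export format)."""
    src: str
    dst: str
    dst_port: int
    packets: int
    octets: int


# Source ranges that should never arrive on an Internet-facing border link;
# flows claiming them are a strong spoofing indicator. Assumption: the
# monitored link is external, so private (RFC 1918) sources are unexpected.
BOGONS = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

TINY_PACKETS = 1  # a flow of <= this many packets is "hit-and-run" traffic


def is_bogon(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in BOGONS)


def summarise(flows):
    """Per-destination statistics: distinct sources, share of one-packet
    flows, share of bogon sources, and the most-hit port."""
    per_dst = defaultdict(list)
    for f in flows:
        per_dst[f.dst].append(f)
    out = {}
    for dst, recs in per_dst.items():
        n = len(recs)
        ports = Counter(f.dst_port for f in recs)
        out[dst] = {
            "flows": n,
            "sources": len({f.src for f in recs}),
            "tiny_fraction": sum(f.packets <= TINY_PACKETS for f in recs) / n,
            "bogon_fraction": sum(is_bogon(f.src) for f in recs) / n,
            "top_port": ports.most_common(1)[0][0],
        }
    return out


def detect(flows, min_sources=100, tiny_fraction=0.5, bogon_fraction=0.1):
    """Return only the destinations whose inbound traffic looks like a
    distributed flood. The thresholds are hypothetical tuning knobs."""
    return {
        dst: s for dst, s in summarise(flows).items()
        if s["sources"] >= min_sources
        and (s["tiny_fraction"] >= tiny_fraction
             or s["bogon_fraction"] >= bogon_fraction)
    }


def build_sample_flows():
    """Constructed sample: one server under a spoofed flood plus normal traffic."""
    flows = []
    # Legitimate, long-lived sessions from 20 clients to the web server.
    for i in range(20):
        flows.append(FlowRecord(f"203.0.113.{i + 1}", "198.51.100.10", 443, 120, 90_000))
    # 300 single-packet flows from 300 distinct claimed sources; every fifth
    # one uses a private 10/8 address, i.e. an obviously forged source.
    for i in range(300):
        if i % 5 == 0:
            src = f"10.0.{i // 16}.{i % 16}"
        else:
            src = f"{100 + i % 20}.{i % 251}.{i % 241}.{i % 239}"
        flows.append(FlowRecord(src, "198.51.100.10", 80, 1, 40))
    # A second host that only sees ordinary mail traffic from 5 peers.
    for i in range(5):
        flows.append(FlowRecord(f"192.0.2.{i + 1}", "198.51.100.20", 25, 30, 12_000))
    return flows


if __name__ == "__main__":
    for dst, s in detect(build_sample_flows()).items():
        print(f"flood towards {dst}: {s['sources']} sources, {s['flows']} flows, "
              f"{s['tiny_fraction']:.0%} single-packet, "
              f"{s['bogon_fraction']:.0%} bogon sources, port {s['top_port']}")
```

The summary that `detect` returns (target, port, source count, spoofing indicator) is the kind of "attack characteristics" the slides say must travel upstream; the point of computing it from flow records rather than from packet captures is that it is cheap enough to run continuously at the border, which is what makes a timely reaction possible.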

  12. Reaction to DDoS (cont.)
  • Another possible solution (helps the ISP): stop all traffic to the target, direct it to a central point and discard it. This completes the attack!
  • Trace-back efforts:
    • Following the routing (if sources are not spoofed)
    • Step by step through ISPs. Difficult to convince them if they are not concerned about the bandwidth penalty
  • Conclusion: it's not a matter of a single site

  13. Our Solution: Inter-Domain Cooperative IDS Entities

  14. Inter-Domain Cooperative IDS Entities (diagram): a Cooperative IDS Entity in each Participating Domain, Non-participating Domains in between, Notification Propagation (Multicast) between the Entities, activation of filters and reaction according to local Policies. The Cooperative IDS Entities constitute an Overlay Network.

  15. Main Design Characteristics: Architecture
  • Unit of reaction to the attack: each administrative domain
  • Requires agreement between domains, but this is not difficult since they preserve their independence
  • Actions along the attack path in as many networks as possible
  • Minimizing the bandwidth loss not only at the victim but at each step of the attack. Non-malicious traffic then has better chances to get through

  16. The Entities
  • The Entities compose the infrastructure
  • They are the trusted points for the domain
  • They manage all communications and reaction within the domain, aimed at stopping an on-going attack
  • Communications by multicast methods
  • They are at the top of the local IDS hierarchy, so they combine the local picture with the one from peers
  • They are controlled locally according to the choices and policies of the administrator
  • They can implement reaction filters on routers, BUT:
    • Their duration is controlled, the admin is aware of them and it's possible to adjust to shifting attack patterns

  17. Main Design Characteristics: Entity Implementation
  • Lightweight and modular software architecture, different components performing the various tasks
  • Java Management Extensions (JMX) framework for control and configuration
  • Using the Intrusion Detection Message Exchange Format (IDMEF) in all messages achieves compatibility with standards and inter-operability with installed IDS infrastructure
  • Multicast advantages:
    • Independence from specific installation host
    • Stealthy presence
    • Possible parallel operation of backup Entities

  18. Main Design Characteristics: Internal Entity Architecture (diagram of components): JMX Infrastructure; Management Console (Configuration, Event Info); Analysis Unit with Response Policies; Response Unit; Communication Unit (Alerts and Heartbeats to/from Peer Entities, Transcription); Filtering Unit (Local Network Components); Local Notifications.

  19. What happens during an Attack (diagram with Hot-spare Entities, a Non-participating Domain and the Cooperative IDS Entities)
  (1) The attack may be detected in many places at the same time with the help of local IDS
  (2) The alerted Entities notify all other ones in their community, using multicast
  (3) Some of them may determine that they are not on the attack path
  (4) The rest automatically set up filters to suppress the attack
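The four steps above, together with the IDMEF messages of slide 17 and the controlled filter duration of slide 16, can be shown as one small simulation. This is an added Python example, not the prototype's code: it parses a constructed IDMEF alert (shaped after RFC 4765), lets an Entity decide whether it is on the attack path by checking whether it currently forwards traffic towards the target, installs a filter with an expiry time and an admin-visible log entry if it is, and expires that filter later. The Entity and Filter classes, the forwarded_rate table and the 600-second TTL are assumptions.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

NS = "{http://iana.org/idmef}"

# Constructed IDMEF alert (shape after RFC 4765) as received from a peer Entity.
SAMPLE_ALERT = """<IDMEF-Message version="1.0" xmlns="http://iana.org/idmef">
 <Alert messageid="entityA-0001">
  <Analyzer analyzerid="entity-domainA"/>
  <CreateTime ntpstamp="0xbc723b45.0xef449129">2003-01-10T09:15:00Z</CreateTime>
  <Source spoofed="yes"><Node><Address category="ipv4-net-mask">
   <address>10.0.0.0</address><netmask>255.0.0.0</netmask></Address></Node></Source>
  <Target><Node><Address category="ipv4-addr"><address>198.51.100.10</address></Address></Node>
   <Service><port>80</port></Service></Target>
  <Classification text="Distributed SYN flood"/>
 </Alert>
</IDMEF-Message>"""


@dataclass(frozen=True)
class AttackNotice:
    message_id: str
    reporter: str
    target: str
    port: Optional[int]
    sources: tuple      # claimed source prefixes (CIDR strings)
    spoofed: bool       # the reporter believes the sources are forged


def parse_idmef(xml_text: str) -> AttackNotice:
    """Pull the fields an Entity needs out of an IDMEF Alert."""
    alert = ET.fromstring(xml_text).find(NS + "Alert")
    target = alert.find(NS + "Target")
    port_el = target.find(f"{NS}Service/{NS}port")
    sources, spoofed = [], False
    for src in alert.findall(NS + "Source"):
        spoofed = spoofed or src.get("spoofed") == "yes"
        addr = src.find(f"{NS}Node/{NS}Address")
        mask = addr.find(NS + "netmask")
        ip = addr.find(NS + "address").text
        sources.append(str(ip_network(f"{ip}/{mask.text}" if mask is not None else ip, strict=False)))
    return AttackNotice(
        message_id=alert.get("messageid"),
        reporter=alert.find(NS + "Analyzer").get("analyzerid"),
        target=target.find(f"{NS}Node/{NS}Address/{NS}address").text,
        port=int(port_el.text) if port_el is not None else None,
        sources=tuple(sources), spoofed=spoofed)


@dataclass
class Filter:
    target: str
    port: Optional[int]
    sources: tuple       # empty tuple = any source (used when sources are spoofed)
    expires_at: float
    origin: str          # message id that justified the filter, for the admin


class Entity:
    """One domain's Cooperative IDS Entity (simplified, hypothetical model)."""

    def __init__(self, name: str, forwarded_rate: dict, filter_ttl: float = 600.0):
        self.name = name
        # Stand-in for the domain's own flow data: packets/s currently
        # forwarded towards each destination (constructed input).
        self.forwarded_rate = forwarded_rate
        self.filter_ttl = filter_ttl
        self.filters: list = []
        self.log: list = []

    def on_attack_path(self, target: str) -> bool:
        # Only a domain that carries traffic for the target can help suppress it.
        return self.forwarded_rate.get(target, 0) > 0

    def handle(self, notice: AttackNotice, now: float) -> Optional[Filter]:
        if not self.on_attack_path(notice.target):
            self.log.append(f"{self.name}: {notice.message_id} from {notice.reporter}: "
                            f"no traffic towards {notice.target}, no action")
            return None
        # Spoofed sources are useless as a filter key, so match on the target only.
        match = () if notice.spoofed else notice.sources
        flt = Filter(notice.target, notice.port, match, now + self.filter_ttl, notice.message_id)
        self.filters.append(flt)
        self.log.append(f"{self.name}: filter dst={flt.target}:{flt.port} src={match or 'any'} "
                        f"until t={flt.expires_at:.0f} (reason {flt.origin})")
        return flt

    def expire_filters(self, now: float) -> list:
        """Drop filters whose time is up; no rule outlives its TTL silently."""
        expired = [f for f in self.filters if f.expires_at <= now]
        self.filters = [f for f in self.filters if f.expires_at > now]
        for f in expired:
            self.log.append(f"{self.name}: filter for {f.target} expired (reason {f.origin})")
        return expired


def simulate() -> dict:
    """Constructed scenario: a transit Entity and a bystander receive the same alert."""
    notice = parse_idmef(SAMPLE_ALERT)
    transit = Entity("entity-transit", {"198.51.100.10": 40_000})
    bystander = Entity("entity-bystander", {"198.51.100.99": 300})
    t0 = 1000.0
    installed = transit.handle(notice, t0) is not None
    ignored = bystander.handle(notice, t0) is None
    transit.expire_filters(t0 + 300)
    active_after_5min = len(transit.filters)
    transit.expire_filters(t0 + 601)
    return {"transit_installed": installed, "bystander_ignored": ignored,
            "active_after_5min": active_after_5min, "active_after_ttl": len(transit.filters),
            "log": transit.log + bystander.log}


if __name__ == "__main__":
    for line in simulate()["log"]:
        print(line)
```

Two design points carry over from the slides: the filter is keyed on the target when the reported sources are marked spoofed, because a source-based rule would block nothing useful, and every installed rule carries the message id that justified it plus an expiry, so the administrator can see why a rule exists and the rule disappears on its own once the attack pattern shifts.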

  20. Additional Concepts
  • It is possible to create "communities" of entities and distribute the notifications only within them. Only events spanning two communities are let through, thus limiting traffic and notification overhead
  • Thanks to multicast, the communities can be set up either:
    • Geographically (by the TTL on the packets)
    • According to common interests etc. (by different groups)
  • Security
    • The messages are encrypted against eavesdropping, BUT by symmetric cryptography
    • Additionally there are timestamps and digital signatures on the messages to avoid replay (repetition) attacks
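The timestamp-plus-signature protection against replay in the bullets above, restricted to one community, is shown in the following added Python example (not the presentation's code). It uses an HMAC over the message fields as a stand-in for the digital signature so that it runs with the standard library alone, and leaves message encryption out. The Envelope fields, the 30-second freshness window and the seen-id cache are assumptions.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import asdict, dataclass, replace

MAX_SKEW = 30.0  # seconds: a notification older or newer than this is rejected


@dataclass(frozen=True)
class Envelope:
    """A community notification as it travels over the multicast group."""
    community: str
    sender: str
    msg_id: str       # fresh random id, so two alerts with equal content still differ
    timestamp: float
    payload: str      # e.g. the IDMEF alert text
    mac: str = ""     # authentication tag over all other fields


def _signed_bytes(env: Envelope) -> bytes:
    fields = asdict(env)
    fields.pop("mac")
    # canonical JSON so sender and receiver authenticate exactly the same bytes
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def seal(key: bytes, community: str, sender: str, payload: str, now: float) -> Envelope:
    """Sender side: stamp, number and authenticate a message."""
    env = Envelope(community, sender, secrets.token_hex(8), now, payload)
    return replace(env, mac=hmac.new(key, _signed_bytes(env), hashlib.sha256).hexdigest())


class Receiver:
    """Receiver side of one Entity: community check, freshness, tag, replay."""

    def __init__(self, key: bytes, communities):
        self.key = key
        self.communities = set(communities)
        self.seen = {}  # msg_id -> timestamp, kept only for the freshness window

    def accept(self, env: Envelope, now: float):
        if env.community not in self.communities:
            return False, "not our community"
        if abs(now - env.timestamp) > MAX_SKEW:
            return False, "stale or future timestamp"
        expected = hmac.new(self.key, _signed_bytes(env), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, env.mac):
            return False, "bad signature"
        # Only authenticated ids enter the cache, so a forger cannot fill it up;
        # entries outside the freshness window are dropped because a replay that
        # old is already caught by the timestamp check above.
        self.seen = {m: t for m, t in self.seen.items() if now - t <= MAX_SKEW}
        if env.msg_id in self.seen:
            return False, "replay"
        self.seen[env.msg_id] = env.timestamp
        return True, "accepted"


def simulate() -> dict:
    """Constructed scenario: one honest message, then the ways it can be abused."""
    key = secrets.token_bytes(32)   # community key, assumed shared out of band
    rx = Receiver(key, {"gr-academic"})
    now = 1_042_000_000.0
    env = seal(key, "gr-academic", "entity-A", '{"target":"198.51.100.10"}', now)
    outcomes = {
        "first": rx.accept(env, now + 1),
        "replay": rx.accept(env, now + 2),
        "tampered": rx.accept(replace(env, payload='{"target":"198.51.100.11"}'), now + 2),
        "stale": rx.accept(seal(key, "gr-academic", "entity-A", "x", now - 600), now),
        "foreign": rx.accept(seal(key, "other-community", "entity-Z", "x", now), now),
        "wrong_key": rx.accept(seal(b"not the community key", "gr-academic", "entity-A", "x", now), now),
    }
    return {name: verdict for name, (_, verdict) in outcomes.items()}


if __name__ == "__main__":
    for name, verdict in simulate().items():
        print(f"{name:>9}: {verdict}")
```

The order of the checks matters: the cheap community and timestamp tests run before the tag is verified, and the replay cache is only updated after a message has authenticated, so an outsider cannot flood the cache or evict honest entries. The timestamp bounds how long the cache has to remember an id, which keeps memory constant no matter how long an attack lasts.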

  21. Current Status
  • Currently developing a prototype
  • Linking with a Panoptis / Netflow detection engine
  • Plans to deploy it in the Greek Academic Network
  • Testing the effectiveness of a peer-2-peer communications scheme in addition to multicast
  • Developing the Hot-Spare concepts

  22. Questions and Answers
