1 / 34

Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic. Presenter: Lei Wu March, 2009. Cheng Jin ( chengjin@cs.caltech.edu ) Haining Wang ( hnw@cs.wm.edu ) Kang G. Shin ( kgshin@eecs.umich.edu ) CCS’03, Oct, 2003, Washington, DC, USA. Outline. Background

Download Presentation

Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic Presenter: Lei Wu March, 2009 Cheng Jin (chengjin@cs.caltech.edu) Haining Wang (hnw@cs.wm.edu) Kang G. Shin (kgshin@eecs.umich.edu) CCS’03, Oct, 2003, Washington, DC, USA Presentation for CAP 6135

  2. Outline • Background • Mechanism and construction • Measurement • Conclusion Presentation for CAP 6135

  3. Outline • Background • Mechanism and construction • Measurement • Conclusion Presentation for CAP 6135

  4. Background • IP address spoofing • DDoS Attack • Two classes of defense approaches Presentation for CAP 6135

  5. IP address spoofing • In computer networking, the term IP address spoofing refers to the creation of IP packets with a forged (spoofed) source IP address with the purpose of concealing the identity of the sender or impersonating another computing system. Presentation for CAP 6135

  6. DDoS Attack • Distributed Denial Of Service (DDoS) Attack • DDoS attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. • DDoS attacks on root nameservers • October 21, 2002 • February 6, 2007 Presentation for CAP 6135

  7. Defense Approaches • Router-based • Making improvements to the routing infrastructure • Off-line analysis of flooding traffic or on-line filtering of DDoS traffic inside routers • Require not only router support , but also coordination among different routers and networks, and wide-spread deployment • Victim-based • Enhancing the resilience of Internet servers against attacks • Easy to deploy Presentation for CAP 6135

  8. Weakness of conventional victim-based methods • Protection based on sophisticated resource management schemes • No mechanism to detect and discard spoofed traffic • Could confine the scope of damage to the service under attack, but might not be able to sustain the availability of the service • Filtering spoofed traffic can help a lot • TTL field of the IP header • Assumption: attackers cannot sabotage routers to alter TTL values of IP packets that traverse them Presentation for CAP 6135

  9. Outline • Background • Mechanism and construction • Measurement • Conclusion Presentation for CAP 6135

  10. Mechanism and construction • Introduction • Construction of IP2HC mapping table • Hop-Count Computation • Inspection Algorithm • Two running states of HCF Presentation for CAP 6135

  11. Introduction • Basic idea of Hop-Count Filtering (HCF) • Building an accurate IP-to-hop-count (IP2HC) mapping table • Clustering address prefixes based on hop-count • Two running states Presentation for CAP 6135

  12. Construction of IP2HC mapping table • Objectives in building an HCP table • Accurate IP2HC mapping • Up-to-date IP2HC mapping • Moderate storage requirement • Two Issues • Clustering address prefixes based on hop-counts • 24-bits aggregation • Divide IP addresses with each 24-bit prefix into smaller clusters • A pollution-proof update procedure to capture legitimate hop-count changes while foiling attackers’ attempt to pollute HCF tables Presentation for CAP 6135

  13. Construction of IP2HC mapping table (cont) • An example of hop-count clustering Presentation for CAP 6135

  14. Construction of IP2HC mapping table (cont) • Accuracies of various filters Presentation for CAP 6135

  15. Construction of IP2HC mapping table (cont) • Sizes of various HCF tables Presentation for CAP 6135

  16. Construction of IP2HC mapping table (cont) • Pollution-Proof Initialization and Update • Initialization • Collect traces of its clients that contain both IP addresses and the corresponding TTL values • Period depends on its traffic-load • Update • HCF table should be updated only by those TCP connections in the established state • Provide a user-configurable parameter to adjust the frequency of update • Re-clustering is negligible Presentation for CAP 6135

  17. Hop-Count Computation • Time To Live (TTL) IP Header Presentation for CAP 6135

  18. Hop-Count Computation (cont) • The challenge is that a destination only sees the final TTL value when receiving a packet. • Most modern Oss use only a few selected initial TTL value • 30, 32, 60, 64, 128 and 255 • Few Internet hosts are apart by more than 30 hops • For example, if the final TTL value is 112, we can infer that its initial TTL value is 128 • What about the ambiguities {30, 32}, {60, 64}, and {32, 60}? • Compute a hop-count value for each of the possible initial TTL value, and accept the packet if there is a match with one of the possible hop-counts. Presentation for CAP 6135

  19. Inspection Algorithm Presentation for CAP 6135

  20. Two running states of HCF • HCF causes delay in the critical path of packet processing, it should not be active at all time • Two running states • Alert: detect the presence of spoofed packets • By default, HCF stays in alert state and monitors the trend of hop-count changes without discarding packets • Action: discard spoofed packets • Upon detection of a flux of spoofed packets, HCF switches to action state to examine each packet and discards spoofed IP packets Presentation for CAP 6135

  21. Two running states of HCF (cont) • Operations in two HCP states Presentation for CAP 6135

  22. Two running states of HCF (cont) • Extra benefits of two running states • Against Distributed Reflected Denial of Service (DRDoS) attack • Blocking Bandwidth Attacks Presentation for CAP 6135

  23. Outline • Background • Mechanism and construction • Measurement • Feasibility • Effectiveness • Resource Savings • Conclusion Presentation for CAP 6135

  24. Feasibility of HCF • The feasibility of HCF hinges on three factors • Stability of hop-counts • The Internet paths were found to be dominated by a few prevalent routes • About two thirds of the Internet paths studied were observed to have routes persisting for either days or weeks • Diversity of hop-count distribution • More standard deviation, more effective • Robustness against possible evasion • Without compromising, it is very difficulty to get the IP2HC mapping table for the whole random address space • Spoofing from compromised machines makes detection and removal much easier Presentation for CAP 6135

  25. Diversity of hop-count distribution • The largest percentage of IP addresses that have a common hop-count value is only 10% Presentation for CAP 6135

  26. Effectiveness of HCF • Simple Attacks: always using the default initial TTL value Presentation for CAP 6135

  27. Effectiveness of HCF (cont) • Sophisticated Attackers: randomly choose TTL value Presentation for CAP 6135

  28. Resource Savings • This part gives some practical skills to implement HCF, which reduces the resource consumption • Insert into Linux Kernel • Hash table for the organization of hop-count mapping • Please read the paper for details Presentation for CAP 6135

  29. Outline • Background • Mechanism and construction • Measurement • Conclusion • Contribution • Weakness • Improvement Presentation for CAP 6135

  30. Contribution • Propose a hop-count based filtering scheme that detects and discards spoofed IP packets to conserve system resources • Give some analytical measurement on feasibility and effectiveness • Give the details description on how to make the whole system perform efficient, and also give the evaluation Presentation for CAP 6135

  31. Weakness • TTL-based Hop-Count Computation • Assume that most OSs use only a few selected initial TTL values • The solution to the ambiguities {30, 32}, {60, 64}, and {32, 60} • No explicit way to assign and adjust values of parameters • Feasibility of HCF • No definitive claim of whether hop-count distributions are Gaussian or not • Effectiveness of HCF, Sophisticated Attackers • No analysis on multiple flooding source • No comparison with other methods • No consideration on more realistic and complex network environment Presentation for CAP 6135

  32. Improvement • Use some machine learning methods to assign and adjust values of parameters • Find out the distributions of hop-count • Give the analysis on multiple flooding source of the sophisticated attackers • Compare HCF with other methods • Consider more realistic and complex network environment Presentation for CAP 6135

  33. Extra References • http://en.wikipedia.org/wiki/Internet_Protocol • http://en.wikipedia.org/wiki/Distributed_Reflection_Denial_of_Service Presentation for CAP 6135

  34. Questions? Thank you! Presentation for CAP 6135

More Related