
Pi: A Path Identification Mechanism to Defend Against DDoS Attacks

Pi: A Path Identification Mechanism to Defend Against DDoS Attacks. Abraham Yaar, Adrian Perrig, Dawn Song Carnegie Mellon University {ayaar, perrig, dawnsong}@cmu.edu Presented and Edited by Yongdae Kim. Outline. DDoS Attack/Defense Review Goals/Main Idea Pi Marking Pi Filtering


Presentation Transcript


  1. Pi: A Path Identification Mechanism to Defend Against DDoS Attacks Abraham Yaar, Adrian Perrig, Dawn Song Carnegie Mellon University {ayaar, perrig, dawnsong}@cmu.edu Presented and Edited by Yongdae Kim

  2. Outline • DDoS Attack/Defense Review • Goals/Main Idea • Pi Marking • Pi Filtering • Experimental Results • Discussion • Conclusion

  3. DDoS Review • Attackers compromise network hosts, flood victim with packets • Overload packet processing capacity • Saturate network bandwidth • Spoofed source IP addresses evade network filters • Figure: attackers A and users U send packets through routers RA, RB, RC, RX, RY, RZ toward the victim

  4. RFC 3514 • Security flag in IP header • By Steven Bellovin • Attackers must set evil bit in malicious packets • Receivers can filter out evil packets • Challenge: deployment • April fools joke • Pi achieves similar property!

  5. IP Traceback Defense • Victim reconstructs attack tree from address fragments • Disadvantages: • Slow reconstruction • Multi-path reconstruction • Assumes upstream ISP collaboration • Figure: routers RA, RB, RC, RX, RY, RZ forward address fragments from attackers A and users U to the victim, which reassembles them into a tree

  6. Other Strategies • Source Path Isolation Engine (SPIE) • Routers store packet hashes, recursive query to reconstruct path • Disadvantage • Per-packet state at routers • Pushback Framework • Routers identify attack packet characteristics, install upstream filter • Disadvantage • Difficult to distinguish attack/user packets

  7. Outline • DDoS Attack/Defense Review • Goals/Main Idea • Pi Marking • Pi Filtering • Experimental Results • Discussion • Conclusion

  8. Goals – Ideal DDoS Defense • Fast • Defense after single attack packet • Victim filters traffic • No dependency on upstream ISPs • Overhead • Minimal computation/state at routers and victims • Interoperability • Supports IP Fragmentation • Incrementally deployable • Additional deployment increases performance

  9. Main Idea (slides 9 to 12 are animation steps of this slide) • Path “fingerprints” • Entire fingerprint in each packet • Incrementally constructed by routers along path • Victim rejects packets with attacker fingerprints (Pi-marks) • Figure: routers RA, RB, RC, RX, RY, RZ each push their mark into packets from attackers A and users U; the victim compares arriving marks against its list of attacker marks and sorts packets into accepted packets and rejected packets

  13. Outline • DDoS Attack/Defense Review • Goals/Main Idea • Pi Marking • Pi Filtering • Experimental Results • Discussion • Conclusion

  14. Pi Marking Scheme • Marking Scheme • Each router marks n bits into IP Identification field • Marking Function • Last n bits of hash (e.g. MD5) of router IP address • Marking Aggregation • Router pushes marking into IP Identification field

  15. Pi Marking • Queue-based marking • Routers “push” marking into IP Identification field • Note: Victim’s local routers (in general, 3 to 4 hops) do not mark. • Figure: the packet’s Identification field, shown as 2-bit slots, is filled by successive marking routers π on the path from attacker A to victim V

  16. Legacy Routers • Legacy routers do not mark • Extensions • Detect upstream legacy router • Mark for previous legacy router • Write-ahead improvement • Figure: path from attacker A to victim V through marking routers π, with a legacy router L that leaves the Identification field unchanged

  17. Path Marking vs. Edge Marking • Collision in path marking • path(AC) = m_a m_c, path(BC) = m_b m_c • With probability 1/2^n, m_a = m_b • Edge marking • path(AC) = m_a’ m_c1, path(BC) = m_b’ m_c2 • where m_c1 = h(IP_C || IP_A), m_c2 = h(IP_C || IP_B) • Still probability of collision is 1/2^n • But, new probability of having identical marks for two paths joining at the same node becomes 1/2^(2n)
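A small model of the marking scheme on slides 14 to 17, written for this page as an added example (it is not code from the paper or the slides). The router addresses, the three-router non-marking "perimeter" on the victim side, and the `|` separator inside the edge-marking hash are constructed assumptions.

```python
import hashlib

ID_BITS = 16   # width of the IPv4 Identification field that carries the Pi mark

def router_mark(router_ip: str, n: int) -> int:
    """Path-marking function (slide 14): the last n bits of MD5(router IP)."""
    digest = hashlib.md5(router_ip.encode()).digest()
    return int.from_bytes(digest, "big") & ((1 << n) - 1)

def edge_mark(router_ip: str, prev_hop_ip: str, n: int) -> int:
    """Edge-marking variant (slide 17): last n bits of h(IP_C || IP_prev), so the
    mark depends on the incoming link, not only on the router. Separator assumed."""
    digest = hashlib.md5((router_ip + "|" + prev_hop_ip).encode()).digest()
    return int.from_bytes(digest, "big") & ((1 << n) - 1)

def push_mark(ident: int, mark: int, n: int) -> int:
    """Queue-based aggregation (slide 15): shift the field left by n and OR the new
    mark into the low bits; bits older than 16/n hops fall off the high end."""
    return ((ident << n) | mark) & ((1 << ID_BITS) - 1)

def mark_along_path(path, n, legacy=frozenset(), perimeter=3, ident=0):
    """Walk one packet along `path` (router IPs, source side first).
    Routers in `legacy` (slide 16) leave the field untouched; the last `perimeter`
    routers belong to the victim's ISP and do not mark (slide 15). `ident` is what
    the sender put in the field: an attacker controls it, but each marking router
    shifts it toward the high end and, after 16/n marking hops, out entirely."""
    for hop in path[:len(path) - perimeter]:
        if hop in legacy:
            continue
        ident = push_mark(ident, router_mark(hop, n), n)
    return ident

# Constructed topology: two sources whose paths join at 192.0.2.1 and share the
# last three hops toward the victim (documentation address ranges, not real hosts).
PATH_A = ["10.0.0.1", "10.0.1.1", "192.0.2.1", "192.0.2.2", "192.0.2.3"]
PATH_B = ["10.0.5.9", "10.0.6.9", "192.0.2.1", "192.0.2.2", "192.0.2.3"]

if __name__ == "__main__":
    for name, path in (("A", PATH_A), ("B", PATH_B)):
        print(name, format(mark_along_path(path, 2, perimeter=0), "016b"))
    # The three shared hops give identical low 6 bits; the two sources differ above them.
```

With n = 2 and a 5-hop path only 10 bits are router-controlled, which is the "nearby attacker keeps some of its own bits" problem that slide 33 lists as future work.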

  18. Pi Marking - IP Fragmentation • Problem • Using deterministic values in IP Identification field breaks fragmentation • Solution (suggested by Vern Paxson) • Don’t mark packets that may ever get fragmented, or are fragments themselves • Packets with DF bit set • Packets smaller than smallest MTU • During DDoS attack, drop packets that do not have DF bit set

  19. Outline • DDoS Attack/Defense Review • Goals/Main Idea • Pi Marking • Pi Filtering • Experimental Results • Discussion • Conclusion

  20. Pi Filtering – Basic Scheme • Basic Scheme • Drop all packets with Pi marks matching that of any attack packets • Assumption • Victim can identify attack packets • Implementation Overhead • Memory: Bit vector of length 2^16 (8 kB) • if (BitVec[PiMark] == 0) then accept() else drop(); • Simple per-packet lookup

  21. Pi Filtering - Thresholds • Problem • Single attacker causes multiple users’ rejections • Solution • Assume, for a particular Pi mark, i: • a_i = number of attack packets • u_i = number of legitimate users’ packets • Victim chooses threshold, t, such that if: then packets with Pi mark i are kept

  22. Outline • DDoS Attack/Defense Review • Goals/Main Idea • Pi Marking • Pi Filtering • Experimental Results • Discussion • Conclusion

  23. Exp. Results – Attack Model • Two phase DDoS model • Phase 1: Learning Phase • Omniscient victim, Filter Bootstrapping • Limited Length (3 packets per endhost) • Phase 2: Attack Phase • Pi filter deployed • “Unlimited” Length (3 packets simulated) • Results presented for phase 2

  24. Exp. Results - Setup • Two Internet Topologies • Internet Map Project • 81,953 unique endhosts • CAIDA Skitter Map • 171,472 unique endhosts • 5,000 Legitimate Users, 100-10,000 Attackers • n = 2 bits • 4 router non-marking ISP perimeter • Victim ISP marks unnecessary/undesirable

  25. Exp. Results - Metrics • Filter Errors • False Positive: User packet dropped • False Negative: Attacker packet accepted • Acceptance Ratio • Percent packets accepted by victim of total packets sent • Attacker Acceptance Ratio = false negative rate • User Acceptance Ratio = (1 – false positive rate)

  26. Exp. Results – Basic Filter • DDoS protection • Accepted (with 10,000 unique attack paths): • 60% of user traffic • 17% attacker traffic • Downward slope due to “marking saturation” • All markings flagged as attacker

  27. Exp. Results – 50% Threshold Filter Performance • Thresholds Work! • Accepted (with 10,000 unique attack paths): • 82% of user traffic • 22% attacker traffic • Increased attack severity requires increased threshold

  28. Exp. Results – Legacy Routers • 50% threshold used • Performance degradation is gradual • Some filtering accuracy even at 50% legacy routers • 0 = random selection • 1 = perfect filter

  29. Exp. Results – Limited Capacity • Constraint • Limit maximum number of packets accepted. • Strategy • Accept lowest attack traffic Pi marks first. • Performance • 60% server capacity for legitimate packets when total attack traffic 170X of user traffic. *Note: Each Attacker sends 10X traffic over legitimate user.
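A worked filtering example for slides 20, 21 and 29, added here and not taken from the paper or the slides. The learning-phase trace is constructed, and because the threshold condition on slide 21 did not survive extraction, the comparison used (keep a mark while its attack fraction a_i/(a_i+u_i) is below t) is an assumption.

```python
from collections import Counter
MARK_SPACE = 1 << 16   # the 16-bit Identification field gives 2^16 possible Pi marks

def basic_bitvec(attack_marks):
    """Slide 20: 2^16-bit vector (8 kB); a set bit means the mark was seen on an attack packet."""
    bits = bytearray(MARK_SPACE // 8)
    for m in attack_marks:
        bits[m >> 3] |= 1 << (m & 7)
    return bits

def basic_accept(bits, pi_mark):
    """One table lookup per packet: accept iff the mark's bit is clear."""
    return not (bits[pi_mark >> 3] >> (pi_mark & 7)) & 1

def attack_fraction(a_counts, u_counts, i):
    a, u = a_counts.get(i, 0), u_counts.get(i, 0)
    return a / (a + u)

def threshold_accept_set(a_counts, u_counts, t):
    """Slide 21: keep mark i while a_i/(a_i+u_i) stays below t (comparison assumed,
    see lead-in); a user who shares a mark with a few attackers is no longer dropped."""
    return {i for i in set(a_counts) | set(u_counts) if attack_fraction(a_counts, u_counts, i) < t}

def capacity_accept_set(a_counts, u_counts, capacity):
    """Slide 29: under a cap on accepted packets, admit the lowest-attack-fraction
    marks first and stop when the next mark's traffic would exceed the cap."""
    keep, load = set(), 0
    for i in sorted(set(a_counts) | set(u_counts), key=lambda m: attack_fraction(a_counts, u_counts, m)):
        total = a_counts.get(i, 0) + u_counts.get(i, 0)
        if load + total > capacity:
            break
        keep.add(i)
        load += total
    return keep

def count_marks(packets):
    """Split a learning-phase trace of (pi_mark, is_attack) into a_i and u_i Counters."""
    a, u = Counter(), Counter()
    for mark, is_attack in packets:
        (a if is_attack else u)[mark] += 1
    return a, u

# Constructed learning-phase trace (slide 23: the victim knows which packets are attacks).
LEARNING_PACKETS = [
    (0x1A3C, True), (0x1A3C, True), (0x1A3C, False),    # attackers and one user share a mark
    (0x2B40, False), (0x2B40, False), (0x2B40, False),  # users only
    (0x7F01, True), (0x7F01, True),                     # attackers only
    (0x0C22, False), (0x0C22, True), (0x0C22, False),   # mostly users
]
```

On this trace the basic filter drops the user behind mark 0x1A3C (a false positive), while a 50% threshold keeps marks 0x2B40 and 0x0C22 and drops the two attacker-dominated ones.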

  30. Outline • DDoS Attack/Defense Review • Goals/Main Idea • Pi Marking • Pi Filtering • Experimental Results • Discussion • Conclusion

  31. Other Applications • Help other anti-DDoS techniques • Pushback • Filters that mask individual IP addresses can be very long • Upstream path information improves filtering accuracy • IP traceback path reconstruction • IDS • ISPs use Pi to detect IP address spoofing

  32. Discussion: Deployment Incentives • Lack of incentive for ingress filtering • Pi provides incentive for ISP • Customers benefit from Pi marking • Attackers within ISP cause blocking of other ISP customers • ISP has incentive to block attack • Incentives for ingress filtering • Market pressures drive Pi deployment • Large-scale Internet sites > ISP > router manufacturer

  33. Future Work • Advanced marking schemes • Use combination of XOR and shift • Advanced dynamic filters • Problems: • “Nearby” attackers always have attacker-initialized bits in markings • Route changes cause Pi mark variations • Solution: Machine learning techniques identify marking commonalities • (i.e. longest-prefix matching for nearby attackers)

  34. Related Work • IP traceback • itrace • SPIE • PEIP – Path Enhanced IP (CS3 Inc.) • Adds 16-byte path to each packet • Router marks within 16-byte path

  35. Pi: Conclusions • Disadvantages of current DDoS defenses • Slow • High overhead • Assumes ISP collaboration • Pi provides DDoS protection • After first identified attack packet • Minimal overhead at routers and endhosts • Maintains IP Fragmentation • No inter-ISP cooperation • Great incremental deployment properties
