1 / 24

Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic. Authors: Cheng Jin, Haining Wang, Kang G. Shin Appeared in 10th ACM International Conference on Computer and Communications Security 2003 Presenter: Haiou Xiang. Introduction. DDoS attacks

terrence-quinones
Download Presentation

Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic Authors: Cheng Jin, Haining Wang, Kang G. Shin Appeared in 10th ACM International Conference on Computer and Communications Security 2003 Presenter: Haiou Xiang

  2. Introduction • DDoS attacks • Limit and block legitimate users’ access by exhausting victim servers’ resources • Saturating stub networks’ access links to the Internet • Spoofed DDoS • To conceal flooding sources and localities in flooding traffic, attackers often spoof IP addresses by randomizing the 32-bit source-address field in the IP header • It is difficult to counter IP spoofing because of the stateless and destination-based routing of the Internet

  3. Exist Techniques • Router-based • Victim-based • Easily deployable • Without any router support

  4. Approach: Hop-Count-Filtering • An attacker can forge any field in the IP header • However, cannot falsify the number of hops an IP packet takes to reach its destination • Solely determined by the Internet routing infrastructure.

  5. Computation—Hop-Count Number of network hops source destination TTL: Ti TTL: Tf # of Hops: Hc=Ti-Tf

  6. Assumption • Attackers cannot sabotage routers to alter TTL values of IP packets that traverse them

  7. Hop-Count Inspection Algorithm Packet Source IP addr. S Final Tf Hop-count Hs from IP2HC Infer initial Ti Hop-count Hc= Ti - Tf Hc != Hs No legitimate packet Yes Spoofed packet

  8. Approach mechanism • Hop-count filter (HCF) Alert state packet HCF Accept Action state IP2HC Drop

  9. Running state of HCF • Two state • Alert: detect the presence of spoofed packets • Action: discard spoofed packets

  10. Alert State --Sample incoming packets for hop-count inspection -- Calculate the spoofed packet counter -- Update the IP2HC mapping table in case of legitimate hop-count changes

  11. Action state -- Performs per-packet hop-count inspection and discards spoofed packets, if any -- Examine every packet -- Discards spoofed packets

  12. Challenge • HCF cannot recognize forged packets whose source IP addresses have the same hop-count value as that of a zombie.

  13. Hop-Count Distribution • Gaussian distribution

  14. Hop-Count Distribution • Gaussian distribution • The girth is the standard deviation, σ. • The area under the Gaussian distribution sums to the number of IP addresses measured. • The mean value of a Gaussian distribution specifies the center of the bellshaped curve.

  15. Hop-Count Distribution 19 5 14 3 The largest percentage of IP addresses that have a common hop-count value is only 10%

  16. Effectiveness of HCF • “what fraction of spoofed IP packets can be detected by the proposed HCF?” • Single attack • Single flood source • Multiple flood sources • Sophisticated attack

  17. Single flood source • Given a single flooding source hose hop-count to the victim is h, let denote the fraction of IP addresses that have the same hopcount to the victim as the flooding source Identified and discarded by HCF the fraction of spoofed IP addresses that cannot be detected

  18. Multiple flood sources there are n sources that flood a total of F packets, each flooding source generates F/n spoofed packets Identifiable spoofed packets generated by n flooding sources

  19. Sophisticated Attackers The summation will have a maximum value of 1 so ¯Z can be at most 1/H = 8.5%. In this case, less than 10% of spoofed packets go undetected by HCF. the fraction of spoofed source IP addresses that have correct TTL values

  20. Results • None of these “intelligent” attacks are much more effective than the simple attacks • HCF can remove nearly 90% of spoofed traffic with an accurate mapping between IP addresses and hop-counts

  21. Construction of HCF table • Objectives • Accurate IP2HC mapping • Up-to-date IP2HC mapping • Moderate storage requirement • Method: Clustering address prefixes based on hop-counts • Build accurate IP2HC mapping tables and maximize HCF’s effectiveness without storing the hop-count for each IP address. • A pollution-proof update procedure that captures legitimate hop-count changes while foiling attackers’ attempt to pollute HCF tables

  22. Strength of HCF • HCF can remove 90% of spoofed traffic • Even if an attacker is aware of HCF, he or she cannot easily circumvent HCF. • HCF is a simple and effective solution in protecting network services against spoofed IP packets • HCF can be readily deployed in end-systems since it does not require any network support.

  23. Weakness of HCF • The existence of NAT (Network Address Translator) boxes, each of which may connect multiple stub networks, could make a single IP address appear to have multiple valid hop-counts at the same time • To install the HCF system at a victim site for practical use, we need a systematic procedure for setting the parameters of HCF, such as the frequency of dynamic updates

More Related