Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic
Presentation Transcript

1. Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic
Cheng Jin (chengjin@cs.caltech.edu), Haining Wang (hnw@cs.wm.edu), Kang G. Shin (kgshin@eecs.umich.edu)
CCS’03, October 2003, Washington, DC, USA
Presenter: Lei Wu, March 2009
Presentation for CAP 6135

2. Outline
• Background
• Mechanism and construction
• Measurement
• Conclusion

3. Outline
• Background
• Mechanism and construction
• Measurement
• Conclusion

4. Background
• IP address spoofing
• DDoS attack
• Two classes of defense approaches

5. IP address spoofing
• In computer networking, IP address spoofing refers to the creation of IP packets with a forged (spoofed) source IP address, with the purpose of concealing the identity of the sender or impersonating another computing system.

6. DDoS Attack
• Distributed Denial of Service (DDoS) attack
• A DDoS attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system.
• DDoS attacks on the root nameservers
  • October 21, 2002
  • February 6, 2007

7. Defense Approaches
• Router-based
  • Make improvements to the routing infrastructure
  • Off-line analysis of flooding traffic, or on-line filtering of DDoS traffic inside routers
  • Requires not only router support, but also coordination among different routers and networks, and wide-spread deployment
• Victim-based
  • Enhance the resilience of Internet servers against attacks
  • Easy to deploy

8. Weakness of conventional victim-based methods
• Protection is based on sophisticated resource management schemes
• No mechanism to detect and discard spoofed traffic
• They can confine the scope of damage to the service under attack, but may not be able to sustain the availability of that service
• Filtering spoofed traffic before it reaches the resource manager helps a great deal
• HCF uses the TTL field of the IP header to infer the hop count a packet has travelled
• Assumption: attackers cannot sabotage routers to alter the TTL values of IP packets that traverse them

9. Outline
• Background
• Mechanism and construction
• Measurement
• Conclusion

10. Mechanism and construction
• Introduction
• Construction of the IP2HC mapping table
• Hop-count computation
• Inspection algorithm
• Two running states of HCF

11. Introduction
• Basic idea of Hop-Count Filtering (HCF): a packet whose source address sits at a hop count that does not match the TTL it arrives with is very likely spoofed
• Build an accurate IP-to-hop-count (IP2HC) mapping table
• Cluster address prefixes based on hop count
• Two running states

12. Construction of the IP2HC mapping table
• Objectives in building an HCF table
  • Accurate IP2HC mapping
  • Up-to-date IP2HC mapping
  • Moderate storage requirement
• Two issues
  • Clustering address prefixes based on hop counts
    • 24-bit aggregation
    • Divide the IP addresses under each 24-bit prefix into smaller clusters when they do not share one hop count
  • A pollution-proof update procedure that captures legitimate hop-count changes while foiling attackers’ attempts to pollute HCF tables

13. Construction of the IP2HC mapping table (cont.)
• An example of hop-count clustering (figure not captured in the transcript)

14. Construction of the IP2HC mapping table (cont.)
• Accuracies of various filters (figure not captured in the transcript)

15. Construction of the IP2HC mapping table (cont.)
• Sizes of various HCF tables (figure not captured in the transcript)

16. Construction of the IP2HC mapping table (cont.)
• Pollution-proof initialization and update
• Initialization
  • Collect traces of the server's clients that contain both IP addresses and the corresponding TTL values
  • The collection period depends on the server's traffic load
• Update
  • The HCF table is updated only from TCP connections in the established state, since a sender with a spoofed source address cannot complete the handshake
  • A user-configurable parameter adjusts the frequency of updates
  • The cost of re-clustering is negligible

17. Hop-Count Computation
• Time To Live (TTL) field of the IP header (figure not captured in the transcript)
• The 8-bit TTL is set by the sender and decremented by one at each router; the hop count is the initial TTL minus the TTL observed at the destination

18. Hop-Count Computation (cont.)
• The challenge is that a destination only sees the final TTL value when it receives a packet
• Most modern OSes use only a few selected initial TTL values
  • 30, 32, 60, 64, 128 and 255
• Few Internet hosts are more than 30 hops apart
• For example, if the final TTL value is 112, we can infer that the initial TTL value was 128 (hop count 16)
• What about the ambiguities {30, 32}, {60, 64}, and {32, 60}?
  • Compute a hop-count value for each of the possible initial TTL values, and accept the packet if any of them matches the hop count stored for the source address

19. Inspection Algorithm
• (per-packet inspection pseudocode not captured in the transcript)

20. Two running states of HCF
• Because HCF adds delay to the critical path of packet processing, it should not be active all the time
• Two running states
  • Alert: detect the presence of spoofed packets
    • By default HCF stays in the alert state and monitors the trend of hop-count changes without discarding packets
  • Action: discard spoofed packets
    • Upon detection of a flux of spoofed packets, HCF switches to the action state, examines each packet and discards spoofed IP packets

21. Two running states of HCF (cont.)
• Operations in the two HCF states (figure not captured in the transcript)
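The two running states of slides 20 and 21, as an added Python example that is not from the paper. The decision window of 20 packets, sampling of every fourth packet in the alert state, and the 30% / 10% mismatch thresholds for entering and leaving the action state are assumed values the slides do not specify; the IP2HC lookup is a constructed one-entry /24 mapping and the packet stream is synthetic.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

INITIAL_TTLS = (30, 32, 60, 64, 128, 255)  # initial TTL values used by common OSes


def ttl_matches(final_ttl: int, expected_hops: int) -> bool:
    """True if some plausible initial TTL (at most 30 hops away) gives the expected hop count."""
    return any(init - final_ttl == expected_hops and 0 <= expected_hops <= 30
               for init in INITIAL_TTLS)


@dataclass
class HCFController:
    """Alert state: sample packets, count hop-count mismatches, never discard.
    Action state: check every packet and discard mismatches."""
    expected_hops: Callable[[str], int]  # IP2HC lookup (assumed to cover every source here)
    window: int = 20                     # packets per decision window (assumed value)
    sample_every: int = 4                # alert state examines every n-th packet (assumed)
    enter_action: float = 0.3            # mismatch fraction that switches filtering on (assumed)
    leave_action: float = 0.1            # mismatch fraction that switches it off (assumed)
    state: str = "alert"
    dropped: int = 0
    transitions: list[tuple[str, int]] = field(default_factory=list)
    _seen: int = field(default=0, init=False, repr=False)
    _examined: int = field(default=0, init=False, repr=False)
    _mismatched: int = field(default=0, init=False, repr=False)

    def _spoofed(self, src_ip: str, ttl: int) -> bool:
        return not ttl_matches(ttl, self.expected_hops(src_ip))

    def handle(self, src_ip: str, ttl: int) -> bool:
        """Process one packet: True to deliver, False to discard."""
        self._seen += 1
        deliver = True
        if self.state == "alert":
            if self._seen % self.sample_every == 0:  # cheap monitoring, nothing discarded
                self._examined += 1
                if self._spoofed(src_ip, ttl):
                    self._mismatched += 1
        else:
            self._examined += 1                       # full inspection of every packet
            if self._spoofed(src_ip, ttl):
                self._mismatched += 1
                self.dropped += 1
                deliver = False
        if self._seen % self.window == 0:
            self._end_window()
        return deliver

    def _end_window(self) -> None:
        rate = self._mismatched / self._examined if self._examined else 0.0
        if self.state == "alert" and rate >= self.enter_action:
            self.state = "action"
            self.transitions.append(("action", self._seen))
        elif self.state == "action" and rate <= self.leave_action:
            self.state = "alert"
            self.transitions.append(("alert", self._seen))
        self._examined = self._mismatched = 0


def run_demo() -> HCFController:
    """Legitimate traffic, then a spoofed flood, then legitimate traffic again (constructed)."""
    table = {"192.0.2": 16}  # constructed IP2HC entry: the whole /24 is 16 hops away
    ctl = HCFController(expected_hops=lambda ip: table[ip.rsplit(".", 1)[0]])
    legit = [(f"192.0.2.{i % 250 + 1}", 112) for i in range(40)]  # 128 - 112 = 16 hops
    flood = [(f"192.0.2.{i % 250 + 1}", 50) for i in range(40)]   # zombie 14 hops away, TTL 64
    for src, ttl in legit + flood + legit:
        ctl.handle(src, ttl)
    return ctl


if __name__ == "__main__":
    c = run_demo()
    print(c.state, c.dropped, c.transitions)
```

With this stream the controller stays in alert during the first 40 packets, switches to action at the end of the first flood window (packet 60) after its sampled packets all mismatch, discards the 20 flood packets of the next window, and returns to alert at packet 100 once a full window of legitimate traffic has been examined; the 20 flood packets that arrived while still in alert were delivered, which is the cost of keeping inspection off the critical path by default.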

22. Two running states of HCF (cont.)
• Extra benefits of the two running states
  • Against Distributed Reflected Denial of Service (DRDoS) attacks
  • Blocking bandwidth attacks

23. Outline
• Background
• Mechanism and construction
• Measurement
  • Feasibility
  • Effectiveness
  • Resource savings
• Conclusion

24. Feasibility of HCF
• The feasibility of HCF hinges on three factors
• Stability of hop counts
  • Internet paths were found to be dominated by a few prevalent routes
  • About two thirds of the Internet paths studied were observed to have routes persisting for days or weeks
• Diversity of the hop-count distribution
  • The larger the standard deviation of hop counts, the more effective the filter
• Robustness against possible evasion
  • Without compromising the victim, it is very difficult for an attacker to obtain the IP2HC mapping for the whole address space it spoofs from
  • Spoofing only addresses that share a compromised machine's hop count shrinks the usable address pool, which makes detection and removal of those machines much easier

25. Diversity of hop-count distribution
• The largest fraction of IP addresses sharing a common hop-count value is only 10% (figure not captured in the transcript)

26. Effectiveness of HCF
• Simple attacks: the attacker always uses the default initial TTL value, so spoofed packets carry the zombie's hop count rather than that of the spoofed address (figure not captured in the transcript)

27. Effectiveness of HCF (cont.)
• Sophisticated attackers: randomly choose the initial TTL value, so a spoofed packet passes only when the resulting hop count happens to match the table entry (figure not captured in the transcript)

28. Resource Savings
• This part describes implementation techniques that reduce the resource consumption of HCF
  • Implemented inside the Linux kernel
  • A hash table organises the hop-count mapping
• Please read the paper for details

29. Outline
• Background
• Mechanism and construction
• Measurement
• Conclusion
  • Contribution
  • Weakness
  • Improvement

30. Contribution
• Proposes a hop-count based filtering scheme that detects and discards spoofed IP packets to conserve system resources
• Gives analytical measurements of feasibility and effectiveness
• Describes in detail how to make the whole system efficient, and evaluates it

31. Weakness
• TTL-based hop-count computation
  • Assumes that most OSes use only a few selected initial TTL values
  • The handling of the ambiguities {30, 32}, {60, 64}, and {32, 60}
  • No explicit way to assign and adjust parameter values
• Feasibility of HCF
  • No definitive claim of whether hop-count distributions are Gaussian or not
• Effectiveness of HCF against sophisticated attackers
  • No analysis of multiple flooding sources
• No comparison with other methods
• No consideration of more realistic and complex network environments

32. Improvement
• Use machine learning methods to assign and adjust parameter values
• Find out the distribution of hop counts
• Analyse multiple flooding sources for sophisticated attackers
• Compare HCF with other methods
• Consider more realistic and complex network environments

33. Extra References
• http://en.wikipedia.org/wiki/Internet_Protocol
• http://en.wikipedia.org/wiki/Distributed_Reflection_Denial_of_Service

34. Questions? Thank you!