D-WARD: DDoS Network Attack Recognition and Defense (PowerPoint presentation, 39 slides)

Presentation Transcript

  1. D-WARD: DDoS Network Attack Recognition and Defense
     PhD Qualifying Exam, Jelena Mirković. PhD Advisor: Peter Reiher. 01/23/2002

  2. Design and implement a DDoS defense system
     • located at the source network
     • autonomously detects and stops attacking flows
     • does not affect legitimate flows

  3. Overview
     • Problem Statement
     • Related Work
     • Desirable Characteristics
     • D-WARD
     • Thesis Goals
     • Conclusion

  4. What is a DoS Attack? (diagram slide)

  5. What is a DDoS Attack? (diagram slide)

  6. DDoS Defense Problem
     • Large number of unwitting participants
     • No common characteristics of DDoS streams
     • No cooperation between administrative domains
     • Automated attack tools
     • Hidden identity of participants
     • Persistent security holes on the Internet

  7. DDoS Prevention
     • Compromise prevention:
       • security patches
       • virus detection programs
       • intrusion detection systems (IDS)
     • High deployment cannot be enforced

  8. DDoS Defense (diagram: possible deployment locations are the source network, the intermediate network and the victim network)

  9. Victim Network
     • Intrusion Detection Systems
     • On-off control approach
     • Router monitoring tools (Cisco)
     + Victim can successfully detect the attack
     - Victim is helpless if the attack consists of legitimate packets or is of large volume

  10. Intermediate Network
     • WATCHERS
     • Traceback
     • Pushback
     • Spoofing prevention
     + Routers can effectively constrain/trace the attack
     - Possible performance degradation
     - Interdomain politics of isolation
     - Attack detection is hard
     - Communication has to be secured

  11. Source Network
     • MULTOPS
     + Source routers can effectively constrain/trace the attack
     + Internet resources are preserved
     - Attack detection is hard
     - Many deployment points needed for high efficacy

  12. Desirable Characteristics (each marked REQUIRED or OPTIONAL on the slide)
     • High security
     • Reliable attack detection
     • Independent detection and response
     • Low performance cost
     • Incremental benefit with incremental deployment
     • Handle recurring attacks
     • Traceback
     • Cooperation

  13. D-WARD
     • DDoS defense system in the Source Network
     • Source Router detects the attack and responds
     • Monitors the two-way traffic
     • Suspect flows are rate-limited
     • Further observations lead to a decrease or increase of the rate limit

  14. System Architecture (diagram: the Source Router sits between the Source Network and the Internet; the Observation Component gathers Traffic Statistics into a Statistics Cache, compares them against a Model Cache, classifies each flow as Normal, Transient or Attack, and passes Rate Limit Rules to the Throttling Component)

  15. Statistics Gathering
     • Statistics reveal when a peer is in difficulty (e.g. it stops responding)
     • Only IP header data is used
     • Statistics are classified per peer IP address
     • Statistics cache size is limited and the cache is purged periodically:
       • records for normal flows are deleted
       • records for transient and attack flows are reset

  16. Traffic Models
     • TCP requires a proportional reverse flow
     • Non-TCP traffic requires NO reverse flow
     • Non-TCP servers usually send a constant number of packets/bytes per second to a given peer

  17. Traffic Models
     • Model of normal TCP traffic:
       • low ratio of number of sent packets to number of received packets
     • Model of normal non-TCP traffic:
       • mean and standard deviation of the number of sent packets/bytes to a given destination
     • Non-TCP models are created in a training phase

  18. Flow Classification
     • Comparison with models of normal traffic:
       • compliant - within the limits of the model
       • attack - outside the model limits
     • Well behaved or not:
       • normal - well-behaved compliant flows
       • transient - compliant flows that are not well behaved

  19. Throttling Component
     • ATTACK: exponential decrease of the rate limit
     • TRANSIENT: slow recovery, linear increase
     • NORMAL: fast recovery, exponential increase
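The observation and throttling cycle of slides 15 to 19 (per-peer statistics, the TCP sent/received ratio model, the trained mean/stdev model for non-TCP traffic, the compliant/attack and normal/transient classification, and the exponential-decrease / linear-increase / exponential-increase rate-limit policy) as one worked example. This is an added illustration written for this page, not the D-WARD code; the thresholds `TCP_MAX_RATIO`, `NON_TCP_SIGMAS`, `WELL_BEHAVED_INTERVALS`, `MIN_LIMIT`, `LINEAR_STEP` and `LIFT_AT`, the halving rule used for the exponential decrease, the reading of "well behaved" as "stayed under the imposed limit", and the (sent, recv) interval counts are all assumptions made here:

```python
# Added illustration of the D-WARD observation/throttling cycle (slides 15-19).
# Not the D-WARD implementation: a simplified model written for this page. Every
# threshold and rate-limit constant below is an assumed value for the illustration.
from dataclasses import dataclass
from statistics import mean, pstdev

TCP_MAX_RATIO = 3.0         # assumed: TCP flow is "attack" if sent/received packet ratio exceeds this
NON_TCP_SIGMAS = 3.0        # assumed: non-TCP flow is "attack" if sent > mean + 3*stdev of its model
WELL_BEHAVED_INTERVALS = 3  # assumed: compliant intervals under the limit before a flow is "normal" again
MIN_LIMIT = 1.0             # assumed floor (packets/interval): a flow is throttled, never cut off outright
LINEAR_STEP = 10.0          # assumed: transient flows recover this many packets/interval per observation
LIFT_AT = 1000.0            # assumed: once the doubled limit exceeds this, the limit is removed entirely
UNLIMITED = float("inf")


def train_non_tcp(samples):
    """Non-TCP model (training phase): mean and population stdev of packets sent per interval."""
    return (mean(samples), pstdev(samples))


def compliant(proto, sent, recv, model=None):
    """Compare one interval's per-peer statistics with the model of normal traffic."""
    if proto == "tcp":
        # TCP requires a proportional reverse flow: many packets out with few back is suspect.
        return sent / max(recv, 1) <= TCP_MAX_RATIO
    # Non-TCP traffic needs no reverse flow; it is judged against the trained (mean, stdev).
    mu, sigma = model
    return sent <= mu + NON_TCP_SIGMAS * sigma


@dataclass
class Flow:
    """Statistics-cache record for one peer IP address."""
    proto: str
    state: str = "normal"
    limit: float = UNLIMITED
    good_intervals: int = 0   # consecutive compliant intervals in which the flow stayed under its limit
    sent: int = 0             # accumulated counters; purge_cache() resets these
    recv: int = 0


def observe(flow, sent, recv, model=None):
    """One observation cycle: classify the flow, then adjust its rate limit. Returns (state, limit)."""
    flow.sent += sent
    flow.recv += recv
    if not compliant(flow.proto, sent, recv, model):
        # ATTACK: exponential decrease. Halve the smaller of the current limit and the offending rate.
        flow.state = "attack"
        flow.good_intervals = 0
        flow.limit = max(MIN_LIMIT, min(flow.limit, sent) / 2)
        return flow.state, flow.limit
    # Compliant. "Well behaved" is read here as: the flow respected the limit imposed on it.
    flow.good_intervals = flow.good_intervals + 1 if sent <= flow.limit else 0
    if flow.limit == UNLIMITED or flow.good_intervals >= WELL_BEHAVED_INTERVALS:
        # NORMAL: fast recovery, exponential increase; the limit is lifted once it is large enough.
        flow.state = "normal"
        flow.limit = UNLIMITED if flow.limit * 2 > LIFT_AT else flow.limit * 2
    else:
        # TRANSIENT: compliant but not yet trusted; slow recovery, linear increase.
        flow.state = "transient"
        flow.limit += LINEAR_STEP
    return flow.state, flow.limit


def simulate(flow, intervals, model=None):
    """Feed constructed (sent, recv) interval counts through observe(); return the (state, limit) trace."""
    return [observe(flow, s, r, model) for s, r in intervals]


def purge_cache(cache):
    """Periodic purge: drop records of normal flows, reset the counters of transient/attack flows."""
    for peer in [p for p, f in cache.items() if f.state == "normal"]:
        del cache[peer]
    for f in cache.values():
        f.sent = f.recv = 0
    return cache


if __name__ == "__main__":
    # Constructed scenario: a TCP flood with no reverse traffic, after which the same peer
    # carries a normal request/response exchange (about 1:1 packets) and is gradually released.
    flood_then_legit = [(400, 0)] * 3 + [(20, 18)] * 6
    for state, limit in simulate(Flow("tcp"), flood_then_legit):
        print(f"{state:9s} limit={limit}")
    # Constructed UDP flow: model trained on quiet intervals, then a burst far outside the model.
    udp_model = train_non_tcp([50, 55, 48, 52, 60, 47])
    print(simulate(Flow("udp"), [(58, 0), (300, 0)], udp_model))
```

Two things the trace shows that the slides only state: the limit keeps halving while the offered rate stays above it, and a flow that becomes compliant is released slowly (linear) until it has behaved for `WELL_BEHAVED_INTERVALS` cycles and only then doubled per cycle. The ratio model also makes the evasion of slide 35 concrete: an attacker whose agents generate enough reverse packets (here 400 out, 200 back) stays "compliant" under a pure sent/received test.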

  20. Experiment 1 (topology diagram: client, two attackers, router, victim)

  21. (plot; markers: attack starts, attack stops)

  22. (plot; markers: attack starts, attack stops)

  23. Experiment 2 (topology diagram: client, two attackers, router, victim)

  24. (plot; markers: legitimate traffic starts, attack starts, attack stops)

  25. (plot; markers: legitimate traffic starts, attack starts, FTP starts, attack stops)

  26. Experiment 3 (topology diagram: client, two attackers, router, victim)

  27. (plot; markers: legitimate traffic starts, FTP starts, attack starts, attack stops)

  28. (plot; markers: attack starts, attack stops)

  29. Experiment 4 (topology diagram: client, two attackers, router, victim)

  30. (plot; markers: attack starts, attack stops)

  31. (plot; markers: attack starts, attack stops)

  32. Summary of Results
     • D-WARD successfully detects and stops attacks
     • Legitimate clients from other domains benefit greatly
     • The system is friendly to non-TCP traffic
     • Legitimate TCP connections from the source network are slowed down
     • There is no fairness guarantee for normal flows

  33. Attack Detection (thesis goals)
     • Choice of monitored parameters:
       • reliability vs. performance
       • separating legitimate from attack flows
     • Creation and update of models
     • Cooperation with other Source Routers
     • Cooperation with the victim
     • Recurring attacks

  34. Attack Response (thesis goals)
     • Effectiveness vs. fairness of the response:
       • aggressiveness should depend on the reliability of the classification
       • design of the feedback mechanism
     • Traceback of the attack
     • Interaction of multiple DDoS defense systems

  35. Security
     • Attackers follow developments in security
     • Attackers could attempt to avoid detection:
       • pulsing attacks
       • generating reverse packets
       • gradually using up the victim's resources
       • mistraining the models
     • Attackers could attempt to misuse the system:
       • making it drop legitimate packets
     • Attackers might DDoS the Source Router itself

  36. Partial Deployment
     • Effectiveness depends on the degree of deployment
     • Does not protect the deploying network, so the motivation to deploy is low
     • Legal factors could help
     • Additional incentives:
       • minimal changes to existing routers
       • low cost
       • good performance

  37. Deployment on Core Routers
     • Large coverage with fewer deployment points
     • Router performance must not be degraded
     • The rate limit affects a large portion of flows, so few false positives are a must

  38. Timeline (Gantt chart over Year 1 and Year 2, quarters Jan/Apr/Jul/Oct, with twelve numbered tasks placed on the chart)

  39. Conclusions
     • DDoS attacks are a serious threat
     • A design for an effective detection and response strategy is a must
     • D-WARD successfully detects and constrains the attacks, but has an undesired impact on legitimate flows
     • Further research is needed to refine the system and devise a deployment strategy