390 likes | 546 Views
Defending against Large-Scale Distributed Denial-of-Service Attacks. Department of Electrical and Computer Engineering Advanced Research in Information Assurance and Security (ARIAS) Lab Virginia Tech Jung-Min Park. Overview of DoS Attacks. What is a DoS attack?
E N D
Defending against Large-ScaleDistributed Denial-of-Service Attacks Department of Electrical and Computer Engineering Advanced Research in Information Assurance and Security (ARIAS) Lab Virginia Tech Jung-Min Park
Overview of DoS Attacks • What is a DoS attack? • An attack that disrupts network services to legitimate clients • Large-scale Distributed DoS (DDoS) attack of Feb. 2000 • A DDoS attack took down Yahoo, EBay, and Amazon.com • Outage caused millions of dollars in lost revenue • Hundreds of attacks are observed each day • Global corporations lost over $1.39 trillion in revenue due to security breaches in 2000, and • Over 60% are due to viruses and DoS attacks (http://www.captusnetworks.com/BeenDoSd.pdf) • FBI reports indicate DoS attacks are on the rise 2
Taxonomy of DoS Attacks • Attacks that exploit system design weaknesses • Teardrop attack • Ping-of-death attack • Land attack • SYN flood attack • Attacks that exploit the weakness of particular protocols • Attacks against authentication protocols • Attacks against key agreement protocols • Attacks that exploit the asymmetry between “line rate” and throughput of hosts and routers • Flooding-based DDoS attacks 3
Exploits the asymmetry between “line rate” and throughput of hosts and routers Large volume of packets is sent toward a victim Consumes bandwidth and processing power of the victim DDoS attacks utilize attack handlers and zombies to hide the identity of the real attacker Flooding-based DDoS Attacks 4
Prevention and preemption(before the attack) Detection(during the attack) Mitigation and filtering(during the attack) attack source traceback and identification(during and after the attack) Lines of Defense Against DDoS Attacks • Apply software patch • SYN cookies, client puzzles • Design DoS attack resistant systems • Overlay networks • Signature (misuse) detection • Anomaly detection • Client puzzles • Aggregate filtering, pushback • Overlay networks • IP traceback: packet marking • IP traceback: packet logging • “Attack traceback” 5
Attack Detection Traceback to the zombie’s border router The IP Traceback Problem IP traceback strategies: • Probabilistic Packet Marking (PPM) • Packet Logging 7
Limitations of Current IP Traceback Schemes • Do not support last-hop traceback • Packet logging schemes • Significant computation overhead on routers • Significant storage overhead on routers • Packet marking • Not scalable: Complexity of path reconstruction process increases rapidly as number of attackers increase • Large number of packets need to be collected 8
Attack Detection Router Port Markingfor traceback Packet filtering at the border router of the zombies rouTer poRt mArking and paCKet filtering (TRACK) • Objective: • Reduce computation complexity of path reconstruction • Reduce number of packets that need to be collected • Support last-hop traceback • Support gradual deployment • Filter attack traffic using traceback information 9
Basic Principles of TRACK A string composed of locally-unique router interface port numbers is a globally unique identifier of a path. 10
1 Port Number If Marking Flag = 1 Marking Flag Port Number XOR Port Number Last 5-digit of TTL XOR Distance Router Port Marking Procedure Active Port Marking Mode (APMM) at probability of p : Passive Port Marking Mode (PPMM) at probability of 1 – p : 12
Path Reconstruction Process of TRACK • Objective • Recover the port number sequence of an attack path and convert them into a sequence of router IP addresses • Approach • Distribute the path reconstruction process among the victim’s upstream routers (victim attacker’s border router)(similar to Pushback) • Employ a trace table and trace packets • Use same info. to filter attack traffic at the border router of the attacker • Computational Complexity: O(N2) 13
Path Reconstruction Process of TRACK MKF = 1, XOR = PN = 18,Distance = TTL5 (254) = 30 Assume C3 is sending packets to V M is in APMM; F, B, and A are in PPMM MKF = 1, PN = 18,Distance = 30, TTL5 = 27, XOR = 2 (=18 47 34 21); d = 30 – 27 = 3 14
Path Reconstruction Process of TRACK d = Distance – TTL5 XOR(d+1) PN(d+1) = XOR(d) C3’s path: 21-34-47-18 15
Number of Packets Needed for Path Reconstruction p = 0.01 p = 0.04 16
False Positive Rate Skitter Internet map Complete tree topology model 17
Gradual Deployment Skitter Internet map Complete tree topology model 18
Client Puzzle Protocols • A technique used to mitigate DoS attacks that does not rely on distinguishing between attack traffic and legitimate client traffic • Puzzles are typically based on difficult problems from cryptosystems • Partial reversal of a hash function • Exhaustive key search in a private key cryptosystem 20
Basic Principles of Chained Puzzles • Puzzle algorithm: Exhaustive key search of XTEA6 • XTEA6: Truncated version of the XTEA encryption algorithm • Puzzle Routers • Puzzle distribution and verification is performed by the “first-hop” border router called a Puzzle Router • Puzzles are enabled by downstream Puzzle Routers 21
Message Exchange Between Puzzle Routers • Downstream Puzzle Routers enable puzzles at the upstream Puzzle Routers 22
Optimal Location for Detection and Mitigation Detection: DDoS attacks are detected easily near the server or the main victim of the attack (packet loss, heavy congestion, etc.) Mitigation: Preventing or mitigating an attack is best performed as close to the source of the attack as possible 23
Puzzle Distribution • How do we distribute puzzles? • Easy in TCP 3-way handshake • IP is connectionless and a client puzzle protocol is connection oriented • Client asks for a puzzle • Server sends the puzzle to the client • Client solves the puzzle, sends the solution back to the server • Solution • Puzzle solution chaining 24
Puzzle Solution Chaining • When Puzzles are enabled, “bootstrapping” procedure is needed to create the first puzzle • Subsequent puzzles are created by the client independently • Current solution becomes plaintext for the next puzzle 25
Puzzle Solution Chaining – cont’d • Client creates a chain of puzzles • The Puzzle Router reissues the puzzle challenge periodically 26
Probabilistic Verification • Probabilistic verification • Puzzle Routers verify incoming puzzles according to a given probability • Increase performance and throughput of the Puzzle Routers 27
Simulation Results: NPSR • Normal Packet Survival Ratio (NPSR) • Percentage of legitimate packets that can make their way to the victim in the midst of a DDoS attack 28
Future Work • IP Traceback • Improve scalability • Better support of gradual deployment • Minimize the number of false positives • Support IP fragments • Support router degrees greater than 64 • Client puzzle protocol • Specification of a Puzzle Router’s functions • Resolve protocol architecture issues • Counter puzzle protocol circumvention • Ensure fairness 29
Conclusion • Last-hop traceback capability: a step closer to attack traceback • Support of gradual deployment: more realistic solution • Using router port instead of router as the atomic unit for traceback: fewer packets and less computational complexity for path reconstruction, finer granularity, and less false positive • Attack detection at the victim and packet filtering at the zombies’ border routers: the optimal location for both modules 31
Backup 32
Path Reconstruction Process of TRACK • Objective • Recover the port number sequence of an attack path and convert them into a sequence of router IP addresses • Approach • Distribute the path reconstruction process among the victim’s upstream routers (victim attacker’s border router)(similar to Pushback) • Employ a trace table and trace packets • Use same info. to filter attack traffic at the border router of the attacker • Computational Complexity: O(N2) 33
Limitation of Current Attack Mitigation Schemes • Problem • Conventional countermeasures attempt to detect and filter at the same location • Fact • Attack detection is easier closer to the victim, packet filtering is more effective closer to the attack source • Solution • Separate the two functions in separate modules 34
Attack Detection Packet Filtering Attack Mitigation (Packet Filtering) • Location of attack detectionand packet filtering: • At the victim • In the network • At the attack source 35
Probabilistic Packet Marking (Basics) • Routers mark packets with fragments of its IP addresses probabilistically • Identification field in IP header is used (The probability of IP fragmentation is 0.25%) • The victim can collect IP fragments from many packets to reconstruct attacking path 36
Overhead of Packet Logging For a OC-192 link: • TRACK: 50k destination IP address insertion or update per second; 900MB/hours storage, upper-bounded by 20GB • The scheme in [Snoe01]: 60 million hash operations per second; 44GB storage per hour, bounded by the maximum allowed traceback time • The scheme in [Li04]: 8 million hash operations per second; 5.2GB storage per hour, bounded by the maximum allowed traceback time 37
Gradual Deployment • Neighbor-Discovery Handshake Protocol • Jump back to source during path reconstruction 39