
DDoS/Traceback Paper Group # 23: Characterization

DDoS/Traceback Paper Group # 23: Characterization. Ozgur Ozturk CSE 581 - W02 Internet Technologies Instructed by Wu-chang Feng. Paper List. “Inferring Internet Denial-of-Service Activity” [ MOORE ] D. Moore @ CAIDA G. Voelker, S. Savage @ UCSD 2001 USENIX Security Symposium.



Presentation Transcript


  1. DDoS/Traceback Paper Group # 23: Characterization
  Ozgur Ozturk
  CSE 581 - W02 Internet Technologies
  Instructed by Wu-chang Feng
  DDoS/Traceback-Characterisation Ozgur Ozturk

  2. Paper List
  • “Inferring Internet Denial-of-Service Activity” [MOORE]
    • D. Moore @ CAIDA
    • G. Voelker, S. Savage @ UCSD
    • 2001 USENIX Security Symposium

  3. Moore: Outline
  • Underlying Mechanisms of DoS Attacks
  • The Backscatter Analysis Technique
  • Techniques for classifying attacks
  • Validation
  • Observations and Results
  • Conclusions

  4. Moore: Abstract
  • Backscatter analysis provides quantitative data for a global view on DoS activity using local monitoring
  • Videos
    • Traffic Characterisation (How Data Gathered)
      http://www.caida.org/outreach/resources/animations/passive_monitoring/traffic_char.mpg (1min12s)
    • TCP Port Analysis
      http://www.caida.org/outreach/resources/animations/passive_monitoring/tcp_port_analysis.mpg (2min15s)
    • Backscatter
      http://www.caida.org/outreach/resources/animations/passive_monitoring/backscatter.mpg (1min26s)

  5. Moore: DoS Attacks Background
  • Logic Attacks
    • Exploit software flaws
    • e.g. Ping of Death
  • Flooding Attacks
    • Overwhelm CPU, memory, bandwidth
    • e.g. SYN flood, ICMP flood

  6. Flooding Attacks - Backscatter
  • Attackers spoof the source address randomly
  • Small, frequent packets (the bottleneck is packets/sec, not bytes)
    • e.g. TCP SYN -> the victim allocates a data structure for every arriving packet that does not match an existing connection
  • Victims, in turn, respond to the attack packets
  • Remotely controlled “zombies” are used for DDoS

  7. Randomness in IP addresses
  • Unsolicited responses (backscatter) are equally distributed across the IP space
  • Received backscatter is evidence of an attack on someone elsewhere

  8. [figure from the CAIDA page]

  9. [figure from the CAIDA page]

  10. Assumptions
  • Address uniformity
  • Reliable delivery
    • Backscatter is not lost
  • Backscatter hypothesis
    • Unsolicited packets represent backscatter
    • In fact any server can send unsolicited packets
    • A reflector attack may not be detected
    • Attacks without random IP forgery are missed
    • Some attacks (e.g. TCP-RST) don’t produce backscatter

  11. Cluster packets
  • TCP vs. ICMP
  • Single attack vs. multiple attacks
    • start and end times of attacks
    • a small number of longer attacks
    • or many short attacks

  12. [figure slide]

  13. Platform [figure slide]

  14. Results
  • 13000 attacks
  • 5000 victim IP addresses in 2000 domains
  • 200 million backscatter packets
  • × 256 < real attack packets (the monitor sees 1/256 of the address space, so the real count is at least 256 times the observed backscatter)

  15.–19. [figure slides]

  20. How threatening
  • 500 packets/s is enough to overwhelm a server
    • 38-46 % of attacks (uniform / all)
  • 14000 packets/s for a firewall
    • 0.3-2.4 % of attacks (uniform / all)
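The inference behind slides 6 to 14 and the thresholds on slide 20 can be run end to end on a small capture. The following is an added example, not code from the slides or from the Moore paper: it assumes a constructed /8 monitor (10.0.0.0/8), a constructed packet log, and two clustering parameters (MIN_OBSERVED and ATTACK_GAP) that are assumptions, not the paper's values. It keeps only reply-type packets aimed at the monitor, groups them by the replying host (the victim), splits each victim's stream at long silences into separate attacks, scales the observed count by 256 for a /8, and rates the estimated packet rate against the 500 and 14000 packets/s figures.

```python
"""Backscatter inference over a constructed packet log (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed monitor: pretend this /8 is the address block whose unsolicited
# traffic we capture. Real sensor ranges are not given on the page.
MONITOR = ip_network("10.0.0.0/8")
# A /8 is 1/256 of IPv4, so (assuming uniformly random spoofed sources)
# each observed backscatter packet stands for about 256 attack packets.
SCALE = 2**32 // MONITOR.num_addresses          # 256

# Replies a victim sends back to the spoofed sources; only these are counted.
BACKSCATTER = {"SYN/ACK", "RST", "ICMP_UNREACH", "ICMP_TTL_EXCEEDED"}
MIN_OBSERVED = 10      # assumption: fewer packets from one victim is noise
ATTACK_GAP = 300       # assumption: >300 s of silence starts a new attack
SERVER_PPS = 500       # slide 20: ~500 pkt/s overwhelms a server
FIREWALL_PPS = 14000   # slide 20: ~14000 pkt/s overwhelms a firewall


@dataclass
class Packet:
    ts: int     # seconds since capture start
    src: str    # the replying host, i.e. the real address of the victim
    dst: str    # a spoofed source that happens to fall inside MONITOR
    kind: str


@dataclass
class Attack:
    victim: str
    start: int
    end: int
    observed: int

    @property
    def estimated_packets(self) -> int:
        return self.observed * SCALE

    @property
    def estimated_pps(self) -> float:
        return self.estimated_packets / (self.end - self.start + 1)

    @property
    def threat(self) -> str:
        if self.estimated_pps >= FIREWALL_PPS:
            return "firewall"
        if self.estimated_pps >= SERVER_PPS:
            return "server"
        return "below-server-threshold"


def is_backscatter(p: Packet) -> bool:
    # Requests (SYN, echo request) and anything sourced from our own block
    # are not replies to spoofed traffic and must not be counted.
    return (p.kind in BACKSCATTER
            and ip_address(p.dst) in MONITOR
            and ip_address(p.src) not in MONITOR)


def cluster_attacks(packets):
    """Group backscatter by victim and split each victim's stream at silences."""
    by_victim = defaultdict(list)
    for p in packets:
        if is_backscatter(p):
            by_victim[p.src].append(p.ts)
    attacks = []
    for victim, stamps in by_victim.items():
        stamps.sort()
        start = prev = stamps[0]
        count = 0
        for ts in stamps:
            if ts - prev > ATTACK_GAP:
                attacks.append(Attack(victim, start, prev, count))
                start, count = ts, 0
            count += 1
            prev = ts
        attacks.append(Attack(victim, start, prev, count))
    return [a for a in attacks if a.observed >= MIN_OBSERVED]


def sample_packets():
    """Constructed capture: three victims plus two packets that must be ignored."""
    pkts = []
    # Victim A: two SYN/ACKs per second for 100 s (a SYN flood on a web server)
    for i in range(200):
        pkts.append(Packet(i // 2, "203.0.113.5", f"10.{i % 256}.{(i * 7) % 256}.1", "SYN/ACK"))
    # Victim B: only 8 RSTs, below MIN_OBSERVED
    for i in range(8):
        pkts.append(Packet(300 + i, "198.51.100.9", f"10.1.2.{i}", "RST"))
    # Victim C: two bursts of ICMP unreachable 25 minutes apart => two attacks
    for base in (500, 2000):
        for i in range(30):
            pkts.append(Packet(base + i, "192.0.2.77", f"10.9.{i}.1", "ICMP_UNREACH"))
    # Not backscatter: a SYN (a request) and a reply from inside our own block
    pkts.append(Packet(10, "203.0.113.5", "10.0.0.1", "SYN"))
    pkts.append(Packet(11, "10.4.4.4", "10.0.0.2", "RST"))
    return pkts


if __name__ == "__main__":
    for a in cluster_attacks(sample_packets()):
        print(f"{a.victim}: {a.start}-{a.end}s, {a.observed} seen, "
              f"~{a.estimated_packets} sent, ~{a.estimated_pps:.0f} pkt/s -> {a.threat}")
```

Victim A's 200 observed SYN/ACKs over 100 s scale to about 51200 packets, or 512 packets/s, which crosses the server threshold; victim C's two bursts come out as two attacks of about 256 packets/s each. The SYN and the packet sourced from inside the monitor are ignored, which is the slide 10 caveat in code: only unsolicited replies count, and a reflector or a non-random spoofer would not be seen correctly by this method.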

  21.–23. [figure slides]

  24. Autonomous Systems [figure slide]

  25.–27. [figure slides]

  28. Paper #2: Characteristics of Network Traffic Flow Anomalies
  • A project focused on precise characterization of anomalous network traffic behavior
  • Anomalous traffic:
    • Outages
    • Configuration changes
    • Flash crowds
    • Abuse

  29. Paper #2: Introduction
  • Step 1
    • Gather passive measurements of network traffic at the IP flow level
  • Tool
    • FlowScan, open source software
  • Focus:
    • Precisely identify the similarities and differences within each anomaly group

  30. Paper #2: Related Work
  • Network traffic properties
    • time series techniques
    • wavelet analysis
  • Isolating failures in networks
  • Papers on clustering methods, neural networks and Markov models to recognize intrusions
  • Flash crowd behavior is not well treated
  • New mechanisms involving cooperative pushback are being proposed

  31. Paper #2: FlowScan
  • FlowScan collects NetFlow data exported by Cisco routers in a network.
  • NetFlow data includes source and destination AS/IP/port pairs, packet and byte counts, flow start and end times and protocol information.
  • FlowScan maintains a set of counters based upon the attributes of each flow reported by a router.

  32. Paper #2: Anomaly Identification
  • Three general categories
  • Network Operation Anomalies
    • device outages, configuration changes
    • traffic reaching environmental limits
  • Flash Crowd Anomalies
    • Software release (e.g. UW is a RedHat Linux mirror site)
    • or external interest in a site (national publicity)
    • Rapid rise in traffic flows of a particular type (e.g. FTP flows)
  • Network Abuse Anomalies

  33. Network Operation Anomalies
  Example: a network outage which occurred just after 1:00am, a Napster server outage which occurred at 2:00pm, and three instances of turning rate limiters on Napster traffic on/off for the network.

  34. [figure slide]

  35. Paper #2, 3rd anomaly type: Network Abuse Anomalies
  • DoS flood attacks and port scans
  • Different from network operation and flash crowd anomalies
    • not always readily apparent in bit or packet rate measurements
    • flow count measurements clearly indicate abuse activity

  36. [figure] Five minute averages for flows per second into and out of our network broken out by protocol. The anomalous behavior is clearly evident in the spike of flows into the network during a half hour period just before noon.
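The point of slides 35 and 36, that abuse shows up in flow counts while bit and packet rates barely move, can be reproduced on constructed data. The following is an added example, not FlowScan's code or the paper's analysis: it bins a constructed set of inbound flow records into five-minute buckets, sums flows, packets and octets per bucket, and flags buckets that exceed the median by five median absolute deviations. That robust threshold is an assumption standing in for the paper's time series and wavelet methods; the purpose is only to show which of the three metrics reacts to a burst of tiny flows.

```python
"""Five-minute flow/packet/byte counts with a flow-count spike detector (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

BIN = 300   # five-minute bins, matching the averages FlowScan plots


@dataclass
class Flow:
    start: int    # flow start time, seconds
    packets: int
    octets: int


def bin_flows(flows):
    """Aggregate flows into 5-minute bins: number of flows, packets and octets."""
    bins = defaultdict(lambda: {"flows": 0, "packets": 0, "octets": 0})
    for f in flows:
        b = bins[f.start // BIN * BIN]
        b["flows"] += 1
        b["packets"] += f.packets
        b["octets"] += f.octets
    return dict(sorted(bins.items()))


def robust_spikes(series, k=5.0):
    """Bins whose value exceeds median + k * MAD.

    Assumption: a simple robust threshold stands in for the paper's time
    series and wavelet analysis; it is enough to show which metric moves."""
    vals = list(series.values())
    med = median(vals)
    mad = median(abs(v - med) for v in vals) or 1.0
    return [t for t, v in series.items() if v > med + k * mad]


def detect(flows, k=5.0):
    """Return, per metric, the bins flagged as anomalous."""
    bins = bin_flows(flows)
    return {metric: robust_spikes({t: b[metric] for t, b in bins.items()}, k)
            for metric in ("flows", "packets", "octets")}


def sample_flows():
    """Constructed hour of inbound flows with an abuse burst in the bin at t=1800 s."""
    flows = []
    for i in range(12):
        # normal traffic: 200-220 flows of 50 packets / 40 kB each per bin
        for n in range(200 + (i % 3) * 10):
            flows.append(Flow(i * BIN + n % BIN, 50, 40_000))
    # abuse: 1500 single-packet flows (a SYN flood or port scan) in bin 6
    for n in range(1500):
        flows.append(Flow(6 * BIN + n % BIN, 1, 40))
    return flows


if __name__ == "__main__":
    for t, b in bin_flows(sample_flows()).items():
        print(f"t={t:5d}s flows={b['flows']:5d} packets={b['packets']:6d} octets={b['octets']:9d}")
    print(detect(sample_flows()))
```

On this data the flow count in the 1800 s bin jumps from about 200 to 1700 and is flagged, while the added 1500 packets and 60 kB sit inside the normal variation of the packet and octet series, so neither of those is flagged. That is the detection signal the slides describe: count flows per interval, not just bytes.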

  37. Paper #2: Anomaly Characteristics - Analysis Process
  • 1st step: isolate each of the anomalies in the data sets and group them into the three general categories mentioned.
  • 2nd step: apply time series analysis
    • analyze stationarity and correlation structures, and test various time series models to see if any are accurate statistical representations of the anomaly data -> model development
  • Final step: apply wavelet analysis

  38. Paper #2: Future Work
  • Various directions
    • Evaluate 1 min vs. 5 min bins
    • Accuracy vs. dataset size
    • Anomaly data collection process across multiple sites
    • Larger datasets
    • Correlations of behavior across sites

  39. Paper #3: An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks
  • Overview
    • Definition of DDoS attack
    • Different traceback schemes
    • Reflectors
    • Defenses against reflectors
    • Filtering out reflector replies
    • Implications of using reflectors for traceback

  40. [figure slide]

  41. Traceback schemes
  • Traceback schemes for spoofed packets
    • ITRACE (ICMP Trace)
      • Volume based
    • Probabilistic packet marking
      • Computational difficulties – scaling
    • Source Path Isolation Engine (SPIE)
  • Does traceback information help?

  42. Reflectors
  • A reflector is any IP host that will return one or more packets if sent a packet. Examples:
    • Web servers: return SYN ACKs or RSTs in response to SYNs or other TCP packets.
    • DNS servers: return query replies in response to query requests.
    • Routers: return ICMP Time Exceeded or Host Unreachable messages in response to particular IP packets.

  43. [figure slide]

  44. Using Reflectors
  • A reflector cannot easily locate the slave because of the IP spoofing.
  • If there are Nr reflectors, Ns slaves and a flooding rate F from each slave:
    • Flooding rate at each reflector F' = F * Ns / Nr
  • So individual reflectors send at a much lower rate than the slaves.
  • A local detection mechanism at each reflector, based on volume, fails to detect the attack.

  45. Reflectors contd…
  • Traceback mechanisms based on larger volumes of traffic, such as ITRACE, probabilistic packet marking etc., fail.
  • Using reflectors gives attackers protection against traceback mechanisms.
  • Source Path Isolation Engine (SPIE) helps.
  • Reflectors need not serve as amplifiers.

  46. Defense against Reflectors
  • Prevent source address spoofing by ubiquitous deployment of ingress filtering. Application level reflectors such as recursive DNS queries or HTTP proxy requests can still be used. Disadvantage: not feasible.
  • Traffic generated by reflectors can be filtered or classified by the victim.
  • Deploying filters to prevent serving as reflectors. Disadvantage: requires widespread deployment of filtering.

  47. Defense against Reflectors …
  • Deploy traceback mechanisms that incorporate the reflector end-host software itself in the scheme, allowing traceback through the reflector back to the slave. Disadvantage: enormous deployment difficulties.
  • Intrusion Detection Systems (IDS) monitor a site’s network for active slaves. Disadvantage: requires widespread deployment of security technology.

  48. Filtering out Reflector replies
  • IP packets
    • Type of service (TOS/DSCP) (for future scenarios)
      • Difficult for the attacker to manipulate a reflector into attaching a particular DSCP to its traffic.
      • If the traffic in general is premium, then it will be difficult for the attacker to force the premium marking, given the financial motivation to secure the use of premium traffic.

  49. IP packets
  • IP fragments
    • Make it difficult for the victim to filter on the protocol header information.
    • The victim can filter out all fragmented traffic.
      • Because of the limited use of fragments in the Internet, it suffers little degradation.
      • Other than for protocols like NFS, AFS etc.
  • IP protocol field
    • Filter out uninteresting protocol traffic.
  • IP source and destination address
    • Filter out unknown or suspicious sourced traffic.

  50. Types of ICMP reflector replies:
  • ICMP echo, timestamp, address mask, router solicitation, information request/reply.
    • ICMP echo is widely used.
    • Smurf attacks.
  • ICMP source quench, unreachable, time exceeded, parameter problem, and redirect.
  Important ICMP messages:
  • Host unreachable.
  • Time exceeded.
  • Need fragmentation.
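Slides 48 to 50 list the fields a victim can filter on; put together they form one packet classifier. The following is an added example, not code from the slides or from the reflector paper: it drops IP fragments, drops protocols the site does not use (the allowed set of ICMP, TCP and UDP is an assumption), drops traffic from a constructed suspicious-source list, and for ICMP keeps only the three message types the last slide calls important (host unreachable, fragmentation needed, time exceeded), dropping the reply-type messages a reflector would send. The ICMP type and code numbers are the standard ones (type 3 code 1, type 3 code 4, type 11); the DSCP rule from slide 48 is left out because it depends on a premium-traffic arrangement the slides describe only as a future scenario.

```python
"""Victim-side filter for reflector replies (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# IP protocol numbers the site expects to receive (assumption: ICMP, TCP, UDP only)
ALLOWED_PROTOS = {1, 6, 17}
ICMP = 1
# ICMP messages a host still needs for normal operation (slide 50):
#   type 3 code 1 = host unreachable, type 3 code 4 = fragmentation needed,
#   type 11 = time exceeded (codes 0 and 1)
NEEDED_ICMP = {(3, 1), (3, 4), (11, 0), (11, 1)}
# Constructed blocklist of sources the site considers suspicious
SUSPICIOUS_SOURCES = [ip_network("198.51.100.0/24")]


@dataclass
class Packet:
    src: str
    proto: int
    fragment: bool = False     # True if more-fragments is set or offset != 0
    icmp_type: int = -1
    icmp_code: int = -1


def classify(p: Packet):
    """Return ("accept" | "drop", reason) following the slides' filtering order."""
    if p.fragment:
        # fragments hide the transport header; the slides' rule is to drop them all
        return ("drop", "fragment")
    if p.proto not in ALLOWED_PROTOS:
        return ("drop", f"protocol {p.proto} not in use")
    if any(ip_address(p.src) in net for net in SUSPICIOUS_SOURCES):
        return ("drop", "suspicious source")
    if p.proto == ICMP:
        if (p.icmp_type, p.icmp_code) in NEEDED_ICMP:
            return ("accept", f"icmp {p.icmp_type}/{p.icmp_code} needed")
        # echo/timestamp/mask/info replies, router advertisements, source
        # quench, redirect and parameter problem are reflector fodder: drop
        return ("drop", f"icmp {p.icmp_type}/{p.icmp_code} not needed")
    return ("accept", "tcp/udp")


def filter_packets(packets):
    """Apply classify() to a batch; return accepted packets and the drop reasons."""
    accepted, drop_reasons = [], []
    for p in packets:
        verdict, reason = classify(p)
        if verdict == "accept":
            accepted.append(p)
        else:
            drop_reasons.append(reason)
    return accepted, drop_reasons


def sample_packets():
    """Constructed mix of legitimate traffic and typical reflector replies."""
    return [
        Packet("203.0.113.10", 6),                              # ordinary TCP
        Packet("203.0.113.10", 6, fragment=True),               # TCP fragment
        Packet("203.0.113.11", 47),                             # GRE, not in use here
        Packet("198.51.100.5", 17),                             # UDP from blocklisted net
        Packet("192.0.2.1", ICMP, icmp_type=0, icmp_code=0),    # echo reply (smurf-style)
        Packet("192.0.2.2", ICMP, icmp_type=14, icmp_code=0),   # timestamp reply
        Packet("192.0.2.3", ICMP, icmp_type=3, icmp_code=1),    # host unreachable
        Packet("192.0.2.4", ICMP, icmp_type=3, icmp_code=4),    # fragmentation needed
        Packet("192.0.2.5", ICMP, icmp_type=11, icmp_code=0),   # TTL exceeded
        Packet("192.0.2.6", ICMP, icmp_type=5, icmp_code=1),    # redirect
    ]


if __name__ == "__main__":
    accepted, reasons = filter_packets(sample_packets())
    print(f"accepted {len(accepted)}, dropped {len(reasons)}: {reasons}")
```

Of the ten constructed packets, four pass (the plain TCP segment and the three needed ICMP messages) and six are dropped, each with a reason that names the rule. Keeping fragmentation-needed messages matters in practice: dropping all of ICMP type 3 would break path MTU discovery for the site's own connections.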
