DDoS/Traceback Paper Group #23: Characterization
Ozgur Ozturk
CSE 581 - W02 Internet Technologies
Instructed by Wu-chang Feng
DDoS/Traceback-Characterisation Ozgur Ozturk
Paper List
• "Inferring Internet Denial-of-Service Activity" [MOORE]
  • D. Moore @ CAIDA
  • G. Voelker, S. Savage @ UCSD
  • 2001 USENIX Security Symposium
Moore: Outline
• Underlying mechanisms of DoS attacks
• The backscatter analysis technique
• Techniques for classifying attacks
• Validation
• Observations and results
• Conclusions
Moore: Abstract
• Backscatter analysis infers a global view of DoS activity from purely local monitoring of one address block, and yields quantitative data on attack counts, rates and durations
• Videos
  • Traffic characterisation (how the data is gathered)
    • http://www.caida.org/outreach/resources/animations/passive_monitoring/traffic_char.mpg (1min12s)
  • TCP port analysis
    • http://www.caida.org/outreach/resources/animations/passive_monitoring/tcp_port_analysis.mpg (2min15s)
  • Backscatter
    • http://www.caida.org/outreach/resources/animations/passive_monitoring/backscatter.mpg (1min26s)
Moore: DoS Attacks Background
• Logic attacks
  • exploit software flaws
  • e.g. Ping of Death
• Flooding attacks
  • overwhelm CPU, memory or bandwidth
  • e.g. SYN flood, ICMP flood
Flooding Attacks and Backscatter
• Attackers spoof the source address of each packet at random
• Many small packets: the victim's bottleneck is packets per second, not bytes
  • e.g. a TCP SYN that matches no existing connection makes the victim allocate state for it
• The victim replies to each attack packet; with a spoofed source, the reply goes to the forged address
• Remotely controlled "zombies" generate the flood in a distributed attack (DDoS)
Randomness in IP addresses
• If spoofed sources are chosen uniformly at random, the unsolicited replies (backscatter) are spread evenly across the whole IP address space
• Backscatter arriving at a monitored address block is therefore evidence of an attack on a victim elsewhere, and the victim is the source address of that backscatter
[Figures: backscatter illustrations from the CAIDA page]
Assumptions
• Address uniformity: spoofed sources are uniformly random, so a monitored block covering 1/n of the address space sees about 1/n of the backscatter
• Reliable delivery: backscatter is not lost or filtered on its way to the monitor
• Backscatter hypothesis: unsolicited packets arriving at the monitor are backscatter from a victim
• Where the assumptions break
  • any server can send unsolicited packets, so scans or misconfiguration can look like backscatter
  • attacks that do not spoof at random (e.g. reflector attacks) may not be detected
  • some attacks (e.g. TCP RST floods) produce no backscatter at all
Clustering packets into attacks
• Group backscatter by victim (the source address) and by kind (TCP vs ICMP)
• Decide whether a victim's packets form a single attack or several, and determine the start and end times of each
• A quiet gap ends an attack; the gap threshold trades off between reporting a small number of longer attacks or many short attacks
Platform
[Figure: monitoring platform]
Results
• About 13,000 attacks observed
• Against some 5,000 distinct victim IP addresses in about 2,000 DNS domains
• 200 million backscatter packets captured
• The monitor covers 1/256 of the address space, so the real number of attack packets is at least 256 times the observed backscatter
How threatening?
• 500 packets per second are enough to overwhelm a server
  • 38% (uniform-random subset) to 46% (all attacks) of attacks reached this rate
• 14,000 packets per second are needed to overwhelm a firewall
  • 0.3% (uniform) to 2.4% (all) of attacks reached this rate
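The backscatter workflow of the preceding slides (cluster packets by victim, check address uniformity, scale the observed count by 256, compare the estimated rate with the 500 and 14,000 pps thresholds), as an added example that is not code from the Moore paper or from CAIDA. It assumes a monitored /8 (10.0.0.0/8 standing in for the telescope), a 5-minute quiet gap as the attack boundary, a chi-square test over the second destination octet in place of the paper's uniformity test, and a constructed trace with two victims.

```python
"""Backscatter-style attack classification over a constructed trace.
Added example: not code from the Moore/Voelker/Savage paper or from CAIDA."""
import ipaddress

# Assumptions of this example (not the paper's exact parameters):
TELESCOPE = ipaddress.ip_network("10.0.0.0/8")  # stand-in for the monitored /8
SCALE = 256            # a /8 sees 1/256 of uniformly spread backscatter
FLOW_TIMEOUT = 300.0   # seconds of silence that splits one victim's packets into two attacks
SERVER_PPS = 500       # rate thresholds quoted on the slides
FIREWALL_PPS = 14000
CHI2_CRIT_15DF = 25.0  # ~95% critical value, chi-square with 15 degrees of freedom (16 bins)


def constructed_trace():
    """Constructed backscatter packets seen at the telescope: (time, src=victim, dst, kind)."""
    base = int(TELESCOPE.network_address)
    pkts = []
    # Victim A: 512 SYN/ACKs in ~51 s; destinations sweep the second octet evenly,
    # as they would if the attacker's spoofed sources were uniformly random.
    for i in range(512):
        dst = ipaddress.ip_address(base + ((i % 256) << 16) + (i * 7919) % 65536)
        pkts.append((i * 0.1, "192.0.2.10", str(dst), "SYN/ACK"))
    # Victim A again after a quiet gap: a second, slower attack of 256 packets in ~102 s
    for i in range(256):
        dst = ipaddress.ip_address(base + (i << 16) + (i * 104729) % 65536)
        pkts.append((1100.0 + i * 0.4, "192.0.2.10", str(dst), "SYN/ACK"))
    # Host B: 40 ICMP echo replies, all to the same telescope address. Not spread
    # over the block, so it fails the uniformity assumption (scan or misconfiguration).
    for i in range(40):
        pkts.append((10.0 + i, "198.51.100.7", "10.20.30.40", "ICMP echo reply"))
    return sorted(pkts)


def cluster_attacks(pkts, timeout=FLOW_TIMEOUT):
    """Flow-based clustering: consecutive packets from one victim closer than
    `timeout` seconds belong to the same attack. Packets must be time-ordered."""
    attacks, open_flows = [], {}
    for t, victim, dst, kind in pkts:
        if ipaddress.ip_address(dst) not in TELESCOPE:
            continue  # the monitor only sees its own block
        cur = open_flows.get(victim)
        if cur is None or t - cur["end"] > timeout:
            cur = {"victim": victim, "start": t, "end": t, "packets": 0,
                   "kinds": set(), "dst_bins": [0] * 16}
            open_flows[victim] = cur
            attacks.append(cur)
        cur["end"] = t
        cur["packets"] += 1
        cur["kinds"].add(kind)
        second_octet = (int(ipaddress.ip_address(dst)) >> 16) & 0xFF
        cur["dst_bins"][second_octet >> 4] += 1   # 16 bins over the second octet
    return attacks


def is_uniform(bins, crit=CHI2_CRIT_15DF):
    """Chi-square goodness of fit against a uniform spread over the bins
    (a simplification of the paper's uniformity test)."""
    expected = sum(bins) / len(bins)
    chi2 = sum((b - expected) ** 2 / expected for b in bins)
    return chi2 < crit


def estimated_rate(attack):
    """Packets per second at the victim: observed backscatter scaled by the
    fraction of the address space the telescope covers."""
    duration = max(attack["end"] - attack["start"], 1.0)
    return attack["packets"] * SCALE / duration


def classify(attack):
    rate = estimated_rate(attack)
    if not is_uniform(attack["dst_bins"]):
        tier = "non-uniform"   # not random-spoof backscatter; excluded from the uniform subset
    elif rate >= FIREWALL_PPS:
        tier = "firewall-class"
    elif rate >= SERVER_PPS:
        tier = "server-class"
    else:
        tier = "low-rate"
    return {"victim": attack["victim"], "packets": attack["packets"],
            "duration_s": round(attack["end"] - attack["start"], 1),
            "est_pps": round(rate), "kinds": sorted(attack["kinds"]), "tier": tier}


def analyze(pkts=None):
    """Cluster, then classify every attack in the trace."""
    pkts = constructed_trace() if pkts is None else pkts
    return [classify(a) for a in cluster_attacks(pkts)]


if __name__ == "__main__":
    for row in analyze():
        print(row)
```

Host B is reported separately rather than silently dropped: the paper's uniform-random subset is exactly the set of attacks that pass the uniformity test, and the "all attacks" figures on the slide include the rest.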
Autonomous Systems
[Figure: attacks broken down by autonomous system]
Paper #2: Characteristics of Network Traffic Flow Anomalies
• A project focused on precise characterization of anomalous network traffic behavior
• Anomalous traffic
  • outages
  • configuration changes
  • flash crowds
  • abuse
Paper #2: Introduction
• Step 1: gather passive measurements of network traffic at the IP flow level
• Tool: FlowScan, open-source software
• Focus: precisely identify the similarities and differences among the anomaly groups
Paper #2: Related Work
• Network traffic properties
  • time series techniques
  • wavelet analysis
• Isolating failures in networks
• Papers on clustering methods, neural networks and Markov models to recognize intrusions
• Flash crowd behavior is not well treated
• New mechanisms involving cooperative pushback are being proposed
Paper #2: FlowScan
• FlowScan collects NetFlow data exported by the Cisco routers in a network
• NetFlow data includes source and destination AS/IP/port pairs, packet and byte counts, flow start and end times, and protocol information
• FlowScan maintains a set of counters based on the attributes of each flow reported by a router
Paper #2: Anomaly Identification
• Three general categories
• Network operation anomalies
  • device outages, configuration changes
  • traffic reaching environmental limits
• Flash crowd anomalies
  • software release (e.g. UW is a RedHat Linux mirror site)
  • or external interest in a site (national publicity)
  • rapid rise in traffic flows of a particular type (e.g. FTP flows)
• Network abuse anomalies
Network Operation Anomalies
[Figure] Example: a network outage just after 1:00am, a Napster server outage at 2:00pm, and three instances of rate limiters on Napster traffic being turned on and off.
Paper #2: Third anomaly type: Network Abuse Anomalies
• DoS flood attacks and port scans
• Different from network operation and flash crowd anomalies
  • not always readily apparent in bit rate or packet rate measurements, because each flow carries few packets and bytes
  • flow count measurements clearly indicate the abuse activity
[Figure] Five-minute averages of flows per second into and out of the network, broken out by protocol. The anomalous behavior is clearly evident in the spike of flows into the network during a half-hour period just before noon.
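FlowScan-style per-protocol counters and the flow-count signature of abuse described on the previous slides, as an added example that is not FlowScan's own code and not from the paper. It assumes NetFlow-like records as tuples, charges each flow to the five-minute interval of its start time, uses constructed traffic (ordinary sessions plus a port sweep in one interval), and applies a flow-rate-versus-bit-rate rule with hypothetical thresholds.

```python
"""FlowScan-style per-protocol flow counters and the flow-count signature of abuse.
Added example: not FlowScan's code and not from the paper."""
from collections import defaultdict
from statistics import median

INTERVAL = 300  # seconds: the five-minute averages used on the slides

# IP protocol numbers
TCP, UDP = 6, 17


def constructed_flows():
    """Constructed NetFlow-style records:
    (start, end, src, dst, proto, sport, dport, packets, bytes).
    Six five-minute intervals of ordinary traffic, plus a TCP port sweep in interval 3."""
    flows = []
    for b in range(6):
        t0 = b * INTERVAL
        for i in range(300):   # ordinary web sessions: many packets and bytes per flow
            flows.append((t0 + i, t0 + i + 60, f"198.51.100.{i % 200}", "192.0.2.10",
                          TCP, 40000 + i, 80, 100, 80_000))
        for i in range(20):    # a little DNS
            flows.append((t0 + 10 * i, t0 + 10 * i + 1, f"198.51.100.{i}", "192.0.2.53",
                          UDP, 50000 + i, 53, 2, 200))
    # Abuse: one host sweeping 3,000 TCP ports on one target, one 40-byte SYN per flow.
    t0 = 3 * INTERVAL
    for port in range(1, 3001):
        t = t0 + port * 0.05
        flows.append((t, t, "203.0.113.9", "192.0.2.20", TCP, 4444, port, 1, 40))
    return flows


def bin_flows(flows, interval=INTERVAL):
    """Counters keyed by (interval index, protocol), the way FlowScan keeps counters
    per flow attribute. A flow is charged to the interval of its start time
    (assumption of this example)."""
    counters = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for start, _end, _src, _dst, proto, _sport, _dport, packets, nbytes in flows:
        c = counters[(int(start // interval), proto)]
        c["flows"] += 1
        c["packets"] += packets
        c["bytes"] += nbytes
    return counters


def rates(counters, proto, interval=INTERVAL):
    """(interval, flows/s, packets/s, bits/s) for one protocol, in time order."""
    rows = []
    for i in sorted(i for (i, p) in counters if p == proto):
        c = counters[(i, proto)]
        rows.append((i, c["flows"] / interval, c["packets"] / interval, 8 * c["bytes"] / interval))
    return rows


def flow_count_anomalies(counters, proto, flow_factor=5.0, volume_factor=2.0):
    """Intervals whose flow rate is far above the median while the bit rate is not:
    the abuse pattern (scans, SYN floods) that byte and packet plots can miss.
    The two factors are hypothetical thresholds."""
    rows = rates(counters, proto)
    med_flows = median(r[1] for r in rows)
    med_bits = median(r[3] for r in rows)
    return [i for i, f, _p, bits in rows
            if f > flow_factor * med_flows and bits < volume_factor * med_bits]


if __name__ == "__main__":
    counters = bin_flows(constructed_flows())
    for i, f, p, bits in rates(counters, TCP):
        print(f"interval {i}: {f:6.2f} flows/s {p:8.1f} pkt/s {bits / 1e6:8.2f} Mbit/s")
    print("flow-count anomalies (TCP):", flow_count_anomalies(counters, TCP))
```

In the constructed data the sweep multiplies the TCP flow rate by eleven while adding well under one percent to the bit rate, which is the point of the slide: a per-flow counter sees it, a bandwidth graph does not.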
Paper #2: Anomaly Characteristics, Analysis Process
• First step: isolate each anomaly in the data sets and group them into the three general categories above
• Second step: apply time series analysis
  • analyze stationarity and correlation structure, and test various time series models to see whether any is an accurate statistical representation of the anomaly data (model development)
• Final step: apply wavelet analysis
Paper #2: Future Work
• Various directions
  • evaluate 1-minute vs 5-minute intervals
  • accuracy vs dataset size
  • anomaly data collection across multiple sites
  • larger datasets
  • correlation of behavior across sites
Paper #3: An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks
• Overview
  • definition of a DDoS attack
  • different traceback schemes
  • reflectors
  • defenses against reflectors
  • filtering out reflector replies
  • implications of using reflectors for traceback
Traceback schemes
• Traceback schemes for spoofed packets
  • ITRACE (ICMP traceback): volume based
  • Probabilistic packet marking: computational difficulties, scaling
  • Source Path Isolation Engine (SPIE)
• Does traceback information help?
Reflectors
• A reflector is any IP host that returns one or more packets when sent a packet. Examples:
  • web servers: return SYN/ACKs or RSTs in response to SYNs or other TCP packets
  • DNS servers: return query replies in response to queries
  • routers: return ICMP Time Exceeded or Host Unreachable messages in response to particular IP packets
Using Reflectors
• A reflector cannot easily locate the slave, because the slave spoofs its source address (the victim's)
• With Nr reflectors, Ns slaves and a flooding rate F from each slave, the rate at each reflector is F' = F * Ns / Nr
• So each individual reflector sends (and receives) at a much lower rate than the slaves do
• A local, volume-based detection mechanism at each reflector therefore fails to notice anything
Reflectors (continued)
• Traceback mechanisms that rely on large traffic volumes, such as ITRACE and probabilistic packet marking, fail at the reflectors
• Using reflectors thus shields the attacker from traceback
• SPIE, which can trace a single packet, still helps
• Reflectors need not be amplifiers to be useful to the attacker
Defense against reflectors
• Prevent source-address spoofing by ubiquitous deployment of ingress filtering
  • application-level reflectors such as recursive DNS queries or HTTP proxy requests can still be used, since they need no spoofing
  • disadvantage: universal deployment is not feasible
• Traffic generated by reflectors can be filtered or classified by the victim
• Deploy filters at hosts so that they cannot serve as reflectors
  • disadvantage: requires widespread deployment of filtering
Defense against reflectors (continued)
• Deploy traceback mechanisms that incorporate the reflector's end-host software in the scheme, allowing traceback through the reflector back to the slave
  • disadvantage: enormous deployment difficulties
• Intrusion detection systems (IDS) monitor a site's network for active slaves
  • disadvantage: requires widespread deployment of security technology
Filtering out reflector replies
• IP packets
  • Type of service (TOS/DSCP) field, for future differentiated-services scenarios
    • it is difficult for the attacker to manipulate a reflector into attaching a particular DSCP to its traffic
    • if legitimate traffic is premium-marked, the attacker will find it hard to force the premium marking, given the financial motivation of providers to secure the use of premium traffic
IP packets (continued)
• IP fragments
  • make it hard for the victim to filter on transport-header fields, since only the first fragment carries them
  • the victim can simply drop all fragmented traffic: fragments are rarely used on the Internet, so the loss is small
  • exceptions are protocols that rely on fragmentation, such as NFS and AFS
• IP protocol field
  • drop traffic for protocols the site does not use
• IP source and destination address
  • drop traffic from unknown or suspicious sources
Types of ICMP reflector replies
• Request/reply pairs: ICMP echo, timestamp, address mask, router solicitation, information request/reply
  • ICMP echo is the widely used one (smurf attacks)
• Error messages: source quench, unreachable, time exceeded, parameter problem, redirect
• ICMP messages the victim still needs and cannot simply drop:
  • host unreachable
  • time exceeded
  • fragmentation needed (path MTU discovery)
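A victim-side filter for reflector replies, applying the rules of the last three slides (drop fragments, drop uninteresting protocols, drop suspicious sources, drop reflector-style ICMP but keep host unreachable, time exceeded and fragmentation needed), as an added example that is not from the Paxson paper. It assumes raw IPv4 packets constructed inline with a zero header checksum, a keep-list of ICMP type/code pairs that is this example's policy rather than the paper's, and a hypothetical `suspicious_sources` set supplied by the caller.

```python
"""Victim-side filter for reflector replies: parse IPv4 and ICMP headers and apply
the drop/keep policy from the slides. Added example, not code from the paper."""
import struct

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
ALLOWED_PROTOCOLS = {IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP}   # "interesting" protocols for this site
# (type, code) of ICMP messages the victim still needs; None matches any code.
# Policy of this example: host unreachable, fragmentation needed, time exceeded.
ICMP_KEEP = {(3, 1), (3, 4), (11, None)}


def build_ipv4(src, dst, proto, payload, dscp=0, more_fragments=False, frag_offset=0, ident=1):
    """Constructed IPv4 packet (header checksum left as zero; we only parse, never send)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, dscp << 2, 20 + len(payload), ident, flags_frag, 64, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return header + payload


def icmp(type_, code, rest=b"\x00" * 4):
    """ICMP header with a zero checksum followed by the 4-byte 'rest of header'."""
    return struct.pack("!BBH", type_, code, 0) + rest


def parse_ipv4(pkt):
    """Decode the IPv4 fields the filter needs from a raw packet."""
    ver_ihl, tos, _total, _ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "dscp": tos >> 2, "proto": proto,
            "more_fragments": bool(flags_frag & 0x2000), "frag_offset": flags_frag & 0x1FFF,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "payload": pkt[ihl:]}


def filter_reply(pkt, suspicious_sources=frozenset()):
    """Return (verdict, reason) for a packet arriving at the victim."""
    ip = parse_ipv4(pkt)
    if ip["version"] != 4:
        return ("drop", "not IPv4")
    if ip["more_fragments"] or ip["frag_offset"]:
        return ("drop", "fragment: transport header cannot be filtered")
    if ip["src"] in suspicious_sources:
        return ("drop", f"suspicious source {ip['src']}")
    if ip["proto"] not in ALLOWED_PROTOCOLS:
        return ("drop", f"uninteresting protocol {ip['proto']}")
    if ip["proto"] == IPPROTO_ICMP:
        icmp_type, icmp_code = struct.unpack("!BB", ip["payload"][:2])
        if (icmp_type, icmp_code) in ICMP_KEEP or (icmp_type, None) in ICMP_KEEP:
            return ("accept", f"needed ICMP type {icmp_type} code {icmp_code}")
        return ("drop", f"reflector-style ICMP type {icmp_type} code {icmp_code}")
    return ("accept", f"protocol {ip['proto']} passed on to transport-level checks")


def constructed_packets():
    """Constructed sample traffic arriving at victim 192.0.2.10."""
    return {
        "echo_reply": build_ipv4("198.51.100.1", "192.0.2.10", IPPROTO_ICMP, icmp(0, 0)),
        "frag_needed": build_ipv4("198.51.100.2", "192.0.2.10", IPPROTO_ICMP, icmp(3, 4)),
        "time_exceeded": build_ipv4("198.51.100.3", "192.0.2.10", IPPROTO_ICMP, icmp(11, 0)),
        "fragment": build_ipv4("198.51.100.4", "192.0.2.10", IPPROTO_TCP, b"\x00" * 8,
                               more_fragments=True),
        "gre": build_ipv4("198.51.100.5", "192.0.2.10", 47, b"\x00" * 4),
        "syn_ack": build_ipv4("198.51.100.6", "192.0.2.10", IPPROTO_TCP, b"\x00" * 20),
    }


if __name__ == "__main__":
    for name, pkt in constructed_packets().items():
        print(f"{name:14s} dscp={parse_ipv4(pkt)['dscp']:2d} -> {filter_reply(pkt)}")
```

The DSCP value is decoded but not used as a drop criterion, matching the slide's point that it is a future-scenario signal; a site that does receive premium-marked legitimate traffic could add it to the policy.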