CS 563.9.2 DoS Overview: DoS Countermeasures
Presented by: Fariba Khan
DoS Group: Fariba Khan, Omid Fatemieh, Roger Fliege
University of Illinois, Spring 2006

DoS Defense Research
• Pushback
• Traceback
• Ingress filtering
• Secure Overlay Services
• Pi (Packet marking)
• TVA
• Network architecture improvement
• Proof of Work
• Locality and Entropy
Pushback (Mahajan, Bellovin, Floyd, Ioannidis, Paxson, Shenker 02)
• Look for severe congestion
• Identify the congestion signature
• Push back a rate-limit on that signature to upstream routers
• Drawbacks:
  • Signature too broad or too narrow
  • Router upgrade required
  • Traffic state kept in routers
  • Too much, too late
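A small simulation of the two pushback steps on the slide, written for this page rather than taken from the Mahajan et al. paper: widening a destination prefix from /32 until one prefix explains most of the dropped bytes shows the "too narrow vs. too broad" signature trade-off, and the resulting rate-limit is split across upstream interfaces in proportion to what each sent. The packet samples, interface names and the 60% threshold are constructed assumptions.

```python
import ipaddress
from collections import Counter


def prefix_of(ip, plen):
    """Destination prefix a packet falls into (a candidate congestion signature)."""
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))


def congestion_signature(dropped, share=0.6):
    """Start at /32 and widen until one destination prefix accounts for at least
    `share` of the dropped bytes. Stopping at the narrowest such prefix is the
    slide's trade-off: too narrow misses part of the attack, too broad also
    rate-limits legitimate traffic to neighbouring addresses. None = no signature."""
    total = sum(p["bytes"] for p in dropped)
    for plen in range(32, 7, -1):
        by_prefix = Counter()
        for p in dropped:
            by_prefix[prefix_of(p["dst"], plen)] += p["bytes"]
        prefix, nbytes = by_prefix.most_common(1)[0]
        if nbytes / total >= share:
            return prefix
    return None


def pushback_requests(prefix, arrivals, limit_bps):
    """Push the rate-limit for the aggregate upstream: each upstream interface is
    asked for a share proportional to the bytes it sent toward `prefix`."""
    net = ipaddress.ip_network(prefix)
    per_iface = Counter()
    for p in arrivals:
        if ipaddress.ip_address(p["dst"]) in net:
            per_iface[p["iface"]] += p["bytes"]
    total = sum(per_iface.values())
    return {iface: limit_bps * b / total for iface, b in per_iface.items()}


# Constructed samples (documentation addresses), not from any real capture.
DROPPED = (
    [{"dst": "198.51.100.10", "bytes": 1500, "iface": "up1"}] * 9   # attack aggregate
    + [{"dst": "198.51.100.11", "bytes": 1500, "iface": "up2"}] * 5
    + [{"dst": "198.51.100.50", "bytes": 1500, "iface": "up1"}] * 2  # neighbouring host
    + [{"dst": "203.0.113.9", "bytes": 1500, "iface": "up3"}] * 4    # unrelated traffic
)
```

With the 60% threshold the signature is the /31 holding the two flooded hosts; raising the threshold to 80% widens it to a /26 that also covers the innocent neighbour.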
Traceback and Ingress Filtering (Mirkovic, Dietrich, Dittrich, Reiher 04)
• Locate the source of the attack
• Persuade the ISP to install a filter
[Figure: leaf network 204.69.207.0/24 behind an ISP, with ingress and egress filtering points]

Traceback Taxonomy (Gao, Ansari 05)
[Figure: taxonomy of traceback schemes]
Secure Overlay Services (Keromytis, Misra, Rubenstein 02)
• Authenticate client communication
• Longer/slower route
• Closed network
[Figure: source point -> overlay access point -> overlay nodes -> beacon -> secret servlet -> target inside a filtered region]
Pi (Packet marking) (Yaar, Perrig, Song 03)
• Marking scheme: each router marks n bits into the IP Identification field
• Marking function: last n bits of a hash (e.g. MD5) of the router IP address
• Marking aggregation: the router pushes its marking into the IP Identification field
• There is only so much space in the IP Identification field
[Figure: Identification field bits filled hop by hop along the path from A to V]
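The marking scheme above, worked through as an added example (not the authors' code): each router appends the last n bits of the MD5 of its address by shifting the 16-bit Identification field, and a victim-side filter drops packets whose mark matches one already seen on attack traffic. The router addresses are constructed, and "last n bits" is taken as the low-order bits of the digest (an assumption).

```python
import hashlib
import ipaddress

IP_ID_BITS = 16  # width of the IPv4 Identification field that carries the marks


def router_mark(router_ip, n):
    """Marking function: the last n bits of MD5(router IP address)."""
    digest = hashlib.md5(ipaddress.ip_address(router_ip).packed).digest()
    return int.from_bytes(digest, "big") & ((1 << n) - 1)


def push_mark(ip_id, mark, n):
    """Marking aggregation: shift the marks of earlier routers left by n bits and
    append this router's mark; whatever is pushed past bit 16 is lost."""
    return ((ip_id << n) | mark) & ((1 << IP_ID_BITS) - 1)


def pi_mark_along_path(path, n, initial_id=0):
    """Mark a packet at every router on `path` (nearest the source first) and
    return the Identification field as the victim sees it."""
    ip_id = initial_id
    for hop in path:
        ip_id = push_mark(ip_id, router_mark(hop, n), n)
    return ip_id


def hops_remembered(n):
    """Only the last 16/n routers leave a mark that survives to the victim."""
    return IP_ID_BITS // n


class PiVictimFilter:
    """Victim-side use of Pi: remember the marks of packets judged to be attack
    traffic and drop later packets carrying the same mark (same last hops)."""

    def __init__(self):
        self.attack_marks = set()

    def learn_attack(self, ip_id):
        self.attack_marks.add(ip_id)

    def should_drop(self, ip_id):
        return ip_id in self.attack_marks


# Constructed router addresses from a documentation range, not a real trace.
ATTACK_PATH = [f"192.0.2.{i}" for i in range(1, 11)]        # 10 routers
SAME_TAIL_PATH = ["198.51.100.7", "198.51.100.8"] + ATTACK_PATH[2:]
```

With n = 2 the field remembers eight hops, so two paths that differ only in their first two routers produce the same mark and are indistinguishable to the filter; that is the space limit the slide refers to.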
TVA (Capability) (Yang, Wetherall, Anderson 05)
• PreCapability (Pi) = hash(srcIP, destIP, time, secret)
• RTS (request) packets are rate limited
  • 1-5% of bandwidth
• Pi queue at router
  • Most recent Pi
[Figure: Alice sends an RTS toward CNN; routers along the path stamp Pre1, Pre2]

TVA (Capability), continued
• Capability = timestamp || Hash(N, T, PreCap)
  • N bytes, T seconds
• Stateless receiver
  • Does not store N, T
• Bounded router state (per-destination queue)
  • Input link C, minimum sending rate N/T
  • C/(N/T) records
[Figure: Alice's data packets carry CAP Cap1, Cap2 through the routers to CNN]
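The request/authorize/verify exchange from the two TVA slides, as an added example that is not the authors' code: routers stamp pre-capabilities on the RTS, the destination turns them into capabilities for N bytes over T seconds, and each router later re-derives its capability from the packet header and its secret without keeping per-flow state. The truncated-SHA-256 construction, the 4-byte timestamp and all addresses and secrets are assumptions for this example.

```python
import hashlib
import hmac
import os

TAG_LEN = 8  # bytes of truncated hash kept for a pre-capability or capability


def make_capability(precap, t, n_bytes, t_secs):
    """Capability = timestamp || Hash(N, T, PreCap). The destination builds it from
    the pre-capability it received; a router rebuilds it when checking a packet."""
    tag = hashlib.sha256(f"{n_bytes}|{t_secs}|".encode() + precap).digest()[:TAG_LEN]
    return t.to_bytes(4, "big") + tag


class TVARouter:
    """A router on the path: it holds one secret and no per-flow state."""
    def __init__(self, secret=None):
        self.secret = os.urandom(16) if secret is None else secret

    def precapability(self, src, dst, t):
        """PreCapability (Pi) = hash(srcIP, destIP, time, secret), stamped on RTS packets."""
        msg = f"{src}|{dst}|{t}|".encode() + self.secret
        return hashlib.sha256(msg).digest()[:TAG_LEN]

    def verify(self, src, dst, cap, n_bytes, t_secs, now):
        """Stateless check of a data packet: recompute from the header and compare."""
        if len(cap) != 4 + TAG_LEN:
            return False
        t = int.from_bytes(cap[:4], "big")
        if not t <= now <= t + t_secs:          # outside the T-second validity window
            return False
        expected = make_capability(self.precapability(src, dst, t), t, n_bytes, t_secs)
        return hmac.compare_digest(cap, expected)


def send_rts(routers, src, dst, t):
    """Request (RTS) packet: each router on the path appends its pre-capability."""
    return [r.precapability(src, dst, t) for r in routers]


def authorize(precaps, t, n_bytes, t_secs):
    """Destination grants N bytes over T seconds by returning one capability per router."""
    return [make_capability(p, t, n_bytes, t_secs) for p in precaps]


def forward_data(routers, src, dst, caps, n_bytes, t_secs, now):
    """A data packet passes only if every router accepts its own capability, in path order."""
    return len(caps) == len(routers) and all(
        r.verify(src, dst, c, n_bytes, t_secs, now) for r, c in zip(routers, caps))


def bounded_router_state(link_bytes_per_sec, n_bytes, t_secs):
    """Records a router may need for one destination queue: C / (N/T)."""
    return int(link_bytes_per_sec // (n_bytes / t_secs))
```

Changing the source address, the granted N, the validity window or the order of the capabilities makes the router's recomputation fail, which is what lets it stay stateless.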
More …
• Proof of Work: schemes requiring work from the client (cryptographic puzzle, RTT)
• Locality
  • Model of people's communication
  • Model of attack behavior
• Entropy: self-similarity of attack traffic
• QoS: provide guarantees in terms of bandwidth [Gligor03]
Why is DDoS Defense Hard? (Mirkovic, Dietrich, Dittrich, Reiher 04)
• Simplicity: plug-and-play attack tools
• Traffic variety (similarity)
  • Attack traffic is as good as legitimate traffic
  • IP spoofing
• High-volume traffic
  • Traffic profiling is hard and requires per-packet processing
  • Numerous agent machines
• Weak spot in Internet topology
  • Highly connected and well-provisioned spots relay traffic for the rest of the Internet

DDoS Defense Challenges (Mirkovic, Reiher 04)
• Distributed response required
  • Cooperation between many points
• Economic and social factors
  • The source deploys a filter to protect the destination
  • Legislative measures
• Lack of detailed attack information
  • Frequency of attack types, attack parameters
  • Backscatter, ISI/USC
• Lack of a defense benchmark
  • How should performance be measured?
  • NSF benchmarking effort
• Difficulty of large-scale testing
  • Testbed mimicking the Internet
  • PlanetLab
Taxonomy of DDoS Defenses (Mirkovic, Reiher 04)
• Preventive vs. Reactive
• Degree of Cooperation
  • Autonomous
  • Cooperative
  • Interdependent
• Deployment Location
  • Victim network
  • Intermediate network
  • Source network
Preventive Actions
• Attack prevention: prevent the attacker from launching an attack
  • Secured target: machines are secured, so the attacker loses its army
    • System security: patches, firewall, IDS
    • Protocol security: change the Internet to have a stateless TCP handshake, IP validity checks, authentication
• DoS prevention: improve the system to be attack resilient
  • Prevention methods
    • Resource accounting: resource allocation based on the privileges of the user
    • Resource multiplication: server pools, high-bandwidth links

Reactive Actions
Detection strategy:
• Pattern – signatures of known attacks are stored
• Anomaly – model of normal system behavior
  • Standard – detect half-open TCP connections
  • Trained – traffic dynamics, expected system performance
• Third party – traceback
Response strategy:
• Agent identification
• Rate-limiting
• Filtering
• Reconfiguration – change the topology of the victim or the network to add more resources or isolate attack machines
Degree of Cooperation
• Autonomous – independent defense at the point of deployment
• Cooperative – perform better in joint operation
• Interdependent – cannot operate autonomously

Deployment Location
• Victim network – most common; the most interested party
• Intermediate network – an ISP can provide the service; potential for cooperation
• Source network – prevent DDoS at the source; least motivation
[Figure: several source networks, the middle of the network, and the victim network]
Examples of Defense (Erramilli04)

Other Factors
• Stateless vs. stateful
• Internet architecture
• Router modification
• Application modification

DoS Defense Goals
• Effectiveness
• Completeness
• Legitimate traffic performance
• Low false positives
• Low deployment and operational cost
References
• Z. Gao and N. Ansari, Tracing Cyber Attacks from the Practical Perspective, IEEE Communications Magazine, Vol. 43, No. 5, pp. 123-131, May 2005.
• V. Gligor, Guaranteeing Access in Spite of Service-Flooding Attacks, Proc. of the Security Protocols Workshop, Sidney Sussex College, Cambridge, UK, April 2-4, 2003. Lecture Notes in Computer Science, Springer-Verlag, 2004.
• A. Keromytis, V. Misra, and D. Rubenstein, SOS: Secure Overlay Services, in Proceedings of ACM SIGCOMM'02, Pittsburgh, PA, August 2002.
• Ruby B. Lee, Taxonomies of Distributed Denial of Service Networks, Attacks, Tools, and Countermeasures, Princeton University, 2003.
• R. Mahajan, S. M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S. Shenker, Controlling High Bandwidth Aggregates in the Network, SIGCOMM Comput. Commun. Rev. 32, 3 (Jul. 2002), 62-73.
• J. Mirkovic, S. Dietrich, D. Dittrich and P. Reiher, Internet Denial of Service: Attack and Defense Mechanisms, Prentice Hall PTR, ISBN 0-13-147573-8.
• J. Mirkovic and P. Reiher, A Taxonomy of DDoS Attack and DDoS Defense Mechanisms, ACM SIGCOMM CCR, 2004.
• A. Yaar, A. Perrig, and D. Song, Pi: A Path Identification Mechanism to Defend against DDoS Attacks, in IEEE Symposium on Security and Privacy, May 2003.
• X. Yang, D. Wetherall, and T. Anderson, A DoS-limiting Network Architecture, in Proc. ACM SIGCOMM, Philadelphia, PA, Aug. 2005.