(Distributed) Denial of Service (DDoS)
Yang Richard Yang
11/12/2001
Review: A Diagram Showing the Problem Space of CC and Router Mechanisms

[Diagram: three boxes, CC, Applications and Router Mechanisms, with the following issues placed on the links between them]

• Compatibility among different CCs; effects of a mix of CCs on network performance (loss, queueing, delay): TCP-friendly CCs as an example
• Effects of CCs on application performance: previous studies did not consider the effects on applications. What are the effects of application adaptations?
• Effect of router mechanisms on a mix of CCs: puzzle from [DKS89]
• Effects of CCs on the design of router mechanisms: previous design and stability analyses implicitly assume TCP/Reno
• How to capture application requirements, and design CCs for them? VQM, and short transaction flows
• Application utilities determine fairness; how to implement it using router mechanisms instead of relying on CC: proportional fairness as an example
(Distributed) Denial of Service

[Figure: attackers A1, A2, A3 send traffic through R1, R2, R3 and R5; the attack paths converge on R4 and R6 and reach the victim V]

• Overload the network connection with garbage traffic; squeeze out the legitimate traffic
• Ping of death
Discussion

• What are the goals?
Classification

• Prevention
  • ingress filtering
  • router filtering [Park et al. 2001]
• Detection
  • end-to-end signaling
    • ICMP: out-of-band [Bellovin 2000]
    • marking: in-band [Savage et al. 2000]
  • auditing
    • Source Path Isolation Engine (SPIE) [Snoeren et al. 2001]
Marking: Node Append

[Figure: on the path A2 -> R2 -> R4 -> R6 -> V, the packet accumulates the list R2, then R2 R4, then R2 R4 R6]

• Append each router to the packet
• Victim extracts the path
• What are the problems?
Marking: Edge Sampling

• Marking
  • three fields: [start, end, distance]
  • with probability p a router inserts itself in the start field and clears the other two fields (end empty, distance 0)
  • otherwise, if the distance field is zero the router inserts itself in the end field; in either case it then increments the distance field
• Tree reconstruction
  • reconstruct the attack graph starting from the victim
An Example

[Figure: on the path A2 -> R2 -> R4 -> R6 -> V, the marks that reach V are [R6, -, 0], [R4, R6, 1] and [R2, R4, 2]]
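The marking and reconstruction rules on the two slides above, worked as a small simulation. This is an added example, not code from the lecture: the topology (A1 via R1 and A2 via R2, both continuing through R4 and R6 to V), p = 0.04, the packet counts and the `forge` option are assumptions made for illustration. The `forge` run shows a property worth checking before trusting a reconstructed graph: values an attacker pre-fills at distance 0 can only surface as edges upstream of the first real router, never closer to V, because every router either overwrites them or increments the distance.

```python
"""Edge sampling (Savage et al. 2000) simulated on a constructed topology.

Added example, not code from the original lecture. The attack paths, the
marking probability p and the packet counts are assumptions chosen for
illustration; the marking and reconstruction rules follow the slides.
"""
import random

VICTIM = "V"

# Constructed attack paths: attacker -> routers in forwarding order -> V.
# A2's path is the slide example; A1 is added so the two paths share the
# tail R4 -> R6 and the victim has to rebuild a tree rather than a line.
PATHS = {
    "A1": ["R1", "R4", "R6"],
    "A2": ["R2", "R4", "R6"],
}


def edge_sample(packet, router, p, rng):
    """One router's marking step on the [start, end, distance] fields."""
    if rng.random() < p:
        # Start a new edge sample: this router is the start; clear the rest.
        packet["start"] = router
        packet["end"] = None
        packet["distance"] = 0
    else:
        # distance == 0 means the previous hop wrote start, so this router
        # is the far end of the sampled edge; every non-sampling hop then
        # increments distance so the victim learns how far away the edge is.
        if packet["distance"] == 0:
            packet["end"] = router
        packet["distance"] += 1


def simulate(paths, packets_per_attacker, p, seed=1, forge=None):
    """Marks that reach the victim.

    forge=(start, end) makes each attacker pre-fill the fields with bogus
    values at distance 0, to show what a spoofing attacker can and cannot do.
    """
    rng = random.Random(seed)
    marks = []
    for path in paths.values():
        for _ in range(packets_per_attacker):
            pkt = {"start": forge[0] if forge else None,
                   "end": forge[1] if forge else None,
                   "distance": 0}
            for router in path:
                edge_sample(pkt, router, p, rng)
            marks.append((pkt["start"], pkt["end"], pkt["distance"]))
    return marks


def reconstruct(marks):
    """Victim side: rebuild the attack graph as a set of (from, to) edges.

    Marks are consumed in order of increasing distance. An edge at distance
    d is accepted only if its end is already placed at depth d - 1, so marks
    no router completed, or that point at nodes the victim never saw, are
    dropped. Distance 0 means the start router neighbours V.
    """
    depth = {VICTIM: -1}
    edges = set()
    for start, end, d in sorted(marks, key=lambda m: m[2]):
        if start is None:
            continue
        nxt = VICTIM if d == 0 else end
        if depth.get(nxt) != d - 1:
            continue
        edges.add((start, nxt))
        depth.setdefault(start, d)
    return edges


def expected_packets(p, d):
    """Expected packets until one mark from a router d hops beyond the
    victim's neighbour survives: it must sample (p) and the d routers after
    it must all not sample ((1 - p) ** d)."""
    return 1.0 / (p * (1 - p) ** d)


if __name__ == "__main__":
    print(sorted(reconstruct(simulate(PATHS, 1000, 0.04))))
    # Pre-filled [X, Y, 0] only survives as edges upstream of R1/R2.
    print(sorted(reconstruct(simulate(PATHS, 1000, 0.04, forge=("X", "Y")))))
```

Running it prints the four real edges; with `forge` it additionally prints (X, R1) and (X, R2), and never an edge that puts X next to V or pairs X with the fabricated end Y.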
Encoding Issues

• Edge sampling needs too many bits (i.e., 64 for the two IP addresses, plus the distance)
• Only possibility is to reuse the 16-bit IP identification field
• How to compress the three fields into 16 bits?
Technique 1: XOR

• XOR the edge endpoints: halves the space needed to store an edge
• Path reconstruction: R6 ⊕ (R4 ⊕ R6) = R4, then R4 ⊕ (R2 ⊕ R4) = R2

[Figure: on the path A2 -> R2 -> R4 -> R6 -> V, the marks that reach V are [R6, 0], [R4 ⊕ R6, 1] and [R2 ⊕ R4, 2]]
Technique 2: Fragmentation

• Subdivide each edge into k non-overlapping fragments
• Insert one fragment together with its offset
• Space requirements
• Path reconstruction: what if there are multiple attackers?
Technique 3: Hash for Identification

• Compute a hash of the router's IP address and bit-interleave it with the IP address itself; use the result to identify the router
• Edge reconstruction: bit-deinterleave the recovered identifier into an address and a hash, and accept the address only if HASH(address) equals the recovered hash

[Figure: HASH(IP address) and IP address -> bit interleave -> identifier; identifier -> bit deinterleave -> address, HASH(address) =? -> YES: valid address]
Putting Everything Together: Fragment Marking Scheme (FMS)

• Router identifier: 64 bits
• Use XOR edge identifier: 64 bits
• Choose k = 8: 11 bits required to store a fragment
  • 8 bits for the fragment
  • 3 bits for the fragment's offset
• Use 5 bits to encode the distance
• Total 16 bits, stored in the IP identification field
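The three encoding techniques and the 16-bit layout above combined end to end, as an added example that is not code from the lecture or from Savage et al. The router addresses, the two attack paths, p and the packet count are constructed, and the 32-bit hash is an assumed choice (truncated SHA-256); the slides specify only that a hash of the address is interleaved with it. `reconstruct` also counts the fragment combinations it has to try, which is where the computational cost grows when several routers sit at the same distance from the victim.

```python
"""Fragment Marking Scheme (FMS, Savage et al. 2000) on a toy topology.

Added example, not code from the original lecture. Addresses, marking
probability and packet counts are constructed; the 32-bit hash (truncated
SHA-256) is an assumed choice. Field layout follows the FMS slide:
[fragment:8 | offset:3 | distance:5] in the 16-bit IP identification field.
"""
import hashlib
import ipaddress
import itertools
import random
from collections import defaultdict

K = 8                          # fragments per 64-bit edge identifier
FRAG_BITS = 64 // K            # 8 bits per fragment
OFFSET_BITS = 3                # log2(K)
DIST_BITS = 5
MAX_DIST = (1 << DIST_BITS) - 1

# Constructed router addresses for the slide's routers and two attack paths.
ROUTERS = {"R1": "10.0.1.1", "R2": "10.0.2.1", "R4": "10.0.4.1", "R6": "10.0.6.1"}
PATHS = [["R1", "R4", "R6"], ["R2", "R4", "R6"]]

def hash32(addr):
    """32-bit hash of a 32-bit address (assumed: truncated SHA-256)."""
    return int.from_bytes(hashlib.sha256(addr.to_bytes(4, "big")).digest()[:4], "big")

def router_id(ip):
    """64-bit identifier: address bits interleaved with hash bits (Technique 3)."""
    addr = int(ipaddress.IPv4Address(ip))
    h = hash32(addr)
    ident = 0
    for i in range(32):
        ident |= ((addr >> i) & 1) << (2 * i + 1)
        ident |= ((h >> i) & 1) << (2 * i)
    return ident

def split_id(ident):
    """Deinterleave into (address, hash); caller checks hash32(address) == hash."""
    addr = h = 0
    for i in range(32):
        addr |= ((ident >> (2 * i + 1)) & 1) << i
        h |= ((ident >> (2 * i)) & 1) << i
    return addr, h

def fragment(ident, offset):
    return (ident >> (offset * FRAG_BITS)) & ((1 << FRAG_BITS) - 1)

def pack(frag, offset, dist):
    return (frag << (OFFSET_BITS + DIST_BITS)) | (offset << DIST_BITS) | dist

def unpack(field):
    return (field >> (OFFSET_BITS + DIST_BITS), (field >> DIST_BITS) & (K - 1), field & MAX_DIST)

def fms_mark(field, ident, p, rng):
    """One router's FMS step: with probability p write a fresh fragment of
    its own identifier at a random offset and distance 0; otherwise XOR its
    fragment into a distance-0 mark (edge = start ^ end, Technique 1) and
    bump the distance, saturating at 31."""
    frag, off, dist = unpack(field)
    if rng.random() < p:
        off = rng.randrange(K)
        return pack(fragment(ident, off), off, 0)
    if dist == 0:
        frag ^= fragment(ident, off)
    return pack(frag, off, min(dist + 1, MAX_DIST))

def simulate(paths, routers, packets_per_attacker, p, seed=1):
    """16-bit fields as they arrive at the victim; attackers send them zeroed."""
    rng = random.Random(seed)
    ids = {name: router_id(ip) for name, ip in routers.items()}
    fields = []
    for path in paths:
        for _ in range(packets_per_attacker):
            field = 0
            for name in path:
                field = fms_mark(field, ids[name], p, rng)
            fields.append(field)
    return fields

def reconstruct(fields, victim="V"):
    """Victim side. Returns (edges, candidates_tried).

    For each distance d, every combination of one fragment per offset is
    reassembled into a 64-bit value z, XORed with each node already placed
    at depth d - 1 (the victim counts as identifier 0), deinterleaved and
    kept only if the hash half matches. The combination count is the
    computational cost FMS pays when several routers share a distance."""
    table = defaultdict(lambda: [set() for _ in range(K)])
    for f in fields:
        frag, off, dist = unpack(f)
        table[dist][off].add(frag)
    layer = {-1: {0: victim}}
    edges, tried = set(), 0
    for d in sorted(table):
        layer[d] = {}
        for combo in itertools.product(*table[d]):
            z = sum(frag << (o * FRAG_BITS) for o, frag in enumerate(combo))
            for y_id, y_label in layer.get(d - 1, {}).items():
                tried += 1
                x = z ^ y_id
                addr, h = split_id(x)
                if h == hash32(addr):
                    label = str(ipaddress.IPv4Address(addr))
                    layer[d][x] = label
                    edges.add((label, y_label))
    return edges, tried

if __name__ == "__main__":
    print(reconstruct(simulate(PATHS, ROUTERS, 5000, 0.04)))
```

With two attackers the distance-2 layer holds up to two fragments per offset, so the victim tries up to 2^8 = 256 combinations there against the single node at distance 1; each extra attacker at the same distance multiplies that search, and every fragment of every router must be seen at least once, which is why FMS needs many more packets than plain edge sampling.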
What are the Problems of FMS?

• Computation overhead
• Number of packets (sensitivity)
Advanced Marking Scheme (AMS) I [Song et al. 2001]

• Main idea: assume that the victim knows the map of its upstream routers
  • relatively easy to obtain in practice, although it incurs a high overhead
• Use two 11-bit hash functions h and h' (to distinguish the order of the two routers) to hash the endpoint addresses, and XOR the results
• Use the other 5 bits to encode the distance from the edge to the victim
Advanced Marking Scheme II

• Use two sets of hash functions instead of two hash functions
• Use w bits to encode which hash function was used and 11 - w bits to encode its value
• Intuition
  • probability of a collision in AMS I is 1/2^11
  • probability of a collision in AMS II is 1/2^((11-w)s), where s = 2^w, because the victim will need to match the values of s hash functions (the implementation uses a threshold approach)
• Choose w = 3
• What if a host that is very close to the victim is compromised?
Authenticated Marking Scheme

• Previous schemes (FMS and AMS) are not robust against compromised routers
  • a compromised router can forge the markings of upstream routers
• Solution: use message authentication codes (MACs)
  • routers and victim share
    • a secret key K
    • a MAC function f
  • upon receiving packet P, router R appends f_K(<P, R>) to the packet
  • in practice it appends f_K(<dst, src, R>)
Authenticated Marking Scheme (cont.)

• What if attackers replay?
Time-Released Key Chains

• Each router R_i generates a sequence of t secret keys {K_{j,i}} and uses a one-way function g such that
  • K_{j,i} = g(K_{j+1,i})
• Each router commits to its secret keys via a standard protocol
• Each router divides time into intervals
  • during interval j it uses the key K_{j,i}
  • after interval j expires, it publishes K_{j,i}
• Reconstruction:
  • the victim downloads K_{j,i} and uses g to compute the previous keys: K_{j-1,i}, K_{j-2,i}, K_{j-3,i}, ...
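The shared-key MAC and the time-released key chain from the slides above, combined in one router/victim exchange. This is an added example, not code from the lecture or from Song et al. It assumes SHA-256 for the one-way function g, HMAC-SHA256 truncated to 4 bytes for f, that the commitment is to K_0 (the slide says only that the router commits "via a standard protocol"), and that the victim treats a mark for interval j as checkable only if the packet arrived during interval j, i.e. before K_j was published. The addresses, seed and interval count are constructed. With a single long-lived shared key, as on the earlier slide, a captured mark stays valid indefinitely; the arrival-time check is what stops a disclosed interval key from being turned into a replayable mark.

```python
"""Authenticated marking with a time-released key chain.

Added example, not code from the original lecture. g (SHA-256), f
(HMAC-SHA256 truncated to MAC_LEN bytes), the commitment to K_0 and the
"arrived during interval j" rule are assumptions; addresses are constructed.
"""
import hashlib
import hmac

MAC_LEN = 4   # bytes of mark carried per packet (assumed; slides give no width)

def g(key):
    """One-way function used to walk the chain: K_j = g(K_{j+1})."""
    return hashlib.sha256(key).digest()

def f(key, dst, src, router):
    """f_K(<dst, src, R>), the mark a router appends (HMAC-SHA256, assumed)."""
    return hmac.new(key, f"{dst}|{src}|{router}".encode(), hashlib.sha256).digest()[:MAC_LEN]

def key_chain(seed, t):
    """Return [K_0, ..., K_t] with K_j = g(K_{j+1}); K_0 is the commitment."""
    keys = [None] * (t + 1)
    keys[t] = seed                      # K_t would be random in practice
    for j in range(t - 1, -1, -1):
        keys[j] = g(keys[j + 1])
    return keys

class Router:
    def __init__(self, name, seed, t):
        self.name = name
        self._keys = key_chain(seed, t)
        self.commitment = self._keys[0]  # given to the victim out of band
        self.published = {}              # j -> K_j, once interval j has expired

    def mark(self, j, dst, src):
        """Mark for a packet forwarded during interval j."""
        return (self.name, j, f(self._keys[j], dst, src, self.name))

    def expire(self, j):
        self.published[j] = self._keys[j]

class Victim:
    def __init__(self, commitments):
        self.commitments = commitments   # router name -> K_0
        self.keys = {}                   # (router, j) -> authenticated K_j

    def download_key(self, router, j, key):
        """Accept K_j only if g^j(K_j) equals the router's commitment, then
        derive K_{j-1}, ..., K_0 from it as the slide describes."""
        k = key
        for _ in range(j):
            k = g(k)
        if not hmac.compare_digest(k, self.commitments[router]):
            return False
        k = key
        for i in range(j, -1, -1):
            self.keys[(router, i)] = k
            k = g(k)
        return True

    def verify(self, mark, dst, src, arrived):
        """arrived: interval in which the packet reached the victim. A mark
        for interval j is only evidence if the packet arrived while K_j was
        still secret; once K_j is public anyone can produce that mark."""
        router, j, tag = mark
        if arrived > j:
            return False            # late or replayed: key already public
        key = self.keys.get((router, j))
        if key is None:
            return None             # hold the packet: K_j not yet disclosed
        return hmac.compare_digest(tag, f(key, dst, src, router))

def scenario():
    """Walk one router/victim pair through marking, disclosure and checking."""
    r4 = Router("R4", seed=b"constructed seed for R4", t=4)
    v = Victim({"R4": r4.commitment})
    dst, src = "10.0.0.9", "192.0.2.7"                    # constructed
    m = r4.mark(1, dst, src)                               # marked in interval 1
    held = v.verify(m, dst, src, arrived=1)                # None: K_1 still secret
    r4.expire(1)
    bogus_key = v.download_key("R4", 1, b"\0" * 32)        # False: fails commitment
    good_key = v.download_key("R4", 1, r4.published[1])    # True
    genuine = v.verify(m, dst, src, arrived=1)             # True
    forged = v.verify(("R4", 1, b"\0" * MAC_LEN), dst, src, arrived=1)  # False
    replayed = v.verify(m, dst, src, arrived=2)            # False: K_1 public
    return held, bogus_key, good_key, genuine, forged, replayed

if __name__ == "__main__":
    print(scenario())
```

The victim has to buffer marks until the matching key is released, so traceback is delayed by one interval; in exchange a compromised router can only forge marks for itself, since it never holds an upstream router's undisclosed key.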
What Are The Requirements and Assumptions of the Marking Schemes?
Source Path Isolation Engine (SPIE)

• Traffic auditing by using packet digests
• Why use packet digests?
• Use SPIE to implement traceback