
Distributed Denial of Service

Distributed Denial of Service. Cryptography Applications Bistro. Presented by Lingxuan Hu, April 15, 2004. Why DDoS is hard to prevent: Internet, limited resources, security highly interdependent. ISP?


Presentation Transcript


  1. Distributed Denial of Service. Cryptography Applications Bistro. Presented by Lingxuan Hu, April 15, 2004

  2. Why DDoS is hard to prevent • Internet • Limited resources • Security highly interdependent

  3. ISP? • The problem with DDOS security is this: if you implement DDOS security, it does not protect your network, it merely prevents your network from harming others. Why would an ISP spend extra time and effort implementing a security protocol that was good for everyone else... but not for them? • by simul, Kuro5hin.org (targeted by DDoS attacks), February 4, 2004

  4. Defenses
  • IP spoofing
    • Egress filtering
    • Keep routing state for each packet
    • New type of control message (ICMP)
    • Embed traceback information into the IP header
  • Bandwidth flooding
    • Use overlay networks to debug input
    • Push back to preserve bandwidth
    • Equip your host with gobs of bandwidth so that appliances can mitigate the effect

  5. Problem Statement
  • Use IP traceback to defend against IP spoofing
    • Packets sharing the same routing path as the attacker's packets will be dropped
  • Challenges
    • The average Internet routing path length is around 15 hops, so reconstructing the full path would take about 60 bytes
    • Where to put the traceback information?

  6. Pi Overview
  • Model the Internet as a binary tree rooted at the victim node
  • Each router marks a 0 or 1 in the IP Identification field based on past path information
  [Figure: binary tree rooted at Victim with routers RA, RX, RB, RC, RY, RZ; leaf hosts labelled A (attacker) or U (legitimate user)]

  7. IP Header
  • Identification field (16 bits)
  • IP identification is only used for fragmentation, which constitutes less than 0.25% of the packets in the Internet

  8. Pi Marking - Basic Marking Scheme
  • Marking Scheme: each router marks n bits into the IP Identification field
  • Marking Location: TTL (mod 16/n) indexes the location in the field to mark
  • Marking Function: last n bits of a hash (e.g. MD5) of the router's IP address
  The following slides are adapted from Abraham Yaar's Oakland 2003 slides

  9. Pi Marking - Example
  [Figure: a packet with initial TTL = 255 passes routers at TTL 254, 253, 252, 251, 250, 249 on its way to the victim V; each router writes a 2-bit mark (00, 10, 11, 01, ...) into the slot indexed by its TTL (the field is shown as four 2-bit slots), and the victim compares the final marks of candidate packets (00000111, 01100101, 01100111, 10101100, 11001100) against the known attacker mark 01100111]

  10. Pi Marking Scheme - TTL Attack
  • Problem: attacker shifts the markings by modifying the initial TTL
  [Figure: the same path from attacker A to victim V marked twice, once arriving with final TTL 251 and once with final TTL 250; the marks 00, 10, 11 are identical but land one slot apart in the marking field, as does the final-TTL pointer]
  • Note: marking bits and order haven't changed, just their location in the marking field
  • Solution: victim uses the final TTL to justify (align) the marking field using bit rotation

  11. Pi Marking - IP Fragmentation
  • Problem: marking the IP Identification field breaks fragmentation
  • Solution: don't mark packets that may ever get fragmented, or that are fragments themselves
    • During a DDoS attack, drop packets not satisfying this predicate
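An added Python simulation, not code from the slides or from Yaar's Pi implementation, of the marking scheme on slides 8 to 11 with n = 2: each hop writes the last two bits of MD5(router IP) into slot (TTL mod 8) of the Identification field, and the victim rotates the field by the final TTL so that an attacker's choice of initial TTL does not move the marks. The router addresses are constructed, and it assumes a router marks after decrementing the TTL.

```python
import hashlib

N_BITS = 2                       # bits each router writes (n on the slide)
FIELD_BITS = 16                  # width of the IP Identification field
SLOTS = FIELD_BITS // N_BITS     # 16/n marking locations in the field
MARK_MASK = (1 << N_BITS) - 1


def router_mark(router_ip: str) -> int:
    """Marking function: last n bits of MD5(router IP address)."""
    return hashlib.md5(router_ip.encode()).digest()[-1] & MARK_MASK


def pi_mark_path(path, initial_ttl=255, ident=0):
    """Send one packet along `path` (list of router IPs). Each hop decrements the TTL
    and writes its mark into slot (TTL mod 16/n) of the Identification field.
    Assumption: a router marks after decrementing the TTL. With n=2 there are only
    8 slots, so on a path longer than 8 hops earlier marks are overwritten."""
    ttl = initial_ttl
    for ip in path:
        ttl -= 1
        shift = (ttl % SLOTS) * N_BITS
        ident = (ident & ~(MARK_MASK << shift)) | (router_mark(ip) << shift)
    return ident & 0xFFFF, ttl


def normalise(ident, final_ttl):
    """Victim side: rotate the field right by (final TTL mod 16/n) slots so the last
    hop's mark sits in slot 0, the previous hop's in slot 1, and so on. This undoes
    the shift an attacker introduces by choosing a different initial TTL."""
    shift = (final_ttl % SLOTS) * N_BITS
    return ((ident >> shift) | (ident << (FIELD_BITS - shift))) & 0xFFFF


def pi_mark(path, initial_ttl=255):
    """Path-dependent Pi mark as the victim sees it, independent of the initial TTL."""
    return normalise(*pi_mark_path(path, initial_ttl))


# Constructed sample path: three router addresses, victim at the end.
PATH = ["10.0.0.1", "10.0.1.1", "10.0.2.1"]

if __name__ == "__main__":
    for ttl0 in (255, 128, 64):
        raw, final_ttl = pi_mark_path(PATH, ttl0)
        print(f"initial TTL {ttl0:3d} final {final_ttl:3d}: "
              f"raw {raw:016b}  normalised {pi_mark(PATH, ttl0):016b}")
```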

  12. Pi Filtering - Basic Scheme
  • Basic Scheme: drop all packets with Pi marks matching that of any attack packet
  • Assumption: victim can identify attack packets
  • Implementation Overhead
    • Memory: bit vector of length 2^16 (8 kB)
    • if (BitVec[PiMark] == 0) then accept() else drop();
    • Computation: O(1) per packet

  13. Pi Filtering - Thresholds
  • Problem: a single attacker causes multiple users' rejections
  • Solution: assume, for a particular Pi mark i:
    • a_i = number of attack packets
    • u_i = number of legitimate users' packets
    • Victim chooses a threshold t such that if: then all packets with Pi mark i are dropped
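An added Python example, not from the slides, of the bit-vector filter on slide 12 and the threshold filter on slide 13 run over constructed traffic; the threshold condition a_i / (a_i + u_i) > t is an assumption, since the slide's condition did not survive in the transcript.

```python
from collections import Counter

FIELD_BITS = 16


def build_filter(flagged_marks):
    """Basic Pi filter state: one bit per possible 16-bit Pi mark (2^16 bits = 8 kB).
    A set bit means the mark was seen on an identified attack packet."""
    bitvec = bytearray(1 << (FIELD_BITS - 3))
    for m in flagged_marks:
        bitvec[m >> 3] |= 1 << (m & 7)
    return bitvec


def accept(bitvec, mark):
    """Per-packet O(1) decision from the slide: accept iff BitVec[PiMark] == 0."""
    return not (bitvec[mark >> 3] >> (mark & 7)) & 1


def threshold_flag(attack_marks, user_marks, t):
    """Threshold filter. For each mark i, a_i = attack packets and u_i = legitimate
    packets seen with that mark. Assumed form of the slide's condition: flag mark i
    only when the attack fraction a_i / (a_i + u_i) exceeds t."""
    a, u = Counter(attack_marks), Counter(user_marks)
    return {i for i in a if a[i] / (a[i] + u.get(i, 0)) > t}


def acceptance(bitvec, attack_marks, user_marks):
    """(fraction of user packets accepted, fraction of attack packets accepted),
    the two numbers the experiment slides report."""
    u_ok = sum(accept(bitvec, m) for m in user_marks) / len(user_marks)
    a_ok = sum(accept(bitvec, m) for m in attack_marks) / len(attack_marks)
    return u_ok, a_ok


# Constructed traffic: mark 0x1234 is attacker-dominated, 0x00FF is mostly legitimate
# (one attacker shares that path), 0x5555 is seen only from legitimate users.
ATTACK = [0x1234] * 8 + [0x00FF]
USER = [0x1234] * 2 + [0x00FF] * 9 + [0x5555] * 5

if __name__ == "__main__":
    basic = build_filter(set(ATTACK))
    print("basic filter    :", acceptance(basic, ATTACK, USER))
    thr = build_filter(threshold_flag(ATTACK, USER, t=0.5))
    print("threshold filter:", acceptance(thr, ATTACK, USER))
```

With the basic filter the single attacker on the 0x00FF path causes all nine legitimate packets with that mark to be dropped; the threshold filter trades a little attack traffic for keeping them.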

  14. Experiment Results – Basic Filter • DDoS protection • Accepted: • 60% of user traffic • 17% attacker traffic • Downward slope due to “marking saturation” • All markings flagged as attacker

  15. Experiment Results – Threshold Filter • Thresholds Work! • Victim increases false positives to decrease false negatives • Greater attack traffic requires greater threshold values

  16. Comments
  • Review of the goal
    • The same routing path yields the same marking
    • Different routing paths have little probability of overlapping
  • Question: why bother using rotated marking instead of a simple hash function?

  17. DDoS Attacks • IP spoofing • Bandwidth flooding Back to Zhanxiang
