170 likes | 267 Views
Distributed Denial of Service. CRyptography Applications Bistro Presented by Lingxuan Hu April 15, 2004. Why DDoS is hard to prevent. Internet Limited resources Security highly interdependent. ISP?.
E N D
Distributed Denial of Service CRyptography Applications Bistro Presented by Lingxuan Hu April 15, 2004
Why DDoS is hard to prevent • Internet • Limited resources • Security highly interdependent
ISP? • The problem with DDOS security is this: if you implement DDOS security, it does not protect your network, it merely prevents your network from harming others. Why would an ISP spend extra time and effort implementing a security protocol that was good for everyone else... but not for them? • by simul, Kuro5hin.org (targeted by DDoS attacks), February 4, 2004
Defenses • IP spoofing • Egress filtering • Keep routing state for each packet • New type of control message (ICMP) • Embed traceback information into IP header • Bandwidth flooding • Use Overlay Networks to debug input • Push back to preserve bandwidth • Equip your host with gobs of bandwidth and the appliances can mitigate the effect
Problem Statement • Use IP traceback to defend IP spoofing • Packets having the same routing path with the attacker packets will be dropped • Challenges • The average Internet routing path length is around 15, so reconstruct the path will take 60 bytes • Where to put the traceback information?
PI Overview • Model the Internet as a binary tree rooted at the victim node • The router mark 0 or 1 in IP identification field based on past path information Victim RA RX RB RC RY RZ A U U A A A
IP Header • Identification field (16 bits) • IP identification is only used for fragmentation, which constitutes less than 0.25% of the packets in Internet
Pi Marking - Basic Marking Scheme • Marking Scheme • Each router marks n bits into IP Identification field • Marking Location • TTL (mod 16/n) indexes location in field to mark • Marking Function • Last n bits of hash (eg. MD5) of router IP address The following slides are adapted from Abraham Yaar’s Oakland 2003 slides
253 252 254 π π π xx 00 xx xx xx 00 10 xx xx 00 10 11 xx xx xx xx 251 250 249 π V π π 01 00 10 11 01 10 10 11 01 10 01 11 Pi Marking - Example TTL = 255 A ? Known Attacker 01100111 00000111 = 01100101 = 01100111 = 10101100 = 11001100 =
Pi Marking Scheme - TTL Attack • Problem • Attacker shifts markings by modifying initial TTL 251 255 254 Final TTL Pointer π π A V xx xx xx xx xx 00 xx xx 10 00 10 11 1000101110 250 254 253 Final TTL Pointer π π A V xx xx xx xx xx xx 00 xx 11 10 00 10 111000101110 • Note - marking bits and order haven’t changed, just location in the marking field • Solution • Victim uses final TTL to justify packet contents using bit rotation
Pi Marking - IP Fragmentation • Problem • Mark values in IP Identification field breaks fragmentation • Solution • Don’t mark packets that mayever get fragmented, or are fragments themselves • During DDoS attack, drop packets not satisfying this predicate
Pi Filtering – Basic Scheme • Basic Scheme • Drop all packets with Pi marks matching that of any attack packets • Assumption • Victim can identify attack packets • Implementation Overhead • Memory: Bit vector of length 216 (8kB) • if (BitVec[PiMark] == 0) then accept() else drop(); • Computation: O(1)per packet
Pi Filtering - Thresholds • Problem • Single attacker causes multiple users’ rejections • Solution • Assume, for a particular Pi mark, i: • ai= number of attack packets • ui= number of legitimate users’ packets • Victim chooses threshold, t, such that if: then all packets with Pi mark i are dropped
Experiment Results – Basic Filter • DDoS protection • Accepted: • 60% of user traffic • 17% attacker traffic • Downward slope due to “marking saturation” • All markings flagged as attacker
Experiment Results – Threshold Filter • Thresholds Work! • Victim increases false positives to decrease false negatives • Greater attack traffic requires greater threshold values
Comments • Review of the goal • The same routing path yields the same marking • Different routing path has little probability to overlap • Question • Why bother using rotated marking instead of a simple hash function?
DDoS Attacks • IP spoofing • Bandwidth flooding Back to Zhanxiang