340 likes | 480 Views
Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic . Presenter: Lei Wu March, 2009. Cheng Jin ( chengjin@cs.caltech.edu ) Haining Wang ( hnw@cs.wm.edu ) Kang G. Shin ( kgshin@eecs.umich.edu ) CCS’03, Oct, 2003, Washington, DC, USA. Outline. Background
E N D
Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic Presenter: Lei Wu March, 2009 Cheng Jin (chengjin@cs.caltech.edu) Haining Wang (hnw@cs.wm.edu) Kang G. Shin (kgshin@eecs.umich.edu) CCS’03, Oct, 2003, Washington, DC, USA Presentation for CAP 6135
Outline • Background • Mechanism and construction • Measurement • Conclusion Presentation for CAP 6135
Outline • Background • Mechanism and construction • Measurement • Conclusion Presentation for CAP 6135
Background • IP address spoofing • DDoS Attack • Two classes of defense approaches Presentation for CAP 6135
IP address spoofing • In computer networking, the term IP address spoofing refers to the creation of IP packets with a forged (spoofed) source IP address with the purpose of concealing the identity of the sender or impersonating another computing system. Presentation for CAP 6135
DDoS Attack • Distributed Denial Of Service (DDoS) Attack • DDoS attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. • DDoS attacks on root nameservers • October 21, 2002 • February 6, 2007 Presentation for CAP 6135
Defense Approaches • Router-based • Making improvements to the routing infrastructure • Off-line analysis of flooding traffic or on-line filtering of DDoS traffic inside routers • Require not only router support , but also coordination among different routers and networks, and wide-spread deployment • Victim-based • Enhancing the resilience of Internet servers against attacks • Easy to deploy Presentation for CAP 6135
Weakness of conventional victim-based methods • Protection based on sophisticated resource management schemes • No mechanism to detect and discard spoofed traffic • Could confine the scope of damage to the service under attack, but might not be able to sustain the availability of the service • Filtering spoofed traffic can help a lot • TTL field of the IP header • Assumption: attackers cannot sabotage routers to alter TTL values of IP packets that traverse them Presentation for CAP 6135
Outline • Background • Mechanism and construction • Measurement • Conclusion Presentation for CAP 6135
Mechanism and construction • Introduction • Construction of IP2HC mapping table • Hop-Count Computation • Inspection Algorithm • Two running states of HCF Presentation for CAP 6135
Introduction • Basic idea of Hop-Count Filtering (HCF) • Building an accurate IP-to-hop-count (IP2HC) mapping table • Clustering address prefixes based on hop-count • Two running states Presentation for CAP 6135
Construction of IP2HC mapping table • Objectives in building an HCP table • Accurate IP2HC mapping • Up-to-date IP2HC mapping • Moderate storage requirement • Two Issues • Clustering address prefixes based on hop-counts • 24-bits aggregation • Divide IP addresses with each 24-bit prefix into smaller clusters • A pollution-proof update procedure to capture legitimate hop-count changes while foiling attackers’ attempt to pollute HCF tables Presentation for CAP 6135
Construction of IP2HC mapping table (cont) • An example of hop-count clustering Presentation for CAP 6135
Construction of IP2HC mapping table (cont) • Accuracies of various filters Presentation for CAP 6135
Construction of IP2HC mapping table (cont) • Sizes of various HCF tables Presentation for CAP 6135
Construction of IP2HC mapping table (cont) • Pollution-Proof Initialization and Update • Initialization • Collect traces of its clients that contain both IP addresses and the corresponding TTL values • Period depends on its traffic-load • Update • HCF table should be updated only by those TCP connections in the established state • Provide a user-configurable parameter to adjust the frequency of update • Re-clustering is negligible Presentation for CAP 6135
Hop-Count Computation • Time To Live (TTL) IP Header Presentation for CAP 6135
Hop-Count Computation (cont) • The challenge is that a destination only sees the final TTL value when receiving a packet. • Most modern Oss use only a few selected initial TTL value • 30, 32, 60, 64, 128 and 255 • Few Internet hosts are apart by more than 30 hops • For example, if the final TTL value is 112, we can infer that its initial TTL value is 128 • What about the ambiguities {30, 32}, {60, 64}, and {32, 60}? • Compute a hop-count value for each of the possible initial TTL value, and accept the packet if there is a match with one of the possible hop-counts. Presentation for CAP 6135
Inspection Algorithm Presentation for CAP 6135
Two running states of HCF • HCF causes delay in the critical path of packet processing, it should not be active at all time • Two running states • Alert: detect the presence of spoofed packets • By default, HCF stays in alert state and monitors the trend of hop-count changes without discarding packets • Action: discard spoofed packets • Upon detection of a flux of spoofed packets, HCF switches to action state to examine each packet and discards spoofed IP packets Presentation for CAP 6135
Two running states of HCF (cont) • Operations in two HCP states Presentation for CAP 6135
Two running states of HCF (cont) • Extra benefits of two running states • Against Distributed Reflected Denial of Service (DRDoS) attack • Blocking Bandwidth Attacks Presentation for CAP 6135
Outline • Background • Mechanism and construction • Measurement • Feasibility • Effectiveness • Resource Savings • Conclusion Presentation for CAP 6135
Feasibility of HCF • The feasibility of HCF hinges on three factors • Stability of hop-counts • The Internet paths were found to be dominated by a few prevalent routes • About two thirds of the Internet paths studied were observed to have routes persisting for either days or weeks • Diversity of hop-count distribution • More standard deviation, more effective • Robustness against possible evasion • Without compromising, it is very difficulty to get the IP2HC mapping table for the whole random address space • Spoofing from compromised machines makes detection and removal much easier Presentation for CAP 6135
Diversity of hop-count distribution • The largest percentage of IP addresses that have a common hop-count value is only 10% Presentation for CAP 6135
Effectiveness of HCF • Simple Attacks: always using the default initial TTL value Presentation for CAP 6135
Effectiveness of HCF (cont) • Sophisticated Attackers: randomly choose TTL value Presentation for CAP 6135
Resource Savings • This part gives some practical skills to implement HCF, which reduces the resource consumption • Insert into Linux Kernel • Hash table for the organization of hop-count mapping • Please read the paper for details Presentation for CAP 6135
Outline • Background • Mechanism and construction • Measurement • Conclusion • Contribution • Weakness • Improvement Presentation for CAP 6135
Contribution • Propose a hop-count based filtering scheme that detects and discards spoofed IP packets to conserve system resources • Give some analytical measurement on feasibility and effectiveness • Give the details description on how to make the whole system perform efficient, and also give the evaluation Presentation for CAP 6135
Weakness • TTL-based Hop-Count Computation • Assume that most OSs use only a few selected initial TTL values • The solution to the ambiguities {30, 32}, {60, 64}, and {32, 60} • No explicit way to assign and adjust values of parameters • Feasibility of HCF • No definitive claim of whether hop-count distributions are Gaussian or not • Effectiveness of HCF, Sophisticated Attackers • No analysis on multiple flooding source • No comparison with other methods • No consideration on more realistic and complex network environment Presentation for CAP 6135
Improvement • Use some machine learning methods to assign and adjust values of parameters • Find out the distributions of hop-count • Give the analysis on multiple flooding source of the sophisticated attackers • Compare HCF with other methods • Consider more realistic and complex network environment Presentation for CAP 6135
Extra References • http://en.wikipedia.org/wiki/Internet_Protocol • http://en.wikipedia.org/wiki/Distributed_Reflection_Denial_of_Service Presentation for CAP 6135
Questions? Thank you! Presentation for CAP 6135