Design and Operational Characteristics of a Distributed Cooperative Infrastructure against DDoS Attacks
Georgios Koutepas, Fotis Stamatelopoulos, Vasilios Hatziyannakis, and Basil Maglaris
National Technical University of Athens, Greece
ECIW 2003, July 1, 2003
What is "Denial of Service"?
• An attack to suspend the availability of a service
• Until recently the "bad guys" tried to enter our systems. Now it's: "If not us, then Nobody"
• No break-in attempts, no information stealing, although DoS can be combined with other attacks to confuse Intrusion Detection Systems
• DoS: single, correctly crafted malicious packets against the target machine
• Distributed DoS: traffic flows from many sources to exhaust network or computing resources
• No easy solutions! DoS is still mostly a research issue
A Distributed Cooperative Infrastructure against DDoS Attacks – ECIW 2003
Main Characteristics of DoS
• Variable targets:
  • Single hosts or whole domains
  • Computer systems or networks
  • Important: active network components (e.g. routers) are also vulnerable and possible targets!
• Variable uses and effects:
  • Hacker "turf" wars
  • High-profile commercial targets (or just competitors...)
  • Useful in cyber-warfare, terrorism, etc.
• February 7-11, 2000: big commercial sites (CNN, Yahoo, eBay) are taken down by flooding of their networks
• October 2002: attack against the root DNS servers
Distributed DoS (diagram): an attacker X first takes control of pirated machines ("zombies") in domains A and B (1. Taking Control), then commands them to attack (2. Commanding the attack) the target domain.
A DDoS Attack Domain-wise (diagram): the sources of the attack, the attack transit domains, innocent domains whose connectivity is nevertheless affected, and the target domain.
Reaction to DDoS
• Incoming traffic has to be controlled outside the victim's domain, at the upstream providers
• Source IPs on attack packets are usually spoofed
• The malicious flows have to be determined
• The attack characteristics have to be communicated upstream. This is usually done manually and is an uncertain and time-consuming procedure
• Filters that block the attack traffic must be set up and maintained, and their effectiveness must be verified
• The bandwidth penalty is still present throughout all the affected networks: actions are required on all the networks along the attack path
Our Solution: An Inter-Domain Cooperative Infrastructure
Inter-Domain Cooperative Framework (diagram): each participating domain runs a Cooperative Counter-DDoS Entity; notifications propagate between Entities by multicast; each Entity activates filters and reacts according to local policies; non-participating domains are also shown. The Cooperative Counter-DDoS Entities constitute an overlay network.
The Entities
• The Entities compose the infrastructure
• They are the trusted points through which the domain participates in the infrastructure
• They manage all communications and reaction within the domain
• They are at the top of the local IDS hierarchy, so they combine the local picture with the one from peers
• They are controlled locally according to the choices and policies of the administrator
• Communications use multicast methods
• They can push reaction filters to routers, BUT:
  • Their duration is controlled, the admin is aware of them, and it is possible to adjust to shifting attack patterns
Main Design Characteristics: Entity Implementation
• Lightweight and modular software architecture, with different components performing the various tasks
• Java Management Extensions (JMX) framework for control and configuration
• Using the Intrusion Detection Message Exchange Format (IDMEF) in all messages achieves compatibility with standards and interoperability with installed IDS infrastructure
• Multicast advantages:
  • Stealthy presence
  • Independence from a specific installation host
  • Possible parallel operation of backup Entities
Entity State Transition (diagram)
Internal Entity Architecture (diagram)
What happens during an Attack (diagram): the message DB of the Entity at domain B, and the path cases for domain B relative to domains A, C, D, E, W, X, Y and Z.
Policy Entries
• Match event characteristics with actions taken against the attack:
  • Attack type
  • Attack destination (target domain)
  • Path positioning case
• Custom-made actions to match the specific attack
• Reaction for a certain time
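The path-positioning and policy-matching logic of the two slides above, as an added example in Python (the prototype itself is Java/JMX and exchanges IDMEF messages; the `Notification` and `PolicyEntry` fields, the four case names and the sample policy for domain B are assumptions made for this illustration, not the paper's schema):

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed data model for the example. The real Entities exchange IDMEF
# messages; the field names below are assumptions, not the paper's schema.
@dataclass
class Notification:
    attack_type: str            # e.g. "syn-flood"
    target_domain: str          # victim domain named by the notifying Entity
    source_domains: List[str]   # domains hosting the attacking "zombies"
    transit_domains: List[str]  # domains reported between sources and target

@dataclass
class PolicyEntry:
    attack_type: str     # "*" matches any attack type
    target_domain: str   # "*" matches any target
    path_case: str       # "target", "source", "transit" or "unaffected"
    actions: List[str]   # custom actions, e.g. filter rules pushed to routers
    duration_s: int      # how long the reaction stays active before expiry

def path_case(local_domain: str, n: Notification) -> str:
    """Position of the local domain on the attack path, decided only from
    the received notification, so no traceback procedure is needed."""
    if local_domain == n.target_domain:
        return "target"
    if local_domain in n.source_domains:
        return "source"
    if local_domain in n.transit_domains:
        return "transit"
    return "unaffected"

def select_reaction(local_domain: str, policy: List[PolicyEntry],
                    n: Notification) -> Tuple[str, List[str], int]:
    """First entry whose attack type, target and path case all match wins.
    Returns (path case, actions, duration); no actions when nothing matches."""
    case = path_case(local_domain, n)
    for e in policy:
        if (e.attack_type in ("*", n.attack_type)
                and e.target_domain in ("*", n.target_domain)
                and e.path_case == case):
            return case, e.actions, e.duration_s
    return case, [], 0

# Constructed sample policy for domain B (cf. the path cases figure).
POLICY_B = [
    PolicyEntry("syn-flood", "*", "source",
                ["rate-limit egress SYN to target", "alert local admin"], 600),
    PolicyEntry("*", "*", "transit", ["filter flows to target at border"], 300),
    PolicyEntry("*", "B", "target", ["request upstream filtering"], 900),
]
# Constructed notification: zombies in X and Y flood target A via Z, B, C.
SAMPLE = Notification("syn-flood", "A", ["X", "Y"], ["Z", "B", "C"])
```

Domain B classifies itself as transit and gets the 300-second border filter; W, which is off the path, gets no action at all.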
Additional Concepts
• Security:
  • The messages are encrypted against eavesdropping, BUT by symmetric cryptography
  • Additionally there are timestamps and digital signatures on the messages to avoid replay (repetition) attacks
• It is possible to create "communities" of Entities by multicast and distribute the notifications only within them:
  • Geographically (by the TTL on the packets)
  • According to common interests, etc. (by different multicast groups)
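The timestamp-plus-authentication check described above, as an added example that is not the prototype's code: a receiving Entity verifies the tag, enforces a freshness window and refuses a message id it has already seen. An HMAC over a shared community key stands in for the digital signature the slide mentions, and the message layout and the 60-second window are assumptions made here.

```python
import hashlib
import hmac
import json
import time

# Assumptions for this example: the key is shared by the Entities of one
# multicast community, and an HMAC tag stands in for the digital signature
# the Entities attach. A message carries an id, a sender timestamp and a payload.
WINDOW_S = 60  # freshness window around the receiver's clock (chosen here)

def _canonical(msg_id: str, ts: float, payload: dict) -> bytes:
    """Deterministic encoding of the authenticated fields."""
    return json.dumps({"id": msg_id, "ts": ts, "payload": payload},
                      sort_keys=True).encode()

def make_notification(key: bytes, msg_id: str, ts: float, payload: dict) -> dict:
    """Sender side: the tag covers id, timestamp and payload together."""
    tag = hmac.new(key, _canonical(msg_id, ts, payload), hashlib.sha256).hexdigest()
    return {"id": msg_id, "ts": ts, "payload": payload, "tag": tag}

class Receiver:
    """Receiving Entity: verifies the tag, checks freshness, rejects replays."""
    def __init__(self, key: bytes, now=time.time):
        self.key = key
        self.now = now   # injectable clock so the behaviour is reproducible
        self.seen = {}   # msg id -> timestamp, kept only while inside the window

    def accept(self, msg: dict) -> tuple:
        expected = hmac.new(self.key,
                            _canonical(msg["id"], msg["ts"], msg["payload"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return False, "bad tag"           # forged or altered in transit
        now = self.now()
        if abs(now - msg["ts"]) > WINDOW_S:
            return False, "stale timestamp"   # too old (or clock far off)
        # Drop ids that are now too old to be replayed inside the window.
        self.seen = {i: t for i, t in self.seen.items() if now - t <= WINDOW_S}
        if msg["id"] in self.seen:
            return False, "replay"            # same id already seen in window
        self.seen[msg["id"]] = msg["ts"]
        return True, "ok"
```

Bounding the replay cache by the same window as the freshness check is what keeps the cache small: anything older is already rejected as stale.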
Current Status
• Finished prototype
• Putting a WAN emulation facility (Dummynet) between the Entities to test behavior during attacks:
  • Test the accuracy in setting up the right filters, at the right points
  • Determine the effects on non-attack traffic, and thus choose the right configuration parameters and filter durations
• Testing the effectiveness of a peer-to-peer communications scheme in addition to multicast
• Developing the hot-spare concepts
• Introducing the usage of advanced inference algorithms and/or expert systems
• Plans to deploy it in the Greek Academic Network
Conclusions
• It's not an IDS, but rather a "message management system" independent of the underlying detection technologies
• Distributed framework that uses a cooperative inter-domain approach
• Trusted partners, each deploying a local software Entity
• Entities exchange security information so that positioning in the attack path is detected locally and without requiring traceback procedures
• Reaction is activated in parallel, controlled at each domain by local policies