D-WARD: DDoS Network Attack Recognition and Defense
PhD Qualifying Exam
Jelena Mirković
PhD Advisor: Peter Reiher
01/23/2002

Design and implement DDoS defense system (2/39)
• located at source network
• autonomously detects and stops attacking flows
• does not affect legitimate flows

Overview (3/39)
• Problem Statement
• Related Work
• Desirable Characteristics
• D-WARD
• Thesis Goals
• Conclusion
What is a DoS Attack? (4/39)
[diagram slide]
Section navigation: Problem Statement | Related Work | Desirable Characteristics | D-WARD | Thesis Goals | Conclusion

What is a DDoS Attack? (5/39)
[diagram slide]
DDoS Defense Problem (6/39)
• Large number of unwitting participants
• No common characteristics of DDoS streams
• No administrative domain cooperation
• Automated tools
• Hidden identity of participants
• Persistent security holes on the Internet

DDoS Prevention (7/39)
• Compromise prevention
  • security patches
  • virus detection programs
  • intrusion detection systems (IDS)
High deployment cannot be enforced
DDoS Defense (8/39)
[diagram: Source Network, Intermediate Network, Victim Network]

Victim Network (9/39)
• Intrusion Detection Systems
• On-off control approach
• Router monitoring tools (CISCO)
+ Victim can successfully detect the attack
- Victim is helpless if: attack consists of legitimate packets, or attack is of large volume

Intermediate Network (10/39)
• WATCHERS
• Traceback
• Pushback
• Spoofing prevention
+ Routers can effectively constrain/trace the attack
- Possible performance degradation
- Interdomain politics of isolation
- Attack detection is hard
- Communication has to be secured

Source Network (11/39)
• MULTOPS
+ Source routers can effectively constrain/trace the attack
+ Internet resources are preserved
- Attack detection is hard
- Many deployment points needed for high efficacy
Desirable Characteristics (12/39)
(slide marks each characteristic as REQUIRED or OPTIONAL)
• High security
• Reliable attack detection
• Independent detection and response
• Low performance cost
• Incremental benefit with incremental deployment
• Handle recurring attacks
• Traceback
• Cooperation

D-WARD (13/39)
• DDoS defense system in Source Network
• Source Router detects attack and responds
• Monitors the two-way traffic
• Suspect flows are rate-limited
• Further observations lead to decrease or increase of rate-limit

System Architecture (14/39)
[architecture diagram: on the Source Router, between the Source Network and the Internet, an Observation Component (traffic statistics, statistics cache, model cache, classification into NORMAL / TRANSIENT / ATTACK) feeds rate limit rules to a Throttling Component]
Statistics Gathering (15/39)
• Statistics help discover difficulties
• Only IP header data is used
• Statistics classified per peer IP address
• Statistics cache size is limited and the cache is purged periodically:
  • Records for normal flows deleted
  • Records for transient and attack flows reset

Traffic Models (16/39)
• TCP requires proportional reverse flow
• Non-TCP traffic requires NO reverse flow
• Non-TCP servers usually send constant amount of packets/Bytes per second to a given peer

Traffic Models (17/39)
• Model of normal TCP traffic:
  • low ratio of number of sent/number of received packets
• Model of normal non-TCP traffic:
  • mean and standard deviation of number of sent packets/Bytes for certain destination
• Non-TCP models created in training phase

Flow Classification (18/39)
• Comparison with models of normal traffic
  • compliant - within limits of the model
  • attack - outside of model limits
• Well behaved or not
  • normal - well-behaved compliant flows
  • transient - non well-behaved compliant flows

Throttling Component (19/39)
• ATTACK: Exponential decrease
• TRANSIENT: Slow recovery, linear increase
• NORMAL: Fast recovery, exponential increase
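The flow-model checks, the compliant/well-behaved classification and the three throttling rules on slides 16 to 19, as an added Python sketch that is not part of the original presentation or of the D-WARD implementation. The numeric thresholds, the step sizes, the per-peer trace and the rule that a flow is well-behaved when it stays within its current rate limit are assumptions; the training samples are constructed.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
# Constructed thresholds: the slides give no numeric values for these.
TCP_MAX_RATIO = 3.0                  # max sent/received packet ratio for normal TCP
NONTCP_SIGMA = 3.0                   # non-TCP: allowed deviation from the trained mean, in std devs
MIN_LIMIT, MAX_LIMIT = 1.0, 1000.0   # rate-limit bounds, packets per observation interval
@dataclass
class PeerStats:
    proto: str      # "tcp" or "udp"
    sent: int       # packets sent from the source network to this peer in the interval
    received: int   # packets received from this peer in the interval

def train_nontcp_model(samples):
    """Training phase: mean and std dev of packets sent per interval to a peer."""
    return mean(samples), pstdev(samples)

def is_compliant(s, nontcp_model):
    """Compliant = within the limits of the normal-traffic model for the protocol."""
    if s.proto == "tcp":   # normal TCP has a proportional reverse flow: low sent/received ratio
        return s.sent <= TCP_MAX_RATIO * max(s.received, 1)
    mu, sigma = nontcp_model   # non-TCP: sent count must stay near the trained mean
    return abs(s.sent - mu) <= NONTCP_SIGMA * sigma

def classify(s, nontcp_model, well_behaved):
    """attack: outside the model; normal: compliant and well-behaved; transient: compliant but not."""
    if not is_compliant(s, nontcp_model):
        return "attack"
    return "normal" if well_behaved else "transient"

def adjust_rate_limit(limit, cls):
    """attack: exponential decrease; transient: slow linear increase; normal: fast exponential increase."""
    if cls == "attack":
        limit /= 2          # the step sizes are constructed, not taken from the slides
    elif cls == "transient":
        limit += 10
    else:
        limit *= 2
    return max(MIN_LIMIT, min(MAX_LIMIT, limit))

def simulate(observations, nontcp_model, limit=MAX_LIMIT):
    """Classify each interval and update the flow's rate limit; returns (class, limit) per interval."""
    history = []
    for s in observations:
        well_behaved = s.sent <= limit   # assumption: well-behaved = the flow stays under its current limit
        cls = classify(s, nontcp_model, well_behaved)
        limit = adjust_rate_limit(limit, cls)
        history.append((cls, limit))
    return history

# Constructed trace for one TCP peer: normal traffic, a flood with almost no replies, then recovery.
TCP_TRACE = [PeerStats("tcp", 100, 60), PeerStats("tcp", 900, 5), PeerStats("tcp", 700, 5),
             PeerStats("tcp", 300, 200), PeerStats("tcp", 200, 150)]
```

Running `simulate(TCP_TRACE, model)` shows the limit halving while the one-way flood lasts, the first compliant interval after it being held back as transient, and the limit doubling again once the flow behaves.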
Experiment 1 (20/39)
[topology diagram: CLIENT, ATTACKER, ATTACKER, ROUTER, VICTIM]
[slides 21-22: traffic plots annotated "attack starts" / "attack stops"]

Experiment 2 (23/39)
[topology diagram: CLIENT, ATTACKER, ATTACKER, ROUTER, VICTIM]
[slides 24-25: traffic plots annotated "legitimate traffic starts", "FTP starts", "attack starts" / "attack stops"]

Experiment 3 (26/39)
[topology diagram: CLIENT, ATTACKER, ATTACKER, ROUTER, VICTIM]
[slides 27-28: traffic plots annotated "legitimate traffic starts", "FTP starts", "attack starts" / "attack stops"]

Experiment 4 (29/39)
[topology diagram: CLIENT, ATTACKER, ATTACKER, ROUTER, VICTIM]
[slides 30-31: traffic plots annotated "attack starts" / "attack stops"]
Summary of Results (32/39)
• D-WARD successfully detects and stops attacks
• Legitimate clients from other domains benefit greatly
• System is friendly to non-TCP traffic
• Legitimate TCP connections from source network are slowed down
• There is no fairness guarantee to normal flows

Attack Detection (33/39)
• Choice of monitored parameters:
  • reliability vs performance
  • separating legitimate from attack flows
• Creation and update of models
• Cooperation with other Source Routers
• Cooperation with the victim
• Recurring attacks

Attack Response (34/39)
• Effectiveness vs fairness of response
  • aggressiveness should depend on reliability of classification
  • design of feedback mechanism
• Traceback of the attack
• Interaction of multiple DDoS defense systems

Security (35/39)
• Attackers follow developments in security
• Attackers could attempt to avoid detection:
  • pulsing attacks
  • generating reverse packets
  • gradually use up victim's resources
  • mistrain models
• Attackers could attempt to misuse the system:
  • drop legitimate packets
• Attackers might DDoS Source Router

Partial Deployment (36/39)
• Effectiveness depends on degree of deployment
• Does not protect deploying network so motivation is low
• Legal factors could help
• Additional incentive:
  • minimal changes to existing routers
  • low cost
  • good performance
Deployment on Core Routers (37/39)
• Large coverage with less deployment points
• Router performance must not be degraded
• Rate limit has impact on large portion of flows, so few false positives are a must

Timeline (38/39)
[Gantt chart: tasks numbered 1 to 12 scheduled by quarter (Jan, Apr, Jul, Oct) over Year 1 and Year 2]

Conclusions (39/39)
• DDoS attacks are a serious threat
• A design of effective detection and response strategy is a must
• D-WARD successfully detects and constrains the attacks but has undesired impact on legitimate flows
• Further research needed to refine the system and devise deployment strategy