563.3.2 DoS Detection and Defense

  1. 563.3.2 DoS Detection and Defense Computer Security II CS463/ECE424 University of Illinois

  2. Why is DDoS Defense hard? [MirkovicDDR04]
     • Simplicity
       • Plug-and-play attack tools
     • Traffic variety (similarity)
       • Attack traffic is as good as legitimate traffic
     • IP spoofing
     • High-volume traffic
       • Traffic profiling is hard, requires per-packet processing
     • Short time span
     • Numerous agent machines
     • Weak spot in Internet topology
       • Highly connected and well-provisioned spots relay traffic for the rest of the Internet

  3. Spread of Code Red II (figure); Code Red traffic approaching the White House (figure)

  4. Detecting DoS, Part 1 of 2
     • How common are DoS attacks and what is their nature?
     • Idea: conduct a survey of potential victims. Problem: how does a victim know it was under attack?
     • Can an ISP recognize an attack using data gathered by its routers?

  5. In-Network Monitoring [SekarDSMZ06]

  6. Number of Incidents in an 11 Day Period in August 2005

  7. Detecting DoS, Part 2 of 2
     • Another idea: detect bad behavior that is a symptom of DoS without the cooperation of the ISP. Examples:
       • Detect flows that violate TCP congestion control rules.
       • Detect spoofing.
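The two symptoms named on this slide can be checked from a victim's own traffic without ISP help. The following is an added example, not code from the lecture: it flags flows that send far more than a conforming TCP sender could at the observed RTT and loss rate, using the Mathis approximation rate <= 1.22 * MSS / (RTT * sqrt(p)) as the TCP-friendly bound (an assumption of this example; the slide names no formula), and it applies a per-source TTL-consistency heuristic for spoofing, which the slide also does not name. The flow records and packets are constructed.

```python
import math

MSS = 1460  # bytes per segment; typical Ethernet-sized TCP payload


def tcp_friendly_rate(mss, rtt, loss):
    """Upper bound (bytes/s) a conforming TCP flow could sustain at the given
    RTT (seconds) and packet loss rate. Mathis approximation, an assumption
    of this example: rate <= 1.22 * MSS / (RTT * sqrt(p))."""
    if loss <= 0:
        return math.inf  # no loss seen in the window: nothing to compare against
    return 1.22 * mss / (rtt * math.sqrt(loss))


def flag_non_tcp_flows(flows, tolerance=2.0, mss=MSS):
    """Return the ids of flows whose observed rate exceeds `tolerance` times
    the TCP-friendly bound. Each flow is a dict with keys id, bytes (bytes seen
    in the window), seconds (window length), rtt and loss."""
    suspects = []
    for f in flows:
        observed = f["bytes"] / f["seconds"]
        bound = tcp_friendly_rate(mss, f["rtt"], f["loss"])
        if observed > tolerance * bound:
            suspects.append(f["id"])
    return suspects


def ttl_inconsistent_sources(packets, max_spread=2):
    """Spoofing heuristic: packets from one real host arrive with a stable TTL
    (same hop count). A source whose TTLs spread more than `max_spread` is
    most likely several machines forging the same address. packets are
    (src_ip, ttl) pairs; returns the suspicious sources, sorted."""
    seen = {}
    for src, ttl in packets:
        seen.setdefault(src, set()).add(ttl)
    return sorted(s for s, ttls in seen.items() if max(ttls) - min(ttls) > max_spread)


# Constructed flow records over a 10-second window (not measured data).
FLOWS = [
    {"id": "A", "bytes": 1_500_000, "seconds": 10, "rtt": 0.10, "loss": 0.01},   # conforming
    {"id": "B", "bytes": 60_000_000, "seconds": 10, "rtt": 0.10, "loss": 0.05},  # ignores loss
    {"id": "C", "bytes": 40_000_000, "seconds": 10, "rtt": 0.05, "loss": 0.0},   # no loss: no bound
]

# Constructed (source, TTL) samples: one stable source, one with wildly varying TTLs.
PACKETS = [
    ("203.0.113.5", 52), ("203.0.113.5", 53), ("203.0.113.5", 52),
    ("198.51.100.7", 64), ("198.51.100.7", 31), ("198.51.100.7", 118),
]

if __name__ == "__main__":
    print("flows exceeding the TCP-friendly bound:", flag_non_tcp_flows(FLOWS))
    print("sources with inconsistent TTLs:", ttl_inconsistent_sources(PACKETS))
```

Flow C shows the limit of the rate test: with no loss in the window the bound is infinite, so a flow can only be judged once the network has actually signalled congestion to it. This is one reason the discussion question on the last slide asks about the pros and cons of "TCP-like" monitoring.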

  8. Backscatter Analysis [MooreSBVS06]

  9. Collection and Criteria

  10. Attacks by Protocol

  11. Attacks by Rate
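Slides 8 to 11 summarize backscatter analysis: unsolicited reply packets (SYN-ACKs, RSTs, ICMP errors) that land in an unused address block can only be answers to attack packets whose forged sources fell in that block, so each reply's source is a victim and the reply rate, scaled by the fraction of address space the block covers, estimates the attack rate. The code below is an added example, not from the lecture or from [MooreSBVS06]; the telescope prefix and the captured records are constructed, and a /8 is assumed so that the scale factor is 256.

```python
import ipaddress
from collections import defaultdict

# Constructed telescope block; stands in for an unused /8.
TELESCOPE = ipaddress.ip_network("10.0.0.0/8")
ADDRESS_SPACE = 2 ** 32

# Reply-type packets: unsolicited copies of these reaching an unused block can
# only be responses to packets that carried a spoofed source inside the block.
BACKSCATTER_TYPES = {"tcp-synack", "tcp-rst", "icmp-unreach", "icmp-echoreply"}


def is_backscatter(pkt):
    """True if pkt is a reply-type packet addressed into the telescope."""
    return pkt["type"] in BACKSCATTER_TYPES and ipaddress.ip_address(pkt["dst"]) in TELESCOPE


def analyze(packets, window_seconds, min_packets=1):
    """Group backscatter by victim (the reply's source) and extrapolate:
    if the attacker spoofs sources uniformly, the telescope sees a fraction
    |telescope| / 2^32 of the replies, so the victim's total attack rate is
    the observed rate divided by that fraction."""
    per_victim = defaultdict(lambda: {"packets": 0, "types": defaultdict(int)})
    for pkt in packets:
        if not is_backscatter(pkt):
            continue
        entry = per_victim[pkt["src"]]
        entry["packets"] += 1
        entry["types"][pkt["type"]] += 1
    scale = ADDRESS_SPACE / TELESCOPE.num_addresses  # 256 for a /8
    report = {}
    for victim, entry in per_victim.items():
        if entry["packets"] < min_packets:
            continue  # a minimum-size criterion drops tiny, noise-level events
        observed_pps = entry["packets"] / window_seconds
        report[victim] = {
            "observed_pps": observed_pps,
            "estimated_attack_pps": observed_pps * scale,
            "types": dict(entry["types"]),
        }
    return report


# Constructed 4-second capture at the telescope.
PACKETS = [
    {"src": "198.51.100.10", "dst": f"10.{i}.{i}.{i}", "type": "tcp-synack"} for i in range(8)
] + [
    {"src": "203.0.113.3", "dst": "10.200.1.1", "type": "tcp-rst"},
    {"src": "203.0.113.3", "dst": "10.77.5.9", "type": "tcp-rst"},
    {"src": "192.0.2.44", "dst": "10.1.2.3", "type": "tcp-syn"},         # a scan, not a reply
    {"src": "198.51.100.10", "dst": "192.0.2.1", "type": "tcp-synack"},  # outside the telescope
]
WINDOW_SECONDS = 4

if __name__ == "__main__":
    for victim, r in analyze(PACKETS, WINDOW_SECONDS).items():
        print(victim, r)
```

The per-victim type breakdown is what the "Attacks by Protocol" slide tabulates; the extrapolated rate is the basis of "Attacks by Rate". The uniform-spoofing assumption is the main caveat: attacks that spoof from a narrow range, or not at all, are under- or never counted.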

  12. Our Discussion
     • Filtering-Based Defenses
       • Ingress and route-based filtering
       • Traceback/Pushback
       • Packet marking
       • Overlays
     • Proof-Based Defenses
       • Cookies
       • Client puzzles
       • Bandwidth

  13. DoS Countermeasures: Ingress Filtering [FergusonS00]
     • Spoofed packets ingress from the leaf network into the Internet on to the victim
     • Limit ingress traffic to return addresses in 204.69.207.0/24
     (Figure: attacker inside leaf network 204.69.207.0/24, the Internet, the victim; attack traffic and backscatter)

  14. Customized On-Demand Ingress Filtering
     • Locate the source of the attack as coming through ISP D
     • Ask ISP D to install an ingress or egress filter
     (Figure: attacker in leaf network 204.69.207.0/24, ingress and egress filter points at ISP D, the victim)

  15. Route-Based Packet Filtering [ParkL01]
     • Problems with ingress filtering
       • Limited deployment
       • Any gaps limit the effectiveness of the existing deployment
     • Generalization: filter packets based on routing information from the Internet Autonomous System (AS) topology
     (Figure: illustration of route-based packet filtering executed at node 6. Node 7 uses an IP address belonging to node 2 when attacking node 4.)
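Slides 13 and 15 describe two filters that reject packets whose source address is inconsistent with where they arrived. The following is an added example, not the lecture's or the cited papers' code: an ingress filter for the leaf prefix 204.69.207.0/24 from slide 13, and a route-based filter in the spirit of [ParkL01] that, at a given AS, accepts a packet only if routing says traffic from its source to its destination should arrive on that link. The seven-node topology and all packets are constructed so that the slide's scenario (node 7 forging node 2's address to attack node 4, filtered at node 6) can be replayed.

```python
import ipaddress
from collections import deque

# ---- Ingress filtering (RFC 2827 / [FergusonS00]) --------------------------
LEAF_PREFIX = ipaddress.ip_network("204.69.207.0/24")  # the prefix on the slide


def ingress_filter(packets, prefix=LEAF_PREFIX):
    """Apply where the leaf network enters its ISP: packets are (src, dst)
    address strings; only sources inside the leaf's own prefix are forwarded."""
    forwarded, dropped = [], []
    for src, dst in packets:
        if ipaddress.ip_address(src) in prefix:
            forwarded.append((src, dst))
        else:
            dropped.append((src, dst))  # forged source: never reaches the Internet
    return forwarded, dropped


# ---- Route-based filtering ([ParkL01]) --------------------------------------
# An AS that knows the topology knows which neighbour a packet from source AS s
# to destination AS d must arrive on; arriving on any other link, the packet
# carries a forged source. Constructed topology (AS numbers are node labels):
#
#   1 - 2 - 3 - 6 - 4
#               |
#               5 - 7
AS_GRAPH = {1: [2], 2: [1, 3], 3: [2, 6], 6: [3, 4, 5], 4: [6], 5: [6, 7], 7: [5]}


def route(graph, src, dst):
    """Shortest path from src to dst by BFS (the topology above is a tree, so
    each route is unique); None if dst is unreachable."""
    parent = {src: None}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for v in graph[u]:
            if v not in parent:
                parent[v] = u
                queue.append(v)
    if dst not in parent:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = parent[node]
    return path[::-1]


def build_route_filter(graph, node):
    """Set of (source_as, dest_as, incoming_neighbour) triples consistent with
    routing at `node`; every other combination is filtered."""
    allowed = set()
    for s in graph:
        for d in graph:
            path = route(graph, s, d)
            if path and node in path:
                i = path.index(node)
                if i > 0:  # node is a transit or the destination, not the originator
                    allowed.add((s, d, path[i - 1]))
    return allowed


def route_filter(graph, node, packets):
    """packets: (source_as, dest_as, arrived_from_neighbour). Returns (forwarded, dropped)."""
    allowed = build_route_filter(graph, node)
    forwarded = [p for p in packets if p in allowed]
    dropped = [p for p in packets if p not in allowed]
    return forwarded, dropped


if __name__ == "__main__":
    print(ingress_filter([("204.69.207.17", "192.0.2.8"), ("198.51.100.9", "192.0.2.8")]))
    # Node 7 attacking node 4 with node 2's address arrives at 6 from 5,
    # but genuine traffic from 2 can only reach 6 via 3.
    print(route_filter(AS_GRAPH, 6, [(2, 4, 3), (2, 4, 5), (7, 4, 5)]))
```

The route-based filter needs no cooperation from the source's own ISP, which is the slide's point about the deployment gaps of ingress filtering; its cost is that node 6 must keep routing knowledge for every (source, destination) pair it transits, and a real deployment has to cope with asymmetric and multi-path routes that this tree topology avoids.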

  16. Pushback [MahajanBFIPS02]
     • Look for severe congestion
     • Congestion signature
     • Push back rate-limit
     • Signature
       • Too broad
       • Too narrow
     • Router
       • Upgrade
       • Traffic state
     • Too much too late

  17. Probabilistic Packet Marking to Traceback [GaoA05]

  18. Packet Marking [YaarPS03]
     • Pi Marking Scheme
       • Each router marks n bits into the IP Identification field
     • Marking Function
       • Last n bits of a hash (e.g. MD5) of the router's IP address
     • Marking Aggregation
       • Router pushes its marking into the IP Identification field
     • Pi filters
       • High-bandwidth flows (defined by marking) can be dropped by routers and the victim
     • There is only so much space in the IP Identification field
     (Figure: markings shifted into the Identification field hop by hop along the path from A to V)
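The Pi scheme as summarized on this slide, written out as an added example (not code from the lecture or from [YaarPS03]): each router contributes the last n bits of MD5 over its address, markings are pushed into the 16-bit Identification field by shifting, and a victim-side filter drops packets whose marking has already carried more than a threshold of packets. Router addresses, paths and the packet counts are constructed.

```python
import hashlib

ID_BITS = 16  # width of the IPv4 Identification field


def router_mark(router_ip, n):
    """Marking function: the last n bits of MD5(router address)."""
    digest = hashlib.md5(router_ip.encode("ascii")).digest()
    return int.from_bytes(digest, "big") & ((1 << n) - 1)


def mark_along_path(path, n, ident=0):
    """Marking aggregation: each router shifts the field left by n bits and
    ORs in its own mark. The field is only 16 bits wide, so only the marks of
    the last 16 // n routers survive; earlier ones are shifted out."""
    for ip in path:
        ident = ((ident << n) | router_mark(ip, n)) & ((1 << ID_BITS) - 1)
    return ident


class PiFilter:
    """Victim-side Pi filter: count packets per marking; once a marking has
    exceeded `threshold` packets it is treated as a high-bandwidth attack path
    and further packets carrying it are dropped."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.counts = {}

    def accept(self, ident):
        self.counts[ident] = self.counts.get(ident, 0) + 1
        return self.counts[ident] <= self.threshold


# Constructed router addresses; the two paths share their last two hops.
ATTACK_PATH = ["10.1.0.1", "10.2.0.1", "10.3.0.1", "10.4.0.1"]
LEGIT_PATH = ["10.9.0.1", "10.8.0.1", "10.3.0.1", "10.4.0.1"]


def simulate(n=2, threshold=10, attack_packets=50, legit_packets=5):
    """Push attack traffic, then legitimate traffic, through one filter.
    Returns (attack dropped, legit dropped, attack marking, legit marking)."""
    f = PiFilter(threshold)
    a_mark = mark_along_path(ATTACK_PATH, n)
    l_mark = mark_along_path(LEGIT_PATH, n)
    a_dropped = sum(not f.accept(a_mark) for _ in range(attack_packets))
    l_dropped = sum(not f.accept(l_mark) for _ in range(legit_packets))
    return a_dropped, l_dropped, a_mark, l_mark


if __name__ == "__main__":
    a_dropped, l_dropped, a_mark, l_mark = simulate()
    print(f"attack marking {a_mark:#06x} dropped {a_dropped}, "
          f"legit marking {l_mark:#06x} dropped {l_dropped}")
```

Two limits of the slide's last bullet are visible in the code: with n = 8 only the last two routers' marks fit, so paths that differ only further upstream become indistinguishable; and with small n two different paths can hash to the same marking, in which case the legitimate path above is dropped along with the attack path. The filter is usable only as long as those collisions are rare relative to the attack's path count.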

  19. Secure Overlay Services [KeromytisMR02]
     • Authenticate client communication
     • Longer/slower route
     • Closed network
     (Figure: client, Overlay Access Point, overlay nodes, Beacon, Secret servlet, filtered region around the target; Internet route versus overlay hops over a secure channel)

  20. DDoS Defense Challenges [MirkovicR04]
     • Distributed response required
       • Cooperation between many points
       • Economic and social factor
         • Source deploys filter to protect destination
       • Legislative measures
     • Lack of detailed attack information
       • Frequency of attack types, attack parameters, increasing attack scale
       • Backscatter, Internet Telescope
     • Lack of defense benchmark
       • How should the performance be measured?
       • NSF benchmarking effort
     • Difficulty of large scale testing
       • Test bed mimicking the Internet (e.g. PlanetLab and DETER)

  21. AT&T 2000

  22. Mirkovic and Reiher Classification for DDoS Defense Mechanisms

  23. Taxonomy of DDoS Defenses
     • Preventive vs. Reactive
     • Degree of Cooperation
       • Autonomous
       • Cooperative
       • Interdependent
     • Deployment Location
       • Victim network
       • Intermediate network
       • Source network

  24. Reactive Strategies
     • Detection
       • Pattern: signatures of known attacks stored
       • Anomaly: model of normal system behavior
         • Standard: detect half-open TCP
         • Trained: traffic dynamics, expected system performance
       • Third Party: traceback
     • Response
       • Agent Identification
       • Rate-limiting
       • Filtering
       • Reconfiguration: change the topology of the victim or the network to add more resources or isolate attack machines

  25. Degree of Cooperation
     • Autonomous – independent defense at the point of deployment
     • Cooperative – perform better in joint operation
     • Interdependent – cannot operate autonomously

  26. Deployment Location
     • Victim network – most common, the most interested party
     • Intermediate network – ISP can provide the service, potential for cooperation
     • Source network – prevent DDoS at the source, least motivation
     (Figure: source networks, middle of network, victim network)

  27. Other factors
     • Stateless vs. Stateful
     • Internet architecture
     • Router modification
     • Application modification

  28. Reading, Part 1 of 2
     • [SekarDSMZ06] LADS: Large-scale Automated DDoS Detection System. Vyas Sekar, Nick Duffield, Oliver Spatscheck, Jacobus van der Merwe, and Hui Zhang. USENIX ATC 2006.
     • [MooreSBVS06] Inferring Internet Denial-of-Service Activity. David Moore, Colleen Shannon, Douglas J. Brown, Geoffrey M. Voelker, and Stefan Savage. ACM Transactions on Computer Systems, 24(2), 2006.
     • [FergusonS00] Network Ingress Filtering: Defeating Denial of Service Attacks which Employ IP Source Address Spoofing. P. Ferguson and D. Senie. IETF RFC 2827, 2000.
     • [ParkL01] On the Effectiveness of Route-Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets. Kihong Park and Heejo Lee. SIGCOMM 2001.
     • [YaarPS03] Pi: A Path Identification Mechanism to Defend against DDoS Attacks. Abraham Yaar, Adrian Perrig, and Dawn Song. IEEE Security and Privacy, 2003.

  29. Reading, Part 2 of 2
     • [MirkovicDDR04] Internet Denial of Service: Attack and Defense Mechanisms. Jelena Mirkovic, Sven Dietrich, David Dittrich, and Peter Reiher. Pearson 2004.
     • [MirkovicR04] A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms. Jelena Mirkovic and Peter Reiher. Computer Communications Review, Vol. 34, No. 2, April 2004.
     • [GaoA05] Tracing Cyber Attacks from the Practical Perspective. Zhiqiang Gao and Nirwan Ansari. IEEE Communications Magazine, May 2005.
     • [KeromytisMR02] SOS: Secure Overlay Services. Angelos D. Keromytis, Vishal Misra, and Dan Rubenstein. ACM SIGCOMM 2002.

  30. Discussion
     • What should be the qualities of a “good” detection technique?
     • What are the pros and cons of monitoring flows to see if they are “TCP-like” as a way to prevent DoS?
