
Characterizing and Defending Against DDoS Attacks



  1. Characterizing and Defending Against DDoS Attacks Christos Papadopoulos ..and many others

  2. How Do Computers Find Each Other?
     (Diagram: Computer 1 and Computer 2 connected through the Internet)

  3. What Are the Different Kinds of Addresses?
     • Domain name (e.g., www.usc.edu)
       • Global, human readable name
     • DNS translates the name to an IP address (e.g., 128.125.19.146)
       • Global, understood by all networks
     • Finally, we need a local network address
       • e.g., Ethernet (08-00-2c-19-dc-45)
       • Local, works only on a particular network

  4. Domain Naming System (DNS)
     (Diagram: Computer 1 asks the local DNS server “What’s the IP address for www.usc.edu?” and the server answers “It is 128.125.19.146”. The DNS server address is manually configured into the OS.)

  5. Finding the Ethernet Address: Address Resolution (ARP)
     (Diagram, on one Ethernet segment: a host broadcasts “Who knows the Ethernet address for 128.125.51.41?”; the owner broadcasts back “I do, it is 08-00-2c-19-dc-45”.)

  6. Sending a Packet Through the Internet
     • Routers send the packet to the next closest point
     • The Internet routes packets based on their destination!
     (Diagram: hosts H attached to a mesh of routers R; H: Hosts, R: Routers)

  7. Smurf Attack
     (Diagram: attacker → amplifier network → target)
     • Broadcast echo request; the source address is spoofed to be the target’s address
     • Many echo replies are received by the target, since most machines on the amplifier network respond to the broadcast

  8. TCP SYN Flooding - A more powerful attack
     (Diagram, normal case: client (port 33623/tcp) → server (port 23/tcp): SYN; server → client: SYN-ACK; client → server: ACK [ACK set for remainder of session]; session proceeds.)
     (Diagram, attack case: SPOOFED SYN from a nonexistent host → target (port 23/tcp); target → nonexistent host: SYN-ACK; FINAL ACK NEVER SENT.)
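The two attack signatures on slides 7 and 8 can both be spotted from a packet summary without any payload inspection: a SYN flood leaves handshakes that never receive the client's final ACK, and a Smurf attack delivers echo replies from one subnet to a host that never sent those hosts an echo request. The following detector is an added example, not code from the slides or the COSSACK project; the `Pkt` record layout, its field names and the packet trace (built from documentation address ranges) are my own constructions.

```python
# Added example (not part of the COSSACK slides): two detectors for the attack
# patterns on slides 7 and 8, run over a constructed packet trace.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Pkt:
    """Minimal packet summary; the field set is assumed, not a real decoder's."""
    src: str
    dst: str
    proto: str            # "tcp" or "icmp"
    tcp_flags: str = ""   # "S" = SYN, "SA" = SYN-ACK, "A" = ACK
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1   # 8 = echo request, 0 = echo reply


def half_open_per_service(packets):
    """SYN-flood signature (slide 8): client SYNs whose handshake never completed.

    Returns {(server_ip, port): number of SYNs still waiting for the client's
    final ACK}. A spoofed SYN from a nonexistent host is never ACKed, so its
    entry stays pending; a real client's ACK removes its entry."""
    pending = set()
    for p in packets:
        if p.proto != "tcp":
            continue
        flow = (p.src, p.sport, p.dst, p.dport)
        if p.tcp_flags == "S":
            pending.add(flow)
        elif p.tcp_flags == "A":
            pending.discard(flow)  # final ACK of the handshake
    counts = defaultdict(int)
    for _, _, dst, dport in pending:
        counts[(dst, dport)] += 1
    return dict(counts)


def unsolicited_echo_reply_fan_in(packets, min_hosts=10):
    """Smurf signature (slide 7): many echo replies from one subnet (the
    amplifier network) to a host that never sent those hosts an echo request.

    Returns {(victim_ip, amplifier_/24): number of distinct replying hosts}
    for every subnet with at least min_hosts repliers."""
    requested = {(p.src, p.dst) for p in packets
                 if p.proto == "icmp" and p.icmp_type == 8}
    replying = defaultdict(set)
    for p in packets:
        if p.proto != "icmp" or p.icmp_type != 0:
            continue
        if (p.dst, p.src) in requested:
            continue  # reply to a request the victim really sent
        subnet = str(ip_network(p.src + "/24", strict=False))
        replying[(p.dst, subnet)].add(p.src)
    return {k: len(v) for k, v in replying.items() if len(v) >= min_hosts}


def constructed_trace():
    """Constructed packet trace using documentation address ranges."""
    server, client = "192.0.2.10", "10.0.0.5"
    pkts = [
        # legitimate telnet handshake, as on the left of slide 8
        Pkt(client, server, "tcp", "S", 33623, 23),
        Pkt(server, client, "tcp", "SA", 23, 33623),
        Pkt(client, server, "tcp", "A", 33623, 23),
        # legitimate ping from the server to the client, answered
        Pkt(server, client, "icmp", icmp_type=8),
        Pkt(client, server, "icmp", icmp_type=0),
    ]
    # 50 spoofed SYNs from nonexistent hosts: SYN-ACKs go out, the final ACK never comes
    for i in range(1, 51):
        ghost = f"203.0.113.{i}"
        pkts.append(Pkt(ghost, server, "tcp", "S", 40000 + i, 23))
        pkts.append(Pkt(server, ghost, "tcp", "SA", 23, 40000 + i))
    # 40 echo replies from the amplifier network 198.51.100.0/24 hitting the victim
    for i in range(1, 41):
        pkts.append(Pkt(f"198.51.100.{i}", server, "icmp", icmp_type=0))
    return pkts


if __name__ == "__main__":
    trace = constructed_trace()
    print("half-open SYNs per service:", half_open_per_service(trace))
    print("unsolicited echo-reply fan-in:", unsolicited_echo_reply_fan_in(trace))
```

On the constructed trace the legitimate handshake and the legitimate ping drop out of both results, leaving 50 half-open connections on port 23 of the victim and 40 distinct repliers from the amplifier /24. In a real deployment both counters would be computed per time window, since a SYN that is a few milliseconds old is not yet suspicious.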

  9. So, What Is DDoS? Distributed Denial of Service
     • New, more pernicious type of attack
     • Many hosts “gang up” to attack another host
     • Network resource attack:
       • Bandwidth
       • State

  10. Why Should We Care?
     • Successfully used to attack prominent sites in the Internet by those with a primitive understanding of Internet protocols
     • It is relatively easy to do, but hard to detect and stop
     • It is only going to get worse unless we develop adequate protection mechanisms

  11. Anatomy of an Attack
     • Compromise a large set of machines
     • Install attack tools
     • Instruct all attack machines to initiate an attack against a victim
     The process is highly automated.

  12. Phase 1: Compromise
     A (stolen) account is used as a repository for attack tools. A scan is performed to identify potential victims. A script is used to compromise the victims.

  13. Phase 2: Install Attack Tools
     • An automated installation script is then run on the “owned” systems to download and install the attack tool(s) from the repository.
     • Optionally, a “root kit” is installed on the compromised systems.

  14. Phase 3: Launch Attack
     • Launch a coordinated DDoS from different sites against a single victim.
     • Network pipes of the attackers can be small, but the aggregated bandwidth is far larger than the victim’s pipe.
     • The victim’s ISP may not notice the elevated traffic.
     • DDoS attacks are harder to track than a DoS.

  15. Some Known DDoS Attack Tools
     • Trin00
     • Tribal Flood Network (TFN)
     • Tribal Flood Network 2000 (TFN2K)
     • Stacheldraht

  16. Stacheldraht
     • Combines features of trin00 and TFN.
     • Adds encryption between the attacker and masters, and automated update of agents.
     • Communication between attacker and masters takes place on TCP port 16660.
     • Daemons receive commands from masters through ICMP echo replies.
     • Supports ICMP, UDP, SYN flood and Smurf attacks.

  17. Stacheldraht client session (as shown on the slide):
      # ./client 192.168.0.1
      [*] stacheldraht [*]
      (c) in 1999 by ...
      trying to connect...
      connection established.
      --------------------------------------
      enter the passphrase : sicken
      --------------------------------------
      entering interactive session.
      ******************************
      welcome to stacheldraht
      ******************************
      type .help if you are lame
      stacheldraht(status: a!1 d!0)>

  18. Stacheldraht help output (as shown on the slide):
      stacheldraht(status: a!1 d!0)>.help
      available commands in this version are:
      --------------------------------------------------
      .mtimer .mudp .micmp .msyn .msort .mping .madd .mlist .msadd .msrem .distro .help .setusize .setisize .mdie .sprange .mstop .killall .showdead .showalive
      --------------------------------------------------
      stacheldraht(status: a!1 d!0)>

  19. Some Commands
      .distro user server     Instructs the agent to install and run a new copy of itself using the Berkeley "rcp" command, on the system "server", using the account "user" (e.g., "rcp user@server:linux.bin ttymon")
      .madd ip1[:ip2[:ipN]]   Add IP addresses to list of attack victims.
      .mdie                   Sends die request to all agents.

  20. COSSACK: Coordinated Suppression of Simultaneous Attacks
      Computer Networks Division, ISI
      http://www.isi.edu/cossack

  21. People
     • Co-PIs: Christos Papadopoulos, Bob Lindell (USC/ISI)
     • Affiliations: Ramesh Govindan (USC/ISI)
     • Staff: John Mehringer (ISI)
     • Students: Alefiya Hussain (USC)
     • DARPA synergies:
       • D-WARD - Peter Reiher, Jelena Mirkovic (UCLA)
       • SAMAN - John Heidemann (USC/ISI)

  22. Cossack Overview
     • Distributed set of watchdogs at the network perimeter
       • Local IDS
       • Group communication
       • Topology information (when available)
     • Fully distributed approach
       • Peer-to-peer rather than master-slave
     • Attack-driven dynamic grouping of watchdogs
     • Attack correlation via coordination with other watchdogs
     • Independent, selective deployment of countermeasures

  23. Cossack: A Simplified View
     (Diagram: several attackers, watchdogs W at the perimeter of their networks and of the target’s network, and the target)

  24. Attacks Begin
     (Diagram: the attackers start sending traffic toward the target; the watchdogs W sit at the network perimeters)

  25. Watchdogs Communicate Using YOID
     (Diagram: the watchdogs W exchange information with each other over YOID)

  26. Attacks Detected
     (Diagram: the watchdogs W, coordinating over YOID, detect the attack)

  27. Watchdogs Install Filters and Eliminate Attack
     (Diagram: the watchdogs W install filters and the attack traffic no longer reaches the target)

  28. Detecting Source Spoofed Attacks
     (Diagram: the watchdogs W coordinate over YOID to detect attacks whose source addresses are spoofed)

  29. Cossack Watchdog Architecture
     (Diagram of components: Router Control with a Linux IPTables Router Interface and a Cisco Interface; Snort Interface; Other IDS (D-WARD); Pulsing Detector; Event Monitor; Rate Monitor; Distributed Blackboard; Yoid Multicast Interface connecting the watchdog to the YOID multicast group)

  30. Cossack Plugin Operation
     (Same component diagram; labels: Packet Flow Statistics; Packet Averages Grouped by Destination Address; Request more stats)

  31. Cossack Plugin Operation (continued)
     (Same component diagram; labels: Packet Flow Statistics; Packet Averages Grouped by Destination Address; Request for more stats; Packet Averages Grouped by Source Address)

  32. Cossack Network Inspector
     Tool to determine detection thresholds for watchdogs
     • Interfaces with the Cossack Snort Plugin
     • Collects aggregate level network traffic statistics
     • Traffic filters created using Snort rules
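Slides 30 to 32 describe a two-stage statistics flow: the Snort plugin reports packet averages grouped by destination address, a watchdog that sees a destination over its threshold requests more statistics, now grouped by source address, and the Network Inspector sets those thresholds from aggregate traffic measurements. The code below is an added example of that flow, not the COSSACK plugin or inspector; the flow-record tuple shape, the baseline intervals and the "mean plus three standard deviations" calibration rule are my assumptions.

```python
# Added example (not COSSACK's code): the two-stage statistics flow sketched on
# slides 30-32, with a detection threshold calibrated from baseline traffic.
from collections import defaultdict
from statistics import mean, pstdev


def packets_per_destination(flow_records):
    """Packet totals grouped by destination address (the first-stage statistic).
    flow_records: iterable of (src, dst, packets) tuples for one sample interval."""
    totals = defaultdict(int)
    for _, dst, n in flow_records:
        totals[dst] += n
    return dict(totals)


def packets_per_source(flow_records, dst):
    """Packet totals grouped by source address for one destination (the
    second-stage statistic a watchdog requests once a destination looks suspicious)."""
    totals = defaultdict(int)
    for src, d, n in flow_records:
        if d == dst:
            totals[src] += n
    return dict(totals)


def calibrate_threshold(baseline_intervals, k=3.0):
    """Network-inspector style calibration (assumed rule): threshold = mean + k * stddev
    of the per-destination packet count over attack-free intervals."""
    samples = [n for interval in baseline_intervals
               for n in packets_per_destination(interval).values()]
    return mean(samples) + k * pstdev(samples)


def rate_monitor(interval, threshold):
    """Stage 1: find destinations above threshold; stage 2: drill down by source.
    Returns {dst: {src: packets}} for every flagged destination."""
    flagged = {}
    for dst, n in packets_per_destination(interval).items():
        if n > threshold:
            flagged[dst] = packets_per_source(interval, dst)
    return flagged


def constructed_baseline():
    """Three attack-free sample intervals (constructed): two busy servers."""
    return [
        [("10.0.0.1", "192.0.2.10", 95), ("10.0.0.2", "192.0.2.20", 110)],
        [("10.0.0.1", "192.0.2.10", 105), ("10.0.0.2", "192.0.2.20", 130)],
        [("10.0.0.1", "192.0.2.10", 100), ("10.0.0.2", "192.0.2.20", 120)],
    ]


def constructed_attack_interval():
    """One interval in which 30 new sources flood 192.0.2.10 (constructed)."""
    records = [("10.0.0.1", "192.0.2.10", 98), ("10.0.0.2", "192.0.2.20", 125)]
    records += [(f"203.0.113.{i}", "192.0.2.10", 40) for i in range(1, 31)]
    return records


if __name__ == "__main__":
    threshold = calibrate_threshold(constructed_baseline())
    print(f"threshold: {threshold:.1f} packets per interval")
    for dst, by_source in rate_monitor(constructed_attack_interval(), threshold).items():
        print(f"{dst}: {len(by_source)} sources, top senders:",
              sorted(by_source.items(), key=lambda kv: -kv[1])[:3])
```

The baseline gives a threshold of about 146 packets per interval; during the constructed flood the victim receives 1298 packets and is the only destination flagged, and the second-stage breakdown shows the 30 flooding sources beside the one legitimate client. The per-source view is what a watchdog needs before deciding where a filter should be installed.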

  33. Cossack Performance
     • Response time: 5 – 30 seconds
     • Insensitive to attack type

  34. Attack Capture and Analysis
     Goal: Capture some attacks, analyze and learn from them
     • Packet-level capture facilities in several sites:
       • Los Nettos
       • USC
       • CAIDA
       • [Telcordia, Sprint]
     • Spectral analysis

  35. Tracing Infrastructure
     (Diagram labels: Internet; Cogent, Verio, Genuity, LA-MAE; Los Nettos; Trace Machine (140 Mbps, 38 kpps); Los Nettos customers: JPL, Caltech, Centergate, TRW, USC)

  36. Captured Attacks • Captured and classified about 120 attacks over several months

  37. Spectral Attack Analysis
     (Figure: spectra of two captured attacks, each with its F(60%) marked)
     • Single-source attack: strong higher frequencies and a linear Normalized Cumulative Spectrum (NCS)
     • Multi-source attack (145 sources): localization of power in the low frequencies of the NCS

  38. Spectral Analysis
     Goal: identify single- vs. multi-source attacks
     • Single-source: F(60%) mean 268 Hz (240-295 Hz)
     • Multi-source: F(60%) mean 172 Hz (142-210 Hz)
     • Able to robustly categorize unclassified attacks
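Slides 37 and 38 summarize the spectral fingerprint without showing how F(60%) is obtained: bin the packet arrival times into a count series, take its power spectrum, form the normalized cumulative spectrum (NCS), and read off the frequency at which 60% of the power has accumulated. The block below is an added worked example of that pipeline, not the project's analysis code. It assumes 1 ms bins (so the spectrum spans 0 to 500 Hz, consistent with the F(60%) values on slide 38), uses constructed traffic, and the 225 Hz split used to label a trace is my own choice, placed between the two ranges the slide reports.

```python
# Added example (not the COSSACK project's analysis code): normalized cumulative
# spectrum (NCS) and F(60%) of a packet-arrival series, as on slides 37-38.
# Assumption: arrivals are counted in 1 ms bins, so the spectrum spans 0-500 Hz.
import cmath
import math
import random

FS_HZ = 1000.0  # assumed sampling rate (1 ms bins)


def bin_arrivals(timestamps_ms, duration_ms):
    """Count packet arrivals per 1 ms bin over [0, duration_ms)."""
    counts = [0] * duration_ms
    for t in timestamps_ms:
        i = int(t)
        if 0 <= i < duration_ms:
            counts[i] += 1
    return counts


def power_spectrum(series):
    """One-sided power spectrum of the mean-removed series by direct DFT
    (pure Python; fine for a few hundred bins). Returns [(freq_hz, power), ...]."""
    n = len(series)
    mu = sum(series) / n
    x = [v - mu for v in series]
    twiddle = [cmath.exp(-2j * math.pi * m / n) for m in range(n)]
    spectrum = []
    for k in range(n // 2 + 1):
        acc = sum(x[t] * twiddle[(k * t) % n] for t in range(n))
        spectrum.append((k * FS_HZ / n, abs(acc) ** 2))
    return spectrum


def ncs(spectrum):
    """Normalized cumulative spectrum: fraction of total power at or below each frequency."""
    total = sum(p for _, p in spectrum) or 1.0
    running, out = 0.0, []
    for f, p in spectrum:
        running += p
        out.append((f, running / total))
    return out


def f_percent(spectrum, fraction=0.60):
    """Lowest frequency at which the NCS reaches `fraction`; F(60%) by default."""
    for f, c in ncs(spectrum):
        if c >= fraction:
            return f
    return spectrum[-1][0]


def classify_by_f60(f60_hz, split_hz=225.0):
    """The split point is an assumption chosen between the ranges on slide 38."""
    return "single-source" if f60_hz >= split_hz else "multi-source"


def constructed_single_source(duration_ms=600, period_ms=3):
    """One attacker emitting a packet every 3 ms (constructed)."""
    return bin_arrivals(range(0, duration_ms, period_ms), duration_ms)


def constructed_multi_source(n_sources=145, duration_ms=600, seed=7):
    """145 sources that each burst on and off with their own period and phase
    (constructed); their sum varies slowly, putting most power at low frequencies."""
    rng = random.Random(seed)
    counts = [0] * duration_ms
    periods = (50, 60, 75, 100, 120, 150)  # ms; each divides 600 so bins align
    for _ in range(n_sources):
        period = rng.choice(periods)
        phase = rng.randrange(period)
        for t in range(duration_ms):
            if (t + phase) % period < period // 2:  # source is in its "on" half
                counts[t] += 1
    return counts


if __name__ == "__main__":
    for name, series in (("single", constructed_single_source()),
                         ("multi", constructed_multi_source())):
        f60 = f_percent(power_spectrum(series))
        print(f"{name}: F(60%) = {f60:.1f} Hz -> {classify_by_f60(f60)}")
```

The strictly periodic single-source stream puts all of its power at 333.3 Hz, so its NCS jumps there and F(60%) lands high; the aggregate of many on/off sources concentrates power near the sources' slow burst rates, so the NCS rises early and F(60%) stays low. Real captures are noisier than either, which is why the slide reports ranges rather than single values.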

  39. Conclusions
     • Cossack is a fully distributed approach against DDoS attacks
     • The software is operational and currently undergoing Red Team testing
     • We continue to capture attacks, analyze and learn from them
     • The spectral analysis work is very promising
     http://www.isi.edu/cossack