200 likes | 322 Views
Sonia Fahmy Ness Shroff Students : Roman Chertov Rupak Sanjel Center for Education and Research in Information Assurance and Security (CERIAS) Purdue University October 25 th , 2004. Experiments with DDoS and Routing. Objectives.
E N D
Sonia Fahmy Ness Shroff Students: Roman Chertov Rupak Sanjel Center for Education and Research in Information Assurance and Security (CERIAS) Purdue University October 25th, 2004 Experiments with DDoS and Routing
Objectives • Design, integrate, and deploy a methodology and tools for performing realistic and reproducible DDoS experiments: • Tools to configure traffic and attacks • Tools for automation of experiments, measurements, and visualization of results • Integration of multiple third-party software components • Understand the testing requirements of different types of third party detection and defense mechanisms • Gain insight into the phenomenology of attacks including their first-order and their second-order effects, and impact on defenses
Accomplishments • Designed and implemented experimental tools: • Scriptable event system to control and synchronize events at multiple nodes • Automated measurement tools, log processing tools, and plotting tools • Automated configuration of interactive and replayed background traffic, routing, attack parameters, and measurements • Generated requirements for DETER to easily support the testing of third party products (e.g., ManHunt, Sentivist)
Accomplishments (cont’d) • Analytical characterization,simulations, and experiments for low-rate TCP-targeted DDoS attacks • Preliminary analysis of BGP behavior during DDoS, and BGP impact on DDoS
TCP-Targeted Attacks • Varied: Attack burst length l and sleep period T-l • A. Kuzmanovic and E. W. Knightly. Low-rate targeted denial of service attacks. SIGCOMM 2003. • M. Guirguis et al. Exploiting the transients of adaptation for RoQ attacks on Internet resources. ICNP 2004. • H. Sun et al. Defending against low-rate TCP attacks: Dynamic detection and protection. ICNP 2004. • Objective: • Understand attack effectiveness (damage versus effort) in terms of application-level, transport-level, and network-level metrics at multiple nodes l l Rate T-l R Time
Attack Parameters vs. RTT 0.38 Mbps without an attack 0.75 Mbps without an attack Client with 63 ms RTT to the server
Short RTT 1.00 Mbps without an attack 1.40 Mbps without an attack Client with 12.6 ms RTT to the server
ttcp Experiments Attack 100-1000 Unacked data during 5MB file transfer (31.97 sec = 160.16 KB/sec)
Emulation vs. Simulation • Effects of attack sleep period on the average congestion window of a single TCP (SACK) from TTCP tool • The attack flow is multiplexed with the data flow
Routing • Need to understand magnitude of potential problems, causes, and defenses
Scenario • At 222 sec, nodes 8, 11, and 14 attack node 9 (zebra router running BGP) for 400 seconds. • No activity for 200 seconds. Allow all nodes to stabilize. • Nodes 8, 11, and 14 attack node 9 for 400 seconds again. Node 36 attacks node 10 (neighbor of node 9) for 400 seconds.
Lessons Learned • Insights into sensitivity to emulation environment • Some effects we observe may not be observed on actual routers and vice versa (architecture and buffer sizes) • Emulab and DETER results significantly differ for the same test scenario (CPU speed) • Priority for routing packets in Cisco routers • Limit on the degree of router nodes, delays, bandwidths • Difficulties in testing third party products • Products (hardware or software) connect to hubs, switches, or routers • Layer 2/layer 3 emulation and automatic discovery/allocation can simplify DETER use for testing third party mechanisms • Due to licenses, we need to control machine selection in DETER • Windows XP is required to test some products, e.g., Sentivist administration interface • Difficult to evaluate performance when mechanism is a black box e.g., cannot mark attack traffic and must solely rely on knowledge of attack
Plans • Continue development of experiment automation and instrumentation/plotting tools and documentation • Design increasingly high fidelity experimental suites • Continue investigation of TCP-targeted DDoS attacks in more depth, and compare analytical and simulation results with DETER testbed results to identify artifacts
Plans (cont’d) • Investigate routing problems/attacks, and compare with DETER testbed results • Continue to collaborate with routing team and McAfee team to identify experimental scenarios and build tools for routing experiments