1 / 44

D-WARD 1

D-WARD 1. 1 “Attacking DDoS at the source,” Mirkovic, Prier, Reiher, ICNP 2002. Goal: detect attacks, reduce the attack traffic, recognize and favor the legitimate traffic Source-end, inline defense system Gathers statistics on flows and connections, compares them with protocol-based models:

yuki
Download Presentation

D-WARD 1

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. D-WARD1 1“Attacking DDoS at the source,” Mirkovic, Prier, Reiher, ICNP 2002 • Goal: detect attacks, reduce the attack traffic, recognize and favor the legitimate traffic • Source-end, inline defense system • Gathers statistics on flows and connections, compares them with protocol-based models: • Mismatching flow statistics indicate attack • Matching connection statistics indicate legitimate traffic • Dynamic and selective rate-limit algorithm: • Fast decrease to relieve the victim • Fast increase when the attack stops and on false alarms • Detects and forwards legitimate connection packets

  2. Flows And Connections

  3. D-WARD Overview

  4. D-WARD Overview

  5. D-WARD Overview

  6. Can It Work? • Extensive experiments indicate: • Fast detection of a wide range of attacks • Effective control of the attack traffic • Extremely low collateral damage • Fast removal of rate limit when attack stops • Small processing and memory overhead • Effectively stops attacks from deploying networks • Only effective in actually stopping attacks if deployed at most/all potential attacking networks • May provide synergistic benefits with other defenses

  7. Advantages And Limitations • Fast detection and control of wide range of attacks • Extremely low collateral damage • Low number of false positives • Stops attacks as soon as possible • Attackers can perform successful attacks from unprotected networks • Deployment motivation is low

  8. Netbouncer1 1“NetBouncer: Client-legitimacy-based High-performance DDoS Filtering,” Thomas, Mark, Johnson. Croall, DISCEX 2003 • Goal: detect legitimate clients and only serve their packets • Victim-end, inline defense system deployed in front of the choke point • Keeps a list of legitimate clients: • Only packets from these clients are served • Unknown clients receive a challenge to prove their legitimacy, several levels of legitimacy tests • Various QoS techniques are applied to assure fair sharing of resources by legitimate client traffic • Legitimacy of a client expires after a certain interval

  9. Netbouncer Overview Legitimacy list N

  10. Netbouncer Overview Legitimacy list N

  11. Netbouncer Overview Legitimacy list N

  12. Netbouncer Overview Legitimacy list N

  13. Can It Work? • Successfully defeats spoofed attacks • Ensures fair sharing of resources among clients that have proved to be legitimate • All legitimacy tests are stateless – defense system cannot be target of state-consumption attacks • Some legitimate clients do not support certain legitimacy tests (i.e. ping test) • Legitimate client identity can be misused for attacks • Large number of agents can still degrade service to legitimate clients, creating “flash crowd” effect

  14. Advantages And Limitations • Ensures good service to legitimate clients in the majority of cases • Does not require modifications of clients or servers • Stateless legitimacy tests ensure resiliency to DoS attacks on Netbouncer • Realistic deployment model: Autonomous solution, close to the victim • Attackers can perform successful attacks by: • Misusing identities of legitimate clients • Recruiting a large number of agents • Some legitimate clients will not be validated • Challenge generation may exhaust defense

  15. SOS1 1“ SOS: Secure Overlay Services,” Keromytis, Misra, Rubensteain, ACM SIGCOMM 2002 • Goal: route only “verified user” traffic to the server, drop everything else • Clients use overlay network to reach the server • Clients are authenticated at the overlay entrance,their packets are routed to proxies • Small set of proxies are “approved” to reach the server, all other traffic is heavily filtered out

  16. SOS • User first contacts nodes that can check its legitimacy and let him access the overlay – access points • An overlay node uses Chord overlay routing protocol to send user’s packets to a beacon • Beacon sends packets to a secret servlet • Secret servlets tunnel packets to the firewall • Firewall only lets through packets with an IP of a secret servlet • Secret servlet’s identity has to be hidden, because their source address is a passport for the realm beyond the firewall • Beacons are nodes that know the identity of secret servlets • If a node fails, other nodes can take its role

  17. SOS Overview AP B SS F AP B SS Access Point Beacon Secure Servlet Firewall

  18. SOS Overview AP B SS F AP B SS Access Point Beacon Secure Servlet Firewall

  19. SOS Overview AP B SS F AP B SS Access Point Beacon Secure Servlet Firewall

  20. SOS Overview AP B SS F AP B SS Access Point Beacon Secure Servlet Firewall

  21. Can It Work? • SOS successfully protects communication with a private server: • Access points can distinguish legitimate from attack communications • Overlay protects traffic flow • Firewall drops attack packets • Redundancy in the overlay and secrecy of the path to the target provide security against DoS attacks on SOS

  22. Advantages And Limitations • Ensures communication of “verified user” with the victim • Resilient to overlay node failure • Resilient to DoS on the defense system • Does not work for public service • Clients must be aware of overlay and use it to access the victim • Traffic routed through the overlay travels on suboptimal path • Still allows brute force attack on links leading to the firewall • If the attacker can find it

  23. Client Puzzles1 1“Client puzzles: A cryptographic countermeasure against connection depletion attacks,” Juels, Brainard, NDSS 1999 • Goal: defend against connection depletion attacks • When under attack: • Server distributes small cryptographic puzzles to clients requesting service • Clients spend resources to solve the puzzles • Correct solution, submitted on time, leads to state allocation and connection establishment • Non-validated connection packets are dropped • Puzzle generation is stateless • Client cannot reuse puzzle solutions • Attacker cannot make use of intercepted packets

  24. Client Puzzles Overview

  25. Client Puzzles Overview

  26. Client Puzzles Overview

  27. Can It Work? • Client puzzles guarantee that each client has spent a certain amount of resources • Server determines the difficulty of the puzzle according to its resource consumption • Effectively server controls its resource consumption • Protocol is safe against replay or interception attacks • Other flooding attacks will still work

  28. Advantages And Limitations • Forces the attacker to spend resources, protects server resources from depletion • Attacker can only generate a certain number ofsuccessful connections from one agent machine • Low overhead on server • Requires client modification • Will not work against highly distributed attacks • Will not work against bandwidth consumption attacks • Puzzle verification consumes server resources

  29. COSSACK1 1“COSSACK: Coordinated Suppression of Simultaneous Attacks,” Papadopoulos, Lindell, Mehringer, Hussain, Govindan, DISCEX 2003 • Goal: detect the attack, place response near the sources • COSSACK watchdogs are located at edge networks and organized into a multicast tree • Client watchdog detects the attack, notifies all involved sources via multicast tree • Sources join victim-specific group and exchange information • Involved sources perform smart filtering to control attack traffic

  30. COSSACK Overview W W W W W W

  31. COSSACK Overview W W W W W W

  32. COSSACK Overview W W W W W W

  33. COSSACK Overview W W W W W W

  34. Can It Work? • Victim-end detection is very accurate • Source-end response effectively stops attack, minimizes collateral damage • COSSACK should successfully detect and stop flooding attacks from protected networks • May inflict collateral damage if attack is similar to legitimate traffic

  35. Advantages And Limitations • Accurate detection at the victim, effective response at the source • No changes are required at client machines • Multicast communication is not scalable • Attacks from unprotected networks cannot be stopped • Collateral damage will be inflicted if attack is similar to legitimate traffic

  36. DefCOM1 1“Forming alliance for DDoS defense,” Mirkovic, Robinson, Reiher, Kuenning, NSPW 2003 • Goal: detect the attack, rate-limit the attack traffic, forward legitimate traffic • DefCOM nodes build an overlay network • Three types of nodes: • Alert generator – detect the attack, inform other nodes • Classifier – separate legitimate from suspicious traffic, forward legitimate packets marked with legitimate mark, rate-limit suspicious packets, mark them with monitored mark • Rate-limiter – rate limit all traffic to the victim, give the highest priority to legitimate, then to marked traffic • Alert generators and classifiers deployed at the edge, rate-limiters deployed at the core

  37. DefCOM Overview C RL AG C RL Alert Generator Rate-Limiter Classifier Overlay

  38. DefCOM Overview C RL AG C RL Alert Generator Rate-Limiter Classifier Overlay

  39. DefCOM Overview C RL AG C RL Alert Generator Rate-Limiter Classifier Overlay

  40. DefCOM Overview C RL AG C RL Alert Generator Rate-Limiter Classifier Overlay

  41. DefCOM Overview C RL AG C RL Alert Generator Rate-Limiter Classifier Overlay

  42. DefCOM Overview C RL AG C RL Alert Generator Rate-Limiter Classifier Overlay

  43. Can It Work? • Victim-end detection is very accurate • Source-end response effectively stops attacks • Rate-limiters in the core handle attacks from networks that do not have classifier nodes • Classifiers minimize collateral damage • DefCOM should successfully stop flooding attacks, while guaranteeing good service to legitimate traffic

  44. Advantages And Limitations • All actions are performed where they are most successful: • Accurate detection at the victim • Rate-limiting in the core • Traffic differentiation at the source • Selective response provides low collateral damage • Core nodes handle attacks from legacy networks • Overlay architecture provides scalability • Only a few deployment points are needed • Only effective with some core router deployment • Compromised overlay nodes can damage operation

More Related