1 / 21

MULTOPS A data-structure for bandwidth attack detection

MULTOPS A data-structure for bandwidth attack detection. Thomer M. Gil Vrije Universiteit, Amsterdam, Netherlands MIT, Cambridge, MA, USA thomer@lcs.mit.edu Massimiliano Poletto Mazu Networks, Inc., Cambridge, MA, USA maxp@mazunetworks.com. Bandwidth attacks.

zita
Download Presentation

MULTOPS A data-structure for bandwidth attack detection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. MULTOPS A data-structure for bandwidth attack detection Thomer M. GilVrije Universiteit, Amsterdam, Netherlands MIT, Cambridge, MA, USA thomer@lcs.mit.edu Massimiliano Poletto Mazu Networks, Inc., Cambridge, MA, USA maxp@mazunetworks.com

  2. Bandwidth attacks • Maliciously generated traffic congests links • Traffic is typically ICMP, UDP, or TCP • IP spoofing: fake IP source addresses • Distribution: multiple hosts pounding one victim

  3. router router MULTOPS heuristic Drop packets from sources sending disproportionate flows Normal: proportional packet rates Attack: disproportional packet rates

  4. Feb 2000: ICMP flood MULTOPS + MULTOPS identifies attackers’ addresses + MULTOPS drops packets from those addresses

  5. Implementation challenges • Precise identification of malicious addresses • Small memory footprint • Minimal impact on forwarding performance

  6. Naive data-structure + Identifies individual attackers • Requires too much memory - Most entries are zero or insignificant - Total packet rate per subnet expensive to calculate from-rate to-rate 2 0 0.0.0.0 ... ... 460 474 18.26.4.9 232 entries 2,450 189 18.26.4.10 ... ... 0 0 255.255.255.255

  7. Less naive data-structure + Requires little memory - May not detect small attacks • Prefixes very short; risky to use for dropping policy - Impossible to collect finer grained data from-rate to-rate 204 0 0.0.0.0/8 ... ... 528,238 518,234 18.0.0.0/8 256entries 309,988 20,876 19.0.0.0/8 ... ... 0 0 255.0.0.0/8

  8. MULTOPS /8 subnets + Provides packet rates on different aggregation levels + Expands and contracts dynamically + Disregards insignificant subnets and addresses + Memory efficient /16 subnets /24 subnets IP addresses

  9. from-rate ... Algorithm source: 18.26.4.9 destination: 130.37.24.4 source: 130.37.24.4 destination: 18.26.4.9 from-rate to-rate ... ... ... ... 2,986 2,746 18.0.0.0/8 ... ... ... ... ... ...

  10. 64 28 67 150 Update rate for 64.0.0.0/8 Update rate for 64.28.0.0/16; exceeds threshold: create child node Update rate for 64.28.67.0/24 in newly created node Expansion Nodes dynamically created to track finer grained packet rates IP address

  11. Contraction • MULTOPS could run out of memory • Attackers may cause this intentionally • Impose absolute memory limit • Contract stale parts of the tree periodically contract

  12. Scenario MULTOPS + MULTOPS drops packets with malicious address prefix • Collateral damage depends on length of address prefix

  13. MULTOPS dropping decision • Drop packet based on 2 criteria • Packet rate > 100 packets per second, and • Ratio > 1:3 • Values determined through experimentation • Thomer M. Gil: • note: some applications that use non-TCP protocols display proportional behavior, e.g., DNS and NFS

  14. Randomized source addresses • Impossible to identify attackers’ addresses • Easy to identify victim’s address • Drop packets based on victim’s address • 2 MULTOPS to stop both attack types • Source-based MULTOPS: non-randomized attacks • Destination-based MULTOPS: randomized attacks

  15. Reverse orientation MULTOPS + MULTOPS drops packets going to victim + Victim’s network relieved from malicious traffic - MULTOPS drops benign packets going to victim

  16. Performance • MULTOPS implemented in Click, a modular router • Forwarding speed inversely related to size of tree • Forwards up to 825,000 packets per second • Pentium III, 833MHz PC • 256MB main memory, 256KB cache • Better performance than reported in paper • Simpler mechanism to compute packet rates

  17. Cycles per packet for different attacks 16 MB 8 MB 2 MB

  18. Status • Enhanced MULTOPS used by Mazu Networks • Has detected TCP floods on commercial networks • Identified a single 8-bit malicious address prefix

  19. Future work and problems • Different ACK policies change ratio for valid traffic • Not all Internet traffic is TCP • Asymmetric routes • MULTOPS must see traffic in both directions • Requires distributed data collection

  20. Related work • Ingress/egress filtering (RFC2827) • IP Traceback (Savage et al.) • CenterTrack (Stone) • Pushback (Bellovin et al.) • RMON, Netflow (Cisco) MULTOPS is complementary

  21. Conclusion • MULTOPS identifies attacker/victim addresses • Effectiveness depends on • MULTOPS location on network • Randomized source address • MULTOPS successfully detects and stops attacks

More Related