
Autonomic Response to Distributed Denial of Service Attacks

Autonomic Response to Distributed Denial of Service Attacks. Paper by: Dan Sterne, Kelly Djahandari, Brett Wilson, Bill Babson, Dan Schnackenberg, Harley Holliday and Travis Reid Presented by: Jesus F. Morales. Overview. Introduction: the problem Proposed solution



Presentation Transcript


  1. Autonomic Response to Distributed Denial of Service Attacks
     Paper by: Dan Sterne, Kelly Djahandari, Brett Wilson, Bill Babson, Dan Schnackenberg, Harley Holliday and Travis Reid
     Presented by: Jesus F. Morales

  2. Overview
     • Introduction: the problem
     • Proposed solution
     • The experiment
     • Results
     • Observations
     • Conclusions

  3. Introduction
     • The problem
       • Distributed Denial of Service (DDoS) attacks
       • Hacker toolkits
     • January 2001
       • DDoS attack against websites hosting Hotmail, MSN, Expedia and other large services
       • Services inaccessible for 22 hours

  4. Current state of response
     • Relies on expert, manual labor by network administrators
     • Response includes two main activities:
       • “Input debugging”
         • Find the router’s physical interfaces used for the attack (statistics, network traffic probes)
       • Mitigation of network traffic flow
         • Packet filtering or rate limiting at the associated router
     • Contact upstream organizations

  5. Current state of response: drawbacks
     • Requires immediate availability of highly skilled network administrators
     • Time consuming
       • Downtime & costs
     • It does not scale
       • What about attacks involving hundreds of networks?
       • “Whack-a-mole” attacks

  6. Proposed solution
     • Intruder Detection and Isolation Protocol (IDIP)
       • Protocol for reporting intrusion-related events and coordinating attack tracebacks and automated response actions
     • Cooperative Intrusion Traceback and Response Architecture (CITRA)
       • The architecture based on IDIP
     • Authors have adapted CITRA and IDIP for DDoS attacks

  7. CITRA: components and attack traceback and mitigation

  8. Attack response
     • Policy mechanisms for each CITRA component along the attack path determine the adequate response
       • Block the attacked service port on all requests from the attacker’s address or network for a specified amount of time
       • At CITRA-enabled hosts
         • Kill the offending process
         • Disable the offending user’s account
     • Goal: use the narrowest network response
       • Stop the attack
       • Minimize impact on legitimate users
     • Reports of the responses taken are sent to the Discovery Coordinator (DC)
       • Its global view of the system topology allows, hopefully, for the best community-wide response

  9. Experiment: Autonomic response to DDoS
     • The problem
       • Sophisticated DDoS toolkits generate traffic that “blends in” with legitimate traffic
       • Cannot be blocked by router packet filters without blocking legitimate traffic
       • Traffic rate limiting may be more useful
     • Experiment goals
       • Prove that CITRA and IDIP can defend against DDoS attacks
       • In particular, against a Stacheldraht v4 attack

  10. Experiment: Stacheldraht toolkit and test application
     • Stacheldraht toolkit
       • Can generate ICMP, UDP and TCP floods and Smurf attacks
       • Provides one or more master servers that control agents (flood sources)
       • Can target floods at arbitrary machines and ports
     • Test application
       • Audio/video streaming
       • RealNetworks’ RealSystem server
       • RealPlayer client

  11. Experiment: topology and scenario

  12. Experiment: settings
     • Test data
       • 8-minute 11-second continuous motion video
       • Encoded at 200.1 Kbps
     • RealPlayer
       • Best quality video setting (10 Mbps bandwidth)
       • Data buffering: 5 seconds (the minimum)
       • Transport protocol: UDP
     • Attack
       • Target is the RealSystem server
       • UDP packets indistinguishable from the control packets sent to the server by RealPlayer clients

  13. Experiment: Stacheldraht flooding and autonomic rate limiting

  14. Experiment results: Normal run

  15. Experiment results: Flood run

  16. Experimental results: Full recovery run

  17. Experimental results: Degraded recovery run

  18. Observations
     • Degraded recovery probably due to the detector’s slow response speed (366 MHz Pentium II)
     • Independent experiment
       • Results confirmed
       • Full recovery obtained every time
       • Higher-performance detector
       • CITRA’s response effective after 2 seconds vs. 10 – 12 seconds
     • Results are preliminary
     • UDP allows a traceback and mitigation request to be sent in a single IP packet, whereas TCP would require a three-way handshake first; this may result in slower propagation upstream
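As an added example (not code from the paper or the CITRA prototype), the following toy discrete-time model ties together slides 4, 8, 9 and 18: a detector at the victim alerts when offered load exceeds the server's capacity, traceback ("input debugging") flags only the upstream interfaces carrying the flood, and just those are rate-limited because the router cannot tell attack packets from legitimate ones; varying the detection delay reproduces the 2-second vs. 10 – 12-second contrast. Interface names, packet rates and thresholds are constructed assumptions.

```python
"""Toy model of CITRA-style autonomic rate limiting of a UDP flood (added
example, not the paper's code). Constructed scenario: sources sit behind
upstream ISP interfaces; a detector at the victim alerts when offered load
exceeds server capacity; after a detection delay, traceback flags every
interface carrying more than IFACE_THRESH pps and rate-limits only those."""

CLIENT_PPS, AGENT_PPS = 5, 500   # legit control traffic vs. one flood agent
CAPACITY_PPS = 200               # server load above which playback degrades
IFACE_THRESH, LIMIT_PPS = 100, 50

# (upstream interface, packets/s, is_attack_agent) -- constructed topology
SOURCES = [("isp-a", CLIENT_PPS, False), ("isp-a", CLIENT_PPS, False),
           ("isp-b", CLIENT_PPS, False), ("isp-b", AGENT_PPS, True),
           ("isp-c", AGENT_PPS, True), ("isp-c", AGENT_PPS, True)]

def offered_load(t, flood_start):
    """Per-interface [legit_pps, attack_pps] offered toward the victim at second t."""
    load = {}
    for iface, pps, is_agent in SOURCES:
        entry = load.setdefault(iface, [0.0, 0.0])
        if not is_agent:
            entry[0] += pps
        elif t >= flood_start:
            entry[1] += pps
    return load

def simulate(duration_s=30, flood_start=10, detect_delay_s=2):
    """Return (seconds overloaded, fraction of legit packets served, limited ifaces)."""
    detected_at, limited, overloaded = None, set(), 0
    legit_offered = legit_served = 0.0
    for t in range(duration_s):
        load = offered_load(t, flood_start)
        if detected_at is None and sum(map(sum, load.values())) > CAPACITY_PPS:
            detected_at = t                     # detector raises the alert
        responding = detected_at is not None and t >= detected_at + detect_delay_s
        passed = passed_legit = 0.0
        for iface, (legit, attack) in load.items():
            rate = legit + attack
            allowed = rate
            if responding and rate > IFACE_THRESH:
                limited.add(iface)              # "input debugging" found this path
                allowed = min(rate, LIMIT_PPS)  # narrowest response: limit it only
            passed += allowed
            passed_legit += legit * allowed / rate if rate else 0.0  # packets look alike
            legit_offered += legit
        overloaded += passed > CAPACITY_PPS
        served = min(passed, CAPACITY_PPS)      # server blindly drops the excess
        legit_served += passed_legit * served / passed
    return overloaded, legit_served / legit_offered, limited
```

With a 2-second detection delay the victim is overloaded for 2 seconds and about 76% of legitimate packets are served over the run; with a 12-second delay those figures become 12 seconds and about 57%, and with no response at all about 42%.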

  19. Conclusions
     • DDoS attacks are an increasing threat to the Internet
     • Manual defense is inadequate
     • The CITRA prototype for DDoS with a rate-limiting function seems to be a promising automatic response
