Autonomic Response to Distributed Denial of Service Attacks

1
Autonomic Response to Distributed Denial of
Service Attacks

• Paper by Dan Sterne, Kelly Djahandari, Brett
  Wilson, Bill Babson, Dan Schnackenberg,
  Harley Holliday and Travis Reid
• Presented by Jesus F. Morales

2
Overview

• Introduction the problem
• Proposed solution
• The experiment
• Results
• Observations
• Conclusions

3
Introduction

• The problem
• Distributed Denial of Service (DDoS) attacks
• Hacker toolkits
• January 2001
• DDoS attack against websites hosting Hotmail,
  MSN, Expedia and other large services
• Services inaccessible for 22 hours

4
Current state of response

• Relies on expert, manual labor by network
  administrators
• Response includes two main activities
• Input debugging
• Find routers physical interfaces used for the
  attack (statistics, network traffic probes)
• Mitigation of network traffic flow
• Packet filtering or rate limiting at the
  associated router
• Contact upstream organizations

5
Current state of response drawbacks

• Requires immediate availability of highly skilled
  network administrators
• Time consuming
• Downtime costs
• It does not scale
• What about attacks involving hundreds of
  networks?
• Whack a mole attacks

6
Proposed solution

• Intruder Detection and Isolation Protocol (IDIP)
• Protocol for reporting intrusion-related events
  and coordinating attack tracebacks and automated
  response actions
• Cooperative Intrusion Traceback and Response
  Architecture (CITRA)
• The architecture based on IDIP
• Authors have adapted CITRA and IDIP for DDoS
  attacks

7
CITRA components and attack traceback and
mitigation
8
Attack response

• Policy mechanisms for each CITRA component along
  the attack path determine the adequate response
• Block attacked service port on all requests from
  attackers address or network for a specified
  amount of time
• At CITRA-enabled hosts
• Kill offending process
• Disable offending users account
• Goal use the narrowest network response
• Stop the attack
• Minimize impact on legitimate users
• Reports with responses taken is sent to the
  Discovery Coordinator (DC)
• Global view and system topology allows,
  hopefully, for the best community-wide response

9
Experiment Autonomic response to DDoS

• The problem
• Sophisticated DDoS toolkits generate traffic that
  blends in with legitimate traffic
• Cannot be blocked by router packet filters
  without blocking legitimate traffic
• Traffic rate limiting may be more useful
• Experiment goals
• Prove that CITRA and IDIP can defend against DDoS
  attacks
• In particular, against a Stacheldraht v4 attack

10
Experiment Stacheldraht toolkit and test
application

• Stacheldraht toolkit
• Can generate ICMP, UDP and TCP floods and Smurf
  attacks
• Provides one or more master servers that control
  agents (flood sources)
• Can target floods at arbitrary machines and ports
• Test application
• Audio/video streaming
• RealNetworks RealSystem sever
• RealPlayer client

11
Experiment topology and scenario
12
Experiment settings

• Test data
• 8-minute 11-seconds continuous motion video
• Encoded at 200.1 Kbps
• RealPlayet
• Best quality video setting (10 Mbps bandwidth)
• Data buffering 5 seconds (the minimum)
• Transport protocol UDP
• Attack
• Target is the RealSystem server
• UDP packets indistinguishable from control
  packets sent to the server from RealPlayer clients

13
Experiment Stacheldraht flooding and autonomic
rate limiting
14
Experiment results Normal run
15
Experiment results Flood run
16
Experimental results Full recovery run
17
Experimental results Degraded recovery run
18
Observations

• Degraded recovery probably due to detectors slow
  response speed (366 MHz Pentium II)
• Independent experiment
• Results confirmed
• Full recovery obtained every time
• Higher performance detector
• CITRAs response effective after 2 seconds vs. 10
  12 seconds.
• Results are preliminary
• UDP allows traceback and mitigation request with
  one IP packet vs. TCP would require a three-way
  handshake first. May result in a slower
  propagation upstream

19
Conclusions

• DDoS attacks an increasing threat to the Internet
• Manual defense is inadequate
• CITRA prototype for DDoS with rate limiting
  function seems to be a promising automatic
  response