Defending against LargeScale Distributed DenialofService Attacks

1
Defending against Large-ScaleDistributed
Denial-of-Service Attacks

• Department of Electrical and Computer Engineering
• Advanced Research in Information Assurance and
  Security (ARIAS) Lab
• Virginia Tech
• Jung-Min Park

2
Overview of DoS Attacks

• What is a DoS attack?
• An attack that disrupts network services to
  legitimate clients
• Large-scale Distributed DoS (DDoS) attack of Feb.
  2000
• A DDoS attack took down Yahoo, EBay, and
  Amazon.com
• Outage caused millions of dollars in lost revenue
• Hundreds of attacks are observed each day
• Global corporations lost over 1.39 trillion in
  revenue due to security breaches in 2000, and
• Over 60 are due to viruses and DoS attacks
  (http//www.captusnetworks.com/BeenDoSd.pdf)
• FBI reports indicate DoS attacks are on the rise

3
Taxonomy of DoS Attacks

• Attacks that exploit system design weaknesses
• Teardrop attack
• Ping-of-death attack
• Land attack
• SYN flood attack
• Attacks that exploit the weakness of particular
  protocols
• Attacks against authentication protocols
• Attacks against key agreement protocols
• Attacks that exploit the asymmetry between line
  rate and throughput of hosts and routers
• Flooding-based DDoS attacks

4
Flooding-based DDoS Attacks

• Exploits the asymmetry between line rate and
  throughput of hosts and routers
• Large volume of packets is sent toward a victim
• Consumes bandwidth and processing power of the
  victim
• DDoS attacks utilize attack handlers and zombies
  to hide the identity of the real attacker

5
Lines of Defense Against DDoS Attacks

• Apply software patch
• SYN cookies, client puzzles
• Design DoS attack resistant systems
• Overlay networks

• Signature (misuse) detection
• Anomaly detection

• Client puzzles
• Aggregate filtering, pushback
• Overlay networks

• IP traceback packet marking
• IP traceback packet logging
• Attack traceback

6
TRACKA New Approach to IP Traceback
7
The IP Traceback Problem

• IP traceback strategies
• Probabilistic Packet Marking (PPM)
• Packet Logging

8
Limitations of Current IP Traceback Schemes

• Do not support last-hop traceback
• Packet logging schemes
• Significant computation overhead on routers
• Significant storage overhead on routers
• Packet marking
• Not scalable Complexity of path reconstruction
  process increases rapidly as number of attackers
  increase
• Large number of packets need to be collected

9
rouTer poRt mArking and paCKet filtering (TRACK)

• Objective
• Reduce computation complexity of path
  reconstruction
• Reduce number of packets that need to be
  collected
• Support last-hop traceback
• Support gradual deployment
• Filter attack traffic using traceback information

10
Basic Principles of TRACK
A string composed of locally-unique router
interface port numbers is a globally unique
identifier of a path.
11
Marking Traceback Information in the IP Header
12
Router Port Marking Procedure
Active Port Marking Mode (APMM) at probability of
p
Passive Port Marking Mode (PPMM) at probability
of 1 p
13
Path Reconstruction Process of TRACK

• Objective
• Recover the port number sequence of an attack
  path and convert them into a sequence of router
  IP addresses
• Approach
• Distribute the path reconstruction process among
  the victims upstream routers (victim ?
  attackers border router)(similar to Pushback)
• Employ a trace table and trace packets
• Use same info. to filter attack traffic at the
  border router of the attacker
• Computational Complexity O(N2)

14
Path Reconstruction Process of TRACK
MKF 1, XOR PN 18,Distance TTL5 (254) 30
Assume C3 is sending packets to V M is in APMM
F, B, and A are in PPMM
MKF 1, PN 18,Distance 30, TTL5 27, XOR
2 (18 ? 47 ? 34 ? 21) d 30 27 3
15
Path Reconstruction Process of TRACK
d Distance TTL5
XOR(d1) ? PN(d1) XOR(d) C3s path
21-34-47-18
16
Number of Packets Needed for Path Reconstruction
p 0.01
p 0.04
17
False Positive Rate
Skitter Internet map
Complete tree topology model
18
Gradual Deployment
Skitter Internet map
Complete tree topology model
19
Chained PuzzlesA Novel Approach to IP-Layer
Puzzles
20
Client Puzzle Protocols

• A technique used to mitigate DoS attacks that
  does not rely on distinguishing between attack
  traffic and legitimate client traffic
• Puzzles are typically based on difficult problems
  from cryptosystems
• Partial reversal of a hash function
• Exhaustive key search in a private key
  cryptosystem

21
Basic Principles of Chained Puzzles

• Puzzle algorithm Exhaustive key search of XTEA6
• XTEA6 Truncated version of the XTEA encryption
  algorithm

• Puzzle Routers
• Puzzle distribution and verification is performed
  by the first-hop border router called a Puzzle
  Router
• Puzzles are enabled by downstream Puzzle Routers

22
Message Exchange Between Puzzle Routers

• Downstream Puzzle Routers enable puzzles at the
  upstream Puzzle Routers

23
Optimal Location for Detection and Mitigation

• Detection DDoS attacks are detected easily near
  the server or the main victim of the attack
  (packet loss, heavy congestion, etc.)
• Mitigation Preventing or mitigating an attack
  is best performed as close to the source of the
  attack as possible

24
Puzzle Distribution

• How do we distribute puzzles?
• Easy in TCP ? 3-way handshake
• IP is connectionless and a client puzzle protocol
  is connection oriented
• Client asks for a puzzle
• Server sends the puzzle to the client
• Client solves the puzzle, sends the solution back
  to the server

• Solution
• Puzzle solution chaining

25
Puzzle Solution Chaining

• When Puzzles are enabled, bootstrapping
  procedure is needed to create the first puzzle
• Subsequent puzzles are created by the client
  independently
• Current solution becomes plaintext for the next
  puzzle

26
Puzzle Solution Chaining contd

• Client creates a chain of puzzles

• The Puzzle Router reissues the puzzle challenge
  periodically

27
Probabilistic Verification

• Probabilistic verification
• Puzzle Routers verify incoming puzzles according
  to a given probability
• Increase performance and throughput of the Puzzle
  Routers

28
Simulation Results NPSR

• Normal Packet Survival Ratio (NPSR)
• Percentage of legitimate packets that can make
  their way to the victim in the midst of a DDoS
  attack

29
Future Work

• IP Traceback
• Improve scalability
• Better support of gradual deployment
• Minimize the number of false positives
• Support IP fragments
• Support router degrees greater than 64
• Client puzzle protocol
• Specification of a Puzzle Routers functions
• Resolve protocol architecture issues
• Counter puzzle protocol circumvention
• Ensure fairness

30
Questions?
31
Conclusion

• Last-hop traceback capability a step closer to
  attack traceback
• Support of gradual deployment more realistic
  solution
• Using router port instead of router as the atomic
  unit for traceback fewer packets and less
  computational complexity for path reconstruction,
  finer granularity, and less false positive
• Attack detection at the victim and packet
  filtering at the zombies border routers the
  optimal location for both modules

32
Backup
33
Path Reconstruction Process of TRACK

• Objective
• Recover the port number sequence of an attack
  path and convert them into a sequence of router
  IP addresses
• Approach
• Distribute the path reconstruction process among
  the victims upstream routers (victim ?
  attackers border router)(similar to Pushback)
• Employ a trace table and trace packets
• Use same info. to filter attack traffic at the
  border router of the attacker
• Computational Complexity O(N2)

34
Limitation of Current Attack Mitigation Schemes

• Problem
• Conventional countermeasures attempt to detect
  and filter at the same location
• Fact
• Attack detection is easier closer to the victim,
  packet filtering is more effective closer to the
  attack source
• Solution
• Separate the two functions in separate modules

35
Attack Mitigation (Packet Filtering)

• Location of attack detectionand packet
  filtering
• At the victim
• In the network
• At the attack source

36
Probabilistic Packet Marking (Basics)

• Routers mark packets with fragments of its IP
  addresses probabilistically
• Identification field in IP header is used (The
  probability of IP fragmentation is 0.25)
• The victim can collect IP fragments from many
  packets to reconstruct attacking path

37
Overhead of Packet Logging

• For a OC-192 link
• TRACK 50k destination IP address insertion or
  update per second 900MB/hours storage,
  upper-bounded by 20GB
• The scheme in Snoe01 60 million hash
  operations per second 44GB storage per hour,
  bounded by the maximum allowed traceback time
• The scheme in Li04 8 million hash operations
  per second 5.2GB storage per hour, bounded by
  the maximum allowed traceback time

38
False Positive Analysis
39
Gradual Deployment

• Neighbor-Discovery Handshake Protocol
• Jump back to source during path reconstruction