Title: PacketScore: Statistics-based Overload Control against Distributed Denial-of-service Attacks: Yoohwan Kim, Wing Cheong Lau, Mooi Choo Chuah, H. Jonathan Chao
Slide 1: PacketScore: Statistics-based Overload Control against Distributed Denial-of-service Attacks
Yoohwan Kim, Wing Cheong Lau, Mooi Choo Chuah, H. Jonathan Chao
- Presenter: Yatin Manjrekar
Slide 2: Agenda
- Introduction
- Overview of the PacketScore approach
- PacketScore methodologies
- Performance evaluation
- Conclusion
Slide 3: Introduction
- Denial-of-service attack
  - Overload the server to bring it down
- Distributed denial-of-service attack
  - End-point attacks
  - Infrastructure attacks
- Limitations of manual detection
Slide 4: Introduction (cont.)
- D-WARD approach
  - Statistical traffic profiling at the edge of the network; aims at stopping the attack near its source
  - Viability hinges on the cooperation of the ingress network administrator, which is a deployment issue (what about the backbone network?)
- Available commercial products do not fully automate packet differentiation and filter enforcement
Slide 5: Overview of the PacketScore approach
- Three phases (3D-R: detecting-differentiating-discarding router)
  - Detect the onset of an attack
  - Differentiate between legitimate and attack packets using CLP
  - Discard packets selectively
- What is PacketScore?
  - A score-based filtering approach
Slide 6: (no transcript)
Slide 7: PacketScore methodologies
- Packet differentiation via fine-grained traffic profile comparison
- Assumption: some traffic characteristics are stable during normal operation
- An increase in the frequency of a packet attribute value indicates attacking packets
- Can one guess the distribution of an attribute?
Slide 8: Attribute value distribution
Slide 9: Attribute value distribution (cont.)
Slide 10: Attribute value distribution (cont.)
Slide 11: Conditional Legitimate Probability (CLP)
- The likelihood of a suspicious packet being legitimate
- Each packet carries a set of discrete-valued attributes
- Joint distribution for strongly correlated attributes
- Marginal distribution for the other attributes
Slide 12: Conditional Legitimate Probability (CLP)
Slide 13: CLP (cont.)
Slide 14: Variation of nominal profiles
- The nominal traffic profile is a function of time
- The traffic profile changes with the day of the week and the time of day
- These profile changes can be handled using periodic recalibration
- The 95th percentile is used to save storage
Slide 15: Managing nominal traffic profiles
- Iceberg-style histograms
  - The traffic profile of each target is stored in the form of normalized histograms
  - Iceberg histograms include only the most frequent entries
  - Missing entries are assumed to have the relative upper-bound frequency
  - The per-target profile is kept to a manageable size, which saves on storage requirements
Slide 16: Real-time profiling
- The packet attribute distributions are updated on each packet arrival
- Updating is decoupled from computing CLP and is done in parallel at a different time scale
- CLP is computed from a recent snapshot of the measured histograms
- Generate a set of scorebooks that map specific combinations of attribute values to scores
Slide 17: Real-time traffic profiling
Slide 18: Selective packet discarding
- On arrival of a suspicious packet:
  - CLP is the differentiating metric
  - The aggregate arrival rate is adjusted, which in turn changes the load-shedding algorithm
  - Packet attributes are used to update the traffic profile
  - The CLP-based score is computed using frozen (snapshot) scorebooks
  - Discard the packet if its CLP is less than the threshold
- Immunity rules can be used for packets with a certain minimum-throughput requirement
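The following is an added worked example (not code from the paper or the presentation) tying together slides 11, 15, 16 and 18: iceberg histograms with an upper-bound frequency for missing entries, frozen per-attribute scorebooks, a score computed from them, a load-driven threshold and an immunity rule. It assumes a score defined as the sum of per-attribute log ratios of nominal to measured frequency with attributes treated as independent marginals; the deck does not give the exact CLP formula, and all packet data is constructed.

```python
from collections import Counter
from math import log

# Constructed sample traffic (not from the paper). Each packet is a tuple of
# discrete attributes: (protocol, destination port). NOMINAL is the attack-free
# profile; MEASURED is the same legitimate mix plus a constructed UDP flood.
NOMINAL = [("TCP", 80)] * 6 + [("TCP", 443)] * 3 + [("UDP", 53)]
MEASURED = NOMINAL + [("UDP", 1434)] * 30

def iceberg_histogram(packets, attr, top_n):
    """Normalized histogram keeping only the top_n most frequent values of one
    attribute. Also returns the frequency of the least frequent kept entry, which
    is the relative upper bound assumed for any entry missing from the iceberg."""
    counts = Counter(pkt[attr] for pkt in packets)
    kept = {v: c / len(packets) for v, c in counts.most_common(top_n)}
    return kept, min(kept.values())

def build_scorebooks(nominal, measured, n_attrs, top_n=2):
    """One frozen scorebook per attribute: value -> log(nominal / measured freq).
    Attributes are treated as independent marginals (a simplifying assumption)."""
    books = []
    for attr in range(n_attrs):
        nom, nom_floor = iceberg_histogram(nominal, attr, top_n)
        mea, mea_floor = iceberg_histogram(measured, attr, top_n)
        table = {v: log(nom.get(v, nom_floor) / mea.get(v, mea_floor))
                 for v in set(nom) | set(mea)}
        books.append((table, log(nom_floor / mea_floor)))  # fallback for unseen values
    return books

def score_packet(pkt, books):
    """Log-CLP style score: higher means more likely legitimate."""
    return sum(table.get(pkt[i], fallback) for i, (table, fallback) in enumerate(books))

def shed_threshold(packets, books, keep_fraction):
    """Load shedding: the score below which the lowest-scoring (1 - keep_fraction)
    of the current packets would be dropped to bring load down to the target."""
    scores = sorted(score_packet(p, books) for p in packets)
    return scores[int(len(scores) * (1 - keep_fraction))]

def filter_packets(packets, books, threshold, immune=lambda pkt: False):
    """Discard packets scoring below the threshold unless an immunity rule applies."""
    return [p for p in packets if immune(p) or score_packet(p, books) >= threshold]

if __name__ == "__main__":
    books = build_scorebooks(NOMINAL, MEASURED, n_attrs=2)
    thr = shed_threshold(MEASURED, books, keep_fraction=0.2)
    # Immunity rule: DNS traffic has a minimum-throughput requirement, so never drop it.
    kept = filter_packets(MEASURED, books, thr, immune=lambda pkt: pkt == ("UDP", 53))
    print(f"threshold={thr:.3f}; kept {len(kept)} of {len(MEASURED)} packets")
```

Without the immunity rule the single legitimate DNS packet scores below the threshold because the flood shifts the UDP marginal, which is exactly the collateral-damage case the immunity rules on slide 18 exist for.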
Slide 19: (no transcript)
Slide 20: Performance evaluation
Slide 21: Performance criteria
- Difference between the score distributions R_A and R_L
- The score distributions have long, thin tails with outliers
- Min_L (Max_A) is taken as the 1st (99th) percentile rather than the extreme value
Slide 22: (no transcript)
Slide 23: Different evaluated attack types
- Generic attack
- TCP SYN flood attack
- SQL Slammer worm attack
- Nominal attack
- Mixed attack
- Changing attack
Slide 24: (no transcript)
Slide 25: Effect of increasing attack intensity
Slide 26: Nominal profile sensitivity
Slide 27: Different options of scoring strategies
Slide 28: Scoring strategy
Slide 29: Setting thresholds
Slide 30: Conclusion
- Collaboration of the 3D-Rs and the DCS (DDoS control server) defends against DDoS attacks
- The proposed scheme leverages hardware implementation of data-stream processing techniques
- We studied the performance and design trade-offs of the proposed packet-scoring scheme
- It can tackle never-before-seen DDoS attacks (weak claim? too many parameters?)