Autonomic Response to Distributed Denial of Service Attacks - PowerPoint PPT Presentation

1
Autonomic Response to Distributed Denial of
Service Attacks
  • Paper by Dan Sterne, Kelly Djahandari, Brett
    Wilson, Bill Babson, Dan Schnackenberg,
    Harley Holliday and Travis Reid
  • Presented by Jesus F. Morales

2
Overview
  • Introduction: the problem
  • Proposed solution
  • The experiment
  • Results
  • Observations
  • Conclusions

3
Introduction
  • The problem
  • Distributed Denial of Service (DDoS) attacks
  • Hacker toolkits
  • January 2001
  • DDoS attack against websites hosting Hotmail,
    MSN, Expedia and other large services
  • Services inaccessible for 22 hours

4
Current state of response
  • Relies on expert, manual labor by network
    administrators
  • Response includes two main activities
  • Input debugging
  • Find the routers' physical interfaces used for the
    attack (statistics, network traffic probes)
  • Mitigation of network traffic flow
  • Packet filtering or rate limiting at the
    associated router
  • Contact upstream organizations

5
Current state of response drawbacks
  • Requires immediate availability of highly skilled
    network administrators
  • Time consuming
  • Downtime costs
  • It does not scale
  • What about attacks involving hundreds of
    networks?
  • "Whack-a-mole" attacks

6
Proposed solution
  • Intruder Detection and Isolation Protocol (IDIP)
  • Protocol for reporting intrusion-related events
    and coordinating attack tracebacks and automated
    response actions
  • Cooperative Intrusion Traceback and Response
    Architecture (CITRA)
  • An architecture based on IDIP
  • Authors have adapted CITRA and IDIP for DDoS
    attacks

7
CITRA components and attack traceback and mitigation
8
Attack response
  • Policy mechanisms for each CITRA component along
    the attack path determine the adequate response
  • Block the attacked service port for all requests from
    the attacker's address or network for a specified
    amount of time
  • At CITRA-enabled hosts
  • Kill offending process
  • Disable the offending user's account
  • Goal: use the narrowest network response
  • Stop the attack
  • Minimize impact on legitimate users
  • Reports of the responses taken are sent to the
    Discovery Coordinator (DC)
  • The DC's global view of the system topology
    hopefully allows the best community-wide response

9
Experiment: autonomic response to DDoS
  • The problem
  • Sophisticated DDoS toolkits generate traffic that
    blends in with legitimate traffic
  • Cannot be blocked by router packet filters
    without blocking legitimate traffic
  • Traffic rate limiting may be more useful
  • Experiment goals
  • Prove that CITRA and IDIP can defend against DDoS
    attacks
  • In particular, against a Stacheldraht v4 attack
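The per-source rate limiting this experiment relies on, combined with the narrowest-response policy from the previous slide, as an added example written for this transcript (not the authors' CITRA prototype; the client and agent addresses, the port, the packet rates, the drop threshold and the /24 escalation rule are all constructed assumptions):

```python
from collections import Counter, defaultdict
from ipaddress import ip_network

class PerSourceLimiter:
    """Token bucket per source address: refill rate_pps tokens/s, hold at most burst."""
    def __init__(self, rate_pps, burst):
        self.rate, self.burst = rate_pps, burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last = {}

    def allow(self, src, now):
        elapsed = now - self.last.get(src, now)
        self.tokens[src] = min(self.burst, self.tokens[src] + elapsed * self.rate)
        self.last[src] = now
        if self.tokens[src] >= 1.0:
            self.tokens[src] -= 1.0
            return True
        return False

def make_traffic(duration_s):
    """Constructed sample: one RealPlayer client at 2 pps of UDP control packets
    and three Stacheldraht agents at 100 pps each (assumed addresses and port)."""
    pkts = [(i / 2.0, "10.0.1.50", 7070) for i in range(duration_s * 2)]
    for agent in ("172.16.5.10", "172.16.5.11", "172.16.5.12"):
        pkts += [(i / 100.0, agent, 7070) for i in range(duration_s * 100)]
    return sorted(pkts)

def run_router(pkts, rate_pps=5, burst=10, flag_after=50):
    """Forward or drop each packet at the CITRA router; sources with at least
    flag_after drops are treated as attack sources."""
    lim = PerSourceLimiter(rate_pps, burst)
    passed, dropped = Counter(), Counter()
    for ts, src, _port in pkts:
        (passed if lim.allow(src, ts) else dropped)[src] += 1
    offenders = [s for s, n in dropped.items() if n >= flag_after]
    return passed, dropped, offenders

def narrowest_response(offenders, seconds=60, net_threshold=3):
    """Slide 8 policy (assumed /24 rule): limit single addresses, widening to a
    network only when enough agents share it; the list is the report sent to the DC."""
    by_net = defaultdict(list)
    for src in offenders:
        by_net[str(ip_network(f"{src}/24", strict=False))].append(src)
    report = []
    for net, srcs in by_net.items():
        if len(srcs) >= net_threshold:
            report.append(("rate_limit_network", net, seconds))
        else:
            report += [("rate_limit_host", s, seconds) for s in srcs]
    return report
```

The legitimate client's 2 pps never exhausts its bucket, so it is forwarded untouched while each flooding agent is held to the configured rate and reported.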

10
Experiment: Stacheldraht toolkit and test application
  • Stacheldraht toolkit
  • Can generate ICMP, UDP and TCP floods and Smurf
    attacks
  • Provides one or more master servers that control
    agents (flood sources)
  • Can target floods at arbitrary machines and ports
  • Test application
  • Audio/video streaming
  • RealNetworks RealSystem server
  • RealPlayer client

11
Experiment topology and scenario
12
Experiment settings
  • Test data
  • 8-minute, 11-second continuous-motion video
  • Encoded at 200.1 Kbps
  • RealPlayer
  • Best quality video setting (10 Mbps bandwidth)
  • Data buffering 5 seconds (the minimum)
  • Transport protocol: UDP
  • Attack
  • Target is the RealSystem server
  • UDP packets indistinguishable from control
    packets sent to the server from RealPlayer clients

13
Experiment: Stacheldraht flooding and autonomic rate limiting
14
Experiment results: normal run
15
Experiment results: flood run
16
Experimental results: full recovery run
17
Experimental results: degraded recovery run
18
Observations
  • Degraded recovery probably due to the detector's slow
    response speed (366 MHz Pentium II)
  • Independent experiment
  • Results confirmed
  • Full recovery obtained every time
  • Higher performance detector
  • CITRA's response effective after 2 seconds vs.
    10-12 seconds
  • Results are preliminary
  • UDP allows a traceback and mitigation request in a
    single IP packet, whereas TCP would require a three-way
    handshake first, which may slow propagation
    upstream

19
Conclusions
  • DDoS attacks are an increasing threat to the Internet
  • Manual defense is inadequate
  • CITRA prototype for DDoS with rate limiting
    function seems to be a promising automatic
    response