Title: Autonomic Response to Distributed Denial of Service Attacks
1Autonomic Response to Distributed Denial of
Service Attacks
- Paper by Dan Sterne, Kelly Djahandari, Brett
Wilson, Bill Babson, Dan Schnackenberg,
Harley Holliday and Travis Reid - Presented by Jesus F. Morales
2Overview
- Introduction the problem
- Proposed solution
- The experiment
- Results
- Observations
- Conclusions
3Introduction
- The problem
- Distributed Denial of Service (DDoS) attacks
- Hacker toolkits
- January 2001
- DDoS attack against websites hosting Hotmail,
MSN, Expedia and other large services - Services inaccessible for 22 hours
4Current state of response
- Relies on expert, manual labor by network
administrators - Response includes two main activities
- Input debugging
- Find routers physical interfaces used for the
attack (statistics, network traffic probes) - Mitigation of network traffic flow
- Packet filtering or rate limiting at the
associated router - Contact upstream organizations
5Current state of response drawbacks
- Requires immediate availability of highly skilled
network administrators - Time consuming
- Downtime costs
- It does not scale
- What about attacks involving hundreds of
networks? - Whack a mole attacks
6Proposed solution
- Intruder Detection and Isolation Protocol (IDIP)
- Protocol for reporting intrusion-related events
and coordinating attack tracebacks and automated
response actions - Cooperative Intrusion Traceback and Response
Architecture (CITRA) - The architecture based on IDIP
- Authors have adapted CITRA and IDIP for DDoS
attacks
7CITRA components and attack traceback and
mitigation
8Attack response
- Policy mechanisms for each CITRA component along
the attack path determine the adequate response - Block attacked service port on all requests from
attackers address or network for a specified
amount of time - At CITRA-enabled hosts
- Kill offending process
- Disable offending users account
- Goal use the narrowest network response
- Stop the attack
- Minimize impact on legitimate users
- Reports with responses taken is sent to the
Discovery Coordinator (DC) - Global view and system topology allows,
hopefully, for the best community-wide response
9Experiment Autonomic response to DDoS
- The problem
- Sophisticated DDoS toolkits generate traffic that
blends in with legitimate traffic - Cannot be blocked by router packet filters
without blocking legitimate traffic - Traffic rate limiting may be more useful
- Experiment goals
- Prove that CITRA and IDIP can defend against DDoS
attacks - In particular, against a Stacheldraht v4 attack
10Experiment Stacheldraht toolkit and test
application
- Stacheldraht toolkit
- Can generate ICMP, UDP and TCP floods and Smurf
attacks - Provides one or more master servers that control
agents (flood sources) - Can target floods at arbitrary machines and ports
- Test application
- Audio/video streaming
- RealNetworks RealSystem sever
- RealPlayer client
11Experiment topology and scenario
12Experiment settings
- Test data
- 8-minute 11-seconds continuous motion video
- Encoded at 200.1 Kbps
- RealPlayet
- Best quality video setting (10 Mbps bandwidth)
- Data buffering 5 seconds (the minimum)
- Transport protocol UDP
- Attack
- Target is the RealSystem server
- UDP packets indistinguishable from control
packets sent to the server from RealPlayer clients
13Experiment Stacheldraht flooding and autonomic
rate limiting
14Experiment results Normal run
15Experiment results Flood run
16Experimental results Full recovery run
17Experimental results Degraded recovery run
18Observations
- Degraded recovery probably due to detectors slow
response speed (366 MHz Pentium II) - Independent experiment
- Results confirmed
- Full recovery obtained every time
- Higher performance detector
- CITRAs response effective after 2 seconds vs. 10
12 seconds. - Results are preliminary
- UDP allows traceback and mitigation request with
one IP packet vs. TCP would require a three-way
handshake first. May result in a slower
propagation upstream
19Conclusions
- DDoS attacks an increasing threat to the Internet
- Manual defense is inadequate
- CITRA prototype for DDoS with rate limiting
function seems to be a promising automatic
response