Defending against Large-Scale Distributed Denial-of-Service Attacks - PowerPoint PPT Presentation

About This Presentation
Title:

Defending against Large-Scale Distributed Denial-of-Service Attacks

Description:

Puzzles are typically based on difficult problems from cryptosystems ... Subsequent puzzles are created by the client independently ... – PowerPoint PPT presentation

Number of Views:51
Avg rating:3.0/5.0
Slides: 40
Provided by: Ruil
Learn more at: https://www.csm.ornl.gov

Transcript and Presenter's Notes

Title: Defending against Large-Scale Distributed Denial-of-Service Attacks


1
Defending against Large-Scale Distributed
Denial-of-Service Attacks
  • Department of Electrical and Computer Engineering
  • Advanced Research in Information Assurance and
    Security (ARIAS) Lab
  • Virginia Tech
  • Jung-Min Park

2
Overview of DoS Attacks
  • What is a DoS attack?
  • An attack that disrupts network services to
    legitimate clients
  • Large-scale Distributed DoS (DDoS) attack of Feb.
    2000
  • A DDoS attack took down Yahoo, EBay, and
    Amazon.com
  • Outage caused millions of dollars in lost revenue
  • Hundreds of attacks are observed each day
  • Global corporations lost over $1.39 trillion in
    revenue due to security breaches in 2000, and
  • Over 60% are due to viruses and DoS attacks
    (http://www.captusnetworks.com/BeenDoSd.pdf)
  • FBI reports indicate DoS attacks are on the rise

3
Taxonomy of DoS Attacks
  • Attacks that exploit system design weaknesses
  • Teardrop attack
  • Ping-of-death attack
  • Land attack
  • SYN flood attack
  • Attacks that exploit the weakness of particular
    protocols
  • Attacks against authentication protocols
  • Attacks against key agreement protocols
  • Attacks that exploit the asymmetry between line
    rate and throughput of hosts and routers
  • Flooding-based DDoS attacks

4
Flooding-based DDoS Attacks
  • Exploits the asymmetry between line rate and
    throughput of hosts and routers
  • Large volume of packets is sent toward a victim
  • Consumes bandwidth and processing power of the
    victim
  • DDoS attacks utilize attack handlers and zombies
    to hide the identity of the real attacker

5
Lines of Defense Against DDoS Attacks
  • Apply software patch
  • SYN cookies, client puzzles
  • Design DoS attack resistant systems
  • Overlay networks
  • Signature (misuse) detection
  • Anomaly detection
  • Client puzzles
  • Aggregate filtering, pushback
  • Overlay networks
  • IP traceback: packet marking
  • IP traceback: packet logging
  • Attack traceback

6
TRACK: A New Approach to IP Traceback
7
The IP Traceback Problem
  • IP traceback strategies
  • Probabilistic Packet Marking (PPM)
  • Packet Logging

8
Limitations of Current IP Traceback Schemes
  • Do not support last-hop traceback
  • Packet logging schemes
  • Significant computation overhead on routers
  • Significant storage overhead on routers
  • Packet marking
  • Not scalable: complexity of the path
    reconstruction process increases rapidly as the
    number of attackers increases
  • Large number of packets need to be collected

9
rouTer poRt mArking and paCKet filtering (TRACK)
  • Objective
  • Reduce computation complexity of path
    reconstruction
  • Reduce number of packets that need to be
    collected
  • Support last-hop traceback
  • Support gradual deployment
  • Filter attack traffic using traceback information

10
Basic Principles of TRACK
A string composed of locally-unique router
interface port numbers is a globally unique
identifier of a path.
11
Marking Traceback Information in the IP Header
12
Router Port Marking Procedure
Active Port Marking Mode (APMM) at probability p
Passive Port Marking Mode (PPMM) at probability 1 − p
13
Path Reconstruction Process of TRACK
  • Objective
  • Recover the port number sequence of an attack
    path and convert them into a sequence of router
    IP addresses
  • Approach
  • Distribute the path reconstruction process among
    the victim's upstream routers (victim →
    attacker's border router) (similar to Pushback)
  • Employ a trace table and trace packets
  • Use same info. to filter attack traffic at the
    border router of the attacker
  • Computational complexity: O(N²)

14
Path Reconstruction Process of TRACK
MKF = 1, XOR = PN = 18, Distance = TTL5 (254) = 30
Assume C3 is sending packets to V; M is in APMM;
F, B, and A are in PPMM
MKF = 1, PN = 18, Distance = 30, TTL5 = 27, XOR
= 2 (18 ⊕ 47 ⊕ 34 ⊕ 21), d = 30 − 27 = 3
15
Path Reconstruction Process of TRACK
d = Distance − TTL5
XOR(d+1) ⊕ PN(d+1) = XOR(d)
C3's path: 21-34-47-18
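The marking and reconstruction steps of slides 12 to 15, as an added Python illustration that is not the presentation's own code. It assumes that Distance is the low five bits of the TTL (254 → 30 on the slide), that a router decrements the TTL before it marks, and that each router folds its own port number into the XOR field; the port numbers 18, 47, 34, 21 for M, F, B, A are the slide's constructed example.

```python
import random

TTL5 = 0x1F  # Distance rides in the low 5 bits of the TTL (254 -> 30, as on the slide)

def forward_packet(path_ports, apmm_at, ttl=255):
    """Push one packet along the routers listed from the attacker's border
    router to the victim. apmm_at is the index of the router that fires APMM
    (a fresh mark); routers after it act in PPMM. Returns the mark fields.
    Assumption: a router decrements the TTL, then marks or updates."""
    mkf, xor, dist = 0, 0, 0
    for i, pn in enumerate(path_ports):
        ttl -= 1
        if i == apmm_at:           # APMM: start a mark with own port number
            mkf, xor, dist = 1, pn, ttl & TTL5
        elif mkf:                  # PPMM: fold own port into the existing mark
            xor ^= pn
    return mkf, xor, dist, ttl

def victim_trace_table(packets):
    """Trace table: d = Distance - TTL5 (hops since the mark) -> XOR(d)."""
    table = {}
    for mkf, xor, dist, ttl in packets:
        if mkf:
            table[(dist - (ttl & TTL5)) & TTL5] = xor
    return table

def reconstruct_ports(table):
    """PN(d) = XOR(d) xor XOR(d-1), walking outward from the victim (d = 0)."""
    ports, d = [], 0
    while d in table:
        ports.append(table[d] ^ (table[d - 1] if d else 0))
        d += 1
    return ports

def simulate(path_ports, n_packets, p=0.04, seed=1):
    """Each router enters APMM independently with probability p; the last
    router to do so on a packet owns the mark, the others act in PPMM."""
    rng = random.Random(seed)
    packets = []
    for _ in range(n_packets):
        apmm = [i for i in range(len(path_ports)) if rng.random() < p]
        packets.append(forward_packet(path_ports, max(apmm) if apmm else -1))
    return reconstruct_ports(victim_trace_table(packets))

# Slide example: C3 -> M(18) -> F(47) -> B(34) -> A(21) -> V (constructed port numbers)
if __name__ == "__main__":
    print(forward_packet([18, 47, 34, 21], 0))   # (1, 10, 30, 251): d = 30 - 27 = 3
    print(simulate([18, 47, 34, 21], 2000))      # [21, 34, 47, 18]
```

Mapping each recovered port number to a router IP address, and coping with several attackers sharing a trace table, are the parts the slides leave to the upstream routers and are not modelled here.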
16
Number of Packets Needed for Path Reconstruction
p = 0.01
p = 0.04
17
False Positive Rate
Skitter Internet map
Complete tree topology model
18
Gradual Deployment
Skitter Internet map
Complete tree topology model
19
Chained Puzzles: A Novel Approach to IP-Layer
Puzzles
20
Client Puzzle Protocols
  • A technique used to mitigate DoS attacks that
    does not rely on distinguishing between attack
    traffic and legitimate client traffic
  • Puzzles are typically based on difficult problems
    from cryptosystems
  • Partial reversal of a hash function
  • Exhaustive key search in a private key
    cryptosystem

21
Basic Principles of Chained Puzzles
  • Puzzle algorithm: exhaustive key search of XTEA6
  • XTEA6: truncated version of the XTEA encryption
    algorithm
  • Puzzle Routers
  • Puzzle distribution and verification is performed
    by the first-hop border router called a Puzzle
    Router
  • Puzzles are enabled by downstream Puzzle Routers

22
Message Exchange Between Puzzle Routers
  • Downstream Puzzle Routers enable puzzles at the
    upstream Puzzle Routers

23
Optimal Location for Detection and Mitigation
  • Detection: DDoS attacks are detected easily near
    the server or the main victim of the attack
    (packet loss, heavy congestion, etc.)
  • Mitigation: preventing or mitigating an attack
    is best performed as close to the source of the
    attack as possible

24
Puzzle Distribution
  • How do we distribute puzzles?
  • Easy in TCP → 3-way handshake
  • IP is connectionless and a client puzzle protocol
    is connection oriented
  • Client asks for a puzzle
  • Server sends the puzzle to the client
  • Client solves the puzzle, sends the solution back
    to the server
  • Solution
  • Puzzle solution chaining

25
Puzzle Solution Chaining
  • When Puzzles are enabled, bootstrapping
    procedure is needed to create the first puzzle
  • Subsequent puzzles are created by the client
    independently
  • Current solution becomes plaintext for the next
    puzzle

26
Puzzle Solution Chaining (cont'd)
  • Client creates a chain of puzzles
  • The Puzzle Router reissues the puzzle challenge
    periodically

27
Probabilistic Verification
  • Probabilistic verification
  • Puzzle Routers verify incoming puzzles according
    to a given probability
  • Increase performance and throughput of the Puzzle
    Routers
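A toy Python model of the chaining and probabilistic verification described on slides 24 to 27; this is an added example, not the presentation's or the paper's protocol. It assumes that XTEA6 means XTEA truncated to six Feistel cycles, renders "exhaustive key search" hashcash-style as a search for a key word that zeroes k bits of the ciphertext, and makes each solution the plaintext of the client's next puzzle, with the Puzzle Router re-running the cipher check only with a given probability.

```python
import random

MASK32, DELTA = 0xFFFFFFFF, 0x9E3779B9

def xtea_encrypt(block, key, cycles=6):
    """XTEA on a 64-bit block (v0, v1) under a 128-bit key (four 32-bit words).
    cycles=6 stands in for the truncated XTEA6 (assumption: truncation means
    fewer Feistel cycles; full XTEA runs 32)."""
    v0, v1 = block
    s = 0
    for _ in range(cycles):
        v0 = (v0 + (((((v1 << 4) & MASK32) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & MASK32
        s = (s + DELTA) & MASK32
        v1 = (v1 + (((((v0 << 4) & MASK32) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & MASK32
    return v0, v1

def is_solution(plaintext, w, k):
    """Puzzle predicate (assumption, hashcash-style rendering of 'exhaustive key
    search'): key word w must zero the low k bits of the second ciphertext half."""
    return xtea_encrypt(plaintext, (0, 0, 0, w))[1] & ((1 << k) - 1) == 0

def solve(plaintext, k):
    """Client side: brute-force key words; expected cost about 2^k encryptions."""
    for w in range(1 << 32):
        if is_solution(plaintext, w, k):
            return w
    raise ValueError("no solution")

def build_chain(seed_plaintext, k, length):
    """Client creates later puzzles itself: solution w_i becomes the first word of
    puzzle i+1's plaintext (assumption: the chain index fills the second word)."""
    chain, pt = [], seed_plaintext
    for i in range(length):
        w = solve(pt, k)
        chain.append((pt, w))
        pt = (w, i + 1)
    return chain

def verify_chain(seed_plaintext, chain, k, prob=1.0, rng=None):
    """Puzzle Router side: always check each link is chained to the previous
    solution; re-run the XTEA check only with probability prob."""
    rng = rng or random.Random(0)
    expect = seed_plaintext
    for i, (pt, w) in enumerate(chain):
        if pt != expect or (rng.random() < prob and not is_solution(pt, w, k)):
            return False
        expect = (w, i + 1)
    return True
```

The seed plaintext is what the bootstrapping step on slide 25 would hand the client; lowering prob trades verification cost at the Puzzle Router against the chance that a bad solution slips through, which is the performance trade-off slide 27 names.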

28
Simulation Results NPSR
  • Normal Packet Survival Ratio (NPSR)
  • Percentage of legitimate packets that can make
    their way to the victim in the midst of a DDoS
    attack

29
Future Work
  • IP Traceback
  • Improve scalability
  • Better support of gradual deployment
  • Minimize the number of false positives
  • Support IP fragments
  • Support router degrees greater than 64
  • Client puzzle protocol
  • Specification of a Puzzle Router's functions
  • Resolve protocol architecture issues
  • Counter puzzle protocol circumvention
  • Ensure fairness

30
Questions?
31
Conclusion
  • Last-hop traceback capability → a step closer to
    attack traceback
  • Support of gradual deployment → more realistic
    solution
  • Using router port instead of router as the atomic
    unit for traceback → fewer packets and less
    computational complexity for path reconstruction,
    finer granularity, and fewer false positives
  • Attack detection at the victim and packet
    filtering at the zombies' border routers → the
    optimal location for both modules

32
Backup
33
Path Reconstruction Process of TRACK
  • Objective
  • Recover the port number sequence of an attack
    path and convert them into a sequence of router
    IP addresses
  • Approach
  • Distribute the path reconstruction process among
    the victim's upstream routers (victim →
    attacker's border router) (similar to Pushback)
  • Employ a trace table and trace packets
  • Use same info. to filter attack traffic at the
    border router of the attacker
  • Computational complexity: O(N²)

34
Limitation of Current Attack Mitigation Schemes
  • Problem
  • Conventional countermeasures attempt to detect
    and filter at the same location
  • Fact
  • Attack detection is easier closer to the victim,
    packet filtering is more effective closer to the
    attack source
  • Solution
  • Separate the two functions in separate modules

35
Attack Mitigation (Packet Filtering)
  • Location of attack detection and packet
    filtering
  • At the victim
  • In the network
  • At the attack source

36
Probabilistic Packet Marking (Basics)
  • Routers mark packets with fragments of their IP
    addresses probabilistically
  • Identification field in IP header is used (The
    probability of IP fragmentation is 0.25)
  • The victim can collect IP fragments from many
    packets to reconstruct attacking path

37
Overhead of Packet Logging
  • For an OC-192 link
  • TRACK: 50k destination IP address insertions or
    updates per second; 900 MB/hour storage,
    upper-bounded by 20 GB
  • The scheme in [Snoe01]: 60 million hash
    operations per second; 44 GB storage per hour,
    bounded by the maximum allowed traceback time
  • The scheme in [Li04]: 8 million hash operations
    per second; 5.2 GB storage per hour, bounded by
    the maximum allowed traceback time

38
False Positive Analysis
39
Gradual Deployment
  • Neighbor-Discovery Handshake Protocol
  • Jump back to source during path reconstruction