Title: Source-End Defense System against DDoS Attacks
Slide 1: Source-End Defense System against DDoS Attacks
- Fu-Yuan Lee, Shiuhpyng Shieh, Jui-Ting Shieh and Sheng Hsuan Wang
- Distributed System and Network Security Lab, Department of Computer Science and Information Engineering, National Chiao Tung University
- WADIS03
Slide 2: Outline
- Introduction to DDoS attacks.
- Current DDoS defense strategies
- Review of D-WARD
- Proposed DDoS defense scheme
- Evaluation
- Conclusions and future work
Slide 3: DDoS attacks
- What is a Denial-of-Service (DoS) attack?
  - Degrade the service quality of, or completely disable, the target service by overloading critical resources of the target system or by exploiting software bugs.
- What is a Distributed DoS (DDoS) attack?
  - The objective is the same as for a DoS attack, but it is accomplished by a set of compromised hosts distributed over the Internet.
Slide 4: Mechanisms against DDoS attacks (1)
- Victim-end
  - Most existing intrusion detection systems and DoS/DDoS-tolerant system designs fall into this category.
  - Used to protect a set of hosts from being attacked.
- Advantages and disadvantages
  - DDoS attacks are easily detected, because the aggregate traffic volume at the victim is huge.
  - From the network's perspective, victim-end protection is considered ineffective: the attack flows still cause congestion along the attack path before they are dropped.
Slide 5: Mechanisms against DDoS attacks (2)
- Infrastructure-based
  - DDoS defense lines are pushed towards the attack sources to reduce network congestion.
  - Attack packets are filtered out by Internet core routers.
- Advantages and disadvantages
  - The effectiveness of filtering is improved.
  - An Internet-wide authentication framework is required.
  - Internet core routers must be upgraded to filter out attack packets at high speed.
Slide 6: Mechanisms against DDoS attacks (3)
- Source-end
  - DDoS defense mechanisms are used to prevent the monitored hosts from participating in DDoS attacks.
  - Attack packets are dropped at their sources, which keeps attack traffic from entering the Internet at all.
- Advantages and disadvantages
  - Packet filtering is most effective here: the traffic is dropped before it consumes any network resources.
  - It is very hard to identify DDoS attack flows at the sources, since the traffic is not yet aggregated; each source sees only its own share of the attack.
  - It requires the support of all edge routers.
- In summary, the source-end DDoS defense strategy is the most effective and has a moderate deployment cost.
Slide 7: D-WARD, a source-end DDoS defense scheme
- J. Mirkovic et al., "Attacking DDoS at the Source", IEEE ICNP 2002
- Idea behind D-WARD: DDoS attack flows can be identified by comparing per-flow statistics against models of normal flows.
- Signals of DDoS attacks
  - High packet loss rate: the level of network congestion (that is, the packet loss rate) shows up in the ratio of the number of packets sent to the peer to the number received from it.
  - High packet sending rate: this may also indicate a DDoS attack.
  - A large number of connections to the peer.
Slide 8: D-WARD Architecture (figure only)
Slide 9: D-WARD Observation Component
- Gathers per-flow statistics
  - Flow: the aggregate traffic between the monitored IP addresses and one foreign IP address.
  - Observation interval: the basic time frame for one observation.
  - Per interval: the number of packets and bytes sent to and received from the peer, and the number of active connections.
- Legitimate flow model
  - TCP flows: Psent/Prcv < TCPrto (set to 3)
  - ICMP flows: Psent/Prcv < ICMPrto (set to 1.1)
  - UDP flows: nconn < MAXconn (set to 100), pconn > MINpkts (set to 1), Bsent < UDPrate (set to 10 MBps)
Slide 10: Motivations
- Using a global threshold on Psent/Prcv for TCP flows gives both a high false-positive rate and a high false-negative rate. In what follows this ratio is denoted O/I.
  - High false positives: a flow whose O/I is greater than 3 in normal operation (the FTP data flow on slide 12 is one) is classified as an attack flow.
  - High false negatives: low-rate attacks are not detected. Consider a flow with O/I = 1; its O/I only reaches 2 when the packet loss rate is 50%, still below the threshold of 3.
- In one word: a single O/I threshold for different flows is problematic.
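The D-WARD legitimate-flow model of slide 9 and the single-threshold problem of slide 10, as an added worked example in Python; this code is not the authors' or D-WARD's own. It aggregates constructed packet records for one observation interval into per-flow statistics, applies the slide's thresholds, and then shows the two failure modes: the slide 12 FTP data flow (68158 packets out, 18527 in) is flagged as an attack although it lost no packets, while a flow with 50% loss stays below TCPrto. The monitored network 10.0.0.0/24, the sample addresses and the packet records are assumptions, and the UDP pconn check uses the average packets per connection because the slide does not say how pconn is measured.

```python
"""D-WARD's per-flow legitimate-flow model (slide 9) with the slide's
thresholds.  Added example, not D-WARD's or the authors' code; the
monitored network, addresses and packet records are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

TCP_RTO = 3.0           # TCP flows: Psent/Prcv must stay below this
ICMP_RTO = 1.1          # ICMP flows: Psent/Prcv must stay below this
MAX_CONN = 100          # UDP flows: connections per flow (nconn) must stay below this
MIN_PKTS = 1            # UDP flows: packets per connection (pconn) must exceed this
UDP_RATE = 10_000_000   # UDP flows: bytes sent per 1 s interval (Bsent); slide says 10 MBps

MONITORED = ip_network("10.0.0.0/24")   # assumed network behind the source-end router


def oi_ratio(psent, prcv):
    """O/I, i.e. Psent/Prcv.  A peer that never answers gives an infinite ratio."""
    return psent / prcv if prcv else float("inf")


def ratio_verdict(psent, prcv, threshold=TCP_RTO):
    """D-WARD's TCP/ICMP rule: one global threshold on Psent/Prcv."""
    return "normal" if oi_ratio(psent, prcv) < threshold else "attack"


def flow_stats(packets):
    """Aggregate one observation interval into per-flow statistics.

    A flow is the traffic between all monitored addresses and one foreign
    address; it is keyed per protocol because slide 9 models each protocol
    separately.  A packet record is (src, dst, proto, bytes, sport, dport).
    """
    stats = defaultdict(lambda: {"psent": 0, "prcv": 0, "bsent": 0,
                                 "conns": defaultdict(int)})
    for src, dst, proto, size, sport, dport in packets:
        if ip_address(src) in MONITORED and ip_address(dst) not in MONITORED:
            f = stats[(proto, dst)]
            f["psent"] += 1
            f["bsent"] += size
            f["conns"][(src, sport, dport)] += 1     # one (UDP) "connection"
        elif ip_address(dst) in MONITORED and ip_address(src) not in MONITORED:
            stats[(proto, src)]["prcv"] += 1
    return stats


def classify(proto, f):
    """Apply the legitimate-flow model of slide 9 to one flow's statistics."""
    if proto == "tcp":
        return ratio_verdict(f["psent"], f["prcv"], TCP_RTO)
    if proto == "icmp":
        return ratio_verdict(f["psent"], f["prcv"], ICMP_RTO)
    if proto == "udp":
        nconn = len(f["conns"])
        pconn = f["psent"] / nconn if nconn else 0    # assumed: average per connection
        ok = nconn < MAX_CONN and pconn > MIN_PKTS and f["bsent"] < UDP_RATE
        return "normal" if ok else "attack"
    return "unknown"


def classify_interval(packets):
    """Verdict per (proto, peer) flow for one observation interval."""
    return {key: classify(key[0], f) for key, f in flow_stats(packets).items()}


# Constructed one-second interval: a SYN flood from 10.0.0.5 that gets no
# replies, a normal web exchange, and a small DNS-like UDP exchange.
SAMPLE = (
    [("10.0.0.5", "198.51.100.7", "tcp", 60, 40000 + i, 80) for i in range(400)]
    + [("10.0.0.6", "203.0.113.9", "tcp", 60, 51000, 443)] * 10
    + [("203.0.113.9", "10.0.0.6", "tcp", 1500, 443, 51000)] * 9
    + [("10.0.0.7", "203.0.113.10", "udp", 80, 53000, 53)] * 2
    + [("203.0.113.10", "10.0.0.7", "udp", 200, 53, 53000)] * 2
)

if __name__ == "__main__":
    for (proto, peer), verdict in classify_interval(SAMPLE).items():
        print(f"{proto:4s} {peer:15s} {verdict}")
    # Slide 12's FTP data flow: 68158 out / 18527 in, zero loss, O/I = 3.68
    print("ftp data flow:", ratio_verdict(68158, 18527))   # attack (false positive)
    # Slide 10's low-rate case: an O/I = 1 flow losing 50 % of its packets
    print("50% loss flow:", ratio_verdict(20, 10))         # normal (false negative)
```

The SYN flood is caught only because its peer sends nothing back; the two verdicts printed last are the point of slide 10, and they come from the same threshold of 3 that catches the flood.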
Slide 11: Basic Idea
- Ideas behind the proposed scheme
  - Focus on detecting DDoS attacks based on TCP: 96% of current attacks are based on TCP; only 2% use UDP and 2% use ICMP.
  - The level of congestion should be judged against the previous behaviour of each monitored flow, not against one global threshold.
  - Two more DDoS characteristics are used for detection:
    - Distribution: the number of hosts sending packets to the destination in each observation period.
    - Continuity: reflects the observation that a DDoS attack always lasts for an extended period of time.
Slide 12: Observations on normal traffic (1)
- Observation: the average O/I of different flows ranges from 0.5 to 3.68.
- Flow with the highest ratio
  - Contains one FTP data connection. The flow lasted 227 seconds and carried 86685 packets in total (68158 sent out, 18527 received). The average O/I is 3.68 with standard deviation 0.16, and the packet loss rate is 0.
  - Under D-WARD's TCPrto of 3, this legitimate flow would be classified as an attack.
- The standard deviation of the O/I of the monitored flows is low (usually smaller than 1). This indicates that the O/I of a flow tends to be stable in its normal operation.
Slide 13: Observations on normal traffic (2)
- Number of sources in each flow
  - In each observation interval, most flows have only one source host sending packets to the peer.
Slide 14: Proposed DDoS detection scheme
- There are two phases in our scheme.
  - Learning phase: define the legitimate flow model.
  - Detection phase: detect malicious flows and apply rate limits.
- The learning phase contains two steps.
  - Step 1: determine the following thresholds.
    - Tf: the maximum allowed O/I.
    - Nf: the mini-threshold of O/I.
    - c: a parameter used to quantify the level of distribution.
  - Step 2: derive the other configuration parameters.
    - α: a value indicating the possibility that the flow is malicious. It is generated from the level of congestion and the level of distribution.
    - αf: the maximum allowed value of α.
    - tf: the maximum allowed number of times that α can continually breach αf.
Slide 15: Flow Classification
- Four types of traffic flows: Normal, Suspicious, Attack, and Transient.
Slide 16: Generation of α
- Generating α in an observation interval
  - (formula not preserved on this page)
  - Sf: the number of sources in the flow.
  - nf: the O/I of the current interval.
  - A weighting constant (its symbol was not preserved on this page) used to restrict α to between 0 and 1; it is itself a number between 0 and 1.
- Characteristics of α
  - It is between 0 and 1.
  - It increases with nf; if nf approaches Tf, α approaches 1.
  - α increases with the number of sources in the flow.
- The two terms of the formula are labelled "level of congestion" and "the impact of distribution".
Slide 17: Rate limiting and recovery
- Rate limiting
  - rl: the imposed rate limit.
  - rate: the realized sending rate.
  - Mini-rate: the lowest rate limit that can be imposed on a network flow.
- Recovery
  - If an attack flow complies with the normal flow model for a number of consecutive penalty observation periods, it is classified as transient and the recovery process begins.
  - Max-rate: once the rate limit reaches Max-rate, the flow is classified as normal.
Slide 18: Thresholds
- Configuring thresholds and other parameters
  - Observation period: 1 second.
  - Tf: twice the maximum observed O/I.
  - Nf: the average O/I.
  - c: the maximum number of sources in a flow in the monitored network.
  - αf: the average α in the learning process.
  - tf: the maximum number of consecutive times that α exceeds αf.
  - Weighting constant: 0.5.
- Parameters learned from a monitored flow
  - Sending rate: 10 packets per second to the destination host. Maximum O/I 1.25, average O/I 1.25.
  - Tf = 2.5, nf = 1.04
  - c = 3
  - αf = 0.18
  - tf = 3
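The proposed two-phase detector of slides 14 to 18, with the flow classes of slide 15 and the rate limiting and recovery of slide 17, as an added worked example in Python; it is not the authors' code. The formula for α did not survive extraction, so the `alpha` function below is an assumed form chosen only to satisfy the properties slide 16 lists (bounded in [0, 1], increasing in the interval's O/I, tending to 1 as O/I approaches Tf, increasing in the number of sources), with the weighting constant named `lam` here. Halving the limit on each breaching interval and doubling it during recovery, the penalty period of three intervals, the Max-rate and Mini-rate values, the learning history and the replayed traffic are likewise assumptions; the learning data is constructed so that the largest O/I is 1.25 and Tf comes out as 2.5, as on slide 18.

```python
"""Source-end DDoS detector modelled on slides 14-18 (added example, not the
authors' code).  `alpha` is an ASSUMED scoring function: the slides' own
formula was lost in extraction, so this one only reproduces the properties
listed on slide 16.  The rate-limit arithmetic is also assumed."""
from dataclasses import dataclass


@dataclass
class Interval:
    pkts_out: int   # packets sent to the peer in one observation period (1 s)
    pkts_in: int    # packets received from the peer
    sources: int    # monitored hosts that sent to the peer (Sf)

    @property
    def oi(self):
        """O/I of this interval (nf); a silent peer gives an infinite ratio."""
        return self.pkts_out / self.pkts_in if self.pkts_in else float("inf")


@dataclass
class Profile:
    Tf: float       # maximum allowed O/I: 2 x the largest O/I seen in learning
    Nf: float       # mini-threshold of O/I: the average O/I seen in learning
    c: int          # largest number of sources seen in the flow
    alpha_f: float  # maximum allowed alpha: the average alpha in learning
    tf: int         # consecutive breaches of alpha_f tolerated before "attack"
    lam: float      # weighting constant in (0, 1); 0.5 on slide 18 (name assumed)


def alpha(iv, p):
    """ASSUMED form: in [0, 1], grows with O/I, is 1 at O/I >= Tf, grows with Sf."""
    congestion = min(max((iv.oi - p.Nf) / (p.Tf - p.Nf), 0.0), 1.0)  # level of congestion
    distribution = min(iv.sources / p.c, 1.0)                          # impact of distribution
    return congestion + (1.0 - congestion) * p.lam * distribution


def learn(history, lam=0.5):
    """Learning phase: step 1 derives Tf, Nf and c; step 2 derives alpha_f and tf."""
    ois = [iv.oi for iv in history]
    p = Profile(Tf=2.0 * max(ois), Nf=sum(ois) / len(ois),
                c=max(iv.sources for iv in history), alpha_f=0.0, tf=1, lam=lam)
    alphas = [alpha(iv, p) for iv in history]
    p.alpha_f = sum(alphas) / len(alphas)
    run = longest = 0
    for a in alphas:                     # longest run of alpha > alpha_f in normal traffic
        run = run + 1 if a > p.alpha_f else 0
        longest = max(longest, run)
    p.tf = max(longest, 1)               # assumed guard: tolerate at least one breach
    return p


class Detector:
    """Detection phase for one flow: slide 15's four classes plus slide 17's
    rate limiting and recovery."""

    def __init__(self, profile, max_rate, min_rate, penalty):
        self.p = profile
        self.state = "normal"
        self.breaches = 0         # consecutive intervals with alpha > alpha_f
        self.compliant = 0        # consecutive compliant intervals while penalised
        self.max_rate = max_rate  # Max-rate: reaching it makes the flow normal again
        self.min_rate = min_rate  # Mini-rate: the lowest limit that may be imposed
        self.penalty = penalty    # compliant intervals required before recovery
        self.rl = max_rate        # imposed rate limit in pkt/s (max_rate = no limit)

    def observe(self, iv):
        """Consume one interval and return (class, alpha, rate limit)."""
        a = alpha(iv, self.p)
        breach = a > self.p.alpha_f
        if self.state in ("normal", "suspicious"):
            self.breaches = self.breaches + 1 if breach else 0
            if self.breaches > self.p.tf:        # continuity: breach outlived tf
                self.state = "attack"
            else:
                self.state = "suspicious" if breach else "normal"
        if self.state == "attack":
            if breach:
                self.compliant = 0
                self.rl = max(self.min_rate, self.rl / 2)  # assumed: halve per breach
            else:
                self.compliant += 1
                if self.compliant >= self.penalty:
                    self.state = "transient"               # recovery begins
        elif self.state == "transient":
            if breach:
                self.state, self.compliant = "attack", 0
            else:
                self.rl = min(self.max_rate, self.rl * 2)  # assumed: double per interval
                if self.rl >= self.max_rate:
                    self.state, self.breaches = "normal", 0
        return self.state, a, self.rl


# Constructed learning traffic for one flow: about 10 pkt/s, O/I between 1.0
# and 1.25 (so Tf = 2.5 as on slide 18), one source except one interval with 3.
HISTORY = [Interval(10, 10, 1), Interval(10, 8, 1), Interval(10, 10, 1),
           Interval(10, 10, 3), Interval(10, 8, 1), Interval(12, 12, 1)]


def run_syn_flood(profile):
    """Replay 4 s of a SYN flood (500 SYNs/s, 20 replies) then 6 s of normal
    traffic; return the class per interval and the final rate limit."""
    d = Detector(profile, max_rate=1000, min_rate=10, penalty=3)
    intervals = [Interval(500, 20, 1)] * 4 + [Interval(10, 10, 1)] * 6
    return [d.observe(iv)[0] for iv in intervals], d.rl


if __name__ == "__main__":
    prof = learn(HISTORY)
    print(f"Tf={prof.Tf:.2f} Nf={prof.Nf:.2f} c={prof.c} alpha_f={prof.alpha_f:.3f} tf={prof.tf}")
    print(run_syn_flood(prof))
```

Running the file prints the learned profile and the class sequence of the replayed flood: two suspicious intervals, attack once the breach count exceeds tf (the limit is halved on each further breaching interval), then transient after three compliant intervals and normal again once the limit has recovered to Max-rate. The same per-flow profile also flags slide 10's low-rate case (O/I = 2, i.e. 50% loss), because 2 lies well above this flow's Nf even though it is below D-WARD's global threshold of 3.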
Slide 19: Experiments
- Types of experiment
  - Resource consumption: TCP SYN flooding
  - Link flooding
- Attack scenarios
  - Constant-rate attack
  - Pulsing-rate attack
  - Increasing-rate attack
  - Gradual pulsing attack
Slide 20: Topology (figure only)
Slide 21: TCP SYN Flooding Attack (figure only)
Slide 22: SYN flooding, constant rate and pulsing rate (figures only)
Slide 23: SYN flooding, increasing rate and gradually increasing rate (figures only)
Slide 24: Link Overloading (figure only)
Slide 25: Bandwidth flooding, constant rate and pulsing rate (figure panels: constant, pulsing)
Slide 26: Bandwidth flooding, increasing rate and gradually increasing rate (figure panels: increasing, gradual increasing)
Slide 27: Conclusion
- The O/I used to define the level of network congestion must be determined from the previous behaviour of the flow.
- The number of sources in the flow and the number of observation intervals for which the DDoS signal lasts should be taken into consideration.
- Evaluation results show that the proposed system performs better than D-WARD in terms of false positives and false negatives.
Slide 28: Future work
- More experiments are required to estimate the effectiveness of the proposed scheme.
- A mechanism to deal with new flows that are not in the flow profile database.
- A space-efficient mechanism that reduces the storage required for the flow profiles.
- Schemes that can detect DDoS attacks based on one-way flows such as ICMP and UDP.