Defending Against Distributed Denial of Service Attacks (PowerPoint presentation transcript)
Provided by: Rtuc7

1
Defending Against Distributed Denial of Service Attacks
  • Tao Peng
  • Supervisors: Dr. Chris Leckie, Prof. Rao Kotagiri

2
Distributed Denial of Service (DDoS) Attack
Overwhelming stream of fake requests consumes all resources on a server or network
[Diagram: several attackers and two normal users send traffic through a router to the victim]
3
Distributed Denial of Service Attack
  • Fundamental reasons:
    • Attackers can spoof source addresses
    • Many vulnerable computers on the Internet
  • Impact:
    • Annoying disturbance to Internet users
    • Complete shutdown of major web sites, such as Yahoo, CNN, Amazon, eBay (Feb. 2000)
    • A great danger to E-commerce
    • and may be life-threatening!

4
Previous Work on DDoS Attack Defense
  • Attack Prevention
    • Ingress Filtering [RFC 2267]: checks the integrity of the IP address at the access point
      • needs universal deployment to be effective
    • Router-based Packet Filtering [Park01]: checks the integrity of the IP address according to Internet topology
      • needs to modify the routing protocol (e.g. BGP)
  • Attack Detection
    • MULTOPS [Gil01]: checks the ratio between incoming and outgoing flow rates
      • not a stable attack feature
    • Statistically-based Anomaly Detection [Zhang01]: identifies an attack if the traffic does not match a pre-built traffic profile
      • raises a high computational overhead

5
Previous Work on DDoS Attack Defense
  • Attack Source Identification
    • Probabilistic Packet Marking [Savage00]: routers insert path information into packets probabilistically
      • needs to collect many packets to locate DDoS attack sources
    • Hash-based Traceback [Snoeren01]: routers keep the hash value of each packet
      • needs huge storage for one router to keep all the hash values
  • Attack Reaction
    • Router-based Pushback [Mahajan02]: the victim infers attack paths hop-by-hop based on traffic volume
      • less effective for uniformly distributed DDoS attacks

6
Outline
  • Victim Model
    • History-based Attack Detection
    • History-based IP Filtering
  • Victim-Router Model
    • Adjusted Probabilistic Packet Marking
    • Selective Pushback
  • Router-Router Model
    • Reflector Attack Detection
7
Overview of Our Defense Models
[Diagram: the Victim Model, Victim-Router Model and Router-Router Model overlaid on the topology of attackers, router, victim and normal users]
8
Victim Model Defense
Challenge: how to detect and filter attack traffic accurately and efficiently
[Diagram: attackers, router, victim and normal users, with the defense located at the victim]
10
Motivations for Victim Model (VM) Defense
  • Normal operation
    • Most IP addresses seen before
  • During attack
    • Most IP addresses are new (randomly spoofed)
  • e.g. [Jung02]
    • Normal operation: 83% of IP addresses seen before
    • During Code Red Worm attack: <14% of IP addresses seen before

11
History-based Attack Detection
Background traffic is taken from the University of Auckland; the attack is simulated.
  • Monitoring traffic volume: high false positive rate
[Plot: % false positive versus % of new IP addr.; axis ticks 100, 50]
Monitoring the % of new IP addresses is very effective in detecting attacks.
12
Our Contribution: History-based Attack Detection
  • Monitor the number of new IP addresses (Xn) in sampling period n
  • Detect changes in the time series Xn using the non-parametric Cumulative Sum (CUSUM) algorithm [Brodsky93]

13
CUSUM Algorithm
  • Goal: detect an abrupt change in a time series Xn
  • Initially the CUSUM test statistic y0 = 0
  • For each sampling interval n:
    • Zn = Xn − β (β is an offset chosen so that Zn is normally negative)
    • yn = (yn-1 + Zn)+, i.e. yn = max(0, yn-1 + Zn)
    • If the test statistic yn > threshold, report a change
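The recursion above, as an added example that is not part of the presentation: the time series Xn is built from a stream of source addresses (an address is "new" only the first time the history has seen it), β is chosen above the normal range of Xn, and the CUSUM statistic is run over constructed counts for 20 quiet 10-second intervals followed by 5 intervals of randomly spoofed sources. The offset rule max(normal) + margin and the threshold value are this example's choices, not the slides'.

```python
# Added example, not from the slides: the non-parametric CUSUM test applied to
# X_n = number of new source IP addresses seen in sampling interval n.
# All traffic below is constructed sample input, not the Auckland trace.

def new_ip_counts(packets_per_interval, seen):
    """Build the time series X_n: distinct source IPs in interval n that were
    never seen before. `seen` is updated in place, so an address counts as
    new only the first time it appears (the history behind 'history-based')."""
    counts = []
    for sources in packets_per_interval:
        fresh = {ip for ip in sources if ip not in seen}
        counts.append(len(fresh))
        seen.update(fresh)
    return counts


def choose_offset(training_counts, margin=1):
    """beta: an offset above the normal range of X_n, so that Z_n = X_n - beta
    is negative in normal operation and the statistic y_n stays near zero.
    (Picking beta as max(normal) + margin is this example's simple choice.)"""
    return max(training_counts) + margin


def cusum_detect(x_series, beta, threshold):
    """Run the CUSUM recursion from the slide and return (y_values, alarm_index).

    y_0 = 0;  Z_n = X_n - beta;  y_n = max(0, y_{n-1} + Z_n);
    a change is reported at the first n with y_n > threshold (None if never)."""
    y = 0.0
    y_values = []
    alarm_index = None
    for n, x in enumerate(x_series):
        z = x - beta                 # Z_n: positive only in unusually 'new' intervals
        y = max(0.0, y + z)          # (y_{n-1} + Z_n)^+ : clamped at zero
        y_values.append(y)
        if alarm_index is None and y > threshold:
            alarm_index = n
    return y_values, alarm_index


# Constructed X_n for 20 normal 10-second intervals followed by 5 intervals in
# which randomly spoofed sources make most addresses new.
NORMAL_NEW_IPS = [3, 2, 4, 3, 2, 5, 3, 4, 2, 3, 4, 3, 2, 5, 3, 4, 3, 2, 4, 3]
ATTACK_NEW_IPS = [18, 25, 22, 30, 27]
BETA = choose_offset(NORMAL_NEW_IPS)          # 5 + 1 = 6
THRESHOLD = 30.0                              # constructed; tuned on normal traffic in practice


def run_example():
    """Detect the change point in the constructed series; returns (y, alarm)."""
    return cusum_detect(NORMAL_NEW_IPS + ATTACK_NEW_IPS, BETA, THRESHOLD)


if __name__ == "__main__":
    ys, alarm = run_example()
    print("beta =", BETA, "alarm at interval", alarm, "y =", ys[alarm])
```

During the quiet intervals every Zn is negative, so yn is clamped at 0 and never drifts; the alarm fires on the second attack interval (n = 21), when two consecutive large positive Zn values have accumulated past the threshold. Raising the threshold delays detection but suppresses alarms from a single noisy interval, which is the trade-off the evaluation slides measure.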


14
Example of CUSUM Algorithm for Attack Detection
[Plot: % of new IP addresses per sampling interval (n), and the CUSUM statistic yn generated from it by the CUSUM algorithm]
15
Evaluation of the History-based Attack Detection
  • Simulated DDoS attack traffic using packet traces from the University of Auckland as normal background traffic.
  • Two detection approaches:
    • First-mile Router Detection: detect outgoing attacks to the University of Auckland.
    • Last-mile Router Detection: detect incoming attacks from the University of Auckland.
  • Varied the number of new IP addresses used by the attacker.
  • Used 10 seconds as the sampling interval.

16
Last-Mile Router Detection Performance at the Victim (for Incoming Traffic)
[Plots: attacks with 200 new IP addresses; attacks with 18 new IP addresses]
17
First-Mile Router Detection Performance at the Source (for Outgoing Traffic)
[Plots: attacks with 10 new IP addresses; attacks with 2 new IP addresses]
18
Detection Performance
[Plot: detection accuracy (% of attacks being detected) for the last-mile router and the first-mile router]
19
Summary
  • Easily detects attacks at the source
  • Able to accurately detect attacks at the victim
  • Challenge: how to filter attack traffic without disturbing normal traffic?

21
History-based IP Filtering
  • Use an IP Address Database (IAD) to keep previously seen, frequent source IP addresses.
  • During an attack, if the source address of a packet is not in the IAD, the packet is denied.
  • Challenge:
    • How to design an efficient IAD
    • How to maintain an IAD
22
IP Address Database (IAD) Design
  • The IP addresses we want to protect:
    • Appeared in the network many times
    • Have been involved in non-trivial sessions
  • Design rules for the IAD:
    • Rule 1: number of days when the IP address appeared
    • Rule 2: number of packets generated by the IP address

23
Maintaining and Operating IAD
  • Use a sliding-window training period.
  • If there is no attack in the training period, add the IP addresses that satisfy the design rules.
  • Remove inactive IP addresses.

24
Implementing the IAD Using a Bloom Filter [Bloom 1970]
  • For each IP packet, the Bloom Filter computes k independent N-bit digests of the 32-bit source IP address, and sets the corresponding bits in the 2^N-bit table
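An added example covering slides 21 to 24 together (it is not the presentation's code): the IAD is built from per-day packet counts by applying Rule 1 (days appeared) and Rule 2 (packets generated) over a sliding training window, then loaded into a Bloom filter with 2^N bits and k N-bit digests of the 32-bit source address, and used to drop packets from unknown sources. The training records, the thresholds (2 days, 20 packets), N = 16 and k = 3, and the use of truncated SHA-256 as the digest are all this example's assumptions.

```python
import hashlib
import math

# Added example, not the presentation's code: build an IP Address Database (IAD)
# with the two design rules over a sliding training window, then store it in
# a Bloom filter of 2^N bits using k independent N-bit digests of the source IP.
# The training records below are constructed sample data, not a real trace.

# ip -> {day_number: packets sent on that day}
TRAINING_RECORDS = {
    "10.1.1.5":  {1: 120, 2: 95, 3: 130, 5: 80, 9: 60},   # frequent, many days
    "10.1.1.6":  {4: 3},                                   # seen on one day only
    "10.2.7.9":  {1: 1, 2: 1, 3: 1},                       # 3 days but trivial traffic
    "10.3.3.3":  {12: 500, 13: 450, 14: 600},              # recent heavy user
    "192.0.2.8": {7: 40, 8: 35},                           # 2 days, moderate traffic
}


def build_iad(records, window_end, window_days, min_days, min_packets):
    """Apply the IAD design rules to the days inside the sliding window
    (window_end - window_days, window_end].

    Rule 1: address appeared on at least `min_days` distinct days
    Rule 2: address generated at least `min_packets` packets in total
    Addresses with no activity inside the window drop out automatically,
    which is how inactive addresses are removed as the window slides."""
    window_start = window_end - window_days
    iad = set()
    for ip, per_day in records.items():
        active = {d: n for d, n in per_day.items() if window_start < d <= window_end}
        if len(active) >= min_days and sum(active.values()) >= min_packets:
            iad.add(ip)
    return iad


class BloomIAD:
    """Bit table of 2^N bits; each address sets k bits chosen by k independent
    N-bit digests (here: truncated SHA-256 of a salt byte plus the 4 IP bytes)."""

    def __init__(self, n_bits_exp, k):
        self.n_bits_exp = n_bits_exp
        self.k = k
        self.size = 1 << n_bits_exp               # 2^N bits
        self.table = bytearray(self.size // 8)    # assumes N >= 3
        self.count = 0

    @staticmethod
    def _digests(ip, n_bits_exp, k):
        raw = bytes(int(octet) for octet in ip.split("."))  # 32-bit source address
        mask = (1 << n_bits_exp) - 1
        for salt in range(k):
            h = hashlib.sha256(bytes([salt]) + raw).digest()
            yield int.from_bytes(h[:4], "big") & mask        # independent N-bit digest

    def add(self, ip):
        for idx in self._digests(ip, self.n_bits_exp, self.k):
            self.table[idx >> 3] |= 1 << (idx & 7)
        self.count += 1

    def __contains__(self, ip):
        return all(self.table[idx >> 3] & (1 << (idx & 7))
                   for idx in self._digests(ip, self.n_bits_exp, self.k))

    def false_positive_rate(self):
        """Standard estimate (1 - e^{-kn/m})^k for n stored items and m bits:
        the price paid for the compact table, traded against memory."""
        return (1 - math.exp(-self.k * self.count / self.size)) ** self.k


def filter_sources(bloom, sources):
    """During an attack, keep only packets whose source is in the IAD.
    A Bloom filter never rejects a stored address; unknown (e.g. spoofed)
    addresses slip through only with probability false_positive_rate()."""
    return [src for src in sources if src in bloom]


def build_example_filter(window_end=14):
    """IAD for a 14-day window, 2 days and 20 packets as thresholds, loaded
    into a 2^16-bit Bloom filter with k = 3. Returns (iad, bloom)."""
    iad = build_iad(TRAINING_RECORDS, window_end, 14, min_days=2, min_packets=20)
    bloom = BloomIAD(n_bits_exp=16, k=3)
    for ip in iad:
        bloom.add(ip)
    return iad, bloom


if __name__ == "__main__":
    iad, bloom = build_example_filter()
    print("IAD:", sorted(iad), "FP rate ~", bloom.false_positive_rate())
    print(filter_sources(bloom, ["10.1.1.5", "203.0.113.77", "10.3.3.3"]))
```

Sliding the window forward to day 20 drops 10.1.1.5, whose only activity inside the new window is a single day, which is the "remove inactive IP addresses" step of slide 23 falling out of the rules rather than needing separate bookkeeping. The false-positive estimate is what slide 31's accuracy-versus-memory trade-off measures: a smaller N saves memory but lets more unknown sources pass the filter.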
25
Evaluation of History-based IP Filtering
  • Test effectiveness of design rules for IP Address
    Database (IAD)
  • Test filtering accuracy of IAD

26
Data Traces
  • Auckland Trace: continuous 6.5-week IP header trace taken at the University of Auckland (class B network) with an OC3 (155.52 Mbps) Internet access link
  • Small ISP Trace: one month of traffic that went into a class C network located in Australia

27
Simulation Architecture
[Diagram: two hosts sending attack traffic, a host reproducing the Auckland/Small ISP traffic, and the victim configured with the HIF (history-based IP filtering) filter]
28
Consistency of the IP Addresses
[Plot: percentage of IP addresses on single days that have previously appeared in the past 2 weeks; panels: Auckland Trace, Small ISP Trace]
29
Accuracy of Rule 1: days appeared (d)
[Plot: filtering accuracy (% of legitimate traffic protected) for the series d1, d2, d3; Auckland Trace, history length 14 days]
30
Accuracy of Rule 2: packets appeared (u)
[Plot: filtering accuracy for the series u4, u5, u6, u7; Auckland trace, history length 21 days]
31
Filtering Accuracy versus Memory for the IAD on the Auckland trace
[Plot series: legitimate traffic, March 26; all traffic, March 26; all traffic, March 27]
32
Summary of Victim Model
  • Advantages:
    • VM can efficiently identify and filter DDoS attack traffic
    • Customers have high incentives to implement VM
    • Fewer false positives than relying on traffic volume
  • Challenge:
    • How to save more network bandwidth?

33
Victim-Router Model Defense
  • Adjusted Probabilistic Packet Marking
  • Selective Pushback
[Diagram: attackers, router, victim and normal users, with the defense shared between the victim and its upstream router]
35
Probabilistic Packet Marking [Savage00]
[Diagram: source X reaches victim V through a network of routers R1 to R6; a router inscribes ( ) onto a packet with probability p; X: source, V: victim, R1, R2, ..., R6: routers]
Attack path reconstruction
36
Example: Probabilistic Packet Marking
[Diagram: path X → R1 → R2 → R3 → V]
37
Path Reconstruction in PPM
We need a sample from each router in order to reconstruct the complete path. Probability to receive a packet marked by the router that is d hops away: Ad
Problem: it is less likely to receive packets marked by more distant routers.
Note: d is the number of hops between the source and the destination
38
Our Contribution: Adjusted PPM
[Plots: Ad and Pd versus d (distance to the victim from the router) under Uniform Probability and under Adjusted Probability]
Fewer packets needed to reconstruct the attack path
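An added example for slides 35 to 38 (not code from the presentation or from Savage et al.): Ad for uniform marking is p(1−p)^(d−1), because the router d hops from the victim must mark and none of the d−1 nearer routers may overwrite the mark; the same product gives Ad for any per-distance marking probability. The adjusted rule used here, pd = 1/(L − d + 1) for a path of L routers, is derived in this example so that every Ad equals 1/L; it is an assumed form of the adjustment, not necessarily the one in the thesis. A seeded Monte Carlo run then counts how many packets the victim needs before it has seen a mark from every router under each scheme.

```python
import random

# Added example, not from the slides or Savage et al.'s code: the probability
# A_d that the victim receives a packet still carrying the mark of the router
# d hops away, for uniform marking and for a distance-adjusted marking
# probability. The adjusted rule p_d = 1 / (L - d + 1) is derived here to make
# A_d uniform; it is an assumed form, not necessarily the presentation's.

def receive_prob_uniform(p, d):
    """A_d under uniform marking: the router d hops from the victim marks with
    probability p and none of the d-1 routers nearer the victim overwrites it."""
    return p * (1 - p) ** (d - 1)


def uniform_marking(path_len, p):
    """Per-router marking probabilities keyed by distance d to the victim."""
    return {d: p for d in range(1, path_len + 1)}


def adjusted_marking(path_len):
    """Adjusted probabilities: the router farthest from the victim (d = L,
    next to the source) always marks, and each nearer router marks less
    often, so that every router's mark reaches the victim equally often."""
    return {d: 1.0 / (path_len - d + 1) for d in range(1, path_len + 1)}


def receive_probs(marking):
    """A_d = p_d * prod_{i<d} (1 - p_i) for any per-distance marking scheme."""
    probs = {}
    survive = 1.0                       # probability no nearer router has marked
    for d in sorted(marking):
        probs[d] = marking[d] * survive
        survive *= 1 - marking[d]
    return probs


def packets_to_reconstruct(marking, rng):
    """One Monte Carlo run: packets the victim must receive until a mark from
    every router on the path has been seen at least once."""
    path_len = max(marking)
    seen = set()
    sent = 0
    while len(seen) < path_len:
        sent += 1
        mark = None
        for d in range(path_len, 0, -1):   # packet passes far routers first
            if rng.random() < marking[d]:
                mark = d                   # a nearer router overwrites the field
        if mark is not None:
            seen.add(mark)
    return sent


def mean_packets(marking, trials=200, seed=1):
    """Average of packets_to_reconstruct over seeded trials (deterministic)."""
    rng = random.Random(seed)
    return sum(packets_to_reconstruct(marking, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    L = 10
    print("uniform  A_d:", {d: round(a, 4) for d, a in receive_probs(uniform_marking(L, 0.04)).items()})
    print("adjusted A_d:", {d: round(a, 4) for d, a in receive_probs(adjusted_marking(L)).items()})
    print("packets needed, uniform vs adjusted:",
          mean_packets(uniform_marking(L, 0.04)), mean_packets(adjusted_marking(L)))
```

With uniform p = 0.04 on a 10-hop path, A10 is below 0.03 while A1 is 0.04, so the farthest router's mark is the bottleneck for reconstruction; with the adjusted probabilities every Ad is exactly 0.1 and the count of packets needed drops, which is the "fewer packets" claim of slide 38 made concrete.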
40
Router-based Pushback [Mahajan01]
[Diagram: router tree rooted at R0 (the victim) with links L0 to L7 to routers R1 to R7; heavy traffic flows toward the victim and pushback messages travel upstream]
41
Router-based Pushback Mahajan01
  • Advantage:
    • Filters the attack traffic before it arrives at the victim, to save more network bandwidth
  • Problem:
    • Causes many nodes to react to the pushback scheme
    • Infers the attack source only by investigating its incoming traffic rate; not effective for highly distributed attack traffic

42
Our Approach: Selective Pushback
  • Routers mark packets probabilistically
  • The victim builds a normal traffic distribution profile according to the marking fields
  • The victim monitors the recent distribution profile of the marking fields
  • If an attack is detected, a pushback message is sent directly to the routers with an abnormal traffic distribution, close to the source.

43
Selective Pushback Example
44
Evaluation of Selective Pushback
  • We use the Auckland data trace as the background traffic.
  • Traffic with different IP prefixes is assigned to routers randomly.
  • The threshold is calculated according to 15 days of normal traffic traces.
  • The attack source located at R3.6 sends 16 SYN pkts/s.
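The victim side of selective pushback from slide 42, with the evaluation setup of slide 44, as an added example that is not the presentation's code: packets carry a marking field naming the upstream router, the victim learns each router's normal share of traffic from 15 training intervals, and in a recent interval in which R3.6 carries an extra 16 SYN packets per second (160 per 10-second interval) only that router exceeds its threshold. The router names and base rates are constructed, and the threshold rule (mean share plus three standard deviations) is this example's choice; the slides say only that the threshold comes from normal traffic.

```python
import random
import statistics

# Added example, not the presentation's code: the victim-side part of selective
# pushback. Packets arrive with a marking field naming the upstream router;
# the victim learns the normal share of traffic per router from training
# intervals, derives a per-router threshold, and names the routers whose recent
# share is abnormal as pushback targets. All traffic is constructed sample data.

ROUTERS = ["R3.1", "R3.2", "R3.3", "R3.4", "R3.5", "R3.6"]
BASE_RATE = {"R3.1": 40, "R3.2": 30, "R3.3": 25, "R3.4": 20, "R3.5": 15, "R3.6": 10}


def constructed_normal_intervals(days=15, seed=3):
    """Packets per router in one 10-second interval for each of `days` training
    days: the base rate plus a small seeded jitter."""
    rng = random.Random(seed)
    return [{r: BASE_RATE[r] + rng.randint(-3, 3) for r in ROUTERS} for _ in range(days)]


def shares(counts):
    """Distribution profile: fraction of the interval's packets per marking field."""
    total = sum(counts.values())
    return {r: counts[r] / total for r in counts}


def build_profile(training_intervals, k=3.0):
    """Per-router threshold = mean share + k * standard deviation of the share
    over the training intervals (the mean + k*sigma rule is this example's
    choice; the slides only say the threshold comes from normal traffic)."""
    profile = {}
    for r in ROUTERS:
        series = [shares(c)[r] for c in training_intervals]
        profile[r] = statistics.mean(series) + k * statistics.pstdev(series)
    return profile


def count_by_marking(packets):
    """Aggregate (src_ip, marking_router) packets of one recent interval."""
    counts = dict.fromkeys(ROUTERS, 0)
    for _src, router in packets:
        counts[router] += 1
    return counts


def pushback_targets(profile, recent_counts):
    """Routers whose recent traffic share exceeds their threshold; a pushback
    message would be sent directly to these, not hop-by-hop to every router."""
    recent = shares(recent_counts)
    return [r for r in ROUTERS if recent[r] > profile[r]]


def constructed_attack_interval(seed=4):
    """One 10-second interval: normal traffic plus 160 SYN packets (16 pkt/s)
    marked by R3.6, with constructed spoofed sources in the TEST-NET-3 range."""
    rng = random.Random(seed)
    packets = []
    for r in ROUTERS:
        packets += [("10.%d.0.%d" % (rng.randint(0, 255), rng.randint(1, 254)), r)
                    for _ in range(BASE_RATE[r])]
    packets += [("203.0.113.%d" % rng.randint(1, 254), "R3.6") for _ in range(160)]
    return packets


def run_example():
    """Profile from 15 normal intervals, then targets for the attack interval."""
    profile = build_profile(constructed_normal_intervals())
    return pushback_targets(profile, count_by_marking(constructed_attack_interval()))


if __name__ == "__main__":
    print("pushback to:", run_example())
```

Because the profile is a distribution rather than a raw rate, the other routers' shares fall during the attack and stay under their thresholds, so the pushback message goes to R3.6 alone; a volume-only rule at the victim would see only the aggregate increase and could not single out that router.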

45
An example of how to identify the attack source by selective pushback
[Plot: traffic distribution per router with the detection threshold for R3.6 marked]
46
Summary of Victim-Router Model
  • Adjusted Probabilistic Packet Marking can trace back the attack sources with low computational overhead.
  • Selective Pushback can directly send a pushback message to the routers close to the attack sources and is not vulnerable to highly distributed attack traffic.
  • Challenge: how to stop attack traffic before it is transmitted to the Internet, so that the attack damage can be minimized.
47
Router-Router Model Defense
Overwhelming stream of fake requests consumes all resources on a server or network
[Diagram: attackers, router, victim and normal users, with the defense located between routers close to the attackers]
49
Reflector Attack
  • A large number of potential reflectors are available on the Internet
  • Attack traffic is highly distributed
  • Difficult to trace back to the real attack sources

50
Reflector Attack Detection by Sharing Beliefs
  • Each Intrusion Detection System (IDS) agent counts the incoming RST packets that are caused by SYN/ACK packets.
  • Each IDS agent broadcasts a warning message once the number of RST packets reaches a certain threshold.
  • Each IDS agent combines the warning messages with the local measurement to make a detection decision.

51
Reflector Attack Detection by Sharing Beliefs
  • Advantages:
    • Attack traffic can be stopped at the reflectors and more bandwidth can be saved.
    • The reflectors can further trace back to the zombies and the real attacker.
  • Challenge:
    • When to share beliefs?

52
Learn When to Share Beliefs
Each agent calculates the CUSUM statistic yn
[Plot: CUSUM statistic yn over time, with the detection threshold, the warning threshold and the point where the attack starts marked]
A machine learning scheme is applied to obtain a warning threshold, so that an agent broadcasts evidence when yn > warning threshold
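The belief-sharing scheme of slides 50 and 52 as an added example (not the presentation's code): three IDS agents at reflector sites each run the CUSUM recursion over their per-interval count of incoming RST packets, broadcast a warning when yn passes the warning threshold, and decide "attack" either from local evidence alone (yn above the detection threshold) or from local warning-level evidence combined with a peer's warning. That combination rule, the fixed warning threshold in place of the learned one, and the RST counts are all this example's assumptions; matching each RST to a SYN/ACK the reflector sent is left to the packet sensor.

```python
# Added example, not the presentation's code: IDS agents at reflector sites
# that each run CUSUM over the count of incoming RST packets (the replies a
# spoofed victim sends to the reflector's unsolicited SYN/ACKs), broadcast a
# warning once the statistic passes the warning threshold, and combine peer
# warnings with their own measurement. The combination rule (local statistic
# above the warning threshold plus at least one peer warning) is this
# example's assumption; the RST counts are constructed sample data.

def cusum_step(y_prev, x, beta):
    """One step of the non-parametric CUSUM: y_n = max(0, y_{n-1} + x - beta)."""
    return max(0.0, y_prev + x - beta)


class IDSAgent:
    def __init__(self, name, beta, warning, detection):
        self.name = name
        self.beta = beta
        self.warning = warning          # broadcast evidence above this (learned in the thesis)
        self.detection = detection      # decide on local evidence alone above this
        self.y = 0.0
        self.peer_warnings = set()

    def observe(self, rst_count):
        """Update the local statistic; return True if a warning should be sent."""
        self.y = cusum_step(self.y, rst_count, self.beta)
        return self.y > self.warning

    def receive_warning(self, sender):
        self.peer_warnings.add(sender)

    def decide(self, share_beliefs=True):
        """Attack if the local evidence alone suffices, or (when sharing) the
        local statistic is at warning level and a peer has warned too."""
        if self.y > self.detection:
            return True
        return share_beliefs and self.y > self.warning and bool(self.peer_warnings)


def run_round(agents, rst_counts, share_beliefs=True):
    """One sampling interval: every agent observes, warnings are broadcast,
    then every agent decides. Returns {agent name: decision}."""
    warners = [a for a in agents if a.observe(rst_counts[a.name])]
    if share_beliefs:
        for w in warners:
            for a in agents:
                if a is not w:
                    a.receive_warning(w.name)
    return {a.name: a.decide(share_beliefs) for a in agents}


# Constructed RST packets per interval at three reflectors: quiet, then a
# reflector attack spread thinly so no single site sees a dramatic rate.
RST_SERIES = {
    "reflector-A": [1, 0, 2, 1, 0, 8, 8, 8, 8, 8, 8],
    "reflector-B": [0, 1, 1, 0, 2, 8, 8, 8, 8, 8, 8],
    "reflector-C": [2, 0, 0, 1, 1, 8, 8, 8, 8, 8, 8],
}


def first_detection(share_beliefs, beta=3, warning=8, detection=20):
    """Interval index at which the first agent decides 'attack' (None if never)."""
    agents = [IDSAgent(n, beta, warning, detection) for n in RST_SERIES]
    for n in range(len(next(iter(RST_SERIES.values())))):
        decisions = run_round(agents, {k: v[n] for k, v in RST_SERIES.items()}, share_beliefs)
        if any(decisions.values()):
            return n
    return None


if __name__ == "__main__":
    print("first detection with shared beliefs:", first_detection(True))
    print("first detection with local evidence only:", first_detection(False))
```

With the attack spread over the reflectors, each local statistic climbs by only 5 per interval, so an agent acting alone reaches the detection threshold three intervals after it reached the warning threshold; with shared beliefs all three agents warn in the same interval and confirm each other at once, which is the earlier detection the warning threshold is meant to buy.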
53
Summary of Router-Router Model (RRM)
  • Proposed a distributed detection model to detect attacks close to the source
  • Applied a machine learning scheme to decide when to share beliefs
  • Used reflector attack detection as an example to demonstrate the strength of RRM
  • RRM is also applied to DDoS attack detection; refer to [Peng ACISP03]

54
Conclusion
  • 1. We proposed three models to defeat DDoS attacks:
    • Victim Model: detect and filter attack traffic at the server
    • Victim-Router Model: the server cooperates with upstream routers to identify and filter attack traffic
    • Router-Router Model: routers close to the attack sources communicate with each other to detect attacks
  • 2. Simulation results show that all three models are effective in defending against attacks.
  • 3. Our 3 models provide an integrated solution to DDoS attack defense.