ecs298k Distributed Denial of Services lecture - PowerPoint PPT Presentation

1
ecs298k Distributed Denial of Services, lecture 5
  • Dr. S. Felix Wu
  • Computer Science Department
  • University of California, Davis
  • http://www.cs.ucdavis.edu/wu/
  • wu@cs.ucdavis.edu

2
Internet Source Accountability
[Diagram: host A in AOL sends a packet to host B in NCSU across UUNet; the packet header reads src = AOL, dst = NCSU, followed by the payload.]
3
The Plain DDOS Model (1999-2000)
[Diagram: Attackers control Masters, which control Slaves; the Slaves flood the Victim across .com and ISP networks. Attack packets carry src = random, dst = victim.]
4
Reflector
  • Use a legitimate network server/client as the
    reflector to avoid being traced (stepping stone).

[Diagram: the Slave sends a service request packet with src = Victim, dst = Reflector; the Reflector answers with a service reply packet with src = Reflector, dst = Victim.]
5
The Reflective DDOS Model (2000)
[Diagram: Attackers, Masters, Slaves, Reflectors and the Victim across .com and ISP networks. Slaves send packets with src = victim, dst = reflector; the Reflectors reply with src = reflector, dst = victim.]
6
What is the problem?
  • Egress/ingress filtering possible??
  • Push-back Rate-Limiter
  • Locating the slaves (compromised hosts in
    Universities, e.g.) is a good first step.
  • Probably easiest to find.
  • Cut them off to help.
  • Further track down masters and the attacker.

7
What has been proposed?
  • Egress filtering using routing information
  • Lixia Zhang (UCLA), Van Jacobson (Packet
    Design)
  • Probabilistic Packet Marking
  • Steve Savage (UWa/UCSD), UCB, Purdue, UCD.
    DECIDUOUS.
  • ICMP Traceback Messages
  • IETF

8
Packet Marking in DDoS
[Diagram: the plain DDoS topology of slide 3 (Attackers, Masters, Slaves, Victim across .com and ISP networks; attack packets carry src = random, dst = victim).]
9
[Diagram: routers R1 to R9 and nodes A5, A6 along the paths from the attackers to the victim.]
Marking procedure at router R:
  for each packet w:
    let x be a random number from [0..1)
    if x < p then
      write R into w.start and 0 into w.distance
    else
      if w.distance = 0 then
        write R into w.end
      increment w.distance
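The marking procedure above is only half of the scheme; the victim still has to turn the collected marks back into a path. The following Python script is an added example (not the lecture's code): it runs the slide's procedure at every router on a constructed path and then rebuilds the attack tree from the (start, end, distance) samples. It generalises the single path on the slide to several slaves whose routes merge. The topology, the packet layout and the assumption that a mark field can hold a whole router name (the real scheme squeezes the mark into the IP header) are all mine.

```python
"""Edge-sampling packet marking and victim-side path reconstruction.

Added example, not the lecture's code. Assumptions: router names are unique,
the mark fields are wide enough for a full router name, and the topology used
in simulate()/__main__ is constructed; it only reuses the slide's R-numbers.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Sample = Tuple[Optional[str], Optional[str], int]   # (w.start, w.end, w.distance)


@dataclass
class Packet:
    src: str                       # claimed source address (spoofed by slaves)
    dst: str
    start: Optional[str] = None    # w.start: router that began the sampled edge
    end: Optional[str] = None      # w.end: the next router downstream of start
    distance: int = 0              # w.distance: hops travelled since the edge was sampled


def mark(router: str, w: Packet, p: float, rng: random.Random) -> None:
    """The per-router procedure from slide 9: sample a new edge with probability p,
    otherwise finish the edge the previous router started and count the hop."""
    x = rng.random()               # x in [0, 1)
    if x < p:
        w.start = router
        w.distance = 0
    else:
        if w.distance == 0:
            w.end = router
        w.distance += 1


def forward(path: List[str], pkt: Packet, p: float, rng: random.Random) -> Sample:
    """Carry pkt along path (first router nearest the sender); return what the victim sees."""
    for router in path:
        mark(router, pkt, p, rng)
    return (pkt.start, pkt.end, pkt.distance)


def attack_paths(samples: List[Sample], victim: str = "V") -> List[List[str]]:
    """Victim side: rebuild the attack tree from edge samples and list every
    leaf-to-victim path, nearest router first."""
    upstream: Dict[str, Set[str]] = {}
    for start, end, distance in samples:
        if start is None:
            continue               # never sampled on the way: no mark to trust
        # distance 0 means start is the victim's own neighbour (end may be stale);
        # otherwise the edge start -> end was completed `distance` hops upstream
        downstream = victim if distance == 0 else end
        upstream.setdefault(downstream, set()).add(start)

    paths: List[List[str]] = []

    def walk(node: str, so_far: List[str]) -> None:
        nexts = upstream.get(node, set())
        if not nexts and so_far:
            paths.append(so_far)
        for nxt in sorted(nexts):
            walk(nxt, so_far + [nxt])

    walk(victim, [])
    return sorted(paths)


def simulate(paths: List[List[str]], packets_per_slave: int,
             p: float = 0.5, seed: int = 1) -> List[List[str]]:
    """Constructed attack: one slave per path, each packet with a random spoofed source."""
    rng = random.Random(seed)
    samples: List[Sample] = []
    for path in paths:
        for _ in range(packets_per_slave):
            spoofed = f"10.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(256)}"
            samples.append(forward(path, Packet(src=spoofed, dst="V"), p, rng))
    return attack_paths(samples)


if __name__ == "__main__":
    # constructed topology: two slaves whose routes merge at R7 before the victim
    routes = [["R1", "R2", "R5", "R7"], ["R3", "R4", "R6", "R7"]]
    print(simulate(routes, packets_per_slave=200))   # both full paths recovered
    print(simulate(routes, packets_per_slave=3))     # far edges usually missing
```

The second call in `__main__` shows why the number of packets matters: an edge `d` hops upstream of the victim arrives in a packet with probability `p(1-p)^d`, so a slave that sends only a few packets rarely reveals the router next to it.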
10
[Diagram: the reflective DDoS topology (Attackers, Masters, Slaves, Reflectors, Victim; src = victim, dst = reflector on the way in, src = reflector, dst = victim on the way out), with question marks on the links around the Reflectors and the Victim.]
Find special honey-pot reflectors???
11
ICMP Traceback
  • For a very small probability or very few packets
    (about 1 in 20,000), each router will send the
    destination a new ICMP message indicating the
    previous hop for that packet.
  • Net traffic increase at endpoint is about 0.1 --
    probably acceptable.

12
Original iTrace
[Diagram: the plain DDoS topology (Attackers, Masters, Slaves, Victim across .com and ISP networks; attack packets carry src = random, dst = victim).]
13
iTrace in Reflective DDOS
[Diagram: the reflective DDoS topology (Attackers, Masters, Slaves, Reflectors, Victim across .com and ISP networks; src = victim, dst = reflector on the way in, src = reflector, dst = victim on the way out).]
14
Improved ICMP Traceback
  • For a very few packets (about 1 in 20,000), each
    router will send the destination and the source a
    new ICMP message indicating the previous hop for
    that packet.
  • Net traffic increase at endpoint is about 0.2 --
    probably acceptable.
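To make the difference between the two variants concrete, here is an added Python simulation (not the lecture's code) of original iTrace (slide 11, messages to the destination only) and improved iTrace (slide 14, messages to the destination and to the source address). It also evaluates the fixed 1-in-20,000 probability against a slave that sends only a few packets, the concern raised later in the lecture. The message fields, the topology and the host names are my assumptions.

```python
"""Original versus improved ICMP Traceback (iTrace). Added example, not the
lecture's code; message layout, topology and host names are constructed."""
import random
from typing import Dict, List, Set, Tuple

P_ITRACE = 1 / 20000          # the lecture's "about 1 in 20,000"

Message = Dict[str, str]      # {"router", "prev_hop", "src", "dst"} (assumed layout)


def send_packet(path: List[str], sender: str, src: str, dst: str, p: float,
                rng: random.Random, improved: bool) -> List[Tuple[str, Message]]:
    """Carry one packet along path (first router nearest the sender). `sender` is the
    host that really transmitted it; `src` is the address written in the header.
    Returns (recipient, message) pairs for every iTrace message generated."""
    out: List[Tuple[str, Message]] = []
    prev_hop = sender                              # the first router sees the real sender
    for router in path:
        if rng.random() < p:
            msg = {"router": router, "prev_hop": prev_hop, "src": src, "dst": dst}
            out.append((dst, msg))                 # original iTrace: destination only
            if improved:
                out.append((src, msg))             # improved iTrace: the source as well
        prev_hop = router
    return out


def reconstruct(messages: List[Message]) -> List[List[str]]:
    """Recipient side: chain prev_hop -> router links into paths, starting from every
    previous hop never reported as a router itself. Gaps show up as separate pieces."""
    downstream: Dict[str, str] = {m["prev_hop"]: m["router"] for m in messages}
    routers = {m["router"] for m in messages}
    paths: List[List[str]] = []
    for origin in sorted(set(downstream) - routers):
        path, node = [origin], origin
        while node in downstream:
            node = downstream[node]
            path.append(node)
        paths.append(path)
    return paths


def spoof_alerts(host: str, sent_to: Set[str], inbox: List[Message]) -> List[Tuple[str, str, str]]:
    """Host side (slide 15, 'Who has spoofed me??'): messages about packets that carry
    this host's address toward a destination it never talked to. The entry whose
    prev_hop is not one of the reported routers points at the real sender."""
    return sorted({(m["router"], m["prev_hop"], m["dst"]) for m in inbox
                   if m["src"] == host and m["dst"] not in sent_to})


def p_first_hop_revealed(p: float, packets: int) -> float:
    """With a static probability p, the chance that the router next to a slave emits
    at least one iTrace message while the slave sends `packets` packets."""
    return 1 - (1 - p) ** packets


def demo(improved: bool, p: float = 0.7, packets: int = 40, seed: int = 7):
    """Constructed scenario: slave S spoofs host H's address toward V over R1-R2-R3.
    p is far above the deployed value so a handful of packets suffices for the demo."""
    rng = random.Random(seed)
    inbox: Dict[str, List[Message]] = {"H": [], "V": []}
    for _ in range(packets):
        for recipient, msg in send_packet(["R1", "R2", "R3"], sender="S", src="H",
                                          dst="V", p=p, rng=rng, improved=improved):
            inbox.setdefault(recipient, []).append(msg)
    victim_view = reconstruct(inbox["V"])
    alerts = spoof_alerts("H", sent_to={"dns.example"}, inbox=inbox["H"])
    return victim_view, alerts


if __name__ == "__main__":
    print("original:", demo(improved=False))   # V learns the path; H hears nothing
    print("improved:", demo(improved=True))    # H also learns its address was spoofed
    print(f"P(first hop seen | 500 packets, p=1/20000) = {p_first_hop_revealed(P_ITRACE, 500):.3f}")
```

At the lecture's probability, a slave sending 500 packets gives the first-hop router roughly a 2.5% chance of ever emitting a message; only around 20,000 packets from one slave get that chance above 60%.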

15
Who has spoofed me??
[Diagram: the Slave sends a service request packet with src = Victim, dst = Reflector; the Reflector's service reply carries src = Reflector, dst = Victim; source traceback messages flow back to the Victim.]
16
Improved iTrace
[Diagram: the reflective DDoS topology (Attackers, Masters, Slaves, Reflectors, Victim across .com and ISP networks; src = victim, dst = reflector on the way in, src = reflector, dst = victim on the way out).]
17
What we believe.
  • Egress filtering is very important!!
  • We need to develop technical solutions to filter
    packets efficiently and accurately!!
  • Probabilistic Marking will not work!!
  • It cannot handle reflective DDoS!
  • iTrace-based solutions can complement egress
    filtering.
  • With a fixed probability, we might not be able to
    reliably identify the final true sources/slaves.
  • How do I know if this is my own packet or a spoofed
    packet?

18
Each slave emits a relatively small number of
attack packets
[Diagram: the plain DDoS topology (Attackers, Masters, Slaves, Victim across .com and ISP networks; attack packets carry src = random, dst = victim).]
This will be a problem for any static
probabilistic scheme.
19
Who has spoofed me??
[Diagram: the Slave sends a service request packet with src = Victim, dst = Reflector; the Reflector's service reply carries src = Reflector, dst = Victim; source traceback messages flow back to the Victim.]
20
Is that really me???
[Diagram: a service request packet with src = Victim, dst = www.yahoo.com; source traceback messages arrive at the Victim through its ISP.]
How can I tell??
21
Maybe it is my friend...
[Diagram: the plain DDoS topology (Attackers, Masters, Slaves, Victim across .com and ISP networks; attack packets carry src = random, dst = victim), with the ISP's customers drawn beside the Slaves.]
Are you sure that this is from a slave or not?
22
iTrace Packet Analyzer
  • Are those problems (I just raised) realistic?
  • In today's Internet, how likely is it that I will
    receive iTrace packets for innocent packets?
  • How to correlate the iTrace packets to determine
  • how many slaves?
  • where are they?
  • How reliable is the answer?
  • If static, what should be the best probability?

23
Magic Marks concept
[Diagram: an outgoing packet consists of the src/dst IP addresses, the rest of the packet, and a 16-bit mark. The src/dst IP addresses and a private key feed an HMAC that produces a 128-bit digest; a selector picks the 16-bit mark out of the digest. The iTrace message (either a SRC iTrace or a DST iTrace) copies the src/dst IP addresses, the rest, and the 16-bit mark.]
24
Magic Marks design
[Diagram: for an outgoing packet (src/dst IP addresses, the rest), the 16-bit mark comes from a mark table look-up. The table is built by an HMAC, keyed with the private key, over the src IP address plus N bits (N = 8) of the dst IP address, giving a 128-bit digest from which a selector picks the 16-bit marks.]
Pre-compute the marking table with 2^N entries!
25
A scenario
[Diagram: dst receives an iTrace message (src/dst IP addresses, the rest, 16-bit mark) and sends a verify message (src/dst IP addresses, the rest, 16-bit mark) to src; src compares it against its own 16-bit mark and returns a response (Y/N).]
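The three Magic Marks slides leave several details open, so the following Python script, an added example rather than the lecture's code, fills them in and labels each choice as an assumption: HMAC-MD5 provides the 128-bit digest, the HMAC input is the 32-bit source address followed by the top N = 8 bits of the destination address (hence a table of 2^N = 256 entries), and the selector that picks one of the eight 16-bit words in the digest is the low 3 bits of the destination's last octet. It walks through the scenario on slide 25: the destination relays an iTrace message's fields to the claimed source, which answers Y or N. Addresses and the key are constructed.

```python
"""Magic Marks: keyed 16-bit marks, pre-computed table, and source-side verification.
Added example, not the lecture's code. HMAC-MD5, the selector rule and the exact
HMAC input are assumptions; addresses and the key are constructed."""
import hmac
import hashlib
import ipaddress
from typing import Dict, List, Tuple

N_BITS = 8                   # "N bits (N = 8) of the dst IP address" enter the HMAC
TABLE_SIZE = 1 << N_BITS     # "pre-compute the marking table with 2^N entries"


def dst_prefix(dst: str) -> int:
    """Top N bits of the destination address: the table index (assumption: top bits)."""
    return int(ipaddress.IPv4Address(dst)) >> (32 - N_BITS)


def selector(dst: str) -> int:
    """Which of the eight 16-bit digest words becomes the mark (assumed rule)."""
    return ipaddress.IPv4Address(dst).packed[3] & 0x07


def digest_words(key: bytes, src: str, prefix: int) -> List[int]:
    """HMAC(key, src IP || N dst bits) -> 128-bit digest -> eight 16-bit candidate marks."""
    data = ipaddress.IPv4Address(src).packed + prefix.to_bytes((N_BITS + 7) // 8, "big")
    digest = hmac.new(key, data, hashlib.md5).digest()      # 16 bytes = 128 bits
    return [int.from_bytes(digest[i:i + 2], "big") for i in range(0, 16, 2)]


def build_mark_table(key: bytes, src: str) -> List[List[int]]:
    """Slide 24: compute every digest once so that marking becomes a table look-up."""
    return [digest_words(key, src, prefix) for prefix in range(TABLE_SIZE)]


def mark_for(table: List[List[int]], dst: str) -> int:
    """Mark for an outgoing packet to dst: table look-up, then the selector."""
    return table[dst_prefix(dst)][selector(dst)]


def outgoing_packet(table: List[List[int]], src: str, dst: str, payload: bytes) -> Dict:
    return {"src": src, "dst": dst, "mark": mark_for(table, dst), "payload": payload}


def itrace_to_dst(packet: Dict) -> Dict:
    """A dst iTrace message copies the header fields, mark included (slide 23)."""
    return {"src": packet["src"], "dst": packet["dst"], "mark": packet["mark"]}


def verify_message(table: List[List[int]], msg: Dict) -> bool:
    """Slide 25: the claimed source recomputes the mark for (src, dst) and answers Y/N."""
    expected = mark_for(table, msg["dst"]).to_bytes(2, "big")
    return hmac.compare_digest(expected, msg["mark"].to_bytes(2, "big"))


def scenario() -> Tuple[bool, bool]:
    key = b"constructed-demo-key"                 # H's private key, never leaves H
    host = "10.1.2.3"                             # H (constructed address)
    table = build_mark_table(key, host)           # H pre-computes its 256-entry table
    genuine = outgoing_packet(table, host, "192.0.2.10", b"real request")
    # A slave spoofing H has no key, so any mark it writes is wrong with probability
    # 65535/65536; constructed as "genuine mark with one bit flipped" for determinism.
    spoofed = {"src": host, "dst": "192.0.2.10", "mark": genuine["mark"] ^ 1, "payload": b"flood"}
    # The destination receives a dst iTrace for each packet and relays the fields to H.
    return verify_message(table, itrace_to_dst(genuine)), verify_message(table, itrace_to_dst(spoofed))


if __name__ == "__main__":
    print(scenario())   # (True, False): own packet confirmed, spoofed packet rejected
```

One caveat follows directly from the design: because only N bits of the destination enter the HMAC, every destination sharing those bits and the same selector value receives the same mark from a given source (2^N times 8 distinct marks per source). That is the price of a look-up table; the concept slide's per-packet HMAC over the full destination address does not have it.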