Characterizing%20and%20Defending%20Against%20DDoS%20Attacks

1
Characterizing and Defending Against DDoS Attacks
Christos Papadopoulos ..and many others
2
How Do Computers Find Each Other?
Computer1
Computer 2
3
What Are the Different Kinds of Addresses?

• Have domain name (e.g., www.usc.edu)
• Global, human readable name
• DNS translates name to IP address (e.g.
  128.125.19.146)
• Global, understood by all networks
• Finally, we need local net address
• e.g., Ethernet (08-00-2c-19-dc-45)
• Local, works only on a particular network

4
Domain Naming System (DNS)
Local DNS server
Computer 1
Whats the IP address for www.usc.edu?
It is 128.125.19.146
DNS address manually configured into OS
5
Finding Ether AddressAddress Resolution (ARP)
Broadcast who knows the Ethernet address for
128.125.51.41?
Ethernet
Broadcast I do, it is 08-00-2c-19-dc-45
Ethernet
6
Sending a Packet Through the Internet
Routers send packet to next closest point
H
R
H

R
H
H
R
R
R
R
R
The Internet routes packets based on their
destination!
H
R
H Hosts R Routers
H
7
Smurf Attack
broadcast echo request source address is
spoofed to be targets address
many echo replies are received by the target,
since most machines on the amplifier network
respond to the broadcast
8
TCP SYN Flooding- A more powerful attack -
SPOOFED SYN
SYN - ACK
FINAL ACK NEVER SENT
nonexistent host
9
So, What Is DDoS?

• Distributed Denial of Service
• New, more pernicious type of attack
• Many hosts gang up to attack another host
• Network resource attack
• Bandwidth
• State

10
Why Should We Care?

• Successfully used to attack prominent sites in
  the Internet by those with a primitive
  understanding of internet protocols
• It is relatively easy to do, but hard to detect
  and stop
• It is only going to get worse unless we develop
  adequate protection mechanisms

11
Anatomy of an Attack

• Compromise a large set of machines
• Install attack tools
• Instruct all attack machines to initiate attack
  against a victim
• Process highly automated

12
Phase 1 Compromise

• A (stolen) account is used as repository for
  attack tools.
• A scan is performed to identify potential
  victims.
• A script is used to compromise the victims.

13
Phase 2 Install Attack Tools

• An automated installation script is then run on
  the owned systems to download and install the
  attack tool(s) from the repository.
• Optionally, a root kit is installed on the
  compromised systems.

14
Phase 3 Launch attack

• Launch a coordinated DDoS from different sites
  against a single victim.
• Network pipes of attackers can be small, but
  aggregated bw is far larger than victims pipe.
• Victims ISP may not notice elevated traffic.
• DDoS attacks are harder to track than a DoS.

15
(No Transcript)
16
Some Known DDoS attack tools

• Trin00
• Tribal Flood Network (TFN)
• Tribal Flood Network 2000 (TFN2K)
• Stacheldraht

17
Stacheldraht

• Combines features of trin00 and TFN.
• Adds encryption between the attacker and masters
  and automated update of agents.
• Communication between attacker and masters take
  place on tcp port 16660.
• Daemons receive commands from masters through
  ICMP echo replies
• ICMP, UDP, SYN flood and SMURF attack.

18
./client 192.168.0.1 stacheldraht (c)
in 1999 by ... trying to connect... connection
established. -------------------------------------
- enter the passphrase sicken ------------------
-------------------- entering interactive
session. welcome
to stacheldraht typ
e .help if you are lame stacheldraht(status a!1
d!0)gt
19
stacheldraht(status a!1 d!0)gt.help available
commands in this version are --------------------
------------------------------ .mtimer .mudp
.micmp .msyn .msort .mping .madd .mlist .msadd
.msrem .distro .help .setusize .setisize .mdie
.sprange .mstop .killall .showdead
.showalive ---------------------------------------
----------- stacheldraht(status a!1 d!0)gt
20
Some Commands -------- .distro user
server Instructs the agent to install and run a
new copy of itself using the Berkeley "rcp"
command, on the system "server", using the
account "user" (e.g., "rcp user_at_serverlinux.bin
ttymon") .madd ip1ip2ipN Add IP addresses
to list of attack victims. .madd
ip1ip2ipN Add IP addresses to list of
attack victims. .mdie Sends die request to all
agents.
21
COSSACK Coordinated Suppressionof Simultaneous
Attacks
Computer Networks Division ISI http//www.isi.edu
/cossack
22
People

• Co-PIs Christos Papadopoulos, Bob Lindell
  (USC/ISI)
• Affiliations Ramesh Govindan (USC/ISI)
• Staff John Mehringer (ISI)
• Students Alefiya Hussain (USC)
• DARPA synergies
• DWARD - Peter Reiher, Jelena Mirkovic (UCLA)
• SAMAN - John Heidemann (USC/ISI)

23
Cossack Overview

• Distributed set of watchdogs at network perimeter
• Local IDS
• Group communication
• Topology information (when available)
• Fully distributed approach
• Peer-to-peer rather than master-slave
• Attack-driven dynamic grouping of watchdogs
• Attack correlation via coordination with other
  watchdogs
• Independent, selective deployment of
  countermeasures

24
Cossack A Simplified View
attacker
attacker
watchdog
watchdog
W
W
attacker
attacker
watchdog
watchdog
watchdog
W
target
25
Attacks Begin
attacker
W
W
watchdog
W
target
26
Watchdogs Communicate Using YOID
attacker
W
W
watchdog
W
target
27
Attacks Detected
attacker
W
W
watchdog
W
target
28
Watchdogs Install Filters and Eliminate Attack
attacker
W
W
watchdog
W
target
29
Detecting Source Spoofed Attacks
attacker
W
W
YOID
watchdog
W
target
30
Cossack Watchdog Architecture
YOID Multicast group
31
Cossack Plugin Operation
Packet Averages Grouped by Destination Address
Packet Flow Statistics
32
Cossack Plugin Operation
Packet Averages Grouped by Destination Address
Packet Flow Statistics
33
Cossack Network Inspector

• Tool to determine detection thresholds for
  watchdogs
• Interfaces with the Cossack Snort Plugin
• Collects aggregate level network traffic
  statistics
• Traffic filters created using snort rules

34
Cossack Performance

• Response time 5 30 seconds
• Insensitive to attack type

35
Attack Capture and Analysis

• Goal Capture some attacks, analyze and learn
  from them
• Packet-level capture facilities in several sites
• Los Nettos
• USC
• CAIDA
• Telcordia, Sprint
• Spectral analysis

36
Tracing Infrastructure
Internet
Los Nettos Customers
37
Captured Attacks

• Captured and classified about 120 attacks over
  several months

Attack Class Count PPS Kbps
Single-source 37 133-1360 640-2260
Multi-source 10 16000-98000 13000-46000
Reflected 20 1300-3700 1700-3000
Unclassified 13 550-33500 1600-16000
38
Spectral Attack Analysis
F(60)
F(60)

• Multi-source attack (145 sources)
• Localization of power in low frequencies in NCS

• Single-source attack
• Strong higher frequencies and linear Normalized
  Cumulative Spectrum (NCS)

39
Spectral Analysis

• Goal identify single vs. multi-source attacks
• Single-source
• F(60) mean 268Hz (240-295Hz)
• Multi-source
• F(60) mean 172Hz (142-210Hz)
• Able to robustly categorize unclassified attacks

40
Conclusions

• Cossack is a fully distributed approach against
  DDoS attacks
• Software is operational and currently undergoing
  Red Team testing
• We continue to capture attacks, analyze and learn
  from them
• Spectral analysis work very promising
• http//www.isi.edu/cossack