D-WARD: A Source-End Defense against Flooding Denial-of-Service Attacks (slide transcript)

1
D-WARD A Source-End Defense against Flooding
Denial-of-Service Attacks
  • Jelena Mirkovic, Member, IEEE
  • Peter Reiher, Member, IEEE

IEEE Transactions on Dependable and Secure
Computing, vol. 2, No. 3, July-Sept. 2005
Presented by Allen C.B. Kuo, OpLab, IM, NTU
2
Authors
  • Jelena Mirkovic: PhD degree from UCLA in 2003;
    assistant professor at UDel currently; member of
    the IEEE
  • Peter Reiher: PhD degree from UCLA in 1987;
    associate professor at UCLA currently; member of
    the IEEE

3
Outline
  • Introduction
  • DoS Attacks and Defenses
  • D-WARD Design
  • Performance Results
  • Conclusions

4
Introduction
  • Defenses against flooding DDoS attacks.
  • The damage a flooding attack does at the victim
    lies simply in the vast amount of traffic.
  • A source-end defense is proposed.
  • Autonomous attack detection and an accurate,
    selective response are proposed.

5
DoS Attack (diagram; label: Victim)
6
DDoS Attack (diagram; label: Victim)
7
DDoS Attack (contd.) (diagram)
8
DDoS Defense (diagram; labels: Source network,
Intermediate network, Victim network, Victim)
9
DDoS Defense (contd.)
  • Victim network
  • Intrusion detection systems
  • Advantages and disadvantages
  • The victim can successfully detect the attack.
  • Cannot defend if the attack consists of
    legitimate-looking packets.
  • Congestion occurs along the attack path before
    the defense acts.

10
DDoS Defense (contd.)
  • Intermediate network
  • Filter packets at a core router
  • Advantages and disadvantages
  • Routers can effectively constrain/trace the
    attack.
  • Possible performance degradation.
  • Interdomain political issues.
  • Communication between routers has to be secured.

11
DDoS Defense (contd.)
  • Source network
  • Attack detection is hard
  • Internet resources are preserved
  • Deploy sophisticated traffic profiling strategies
  • Low collateral damage to legitimate traffic

12
D-WARD Design
  • Overview
  • Architecture
  • Stealthy attackers
  • Security

13
Overview of D-WARD
  • DDoS Network Attack Recognition and Defense
  • A source-end DDoS defense system
  • Monitors the two-way traffic between the source
    network and the rest of the Internet
  • Suspect flows are rate-limited
  • Deployed at the gateway (source router) between
    the source network and the rest of the Internet

14
D-WARD Architecture
(Diagram: Source Network -- Source Router -- Internet.
The Source Router hosts the Observation Component,
which produces traffic statistics, and the
Rate-Limiting Component, which produces rate-limiting
rules.)
15
D-WARD Architecture (contd.)
16
Observation Component
  • The anomalies that may be signs of a DDoS attack
  • Nonresponsive foreign host: an aggressive sending
    rate coupled with a low response rate.
  • Presence of IP spoofing

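Added example (not code from the paper or the slides) for the second anomaly, presence of IP spoofing. A source-end gateway knows which prefixes its own network originates, so any outbound packet carrying a foreign source address is spoofed by definition; the check below flags such packets and counts them per destination, i.e. per aggregate flow. The prefixes and the packet records are constructed for the example.

```python
"""Egress IP-spoofing check for a source-end defense (added example, not D-WARD code)."""
import ipaddress

# Assumed: the address blocks the protected source network legitimately originates.
SOURCE_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def is_spoofed(src: str, prefixes=SOURCE_PREFIXES) -> bool:
    """An outbound packet whose source address is not in our prefixes is spoofed.
    Unparsable addresses are treated as spoofed rather than silently passed."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return True
    # Membership across IP versions is simply False, so a mixed v4/v6 list is fine.
    return not any(addr in net for net in prefixes)


def spoofing_per_agflow(packets) -> dict:
    """Aggregate by destination (D-WARD's agflow): dst -> (spoofed_pkts, total_pkts)."""
    stats = {}
    for src, dst in packets:
        spoofed, total = stats.get(dst, (0, 0))
        stats[dst] = (spoofed + int(is_spoofed(src)), total + 1)
    return stats


def demo_stats() -> dict:
    """Constructed outbound packets as seen at the source router, (src, dst)."""
    packets = [
        ("192.0.2.5", "198.51.100.10"),        # genuine
        ("203.0.113.7", "198.51.100.10"),      # spoofed: not one of our prefixes
        ("10.0.0.1", "198.51.100.10"),         # spoofed: RFC 1918 source leaving the network
        ("192.0.2.9", "198.51.100.20"),        # genuine
        ("2001:db8::1", "2001:db8:ffff::1"),   # genuine IPv6
    ]
    return spoofing_per_agflow(packets)


if __name__ == "__main__":
    for dst, (spoofed, total) in demo_stats().items():
        print(f"{dst}: {spoofed}/{total} spoofed")
```

A per-agflow spoofing ratio is what the observation component can feed into its classification; a single spoofed packet may be a misconfigured host, while a destination receiving mostly spoofed packets is a strong attack signal.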
17
Observation Component (contd.)
  • An aggregate flow (agflow) will be classified as:
  • Attack: mismatches the legitimate traffic model,
    or its packets are being dropped due to
    rate-limiting
  • Suspicious: has recently been classified as
    attack and is still within the compliance period
  • Normal

18
Observation Component (contd.)
  • Legitimate traffic models
  • TCP aggregate flows
  • Threshold sent/received packet ratio
  • ICMP aggregate flows
  • UDP aggregate flows

19
Observation Component (contd.)
  • TCP connection model
  • Threshold sent/received packet ratio
  • UDP connection model
  • Built on a per-application basis

20
Rate-Limiting Component
  • Aggregate flow compliance factor, computed from
    two byte counts:
  • the byte amount of agflow traffic forwarded to
    the victim during the last observation interval
  • the byte amount of agflow traffic dropped due to
    rate limiting during the last observation
    interval

21
Rate-Limiting Component (contd.)
  • Attack: exponential decrease; each subsequent
    attack interval pushes the limit further down,
    toward the configured Min Rate
  • Transient: linear increase (slow recovery)
  • Normal: exponential increase (fast recovery), up
    to the configured Max Rate

(Diagram labels: Configuration parameter; The speed
of the recovery)
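The observation and rate-limiting components above (slides 16 through 21) form one control loop per aggregate flow; the following is an added example of that loop, written for this page and not taken from the paper or the slides. It uses the TCP sent/received ratio model, the attack / suspicious / normal classification with a compliance period, and the exponential-decrease / linear-increase / exponential-increase rate policy. The parameter values, the exact compliance-factor formula (the transcript names only its two inputs) and the traffic scenario are all assumptions made for the example.

```python
"""Source-end control loop in the style of D-WARD (illustrative, not the paper's code).

Parameter values and the compliance-factor formula are assumptions; the transcript
names only the inputs and the increase/decrease policy.
"""
from dataclasses import dataclass

# Assumed parameters (the slides' Parameter Values table is not in the transcript).
TCP_RATIO_THRESHOLD = 3.0   # sent/received packets per interval; above this the peer is "nonresponsive"
COMPLIANCE_PERIOD = 3       # well-behaved intervals a flow spends in "suspicious" before "normal"
MIN_RATE = 1_000            # bytes per interval: floor the limit decays to during an attack
MAX_RATE = 10_000_000       # bytes per interval: ceiling, i.e. effectively unlimited
DEC_FACTOR = 0.5            # exponential decrease per "attack" interval
INC_STEP = 5_000            # linear increase per "suspicious" interval (slow recovery)
INC_FACTOR = 2.0            # exponential increase per "normal" interval (fast recovery)


@dataclass
class AgFlow:
    """State kept per aggregate flow: all traffic from the source network to one destination."""
    dest: str
    state: str = "normal"        # normal | suspicious | attack
    rate_limit: float = MAX_RATE
    compliant_intervals: int = 0


def tcp_model_mismatch(sent_pkts: int, recv_pkts: int) -> bool:
    """TCP aggregate model: an aggressive sending rate with little coming back is anomalous."""
    if sent_pkts == 0:
        return False
    if recv_pkts == 0:
        return True                      # nonresponsive foreign host
    return sent_pkts / recv_pkts > TCP_RATIO_THRESHOLD


def enforce_limit(flow: AgFlow, offered_bytes: int) -> tuple:
    """Apply the limit set at the end of the previous interval; returns (forwarded, dropped) bytes."""
    forwarded = min(offered_bytes, int(flow.rate_limit))
    return forwarded, offered_bytes - forwarded


def compliance_factor(forwarded: int, dropped: int) -> float:
    """Assumed definition: fraction of offered bytes that got through (1.0 = no drops)."""
    total = forwarded + dropped
    return 1.0 if total == 0 else forwarded / total


def observe(flow: AgFlow, sent_pkts: int, recv_pkts: int, dropped: int) -> str:
    """Observation component: classify the agflow for the interval just ended."""
    if tcp_model_mismatch(sent_pkts, recv_pkts) or dropped > 0:
        flow.compliant_intervals = 0      # model mismatch, or still pushing past its limit
        return "attack"
    if flow.state in ("attack", "suspicious"):
        flow.compliant_intervals += 1
        if flow.compliant_intervals <= COMPLIANCE_PERIOD:
            return "suspicious"           # recently an attack flow, still in compliance period
    return "normal"


def adjust_rate(flow: AgFlow, new_state: str) -> None:
    """Rate-limiting component: fast decrease, slow linear recovery, then fast recovery."""
    if new_state == "attack":
        flow.rate_limit = max(MIN_RATE, flow.rate_limit * DEC_FACTOR)
    elif new_state == "suspicious":
        flow.rate_limit = min(MAX_RATE, flow.rate_limit + INC_STEP)
    else:
        flow.rate_limit = min(MAX_RATE, flow.rate_limit * INC_FACTOR)
    flow.state = new_state


def step(flow: AgFlow, sent_pkts: int, recv_pkts: int, offered_bytes: int) -> tuple:
    """One observation interval: enforce, observe, then set the limit for the next interval."""
    forwarded, dropped = enforce_limit(flow, offered_bytes)
    new_state = observe(flow, sent_pkts, recv_pkts, dropped)
    adjust_rate(flow, new_state)
    return new_state, forwarded, dropped, compliance_factor(forwarded, dropped)


def simulate() -> list:
    """Constructed scenario: four intervals of a SYN-flood-like burst to one victim
    (many packets out, none back), then the source behaves normally for six intervals.
    Each trace row is (state, forwarded, dropped, limit for the next interval, cf)."""
    flow = AgFlow(dest="198.51.100.10")
    intervals = [(5000, 0, 3_000_000)] * 4 + [(40, 38, 20_000)] * 6  # (sent, recv, offered bytes)
    trace = []
    for sent, recv, offered in intervals:
        state, fwd, drop, cf = step(flow, sent, recv, offered)
        trace.append((state, fwd, drop, round(flow.rate_limit), round(cf, 3)))
    return trace


if __name__ == "__main__":
    for row in simulate():
        print(row)
```

Two things the trace makes visible that the bullets do not: the limit only starts biting on the third attack interval (it halves from an effectively unlimited ceiling, so the first drops appear once it falls below the offered rate), and a flow that has stopped attacking but keeps offering more than its shrunken limit still counts as "attack" because of the rate-limiting drops, so it keeps being squeezed. That second behaviour is the price of the "lack of reverse traffic" weakness listed on the Security slide.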
22
Parameter Values
23
Stealthy Attackers
  • Small-rate or nonspoofed attacks
  • e.g. TCP SYN attack, TCP flood attack
  • Low-frequency pulsing attacks
  • Periodic DoS
  • Spoofing acknowledgments
  • The attacker spoofs reply packets from the
    foreign host so the flow looks responsive

24
Security
  • Clever attackers disguise themselves as normal
  • Generate legitimate-looking TCP connections
  • Agflow and connection table overflow
  • DoS against D-WARD itself
  • Lack of reverse traffic
  • DoS against the source network (its own traffic
    gets rate-limited)
  • Spoof a legitimate user's traffic

25
Performance Results
  • Experiment Setup
  • Results in Controlled Experiments
  • Results in Real Operation

26
Experiment Setup
  • Test topology
  • Background workload of legitimate traffic
  • Attack characteristics

27
One of the test topologies
28
Results in Controlled Experiments
  • UDP flooding attacks
  • ICMP flooding attacks
  • TCP SYN flooding attacks
  • Low-Rate and distributed target attacks
  • False alarms and legitimate packet drops

29
UDP Flooding Attacks
30
ICMP Flooding Attacks
31
TCP SYN Flooding Attacks
32
Low-Rate and Distributed Target Attacks (figures: TCP
SYN, UDP)
33
Low-Rate and Distributed Target Attacks (contd.)
(figure: ICMP)
34
False Alarms and Legitimate Packet Drops
35
Performance Results in Real Operation
36
Conclusions
  • A source-end DDoS defense system is proposed
  • Ensures good service to legitimate clients
  • Provides a dynamic and selective source-end
    response
  • Can be integrated with a distributed defense

37
Some Thoughts and Discussion
  • If resources are limited, how should the defense
    system be deployed?
  • How should survivability be measured in a DDoS
    attack scenario?

38
DefCOM Defensive Cooperative Overlay Mesh
  • University of California, Los Angeles, Laboratory
    for Advanced Systems Research
  • Source: http://www.lasr.cs.ucla.edu/defcom/

43
Q & A
44
References
  • http://www.isi.edu/deter/documents.html
  • http://staff.washington.edu/dittrich/misc/ddos/
  • http://www.lasr.cs.ucla.edu/defcom/
  • http://fmg-www.cs.ucla.edu/ddos/
  • http://lasr.cs.ucla.edu/ddos/dwardthesis.pdf
  • http://www.eecis.udel.edu/sunshine/index.htm

45
Thanks for your attention!!