D-WARD: DDoS Network Attack Recognition and Defense - PowerPoint PPT Presentation

About This Presentation
Title:

D-WARD: DDoS Network Attack Recognition and Defense

Description:

D-WARD: DDoS Network Attack Recognition and Defense PhD Qualifying Exam Jelena Mirkovi PhD Advisor: Peter Reiher 01/23/2002 Design and implement DDoS defense system ... – PowerPoint PPT presentation

Number of Views:198
Avg rating:3.0/5.0
Slides: 40
Provided by: JelenaM1
Learn more at: https://lasr.cs.ucla.edu
Category:

less

Transcript and Presenter's Notes

Title: D-WARD: DDoS Network Attack Recognition and Defense


1
D-WARDDDoS Network Attack Recognition and
Defense
  • PhD Qualifying Exam
  • Jelena Mirkovic
  • PhD Advisor Peter Reiher
  • 01/23/2002

2
  • Design and implement DDoS defense system
  • located at source network
  • autonomously detects and stops attacking flows
  • does not affect legitimate flows

2/39
3
Overview
  • Problem Statement
  • Related Work
  • Desirable Characteristics
  • D-WARD
  • Thesis Goals
  • Conclusion

3/39
4
What is a DoS Attack?
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
4/39
5
What is a DDoS Attack?
5/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
6
DDoS Defense Problem
  • Large number of unwitting participants
  • No common characteristics of DDoS streams
  • No administrative domain cooperation
  • Automated tools
  • Hidden identity of participants
  • Persistent security holes on the Internet

6/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
7
DDoS Prevention
  • Compromise prevention
  • security patches
  • virus detection programs
  • intrusion detection systems (IDS)
  • High deployment cannot be enforced

7/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
8
DDoS Defense
INTERMEDIATE NETWORK
VICTIM NETWORK
SOURCE NETWORK
8/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
9
Victim Network
  • Intrusion Detection Systems
  • On-off control approach
  • Router monitoring tools (CISCO)
  • Victim can successfully detect the attack
  • - Victim is helpless if
  • attack consists of legitimate packets or
  • attack is of large volume

9/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
10
Intermediate Network
  • WATCHERS
  • Traceback
  • Pushback
  • Spoofing prevention
  • Routers can effectively constrain/trace the
    attack
  • - Possible performance degradation
  • - Interdomain politics of isolation
  • - Attack detection is hard
  • - Communication has to be secured

10/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
11
Source Network
  • MULTOPS
  • Source routers can effectively constrain/trace
    the attack
  • Internet resources are preserved
  • - Attack detection is hard
  • - Many deployment points needed for high
    efficacy

11/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
12
Desirable Characteristics
  • High security
  • Reliable attack detection
  • Independent detection and response
  • Low performance cost
  • Incremental benefit with incremental deployment
  • Handle recurring attacks
  • Traceback
  • Cooperation

REQUIRED
OPTIONAL
12/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
13
D-WARD
  • DDoS defense system in Source Network
  • Source Router detects attack and responds
  • Monitors the two-way traffic
  • Suspect flows are rate-limited
  • Further observations lead to decrease or
    increase of rate-limit

13/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
14
System Architecture
14/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
15
Statistics Gathering
  • Statistics help discover difficulties
  • Only IP header data is used
  • Statistics classified per peer IP address
  • Statistics cache size is limited and the cache
    is purged periodically
  • Records for normal flows deleted
  • Records for transient and attack flows reset

15/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
16
Traffic Models
  • TCP requires proportional reverse flow
  • Non-TCP traffic requires NO reverse flow
  • Non-TCP servers usually send constant amount of
    packets/Bytes per second to a given peer

16/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
17
Traffic Models
  • Model of normal TCP traffic
  • low ratio of number of sent/number of received
    packets
  • Model of normal non-TCP traffic
  • mean and standard deviation of number of sent
    packets/Bytes for certain destination
  • Non-TCP models created in training phase

17/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
18
Flow Classification
  • Comparison with models of normal traffic
  • compliant - within limits of the model
  • attack - outside of model limits
  • Well behaved or not
  • normal - well-behaved compliant flows
  • transient - non well-behaved compliant flows

18/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
19
Throttling Component
  • ATTACK Exponential decrease
  • TRANSIENT Slow recovery, linear increase
  • NORMAL Fast recovery, exponential increase

19/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
20
Experiment 1
CLIENT
ATTACKER
ROUTER
VICTIM
ATTACKER
20/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
21
attack starts
attack stops
21/39
22
attack starts
attack stops
22/39
23
Experiment 2
CLIENT
ATTACKER
ROUTER
VICTIM
ATTACKER
23/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
24
legitimate traffic starts
attack starts
attack stops
24/39
25
Legitimate traffic starts
attack stops
attack starts
FTP starts
25/39
26
Experiment 3
CLIENT
ATTACKER
ROUTER
VICTIM
ATTACKER
26/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
27
Legitimate traffic starts
attack stops
FTP starts
attack starts
27/39
28
attack starts
attack stops
28/39
29
Experiment 4
CLIENT
ATTACKER
ROUTER
VICTIM
ATTACKER
29/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
30
attack starts
attack stops
30/39
31
attack starts
attack stops
31/39
32
Summary of Results
  • D-WARD successfully detects and stops attacks
  • Legitimate clients from other domains benefit
    greatly
  • System is friendly to non-TCP traffic
  • Legitimate TCP connections from source network
    are slowed down
  • There is no fairness guarantee to normal flows

32/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
33
Attack Detection
  • Choice of monitored parameters
  • reliability vs performance
  • separating legitimate from attack flows
  • Creation and update of models
  • Cooperation with other Source Routers
  • Cooperation with the victim
  • Recurring attacks

33/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
34
Attack Response
  • Effectiveness vs fairness of response
  • aggressiveness should depend on reliability of
    classification
  • design of feedback mechanism
  • Traceback of the attack
  • Interaction of multiple DDoS defense systems

34/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
35
Security
  • Attackers follow developments in security
  • Attackers could attempt to avoid detection
  • pulsing attacks
  • generating reverse packets
  • gradually use up victims resources
  • mistrain models
  • Attackers could attempt to misuse the system
  • drop legitimate packets
  • Attackers might DDoS Source Router

35/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
36
Partial Deployment
  • Effectiveness depends on degree of deployment
  • Does not protect deploying network so motivation
    is low
  • Legal factors could help
  • Additional incentive
  • minimal changes to existing routers
  • low cost
  • good performance

36/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
37
Deployment on Core Routers
  • Large coverage with less deployment points
  • Router performance must not be degraded
  • Rate limit has impact on large portion of flows ?
    few false positives a must

37/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
38
Timeline
Year1 Year2 Jan
Apr Jul Oct Jan
Apr Jul Oct
7
10
1
9
12
3
5
8
2
11
4
6
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
38/39
39
Conclusions
  • DDoS attacks are a serious threat
  • A design of effective detection and response
    strategy is a must
  • D-WARD successfully detects and constraints the
    attacks but has undesired impact on legitimate
    flows
  • Further research needed to refine the system and
    devise deployment strategy

39/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
Write a Comment
User Comments (0)
About PowerShow.com