Experiments and Tools for DDoS Attacks

Roman Chertov, Sonia Fahmy, Rupak Sanjel, Ness Shroff

Center for Education and Research in Information Assurance and Security (CERIAS)

Purdue University

October 25th, 2004

Objectives

Design, integrate, and deploy a methodology and tools for performing realistic and reproducible DDoS experiments:
  Tools to configure traffic and attacks
  Tools for automation of experiments, measurements, and visualization of results
  Integration of multiple third-party software components

Understand the testing requirements of different types of third-party detection and defense mechanisms

Gain insight into the phenomenology of attacks, including their first-order and second-order effects and their impact on defenses

Accomplishments

Designed and implemented experimental tools:
  Scriptable event system to control and synchronize events at multiple nodes
  Automated measurement tools, log processing tools, and plotting tools
  Automated configuration of interactive and replayed background traffic, routing, attack parameters, and measurements

Generated requirements for DETER to easily support the testing of third-party products (e.g., ManHunt, Sentivist)

Accomplishments (cont’d)

Analytical characterization, simulations, and experiments for low-rate TCP-targeted DDoS attacks

Preliminary analysis of BGP behavior during DDoS, and BGP impact on DDoS

Demonstration Topology

Scriptable Event System

Coordinating more than a few computers quickly and reliably is a real challenge.

Must have a central way to delegate arbitrary tasks to experimental nodes.

Event completion notification is required to trigger further events in the experiment.
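A minimal controller of the kind this slide calls for, added here as an illustration (it is not the CERIAS tool's code): events are delegated to named experimental nodes, and a dependent event is released only by a completion notification from the node that ran its prerequisite. Node names and command strings are constructed placeholders.

```python
from collections import namedtuple

# after: names of events whose completion must be reported before dispatch
Event = namedtuple("Event", "name node command after", defaults=[()])

class Controller:
    """Central controller: an event is delegated to its node only once every
    event it depends on has reported completion."""

    def __init__(self, script):
        self.events = {e.name: e for e in script}
        self.waiting = {e.name: set(e.after) for e in script}  # unmet deps

    def ready(self):
        # Not yet dispatched and with no unmet dependency
        return sorted(n for n, deps in self.waiting.items() if not deps)

    def dispatch(self, name, run_on_node):
        del self.waiting[name]  # leaves the waiting set once delegated
        run_on_node(self.events[name].node, self.events[name].command)

    def notify_complete(self, name):
        # Completion notification from a node releases its dependents
        for deps in self.waiting.values():
            deps.discard(name)

def run_script(script, run_on_node):
    """Drive the script to the end; returns the dispatch order. Nodes are
    simulated as completing at once; real use waits for each completion message."""
    ctl, order = Controller(script), []
    while ctl.waiting:
        batch = ctl.ready()
        if not batch:  # unknown dependency name or a dependency cycle
            raise RuntimeError("no event can be dispatched")
        for name in batch:
            ctl.dispatch(name, run_on_node)
            order.append(name)
        for name in batch:
            ctl.notify_complete(name)
    return order

# Constructed script with placeholder commands: measure, then traffic, attack, stop
SAMPLE_SCRIPT = [
    Event("stop_measure", "victim", "./measure stop", ("attack",)),
    Event("attack", "attacker", "./attack_gen start", ("bg_traffic",)),
    Event("bg_traffic", "client", "./replay start", ("measure_victim", "measure_router")),
    Event("measure_victim", "victim", "./measure start"),
    Event("measure_router", "router", "./measure start"),
]
```

Because the script is ordered by dependencies rather than by position, the two measurement events start before any traffic regardless of where they are listed, which is what makes an experiment reproducible across runs.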

Routing

DeterLab experiments can be run with static or OSPF routing; however, there is no support for BGP, RIP, IS-IS, etc.

eBGP and iBGP routing can be accomplished with Quagga routing daemons

Initialization scripts coupled with the central control make it easy to restart all of the routers in the experiment to get a clean starting point.

Measurement

Measurement of systems statistics at different points in the network can yield an understanding of what events are occurring in the entire network.

A tool driven by a 1-second timer records CPU, PPSin, PPSout, BPSin, BPSout, RTO, and memory. The collected logs can be aggregated and used to produce graphs via a collection of scripts.

Future scripts will be able to correlate events across system measurement and routing log files
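An added illustration (not the project's own measurement scripts) of what this slide describes: per-second records with the listed fields from two measurement points are parsed, aligned by timestamp into the shape a plotting script needs, and scanned for the first second in which a field jumps above its own baseline, so the same surge can be placed on the router and on the victim. The record format, the two node names and every value are constructed.

```python
import statistics
from collections import defaultdict

FIELDS = ("time", "cpu", "ppsin", "ppsout", "bpsin", "bpsout", "rto", "mem")

# Constructed 1-second records (not testbed output): the surge reaches the
# router at t=3 and the victim at t=4, where its RTO climbs as well.
SAMPLE_LOGS = {
    "router": """0 5 100 100 80000 80000 200 512
1 6 110 110 88000 88000 200 512
2 7 105 105 84000 84000 200 512
3 60 9000 9000 7200000 7200000 200 512""",
    "victim": """0 4 100 95 80000 76000 200 1024
1 4 110 104 88000 83200 200 1024
2 5 105 100 84000 80000 200 1024
3 5 108 103 86400 82400 200 1024
4 90 9400 120 7520000 96000 1200 1024""",
}

def parse_log(text):
    """Parse whitespace-separated records into dicts keyed by FIELDS."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        values = line.split()
        if len(values) != len(FIELDS):
            raise ValueError(f"malformed record: {line!r}")
        records.append(dict(zip(FIELDS, map(int, values))))
    return records

def aggregate(logs):
    """Align every node's records by timestamp: {time: {node: record}}, the
    shape a plotting script needs for per-second cross-node graphs."""
    table = defaultdict(dict)
    for node, text in logs.items():
        for rec in parse_log(text):
            table[rec["time"]][node] = rec
    return dict(table)

def onset(logs, field="ppsin", baseline_secs=3, factor=10):
    """Per node, the first second at which `field` exceeds `factor` times the
    median of the first `baseline_secs` seconds (None if it never does)."""
    result = {}
    for node, text in logs.items():
        recs = parse_log(text)
        base = statistics.median(r[field] for r in recs[:baseline_secs])
        result[node] = next((r["time"] for r in recs[baseline_secs:]
                             if r[field] > factor * base), None)
    return result
```

Running onset over a second field (for example RTO with a smaller factor) shows the second-order effect on the victim appearing one second after the packet-rate surge on the router.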

Measurement (cont’d)

Challenges in Testing Third-Party Mechanisms

ManHunt license is IP/MAC specific
  Needs control of machine selection in DETER

Administration software: some products run on Windows XP only, e.g., Sentivist; luckily a command-line interface is provided in this case.

Some mechanisms require their own hardware to be installed (sensors/authentication).

Certain features of mechanisms, such as traceback and pushback, depend on interaction with the network devices (routers/switches)

Challenges (cont’d)

How to install sensors?

Current solution: hardware bridging
  Cannot install more than one sensor
    A serious problem, since prior research has shown the limited effectiveness of single-point sensing

Future solution: software bridging

Challenges (cont’d)

Sentivist Sensor is distributed as a bootable CD-ROM
  Is it possible to “boot” a machine from an ISO image? Perhaps using the FreeBSD network install (Sentivist Sensor is built on FreeBSD), but there is no administrative privilege to do so
  Otherwise, someone needs to insert the CD-ROM in the drive

Sentivist Sensor installation requires interaction:
  Must establish a serial console connection to the machine: COM1 or COM2; there is no COM1 on the DETER IBM machines
  Else someone needs to use a monitor and keyboard

Plans

Continue development of experiment automation and instrumentation/plotting tools and documentation

Design increasingly high fidelity experimental suites

Continue investigation of TCP-targeted DDoS attacks in more depth, and compare analytical and simulation results with DETER testbed results to identify artifacts

Plans (cont’d)

Investigate routing problems/attacks, and compare with DETER testbed results

Continue to collaborate with routing team and McAfee team to identify experimental scenarios and build tools for routing experiments