A Dynamic Packet Stamping Methodology for DDoS Defense

Project Presentation by Maitreya Natu, Kireeti Valicherla, Namratha Hundigopal

CISC 859, University of Delaware

05/11/2004 CISC 859 2

Outline
• Objectives
• Problem Description
• Related Work
• Proposed Solution
• Implementation Details
• Results
• Future Work
• Conclusion

Objectives of the Project
• Propose a new, simple and effective solution for stamping IP packets that enables easy authentication of IP packets so as to counter DDoS attacks.
• Implement the above solution and conduct experiments on the Emulab testbed to verify its effectiveness.

Problem Description
• DDoS is an enormous threat to the Internet.
• Many public websites are available which don’t verify the authenticity of their users.
• Victims are overwhelmed with requests and legitimate users are denied service.

Why is DDoS difficult to solve?
• No authentication is required to use services
• Little chance of the attacker being caught
• Difficult to differentiate attack traffic from legitimate traffic
• Huge number of vulnerable machines available
• Problem of finite resources

Related Work
• IP Easy-pass: Edge Resource Access Control, by H. Wang, A. Bose, M. El-Gendy, K. G. Shin
• Practical Network Support for IP Traceback, by S. Savage, D. Wetherall, A. Karlin, T. Anderson
• StackPi, by A. Perrig, D. Song, A. Yaar

IP Easy-pass: Edge Resource Access Control, by H. Wang, A. Bose, M. El-Gendy, K. G. Shin
• What we liked about this paper:
  – Per-packet filtering based on the IP Easy-pass
  – Dynamic passes
• What we didn’t like about this paper:
  – Space overhead
  – Encryption and decryption overhead

Practical Network Support for IP Traceback, by S. Savage, D. Wetherall, A. Karlin, T. Anderson
• What we liked about this paper:
  – The use of the IP identification field for storing marks in the packets
• What we didn’t like about this paper:
  – Reactive in nature

StackPi, by A. Perrig, D. Song, A. Yaar
• What we liked about this paper:
  – Per-packet filtering
  – Proactive approach
• What we didn’t like about this paper:
  – Stale pass
  – Complicated

Desired Properties in the Proposed Solution
• Simple to implement
• Limited overheads
• Limited increase in end to end delay
• Per-packet filtering
• Easily deployable
• Robust

Proposed Solution
• Create a mechanism which distinguishes legitimate IP packets from attack packets.
• Drop all packets which fail the filtering test.

How to differentiate attack and legitimate packets?
• Generate a unique ID for each packet
• Store this key in the IP header’s identification field to avoid space overheads
• Routers check the packet’s ID field to determine whether the packet is genuine before forwarding it to the destination (victim)

Issues with key generation
• Complex generation technique at the client, so that key spoofing is difficult
• Simple verification at the router, so that router overhead remains small
• Keep changing the keys, so that attackers don’t have time to predict them

How does our solution work?
• Generation of keys is done at the client
• Initial communication between the client and the core router takes place to communicate the initial key
• Generation of legitimate packets takes place
• Verification of packets is done at the core routers
• The router drops or accepts packets based on the key value

Other Issues
• We use a sliding window to take care of packet loss or reordering.
• As we use a dynamic pass and not a stale pass, replay attacks are also avoided.
• Our solution can be used with any transport or application protocol, as we only change the IP ID field.

Implementation Details
by Maitreya Natu

[Figure: key queue f1 … f100, f101]
• Client uses SHA to generate a queue of 101 keys

[Figure: key queue f1 … f100, f101]
• Client sends the 101st key to the router before sending the data packets

[Figure: client table 10.1.4.2 → f101 | client queue f1 … f100 | window 0 0 0 0 0 0 0 0]
• Router receives the key and stores it in a client table
• Router maintains a window to keep track of arriving packets

[Figure: client table 10.1.4.2 → f101 | client queue f1 … f99 | packet in flight f100 | window 0 0 0 0 0 0 0 0]
• Client inserts a new key (here f100) in the IP ID field of each outgoing packet
• We use the dos code to insert the key in the ID field


[Figure: client table 10.1.4.2 → f101 | client queue f1 … f99 | packet in flight f100 | router computes f(f100) = f101 | window 0 0 0 0 0 0 0 0, labelled f101 … f94]
• Router captures each packet and extracts the key from the IP ID field
• We use capture code to capture incoming packets
• It identifies the source IP address and accepts packets only from valid IP addresses
• For each packet with a valid IP address, it applies SHA to the ID key to detect whether the key is in the window range

[Figure: client table 10.1.4.2 → f101 | client queue f1 … f99 | packet in flight f100 | f(f100) = f101 | window 1 0 0 0 0 0 0 0]
• Router sets the corresponding bit in the window and forwards the packet

[Figure: client table 10.1.4.2 → f100 | client queue f1 … f99 | packet in flight f100 | window 1 0 0 0 0 0 0 0]

[Figure: client table 10.1.4.2 → f101 | client queue f1 … f98 | packet in flight f99 | window 1 1 0 0 0 0 0 0]

[Figure: client table 10.1.4.2 → f101 | client queue f1 … f97 | packet in flight f98 | window 1 1 1 0 0 0 0 0]

[Figure: client table 10.1.4.2 → f101 | client queue f1 … f96 | packet in flight f97 | window 1 1 1 1 0 0 0 0]

[Figure: client table 10.1.4.2 → f97 | client queue f1 … f96 | window 1 1 1 1 0 0 0 0 | new client key f97]
• When the first four bits of the window are set, the window is advanced by 4 bits by setting the client key to the 4th key received (here f97)

[Figure: client table 10.1.4.2 → f97 | client queue f1 … f95 | packet in flight f96 | window 0 0 0 0 0 0 0 0]
• The window is advanced by 4 bits by left-shifting it by 4 bits to process further packets

[Figure: client table 10.1.4.2 → f101 | client queue f1 … f92 | window 1 1 0 1 0 1 1 0]

[Figure: client table 10.1.4.2 → f101 | client queue f1 … f92 | packet in flight f93 | window 1 1 0 1 0 1 1 0]

[Figure: client table 10.1.4.2 → f93 | client queue f1 … f92 | window 1 1 0 1 0 1 1 1 | new client key f93]
• If the first 4 bits are not all set due to packet loss, the window is shifted when the 8th packet is received, changing the client key to the 8th key received (here f93)

[Figure: client table 10.1.4.2 → f93 | client queue f1 … f91 | packet in flight f92 | window 0 0 0 0 0 0 0 0]
• The window is advanced by 8 bits by left-shifting it by 8 bits to process further packets
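The key chain and sliding-window check described on slides 12-15 and 18-35, as an added Python simulation that is not code from the original project. It assumes SHA-1 truncated to 16 bits so a key fits the IP ID field, the client 10.1.4.2 from the slides plus a constructed unregistered source 10.1.5.9, and it leaves out the initial handshake that the Future Work slide lists as open.

```python
import hashlib
WINDOW, CHAIN_LEN = 8, 101   # 8-bit window per client (slide 20); keys f1..f101 (slide 18)

def f(key: int) -> int:
    # One chain step: SHA-1 as on the slides, truncated to 16 bits so a key fits the
    # IP ID field (the truncation is our assumption, not stated on the slides).
    return int.from_bytes(hashlib.sha1(key.to_bytes(2, "big")).digest()[:2], "big")

def make_chain(seed: int) -> list:
    # Client side: f1 = f(seed), f2 = f(f1), ...; returns [f1, ..., f101]. A repeated
    # 16-bit key would later be dropped as a replay, so retry with the next seed.
    while True:
        chain = [f(seed)]
        for _ in range(CHAIN_LEN - 1):
            chain.append(f(chain[-1]))
        if len(set(chain)) == CHAIN_LEN:
            return chain
        seed = (seed + 1) & 0xFFFF

def register(table: dict, src_ip: str, anchor: int) -> None:
    # Router stores the announced key (f101) and an empty window (slides 19-20);
    # slot i will hold the key that reaches the anchor in i+1 hash steps.
    table[src_ip] = [anchor, [None] * WINDOW]

def check(table: dict, src_ip: str, ip_id: int) -> bool:   # True = forward, False = drop
    entry = table.get(src_ip)
    if entry is None:
        return False                              # unknown source address (slide 24)
    anchor, slots = entry
    k, pos = ip_id, None
    for i in range(WINDOW):                       # is f^(i+1)(ip_id) == anchor?
        k = f(k)
        if k == anchor:
            pos = i
            break
    if pos is None or slots[pos] is not None:
        return False                              # outside window, or replay of a seen key
    slots[pos] = ip_id                            # set the corresponding bit (slide 25)
    while True:                                   # advance the window (slides 30-35)
        if all(s is not None for s in slots[:4]):
            entry[0], slots[:] = slots[3], slots[4:] + [None] * 4   # 4th key, shift by 4
        elif slots[-1] is not None:
            entry[0], slots[:] = slots[-1], [None] * WINDOW         # 8th key, shift by 8
        else:
            return True

def simulate(seed: int = 0x1234) -> dict:
    # Constructed run: f98 and f96 are lost, f99 is replayed at once, then the stale
    # f100 is resent and the unregistered source 10.1.5.9 sends a key from the chain.
    chain, table, stats = make_chain(seed), {}, {"forwarded": 0, "dropped": 0}
    register(table, "10.1.4.2", chain[100])
    for key in reversed(chain[:100]):             # f100, f99, ..., f1
        for _ in range(0 if key in (chain[97], chain[95]) else 2 if key == chain[98] else 1):
            stats["forwarded" if check(table, "10.1.4.2", key) else "dropped"] += 1
    for src, key in (("10.1.4.2", chain[99]), ("10.1.5.9", chain[50])):
        stats["forwarded" if check(table, src, key) else "dropped"] += 1
    return stats
```

Because a 16-bit field leaves only 2^16 candidate preimages per step, the protection rests on the keys changing quickly, as slide 13 says, rather than on the hash being hard to invert.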

Results
by Namratha Hundigopal

Topology
[Figure; only its labels survive extraction: victim V, LAN, links labelled 5Mb, 5Mb, 250 kb, 1Mb, 1Mb]

Results
[Figure: Total legitimate packets at victim with varying attacker’s sending rate (with and w/o pass). X axis: sending rate of an attacker (pkts/sec), 5 to 130. Y axis: number of legitimate packets at victim, 0 to 250. Series: w/o filter, with filter.]
Client 20 pkts/sec for 10 sec; attacker 5 – 130 pkts/sec for 15 sec

[Figure: Total legitimate packets at victim with varying attackers’ sending rates (with and w/o pass). X axis: sending rate of attackers (pkts/sec), 5 to 70. Y axis: number of legitimate packets at victim, 0 to 250. Series: w/o filter, with filter.]
Client 20 pkts/sec for 10 sec; attackers 5 – 70 pkts/sec for 15 sec

[Figure: Measure of end to end delay for legitimate packets with one attacker. Y axis: end to end delay (ms), 9980 to 10100. Three cases: w/o filter, with filter, spoofing (with filter).]

[Figure: Measure of end to end delay for legitimate packets with two attackers (1 legitimate client with 2 attackers). Y axis: end to end delay (ms), 10000 to 14000. Three cases: w/o filter, with filter, spoofing (with filter).]

Future Work
• Implementation of the initial handshake between legitimate clients and the router
• Extension of the scheme to achieve a secure end to end path
• Testing with smart attacks
• Testing with real-time applications

Conclusion
• Proposed a stamping technique to identify legitimate packets
• Implemented the algorithm on the Emulab testbed
• It effectively prevents loss of legitimate packets for all flooding rates we considered, with negligible increase in end to end delay

Questions or Comments?

Thank you