
http://www.cs.bu.edu/groups/wing

“A Taxonomy of DDoS Attack and DDoS Defense Mechanisms”

By Jelena Mirkovic and Peter Reiher (CCR April 2004)

NSRG - Network Security Reading Group:

Vijay Erramilli Nahur Fonseca Abhishek Sharma Georgios Smaragdakis

and Prof John W. Byers

Outline

Overview of DDoS

Taxonomy of DDoS Attacks

DDoS Activity

Taxonomy of DDoS Defenses

Examples of DDoS Defenses

Overview

(D)DoS := explicit attempt to prevent the legitimate use of a service

Why is this part of today's Internet? The current Internet design is focused on the effectiveness of moving packets; Internet resources are limited; control is distributed.

DDoS Overview

Taxonomy of DDoS Attacks [MR04]

DDoS Attack Mechanisms

Classification By:

Degree of Automation

Exploited Weakness

Source Address Validity

Possibility of Characterization

Attack Rate Dynamics

Impact on the Victim

Victim Type

Persistence of Agent Set

Classification By Degree of Automation

Manual, Semi-Automated, Automated (mainly worms)

Scanning Strategies: Random Scanning (CRv2), Hitlist Scanning, Permutation Scanning (sub-hitlist, Warhol), Topological Scanning (e-mail worms), Local Subnet Scanning (CRv2, Nimda)

Classification By Degree of Automation

Vulnerability Scanning Strategies: Horizontal (same port on different machines), Vertical (all ports of one machine), Coordinated, Stealthy

Propagation Mechanism: Central Source (Li0n worm), Back-chaining (Ramen worm, Morris worm), Autonomous Propagation (CR, Warhol)

Classification By Exploited Weakness To Deny Service

Searching for a specific feature or bug: SYN ACK attack, NAPTHA (connection queue), CGI request attack (CPU)

Flooding (reflectors): DNS request attacks, Smurf attacks (ICMP reply attacks)

Classification By Source Address Validity

Spoofing Techniques: Random Spoofed Source Address; Subnet Spoofed Source Address (hard to detect); En Route Spoofed Source Address (future): an address along the path from the slave to the victim; Fixed Spoofed Source Address

Classification By Attack Rate Dynamics

Constant Rate: the attacker can deploy a minimum number of machines; patterns in traffic

Variable Rate: Increasing Rate, Fluctuating Rate (low-rate attacks like Shrew, RAT and RoQ)

Classification By Possibility of Characterization

Filterable: filtered by a firewall, e.g. UDP flooding, ICMP echo flood to web servers, DNS (TCP).

Non-Filterable: mainly try to consume bandwidth, using a mixture of TCP SYN, TCP attack, ICMP ECHO/REPLY, and UDP packets.

Classification By Persistence of Agent (Slave) Set

Constant Slave Set: lack of synchronization

Variable Slave Set: e.g. take turns (waves) of floods of packets

Classification By Victim Type

Application: attack packets are indistinguishable from legitimate packets at the transport level. A lot of applications have to be modeled.

Host: CPU/stack

Resource: critical resource, e.g. DNS, router, bottleneck

Network: traffic

Infrastructure: misconfiguration by the attacker / BGP (future)

Classification By Impact on the Victim

Disruptive: deny the victim's service to its clients

Degrading: consumes some portion of the victim's resources. Not easily detected. Leads to disruptive DoS in high-load periods

Attack Tools

Very easy to find code (e.g. http://www.ussrback.com/distributed.htm)

Trinoo: flood attack. The communication link between attacker and slaves is encrypted.

TFN2k: flood attack, but also allows SYN, ICMP flood and Smurf attacks. The communication link between attacker and slaves is encrypted.

Outline

Overview of DDoS

Taxonomy of DDoS Attacks

DDoS Activity

Taxonomy of DDoS Defenses

Examples of DDoS Defenses

Why bother? Fact 1: prevalence

David Moore et al., Inferring Internet Denial-of-Service Activity

Backscatter Analysis

Assumptions: flood attack; randomly spoofed source address; victims always respond; backscatter is evidence of an ongoing attack; responses are equally distributed across the IP address space

$E(x) = nm / 2^{32}$, where $m$ is the number of attack packets and $n$ the number of monitored addresses; the attack rate $R$ follows from the observed backscatter rate $R'$ as $R > R' \cdot 2^{32} / n$, with $n = 2^{24}$ for a monitored /8

Biases: underestimate due to ingress filtering, reflector attacks, packet losses, rate limiting; minor factor due to random port scans on the observed hosts.
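The backscatter method above, as an added example (not the slides' or Moore et al.'s code): constructed packets seen at an assumed monitored /8 are grouped by the responding host, the observed rate $R'$ is scaled up to $R$, and a simple threshold separates a flood's backscatter from stray port scans. Thresholds and the monitored prefix are assumptions.

```python
# Added example (not from the slides or the Moore et al. paper): classify
# backscatter at a monitored /8 and extrapolate the victim's attack rate.
from collections import defaultdict
from ipaddress import ip_address, ip_network

MONITOR = ip_network("10.0.0.0/8")   # assumed monitored block: n = 2^24 addresses
N = MONITOR.num_addresses
ADDRESS_SPACE = 2 ** 32

# Replies a victim sends to spoofed sources; only these count as backscatter.
BACKSCATTER_KINDS = {"SYN/ACK", "RST", "ICMP-unreach"}

# Constructed observations: (second, src, dst, kind). For backscatter the src is
# the victim and the dst is the random spoofed address that fell inside MONITOR.
SAMPLE = [
    (0, "192.0.2.10", "10.3.4.5", "SYN/ACK"),
    (0, "192.0.2.10", "10.200.1.1", "SYN/ACK"),
    (1, "192.0.2.10", "10.77.8.9", "RST"),
    (1, "192.0.2.10", "10.0.0.42", "SYN/ACK"),
    (1, "198.51.100.7", "10.5.5.5", "SYN"),        # a port scan, not a reply
    (2, "192.0.2.10", "172.16.0.1", "SYN/ACK"),    # outside the monitored block
]

def backscatter_by_victim(packets):
    """Group backscatter packets by the responding host (the presumed victim)."""
    per_victim = defaultdict(list)
    for t, src, dst, kind in packets:
        if kind in BACKSCATTER_KINDS and ip_address(dst) in MONITOR:
            per_victim[src].append((t, dst))
    return dict(per_victim)

def expected_backscatter(m):
    """E(X) = n*m / 2^32: packets the /8 expects to see out of m attack packets."""
    return N * m / ADDRESS_SPACE

def estimate_attack_rate(victim_packets):
    """R >= R' * 2^32 / n: observed backscatter rate R' scaled up to the attack
    rate R, valid only under the uniform-random-spoofing assumption."""
    times = [t for t, _ in victim_packets]
    window = max(times) - min(times) + 1          # inclusive seconds
    observed_rate = len(victim_packets) / window  # R'
    return observed_rate * ADDRESS_SPACE / N

def looks_like_attack(victim_packets, min_packets=3, min_distinct_dsts=3):
    """Constructed thresholds (far lower than Moore's) that separate a flood's
    backscatter from the 'minor factor' of stray port scans."""
    distinct = {dst for _, dst in victim_packets}
    return len(victim_packets) >= min_packets and len(distinct) >= min_distinct_dsts
```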

Backscatter Results

Why bother? “Fact” 2: cost

What's the worst-case worm? A lot of resources (a nation state) to find a zero-day (never seen) vulnerability in a widely used service. Infect intranets first and then the Internet. Very fast (e.g. flash worms): < 1 day. Cause data damage, hardware damage.

How much would it cost? A conservative linear model based on recovery, data, work-hour and BIOS costs: US$50 billion

Taxonomy of DDoS Defenses

Preventive vs. Reactive

Degree of Cooperation: Autonomous, Cooperative, Interdependent

Deployment Location: Victim network, Intermediate network, Source network

Preventive

Prevention Goal: 1. Attack Prevention, 2. DoS Prevention

Secured Target: 1. System security, 2. Protocol security

Prevention Method: 1. Resource Accounting, 2. Resource Multiplication

Reactive

Detection Strategy: 1. Pattern, 2. Anomaly, 3. Third Party

Response Strategy: 1. Agent Identification, 2. Rate-limiting, 3. Filtering, 4. Reconfiguration

Proactive / Reactive Actions

Degree of Cooperation

Autonomous – independent defense at the point of deployment

Cooperative – perform better in joint operation.

Interdependent – cannot operate autonomously.

Deployment Location

Victim network – most common, the most interested party.

Intermediate network – an ISP can provide the service; potential for cooperation.

Source network – prevent DDoS at the source; least motivation (Tragedy of the Commons).

Examples of Defenses (rows: deployment location; columns: Preventive, Reactive Autonomous, Reactive Cooperative, Reactive Interdependent)

At Victim: IDS (SNORT), Puzzles

Intermediate: Ingress Filter, SOS, Traceback

At Source: D-WARD

Intrusion Detection System. Purpose: to sniff all traffic on a network and to compare the network packets with certain patterns.

Pipeline: Sniff all traffic → Preprocess → Pattern matching → Policy enforcement → Deny

SOS: Secure Overlay Service

Proactively prevent DoS to allow legitimate users to communicate with critical target.

+ Illegitimate packets are dropped

- Attackers take over source

- Attackers spoof address

- Sources have mobile IP

+ Proxy forwards authentic traffic

- Attackers may spoof proxy IP

- Attackers may attack proxy

SOS: Architecture (node roles)

A node on or off the overlay that wants to send a transmission to a target

A node on the overlay that acts as the only entry point to the target

A node on the overlay that receives traffic destined for the target and, after verifying the legitimacy of the traffic, forwards it to a secret servlet

Target node that wishes to receive transmissions from validated sources

A node on the overlay that accepts traffic to the target from approved source points

Ingress Filtering (RFC 2267)

An ingress filter on "router 2" restricts traffic to allow only source addresses within the 9.0.0.0/8 prefix.

Problems with special cases, for example mobile IP. Attackers can still spoof addresses within the same prefix.

D-WARD

Monitors each peer in both directions.

Keeps per-flow statistics.

Compares to "normal traffic" models.

Detects anomalies. Throttles malicious users.

Client Puzzles: Intuition

Exchange with the restaurateur: "Table for four at 8 o'clock. Name of Mr. Smith." "Please solve this puzzle." "O.K., Mr. Smith." "O.K."

Suppose: a puzzle takes an hour to solve; there are 40 tables in the restaurant; reserve at most one day in advance.

A legitimate patron can easily reserve a table, but a would-be saboteur has too many puzzles to solve.

The client puzzle protocol (figure: Client, Server with a request Buffer; Service request R; O.K.)
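The restaurant intuition and the protocol sketch above, as an added example (my own code, not the slides' or the client-puzzle authors'): a hash puzzle where the client pays about 2^k hash evaluations per request while the server pays two, and, because the nonce is derived from a secret and a time slot, the server buffers nothing per client. Function names and the epoch scheme are assumptions.

```python
# Added example (my own, not the slides' protocol code): a stateless hash
# puzzle. Function names and the epoch-based nonce derivation are assumptions.
import hashlib
import hmac

def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def issue_puzzle(secret: bytes, request: bytes, difficulty: int, epoch: int) -> bytes:
    """Server: derive the puzzle nonce from a secret, the request and a coarse
    time slot, so nothing is buffered per client while it works on the answer."""
    msg = request + bytes([difficulty]) + epoch.to_bytes(8, "big")
    return hmac.new(secret, msg, hashlib.sha256).digest()

def puzzle_hash(nonce: bytes, request: bytes, answer: int) -> bytes:
    return hashlib.sha256(nonce + request + answer.to_bytes(8, "big")).digest()

def solve_puzzle(nonce: bytes, request: bytes, difficulty: int) -> int:
    """Client: brute-force an answer; about 2^difficulty hashes on average."""
    answer = 0
    while leading_zero_bits(puzzle_hash(nonce, request, answer)) < difficulty:
        answer += 1
    return answer

def verify_solution(secret, request, difficulty, epoch, answer, now_epoch) -> bool:
    """Server: one HMAC and one hash, whatever the difficulty; answers for old
    epochs are rejected so a solved puzzle cannot be replayed later."""
    if not 0 <= now_epoch - epoch <= 1:
        return False
    nonce = issue_puzzle(secret, request, difficulty, epoch)
    return leading_zero_bits(puzzle_hash(nonce, request, answer)) >= difficulty

def demo() -> bool:
    """Full exchange at difficulty 12 (~4096 client hashes, 2 server hashes)."""
    secret, request, epoch = b"constructed-server-secret", b"GET /reserve?table=4", 1000
    nonce = issue_puzzle(secret, request, 12, epoch)
    answer = solve_puzzle(nonce, request, 12)
    return verify_solution(secret, request, 12, epoch, answer, now_epoch=epoch)
```

Raising the difficulty by one bit doubles the client's work and leaves the server's verification cost unchanged, which is the asymmetry the restaurant story relies on.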

IP traceback

The ability to trace IP packets to their origin.

IP spoofing: ingress filtering prevents IP address manipulation but is not fully enforced due to political and technical reasons.

Some ISPs refuse to install inbound filters to prevent source-address spoofing.

IP traceback approaches

Reactive: initiate the traceback process in response to an attack, e.g. input debugging and controlled flooding. Must be completed while the attack is active; ineffective once the attack ceases. Requires a large degree of ISP cooperation: extensive administrative burden, difficult legal and policy issues.

Input debugging: Figure from IP Traceback: A New Denial-of-Service Deterrent?, H. Aljifri, IEEE Security & Privacy, 2003.

Proactive IP traceback

Record tracing measures as packets are routed through the network.

Traceback data used for attack path reconstruction and subsequent attacker identification.

Techniques: Logging, Messaging, Packet-marking

Logging

Log packets at key routers throughout the Internet and then use data-mining techniques to extract information about attack traffic’s source.

Huge amount of processing and storage power needed to store the logs.

Need to save and share information among ISPs : logistical and legal problems, as well as privacy concerns.

How to reduce the resource demand?

Probabilistic sampling of the packet stream and compression. SPIE (Source Path Isolation Engine), A. Snoeren et al.

Makes use of Bloom filters to store a hash digest of only the relevant invariant portions of a packet.

Overlay network of sensors, tracing agents and managing agents. Selectively log traffic (after an attack is recognized). Log only certain relevant characteristics: increased speed and less storage.
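The SPIE idea above, as an added example (my own code, not SPIE's): each router keeps a Bloom filter of digests over the invariant header fields plus a payload prefix, and a query walks hop by hop toward whichever upstream neighbour's table reports the digest. The four-router topology and the packet are constructed.

```python
# Added example (my own code, not SPIE's): a SPIE-style digest table per
# router and a hop-by-hop query over it. Topology and packets are constructed.
import hashlib

class DigestTable:
    """Bloom filter over packet digests for one router and one time slice."""
    def __init__(self, m_bits: int = 1 << 16, k: int = 4):
        self.m, self.k, self.bits = m_bits, k, bytearray(m_bits // 8)

    def _positions(self, digest: bytes):
        for i in range(self.k):   # k independent hashes via domain separation
            h = hashlib.sha256(bytes([i]) + digest).digest()
            yield int.from_bytes(h[:4], "big") % self.m

    def insert(self, digest: bytes) -> None:
        for p in self._positions(digest):
            self.bits[p >> 3] |= 1 << (p & 7)

    def maybe_seen(self, digest: bytes) -> bool:
        """No false negatives; false positives at a small, tunable rate."""
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(digest))

def packet_digest(ip_header: bytes, payload: bytes) -> bytes:
    """Hash only invariant fields: TOS, TTL and checksum are zeroed because
    routers rewrite them; the first 8 payload bytes disambiguate retransmits."""
    h = bytearray(ip_header[:20])
    h[1] = 0; h[8] = 0; h[10] = 0; h[11] = 0
    return hashlib.sha256(bytes(h) + payload[:8]).digest()

def trace(digest: bytes, tables: dict, upstream: dict, start: str) -> list:
    """Walk from the victim's router toward the source, following whichever
    upstream neighbour's table reports the digest."""
    path, cur = [start], start
    while True:
        hits = [r for r in upstream[cur] if tables[r].maybe_seen(digest)]
        if not hits:
            return path
        cur = hits[0]
        path.append(cur)

# Constructed packet: 20-byte IPv4 header 192.0.2.10 -> 10.0.0.5, TTL 64.
HEADER = bytes([0x45, 0, 0, 0x3c, 0x1c, 0x46, 0x40, 0, 64, 6, 0xb1, 0xe6,
                192, 0, 2, 10, 10, 0, 0, 5])
UPSTREAM = {"R3": ["R4", "R2"], "R2": ["R1"], "R1": [], "R4": []}  # R3 at the victim

def build_tables(attack_digest: bytes) -> dict:
    tables = {r: DigestTable() for r in UPSTREAM}
    for r in ("R1", "R2", "R3"):          # the path the attack packet took
        tables[r].insert(attack_digest)
    tables["R4"].insert(hashlib.sha256(b"unrelated traffic").digest())
    return tables
```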

ICMP-based traceback: Figure from IP Traceback: A New Denial-of-Service Deterrent?, H. Aljifri, IEEE Security & Privacy, 2003.

ICMP-based traceback vs DDoS

In a DDoS attack, each zombie contributes only a small amount of the total attack traffic.

The probability of choosing an attack packet is much smaller than the sampling rate used.

The victim will probably get many ICMP traceback messages from the closest routers but very few originating near the zombies' machines.

Intention-driven ICMP traceback: more effective against DDoS.

Packet-Marking : Figure from IP Traceback: A New Denial-of-Service Deterrent?, H. Aljifri, IEEE Security & Privacy, 2003.

Packet Marking

To be effective, packet marking should not increase the packets' size (to avoid additional downstream fragmentation, thus increasing network traffic).

Secure enough to prevent attackers from generating false markings.

Must work within the existing IP specifications: the specified order and length of fields in an IP header.

Packet-marking algorithms and associated routers must be fast enough to allow real-time packet marking.

Probabilistic Packet Marking: received widespread attention; active area of research
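Probabilistic packet marking, as an added example (my own simulation, not the slides' or Savage et al.'s code) using node sampling, the simplest variant: each router overwrites one mark field with probability p, and the victim orders routers by how often their mark arrived. Router names and the marking probability are constructed; the forged-mark case shows why the "secure enough" requirement above matters.

```python
# Added example (my own simulation, not Savage et al.'s code): node sampling,
# the simplest probabilistic packet marking scheme. Router names are constructed.
import random
from collections import Counter

def mark_packet(path, p, rng, initial_mark=None):
    """Each router on the path overwrites the single mark field with its own
    id with probability p; a mark written by the sender survives only if no
    router later overwrites it."""
    mark = initial_mark
    for router in path:
        if rng.random() < p:
            mark = router
    return mark

def simulate(path, p, packets, seed=1, forged_mark=None):
    """Marks collected at the victim for `packets` attack packets. `path` runs
    from the attacker's first router to the victim's router."""
    rng = random.Random(seed)
    return Counter(mark_packet(path, p, rng, forged_mark) for _ in range(packets))

def reconstruct(marks):
    """Closer routers overwrite farther ones more often, so sorting marks by
    frequency yields the path from the victim outward: a router at distance d
    has expected share p(1-p)^(d-1)."""
    return [r for r, _ in marks.most_common() if r is not None]

def expected_share(p, d):
    """Expected fraction of packets carrying the mark of the router d hops away."""
    return p * (1 - p) ** (d - 1)

def forged_share(p, hops):
    """Fraction of packets whose sender-written mark survives all `hops` routers.
    At p = 0.5 and 4 hops this equals expected_share(0.5, 4): the attacker's
    fake router is indistinguishable from the farthest real one."""
    return (1 - p) ** hops
```

With p = 0.5 over four routers the victim sees roughly 50%, 25%, 12.5% and 6.25% of packets marked by R1 through R4, and an attacker-written mark survives on another 6.25%, so the marking scheme alone cannot tell the fake from the farthest hop.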

Discussion

What is the cost for ISPs to prevent DDoS?

Law enforcement or homogeneous control?

Is DDoS an important problem for WINGers? Can it be part of the iBENCH (Safe & Secure Composition…)? Can it be part of the ITM (soft state and sampling of flows)?