A DoS-Resistant IP Traceback Approach. Bao-Tung Wang, Henning Schulzrinne IRT, Columbia University Friday, September 12, 2003

Transcription

1 A DoS-Resistant I Traceback Approach Bao-Tung Wang, Henning Schulzrinne IRT, Columbia University Friday, September 12, 2003

2 Overview Definitions ICM Messages I Traceback Using Messages Evaluations Conclusion

3 Introduction DoS (Denial-of-Service) DDoS (Distributed DoS) Attacks Direct DDoS Reflective DDoS I Traceback Direct DDoS Attack Slaves (Daemons) Attacker Masters (Handlers) Simple DoS Attack Reflective DDoS Attack Slaves (Daemons) Reflectors Victim

4 roposed Solutions DoS Attacks Targets Network Connectivity Network Bandwidth Network Infrastructure Attacks T SYN Flooding acket Flooding Counterfeit Routing Advertisement acket Dropping Solutions System Tuning Network rotocol Improvement I Traceback acket Filtering

5 roblems of Existing Solutions Categories Examples Bandwidth Overhead Storage Overhead Computation Overhead Link Testing outer Inferencenference Very High Low/Low Low/Low Logging SIE Fair Very High/Low Fair/Low Overlaying CenterTrack High Low /Low Low /Low In-Band Marking M AAM None None None/Very High Low/High Low/Very High Low/High Out-of of-band ICM Messaging itrace ID-iTrace i High High Fair None/High High/Fair Low/Low Low/Very High Low/High Low /Fair (A/B indicates the overhead in the network is A and that at the destination is B)

6 ICM Messages Ball ackets Messages Initiators Traffic Source Traffic Source ropagators Initiator Initiator ropagator ropagator ropagator ropagator Ball packets The corresponding messages ropagator Attack Victim/Tracer

7 Message Generation Selector Timer KeyMaker 1 Timer Keymaker 7 4 Selector 5 6 Generator B C Input port (Input queue) Output port (Output queue) B. The ball packet C. The message. Regular packets 1. Trigger ball packet selection 2. Select a ball packet 3. Extract the ball packet 4. Update the timer 5. Copy the ball packet header 6. Trigger generation 7. Generate a session key (Optional) 8. Inject message in the front of output port

8 Message ropagation Timer Keymaker 3 2 ropagator 4 1 C B C Input port (Input queue) Output port (Output queue) B. The ball packet C. The message. Regular packets 1. Receive an ICM message in an input port 2. Update the timer 3. Generate a session key (Optional) 4. Update and inject message into an output port

9 A Message TYE CODE CHECKSUM TIMESTAM DIGEST SOURCE DESTINATION SECURITY ROUTER ID REVIOUS ROUTER ID NEXT HO ROUTER ID TTL TIMESTAM HMAC ROUTER ID REVIOUS ROUTER ID NEXT HO ROUTER ID TTL TIMESTAM HMAC ICM message header message header First element of the ROUTER LIST (by Initiator) Successive ROUTER LIST elements (by ropagators)

10 Time-Release Key Chain (TRKC) Key Generation HMAC Calculation Message Authentication MD5(K t-1,i) MD5(K t,i) MD5(K t+1,i) MD5(K t+2,i) K t-1 K t+1 K t Time C 1 C 2 C 3 C 4 C 5 C 6 C 7 C 8 C 9 C i : Messages K t : Session keys

11 I Traceback I Traceback for Direct DDoS Attack Agent CI Attack Agent CI Attacker CI- Initiator - ropagator Intrusion Connection Chain DoS Traffic Victim

12 I Traceback (Cont.) I Traceback for Reflective DDoS Attack Agent Attack Agent CI Attack Reflector CI Attack Reflector Attacker CI- Initiator - ropagator Intrusion Connection Chain Service Request Traffic Service Response Traffic Victim

13 Evaluations Incremental Deployment Scalability The Source The Source Initiator Initiator Regular ropagator Regular Regular Ball packets ropagator The corresponding messages Attack Victim/Tracer

14 Evaluations (Cont.) Workload Distribution Local networks IS Backbone Internet Core IS Local networks

15 Evaluations (Cont.) Security HMACs Robustness False positives olitical Issues ISs cooperation rivacy

16 Evaluations (Cont.) Bandwidth Overhead Number of attack packets required Number of ICM messages generated Storage Overhead In the network At the victim Computational Overhead In the network At the victim

17 Conclusion Effective Secure DoS-Resistant

18 Q&A Thank You Very Much