RCS: A Distributed Mechanism Against Link Flooding DDoS Attacks

Yong Cui, Lingjian Song, and Ke Xu

Department of Computer Science and Technology, Tsinghua University, Beijing, , P.R. China
{cy, slj, xuke}@csnet1.cs.tsinghua.edu.cn

Abstract. DoS/DDoS attacks, especially Link Flooding, pose a severe threat to the Internet. In this paper we propose a novel mechanism called Rate Control System (RCS) against Link Flooding, based on the correlation analysis of upper link flows. Exploiting the aggregate nature of DDoS attacks, RCS treats the DDoS problem as one of flow control to simplify the situation, and deploys the flow controller at the routers near the victims. As the key point of our mechanism, an algorithm is designed to differentiate malicious packets from normal ones, and we classify packets according to TCP flags in order to tell different flows apart. In addition, we detect the malicious aggregate using correlation analysis to determine the type and the location of the attack. Simulation results demonstrate the performance in detecting Link Flooding DDoS attacks.

1 Introduction

As the Internet becomes popular, worms and hacker intrusions frequently disrupt people's daily life, which reminds people of the severe problem of network security [1]. Among various attacks, DoS/DDoS attacks, which attack the Internet by exploiting flaws in the protocols [2,3], are often referred to as the primary threat to the Internet. DoS/DDoS attacks fall into two categories. One kind targets a single host, while the other aims at the network infrastructure [4]. The former breaks down the victim by exhausting its resources, for example TCP SYN flood [5] and ping of death. The latter congests the network to prevent normal users from accessing the Internet, for example ICMP flood, Smurf, UDP flood, etc. The latter is often called Link Flooding for short.
Because Link Flooding is designed against Internet infrastructure such as core routers and DNS servers, it can be a disaster. Moreover, there is a variation of DDoS Link Flooding called Distributed Reflection Denial of Service (DRDoS); detailed information can be found in [6].

How to defend against DoS/DDoS attacks effectively has been a heated topic in recent years. Many scholars have done a lot of research and made some progress in defending against attacks. The defenses available are either designed only for several attacks or cost a lot. As new attacks emerge rapidly, a universal defense model is needed to counter the attackers.

In this paper we propose a mechanism called RCS, based on the correlation analysis of upper link flows, to counter Link Flooding. At the very beginning we make clear the goals of the defense mechanism after a deep analysis of Link Flooding. One is to protect the links and avoid congestion collapse, and the other is to keep the quality of service during Link Flooding. Then we establish a model using optimization theory to meet the goals. In the meantime, we view the defense against Link Flooding as a flow control problem to simplify the situation, and deploy the flow controller at the routers near the victims to mitigate the load of the links.

I. Chong and K. Kawahara (Eds.): ICOIN 2006, LNCS 3961, pp , © Springer-Verlag Berlin Heidelberg 2006

2 Related Work

Recent research gives some insights into DoS/DDoS attacks: (1) More than 90% of DoS attacks use TCP [2,5]. (2) The attack involves a huge volume of packets and shows a noticeable increase in the number of packets [7]. (3) The malicious congestion is usually caused by a flow aggregate [8]. Many defensive techniques have been proposed. They fall into three kinds of method.

Method 1: Filtering the malicious packets according to the pattern of the data stream or of a single packet. This method can also be divided into two kinds. The first kind filters forged packets. Some approaches make use of routers, analyze the IP header of each packet and filter the ones with a wrong IP address that is out of the normal range, for example ingress filtering [9] and SAVE [10]. In the Hop-Count mechanism [11], a mapping table IP2HC between IP address and hop count is built to filter forged packets. In addition, Adrian Perrig proposed Pi [4] to counter IP address fabrication. The second kind detects anomalous data flows by analyzing the statistical pattern, for example the recent PacketScore mechanism [12]. By comparing the suspect traffic pattern with the normal traffic profile, the difference can be viewed as the result of the attack.
Method 2: As the difference between bad packets and good ones is subtle, it is not easy to tell them apart. In addition, there is no clear difference that tells whether it is an attack or just a flash crowd [7]. Some scholars therefore convert the defense problem into a resource allocation problem. The Pushback [16] mechanism controls the rate of the flows that cause congestion, at the nearby routers or upstream ones, by analyzing the granularity of the aggregate. Similarly, Router Throttle [17] controls the flow at the k-level routers, using the max-min fair algorithm to allocate the resource. These methods also cost a lot in the deployment of the controller. Moreover, when the aggregate is composed of numerous flows, each of which might be low-bandwidth, Router Throttle degrades severely.

Method 3: Because the source of a DDoS attack is concealed, people have done research on IP traceback in order to locate the source of the attack. Source traceback does not directly address the DDoS problem. It serves as a reactive detection and deterrent tool against attack sources, for example Bellovin's ITRACE [13], D. Dean's algebraic approach [14] and Savage's IP marking mechanism [15]. They are all designed to reveal the location of the attack source. However, large-scale DDoS, especially DRDoS, which uses reflectors to attack, makes source traceback less effective. It makes no sense to locate the innocent reflectors.

All the defenses mentioned above fall into two kinds from the point of view of deployment: router-based and host-based. Router-based methods such as Pushback [16] make improvements to routers, while host-based methods such as the Hop-Count mechanism enhance the ability of Internet servers to recover from attacks. Router-based methods take advantage of router resources such as high bandwidth, but deployment is difficult and costs a lot. Host-based methods, with less deployment difficulty, need a strong host server and bandwidth.

The methods mentioned above all have some shortcomings. As new attacks emerge rapidly, there is no perfect solution so far. How to learn from the available methods and combine their advantages is a challenge. A universal defense model is needed to counter the attackers.

3 Problem Definition

In this section we describe the target network and define the related variables and formulas. Figure 1 depicts the target network topology. We model it as a connected graph $G = (V, E)$, where $V$ is the set of nodes, $E$ is the set of edges and $c_e$ is the capacity of edge $e$ ($e \in E$). The node $s$ stands for the victim, which accesses the Internet through the node $g$. We suppose there are $n$ nodes $\{v_1, v_2, v_3, \ldots, v_n\}$, called upper nodes, that can reach $s$ through $g$. In this model we only consider the packet flows whose destination is $s$. For each $v_i$ at time $t$ we define $r'_i(t)$ as the inbound packet rate and $r_i(t)$ as the outbound one. The rate from $g$ to $s$ is $r_0(t)$, and the load of the link $gs$ is $r_{load}(t)$, which equals the sum of all the upper link rates.

Fig. 1. The topology of target network
We have

$$r_{load}(t) = \sum_{i=1,2,\ldots,n} r_i(t) \qquad (1)$$

The discussion in the rest of the paper is based on this topology to depict the attack. If the hacker wants to attack $s$, the link $gs$ is the most vulnerable. Normally the link load $r_{load}(t)$ is less than $c_{gs}$, so all the packets can reach $s$ without any trouble. However, when the hacker employs a DDoS or DRDoS attack to flood $s$, numerous flows converge at $g$, which causes an aggregate. When a link is congested and persistently overloaded, all flows traversing that link experience significantly degraded service over an extended period of time. Supposing all the packets fall into $m$ categories (the way of classification will be mentioned later), for each $v_i$ at time $t$ we define $r'_{ij}(t)$ as the inbound packet rate belonging to the $j$th category, and $r_{ij}(t)$ as the outbound one. We use the matrices $r(t) = [r_{ij}(t)]_{n \times m}$ and $r'(t) = [r'_{ij}(t)]_{n \times m}$ to denote the rates of flow. The row of the matrix stands for the serial number of the node, while the column stands for the serial number of the packet category. From now on we view a flow as a specific category unless stated otherwise.

4 Modeling

4.1 Utility Function

The goals of defense mentioned before are to protect the links and avoid congestion collapse, and to keep the quality of service (QoS) during Link Flooding. To describe the QoS, we use the utility function $U(p, q)$ to evaluate it. The parameter $p$ is the probability that a user continues to be served without interruption, and $q$ is the probability that a newly arriving user can get the service immediately during the attack. We define the function as follows:

$$U(p, q) = ap + bq \qquad (2)$$

Eqn. (2) consists of two parts: the utility of existing users and that of newcomers. $a$ and $b$ stand for the weight of each part. The reason we classify the users is that different users are affected by different attacks.

4.2 Defense Model

For a better understanding, we use mathematical tools to describe the router-based defense. In addition, we build a simple model employing optimization theory to depict the mechanism countering the attack. We view the first goal of the defense mechanism as the constraint of the problem and the second goal as the target function, converting a two-target problem into a single-target one, which simplifies the problem. So we have the model:

$$\max\ U(p, q) \quad \text{s.t.} \quad \begin{cases} r(t) = F[r'(t)] \\ r_{load} < c_{gs} \end{cases} \qquad (3)$$

Eqn. (3) shows the problem we face in defending against the attack. As the core of the defense mechanism, the formula $r(t) = F[r'(t)]$ means a transform from matrix $r'(t)$ to $r(t)$, which is done by the router, as mentioned in Section 3. The inequality $r_{load} < c_{gs}$ is the constraint that secures the link from overload.
In reality our defense mechanism achieves this by limiting the inbound rate so as to prevent the link from overloading. The target of the model is to maximize the utility of users while guaranteeing these constraints.

5 Defense Mechanism RCS

In this section we detail our defense mechanism RCS. RCS is invoked only when congestion occurs. Even when it is just a normal congestion that may be caused by flash crowds, the mechanism plays an active role in mitigating the congestion.

5.1 The Classification of Packets

Most attacks exploit shortcomings of the protocols, and different attacks have different characteristics. Drawing on the features of DDoS in Section 2 and the method in [12], we classify packets according to attributes in the transport layer, such as the TCP flags (URG, ACK, PSH, RST, SYN, FIN) or the UDP ports, which stand for different services. The classification is shown in Table 1.

Table 1. Classification of packets

| Category | Description | Possible Attack |
|---|---|---|
| DNS query/echo | UDP Port 53 | DRDoS |
| ICMP query/echo | ICMP(0,0) or ICMP(8,0) | DRDoS |
| TCP SYN | SYN is 1 | SYN flooding |
| TCP reply of SYN | SYN and ACK are 1, data length is 0 | DRDoS |
| TCP data | PSH is 1, data length > 0 | DDoS flooding |
| TCP ACK of data | ACK is 1 | DRDoS |
| TCP FIN | FIN is 1, data length is 0 | DDoS flooding |
| TCP reset | RST is 1 | DDoS flooding |
| Other data | The other description | DDoS flooding |

5.2 Detection of Aggregate

Once serious congestion is found, the mechanism is invoked to find the cause and determine whether it is an aggregate or not. The phenomenon called flash crowds, which is elaborated in the literature [7], can also cause congestion. We define this phenomenon as follows:

Definition 1 (Correlated flows). Two flows are correlated if and only if their rates have a positive correlation relationship.

We also define the correlation coefficient to evaluate how strongly they are correlated. Before the definition, we regard the rate of a flow as a stochastic variable $r$.

Definition 2. Let $r_1$ and $r_2$ stand for the rates of two flows. The correlation coefficient of the two flows is:

$$re = \frac{Cov(r_1, r_2)}{\sqrt{D(r_1)}\,\sqrt{D(r_2)}} \qquad (4)$$

In real measurement the correlated flows may not be confined to a linear relationship because of the unstable network, so the definition is strict. We use an empirical threshold to determine whether two flows are correlated or not.

5.3 Flow Control

In RCS a new flow control protocol is introduced to counter link flooding. When an aggregate of a specific kind is detected, packets are dropped proportionally to mitigate the load of the link. In this way we not only ensure the efficiency of the links, but also differentiate the different packets and pass more normal packets. We define a rate control coefficient matrix $\eta = [\eta_{ij}]_{n \times m}$, where $\eta_{ij}$ is the coefficient of link $i$ and type $j$. So we have the equation:

$$r_{ij}(t) = r'_{ij}(t)\,\eta_{ij} \qquad (5)$$

Eqn. (5) in fact realizes the function $F$ mentioned in Eqn. (3). Substituting Eqn. (5) into Eqn. (3) we get:

$$\max\ U(p, q) \quad \text{s.t.} \quad \sum_{i=1..n,\ j=1...m} r'_{ij}(t)\,\eta_{ij} < c_{gs} \qquad (6)$$

From Eqn. (6), the solution to defend against attacks is to choose an appropriate $\eta$. If we find the $j$th kind of flow passing node $i$ to be malicious, we can reduce $\eta_{ij}$ to counter the attack, so that more normal packets can pass and the utility of users rises.

5.4 Flow Control

According to Eqn. (3) the transform function $F$ is the core of the defense mechanism. In this part we propose an algorithm called the Link Control (LC) algorithm to convert $r'$ to $r$. In every period $T$, we sample the inbound rate $r'(t)$ at an interval of $\tau$ and get the time-series matrix $R(\tau, T)$, which also has $n$ rows and $m$ columns. In each column there are $n$ rate sequences of flows of the same kind, from which we can compute a correlation matrix according to Eqn. (4). We use the vector $Re(\tau, T)$ to represent the $m$ matrices for the $m$ columns, as given in Eqn. (7).

$$\begin{aligned} Re(\tau, T) &= [Re_j(\tau, T)]_m \\ Re_j(\tau, T) &= [Re^j_{hl}(\tau, T)]_{n \times n} \\ Re^j_{hl}(\tau, T) &= \frac{Cov(R_{hj}(\tau, T), R_{lj}(\tau, T))}{\sqrt{D(R_{hj}(\tau, T))}\,\sqrt{D(R_{lj}(\tau, T))}} \end{aligned} \qquad (7)$$

We define a matrix $Rn = [Rn_{ij}]_{n \times m}$ to record the correlated flows. The computation of $Rn$ is shown in Fig. 2. The program first gets $Re(t, T)$ from $R(t, T)$ according to Eqn. (7) and initializes $Rn$ (line 1-2). Then it searches $Re(t, T)$, and if the correlation coefficient of two flows is larger than $\varphi$, the corresponding $Rn_{ij}$ is set to 1 (line 3-5). Fig. 3 shows the pseudocode of the LC algorithm.

Fig. 2. Rn function

    Algorithm LC()
        Initialize η to [1]_{n×m};
        r_past = ;
        WHILE (1)
            get R(τ,T) in the last T period from the monitor
            get current r_load(t) from the monitor;
            control the flow according to current η;
            timer = 0;
            DO
                Sleep(t_0);  // wake up every t_0
                IF (r_load > U_gs)
                    Rn = Rn(R(τ,T))  // count Rn
                    IF (Rn != [0]_{n×m}) for all Rn_ij: if Rn_ij = 1 then η_ij = w·η_ij;  // adjust η according to Rn
                    ELSE for all j, i_0: if r_{i_0 j}(t) > ρ Σ_{i=1...n} r_ij(t), then η_{i_0 j} = w·η_{i_0 j};  /* attack through a single line */
                    ELSE for each η_ij: η_ij = w·η_ij  /* no anomaly detected */
                ELSE IF (r_load < L_gs)
                    IF (r_0(t) r_past < ϕ)
                        turn off the RT;
                        exit(1);
                    ELSE Rn_ij: if Rn_ij = 1 then η_ij = v·η_ij;
                timer = timer + t_0;
                r_past = r_load;
            WHILE (timer T)

Fig. 3. Pseudocode of LC Algorithm

The algorithm pays special attention to two anomalies. One is that a huge amount of malicious packets comes from a single link. The other is a flash crowd for a special event. It is worthwhile to mention that our mechanism is an online real-time defense system. Every $T$ interval the correlation analysis is done, and $\eta$ is adjusted at the interval of $\tau$.

6 The Simulation and Results

We design a simulation plan to evaluate our defense mechanism and analyze its effectiveness and stability. We use Matlab 7.0 as our simulation platform. In the LC algorithm we use T = 20 s, t = 2 s, t_0 = 1 s and t_0 = 90% as our default configuration. In the simulation we have 5 upper nodes, 1000 hosts, and a victim host $s$. Each of these hosts, 20% of which are attacking hosts, sends packets through one of the 5 nodes. The attacking hosts' sending rate is 20 times the normal one.

6.1 The Analysis of ϕ

We run our LC algorithm in the simulated attack with different $\varphi$ and record $Rn$ for each to determine $\varphi$. The table below shows the average number of correlated links (ANCL) over 100 experiments. Table 2 tells us that a smaller $\varphi$ causes more wrongly correlated links, while a larger $\varphi$ ignores more malicious ones. The principle of our algorithm is to maximize the degree of differentiation. We say $P(re_1 > \varphi) > 90\%$, $P(re_2 > \varphi) > 90\%$ and $P(re_3 > \varphi) > 90\%$ are enough, which is fulfilled when $\varphi$ equals 0.65, as shown in Fig. 4.
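The correlation test of Eqn. (7), the Rn matrix and the overload branch of the LC algorithm, as an added Python example (not the authors' code). The rate series are constructed sample data, and `W = 0.5` and `RHO = 0.9` are assumed values for w and ρ; 0.65 is the threshold chosen in Section 6.1.

```python
import math

PHI = 0.65  # correlation threshold chosen in Section 6.1
W = 0.5     # assumed throttle factor w, 0 < w < 1
RHO = 0.9   # assumed share above which one link counts as the single attack path


def correlation(x, y):
    """Eqn. (4): Cov(x, y) / (sqrt(D(x)) * sqrt(D(y))) for two rate series."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y)) / n
    dx = sum((a - mx) ** 2 for a in x) / n
    dy = sum((b - my) ** 2 for b in y) / n
    if dx == 0 or dy == 0:  # a constant (e.g. idle) flow correlates with nothing
        return 0.0
    return cov / math.sqrt(dx * dy)


def correlated_flows(R, phi=PHI):
    """R[i][j] is the sampled rate series of category j on upper link i.
    Returns Rn, where Rn[i][j] = 1 if that flow correlates (coefficient > phi)
    with the same category on at least one other link, as in Eqn. (7)."""
    n, m = len(R), len(R[0])
    Rn = [[0] * m for _ in range(n)]
    for j in range(m):
        for h in range(n):
            for l in range(h + 1, n):
                if correlation(R[h][j], R[l][j]) > phi:
                    Rn[h][j] = Rn[l][j] = 1
    return Rn


def adjust_eta(eta, Rn, latest, w=W, rho=RHO):
    """Overload branch of LC. Throttle correlated flows; if there are none,
    throttle a flow carrying more than rho of its category's total rate;
    if there is none of those either, throttle every flow. Returns new eta."""
    n, m = len(eta), len(eta[0])
    cells = [(i, j) for i in range(n) for j in range(m)]
    hit = [(i, j) for i, j in cells if Rn[i][j]]
    if not hit:
        totals = [sum(latest[i][j] for i in range(n)) for j in range(m)]
        hit = [(i, j) for i, j in cells if latest[i][j] > rho * totals[j]]
    if not hit:
        hit = cells
    new = [row[:] for row in eta]
    for i, j in hit:
        new[i][j] *= w
    return new


def link_load(latest, eta):
    """Eqn. (5) summed over all links and categories: the load offered to link gs."""
    return sum(r * e for rates, etas in zip(latest, eta) for r, e in zip(rates, etas))


def run_step(R, w=W, rho=RHO, phi=PHI):
    """One detection and control step; returns (Rn, eta, load before, load after)."""
    n, m = len(R), len(R[0])
    latest = [[R[i][j][-1] for j in range(m)] for i in range(n)]
    ones = [[1.0] * m for _ in range(n)]
    Rn = correlated_flows(R, phi)
    eta = adjust_eta(ones, Rn, latest, w, rho)
    return Rn, eta, link_load(latest, ones), link_load(latest, eta)


def series(base, amp, signs):
    """Constructed background traffic: base +/- amp following a sign pattern."""
    return [base + amp * (1 if s == "+" else -1) for s in signs]


# Constructed sample: 5 upper links, 2 categories (0 = TCP SYN, 1 = TCP data),
# 10 samples each. Links 0-2 carry a common SYN ramp; the rest is background.
PATTERNS = ["-+-+-+-+-+", "++--++--++", "+--++--++-", "+++++-----", "++-----+++"]
SYN = [
    [10, 30, 50, 70, 90, 110, 130, 150, 170, 190],
    [12, 28, 55, 66, 95, 105, 135, 148, 172, 188],
    [8, 33, 47, 74, 88, 112, 128, 153, 168, 193],
    series(11, 1, PATTERNS[0]),
    series(10, 1, PATTERNS[1]),
]
DATA = [series(50, 5, p) for p in PATTERNS]
R = [[SYN[i], DATA[i]] for i in range(5)]

if __name__ == "__main__":
    Rn, eta, before, after = run_step(R)
    print("Rn  =", Rn)
    print("eta =", eta)
    print("load before/after control:", before, after)
```

Only the SYN category on the three ramping links is throttled; the data category and the two uncorrelated links keep η = 1.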

Table 2. Classification of packets (a. normal condition: ϕ, ANCL; b. attacking condition: ϕ, ANCL)

Fig. 4. The analysis of ϕ (a. the distribution of host; b. three probability when ϕ = 0.65)

6.2 The Analysis of Convergence

In this part we evaluate the convergence of our algorithm with different $w$ and $v$ by analyzing the fluctuation of the link load. Fig. 5 shows the fluctuation of the link load under attack when our algorithm operates with different $w$ and $v$. We use the range [10 Mbps, 5 Mbps].

Fig. 5. The comparison of convergence with different w and v

The parameter $w$ reflects how tolerant our algorithm is when the load is beyond the capacity bounds. If $w$ is small, say 0.2 in the figure, our algorithm responds severely and limits the aggregate aggressively, which makes the load unstable and less convergent. The parameter $v$ expresses that our algorithm will recover the flows when they are over-controlled. From the figure, after 100 s, the larger $v$ is, the more convergent the load is. But between 70 s and 80 s, the larger $v$ is, the more severely the load fluctuates. It is worthwhile to mention that $w$ and $v$ should be adjusted according to the degree of attack in order to achieve the optimized result.

6.3 The Analysis of Performance

We understand the performance of a defense mechanism as the pass rate of good packets (PRGP). The pass rate is the proportion of packets that are not dropped to the total. Fig. 6.a depicts the performance comparison of our LC algorithm, the max-min fair algorithm [17] and the situation with no protection. The experiment shows the advantage of the LC algorithm against one kind of attack. The experiment in Fig. 6.b is designed to analyze the utility under different attacks with $a = b = 10$. We assume the victim $s$ is a web server, and the attacker launches SYN flooding, UDP flooding and ACK flood respectively. As the results show, UDP flooding does not affect the TCP services, and SYN flooding affects the request packets. The ACK flood affects both of them, which causes the least utility. Fig. 6.c shows the performance under attack from different numbers of links. If the attacking packets come from fewer links, the attacking behavior is more obvious, and it is easier for our algorithm to recognize and control it. As there are more links that do not need limitation, the pass rate of good packets is surely higher. Our algorithm assumes that the hacker attacks the victim using only one kind of attack. Finally we discuss the degradation of our algorithm when the attacker launches multi-attacks, shown in Fig. 6.d. As we see, the more attack types there are, the worse the performance is. The experiment proved that when the attacker forges all kinds of packets to attack, our LC algorithm degrades to max-min fair. This remains to be improved.

Fig. 6. The analysis of performance of our algorithm (a. different algorithms and no protection; b. the utility under different attacks; c. different distribution of attacking host; d. the degradation under various attacks)

6.4 Conclusion

In this paper we develop and evaluate a mechanism against Link Flooding based on the correlation analysis of upper link flows. Deployed on the nearby routers, our defense mechanism can mitigate the congestion caused by an excessive volume of traffic and effectively differentiate malicious flows from normal ones. We evaluate our mechanism by simulation, and the result shows that it is a promising method to counter link flooding. More attention was paid to attacks in which the hacker uses only one kind of attack, which is the most prevalent case. We will do research on multi-attacks in our future work.

References

1. A.K. Ghosh, J. Wanken, F. Charron: Detecting anomalous and unknown intrusions against programs. Proceedings of the 14th Annual Computer Security Applications Conference
2. D. Moore, G. Voelker and S. Savage: Inferring Internet Denial of Service Activity. Proceedings of USENIX Security Symposium, 2001, August
3. L. Garber: Denial-of-service attack rip the internet. IEEE Computer, April
4. A. Yaar: Pi: A path identification mechanism to defend against ddos attacks. In Proceedings of IEEE Symposium on Security and Privacy, Oakland, CA, May
5. H. Wang, D. Zhang, and K. Shin: Detecting SYN flooding attacks. In Proceedings of IEEE INFOCOM, pages , June
6. Vern Paxson: An Analysis of Using Reflectors for Distributed Denial-of-service. Computer Communication Review 31(3)
7. J. Jung, B. Krishnamurthy, and M. Rabinovich: Flash crowds and denial of service attacks: Characterization and implications for cdns and web sites. In Proceedings of the 11th WWW Conference (Honolulu, HI, May 2002)
8. Ratul Mahajan, Steven M. Bellovin, Sally Floyd, and John Ioannidis: Controlling high bandwidth aggregates in the network. Submitted to ACM SIGCOMM
9. P. Ferguson and D. Senie: Network Ingress Filtering: Defeating Denial-of-service Attacks which employ IP Source Address Spoofing
10. J. Li, J. Mirkovic, M. Wang, P. Reiher, and L. Zhang: SAVE: Source address validity enforcement protocol. In Proceedings of IEEE INFOCOM 2001, Apr
11. C. Jin, H. Wang and K. G. Shin: Hop-count filtering: An effective defense against spoofed DDoS traffic. In Proceedings of the 10th ACM Conference on Computer and Communications Security, October
12. Yoohwan Kim and Wing Cheong Lau: PacketScore: Statistics-based Overload Control against Distributed Denial-of-Service Attacks. IEEE INFOCOM 2004
13. Bellovin: ICMP Traceback Messages. AT&T Labs Research. smb/papers/draft-bellovin-itrace-00.txt
14. D. Dean, M. Franklin, and A. Stubblefield: An algebraic approach to IP traceback. ACM Transactions on Information and System Security, May
15. S. Savage, D. Wetherall, A. Karlin and T. Anderson: Practical Network Support for IP Traceback. Proc. ACM/SIGCOMM, pp , August
16. J. Ioannidis: Implementing pushback: router-based defense against DDoS attacks. In Proceedings of the 2002 ISOC Symposium on Network and Distributed Security
17. David K.Y. Yau, John C.S. Lui, and F. Liang: Defending Against Distributed Denial-of-service Attacks with Max-min Fair Server-centric Router Throttles. In IEEE International Workshop on Quality of Service (IWQoS), 2002


More information

Discriminating DDoS Attacks from Flash Crowds in IPv6 networks using Entropy Variations and Sibson distance metric

Discriminating DDoS Attacks from Flash Crowds in IPv6 networks using Entropy Variations and Sibson distance metric Discriminating DDoS Attacks from Flash Crowds in IPv6 networks using Entropy Variations and Sibson distance metric HeyShanthiniPandiyaKumari.S 1, Rajitha Nair.P 2 1 (Department of Computer Science &Engineering,

More information

Chapter 7. Denial of Service Attacks

Chapter 7. Denial of Service Attacks Chapter 7 Denial of Service Attacks DoS attack: An action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU),

More information

DDoS Attacks and Pushback

DDoS Attacks and Pushback Steven M. Bellovin December 5, 2 1 Florham Park, NJ 7932 AT&T Labs Research +1 973-36-8656 http://www.research.att.com/ smb Steven M. Bellovin DDoS Attacks and Joint Work Joint work with Ratul Mahajan

More information

Provision of Quality of Service with Router Support

Provision of Quality of Service with Router Support Provision of Quality of Service with Router Support Hongli Luo Department of Computer and Electrical Engineering Technology and Information System and Technology Indiana University Purdue University Fort

More information

CSE Computer Security (Fall 2006)

CSE Computer Security (Fall 2006) CSE 543 - Computer Security (Fall 2006) Lecture 18 - Network Security November 7, 2006 URL: http://www.cse.psu.edu/~tjaeger/cse543-f06/ 1 Denial of Service Intentional prevention of access to valued resource

More information

Flow Control Packet Marking Scheme: to identify the sources of Distributed Denial of Service Attacks

Flow Control Packet Marking Scheme: to identify the sources of Distributed Denial of Service Attacks Flow Control Packet Marking Scheme: to identify the sources of Distributed Denial of Service Attacks A.Chitkala, K.S. Vijaya Lakshmi VRSE College,India. ABSTRACT-Flow Control Packet Marking Scheme is a

More information

A hybrid IP Trace Back Scheme Using Integrate Packet logging with hash Table under Fixed Storage

A hybrid IP Trace Back Scheme Using Integrate Packet logging with hash Table under Fixed Storage Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 2, Issue. 12, December 2013,

More information

Prof. N. P. Karlekar Project Guide Dept. computer Sinhgad Institute of Technology

Prof. N. P. Karlekar Project Guide Dept. computer Sinhgad Institute of Technology Volume 4, Issue 7, July 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com Advance Deterministic

More information

Detecting Distributed Denial of Service (DDoS) Attacks Through Inductive Learning

Detecting Distributed Denial of Service (DDoS) Attacks Through Inductive Learning Detecting Distributed Denial of Service (DDoS) Attacks Through Inductive Learning Sanguk Noh 1, Cheolho Lee 2, Kyunghee Choi 2, Gihyun Jung 3 1 School of Computer Science and information Engineering, The

More information

DESIGN AND DEVELOPMENT OF MAC LAYER BASED DEFENSE ARCHITECTURE FOR ROQ ATTACKS IN WLAN

DESIGN AND DEVELOPMENT OF MAC LAYER BASED DEFENSE ARCHITECTURE FOR ROQ ATTACKS IN WLAN ------------------- CHAPTER 4 DESIGN AND DEVELOPMENT OF MAC LAYER BASED DEFENSE ARCHITECTURE FOR ROQ ATTACKS IN WLAN In this chapter, MAC layer based defense architecture for RoQ attacks in Wireless LAN

More information

Worldwide Detection of Denial of Service (DoS) Attacks

Worldwide Detection of Denial of Service (DoS) Attacks Worldwide Detection of Denial of Service (DoS) Attacks David Moore, Geoff Voelker and Stefan Savage August 15, 2001 dmoore @ caida.org www.caida.org Outline The Backscatter Analysis Technique Observations

More information

ANALYSIS AND EVALUATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS IDENTIFICATION METHODS

ANALYSIS AND EVALUATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS IDENTIFICATION METHODS ANALYSIS AND EVALUATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS IDENTIFICATION METHODS Saulius Grusnys, Ingrida Lagzdinyte Kaunas University of Technology, Department of Computer Networks, Studentu 50,

More information

Detecting Distributed Denial-of-Service Attacks by analyzing TCP SYN packets statistically

Detecting Distributed Denial-of-Service Attacks by analyzing TCP SYN packets statistically Detecting Distributed Denial-of-Service Attacks by analyzing TCP SYN packets statistically Yuichi Ohsita Graduate School of Information Science and Technology, Osaka University 1-3 Machikaneyama, Toyonaka,

More information

Configuring attack detection and prevention 1

Configuring attack detection and prevention 1 Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack

More information

INTERNATIONAL JOURNAL OF COMPUTER ENGINEERING & TECHNOLOGY (IJCET)

INTERNATIONAL JOURNAL OF COMPUTER ENGINEERING & TECHNOLOGY (IJCET) INTERNATIONAL JOURNAL OF COMPUTER ENGINEERING & TECHNOLOGY (IJCET) Proceedings of the 2 nd International Conference on Current Trends in Engineering and Management ICCTEM -2014 ISSN 0976 6367(Print) ISSN

More information

Multivariate Correlation Analysis based detection of DOS with Tracebacking

Multivariate Correlation Analysis based detection of DOS with Tracebacking 1 Multivariate Correlation Analysis based detection of DOS with Tracebacking Jasheeda P Student Department of CSE Kathir College of Engineering Coimbatore jashi108@gmail.com T.K.P.Rajagopal Associate Professor

More information

Controlling High Bandwidth Aggregates in the Network

Controlling High Bandwidth Aggregates in the Network Controlling High Bandwidth Aggregates in the Network Ratul Mahajan, Steven M. Bellovin, Sally Floyd, John Ioannidis, Vern Paxson, and Scott Shenker ICSI Center for Internet Research (ICIR) AT&T Labs Research

More information

A Rate-Limiting System to Mitigate Denial of Service Attacks

A Rate-Limiting System to Mitigate Denial of Service Attacks Emmanuel Guiton TKK:n Tietoverkkolaboratorio Instructor: L.Sc. Jarmo Mölsä Supervisor: Prof. Jorma Jormakka A Rate-Limiting System to Mitigate Denial of Service Attacks Contents Overall information Intents

More information

Survey of Several IP Traceback Mechanisms and Path Reconstruction

Survey of Several IP Traceback Mechanisms and Path Reconstruction Available online at www.worldscientificnews.com WSN 40 (2016) 12-22 EISSN 2392-2192 Survey of Several IP Traceback Mechanisms and Path Reconstruction Dr. M. Newlin Rajkumar 1,a, R. Amsarani 2,b, M. U.

More information

Data Sheet. DPtech Anti-DDoS Series. Overview. Series

Data Sheet. DPtech Anti-DDoS Series. Overview. Series Data Sheet DPtech Anti-DDoS Series DPtech Anti-DDoS Series Overview DoS (Denial of Service) leverage various service requests to exhaust victims system resources, causing the victim to deny service to

More information

DDOS Attack Prevention Technique in Cloud

DDOS Attack Prevention Technique in Cloud DDOS Attack Prevention Technique in Cloud Priyanka Dembla, Chander Diwaker CSE Department, U.I.E.T Kurukshetra University Kurukshetra, Haryana, India Email: priyankadembla05@gmail.com Abstract Cloud computing

More information

Low-rate and High-rate Distributed DoS Attack Detection Using Partial Rank Correlation

Low-rate and High-rate Distributed DoS Attack Detection Using Partial Rank Correlation Low-rate and High-rate Distributed DoS Attack Detection Using Partial Rank Correlation Monowar H. Bhuyan and Abhishek Kalwar Dept. of Computer Science & Engg. Kaziranga University, Jorhat-785006, Assam

More information

A Study on Intrusion Detection Techniques in a TCP/IP Environment

A Study on Intrusion Detection Techniques in a TCP/IP Environment A Study on Intrusion Detection Techniques in a TCP/IP Environment C. A. Voglis and S. A. Paschos Department of Computer Science University of Ioannina GREECE Abstract: The TCP/IP protocol suite is the

More information

Clustering-Based Distributed Precomputation for Quality-of-Service Routing*

Clustering-Based Distributed Precomputation for Quality-of-Service Routing* Clustering-Based Distributed Precomputation for Quality-of-Service Routing* Yong Cui and Jianping Wu Department of Computer Science, Tsinghua University, Beijing, P.R.China, 100084 cy@csnet1.cs.tsinghua.edu.cn,

More information

Attack Prevention Technology White Paper

Attack Prevention Technology White Paper Attack Prevention Technology White Paper Keywords: Attack prevention, denial of service Abstract: This document introduces the common network attacks and the corresponding prevention measures, and describes

More information

Basic Concepts in Intrusion Detection

Basic Concepts in Intrusion Detection Technology Technical Information Services Security Engineering Roma, L Università Roma Tor Vergata, 23 Aprile 2007 Basic Concepts in Intrusion Detection JOVAN GOLIĆ Outline 2 Introduction Classification

More information

Markov Chain Modelling of the Probabilistic Packet Marking Algorithm

Markov Chain Modelling of the Probabilistic Packet Marking Algorithm International Journal of Network Security, Vol5, No1, PP32 40, July 2007 32 Markov Chain Modelling of the Probabilistic Packet Marking Algorithm Tsz-Yeung Wong, John Chi-Shing Lui, and Man-Hon Wong (Corresponding

More information

Controlling High Bandwidth Aggregates in the Network

Controlling High Bandwidth Aggregates in the Network Controlling High Bandwidth Aggregates in the Network Ratul Mahajan, Steven M. Bellovin, Sally Floyd, John Ioannidis, Vern Paxson, and Scott Shenker ICSI Center for Internet Research (ICIR) AT&T Labs Research

More information

Application Presence Fingerprinting for NAT-Aware Router

Application Presence Fingerprinting for NAT-Aware Router Application Presence Fingerprinting for NAT-Aware Router Jun Bi, Lei Zhao, and Miao Zhang Network Research Center, Tsinghua University Beijing, P.R. China, 100084 junbi@cernet.edu.cn Abstract. NAT-aware

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 19: Intrusion Detection Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Intruders Intrusion detection host-based network-based

More information

Enhancing the Reliability and Accuracy of Passive IP Traceback using Completion Condition

Enhancing the Reliability and Accuracy of Passive IP Traceback using Completion Condition Enhancing the Reliability and Accuracy of Passive IP Traceback using Completion Condition B.Abhilash Reddy 1, P.Gangadhara 2 M.Tech Student, Dept. of CSE, Shri Shiridi Sai Institute of Science and Engineering,

More information

A proposal of a countermeasure method against DNS amplification attacks using distributed filtering by traffic route changing

A proposal of a countermeasure method against DNS amplification attacks using distributed filtering by traffic route changing A proposal of a countermeasure method against DNS amplification attacks using distributed filtering by traffic route changing Yuki Katsurai *, Yoshitaka Nakamura **, and Osamu Takahashi ** * Graduate School

More information

Single Packet IP Traceback in AS-level Partial Deployment Scenario

Single Packet IP Traceback in AS-level Partial Deployment Scenario Single Packet IP Traceback in AS-level Partial Deployment Scenario Chao Gong, Trinh Le, Turgay Korkmaz, Kamil Sarac Department of Computer Science, University of Texas at San Antonio 69 North Loop 64 West,

More information

Xiang, Yang and Zhou, Wanlei 2005, Mark-aided distributed filtering by using neural network for DDoS defense, in GLOBECOM '05 : IEEE Global

Xiang, Yang and Zhou, Wanlei 2005, Mark-aided distributed filtering by using neural network for DDoS defense, in GLOBECOM '05 : IEEE Global Xiang, Yang and Zhou, Wanlei 25, Mark-aided distributed filtering by using neural network for DDoS defense, in GLOBECOM '5 : IEEE Global Telecommunications Conference, 28 November-2 December 25 St. Louis,

More information

A SYSTEM FOR DETECTION AND PRVENTION OF PATH BASED DENIAL OF SERVICE ATTACK

A SYSTEM FOR DETECTION AND PRVENTION OF PATH BASED DENIAL OF SERVICE ATTACK A SYSTEM FOR DETECTION AND PRVENTION OF PATH BASED DENIAL OF SERVICE ATTACK P.Priya 1, S.Tamilvanan 2 1 M.E-Computer Science and Engineering Student, Bharathidasan Engineering College, Nattrampalli. 2

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 8 Denial of Service First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Denial of Service denial of service (DoS) an action

More information

IP Traceback Based on Chinese Remainder Theorem

IP Traceback Based on Chinese Remainder Theorem IP Traceback Based on Chinese Remainder Theorem LIH-CHYAU WUU a, CHI-HSIANG HUNG b AND JYUN-YAN YANG a a Department of Computer Science and Information Engineering National Yunlin University of Science

More information

Rob Sherwood Bobby Bhattacharjee Ryan Braud. University of Maryland. Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.

Rob Sherwood Bobby Bhattacharjee Ryan Braud. University of Maryland. Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p. Rob Sherwood Bobby Bhattacharjee Ryan Braud University of Maryland UCSD Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.1 Sender Receiver Sender transmits packet 1:1461 Time Misbehaving

More information

Victim-Assisted Mitigation Technique for TCP-Based Reflector DDoS Attacks

Victim-Assisted Mitigation Technique for TCP-Based Reflector DDoS Attacks Victim-Assisted Mitigation Technique for TCP-Based Reflector DDoS Attacks Basheer Al-Duwairi and G. Manimaran Department of Electrical and Computer Engineering, Iowa State University, Ames, IA 50011, USA

More information

Correlation Based Approach with a Sliding Window Model to Detect and Mitigate Ddos Attacks

Correlation Based Approach with a Sliding Window Model to Detect and Mitigate Ddos Attacks Journal of Computer Science Original Research Paper Correlation Based Approach with a Sliding Window Model to Detect and Mitigate Ddos Attacks 1 Ayyamuthukumar, D. and 2 S. Karthik 1 Department of CSE,

More information

Chapter 16 Attack Mitigation and Countermeasures

Chapter 16 Attack Mitigation and Countermeasures Chapter 16 Attack Mitigation and Countermeasures Defense techniques TCP SYN flood, ICMP/UDP flood IP address spoofing and traceback Firewalls [NetSec], WS 2010/2011 16.1 Defense Taxonomy Source: [Mircovic2004]

More information

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2016 www.cs.cmu.edu/~prs/15-441-f16 Yes: Creating a secure channel for communication (Part I) Protecting

More information

Denial of Service, Traceback and Anonymity

Denial of Service, Traceback and Anonymity Purdue University Center for Education and Research in Information Assurance and Security Denial of Service, Traceback and Anonymity Clay Shields Assistant Professor of Computer Sciences CERIAS Network

More information

An Extension to Packet Filtering of Programmable Networks

An Extension to Packet Filtering of Programmable Networks An Extension to Packet Filtering of Programmable Networks Marcus Schöller, Thomas Gamer, Roland Bless, and Martina Zitterbart Institut für Telematik Universität Karlsruhe (TH), Germany Keywords: Programmable

More information

Denial of Service and Distributed Denial of Service Attacks

Denial of Service and Distributed Denial of Service Attacks Denial of Service and Distributed Denial of Service Attacks Objectives: 1. To understand denial of service and distributed denial of service. 2. To take a glance about DoS techniques. Distributed denial

More information

DoS Attacks. Network Traceback. The Ultimate Goal. The Ultimate Goal. Overview of Traceback Ideas. Easy to launch. Hard to trace.

DoS Attacks. Network Traceback. The Ultimate Goal. The Ultimate Goal. Overview of Traceback Ideas. Easy to launch. Hard to trace. DoS Attacks Network Traceback Eric Stone Easy to launch Hard to trace Zombie machines Fake header info The Ultimate Goal Stopping attacks at the source To stop an attack at its source, you need to know

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2011 CS 161 Computer Security Homework 4 Due: Monday May 2, at 11:59pm Instructions. Submit your solution electronically via your class account by Monday May 2, at 11:59pm. You should upload

More information

network security s642 computer security adam everspaugh

network security s642 computer security adam everspaugh network security s642 adam everspaugh ace@cs.wisc.edu computer security today Announcement: HW3 to be released WiFi IP, TCP DoS, DDoS, prevention 802.11 (wifi) STA = station AP = access point BSS = basic

More information

A Four-Step Technique for Tackling DDoS Attacks

A Four-Step Technique for Tackling DDoS Attacks Available online at www.sciencedirect.com Procedia Computer Science 10 (2012 ) 507 516 The 3 rd International Conference on Ambient Systems, Networks and Technologies (ANT-2012) A Four-Step Technique for

More information

Combining Cross-Correlation and Fuzzy Classification to Detect Distributed Denial-of-Service Attacks*

Combining Cross-Correlation and Fuzzy Classification to Detect Distributed Denial-of-Service Attacks* Combining Cross-Correlation and Fuzzy Classification to Detect Distributed Denial-of-Service Attacks* Wei Wei 1, Yabo Dong 1, Dongming Lu 1, and Guang Jin 2 1 College of Compute Science and Technology,

More information

Interactive Informatics on Internet Infrastructure

Interactive Informatics on Internet Infrastructure Interactive Informatics on Internet Infrastructure F. Zhao, V. R. Vemuri, S. F. Wu Department of Computer Science University of California, Davis {fanzhao, rvemuri, sfwu}@ucdavis.edu F. Xue, S. J. B. Yoo

More information

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing. R (2) N (5) Oral (3) Total (10) Dated Sign Experiment No: 1 Problem Definition: Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing. 1.1 Prerequisite:

More information

An study of the concepts necessary to create, as well as the implementation of, a flexible data processing and reporting engine for large datasets.

An study of the concepts necessary to create, as well as the implementation of, a flexible data processing and reporting engine for large datasets. An study of the concepts necessary to create, as well as the implementation of, a flexible data processing and reporting engine for large datasets. Ignus van Zyl 1 Statement of problem Network telescopes

More information

CSC 574 Computer and Network Security. TCP/IP Security

CSC 574 Computer and Network Security. TCP/IP Security CSC 574 Computer and Network Security TCP/IP Security Alexandros Kapravelos kapravelos@ncsu.edu (Derived from slides by Will Enck and Micah Sherr) Network Stack, yet again Application Transport Network

More information

Dixit Verma Characterization and Implications of Flash Crowds and DoS attacks on websites

Dixit Verma Characterization and Implications of Flash Crowds and DoS attacks on websites Characterization and Implications of Flash Crowds and DoS attacks on websites Dixit Verma Department of Electrical & Computer Engineering Missouri University of Science and Technology dv6cb@mst.edu 9 Feb

More information

9. Security. Safeguard Engine. Safeguard Engine Settings

9. Security. Safeguard Engine. Safeguard Engine Settings 9. Security Safeguard Engine Traffic Segmentation Settings Storm Control DoS Attack Prevention Settings Zone Defense Settings SSL Safeguard Engine D-Link s Safeguard Engine is a robust and innovative technology

More information

/04/$ IEEE

/04/$ IEEE A Round-Trip Time-Based Prevention Technique to Secure LEO Satellite Networks from Denial-of-Service Attacks Tarik Taleb, Nei Kato, and Yoshiaki Nemoto Graduate School of Information Sciences - Tohoku

More information

Impact of End-to-end QoS Connectivity on the Performance of Remote Wireless Local Networks

Impact of End-to-end QoS Connectivity on the Performance of Remote Wireless Local Networks Impact of End-to-end QoS Connectivity on the Performance of Remote Wireless Local Networks Veselin Rakocevic School of Engineering and Mathematical Sciences City University London EC1V HB, UK V.Rakocevic@city.ac.uk

More information

Aparna Rani Dept. of Computer Network Engineering Poojya Doddappa Appa College of Engineering Kalaburagi, Karnataka, India

Aparna Rani Dept. of Computer Network Engineering Poojya Doddappa Appa College of Engineering Kalaburagi, Karnataka, India Capturing the Origins of IP Spoofers Using Passive IP Traceback Aparna Rani Dept. of Computer Network Engineering Poojya Doddappa Appa College of Engineering Kalaburagi, Karnataka, India aparna.goura@gmail.com

More information

VFence: A Defense against Distributed Denial of Service Attacks using Network Function Virtualization

VFence: A Defense against Distributed Denial of Service Attacks using Network Function Virtualization 2016 IEEE 40th Annual Computer Software and Applications Conference VFence: A Defense against Distributed Denial of Service Attacks using Network Function Virtualization A H M Jakaria, Wei Yang, Bahman

More information

Detecting IP Spoofing by Modelling History of IP Address Entry Points

Detecting IP Spoofing by Modelling History of IP Address Entry Points Detecting IP Spoofing by Modelling History of IP Address Entry Points Michal Kováčik 1,MichalKajan 1,andMartinŽádník2 1 IT4Innovations Centre of Excellence Faculty of Information Technology Brno University

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 18: Network Attacks Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Network attacks denial-of-service (DoS) attacks SYN

More information

A SOURCE-END DEFENSE SYSTEM AGAINST DDOS ATTACKS

A SOURCE-END DEFENSE SYSTEM AGAINST DDOS ATTACKS Chapter 10 A SOURCE-END DEFENSE SYSTEM AGAINST DDOS ATTACKS Fu-Yuan Lee Department of Computer Science and Information Engineering, National Chiao Tung University. Hsinchu, Taiwan 300 Shiuhpyng Shieh Department

More information

MITIGATION OF DENIAL OF SERVICE ATTACK USING ICMP BASED IP TRACKBACK. J. Gautam, M. Kasi Nivetha, S. Anitha Sri and P. Madasamy

MITIGATION OF DENIAL OF SERVICE ATTACK USING ICMP BASED IP TRACKBACK. J. Gautam, M. Kasi Nivetha, S. Anitha Sri and P. Madasamy MITIGATION OF DENIAL OF SERVICE ATTACK USING ICMP BASED IP TRACKBACK J. Gautam, M. Kasi Nivetha, S. Anitha Sri and P. Madasamy Department of Information Technology, Velammal College of Engineering and

More information

DDoS and Traceback 1

DDoS and Traceback 1 DDoS and Traceback 1 Denial-of-Service (DoS) Attacks (via Resource/bandwidth consumption) malicious server legitimate Tecniche di Sicurezza dei Sistemi 2 TCP Handshake client SYN seq=x server SYN seq=y,

More information

DDoS PREVENTION TECHNIQUE

DDoS PREVENTION TECHNIQUE http://www.ijrst.com DDoS PREVENTION TECHNIQUE MADHU MALIK ABSTRACT A mobile ad hoc network (MANET) is a spontaneous network that can be established with no fixed infrastructure. This means that all its

More information

ELEC5616 COMPUTER & NETWORK SECURITY

ELEC5616 COMPUTER & NETWORK SECURITY ELEC5616 COMPUTER & NETWORK SECURITY Lecture 17: Network Protocols I IP The Internet Protocol (IP) is a stateless protocol that is used to send packets from one machine to another using 32- bit addresses

More information

Various Anti IP Spoofing Techniques

Various Anti IP Spoofing Techniques Various Anti IP Spoofing Techniques Sonal Patel, M.E Student, Department of CSE, Parul Institute of Engineering & Technology, Vadodara, India Vikas Jha, Assistant Professor, Department of CSE, Parul Institute

More information

A Network Coding Approach to IP Traceback

A Network Coding Approach to IP Traceback A Network Coding Approach to IP Traceback Pegah Sattari, Minas Gjoka, Athina Markopoulou University of California, Irvine {psattari, mgjoka, athina}@uci.edu Abstract Traceback schemes aim at identifying

More information

Towards Traffic Anomaly Detection via Reinforcement Learning and Data Flow

Towards Traffic Anomaly Detection via Reinforcement Learning and Data Flow Towards Traffic Anomaly Detection via Reinforcement Learning and Data Flow Arturo Servin Computer Science, University of York aservin@cs.york.ac.uk Abstract. Protection of computer networks against security

More information

Detecting DDoS Attacks Using Dispersible Traffic Matrix and Weighted Moving Average

Detecting DDoS Attacks Using Dispersible Traffic Matrix and Weighted Moving Average Detecting DDoS Attacks Using Dispersible Traffic Matrix and Weighted Moving Average Tae Hwan Kim 1, Dong Seong Kim 2, Sang Min Lee 1, and Jong Sou Park 1 1 Dept. of Computer Engineering, Korea Aerospace

More information

DDoS Attacks Detection Using GA based Optimized Traffic Matrix

DDoS Attacks Detection Using GA based Optimized Traffic Matrix 2011 Fifth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing DDoS Attacks Detection Using GA based Optimized Traffic Matrix Je Hak Lee yitsup2u@gmail.com Dong

More information

A Novel DDoS Attack Defending Framework with Minimized Bilateral Damages

A Novel DDoS Attack Defending Framework with Minimized Bilateral Damages A Novel DDoS Attack Defending Framework with Minimized Bilateral Damages Yu Chen*, Wei-Shinn Ku, Kazuya Sakai, Christopher DeCruze Dept. of Electrical & Computer Engineering, SUNY - Binghamton, Binghamton,

More information