Stratum Filtering for DDoS Resilient Clouds

Size: px

Start display at page:

Download "Stratum Filtering for DDoS Resilient Clouds"

Alisha Ashlee McGee
6 years ago
Views:

Stratum Filtering for DDoS Resilient Clouds Michael Waidner <michael.waidner@sit.fraunhofer.

1 Stratum Filtering for DDoS Resilient Clouds Michael Waidner Joint work with Amir Herzberg and Haya Shulman A CRISP Member 8rd ACM Cloud Computing Security Workshop Vienna, October 28 th, 2016

2 Outline Distributed Denial of Service (DDoS) General Concept of Stratum Filtering Stratum Filtering for DNS Stratum Filtering for Web Summary 2

3 Distributed Denial of Service (DDoS) Attacks Distributed Denial of Service (DDoS) attacks deplete resources of a victim, e.g., bandwidth, storage Reached 1Tbps in September 2016 Detrimental damages from DDoS attacks Financial losses, customer trust harmed, risk for critical infrastructure 60% of consumers abandon unavailable ecommerce sites >40K USD average losses per hour of a victimized website Typically DDoS attacks exploit botnets: FBI (2014) estimates >9B USD/a losses in USA, >110B USD/a worldwide 3

4 Distributed Denial of Service (DDoS) Attacks Bots Abuse Common Services for Attacks on Victims [1] Bots send to reflectors [2] Reflectors respond & amplify DDoD attacks involve multiple bots that send traffic to victim Typically bots used limited TCP/IP sockets, e.g., cannot follow up on responses Typically using reflectors, e.g., DNS, HTTP, NTP Some reflectors provide amplification More than 500M PCs are infected annually (= 18 per second) Also other Internet-connected devices (IP cameras, etc.) 4

Distributed Denial of Service (DDoS) Attacks Existing Defenses are Expensive and Limited Most Common Defenses Rate limiting Can be foiled with multiple / spoofed IPs Stratum Filtering eliminates

5 Distributed Denial of Service (DDoS) Attacks Existing Defenses are Expensive and Limited Most Common Defenses Rate limiting Can be foiled with multiple / spoofed IPs Stratum Filtering eliminates spoofed IPs Deep Packet Inspection Significant load on firewall, can be foiled with varying the payloads Stratum Filtering uses simple filtering only Rerouting through dedicated infrastructure Special network, expensive Stratum Filtering relies on existing general purpose clouds 5

6 Amplification Reflection DDoS Attacks Our Goal: Cloud-based Defenses Cloud Cloud offers many attractive properties Supports large traffic volumes Number of ingress / egress points Multiple IP addresses Different availability zones Automated migration Stratum Filtering Utilize cloud for DDoS defense Implement once, protect many Goal: Best adversary strategy is flooding the whole cloud Naive solutions don t work: attacker can flood the internal IP of victim service 6

7 Outline Distributed Denial of Service (DDoS) General Concept of Stratum Filtering Stratum Filtering for DNS Stratum Filtering for Web Summary 7

8 Concept of Stratum Filtering Stratum Filtering Aims at Eliminating Flooding Attacks X Request S X Request Real IP or Spoofed IP Limited TCP/IP funct. cannot followup on responses Stratum Filtering Request Protect Server S by introducing a proxy, checking that X is a standard-conforming client S is hidden from the attacker S 8

9 Concept of Stratum Filtering Stratum Filtering Aims at Eliminating Flooding Attacks X Request S X Small! Request Redirect w/ challenge C Request w/ challenge V Block of IP addresses [1] Eliminate spoofed IP by forcing sender to respond C is lightweight, minimal state Non-crypto networking challenge / response: X is redirected to random address (= response) [2] Eliminate guessing and exhausting challenge Monitor for many or unexpected requests [3] Eliminate intercepting and sharing challenge among bots Test for indications of shared challenge, i.e., originator(request) originator(request w/ challenge) Request S 9

10 Outline Distributed Denial of Service (DDoS) General Concept of Stratum Filtering Stratum Filtering for DNS Stratum Filtering for Web Summary 10

11 Stratum Filtering for Protection of DNS Servers foo.bar? foo.bar NS ns.sf.com ns.sf.com A w.y.z.α foo.bar? α [0,255] T[q,α] := src_ip If challenge-exhaust TCP If (T[q,α]) exists relay to nameserver If challenge-guess block / TCP w.y.z.0/24 ns.foo.bar X V S 1 3 C 2 foo.bar? DNS response DNS response 4 11

12 Detecting Shared Challenges: Typical DNS Resolution Platforms Use Mutiple IPs Our measurements show that most DNS resolution platforms use multiple IPs 50% of enterprise networks: >40 IPs 50% of ISP networks: >20 IPs 85% of open resolvers: >5 IPs Which IPs are used? Load balancers apply traffic dependent IP selection, e.g., round robin Our measurements indicate that all IP addresses participate 12

13 Stratum Filtering for Protection of DNS Servers foo.bar? foo.bar NS ns.sf.com ns.sf.com A w.y.z.α foo.bar? α [0,255] T[q,α] := src_ip If challenge-exhaust TCP If (T[q,α]) exists relay to nameserver If challenge-guess block / TCP w.y.z.0/24 ns.foo.bar X V S 1 3 C 2 foo.bar? DNS response DNS response 4 Resolution clusters vs attackers: 1 3 Real IP for receiving challenge Victim IP for reflection/amplification attack There is never an arrow from victim to attacker Prevents challenge-intercept attack 13

14 Outline Distributed Denial of Service (DDoS) General Concept of Stratum Filtering Stratum Filtering for DNS Stratum Filtering for Web Summary 14

15 Stratum Filtering for Protection of Web Servers X NS V S 1 C Firewall at IP(C) HTTP request HTTP redirect (status code 302) location header=ext_ip:ext_port HTTP request 2 4 Assign to ext_ip&ext_port Add rule for src_ip and IP-TTL ext_ip:ext_port in_ip:80 Rule: src_ip & IP-TTL if server:port mapping exists and if src_ip & IP-TTL relay HTTP request HTTP response HTTP response 6 15

16 Measuring IP-TTL Consistency IP-TTL limits the life time of packets in a network 8 bit with max value of 255 [RFC1700] recommends 64 Different OS-es start with different IP-TTL value Operating System Linux (kernel2.4/2.6) 64 FreeBSD 64 Android 64 MacOS 64 Initial IP-TTL We performed measurements of TTL consistency via ad-net Clients have stable IP TTLs Clients from different networks have distinct TTLs Windows XP, 7, Vista, Cisco (IOS 12.4)

17 Outline Distributed Denial of Service (DDoS) General Concept of Stratum Filtering Stratum Filtering for DNS Stratum Filtering for Web Summary 17

18 Summary Stratum Filtering Cloud-based concept for filtering DDoS Applied to DNS and HTTP Easy and cost-efficient implementation Three steps Eliminate flooding using spoofed IP via non-cryptographic network challenge/response Eliminate flooding using guessed challenges via efficient and non-intrusive filtering rules Eliminate attacks using sharing correctly obtained challenges within botnet. Identifying shared challenges depends on service, but can be achieved with efficient and non-intrusive filtering rules. 18

19 תודה רבה! Dank je well! Vielen Dank! Merci beaucoup! 谢谢 Thank you very much! Dziękuję! ありがとうございます شكرا لك 19

20 Prof. Dr. Michael Waidner Fraunhofer Institute for Secure Information Technology SIT Director Technische Universität Darmstadt Computer Science, Chair SIT Rheinstrasse 75, Darmstadt (Office) (Cell) 20

DNS Authentication-as-a-Service Preventing Amplification Attacks

DNS Authentication-as-a-Service Preventing Amplification Attacks Amir Herzberg Bar-Ilan University Haya Shulman Technische Universität Darmstadt Denial of Service Attacks: Statistics Reported bandwidths