Distributed Denial-of-Service Attack Prevention using Route-Based Distributed Packet Filtering. Heejo Lee

Similar documents
On the Effectiveness of Route-Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY

Single Packet IP Traceback in AS-level Partial Deployment Scenario

A hybrid IP Trace Back Scheme Using Integrate Packet logging with hash Table under Fixed Storage

An Authentication Based Source Address Spoofing Prevention Method Deployed in IPv6 Edge Network

Denial of Service, Traceback and Anonymity

TRACEBACK OF DOS OVER AUTONOMOUS SYSTEMS

Denial of Service. EJ Jung 11/08/10

DDoS and Traceback 1

Enhancing the Reliability and Accuracy of Passive IP Traceback using Completion Condition

Spoofer Location Detection Using Passive Ip Trace back

Denial of Service (DoS) attacks and countermeasures

Distributed Denial of Service (DDoS)

Denial of Service. Serguei A. Mokhov SOEN321 - Fall 2004

NISCC Technical Note 06/02: Response to Distributed Denial of Service (DDoS) Attacks

Prof. N. P. Karlekar Project Guide Dept. computer Sinhgad Institute of Technology

A Survey on Different IP Traceback Techniques for finding The Location of Spoofers Amruta Kokate, Prof.Pramod Patil

A Framework for Optimizing IP over Ethernet Naming System

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Masafumi OE Youki Kadobayashi Suguru Yamaguchi Nara Institute Science and Technology, JAPAN

SIMULATION OF THE COMBINED METHOD

Correlation Based Approach with a Sliding Window Model to Detect and Mitigate Ddos Attacks

DENIAL OF SERVICE ATTACKS

CSE 565 Computer Security Fall 2018

IP Traceback Based on Chinese Remainder Theorem

Unicast Reverse Path Forwarding Loose Mode

International Journal of Scientific & Engineering Research, Volume 7, Issue 12, December ISSN

INTERNATIONAL JOURNAL OF COMPUTER ENGINEERING & TECHNOLOGY (IJCET)

Mitigating IP Spoofing by Validating BGP Routes Updates

MITIGATION OF DENIAL OF SERVICE ATTACK USING ICMP BASED IP TRACKBACK. J. Gautam, M. Kasi Nivetha, S. Anitha Sri and P. Madasamy

Aparna Rani Dept. of Computer Network Engineering Poojya Doddappa Appa College of Engineering Kalaburagi, Karnataka, India

MIB-ITrace-CP: An Improvement of ICMP-Based Traceback Efficiency in Network Forensic Analysis

A Novel Packet Marking Scheme for IP Traceback

Single Packet ICMP Traceback Technique using Router Interface

IP traceback through (authenticated) deterministic flow marking: an empirical evaluation

PERFORMANCE EVALUATION OF ROUTE-BASED DISTRIBUTED PACKET FILTERING FOR DDOS PREVENTION IN LARGE-SCALE NETWORKS. A Thesis. Submitted to the Faculty

RETRIEVAL OF DATA IN DDoS ATTACKS BY TRACKING ATTACKERS USING NODE OPTIMIZATION TECHNIQUE

Your projected and optimistically projected grades should be in the grade center soon o Projected: Your current weighted score /30 * 100

ICMP Traceback Messages

Survey of Several IP Traceback Mechanisms and Path Reconstruction

DoS Attacks. Network Traceback. The Ultimate Goal. The Ultimate Goal. Overview of Traceback Ideas. Easy to launch. Hard to trace.

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

Analysis. Group 5 Mohammad Ahmad Ryadh Almuaili

Design and Simulation Implementation of an Improved PPM Approach

Comparative Study of IP Trace back Techniques

EE 122: Network Security

Internet level Traceback System for Identifying the Locations of IP Spoofers from Path Backscatter

A New Mechanism For Approach of IP Spoofers: Passive IP Traceback Using Backscatter Messages

Keywords MANET, DDoS, Floodingattack, Pdr.

Detection of Spoofing Attacks Using Intrusive Filters For DDoS

The Spoofer Project Inferring the Extent of Source Address Filtering on the Internet

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Forensic Analysis for Epidemic Attacks in Federated Networks

Distributed Denial of Service

Novel Hybrid Schemes Employing Packet Marking and Logging for IP Traceback. Basheer Al-Duwairi, Member, IEEE, and G. Manimaran, Member, IEEE

Denial of Service and Distributed Denial of Service Attacks

Network Policy Enforcement

A Precise and Practical IP Traceback Technique Based on Packet Marking and Logging *

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

StackPi: New Packet Marking and Filtering Mechanisms for DDoS and IP Spoofing Defense

Chapter 7. Denial of Service Attacks

A New Path for Reconstruction Based on Packet Logging & Marking Scheme

What are attackers after? Distributed Denial of Service and information flow, if time. How disaster strikes. Steal money. Use computer resources

Markov Chain Modeling of the Probabilistic Packet Marking Algorithm

POSSIBLE INTRUSIONS IP TRACE-BACK IN CLOUD COMPUTING ENVIRONMENT

IP TRACEBACK (PIT): A NOVEL PARADIGM TO CATCH THE IP SPOOFERS

An IP Traceback using Packet Logging & Marking Schemes for Path Reconstruction

AS Connectedness Based on Multiple Vantage Points and the Resulting Topologies

ABSTRACT. in defeating Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks.

A General Model of Probabilistic Packet Marking for IP Traceback

Chapter 10: Denial-of-Services

(Submit to Bright Internet Global Summit - BIGS)

A Lightweight IP Traceback Mechanism on IPv6

DDoS defense mechanisms: a state of the art research

A Novel Approach to Denial-of-Service Attack Detection with Tracebacking

A Probabilistic Packet Marking scheme with LT Code for IP Traceback

ABSTRACT. A network is an architecture with a lot of scope for attacks. The rise in attacks has been

An Investigation about the Simulation of IP Traceback and Various IP Traceback Strategies

Routing Security* CSE598K/CSE545 - Advanced Network Security Prof. McDaniel - Spring * Thanks to Steve Bellovin for slide source material.

On deterministic packet marking

On IPv6 Traceback. obaidgnetworking.khu.ac.kr,cshonggkhu.ac.kr. highlights the related works; Section 3 will give an overview

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Security+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks

Network Data Streaming A Computer Scientist s Journey in Signal Processing

IP Spoof Prevented Technique to Prevent IP Spoofed Attack

Enhancing Probabilistic Packet Marking by Integrating Dynamic Probability and Time to Live (TTL) Clustering

AN UNIQUE SCHEME FOR DETECTING IP SPOOFERS USING PASSIVE IP TRACEBACK

Packet track and traceback mechanism against denial of service attacks

The Internet is not always a friendly place In fact, hosts on the Internet are under constant attack How to deal with this is a large topic

DDOS Attack Prevention Technique in Cloud

IP TRACEBACK Scenarios. By Tenali. Naga Mani & Jyosyula. Bala Savitha CSE Gudlavalleru Engineering College. GJCST-E Classification : C.2.

On Design and Evaluation of Intention-Driven ICMP Traceback

Topic 3 part 2 Traffic analysis; Routing Attacks &Traffic Redirection Fourth Stage

An Efficient and Practical Defense Method Against DDoS Attack at the Source-End

A SECURITY FRAMEWORK BASED ON FLOW MARKING IP-TRACEBACK TECHNIQUES

Artificial Neural Network To Detect Know And Unknown DDOS Attack

Security for SIP-based VoIP Communications Solutions

Experience with SPM in IPv6

Realizing a Source Authentic Internet

To Filter or to Authorize: Network-Layer DoS Defense against Multimillion-node Botnets. Xiaowei Yang Duke Unversity

Transcription:

CERIAS Security Seminar Jan. 17, 2001 Distributed Denial-of-Service Attack Prevention using Route-Based Distributed Packet Filtering Heejo Lee heejo@cerias.purdue.edu Network Systems Lab and CERIAS This is joint work with Prof. Kihong Park. Introduction to Denial-of-Service (DoS) attacks Related works and research motivation Route-based distributed packet filtering Effectiveness for DDoS attack prevention Concluding remarks 2/40 1

Attacker Server Normal User Overwhelming of fake requests consumes all resources on a server or network! 3/40 DoS Attack Style Demanding more resources than the target system can supply Network-based DoS attacks with IP spoofing Launching a distributed DoS (DDoS) attack DoS Attack Impact Complete shutdown a web site. Yahoo, CNN, Amazon, ebay (Feb. 2000) The greatest threat in e-commerce. 4/40 2

2000 Information Security Industry Survey, Sep. 2000 51% companies experienced DoS attacks. Top 10 Security Stories of 2000, ZDNet News, Dec. 2000 No.1 and No.2 stories are related to DoS. New Year s DDoS Advisory, NIPC, Dec. 2000 More effective DDoS exploits have been developed. Trin00,Tribal Flood Net, TFN2K,MStream, Stacheldraht, Trinity V3, Shaft, Godswrath 5/40 Vulnerability Any system is susceptible to DoS attacks. Traceback Problem IP spoofing enables an attacker to hide his identity. Easy to attack, hard to protect! 6/40 3

Resource management Mitigating the impact on a victim [Schuba97, Banga99]. Does not eliminate the problem. Edge filtering Ingress filtering in border gateways [Ferguson00]. Requires prolonged period for broad deployment. IP traceback Trace back to the origin of the attacking source. Recently a few approaches have been proposed: Traffic analysis,icmp trace messages, packet marking. 7/40 Traffic analysis [Sager98] Trace via traffic logs at routers High storage and processing overhead ICMP traceback messages [Bellovin00] IETF itrace working group Extra traffic and authentication problem Probabilistic packet marking [Savage00] Probabilistically inscribe trace information on a packet Efficient and implementable 8/40 4

s v 1 v 2 s v 1 v 3 t v 2 v 3 t Router v i inscribes (v i-1,v i ) onto a packet with probability p. Attack path reconstruction 9/40 Probabilistic packet marking (PPM) Merits Probabilistically inscribe its local path information Use constant space in the packet header Reconstruct the attack path with high probability Efficiency and implementability Weaknesses Marking field spoofing problem 10/40 5

s s Attack path v 1 v 2 Forged path v 3 t s v 1 v 2 v 3 s t An attacker can use fake marking to forge a path that is equally likely as the true attack path. Reconstructed attack path 11/40 Analysis under marking field spoofing: Single source attacks Effective localization to within 2~5 sites. Distributed attacks Uncertainty amplification on DDoS. Further information Park and Lee, Tech. Rep. CSD-00-013, Purdue University, which will be presented at IEEE INFOCOM 2001. http://www.cs.purdue.edu/nsl/ppm-tech.ps 12/40 6

Resource Ingress Manage Filtering Traffic Analysis ICMP Messages PPM DPF Cost O Deployment O O O Traceback O O O O Protection O Scalability O : poor, : good, O: excellent 13/40 Weaknesses of IP Traceback Mechanisms Post-mortem: debilitating effect before corrective actions Bad scalability: susceptible to DDoS Demand for DDoS protection Find a protective and incrementally deployable approach 14/40 7

Packet filtering using routing information Filter spoofed packets traveling unexpected routes from their specified addresses. Distributed filtering Collective filtering on autonomous systems (AS). 15/40 1 0 2 3 5 4 6 7 8 9 Routing path of node 2 Attack with node 2 address 16/40 8

1 0 2 3 5 4 6 7 8 9 Routing paths from node 2 G: network topology T: filtering nodes R: routing policies F: filtering function 17/40 AS Connectivity Graph G(V,E) V: a set of nodes, where a node is an AS. V =n. E: a set of links in G. Node Type T-node: a set of filtering nodes. Filter internal traffic as well as incoming traffic U-node: a set of nodes without filtering. V = T U 18/40 9

Routing (R) R(u,v) L(u,v) where L(u,v) is set of all loop-free paths from u to v. Routing Policies Tight: single shortest-path routing, R(u,v) = 1. Multipath: multiple routing paths, 1 < R(u,v) < L(u,v). Loose: any loop-free path routing, R(u,v) = L(u,v). 19/40 Filter for a link e A function of a source and a destination Route-based filters F e Maximal filter Semi-maximal filter : V 2 {0,1} 20/40 10

Maximal filter Use of all (src/dst) pairs of routing paths. Huge filtering table O(n 2 ), e.g., 4GB for 16bit AS s. Semi-maximal filter F e 0, if ( s, t) = 1, e R( s, t); otherwise. Use of only source addresses coming via the link. O(n), e.g., 8KB for all AS s. F e 0, ' ( s, t) = 1, if e R(s,v) for some otherwise. v V ; 21/40 BGP (Border Gateway Protocol) Routing Updates - Initiated by node 2 - Shortest path routing 1 0 2:2 2:2 2 2:2 2:2 3 2:3 2 5 4 2:4 3 2 2:5 2 2: 6 5 2 6 7 2: 6 5 2 After Completing BGP Updates from Every Nodes Routing Table of Node 2 0: 0 1:1 3:3 4: 3 4 5: 5 6: 5 6 Filtering Tables of Node 2 (0,2): 0111111111 (1,2): 1011111111 (3,2): 1110011111 (5,2): 1111100000 8 2: 7 6 5 2 9 0: allow 1: deny 22/40 11

Attack a:(s,t) Attacker at node a sends (s,t) packets to node t. Spoofing range S a,t attacker s point of view a set of nodes with which node a can send spoofed packets to node t. Candidate range C s,t victim s point of view a set of nodes which can send (s,t) packets. C s,t s (s,t) S a t a,t attacker victim 23/40 1 Attacker 0 2 6 F2 3 4 5 7 F1 8 9 Victim Routes to victim No filtering: S 1,9 ={0,1,2,3,4,5,6,7,8} Filtering at F1: S 1,9 ={0,1,2,3,4,5} Filtering at F1 and F2: S 1,9 ={1,2} 24/40 12

Topology G Internet AS connectivities from 1997~1999. Random topologies. Routing R Tight, multi-path routing policies. T-nodes T R30: 30 percent of nodes chosen randomly. R50: 50 percent of nodes chosen randomly. VC: a vertex cover of G(V,E). 25/40 VC of G(V,E) T=VC (u,v) E, u VC or v VC Any node in U has only T nodes as its neighbors. Finding a minimal VC NP-complete problem Two well-known algorithms used for finding a VC 26/40 13

Perfect proactivity { t : a V, S Φ1( τ ) = n { a : t V, S Φ2( τ ) = n a, t a, t τ Φ 1 (1): fraction of AS s safe from spoofing attack DDoS prevention Φ 2 (1): fraction of AS s from which no spoofed packets coming Attack volume reduction τ {( a, s, t): s S {( a, s, t): a C a, t Θ = = 2 2 n( n 1) n( n 1) Θ: penetrating ratio of spoofed packets s, t 27/40 Impractical perfect proactivity Φ 1 (1) 1 is hard to be achieved. Effective DDoS attack prevention Φ 2 (1) 0.88 renders most attack sites impotent. Significant attack volume reduction Θ 0 for random source addresses. 28/40 14

G: 1997 Internet connectivity (n=3015, E =5230) T: VC n R: Tight F: Semi-maximal Φ 1 (1) 1 is hard to achieve! Perfect proactivity is practically useless objective. 29/40 G: 1997~1999 Internet connectivity T: VC R: Tight F: Semi-maximal 1 0.9 0.8 0.7 0.6 F2 0.5 0.4 0.3 0.2 0.1 0 1997 1998 1999 DPF renders 88% of possible attack sites impotent: effectively curtail the ability to mount DDoS attacks. 30/40 15

Θ =0.0004 when T=VC 99.96% attack volume reduction Randomly generated spoofed address has almost zero chance to reach its target! 31/40 IP Traceback Capability Ψ ( τ ) = 1 { t : s V, C n s, t τ Localization: meaningful for τ greater than 1. Ψ 1 (5): fraction of AS s which can resolve the attack location to within 5 possible sites. 32/40 16

Traceback capability Ψ 1 (5)=1 for 1997~1999 AS connectivities Localization to within 5 possible sites Filtering out many spoofed flows allows source identification of an attack location. 33/40 Maximal filter requires quadratic space, but results in marginal enhancement of traceback capability. 34/40 17

Gradual reduction of traceback capability Ψ 1 (τ) 1 for =5~10 when the number of routing paths are 2~3. DPF is still effective on multi-path routing policies! 35/40 Benchmarking network topologies Internet AS connectivities from 1997-1999 Random graphs with link probability p Power-law connectivity by Inet generator Topological impacts Intimate relation to VC size and filtering performance Internet has good characteristics for DPF small VC and good performance 36/40 18

Small VC on Internet Vertex covering with 18% nodes Incremental deployment feasible 1997 Internet Connectivity - Red nodes are in VC 37/40 Random graph generation Connecting any two nodes with a link probability p. VC on random graphs requires 55% nodes. Lower performance with more T nodes. 38/40 19

Inet Generator (http://topology.eecs.umich.edu/) Generate a graph with power-law connectivity. VC on Inet graphs requires 32% nodes. Small VC has more effectiveness. 39/40 Distributed packet filtering Packet filtering mechanism using routing information Practicality Implementable with BGP Incrementally deployable Effectiveness Protection from DoS attacks Prevention from DDoS attacks Traceback capability 40/40 20

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback