Distributed Denial of Service

Similar documents
DDoS Attacks and Pushback

Your projected and optimistically projected grades should be in the grade center soon o Projected: Your current weighted score /30 * 100

Controlling High Bandwidth Aggregates in the Network

Controlling High Bandwidth Aggregates in the Network

Chapter 7. Denial of Service Attacks

CSE Computer Security (Fall 2006)

Distributed Denial of Service (DDoS)

CSE Computer Security

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

DDoS PREVENTION TECHNIQUE

Computer Security: Principles and Practice

Security+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks

A Rate-Limiting System to Mitigate Denial of Service Attacks

Network Security (and related topics)

DENIAL OF SERVICE ATTACKS

Next Week. Network Security (and related topics) Project 3 Q/A. Agenda. My definition of network security. Network Security.

What is Distributed Denial of Service (DDoS)?

COMPUTER NETWORK SECURITY

TO DETECT AND RECOVER THE AUTHORIZED CLI- ENT BY USING ADAPTIVE ALGORITHM

Denial of Service (DoS)

HighSpeed TCP for Large Congestion Windows draft-floyd-tcp-highspeed-00.txt

CS557: Queue Management

NETWORK SECURITY. Ch. 3: Network Attacks

Denial of Service. EJ Jung 11/08/10

The Protocols that run the Internet

NISCC Technical Note 06/02: Response to Distributed Denial of Service (DDoS) Attacks

CSE 565 Computer Security Fall 2018

DDoS and Traceback 1

Lecture 6: Worms, Viruses and DoS attacks. II. Relationships between Biological diseases and Computers Viruses/Worms

Denial of Service. Serguei A. Mokhov SOEN321 - Fall 2004

IPv6- IPv4 Threat Comparison v1.0. Darrin Miller Sean Convery

Congestion Control for High-Bandwidth-Delay-Product Networks: XCP vs. HighSpeed TCP and QuickStart

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Detection of Spoofing Attacks Using Intrusive Filters For DDoS

Distributed Denial of Service

A Proposal to add Explicit Congestion Notification (ECN) to IPv6 and to TCP

Basic NAT Example Security Recitation. Network Address Translation. NAT with Port Translation. Basic NAT. NAT with Port Translation

Forensic Analysis for Epidemic Attacks in Federated Networks

Denial of Service and Distributed Denial of Service Attacks

Check Point DDoS Protector Simple and Easy Mitigation

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

CNT Computer and Network Security: Denial of Service

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

On the State of the Inter-domain and Intra-domain Routing Security

Check Point DDoS Protector Introduction

International Journal of Scientific & Engineering Research, Volume 7, Issue 12, December ISSN

DDoS defense mechanisms: a state of the art research

Security in inter-domain routing

Distributed Denial-of-Service Attack Prevention using Route-Based Distributed Packet Filtering. Heejo Lee

Combining Speak-up with DefCOM for Improved DDoS Defense

Dan Boneh, John Mitchell, Dawn Song. Denial of Service

ICMP Traceback Messages

Enterprise D/DoS Mitigation Solution offering

Configuring attack detection and prevention 1

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1

A Survey of Defense Mechanisms Against DDoS Flooding A

SENSS Against Volumetric DDoS Attacks

Network Security. Tadayoshi Kohno

Cloudflare Advanced DDoS Protection

68% 63% 50% 25% 24% 20% 17% Credit Theft. DDoS. Web Fraud. Cross-site Scripting. SQL Injection. Clickjack. Cross-site Request Forgery.

Chapter 10: Denial-of-Services

Contents. Denial-of-Service Attacks. Flooding Attacks. Distributed Denial-of Service Attacks. Reflector Against Denial-of-Service Attacks

Security: Worms. Presenter: AJ Fink Nov. 4, 2004

Security in Mobile Ad-hoc Networks. Wormhole Attacks

Security Whitepaper. DNS Resource Exhaustion

Traffic Engineering with Forward Fault Correction

Routing and router security in an operator environment

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 9

StackPi: New Packet Marking and Filtering Mechanisms for DDoS and IP Spoofing Defense

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 9

Attack Prevention Technology White Paper

CS551 Router Queue Management

Jaal: Towards Network Intrusion Detection at ISP Scale

Cisco IOS Classic Firewall/IPS: Configuring Context Based Access Control (CBAC) for Denial of Service Protection

Communication Networks ( ) / Fall 2013 The Blavatnik School of Computer Science, Tel-Aviv University. Allon Wagner

Introduction to Security. Computer Networks Term A15

Internet Attacks and Defenses

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

DDoS Defense by Offense

Resources and Credits. Definition. Symptoms. Denial of Service 3/3/2010 COMP Information on Denial of Service attacks can

ConEx Concepts and Uses

To Filter or to Authorize: Network-Layer DoS Defense against Multimillion-node Botnets. Xiaowei Yang Duke Unversity

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY

Optimal Control of DDoS defense with Multi- Resource Max-min Fairness

Integrated and Differentiated Services. Christos Papadopoulos. CSU CS557, Fall 2017

DDoS: Coordinated Attacks Analysis

Basic Concepts in Intrusion Detection

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Network Security: Denial of Service (DoS) Tuomas Aura / Aapo Kalliola T Network security Aalto University, Nov-Dec 2011

Internet Indirection Infrastructure (i3)

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

Detecting and mitigating interest flooding attacks in content-centric network

Flashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities

Network Tomography-based Unresponsive Flow Detection and Control

BGP Security. Kevin s Attic for Security Research

Network Security. Chapter 0. Attacks and Attack Detection

Characterization of Defense Mechanisms against Distributed Denial of Service Attacks

arxiv:cs/ v1 [cs.ni] 29 Sep 2003

DDOS - Fighting Fire with Fire Michael Walfish, Hari Balakrishnan, David Karger, and Scott Shenker.

Configuring attack detection and prevention 1

Transcription:

Distributed Denial of Service John Ioannidis ji@research.att.com AT&T Labs Research Joint work with Steve Bellovin, Matt Blaze (AT&T), Sally Floyd, Vern Paxson, Scott Shenker (ICIR), Ratul Mahajan (University of Washington), Angelos Keromytis (Columbia University)

Another Talk about DDoS? Fundamentals of DDoS. Taxonomy of attacks and defenses. Pushback: a promising solution. Limits of the technology. April 24, 2002 DDoS 2

Security Attacks Ordinary security attacks: Exploit target vulnerabilities. Give resources to attacker. Fixing vulnerability solves the problem. Denial-of-service attacks: Prevent others from using the targetted system. Attacker gets indirect benefits. Some DoS attacks exploit vulnerabilities. Some just eat up resources. April 24, 2002 DDoS 3

DDoS: Distributed Denial of Service Network attacks aim at flooding the victim s link. Strong attacker against weak victim. Distributed attacks use multiple sources. Lots of weak attackers against strong victim. Usual implementation: Multiple compromised machines with zombies. Masters direct zombies to attack victim. Victim overwhelmed. April 24, 2002 DDoS 4

An Attack in Progress Attack 4 Looks like attack 3 6 7 Shares links Collateral damage 2 8 D 5 1 Congested link April 24, 2002 DDoS 5

During the Attack Bad (attack) traffic does not obey E2ECC, floods links. Poor (looks like attack) traffic obeys E2ECC, backs off due to congestion on links 2-5 and 8-D. As does good (shares links with attack) traffic. Some unrelated (collateral damage) traffic backs off due to congestion on the 2-5 link. April 24, 2002 DDoS 6

Why are DDoS Attacks Hard to Defend Against? Nothing victims can do to protect themselves: Usually, attack is on connectivity. Better overall host security would help. As would source address filtering. Bandwidth management not applicable. End-to-end congestion control not applicable. Source does not obey E2E CC. Active Queue Management not applicable. Flows very short-lived. Diffserv/Intserv do not help with best-effort traffic reqs. April 24, 2002 DDoS 7

A Taxonomy for DDoS Attack End node Network Defense Detection of attack Response Traffic management Scope Timeliness Extent Impact April 24, 2002 DDoS 8

Attacks I: Target is end node. CPU attack. Cause unnecessary crypto to happen. Memory attack. SYN flood. Easier to mitigate: Proper host security. Proper protocol design (e.g., cookies). April 24, 2002 DDoS 9

Attacks II: Target is network link By target link: Usually access link (core network over-provisioned). Slow border links (to distant lands). By source of attack: Trin00/TFN style: master/slaves. Reflector attacks. By packet contents: Random (just bandwidth). Calculated (SYN, directed broadcasts). By cause: Deliberate attack. Flash crowd. April 24, 2002 DDoS 10

Characteristics of Current Attacks Several small-scale attacks a day. Fairly crude. Captured code is of abysmal quality. Have not paired up with virus writers. Anisotropic. Locality of penetrated machines. Internet too large to design an isotropic attack. Purpose seems to be ego gratification. IRC turf wars. Vandalism. We worry about tactical uses. April 24, 2002 DDoS 11

Design of a Perfect Attack Looks like legitimate traffic. Flash crowd. Isotropic/topology aware. Uses network mapping information. Adaptive. Responds to our attempts to quench it. Automatic propagation. Viruses or other software flaws. Why is the network still running? April 24, 2002 DDoS 12

Defense I: Detection Passive vs. active: Traffic monitoring. Content. Shape/characteristics. Traffic marking. ICMP TRACEBACK Packet marking (many variants). Distribution: Single point. Collaborative. April 24, 2002 DDoS 13

Defense I: Detection, cont d Timing: Proactive (runs at all times). Reactive (turned on in response to attack). Feedback: From response mechanisms. April 24, 2002 DDoS 14

Defense II: Response Traffic management: Rate limiting. Filtering. Redirection. Distribution: At specific points. Along attack path. Scope: Within an administrative domain (intra-isp). Across administrative domains. April 24, 2002 DDoS 15

Defense II: Response, cont d Cost/benefit: Innocent traffic. Collateral damage. Level of service. Vulnerabilities introduced? Identification of attacker? Just mitigating effects. Finding attacker and/or zombies. Punishing. Fixing! April 24, 2002 DDoS 16

Limits Described an N-space of attacks and defenses. Need to identify limits of solution space. Need to define metrics of success. Limiting case: flash crowd. Unexplored dimensions? Legal/social. Radically change Internet architecture. Per-packet payment? Back to virtual circuits? Active networks? April 24, 2002 DDoS 17

Pushback Router-based solution against bandwidth attacks. Attack: too many packet drops on a particular link. Aggregate: set of packets with a common feature. Find the most common aggregate in the drop set. Aggregate-based Congestion Control (ACC). Local ACC (LACC): Works independently on congested links. Pushback: Tell upstream routers to also drop aggregate. April 24, 2002 DDoS 18

Involving the Routers Detect. Which routers detect the attack? How do they do it? Inform. Are other routers informed? How? Limit. What traffic is dropped? Where? April 24, 2002 DDoS 19

An Attack in Progress (again) Attack 4 Looks like attack 3 6 7 Shares links Collateral damage 2 8 D 5 1 Congested link April 24, 2002 DDoS 20

Local Rate-limiting Router 8 can preferentially drop bad traffic. This would allow more good traffic to flow in from 7 but would not improve things for the rest. Too much traffic coming in from 5 and 6. Collateral damage is still occurring. April 24, 2002 DDoS 21

Pushback Router 8 rate-limits. Detects where bad traffic is coming from. Directs upstream routers where most of traffic is coming from (5 and 6) to rate-limit on its behalf. Recurse! 5 and 6 now see congestion for bad traffic and push further back. More non-attack traffic flows. April 24, 2002 DDoS 22

After Pushback Attack 4 Looks like attack 3 6 7 Shares links Collateral damage 2 8 D 5 1 April 24, 2002 DDoS 23

Involving the Routers Detect. Which routers detect the attack? How do they do it? Inform. Are other routers informed? How? Limit. What traffic is dropped? Where? April 24, 2002 DDoS 24

Setting the Evil Bit Attack signature and congestion signature. CS approximates the Evil Bit. Detect what the Aggregate should be. Collect set of dropped packets ( drop set ). Just sampling is OK. Match against forwarding table. Easy way of identifying attacks on subnets. Pick most frequent prefix(es). Update the rate limiter. April 24, 2002 DDoS 25

Involving the Routers Detect. Which routers detect the attack? How do they do it? Inform. Are other routers informed? How? Limit. What traffic is dropped? Where? April 24, 2002 DDoS 26

Pushback Messages If local rate-limiting decreases congestion, stop. Otherwise, tell upstream routers with the largest contributions to also rate-limit (pushback request). Upstream routers apply the same algorithm to decide whether to propagate (push further back). Originator sets a maximum depth. Downstream messages provide feedback. No explicit acknowledgements or crash recovery (soft state). April 24, 2002 DDoS 27

Involving the Routers Detect. Which routers detect the attack? How do they do it? Inform. Are other routers informed? How? Limit. What traffic is dropped? Where? April 24, 2002 DDoS 28

Local Rate Limiting Source can be local or downstream pushbackd. Preferentially drop packets matching aggregate(s). Implemented as IPFW pipe under FreeBSD. Will also be done with ALTQ. Commercial routers have various ways of rate-limiting. Packets admitted by the RL passed to Output Q. No preferential treatment! April 24, 2002 DDoS 29

Pushback Router Architecture Input Qs Output Q?CS RL Q Adjust RL Dropped packets Update CS Pushback daemon PB April 24, 2002 DDoS 30

Decoupling of Components pushbackd need not run on the routers. Router can sample the drop set Attached processor updates router s RL. Different machines can run different detection algorithms. But we must agree on format of pushback messages. draft-floyd-pushback-messages-0?.txt April 24, 2002 DDoS 31

Knobs to Adjust Congestion signature derivation. Rate-limiting aggressiveness. Upstream distribution of bandwidth rate-limiting requests. Damping of feedback control loop (between requests for limiting and results). April 24, 2002 DDoS 32

Simulation Results Various topologies. Small attacks. Large attacks. Flash crowds. Various bandwidth allocation algorithms. Various detection algorithms. April 24, 2002 DDoS 33

Small Topology April 24, 2002 DDoS 34

April 24, 2002 DDoS 35

Big Topology, Web-like Behavior April 24, 2002 DDoS 36

Throughput with 4 Bad Hosts April 24, 2002 DDoS 37

Throughput with 32 Bad Hosts April 24, 2002 DDoS 38

Flash Crowd Behavior April 24, 2002 DDoS 39

Problems Does not work for isotropic attacks. Not an issue (yet). Flash crowds. Penalizes traffic coming from fatter pipes. May need to inject artificial asymmetry. Security. TTL 255 for adjacent routers! IPsec within same ISP. Trust/policy issues at borders. Should not become source of new abuses! April 24, 2002 DDoS 40

Future Work Better detection. Traffic patterns. Distributed monitoring. IDS. Integration with commercial routers. Deployment in the field. Standardization efforts. April 24, 2002 DDoS 41

Summary DDoS treated as a congestion control problem. Handled inside the network. Three parts: Detection. Approximation of the evil bit. Rate limiting. Aggregate-based Congestion Control. Pushback. Involve upstream routers. http://www.icir.org/pushback April 24, 2002 DDoS 42

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback