Date post: | 21-Dec-2015 |
Category: |
Documents |
View: | 217 times |
Download: | 2 times |
1
Sonia Fahmy Ness ShroffSonia Fahmy Ness Shroff
StudentsStudents: Roman Chertov Rupak Sanjel: Roman Chertov Rupak SanjelCenter for Education and Research in Center for Education and Research in
Information Assurance and Security (CERIAS)Information Assurance and Security (CERIAS)Purdue UniversityPurdue University
October 25October 25thth, 2004, 2004
Experiments with DDoS and Experiments with DDoS and RoutingRouting
2
Objectives Design, integrate, and deploy a methodology and
tools for performing realistic and reproducible DDoS experiments: Tools to configure traffic and attacks Tools for automation of experiments, measurements, and
visualization of results Integration of multiple third-party software components
Understand the testing requirements of different types of third party detection and defense mechanisms
Gain insight into the phenomenology of attacks including their first-order and their second-order effects, and impact on defenses
3
Accomplishments
Designed and implemented experimental tools: Scriptable event system to control and synchronize
events at multiple nodes Automated measurement tools, log processing tools,
and plotting tools Automated configuration of interactive and replayed
background traffic, routing, attack parameters, and measurements
Generated requirements for DETER to easily support the testing of third party products (e.g., ManHunt, Sentivist)
4
Accomplishments (cont’d)
Analytical characterization, simulations, and experiments for low-rate TCP-targeted DDoS attacks
Preliminary analysis of BGP behavior during DDoS, and BGP impact on DDoS
5
TCP-Targeted Attacks
Varied: Attack burst length l and sleep period T-l A. Kuzmanovic and E. W. Knightly. Low-rate targeted denial of
service attacks. SIGCOMM 2003. M. Guirguis et al. Exploiting the transients of adaptation for
RoQ attacks on Internet resources. ICNP 2004. H. Sun et al. Defending against low-rate TCP attacks: Dynamic
detection and protection. ICNP 2004.
Objective: Understand attack effectiveness (damage versus effort) in
terms of application-level, transport-level, and network-level metrics at multiple nodes
T-l
ll
Time
Rate
R
8
Web Clients/Server
Server Throughput
0
10
20
30
40
50
60
70
80
90
0 20 40 60 80
Burst Length (ms)
Mb
it/s
ec
Total Number of Pages Read
0
50000
100000
150000
200000
250000
300000
350000
0 20 40 60 80
Burst Length (ms)
Nu
mb
er
of
Pag
es
Average Client Throughput
0
0.5
1
1.5
2
2.5
0 20 40 60 80
Burst Length (ms)
Mb
it/s
ec
Average Respone Time
0
0.02
0.04
0.06
0.08
0.1
0.12
0.14
0.16
0 20 40 60 80
Burst Length (ms)
Ave
rage
Res
pons
e Ti
me
(sec
)
9
Attack Parameters vs. RTT
0.38 Mbps without an attack 0.75 Mbps without an attack
Client with 63 ms RTT to the server
10
Short RTT
1.00 Mbps without an attack 1.40 Mbps without an attack
Client with 12.6 ms RTT to the server
11
Attack 100-1000 Unacked data during 5MB file transfer (31.97 sec = 160.16 KB/sec)
ttcp Experiments
12
Emulation vs. Simulation Effects of attack sleep period on the average congestion window of a single
TCP (SACK) from TTCP tool
The attack flow is multiplexed with the data flow
Attack Sleep Period Effect on Average Congestion Window
0
5
10
15
20
25
500 1000 1500 2000 2500 3000 3500 4000 4500
Attack Sleep Period (ms)
Cw
nd
(p
acke
t #)
Deter
NS
14
Scenario
• At 222 sec, nodes 8, 11, and 14 attack node 9 (zebra router running BGP) for 400 seconds.
• No activity for 200 seconds. Allow all nodes to stabilize.
• Nodes 8, 11, and 14 attack node 9 for 400 seconds again. Node 36 attacks node 10 (neighbor of node 9) for 400 seconds.
18
Lessons Learned Insights into sensitivity to emulation environment
Some effects we observe may not be observed on actual routers and vice versa (architecture and buffer sizes)
Emulab and DETER results significantly differ for the same test scenario (CPU speed)
Priority for routing packets in Cisco routers Limit on the degree of router nodes, delays, bandwidths
Difficulties in testing third party products Products (hardware or software) connect to hubs, switches, or routers
Layer 2/layer 3 emulation and automatic discovery/allocation can simplify DETER use for testing third party mechanisms
Due to licenses, we need to control machine selection in DETER Windows XP is required to test some products, e.g., Sentivist
administration interface Difficult to evaluate performance when mechanism is a black box
e.g., cannot mark attack traffic and must solely rely on knowledge of attack
19
Plans Continue development of experiment automation
and instrumentation/plotting tools and documentation
Design increasingly high fidelity experimental suites
Continue investigation of TCP-targeted DDoS attacks in more depth, and compare analytical and simulation results with DETER testbed results to identify artifacts