AMON-SENSS: Scalable DDoS Detection for ISPs
Jelena Mirkovic (USC/ISI), Rajat Tandon (USC)
DDoS Attack Detection Challenge
• Most attacks create large volume at the target
  – Some attacks do not
  – Some targets can handle large volume
• Most attacks are very short or intermittent
  – We do not want frequent false positives, but we do want to detect and handle large attacks
• Most attacks are launched by numerous sources
  – So are port scans
  – Some attacks are launched by one source or a few of them
DDoS Attack Signature Challenge
• Signature derivation is hard
  – Usually requires modeling what normal traffic looks like for a given destination, using many features
  – It does not scale to keep statistics about every potential attack target at an ISP (many records, many targets)
    • CPU cost of processing each packet/flow
    • Memory cost of storing statistics
    • Many of the records are stored needlessly
      – The destination does not come under attack
      – Most of the stored stats are not relevant for the signature
AMON
• We were inspired by AMON [1] by Merit Networks
  – Keeps statistics for detection in a matrix of bins, aggregating traffic between many source-destination pairs
    • Volume and/or number of packets
  – Uses the Boyer-Moore majority-vote algorithm to detect heavy-hitter sources and destinations for each bin
[1] https://arxiv.org/abs/1509.00268
[Figure: the AMON bin matrix, sources along one axis and destinations along the other]
AMON-SENSS
• Keeps statistics for detection in an array of bins, aggregating traffic to many destination addresses
  – Volume
  – Asymmetry score (number and type of asymmetric packets)
    • For a flow: asym_score = asym_factor * num_pkts
[Figure: the AMON-SENSS bin array, indexed by destination]

  proto   flags    srcport   dstport   asym_factor
  TCP     PSH      any       any        0
  TCP     no PSH   service   user      -1
  TCP     no PSH   user      service    1
  UDP     n/a      service   user      -1
  UDP     n/a      user      service    1
Volume and Asymmetry
• Both volume and asymmetry must be abnormal to detect a possible attack
  – Abnormal here means not within their historic ranges
    • mean ± 5 * stdev
  – High volume but asymmetry within the expected range may mean large data transfers, which the destination can handle
  – High asymmetry but volume within the expected range may mean scanning activity
• We can also require that the abnormality lasts for some sustained period
  – To avoid large scans triggering detection
• To detect an attack's stop:
  – Both volume and asymmetry must remain within their historical ranges for a sustained period of time
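The following is an added example, not AMON-SENSS's own code: it computes the per-flow asym_factor from the table on the previous slide, aggregates volume and asymmetry score per destination bin, and applies the mean ± k*stdev rule with the sustained-period requirement for both attack start and attack stop. Everything not on the slides is an assumption made here: bins are /24 destination prefixes, "service" ports are those <= 1023, flows whose two port classes are equal get factor 0, a stdev floor guards against a perfectly flat baseline, and intervals that are abnormal or fall inside a detected attack are kept out of the baseline so the attack does not train the detector to accept itself.

```python
"""Added example (not the AMON-SENSS code): asymmetry scoring and bin-level
detection with the mean +/- k*stdev rule and a sustained-period requirement."""
import statistics
from collections import defaultdict

SERVICE_PORT_MAX = 1023  # assumption: ports <= 1023 are "service" ports


def port_kind(port):
    return "service" if port <= SERVICE_PORT_MAX else "user"


def asym_factor(proto, flags, srcport, dstport):
    """asym_factor as in the slide table. flags is a string such as 'PSH|ACK'."""
    if proto == "TCP" and "PSH" in flags:
        return 0                      # data-carrying TCP is not asymmetric
    src, dst = port_kind(srcport), port_kind(dstport)
    if src == "service" and dst == "user":
        return -1                     # reply direction (service -> user)
    if src == "user" and dst == "service":
        return 1                      # request direction (user -> service)
    return 0                          # assumption: same-class port pairs are unscored


def bin_of(dst_ip):
    """Assumption: a bin is a /24 destination prefix."""
    return ".".join(dst_ip.split(".")[:3]) + ".0/24"


def aggregate(flows):
    """Sum volume (bytes) and asymmetry score per bin for one interval.
    flows: (dst_ip, proto, flags, srcport, dstport, num_pkts, num_bytes)."""
    vol, asym = defaultdict(int), defaultdict(int)
    for dst_ip, proto, flags, sport, dport, pkts, nbytes in flows:
        b = bin_of(dst_ip)
        vol[b] += nbytes
        asym[b] += asym_factor(proto, flags, sport, dport) * pkts
    return {b: (vol[b], asym[b]) for b in vol}


class BinDetector:
    def __init__(self, k=5.0, sustain=3, min_history=10, sd_floor=1.0, window=1000):
        self.k, self.sustain, self.min_history = k, sustain, min_history
        self.sd_floor, self.window = sd_floor, window
        self.hist = defaultdict(lambda: {"vol": [], "asym": []})
        self.abn_run = defaultdict(int)   # consecutive abnormal intervals per bin
        self.norm_run = defaultdict(int)  # consecutive normal intervals during an attack
        self.attacked = set()

    def _abnormal(self, history, value):
        mean = statistics.fmean(history)
        sd = max(statistics.pstdev(history), self.sd_floor)  # floor: flat baseline
        return abs(value - mean) > self.k * sd

    def _remember(self, b, vol, asym):
        h = self.hist[b]
        h["vol"].append(vol); h["asym"].append(asym)
        del h["vol"][:-self.window]; del h["asym"][:-self.window]

    def observe(self, bin_stats):
        """bin_stats: {bin: (volume, asym_score)} for one interval.
        Returns a list of ('start', bin) / ('stop', bin) events."""
        events = []
        for b in set(bin_stats) | set(self.hist):
            vol, asym = bin_stats.get(b, (0, 0))
            h = self.hist[b]
            ready = len(h["vol"]) >= self.min_history
            vol_abn = ready and self._abnormal(h["vol"], vol)
            asym_abn = ready and self._abnormal(h["asym"], asym)
            if b not in self.attacked:
                if vol_abn and asym_abn:              # both must be abnormal
                    self.abn_run[b] += 1
                    if self.abn_run[b] >= self.sustain:
                        self.attacked.add(b); self.norm_run[b] = 0
                        events.append(("start", b))
                else:                                 # scan- or transfer-like: baseline it
                    self.abn_run[b] = 0
                    self._remember(b, vol, asym)
            else:
                if not vol_abn and not asym_abn:      # both back within range
                    self.norm_run[b] += 1
                    if self.norm_run[b] >= self.sustain:
                        self.attacked.discard(b); self.abn_run[b] = 0
                        events.append(("stop", b))
                else:
                    self.norm_run[b] = 0
        return events


def demo():
    """Constructed scenario: 20 quiet intervals, a 3-interval flood, 3 quiet ones."""
    d, b, events = BinDetector(), "164.76.176.0/24", []
    for i in range(20):
        events += d.observe({b: (10000 + 500 * (i % 3), (i % 3) - 1)})
    for _ in range(3):
        events += d.observe({b: (10**9, 50000)})
    for _ in range(3):
        events += d.observe({b: (10500, 0)})
    return events


if __name__ == "__main__":
    print(demo())
```

Because both conditions are required, an interval with a huge asymmetry score but ordinary volume (a large scan) never increments the abnormal run, and an interval with huge volume but ordinary asymmetry (a bulk transfer) is treated the same way; only their conjunction, held for `sustain` consecutive intervals, raises a start event, and the stop event likewise needs `sustain` consecutive in-range intervals.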
Illustration
[Figure: volume and asymmetry over time; a brief abnormal spike ("too short") is not reported, while a sustained one is reported after the detection delay]
Signature Generation
• Proactively sample flows whose asymmetry matches the asymmetry of the bin
  – Whenever both volume and asymmetry are abnormal
• Proactively generate signatures over the samples
  – Masking srcIP, srcport, dstport
  – Keeping proto and dstIP
  – For each combination keep only the most representative signature, the one covering most samples
• Find a signature that covers enough samples
  – And explains most of the asymmetry seen
  – Prefer more specific signatures, but only when they are not much worse at explaining the asymmetry
Illustration

  Signature                                          Asymmetry explained
  *:*              -> 164.76.176.0:*      udp          97%
  *:*              -> 164.76.176.0:43967  udp         <1%
  *:53             -> 164.76.176.0:*      udp          95%
  *:53             -> 164.76.176.0:43967  udp         <1%
  58.177.216.0:*   -> 164.76.176.0:*      udp         <1%
  58.177.216.0:*   -> 164.76.176.0:43967  udp         <1%
  58.177.216.0:53  -> 164.76.176.0:*      udp         <1%
  58.177.216.0:53  -> 164.76.176.0:43967  udp         <1%

The more specific signature (*:53 -> 164.76.176.0:* udp, 95%) performs a bit worse than the less specific one (*:* -> 164.76.176.0:* udp, 97%), but has a lower chance of false positives.
Signature Testing
• Once a signature is generated, we test it to see if it works well
  – Collect matching flows in the direct and reverse direction
  – Once enough flows are collected, evaluate how many are good (non-TCP with a matching reverse flow, or TCP with PSH) and how many are bad (asymmetric)
  – If good/(good+bad) < threshold, i.e. the signature matches mostly asymmetric attack traffic and little legitimate traffic, proclaim it a good signature and install it
• Always collect bin statistics prior to dropping
  – Also collect info on how much traffic is dropped
Illustration
[Figure: volume, asymmetry and dropped traffic over time after a signature is installed]
• Tested on five Merit Network attack traces from IMPACT
  – Detected all the attacks noted in the metadata
  – Detected many more attacks

  trace       duration   #attacks   largest size                      longest duration
  chargen     1 day      61         0.9 Gbps SYN flood                19 h SYN flood
  dns_ampl    1 day      43         4.5 Gbps DNS reflection           0.5 h NTP reflection
  ntp-ddos    2 weeks    2,448      2.4 Gbps NTP reflection           6 days SYN flood
  radb_ddos   2 days     71         1.8 Gbps DNS reflection           0.5 h UDP flood
  ssdp        2 hours    1          0.03 Gbps SSDP reflection flood   5 min SSDP reflection flood
Observations About Attacks
• Number of attacks per day is consistent with known literature
  – A recent IMC paper [1] finds 20M attacks in 2 years, ~100 per day in a network of Merit Network's size
• Duration of attacks is also consistent with [1]
  – Most attacks are short and on-off, which makes detection and mitigation hard
• Long-lasting attacks are usually low volume

[1] M. Jonker, A. King, J. Krupp, C. Rossow, A. Sperotto, A. Dainotti. Millions of Targets Under Attack: a Macroscopic Characterization of the DoS Ecosystem. ACM SIGCOMM Internet Measurement Conference (IMC) 2017.
AMON-SENSS Performance
• Processes 6 h of traffic in 1 h
• Very small memory footprint
• Large CPU footprint, mostly for Netflow reading; can be controlled per process