Defending against Large-Scale Distributed Denial-of-Service Attacks

Date post: 31-Dec-2015
Page 1: Defending against Large-Scale Distributed Denial-of-Service Attacks

Defending against Large-Scale Distributed Denial-of-Service Attacks

Department of Electrical and Computer Engineering

Advanced Research in Information Assurance and Security (ARIAS) Lab

Virginia Tech

Jung-Min Park

Page 2: Defending against Large-Scale Distributed Denial-of-Service Attacks

2

Overview of DoS Attacks

What is a DoS attack? An attack that disrupts network services to legitimate clients

Large-scale Distributed DoS (DDoS) attack of Feb. 2000
• A DDoS attack took down Yahoo, eBay, and Amazon.com
• The outage caused millions of dollars in lost revenue

Hundreds of attacks are observed each day
• Global corporations lost over $1.39 trillion in revenue due to security breaches in 2000, and over 60% of that is due to viruses and DoS attacks (http://www.captusnetworks.com/BeenDoSd.pdf)

FBI reports indicate DoS attacks are on the rise

Page 3: Defending against Large-Scale Distributed Denial-of-Service Attacks

3

Taxonomy of DoS Attacks

Attacks that exploit system design weaknesses
• Teardrop attack
• Ping-of-death attack
• Land attack
• SYN flood attack

Attacks that exploit the weakness of particular protocols
• Attacks against authentication protocols
• Attacks against key agreement protocols

Attacks that exploit the asymmetry between “line rate” and throughput of hosts and routers
• Flooding-based DDoS attacks

Page 4: Defending against Large-Scale Distributed Denial-of-Service Attacks

4

Flooding-based DDoS Attacks

Exploits the asymmetry between “line rate” and throughput of hosts and routers

Large volume of packets is sent toward a victim

Consumes bandwidth and processing power of the victim

DDoS attacks utilize attack handlers and zombies to hide the identity of the real attacker

Page 5: Defending against Large-Scale Distributed Denial-of-Service Attacks

5

Lines of Defense Against DDoS Attacks

Prevention and preemption (before the attack):
• Apply software patch
• SYN cookies, client puzzles
• Design DoS attack resistant systems
• Overlay networks

Detection (during the attack):
• Signature (misuse) detection
• Anomaly detection

Mitigation and filtering (during the attack):
• Client puzzles
• Aggregate filtering, pushback
• Overlay networks

Attack source traceback and identification (during and after the attack):
• IP traceback: packet marking
• IP traceback: packet logging
• “Attack traceback”

Page 6: Defending against Large-Scale Distributed Denial-of-Service Attacks

TRACK: A New Approach to IP Traceback

Page 7: Defending against Large-Scale Distributed Denial-of-Service Attacks

7

The IP Traceback Problem

IP traceback strategies:
• Probabilistic Packet Marking (PPM)
• Packet Logging

[Figure: attack detection at the victim, then traceback to the zombie’s border router]

Page 8: Defending against Large-Scale Distributed Denial-of-Service Attacks

8

Limitations of Current IP Traceback Schemes

Do not support last-hop traceback

Packet logging schemes
• Significant computation overhead on routers
• Significant storage overhead on routers

Packet marking
• Not scalable: the complexity of the path reconstruction process increases rapidly as the number of attackers increases
• A large number of packets needs to be collected

Page 9: Defending against Large-Scale Distributed Denial-of-Service Attacks

9

rouTer poRt mArking and paCKet filtering (TRACK)

Objective:
• Reduce the computation complexity of path reconstruction
• Reduce the number of packets that need to be collected
• Support last-hop traceback
• Support gradual deployment
• Filter attack traffic using traceback information

[Figure: attack detection at the victim; router port marking for traceback; packet filtering at the border router of the zombies]

Page 10: Defending against Large-Scale Distributed Denial-of-Service Attacks

10

Basic Principles of TRACK

A string composed of locally-unique router interface port numbers is a globally unique identifier of a path.

[Figure: tree topology V – A – B C D – E F G H I J – L M N O P Q R S – C1 C2 C3 C4, with router interface port numbers (21, 18, 11, 50, 21, 29, 34, 42, 47, 27, 7, 62, 36, 8, 52, 14, 19, 24, 61, 32, 4) labelled on the links]

Page 11: Defending against Large-Scale Distributed Denial-of-Service Attacks

11

Marking Traceback Information in the IP Header

Page 12: Defending against Large-Scale Distributed Denial-of-Service Attacks

12

Router Port Marking Procedure

Fields carried in the IP header: Marking Flag (MKF), Distance, XOR, Port Number (PN).

Active Port Marking Mode (APMM), entered with probability p:
• Marking Flag := 1
• Port Number := this router’s port number
• XOR := this router’s port number
• Distance := the last 5 bits of the TTL (TTL5)

Passive Port Marking Mode (PPMM), with probability 1 – p:
• If Marking Flag = 1: XOR := XOR ⊕ this router’s port number

Page 13: Defending against Large-Scale Distributed Denial-of-Service Attacks

13

Path Reconstruction Process of TRACK

Objective: Recover the port number sequence of an attack path and convert it into a sequence of router IP addresses

Approach:
• Distribute the path reconstruction process among the victim’s upstream routers (from the victim to the attacker’s border router), similar to Pushback
• Employ a trace table and trace packets
• Use the same information to filter attack traffic at the border router of the attacker

Computational complexity: O(N²)

Page 14: Defending against Large-Scale Distributed Denial-of-Service Attacks

14

Path Reconstruction Process of TRACK

Assume C3 is sending packets to V; M is in APMM; F, B, and A are in PPMM.

At M (APMM): MKF = 1, XOR = PN = 18, Distance = TTL5(254) = 30

At V: MKF = 1, PN = 18, Distance = 30, TTL5 = 27, XOR = 2 (= 18 ⊕ 47 ⊕ 34 ⊕ 21, using the port bit patterns shown on the next slide)

d = 30 – 27 = 3

Page 15: Defending against Large-Scale Distributed Denial-of-Service Attacks

15

Path Reconstruction Process of TRACK

Router closest to V in APMM *

Router | Hop count d | Port number PN(d) | XOR(d)
A      | 0           | 21 [010101]**     | 21
B      | 1           | 34 [100010]       | 55 (= 34 ⊕ 21)
F      | 2           | 47 [100111]       | 16 (= 47 ⊕ 55)
M      | 3           | 18 [010010]       | 02 (= 18 ⊕ 16)

d = Distance – TTL5
XOR(d+1) ⊕ PN(d+1) = XOR(d)

C3’s path: 21-34-47-18

Note: the bit pattern printed for F’s port, 100111, is 39, not 47 (101111); the values 16 and 02 follow from 100111. With 101111 the last two XOR values would be 24 and 10.
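The marking procedure of slide 12 and the reconstruction of slides 13 to 15, run end to end on a small tree, as an added example that is not code from the deck or the ARIAS lab. The topology, the port numbers that are not on the deck’s two worked paths (21-34-47-18 and 42-62-8-32), the TTL values and all function names are assumptions made here. The search over the tree is done in one place rather than distributed among the upstream routers, but it applies the same test at each hop: fold the candidate port into the running XOR and compare the result, and the PN field, with the marks at hop d. The deck’s XOR value of 2 for C3’s path relies on the bit pattern 100111 (39) for F’s port; with the printed value 47 (101111) the field comes out as 10, which is what this code produces.

```python
"""TRACK router-port marking and victim-side path reconstruction on a toy tree.

Added example; not code from the deck or the ARIAS lab. The tree, the port
numbers off the two paths the deck works through, the TTL values and the
helper names are assumptions made here.
"""
import random

# Constructed topology: router -> [(ingress port number, downstream neighbour)].
# A port number is the router's own, locally unique interface number; the
# concatenation of port numbers along a path is the path identifier.
TOPOLOGY = {
    "A": [(21, "B"), (42, "C"), (11, "D")],
    "B": [(34, "F"), (50, "E")],
    "C": [(62, "H"), (29, "G")],
    "D": [(7, "I"), (27, "J")],
    "F": [(47, "M"), (36, "L")],
    "H": [(8, "P"), (52, "O")],
    "M": [(18, "C3")],   # M is C3's border router
    "P": [(32, "C4")],   # P is C4's border router
}
FIRST_HOP = "A"          # router closest to the victim V
PARENT = {child: (router, port)
          for router, links in TOPOLOGY.items() for port, child in links}


def upstream_path(host):
    """(router, ingress port) pairs a packet from `host` crosses, border router first."""
    path, node = [], host
    while node in PARENT:
        router, port = PARENT[node]
        path.append((router, port))
        node = router
    return path


def mark(pkt, port, apmm):
    """One router's step: decrement TTL, then APMM (overwrite) or PPMM (fold in)."""
    pkt["ttl"] -= 1
    if apmm:                                   # Active Port Marking Mode, probability p
        pkt["mkf"] = 1
        pkt["pn"] = port
        pkt["xor"] = port
        pkt["distance"] = pkt["ttl"] & 0x1F    # TTL5: the low five bits of the TTL
    elif pkt["mkf"]:                           # Passive Port Marking Mode, probability 1 - p
        pkt["xor"] ^= port
    return pkt


def send(host, ttl=255, p=0.04, apmm_at=None, rng=random):
    """Forward a packet from `host` to V. `apmm_at` forces one router into APMM
    (all others passive); otherwise each router picks APMM with probability p."""
    pkt = {"ttl": ttl, "mkf": 0, "distance": 0, "xor": 0, "pn": 0}
    for router, port in upstream_path(host):
        apmm = (router == apmm_at) if apmm_at is not None else rng.random() < p
        mark(pkt, port, apmm)
    return pkt


def reconstruct(pkt):
    """Candidate paths consistent with the marks in one packet, as lists of
    (router, port) from the first hop to the marking router. A branch survives
    only if the folded XOR and the PN field both match at hop d."""
    if not pkt["mkf"]:
        return []
    d = (pkt["distance"] - (pkt["ttl"] & 0x1F)) % 32   # hops from the marker to V
    found = []

    def walk(router, seq, acc):
        if len(seq) == d + 1:
            if acc == pkt["xor"] and seq[-1][1] == pkt["pn"]:
                found.append(seq)
            return
        for port, child in TOPOLOGY.get(router, []):
            walk(child, seq + [(router, port)], acc ^ port)

    walk(FIRST_HOP, [], 0)
    return found


def filter_rule(pkt):
    """(border router, port) where TRACK would filter, or None if the marks are
    absent or match more than one path (a false-positive candidate)."""
    paths = reconstruct(pkt)
    return paths[0][-1] if len(paths) == 1 else None


if __name__ == "__main__":
    marked = send("C3", apmm_at="M")
    print(marked, reconstruct(marked), filter_rule(marked))
```

Because the XOR field holds only six bits, two different paths of the same length can fold to the same value; filter_rule refuses to install a rule when more than one path matches, which is the false-positive case the deck measures on slides 17 and 38.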

Page 16: Defending against Large-Scale Distributed Denial-of-Service Attacks

16

Number of Packets Needed for Path Reconstruction

[Figure: number of packets needed for path reconstruction, plotted for p = 0.04 and p = 0.01]

Page 17: Defending against Large-Scale Distributed Denial-of-Service Attacks

17

False Positive Rate

[Figure: false positive rate on the Skitter Internet map and on the complete tree topology model]

Page 18: Defending against Large-Scale Distributed Denial-of-Service Attacks

18

Gradual Deployment

[Figure: gradual deployment results on the complete tree topology model and on the Skitter Internet map]

Page 19: Defending against Large-Scale Distributed Denial-of-Service Attacks

Chained Puzzles: A Novel Approach to IP-Layer Puzzles

Page 20: Defending against Large-Scale Distributed Denial-of-Service Attacks

20

Client Puzzle Protocols

A technique used to mitigate DoS attacks that does not rely on distinguishing between attack traffic and legitimate client traffic

Puzzles are typically based on difficult problems from cryptosystems
• Partial reversal of a hash function
• Exhaustive key search in a private key cryptosystem

[Figure: Client ↔ Server/Router exchange: Puzzle Request, Puzzle Challenge, Puzzle Solution]

Page 21: Defending against Large-Scale Distributed Denial-of-Service Attacks

21

Basic Principles of Chained Puzzles

Puzzle algorithm: Exhaustive key search of XTEA6
• XTEA6: Truncated version of the XTEA encryption algorithm

Puzzle Routers
• Puzzle distribution and verification is performed by the “first-hop” border router, called a Puzzle Router
• Puzzles are enabled by downstream Puzzle Routers

Page 22: Defending against Large-Scale Distributed Denial-of-Service Attacks

22

Message Exchange Between Puzzle Routers

Downstream Puzzle Routers enable puzzles at the upstream Puzzle Routers

[Figure: Zombie or Legitimate Client → Puzzle Router → Puzzle Router → Server, with the flow of traffic toward the server and ICMP Congestion Notifications exchanged between the Puzzle Routers]

Page 23: Defending against Large-Scale Distributed Denial-of-Service Attacks

23

Optimal Location for Detection and Mitigation

Detection: DDoS attacks are detected easily near the server or the main victim of the attack (packet loss, heavy congestion, etc.)

Mitigation: Preventing or mitigating an attack is best performed as close to the source of the attack as possible

[Figure: zombies]

Page 24: Defending against Large-Scale Distributed Denial-of-Service Attacks

24

Puzzle Distribution

How do we distribute puzzles?
• Easy in the TCP 3-way handshake
• IP is connectionless and a client puzzle protocol is connection oriented:
  1. Client asks for a puzzle
  2. Server sends the puzzle to the client
  3. Client solves the puzzle, sends the solution back to the server

Solution: Puzzle solution chaining

[Figure: Client ↔ Server/Router exchange: Puzzle Request, Puzzle Challenge, Puzzle Solution]

Page 25: Defending against Large-Scale Distributed Denial-of-Service Attacks

25

Puzzle Solution Chaining

When Puzzles are enabled, “bootstrapping” procedure is needed to create the first puzzle

Subsequent puzzles are created by the client independently

Current solution becomes plaintext for the next puzzle

Page 26: Defending against Large-Scale Distributed Denial-of-Service Attacks

26

Puzzle Solution Chaining – cont’d

Client creates a chain of puzzles

[Figure: Client ↔ Puzzle Router: Puzzle Challenge from the router, then P1 (w/Solution), P2 (w/Solution), P3 (w/Solution), P4 (w/Solution) from the client]

The Puzzle Router reissues the puzzle challenge periodically

Page 27: Defending against Large-Scale Distributed Denial-of-Service Attacks

27

Probabilistic Verification

Probabilistic verification
• Puzzle Routers verify incoming puzzles according to a given probability
• Increases performance and throughput of the Puzzle Routers

[Figure: flow chart. Incoming Link → Verify Puzzle? → No: forward on the Outbound Link; Yes: Verify → Correct? → Yes: forward on the Outbound Link; No: Drop Packet]
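Slides 21 and 24 to 27 describe the puzzle algorithm, solution chaining and probabilistic verification; what follows is an added example, not code from the deck or the ARIAS lab, that realizes one concrete reading of them. The deck does not specify the puzzle encoding, so this file assumes one: XTEA6 is taken to mean XTEA reduced to 6 cycles; the Puzzle Router’s challenge is a 64-bit nonce plus a difficulty d; puzzle i asks the client for a 32-bit key word k such that XTEA6 under the key (k, nonce, i) maps the block (previous solution, i) to a ciphertext whose low d bits are zero; the bootstrap plaintext word is 0. Expected client cost is 2^d trial encryptions, verification costs one, and the per-packet stamp (i, previous solution, k) is what the router checks with probability q. The names, the nonce value and the stamp layout are assumptions.

```python
"""Chained client puzzles over a truncated XTEA: client-side exhaustive key
search, one-encryption verification, and probabilistic verification at a
Puzzle Router.

Added example; not code from the deck or the ARIAS lab. The puzzle encoding,
the 6-cycle reading of "XTEA6", the stamp layout and the names are assumptions.
"""
import random

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9


def xtea_encrypt(block, key, cycles=6):
    """XTEA on a 64-bit block (two 32-bit words) under a 128-bit key (four words).
    Standard XTEA uses 32 cycles; the puzzle uses the truncated 6-cycle variant."""
    v0, v1 = block
    s = 0
    for _ in range(cycles):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & MASK32
        s = (s + DELTA) & MASK32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & MASK32
    return v0, v1


def puzzle_holds(prev_k, index, k, nonce, d):
    """Puzzle `index` is solved by k when the low d bits of the ciphertext are
    zero (assumed target). Costs one encryption: this is what the router runs."""
    _, c1 = xtea_encrypt((prev_k, index), (k, nonce[0], nonce[1], index))
    return c1 & ((1 << d) - 1) == 0


def solve(prev_k, index, nonce, d):
    """Client side: exhaustive search over the key word. Returns (k, trials)."""
    for trials, k in enumerate(range(1 << 32), start=1):
        if puzzle_holds(prev_k, index, k, nonce, d):
            return k, trials
    raise RuntimeError("key space exhausted without a solution")


def build_chain(nonce, d, length):
    """Client side: bootstrap from the router's challenge (nonce, d), then build
    `length` puzzles where each solution is the next puzzle's plaintext word.
    Returns [(index, prev_k, k, trials), ...]; (index, prev_k, k) is the stamp."""
    chain, prev_k = [], 0          # bootstrap plaintext word 0 (assumed)
    for i in range(1, length + 1):
        k, trials = solve(prev_k, i, nonce, d)
        chain.append((i, prev_k, k, trials))
        prev_k = k
    return chain


class PuzzleRouter:
    """Verifies one client's stamps with probability q and drops failures."""

    def __init__(self, nonce, d, q, rng=None):
        self.nonce, self.d, self.q = nonce, d, q
        self.rng = rng or random.Random(0)   # seeded so a run is reproducible
        self.last_index = 0
        self.verified = self.dropped = self.passed_unchecked = 0

    def handle(self, index, prev_k, k):
        """True if the packet is forwarded, False if it is dropped."""
        if self.rng.random() >= self.q:
            self.passed_unchecked += 1        # the "No" branch of "Verify Puzzle?"
            return True
        self.verified += 1
        ok = index > self.last_index and puzzle_holds(prev_k, index, k, self.nonce, self.d)
        if ok:
            self.last_index = index
        else:
            self.dropped += 1
        return ok


if __name__ == "__main__":
    challenge_nonce = (0x243F6A88, 0x85A308D3)    # constructed challenge value
    chain = build_chain(challenge_nonce, d=8, length=4)
    router = PuzzleRouter(challenge_nonce, d=8, q=0.5)
    for index, prev_k, k, trials in chain:
        print(index, hex(k), trials, router.handle(index, prev_k, k))
    print(vars(router))
```

The router keeps only the highest index it has verified, so a stamp that is forwarded unchecked does not advance it, and an index at or below it is dropped when it is checked; that is enough to reject replays but leaves open the state and fairness questions the deck lists under Future Work.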

Page 28: Defending against Large-Scale Distributed Denial-of-Service Attacks

28

Simulation Results: NPSR

Normal Packet Survival Ratio (NPSR): percentage of legitimate packets that can make their way to the victim in the midst of a DDoS attack

[Figure: Normal Packet Survival Ratio versus Puzzle Difficulty Level. x-axis: puzzle difficulty level d (0 to 15); y-axis: normal packet survival ratio (0.75 to 1). Curves: Standard IP; AP, Q = 0; AP, Q = 25; AP, Q = 50; AP, Q = 100]

Page 29: Defending against Large-Scale Distributed Denial-of-Service Attacks

29

Future Work

IP Traceback
• Improve scalability
• Better support of gradual deployment
• Minimize the number of false positives
• Support IP fragments
• Support router degrees greater than 64

Client puzzle protocol
• Specification of a Puzzle Router’s functions
• Resolve protocol architecture issues
• Counter puzzle protocol circumvention
• Ensure fairness

Page 30: Defending against Large-Scale Distributed Denial-of-Service Attacks

Questions?

Page 31: Defending against Large-Scale Distributed Denial-of-Service Attacks

31

Conclusion

• Last-hop traceback capability: a step closer to attack traceback
• Support of gradual deployment: a more realistic solution
• Using the router port instead of the router as the atomic unit for traceback: fewer packets and less computational complexity for path reconstruction, finer granularity, and fewer false positives
• Attack detection at the victim and packet filtering at the zombies’ border routers: the optimal location for both modules

Page 32: Defending against Large-Scale Distributed Denial-of-Service Attacks

32

Backup

Page 33: Defending against Large-Scale Distributed Denial-of-Service Attacks

33

Path Reconstruction Process of TRACK

Router closest to V in APMM

Router | Hop count d | Port number PN(d) | XOR(d)
A      | 0           | 21 [010101]       | 21 [010101]
A      | 0           | 42 [101010]       | 42 [101010]
B      | 1           | 34 [100010]       | 55 [110111] (= 34 ⊕ 21)
C      | 1           | 62 [111110]       | 20 [010100] (= 62 ⊕ 42)
F      | 2           | 47 [100111]       | 16 [010000] (= 47 ⊕ 55)
H      | 2           | 08 [001000]       | 28 [011100] (= 08 ⊕ 20)
M      | 3           | 18 [010010]       | 02 [000010] (= 18 ⊕ 16)
P      | 3           | 32 [100000]       | 60 [111100] (= 32 ⊕ 28)

Objective: Recover the port number sequence of an attack path and convert it into a sequence of router IP addresses

Approach:
• Distribute the path reconstruction process among the victim’s upstream routers (from the victim to the attacker’s border router), similar to Pushback
• Employ a trace table and trace packets
• Use the same information to filter attack traffic at the border router of the attacker

Computational complexity: O(N²)

Page 34: Defending against Large-Scale Distributed Denial-of-Service Attacks

34

Limitation of Current Attack Mitigation Schemes

Problem: Conventional countermeasures attempt to detect and filter at the same location

Fact: Attack detection is easier closer to the victim; packet filtering is more effective closer to the attack source

Solution: Separate the two functions into separate modules

Page 35: Defending against Large-Scale Distributed Denial-of-Service Attacks

35

Attack Mitigation (Packet Filtering)

Location of attack detection and packet filtering: at the victim, in the network, or at the attack source

[Figure: Attack Detection and Packet Filtering placed along the axis victim / in the network / attack source]

Page 36: Defending against Large-Scale Distributed Denial-of-Service Attacks

36

Probabilistic Packet Marking (Basics)

Routers probabilistically mark packets with fragments of their own IP addresses

The Identification field in the IP header is used (the probability of IP fragmentation is 0.25%)

The victim collects the address fragments from many packets to reconstruct the attack path

Page 37: Defending against Large-Scale Distributed Denial-of-Service Attacks

37

Overhead of Packet Logging

For an OC-192 link:

TRACK: 50k destination IP address insertions or updates per second; 900 MB of storage per hour, upper-bounded by 20 GB

The scheme in [Snoe01]: 60 million hash operations per second; 44 GB of storage per hour, bounded by the maximum allowed traceback time

The scheme in [Li04]: 8 million hash operations per second; 5.2 GB of storage per hour, bounded by the maximum allowed traceback time

Page 38: Defending against Large-Scale Distributed Denial-of-Service Attacks

38

False Positive Analysis

Page 39: Defending against Large-Scale Distributed Denial-of-Service Attacks

39

Gradual Deployment

Neighbor-Discovery Handshake Protocol

Jump back to the source during path reconstruction

[Figure: the tree topology of slide 10 (V – A – B C D – E F G H I J – L M N O P Q R S – C1 C2 C3 C4) with router interface port numbers on the links]

