Posted: 25-Dec-2015 (lecture slides)
Denial of Service
• Significance of DoS in Internet Security
• Low-Rate DoS Attacks
– Timing and detection
– Defense
• High-Rate, Distributed Attacks
– Botnets
– Detection and Defense Strategies
Significance of DoS
• Availability of services is a key part of Internet security.
• The number of web sites and companies affected by DoS attacks is high, and rising.
• Banking companies have been attacked for revenge.
• Businesses have been forced to pay criminals (extortion) to prevent the monetary losses caused by shutdown of their web sites.
Low-Rate TCP DoS Attack
• Periodic short bursts exploiting the minimum retransmission timeout (minRTO) of TCP flows: each burst fills the bottleneck queue just as the victim's flows retry, so they fall back into timeout again while the attacker's average rate stays low.
• Kuzmanovic and Knightly (SIGCOMM 2003) showed these "shrew" attacks are feasible and difficult to detect, because their average rate looks benign.
• Sun et al. proposed a distributed detection mechanism that uses pattern matching (Dynamic Time Warping) to recognize the periodic burst signature rather than the volume.
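To make the timing and detection points concrete, here is an added example (not the code of Sun et al.) that scores a traffic series against an ideal shrew burst template with Dynamic Time Warping. The 100 ms slot size, the burst template, the DTW threshold and both traffic series are constructed assumptions.

```python
"""Pattern-matching detection of a low-rate (shrew) TCP DoS burst train with
Dynamic Time Warping (DTW).

Added example; not the code of Sun et al. The traffic series, the burst
template, the 100 ms slot size and the DTW threshold are all constructed
assumptions for illustration."""


def dtw_distance(a, b):
    """Classic O(len(a)*len(b)) DTW with absolute-difference local cost."""
    n, m = len(a), len(b)
    inf = float("inf")
    d = [[inf] * (m + 1) for _ in range(n + 1)]
    d[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = abs(a[i - 1] - b[j - 1])
            d[i][j] = cost + min(d[i - 1][j], d[i][j - 1], d[i - 1][j - 1])
    return d[n][m]


def normalize(series):
    """Scale to [0, 1] so DTW compares the shape of the series, not its volume."""
    lo, hi = min(series), max(series)
    if hi == lo:
        return [0.0] * len(series)
    return [(x - lo) / (hi - lo) for x in series]


def shrew_template(period, burst_len, length):
    """Ideal shrew pattern: `burst_len` busy slots every `period` slots.
    With 100 ms slots, period=10 is a 1 s cycle, matching TCP's 1 s minRTO
    (RFC 6298), which is what the attack is tuned to."""
    return [1.0 if (i % period) < burst_len else 0.0 for i in range(length)]


def is_low_rate_attack(series, period=10, burst_len=2, threshold=4.0):
    """Flag `series` (kB per slot) if its shape is within `threshold` of the
    shrew template under DTW. The threshold is an assumed tuning value."""
    template = shrew_template(period, burst_len, len(series))
    return dtw_distance(normalize(series), template) <= threshold


def mean_rate(series):
    return sum(series) / len(series)


# Constructed sample traffic (kB per 100 ms slot), 4 s of observation.
# Attack: ~500 kB bursts in two slots of every ten, near-idle otherwise,
# with a little jitter so the shape is not a perfect square wave.
ATTACK = [480 + (i % 3) * 20 if i % 10 < 2 else 5 + (i % 4) for i in range(40)]
# Benign: steady traffic around 100 kB/slot with non-periodic fluctuation.
BENIGN = [100 + (i * 7) % 13 for i in range(40)]

if __name__ == "__main__":
    # Both series carry about the same average load, so a rate threshold
    # cannot separate them; the periodic shape can.
    print("mean kB/slot attack=%.1f benign=%.1f" % (mean_rate(ATTACK), mean_rate(BENIGN)))
    print("attack flagged:", is_low_rate_attack(ATTACK))
    print("benign flagged:", is_low_rate_attack(BENIGN))
```

The two constructed series have nearly the same mean rate, which is exactly why a volume threshold misses the shrew attack; DTW matches on shape and tolerates phase shift and jitter in the bursts, which a fixed-lag correlation would not. The O(n·m) cost is acceptable only over short windows such as the 40-slot one here.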
Proposed Defense
• A router that detects the matching burst pattern on an output port looks for it on each input port. If it is found on an input port, detection is pushed back to the upstream router on that port.
• If the pattern is not visible on any single input port, a distributed attack (bursts spread across many inputs) is assumed.
• Deficit Round Robin (DRR) scheduling is used to ensure fairness among flows from each input, so a bursting input cannot monopolize the output queue.
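The following added example (not the authors' code) runs Deficit Round Robin across three input ports and contrasts it with a plain FIFO output queue, to show why the defense above reaches for DRR. Packet sizes, the quantum, the link budget and the flood scenario are constructed.

```python
"""Deficit Round Robin (DRR) across router input ports, contrasted with a
plain FIFO output queue.

Added example, not the authors' code. Packet sizes, the quantum and the
flood scenario are constructed for illustration."""

from collections import deque


def drr_schedule(queues, quantum, max_bytes):
    """Serve `queues` (port -> deque of packet sizes, bytes) with DRR until
    `max_bytes` have been transmitted or all queues are empty.
    Returns (transmission order, bytes sent per port)."""
    deficit = {p: 0 for p in queues}
    sent = {p: 0 for p in queues}
    order = []
    total = 0
    while total < max_bytes and any(queues.values()):
        for port in queues:                 # one round visits each port once
            q = queues[port]
            if not q:
                deficit[port] = 0           # an idle port earns no credit
                continue
            deficit[port] += quantum        # each round adds one quantum
            # Send while the head-of-line packet fits in the accumulated deficit.
            while q and q[0] <= deficit[port] and total < max_bytes:
                size = q.popleft()
                deficit[port] -= size
                sent[port] += size
                total += size
                order.append((port, size))
            if not q:
                deficit[port] = 0
            if total >= max_bytes:
                break
    return order, sent


def fifo_schedule(arrivals, max_bytes):
    """Baseline: a single FIFO output queue serves packets in arrival order."""
    sent = {}
    total = 0
    for port, size in arrivals:
        if total >= max_bytes:
            break
        sent[port] = sent.get(port, 0) + size
        total += size
    return sent


# Constructed scenario: port 0 carries a burst of 200 x 1500-byte attack
# packets that arrives first; ports 1 and 2 carry ordinary traffic.
FLOOD = [(0, 1500)] * 200
NORMAL = [(1, 500)] * 40 + [(2, 1500)] * 20
ARRIVALS = FLOOD + NORMAL
QUANTUM = 1500        # bytes of credit per port per round
LINK_BUDGET = 30000   # bytes the output link can send in the window


def build_queues(arrivals):
    """Sort arrivals into one queue per input port (insertion order kept)."""
    queues = {}
    for port, size in arrivals:
        queues.setdefault(port, deque()).append(size)
    return queues


def compare():
    """Bytes per port under FIFO and under DRR for the same arrivals."""
    fifo = fifo_schedule(ARRIVALS, LINK_BUDGET)
    _, drr = drr_schedule(build_queues(ARRIVALS), QUANTUM, LINK_BUDGET)
    return fifo, drr


if __name__ == "__main__":
    fifo, drr = compare()
    print("FIFO bytes per port:", fifo)   # the flood takes the whole link
    print("DRR  bytes per port:", drr)    # each active port gets ~1/3
```

Under FIFO the burst on port 0 consumes the entire link budget; under DRR no port's share differs from another's by more than one quantum. Note the limit the previous bullet already states: per-input fairness only helps when the bursts arrive on a minority of inputs; if the attacker spreads them across every input port, DRR shares the output evenly among attack traffic and something else must detect the pattern.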
Distributed Denial of Service (DDoS)
• Role of Botnets
• Botnet Creation
• Botnet Control Mechanism
• DDoS Defense Strategies
Estimated Size of Botnets
• Conficker (DownAdUp) worm (2008): 7,000,000 to 10,500,000 hosts.
• Mariposa (2008): 12,000,000 hosts.
• Bredolab (2009): 30,000,000 hosts.
• Most botnets have not been fully infiltrated or shut down, so the total number of remotely controlled machines is unknown.
• Sources: F-Secure, Infosecurity (UK), and Kaspersky Lab.
Botnet Creation
• Host computers are infected by worms, viruses, or by execution of trojan-horse software.
• Worm propagation between web servers causes normally safe and legitimate web sites to serve malicious content (drive-by downloads), infecting the computers of visiting users.
Botnet Command and Control
• The most common method of control, at the time of this survey, was through Internet Relay Chat (IRC) protocols and servers.
• Infected machines may also connect to controlling servers over HTTP, which blends in with ordinary web traffic and passes most firewalls.
DDoS Defense Strategies
• Monitoring and early detection.
• Adaptive detection and defense employing Hop-Count Filtering.
• Collaborative detection over multiple domains.
• Traffic visualization.
Monitoring and Detection
• Detect malware propagation during the early, exponential growth phase (trend detection).
• Look for similar statistical characteristics across observation points.
• In that phase the growth rate converges around a constant, positive exponential rate, which distinguishes a spreading worm from ordinary fluctuation.
• Detection of non-uniform-scan worms (e.g. Blaster) benefits from a widely distributed detection network, since a single vantage point sees only part of the scan space.
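As an added illustration of trend detection (not the monitoring system's own code), the example below estimates the exponential growth rate of monitored counts over a sliding window and alarms once the estimate settles at a positive constant. The sliding-window least-squares estimator, the thresholds and both count series are assumptions chosen for illustration.

```python
"""Early-phase worm trend detection: estimate the exponential growth rate of
observed infection/scan counts and alarm when the estimate settles at a
positive constant.

Added example (not the monitoring system's own code); the estimator, the
thresholds and the count series are constructed assumptions."""

import math


def growth_rate(counts):
    """Least-squares slope of ln(count) against interval index over the
    window: the per-interval rate r in count(t) ~ C * exp(r t)."""
    ys = [math.log(max(c, 1)) for c in counts]   # guard against zero counts
    n = len(ys)
    xm = (n - 1) / 2
    ym = sum(ys) / n
    sxy = sum((i - xm) * (y - ym) for i, y in enumerate(ys))
    sxx = sum((i - xm) ** 2 for i in range(n))
    return sxy / sxx


def trend_alarm(counts, window=5, min_rate=0.2, stable=3, spread=0.05):
    """Return the index at which `stable` consecutive window estimates are all
    >= min_rate and lie within `spread` of each other (rate has converged to a
    positive constant), else None."""
    rates = []
    for end in range(window, len(counts) + 1):
        rates.append(growth_rate(counts[end - window:end]))
        if len(rates) >= stable:
            recent = rates[-stable:]
            if min(recent) >= min_rate and max(recent) - min(recent) <= spread:
                return end - 1
    return None


# Constructed series of counts per interval (e.g. new infected hosts seen by
# the monitor). WORM grows at ~35% per interval; NOISY wobbles between 20 and 30.
WORM = [round(20 * math.exp(0.35 * t)) for t in range(15)]
NOISY = [20 + (t * 7) % 11 for t in range(15)]

if __name__ == "__main__":
    print("worm  alarm at interval:", trend_alarm(WORM))
    print("noisy alarm at interval:", trend_alarm(NOISY))
```

The worm series trips the alarm within a handful of intervals of the window filling, while bounded fluctuation never produces a sustained positive slope; in a deployment the per-interval counts would come from the distributed sensors the slide describes, merged before estimation.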
Adaptive Defense
• Suitable for large traffic flows, such as worm propagation and DDoS.
• Relies on a good estimation of attack severity.
• Works to minimize the sum of the costs of false positives and false negatives by choosing the optimal filter configuration for the estimated severity.
• SYN flooding is easy to detect but hard to filter, because the spoofed sources look legitimate; hop-count filtering addresses this.
Hop Count Filtering
• Spoofed packets may carry any TTL in the IP header, but the attacker cannot know the true hop count from the hosts whose IP addresses it is spoofing to the target, so the hop count inferred from the arriving TTL will usually disagree with the one recorded for the genuine source.
• Memory constraints prevent storing a hop count for every address, so address aggregation (a single entry per prefix) is used.
• Filter selectivity (the tolerated hop-count deviation) is adjusted adaptively: strict under attack, looser otherwise.
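The added example below (not the authors' implementation) puts the three bullets together: hop count inferred from TTL, a table aggregated per /24 prefix, and an adjustable tolerance. Addresses come from the RFC 5737 documentation ranges; the TTLs, hop counts and the packet trace are constructed.

```python
"""Hop-count filtering (HCF) with prefix aggregation and an adjustable
tolerance, applied to a constructed packet trace.

Added example, not the authors' implementation. Addresses are from the
documentation ranges (RFC 5737); TTLs, hop counts and the trace are
constructed."""

import ipaddress

# Initial TTLs used by common IP stacks. An observed TTL is mapped to the
# smallest initial value that is >= it; the difference is the hop count.
INITIAL_TTLS = (32, 64, 128, 255)


def infer_hop_count(ttl):
    """Hop count implied by the TTL seen at the target."""
    if not 0 <= ttl <= 255:
        raise ValueError("TTL out of range")
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise AssertionError("unreachable: 255 covers every TTL")


def prefix_key(ip, prefix_len):
    """Aggregate a source address to its prefix (the slide's address aggregation)."""
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


class HopCountFilter:
    def __init__(self, prefix_len=24, tolerance=0):
        self.prefix_len = prefix_len
        self.tolerance = tolerance   # allowed |observed - expected| hops
        self.table = {}              # prefix -> expected hop count

    def learn(self, ip, ttl):
        """Record the hop count for a source known to be genuine, e.g. one
        that completed a TCP handshake (a spoofer cannot complete it)."""
        self.table[prefix_key(ip, self.prefix_len)] = infer_hop_count(ttl)

    def set_tolerance(self, tolerance):
        """Adaptive selectivity: strict (0) under attack, looser otherwise."""
        self.tolerance = tolerance

    def verdict(self, ip, ttl):
        """'unknown' if the prefix was never learned, else 'ok' or 'spoofed'."""
        key = prefix_key(ip, self.prefix_len)
        if key not in self.table:
            return "unknown"
        if abs(infer_hop_count(ttl) - self.table[key]) > self.tolerance:
            return "spoofed"
        return "ok"


def filter_trace(hcf, packets):
    """Count verdicts over a list of (src_ip, ttl) packets."""
    counts = {"ok": 0, "spoofed": 0, "unknown": 0}
    for ip, ttl in packets:
        counts[hcf.verdict(ip, ttl)] += 1
    return counts


# Constructed trace. Genuine hosts in 198.51.100.0/24 sit 12 hops away and
# run a 64-TTL stack, so their packets arrive with TTL 52. The attacker is
# 10 hops away with a 128-TTL stack, so its packets arrive with TTL 118
# whatever source address it writes into them.
TRACE = [
    ("198.51.100.7", 52),    # genuine
    ("198.51.100.9", 52),    # genuine, same /24
    ("198.51.100.9", 118),   # spoofed: 10 hops inferred, 12 expected
    ("198.51.100.20", 118),  # spoofed
    ("203.0.113.4", 118),    # prefix never learned: cannot judge
]


def run_filter(tolerance):
    """Learn one genuine source, then filter the trace at the given tolerance."""
    hcf = HopCountFilter(prefix_len=24, tolerance=tolerance)
    hcf.learn("198.51.100.7", 52)   # learned from a completed handshake
    return filter_trace(hcf, TRACE)


if __name__ == "__main__":
    print("strict  (tolerance 0):", run_filter(0))
    print("relaxed (tolerance 2):", run_filter(2))
```

Two caveats a deployment must accept: a spoofer that happens to write a TTL whose inferred hop count matches (here, TTL 243 with a 255 initial also gives 12) is not caught, and the 32/64 initial values are ambiguous for paths longer than 32 hops. The tolerance exists because hosts within one aggregated prefix may legitimately differ by a hop or two, which is why it is tightened only while an attack is in progress.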
Collaborative Detection Method
• Use a distributed system to leverage network topology.
• Implement in core ISP network domains covering the edge networks where protected systems are physically connected.
• Detection at the traffic superflow level
• Distributed Change-Point Detection (DCD)
• Change Aggregation Trees (CAT)
Distributed Change-Point Detection
• Hierarchical detection architecture
• Deployed over multiple domains
• Central CAT server in each domain
• Merges CAT sub-trees from collaborating servers into a global CAT, with the root at the victim's location.
• Three layer organization.
DCD Three Layer Organization
• At the lowest layer, each router detects local traffic fluctuations with a change-point detection algorithm and raises an alert.
• At each network domain, a CAT server constructs a CAT sub-tree from the alerts collected from its routers.
• At the highest layer, the CAT servers form an overlay network, communicating over VPN channels, to merge sub-trees across domains.
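To show the two lower layers working together, the added example below (not the DCD authors' code) runs a non-parametric CUSUM change-point detector on each router's per-interval counts and then builds a Change Aggregation Tree rooted at the victim side from the routers that alerted. CUSUM as the router-level algorithm, the tree-building rule, the seven-router topology, the traffic counts and the tuning parameters are all constructed assumptions.

```python
"""Router-level change-point detection (non-parametric CUSUM) feeding a
Change Aggregation Tree (CAT) rooted at the victim side, over a constructed
seven-router topology.

Added example, not the DCD authors' code. CUSUM as the router algorithm,
the traffic counts, the parameters and the topology are assumptions."""


def cusum_detect(samples, baseline, drift, threshold):
    """Non-parametric CUSUM on per-interval counts (e.g. SYNs toward the
    protected prefix). The statistic accumulates only the excess above
    baseline + drift, so ordinary fluctuation decays to zero while a
    sustained shift grows linearly. Returns (index of first alarm or None,
    statistic trace)."""
    s = 0.0
    trace = []
    for i, x in enumerate(samples):
        s = max(0.0, s + (x - baseline - drift))
        trace.append(s)
        if s > threshold:
            return i, trace
    return None, trace


def build_cat(root, parent, alerting):
    """Change Aggregation Tree: starting at the victim-side root, keep each
    upstream router that raised an alert and is connected to the root
    through other alerting routers (an isolated alarm does not join).
    `parent` maps router -> next router toward the victim.
    Returns {router: sorted list of children}."""
    children = {}
    for router, next_hop in parent.items():
        children.setdefault(next_hop, []).append(router)
    tree = {}
    stack = [root]
    while stack:
        node = stack.pop()
        kids = sorted(c for c in children.get(node, []) if c in alerting)
        tree[node] = kids
        stack.extend(kids)
    return tree


# Constructed per-interval SYN counts: 20 quiet intervals, then 4 more that
# are either still quiet or an attack ramp.
QUIET = [100 + n for n in (0, 5, -5, 10, -10)] * 4
NORMAL_SERIES = QUIET + [100, 105, 95, 110]
ATTACK_SERIES = QUIET + [150, 250, 400, 600]

BASELINE, DRIFT, THRESHOLD = 100, 20, 300   # assumed tuning

# Constructed topology; arrows point toward the victim behind R0.
#   R3 -> R1 -> R0 <- R2 <- R5
#   R6 -> R4 -> R1
PARENT = {"R1": "R0", "R2": "R0", "R3": "R1", "R4": "R1", "R5": "R2", "R6": "R4"}
TRAFFIC = {
    "R0": ATTACK_SERIES, "R1": ATTACK_SERIES, "R2": NORMAL_SERIES,
    "R3": ATTACK_SERIES, "R4": ATTACK_SERIES, "R5": ATTACK_SERIES,
    "R6": ATTACK_SERIES,
}


def detect_and_aggregate():
    """Layer 1: each router runs CUSUM locally. Layer 2: the domain's CAT
    server merges the alerts into a tree rooted at R0."""
    alerting = {r for r, series in TRAFFIC.items()
                if cusum_detect(series, BASELINE, DRIFT, THRESHOLD)[0] is not None}
    tree = build_cat("R0", PARENT, alerting)
    return alerting, tree


if __name__ == "__main__":
    alerting, tree = detect_and_aggregate()
    print("alerting routers:", sorted(alerting))
    print("CAT:", tree, "size", len(tree))
```

R5 alarms but sits behind R2, which saw nothing, so it stays out of the tree: the CAT size counts only alarms that line up along paths to the victim, which is what makes it a usable attack score rather than a raw alarm count. The third layer would exchange such sub-trees between domains' CAT servers and graft them at the shared border routers.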
Visualization Research Example
• Using Hierarchical Network Maps
• Treemap approach, with each node in the hierarchy (e.g. an address prefix) drawn as a box placed inside its parent.
• Using the dimensions of IP address and time, Internet-scale monitoring can be visualized on one display.
Botnet Growth Example
• Rapid spread of botnet computers in China in August 2006 over an eight day period, as observed by a large service provider.
• Prefix labels anonymized here because of privacy concerns.
Conclusion
• Denial of Service attacks are a continuing problem.
• Active research is underway to study vulnerabilities to attacks and methods of mitigation.
• Much work remains to be done before the problem will be solved.