Denial of Service
A Brief Overview
Denial of Service
• Significance of DoS in Internet Security
• Low-Rate DoS Attacks
– Timing and detection
– Defense
• High-Rate, Distributed Attacks
– Botnets
– Detection and Defense Strategies
Significance of DoS
• Accessibility to services is a key part of Internet security.
• The number of web sites and companies affected by DoS attacks is high, and rising.
• Banking companies attacked for revenge.
• Businesses forced to pay criminals to prevent monetary losses caused by shutdown of their web sites.
Figure: ITU-T Recommendation X.805 Security Architecture [1]
Low-Rate TCP DoS Attack
• Periodic short bursts exploiting the minimum retransmission timeout of TCP flows.
• Kuzmanovic and Knightly showed these attacks are feasible while difficult to detect.
• Sun et al. proposed a distributed detection mechanism employing pattern matching using Dynamic Time Warping.
Figure: TCP Retransmission Timer [6]
Figure: Low-Rate Attack Timing [8]
Figure: Dynamic Time Warping Histogram [8]
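The pattern-matching idea behind the Sun et al. detector, shown as an added example (this is not code from the slides or from the cited paper). It assumes a router has binned its output-port packet counts into 100 ms intervals, that the attack period equals the TCP minimum RTO of 1 s, and that a square-wave template (one burst bin, nine quiet bins) is a fair signature; the DTW threshold of 3.0 is a tuning value chosen for the constructed samples, not a published constant.

```python
"""Low-rate TCP DoS detection with Dynamic Time Warping (DTW).

Added example, not code from the slides or from Sun et al.  It assumes a
router has binned its output-port packet counts into 100 ms intervals and
that the attack period equals the TCP minimum RTO of 1 s, so the signature
is a square wave: a one-bin burst followed by nine quiet bins.
"""
from typing import List, Tuple

BIN_S = 0.1          # assumed bin width in seconds
MIN_RTO_S = 1.0      # assumed attack period (TCP minRTO)
PERIOD_BINS = round(MIN_RTO_S / BIN_S)


def burst_template(periods: int, burst_bins: int = 1) -> List[float]:
    """Square-wave signature of a low-rate attack, normalised to peak 1.0."""
    one_period = [1.0] * burst_bins + [0.0] * (PERIOD_BINS - burst_bins)
    return one_period * periods


def normalize(series: List[float]) -> List[float]:
    """Scale a count series so its peak is 1.0 (an all-zero series stays zero)."""
    peak = max(series) if series and max(series) > 0 else 1.0
    return [x / peak for x in series]


def dtw_distance(a: List[float], b: List[float]) -> float:
    """Classic O(n*m) DTW with absolute-difference local cost."""
    n, m = len(a), len(b)
    inf = float("inf")
    prev = [0.0] + [inf] * m
    for i in range(1, n + 1):
        cur = [inf] * (m + 1)
        for j in range(1, m + 1):
            cost = abs(a[i - 1] - b[j - 1])
            cur[j] = cost + min(prev[j], cur[j - 1], prev[j - 1])
        prev = cur
    return prev[m]


def is_low_rate_attack(counts: List[float], threshold: float = 3.0) -> Tuple[bool, float]:
    """Compare the observed series against a template of equal length.

    Returns (verdict, distance).  The threshold is a tuning knob chosen for
    this example; a deployment would calibrate it on known-good traffic.
    """
    periods = max(1, len(counts) // PERIOD_BINS)
    template = burst_template(periods)
    dist = dtw_distance(normalize(counts), template)
    return dist < threshold, dist


# Constructed samples (not captured traffic): three seconds of 100 ms bins.
# Attack: 500-packet bursts at 0.0 s, 1.1 s (jittered) and 2.0 s over a
# 10-packet background.  Legitimate: steady traffic around 100 packets/bin.
ATTACK_COUNTS = [10.0] * 30
for _burst in (0, 11, 20):
    ATTACK_COUNTS[_burst] = 500.0
LEGIT_COUNTS = [90.0, 110.0, 100.0, 95.0, 105.0] * 6

if __name__ == "__main__":
    for name, series in (("attack", ATTACK_COUNTS), ("legit", LEGIT_COUNTS)):
        verdict, dist = is_low_rate_attack(series)
        print(f"{name}: dtw={dist:.2f} low-rate-attack={verdict}")
```

DTW rather than a plain Euclidean distance is what lets the jittered second burst (at 1.1 s instead of 1.0 s) still match the template cheaply; steady legitimate traffic scores badly because every quiet bin of the template has to be paid for.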
Proposed Defense
• Router detects matching traffic on output port, looks for it on each input port. If found on input port, push back detection to upstream routers.
• If not detected at input ports, assume distributed attack method is being used.
• Use Deficit Round Robin (DRR) scheduling to ensure fairness for flow from each input.
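The fairness property the DRR step relies on, as an added example (not code from the slides). It assumes one output port fed by several input ports, each holding a FIFO of packet sizes in bytes; the quantum, the round count and the queue contents are constructed for the illustration.

```python
"""Deficit Round Robin (DRR) across router input ports.

Added example, not from the slides.  Every round each input port earns a
fixed quantum of bytes, so an input port carrying a flood of full-size
packets cannot starve the other inputs of the shared output port.
"""
from collections import deque
from typing import Dict, List, Tuple


def drr_schedule(packets_per_input: Dict[int, List[int]], quantum: int,
                 rounds: int) -> List[Tuple[int, int]]:
    """Run DRR for `rounds` rounds; return (input_port, size) in send order."""
    queues = {port: deque(sizes) for port, sizes in packets_per_input.items()}
    deficit = {port: 0 for port in queues}
    sent: List[Tuple[int, int]] = []
    for _ in range(rounds):
        if not any(queues.values()):
            break
        for port, queue in queues.items():      # fixed round-robin order
            if not queue:
                deficit[port] = 0               # DRR: an idle queue keeps no credit
                continue
            deficit[port] += quantum
            while queue and queue[0] <= deficit[port]:
                size = queue.popleft()
                deficit[port] -= size
                sent.append((port, size))
    return sent


def bytes_per_port(sent: List[Tuple[int, int]]) -> Dict[int, int]:
    """Total bytes forwarded per input port."""
    totals: Dict[int, int] = {}
    for port, size in sent:
        totals[port] = totals.get(port, 0) + size
    return totals


# Constructed input: port 0 is flooding with 40 full-size packets, while
# ports 1 and 2 carry a handful of legitimate packets each.
INPUT_QUEUES = {0: [1500] * 40, 1: [100] * 10, 2: [500] * 5}

if __name__ == "__main__":
    order = drr_schedule(INPUT_QUEUES, quantum=1500, rounds=3)
    print(bytes_per_port(order))   # ports 1 and 2 are fully drained within 3 rounds
```

With a 1500-byte quantum the flooding port sends exactly one packet per round, so the two legitimate inputs are drained completely in three rounds instead of waiting behind 60,000 bytes of attack traffic in a single FIFO.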
Distributed Denial of Service (DDoS)
• Role of Botnets
• Botnet Creation
• Botnet Control Mechanism
• DDoS Defense Strategies
Figure [5]
Estimated Size of Botnets
• Conficker (DownAdUp) worm (2008) – 7,000,000 to 10,500,000 hosts.
• Mariposa (2008) – 12,000,000 hosts
• Bredolab (2009) – 30,000,000 hosts
• Most botnets have not been fully infiltrated or shut down… the total number of remotely controlled machines is unknown.
• Source: F-Secure, Infosecurity (UK), and Kaspersky Lab
Botnet Creation
• Host computers are infected by worms, viruses, or by execution of trojan-horse software.
• Worm propagation between web servers causes normally safe and legitimate web sites to serve malicious content to users, infecting the user's computer.
Figure: Worm-Based Botnet Creation [2]
Botnet Command and Control
• Most common method of control is through use of Internet Relay Chat (IRC) protocols and servers.
• Infected machines may also connect to controlling servers using HTTP protocol.
Figure: IRC Controlled Botnet [4]
DDoS Defense Strategies
• Monitoring and early detection.
• Adaptive detection and defense employing Hop-Count Filtering.
• Collaborative detection over multiple domains.
• Traffic visualization.
Monitoring and Detection
• Detect malware propagation during early, exponential growth phase (trend detection).
• Look for similar statistical characteristics.
• Growth rate converges around a constant, positive exponential rate.
• Non-uniform scan worm (Blaster) detection benefits from a widely distributed detection network.
Figure: Worm Propagation Model [10]
Figure: Code Red and Blaster Propagation [9]
Figure: Worm Monitoring System [10]
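The trend-detection idea from the monitoring slide, as an added example (not code from the slides or from the cited monitoring papers). It assumes a simple discrete epidemic model in which each infected host compromises beta vulnerable hosts per step, and a detector that estimates the per-step growth rate from the infected-host counts a monitoring network would report; the window, rate floor and tolerance are constructed tuning values.

```python
"""Early-phase worm growth and trend detection.

Added example, not code from the slides or from the cited monitoring work.
The detector alerts when successive growth-rate estimates converge to a
constant positive value, which is the signature of the exponential phase
the slides describe; benign fluctuation produces no sustained rate.
"""
import math
from typing import List, Optional, Tuple


def simulate_worm(n_hosts: int, initial: int, beta: float, steps: int) -> List[float]:
    """Discrete logistic epidemic: I(t+1) = I(t) + beta*I(t)*(N - I(t))/N."""
    infected = [float(initial)]
    for _ in range(steps):
        i = infected[-1]
        infected.append(i + beta * i * (n_hosts - i) / n_hosts)
    return infected


def growth_rates(counts: List[float]) -> List[float]:
    """Per-step exponential growth rate ln(I(t)/I(t-1)); counts must be > 0."""
    return [math.log(counts[t] / counts[t - 1]) for t in range(1, len(counts))]


def trend_detector(counts: List[float], window: int = 5, min_rate: float = 0.05,
                   tolerance: float = 0.05) -> Optional[Tuple[int, float]]:
    """Return (step, estimated rate) at the first window whose rate estimates
    all agree within `tolerance` and whose mean exceeds `min_rate`.
    Returns None when no exponential trend is present."""
    rates = growth_rates(counts)
    for end in range(window, len(rates) + 1):
        recent = rates[end - window:end]
        mean = sum(recent) / window
        if mean > min_rate and all(abs(r - mean) <= tolerance for r in recent):
            return end, mean            # `end` indexes the counts series
    return None


# Constructed series: a worm with beta=0.3 in a population of 100,000 hosts,
# and benign scan counts that wander around 100 with no sustained trend.
WORM_COUNTS = simulate_worm(n_hosts=100_000, initial=10, beta=0.3, steps=30)
BENIGN_COUNTS = [100, 104, 98, 103, 97, 101, 105, 99, 102, 100, 103, 98]

if __name__ == "__main__":
    print("worm:", trend_detector(WORM_COUNTS))
    print("benign:", trend_detector(BENIGN_COUNTS))
```

In the early phase (infected hosts a tiny fraction of the population) the logistic model's step ratio is almost exactly 1 + beta, so the rate estimates converge immediately and the alert fires after the first full window, long before the curve bends toward saturation.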
Adaptive Defense
• Suitable for large traffic flows, such as worm propagation and DDoS.
• Relies on a good estimation of attack severity.
• Works to minimize the sum of the costs of false positives and false negatives by choosing the optimal configuration.
• SYN flooding is easy to detect, but hard to filter.
• Hop count filtering.
Hop Count Filtering
• Spoofed packets may have a modified TTL in the IP header, but attackers cannot know the true hop count from the machines whose IP addresses they are faking to the target.
• Memory constraints prevent storage of a hop count for every address, so address aggregation is used.
• Filter selectivity adjusted adaptively.
Figure: Adaptive Defense Architecture [9]
Figure: Adaptive HCF Cost [9]
Figure: Adaptive Defense Performance [9]
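The hop-count check described on the slide, as an added example (not code from the slides or from the HCF papers). It assumes the usual set of common initial TTL values (32, 64, 128, 255), an IP-to-hop-count table learned from traffic known to be legitimate and aggregated per /24 prefix, and a tolerance knob standing in for the adaptive selectivity adjustment; the addresses and TTLs are constructed from documentation ranges.

```python
"""Hop-Count Filtering (HCF) for spoofed-source packets.

Added example, not code from the slides or the HCF papers.  A sender can set
any TTL it likes, but it cannot know how many hops the address it is forging
really is from the target, so the hop count inferred from the arriving TTL
disagrees with the value learned from genuine traffic for that prefix.
"""
import ipaddress
from typing import Dict, Iterable, Tuple

INITIAL_TTLS = (32, 64, 128, 255)   # common OS defaults, assumed


def infer_hop_count(ttl: int) -> int:
    """Hop count = smallest common initial TTL >= observed TTL, minus the TTL."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError("TTL cannot exceed 255")


def prefix24(ip: str) -> str:
    """Aggregate addresses to their /24 so the table stays small."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


class HopCountFilter:
    def __init__(self, tolerance: int = 0):
        self.table: Dict[str, int] = {}
        self.tolerance = tolerance   # 0 = strict; raised when false positives climb

    def learn(self, ip: str, ttl: int) -> None:
        """Record the hop count of a packet known to be legitimate."""
        self.table[prefix24(ip)] = infer_hop_count(ttl)

    def check(self, ip: str, ttl: int) -> str:
        """Return 'spoofed', 'ok' or 'unknown' (prefix never seen)."""
        key = prefix24(ip)
        if key not in self.table:
            return "unknown"
        if abs(infer_hop_count(ttl) - self.table[key]) > self.tolerance:
            return "spoofed"
        return "ok"


def summarize(hcf: HopCountFilter, packets: Iterable[Tuple[str, int]]) -> Dict[str, int]:
    """Count verdicts over a batch of (source_ip, ttl) packets."""
    counts: Dict[str, int] = {"ok": 0, "spoofed": 0, "unknown": 0}
    for ip, ttl in packets:
        counts[hcf.check(ip, ttl)] += 1
    return counts


# Constructed traffic: 203.0.113.0/24 is 12 hops away (initial TTL 64 arriving
# as 52).  The forged packets claim that prefix but arrive with TTLs that
# imply 8 hops (128-based) or 6 hops (255-based), so the hop count betrays them.
HCF = HopCountFilter()
HCF.learn("203.0.113.7", 52)
PACKETS = [
    ("203.0.113.9", 52),      # genuine: same /24, same hop count
    ("203.0.113.20", 120),    # forged: sender 8 hops away, initial TTL 128
    ("203.0.113.21", 249),    # forged: sender 6 hops away, initial TTL 255
    ("198.51.100.5", 60),     # prefix not yet in the table
]

if __name__ == "__main__":
    print(summarize(HCF, PACKETS))   # {'ok': 1, 'spoofed': 2, 'unknown': 1}
```

The inferred hop count is only an estimate: route changes and hosts with unusual initial TTLs shift it by a hop or two, which is why the slide's adaptive selectivity (here the `tolerance` argument) matters, and why an "unknown" prefix is reported rather than dropped until the table has learned it.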
Collaborative Detection Method
• Use a distributed system to leverage network topology.
• Implement in core ISP network domains covering edge networks where protected systems are physically connected.
• Detection at traffic superflow level.
• Distributed Change-Point Detection (DCD).
• Change Aggregation Trees (CAT).
Figure: Superflow Traffic Model [3]
Distributed Change-Point Detection
• Hierarchical detection architecture.
• Deployed over multiple domains.
• Central CAT server in each domain.
• Merges CAT sub-trees from collaborative servers into a global CAT, with the root at the victim's location.
• Three layer organization.
DCD Three Layer Organization
• At lowest layer, a single router detects local traffic fluctuations using a change-point detection program.
• At each network domain, a CAT server constructs a CAT sub-tree according to alerts collected from routers.
• At highest layer, CAT servers form an overlay network, communicating over VPN channels.
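The three layers of the previous two slides carried through end to end, as an added example (not code from the slides or from the DCD/CAT paper). It assumes each router runs a one-sided CUSUM on its per-interval packet count toward the victim, that each domain's CAT server turns the alerting routers in its domain into sub-tree edges (router to next hop toward the victim), and that the global merge roots the combined tree at the victim; the topology, counts and CUSUM parameters are all constructed.

```python
"""Distributed change-point detection (DCD) with a change aggregation tree.

Added example, not code from the slides or the DCD/CAT paper.  Layer 1 is a
per-router CUSUM, layer 2 the per-domain CAT sub-tree, layer 3 the merge of
sub-trees into a global CAT rooted at the victim.  An alert only counts when
it lies on a path that reaches the victim through other alerting routers.
"""
from typing import Dict, List, Optional, Tuple

# Constructed topology: router -> (domain, next hop toward the victim).
TOPOLOGY: Dict[str, Tuple[str, str]] = {
    "r1": ("ispA", "r2"),
    "r2": ("ispA", "r4"),
    "r3": ("ispB", "r4"),
    "r4": ("ispB", "victim"),
    "r5": ("ispB", "r4"),       # carries only normal traffic
}

# Constructed per-interval counts: baseline about 100, then a surge on the
# routers that lie on attack paths (r1 feeds r2, r2 and r3 converge at r4).
SERIES: Dict[str, List[float]] = {
    "r1": [100] * 5 + [300] * 5,
    "r2": [100] * 5 + [300] * 5,
    "r3": [100] * 5 + [250] * 5,
    "r4": [100] * 5 + [500] * 5,
    "r5": [100, 110, 95, 105, 100, 98, 112, 101, 97, 104],
}


def cusum_change_point(series: List[float], baseline: float, drift: float,
                       threshold: float) -> Optional[int]:
    """One-sided CUSUM: index of the first interval where the accumulated
    positive deviation exceeds `threshold`, else None."""
    s = 0.0
    for t, x in enumerate(series):
        s = max(0.0, s + (x - baseline - drift))
        if s > threshold:
            return t
    return None


def local_alerts(series_by_router: Dict[str, List[float]], baseline: float = 100.0,
                 drift: float = 10.0, threshold: float = 150.0) -> Dict[str, int]:
    """Layer 1: each router runs CUSUM on its own counts."""
    alerts: Dict[str, int] = {}
    for router, series in series_by_router.items():
        t = cusum_change_point(series, baseline, drift, threshold)
        if t is not None:
            alerts[router] = t
    return alerts


def domain_cat_subtree(alerts: Dict[str, int], topology: Dict[str, Tuple[str, str]],
                       domain: str) -> List[Tuple[str, str]]:
    """Layer 2: the domain's CAT server links each alerting router to its next hop."""
    return [(r, topology[r][1]) for r in sorted(alerts) if topology[r][0] == domain]


def merge_global_cat(subtrees: List[List[Tuple[str, str]]],
                     root: str = "victim") -> Dict[str, List[str]]:
    """Layer 3: merge sub-trees into one parent -> children map rooted at the
    victim; alerting routers not connected to the root are dropped."""
    children: Dict[str, List[str]] = {}
    for edges in subtrees:
        for router, next_hop in edges:
            children.setdefault(next_hop, []).append(router)
    tree: Dict[str, List[str]] = {}
    stack = [root]
    while stack:
        node = stack.pop()
        tree[node] = sorted(children.get(node, []))
        stack.extend(tree[node])
    return tree


def attack_confirmed(tree: Dict[str, List[str]], min_routers: int = 3) -> bool:
    """Declare a DDoS when enough routers on converging paths raised alerts."""
    return sum(len(kids) for kids in tree.values()) >= min_routers


def run_dcd() -> Tuple[Dict[str, int], Dict[str, List[str]]]:
    alerts = local_alerts(SERIES)
    subtrees = [domain_cat_subtree(alerts, TOPOLOGY, d) for d in ("ispA", "ispB")]
    return alerts, merge_global_cat(subtrees)


if __name__ == "__main__":
    alerts, tree = run_dcd()
    print("alerts:", alerts)
    print("global CAT:", tree, "attack:", attack_confirmed(tree))
```

The merge step is what turns isolated per-router fluctuations into evidence: a single router's alert that does not chain toward the victim never enters the tree, while alerts from two domains that converge on the same downstream router form a tree whose shape shows where the flows aggregate.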
Visualization Research Example
• Using Hierarchical Network Maps.
• Treemap approach, with each node in the hierarchy drawn as a box placed inside its parent.
• Using IP address and time as the map's dimensions, the approach can be applied to Internet monitoring.
Botnet Growth Example
• Rapid spread of botnet computers in China in August 2006 over an eight day period, as observed by a large service provider.
• Prefix labels anonymized here because of privacy concerns.
Figure: Botnet Infections: Day 1 [7]
Figure: Botnet Infections: Day 5 [7]
Figure: Botnet Infections: Day 9 [7]
Conclusion
• Denial of Service attacks are a continuing problem.
• Active research is underway to study vulnerabilities to attacks and methods of mitigation.
• Much work remains to be done before the problem will be solved.
Questions?