DDoS Breakout Session Presentation [14 slides] (817 KB PPT file)

Experiments and Tools for DDoS Attacks
Roman Chertov, Sonia Fahmy, Rupak Sanjel, Ness Shroff
Center for Education and Research in Information Assurance and Security (CERIAS)
Purdue University
October 25th, 2004
1
Objectives
• Design, integrate, and deploy a methodology and tools for performing realistic and reproducible DDoS experiments:
  - Tools to configure traffic and attacks
  - Tools for automation of experiments, measurements, and visualization of results
  - Integration of multiple third-party software components
• Understand the testing requirements of different types of third-party detection and defense mechanisms
• Gain insight into the phenomenology of attacks, including their first-order and second-order effects, and their impact on defenses
2
Accomplishments
• Designed and implemented experimental tools:
  - Scriptable event system to control and synchronize events at multiple nodes
  - Automated measurement tools, log processing tools, and plotting tools
  - Automated configuration of interactive and replayed background traffic, routing, attack parameters, and measurements
• Generated requirements for DETER to easily support the testing of third-party products (e.g., ManHunt, Sentivist)
3
Accomplishments (cont’d)
• Analytical characterization, simulations, and experiments for low-rate TCP-targeted DDoS attacks
• Preliminary analysis of BGP behavior during DDoS, and of the impact of BGP on DDoS
4
Demonstration Topology
5
Scriptable Event System
• Handling more than a few computers quickly and reliably is a real challenge.
• There must be a central way to delegate arbitrary tasks to experimental nodes.
• Event completion notification is required to trigger further events in the experiment.
6
Routing
• DeterLab experiments can be run with static or OSPF routing; however, there is no support for BGP, RIP, IS-IS, etc.
• eBGP and iBGP routing can be accomplished with Quagga routing daemons.
• Initialization scripts coupled with the central control make it easy to restart all of the routers in the experiment to get a clean starting point.
7
Measurement
• Measuring system statistics at different points in the network can yield an understanding of what events are occurring in the entire network.
• A tool based on a 1-second timer records CPU, PPSin, PPSout, BPSin, BPSout, RTO, and memory. The collected logs can be aggregated and used to produce graphs via a collection of scripts.
• Future scripts will be able to correlate events between system measurement logs and routing log files.
8
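As an added example (not code from the slides or the CERIAS tools), the following Python sketch shows the core of such a 1-second sampler: it parses two /proc/net/dev snapshots taken one second apart and derives PPSin, PPSout, BPSin and BPSout per interface, then formats a log record that later scripts could aggregate. The snapshots are constructed by hand, the CSV log layout is assumed, and BPS is taken to mean bytes per second.

```python
# Added example (not from the slides): derive PPSin/PPSout/BPSin/BPSout from two
# Linux /proc/net/dev snapshots one second apart. Snapshots below are constructed by hand.
from dataclasses import dataclass

SNAPSHOT_T0 = """Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0: 1000000   10000    0    0    0     0          0         0  500000    5000    0    0    0     0       0          0
"""
SNAPSHOT_T1 = """Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0: 1600000   16000    0    0    0     0          0         0  560000    5600    0    0    0     0       0          0
"""

@dataclass
class Rates:
    pps_in: float   # packets/s received
    pps_out: float  # packets/s transmitted
    bps_in: float   # bytes/s received (assumption: the slide's BPS means bytes, not bits)
    bps_out: float  # bytes/s transmitted

def parse_proc_net_dev(text: str) -> dict:
    """Map interface name -> (rx_bytes, rx_packets, tx_bytes, tx_packets); counters are cumulative."""
    counters = {}
    for line in text.splitlines()[2:]:        # first two lines are column headers
        if ":" not in line:
            continue
        iface, rest = line.split(":", 1)
        f = rest.split()
        # receive: bytes packets errs drop fifo frame compressed multicast | transmit: bytes packets ...
        counters[iface.strip()] = (int(f[0]), int(f[1]), int(f[8]), int(f[9]))
    return counters

def rates(prev: dict, curr: dict, interval: float = 1.0) -> dict:
    """Per-interface rates between two snapshots `interval` seconds apart."""
    out = {}
    for iface, c in curr.items():
        p = prev.get(iface)
        if p is None:                         # interface appeared mid-run: no delta yet
            continue
        out[iface] = Rates((c[1] - p[1]) / interval, (c[3] - p[3]) / interval,
                           (c[0] - p[0]) / interval, (c[2] - p[2]) / interval)
    return out

def log_record(t: int, iface: str, r: Rates) -> str:
    """One per-second log line in a CSV layout assumed here so later scripts can aggregate it."""
    return f"{t},{iface},{r.pps_in:.0f},{r.pps_out:.0f},{r.bps_in:.0f},{r.bps_out:.0f}"
```

A real sampler would read /proc/net/dev on a 1-second timer and feed consecutive snapshots to `rates`; CPU, RTO and memory would come from separate sources such as /proc/stat and /proc/meminfo.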
Measurement (cont’d)
9
Challenges in Testing Third-Party
Mechanisms
• ManHunt license is IP/MAC specific → need control of machine selection in DETER
• Administration software: some products are for Windows XP only, e.g., Sentivist. Luckily, a command line interface is provided in this case.
• Some mechanisms require their own hardware to be installed (sensors/authentication).
• Certain features of mechanisms like traceback/pushback are dependent on interaction with the network devices (routers/switches).
10
Challenges (cont’d)
How to install sensors?
• Current solution: hardware bridging. Cannot install more than one sensor → a serious problem, since prior research has shown the limited effectiveness of single-point sensing.
• Future solution: software bridging.
11
Challenges (cont’d)
• Sentivist Sensor is distributed as a bootable CD-ROM.
  - Is it possible to “boot” a machine from an ISO image? Perhaps using a FreeBSD network install (Sentivist Sensor is built on FreeBSD), but there is no administrative privilege to do so.
  - Otherwise, someone needs to insert the CD-ROM in the drive.
• Sentivist Sensor installation requires interaction:
  - Must establish a serial console connection to the machine: COM1 or COM2, but there is no COM1 on DETER IBM machines.
  - Else someone needs to use a monitor and keyboard.
12
Plans
• Continue development of experiment automation and instrumentation/plotting tools and documentation
• Design increasingly high-fidelity experimental suites
• Continue investigation of TCP-targeted DDoS attacks in more depth, and compare analytical and simulation results with DETER testbed results to identify artifacts
13
Plans (cont’d)
• Investigate routing problems/attacks, and compare with DETER testbed results
• Continue to collaborate with the routing team and McAfee team to identify experimental scenarios and build tools for routing experiments
14