Network Layer Security
Distributed Denial of Service (DDoS) attacks
and the proposed solutions
November 12, 2007
Network Layer security
Definition: Network layer security is the security of the IP routing
mechanism and of the accessibility of networks, services and specific IP machines
under general network conditions.
Sample Network Level Threats:
IP hijacking: the IP address of a machine is stolen by another machine.
The data streams of the first machine are diverted by the second
machine.
MAC address hijacking: the same as IP hijacking at the MAC level. This is
done by abusing the ARP protocol, using a technique known as ARP
poisoning.
Distributed Denial of Service (DDoS).
What is a DDoS?
• A DDoS is a collaborative effort of many machines
distributed across the internet. The machines are infected by
a piece of malware, which allows them to be abused for a
DDoS attack.
• The owners of the machines are usually unaware of the
infection.
• The infected machines are called zombies.
• All the zombie machines are controlled by the mastermind of
the DDoS.
Illustrating a DDoS
[Figure: DDoS sources send traffic through core routers and the edge router to the victim.]
Some of the Recent Incidents
In May 2006, Internet spammers launched a massive
DDoS attack against the anti-spam company Blue Security.
As a result of a change in the DNS entries of Blue Security at the
time of the attack, the DDoS also targeted millions of blogs. In the
aftermath of this DDoS attack, Blue Security was forced to stop
providing anti-spam services and revised its business strategy.
A report by Wired Magazine online on this event reads:
“... at 4 pm on May 2, 2006, the sites went dark, and so did the
mood at Six Apart, the company that owns them. In the blink of an
eye, 10 million blogs and online communities disappeared. Flash
floods of data thundered into one network port, stopped inexplicably,
then reappeared to overwhelm another. The engineers pored over
logs, desperately looking for a cause. After an agonizing hunt, they
found it: a distributed denial-of-service attack, or DDoS”
Some of the Recent Incidents
The alleged attack of Russia against Estonia in April-May 2007:
• The crisis unleashed a wave of so-called DDoS, or Distributed Denial of
Service, attacks, where websites are suddenly swamped by tens of
thousands of visits, jamming and disabling them by overcrowding the
bandwidths for the servers running the sites. The attacks have been pouring
in from all over the world, but Estonian officials and computer security
experts say that, particularly in the early phase, some attackers were
identified by their internet addresses - many of which were Russian, and
some of which were from Russian state institutions. ...
• The attacks have come in three waves: from April 27, when the Bronze
Soldier riots erupted, peaking around May 3; then on May 8 and 9 - a
couple of the most celebrated dates in the Russian calendar, when the
country marks Victory Day over Nazi Germany, and when President
Vladimir Putin delivered another hostile speech attacking Estonia and
indirectly likening the Bush administration to the Hitler regime; and again
this week.
Source: http://www.csmonitor.com/2007/0517/p99s01-duts.html
The Root of Vulnerability
• The main root of DDoS is the fact that
IP has an open structure, and it is hard to
block distributed users from sending traffic to a
specific address.
• As of now, there is no solution to the DDoS
problem.
• Some of the solutions partially solve the
problem.
Some of the Difficulties
• The source IP addresses are often spoofed.
Therefore, it is hard to identify the real sources.
• In the network layer and the interim routers, the
DDoS traffic looks like normal traffic.
• Often the sources are very distributed across the
internet, and the number of active sources ranges
from a few hundred to tens of thousands.
Example: reflected attacks
• The source sends traffic to a so-called
reflector. The source IP address is spoofed
as the IP address of the victim. Therefore,
the response of the reflector is sent to the
victim.
• Advantage: hiding the identity of the
source, and reflection gain.
Illustrating Reflected Attack
[Figure: S (source) sends a SYN to R (reflector, 66.22.45.11) with the source address spoofed as 10.1.1.12; R answers with SYN-ACKs from 66.22.45.11 to 10.1.1.12, which is V (victim).]
For every SYN at the source, the victim receives 3-5 SYN-ACKs. So the attack
is amplified at the victim.
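As an added example that is not part of the slides, the check a defender on the victim's side could run over packet records: inbound SYN-ACKs from hosts the victim never sent a SYN to are the fingerprint of a reflected SYN flood, and each reflector retransmits several of them per spoofed SYN. The addresses 10.1.1.12 and 66.22.45.11 are taken from the slide; the other addresses and the packet records are constructed.

```python
from collections import Counter

VICTIM = "10.1.1.12"

# Constructed packet records as seen at the victim's edge:
# (src, dst, tcp_flags, direction); "in" arrives at the victim, "out" leaves it.
SAMPLE = [
    (VICTIM, "198.51.100.7", "SYN", "out"),        # legitimate connection attempt
    ("198.51.100.7", VICTIM, "SYN-ACK", "in"),     # its expected reply
] + [("66.22.45.11", VICTIM, "SYN-ACK", "in")] * 4 \
  + [("66.22.45.12", VICTIM, "SYN-ACK", "in")] * 3  # reflected: no SYN was ever sent there


def unsolicited_synacks(packets, victim):
    """Count inbound SYN-ACKs per sender for which the victim sent no SYN.
    A reflected attack shows up as many such SYN-ACKs from hosts the victim
    never contacted (the 3-5 retransmissions per spoofed SYN on the slide)."""
    contacted = {dst for src, dst, flags, d in packets
                 if d == "out" and src == victim and flags == "SYN"}
    counts = Counter()
    for src, dst, flags, d in packets:
        if d == "in" and dst == victim and flags == "SYN-ACK" and src not in contacted:
            counts[src] += 1
    return counts


def reflection_suspects(packets, victim, threshold=3):
    """Reflector addresses that sent at least `threshold` unsolicited SYN-ACKs;
    the threshold (constructed) keeps a single stray packet from raising an alert."""
    return sorted(src for src, n in unsolicited_synacks(packets, victim).items()
                  if n >= threshold)
```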
Some of the Proposed Solutions
• Egress (Ingress) filtering
• Route based filtering
• Probabilistic packet marking
• Pushback
• D-ward
• I-trace through ICMP messages
Ingress and Egress Filtering
• When leaving a network, the source IP
address is checked for its validity.
Therefore, IP packets with a spoofed
source do not leave the network.
Issues of Egress Filtering
• No incentive for the source domains to
implement: DDoS does not harm them!
• The attackers can still hide themselves
within the IP address range of the domain.
Route-based filtering
• A router checks to see if a packet with a
given source IP address is supposed to
pass through that router.
• Routers use BGP route information for
such tests.
• Route-based filtering is a generalization of
egress filtering.
Illustrating Route-based Filtering
Node 7 uses an IP address belonging to node 2 when attacking node 4.
Node 6 detects that a packet from node 2 is not supposed to be received
on the interface connecting it to node 7. The packet is filtered.
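As an added example (not code from the slides), the egress check and the route-based check that generalizes it, on a constructed topology that uses the slide's node numbers: node 6 links to nodes 2, 4 and 7, so a packet claiming to be from node 2 but arriving on the link from node 7 is filtered. Shortest-path first hops stand in for the BGP route information the slide mentions, and the domain prefix 192.0.2.0/24 is a constructed value.

```python
from collections import deque
from ipaddress import ip_address, ip_network

# Constructed topology (undirected links) using the slide's node numbers.
LINKS = [(1, 2), (2, 3), (2, 6), (3, 4), (4, 6), (5, 7), (6, 7)]


def adjacency(links):
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def next_hops(adj, router):
    """First hop from `router` toward every other node along a shortest path.
    This stands in for the router's BGP route table and, like route-based
    filtering itself, assumes routes are symmetric."""
    first, seen = {}, {router}
    queue = deque((nbr, nbr) for nbr in sorted(adj[router]))
    while queue:
        node, via = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        first[node] = via
        queue.extend((n, via) for n in sorted(adj[node]))
    return first


def route_based_filter(adj, router, src_node, ingress_neighbor):
    """Accept a packet claiming source `src_node` only if it arrived from the
    neighbor that `router` itself would use to reach `src_node`."""
    return next_hops(adj, router).get(src_node) == ingress_neighbor


def egress_filter(domain_prefix, src_ip):
    """The special case at a stub domain's border: a packet leaving the domain
    must carry a source address from the domain's own prefix."""
    return ip_address(src_ip) in ip_network(domain_prefix)


ADJ = adjacency(LINKS)
```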
Issues of Route-based Filtering
• Huge network support is needed.
• Same problems as egress filtering.
• Needs exchanging BGP route tables
among routers.
Probabilistic Packet Marking
• Each router randomly writes a piece of its
IP address on some unused field in IP
header.
• By using enough packets, the victim can
recover the complete path to the sources.
Problems of Probabilistic Packet
Marking
• Usually, the victim needs to receive too
many packets from a source to be able to
completely recover the path.
• The sources may be programmed to stop
before they become detectable by PPM.
• It can only find the source networks, not
the real source machines.
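As an added example that is not part of the slides, a simulation of the node-sampling form of probabilistic packet marking: each router on a constructed path overwrites the mark field with probability p, and the victim orders routers by how often their mark arrives, which needs a large number of packets (the first problem listed above). The path R1..R5, p = 0.2 and the random seed are constructed values.

```python
import random
from collections import Counter

# Constructed attack path, listed source side first: R5 is next to the
# source network, R1 is the router next to the victim.
PATH_SOURCE_TO_VICTIM = ["R5", "R4", "R3", "R2", "R1"]


def mark_packet(path, p, rng):
    """One packet traverses `path`. Each router overwrites the reserved mark
    field with its own address with probability p; the last writer wins, so
    routers nearer the victim dominate the marks that arrive."""
    mark = None
    for router in path:
        if rng.random() < p:
            mark = router
    return mark


def collect_marks(path, p, n_packets, seed=7):
    """Victim side: tally which router's address each arriving packet carries."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(n_packets):
        marked_by = mark_packet(path, p, rng)
        if marked_by is not None:
            counts[marked_by] += 1
    return counts


def reconstruct_path(counts):
    """Order routers nearest-first by mark frequency: the router d hops from
    the victim is the last marker with probability p(1-p)^(d-1), decreasing in d.
    With too few packets the order is wrong or routers are missing entirely."""
    return [router for router, _ in counts.most_common()]


def expected_mark_fraction(p, d):
    """Fraction of packets expected to carry the mark of the router d hops away."""
    return p * (1 - p) ** (d - 1)
```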
I-trace through ICMP Messages
• For each IP packet being received, with a small
probability, an ICMP packet with the complete
information of the packet and the IP address of
the router through which the packet was
forwarded is generated.
• The probability of generating an ICMP message
is 1/20,000 per received packet.
• If a DDoS source generates enough packets,
then enough ICMP messages will be generated
to help recover the complete path to the source.
Problems of I-trace through ICMP
Messages
• The approach requires the sources to generate
too many messages.
• It can only find the source networks, not
the real source machines.
Pushback
• Pushback is based on the fact that DDoS
causes congestion.
• A congestion signature is identified by the
routers in proximity of the victim.
• The congestion signature is advertised to the
upstream routers.
• Whenever there is a high rate of packets
matching the congestion signature, the
mechanism continues iteratively.
• Pushback is designed to continue toward the
sources.
Illustrating Pushback
Pushback limits the traffic rate closer to the sources
Pushback in More Detail
ACC: Aggregate-based Congestion Control
RED: Random Early Detection (Drop)
Problems of Pushback
• Many false positives and false negatives
• Often hard to extract a congestion
signature
• Traffic becomes very sparse close to the
sources. Therefore, pushback often fails to
continue all the way to a DDoS source.
D-WARD
• D-WARD monitors the traffic at the egress
router of a stub domain in order to
determine whether the ratio of outgoing to
incoming traffic for a set of remote
addresses is abnormally high. A high ratio
is taken as a signal that an attack is being
mounted from within the stub domain.
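As an added example that is not D-WARD's own code, the ratio check described above run over constructed flow records at a stub domain's egress router: per remote address, outgoing bytes are divided by incoming bytes, and a remote that receives a lot but answers almost nothing is flagged together with the internal hosts sending to it. The addresses, byte counts, ratio threshold and volume floor are all constructed values.

```python
from collections import defaultdict

# Constructed flow records seen at the stub domain's egress router:
# (direction, internal_host, remote_host, bytes); "out" leaves the stub domain.
SAMPLE_FLOWS = [
    ("out", "192.0.2.10", "203.0.113.5", 4_000),     # ordinary client request
    ("in",  "192.0.2.10", "203.0.113.5", 60_000),    # and its larger response
    ("out", "192.0.2.11", "203.0.113.5", 1_500),
    ("in",  "192.0.2.11", "203.0.113.5", 20_000),
    # two internal zombies flooding 198.51.100.9: heavy outbound, almost nothing back
    ("out", "192.0.2.20", "198.51.100.9", 900_000),
    ("out", "192.0.2.21", "198.51.100.9", 750_000),
    ("in",  "192.0.2.20", "198.51.100.9", 1_200),
]


def per_remote_totals(flows):
    """Outgoing and incoming byte totals per remote address."""
    out_bytes, in_bytes = defaultdict(int), defaultdict(int)
    for direction, _host, remote, nbytes in flows:
        (out_bytes if direction == "out" else in_bytes)[remote] += nbytes
    return out_bytes, in_bytes


def outgoing_to_incoming_ratio(flows):
    """The D-WARD statistic: bytes sent to a remote address divided by bytes
    received from it (incoming floored at 1 byte so a silent target still scores)."""
    out_bytes, in_bytes = per_remote_totals(flows)
    return {r: out_bytes[r] / max(in_bytes[r], 1) for r in out_bytes}


def dward_suspects(flows, max_ratio=10.0, min_out_bytes=100_000):
    """Remote addresses whose ratio is abnormally high, mapped to the internal
    hosts sending to them (candidates for rate limiting). The volume floor keeps
    tiny one-way flows such as unanswered connection attempts from alerting.
    Assumes the router sees both directions, i.e. symmetric routes; with an
    asymmetric route the incoming side is unobserved and the ratio is meaningless."""
    ratios = outgoing_to_incoming_ratio(flows)
    out_bytes, _ = per_remote_totals(flows)
    suspects = defaultdict(set)
    for direction, host, remote, _nbytes in flows:
        if (direction == "out" and ratios[remote] > max_ratio
                and out_bytes[remote] >= min_out_bytes):
            suspects[remote].add(host)
    return {remote: sorted(hosts) for remote, hosts in suspects.items()}
```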
Issues of D-WARD
• The performance of D-WARD in detecting
DDoS degrades in transit domains
because of the possibility of asymmetric
routes.
• D-WARD does not work when routes are
not symmetric.
• D-WARD is not well suited for UDP traffic.