“A Taxonomy of DDoS Attack and DDoS Defense Mechanisms”
Download
Report
Transcript “A Taxonomy of DDoS Attack and DDoS Defense Mechanisms”
“A Taxonomy of DDoS Attack
and DDoS Defense Mechanisms”
By Jelena Mirkovic and Peter Reiher (CCR April 2004)
NSRG - Network Security Reading Group:
Vijay Erramilli Nahur Fonseca
Abhishek Sharma Georgios Smaragdakis
and Prof John W. Byers
http://www.cs.bu.edu/groups/wing
Outline
Overview of DDoS
Taxonomy of DDoS Attacks
DDoS Activity
Taxonomy of DDoS Defenses
Examples of DDoS Defenses
Overview
(D)DoS := explicit attempt to prevent the
legitimate use of a service
Why this is part of today’s internet?
Current Internet Design is focused on
effectiveness of moving packets.
Internet Resource Limitations.
Control is distributed.
DDoS Overview
Taxonomy of DDoS Attacks
[MR04]
DDoS Attack Mechanisms
Classification
By.. Degree
of Automation
Impact on
the Victim
Exploited
Weakness
Victim Type
Source
Address
Validity
Attack Rate
Dynamics
Persistence
of Agent Set
Possibility of
Characterization
Classification
By Degree
of Automation
Mainly Worms
Manually
(Semi-)Automated
Scanning Strategies:
Random Scanning (CRv2)
Hitlist Scanning
Permutation Scanning – sub HitList (Warhol)
Topological Scanning (E-mail Worms)
Local Subnet Scanning (CRv2, nimba)
Classification
By Degree
of Automation
Vulnerability Scanning Strategies
Horizontal: same port of different machines
Vertical: all ports of one machine
Coordinated
Stealthy
Propagation Mechanism
Central Source (Li0n worm)
Back-chaining (Ramer Worm, Morris worm)
Autonomous Propagation (CR, Warhol)
Classification By
Exploit Weakness
To Deny Service
Searching for specific
feature or bug
SYN ACK attack,
NAPTHA /connection
queue
CGI Request attack
/CPU
Flooding (reflectors)
DNS Request attacks
Smurf attacks
(ICMP reply attacks)
Classification By
Source Address
Validity
Spoofing Techniques
Random Spoofed Source Address
Subnet Spoofed Source Address
(hard to detect)
En Route Spoofed Source Address (future)
address along the path from the slave to
the victim
Fixed Spoofed Source Address
Classification By
Attack Rate
Dynamics
Constant Rate
Attacker can deploy a min number of
machines
Patterns in traffic
Variable Rate
Increasing Rate
Fluctuating Rate
(Low Rate attacks like Shrew, Rat and RoQ)
Classification By
Possibility of
Characterization
Filterable
Filtered by a firewall eg. UDP flooding, ICMP
echo flood to Web Servers, DNS (TCP).
Non-Filterable
mainly try to consume bandwidth, using a
mixture of TCP SYN, TCP Attack, ICMP ECHO/
REPLY, and UDP packets.
Classification By
Persistence of
Agent (Slave) Set
Constant Slave Set
Lack of synchronization
Variable Slave Set
eg. Take turns (waves) of floods of packets
Classification By
Victim Type
Application
Attack packets indistinguishable from legitimate
packets at the transport level.
A lot of applications that have to be modeled.
Host
CPU/Stack
Resource
Critical resource eg. DNS, router, bottleneck
Network
Traffic
Infrastructure
Misconfiguration by the attacker/BGP (future)
Classification By
Impact on
the Victim
Disruptive
Deny the victim’s service to its clients
Degrading
Consumes some portion of the victim’s
resources.
Not easily detected
Lead to Disruptive DoS in high load periods
Attack Tools
Very Easy to find code
(eg. http://www.ussrback.com/distributed.htm)
Trinoo: Flood Attack The communication link btw Attacker and
slaves is encrypted.
TFN2k: Flood Attack, but also allows SYN, ICMP flood and Smurf
Attacks. The communication link btw Attacker and slaves is
encrypted.
…
Outline
Overview of DDoS
Taxonomy of DDoS Attacks
DDoS Activity
Taxonomy of DDoS Defenses
Examples of DDoS Defenses
Why bother ? Fact 1: prevalence
David Moore, et al. Infering Internet Denial-of-Service Activity
Backscatter Analysis
Assumptions
Flood attack
Randomly spoofed
source address
Victims always
respond
Backscatter is
evidence of ongoing
attack
Responses are equaly
distributed across IP
E(x) = nm/232, m=pkts
R > R’ 232/n , n=224
Biases
Underestimate due to
Ingress filtering,
Reflector attack,
Packet losses,
Rate limiting,
Minor factor due to
random port scans on
the observed hosts.
Backscatter Results
Why bother? “Fact” 2: cost
What’s the worst-case worm ?
A lot of resources, a nation state, to find
A zero-day (never seen) vulnerability in
A widely used service.
Infect intranets first and then the Internet
Very fast (e.g. flash worms). < 1 day.
Cause data damage, hardware damage.
How much would it cost ?
A conservative linear model based on:
recovery, data, work-hour and BIOS costs
US$50 Bi
Taxonomy of DDoS Defenses
Preventive x Reactive
Degree of Cooperation
Autonomous
Cooperative
Interdependent
Deployment Location
Victim network
Intermediate network
Source network
Proactive / Reactive Actions
Preventive
Prevention Goal
1. Attack Prevention
2. DoS Prevention
Secured Target
1. System security
2. Protocol security
Prevention Method
1. Resource Accounting
2. Resource Multiplication
Reactive
Detection Strategy
1. Pattern
2. Anomaly
3. Third Party
Response Strategy
1.
2.
3.
4.
Agent Identification
Rate-limiting
Filtering
Reconfiguration
Degree of Cooperation
Autonomous – independent defense at
the point of deployment
Cooperative – perform better in joint
operation.
Interdependent – cannot operate
autonomously.
Deployment Location
Victim network – most common, the
most interested party.
Intermediate network – ISP can
provide the service, potential to
cooperation.
Source network – prevent DDoS at the
source, least motivation (Tragedy of the
Commons).
Examples of Defenses
Preventive
Reactive
At Victim
Autonomous
IDS, SNORT
Intermediate
At Source
Cooperative
Puzzles
In-Filter
D-WARD
Interdependent
SOS
Traceback
IDS, Snort
Intrusion Detection System
Purpose: to sniff all traffic on a network and to compare
the network packets with certain patterns.
Sniff all traffic
Preprocess
Patten matching
Policy
Enforcement
Deny
SOS: Secure Overlay Service
Proactively prevent DoS to allow legitimate users to
communicate with critical target.
+ Illegitimate packets are dropped
+ Proxy forwards authentic traffic
- Attackers take over source
- Attackers may spoof proxy IP
- Attackers spoof address
- Attackers may attack proxy
- Sources have mobile IP
SOS: Architecture
A node on or off the overlay that wants to
send a transmission to a target
A node on the overlay, it receives traffic
destined for the target and ,after verifying the
legitimacy of the traffic, forwards it to a secret
servlet
A node on the overlay that acts as the only
entry point to the target
Target node that wishes to receive
transmissions from validated sources
A node on the overlay that accepts traffic to
the target from approved source points
Ingress Filtering (RFC2267)
An ingress filter on "router 2” restricts traffic to allow
only source addresses within the 9.0.0.0/8 prefix.
Problems with special cases, for example, mobile IP.
Still can spoof addresses within the same prefix.
D-WARD
Monitors each peer
in both ways.
Keep per flow
statistics.
Compare to “normal
traffic” models.
Detect anomalies.
Throttle malicious
users.
Cliente Puzzles: Intuiton
???
Table for four
at 8 o’clock.
Name of Mr. Smith.
Please solve this
puzzle.
O.K.,O.K.
Mr. Smith
Restauranteur
Intuition
Suppose:
A puzzle takes an hour to solve
There are 40 tables in restaurant
Reserve at most one day in advance
A legitimate patron can easily reserve a table,
but:
Intuition
???
???
???
???
???
???
Would-be saboteur has too many puzzles to solve
The client puzzle protocol
Client
Service request
R
Server
Buffer
O.K.
IP traceback
The ability to trace IP packets to their
origin.
IP spoofing
Ingress filtering prevents IP address
manipulation
not fully enforced due to political and
technical
reasons.
Some ISPs refuse to install inbound filters to
prevent source-address spoofing.
IP traceback approaches
Reactive : initiate the traceback process
in response to an attack
e.g. Input debugging and controlled flooding
Must be completed while the attack is active;
ineffective once the attack ceases
Require large degree of ISP cooperationextensive administrative burden, difficult
legal and policy issues.
Input debugging: Figure from IP Traceback: A New Denialof-Service Deterrent?, H. Aljifri, IEEE Security & Privacy, 2003.
Proactive IP traceback
Record tracing measures as packets are routed
through the network.
Traceback data used for attack path reconstruction
and subsequent attacker identification.
Techniques:
Logging
Messaging
Packet-marking
Logging
Log packets at key routers throughout
the Internet and then use data-mining
techniques to extract information about
attack traffic’s source.
Huge amount of processing and storage
power needed to store the logs.
Need to save and share information
among ISPs : logistical and legal
problems, as well as privacy concerns.
How to reduce the resource demand?
Probabilistic sampling of the packet stream and
compression.
SPIE (Source Path Isolation Engine), A. Snoeren et.
al. Makes use of Bloom filters to store a hash digest of
only the relevant invariant portions of a packet
Overlay Network of sensors, tracing agents and managing
agents.
Selectively log traffic – after an attack is recognized.
Log only certain relevant characteristics
Increased speed and less storage.
ICMP-based traceback: Figure from IP Traceback: A New Denialof-Service Deterrent?, H. Aljifri, IEEE Security & Privacy, 2003.
ICMP-based traceback vs DDoS
In a DDoS attack, each zombie contributes only
a small amount of the total attack traffic.
The probability of choosing an attack packet is
much smaller than the sampling rate used.
The victim probably will get many ICMP
traceback messages from the closest routers
but very few originating near the zombies’
machines.
Intension-driven ICMP traceback : more
effective against DDoS.
Packet-Marking : Figure from IP Traceback: A New Denialof-Service Deterrent?, H. Aljifri, IEEE Security & Privacy, 2003.
Packet Marking
To be effective, packet marking should not increase the
packets’ size (to avoid additional downstream
fragmentation, thus increasing network traffic).
Secure enough to prevent attackers from generating false
markings.
Must work within the existing IP specifications : the
specified order and length of fields in an IP header.
Packet-marking algorithms and associated routers must be
fast enough to allow real-time packet marking.
Probabilistic Packet Marking
Received widespread attention; active area of research
Discussion
What is the cost of ISPs to prevent
DDoS?
Law Enforcement of Homogeneous
Control?
Is DDoS an important problem for
WINGers?
Can be part of the iBENCH:
Safe & Secure Composition…
Can be part of the ITM:
Soft state and sampling of flows?