“A Taxonomy of DDoS Attack and DDoS Defense Mechanisms”

“A Taxonomy of DDoS Attack
and DDoS Defense Mechanisms”
By Jelena Mirkovic and Peter Reiher (CCR April 2004)
NSRG - Network Security Reading Group:
Vijay Erramilli Nahur Fonseca
Abhishek Sharma Georgios Smaragdakis
and Prof John W. Byers
http://www.cs.bu.edu/groups/wing
Outline
 Overview of DDoS
 Taxonomy of DDoS Attacks
 DDoS Activity
 Taxonomy of DDoS Defenses
 Examples of DDoS Defenses
Overview
(D)DoS := an explicit attempt to prevent the legitimate use of a service.
Why is this part of today's Internet?
 The current Internet design is focused on moving packets efficiently, not on policing who sends them.
 Internet resources (bandwidth, CPU, memory) are limited.
 Control is distributed: no single party can enforce security everywhere.
DDoS Overview
Taxonomy of DDoS Attacks
[MR04]
DDoS Attack Mechanisms: Classification
Classified by:
 Degree of automation
 Exploited weakness
 Source address validity
 Attack rate dynamics
 Possibility of characterization
 Persistence of agent set
 Victim type
 Impact on the victim
Classification By Degree of Automation
 Mainly worms
 Manual
 (Semi-)automated
 Scanning strategies:
 Random scanning (Code Red v2)
 Hitlist scanning
 Permutation scanning, combined with a partial hitlist (Warhol worm)
 Topological scanning (e-mail worms)
 Local subnet scanning (Code Red v2, Nimda)
Classification By Degree of Automation (cont.)
 Vulnerability scanning strategies
 Horizontal: the same port on different machines
 Vertical: all ports of one machine
 Coordinated
 Stealthy
 Propagation mechanism
 Central source (Li0n worm)
 Back-chaining (Ramen worm, Morris worm)
 Autonomous propagation (Code Red, Warhol worm)
Classification By Exploited Weakness To Deny Service
 Semantic attacks: exploit a specific feature or bug of the victim
 SYN attack, NAPTHA: exhaust the connection queue
 CGI request attack: exhaust the CPU
 Brute-force (flooding) attacks, often through reflectors
 DNS request attacks
 Smurf attacks (ICMP echo reply floods)
Classification By Source Address Validity
Spoofing techniques
 Random spoofed source address
 Subnet spoofed source address (hard to detect: it passes ingress filters)
 En-route spoofed source address (future): an address of a node along the path from the agent to the victim
 Fixed spoofed source address
Classification By Attack Rate Dynamics
Constant rate
 Agents send at full rate, so the attacker needs the minimum number of machines
 The abrupt change leaves a detectable pattern in the traffic
Variable rate
 Increasing rate
 Fluctuating rate (low-rate attacks such as Shrew, Rat and RoQ)
Classification By Possibility of Characterization
Filterable
 Attack packets use a protocol or service the victim does not need, so a firewall can drop them, e.g. a UDP flood or ICMP echo flood against a web server, or DNS over TCP.
Non-filterable
 Attack packets request a legitimate service and cannot be told apart from normal requests; they mainly consume bandwidth with a mixture of TCP SYN, other TCP, ICMP ECHO/REPLY and UDP packets.
Classification By Persistence of Agent (Slave) Set
Constant agent set
 Lack of synchronization
Variable agent set
 e.g. groups of agents take turns sending waves of packets
Classification By Victim Type
 Application
 Attack packets are indistinguishable from legitimate packets at the transport level.
 Many applications would have to be modeled to detect them.
 Host
 CPU / network stack
 Resource
 A critical resource, e.g. a DNS server, a router, a bottleneck link
 Network
 Traffic exhausts the link capacity
 Infrastructure
 Misconfiguration induced by the attacker, e.g. via BGP (future)
Classification By Impact on the Victim
Disruptive
 Denies the victim's service to its clients entirely
Degrading
 Consumes some portion of the victim's resources
 Not easily detected
 Leads to disruptive DoS in high-load periods
Attack Tools
 Very easy to find code (e.g. http://www.ussrback.com/distributed.htm)
Trinoo: UDP flood attack. The link between attacker, master and agents is password-protected but not encrypted.
TFN2k: flood attack, but also allows SYN and ICMP floods and Smurf attacks. The communication link between attacker and agents is encrypted.
…
Outline
 Overview of DDoS
 Taxonomy of DDoS Attacks
 DDoS Activity
 Taxonomy of DDoS Defenses
 Examples of DDoS Defenses
Why bother? Fact 1: prevalence
David Moore et al., "Inferring Internet Denial-of-Service Activity" (USENIX Security 2001)
Backscatter Analysis
 Assumptions
 Flood attack
 Randomly spoofed source addresses
 Victims always respond
 Backscatter (the victim's replies to the spoofed sources) is evidence of an ongoing attack
 Responses are equally distributed across the IP address space
 A monitor covering n addresses sees E[x] = n m / 2^32 of the victim's m response packets; from the observed backscatter rate R' the attack rate is bounded by R ≥ R' · 2^32 / n, with n = 2^24 for a /8 monitor
 Biases
 Underestimate due to
 Ingress filtering
 Reflector attacks
 Packet losses
 Rate limiting
 A minor factor: random port scans that hit the monitored hosts
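The estimate above, worked through in code as an added example (not part of the original slides or of Moore et al.'s tools): a few constructed packets arriving at a hypothetical /8 telescope (10.0.0.0/8) are grouped by the answering victim, non-backscatter traffic such as a scanner's SYN or packets outside the monitored block is discarded, and the observed rate R' is scaled by 2^32 / n to a lower bound on the attack rate. All addresses, packet types and timings are made up for the example.

```python
import ipaddress
from collections import Counter

# Hypothetical monitored block (a "network telescope"): a /8, so n = 2^24 addresses.
TELESCOPE = ipaddress.ip_network("10.0.0.0/8")
N_MONITORED = TELESCOPE.num_addresses
ADDRESS_SPACE = 2 ** 32

# Replies a victim emits to unsolicited packets. Anything else arriving at the
# telescope (e.g. a SYN from a port scan) is not backscatter and must be ignored,
# or it inflates the estimate (the "random port scans" bias on the slide).
BACKSCATTER_TYPES = {"SYN/ACK", "RST", "RST/ACK", "ICMP unreachable"}

# Constructed sample of packets arriving at the telescope in a 4 s window:
# (time_s, src = the answering victim, dst = a telescope address, packet type).
SAMPLE = [
    (0.2, "203.0.113.5", "10.17.3.9", "SYN/ACK"),
    (0.6, "203.0.113.5", "10.200.1.1", "SYN/ACK"),
    (1.1, "203.0.113.5", "10.3.3.3", "RST/ACK"),
    (1.5, "203.0.113.5", "10.99.0.7", "SYN/ACK"),
    (2.0, "203.0.113.5", "10.0.0.250", "SYN/ACK"),
    (2.7, "203.0.113.5", "10.18.8.8", "SYN/ACK"),
    (3.1, "203.0.113.5", "10.250.1.2", "RST"),
    (3.8, "203.0.113.5", "10.42.42.42", "SYN/ACK"),
    (0.9, "198.51.100.9", "10.5.5.5", "ICMP unreachable"),
    (3.3, "198.51.100.9", "10.6.6.6", "ICMP unreachable"),
    (1.7, "192.0.2.77", "10.1.1.1", "SYN"),          # a port scan, not backscatter
    (2.2, "203.0.113.5", "172.16.0.4", "SYN/ACK"),   # not addressed to the telescope
]


def is_backscatter(pkt):
    """Keep only victim replies that landed inside the monitored block."""
    _, _, dst, ptype = pkt
    return ptype in BACKSCATTER_TYPES and ipaddress.ip_address(dst) in TELESCOPE


def estimate_attack_rates(packets, window_s, n=N_MONITORED):
    """Return {victim: (observed backscatter rate R', lower bound on attack rate R)}.

    With uniformly random spoofed sources a fraction n / 2^32 of the victim's m
    replies land in the telescope, E[x] = n m / 2^32, so from the observed rate
    R' the true attack rate satisfies R >= R' * 2^32 / n (256 R' for a /8).
    """
    seen = Counter(src for _, src, _, _ in filter(is_backscatter, packets))
    return {victim: (m / window_s, m / window_s * ADDRESS_SPACE / n)
            for victim, m in seen.items()}
```

The bound is only as good as the assumptions: ingress filtering, reflectors, packet loss and rate limiting all lower the number of replies that reach the telescope, so the figure is a floor, not a measurement of the attack.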
Backscatter Results
Why bother? "Fact" 2: cost
 What's the worst-case worm? (Weaver and Paxson, "A Worst-Case Worm", 2004)
 A lot of resources (a nation state) to find a zero-day (never seen) vulnerability in a widely used service
 Infect intranets first and then the Internet
 Very fast (e.g. flash worms): < 1 day
 Cause data damage and hardware damage (e.g. BIOS corruption)
 How much would it cost?
 A conservative linear model based on recovery, data, work-hour and BIOS costs
 US$50 billion
Taxonomy of DDoS Defenses
 Preventive vs. Reactive
 Degree of Cooperation
 Autonomous
 Cooperative
 Interdependent
 Deployment Location
 Victim network
 Intermediate network
 Source network
Proactive / Reactive Actions
 Preventive
 Prevention goal
 1. Attack prevention
 2. DoS prevention
 Secured target
 1. System security
 2. Protocol security
 Prevention method
 1. Resource accounting
 2. Resource multiplication
 Reactive
 Detection strategy
 1. Pattern
 2. Anomaly
 3. Third party
 Response strategy
 1. Agent identification
 2. Rate-limiting
 3. Filtering
 4. Reconfiguration
Degree of Cooperation
 Autonomous: independent defense at the point of deployment
 Cooperative: can work alone but performs better in joint operation
 Interdependent: cannot operate autonomously
Deployment Location
 Victim network: most common, the most interested party
 Intermediate network: an ISP can provide the service; potential for cooperation
 Source network: prevents DDoS at the source, but has the least motivation (Tragedy of the Commons)
Examples of Defenses (by degree of cooperation; each is preventive or reactive and deployed at the victim, in an intermediate network or at the source)
 Autonomous: IDS (Snort)
 Cooperative: client puzzles, ingress filtering, D-WARD
 Interdependent: SOS, traceback
IDS, Snort
 Intrusion Detection System
 Purpose: sniff all traffic on a network and compare the packets with known patterns (signatures).
 Pipeline: sniff all traffic → preprocess → pattern matching → policy enforcement → deny.
SOS: Secure Overlay Service
 Proactively prevents DoS so that legitimate users can keep communicating with a critical target.
+ Illegitimate packets are dropped
+ Proxies forward only authenticated traffic
Threats it has to withstand:
- Attackers take over a source
- Attackers spoof the proxy's IP
- Attackers spoof addresses
- Attackers attack the proxy
- Sources have mobile IP
SOS: Architecture (roles as named in the SOS paper)
 Source point: a node on or off the overlay that wants to send a transmission to a target
 Beacon: a node on the overlay that receives traffic destined for the target and, after verifying the legitimacy of the traffic, forwards it to a secret servlet
 Secret servlet: a node on the overlay that acts as the only entry point to the target
 Target: the node that wishes to receive transmissions from validated sources
 SOAP (secure overlay access point): a node on the overlay that accepts traffic to the target from approved source points
Ingress Filtering (RFC 2267, now BCP 38 / RFC 2827)
 An ingress filter on "router 2" restricts traffic to allow only source addresses within the 9.0.0.0/8 prefix.
 Problems with special cases, for example mobile IP.
 Attackers can still spoof addresses within the same prefix.
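The filter from the RFC example and the "still can spoof within the same prefix" caveat, as an added example that is not part of the original slides or of any router's configuration language. The customer prefix 9.0.0.0/8 comes from the slide; the agent address 9.1.2.3 and the spoofed addresses are constructed for the example.

```python
import ipaddress

# Hypothetical: the prefix assigned to the customer behind "router 2", taken
# from the RFC 2267 example; a real filter uses the interface's assigned prefixes.
CUSTOMER_PREFIX = ipaddress.ip_network("9.0.0.0/8")


def ingress_allowed(src, prefix=CUSTOMER_PREFIX):
    """Forward a packet from the customer interface only if its source address
    belongs to the customer's prefix."""
    return ipaddress.ip_address(src) in prefix


def classify_source(claimed_src, true_src, prefix=CUSTOMER_PREFIX):
    """Label the source address with the taxonomy's validity classes and say
    whether the ingress filter at the customer's ISP would pass it."""
    claimed = ipaddress.ip_address(claimed_src)
    if claimed == ipaddress.ip_address(true_src):
        kind = "genuine"
    elif claimed in prefix:
        kind = "subnet spoofed"        # stays inside the prefix: the filter cannot tell
    else:
        kind = "random/fixed spoofed"  # a per-packet check cannot separate these two
    return kind, ingress_allowed(claimed_src, prefix)


def apply_filter(packets, prefix=CUSTOMER_PREFIX):
    """packets: iterable of (true_src, claimed_src).
    Returns (forwarded, dropped) lists of the claimed source addresses."""
    forwarded, dropped = [], []
    for _true_src, claimed_src in packets:
        (forwarded if ingress_allowed(claimed_src, prefix) else dropped).append(claimed_src)
    return forwarded, dropped


# Constructed sample: agent 9.1.2.3 sends with genuine, subnet-spoofed and random sources.
SAMPLE = [
    ("9.1.2.3", "9.1.2.3"),        # genuine
    ("9.1.2.3", "9.200.7.7"),      # subnet spoofed: passes the filter
    ("9.1.2.3", "203.0.113.99"),   # random spoofed: dropped
    ("9.1.2.3", "198.51.100.1"),   # fixed spoofed (same fake address every time): dropped
]
```

Subnet-spoofed packets are the ones ingress filtering leaves for the victim to deal with; they are also the ones that make per-source rate limiting at the victim ineffective, since the attacker can rotate through 2^24 apparently distinct sources.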
D-WARD
 Deployed at the source network; monitors each peer in both directions.
 Keeps per-flow statistics.
 Compares them to "normal traffic" models.
 Detects anomalies.
 Throttles malicious flows.
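A simplified version of the source-end detection loop described above, as an added example (not D-WARD's own code or thresholds): packet records at the source network's edge are aggregated per peer and protocol, TCP flows are compared with a crude "normal traffic" model (a bounded ratio of packets sent to packets received, since a real peer acknowledges), and flows that violate it are throttled. The records, the ratio limit and the throttle fraction are all constructed for the example.

```python
from collections import defaultdict

# Constructed packet records as an edge router of the source network might log
# them: (time_s, direction, protocol, peer). "out" leaves the source network
# towards peer, "in" is what peer sends back. Sample data, not a real capture.
RECORDS = (
    # 30 outgoing TCP packets to 203.0.113.5 in 5 s and a single reply: a SYN flood
    [(i * 0.16, "out", "TCP", "203.0.113.5") for i in range(30)]
    + [(2.0, "in", "TCP", "203.0.113.5")]
    # a normal TCP exchange with 198.51.100.9: 8 out, 6 back
    + [(i * 0.6, "out", "TCP", "198.51.100.9") for i in range(8)]
    + [(i * 0.6 + 0.1, "in", "TCP", "198.51.100.9") for i in range(6)]
    # UDP traffic has no reply model in this example
    + [(i * 1.0, "out", "UDP", "192.0.2.44") for i in range(5)]
)

# Simplified normal-traffic model (hypothetical numbers, not D-WARD's own): a
# healthy TCP exchange sends at most MAX_TCP_RATIO packets per packet it gets
# back, because the peer acknowledges; a flood sends many and receives ~nothing.
MAX_TCP_RATIO = 3.0
THROTTLE = 0.5  # fraction of its measured rate an attack flow is allowed to keep


def flow_stats(records):
    """Per (peer, protocol) counts of packets sent to and received from the peer."""
    stats = defaultdict(lambda: {"out": 0, "in": 0})
    for _, direction, proto, peer in records:
        stats[(peer, proto)][direction] += 1
    return dict(stats)


def classify(stats):
    """Compare each flow with the model; flows without a model are left alone."""
    verdicts = {}
    for key, counts in stats.items():
        _, proto = key
        if proto != "TCP":
            verdicts[key] = "unmodelled"
            continue
        ratio = counts["out"] / max(counts["in"], 1)
        verdicts[key] = "attack" if ratio > MAX_TCP_RATIO else "normal"
    return verdicts


def rate_limits(records, window_s):
    """Outgoing packets per second allowed towards each peer flagged as attack."""
    stats = flow_stats(records)
    limits = {}
    for (peer, proto), verdict in classify(stats).items():
        if verdict == "attack":
            measured = stats[(peer, proto)]["out"] / window_s
            limits[peer] = measured * THROTTLE
    return limits
```

The ratio model is what lets the source network act without seeing the victim: a flood with spoofed sources never receives acknowledgements, so the imbalance is visible at the first hop even though every packet looks well formed.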
Client Puzzles: Intuition
(Cartoon.) A patron asks the restaurateur for a table for four at 8 o'clock in the name of Mr. Smith; the restaurateur answers "Please solve this puzzle", the patron does, and the reservation is accepted: "O.K., O.K., Mr. Smith."
Suppose:
 A puzzle takes an hour to solve
 There are 40 tables in the restaurant
 Reservations are taken at most one day in advance
A legitimate patron can easily reserve a table, but a would-be saboteur has too many puzzles to solve: booking all 40 tables would cost 40 hours of work inside a 24-hour window.
The client puzzle protocol
 Client → Server: service request
 Server → Client: puzzle (the server allocates no state yet)
 Client → Server: solution R
 Server verifies R, allocates the buffer entry, and replies O.K.
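The exchange above in code, as an added example that is not part of the original slides or of any particular client-puzzle implementation: the puzzle is a hash pre-image search (find x such that SHA-256(nonce || x) starts with k zero bits), the server derives each nonce from a secret so it stores nothing until a correct solution arrives, and a redeemed solution cannot be replayed. The difficulty k, the client identifiers and the buffer representation are assumptions of the example.

```python
import hashlib
import secrets
import struct


def leading_zero_bits(data):
    """Count the leading zero bits of a byte string."""
    count = 0
    for byte in data:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def verify(nonce, k, x):
    """A solution x is valid if SHA-256(nonce || x) starts with k zero bits."""
    digest = hashlib.sha256(nonce + struct.pack(">Q", x)).digest()
    return leading_zero_bits(digest) >= k


def solve(nonce, k):
    """Client side: brute force, about 2^k hash evaluations on average."""
    x = 0
    while not verify(nonce, k, x):
        x += 1
    return x


class PuzzleServer:
    """Hands out puzzles statelessly and commits a buffer slot only after a
    correct solution arrives. k is the difficulty in leading zero bits."""

    def __init__(self, k):
        self.k = k
        self.secret = secrets.token_bytes(16)  # lets nonces be recomputed, not stored
        self.buffer = {}   # client_id -> counter of the accepted request ("O.K.")
        self.used = set()  # (client_id, counter) pairs already redeemed

    def issue_puzzle(self, client_id, counter):
        # The nonce binds the puzzle to this client and request number, so
        # solutions cannot be precomputed or transferred between clients.
        nonce = hashlib.sha256(self.secret + client_id + struct.pack(">Q", counter)).digest()
        return nonce, self.k

    def accept(self, client_id, counter, x):
        """Cheap for the server to check, expensive for the client to produce."""
        if (client_id, counter) in self.used:
            return False                    # replayed solution
        nonce, k = self.issue_puzzle(client_id, counter)
        if not verify(nonce, k, x):
            return False
        self.used.add((client_id, counter))
        self.buffer[client_id] = counter    # allocate the connection slot only now
        return True
```

Raising k by one doubles the client's work without changing the server's single hash per check, which is the asymmetry that lets the server stay up while a flood of requests never gets past the puzzle.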
IP traceback
The ability to trace IP packets to their origin.
IP spoofing
 Ingress filtering prevents source address manipulation, but it is not fully enforced, for political and technical reasons.
 Some ISPs refuse to install inbound filters to prevent source-address spoofing.
IP traceback approaches
Reactive: initiate the traceback process in response to an attack
 e.g. input debugging and controlled flooding
 Must be completed while the attack is active; ineffective once the attack ceases
 Requires a large degree of ISP cooperation: extensive administrative burden, difficult legal and policy issues
Input debugging: Figure from "IP Traceback: A New Denial-of-Service Deterrent?", H. Aljifri, IEEE Security & Privacy, 2003.
Proactive IP traceback
 Record tracing measures as packets are routed
through the network.
 Traceback data used for attack path reconstruction
and subsequent attacker identification.
 Techniques:
 Logging
 Messaging
 Packet-marking
Logging
 Log packets at key routers throughout the Internet and then use data-mining techniques to extract information about the attack traffic's source.
 A huge amount of processing and storage power is needed to store the logs.
 Need to save and share information among ISPs: logistical and legal problems, as well as privacy concerns.
How to reduce the resource demand?
 Probabilistic sampling of the packet stream, and compression.
 SPIE (Source Path Isolation Engine), Snoeren et al.: each router stores in a Bloom filter a hash digest of only the invariant portions of each packet (the header with mutable fields masked, plus the first 8 bytes of payload), so a packet can later be checked for membership without storing it.
 Overlay network of sensors, tracing agents and managing agents.
 Selectively log traffic, i.e. only after an attack is recognized.
 Log only certain relevant characteristics.
 Increased speed and less storage.
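The SPIE idea worked through as an added example (not SPIE's own code): routers hash the invariant part of each forwarded packet into a Bloom filter, and the victim later asks each router whether it holds a digest of the packet it received. The point the code makes is that TTL and checksum change at every hop, so they must be masked before hashing or no upstream router would ever match. The packet, the routers and the filter size are constructed for the example.

```python
import hashlib
import ipaddress
import struct


def ipv4_checksum(header):
    """One's-complement checksum over a header whose checksum field is zeroed."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_ipv4_header(src, dst, ttl, ident, payload_len, proto=17):
    """Build a 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                                ttl, proto, 0,
                                ipaddress.ip_address(src).packed,
                                ipaddress.ip_address(dst).packed))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(hdr))
    return bytes(hdr)


def spie_digest_input(ip_header, payload):
    """The invariant part of a packet: header with ToS, TTL and checksum masked,
    options ignored, plus the first 8 payload bytes."""
    hdr = bytearray(ip_header[:20])
    hdr[1] = 0                 # ToS / DSCP may be rewritten en route
    hdr[8] = 0                 # TTL is decremented at every hop
    hdr[10:12] = b"\x00\x00"   # checksum changes with the TTL
    return bytes(hdr) + payload[:8]


class BloomFilter:
    def __init__(self, m_bits, k_hashes):
        self.m, self.k = m_bits, k_hashes
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item):
        for i in range(self.k):   # k "independent" hashes via a salt byte
            h = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item):
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


class SpieRouter:
    """Records a digest of every forwarded packet and answers 'did you see this?'."""

    def __init__(self, name, m_bits=1 << 16, k_hashes=4):
        self.name = name
        self.seen = BloomFilter(m_bits, k_hashes)

    def forward(self, ip_header, payload):
        self.seen.add(spie_digest_input(ip_header, payload))
        hdr = bytearray(ip_header)
        hdr[8] -= 1                                           # decrement the TTL ...
        hdr[10:12] = b"\x00\x00"
        struct.pack_into("!H", hdr, 10, ipv4_checksum(hdr))   # ... and refresh the checksum
        return bytes(hdr)

    def saw(self, ip_header, payload):
        return spie_digest_input(ip_header, payload) in self.seen


def traceback(routers, ip_header, payload):
    """Victim-side query: which routers hold a digest of the packet as received."""
    return [r.name for r in routers if r.saw(ip_header, payload)]


def simulate():
    """Constructed scenario: attacker -> R1 -> R2 -> R3 -> victim, with R9 off the path."""
    path = [SpieRouter("R1"), SpieRouter("R2"), SpieRouter("R3")]
    off_path = SpieRouter("R9")
    payload = b"GET / HTTP/1.0\r\n\r\n"   # constructed sample payload
    hdr = make_ipv4_header("192.0.2.10", "203.0.113.5", 64, 0x1234, len(payload), proto=6)
    for router in path:
        hdr = router.forward(hdr, payload)
    # The victim holds a header with TTL 61 and a new checksum, yet every on-path
    # router still matches because those fields were masked before hashing.
    return traceback(path + [off_path], hdr, payload), hdr[8]
```

A Bloom filter can report false positives but never false negatives, so a router that answers "no" is definitely off the path; the victim's reconstruction is a candidate graph that may contain a few spurious branches, which is the price of storing a few bits per packet instead of the packet.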
ICMP-based traceback: Figure from "IP Traceback: A New Denial-of-Service Deterrent?", H. Aljifri, IEEE Security & Privacy, 2003.
ICMP-based traceback vs DDoS
 In a DDoS attack each zombie contributes only a small amount of the total attack traffic.
 The probability of sampling an attack packet from a given zombie is therefore much smaller than the router's sampling rate.
 The victim will probably get many ICMP traceback messages from the closest routers but very few originating near the zombies' machines.
 Intention-driven ICMP traceback is more effective against DDoS.
Packet marking: Figure from "IP Traceback: A New Denial-of-Service Deterrent?", H. Aljifri, IEEE Security & Privacy, 2003.
Packet Marking
 To be effective, packet marking should not increase the packets' size (to avoid additional downstream fragmentation, which would increase network traffic).
 Secure enough to prevent attackers from generating false markings.
 Must work within the existing IP specification: the specified order and length of fields in an IP header.
 Packet-marking algorithms and the routers running them must be fast enough to mark packets in real time.
 Probabilistic packet marking (PPM): a router writes its address into the fixed-size mark field only with some probability, so many packets together carry the whole path.
 Has received widespread attention; an active area of research.
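A simulation of the simplest probabilistic marking scheme, node sampling, as an added example that is not part of the original slides or of any published PPM implementation. Each router on a constructed five-hop path overwrites the packet's single mark field with probability p; the victim ranks routers by how often their mark survived, which recovers the path from its own end outward. The attacker here pre-fills the field with a fake router, which shows why the "prevent false markings" requirement above matters. The path, p, the packet count and the random seed are all assumptions of the example.

```python
import random
from collections import Counter


def node_sampling_marks(path, n_packets, p, rng, forged_mark=None):
    """Simulate node sampling for one attacker sending n_packets along `path`
    (router nearest the attacker first, nearest the victim last). Each router
    overwrites the packet's single mark field with probability p.
    `forged_mark` is what the attacker writes into the field before sending."""
    marks = Counter()
    for _ in range(n_packets):
        mark = forged_mark
        for router in path:
            if rng.random() < p:
                mark = router
        marks[mark] += 1
    return marks


def expected_fraction(distance, p):
    """Probability that the mark from the router `distance` hops from the victim
    survives: it must mark (p) and no closer router may overwrite it."""
    return p * (1 - p) ** (distance - 1)


def reconstruct_path(marks):
    """Victim side: rank routers by how often their mark survived. The closest
    router wins most often, so the ranking is the path, victim end first."""
    ranked = sorted(((count, router) for router, count in marks.items() if router is not None),
                    reverse=True)
    return [router for _, router in ranked]


def simulate(seed=1, n_packets=20000, p=0.5):
    """Constructed scenario: attacker -> R1 -> R2 -> R3 -> R4 -> R5 -> victim.
    The attacker pre-fills the mark field with "FAKE" to confuse the victim."""
    path = ["R1", "R2", "R3", "R4", "R5"]
    marks = node_sampling_marks(path, n_packets, p, random.Random(seed), forged_mark="FAKE")
    return marks, reconstruct_path(marks)
```

With p = 0.5 the five real routers survive in roughly 50%, 25%, 12.5%, 6.25% and 3.1% of packets, but the forged mark survives whenever no router marks, also 3.1%, so "FAKE" is indistinguishable from the farthest real router: unauthenticated marks let an attacker add hops beyond the true path, though never hide routers on it. Against a DDoS the same arithmetic is what makes marks from routers near each individual zombie rare, since every zombie sends only a fraction of the traffic.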
Discussion
 What is the cost for ISPs to prevent DDoS?
 Law enforcement of homogeneous control?
 Is DDoS an important problem for WINGers?
 Can it be part of iBENCH: safe & secure composition…?
 Can it be part of the ITM: soft state and sampling of flows?