Autonomic Response to Distributed Denial of Service Attacks
Paper by: Dan Sterne, Kelly Djahandari, Brett Wilson,
Bill Babson, Dan Schnackenberg,
Harley Holliday and Travis Reid
Presented by: Jesus F. Morales
Overview
Introduction: the problem
Proposed solution
The experiment
Results
Observations
Conclusions
Introduction
The problem: Distributed Denial of Service (DDoS) attacks
Hacker toolkits (e.g., Stacheldraht, used later in this talk) make them easy to launch
Example: January 2001 DDoS attack against the websites hosting Hotmail, MSN, Expedia and other large services
Services inaccessible for 22 hours
Current state of response
Relies on expert, manual labor by network administrators
Response includes two main activities:
1. "Input debugging": find the router's physical interfaces carrying the attack traffic (interface statistics, network traffic probes), then repeat at the next router upstream
2. Mitigation of the network traffic flow: packet filtering or rate limiting at the associated router; contact upstream organizations so they do the same
Current state of response: drawbacks
Requires immediate availability of highly skilled network administrators
Time consuming, so downtime and costs mount
It does not scale: what about attacks involving hundreds of networks?
"Whack-a-mole" attacks: flood sources change faster than they can be blocked by hand
Proposed solution
Intruder Detection and Isolation Protocol (IDIP): a protocol for reporting intrusion-related events and coordinating attack tracebacks and automated response actions
Cooperative Intrusion Traceback and Response Architecture (CITRA): the architecture built on IDIP
The authors have adapted CITRA and IDIP to respond to DDoS attacks
CITRA: components and attack
traceback and mitigation
Attack response
Policy mechanisms at each CITRA component along the attack path determine the appropriate response
At CITRA-enabled network devices: block the attacked service port for all requests from the attacker's address or network for a specified amount of time
At CITRA-enabled hosts: kill the offending process; disable the offending user's account
Goal: use the narrowest response that stops the attack while minimizing the impact on legitimate users
Reports of the responses taken are sent to the Discovery Coordinator (DC)
The DC's global view of the system topology allows, hopefully, for the best community-wide response
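The following toy model is an added illustration of the two steps described above, automated input debugging (each component checks its own flow records and hands the trace to the neighbour that also saw the flood) and per-component policy response with temporary blocks reported to a Discovery Coordinator. It is not code from the paper or from the CITRA/IDIP prototype; the node names, the 4-tuple flow key, the constructed addresses and the DC's "keep only the response nearest the source" optimization are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """Key a component uses to recognise the flood in its own forwarding records.
    Assumption for this toy: the 4-tuple seen at the victim. Because every hop
    matches against what *it* forwarded, a spoofed source address does not
    break the hop-by-hop trace."""
    src: str
    dst: str
    dport: int
    proto: str


@dataclass
class Node:
    name: str
    kind: str                      # "host", "firewall" or "router"
    neighbors: List[str]
    seen_flows: Set[Flow] = field(default_factory=set)
    # flow -> (action taken, expiry time); blocks are temporary by policy
    responses: Dict[Flow, Tuple[str, float]] = field(default_factory=dict)

    def active_responses(self, now: float) -> Dict[Flow, str]:
        return {f: act for f, (act, exp) in self.responses.items() if exp > now}


# Per-kind response policy, following the slide: network devices block the
# attacked port for the offender for a while, hosts act on process/account.
POLICY = {
    "router":   "block dport from attacker network for TTL seconds",
    "firewall": "block dport from attacker address for TTL seconds",
    "host":     "kill offending process and disable offending user's account",
}


class DiscoveryCoordinator:
    def __init__(self, topology: Dict[str, Node]):
        self.topology = topology
        self.reports: List[Tuple[str, str, Flow]] = []

    def report(self, node: str, action: str, flow: Flow) -> None:
        self.reports.append((node, action, flow))

    def optimize(self, path: List[str], flow: Flow) -> str:
        """Assumed DC policy for this example (the slides only say the DC's global
        view allows a better community-wide response): keep the response nearest
        the source and retract the broader ones downstream of it."""
        keep = path[-1]
        for name in path[:-1]:
            self.topology[name].responses.pop(flow, None)
        return keep


def traceback(topology: Dict[str, Node], start: str, flow: Flow) -> List[str]:
    """Automated input debugging: from the detecting component, step to the
    neighbour whose records show the flood, until no unvisited neighbour has."""
    path, visited = [start], {start}
    while True:
        cur = topology[path[-1]]
        nxt: Optional[str] = next((n for n in cur.neighbors
                                   if n not in visited and flow in topology[n].seen_flows), None)
        if nxt is None:
            return path
        visited.add(nxt)
        path.append(nxt)


def respond_along_path(topology: Dict[str, Node], path: List[str], flow: Flow,
                       dc: DiscoveryCoordinator, now: float, ttl: float = 60.0) -> None:
    """Every component on the path applies its policy and reports to the DC."""
    for name in path:
        node = topology[name]
        node.responses[flow] = (POLICY[node.kind], now + ttl)
        dc.report(name, POLICY[node.kind], flow)


def run_demo(now: float = 1000.0) -> dict:
    """Constructed topology: victim_fw - R2 - {R1, R3}; R1 - agent_fw - agent.
    The flood crossed R1, not R3. Addresses are documentation ranges."""
    flood = Flow("192.0.2.7", "198.51.100.5", 7070, "udp")
    topo = {
        "victim_fw": Node("victim_fw", "firewall", ["R2"]),
        "R2":        Node("R2", "router", ["victim_fw", "R1", "R3"]),
        "R3":        Node("R3", "router", ["R2"]),
        "R1":        Node("R1", "router", ["R2", "agent_fw"]),
        "agent_fw":  Node("agent_fw", "firewall", ["R1", "agent"]),
        "agent":     Node("agent", "host", ["agent_fw"]),
    }
    for name in ("victim_fw", "R2", "R1", "agent_fw", "agent"):
        topo[name].seen_flows.add(flood)
    dc = DiscoveryCoordinator(topo)
    path = traceback(topo, "victim_fw", flood)
    respond_along_path(topo, path, flood, dc, now)
    kept = dc.optimize(path, flood)

    def active(t: float) -> Dict[str, str]:
        return {n: list(nd.active_responses(t).values())[0]
                for n, nd in topo.items() if nd.active_responses(t)}

    return {"path": path, "kept": kept, "reports": len(dc.reports),
            "active_now": active(now), "active_after_ttl": active(now + 61)}


if __name__ == "__main__":
    print(run_demo())
```

The trace stops at the agent host because no neighbour beyond it recorded the flow; after the DC retracts the router and firewall blocks, only the host-level response remains, and even that expires once its TTL passes, which is the "specified amount of time" property of the slide's block response.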
Experiment: Autonomic response to DDoS
The problem
Sophisticated DDoS toolkits generate traffic that "blends in" with legitimate traffic
It cannot be blocked by router packet filters without also blocking legitimate traffic
Traffic rate limiting may be more useful
Experiment goals
Demonstrate that CITRA and IDIP can defend against DDoS attacks, in particular against a Stacheldraht v4 attack
Experiment: Stacheldraht toolkit and test application
Stacheldraht toolkit
Can generate ICMP, UDP and TCP floods and Smurf attacks
Provides one or more master servers that control agents (the flood sources)
Can target floods at arbitrary machines and ports
Test application: audio/video streaming
RealNetworks' RealSystem server
RealPlayer client
Experiment: topology and
scenario
Experiment: settings
Test data (RealPlayer)
8 min 11 s of continuous-motion video
Encoded at 200.1 Kbps
Best-quality video setting (10 Mbps bandwidth)
Data buffering: 5 seconds (the minimum)
Transport protocol: UDP
Attack
Target is the RealSystem server
UDP flood packets indistinguishable from the control packets that RealPlayer clients send to the server
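The following simulation is an added example, not code from the paper or from the CITRA prototype, of the point made above: flood packets that look exactly like client control packets leave a boundary controller nothing to filter on except volume. It compares no response, the block-the-port response, and a token-bucket rate limit on the link fronting the attacker's network. Packet rates, the server capacity, the limit, the bucket depth and the uniform-loss model of an overloaded server are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

SERVER_PPS = 100   # constructed: UDP control packets/s the streaming server can service
LIMIT_PPS = 20     # constructed: rate limit applied to the attacker's network's link
BURST = 10         # constructed: token-bucket depth


@dataclass(frozen=True)
class Pkt:
    t: float       # arrival time within a 1 s window
    link: str      # which boundary controller forwarded it
    legit: bool    # ground truth; nothing in the packet reveals it


def make_traffic() -> List[Pkt]:
    """One second of UDP packets to the server's control port. Link A fronts the
    network holding a Stacheldraht agent plus one legitimate client; link B
    fronts a network with legitimate clients only. All rates are constructed."""
    pkts: List[Pkt] = []

    def stream(rate: int, link: str, legit: bool, phase: float) -> None:
        for i in range(rate):
            pkts.append(Pkt((i + phase) / rate, link, legit))

    stream(5000, "A", False, 0.0)   # the flood
    stream(10, "A", True, 0.37)     # legitimate client behind the same controller
    stream(10, "B", True, 0.37)     # legitimate clients elsewhere
    return sorted(pkts, key=lambda p: p.t)


class TokenBucket:
    """Classic token bucket: tokens refill at `rate` per second up to `burst`."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def admit(self, t: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def deliver(pkts: List[Pkt], policy: str) -> Tuple[float, float]:
    """Packets/s of (legitimate, attack) traffic the server actually services.
    policy: 'none'   -> no response
            'filter' -> block the attacked port on link A (drops everything from A)
            'limit'  -> rate-limit link A to LIMIT_PPS instead"""
    bucket = TokenBucket(LIMIT_PPS, BURST)
    arrived: List[Pkt] = []
    for p in pkts:
        if p.link == "A":
            if policy == "filter":
                continue
            if policy == "limit" and not bucket.admit(p.t):
                continue
        arrived.append(p)
    # constructed loss model: an overloaded server drops arrivals uniformly,
    # so legitimate packets suffer the same loss ratio as the flood
    share = min(1.0, SERVER_PPS / max(1, len(arrived)))
    legit = sum(p.legit for p in arrived) * share
    attack = sum(not p.legit for p in arrived) * share
    return legit, attack


def compare() -> Dict[str, Tuple[float, float]]:
    pkts = make_traffic()
    return {pol: deliver(pkts, pol) for pol in ("none", "filter", "limit")}


if __name__ == "__main__":
    for pol, (legit, attack) in compare().items():
        print(f"{pol:7s} legit {legit:6.2f} pps  attack {attack:7.2f} pps")
```

With no response almost no legitimate packets are serviced, because the flood takes the server's whole capacity. Both the port block and the rate limit bring the flood under the server's capacity, so clients behind link B recover fully; the difference is on link A, where the block cuts the legitimate client off entirely while the rate limit still lets a small share of its packets through, which is the degraded-but-alive behaviour the experiment aims for.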
Experiment: Stacheldraht flooding
and autonomic rate limiting
Experiment results: Normal run
Experiment results: Flood run
Experimental results: Full recovery run
Experimental results: Degraded
recovery run
Observations
Degraded recovery probably due to the detector's slow response (366 MHz Pentium II)
Independent experiment with a higher-performance detector confirmed the results: full recovery obtained every time, with CITRA's response taking effect after 2 seconds vs. 10-12 seconds
Results are preliminary
IDIP carries a traceback or mitigation request over UDP, i.e. in a single IP packet; over TCP a three-way handshake would be needed first, which could slow propagation upstream
Conclusions
DDoS attacks are an increasing threat to the Internet
Manual defense is inadequate
The CITRA prototype for DDoS, with its rate-limiting function, seems to be a promising automatic response