Distributed Denial of Services: the Problem, its Solutions, and their Problems - PowerPoint PPT Presentation

Slides: 53
Provided by: sfel6
Learn more at: http://cs.uccs.edu

Transcript and Presenter's Notes

1
Distributed Denial of Services: the Problem, its
Solutions, and their Problems
  • Dr. S. Felix Wu
  • Computer Science Department
  • University of California, Davis
  • http://www.cs.ucdavis.edu/wu/
  • wu@cs.ucdavis.edu

2
Denial of Service attack: beyond Authenticity,
Authority, and Privacy
[Diagram: an attacker consumes all or most of a computer
system's finite resources (bandwidth, connections, buffer
space); the victims get no service or degraded service.
Services are Denied!]
3
Distributed DoS: yahoo, ebay, msn, ...
[Diagram: one Master controls many Slaves; the Slaves'
attack traffic is aggregated at the victim. Denial of
Service!]
Hundreds/thousands of Slaves simultaneously
launch attacks!
4
The Plain DDoS Model (1999-2000)
[Diagram: Attackers -> Masters -> Slaves -> ISP -> the .com
Victim; attack packets carry src = random, dst = victim.]
Link budget from the slide:
  • 1,500 bytes per pkt, i.e. about 10K bits per pkt
  • 100K pkts per second, i.e. about 1G bits per second at the victim
  • 2000 slaves x 50 pkts per second per slave = 100K pkts per second
  • 50 pkts per second per slave = only 0.5M bits per second per slave
5
Reflector
  • Use a legitimate network server/client as the
    reflector to avoid being traced (stepping stone).
[Diagram: Slave -> Reflector: service request packet with
src = Victim, dst = Reflector. Reflector -> Victim: service
reply packet with src = Reflector, dst = Victim.]
6
The Reflective DDoS Model (2000)
[Diagram: Attackers -> Masters -> Slaves -> Reflectors -> ISP
-> the .com Victim. Slave packets carry src = victim,
dst = reflector; the reflector replies carry src = reflector,
dst = victim.]
7
Internet Source Accountability
[Diagram: host A in AOL sends to host B in UCD across UUNet.
The IP header says src = AOL, dst = UCD, payload ... The
source address written by the sender is the only evidence
of origin the packet carries.]
8
Possible Solutions
  • Stop it!!
    • egress/ingress filtering
    • aggregated-flow anomaly-based rate limiting
    • ISP, dot-COM, ...
  • Trace it!!
    • where are the slaves and masters?
    • Law enforcement agencies, ...

9
Ingress/egress filtering: boosting source
accountability
[Diagram: a router in front of Net 169.237.6.* applies its
filtering policies to an incoming packet with source address
207.12.1.56: drop it or not??]
Is the source IP address of this incoming IP
packet valid from this particular network
interface???
  1. Static configuration
  2. Routing table reverse look-up
  3. Routing information analysis (BGP/OSPF/RIP)
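An added example, not code from the slides: the reverse-path check behind option 2 above, in Python. Strict mode accepts a source only if the best route back to it leaves through the interface the packet arrived on; loose mode only asks whether a non-default route to the source exists. The routing table and interface names are constructed for the example; 207.12.1.56 and 169.237.6.* are the slide's addresses.

```python
import ipaddress

# Constructed routing table for the example: prefix -> interface that reaches it.
# 169.237.6.* is the inside network from the slide; 207.12.1.56 is the
# source address of the packet the slide asks about.
ROUTES = {
    "169.237.6.0/24": "eth0",   # campus side of the filtering router
    "207.12.0.0/16": "eth1",    # reachable through the upstream ISP
    "0.0.0.0/0": "eth1",        # default route, also toward the ISP
}

def best_route(table, addr):
    """Longest-prefix match: (network, interface) for addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_strict(table, src, in_iface):
    """Strict reverse-path check (the slide's 'routing table reverse look-up'):
    the route back to src must leave through the interface the packet came in on."""
    route = best_route(table, src)
    return route is not None and route[1] == in_iface

def urpf_loose(table, src):
    """Loose mode: only require a non-default route to src. It tolerates asymmetric
    routing but only catches sources that are not routable at all."""
    route = best_route(table, src)
    return route is not None and route[0].prefixlen > 0

def filter_packet(table, src, in_iface, mode="strict"):
    """Answer the slide's 'drop it or not??' for one packet."""
    ok = urpf_strict(table, src, in_iface) if mode == "strict" else urpf_loose(table, src)
    return "forward" if ok else "drop"
```

Strict mode drops the spoofed packet in both directions: a packet claiming 207.12.1.56 coming from the campus interface (egress filtering) and a packet claiming 169.237.6.10 coming from the ISP (ingress filtering). The caveat a practitioner wants: on the interface that holds the default route, strict mode accepts every otherwise-unknown source, which is why strict checks belong on customer- and campus-facing interfaces and loose checks elsewhere.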
10
Aggregate-Based Congestion Control: avoiding
micro-flow management
[Diagram: a RED buffer (Random Early Dropping) with the
levels 50 and 80 marked.]
RED is good for aggressive but responsive TCP flows...
11
Aggregate-Based Congestion Control: avoiding
micro-flow management
[Diagram: the same RED buffer (levels 50 and 80), now
preceded by a High-Bandwidth AG-Flow Analyzer. "High
bandwidth AG-Flow?" -- yes: send it through the rate
limiters; no: forward normally. E.g., all ICMP packets
toward dst 169.237.6.*]
(1). How to determine the signature of an
AG-Flow?? (2). How to set the limited rate for an
AG-Flow??
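An added example, not code from the slides, giving one concrete answer to the two questions above in Python: the aggregate signature is (protocol, destination /24), a high-bandwidth aggregate is one that takes more than half of the link bytes in a one-second window, and the limited rate is enforced by one token bucket per offending aggregate with no per-microflow state at all. The traffic mix, the 50% threshold and the 1 Mbit/s limit are constructed for the example; the ICMP-toward-169.237.6.* aggregate is the slide's.

```python
import ipaddress
from collections import defaultdict

def make_traffic():
    """Constructed one-second packet trace: (time_s, proto, dst_ip, bytes)."""
    pkts = []
    for i in range(400):
        t = i / 400.0
        # the attack aggregate: an ICMP flood toward 169.237.6.* (slide's example)
        pkts.append((t, "icmp", f"169.237.6.{i % 250 + 1}", 1500))
        if i % 4 == 0:              # background: TCP to a host in the same /24
            pkts.append((t, "tcp", "169.237.6.42", 600))
        if i % 8 == 0:              # background: DNS traffic elsewhere
            pkts.append((t, "udp", "10.1.1.53", 120))
    return sorted(pkts)

def signature(proto, dst, plen=24):
    """Aggregate signature: protocol plus destination prefix, not a 5-tuple."""
    net = ipaddress.ip_network(f"{dst}/{plen}", strict=False)
    return (proto, str(net))

def find_high_bandwidth_aggregates(pkts, window_s=1.0, share=0.5):
    """Aggregates whose bytes exceed `share` of all link bytes in the window."""
    total = 0
    by_agg = defaultdict(int)
    for t, proto, dst, size in pkts:
        if t < window_s:
            total += size
            by_agg[signature(proto, dst)] += size
    return {agg: b for agg, b in by_agg.items() if b > share * total}

class TokenBucket:
    """Rate limiter for one aggregate: rate in bit/s, burst in bytes."""
    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0          # bytes per second
        self.burst = burst_bytes
        self.tokens = burst_bytes
        self.last = 0.0

    def allow(self, t, size):
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False

def run_rate_limiter(pkts, limits):
    """limits: aggregate -> TokenBucket. Unlisted aggregates pass untouched."""
    passed, dropped = defaultdict(int), defaultdict(int)
    for t, proto, dst, size in pkts:
        agg = signature(proto, dst)
        bucket = limits.get(agg)
        if bucket is None or bucket.allow(t, size):
            passed[agg] += size
        else:
            dropped[agg] += size
    return dict(passed), dict(dropped)

def demo():
    """Detect the hot aggregate in the constructed trace and limit it to 1 Mbit/s."""
    pkts = make_traffic()
    hot = find_high_bandwidth_aggregates(pkts)
    limits = {agg: TokenBucket(rate_bps=1_000_000, burst_bytes=3000) for agg in hot}
    passed, dropped = run_rate_limiter(pkts, limits)
    return hot, passed, dropped
```

The ICMP flood is 600,000 of the 666,000 bytes in the window and is the only aggregate flagged; after limiting it passes roughly 1 Mbit/s while the TCP and DNS background traffic is untouched. The flip side a practitioner should keep in mind is that legitimate ICMP toward the same /24 is limited along with the attack, which is exactly the trade that the "how to determine the signature" question is about.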
12
Packet Tracing
  • A transit router puts a mark in the data packets
    themselves. (like UPS/FedEx)
    • find the space in the packet to perform the mark?
  • A transit router puts a mark outside of the data
    packets. (I have seen it!!)
    • find the bandwidth in the Internet?

13
Statistical Packet Marking
[Diagram: the plain DDoS model again (Attackers -> Masters
-> Slaves -> ISP -> .com Victim; src = random, dst = victim);
the transit routers mark the packets probabilistically.]
14
[Diagram: attackers A5 and A6 reach the victim through a
tree of routers R1 ... R9; every router on the path runs the
marking procedure below.]
Marking procedure at router R:
  for each packet w
    let x be a random number from [0..1)
    if x < p then
      write R into w.start and 0 into w.distance
    else
      if w.distance = 0 then
        write R into w.end
      increment w.distance
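The marking procedure above as runnable Python, with the victim's reconstruction step added. This is an added example, not code from the slides or from the original paper, and it sets the 16-bit space problem of the next slide aside: start, end and distance are plain fields rather than bits squeezed into the IP header. The seven-router path, p = 0.04 and the attacker's forged initial mark (X, Y) are constructed. The forged mark shows the weak-authentication point: every router either overwrites it or increments its distance, so the forged edge can only appear at a distance beyond the attacker's real first hop R1.

```python
import random
from collections import defaultdict

ATTACK_PATH = ["R1", "R2", "R3", "R4", "R5", "R6", "R7"]   # R1 nearest the slave, R7 nearest the victim

def mark_packet(w, router, p, rng):
    """The slide's marking procedure at router R for one packet w (edge sampling)."""
    x = rng.random()                      # random number from [0..1)
    if x < p:
        w["start"] = router               # start a new edge here
        w["distance"] = 0
    else:
        if w["distance"] == 0:
            w["end"] = router             # complete the edge started one hop upstream
        w["distance"] += 1

def simulate(path, n_packets, p, seed=1, forged=("X", "Y")):
    """Send n_packets along path. The attacker pre-loads every mark with the forged edge
    `forged` at distance 0. Returns the (start, end, distance) triples the victim receives."""
    rng = random.Random(seed)
    seen = []
    for _ in range(n_packets):
        w = {"start": forged[0], "end": forged[1], "distance": 0}
        for router in path:
            mark_packet(w, router, p, rng)
        seen.append((w["start"], w["end"], w["distance"]))
    return seen

def reconstruct(marks):
    """Victim-side path reconstruction: a mark at distance 0 names the router adjacent to the
    victim; a mark (start, end, d) with d >= 1 is an edge whose `end` must be the router
    already placed at distance d - 1. Stops when no consistent edge exists or the path branches."""
    edges = defaultdict(set)
    for start, end, d in marks:
        edges[d].add((start, end))
    path, prev, d = [], None, 0
    while True:
        starts = sorted({s for s, e in edges.get(d, ()) if d == 0 or e == prev})
        if len(starts) != 1:     # done, or several attackers (a real tracer would branch here)
            break
        prev = starts[0]
        path.append(prev)
        d += 1
    return path
```

With 3000 packets the victim recovers R7 back to R1 and then one spurious hop X at distance 7: the forged edge (X, R1) survives only in packets no router sampled, and it cannot be placed closer than the real path. With p = 0.04 a packet carries the edge from R1 with probability p(1-p)^6, about 3%, which is why the scheme needs thousands of packets and why the slide calls the 16-bit encoding that the real scheme must use restrictive.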
15
Problems with Packet Marking
  • 16 bits is unreliable and restrictive.
  • partial IP header information
  • weak authentication
  • inefficiency
  • cannot handle reflective DDoS.
  • require modification of TCP protocol stack (and
    specification) -- not sure exactly how to do it
    completely and correctly.

16
[Diagram: the reflective DDoS model again (Attackers ->
Masters -> Slaves -> Reflectors -> ISP -> .com Victim; src =
victim, dst = reflector on the way in, src = reflector,
dst = victim on the way out), with "???" over the slaves and
the reflectors: the marks that reach the victim are written
on the reflector-to-victim path, so they do not identify the
slaves.]
17
ICMP Traceback
  • For a very small probability (about 1 in 20,000),
    each router will send the destination a new ICMP
    message indicating the previous hop for that
    packet.
  • Net traffic increase at endpoint is probably
    acceptable.

iTrace it or not??
18
Original iTrace
[Diagram: the plain DDoS model (src = random, dst = victim);
the routers on the slave-to-victim path occasionally send
iTrace messages toward the victim.]
19
iTrace in Reflective DDOS
[Diagram: the reflective DDoS model. iTrace messages for the
spoofed requests (src = victim, dst = reflector) go to the
reflector, their destination; the victim only gets iTrace
messages for the reflector-to-victim path.]
20
Improved ICMP Traceback
  • For a very few packets (about 1 in 20,000), each
    router will send the destination and the source a
    new ICMP message indicating the previous hop for
    that packet.
  • Net traffic increase at endpoint is probably
    acceptable.

21
Who has spoofed me??
[Diagram: Slave -> Reflector: service request packet with
src = Victim, dst = Reflector. Reflector -> Victim: service
reply packet with src = Reflector, dst = Victim. With the
improved iTrace, routers on the request path also send
source traceback messages to the Victim, the spoofed
source.]
22
Improved iTrace
[Diagram: the reflective DDoS model. iTrace messages now
flow to both the reflector (the destination) and the victim
(the spoofed source), so the slave-to-reflector path becomes
visible to the victim.]
23
Is that really me???
[Diagram: the Victim receives source traceback messages from
its ISP about a service request packet with src = Victim,
dst = www.yahoo.com. How can I tell whether that packet was
really mine??]
24
Maybe it is my friend...
[Diagram: the plain DDoS model (src = random, dst = victim),
with legitimate customers sending to the same .com victim
through the same ISP. Are you sure that this is from a slave
or not?]
25
Emitting a relatively small amount
[Diagram: the plain DDoS model; each slave emits only a
small amount of traffic, so at a router near a slave the
attack packets are a small fraction of what it forwards.]
26
iTrace Probability 1/20,000
[Diagram: at one router, a thin stream of attack traffic
rides on a much larger stream of background traffic.]
For a router with lots of background traffic,
it will take a long time before we really
generate a useful iTrace.
27
A Statistical Problem with iTrace
  • Routers closer to the victims have higher
    probability to generate iTrace packets toward the
    true victims in the first N iTrace messages
    generated.
  • Routers closer to the DDoS slaves might have
    relatively small probability (smaller than the
    routers around the victims) to generate useful
    iTrace packets fast enough.

28
Usefulness
  • Useful
    • It carries attack packets.
  • Valuable
    • It carries attack packets from a router that is
      very close to the original slaves.
    • We have not received the same kind of iTrace
      messages before.
    • The iTrace messages are received fast.

29
Three Types of Nodes
  • DDoS victim with the intention to trace the
    slaves.
  • DDoS victim without the intention.
  • non-DDoS victims (assuming they do not have the
    intention as well -- and very likely they hope
    they won't receive ones).

30
Intention-driven iTrace
  • Different destination hosts, networks,
    domains/ASs have different intention levels in
    receiving iTrace packets.
  • We propose to add one iTrace-intention bit.
  • Some of them might not care about iTrace, and
    some of them might not be under DDoS attacks, for
    example.

31
Issues
  • How to determine the intention bit
  • How to distribute the intention bits to routers
    globally?
  • How to use the intention bits at each router?

33
iTrace/Intention-Driven iTrace architecture
[Diagram: a Decision Module takes the intention bits from
the BGP routing table and the 1/20000 iTrace generation
trigger, and sets an iTrace generation bit in the
packet-forwarding table; data packets consult that table as
they are forwarded.]
34
Processing Overhead
When the 1/20K iTrace message trigger occurs:
  1. Select and set one iTrace bit in the forwarding table.
Processing for each data packet:
  1. If the iTrace flag bit of its forwarding entry is 1,
     (1) send an iTrace message for this data packet, and
     (2) reset the iTrace bit to 0.
35
Forwarding table with I(n) iTrace bits, before and after the trigger:
Prefix            (1). Before iTrace trigger   (2). After iTrace trigger
152.1.23.0/24     0                            0
169.20.3.0/24     0                            0
192.1.0.0/16      0                            0
207.3.4.183/20    0                            0
152.1.0.0/16      0                            1
155.0.0.0/16      0                            0
36
Forwarding table with I(n) iTrace bits, (3). After iTrace sent (the bit is reset):
Prefix            iTrace bit
152.1.23.0/24     0
169.20.3.0/24     0
192.1.0.0/16      0
207.3.4.183/20    0
152.1.0.0/16      0
155.0.0.0/16      0
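An added example, not code from the slides, that puts slides 26 through 36 together in Python. A slave-side router forwards traffic in which only a fraction 0.0005 of packets are attack packets (the slide's 50 attack packets per second inside 100K packets per second), using the forwarding table from slide 35. Under the original iTrace the trigger describes whichever packet fired it, so a message is useful with probability equal to the attack fraction; under intention-driven iTrace the trigger only arms the iTrace bit of an entry whose I(n) is 1, and the next packet forwarded through that entry carries the message. The I(n) values, the victim address 152.1.75.163 and the background destinations are constructed; how the decision module chooses among several intending entries is not on the slides, so a uniform random choice is assumed.

```python
import ipaddress
import random

# Forwarding table modelled on slide 35. I(n) values are constructed: only the victim's
# prefix 152.1.0.0/16 intends to receive iTrace.
FORWARDING_TABLE = {
    "152.1.23.0/24": 0,
    "169.20.3.0/24": 0,
    "192.1.0.0/16": 0,
    "207.3.4.183/20": 0,   # copied from the slide; ip_network(strict=False) masks it to 207.3.0.0/20
    "152.1.0.0/16": 1,
    "155.0.0.0/16": 0,
}
VICTIM = "152.1.75.163"       # constructed: inside 152.1.0.0/16 but not inside the /24 entry
ATTACK_FRACTION = 0.0005      # 50 attack pkt/s buried in 100K pkt/s at a slave-side router
P_TRIGGER = 1 / 20000

class Router:
    def __init__(self, table, p_trigger, seed):
        self.entries = [(ipaddress.ip_network(k, strict=False), i) for k, i in table.items()]
        self.itrace_bit = {net: 0 for net, _ in self.entries}
        self.p = p_trigger
        self.rng = random.Random(seed)
        self.sent = []        # destinations of the iTrace messages this router emitted
        self._lpm = {}

    def lookup(self, dst):
        """Longest-prefix match, cached per destination (the table has no default route)."""
        if dst not in self._lpm:
            ip = ipaddress.ip_address(dst)
            self._lpm[dst] = max((n for n, _ in self.entries if ip in n), key=lambda n: n.prefixlen)
        return self._lpm[dst]

    def forward_original(self, dst):
        """Original iTrace: with probability p, describe this very packet to its destination."""
        if self.rng.random() < self.p:
            self.sent.append(dst)

    def forward_intention(self, dst):
        """Intention-driven iTrace (slide 34): a trigger arms one entry with I(n) = 1; the next
        packet forwarded through an armed entry carries the iTrace and the bit is reset."""
        if self.rng.random() < self.p:
            intending = [n for n, i in self.entries if i == 1]
            if intending:      # assumption: the decision module picks uniformly among intending entries
                self.itrace_bit[self.rng.choice(intending)] = 1
        net = self.lookup(dst)
        if self.itrace_bit[net]:
            self.sent.append(dst)
            self.itrace_bit[net] = 0

def make_traffic(n, seed=7):
    """Constructed slave-side traffic: background to every prefix plus a trickle to VICTIM.
    152.1.23.x is included on purpose: it is inside 152.1.0.0/16 but matches the /24 entry."""
    rng = random.Random(seed)
    background = ([f"169.20.3.{i}" for i in range(1, 11)] + [f"192.1.{i}.9" for i in range(1, 11)]
                  + [f"207.3.{i}.5" for i in range(1, 11)] + [f"155.0.{i}.1" for i in range(1, 11)]
                  + [f"152.1.23.{i}" for i in range(1, 11)])
    return [VICTIM if rng.random() < ATTACK_FRACTION else rng.choice(background) for _ in range(n)]

def useful(router):
    """Messages that describe attack packets (slide 28's 'useful')."""
    return sum(1 for d in router.sent if d == VICTIM)

def compare(n_packets=500_000):
    """Run both schemes over the same packet sequence; return (messages sent, useful) for each."""
    traffic = make_traffic(n_packets)
    orig = Router(FORWARDING_TABLE, P_TRIGGER, seed=1)
    intent = Router(FORWARDING_TABLE, P_TRIGGER, seed=2)
    for dst in traffic:
        orig.forward_original(dst)
        intent.forward_intention(dst)
    return {"original": (len(orig.sent), useful(orig)),
            "intention": (len(intent.sent), useful(intent))}
```

Over half a million packets both routers trigger about 25 times. The original scheme's messages describe background packets almost every time (expected useful count 25 x 0.0005), while every intention-driven message describes an attack packet, at the same message budget, which is the claim of slide 41. The longest-prefix detail matters for deployment: arming 152.1.0.0/16 does nothing for traffic to 152.1.23.x, because those packets are forwarded through the /24 entry, so the intention must be set on the entry that the victim's traffic actually hits.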
38
Usefulness in MSMV
[Chart; its values are not recoverable from the transcript.]
39
How to distribute I(n)?
  • YABE (Yet Another BGP Extension)
    • For every BGP route update, we include I(n) as a
      new string in the community attribute:
      iTrace-Intention with value 0x0 or 0x1 (optional
      transitive)
    • These I(n) values will be forwarded or even
      aggregated by the routers who understand this
      new community attribute.
    • aggregation: I(new) = max I(n)
  • Rate-Limiting on Intention Update
    • should not be more frequent than Keep-Alive
      messages.
    • should not trigger any major route computation.

40
Signaling (BGP extension)
[Diagram: ASes 100, 120, 200, 250, 300, 500, 600, 700, 800 and
900. An IDS issues an intention-bit update request; the BGP
update for the prefix in AS900 carries the attribute "Intend
to receive iTrace" and propagates to the other ASes.]
41
Summary
  • Improve the probability of useful iTrace.
  • Require some minor changes to the router
    forwarding process.
  • Require a new BGP community string.
  • The amount of generated iTrace messages should be
    no more than the current iTrace proposal.

42
DECIDUOUS
  • Reliably identify the source(s) of attack
    packets. (Tracing)
  • Intrusion Detection, Response, Source
    Identification.
  • Collaborating with Edge Routers or Security
    Gateways that support IPSEC or other types of
    Tunnels
  • Utilize the IPSEC framework
  • Requirements for IPSEC Policy System
  • Interacting with IDS and IRS/FW.

43
Spoofed IP Address
[Diagram: as on slide 7, with NCSU as the destination: host A
in AOL, host B in NCSU, UUNet in between; the IP header says
src = AOL, dst = NCSU, payload ...]
44
IPSec Tunnel
[Diagram: the same AOL -> UUNet -> NCSU picture with an IPsec
tunnel set up along the path; the header still says
src = AOL, dst = NCSU, payload ...]
45
Every single SA that has been or has not been
used by the attack packet will provide some
location information about the true source.
[Diagram: Attackers -> Router or Security Gateway -> Target.
On the target, an Intrusion Detection System and the
Deciduous Daemon drive the IPSEC module through the IPsec
PHIL/API (freeSWAN Pluto); the SAs are IPSEC/AH in tunnel
mode, terminated by the IPSEC module on the router or
security gateway.]
Depending on the results from both IDS and IPSEC
modules as well as the nature of the detected
attack itself, the Deciduous daemon will decide
dynamically where to set up SAs.
46
Collaboration
[Diagram: Attackers reach the Target at NCSU across the
Internet Core and the ISP; the Intrusion Detection System,
IPsec PHIL/API, IPSEC Module and Deciduous Daemon sit on the
NCSU side.]
47
Tunnel Path
[Diagram: the same picture, with a Deciduous Daemon at the
ISP as well and a Phase II SA (IPsec tunnel) set up between
NCSU and the ISP along the attack path.]
48
DECIDUOUS Testbed at SHANG LAB
  • Simple Single Source
  • Simple multiple Sources
  • Coordinated Multiple Sources

[Diagram: testbed hosts Stone (152.1.75.163), Redwing
(152.1.75.164), Norwork (152.1.75.166), Squeeze
(152.1.75.175), Bone (152.1.75.177) and Hychang2, each with a
public eth0 on 152.1.75.x and one or more internal
interfaces (eth1, eth2; 192.168.1.2, 192.168.1.3, 192.168.1.4)
on the internal networks 192.168.1.0/24 through
192.168.5.0/24, 172.16.0.0/16 and 10.0.0.0/8.]
49
Results
50
Magic Marks: concept
[Diagram: for an outgoing packet, the src/dst IP addresses
(the rest of the packet is ignored) form the selector; an
HMAC under a private key produces a 128-bit digest, from
which a 16-bit mark is taken. The same 16-bit mark travels
in the iTrace message (either a SRC iTrace or a DST iTrace)
next to the src/dst IP addresses.]
51
Magic Marks: design
[Diagram: as above, but the selector is the src IP address
plus N bits (N = 8) of the dst IP address, and the outgoing
packet's 16-bit mark comes from a Mark Table look-up instead
of an HMAC computed per packet.]
Pre-compute the Marking table with 2^N entries!
52
A scenario
[Diagram: the dst receives an iTrace message carrying the
src/dst IP addresses and the 16-bit mark; it sends the src a
verify message with those addresses and the mark; the src
recomputes the mark and responds Y/N.]
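The concept, design and scenario slides above as an added Python example (not the authors' code): the HMAC over the selector under a private key, a 16-bit mark taken from the digest, the 2^N-entry mark table for N = 8, and the two-message verify exchange with both sides. Three details are assumptions because the slides do not fix them: HMAC-MD5 is used only because the slide names a 128-bit digest, the mark is the first two bytes of that digest, and the selector encodes the top N destination bits as a 4-byte integer. The key and the addresses are constructed.

```python
import hashlib
import hmac
import ipaddress

PRIVATE_KEY = b"example-private-key-not-for-use"   # constructed; one private key per marking host
N_DST_BITS = 8                                      # slide 51: src IP plus the top N = 8 bits of the dst IP

def digest(key, src, dst_top_bits):
    """128-bit HMAC digest over the selector (src address, top N bits of dst).
    HMAC-MD5 is an assumption matching the slide's 128-bit digest; the scheme's strength
    comes from the 16-bit truncation below, not from the hash function."""
    selector = ipaddress.ip_address(src).packed + dst_top_bits.to_bytes(4, "big")
    return hmac.new(key, selector, hashlib.md5).digest()

def dst_top(dst, n_bits=N_DST_BITS):
    """The N high-order bits of the destination address, as an int in [0, 2^N)."""
    return int(ipaddress.ip_address(dst)) >> (32 - n_bits)

def mark(key, src, dst, n_bits=N_DST_BITS):
    """16-bit Magic Mark for a packet src -> dst (first two digest bytes; assumed selector)."""
    return int.from_bytes(digest(key, src, dst_top(dst, n_bits))[:2], "big")

def build_mark_table(key, src, n_bits=N_DST_BITS):
    """Pre-computed marking table with 2^N entries (slide 51), indexed by the top N dst bits,
    so marking an outgoing packet is a table look-up rather than an HMAC."""
    return [int.from_bytes(digest(key, src, top)[:2], "big") for top in range(1 << n_bits)]

def mark_from_table(table, dst, n_bits=N_DST_BITS):
    """Per-packet marking with the pre-computed table."""
    return table[dst_top(dst, n_bits)]

# Slide 52 scenario. Messages are plain dicts: {"src", "dst", "mark"}.
def verify_request(itrace_msg):
    """Destination side: turn the received iTrace message into the verify message for src."""
    return {"src": itrace_msg["src"], "dst": itrace_msg["dst"], "mark": itrace_msg["mark"]}

def verify_response(key, verify_msg):
    """Source side: recompute the mark for (src, dst) under the private key; answer Y or N.
    Constant-time comparison, so the answer's timing does not leak the expected mark."""
    expected = mark(key, verify_msg["src"], verify_msg["dst"]).to_bytes(2, "big")
    claimed = (verify_msg["mark"] & 0xFFFF).to_bytes(2, "big")
    return "Y" if hmac.compare_digest(expected, claimed) else "N"
```

Two consequences of the design worth stating plainly. A 16-bit mark means a slave that spoofs the victim's address and guesses the mark is answered Y with probability 1/65536 per try, which is the same "16 bits is restrictive" limit slide 15 raised for packet marking. And because only N = 8 destination bits enter the selector, one source uses the same mark for every destination in the same /8: cheap to pre-compute, as slide 51 wants, but a mark observed on one packet is valid for the whole /8.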