Title: Distributed Denial of Services: the Problem, its Solutions, and their Problems
Slide 1: Distributed Denial of Services: the Problem, its Solutions, and their Problems
- Dr. S. Felix Wu
- Computer Science Department
- University of California, Davis
- http://www.cs.ucdavis.edu/wu/
- wu_at_cs.ucdavis.edu
Slide 2: Denial of Service attack: beyond Authenticity, Authority, and Privacy
[Figure: victims have finite resources (bandwidth, connections, buffer space); the attacker consumes all or most of the resources of the computer system, so services are denied!]

Slide 3: Distributed DoS (yahoo, ebay, msn, ...)
[Figure: no service or degraded service. A Master directs many Slaves; their attack traffic is aggregated at the victim: Denial of Service! Hundreds/thousands of Slaves simultaneously launch attacks!]
Slide 4: The Plain DDoS Model (1999-2000)
[Figure: Attackers control Masters, which control Slaves; slave packets (src random, dst victim) cross ISP and .com networks to the Victim.]
Arithmetic on the slide: 1,500 bytes per pkt is about 10K bits per pkt; 2000 slaves at 50 pkts per second per slave (0.5M bits per second each) produce 100K pkts per second at the victim.
Slide 5: Reflector
- Use a legitimate network server/client as the reflector to avoid being traced (stepping stone).
[Figure: the Slave sends a Service Request Packet (src Victim, dst Reflector) to the Reflector; the Reflector answers with a Service Reply Packet (src Reflector, dst Victim), which lands on the Victim.]
Slide 6: The Reflective DDoS Model (2000)
[Figure: Attackers, Masters, Slaves; slave packets (src victim, dst reflector) go to Reflectors, whose replies (src reflector, dst victim) cross ISP and .com networks to the Victim.]
Slide 7: Internet Source Accountability
[Figure: AOL and UCD with hosts A and B, connected through UUNet; a packet with Header (src AOL, dst UCD) and Payload.]
Slide 8: Possible Solutions
- Stop it!!
  - egress/ingress filtering
  - aggregated-flow anomaly-based rate limiting
  - ISP, dot-COM, ...
- Trace it!!
  - where are the slaves and masters?
  - Law enforcement agencies, ...
Slide 9: Ingress/egress filtering: boosting source accountability
[Figure: an incoming packet with source 207.12.1.56 arrives on the interface of Net 169.237.6.*; the filtering policies decide: drop it or not??]
Is the source IP address of this incoming IP packet valid from this particular network interface???
1. Static configuration
2. Routing table reverse look-up
3. Routing information analysis (BGP/OSPF/RIP)
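Two of the three validity checks listed above, as an added Python example that is not from the talk: a static per-interface allow list and a strict reverse-path look-up against a constructed routing table. Only the 169.237.6.0/24 prefix and the 207.12.1.56 source come from the slide; the other prefixes and the interface names are assumptions.

```python
import ipaddress

# Constructed routing table of the filtering router: prefix -> interface that reaches it.
ROUTES = {
    "169.237.6.0/24": "eth1",   # the slide's customer network hangs off eth1
    "10.7.0.0/16": "eth1",      # a second customer prefix (constructed)
    "0.0.0.0/0": "eth0",        # default route toward the Internet
}

# Method 1, static configuration: prefixes explicitly allowed as sources per interface.
STATIC_ALLOW = {"eth1": ["169.237.6.0/24", "10.7.0.0/16"]}

def route_lookup(address):
    """Longest-prefix match: the interface the router would use to reach `address`."""
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(address) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]

def static_check(src, arrival_iface):
    """Static configuration: the source must fall in a prefix configured for the arrival interface."""
    allowed = STATIC_ALLOW.get(arrival_iface)
    if allowed is None:
        return True                       # no policy on this interface (the upstream side here)
    return any(ipaddress.ip_address(src) in ipaddress.ip_network(p) for p in allowed)

def reverse_path_check(src, arrival_iface):
    """Routing table reverse look-up (strict uRPF): the route back to src must use the arrival interface."""
    return route_lookup(src) == arrival_iface

def ingress_decision(src, arrival_iface, method=reverse_path_check):
    """The slide's question: is this source valid from this interface? Returns 'forward' or 'drop'."""
    return "forward" if method(src, arrival_iface) else "drop"
```

The strict reverse-path variant drops legitimate packets when routing is asymmetric (the return route leaves by a different interface), which is why it is normally applied at the customer edge where paths are symmetric.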
Slide 10: Aggregate-Based Congestion Control: avoiding micro-flow management
[Figure: a RED buffer (Random Early Dropping) with thresholds marked 50 and 80; good for aggressive but responsive TCP flows...]
Slide 11: Aggregate-Based Congestion Control: avoiding micro-flow management
[Figure: packets pass a High-Bandwidth AG-Flow Analyzer. High bandwidth AG-Flow? yes: rate limiters; no: the RED buffer (50/80). E.g., all ICMP packets toward dst 169.237.6.*.]
(1). How to determine the signature of an AG-Flow??
(2). How to set the limited rate for an AG-Flow??
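To make the two open questions concrete, an added Python example (not from the talk): the AG-Flow signature is assumed to be (protocol, destination /24), the analyzer flags any aggregate that used more than a fraction of link capacity in a one-second window, and flagged aggregates are policed with a token bucket while the rest continue to the normal queue. The ICMP flood toward 169.237.6.* is a constructed trace.

```python
from collections import defaultdict
import ipaddress

def aggregate_signature(pkt):
    """One possible AG-Flow signature: (protocol, destination /24), e.g. all ICMP toward 169.237.6.0/24."""
    net = ipaddress.ip_network(f"{pkt['dst']}/24", strict=False)
    return (pkt["proto"], str(net))

def high_bandwidth_aggregates(packets, window_us, link_bps, fraction):
    """Analyzer: aggregates above `fraction` of link capacity within the window, with their rate in bps."""
    bits = defaultdict(int)
    for p in packets:
        bits[aggregate_signature(p)] += p["len"] * 8
    limit = link_bps * window_us / 1_000_000 * fraction
    return {sig: b * 1_000_000 // window_us for sig, b in bits.items() if b > limit}

class TokenBucket:
    """Rate limiter for one aggregate: `rate` in bits per microsecond, `burst` in bits (integer time, no float drift)."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, 0

    def allow(self, t_us, nbits):
        self.tokens = min(self.burst, self.tokens + (t_us - self.last) * self.rate)
        self.last = t_us
        if self.tokens >= nbits:
            self.tokens -= nbits
            return True
        return False

def rate_limit(packets, limited, rate, burst):
    """Flagged aggregates each get a token bucket; everything else goes to the normal (RED) queue."""
    buckets = {sig: TokenBucket(rate, burst) for sig in limited}
    forwarded = dropped = 0
    for p in packets:
        bucket = buckets.get(aggregate_signature(p))
        if bucket is None or bucket.allow(p["t"], p["len"] * 8):
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped

# Constructed one-second trace: an ICMP flood toward 169.237.6.* (4 Mbit/s) plus light web traffic.
TRACE = [{"t": i * 2000, "proto": "icmp", "dst": f"169.237.6.{i % 254 + 1}", "len": 1000} for i in range(500)]
TRACE += [{"t": i * 20000, "proto": "tcp", "dst": "169.237.6.10", "len": 1500} for i in range(50)]
TRACE.sort(key=lambda p: p["t"])

FLAGGED = high_bandwidth_aggregates(TRACE, window_us=1_000_000, link_bps=10_000_000, fraction=0.3)
COUNTS = rate_limit(TRACE, FLAGGED, rate=1, burst=16000)   # police flagged aggregates to 1 Mbit/s
```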
Slide 12: Packet Tracing
- A transit router puts a mark in the data packets themselves (like UPS/FedEx).
  - find the space in the packet to perform the mark?
- A transit router puts a mark outside of the data packets (I have seen it!!).
  - find the bandwidth in the Internet?
Slide 13: Statistical Packet Marking
[Figure: the plain DDoS topology (Attackers, Masters, Slaves, ISP, .com, Victim) with packets src random, dst victim.]
Slide 14: [Figure: attackers A5 and A6 and routers R1, R2, R3, R4, R5, R6, R7, R8, R9 along the paths toward the victim.]
Marking procedure at router R, for each packet w:
  let x be a random number from [0..1)
  if x < p then
    write R into w.start and 0 into w.distance
  else
    if w.distance = 0 then write R into w.end
    increment w.distance
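The marking procedure above and the victim-side reconstruction it enables, as an added Python simulation (not the talk's code). The router chain R9, R6, R4, R3, R2, R1 and the marking probability p = 0.2 are assumptions; the slide does not give the topology.

```python
import random

def mark_packet(router, w, p, rng):
    """The slide's marking procedure at router R for one packet w."""
    x = rng.random()                      # random number from [0, 1)
    if x < p:
        w["start"], w["distance"] = router, 0   # start a new edge at this router
    else:
        if w["distance"] == 0:
            w["end"] = router             # first router after the start: far end of the edge
        w["distance"] += 1                # hops travelled since the start router

def forward_to_victim(path, p, rng):
    """One packet crosses `path` (router nearest the slave first) and arrives with its mark fields."""
    w = {"start": None, "end": None, "distance": 0}
    for router in path:
        mark_packet(router, w, p, rng)
    return w

def reconstruct_path(marks):
    """Victim side: chain the sampled (start, end, distance) edges, nearest router first."""
    by_distance = {}
    for w in marks:
        if w["start"] is not None:        # never-marked packets carry no usable start
            by_distance.setdefault(w["distance"], set()).add((w["start"], w["end"]))
    path, prev = [], None
    for d in range(len(by_distance)):
        # at distance 0 'end' may be stale (the procedure never clears it); beyond that the
        # far end must be the router already placed one hop closer to the victim
        starts = {s for s, e in by_distance.get(d, ()) if d == 0 or e == prev}
        if len(starts) != 1:
            break                         # missing or ambiguous sample: stop the chain here
        prev = starts.pop()
        path.append(prev)
    return path

def simulate(path, p, n_packets, seed=1):
    """Send n_packets along `path` with marking probability p; return the reconstructed path."""
    rng = random.Random(seed)
    marks = [forward_to_victim(path, p, rng) for _ in range(n_packets)]
    return reconstruct_path(marks)
```

Routers far from the victim are sampled with probability p(1-p)^d, so the far end of the path is the last to be recovered and short bursts give only a prefix of it.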
Slide 15: Problems with Packet Marking
- 16 bits is unreliable and restrictive.
  - partial IP header information
  - weak authentication
  - inefficiency
- cannot handle reflective DDoS.
- requires modification of the TCP protocol stack (and specification) -- not sure exactly how to do it completely and correctly.
Slide 16: [Figure: the reflective DDoS topology (Attackers, Masters, Slaves, Reflectors, ISP, .com, Victim) with packets src victim dst reflector, then src reflector dst victim; question marks (???) sit at the points that marking cannot resolve.]
Slide 17: ICMP Traceback
- For a very small probability (about 1 in 20,000), each router will send the destination a new ICMP message indicating the previous hop for that packet.
- Net traffic increase at endpoint is probably acceptable.
[Figure: iTrace it or not??]
Slide 18: Original iTrace
[Figure: the plain DDoS topology (Attackers, Masters, Slaves, ISP, .com, Victim) with packets src random, dst victim.]
Slide 19: iTrace in Reflective DDoS
[Figure: the reflective DDoS topology (Attackers, Masters, Slaves, Reflectors, ISP, .com, Victim) with packets src victim dst reflector, then src reflector dst victim.]
Slide 20: Improved ICMP Traceback
- For a very few packets (about 1 in 20,000), each router will send the destination and the source a new ICMP message indicating the previous hop for that packet.
- Net traffic increase at endpoint is probably acceptable.
Slide 21: Who has spoofed me??
[Figure: the Slave sends a Service Request Packet (src Victim, dst Reflector); the Reflector returns a Service Reply Packet (src Reflector, dst Victim); source Traceback Messages are delivered to the Victim, whose address was used as the source.]
Slide 22: Improved iTrace
[Figure: the reflective DDoS topology (Attackers, Masters, Slaves, Reflectors, ISP, .com, Victim) with packets src victim dst reflector, then src reflector dst victim.]
Slide 23: Is that really me???
[Figure: a Service Request Packet (src Victim, dst www.yahoo.com); source Traceback Messages reach the Victim through the ISP. How can I tell??]
Slide 24: Maybe it is my friend...
[Figure: the plain DDoS topology (Attackers, Masters, Slaves, ISP with its customers, .com, Victim) with packets src random, dst victim. Are you sure that this is from a slave or not?]
Slide 25: Emitting a relatively small amount
[Figure: the plain DDoS topology (Attackers, Masters, Slaves, ISP, .com, Victim) with packets src random, dst victim.]
Slide 26: iTrace Probability 1/20,000
[Figure: a router carrying a little attack traffic and a lot of background traffic.]
For a router with lots of background traffic, it will take a long time before we really generate a useful iTrace.
Slide 27: A Statistical Problem with iTrace
- Routers closer to the victims have a higher probability of generating iTrace packets toward the true victims within the first N iTrace messages generated.
- Routers closer to the DDoS slaves might have a relatively small probability (smaller than the routers around the victims) of generating useful iTrace packets fast enough.
Slide 28: Usefulness
- Useful
  - It carries attack packets.
- Valuable
  - It carries attack packets from a router that is very close to the original slaves.
  - We have not received the same kind of iTrace messages before.
  - The iTrace messages are received fast.
Slide 29: Three Types of Nodes
- DDoS victim with the intention to trace the slaves.
- DDoS victim without the intention.
- non-DDoS victims (assuming they do not have the intention as well -- and very likely they hope they won't receive any).
Slide 30: Intention-driven iTrace
- Different destination hosts, networks, domains/ASs have different intention levels in receiving iTrace packets.
- We propose to add one iTrace-intention bit.
- Some of them might not care about iTrace, and some of them might not be under DDoS attacks, for example.
Slide 31: Issues
- How to determine the intention bit?
- How to distribute the intention bits to routers globally?
- How to use the intention bits at each router?
Slide 32: (No Transcript)
Slide 33: iTrace/Intention-Driven iTrace architecture
[Figure: packets enter the router and are looked up in the packet-forwarding table; a Decision Module combines the BGP routing table with the intention bits to set the iTrace generation bit (1/20000) on a forwarding-table entry, which drives iTrace Generation (1/20000).]
Slide 34: Processing Overhead
When the 1/20K iTrace message trigger occurs:
1. Select and set one iTrace bit in the forwarding table.
Processing for each data packet:
1. If the iTrace flag bit is 1: (1) send an iTrace message for this data packet; (2) reset the iTrace bit to 0.
Slides 35-36: I(n) and the iTrace bit per forwarding-table entry

Prefix            iTrace bit (1) before iTrace trigger   (2) after iTrace trigger   (3) after iTrace sent
152.1.23.0/24     0                                      0                          0
169.20.3.0/24     0                                      0                          0
192.1.0.0/16      0                                      0                          0
207.3.4.183/20    0                                      0                          0
152.1.0.0/16      0                                      1                          0
155.0.0.0/16      0                                      0                          0
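An added Python simulation (not from the talk) of slides 26 through 36: the same router runs in original iTrace mode (each packet triggers a message about itself with probability 1/20,000) and in intention-driven mode (a trigger sets the iTrace bit on a forwarding-table entry with I(n) = 1; the next packet toward that entry generates the message and clears the bit). The six prefixes are those of the table above; that I(n) = 1 only for 152.1.0.0/16, the 5% attack share, and 192.1.0.0/16 as the background destination are assumptions.

```python
import ipaddress, random

PREFIXES = ["152.1.23.0/24", "169.20.3.0/24", "192.1.0.0/16",
            "207.3.4.183/20", "152.1.0.0/16", "155.0.0.0/16"]
INTENTION = {"152.1.0.0/16": 1}       # I(n) = 1 only for the victim's prefix (assumed)
P_TRIGGER = 1 / 20000                 # the 1/20K iTrace trigger

class Router:
    def __init__(self, prefixes, intention, intention_driven):
        self.entries = []             # [net, mask, prefixlen, state], longest prefix first
        for p in prefixes:
            n = ipaddress.ip_network(p, strict=False)
            state = {"prefix": p, "I": intention.get(p, 0), "itrace": 0}
            self.entries.append([int(n.network_address), int(n.netmask), n.prefixlen, state])
        self.entries.sort(key=lambda e: -e[2])
        self.intention_driven = intention_driven
        self.sent = []                # destination prefix of every iTrace message generated

    def lookup(self, dst):
        for net, mask, _, state in self.entries:
            if dst & mask == net:
                return state
        raise LookupError("no route")
    def forward(self, dst, rng):
        entry = self.lookup(dst)
        triggered = rng.random() < P_TRIGGER
        if not self.intention_driven:         # original iTrace: message about this very packet
            if triggered: self.sent.append(entry["prefix"])
            return
        if triggered:                         # trigger: select one entry with I(n)=1, set its bit
            intended = [e[3] for e in self.entries if e[3]["I"] == 1]
            if intended: rng.choice(intended)["itrace"] = 1
        if entry["itrace"] == 1:              # per-packet work: bit set, so send and reset it
            self.sent.append(entry["prefix"])
            entry["itrace"] = 0

def run(intention_driven, n_packets=400_000, attack_fraction=0.05, seed=7):
    """Return (iTrace messages generated, fraction of them toward the intending victim)."""
    rng = random.Random(seed)
    router = Router(PREFIXES, INTENTION, intention_driven)
    victim = int(ipaddress.IPv4Address("152.1.100.0"))     # inside 152.1.0.0/16, outside the /24
    other = int(ipaddress.IPv4Address("192.1.0.0"))        # background destinations, I(n) = 0
    for _ in range(n_packets):
        if rng.random() < attack_fraction:
            router.forward(victim + rng.randrange(256), rng)
        else:
            router.forward(other + rng.randrange(65536), rng)
    useful = sum(1 for p in router.sent if p == "152.1.0.0/16")
    return len(router.sent), useful / max(1, len(router.sent))
```

With a 5% attack share the original scheme spends about 95% of its messages on background destinations, which is the statistical problem of slide 27; the intention-driven router sends every message toward an intending victim while generating about the same number of them.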
Slide 37: (No Transcript)
Slide 38: Usefulness in MSMV
[Figure: chart; no values recoverable.]
Slide 39: How to distribute I(n)?
- YABE (Yet Another BGP Extension)
  - For every BGP route update, we include I(n) as a new string in the community attribute: 0xiTrace-Intention 0x0-1 (optional transitive)
  - These I(n) values will be forwarded or even aggregated by the routers who understand this new community attribute.
  - aggregation: I(new) = max I(n)
- Rate-Limiting on Intention Update
  - should not be more frequent than Keep-Alive messages.
  - should not trigger any major route computation.
Slide 40: Signaling (BGP extension)
[Figure: AS 100, AS 120, AS200, AS250, AS300, AS500, AS600, AS700, AS800 and AS900; an IDS issues an Intention-bit update request, and the BGP update for prefix 900 carries the attribute "Intend to receive iTrace".]
Slide 41: Summary
- Improve the probability of useful iTrace.
- Require some minor changes to the router forwarding process.
- Require a new BGP community string.
- The amount of generated iTrace messages should be no more than the current iTrace proposal.
Slide 42: DECIDUOUS
- Reliably identify the source(s) of attack packets. (Tracing)
- Intrusion Detection, Response, Source Identification.
- Collaborating with Edge Routers or Security Gateways that support IPSEC or other types of Tunnels
- Utilize the IPSEC framework
  - Requirements for IPSEC Policy System
  - Interacting with IDS and IRS/FW.
Slide 43: Spoofed IP Address
[Figure: AOL and NCSU with hosts A and B, connected through UUNet; a packet with Header (src AOL, dst NCSU) and Payload.]
Slide 44: IPSec Tunnel
[Figure: the same AOL/NCSU/UUNet picture with the packet (Header src AOL, dst NCSU; Payload) carried inside an IPSec tunnel.]
Slide 45: Every single SA that has been or has not been used by the attack packet will provide some location information about the true source.
[Figure: Attackers and Target; at the Router or Security Gateway an Intrusion Detection System, IPSEC Modules (freeSWAN Pluto, IPsec PHIL/API, IPSEC/AH in tunnel mode) and the Deciduous Daemon.]
Depending on the results from both IDS and IPSEC modules as well as the nature of the detected attack itself, the Deciduous daemon will decide dynamically where to set up SAs.
Slide 46: Collaboration
[Figure: Attackers, the Internet Core, an ISP and NCSU (Target); the Intrusion Detection System, IPsec PHIL/API, IPSEC Module and Deciduous Daemon sit at the target side.]
Slide 47: Tunnel Path
[Figure: as in slide 46, with a Deciduous Daemon at both NCSU and the ISP and a Phase II SA (the tunnel) set up between them across the Internet Core.]
Slide 48: DECIDUOUS Testbed at SHANG LAB
- Simple Single Source
- Simple multiple Sources
- Coordinated Multiple Sources
[Figure: testbed topology. Hosts Stone (163), Sun 2, Redwing (164), Squeeze (175), Norwork (166), Hychang2 (3) and Bone (177), with eth0 addresses 152.1.75.163, .164, .166, .175, .177 and 192.168.1.2, .3, .4, interconnected over eth1/eth2 through the networks 192.168.2.0, 192.168.3.0, 192.168.4.0, 192.168.5.0 (255.255.255.0), 172.16.0.0 (255.255.0.0) and 10.0.0.0 (255.0.0.0).]
Slide 49: Results
Slide 50: Magic Marks concept
[Figure: an outgoing packet (src/dst IP addresses, the rest...). The selector takes the src/dst IP addresses; an HMAC under the router's private key produces a 128-bit digest, from which a 16-bit mark is derived. The iTrace message (either a SRC iTrace or a DST iTrace) carries the src/dst IP addresses, the rest, and the 16-bit mark.]
Slide 51: Magic Marks design
[Figure: the outgoing packet (src/dst IP addresses, the rest...) gets its 16-bit mark from a Mark Table look-up; the table is filled from the HMAC (private key, 128-bit digest) over a selector made of the src IP address plus N bits (N = 8) of the dst IP address.]
Pre-compute the Marking table with 2^N entries!
Slide 52: A scenario
[Figure: dst receives an iTrace message (src/dst IP addresses, the rest, 16-bit mark); dst sends src a verify message (src/dst IP addresses, the rest, 16-bit mark); src checks the 16-bit mark and answers with a response (Y/N).]
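The mark computation, the pre-computed table and the verify exchange of slides 50 through 52, as an added Python example (not the talk's implementation). HMAC-MD5 is assumed for the 128-bit digest, the mark is taken as the first 16 bits of the digest, N = 8, and the key and addresses are constructed.

```python
import hashlib, hmac, ipaddress

N_BITS = 8                                         # the slide's N = 8 high-order bits of the dst address
PRIVATE_KEY = b"constructed-router-private-key"    # example key, not a real secret

def selector(src_ip, dst_ip, n_bits=N_BITS):
    """Selector bytes: the full src IP address plus the top N bits of the dst IP address."""
    src = int(ipaddress.IPv4Address(src_ip)).to_bytes(4, "big")
    top = int(ipaddress.IPv4Address(dst_ip)) >> (32 - n_bits)
    return src + top.to_bytes((n_bits + 7) // 8, "big")

def magic_mark(key, src_ip, dst_ip, n_bits=N_BITS):
    """HMAC (MD5 assumed, giving the slide's 128-bit digest) over the selector, truncated to 16 bits."""
    digest = hmac.new(key, selector(src_ip, dst_ip, n_bits), hashlib.md5).digest()
    return int.from_bytes(digest[:2], "big")

def precompute_mark_table(key, src_ip, n_bits=N_BITS):
    """Per-source mark table with 2^N entries, indexed by the top N bits of any dst address."""
    return {top: magic_mark(key, src_ip, str(ipaddress.IPv4Address(top << (32 - n_bits))), n_bits)
            for top in range(1 << n_bits)}

def mark_from_table(table, dst_ip, n_bits=N_BITS):
    """Forwarding path: one table look-up instead of one HMAC per packet."""
    return table[int(ipaddress.IPv4Address(dst_ip)) >> (32 - n_bits)]

def build_itrace_message(key, src_ip, dst_ip):
    """The iTrace message (SRC or DST iTrace) carries the packet's addresses and the 16-bit mark."""
    return {"src": src_ip, "dst": dst_ip, "mark": magic_mark(key, src_ip, dst_ip)}

def verify_message(key, message):
    """Scenario: the recipient returns the message; the mark's owner recomputes it and answers Y/N."""
    expected = magic_mark(key, message["src"], message["dst"]).to_bytes(2, "big")
    return "Y" if hmac.compare_digest(expected, message["mark"].to_bytes(2, "big")) else "N"
```

Only the holder of the private key can produce or confirm a mark, so a forged or altered iTrace message is answered with N; a 16-bit mark still leaves a 1 in 65,536 chance of a random match, which is the restriction slide 15 complains about.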