Characterizing and Defending Against DDoS Attacks - PowerPoint PPT Presentation

Slides: 41
Provided by: scie343
Learn more at: http://ilab.usc.edu

Transcript and Presenter's Notes

1
Characterizing and Defending Against DDoS Attacks
Christos Papadopoulos ..and many others
2
How Do Computers Find Each Other?
[Diagram: Computer 1 and Computer 2]
3
What Are the Different Kinds of Addresses?
  • Have domain name (e.g., www.usc.edu)
  • Global, human readable name
  • DNS translates name to IP address (e.g.
    128.125.19.146)
  • Global, understood by all networks
  • Finally, we need a local network address
  • e.g., Ethernet (08-00-2c-19-dc-45)
  • Local, works only on a particular network

4
Domain Naming System (DNS)
[Diagram: Computer 1 asks the local DNS server "What's the IP address for www.usc.edu?"; the server answers "It is 128.125.19.146"]
DNS server address is manually configured into the OS
5
Finding Ethernet Address: Address Resolution (ARP)
[Diagram: on the Ethernet, a host broadcasts "Who knows the Ethernet address for 128.125.51.41?"; the owner broadcasts back "I do, it is 08-00-2c-19-dc-45"]
6
Sending a Packet Through the Internet
Routers send packet to next closest point
[Diagram: hosts (H) connected through a mesh of routers (R)]
The Internet routes packets based on their destination!
7
Smurf Attack
Broadcast echo request; the source address is spoofed to be the target's address.
Many echo replies are received by the target, since most machines on the amplifier network respond to the broadcast.
8
TCP SYN Flooding - A More Powerful Attack
[Diagram: SPOOFED SYN (from a nonexistent host) -> SYN-ACK -> FINAL ACK NEVER SENT]
9
So, What Is DDoS?
  • Distributed Denial of Service
  • New, more pernicious type of attack
  • Many hosts gang up to attack another host
  • Network resource attack
  • Bandwidth
  • State

10
Why Should We Care?
  • Successfully used to attack prominent sites in
    the Internet by those with a primitive
    understanding of internet protocols
  • It is relatively easy to do, but hard to detect
    and stop
  • It is only going to get worse unless we develop
    adequate protection mechanisms

11
Anatomy of an Attack
  • Compromise a large set of machines
  • Install attack tools
  • Instruct all attack machines to initiate attack
    against a victim
  • Process highly automated

12
Phase 1: Compromise
  • A (stolen) account is used as repository for
    attack tools.
  • A scan is performed to identify potential
    victims.
  • A script is used to compromise the victims.

13
Phase 2: Install Attack Tools
  • An automated installation script is then run on
    the owned systems to download and install the
    attack tool(s) from the repository.
  • Optionally, a root kit is installed on the
    compromised systems.

14
Phase 3: Launch Attack
  • Launch a coordinated DDoS from different sites against a single victim.
  • Network pipes of attackers can be small, but aggregated bandwidth is far larger than the victim's pipe.
  • Victim's ISP may not notice elevated traffic.
  • DDoS attacks are harder to track than a DoS.

16
Some Known DDoS attack tools
  • Trin00
  • Tribal Flood Network (TFN)
  • Tribal Flood Network 2000 (TFN2K)
  • Stacheldraht

17
Stacheldraht
  • Combines features of trin00 and TFN.
  • Adds encryption between the attacker and masters and automated update of agents.
  • Communication between attacker and masters takes place on TCP port 16660.
  • Daemons receive commands from masters through ICMP echo replies.
  • ICMP, UDP, SYN flood and Smurf attacks.

18
./client 192.168.0.1
stacheldraht (c) in 1999 by ...
trying to connect...
connection established.
--------------------------------------
enter the passphrase: sicken
--------------------------------------
entering interactive session.
welcome to stacheldraht
type .help if you are lame
stacheldraht(status a!1 d!0)>
19
stacheldraht(status a!1 d!0)> .help
available commands in this version are
--------------------------------------
.mtimer .mudp .micmp .msyn .msort .mping .madd .mlist .msadd .msrem .distro .help .setusize .setisize .mdie .sprange .mstop .killall .showdead .showalive
--------------------------------------
stacheldraht(status a!1 d!0)>
20
Some Commands
--------
.distro user server
  Instructs the agent to install and run a new copy of itself using the Berkeley "rcp" command, on the system "server", using the account "user" (e.g., "rcp user@server:linux.bin ttymon").
.madd ip1[:ip2[:ipN]]
  Add IP addresses to list of attack victims.
.mdie
  Sends die request to all agents.
21
COSSACK: Coordinated Suppression of Simultaneous Attacks
Computer Networks Division, ISI
http://www.isi.edu/cossack
22
People
  • Co-PIs: Christos Papadopoulos, Bob Lindell (USC/ISI)
  • Affiliations: Ramesh Govindan (USC/ISI)
  • Staff: John Mehringer (ISI)
  • Students: Alefiya Hussain (USC)
  • DARPA synergies:
    • D-WARD - Peter Reiher, Jelena Mirkovic (UCLA)
    • SAMAN - John Heidemann (USC/ISI)

23
Cossack Overview
  • Distributed set of watchdogs at network perimeter
  • Local IDS
  • Group communication
  • Topology information (when available)
  • Fully distributed approach
  • Peer-to-peer rather than master-slave
  • Attack-driven dynamic grouping of watchdogs
  • Attack correlation via coordination with other
    watchdogs
  • Independent, selective deployment of
    countermeasures

24
Cossack: A Simplified View
[Diagram: several attackers, watchdogs (W) at the network perimeter, and a target]
25
Attacks Begin
[Diagram: attacker traffic flows through the watchdogs (W) toward the target]
26
Watchdogs Communicate Using YOID
[Diagram: the watchdogs (W) exchange messages over YOID while the attack traffic continues]
27
Attacks Detected
[Diagram: the watchdogs (W) recognize the attack traffic aimed at the target]
28
Watchdogs Install Filters and Eliminate Attack
[Diagram: the watchdogs (W) filter the attack traffic before it reaches the target]
29
Detecting Source Spoofed Attacks
[Diagram: the watchdogs (W) compare their observations over YOID to detect traffic with spoofed source addresses]
30
Cossack Watchdog Architecture
[Diagram: watchdog components joined through a YOID multicast group]
31
Cossack Plugin Operation
[Screenshot: packet averages grouped by destination address; packet flow statistics]
32
Cossack Plugin Operation
[Screenshot: packet averages grouped by destination address; packet flow statistics]
33
Cossack Network Inspector
  • Tool to determine detection thresholds for
    watchdogs
  • Interfaces with the Cossack Snort Plugin
  • Collects aggregate level network traffic
    statistics
  • Traffic filters created using snort rules
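An added example (not the Cossack Snort plugin or Network Inspector code) of the per-destination aggregation the plugin screenshots show and the threshold-setting the Network Inspector performs: packet records are grouped by destination address into one-second windows, a per-destination threshold is derived from baseline windows, and live windows above it are flagged. The record format, the 1 s window and the mean + 3 sigma policy are assumptions.

```python
"""Per-destination packet-rate aggregation with a baseline-derived threshold
(added example, not the Cossack Snort plugin or Network Inspector). Assumed:
packet records are (timestamp_s, dst_ip) tuples, windows are 1 s, and the
threshold policy is baseline mean + 3 standard deviations per destination."""
from collections import defaultdict
import math

def window_rates(packets, window_s=1.0):
    """Map each destination to its packets-per-second in every window."""
    if not packets:
        return {}
    t0 = min(t for t, _ in packets)
    last = int((max(t for t, _ in packets) - t0) // window_s)
    counts = defaultdict(lambda: [0] * (last + 1))
    for t, dst in packets:
        counts[dst][int((t - t0) // window_s)] += 1
    return {d: [c / window_s for c in v] for d, v in counts.items()}

def thresholds(baseline_rates, k=3.0):
    """Per-destination threshold = mean + k * stddev of its baseline rates."""
    out = {}
    for dst, rates in baseline_rates.items():
        mean = sum(rates) / len(rates)
        var = sum((r - mean) ** 2 for r in rates) / len(rates)
        out[dst] = mean + k * math.sqrt(var)
    return out

def detect(live_rates, thresh, default_pps):
    """Destinations whose rate in any window exceeds their threshold
    (destinations never seen in the baseline fall back to default_pps)."""
    return sorted(d for d, rates in live_rates.items()
                  if max(rates) > thresh.get(d, default_pps))

# Constructed baseline: packets per second seen per window for two customer hosts.
BASELINE = {"10.1.1.5": [10, 12, 8, 10, 11, 9, 10, 10, 12, 8],
            "10.1.1.9": [2, 3, 2, 1, 2]}
# Constructed live capture: 10.1.1.5 receives 300 packets in its second window.
LIVE_PACKETS = ([(0.5, "10.1.1.5")] * 9 + [(1.5, "10.1.1.5")] * 300 + [(2.5, "10.1.1.5")] * 11
                + [(0.5, "10.1.1.9")] * 2 + [(2.5, "10.1.1.9")] * 3)

if __name__ == "__main__":
    print(detect(window_rates(LIVE_PACKETS), thresholds(BASELINE), default_pps=50.0))
```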

34
Cossack Performance
  • Response time: 5-30 seconds
  • Insensitive to attack type

35
Attack Capture and Analysis
  • Goal: capture some attacks, analyze and learn from them
  • Packet-level capture facilities in several sites:
    • Los Nettos
    • USC
    • CAIDA
    • Telcordia, Sprint
  • Spectral analysis

36
Tracing Infrastructure
[Diagram labels: Internet, Cogent, Genuity, Los Nettos, trace machine (140 Mbps, 38 kpps), Los Nettos customers: JPL, Caltech, TRW, USC, Centergate]
37
Captured Attacks
  • Captured and classified about 120 attacks over several months

Attack Class    Count  PPS           Kbps
Single-source   37     133-1360      640-2260
Multi-source    10     16000-98000   13000-46000
Reflected       20     1300-3700     1700-3000
Unclassified    13     550-33500     1600-16000
38
Spectral Attack Analysis
[Two spectral plots, each annotated with F(60)]
  • Multi-source attack (145 sources): localization of power in low frequencies in the NCS
  • Single-source attack: strong higher frequencies and linear Normalized Cumulative Spectrum (NCS)

39
Spectral Analysis
  • Goal: identify single- vs. multi-source attacks
  • Single-source: F(60) mean 268 Hz (240-295 Hz)
  • Multi-source: F(60) mean 172 Hz (142-210 Hz)
  • Able to robustly categorize unclassified attacks

40
Conclusions
  • Cossack is a fully distributed approach against DDoS attacks
  • Software is operational and currently undergoing Red Team testing
  • We continue to capture attacks, analyze and learn from them
  • Spectral analysis work is very promising
  • http://www.isi.edu/cossack