Title: HopCount Filtering: An Effective Defense Against Spoofed DDos Traffic
1Hop-Count Filtering An Effective Defense Against
Spoofed DDos Traffic
- Cheng Jin CS Department Caltech Pasadena
- Haining Wang CS Department College of William and
Mary Williamsburg - Kang G. Shin EECS Department University of
Michigan Ann Arbor - CCS03, October 2731, 2003
2Outline
- Introduction
- Hop-count inspection
- Feasibility of hop-count filtering
- Effectiveness of HCF
- Construction of HCF table
- Running states of HCF
- Resource Savings
- Related work
- Conclusion and future work
3INTRODUCTION
- IP spoofing makes DDoS attack more difficult to
defend against. - Conceal flooding sources and localities in
flooding traffic - Coax legitimate hosts into becoming reflectors
- Two approaches to thwart DDoS attack
- Router-based
- Victim-based
4INTRODUCTION
- Router-based improve routing infrastructure
- Off-line analysis of flooding traffic
- Off-line IP traceback
- On-line filtering of DDoS traffic inside routers
- Rely on IP router enhancement
- Victim-based enhances the resilience of
Internet servers against attacks - Advantage of being immediately deployable
- Current approach resource management
5INTRODUCTION
- Hop-Count Filtering (HCF)
- Victim-based filtering
- Using TTL field of IP header to determine hop
counts - build an IP-to-hop count(IP2HC) mapping table
- using a moderate amount of storage
- clustering address prefixes based on hop-count.
- pollution-proof method
- update procedure for the IP2HC mapping table that
prevents pollution by HCF-aware attackers. - IP2HC mapping table initialization and adding new
IP addresses - Two running states alert and action
6HOP-COUNT INSPECTIONTTL-based Hop-Count
Computation
- The challenge in hop-count computation
- a destination only sees the final TTL value.
- Final TTL value initial TTL value hop-count
- cannot assume a single static initial TTL value
for each IP address. - Fortunately, most modern OSs use only a few
initial TTL values, 30, 32, 60, 64, 128, 255. - most of these initial TTL values are far apart
- except 30,32 60,64,32,60
- Since Internet traces have shown that few
Internet hosts are apart by more than 30 hops
7HOP-COUNT INSPECTIONInspection Algorithm
8FEASIBILITY OF HCFHop-Count Stability
- The feasibility of HCF hinges on three factors
- (1) stability of hop-counts
- (2) diversity of hop-count distribution
- (3) robustness against possible evasions
- stability of hop-counts
- Frequent changes in the hop-count
- excessive mapping updates
- out-of-date mapping
- Dictated by the end-to-end routing behaviors
- two thirds of the Internet paths persist for
either days or weeks - 95of the paths had fewer than five observable
daily changes
9FEASIBILITY OF HCFDiversity of Hop-Count
Distribution
- a diverse hop-count distribution is critical to
effective filtering. - the hop-count distributions at all traceroute
gateways - the Gaussian distribution (bell-shaped curve) is
a good first-order approximation. - We are interested in the girth of a distribution
- We are not making any definitive claim of whether
hop-count distributions are Gaussian or not. - The largest percentage of IP addresses that have
a common hop-count value is only 10.
10FEASIBILITY OF HCFDiversity of Hop-Count
Distribution
11FEASIBILITY OF HCFDiversity of Hop-Count
Distribution
12FEASIBILITY OF HCFDiversity of Hop-Count
Distribution
most of the mean values fall between 14 and 19 hop
13FEASIBILITY OF HCFDiversity of Hop-Count
Distribution
standard deviations between 3 and 5 hops.
14FEASIBILITY OF HCFRobustness against Evasion
- The key for an attacker to evade HCF is to set an
appropriate initial TTL value - build a priori an IP2HC mapping table that covers
the entire random IP address space. - attacker cannot observe the final TTL values of
normal traffic at the victim. - have to compromise at least one end-host behind
every stub network whose IP addresses are in the
random IP address space
15FEASIBILITY OF HCFRobustness against Evasion
- Without compromising end-host
- probe the hs value for the quiescent host
- (1) force the victim into the action state by
launching a DDoS attack - (2) probe the quiescent host and extract the
latest value of its IP ID field of the header - (3) send a spoofed packet with a tentative
initial TTL - (4) re-probe the quiescent host and check if its
IP ID has increased by more than one. - accurate router-level topology of the Internet /
the underlying routing algorithms and policies. - topology maps are generally time-averaged
approximations - the routing policies are not disclosed to the
public.
16EFFECTIVENESS OF HCFSimple Attacks
- Single source
- Given a single flooding source whose hop-count to
the victim is h, let ah denote the fraction of IP
addresses that have the same hop-count to the
victim as the flooding source. - the fraction of spoofed IP addresses that cannot
be detected is ah. The remaining fraction 1-ah
will be identified and discarded by HCF. - Multiple sources
- n sources that flood a total of F packets, each
flooding source generates F/n spoofed packets. - The fraction, Z, of identifiable spoofed packets
generated by n flooding sources is
17EFFECTIVENESS OF HCFSimple Attacks
18EFFECTIVENESS OF HCFSimple Attacks
19EFFECTIVENESS OF HCFSophisticated Attackers
20EFFECTIVENESS OF HCFSophisticated Attackers
- a uniform distribution
- the range of possible hop-counts is hi, hj
where i j and H j-i1 - the fraction of spoofed source IP addresses that
have correct TTL values, is given as - initial TTLs within the range hm,hn, based on
some known distribution - the probability of IP addresses with hop-count hk
is phk . - the fraction of the IP addresses that have a
hop-count of hk is ahk , - the fraction of the spoofed IP packets that will
not be caught by HCF is
21EFFECTIVENESS OF HCFSophisticated Attackers
Hop-count between 1020,so H11 Summations
maximum1 So maximum
22EFFECTIVENESS OF HCFSophisticated Attackers
m0,n30
23CONSTRUCTION OF HCF TABLEIP Address Aggregation
- objectives in building an HCF table are
- (1) accurate IP2HC mapping,
- (2) up-to-date IP2HC mapping
- (3) moderate storage requirement.
- By aggregating IP address
- reduce the space requirement of IP2HC
- covers those unseen co-located IP addresses
- Aggregation into 24-bit Address Prefixes
- straightforward to implement and can offer fast
lookup - a one-byte entry per network prefix for
hop-count, the storage requirement is 224 bytes
or 16 MB. - Aggregation with Hop-Count Clustering
24CONSTRUCTION OF HCF TABLEIP Address Aggregation
25CONSTRUCTION OF HCF TABLEIP Address Aggregation
26CONSTRUCTION OF HCF TABLEIP Address Aggregation
27CONSTRUCTION OF HCF TABLEPollution-Proof
Initialization and Update
- Keeping the IP2HC mapping up-to-date is necessary
- initialization and dynamic update is through TCP
connection establishment - One way to ensure that only legitimate packets
are used - attacker cannot slowly pollute an HCF table by
spoofing source IP addresses. - may be too expensive to inspect and update with
each newly-established TCP connection - user-configurable parameter to adjust the
frequency of update. - a counter p that records the number of
established TCP connections - p can also be a function of system load and
hence, updates are made more frequently when the
system is lightly-loaded. - mapping updates may require re-clustering
- hop-count changes are not a frequent event,
- the overhead incurred by re-clustering is
negligible.
28RUNNING STATES OF HCF
29RUNNING STATES OF HCF
- Introduction of the alert state
- lowers the overhead of HCF
- stop DRDoS
- HCF specifically looks for IP spoofing, so it
will be able to detect attempts to fool servers
into acting as reflectors. - Blocking Bandwidth Attacks
- detection and filtering (at the ISPs edge
router) of spoofed packets must be separated - One or more machines inside the stub network and
the access router must run HCF - at least one machine inside the stub network
maintain an updated HCF table
30RUNNING STATES OF HCF
31RESOURCE SAVINGSBuilding the Hop-Count Filter
- The test module
- resides in the IP packet receive function,
ip_rcv. - insert the filtering function before the
expensive checksum verification. - The hop-count mapping
- 4096-bucket hash table with chaining to resolve
collisions. - Each entry in the hash table represents a 24-bit
address prefix. - A binary tree is used to cluster hosts within
each 24-bit address prefix. - This tree can then be implemented as a linear
array of 127 elements. - Each element in the array stores the hop-count
value of a particular clustering. - the HCF-table update
- insert the function call into the kernel TCP code
32RESOURCE SAVINGSExperimental Evaluation
33RESOURCE SAVINGSExperimental Evaluation
Without HCF ,CPU cyclesatDbtL With HCF,CPU
cycles(1-a)atDFaatdb(tLtLF)
34RELATED WORK
- Despoof
- compares the TTL of a received packet with the
actual TTL of a test packet sent to the source IP
address - Requires the administrator to determine ,and
manually verify. - High overhead
- Detecting spoofed packets. S. Templeton/K.
Levitt. - using TTL for detecting spoofed packet
- ingress filtering
- blocks spoofed packets at edge routers,
- Rely on wide-eployment in IP routers.
- route-based distributed packet filtering (DPF)
- Given the reachability constraints
35RELATED WORK
- SAVE
- builds a table of incoming source IP addresses at
each router - associates each of its incoming interfaces with a
set of valid incoming network - Path Identifier (Pi)
- IP traceback marking
- a path fingerprint in each packet
36CONCLUSION FUTURE WORK
- HCF
- Can detect and discard spoofed IP
- Without router support
- Using moderate storage
- NAT (Network Address Translator)
- each of which may connect multiple stub networks,
- could make a single IP address appear to have
multiple valid hop-counts at the same time - install the HCF system at a victim site for
practical use