SourceEnd Defense System against DDoS attacks

1
Source-End Defense System against DDoS attacks

• Fu-Yuan Lee, Shiuhpyng Shieh, Jui-Ting Shieh and
  Sheng Hsuan Wang
• Distributed System and Network Security Lab.
• Department of Computer Science and Information
  Engineering
• National Chiao Tung University
• WADIS03

2
Outline

• Introduction to DDoS attacks.
• Current DDoS defense strategies
• Review of D-WARD
• Proposed DDoS defense scheme
• Evaluation
• Conclusions and future work

3
DDoS attacks

• What is a Denial-of-Service (DoS) attack
• Degrade the service quality or completely disable
  the target service by overloading critical
  resources of the target system or by exploiting
  software bugs.
• What is a Distributed DoS (DDoS) attack
• The objective is the same with DoS attacks but is
  accomplished by a of compromised hosts
  distributed over the Internet.

4
Mechanisms against DDoS attacks (1)

• Victim-end
• Most existing Intrusion detection systems and
  DoS/DDoS tolerant system design fall in this
  category.
• Used to protect a set of hosts from being
  attacked.
• Advantages and disadvantages
• DDoS attacks are easily detected due to the
  aggregate of huge traffic volume.
• From a networks perspective, protecting is
  consider ineffective. Attack flows can still
  incur congestion along the attack path.

5
Mechanisms against DDoS attacks (2)

• Infrastructure-based
• DDoS defense lines are constructed towards attack
  sources to reduce network congestion.
• Attack packets are filtered out by Internet core
  routers.
• Advantages and disadvantages
• The effectiveness of filtering is improved.
• An Internet-wide authentication framework is
  required.
• Internet core routers must be upgrade to filter
  out attack packets in high speeds

6
Mechanisms against DDoS attacks (3)

• Source-end
• DDoS defense mechanism are used to prevent
  monitored hosts from participating in DDoS
  attacks.
• Attack packets are dropped at sources. It allows
  preventing attack traffic from entering the
  Internet.
• Advantages and disadvantages
• The effectiveness of packet filter is the best.
• It is very hard to identify DDoS attack flows at
  sources since the traffic is not so aggregate.
• It require the support of all edge routers.

In summary, source-end DDoS defense strategy is
the most effective and with moderate deployment
cost.
7
D-WARD A Source-End DDoS defense scheme

• J. Mickovic et al. Attacking DDoS at the
  Source, IEEE ICNP02
• Ideas behind D-WARD DDoS attack flows can be
  identified by comparing flow statistics against
  normal flow models. Signals of DDoS attacks
• High Packet loss rate
• The level of network congestion (or say packet
  loss rate) reflects on the ratio of number of
  packets sent to and received from the peer.
• High packet sending rate This may also indicate
  a DDoS attack
• A large number of connections to the peer

8
D-WARD Architecture
9
D-WARD Observation Component

• Gather per flow statistics
• Flow The aggregate traffic between monitored IP
  addresses and a foreign IP address.
• Observation interval A basic time frame for one
  observation
• The number of packet and bytes sent to and
  received from the peer
• The number of active connections
• Legitimate flow model
• TCP flows
• Psent/Prcv lt TCPrto (set to 3)
• ICMP flows
• Psent/Prcv lt ICMPrto (set to 1.1)
• UDP flows
• nconn lt MAXconn (set to 100)
• pconn gt MINpkts (set to 1)
• Bsent lt UDPrate (set to 10MBps)

10
Motivations

• Using a global threshold of Psent/Prcv for TCP
  flows would result in high false positive and
  high false negative. In the following context,
  this ratio is denoted as O/I
• High false positive
• flows with O/I greater than 3 in its normal
  operation would be classified as attack flows
• High false negative
• low-rate attacks will not be detected. Consider a
  flow with O/I 1, then O/I only reaches 2 when
  the packet loss rate is 50.

In one word, using a single O/I threshold for
different flows is problematic.
11
Basic Idea

• Ideas behind the proposed scheme
• Focus detecting DDoS attacks based on TCP
• 96 of current attacks are based on TCP. Only 2
  use UDP and 2 use ICMP
• The level of congestion should be determined
  according previous behavior of the each monitored
  flow.
• Two more DDoS characteristics are utilized for
  detecting attacks
• Distribution the number of hosts sending packets
  to the destination in each observation period
• Continuity reflect to the observation that a
  DDoS attack always lasts for an extended period
  of time.

12
Observations on normal traffics (1)

• Observation Average O/I of different flows rage
  from 3.68 to 0.5
• Flows with highest ratio
• Contains one ftp data connection. The flow last
  for 227 second. Total 86685 packet (68158 packet
  send out, 18527 packet send in) The average O/I
  is 3.68. Standard deviation0.16. Packet loss
  rate is 0.

• Standard deviation of the monitored flow are low
  (usually smaller 1). It indicates that the O/I
  value of flows tend to be stable in their normal
  operation.

13
Observations on normal traffics (2)

• Number of sources in each flow
• In each observation interval, most of flows have
  only one source host sending packets to the peer.

14
Proposed DDoS detection scheme

• There are two phases in our scheme.
• Learning phase Define legitimate flow model
• Detection phase Detect malicious flows and apply
  rate limit
• Learning phase contains two steps.
• Step 1 determine the following thresholds
• Tf the maximum allowed O/I.
• Nf the mini-threshold of O/I.
• c a parameter used to quantify the level of
  distribution.
• Steps 2 derive other configuration parameters
• a a value indicating the possibility that the
  flow is malicious. It is generated according to
  the level of congestion and the level of
  distribution
• af the maximum allowed value ofa
• tf the maximum allowed number of the times that
  acan continually breaches af

15
Flow Classification

• Four types of traffic flows Normal, Suspicious,
  Attack, and Transient.

16
Generation of a

• Generating a in an observation interval
• Sf the number of source in the flow.
• nf the O/I of the current interval.
• ? a magic number used to restrict a between 0
  and 1. ? is a number between 0 and 1.
• Characteristics of a
• It is between 0 and 1
• It increases with nf . If nf approaches Tf, a
  approaches to 1
• a increases with the number of sources in the
  flow.

Level of congestion
The impact of distribution
17
Rate limiting and recovery

• Rate-Limiting
• rl imposed rate limit
• rate realized sending rate
• Mini-rate The lowest limited rate which can be
  imposed on network flows.
• Recovery
• If the attack flow show compliance with normal
  flow model for consecutive penalty observation
  periods, it is classified as transient, the
  recovery process begins.
• Max-rate Once the rate limit reaches Max-rate,
  it is classified as normal

18
Thresholds

• Configuring thresholds and other parameters
• Observation period 1 second
• Tf The maximum of the observed O/I 2
• Nf the average O/I
• c the maximum number of sources in a flow in the
  monitored network.
• af the averageain the learning process.
• tf the maximum consecutive number of time that
  aexceeds af
• ? 0.5
• Parameters learned from a monitored flow
• Sending rate 10 pkts to the destination host per
  second. Maximum O/I is 1.25, Average O/I is
  1.25
• Tf 2.5, nf 1.04
• c 3
• af 0.18
• tf 3

19
Experiments

• Types of Experiment
• Resource consumption
• TCP SYN flooding
• link flooding
• Attack scenarios
• Constant rate attack
• Pulsing rate attack
• Increasing rate attack
• Gradual pulsing attack

20
Topology
21
TCP SYN Flooding Attack
22
SYN floodingConstant Rate and Pulsing Rate
23
SYN floodingIncreasing Rate and Gradual
Increasing Rate
24
Link Overloading
25
Bandwidth floodingConstant Rate and Pulsing Rate
constant
pulsing
26
Bandwidth floodingIncreasing Rate and Gradual
Increasing Rate
increasing
gradual increasing
27
Conclusion

• The O/I used to define the level of network
  congestion must be determined according to the
  previous behavior of the flow.
• The number of source in the flow and the number
  of observation intervals that the signal of DDoS
  attacks lasts should be taken into consideration.
  
• Evaluation results show that the performance of
  proposed system is better than D-WARD, in terms
  of false positive and false negative.

28
Future work

• More experiments on estimating the effectiveness
  of the proposed scheme are required
• A mechanism that can deal with new flows which
  are not in the flow profile database
• A space-effective mechanism that helps to reduce
  the storage requirement for storing the profiles
  of flows.
• Schemes which can detect DDoS attacks based on
  one-way flows such as ICMP and UDP.