[PPT] - Distributed Denial of Service Attacks and Coutntermeasures PowerPoint Presentation

SLIDE 1

฀฀฀฀ ฀

฀฀฀฀

฀฀฀฀฀ ฀฀฀฀฀฀

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Distributed Denial of Service Attacks and Coutntermeasures

CSE598K/CSE545 - Advanced Network Security

Prof. McDaniel - Spring 2008

1

SLIDE 2

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

DDoS

Denial of Service attack - intentionally preventing

access to some valued resource.

Distributed DoS - attack launched from multiple

sources, e.g., compromised computers

Attacks
overload - sending more traffic than the system can handle

causing backlogs, thrashing, e.g., congestion

confusion - forcing the system into a state that is does not

know how to progress, e.g., process death

Concept: indirect DOS via reflection

2

SLIDE 3

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Open vs. Closed Systems

Open systems provide functionality to all who would

access the service as needed

Often harder to secure against DoS
Closed systems restrict access based
Generally predicate access on authentication
Often more complex (leading to more DoS?)
Key DoS concepts/realities
E2E: intel at edges, making hard to protect upstream
Byzantine failures: if a system can act in any manner, then it can

arbitrarily consume resources (threat model?)

3

SLIDE 4

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Root causes and targets

Causes (Mirkovic)
Interdependencies

between services

Limited resources
Intelligence distributed

(and not near resources)

No accountability
Targets (examples)
Applications (Gnutella)
Hosts (CSE webserver)
Resources (home dirs.)
Networks (IBM)
Infrastructure (routing)

4

SLIDE 5

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

The attack

Launching an attack
Identify some hosts
Infect them
Use them
Issues:
How do I find them?
How do I communicate with them?
What is the effect?

5

Recruit (find) Infect Use

SLIDE 6

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Scanning

1$ question: What is the best strategy for finding

vulnerable hosts on the Internet?

Random scanning
Hitlist scanning
Signpost scanning
Permutation scanning
Local subnet scanning
Concept: horizontal vs. vertical scanning
Concept: “low and slow” scanning

6

SLIDE 7

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Infection

0.01$ question: what is the best strategy for

distributing the malware

Central source
Back-chaining
Autonomous (in-band)
External (peer-to-peer)
Open question: is it possible to detect what is malware

simply by looking at the payload of a packet?

7

SLIDE 8

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Modeling Infection

Assume
n hosts in network.
Pr(host is vulnerable) = k
s hosts are initially seeded
Uniform distribution of vulnerable host
Random scanning
One host can test/infect one other host in a single “round”
Give psuedo-code for a recursive function for the

infection of the network at round t

Think of the simplest model possible.

8

f(t, n, s) =?

SLIDE 9

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

An approx. model

function f( t, n, s, k ) { if ( t == 0 ) return( s ); hosts = f(t-1, n, s, k); return( hosts + (hosts*k) ); }

Q: what happens as t approaches inf? Q: what about collisions? (how do you model them?)

9

SLIDE 10

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Simulated Infection

10

100000 200000 300000 400000 500000 600000 700000 800000 900000 1e+06 2000 4000 6000 8000 10000 12000 14000 Time (in rounds) Simple Infection Model (s=1, n=1*10^7, k=0.001) Infected hosts

Q: why does it take so long to reach the POC?

SLIDE 11

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

The attacks (redux)

Semantic/confusion - exploiting a characteristic of the

environment to force into bad state

Overload - brute force traffic toward some service
Overload rates: constant, pulse, variable
Q: what are the consequences of each of these patterns
Enabling factor: IP address spoofing
Source address spoofing is common, mostly random
Plausible address spoofing is less common
Fixed address is used in reflection more often
Note: this makes use of backscatter effective

11

SLIDE 12

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Network Backscatter

A network telescope is a virtual device that listens to

the traffic on “dark” (unused) address space.

Observation: during DDoS attacks, most tools fake

their source IP address randomly-the victim responds to the random IP, e.g., SYN ACK, ICMP port unreach.

Consequence: if you monitor the dark space you can
Detect attacks by looking at source addresses of responses
Approximate intensity by looking and inter-arrival time
In principle, you can monitor the DDoS activity on the

Internet without tapping any particular network

12

SLIDE 13

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Analysis

Attack of m packets, observing n IP addresses
Probability of receiving at least one packet:
Expected number of responses seen for attack:
Intensity of attack (in packets per second):
where R’ is average measured inter-arrival time

13

1 − (1 − n 232 )m E(X) = nm 232

R ≥ R′ 232 n

SLIDE 14

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

[Moore et. al] 2004

/8 (224 IP addresses monitored)

14

Victims

SLIDE 15

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

How long/intense?

15

Intensity Duration

SLIDE 16

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Backscatter Limitations

Addresses really randomly selected?
What is the effect of ingress/egress filtering?
Reflector attacks not caught
Do all attack packets really cause response?
Q: what do you really learn (that the victim could not

have told you)?

16

SLIDE 17

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

DDoS Solutions (prevention)

Hardening: at the host, making them less vulnerable
Yeah, right.
Protocols or service countermeasures: design for security
Computational asymmetries (puzzles), credentialed

functionality,

Filtering: dropping traffic as DoS is detected
Source identification
Rate limiting
Reconfiguration

17

SLIDE 18

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

IP Traceback

Idea: probabilistically (1/20,000) mark packets as they

are flowing toward source.

Mark with router’s IP address
Edges traversed
Reconstruct the attack path
Filter as needed
Issues:
Not much space to collect data, thus probabilistically need to

mark paths

Work has focused on how to build good reconstruction

algorithms that allow accurate reconstruction of attack paths

18

SLIDE 19

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Algorithm 1: total marking

Marking: append each router IP address to packet
Reconstruction: any attacker packet has the path on it
Comments:
Single packet convergence
Problem: not enough space to mark

19

IP HDR A B C D User Data

SLIDE 20

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Algorithm 2: Node Sampling

Marking: with probability p (often p>0.5), write router

IP address into packet (or overwrite)

Reconstruction: arrange all routers by frequency count

in received packets

over enough packets, converges to attack path because

reporting at victim inversely proportional to distance

Comments:
Problem: Not robust against multiple attackers
Problem: slow convergence

20

p(1 − p)d−1

SLIDE 21

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Algorithm 3: Edge Sampling

Marking: If packet is marked with a distance of 0
Mark packet with router IP address as
If not with probability p write router IP address into packet
Increment distance by one
Reconstruction: recover path by reconstructing by hop

paths, possibly slowly

Comments:
Problem: finding enough space is sometimes hard
XORing IP addresses provide some relief
Convergence dominated by probability that hop received

21

SLIDE 22

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

IP Pushback

Idea: identify attack traffic at victim and push route

filters upstream toward the potential source

Review the “drop tables” for discernible aggregations of most

frequently dropped kinds of traffic.

Aggregates are pushed upstream
One approach: aggregating by dest
Compute aggregated downstream sigs
IPs dropped, by longest matching route
[Ioannidis, Bellovin 02]
Pushback computed filters toward source

22

SLIDE 23

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

IP Pushback (Cont.)

Pushback has the nice property that it drops packets

before they reach the real drop interface

Congestion control is pushed upstream
Open problems/research
Algorithms for determining good attack signatures
Revocation (when/why revoke?)
Soft state?
Q: would you allow an downstream provider push

updates toward you?

A: Yes (in customer/provider relationship) and No.

23

SLIDE 24

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

WebSoS

(Closed) System for protecting Web Servers
Overlay networks
Content-based routing
Philosophically, a mix network
Approach
At server, only approved hosts are allowable packet sources
Everything else is aggressively dropped
End-host traffic accepted only if proof of credential provided
Traffic dynamically tunneled over overlay (n hops) to server
(this is the secure overlay)

24

SLIDE 25

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

WebSoS

Limitations?
Closed system
Performance
Not really a general solution?

25

SLIDE 26

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

DDos Reality

Why is DDoS so hard to solve?
Perimeter problem
Tragedy of the commons (broken incentives)
Lack of understanding of attacks (really?)
Collateral damage of countermeasures is seen as too costly

in practice (false positives cost $$$$)

Reality: most networks today treat DDoS as triage,

fixing problems as they occur in ad hoc ways

Best solutions are the man watching the network, careful

filtering of traffic as attacks are recognized

Distributed nature of sources makes most ineffective

26