
CS 563.9.2 DoS Overview DoS Countermeasures


Presentation Transcript


  1. CS 563.9.2 DoS Overview: DoS Countermeasures. Presented by: Fariba Khan. DoS Group: Fariba Khan, Omid Fatemieh, Roger Fliege. University of Illinois, Spring 2006.

  2. DoS Defense Research
     • Pushback
     • Traceback
     • Ingress filtering
     • Secure Overlay Services
     • Pi (Packet marking)
     • TVA
     • Network architecture improvement
     • Proof of Work
     • Locality and Entropy

  3. Pushback (Mahajan, Bellovin, Floyd, Ioannidis, Paxson, Shenker 02)
     Diagram labels: look for severe congestion → build a congestion signature → push back a rate-limit upstream.
     Drawbacks noted on the slide: signature too broad or too narrow; requires router upgrade; traffic state at routers; "too much, too late".

  4. Traceback and Ingress Filtering (Mirkovic, Dietrich, Dittrich, Reiher 04)
     Locate the source of the attack, then persuade the ISP to install a filter.
     Diagram labels: leaf network 204.69.207.0/24 with ingress and egress filtering at the ISP.

  5. Traceback Taxonomy (figure; Gao, Ansari 05)

  6. Secure Overlay Services (Keromytis, Misra, Rubenstein 02)
     • Authenticate client communication
     • Longer/slower route
     • Closed network
     Diagram labels: source point → overlay access point → overlay nodes → beacon → secret servlet → filtered region → target.

  7. Pi (Packet marking) (Yaar, Perrig, Song 03)
     • Marking Scheme
       • Each router marks n bits into the IP Identification field
     • Marking Function
       • Last n bits of a hash (e.g. MD5) of the router IP address
     • Marking Aggregation
       • Each router pushes its marking into the IP Identification field
     • There is just so much space in the IP Identification field
     Diagram: attacker A → routers (each adding a mark π) → victim V; the 16-bit IP Identification field is shown as a row of 2-bit marks, with xx for positions not yet written.
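The Pi marking and aggregation described above, simulated end to end as an added example (not code from the slides or from the Pi authors). It assumes n = 2 marking bits per router, MD5 as the hash, and constructed router and source addresses; the victim-side filter shows why the scheme is path-based rather than source-based, and why the sender's own IP ID value stops mattering after 16/n hops.

```python
import hashlib

IPID_BITS = 16   # width of the IP Identification field that carries the Pi marks
N_BITS = 2       # bits each router pushes; n = 2 is an assumption taken from the slide diagram

def router_mark(router_ip: str, n: int = N_BITS) -> int:
    """Pi marking function: the last n bits of the MD5 hash of the router's IP address."""
    digest = hashlib.md5(router_ip.encode()).digest()
    return digest[-1] & ((1 << n) - 1)

def push_mark(ipid: int, router_ip: str, n: int = N_BITS) -> int:
    """Marking aggregation: shift the field left by n bits and push this router's mark in.
    Only the last IPID_BITS // n hops survive; earlier marks fall off the top."""
    return ((ipid << n) | router_mark(router_ip, n)) & ((1 << IPID_BITS) - 1)

def path_identifier(path: list, n: int = N_BITS, initial_ipid: int = 0) -> int:
    """Pi value a packet carries after traversing `path` (router IPs, source side first)."""
    ipid = initial_ipid
    for router_ip in path:
        ipid = push_mark(ipid, router_ip, n)
    return ipid

def pi_filter(packets: list, attack_pis: set) -> list:
    """Victim-side filter: drop every packet whose Pi value was learned from attack traffic.
    The decision never looks at the source address, so spoofing the source does not evade it."""
    return [pkt for pkt in packets if pkt["pi"] not in attack_pis]

if __name__ == "__main__":
    # Constructed sample path of nine routers (private addresses chosen for the example).
    attack_path = [f"10.0.{i}.1" for i in range(9)]
    pid = path_identifier(attack_path)
    print(f"Pi for the attack path: {pid:016b}")
    # After more than 16/n = 8 hops the sender-chosen initial IP ID has been shifted out.
    assert pid == path_identifier(attack_path, initial_ipid=0xFFFF)
    packets = [{"src": "192.0.2.10", "pi": pid},        # attack packet
               {"src": "192.0.2.11", "pi": pid},        # spoofed source, same path
               {"src": "198.51.100.7", "pi": pid ^ 1}]  # packet that took another path
    print("kept:", [p["src"] for p in pi_filter(packets, {pid})])
```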

  8. TVA (Capability) (Yang, Wetherall, Anderson 05)
     PreCapability (Pi) = hash(srcIP, destIP, time, secret)
     • RTS rate limited
       • 1-5% of bandwidth
     • Pi queue at router
       • Most recent Pi
     Diagram: Alice sends an RTS toward CNN; each router on the path appends its pre-capability (Pre1, Pre2).

  9. TVA (Capability)
     Capability = timestamp || Hash(N, T, PreCap)
     • N bytes, T seconds
     • Stateless receiver
       • Does not store N, T
     • Bounded router state (per-destination queue)
       • Input link C, minimum sending rate N/T
       • C/(N/T) records
     Diagram: CNN returns the capabilities (Cap1, Cap2) to Alice; her data packets then carry CAP Cap1, Cap2 through the routers.
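The TVA exchange from slides 8 and 9 (RTS stamped with a pre-capability, receiver-issued capability, router-side enforcement of N bytes in T seconds with bounded state) as an added example; this is not code from the slides or from the TVA authors. It assumes SHA-256 truncated to 8 bytes as the hash, that N and T travel in every data packet (which is what lets the receiver stay stateless), and a simplified C/(N/T) record bound computed from the packet's own N and T.

```python
import hashlib
import hmac

TAG_LEN = 8  # bytes kept from each hash; the slides give no width, so this is an assumption

def pre_capability(secret: bytes, src_ip: str, dst_ip: str, t: int) -> bytes:
    """Stamp a router adds to an RTS: hash(srcIP, destIP, time, secret), as on the slide."""
    return hashlib.sha256(secret + f"{src_ip}|{dst_ip}|{t}".encode()).digest()[:TAG_LEN]

def capability(pre: bytes, n_bytes: int, t_secs: int) -> bytes:
    """Receiver's grant for one router: Hash(N, T, PreCap); the timestamp travels beside it."""
    return hashlib.sha256(f"{n_bytes}|{t_secs}|".encode() + pre).digest()[:TAG_LEN]

class Router:
    """Capability-checking router. State is keyed by capability and bounded by C/(N/T)."""
    def __init__(self, secret: bytes, link_bps: int):
        self.secret, self.link_bps, self.state = secret, link_bps, {}

    def stamp_request(self, src_ip: str, dst_ip: str, t: int) -> bytes:
        return pre_capability(self.secret, src_ip, dst_ip, t)   # RTS path is rate limited separately

    def forward(self, pkt: dict, now: int) -> bool:
        """pkt fields: src, dst, cap_ts, cap, n, t, size (all carried in the packet; receiver stores nothing)."""
        if now > pkt["cap_ts"] + pkt["t"]:
            return False                                       # T seconds elapsed: capability expired
        pre = pre_capability(self.secret, pkt["src"], pkt["dst"], pkt["cap_ts"])
        if not hmac.compare_digest(capability(pre, pkt["n"], pkt["t"]), pkt["cap"]):
            return False                                       # forged, or bound to another src/dst
        used = self.state.get(pkt["cap"], 0)
        if used + pkt["size"] > pkt["n"]:
            return False                                       # the authorised N bytes are spent
        max_records = self.link_bps // max(1, pkt["n"] // pkt["t"])  # C/(N/T), simplified (assumption)
        if pkt["cap"] not in self.state and len(self.state) >= max_records:
            return False                                       # bounded state table is full
        self.state[pkt["cap"]] = used + pkt["size"]
        return True

def exchange(router: Router, src: str, dst: str, t0: int, n: int, t: int, sizes: list) -> list:
    """RTS -> pre-capability -> receiver grants capability -> data packets checked at the router."""
    pre = router.stamp_request(src, dst, t0)   # router stamps the (rate-limited) request
    cap = capability(pre, n, t)                # receiver (e.g. CNN) answers with timestamp || cap
    results = []
    for i, size in enumerate(sizes):
        pkt = {"src": src, "dst": dst, "cap_ts": t0, "cap": cap, "n": n, "t": t, "size": size}
        results.append(router.forward(pkt, now=t0 + i))
    return results
```

With N = 3000 and three 1500-byte packets the third is dropped at the router, and a packet that reuses the capability from a different source address fails the hash check because the pre-capability is bound to (srcIP, destIP).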

  10. More …
      • Proof of Work
        • Schemes requiring work on the part of the client (cryptographic puzzle, RTT)
      • Locality
        • Model of people's communication
        • Model of attack behavior
      • Entropy
        • Self-similarity of attack traffic
      • QoS
        • Provide guarantees in terms of bandwidth [Gligor03]

  11. Why is DDoS Defense hard? (Mirkovic, Dietrich, Dittrich, Reiher 04)
      • Simplicity
        • Plug-and-play attack tools
      • Traffic variety (similarity)
        • Attack traffic is as good as legitimate traffic
        • IP spoofing
      • High-volume traffic
        • Traffic profiling is hard and requires per-packet processing
        • Numerous agent machines
      • Weak spots in Internet topology
        • Highly connected and well-provisioned spots relay traffic for the rest of the Internet

  12. DDoS Defense Challenges (Mirkovic, Reiher 04)
      • Distributed response required
        • Cooperation between many points
      • Economic and social factors
        • Source deploys a filter to protect the destination
        • Legislative measures
      • Lack of detailed attack information
        • Frequency of attack types, attack parameters
        • Backscatter, ISI/USC
      • Lack of a defense benchmark
        • How should the performance be measured?
        • NSF benchmarking effort
      • Difficulty of large-scale testing
        • Testbed mimicking the Internet
        • PlanetLab

  13. Taxonomy of DDoS Defenses (figure; Mirkovic, Reiher 04)

  14. Taxonomy of DDoS Defenses
      • Preventive vs. Reactive
      • Degree of Cooperation
        • Autonomous
        • Cooperative
        • Interdependent
      • Deployment Location
        • Victim network
        • Intermediate network
        • Source network

  15. Preventive Actions
      • Attack Prevention
        • Prevent the attacker from launching an attack
        • Secured Target
          • Machine secured, attacker loses its army
          • System security
            • Patches, firewall, IDS
          • Protocol security
            • Change the Internet to have a stateless TCP handshake, IP validity, authentication
      • DoS Prevention
        • Improve the system to be attack resilient
        • Prevention Method
          • Resource Accounting
            • Resource allocation based on privileges of the user
          • Resource Multiplication
            • Server pools, high-bandwidth links

  16. Reactive Actions
      • Detection Strategy
        • Pattern – signatures of known attacks stored
        • Anomaly – model of normal system behavior
          • Standard – detect half-open TCP
          • Trained – traffic dynamics, expected system performance
        • Third Party – traceback
      • Response Strategy
        • Agent Identification
        • Rate-limiting
        • Filtering
        • Reconfiguration – change the topology of the victim or the network to add more resources or isolate attack machines.

  17. Degree of Cooperation
      • Autonomous – independent defense at the point of deployment.
      • Cooperative – perform better in joint operation.
      • Interdependent – cannot operate autonomously.

  18. Deployment Location
      • Victim network – most common; the most interested party.
      • Intermediate network – the ISP can provide the service; potential for cooperation.
      • Source network – prevent DDoS at the source; least motivation.
      Diagram: source networks → middle of the network → victim network.

  19. Examples of Defense (figure; Erramilli04)

  20. Other Views of DDoS Taxonomy (figure; Lee03)

  21. Other factors
      • Stateless vs. Stateful
      • Internet architecture
      • Router modification
      • Application modification

  22. DoS Defense Goals
      • Effectiveness
      • Completeness
      • Legitimate traffic performance
      • Low false positives
      • Low deployment and operational cost

  23. References
      • Z. Gao and N. Ansari, "Tracing Cyber Attacks from the Practical Perspective," IEEE Communications Magazine, vol. 43, no. 5, pp. 123-131, May 2005.
      • V. Gligor, "Guaranteeing Access in Spite of Service-Flooding Attacks," Proc. Security Protocols Workshop, Sidney Sussex College, Cambridge, UK, April 2-4, 2003; Lecture Notes in Computer Science, Springer-Verlag, 2004.
      • A. Keromytis, V. Misra, and D. Rubenstein, "SOS: Secure Overlay Services," Proc. ACM SIGCOMM '02, Pittsburgh, PA, August 2002.
      • R. B. Lee, "Taxonomies of Distributed Denial of Service Networks, Attacks, Tools, and Countermeasures," Princeton University, 2003.
      • R. Mahajan, S. M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S. Shenker, "Controlling High Bandwidth Aggregates in the Network," ACM SIGCOMM Computer Communication Review, vol. 32, no. 3, pp. 62-73, July 2002.
      • J. Mirkovic, S. Dietrich, D. Dittrich, and P. Reiher, Internet Denial of Service: Attack and Defense Mechanisms, Prentice Hall PTR, ISBN 0-13-147573-8.
      • J. Mirkovic and P. Reiher, "A Taxonomy of DDoS Attack and DDoS Defense Mechanisms," ACM SIGCOMM Computer Communication Review, 2004.
      • A. Yaar, A. Perrig, and D. Song, "Pi: A Path Identification Mechanism to Defend against DDoS Attacks," Proc. IEEE Symposium on Security and Privacy, May 2003.
      • X. Yang, D. Wetherall, and T. Anderson, "A DoS-limiting Network Architecture," Proc. ACM SIGCOMM, Philadelphia, PA, August 2005.
