563.3.2 DoS Detection and Defense
Computer Security II, CS463/ECE424, University of Illinois

Why is DDoS Defense hard?
• Simplicity: plug-and-play attack tools
• Traffic variety (similarity): attack traffic is as good as legitimate traffic; IP spoofing
• High-volume traffic: traffic profiling is hard and requires per-packet processing
• Short time span
• Numerous agent machines
• Weak spot in Internet topology: highly connected and well-provisioned spots relay traffic for the rest of the Internet
[MirkovicDDR04]
[Figures: spread of Code Red II; Code Red traffic approaching the White House]

Detecting DoS Part 1 of 2
• How common are DoS attacks and what is their nature?
• Idea: conduct a survey of potential victims. Problem: how does a victim know it was under attack?
• Can an ISP recognize an attack using data gathered by its routers?
In-Network Monitoring [SekarDSMZ06]
Detecting DoS Part 2 of 2
• Another idea: detect bad behavior that is a symptom of DoS without cooperation of the ISP. Examples:
  • Detect flows that violate TCP congestion control rules.
  • Detect spoofing.
Backscatter Analysis [MooreSBVS06]
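Added example, not code from the Moore et al. paper or from the slides: a small Python sketch of how a network telescope infers SYN-flood victims from backscatter. It assumes the telescope owns a /8 prefix and replays a constructed capture written with tcpdump flag letters; the attack-rate estimate scales the observed reply rate by 2^32 divided by the telescope size.

```python
"""Backscatter inference over a constructed network-telescope capture.

A victim of a SYN flood whose sources are spoofed uniformly at random answers
every SYN with a SYN-ACK (or a RST for a closed port) to an address that never
asked for it. A telescope that owns an otherwise unused prefix receives a
random sample of those replies, so the reply rate it sees, scaled by the
fraction of the IPv4 space it covers, estimates the rate of the attack aimed
at that victim.
"""
import ipaddress
from collections import defaultdict

# Assumption for this example: the telescope owns this (unused) prefix.
TELESCOPE = ipaddress.ip_network("10.0.0.0/8")
IPV4_SPACE = 2 ** 32

# Constructed capture: (time_s, src_ip, dst_ip, tcp_flags). Flags use the
# tcpdump letters: S = SYN, SA = SYN-ACK, R/RA = RST.
CAPTURE = [
    (0.0, "192.0.2.10", "10.4.5.6", "SA"),
    (1.0, "192.0.2.10", "10.200.1.2", "SA"),
    (2.0, "192.0.2.10", "10.77.0.9", "SA"),
    (3.0, "192.0.2.10", "10.3.3.3", "RA"),
    (4.0, "192.0.2.10", "10.18.2.1", "SA"),
    (1.5, "203.0.113.7", "10.9.9.9", "S"),     # a scanner probing the telescope, not backscatter
    (2.5, "198.51.100.7", "10.1.1.1", "R"),    # lone RST: too few packets to call an attack
    (2.7, "192.0.2.10", "172.16.0.1", "SA"),   # not addressed to the telescope, ignored
]

# Unsolicited SYN-ACK and RST packets are the replies a spoofed SYN elicits.
BACKSCATTER_FLAGS = {"SA", "RA", "R"}


def is_backscatter(pkt):
    """True for a reply-type packet that lands inside the telescope's prefix."""
    _, _, dst, flags = pkt
    return ipaddress.ip_address(dst) in TELESCOPE and flags in BACKSCATTER_FLAGS


def infer_attacks(capture, min_packets=3):
    """Group backscatter by its source (the victim) and estimate attack rates.

    Returns {victim_ip: (packets_seen, duration_s, estimated_attack_pps)}.
    The estimate multiplies the observed reply rate by 2^32 / |telescope|,
    the inverse of the probability that a uniformly spoofed source address
    falls inside the telescope.
    """
    seen = defaultdict(list)
    for pkt in capture:
        if is_backscatter(pkt):
            seen[pkt[1]].append(pkt[0])
    scale = IPV4_SPACE / TELESCOPE.num_addresses
    report = {}
    for victim, times in seen.items():
        if len(times) < min_packets:
            continue  # too little evidence to distinguish from noise
        duration = max(max(times) - min(times), 1.0)  # one-second floor avoids dividing by zero
        observed_pps = len(times) / duration
        report[victim] = (len(times), duration, observed_pps * scale)
    return report


if __name__ == "__main__":
    for victim, (n, dur, pps) in infer_attacks(CAPTURE).items():
        print(f"{victim}: {n} backscatter packets over {dur:.1f}s -> ~{pps:.0f} attack pkts/s")
```

The packet-count threshold and the one-second duration floor are choices made for this example; the published analysis applies stricter packet-count and duration thresholds before it counts an event, and the reply flags also tell whether the attacked port was open (SYN-ACK) or closed (RST).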
Our Discussion
• Filtering-based defenses
  • Ingress and route-based filtering
  • Traceback/Pushback
  • Packet marking
  • Overlays
• Proof-based defenses
  • Cookies
  • Client puzzles
  • Bandwidth
DoS Countermeasures: Ingress Filtering
• Spoofed packets ingress from the leaf network into the Internet and on to the victim
[Figure: attacker in leaf network 220.127.116.11/24 sends attack traffic across the Internet to the victim; backscatter flows back]
• Limit ingress traffic to return addresses in 18.104.22.168/24
[FergusonS00]
Customized On-Demand Ingress Filtering
• Locate source of attack as coming through ISP D
• Ask ISP D to install an ingress or egress filter
[Figure: attacker in leaf network 22.214.171.124/24 behind ISP D; ingress and egress filter points at ISP D on the way to the victim]
Route Based Packet Filtering
• Problems with ingress filtering
  • Limited deployment
  • Any gaps limit the effectiveness of existing deployment
• Generalization: filter packets based on routing information from the Internet Autonomous System (AS) topology
[Figure: illustration of route-based packet filtering executed at node 6. Node 7 uses an IP address belonging to node 2 when attacking node 4.]
[ParkL01]
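Added example covering both ingress filtering and its route-based generalization; it is not the figure or code of Park and Lee. The AS graph, the per-AS /16 prefixes and the shortest-path routing are assumptions made for this illustration (a real deployment would take the expected incoming neighbour from BGP routing data, and routes can be asymmetric). The scenario in the main block mirrors the slide's figure: node 7 spoofs an address of node 2 to attack node 4, and node 6 drops the packet because the route from 2 to 4 never crosses it.

```python
"""Ingress filtering (RFC 2827) and route-based packet filtering on a small
constructed AS-level topology."""
import ipaddress
from collections import deque

# Constructed AS graph: node -> neighbouring nodes (assumption, not the paper's figure).
TOPOLOGY = {
    1: [2, 3],
    2: [1, 3],
    3: [1, 2, 4, 6],
    4: [3, 5],
    5: [4, 6],
    6: [3, 5, 7],
    7: [6],
}
# Constructed address assignment: each AS announces one /16.
PREFIX_OF_AS = {asn: ipaddress.ip_network(f"10.{asn}.0.0/16") for asn in TOPOLOGY}


def as_of(ip):
    """Map an address to the AS that owns its prefix (None if unknown)."""
    addr = ipaddress.ip_address(ip)
    for asn, prefix in PREFIX_OF_AS.items():
        if addr in prefix:
            return asn
    return None


def shortest_path(topology, src, dst):
    """Breadth-first shortest path from src to dst (ties broken by lower node id)."""
    parent = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in sorted(topology[node]):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    if dst not in parent:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = parent[node]
    return path[::-1]


def ingress_filter(leaf_as, src_ip):
    """RFC 2827 at a leaf network's border: traffic leaving the leaf may only
    carry source addresses from the leaf's own prefix."""
    return ipaddress.ip_address(src_ip) in PREFIX_OF_AS[leaf_as]


def route_filter(node, arrived_from, src_ip, dst_ip):
    """Route-based filtering at `node`: accept a packet only if the route from
    the source's AS to the destination's AS passes through `node` and reaches
    it from `arrived_from` (pass `node` itself for locally originated traffic)."""
    src_as, dst_as = as_of(src_ip), as_of(dst_ip)
    if src_as is None or dst_as is None:
        return False
    path = shortest_path(TOPOLOGY, src_as, dst_as)
    if path is None or node not in path:
        return False  # this node is never on the way from src_as to dst_as
    i = path.index(node)
    expected_prev = path[i - 1] if i > 0 else node
    return arrived_from == expected_prev


if __name__ == "__main__":
    print("spoofed 2->4 arriving from 7 at node 6:", route_filter(6, 7, "10.2.0.9", "10.4.0.1"))
    print("genuine 7->4 arriving from 7 at node 6:", route_filter(6, 7, "10.7.0.5", "10.4.0.1"))
    print("ingress filter at leaf 7, own source:  ", ingress_filter(7, "10.7.0.5"))
    print("ingress filter at leaf 7, spoofed:     ", ingress_filter(7, "10.2.0.9"))
```

Ingress filtering is the degenerate case of the route filter at the leaf itself (`route_filter(leaf, leaf, ...)`), which is why partial deployment of the former motivates the latter: an intermediate node can reject a spoofed source even when the leaf that originated it runs no filter.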
Pushback
• Look for severe congestion
• Congestion signature
• Push back rate-limit
• Signature: too broad / too narrow
• Router: upgrade, traffic state
• Too much, too late
[MahajanBFIPS02]
Packet Marking
• Pi marking scheme
  • Each router marks n bits into the IP Identification field
• Marking function
  • Last n bits of a hash (e.g. MD5) of the router IP address
• Marking aggregation
  • Router pushes its marking into the IP Identification field
• Pi filters
  • High-bandwidth flows (defined by marking) can be dropped by routers and the victim
• There is only so much space in the IP Identification field
[Figure: IP Identification field filled in as a packet passes routers A … V (bit pattern xx xx xx xx 00 xx xx 10 11 00 00 xx xx xx 11)]
[YaarPS03]
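Added example, not the authors' Pi implementation: the marking function, the shift-in aggregation into the 16-bit IP Identification field, and the victim-side filter, in Python. Assumptions: n = 2 bits per router, the field starts at zero, and the victim learns its filter from a labelled sample of attack and legitimate markings. The block also shows the space limit the slide mentions: with 2-bit marks only the last 8 routers survive, so two paths that differ only in their first hops get the same identifier.

```python
"""Pi (path identification) marking and victim-side filtering."""
import hashlib
from collections import Counter

ID_FIELD_BITS = 16                             # width of the IP Identification field
MARK_BITS = 2                                  # bits each router contributes (assumption)
HOPS_RETAINED = ID_FIELD_BITS // MARK_BITS     # only the last 8 routers' marks survive


def router_mark(router_ip, n=MARK_BITS):
    """Marking function: the last n bits of MD5(router IP address)."""
    digest = hashlib.md5(router_ip.encode()).digest()
    return int.from_bytes(digest, "big") & ((1 << n) - 1)


def push_mark(ip_id, mark, n=MARK_BITS):
    """Marking aggregation: shift the field left by n bits and insert the mark
    at the low end. Bits shifted past the top of the field are lost."""
    return ((ip_id << n) | mark) & ((1 << ID_FIELD_BITS) - 1)


def path_identifier(route, n=MARK_BITS):
    """Value of the IP ID field after every router on `route` has marked it."""
    ip_id = 0
    for router_ip in route:
        ip_id = push_mark(ip_id, router_mark(router_ip, n), n)
    return ip_id


def learn_filter(attack_marks, legit_marks, threshold=0.5):
    """Pi filter: markings for which attack packets make up at least
    `threshold` of the traffic the victim observed carrying that marking."""
    attack = Counter(attack_marks)
    total = attack + Counter(legit_marks)
    return {m for m in attack if attack[m] / total[m] >= threshold}


def apply_filter(packets, blocked):
    """Split a stream of (marking, label) pairs into kept and dropped labels."""
    kept = [label for mark, label in packets if mark not in blocked]
    dropped = [label for mark, label in packets if mark in blocked]
    return kept, dropped


if __name__ == "__main__":
    # Constructed routes: the attack path and a legitimate path share the last two routers.
    attack_route = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"]
    legit_route = ["198.51.100.1", "198.51.100.2", "192.0.2.3", "192.0.2.4"]
    a, l = path_identifier(attack_route), path_identifier(legit_route)
    blocked = learn_filter([a] * 100, [a] * 2 + [l] * 30)
    kept, dropped = apply_filter([(a, "attack"), (l, "legit"), (a, "legit sharing the attack path")], blocked)
    print(f"attack Pi={a:016b}  legit Pi={l:016b}  blocked={sorted(blocked)}")
    print("kept:", kept, "| dropped:", dropped)
    # Space limit: a 10-router path keeps only the marks of its last 8 routers.
    long_route = [f"203.0.113.{i}" for i in range(1, 11)]
    print("10-hop id == last-8-hop id:", path_identifier(long_route) == path_identifier(long_route[-HOPS_RETAINED:]))
```

The filter is a whole-path decision: the third packet in the demo is legitimate but travels the attack path, so it is dropped with the attack traffic. That collateral damage, and the 8-hop horizon, are the costs the slide's last bullet points at.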
Secure Overlay Services
• Authenticate client communication
• Longer/slower route
• Closed network
[Figure: client → overlay access point → overlay nodes (beacon, secret servlet) over secure channels → filtered region → target; Internet route vs. overlay hops]
[KeromytisMR02]
DDoS Defense Challenges
• Distributed response required
  • Cooperation between many points
  • Economic and social factor: source deploys filter to protect destination
  • Legislative measures
• Lack of detailed attack information
  • Frequency of attack types, attack parameters, increasing attack scale
  • Backscatter, Internet telescope
• Lack of defense benchmark
  • How should the performance be measured?
  • NSF benchmarking effort
• Difficulty of large-scale testing
  • Test bed mimicking the Internet (e.g. PlanetLab and DETER)
[MirkovicR04]

Taxonomy of DDoS Defenses
• Preventive vs. Reactive
• Degree of Cooperation
  • Autonomous
  • Cooperative
  • Interdependent
• Deployment Location
  • Victim network
  • Intermediate network
  • Source network
Reactive Strategies
• Detection
  • Pattern: signatures of known attacks stored
  • Anomaly: model of normal system behavior
    • Standard: detect half-open TCP
    • Trained: traffic dynamics, expected system performance
  • Third party
• Response
  • Agent identification (traceback)
  • Rate-limiting
  • Filtering
  • Reconfiguration: change the topology of the victim or the network to add more resources or isolate attack machines
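Added example for the "standard" anomaly model above (detect half-open TCP); it is not code from the slides' sources. It replays a constructed log in a simplified tcpdump-style format, tracks handshakes that a client opened with a SYN but never completed with an ACK, and raises an alert per target port rather than per source, because a SYN flood spoofs its sources. The one-second timeout and the threshold of five are assumptions for the sample.

```python
"""Half-open TCP connection detection over constructed log lines.

Log format (simplified tcpdump): "<time> <src>.<sport> > <dst>.<dport>: <flags>"
with tcpdump's flag letters: S = SYN, S. = SYN-ACK, . = ACK, R = RST.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+)\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<flags>\S+)$"
)

# Constructed sample: one completed handshake, six SYNs from (spoofed) sources
# that are never acknowledged, and one fresh SYN that has not timed out yet.
LOG = """\
0.00 203.0.113.5.40001 > 192.0.2.10.80: S
0.01 192.0.2.10.80 > 203.0.113.5.40001: S.
0.02 203.0.113.5.40001 > 192.0.2.10.80: .
0.10 198.51.100.1.1111 > 192.0.2.10.80: S
0.11 198.51.100.2.1112 > 192.0.2.10.80: S
0.12 198.51.100.3.1113 > 192.0.2.10.80: S
0.13 198.51.100.4.1114 > 192.0.2.10.80: S
0.14 198.51.100.5.1115 > 192.0.2.10.80: S
0.15 198.51.100.6.1116 > 192.0.2.10.80: S
4.90 203.0.113.9.40002 > 192.0.2.10.80: S
"""


def half_open_connections(log, now, timeout=1.0):
    """Replay the log and return {(client, cport, server, sport): syn_time}
    for handshakes that started at least `timeout` seconds before `now` and
    were neither completed by the client's ACK nor torn down by a RST."""
    pending = {}
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse
        ts = float(m["ts"])
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        reverse = (key[2], key[3], key[0], key[1])
        flags = m["flags"]
        if flags == "S":
            pending[key] = ts            # client SYN opens a half-open entry
        elif flags == ".":
            pending.pop(key, None)       # client ACK completes the handshake
        elif flags.startswith("R"):
            pending.pop(key, None)       # RST from either side tears it down
            pending.pop(reverse, None)
        # "S." (the server's SYN-ACK) changes nothing: the entry stays half-open
    return {k: t for k, t in pending.items() if now - t >= timeout}


def detect_syn_flood(log, now, timeout=1.0, threshold=5):
    """Count stale half-open connections per (server, port). Sources are not
    trusted because a SYN flood spoofs them, so the alert keys on the target."""
    stale = half_open_connections(log, now, timeout)
    per_target = Counter((srv, port) for (_, _, srv, port) in stale)
    return {target: n for target, n in per_target.items() if n >= threshold}


if __name__ == "__main__":
    print("half-open at t=5.0:", len(half_open_connections(LOG, now=5.0)))
    print("alerts:", detect_syn_flood(LOG, now=5.0))
```

The detector keeps one entry per pending handshake, which is exactly the state a SYN flood tries to exhaust; the proof-based defenses listed earlier (cookies) exist so that a server need not keep that state at all.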
Degree of Cooperation • Autonomous – independent defense at the point of deployment • Cooperative – perform better in joint operation • Interdependent – cannot operate autonomously
Deployment Location
[Figure: source networks, middle of network, victim network]
• Victim network – most common, the most interested party
• Intermediate network – ISP can provide the service, potential for cooperation
• Source network – prevent DDoS at the source, least motivation

Other factors
• Stateless vs. Stateful
• Internet architecture
• Router modification
• Application modification
Reading Part 1 of 2
• [SekarDSMZ06] LADS: Large-scale Automated DDoS detection System, Vyas Sekar, Nick Duffield, Oliver Spatscheck, Jacobus van der Merwe, and Hui Zhang. USENIX ATC 2006.
• [MooreSBVS06] Inferring Internet Denial-of-service activity, David Moore, Colleen Shannon, Douglas J. Brown, Geoffrey M. Voelker, and Stefan Savage. ACM Transactions on Computer Systems, 24(2), 2006.
• [FergusonS00] Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing, P. Ferguson and D. Senie. IETF RFC 2827, 2000.
• [ParkL01] On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets, Kihong Park and Heejo Lee. SIGCOMM 2001.
• [YaarPS03] Pi: A Path Identification Mechanism to Defend against DDoS Attacks, Abraham Yaar, Adrian Perrig, and Dawn Song. IEEE Security and Privacy, 2003.

Reading Part 2 of 2
• [MirkovicDDR04] Internet Denial of Service Attack and Defense Mechanisms, Jelena Mirkovic, Sven Dietrich, David Dittrich, and Peter Reiher. Pearson 2004.
• [MirkovicR04] A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms, Jelena Mirkovic and Peter Reiher. Computer Communications Review, Vol. 34, No. 2, April 2004.
• [GaoA05] Tracing Cyber attacks from the practical perspective, Zhiqiang Gao and Nirwan Ansari. IEEE Communications Magazine, May 2005.
• [KeromytisMR02] SOS: Secure Overlay Services, Angelos D. Keromytis, Vishal Misra, and Dan Rubenstein. ACM SIGCOMM 2002.
Discussion
• What should be the qualities of a “good” detection technique?
• What are the pros and cons of monitoring flows to see if they are “TCP-like” as a way to prevent DoS?