
Distributed Denial of Service: the Problem, its Solutions, and their Problems






Presentation Transcript


  1. Distributed Denial of Service: the Problem, its Solutions, and their Problems
     Dr. S. Felix Wu, Computer Science Department, University of California, Davis
     http://www.cs.ucdavis.edu/~wu/   wu@cs.ucdavis.edu
     (slide footer, repeated on every slide: S. Felix Wu --UCCS Visit)

  2. Denial of Service: an attack beyond Authenticity, Authority, and Privacy
     • The victim (a computer system) has finite resources: bandwidth, connections, buffer space, ...
     • The attacker consumes all or most of those resources, and services are denied.

  3. Distributed DoS
     • A master directs hundreds or thousands of slaves, which launch their attacks simultaneously.
     • The attack traffic is aggregated at the victim (yahoo, ebay, msn, ...): no service, or degraded service.

  4. The Plain DDoS Model (1999-2000)
     Attackers -> Masters -> Slaves -> ISP -> Victim (a .com site); attack packets carry src: random, dst: victim.
     Back-of-the-envelope numbers: 1,500 bytes per packet (12K bits; the slide rounds to ~10K bits), 2,000 slaves at 50 packets per second each, i.e. roughly 0.5-0.6 Mbit/s per slave and about 100K packets per second (on the order of 1 Gbit/s) arriving at the victim.

  5. Reflector
     • Use a legitimate network server or client as a reflector (a stepping stone) to avoid being traced.
     • The slave sends a service request packet with src: Victim, dst: Reflector; the reflector answers with a service reply packet with src: Reflector, dst: Victim. The victim only ever sees the reflector's address.

  6. The Reflective DDoS Model (2000)
     Attackers -> Masters -> Slaves -> Reflectors -> ISP -> Victim. Slave-to-reflector packets carry src: victim, dst: reflector; reflector-to-victim packets carry src: reflector, dst: victim.

  7. Internet Source Accountability
     Host A in AOL sends to host B at UCD across UUNet. The packet is just Header (src: AOL, dst: UCD) plus Payload: the source address is whatever the sender wrote into the header, and nothing along the path vouches for it.

  8. Possible Solutions
     • Stop it!! egress/ingress filtering; aggregated-flow, anomaly-based rate limiting; at the ISP, the dot-COM, ...
     • Trace it!! where are the slaves and masters? law enforcement agencies, ...

  9. Ingress/egress filtering: boosting source accountability
     A router with filtering policies sits between the network 169.237.6.* and the rest of the Internet, and an incoming packet carries source address 207.12.1.56. Drop it or not? The underlying question is whether the source IP address of an incoming packet is valid for the particular network interface it arrived on. Three ways to decide:
     1. Static configuration
     2. Routing table reverse look-up
     3. Routing information analysis (BGP/OSPF/RIP)
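Options 1 and 2 of slide 9 in working form, as an added example (not code from the talk). The forwarding table and interface names are constructed: eth1 faces the customer network 169.237.6.*, eth0 faces the upstream, and the slide's packet with source 207.12.1.56 is assumed to arrive on the customer-facing interface.

```python
import ipaddress

# Constructed forwarding table of the filtering router: prefix -> outgoing interface.
# eth1 faces the customer network 169.237.6.*, eth0 faces the upstream ISP.
ROUTES = {
    ipaddress.ip_network("169.237.6.0/24"): "eth1",
    ipaddress.ip_network("207.12.0.0/16"): "eth0",
    ipaddress.ip_network("0.0.0.0/0"): "eth0",      # default route
}

def best_route(addr, routes=ROUTES):
    """Longest-prefix match for addr; returns (prefix, interface) or (None, None)."""
    ip = ipaddress.ip_address(addr)
    matches = [n for n in routes if ip in n]
    if not matches:
        return None, None
    best = max(matches, key=lambda n: n.prefixlen)
    return best, routes[best]

def strict_rpf_accept(src, ingress, routes=ROUTES):
    """Option 2 (routing table reverse look-up), strict form: accept the packet
    only if the route back to its source address leaves via the interface the
    packet arrived on. A 207.12.1.56 source arriving from the customer side, or a
    spoofed 169.237.6.x source arriving from the ISP side, fails this test."""
    prefix, oif = best_route(src, routes)
    return prefix is not None and oif == ingress

def loose_rpf_accept(src, routes=ROUTES):
    """Loose form: accept if any non-default route to the source exists at all.
    It survives asymmetric routing but only rejects unroutable sources."""
    prefix, _ = best_route(src, routes)
    return prefix is not None and prefix.prefixlen > 0

# Option 1 (static configuration): per-interface list of prefixes that may
# legitimately appear as the source of packets entering on that interface.
ALLOWED_SOURCES = {"eth1": [ipaddress.ip_network("169.237.6.0/24")]}

def static_accept(src, ingress, allowed=ALLOWED_SOURCES):
    ip = ipaddress.ip_address(src)
    return any(ip in n for n in allowed.get(ingress, []))

def filter_decision(src, ingress):
    """The slide's question for one packet: drop it or not?"""
    return "forward" if strict_rpf_accept(src, ingress) else "drop"
```

The strict check is the precise one, but it misfires when routing is asymmetric (a multihomed customer whose return route points elsewhere), which is why providers tend to run the loose form on links where that happens; the slide's option 3, analysing BGP/OSPF/RIP information, is an attempt to keep the precision without the breakage.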

  10. Aggregate-Based Congestion Control: avoiding micro-flow management
     A RED (Random Early Detection; the slide expands it as "Random Early Dropping") buffer with 50% and 80% occupancy thresholds. RED is good for aggressive but responsive TCP flows; DDoS traffic does not respond to drops.

  11. Aggregate-Based Congestion Control: avoiding micro-flow management (continued)
     A high-bandwidth AG-flow analyzer is placed in front of the RED buffer. If a packet belongs to a high-bandwidth aggregate flow (e.g., all ICMP packets toward dst 169.237.6.*), it passes through a rate limiter first; otherwise it goes straight into the 50%/80% RED buffer. Two open questions: (1) How to determine the signature of an AG-flow? (2) How to set the limited rate for an AG-flow?
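The two open questions made concrete in a small simulation; this is an added example, not the talk's code. The packet trace is constructed (an ICMP flood toward 169.237.6.* mixed with a little TCP and UDP), and both answers are assumptions chosen for illustration: the signature is (protocol, destination prefix), an aggregate counts as high-bandwidth when it carries more than half the packets in the window, and the limited rate is a token bucket of 20 packets per second with a burst of 5.

```python
import ipaddress
from collections import Counter
from fractions import Fraction

# Destination prefixes the analyzer aggregates on (constructed).
PREFIXES = [ipaddress.ip_network("169.237.6.0/24")]

def build_stream():
    """Constructed one-second trace, times in milliseconds: 100 ICMP packets to
    169.237.6.* (the flood), 10 TCP packets to one host in it, 5 UDP packets elsewhere."""
    pkts = [{"t": 10 * i, "proto": "icmp", "dst": "169.237.6.%d" % (i % 254 + 1)} for i in range(100)]
    pkts += [{"t": 50 + 100 * i, "proto": "tcp", "dst": "169.237.6.7"} for i in range(10)]
    pkts += [{"t": 200 * (i + 1), "proto": "udp", "dst": "10.0.0.5"} for i in range(5)]
    return sorted(pkts, key=lambda p: p["t"])

def aggregate_key(pkt, prefixes=PREFIXES):
    """AG-flow signature (assumed): (protocol, destination prefix)."""
    dst = ipaddress.ip_address(pkt["dst"])
    for net in prefixes:
        if dst in net:
            return (pkt["proto"], str(net))
    return (pkt["proto"], "other")

def high_bandwidth_aggregates(packets, prefixes=PREFIXES, share=0.5):
    """Question (1): flag aggregates carrying more than `share` of the window's packets."""
    counts = Counter(aggregate_key(p, prefixes) for p in packets)
    total = sum(counts.values())
    return {k for k, c in counts.items() if c / total > share}

class TokenBucket:
    """Question (2): one limiter per flagged aggregate, `rate` packets/s, burst `depth`.
    Exact arithmetic (Fraction) so the refill per 10 ms tick is exactly 0.2 token."""
    def __init__(self, rate, depth, now_ms):
        self.per_ms, self.depth = Fraction(rate, 1000), Fraction(depth)
        self.tokens, self.last = Fraction(depth), now_ms

    def allow(self, now_ms):
        self.tokens = min(self.depth, self.tokens + (now_ms - self.last) * self.per_ms)
        self.last = now_ms
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def forward(packets, limited, rate=20, depth=5, prefixes=PREFIXES):
    """Packets of a flagged aggregate pass through its token bucket before the shared
    RED buffer; everything else goes straight to the buffer. Returns (accepted, dropped)."""
    buckets = {k: TokenBucket(rate, depth, packets[0]["t"]) for k in limited}
    accepted, dropped = [], []
    for p in packets:
        k = aggregate_key(p, prefixes)
        if k in buckets and not buckets[k].allow(p["t"]):
            dropped.append(p)
        else:
            accepted.append(p)
    return accepted, dropped
```

On this trace the limiter lets 24 of the 100 flood packets through (the burst of 5, then one in five) and drops 76, while the TCP traffic to the same prefix is untouched because it falls into a different aggregate. That is the reason the signature matters: aggregating on the destination prefix alone would throttle the legitimate flows along with the flood.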

  12. Packet Tracing
     • A transit router puts a mark in the data packets themselves (like UPS/FedEx). Where in the packet is there space for the mark?
     • A transit router puts a mark outside the data packets, as a separate "I have seen it!!" message. Where in the Internet is there bandwidth for it?

  13. Statistical Packet Marking
     Applied to the plain DDoS model: the routers between the slaves and the victim (ISP and beyond) probabilistically mark the attack packets (src: random, dst: victim), and the victim collects the marks.

  14. Marking inside the IP header
     IP header fields: ver, hlen, TOS, Total Length; Identification, flags, offset; Time to live, Protocol, Header checksum; Source IP address; Destination IP address. The 16-bit Identification field is overloaded to carry the mark: bits 0-2 offset, bits 3-7 distance, bits 8-15 edge fragment. The topology on the slide has routers R1-R9 and attackers A5 and A6.
     Marking procedure at router R:
       for each packet w
         let x be a random number from [0..1)
         if x < p then
           write R into w.start and 0 into w.distance
         else
           if w.distance == 0 then write R into w.end
           increment w.distance
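The marking procedure above, the victim-side reconstruction it implies, and the 16-bit field layout, as an added simulation (not the talk's code). The path R7 -> R6 -> R3 -> R2 -> R1 -> victim, the marking probability p = 0.2 and the packet count are assumptions; the slide's router names are reused only as labels.

```python
import random

def mark(w, router, p, rng):
    """Marking procedure at router R (slide 14), applied to packet w."""
    if rng.random() < p:
        w["start"], w["distance"] = router, 0
    else:
        if w["distance"] == 0:
            w["end"] = router
        w["distance"] += 1

def traverse(path, p, rng):
    """One attack packet crosses path (first router ... router adjacent to the victim)."""
    w = {"start": None, "end": None, "distance": 0}
    for router in path:
        mark(w, router, p, rng)
    return w

def reconstruct(samples, victim="V"):
    """Victim side. A sample (start, end, d) is the edge start->end, with start
    d+1 hops from the victim. When d == 0 the marking router is the last hop, so
    the edge ends at the victim itself (the end field may then hold a stale value
    written before start was overwritten). Samples no router marked carry no edge."""
    edges = set()
    for w in samples:
        if w["start"] is None:
            continue
        end = victim if w["distance"] == 0 else w["end"]
        edges.add((w["start"], end, w["distance"]))
    path, current, d = [], victim, 0
    while True:
        upstream = {s for (s, e, dist) in edges if e == current and dist == d}
        if not upstream:
            break
        current = min(upstream)   # one attacker gives one path; several attackers give a tree
        path.append(current)
        d += 1
    return path[::-1]

def simulate(path, p=0.2, n=2000, seed=1):
    rng = random.Random(seed)
    return reconstruct(traverse(path, p, rng) for _ in range(n))

# 16-bit Identification field layout from the slide: 3-bit offset, 5-bit distance,
# 8-bit edge fragment (bit 0 is the most significant bit, network order).
def pack_mark(offset, distance, fragment):
    if not (0 <= offset < 8 and 0 <= distance < 32 and 0 <= fragment < 256):
        raise ValueError("field out of range: 5 bits of distance allow at most 31 hops")
    return (offset << 13) | (distance << 8) | fragment

def unpack_mark(ident):
    return (ident >> 13) & 0x7, (ident >> 8) & 0x1F, ident & 0xFF
```

The simulation stores whole router names in each sample; the real scheme has only 16 bits, which is where the offset and edge-fragment fields come in (an edge is split into fragments and reassembled at the victim) and why slide 15 calls 16 bits restrictive. The distance field is also what lets the victim ignore marks an attacker forges: a forged edge arrives with a distance at least as large as the attacker's own hop count.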

  15. Problems with Packet Marking
     • 16 bits is unreliable and restrictive.
     • Only partial IP header information is carried.
     • Weak authentication of the marks.
     • Inefficiency.
     • Cannot handle reflective DDoS.
     • Requires modification of the TCP/IP protocol stack (and specification); not sure exactly how to do it completely and correctly.

  16. Packet marking against the reflective model
     Attackers -> Masters -> Slaves -> Reflectors -> ISP -> Victim, with "???" on the slave-to-reflector legs: the marks accumulated by the request packets (src: victim, dst: reflector) are lost when the reflector builds its reply (src: reflector, dst: victim), so the marks the victim receives lead back only as far as the reflectors.

  17. ICMP Traceback
     • With a very small probability (about 1 in 20,000) per packet, each router sends the destination a new ICMP message indicating the previous hop for that packet.
     • The net traffic increase at the endpoint is probably acceptable.
     • iTrace it or not??

  18. Original iTrace
     On the plain DDoS model (src: random, dst: victim) every router's traceback messages go to the packet's destination, which is the victim, so they end up where they are needed.

  19. iTrace in Reflective DDoS
     The traceback messages for slave-to-reflector packets (src: victim, dst: reflector) go to the reflectors, not to the victim; the victim receives only traces of the reflector-to-victim legs.

  20. Improved ICMP Traceback
     • For a very few packets (about 1 in 20,000), each router sends the destination and the source a new ICMP message indicating the previous hop for that packet.
     • The net traffic increase at the endpoint is probably acceptable.

  21. Who has spoofed me??
     The slave's service request packet (src: Victim, dst: Reflector) now also generates source traceback messages toward its claimed source, the victim, so the victim learns the path toward the slave even though it never sent that request.

  22. Improved iTrace
     On the reflective model, traceback messages from the slave-to-reflector legs now reach the victim as well.

  23. Is that really me???
     The victim receives source traceback messages for a service request packet with src: Victim, dst: www.yahoo.com, via its ISP. How can it tell whether it really sent that packet or a slave spoofed its address? (Slide 50's magic marks answer this.)

  24. Maybe it is my friend...
     An ISP has customers as well as, possibly, slaves. A traceback message tells the victim that traffic with src: random, dst: victim entered at that ISP, but not whether it came from a slave or from a legitimate customer.

  25. Emitting a "relatively small" amount
     With 1-in-20,000 sampling, the routers between the slaves and the victim emit only a small number of iTrace messages.

  26. iTrace Probability: 1/20,000
     A router carries the attack traffic mixed with a much larger volume of background traffic. Because sampling is uniform over all packets, most of the router's iTrace messages describe background packets and go to other destinations; for a router with "lots" of background traffic, it will take a long time before it generates a "useful" iTrace.

  27. A Statistical Problem with iTrace
     • Routers closer to the victim have a higher probability of generating iTrace packets toward the true victim among the first N iTrace messages generated.
     • Routers closer to the DDoS slaves may have a relatively small probability (smaller than the routers around the victim) of generating "useful" iTrace packets fast enough.

  28. "Usefulness"
     • Useful: the iTrace message carries attack packets.
     • Valuable: it carries attack packets from a router that is very close to the original slaves; we have not received the same "kind" of iTrace message before; and the iTrace messages are received fast.

  29. Three Types of Nodes
     • A DDoS victim with the intention to trace the slaves.
     • A DDoS victim without that intention.
     • Non-victims (assumed not to have the intention either; very likely they hope they won't receive iTrace messages at all).

  30. Intention-driven iTrace
     • Different destination hosts, networks, domains/ASs have different "intention levels" in receiving iTrace packets: some might not care about iTrace, and some might not be under DDoS attack, for example.
     • We propose to add one "iTrace-intention" bit.

  31. Issues
     • How to determine the intention bit?
     • How to distribute the intention bits to routers globally?
     • How to use the intention bits at each router?

  32. (figure only)

  33. iTrace / Intention-Driven iTrace architecture
     Packets are looked up in the packet-forwarding table, each entry of which carries an iTrace-generation bit. An iTrace-generation trigger fires with probability 1/20,000 per packet; a decision module consults the intention bits kept in the BGP routing table and sets the iTrace-generation bit on an entry that wants iTrace.

  34. Processing Overhead
     When the 1/20K iTrace trigger occurs: select one forwarding-table entry and set its iTrace bit.
     For each data packet: if the iTrace bit of the matching entry is 1, (1) send an iTrace message for this data packet and (2) reset the iTrace bit to 0.

  35. I(n) and the iTrace bit
     Forwarding-table entries (prefix, iTrace bit), (1) before the iTrace trigger:
       152.1.23.0/24   0
       169.20.3.0/24   0
       192.1.0.0/16    0
       207.3.4.183/20  0
       152.1.0.0/16    0
       155.0.0.0/16    0
     (2) After the iTrace trigger, the decision module has selected 152.1.0.0/16:
       152.1.23.0/24   0
       169.20.3.0/24   0
       192.1.0.0/16    0
       207.3.4.183/20  0
       152.1.0.0/16    1
       155.0.0.0/16    0

  36. I(n) and the iTrace bit (continued)
     (3) After the iTrace message has been sent for the next packet matching 152.1.0.0/16, the bit is cleared again:
       152.1.23.0/24   0
       169.20.3.0/24   0
       192.1.0.0/16    0
       207.3.4.183/20  0
       152.1.0.0/16    0
       155.0.0.0/16    0

  37. (figure only)

  38. Usefulness in MSMV (figure)

  39. How to distribute I(n)?
     • YABE (Yet Another BGP Extension): for every BGP route update, include I(n) as a new string in the community attribute, 0x[iTrace-Intention]:0x[0-1] (optional and transitive).
     • These I(n) values are forwarded, or even aggregated, by the routers that understand the new community attribute; aggregation rule: I(new) = max {I(n)}.
     • Rate-limiting on intention updates: they should not be more frequent than Keep-Alive messages, and should not trigger any major route computation.

  40. Signaling (BGP extension)
     Example with AS 100, 120, 200, 250, 300, 500, 600, 700, 800 and 900: an IDS in AS 900 issues an intention-bit update request; AS 900's BGP update for its prefix carries the attribute "intend to receive iTrace" and propagates through the other ASs, whose routers thereby learn I(n) = 1 for that prefix.
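Slides 33 through 40 describe one mechanism; the following added example (not the talk's code) puts the pieces together: I(n) arrives in a BGP community, lands in the forwarding table, the 1/20,000 trigger sets the iTrace bit on an intending entry, and the next packet matching that entry produces the message. Assumptions: the community's high 16 bits (the slide writes 0x[iTrace-Intention]) are taken as 0xFF01, the prefixes and packets are constructed, and the trigger probability is a parameter so the scenario can be run at 1.0; the original iTrace is included for comparison.

```python
import ipaddress
import random

ITRACE_INTENTION = 0xFF01   # assumed high half of the 0x[iTrace-Intention]:0x[0-1] community

def community(i_n):
    """Encode I(n) as a 32-bit community value high:low = 0x[iTrace-Intention]:0x[0-1]."""
    return (ITRACE_INTENTION << 16) | (i_n & 1)

def intention_of(communities):
    """I(n) for a route from its community list; absent => 0. If several values
    arrive (aggregation), apply the slide's rule I(new) = max{I(n)}."""
    values = [c & 0xFFFF for c in communities if (c >> 16) == ITRACE_INTENTION]
    return max(values, default=0)

class Router:
    def __init__(self, p=1 / 20000, intention_driven=True, seed=0):
        self.p, self.intention_driven = p, intention_driven
        self.rng = random.Random(seed)
        self.fib = {}            # prefix -> {"intention": I(n), "itrace": generation bit}
        self.messages = []       # emitted iTrace messages: (destination, previous hop, packet)

    def bgp_update(self, prefix, communities):
        """Only the intention bit of the entry changes; no route computation is triggered."""
        entry = self.fib.setdefault(ipaddress.ip_network(prefix), {"intention": 0, "itrace": 0})
        entry["intention"] = intention_of(communities)

    def lookup(self, dst):
        ip = ipaddress.ip_address(dst)
        matches = [n for n in self.fib if ip in n]
        return max(matches, key=lambda n: n.prefixlen) if matches else None

    def on_trigger(self):
        """Slide 34, trigger path: select one entry with I(n) = 1 and set its iTrace bit."""
        intending = [n for n, e in self.fib.items() if e["intention"] == 1]
        if intending:
            self.fib[self.rng.choice(intending)]["itrace"] = 1

    def forward(self, pkt, prev_hop):
        """Slide 34, per-packet path."""
        if self.rng.random() < self.p:
            if not self.intention_driven:
                # original iTrace: the sampled packet's own destination gets the message
                self.messages.append((pkt["dst"], prev_hop, pkt))
                return
            self.on_trigger()
        prefix = self.lookup(pkt["dst"])
        if prefix is not None and self.fib[prefix]["itrace"] == 1:
            self.messages.append((str(prefix), prev_hop, pkt))
            self.fib[prefix]["itrace"] = 0

def useful_messages(router, victim_prefix):
    """Messages that reach the victim's prefix (the talk's 'useful' iTrace)."""
    net = ipaddress.ip_network(victim_prefix)
    return [m for m in router.messages if ipaddress.ip_address(m[0].split("/")[0]) in net]

def demo(intention_driven, p=1.0):
    """Constructed scenario: the victim's AS announced I(n)=1 for 152.1.0.0/16; two
    background prefixes carry no intention. p=1.0 makes every packet a trigger."""
    r = Router(p=p, intention_driven=intention_driven)
    r.bgp_update("152.1.0.0/16", [community(1)])
    r.bgp_update("169.20.3.0/24", [community(0)])
    r.bgp_update("192.1.0.0/16", [0x00010002])     # some unrelated community
    stream = [{"dst": "152.1.9.9"}] * 3 + [{"dst": "169.20.3.4"}] * 5 + [{"dst": "192.1.2.3"}] * 4
    for pkt in stream:
        r.forward(pkt, "R2")
    return r
```

With every packet a trigger, the original router emits twelve messages of which three reach the victim, while the intention-driven router emits only the three useful ones. At the real 1/20,000 rate the difference shows up as time: the original router's useful messages arrive at p times the attack rate through it, the intention-driven router's at p times its total rate, which is the point of slides 26 and 27.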

  41. Summary
     • Improve the probability of "useful" iTrace.
     • Requires some "minor" changes to the router forwarding process.
     • Requires a new BGP community string.
     • The amount of generated iTrace messages should be no more than under the current iTrace proposal.

  42. DECIDUOUS
     • Reliably identify the source(s) of attack packets (tracing).
     • Intrusion detection, response, source identification.
     • Collaborates with edge routers or security gateways that support IPsec or other types of tunnels, utilizing the IPsec framework.
     • Requirements for the IPsec policy system; interaction with the IDS and the IRS/FW.

  43. Spoofed IP Address
     Host A in AOL sends to host B at NCSU across UUNet. The packet is Header (src: AOL, dst: NCSU) plus Payload; the source field is whatever A chose to put there.

  44. Header + IPsec
     With an IPsec tunnel between A and B, the same packet is encapsulated: outer header src: A, SPI=0x104, dst: B; inner header src: AOL, dst: NCSU; Payload. The SPI ties the packet to one security association, and AH authenticates that it really entered the tunnel at A, whatever the inner source address claims.

  45. DECIDUOUS architecture
     Every single SA that has been, or has not been, used by the attack packets provides some location information about the true source.
     At the attacker's target: an Intrusion Detection System, the IPsec PHIL/API, an IPSEC module (FreeS/WAN & Pluto, IPsec/AH in tunnel mode) and the Deciduous daemon; at the far end, a router or security gateway. Depending on the results from both the IDS and the IPsec module, as well as the nature of the detected attack itself, the Deciduous daemon decides dynamically where to set up SAs.

  46. NCSU / ISP Collaboration
     The attacker's target at NCSU (IDS, IPsec PHIL/API, IPSEC module, Deciduous daemon) cooperates with its ISP across the Internet core.

  47. NCSU / ISP Tunnel Path
     A Phase II SA is set up between the Deciduous daemon at the attacker's target and a Deciduous daemon at the ISP, so attack packets that traverse that path arrive authenticated through the tunnel.

  48. DECIDUOUS Testbed at SHANG LAB
     Scenarios: simple single source; simple multiple sources; coordinated multiple sources.
     Testbed hosts, each with eth0/eth1/eth2 interfaces: Stone 163, Redwing 164, Norwork 166, Squeeze 175 and Bone 177 (named after the last octet of their 152.1.75.x addresses; the slide's "152,1.75.163" is 152.1.75.163), plus Stone 4 (192.168.1.4), Sun 2 (192.168.1.2) and Hychang2 on the internal side. Internal subnets: 192.168.1.0/24 through 192.168.5.0/24, 172.16.0.0/16 and 10.0.0.0/8 (the slide's "255..0.0.0" is the mask 255.0.0.0).

  49. Results (figure only)

  50. Magic Marks: concept
     For an outgoing packet, the host computes an HMAC under its private key over the packet's src/dst IP addresses, giving a 128-bit digest; a selector reduces the digest to a 16-bit mark, which is placed in the packet next to the src/dst addresses and the rest of the packet. An iTrace message (either a SRC iTrace or a DST iTrace) quotes the src/dst IP addresses and the 16-bit mark, so the recipient can recompute the HMAC and check whether it really sent the packet the message refers to.
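The concept as runnable code, as an added example rather than the talk's implementation. Assumptions: HMAC-MD5 stands in for the 128-bit digest on the slide, the selector takes the first 16 bits, the key and addresses are made up, and the slide does not say which 16-bit field of the packet carries the mark (the IP Identification field is the obvious candidate, but that is a guess).

```python
import hashlib
import hmac
import socket
import struct

def magic_mark(key, src, dst):
    """16-bit mark = selector(HMAC(key, src || dst)). HMAC-MD5 gives the slide's
    128-bit digest (assumed); the selector takes the first two bytes, big-endian."""
    digest = hmac.new(key, socket.inet_aton(src) + socket.inet_aton(dst), hashlib.md5).digest()
    return struct.unpack("!H", digest[:2])[0]

def stamp_outgoing(key, pkt):
    """Host side: put the mark into the outgoing packet (which 16-bit field is assumed)."""
    return dict(pkt, mark=magic_mark(key, pkt["src"], pkt["dst"]))

def router_itrace(pkt, prev_hop, kind):
    """Router side: a SRC or DST iTrace message quotes src/dst and copies the mark."""
    return {"kind": kind, "src": pkt["src"], "dst": pkt["dst"], "mark": pkt["mark"], "prev_hop": prev_hop}

def sent_by_me(key, msg):
    """Victim side (slide 23, 'Is that really me???'): recompute the mark from the quoted
    addresses; a match means this host really emitted the packet the message describes."""
    expected = struct.pack("!H", magic_mark(key, msg["src"], msg["dst"]))
    return hmac.compare_digest(expected, struct.pack("!H", msg["mark"]))

def scenario(key=b"victim-private-key"):
    """Constructed: the victim (169.237.6.10) really sends a request to a reflector
    (192.0.2.80 stands in for www.yahoo.com); a slave spoofs the victim's address toward
    the same reflector without the key, so its mark is just a guess (here: off by one)."""
    genuine = stamp_outgoing(key, {"src": "169.237.6.10", "dst": "192.0.2.80"})
    spoofed = {"src": "169.237.6.10", "dst": "192.0.2.80", "mark": (genuine["mark"] + 1) & 0xFFFF}
    return (sent_by_me(key, router_itrace(genuine, "R4", "SRC")),
            sent_by_me(key, router_itrace(spoofed, "R9", "SRC")))
```

A guessing slave matches the mark with probability 1/65536 per packet, which is adequate for deciding whether an individual traceback message refers to a packet the host sent. Two caveats follow from the construction on the slide: the key must stay private to the host, and because the mark depends only on the src/dst pair, a slave that can observe one genuine packet from the victim to the same reflector can copy its mark, so the mark distinguishes blind spoofing from genuine traffic, not an on-path attacker.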
