1
Countering DoS Through Filtering
Omar Bashir
Communications Enabling Technologies
2
Sequence
• Roots of IP Spoofing
• Effective Anti-Spoofing Through Ingress Filtering
• Reducing DoS Effect Through Egress Filtering
• Pushback: Countering DoS Closer to the DoS Source
• Trackback: Locating the DoS Source
3
Roots of IP Spoofing
• Source Independent Routing
  – Next hop forwarding in packet switched networks is not dependent on
    • a packet’s original source
    • the path that packet has taken before it arrives at a particular packet switch
  – Enhances the efficiency of routing mechanisms in packet switches.
• Implications
  – The source address of a packet may never be required in a specific communication session.
  – Routers and switches do not inspect the source addresses of packets before forwarding a packet to the next hop.
4
Roots of IP Spoofing (Contd.)
• Attackers can mask their identities by inserting false or invalid source addresses on packets before transmitting them to the destination.
• Typical invalid source addresses
  – This host address, 0.0.0.0
  – Local loopback address, 127.0.0.1
  – Limited broadcast address, 255.255.255.255
  – Directed broadcast address
  – Subnet address
• False source addresses are addresses not assigned to the transmitting host.
  – Typically addresses of hosts on different subnets or internal subnet addresses.
5
Network Ingress Filtering
• RFC-2827
• Automatic filtering on RAS and access routers to drop packets with invalid or false source addresses.
• Preventative measure to block an imminent DoS attack closest to the source.
  – Traffic rates there are substantially low, which makes inspection of each outbound packet feasible.
• Firewalls without ingress filtering capability can be configured to achieve ingress filtering.
• Logging and analysis of dropped packets are necessary to identify, locate and neutralise the attacker.
6
Egress Filtering
• Deny entry of a packet with an invalid source address into a subnet.
• Can also be used to filter packets with source address fields containing local subnet addresses.
• Considered necessary due to the lack of implementation of network ingress filtering.
• May require implementation on platforms with substantial processing resources.
• Can substantially reduce the impact of DRDoS by eliminating the attack traffic before it reaches the reflectors.
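As an added illustration, not part of the original slides, the following Python implements the ingress check of slide 5 (outbound packets must carry a source inside the customer subnet, and never one of the invalid addresses of slide 4) and the egress check of slide 6 (inbound packets must not claim a local source), with a drop log for the analysis step. The customer subnet, the packet list and the reason labels are constructed for this example.

```python
import ipaddress
from collections import Counter

# Constructed example: the customer subnet behind an access router (RFC 5737 documentation space).
CUSTOMER_NET = ipaddress.ip_network("192.0.2.0/24")

def invalid_source_reason(src, net):
    """Slide 4's invalid source addresses; returns a reason label or None."""
    a = ipaddress.ip_address(src)
    if a == ipaddress.ip_address("0.0.0.0"):
        return "this-host"
    if a in ipaddress.ip_network("127.0.0.0/8"):
        return "loopback"
    if a == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"
    if a == net.broadcast_address:
        return "directed-broadcast"
    if a == net.network_address:
        return "subnet-address"
    return None

def ingress_verdict(src, net):
    """Ingress filtering (RFC 2827) at the access router: packets leaving the
    customer subnet must carry a source address assigned to that subnet."""
    reason = invalid_source_reason(src, net)
    if reason is not None:
        return ("drop", reason)
    if ipaddress.ip_address(src) not in net:
        return ("drop", "false-source")
    return ("forward", "ok")

def egress_verdict(src, net):
    """Egress filtering at the subnet border: packets entering from outside
    must not claim a local (or invalid) source address."""
    reason = invalid_source_reason(src, net)
    if reason is not None:
        return ("drop", reason)
    if ipaddress.ip_address(src) in net:
        return ("drop", "local-source-from-outside")
    return ("forward", "ok")

def filter_and_log(packets, net, verdict):
    """Apply a verdict function to (src, dst) pairs. Dropped packets are counted
    by (source, reason) so the log can later be analysed to locate the spoofing host."""
    forwarded, drop_log = [], Counter()
    for src, dst in packets:
        action, reason = verdict(src, net)
        if action == "forward":
            forwarded.append((src, dst))
        else:
            drop_log[(src, reason)] += 1
    return forwarded, drop_log
```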
7
Ingress and Egress Filtering
[Diagram: ingress filtering and egress filtering points in the network; only the labels survive extraction]
8
DoS Pushback
• DDoS attacks are treated as a congestion control problem.
• Congestion resulting from a DoS attack has to be handled by the routers.
  – Routers detect and preferentially drop packets that probably belong to an attack.
  – Upstream routers are also notified to drop such packets, so that the router’s resources are used to route legitimate traffic.
• Focus is on handling DDoS activity closer to the source, where traffic rates are substantially low.
9
Traffic Characterisation
• Bad Packets
  – Transmitted by the attacker.
  – Characterised by the attack signature identified by the congestion signature.
• Poor Packets
  – Packets matching the congestion signature.
  – Do not actually belong to the attack.
• Good Packets
  – Packets not matching the congestion signature but sharing links or destination with the bad traffic.
10
Typical DDoS Signature and Pushback
[Diagram: routers R1 to R8 and the Victim]
11
Pushback Operations
• Attack Detection
  – Detecting the congestion signature.
• Local Rate Limiting
  – Packet filtering on the basis of the congestion signature.
• Upstream Notification
  – Informing the upstream routers of the congestion condition and its signature.
• Upstream Rate Limiting
  – Packet filtering on the basis of congestion at the upstream routers.
12
Congestion Detection
• Typical congestion identifiers
  – Higher packet drop rates.
  – Typically
    • wi > 1.2wo
• Principal determinant
  – Victim’s address.
• The algorithm prepares the list of prefixes of destination addresses and the number of packets dropped for each prefix.
13
Congestion Detection (Contd.)
• Prefix with highest drop rate is considered to be the subnet being attacked.
• For multiple simultaneous attacks
  – Determine the congestion contribution for the prefix with highest drop rate.
    • wb
  – If for other prefixes on the list wi - wb > 1.2wo, the list is rescanned to determine the second attack.
14
Rate Limiting
• Rate limiter is implemented between the input and the output queues.
• For wi > 1.2wo, wl = wi - 1.2wo
• If wb > wl then rate limit the aggregate to wl.
• If wb < wl then drop all traffic matching the congestion signature and allow the remaining traffic to pass through the rate limiter.
  – Traffic allowed by the rate limiter is not treated preferentially.
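The congestion detection of slides 12 and 13 and the rate-limiting decision of slide 14, worked through in Python as an added example (not the slides' own code). The slides do not define the symbols, so it is assumed here that wi is the arrival rate at the output queue, wo the output link rate, and wb the attacked prefix's share of wi; the /24 prefix granularity, the drop list and the per-prefix rates are constructed. The limiter branch follows the rule exactly as stated on slide 14.

```python
import ipaddress
from collections import Counter

CONGESTION_FACTOR = 1.2  # slide 12: congestion when wi > 1.2 * wo

def dest_prefix(dst, length=24):
    """Destination prefix used for drop accounting (assumed /24 granularity)."""
    return str(ipaddress.ip_network(f"{dst}/{length}", strict=False))

def drops_per_prefix(dropped_dsts):
    """Slide 12: count dropped packets per destination prefix."""
    return Counter(dest_prefix(d) for d in dropped_dsts)

def congestion_signatures(wi, wo, drops, rate_by_prefix):
    """Slide 13: the prefix with the most drops is the attacked subnet; subtract its
    contribution wb and rescan while the remainder still exceeds 1.2 * wo."""
    signatures, remaining, candidates = [], wi, drops.copy()
    while remaining > CONGESTION_FACTOR * wo and candidates:
        prefix, _ = candidates.most_common(1)[0]
        wb = rate_by_prefix.get(prefix, 0.0)
        signatures.append((prefix, wb))
        remaining -= wb
        del candidates[prefix]
    return signatures

def rate_limit_decision(wi, wo, wb):
    """Slide 14: wl = wi - 1.2*wo. If wb > wl, limit the aggregate to wl;
    otherwise drop the whole aggregate and pass the rest through the limiter."""
    if not wi > CONGESTION_FACTOR * wo:
        return ("none", None)
    wl = wi - CONGESTION_FACTOR * wo
    if wb > wl:
        return ("limit", wl)
    return ("drop-aggregate", None)

# Constructed sample: destinations of packets dropped at the output queue, and the
# arrival rate (Mb/s) attributed to each destination prefix.
DROPPED = ["203.0.113.7", "203.0.113.9", "203.0.113.20",
           "198.51.100.2", "198.51.100.3", "192.0.2.11"]
RATES = {"203.0.113.0/24": 120.0, "198.51.100.0/24": 80.0, "192.0.2.0/24": 60.0}
```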
15
Pushback
• Congestion condition and signature notified to upstream routers.
• Pushback protocol messages
  – Request
    • Transmitted to upstream routers and received from downstream routers.
    • Suggest rate limiting to the upstream routers.
  – Response
    • Generated by upstream routers.
    • Used to determine modifications in the pushback process.
  – Cancel
    • Instruction to upstream router for canceling the rate limiting operation.
• Described in the IETF draft draft-floyd-pushback-messages-00.txt
16
Pushback Mechanism
[Diagram: routers R1 to R8 and the Victim, with pushback requests propagating upstream]
17
Traceback
• Identification of the network paths traversed by the attacking traffic.
• Principal categories
  – Intrusive traceback
    • Controlled flooding
    • ICMP traceback
  – Non-intrusive traceback
    • Input debugging
    • Logging
    • Packet marking
18
Controlled Flooding
• Test links by flooding them with large bursts of traffic and observing the effect on the attack traffic.
• Victim coerces selected hosts along the upstream route to iteratively flood incoming routes on routers detected to be in the path of the attack traffic.
• Requires a pre-generated map of Internet topology.
• DoS attack on DoS attack
  – Considered unsuitable as it might affect traffic to other routes sharing routers with the victim’s path.
19
ICMP Traceback
• Explicit router generated ICMP traceback messages.
• The router forwards, at a low rate, alongside one of the packets it forwards, an ICMP packet containing
  – The contents of the forwarded packet.
  – Information about the adjacent routers along the path to the destination.
• In a flooding attack, a victim can reconstruct the path to the attacker using these messages.
• Issues
  – ICMP differentiation
  – ICMP traceback spoofing
• IETF draft draft-bellovin-itrace-00.txt
20
Input Debugging
• Filter packets on the egress of the router and determine the input port they arrived at.
• In an attack, the victim can use the attack signature to query the closest router to determine the link on which the packets reached the router.
• The router upstream of that link can be successively queried to determine the identity of the attacker.
• Considerable management overhead.
21
Logging
• Packet details are logged at key routers.
• Data mining applied to determine path traversed by the packets.
• Considerably useful for post-attack analysis.
• Considerable resource requirements.
22
Packet Marking
• Marking packets probabilistically or deterministically with the addresses of routers they traverse.
• Marking techniques
  – Node append
    • Append each node’s address to the end of the packet as it traverses the network.
  – Node sampling
    • Sampling the path one node at a time.
  – Edge sampling
    • In addition to sampling nodes, also encode the distance of the attacker to the node.
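Edge sampling from slide 22, as an added example that is not part of the original slides: each router overwrites the mark with some probability, otherwise it completes the edge and advances the distance field, and the victim chains the collected edges by distance to rebuild the path. The router names follow the diagrams (R1, R5, R7, R8), while the sampling probability, the packet count and the simulation helper are constructed for this example.

```python
import random

def mark_along_path(path, p, rng):
    """Edge sampling over `path` (attacker side first, victim-adjacent router last).
    Mark = (start, end, distance); distance counts hops since `start` was written."""
    start = end = distance = None          # None: packet not yet marked
    for router in path:
        if rng.random() < p:                # sample: restart the edge at this router
            start, end, distance = router, None, 0
        elif distance is not None:          # not sampled: complete the edge, advance
            if distance == 0:
                end = router
            distance += 1
    return (start, end, distance)

def reconstruct_path(marks):
    """Victim side: the edge at distance d names the router d hops away; each edge's
    `end` must be the router already placed one hop closer to the victim."""
    edges = {}
    for start, end, dist in marks:
        if start is not None:               # ignore packets that were never marked
            edges.setdefault(dist, (start, end))
    path, d = [], 0
    while d in edges:
        start, end = edges[d]
        if d > 0 and end != path[-1]:
            break                           # inconsistent edge: stop rather than guess
        path.append(start)
        d += 1
    return list(reversed(path))             # attacker side first, like the input path

def simulate_attack(path, p, packets, seed):
    """Constructed simulation: mark `packets` flows along `path`, then reconstruct."""
    rng = random.Random(seed)
    marks = [mark_along_path(path, p, rng) for _ in range(packets)]
    return reconstruct_path(marks)
```

With a few hundred packets every edge on a short path is sampled with overwhelming probability, which is what makes the probabilistic marking cheap per packet yet sufficient for the victim.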
23
Conclusions
• Enforcement of ingress filtering as a preventative measure.
• Enforcement of egress filtering to reduce the possibility of spoofed attack and reflection traffic.
• Inter-ISP cooperation
  – Data collection
  – Attack signature determination
  – Attack analysis
• Pushing the attack closer to the attackers and zombies.
24
Q&A
• Most upstream ISPs do not allow filtering; how can pushback be implemented in this case?
  – Possibly by using traceback to determine the ISP hosting the attacker and using a firewall signaling protocol to signal the access routers at that ISP to perform ingress filtering at the source.
• In pushback, can an attacker generate spoofed requests to upstream routers, performing DoS?
  – Requests to upstream routers are suggestions to the upstream routers to perform filtering on the suggested signature. It is possible for the upstream routers to determine their own attack signature and perform filtering on that basis.
  – Use encryption and authentication on requests and responses.
25
Q&A
• Pushback may be effective in case of a sustained attack. How does it scale to a pulse attack, where the attacker generates a surge at intervals to start a pushback? In this case pushback itself becomes DoS, and by the time the network neutralises one pulse another arrives.
  – More effective pattern matching
  – Hysteresis in triggering pushback
  – Determine pulse attack periodicity and patterns through data logging and analysis. Use predictive measures to be prepared for the attack before it occurs.