Countering DoS Through Filtering. Omar Bashir, Communications Enabling Technologies (obashir@enabtech.com)

Posted 03-Jan-2016

Page 1

Countering DoS Through Filtering

Omar Bashir

Communications Enabling Technologies

obashir@enabtech.com

Page 2

Sequence

• Roots of IP Spoofing

• Effective Anti-Spoofing Through Ingress Filtering

• Reducing DoS Effect Through Egress Filtering

• Pushback: Countering DoS Closer to the DoS Source

• Trackback: Locating the DoS Source

Page 3

Roots of IP Spoofing

• Source Independent Routing
  – Next hop forwarding in packet switched networks is not dependent on
    • a packet's original source
    • the path that packet has taken before it arrives at a particular packet switch
  – Enhances the efficiency of routing mechanisms in packet switches.

• Implications
  – The source address of a packet may never be required in a specific communication session.
  – Routers and switches do not inspect the source addresses of packets before forwarding a packet to the next hop.

Page 4

Roots of IP Spoofing (Contd.)

• Attackers can mask their identities by inserting false or invalid source addresses on packets before transmitting them to the destination.

• Typical invalid source addresses
  – This host address, 0.0.0.0
  – Local loopback address, 127.0.0.1
  – Limited broadcast address, 255.255.255.255
  – Directed broadcast address.
  – Subnet address.

• False source addresses are addresses not assigned to the transmitting host.
  – Typically addresses of hosts on different subnets or internal subnet addresses.

Page 5

Network Ingress Filtering

• RFC-2827

• Automatic filtering on RAS and access routers to drop packets with invalid or false source addresses.

• Preventative measure to block an imminent DoS attack closest to the source.
  – Traffic rates at the access router are substantially low, which allows inspection of each outbound packet.

• Firewalls without ingress filtering capability can be configured to achieve ingress filtering.

• Logging and analysis of dropped packets necessary to identify, locate and neutralise the attacker.
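The source-address checks from the previous two slides, worked through as an added example (not code from the talk): an access router drops outbound packets whose source is one of the invalid addresses listed on slide 4, or a false address outside the prefix assigned to its access network. The assigned prefix and the sample packets are constructed for the example.

```python
import ipaddress

# Constructed example of RFC 2827-style ingress filtering at an access router.
# Assumption: the access network behind this router has been assigned
# ASSIGNED_PREFIX, so every legitimate outbound packet must carry a source
# address inside it. The prefix value is made up for the example.
ASSIGNED_PREFIX = ipaddress.ip_network("192.0.2.0/24")

def classify_source(src: str, prefix=ASSIGNED_PREFIX) -> str:
    """Return 'valid', 'invalid' (never a legitimate source) or 'false'
    (an address not assigned to this access network)."""
    addr = ipaddress.ip_address(src)
    invalid = {
        ipaddress.ip_address("0.0.0.0"),          # this host
        ipaddress.ip_address("255.255.255.255"),  # limited broadcast
        prefix.network_address,                   # subnet address
        prefix.broadcast_address,                 # directed broadcast
    }
    if addr in invalid or addr.is_loopback:       # 127.0.0.0/8 loopback
        return "invalid"
    if addr not in prefix:
        return "false"
    return "valid"

def ingress_filter(packets, prefix=ASSIGNED_PREFIX):
    """Split outbound (src, dst) packets into forwarded ones and a drop log;
    the log keeps the reason so dropped packets can be analysed later."""
    forwarded, dropped = [], []
    for src, dst in packets:
        verdict = classify_source(src, prefix)
        if verdict == "valid":
            forwarded.append((src, dst))
        else:
            dropped.append({"src": src, "dst": dst, "reason": verdict})
    return forwarded, dropped

# Constructed sample traffic leaving the access network.
SAMPLE_PACKETS = [
    ("192.0.2.10", "198.51.100.5"),   # legitimate host
    ("0.0.0.0", "198.51.100.5"),      # invalid: this-host address
    ("127.0.0.1", "198.51.100.5"),    # invalid: loopback
    ("192.0.2.255", "198.51.100.5"),  # invalid: directed broadcast
    ("203.0.113.7", "198.51.100.5"),  # false: not assigned here
]

if __name__ == "__main__":
    fwd, drop = ingress_filter(SAMPLE_PACKETS)
    print(len(fwd), "forwarded,", len(drop), "dropped")
```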

Page 6

Egress Filtering

• Deny entry of a packet with an invalid source address into a subnet.

• Can also be used to filter packets with source address fields containing local subnet addresses.

• Considered necessary due to the lack of implementation of network ingress filtering.

• May require implementation on platforms with substantial processing resources.

• Can substantially reduce the impact of DRDoS by eliminating the attack traffic before it reaches the reflectors.

Page 7

Ingress and Egress Filtering

[Diagram: network with the points labelled "Ingress Filtering" (two) and "Egress Filtering"]

Page 8

DoS Pushback

• DDoS attacks are treated as a congestion control problem.

• Congestion resulting from a DoS attack has to be handled by the routers.
  – Routers detect and preferentially drop packets that probably belong to an attack.
  – Upstream routers are also notified to drop such packets, so that the router's resources are used to route legitimate traffic.

• Focus is on handling DDoS activity closer to the source where traffic rates are substantially low.

Page 9

Traffic Characterisation

• Bad Packets
  – Transmitted by the attacker.
  – Characterised by the attack signature identified by the congestion signature.

• Poor Packets
  – Packets matching the congestion signature.
  – Do not actually belong to the attack.

• Good Packets
  – Packets not matching the congestion signature but sharing links or destination with the bad traffic.

Page 10

Typical DDoS Signature and Pushback

[Diagram: tree of routers R1 through R8 converging on the Victim]

Page 11

Pushback Operations

• Attack Detection
  – Detecting the congestion signature.

• Local Rate Limiting
  – Packet filtering on the basis of the congestion signature.

• Upstream Notification
  – Informing the upstream routers of the congestion condition and its signature.

• Upstream Rate Limiting
  – Packet filtering on the basis of congestion at the upstream routers.

Page 12

Congestion Detection

• Typical congestion identifiers
  – Higher packet drop rates.
  – Typically
    • w_i > 1.2 w_o

• Principal determinant
  – Victim's address.

• The algorithm prepares the list of prefixes of destination addresses and the number of packets dropped for each prefix.

Page 13

Congestion Detection (Contd.)

• Prefix with highest drop rate is considered to be the subnet being attacked.

• For multiple simultaneous attacks
  – Determine the congestion contribution for the prefix with highest drop rate.
    • w_b
  – If for other prefixes on the list w_i - w_b > 1.2 w_o, the list is rescanned to determine the second attack.

Page 14

Rate Limiting

• Rate limiter is implemented between the input and the output queues.

• For w_i > 1.2 w_o, w_l = w_i - 1.2 w_o

• If w_b > w_l then rate limit the aggregate to w_l.

• If w_b < w_l then drop all traffic matching the congestion signature and allow the remaining traffic to pass through the rate limiter.
  – Traffic allowed by the rate limiter is not treated preferentially.
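The congestion-detection scan (slides 12 and 13) and the rate-limiter decision (slide 14), carried through as an added example that is not code from the talk. The slides do not say what w_i, w_o and w_b measure; the example assumes w_i is the total arrival rate at the router, w_o the rate its output link carries and w_b the arrival rate of the attacked prefix, all in packets per second, and it applies the slide's limiter rule exactly as stated. The per-prefix drop counts and rates are constructed.

```python
from collections import Counter

# Constructed illustration of the congestion-detection and rate-limiting
# rules on the slides. Assumptions the slides leave implicit: w_i is the
# total arrival rate at the router, w_o the rate its output link carries,
# w_b the arrival rate of the attacked prefix, all in packets per second.
THRESHOLD = 1.2  # the slides' factor: congestion when w_i > 1.2 w_o

def congested(w_i, w_o):
    return w_i > THRESHOLD * w_o

def find_attacked_prefixes(drops_by_prefix, rates_by_prefix, w_i, w_o):
    """Scan the per-prefix drop list. The prefix with the most drops is the
    attacked subnet and its rate is w_b. If w_i - w_b is still above 1.2 w_o
    the list is rescanned for a second attack. Returns [(prefix, w_b), ...]
    in detection order."""
    remaining = Counter(drops_by_prefix)
    found = []
    while remaining and congested(w_i, w_o):
        prefix, _ = remaining.most_common(1)[0]
        w_b = rates_by_prefix[prefix]
        found.append((prefix, w_b))
        del remaining[prefix]
        w_i -= w_b  # remove this aggregate's congestion contribution
    return found

def limiter_action(w_i, w_o, w_b):
    """The slide's rule: w_l = w_i - 1.2 w_o once congested. If w_b > w_l the
    aggregate is rate limited to w_l, otherwise all packets matching the
    signature are dropped. Returns (action, limit)."""
    if not congested(w_i, w_o):
        return ("pass", None)
    w_l = w_i - THRESHOLD * w_o
    if w_b > w_l:
        return ("rate-limit", w_l)
    return ("drop-signature", 0)

# Constructed sample: drops and arrival rates per destination prefix (pps)
# observed at one router over one measurement interval.
DROPS = {"198.51.100.0/24": 900, "203.0.113.0/24": 400, "192.0.2.0/24": 20}
RATES = {"198.51.100.0/24": 5000, "203.0.113.0/24": 3000, "192.0.2.0/24": 1000}
W_I = sum(RATES.values())  # 9000 pps arriving
W_O = 5000                 # output link carries 5000 pps, so 1.2 w_o = 6000

if __name__ == "__main__":
    for prefix, w_b in find_attacked_prefixes(DROPS, RATES, W_I, W_O):
        print(prefix, w_b, limiter_action(W_I, W_O, w_b))
```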

Page 15

Pushback

• Congestion condition and signature notified to upstream routers.

• Pushback protocol messages
  – Request
    • Transmitted to upstream routers and received from downstream routers.
    • Suggest rate limiting to the upstream routers.
  – Response
    • Generated by upstream routers.
    • Used to determine modifications in the pushback process.
  – Cancel
    • Instruction to upstream router for cancelling the rate limiting operation.

• Described in the IETF draft – draft-floyd-pushback-messages-00.txt

Page 16

Pushback Mechanism

[Diagram: routers R1 through R8 and the Victim, with pushback propagating upstream along the attack paths]

Page 17

Traceback

• Identification of the network paths traversed by the attacking traffic.

• Principal categories
  – Intrusive traceback
    • Controlled flooding
    • ICMP traceback
  – Non-intrusive traceback
    • Input debugging
    • Logging
    • Packet marking

Page 18

Controlled Flooding

• Test links by flooding them with large bursts of traffic and observing the effect on the attack traffic.

• Victim coerces selected hosts along the upstream route to iteratively flood incoming routes on routers detected to be in the path of the attack traffic.

• Requires a pre-generated map of Internet topology.

• DoS attack on DoS attack
  – Considered unsuitable as it might affect traffic to other routes sharing routers with the victim's path.

Page 19

ICMP Traceback

• Explicit router generated ICMP traceback messages.

• The router forwards, at a low rate and alongside one of the packets it forwards, an ICMP packet containing
  – The contents of the forwarded packet.
  – Information about the adjacent routers along the path to the destination.

• In a flooding attack, a victim can reconstruct the path to the attacker using these messages.

• Issues
  – ICMP differentiation
  – ICMP traceback spoofing

• IETF draft draft-bellovin-itrace-00.txt

Page 20

Input Debugging

• Filter packets on the egress to the router and determine the input port they arrived at.

• In an attack, the victim can use the attack signature to query the closest router to determine the link on which the packets reached the router.

• The router upstream of that link can be successively queried to determine the identity of the attacker.

• Considerable management overhead.

Page 21

Logging

• Packet details are logged at key routers.

• Data mining applied to determine path traversed by the packets.

• Considerably useful for post-attack analysis.

• Considerable resource requirements.

Page 22

Packet Marking

• Marking packets probabilistically or deterministically with the addresses of routers they traverse.

• Marking techniques
  – Node append
    • Append each node's address to the end of the packet as it traverses the network.
  – Node sampling
    • Sampling the path one node at a time.
  – Edge sampling
    • In addition to sampling nodes, also encode the distance of the attacker to the node.
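Edge sampling, the last technique on the slide, worked through as an added simulation (not code from the talk): each router marks a passing packet with probability P, a mark carries a (start, end, distance) edge, and the victim rebuilds the upstream path from the sampled edges. The routers R5, R3, R1, the probability P, the mark layout and counting the distance as hops from the marking router to the victim are assumptions of the example.

```python
import random

# Constructed simulation of edge-sampling packet marking. Assumptions not on
# the slide: each router marks a packet with probability P; a mark carries
# (start, end, distance) where distance is the hop count from the marking
# router to the victim; router names and the path are made up for the
# example. Unmarked packets arrive with start=None and are ignored.
P = 0.2

def mark(pkt, router, rng):
    """Per-router marking step, applied in order along the path."""
    if rng.random() < P:
        pkt["start"], pkt["end"], pkt["distance"] = router, None, 0
    elif pkt["start"] is not None:
        if pkt["distance"] == 0:
            pkt["end"] = router        # closes the edge started upstream
        pkt["distance"] += 1
    return pkt

def send(path, n, seed=1):
    """Send n packets along path (attacker side first) and return the
    (start, end, distance) marks that reach the victim."""
    rng = random.Random(seed)
    marks = []
    for _ in range(n):
        pkt = {"start": None, "end": None, "distance": 0}
        for router in path:
            mark(pkt, router, rng)
        if pkt["start"] is not None:
            marks.append((pkt["start"], pkt["end"], pkt["distance"]))
    return marks

def reconstruct(marks, victim="victim"):
    """Rebuild the path from the victim outwards: at distance 0 the edge ends
    at the victim, at distance d it must end at the node found for d-1."""
    edges = set(marks)
    path, current, d = [victim], victim, 0
    while True:
        nxt = [s for s, e, dist in edges if dist == d and (e or victim) == current]
        if not nxt:
            return path
        current = nxt[0]
        path.append(current)
        d += 1

PATH = ["R5", "R3", "R1"]  # attacker -> R5 -> R3 -> R1 -> victim

if __name__ == "__main__":
    print(reconstruct(send(PATH, 300)))  # ['victim', 'R1', 'R3', 'R5']
```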

Page 23

Conclusions

• Enforcement of ingress filtering as preventative measure.

• Enforcement of egress filtering to reduce the possibility of spoofed attack and reflection traffic.

• Inter-ISP cooperation
  – Data collection
  – Attack signature determination
  – Attack analysis

• Pushing the attack closer to the attackers and zombies.

Page 24

Q&A

• Most upstream ISPs do not allow filtering; how can pushback be implemented in this case?
  – Possibly by using traceback to determine the ISP hosting the attacker and using a firewall signaling protocol to signal the access routers at that ISP to perform ingress filtering at the source.

• In pushback, can an attacker generate spoofed requests to upstream routers, performing DoS?
  – Requests to upstream routers are suggestions to the upstream routers to perform filtering on the suggested signature. It is possible for the upstream routers to determine their own attack signature and perform filtering on that basis.
  – Use encryption and authentication on requests and responses.

Page 25

Q&A

• Pushback may be effective in case of a sustained attack. How does it scale to a pulse attack, where the attacker generates a surge at intervals to start a pushback? In this case pushback itself becomes DoS, and by the time the network neutralises it another pulse arrives.
  – More effective pattern matching
  – Hysteresis in triggering pushback
  – Determine pulse attack periodicity and patterns through data logging and analysis. Use predictive measures to be prepared for the attack before it occurs.