The Crossfire Attack

Post on 24-Feb-2016

DESCRIPTION

The Crossfire Attack. Min Suk Kang, Soo Bum Lee, Virgil D. Gligor, ECE Department and CyLab, Carnegie Mellon University. 2013 IEEE Symposium on Security and Privacy. Outline: Introduction; The Crossfire Attack; Attack Persistence and Cost; Experiment Setup and Results; Related Work.

TRANSCRIPT

The Crossfire Attack

Min Suk Kang, Soo Bum Lee, Virgil D. Gligor

ECE Department and CyLab

Carnegie Mellon University

2013 IEEE Symposium on Security and Privacy

Outline
- INTRODUCTION
- THE CROSSFIRE ATTACK
- ATTACK PERSISTENCE AND COST
- EXPERIMENT SETUP AND RESULTS
- RELATED WORK
- CONCLUSION

INTRODUCTION – Old DDoS

Typical attack:
- Floods server with HTTP, UDP, SYN, ICMP, ... packets

Persistence:
- Maximum: 2.5 days
- Average: 1.5 days

Adversary's Challenge: DDoS attacks are either persistent or scalable to N servers
- N traffic to 1 server => high-intensity traffic triggers network detection
- Detection not triggered => low-intensity traffic is insufficient for N servers

INTRODUCTION – Crossfire Attack

Link flooding by botnets cannot be easily countered
- Spoofed IP addresses.
- Can flood links without using unwanted traffic.
- Launch an attack with low-intensity traffic flows that cross a targeted link at roughly the same time and flood it.

INTRODUCTION – Crossfire Attack

A link-flooding attack that degrades/cuts off network connections of scalable N-server area persistently.

Scalable N-server areas:
- N = small (e.g., 1-1000 servers), medium (e.g., all servers in a US state), large (e.g., the West Coast of the US)

Persistent:
- Attack traffic is indistinguishable from legitimate
- Low-rate, changing sets of flows
- Attack is "moving target" for same N-server area
- Changing target links before triggering alarms

INTRODUCTION – Definitions

INTRODUCTION – 1 link crossfire

Attack flows => Indistinguishable from legitimate

INTRODUCTION – 1 link crossfire

Attack flows => Alarms not triggered

Link-failure detection latency:
- Interior Gateway Protocol (IGP) routers (OSPF): default waiting time 40 sec, failure detection 217 sec
- Exterior Gateway Protocol (EGP) routers (BGP): default waiting time 180 sec, failure detection 1,076 sec

THE CROSSFIRE ATTACK

Public servers: To construct an attack topology centered at target area

Decoy servers: To create attack flow

ATTACK - Step 1: Link Map Construction

( 72% )

(1) Traceroute (B->S)
(2) Link-Persistence

ATTACK - Step 2: Attack Setup

(1) Flow-Density Computation
(2) Target-Link Selection

DR: Degradation Ratio

ATTACK - Step 3: Bot Coordination

(1) Attack-Flow Assignment
(2) Target-Link Flooding

ATTACK PERSISTENCE AND COST

Data-Plane-Only Attack: Indefinite Duration
- Link failure detection
- Traffic engineering

Proactive Attack Techniques: Rolling Attack
- Maintaining the same target links: changes bot and decoy servers
- Maintaining the same target area: changes target links

ATTACK PERSISTENCE AND COST

Attack bots available from Pay-per-Install (PPI) markets [2011]

In experiments: 49% in US or UK, 37% in Europe, 14% rest of the world
10 target links: can be as low as 107,200 bots. Cost approximately $9K

EXPERIMENT SETUP AND RESULTS

Bots:
- 1,072 traceroute nodes: 620 PlanetLab nodes, 452 LG (Looking Glass) servers

EXPERIMENT SETUP AND RESULTS

Decoy servers:
552 institutions (i.e., universities and colleges) on both the East Coast (10 states) and West Coast (7 states) of the US

2737 public web servers within Univ1 in Pennsylvania
7411 public web servers within Univ2 in Massachusetts

EXPERIMENT SETUP AND RESULTS

Target Areas:

EXPERIMENT SETUP AND RESULTS

Link map:
Run a traceroute six times to diagnose link persistence

EXPERIMENT SETUP AND RESULTS

Average rate when flooding 10 Target Links against Pennsylvania

The Coremelt Attack

“Spamhaus” Attack

RELATED WORK

CONCLUSION

Attack Characteristics
- Undetectability at the Target Area
- Indistinguishability of Flows in Routers
- Persistence
- Flexibility

New DDoS Attack: The Crossfire Attack
- Scalable & Persistent

Internet-scale experiment
- Feasibility of the attack
- High impact with low cost

Q&A
