An Adaptable Inter-Domain Infrastructure Against DoS Attacks
Georgios Koutepas, National Technical University of Athens, Greece
SSGRR 2003w
January 10, 2003
Adaptable Inter-Domain Infrastructure Against DoS Attacks, SSGRRw 2003
What is "Denial of Service"?
• An attack that suspends the availability of a service
• Until recently the "bad guys" tried to enter our systems. Now it's: "If not us, then Nobody"
• No break-in attempts, no information stealing, although DoS can be combined with other attacks to confuse Intrusion Detection Systems
• No easy solutions! DoS is still mostly a research issue
Main Characteristics of DoS
• Variable targets:
– Single hosts or whole domains
– Computer systems or networks
– Important: active network components (e.g. routers) are also vulnerable and possible targets!
• Variable uses & effects:
– Hacker "turf" wars
– High-profile commercial targets (or just competitors...)
– Useful in cyber-warfare, terrorism etc.
Brief History
First Phase (starting in the '90s): Single-System DoS
• Started as bug/vulnerability exploitation
• The targets are single hosts, single services
• One single malicious packet is often enough
Second Phase (1996-2000): Resource-Consuming DoS
• Resource-consuming requests from many sources
• Internet infrastructure used for attack amplification
Third Phase (after 2000): Distributed DoS
• The bandwidth of network connections is the main target
• Use of many pirated machines, possibly in many attack stages, with an escalating effect that saturates the victim(s)
Brief History (cont.)
Important Events:
• February 7-11, 2000: big commercial sites (CNN, Yahoo, eBay) are taken down by flooding of their networks.
– The attacks capture the attention of the media
– The US President assembles an emergency council of members of Internet and e-commerce companies, civil liberties organizations, and security experts to jointly announce actions strengthening Internet and computer network security
• January 2002: the British ISP CloudNine suspends operations because of continuous interruption of its Internet connectivity.
Distributed DoS
[Figure: the attacker (X) first takes control of pirated machines ("zombies") in Domain A and Domain B (1. Taking control), then commands them to attack the target domain (2. Commanding the attack).]
A DDoS Attack Domain-wise
[Figure: sources of the attack in several domains, attack transit domains, and the target domain. The transit domains are innocent, but their connectivity is affected.]
DDoS Facts
• Some hundreds of persistent flows are enough to knock a large network off the Internet
• Incoming traffic has to be controlled outside the victim's domain, at the upstream providers
• Source IPs on attack packets are usually spoofed
• Offending systems may be controlled without their users suspecting it
• Possibly many levels of command & control:
– Attacker - Manager - Agents
• Examples of automated tools for such attacks: "Trinoo", "Stacheldraht" and "TFN2K" (commonly, if loosely, called rootkits)
Multi-tier attack
[Figure: the attacker (X) commands Attack Masters, which in turn command the attack agents ("zombies") that flood the target domain.]
Reflection DDoS Attack
[Figure: the attacker (X), through an Attack Master, has the "zombies" send legitimate-looking TCP SYN requests to routers and web or other servers, with the source address spoofed to the target; the TCP SYN-ACK answers are delivered to the target domain.]
Reaction to DDoS
• The malicious flows have to be determined. Timely reaction is critical!
• The attack characteristics have to be communicated (in any way possible) upstream. This usually has to be done manually and is an uncertain and time-consuming procedure.
• Filters that block the attack traffic must be set up and maintained. Their effectiveness must be verified.
• The bandwidth penalty is still present throughout all the affected networks. Actions are required on all the networks along the attack path.
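As an added example (not code from the deck or from the Panoptis/NetFlow engine mentioned later), the flow side of the steps above: NetFlow-style records are grouped per destination, a destination receiving a high packet rate from many distinct sources is flagged, the dominant protocol/port/flag tuple becomes the attack characteristics to hand upstream, and the derived filter is re-applied to the records to verify that it actually removes the flood. It also tells a direct SYN flood from the reflection pattern of the earlier slide (SYN-ACKs arriving from real servers' service ports). The `Flow` record layout, the thresholds and the sample flows are constructed assumptions.

```python
"""Flood detection over NetFlow-style records (added example, not the
Panoptis/NetFlow engine of the prototype). Thresholds and records are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str     # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    flags: str     # TCP flags as letters ("S", "SA", ...); "" for non-TCP
    packets: int   # packets seen in the export window


def detect_floods(flows, window_s, min_pps=5000.0, min_sources=100):
    """Flag destinations receiving a high packet rate from many distinct sources
    (spoofed or zombie addresses) and describe the dominant traffic profile.
    Reflected SYN-ACKs are recognised by the reflector's service port on the
    source side rather than by the victim's destination port."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)
    findings = {}
    for dst, fl in by_dst.items():
        pps = sum(f.packets for f in fl) / window_s
        sources = {f.src for f in fl}
        if pps < min_pps or len(sources) < min_sources:
            continue
        profile = defaultdict(int)
        for f in fl:
            port = f.sport if f.flags == "SA" else f.dport
            profile[(f.proto, port, f.flags)] += f.packets
        (proto, port, flags), _ = max(profile.items(), key=lambda kv: kv[1])
        findings[dst] = {"pps": pps, "sources": len(sources), "proto": proto,
                         "port": port, "flags": flags,
                         "kind": "reflection" if flags == "SA" else "direct"}
    return findings


def matches(flow, dst, finding):
    """True when the filter derived from a finding would drop this flow."""
    if flow.dst != dst or flow.proto != finding["proto"]:
        return False
    if finding["kind"] == "reflection":
        return flow.sport == finding["port"] and flow.flags == "SA"
    return flow.dport == finding["port"] and flow.flags == finding["flags"]


def filter_rule(dst, finding):
    """Render a finding as a tcpdump/BPF expression: the attack characteristics
    to hand upstream, and the expression to verify the filter with on a tap."""
    proto, port = finding["proto"], finding["port"]
    if finding["kind"] == "reflection":
        return (f"{proto} and dst host {dst} and src port {port}"
                " and tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)")
    rule = f"{proto} and dst host {dst}"
    if proto in ("tcp", "udp"):
        rule += f" and dst port {port}"
    if finding["flags"] == "S":
        rule += " and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn"
    return rule


def residual_pps(flows, window_s, findings):
    """Packet rate per destination after the filters are applied: the
    effectiveness check. Attack destinations should disappear from the result."""
    left = defaultdict(float)
    for f in flows:
        if f.dst in findings and matches(f, f.dst, findings[f.dst]):
            continue
        left[f.dst] += f.packets / window_s
    return dict(left)


def constructed_flows():
    """A constructed 10-second export: a direct SYN flood, a reflection flood and
    a little legitimate traffic (documentation address ranges)."""
    flows = []
    for i in range(300):   # 300 spoofed sources, 200 SYNs each, toward port 80
        flows.append(Flow(f"203.0.{i // 256}.{i % 256}", "198.51.100.10",
                          "tcp", 40000 + i, 80, "S", 200))
    for i in range(150):   # 150 reflectors answering SYN-ACK from port 80
        flows.append(Flow(f"192.0.2.{i + 1}", "198.51.100.20",
                          "tcp", 80, 50000 + i, "SA", 500))
    for i in range(5):     # ordinary HTTPS traffic, well below the thresholds
        flows.append(Flow(f"192.0.2.{200 + i}", "198.51.100.30",
                          "tcp", 51000 + i, 443, "SA", 50))
    return flows


if __name__ == "__main__":
    flows = constructed_flows()
    found = detect_floods(flows, window_s=10.0)
    for dst, finding in found.items():
        print(f"{dst}: {finding['kind']} flood, {finding['pps']:.0f} pps from "
              f"{finding['sources']} sources -> {filter_rule(dst, finding)}")
    print("residual pps after filtering:", residual_pps(flows, 10.0, found))
```

The source-count threshold is what separates a flood from a single busy client; the re-application step (`residual_pps`) is the "effectiveness must be verified" bullet, and in a live deployment the same `filter_rule` expression can be run on a tap upstream of the filter to confirm the flood is actually being dropped there.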
Reaction to DDoS (cont.)
• Another possible solution (helps the ISP): stop all traffic to the target. Direct it to a central point and discard it. This completes the attack!
• Trace-back efforts:
– Following the routing (if the sources are not spoofed)
– Step by step through the ISPs. Difficult to convince them if they are not concerned about the bandwidth penalty
• Conclusion: it's not a matter of a single site
Our Solution: Inter-Domain Cooperative IDS Entities
Inter-Domain Cooperative IDS Entities
[Figure: Cooperative IDS Entities in participating domains, alongside non-participating domains. Notifications propagate by multicast; each Entity activates filters and reacts according to local policies.]
The Cooperative IDS Entities constitute an Overlay Network
Main Design Characteristics: Architecture
• Unit of reaction to the attack: each administrative domain
• Requires agreement between domains, but this is not difficult since they preserve their independence
• Actions along the attack path in as many networks as possible
• Minimizing the bandwidth loss not only at the victim but at each step of the attack. Non-malicious traffic then has better chances to get through
The Entities
• The Entities compose the infrastructure
– They are the trusted points for the domain
– They manage all communications and reaction within the domain, aimed at stopping an on-going attack
– Communications use multicast methods
– They are at the top of the local IDS hierarchy, thus they combine the local picture with the one from peers
– They are controlled locally according to the choices and policies of the administrator
• They can implement reaction filters on routers, BUT:
– Their duration is controlled, the admin is aware of them, and it is possible to adjust to shifting attack patterns
Main Design Characteristics: Entity Implementation
• Lightweight and modular software architecture, with different components performing the various tasks
• Java Management Extensions (JMX) framework for control and configuration
• Using the Intrusion Detection Message Exchange Format (IDMEF) in all messages achieves compatibility with standards and inter-operability with the installed IDS infrastructure
• Multicast advantages:
– Independence from a specific installation host
– Stealthy presence
– Possible parallel operation of backup Entities
Main Design Characteristics: Internal Entity Architecture
[Figure: the Entity's internal units: Communication Unit (Alerts, Heartbeats and Local Notifications to and from Peer Entities and Local Network Components), Analysis Unit (Event Info), Response Unit (Response Policies, Configuration Transcription) and Filtering Unit, all on the JMX Infrastructure, which is driven from the Management Console.]
What happens during an Attack
[Figure: Cooperative IDS Entities, with hot-spare Entities, in participating domains next to non-participating domains.]
(1) The attack may be detected in many places at the same time with the help of the local IDS
(2) The alerted Entities notify all other ones in their community, using multicast
(3) Some of them may determine that they are not on the attack path
(4) The rest automatically set up filters to suppress the attack
Additional Concepts
• It is possible to create "communities" of Entities and distribute the notifications only within them. Only events transcending two communities are let through, thus limiting traffic and notification overhead
• Thanks to multicast, the communities can be set up either:
– Geographically (by the TTL on the packets)
– According to common interests etc. (by different multicast groups)
• Security
– The messages are encrypted against eavesdropping, BUT with symmetric cryptography
– Additionally, there are timestamps and digital signatures on the messages to prevent replay attacks
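As an added example (not the prototype's code), the receiving side of steps (2) to (4) of the "What happens during an Attack" slide combined with the Security bullet above: an Entity checks a multicast notification carrying a minimal IDMEF Alert for authenticity, freshness and replay, decides from its own NetFlow counters whether it is on the attack path, and installs a filter whose lifetime is bounded. An HMAC-SHA256 tag under a pre-shared community key stands in for the digital signature, and the envelope is not encrypted; the IDMEF fields used, the envelope layout, the thresholds and the sample values are all assumptions.

```python
"""Receiving side of a cooperative IDS notification (added illustration, not the
prototype's code). HMAC-SHA256 under a pre-shared community key stands in for the
digital signature of the slides and the envelope is not encrypted (assumption);
the IDMEF fields, envelope layout and thresholds are assumptions as well."""
import hashlib
import hmac
import json
import time
import xml.etree.ElementTree as ET

IDMEF_NS = "http://iana.org/idmef"             # IDMEF namespace, RFC 4765
COMMUNITY_KEY = b"constructed-community-key"   # constructed; provisioned per community
MAX_SKEW_S = 60        # a timestamp further than this from local time is stale
ON_PATH_PPS = 1000.0   # local rate toward the target that means "we are on the attack path"
FILTER_TTL_S = 600     # a filter lapses unless the attack is notified again
ET.register_namespace("idmef", IDMEF_NS)


def build_alert(analyzer_id, target, proto, port, flags, pps):
    """Minimal IDMEF Alert carrying the attack characteristics."""
    ns = f"{{{IDMEF_NS}}}"
    msg = ET.Element(ns + "IDMEF-Message", version="1.0")
    alert = ET.SubElement(msg, ns + "Alert")
    ET.SubElement(alert, ns + "Analyzer", analyzerid=analyzer_id)
    ET.SubElement(alert, ns + "Classification", text="DDoS flood")
    node = ET.SubElement(ET.SubElement(alert, ns + "Target"), ns + "Node")
    addr = ET.SubElement(node, ns + "Address", category="ipv4-addr")
    ET.SubElement(addr, ns + "address").text = target
    for meaning, value in (("proto", proto), ("port", str(port)),
                           ("flags", flags), ("pps", f"{pps:.0f}")):
        ad = ET.SubElement(alert, ns + "AdditionalData", type="string", meaning=meaning)
        ET.SubElement(ad, ns + "string").text = value
    return ET.tostring(msg, encoding="unicode")


def parse_alert(xml_text):
    """Extract (target, proto, port, flags) from an IDMEF Alert built as above."""
    ns = f"{{{IDMEF_NS}}}"
    alert = ET.fromstring(xml_text).find(ns + "Alert")
    target = alert.findtext(f".//{ns}address")
    extra = {ad.get("meaning"): ad.findtext(ns + "string")
             for ad in alert.findall(ns + "AdditionalData")}
    return target, extra["proto"], int(extra["port"]), extra["flags"]


def _canonical(body):
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_envelope(sender, alert_xml, msgid, key=COMMUNITY_KEY, ts=None):
    """Wrap the alert with sender, unique message id and timestamp, then MAC it."""
    body = {"from": sender, "msgid": msgid,
            "ts": int(time.time() if ts is None else ts), "alert": alert_xml}
    return {**body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


class Entity:
    def __init__(self, name, local_pps, key=COMMUNITY_KEY, clock=time.time):
        self.name, self.key, self.clock = name, key, clock
        self.local_pps = local_pps   # target -> packets/s the local NetFlow engine sees
        self.seen = {}               # msgid -> ts, kept for the skew window
        self.filters = {}            # (proto, target, port, flags) -> expiry time

    def receive(self, env):
        body = {k: v for k, v in env.items() if k != "mac"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(env.get("mac", ""), expected):
            return "rejected: bad mac"
        now = self.clock()
        if abs(now - body["ts"]) > MAX_SKEW_S:
            return "rejected: stale"
        # msgids older than the skew window are already refused as stale above,
        # so the replay cache only needs to remember that window
        self.seen = {m: t for m, t in self.seen.items() if now - t <= MAX_SKEW_S}
        if body["msgid"] in self.seen:
            return "rejected: replay"
        self.seen[body["msgid"]] = body["ts"]
        target, proto, port, flags = parse_alert(body["alert"])
        if self.local_pps.get(target, 0.0) < ON_PATH_PPS:
            return "ignored: not on attack path"
        self.filters[(proto, target, port, flags)] = now + FILTER_TTL_S
        return "filter installed"

    def active_filters(self):
        now = self.clock()
        self.filters = {r: exp for r, exp in self.filters.items() if exp > now}
        return sorted(self.filters)


if __name__ == "__main__":
    alert = build_alert("entity-A", "198.51.100.10", "tcp", 80, "S", 6000)
    env = make_envelope("entity-A", alert, msgid="A-0001")
    on_path = Entity("entity-B", {"198.51.100.10": 6000.0})
    print(on_path.receive(env), "/", on_path.receive(env), "/", on_path.active_filters())
```

The order of the checks matters: the MAC is verified before anything in the envelope is trusted, the timestamp bounds how long a replay cache has to be kept, and only then is the IDMEF body parsed. The on-path decision uses the Entity's own traffic counters rather than the notification, which is what lets a domain that does not carry the flood ignore it, and the filter expiry is the "duration is controlled" property of the Entities slide.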
Current Status
• Currently developing a prototype
– Linking with a Panoptis / NetFlow detection engine
• Plans to deploy it in the Greek Academic Network
• Testing the effectiveness of a peer-to-peer communications scheme in addition to multicast
• Developing the Hot-Spare concepts
Questions and Answers