Post on 21-Dec-2015

Page 1
Characterizing and Defending Against DDoS Attacks
Christos Papadopoulos
...and many others
Page 2
How Do Computers Find Each Other?
[Figure: Computer 1 and Computer 2 connected through the Internet]
Page 3
What Are the Different Kinds of Addresses?
A domain name (e.g., www.usc.edu): a global, human-readable name
DNS translates the name to an IP address (e.g., 128.125.19.146): global, understood by all networks
Finally, we need a local network address, e.g., Ethernet (08-00-2c-19-dc-45): local, works only on a particular network
Page 4
Domain Name System (DNS)
[Figure: Computer 1 asks the local DNS server "What's the IP address for www.usc.edu?"; the server answers "It is 128.125.19.146"]
The DNS server address is manually configured into the OS
Page 5
Finding the Ethernet Address: Address Resolution Protocol (ARP)
[Figure: on the Ethernet, a broadcast asks "Who knows the Ethernet address for 128.125.51.41?"; the owner answers by broadcast "I do, it is 08-00-2c-19-dc-45"]
Page 6
Sending a Packet Through the Internet
[Figure: a mesh of hosts (H) and routers (R); a packet is forwarded router by router from one host to another]
Routers send the packet to the next closest point
H: Hosts
R: Routers
The Internet routes packets based on their destination!
Page 7
Smurf Attack
[Figure: the attacker sends a broadcast echo request into the amplifier network; the source address is spoofed to be the target's address]
Many echo replies are received by the target, since most machines on the amplifier network respond to the broadcast
Page 8
TCP SYN Flooding - A More Powerful Attack
Normal handshake: client (port 33623/tcp) and server (port 23/tcp)
    SYN
    SYN-ACK
    ACK
    [session proceeds] [ACK set for the remainder of the session]
Attack: spoofed source (nonexistent host) and target (port 23/tcp)
    SPOOFED SYN
    SYN-ACK (sent to the nonexistent host)
    FINAL ACK NEVER SENT
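The handshake diagram above shows why the attack costs the target state: each spoofed SYN leaves a half-open connection whose final ACK never arrives. The following is an added example written for this page (it is not code from the slides or from the COSSACK project); it replays a constructed flag-level connection log against a stand-in server `10.0.0.9` and counts, per server, how many handshakes completed versus stalled half-open, flagging the server when the half-open count reaches an assumed listen backlog of 16.

```python
SERVER = "10.0.0.9"   # constructed stand-in for "target (port 23/tcp)"; not a real host


def build_sample_events():
    """Constructed flag-level connection log, not a real capture.

    Each record is (time_s, src_ip, dst_ip, flags) with flags
    "S" (SYN), "SA" (SYN-ACK) or "A" (final ACK)."""
    events, t = [], 0.0
    for i in range(1, 4):                       # three real clients complete the 3-way handshake
        client = f"10.0.1.{i}"
        events += [(t, client, SERVER, "S"),
                   (t + 0.01, SERVER, client, "SA"),
                   (t + 0.02, client, SERVER, "A")]
        t += 0.1
    for i in range(1, 21):                      # twenty SYNs from nonexistent hosts: SYN-ACK goes nowhere
        fake = f"198.51.100.{i}"
        events += [(t, fake, SERVER, "S"),
                   (t + 0.01, SERVER, fake, "SA")]
        t += 0.05
    return events


def track_handshakes(events):
    """Replay the log in order and return, per server, how many handshakes
    started, completed, or are still half-open (SYN-ACK sent, no ACK)."""
    state = {}                                  # (client, server) -> "SYN" | "HALF_OPEN" | "ESTABLISHED"
    for _, src, dst, flags in events:
        if flags == "S":
            state[(src, dst)] = "SYN"
        elif flags == "SA" and state.get((dst, src)) == "SYN":
            state[(dst, src)] = "HALF_OPEN"     # server has allocated connection state and is waiting
        elif flags == "A" and state.get((src, dst)) == "HALF_OPEN":
            state[(src, dst)] = "ESTABLISHED"
    summary = {}
    for (_client, server), st in state.items():
        s = summary.setdefault(server, {"syn": 0, "half_open": 0, "established": 0})
        s["syn"] += 1
        if st == "HALF_OPEN":
            s["half_open"] += 1
        elif st == "ESTABLISHED":
            s["established"] += 1
    return summary


def flag_syn_flood(summary, backlog=16):
    """Servers whose half-open count has reached the listen backlog (16 is an assumed size)."""
    return sorted(server for server, s in summary.items() if s["half_open"] >= backlog)


if __name__ == "__main__":
    summary = track_handshakes(build_sample_events())
    print(summary)
    print("SYN flood suspects:", flag_syn_flood(summary))
```

On the constructed log the server ends with 3 established and 20 half-open handshakes out of 23 SYNs, which is the signature a monitor at the victim's perimeter would look for: SYN volume is ordinary, but the completion ratio collapses.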
Page 9
So, What Is DDoS?
Distributed Denial of Service
A new, more pernicious type of attack
Many hosts "gang up" to attack another host
A network resource attack on bandwidth and state
Page 10
Why Should We Care?
Successfully used to attack prominent sites on the Internet by people with only a primitive understanding of Internet protocols
It is relatively easy to do, but hard to detect and stop
It is only going to get worse unless we develop adequate protection mechanisms
Page 11
Anatomy of an Attack
Compromise a large set of machines
Install attack tools
Instruct all attack machines to initiate an attack against a victim
The process is highly automated
Page 12
Phase 1: Compromise
A (stolen) account is used as repository for attack tools.
A scan is performed to identify potential victims.
A script is used to compromise the victims.
Page 13
Phase 2: Install Attack Tools
• An automated installation script is then run on the “owned” systems to download and install the attack tool(s) from the repository.
• Optionally, a “root kit” is installed on the compromised systems.
Page 14
Phase 3: Launch Attack
• Launch a coordinated DDoS from different sites against a single victim.
• The network pipes of the attackers can be small, but their aggregated bandwidth is far larger than the victim's pipe.
• The victim's ISP may not notice the elevated traffic.
• DDoS attacks are harder to track than a DoS.
Page 16
Some Known DDoS Attack Tools
Trin00
Tribal Flood Network (TFN)
Tribal Flood Network 2000 (TFN2K)
Stacheldraht
Page 17
Stacheldraht
Combines features of trin00 and TFN.
Adds encryption between the attacker and masters, and automated update of agents.
Communication between the attacker and masters takes place on TCP port 16660.
Daemons receive commands from masters through ICMP echo replies.
Supports ICMP, UDP, SYN flood and Smurf attacks.
Page 18
    # ./client 192.168.0.1
    [*] stacheldraht [*]
    (c) in 1999 by ...
    trying to connect...
    connection established.
    --------------------------------------
    enter the passphrase : sicken
    --------------------------------------
    entering interactive session.
    ******************************
    welcome to stacheldraht
    ******************************
    type .help if you are lame
    stacheldraht(status: a!1 d!0)>
Page 19
    stacheldraht(status: a!1 d!0)>.help
    available commands in this version are:
    --------------------------------------------------
    .mtimer .mudp .micmp .msyn .msort .mping
    .madd .mlist .msadd .msrem .distro .help
    .setusize .setisize .mdie .sprange .mstop .killall
    .showdead .showalive
    --------------------------------------------------
    stacheldraht(status: a!1 d!0)>
Page 20
Some Commands
.distro user server
    Instructs the agent to install and run a new copy of itself using the Berkeley "rcp" command, on the system "server", using the account "user" (e.g., "rcp user@server:linux.bin ttymon")
.madd ip1[:ip2[:ipN]]
    Add IP addresses to the list of attack victims.
.mdie
    Sends a die request to all agents.
Page 21
COSSACK: Coordinated Suppression of Simultaneous Attacks
Computer Networks Division, ISI
http://www.isi.edu/cossack
Page 22
People
Co-PIs: Christos Papadopoulos, Bob Lindell (USC/ISI)
Affiliations: Ramesh Govindan (USC/ISI)
Staff: John Mehringer (ISI)
Students: Alefiya Hussain (USC)
DARPA synergies: D-WARD - Peter Reiher, Jelena Mirkovic (UCLA); SAMAN - John Heidemann (USC/ISI)
Page 23
Cossack Overview
Distributed set of watchdogs at the network perimeter:
• Local IDS
• Group communication
• Topology information (when available)
Fully distributed approach:
• Peer-to-peer rather than master-slave
• Attack-driven dynamic grouping of watchdogs
• Attack correlation via coordination with other watchdogs
• Independent, selective deployment of countermeasures
Page 24
Cossack: A Simplified View
[Figure: several attackers, a target, and watchdogs (W) at the perimeter of the networks between them]

Page 25
Attacks Begin
[Figure: the attackers start sending traffic toward the target; watchdogs (W) sit at the perimeters]

Page 26
Watchdogs Communicate Using YOID
[Figure: same topology, with the watchdogs joined in a YOID group]

Page 27
Attacks Detected
[Figure: same topology with YOID; the attack is detected]

Page 28
Watchdogs Install Filters and Eliminate Attack
[Figure: same topology; the watchdogs filter the attack traffic]

Page 29
Detecting Source Spoofed Attacks
[Figure: same topology with YOID]
Page 30
Cossack Watchdog Architecture
[Figure: components of a watchdog, connected to the YOID multicast group]
• Yoid Multicast Interface
• Distributed Blackboard
• Snort Interface
• Rate Monitor
• Other IDS (D-WARD)
• Pulsing Detector
• Event Monitor
• Router Control: Router Interface, Cisco Interface, Linux IPTables
Page 31
Cossack Plugin Operation
[Figure: the watchdog components of page 30, with data flows labelled Packet Flow Statistics, Packet Averages Grouped by Destination Address, and Request more stats]

Page 32
Cossack Plugin Operation
[Figure: as on page 31; after the Request for more stats, the plugin also reports Packet Averages Grouped by Source Address]
Page 33
Cossack Network Inspector
Tool to determine detection thresholds for watchdogs
Interfaces with the Cossack Snort plugin
Collects aggregate-level network traffic statistics
Traffic filters created using Snort rules
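Pages 31 to 33 describe a two-stage flow: the plugin first reports packet averages grouped by destination address, the watchdog requests more statistics only for destinations that cross a threshold, and the Network Inspector is used to set that threshold. The following is an added example written for this page (it is not the COSSACK plugin or Network Inspector code); it runs that flow over a constructed one-second window of (source, destination) packet records. The mean-plus-three-standard-deviations threshold rule and the cutoff of 10 distinct sources for calling a flood multi-source are assumptions, not values from the slides.

```python
from collections import Counter
from statistics import mean, pstdev


def build_sample_packets():
    """Constructed one-second window of (src_ip, dst_ip) packet records; not a real trace."""
    packets = []
    for i in range(20):                       # ordinary traffic: three clients talking to one server
        packets.append((f"10.0.1.{i % 3 + 1}", "10.0.0.5"))
    for i in range(400):                      # flood from 40 distinct sources at one victim
        packets.append((f"203.0.113.{i % 40 + 1}", "10.0.0.9"))
    for _ in range(150):                      # flood from a single source at another host
        packets.append(("198.51.100.7", "10.0.0.12"))
    return packets


def pps_by_destination(packets, window_s):
    """Stage 1: packet averages grouped by destination address."""
    counts = Counter(dst for _, dst in packets)
    return {dst: n / window_s for dst, n in counts.items()}


def sources_for_destination(packets, dst):
    """Stage 2, on request only: packet counts grouped by source address for one destination."""
    return Counter(src for src, d in packets if d == dst)


def threshold_from_baseline(baseline_pps, k=3.0):
    """Detection threshold from quiet-period per-destination rates: mean + k standard deviations.
    The Network Inspector's own method is not described on the slides; this rule is an assumption."""
    return mean(baseline_pps) + k * pstdev(baseline_pps)


def classify_window(packets, window_s, threshold_pps, multi_source_min=10):
    """Flag destinations above threshold, then pull the per-source breakdown only for those."""
    report = {}
    for dst, pps in pps_by_destination(packets, window_s).items():
        if pps < threshold_pps:
            continue                          # below threshold: no need to request more stats
        by_src = sources_for_destination(packets, dst)
        kind = "multi-source" if len(by_src) >= multi_source_min else "single-source"
        report[dst] = {"pps": pps, "sources": len(by_src), "class": kind,
                       "top_source": by_src.most_common(1)[0][0]}
    return report


if __name__ == "__main__":
    threshold = threshold_from_baseline([10, 12, 14, 16, 18])   # constructed quiet-period rates
    for dst, info in classify_window(build_sample_packets(), 1.0, threshold).items():
        print(dst, info)
```

With the constructed baseline the threshold comes out near 22.5 packets per second, so the ordinary server at 20 pps is never examined further, while the two flooded hosts are flagged and then separated into a multi-source flood (40 sources) and a single-source flood (one dominant source).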
Page 34
Cossack Performance
Response time: 5 – 30 seconds
Insensitive to attack type
Page 35
Attack Capture and Analysis
Goal: capture some attacks, analyze them and learn from them
Packet-level capture facilities at several sites: Los Nettos, USC, CAIDA [Telcordia, Sprint]
Spectral analysis
Page 36
Tracing Infrastructure
[Figure: the Los Nettos trace machine (140 Mbps, 38 kpps) sits between the Internet (LA-MAE; Verio, Cogent, Genuity) and the Los Nettos customers (JPL, Caltech, TRW, USC, Centergate)]
Page 37
Captured Attacks
Captured and classified about 120 attacks over several months

| Attack class  | Count | PPS         | Kbps        |
|---------------|-------|-------------|-------------|
| Single-source | 37    | 133-1360    | 640-2260    |
| Multi-source  | 10    | 16000-98000 | 13000-46000 |
| Reflected     | 20    | 1300-3700   | 1700-3000   |
| Unclassified  | 13    | 550-33500   | 1600-16000  |
Page 38
Spectral Attack Analysis
[Figure: two Normalized Cumulative Spectrum (NCS) plots, each with its F(60%) point marked]
Multi-source attack (145 sources): localization of power in the low frequencies of the NCS
Single-source attack: strong higher frequencies and a linear NCS
Page 39
Spectral Analysis
Goal: identify single- vs. multi-source attacks
• Single-source: F(60%) mean 268 Hz (240-295 Hz)
• Multi-source: F(60%) mean 172 Hz (142-210 Hz)
• Able to robustly categorize unclassified attacks
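The F(60%) statistic used on pages 38 and 39 can be computed directly from a packet-arrival time series. The following is an added example written for this page and is not the authors' analysis code: it bins packet counts per millisecond (a 1000 Hz sample rate and a 250 ms window are assumed), takes a plain DFT periodogram without any external library, forms the normalized cumulative spectrum, and reads off the lowest frequency at which 60% of the power has accumulated. The two input series are constructed stand-ins, one with most of its power at 300 Hz (single-source-like) and one with most of its power at 12 Hz (multi-source-like); the 220 Hz classification cutoff is an assumed midpoint between the two means the slide reports, not a value from the slides.

```python
import math

SAMPLE_RATE_HZ = 1000.0   # packet counts binned per millisecond (assumed)
N_BINS = 250              # 250 ms window -> 4 Hz frequency resolution (assumed)


def synthetic_arrivals(components, n=N_BINS, fs=SAMPLE_RATE_HZ, base_rate=10.0):
    """Constructed packets-per-ms series: a base rate plus cosine components (freq_hz, amplitude)."""
    return [base_rate + sum(a * math.cos(2 * math.pi * f * t / fs) for f, a in components)
            for t in range(n)]


def power_spectrum(x):
    """One-sided periodogram via a plain O(N^2) DFT; the mean is removed so the DC bin carries no power."""
    n = len(x)
    mean = sum(x) / n
    centered = [v - mean for v in x]
    spectrum = []
    for k in range(n // 2 + 1):
        re = im = 0.0
        for t, v in enumerate(centered):
            angle = 2 * math.pi * k * t / n
            re += v * math.cos(angle)
            im -= v * math.sin(angle)
        spectrum.append((re * re + im * im) / n)
    return spectrum


def normalized_cumulative_spectrum(spectrum):
    """NCS: running sum of power divided by total power, so it rises from 0 to 1."""
    total = sum(spectrum)
    ncs, running = [], 0.0
    for p in spectrum:
        running += p
        ncs.append(running / total)
    return ncs


def f_quantile(ncs, fs=SAMPLE_RATE_HZ, fraction=0.6):
    """Lowest frequency at which the NCS reaches `fraction`; with 0.6 this is the slides' F(60%)."""
    n = 2 * (len(ncs) - 1)                    # number of time samples behind this one-sided spectrum
    for k, c in enumerate(ncs):
        if c >= fraction:
            return k * fs / n
    return fs / 2


def f60(series):
    return f_quantile(normalized_cumulative_spectrum(power_spectrum(series)))


def classify(series, threshold_hz=220.0):
    """Assumed cutoff between the reported single-source (268 Hz) and multi-source (172 Hz) means."""
    return "single-source" if f60(series) > threshold_hz else "multi-source"


# Constructed stand-ins: one attacker bursting at 300 Hz, versus many slow sources whose
# aggregate has its power in the low frequencies (as on page 38).
SINGLE_SOURCE = synthetic_arrivals([(300.0, 5.0), (20.0, 1.0)])
MULTI_SOURCE = synthetic_arrivals([(12.0, 4.0), (40.0, 3.0), (300.0, 1.0)])

if __name__ == "__main__":
    for name, series in (("single-source", SINGLE_SOURCE), ("multi-source", MULTI_SOURCE)):
        print(name, "F(60%) =", f60(series), "Hz ->", classify(series))
```

Because each constructed component sits exactly on a DFT bin, the NCS jumps at those bins and F(60%) lands on 300 Hz for the single-source series and 12 Hz for the multi-source one; on real captures the curve is smoother, which is why the slides report ranges rather than single values.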
Page 40
Conclusions
Cossack is a fully distributed approach against DDoS attacks
The software is operational and currently undergoing Red Team testing
We continue to capture attacks, analyze them and learn from them
The spectral analysis work is very promising
http://www.isi.edu/cossack