Defense Against DDoS
Presented by Zhanxiang for [Crab], Apr. 15, 2004

Uploaded by thais, posted 05-Jan-2016

TRANSCRIPT

Page 1: Defense Against DDoS

Defense Against DDoS

Presented by Zhanxiang

for [Crab] Apr. 15, 2004

Page 2: Defense Against DDoS

DoS & DDoS

DoS: “an attack with the purpose of preventing legitimate users from using a victim computing system or network resource” [3]

DDoS: “A Distributed Denial of Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets.” [4]

You may have paid for the hardware, but do you really own your network?

Page 3: Defense Against DDoS

Typical Attack Techniques

SYN flooding
IP spoofing
Bandwidth attack
Filling the victim’s hard disk space
…

Page 4: Defense Against DDoS

What can DoS lead to?

Affected services: website, DNS, mail server, emergency services

Many tools are available for DoS attacks, and teenagers are bound to try them. [2]

Page 5: Defense Against DDoS

Case Study

DDoS attack hits clickbank and spamcop.net, by Mirko Zorz, June 25, 2003

Super Bowl fuels gambling sites' extortion fears, by Paul Roberts, IDG News Service, January 28, 2004

Page 6: Defense Against DDoS

Defense

Two general areas:
Defense against IP spoofing
Defense against bandwidth flooding attacks

Turn to Lingxuan

Page 7: Defense Against DDoS

Against Bandwidth Flooding Attacks

Goal: stop attacks on their way to the victims
Scheme: SIFF [1]

Page 8: Defense Against DDoS

SIFF: Assumptions

Marking space in the IP header.

Routers mark every packet.

Short-term route stability.

Page 9: Defense Against DDoS

Idea

Divide all traffic into two classes:
Privileged: always forwarded
Unprivileged: forwarded only if it does not affect privileged packets

Unprivileged -------------------> Privileged
                  handshake
         (to get the privilege token)

Page 10: Defense Against DDoS

Idea (cont.)

Routers mark packets during the handshake, and match the privilege token while forwarding packets.

The recipient refuses an attack flow by not providing the privilege token, or by providing a false one.

Page 11: Defense Against DDoS

Packet Identifier Design

Flags field (3 bits):
SF: packet is non-legacy
PT: EXP or DTA
CU: capability reply present or not

Capability: marks modified by routers
C-R (capability reply): lets recipients signal a capability to the sender

Page 12: Defense Against DDoS

Handshake

Client                          Server
EXP(0)           -->
                 -->            EXP(α)
                 <--            EXP(0){α}
EXP(β){α}        <--
DTA(!α){β}       -->
                 -->            DTA(!α){β}

(Routers …… sit between client and server and mark or check each packet in transit.)

Legend:
Packet-Type (Capability) {Capability Reply}

Page 13: Defense Against DDoS

Router Marking Calculation

Inputs to the keyed hash function:
IP of the interface at which the packet arrived
IP of the last-hop router’s outgoing interface
Source IP and destination IP of the packet

Keyed hash function -> last z bits -> marking

Page 14: Defense Against DDoS

Marking Scheme for EXP

Packets with a capability field of all zeros get marked with an additional 1 bit.

Routers push their markings into the least significant bits of the capability field.

Page 15: Defense Against DDoS

Authentication Scheme for DTA

Routers check the marking in the least significant bits of the capability field and, if it equals what the marking would be for an EXPLORER packet, rotate it into the most significant bits.

Page 16: Defense Against DDoS

Key Switch

Why? If the hash function does not change periodically, an attacker can simply obtain a capability through a seemingly legitimate request and then use it to flood the server with privileged traffic.

Solution: windowed authentication and marking

Page 17: Defense Against DDoS

Windowed Authentication and Marking for DTA

Routers check that the marking equals one of the valid markings in their window, and always rotate the newest marking in the window into the capability field.

Page 18: Defense Against DDoS

Do Guesses Work?

x: number of markings each router maintains in its window

z: number of bits per router marking

P(x, z): probability that a randomly guessed capability will pass a particular router
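The marking calculation, EXP marking, windowed DTA check and guess probability of the preceding slides, modelled at a single router as an added example (not code from the slides or from the SIFF paper). The field widths, the keys, the flow addresses and the use of HMAC-SHA256 as the keyed hash are assumptions of this example; SIFF's exact bit layout is not reproduced.

```python
import hashlib
import hmac
import ipaddress

Z = 12                 # z: bits per router marking (value assumed for this example)
W = 32                 # capability field width in bits (assumed)
MASK = (1 << Z) - 1

def marking(key: bytes, arrival_if: str, lasthop_if: str, src: str, dst: str) -> int:
    """Router marking: keyed hash of the four inputs on slide 13, keeping the last z bits."""
    msg = b"".join(ipaddress.ip_address(a).packed for a in (arrival_if, lasthop_if, src, dst))
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big") & MASK

def mark_exp(cap: int, m: int) -> int:
    """EXP marking: an all-zero field first gets a 1 bit, then the marking is pushed into the LSBs."""
    if cap == 0:
        cap = 1
    return ((cap << Z) | m) & ((1 << W) - 1)

def verify_dta(cap: int, window: list):
    """Windowed DTA check: the LSBs must equal one of the window's markings (newest first);
    the newest marking is then rotated into the MSBs. Returns the new capability, or None = drop."""
    if (cap & MASK) not in window:
        return None
    return (cap >> Z) | (window[0] << (W - Z))

def guess_pass_probability(window: list) -> float:
    """P(x, z): a uniformly random z-bit guess passes this router exactly when it equals
    one of the distinct markings currently in the window."""
    return len(set(window)) / (1 << Z)

# Constructed flow (arrival if, last-hop if, src, dst) and one constructed key per key-switch epoch.
FLOW = ("10.0.0.1", "10.0.0.2", "192.0.2.10", "198.51.100.5")
EPOCH_KEYS = [b"constructed-key-%d" % i for i in range(3)]

def window_at(epoch: int, x: int = 2) -> list:
    """Markings the router accepts in `epoch`: those of its x most recent keys, newest first."""
    keys = EPOCH_KEYS[max(0, epoch - x + 1): epoch + 1]
    return [marking(k, *FLOW) for k in reversed(keys)]

def scenario() -> dict:
    """A capability learned in epoch 0 survives one key switch (x = 2) but not two."""
    cap = mark_exp(0, marking(EPOCH_KEYS[0], *FLOW))
    return {
        "epoch0": verify_dta(cap, window_at(0)) is not None,
        "epoch1": verify_dta(cap, window_at(1)) is not None,
        "epoch2": verify_dta(cap, window_at(2)) is not None,  # False unless the old marking collides
        "p_guess": guess_pass_probability(window_at(1)),
    }
```

Run `scenario()` to see the key-switch effect from slide 16: the stale capability is accepted while its marking is still in the window and rejected once the window has moved past it.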

Page 19: Defense Against DDoS

Can a Privileged Channel Be Established Under Unprivileged Packet Flooding?

i: number of hops in the network

ε_i: probability of getting dropped at any one of those routers

Page 20: Defense Against DDoS

Limitations

Depends on a mechanism to detect attacks

Networks in which some routers have not implemented SIFF

Colluding attackers

Host granularity, not application granularity

Page 21: Defense Against DDoS

References

[1] SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks. With Avi Yaar and Dawn Song. Appears in 2004 IEEE Symposium on Security and Privacy.

[2] Tools: http://staff.washington.edu/dittrich/misc/ddos/

[3] David Karig and Ruby Lee, “Remote Denial of Service Attacks and Countermeasures,” Princeton University Department of Electrical Engineering Technical Report CE-L2001-002, October 2001.

[4] Lincoln Stein and John N. Stuart, “The World Wide Web Security FAQ”, Version 3.1.2, February 4, 2002. http://www.w3.org/security/faq/ (8 April 2003).