Defense Against DDoS
Presented by Zhanxiang
for [Crab] Apr. 15, 2004
DoS & DDoS
DoS: “an attack with the purpose of preventing legitimate users from using a victim computing system or network resource” [3]
DDoS: “A Distributed Denial of Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets.” [4]
You may have paid for the hardware, but do you really own your network?
Typical Attack Techniques
SYN flooding
IP spoofing
Bandwidth attacks
Filling the victim’s hard disk space
…
What can DoS lead to?
Website
DNS
Mail server
Emergency
Many tools are available for DoS attacks, and teenagers are likely to try them. [2]
Case Study
DDoS attack hits clickbank and spamcop.net, by Mirko Zorz, June 25, 2003
Super Bowl fuels gambling sites' extortion fears, by Paul Roberts, IDG News Service, January 28, 2004
Defense
Two general areas:
Defense against IP spoofing
Defense against bandwidth flooding attacks
Turn to Lingxuan
Against Bandwidth Flooding Attacks
Goal: stop attacks on their way to the victims
Scheme: SIFF [1]
SIFF: Assumptions
Marking space in the IP header.
Routers mark every packet.
Short-term route stability.
Idea
Divide all traffic into two classes:
Privileged: always forwarded
Unprivileged: forwarded only if it does not affect privileged packets
Unprivileged -------------------> Privileged
                 handshake
        (to get the privilege token)
Idea (cont.)
Routers mark packets during the handshake and match the privilege token while forwarding packets.
The recipient refuses an attack flow by not providing the privilege token, or by providing a false one.
Packet Identifier Design
Flags field (3 bits):
SF: packet is non-legacy
PT: packet type, EXP or DTA
CU: whether a capability reply is present
Capability: marks modified by routers
C-R (capability reply): lets the recipient signal a capability to the sender
Handshake (figure: client on the left, server on the right, routers in between marking the packets in transit)
Client → Server: EXP(0), arrives as EXP(α)
Server → Client: EXP(0){α}, arrives as EXP(β){α}
Client → Server: DTA(!α){β}
DTA(!α){β}
…
Legend: Packet-Type (Capability) {Capability Reply}
Router Marking Calculation
Inputs to a keyed hash function:
IP of the interface at which the packet arrived
IP of the last-hop router’s outgoing interface
Source IP and destination IP of the packet
Marking = the last z bits of the keyed hash output
Marking Scheme for EXP
Packets with a capability field of all zeros get marked with an additional 1 bit.
Routers push their markings into the least significant bits of the capability field.
Authentication Scheme for DTA
Routers check the marking in the least significant bits of the capability field and, if it equals what the marking would be for an EXPLORER packet, rotate it into the most significant bits.
Key Switch
Why? If the hash function does not change periodically, an attacker can simply obtain a capability through a seemingly legitimate request and then use it to flood the server with privileged traffic.
Solution: windowed authentication and marking
Windowed Authentication and Marking for DTA
Routers check that the marking equals one of the valid markings in their window, and always rotate the newest marking in the window into the capability field.
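The marking, EXP push, DTA check-and-rotate and key window described on the slides above, as an added toy model (not code from the slides or from the SIFF authors). Everything concrete in it is an assumption chosen for illustration: HMAC-SHA256 as the keyed hash, z = 8 marking bits, a 32-bit capability field that a constructed 4-hop path fills exactly (so the slide's extra 1 bit for an all-zero field is not needed here), a two-key window per router, constructed interface and endpoint addresses, and the reading of the slide's DTA(!α) as "α with its marking order reversed" so that the first router's marking sits in the least significant bits when the client sends DTA packets.

```python
"""Toy SIFF model: router marking, EXP marking, windowed DTA verification.
All parameters and addresses are assumptions for this example."""
import hashlib
import hmac
import ipaddress

Z = 8                    # bits per router marking (assumed)
W = 32                   # width of the capability field (assumed)
HOPS = W // Z            # the constructed path has exactly this many routers
MARK_MASK = (1 << Z) - 1
CAP_MASK = (1 << W) - 1


def pack(*addrs):
    return b"".join(ipaddress.ip_address(a).packed for a in addrs)


class Router:
    """A SIFF-capable router holding a window of marking keys (newest first)."""

    def __init__(self, name, in_iface, last_hop_out, window=2):
        self.in_iface = in_iface          # IP of the interface the packet arrived on
        self.last_hop_out = last_hop_out  # IP of the last-hop router's outgoing interface
        self.window = window
        self.keys = [hashlib.sha256(f"{name}/k0".encode()).digest()]

    def switch_key(self):
        """Key switch: a fresh key becomes newest; keys that fall out of the window stop being accepted."""
        nxt = hashlib.sha256(self.keys[0] + b"/next").digest()
        self.keys = [nxt] + self.keys[: self.window - 1]

    def mark(self, key, src, dst):
        """Marking = last Z bits of a keyed hash over (arrival iface, last-hop iface, src, dst)."""
        mac = hmac.new(key, pack(self.in_iface, self.last_hop_out, src, dst), hashlib.sha256).digest()
        return int.from_bytes(mac[-2:], "big") & MARK_MASK

    def forward_exp(self, cap, src, dst):
        """EXP: push the newest marking into the least significant bits."""
        return ((cap << Z) | self.mark(self.keys[0], src, dst)) & CAP_MASK

    def forward_dta(self, cap, src, dst):
        """DTA: the LSBs must equal one marking in the window; rotate the newest
        marking into the MSBs. Returns None when the packet is dropped."""
        window = [self.mark(k, src, dst) for k in self.keys]
        if cap & MARK_MASK not in window:
            return None
        return ((cap >> Z) | (window[0] << (W - Z))) & CAP_MASK


def reverse_markings(cap):
    """Put the first router's marking in the LSBs (assumed meaning of DTA(!α))."""
    out = 0
    for _ in range(HOPS):
        out = (out << Z) | (cap & MARK_MASK)
        cap >>= Z
    return out


def send(path, kind, cap, src, dst):
    """Carry one packet through the routers; returns the capability on arrival, or None if dropped."""
    for r in path:
        cap = r.forward_exp(cap, src, dst) if kind == "EXP" else r.forward_dta(cap, src, dst)
        if cap is None:
            return None
    return cap


def build_path():
    # constructed 4-hop client -> server path: (name, arrival iface, last-hop outgoing iface)
    hops = [("R1", "10.0.1.1", "10.0.0.2"), ("R2", "10.0.2.1", "10.0.1.2"),
            ("R3", "10.0.3.1", "10.0.2.2"), ("R4", "10.0.4.1", "10.0.3.2")]
    return [Router(*h) for h in hops]


def demo():
    """Handshake, a guessed capability, and a key switch at R2; returns the observations."""
    client, server = "192.0.2.10", "198.51.100.20"        # constructed endpoints
    path = build_path()
    r2, r2_k0 = path[1], path[1].keys[0]
    alpha = send(path, "EXP", 0, client, server)            # EXP(0) arrives as EXP(alpha)
    cap = reverse_markings(alpha)                           # client sends DTA(!alpha)
    echoed = send(path, "DTA", cap, client, server)         # server would return this in its C-R
    guess = send(path, "DTA", cap ^ 0x1, client, server)    # attacker flips a bit of the capability
    r2.switch_key()
    after_one = send(path, "DTA", cap, client, server)      # old marking still inside R2's window
    r2.switch_key()
    after_two = send(path, "DTA", cap, client, server)      # old key has left the window
    fresh_ok = send(path, "DTA", after_one, client, server)  # capability refreshed by rotation
    collision = r2.mark(r2_k0, client, server) in [r2.mark(k, client, server) for k in r2.keys]
    return {"alpha": alpha, "cap": cap, "echoed": echoed, "guess": guess, "after_one": after_one,
            "after_two": after_two, "fresh_ok": fresh_ok, "collision": collision}


if __name__ == "__main__":
    print(demo())
```

With unchanged keys the rotation reproduces the capability the client sent, which is why the server can simply echo the arriving field in its capability reply; after a key switch the echoed field already carries the router's newest marking, so a client that keeps using the refreshed value never falls out of the window, while a stale capability (or an attacker's guess) is dropped at the first router whose check fails. The `collision` field only records the small chance that two z-bit markings coincide.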
Do Guesses Work?
x: number of markings each router maintains in its window
z: number of bits per router marking
P(x, z): probability that a randomly guessed capability will pass a particular router
Can a Privileged Channel be Established Under Unprivileged Packet Flooding?
i: number of hops in the network
ε_i: probability of getting dropped at any one of those routers
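The slides define x, z, P(x, z), i and ε_i but the formulas themselves are not on the page, so the following is an added derivation (mine, not the presenter's or the SIFF paper's) under stated assumptions: the x markings in a router's window are independent uniformly random z-bit values, every SIFF router on the path checks independently, both directions of the handshake cross i hops, and each hop drops an unprivileged packet with the same probability eps (the slide's ε_i).

```python
"""Guessing and handshake probabilities for the SIFF parameters on the slides.
Formulas are this example's own derivation under the assumptions in the lead-in."""
import math


def guess_passes_router(x, z):
    """P(x, z): a random z-bit guess matches at least one of x window markings
    (assumes the x markings are independent and uniform over 2**z values)."""
    return 1.0 - (1.0 - 2.0 ** -z) ** x


def guess_passes_path(x, z, hops):
    """A forged capability must pass every SIFF router on the path."""
    return guess_passes_router(x, z) ** hops


def handshake_succeeds(eps, hops):
    """Both EXP packets (client->server, server->client) must survive `hops` routers,
    each dropping an unprivileged packet with probability eps."""
    per_direction = (1.0 - eps) ** hops
    return per_direction ** 2


def handshake_attempts_for(target, eps, hops):
    """Smallest number of independent handshake attempts whose success probability is >= target.
    Returns None when no attempt can succeed (every packet is dropped)."""
    p = handshake_succeeds(eps, hops)
    if p <= 0.0:
        return None
    if p >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))


def privileged_rate_from_guessing(x, z, hops, pps):
    """Expected privileged packets per second an attacker obtains by spraying random
    capabilities at `pps` packets per second (what the window size x costs in guessability)."""
    return pps * guess_passes_path(x, z, hops)


if __name__ == "__main__":
    for z in (2, 4, 8):
        print(f"z={z}: P(2, {z}) = {guess_passes_router(2, z):.4f} per router, "
              f"{guess_passes_path(2, z, 5):.2e} over a 5-hop path")
    for eps in (0.2, 0.5, 0.9):
        print(f"eps={eps}: 10-hop handshake succeeds with p={handshake_succeeds(eps, 10):.3e}, "
              f"attempts for 99%: {handshake_attempts_for(0.99, eps, 10)}")
```

The two functions pull in opposite directions: a wider window x makes a key switch painless for legitimate clients but raises P(x, z), and the attacker's only recourse is to raise the per-hop drop rate eps, which the handshake attempts count shows is a cost to legitimate clients rather than a break of the capability itself.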
Limitations
Depends on a mechanism to detect the attack
Networks in which some routers have not implemented SIFF
Colluding attackers
Host granularity, not application granularity
References
[1] Abraham (Avi) Yaar, Adrian Perrig, and Dawn Song. “SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks.” 2004 IEEE Symposium on Security and Privacy.
[2] Tools: http://staff.washington.edu/dittrich/misc/ddos/
[3] David Karig and Ruby Lee, “Remote Denial of Service Attacks and Countermeasures,” Princeton University Department of Electrical Engineering Technical Report CE-L2001-002, October 2001.
[4] Lincoln Stein and John N. Stuart. “The World Wide Web Security FAQ”, Version 3.1.2, February 4, 2002. http://www.w3.org/security/faq/ (8 April 2003).