Denial of Service (engweb.swan.ac.uk/~tmchen/papers/talk-bupt-ddos-aug2004.pdf)
TC/BUPT/8-7-04 SMU Engineering p. 2
Outline
• Introduction
• Basics of DoS
• Distributed DoS (DDoS)
• Defenses
• Tracing Attacks
Introduction
What is DoS?
• 4 types of DoS attack
- Resource starvation -- disrupt a resource on a particular machine
• Example: consume CPU cycles, memory
- Bandwidth consumption -- block all network access by flooding traffic
• Usually distributed DoS (DDoS) used for flooding
What is DoS (cont)
- Programming flaws -- failure of application or operating system to handle exceptional conditions
• Example: very long data input
- Routing and DNS attacks
• Change routing tables or DNS caches
Recent Cases
• August 17, 1999 U. Minnesota campus network shut down by DoS attack
• February 7, 2000 DoS shut down Yahoo, eBay, Amazon, Buy.com, CNN, other Web sites
• October 21, 2002 DoS against Internet root name servers (up to 150,000 pings/second)
Recent Cases (cont)
• January 2004 DDoS against SCO Web site
- SCO unpopular for lawsuits against Linux
• June 2004 DDoS against Akamai’s servers
Recent Cases (cont)
• Jan. 2004 - today: DDoS attacks against online gambling Web sites, to extort money
- Nov. 2003 British police arrested suspects in Latvia
- 20 July 2004 Russian and British police arrested extortion group in St Petersburg
- Many other groups worldwide are believed to be doing the same
Goals and Motivations
• Unlike most security attacks, goal is not control of computers
• Goal is usually revenge or extortion, but any motives are possible
• DoS attacks get little respect from hackers (because too easy), but can be highly effective
Prevalence
• DoS attacks are common
Percentage of organizations affected by DoS attacks (source: 2003 CSI/FBI Computer Crime and Security Survey):
  1999: 31%
  2000: 27%
  2001: 36%
  2002: 40%
  2003: 42%
Damage Costs
• DoS is costly to organizations (second behind theft of proprietary info.)
Average loss per organization due to DoS attacks (source: 2003 CSI/FBI Computer Crime and Security Survey):
  2000: $108K
  2001: $122K
  2002: $297K
  2003: $1.4M
Basics of DoS
Direct Attacks - Land
• Land attack: IP packet with source address same as destination address
- Target Windows NT before Service Pack 4
• Causes machine to loop, consuming CPU cycles
Direct Attacks - Teardrop
• Teardrop attack: overlapping IP fragments
- Target old Linux systems, Windows NT/95
• Some systems cannot reassemble overlapping IP fragments properly -- could cause system to reboot or crash
Direct Attacks - Ping of Death
• Ping of death attack: ICMP ping message longer than 65,536 bytes
- Target early versions of various operating systems
• Some systems could crash or freeze
Direct Attacks - SYN Flood
• SYN flood attack: many TCP SYN requests but no SYN/ACKs
- Target any system
• Target starts to open many TCP (half-open) connections
• Number of half-open connections is limited -- then machine cannot open any real connections
SYN Flood (cont)
Diagram: the attacker sends one TCP SYN after another; the target answers each with SYN/ACK and keeps the half-open connections while waiting for the handshake to complete.
Indirect Attacks - Smurf
• Smurf attack: ICMP echo request (ping) with fake source IP address to IP broadcast address
- Fake source address is target
- Computers must return ICMP echo replies
- Works with any systems
Smurf (Reflector) Attack
Diagram: a ping with a forged source address is sent to the LAN's IP broadcast address; each host on the LAN sends its ping reply to the forged address, which is the target.
Smurf (cont)
• One packet is “amplified” (multiplied) into many
• Attacker’s address is not seen
• Many innocent machines are used for attack
• Some LANs restrict or disable broadcast address
Distributed DoS (DDoS)
Trend to DDoS
• Nov. 1999 CERT workshop report warned that new distributed DoS tools will make DDoS attacks easier and more common
• 7 Feb. 2000 DDoS attacks took down Yahoo, e*Trade, eBay, Buy.com, CNN.com for several hours
• DDoS attacks are now common
What is DDoS?
• 2-phase attack
• Stealthy preparation: many computers (often home PCs with broadband) are infected with DoS agent (Trojan horse)
• Attack: computers are instructed to flood traffic to target
DDoS network
Diagram: attacker -> masters -> daemons -> flood -> target. Some hosts are set up as “masters” and wait for commands from the attacker; many “daemons” wait for commands from the masters and flood the target.
DDoS Concerns
• Automated DDoS tools easy to find
• DDoS attack can be launched with single instruction
• Attacker is not directly involved during attack -- hard to trace
• Many innocent computers are compromised (maybe 10,000-100,000)
DDoS Tools
• Trin00
• TFN
• TFN2K
• Stacheldraht
• Worms: Code Red, Nimda, Lion,…
Trin00
• Trin00 was used in the August 1999 DDoS attack on U. of Minnesota
• Attacker steals an account to use
• Takes over Solaris and Linux systems with buffer overflow attack
- A few are chosen as “masters”
- The others are chosen as daemons
Trin00 network
Diagram: the attacker reaches the masters by telnet to TCP port 27665; the masters control the daemons over UDP ports 27444 and 31335.
Trin00 (cont)
• Masters understand various commands:
- Start/stop DoS an IP address
- Set attack time/duration
- Ping daemons
- Disable daemons
- List daemons
Trin00 (cont)
• Daemons understand commands:
- DoS an IP address
- Set attack time/duration
- Ping request
- Shut down
• DoS attack is UDP flood to random ports
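A defender-side check for the Trin00 traffic described on these slides, written as an added example (not code from the slides or from Trin00): it flags the control-channel ports listed above (telnet to TCP 27665, UDP 27444 and 31335) and the daemons' UDP flood to random ports. The flow records, addresses and thresholds are constructed for the example.

```python
"""Detection heuristics for Trin00-style traffic over constructed flow records."""
from collections import defaultdict

# Control-channel ports listed on the slides.
TRIN00_MASTER_TCP = {27665}            # attacker -> master (telnet)
TRIN00_DAEMON_UDP = {27444, 31335}     # master <-> daemon

# Constructed flow records: (timestamp, proto, src, sport, dst, dport).
# Addresses come from documentation ranges; nothing here is a real capture.
SAMPLE_FLOWS = [
    (0.0, "tcp", "198.51.100.7", 40001, "192.0.2.10", 27665),   # attacker -> master
    (0.1, "udp", "192.0.2.10", 31335, "192.0.2.20", 27444),     # master -> daemon
    (0.2, "udp", "192.0.2.10", 31335, "192.0.2.21", 27444),     # master -> daemon
    (1.0, "tcp", "203.0.113.5", 50000, "192.0.2.30", 443),      # ordinary HTTPS
    (1.1, "udp", "203.0.113.9", 5353, "192.0.2.30", 53),        # ordinary DNS
]
# One daemon flooding a target with UDP to 300 distinct ports in 0.3 s (constructed).
SAMPLE_FLOWS += [
    (2.0 + i * 0.001, "udp", "192.0.2.20", 1024 + i, "198.51.100.99", 2000 + 3 * i)
    for i in range(300)
]


def find_control_channels(flows):
    """Return (label, src, dst) for flows using the Trin00 master/daemon ports."""
    hits = []
    for ts, proto, src, sport, dst, dport in flows:
        if proto == "tcp" and dport in TRIN00_MASTER_TCP:
            hits.append(("trin00-master-telnet", src, dst))
        elif proto == "udp" and (dport in TRIN00_DAEMON_UDP or sport in TRIN00_DAEMON_UDP):
            hits.append(("trin00-daemon-udp", src, dst))
    return hits


def find_udp_port_floods(flows, window=1.0, min_ports=100):
    """Flag (src, dst, distinct_ports) when one source sends UDP to >= min_ports
    distinct destination ports on one host within `window` seconds.

    Trin00 daemons flood random UDP ports; legitimate UDP clients talk to a
    handful of well-known ports, so port fan-out in a short window is the signal.
    """
    by_pair = defaultdict(list)
    for ts, proto, src, sport, dst, dport in sorted(flows):
        if proto == "udp":
            by_pair[(src, dst)].append((ts, dport))
    alerts = []
    for (src, dst), events in by_pair.items():
        start = 0
        seen = defaultdict(int)      # dport -> occurrences inside the sliding window
        for ts, dport in events:
            seen[dport] += 1
            while events[start][0] < ts - window:   # expire events older than the window
                old = events[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) >= min_ports:
                alerts.append((src, dst, len(seen)))
                break                # one alert per (src, dst) pair is enough
    return alerts
```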
TFN (Tribe Flood Network)
• Similar to Trin00 with more capabilities:
• More ways for attacker to communicate with masters
• ICMP is used between masters and daemons, instead of TCP, because network monitoring tools sometimes do not look into ICMP data field
TFN (cont)
• More types of attacks:
- UDP flood
- ICMP echo request flood
- SYN flood
- Smurf attack
TFN2K (TFN 2000)
• More capabilities added to TFN:
• Randomly chooses TCP, UDP, or ICMP for messages
- More difficult to track TFN2K traffic
• All traffic is one way (attacker to masters, masters to daemons)
- Daemons never transmit, not even acknowledgements -- harder to detect
TFN2K (cont)
• Masters transmit commands 20 times, hoping daemons will receive at least once
• Random decoy messages are sent to confuse any network monitoring
• Messages are encrypted for privacy
• Teardrop and Land attacks are added
Stacheldraht
• Stacheldraht (German for “barbed wire”) based on TFN with added features
• Attacker uses encrypted telnet-like connection to send commands to masters
• Daemons can upgrade on demand by downloading new program code
Defenses
Defenses in General
• DoS attacks use various methods, so different defenses are needed
• Land, Teardrop, and ping of death have been fixed in current operating systems
• Current operating systems can detect SYN floods and implement protection
• Directed broadcasts are now usually disabled to protect against Smurf attacks
Defenses in General (cont)
• Defenses against DDoS attacks are the most difficult
- Prevention: specialized tools are available to detect known DDoS tools, but new DDoS tools may be undetectable
- During attack: firewalls and routers can filter, block, and slow down attack traffic
- During and after attack: various ideas proposed for IP traceback
Proposed Pushback Scheme
• Backpressure:
Diagram: DDoS traffic converges on a congested router near the target; that router sends messages upstream asking neighbouring routers to rate limit or drop packets going to the target.
Tracing Attacks
Problem and Difficulties
• IP traceback: to find the real source of DDoS attack when packets are spoofed
• Difficulties
- Internet not designed for traceback (routers are stateless)
- DDoS networks have multiple layers -- attacking daemons are innocent victims, not real attacker
Current Traceback
• Today traceback is completely manual -- too slow and complicated
• Log into router A, find traffic coming from router B, log into router B, and so on
Diagram: Target <- Router A <- Router B <- Router C; the operator finds A, then finds B, then finds C.
Traceback - Proposals
• Routers record information about forwarded packets for later inquiry
• Routers add information to forwarded packets (packet marking)
• Routers send information about forwarded packets via another channel (e.g., ICMP)
MCI DosTrack
• Automates the manual backtrack process with Perl scripts at routers
• Perl scripts find upstream interface at each router for packets going to target
Diagram: Target <- Router A <- Router B <- Router C, with a Perl script at each router finding the upstream interface (find A, find B, find C).
CenterTrack
• DosTrack retraces route hop by hop -- could take long time
• CenterTrack proposes overlay network of IP tunnels to reroute traffic through special tracking routers
- Tracking routers can retrace more quickly to find edge router near source
CenterTrack
Diagram: attack traffic from the source to the target is rerouted through a tracking router via tunnels.
CenterTrack
Diagram: with the tracking router in the path, traceback from the target to the source takes only 2 hops.
ICMP Traceback
• Proposal for IETF
• Each router chooses a packet randomly, e.g., 1 in 20,000
- Generates special ICMP traceback packet to follow chosen packet to same destination
- ICMP traceback packet carries IP address of router
ICMP Traceback (cont)
Diagram: Target <- Router A <- Router B <- Router C; Router C picks a random packet and sends an ICMP traceback packet that identifies Router C to the target.
Routers discovered on attack paths
Diagram: the target discovers a few routers on the attack paths initially; as more ICMP traceback packets arrive, more routers are discovered.
ICMP Traceback (cont)
• With enough ICMP traceback packets, DDoS target can accumulate info. about routes taken by attack
• Drawbacks:
- Extra traffic created
- May be hard to infer routes -- works best for small number of sources
- ICMP packets may be blocked by firewalls
Hash-based Traceback
• Routers keep a small record of recent packets using a hash function
- Hash: mathematical thumbprint of packet, virtually unique for every packet
• To trace back, routers ask their neighbors about a packet’s hash
- Packet can be traced hop by hop
Hash-based Traceback
Diagram: as a packet passes Router C, Router B and Router A on its way to the target, each router applies the hash function to the packet and keeps the resulting hash H.
Hash-based Traceback
Diagram: to trace back, the target asks Router A, then Router B, then Router C to find the packet's hash H in their records.
Hash-based Traceback
• No extra traffic
• Disadvantages:
- Only most recent packets are remembered
• Traceback must be soon after an attack
- Tracing is hop by hop -- can take long time for long routes
- Computation burden (hash) for every packet
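The hop-by-hop lookup described on the hash-based traceback slides, as an added simulation (not code from the slides or from any traceback implementation). It assumes a small constructed topology, a digest over the header fields that do not change hop to hop (TTL is left out), and a per-router memory of only four digests so the "only most recent packets are remembered" drawback can be shown.

```python
"""Hash-based traceback simulation: routers remember packet digests, the target asks upstream."""
import hashlib
from collections import deque


def packet_digest(pkt):
    """Hash the invariant header fields plus the first bytes of payload.

    TTL is decremented by every router, so it must not be part of the digest
    or the same packet would hash differently at each hop.
    """
    key = f"{pkt['src']}|{pkt['dst']}|{pkt['proto']}|{pkt['id']}|".encode()
    return hashlib.sha256(key + pkt["payload"][:8]).hexdigest()


class Router:
    def __init__(self, name, memory=4):
        self.name = name
        self.upstream = []                  # neighbours traffic can arrive from
        self.recent = deque(maxlen=memory)  # bounded digest store; old entries fall out

    def forward(self, pkt):
        self.recent.append(packet_digest(pkt))
        pkt["ttl"] -= 1

    def remembers(self, digest):
        return digest in self.recent


def build_topology():
    """Constructed path Source -> RouterC -> RouterB -> RouterA -> Target, plus a decoy neighbour."""
    target = Router("Target")
    a, b, c = Router("RouterA"), Router("RouterB"), Router("RouterC")
    decoy = Router("RouterD")       # neighbour of A that never carried the packet
    target.upstream = [a]
    a.upstream = [decoy, b]
    b.upstream = [c]
    return target, [c, b, a, target]


def send(path, pkt):
    for router in path:
        router.forward(pkt)


def traceback(start, digest):
    """Walk upstream from `start`, following whichever neighbour remembers the digest."""
    route = [start.name]
    node = start
    while True:
        matches = [n for n in node.upstream if n.remembers(digest)]
        if not matches:
            return route            # no neighbour remembers it: trace ends here
        node = matches[0]
        route.append(node.name)


def demo():
    """Trace a packet right away, then again after newer packets have evicted its digest."""
    target, path = build_topology()
    attack = {"src": "203.0.113.5", "dst": "192.0.2.1", "proto": 17,
              "id": 4242, "ttl": 64, "payload": b"constructed flood payload"}
    digest = packet_digest(attack)
    send(path, attack)
    fresh = traceback(target, digest)
    # Four more packets fill every router's 4-entry memory and push the digest out.
    for i in range(4):
        send(path, {**attack, "id": i, "ttl": 64})
    stale = traceback(target, digest)
    return fresh, stale
```

The second trace stops at the target, which is the slide's point that traceback must happen soon after the attack.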
Packet Marking
• Advantages:
- No extra traffic
- No state info. for routers
- No need to interrogate routers
• Challenge:
- Mark packets with enough info. to identify route without changing IP header format
Packet Marking (cont)
• Packet marking can be
- Deterministic (all packets)
- Random (subset of packets)
Deterministic Packet Marking
• Each packet is marked upon entry into network to identify source router
• Proposed to use 16-bit identification field for mark, but router IP address is 32 bits
- Identification field is used for fragmentation, but fragmentation occurs in less than 1 percent of traffic
- Need 2 packets to carry router’s address
Deterministic Packet Marking
Diagram: source router C splits its IP address into two halves and writes one half into the 16-bit ID field of each of two packets; the packets travel via Router B and Router A to the target.
Deterministic Packet Marking
• Computation cost for every packet
• Lost packets can cause errors in traceback (need 2 packets to reconstruct source router’s IP address)
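Reassembling the source router's address from the two halves, as an added example (not the slides' or the DPM authors' code). It assumes that a one-bit flag next to the ID field says which half a packet carries (the slides do not say how the halves are told apart) and that all packets from one source address enter at the same source router; the addresses are constructed. The reassembler returns None while a half is missing, which is the packet-loss error the slide above mentions.

```python
"""Deterministic packet marking: 32-bit router address over two 16-bit ID fields."""
import ipaddress
from collections import defaultdict


def split_address(router_ip):
    """Return (high 16 bits, low 16 bits) of a dotted IPv4 address."""
    addr = int(ipaddress.IPv4Address(router_ip))
    return (addr >> 16) & 0xFFFF, addr & 0xFFFF


def mark_stream(router_ip, packets):
    """Source router marks every packet: halves alternate, a flag says which half.

    The flag bit is an assumption of this example; the slides only say that
    two packets are needed to carry the address.
    """
    halves = split_address(router_ip)
    for i, pkt in enumerate(packets):
        which = i % 2
        pkt["id"] = halves[which]       # overwrites the ID field (unused when unfragmented)
        pkt["flag"] = which             # 0 = high half, 1 = low half
    return packets


class DpmReassembler:
    def __init__(self):
        # Halves are keyed by the source address the target sees, on the
        # assumption that one source always enters at the same router.
        self.halves = defaultdict(dict)

    def observe(self, pkt):
        self.halves[pkt["src"]][pkt["flag"]] = pkt["id"]

    def source_router(self, src):
        """Return the source router's address, or None while either half is missing."""
        h = self.halves.get(src, {})
        if 0 not in h or 1 not in h:
            return None
        return str(ipaddress.IPv4Address((h[0] << 16) | h[1]))


def demo(router_ip="198.51.100.1", src="203.0.113.5"):
    """Mark a constructed stream; reassemble with all packets and with only one delivered."""
    stream = [{"src": src, "id": 0, "flag": 0} for _ in range(4)]
    mark_stream(router_ip, stream)
    complete = DpmReassembler()
    for pkt in stream:
        complete.observe(pkt)
    lossy = DpmReassembler()
    lossy.observe(stream[0])            # only the packet carrying the high half arrived
    return complete.source_router(src), lossy.source_router(src)
```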
Probabilistic Packet Marking
• PPM proposed by U. Washington
• Routers choose packets randomly for marking with some low probability, e.g., 1/25
- Marked packets are random subset of total traffic
PPM (cont)
• Instead of router address, proposed mark is an “edge” (route segment)
• Edge = <address of first marking router, address of second marking router, distance between the two routers>
- An edge makes it easier to infer the entire route than a single router address does
Page 64
PPM
Diagram: Target, Router A, Router B, Router C. Router C adds its IP address to the mark; Router A adds its IP address to the mark. Mark = <C's address, A's address, distance 2>
Page 65
PPM (cont)
• Mark is put into Identification field in IP header
• 16-bit ID field is too short to carry entire mark
- Mark is divided into parts, spread over 8 packets
• With enough packets, entire mark can be recovered at destination
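The edge-sampling scheme from the last three slides, simulated end to end as an added example (not the talk's or U. Washington's code). Assumptions not on the slides: the whole edge rides in one packet instead of being split over 8 ID fields, a marking router that finds a completed edge simply starts a new one, and the router names R1..R6 (R1 next to the target) are constructed labels.

```python
import random

# Probabilistic packet marking with edge marks <start, end, distance>, where
# start and end are the two marking routers and distance the hops between them.
MARK_PROB = 1 / 25          # marking probability quoted on the slides


def mark_packet(mark, router, p=MARK_PROB, rng=random):
    """One router's step on a mark of the form (start, end, distance) or None."""
    marking = rng.random() < p
    if mark is None or mark[1] is not None:
        # no edge in progress: start a fresh one only if this router marks
        return (router, None, 0) if marking else mark
    start, _end, dist = mark
    dist += 1                                  # one more hop from the start
    return (start, router if marking else None, dist)


def send_packet(path, p=MARK_PROB, rng=random):
    """Carry one packet through path (source router first, target last)."""
    mark = None
    for router in path:
        mark = mark_packet(mark, router, p, rng)
    return mark


def collect_edges(path, n_packets, p=MARK_PROB, seed=1):
    """Target side: remember every completed edge seen across n_packets."""
    rng = random.Random(seed)
    edges = set()
    for _ in range(n_packets):
        mark = send_packet(path, p, rng)
        if mark is not None and mark[1] is not None:
            edges.add(mark)
    return edges


def reconstruct_path(edges, first_hop):
    """Order routers by hop count from the target by chaining edge distances.
    first_hop is the router directly upstream, which the target knows itself."""
    hops = {first_hop: 1}
    changed = True
    while changed:                              # relax until no edge adds a router
        changed = False
        for start, end, dist in edges:
            if end in hops and start not in hops:
                hops[start] = hops[end] + dist
                changed = True
    return sorted(hops, key=hops.get, reverse=True)   # farthest router first
```

With the slides' 1/25 probability the far edges take far more packets to appear than with the 0.3 used for a quick run, which is the "with enough packets" condition on the slide.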
Page 66
Edges discovered on attack paths
Diagram: Target discovers a few edges initially
Page 67
Edges discovered on attack paths
Diagram: Target discovers more edges
Page 68
Edges discovered on attack paths
Diagram: Target with false-positive edges. Small chance that marks will be reconstructed incorrectly (false positives)
Page 69
PPM (cont)
• We have proposed a random packet marking scheme
• Router chooses packets at random
- Mark is a random number, added between packet header and payload
- Limited to single ISP -- mark must be removed before packet leaves ISP
- Router sends number to network manager
Page 70
PPM (cont)
Diagram: Target, Router A, Router B, Router C, network manager. Router C inserts a random number N into a packet
Page 71
PPM (cont)
Diagram: Target, Router A, Router B, Router C, network manager. Router C also sends the number N to the network manager; the target asks the network manager where packet mark N came from
Page 72
Conclusions
• IP traceback for DDoS is an active research area
- Traceback is also useful to find real sources of other types of attacks
• Researchers are studying various approaches, e.g., packet marking