Distributed Denial of Services: the Problem, its Solutions, and their Problems

52 slides


PowerPoint PPT presentation

TRANSCRIPT

Page 1: Distributed Denial of Services the Problem, its Solutions, and their Problems

08/02/01 S. Felix Wu --UCCS Visit 1

Distributed Denial of Services: the Problem, its Solutions, and their Problems

Dr. S. Felix Wu
Computer Science Department
University of California, Davis
http://www.cs.ucdavis.edu/~wu/
[email protected]

Page 2

Denial of Service attack: beyond Authenticity, Authority, and Privacy

Figure: a computer system has finite resources (bandwidth, connections, buffer space, ...); an attacker consumes all or most of the resources, and services to the victims are denied!

Page 3

Distributed DoS: yahoo, ebay, msn, ...

Figure: a Master controls many Slaves; hundreds/thousands of Slaves simultaneously launch attacks, the attack traffic is aggregated, and the result is Denial of Service: no service or degraded service.

Page 4

The Plain DDoS Model (1999-2000)

Figure: attackers control masters, which control slaves; the slaves send attack packets (src: random, dst: victim) through the ISP to the victim (.com).

1,500 bytes per pkt, ~10K bits per pkt, ~100K pkts per second
2000 slaves, 50 pkts per second per slave, 0.5M bits per second

Page 5

Reflector

• Use a legitimate network server/client as the reflector to avoid being traced (stepping stone).

Figure: the Slave sends a service request packet (src: Victim, dst: Reflector); the Reflector sends a service reply packet (src: Reflector, dst: Victim).

Page 6

The Reflective DDOS Model (2000)

Figure: attackers, masters, slaves, reflectors, ISP, victim (.com); slave to reflector: src: victim, dst: reflector; reflector to victim: src: reflector, dst: victim.

Page 7

Internet Source Accountability

Figure: networks UCD, AOL and UUNet; a packet (header src: AOL, dst: UCD; payload ...) travelling between points A and B.

Page 8

Possible Solutions

• Stop it!!
– egress/ingress filtering
– aggregated-flow anomaly-based rate limiting
• ISP, dot-COM, ...
• Trace it!!
– where are the slaves and masters?
• Law enforcement agencies, ...

Page 9

Ingress/egress filtering: boosting source accountability

Drop it or not?? Is the source IP address of this incoming IP packet valid from this particular network interface???

1. Static configuration
2. Routing table reverse look-up
3. Routing information analysis (BGP/OSPF/RIP)

Figure: filtering policies at a router; Net: 169.237.6.*; 207.12.1.56.
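Worked example (added here; not from the slides): the reverse-path check behind option 2, in Python. The prefix 169.237.6.0/24 and the address 207.12.1.56 are from the slide; the routing table, the interface names and the sample packets are constructed for the example, and option 1 (static configuration) is shown as an explicit per-interface allow list.

```python
import ipaddress

# Constructed routing table for the filtering router: prefix -> the interface
# through which that prefix is reached. 169.237.6.0/24 and the address
# 207.12.1.56 appear on the slide; the interface names and the other prefixes
# are assumptions made for this example.
ROUTES = {
    ipaddress.ip_network("169.237.6.0/24"): "eth1",  # the campus network sits behind eth1
    ipaddress.ip_network("207.12.0.0/16"): "eth0",   # a provider prefix on the upstream side
    ipaddress.ip_network("0.0.0.0/0"): "eth0",       # default route: the rest of the Internet
}


def reverse_lookup(src, routes=ROUTES):
    """Option 2 on the slide: look the *source* address up in the routing table
    (longest prefix match) and return the interface the router would use to
    reach it. A genuine packet from src should arrive on that same interface."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, iface in routes.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def ingress_ok(src, iface, static_allow=None, routes=ROUTES):
    """Decide "drop it or not" for a packet with source src arriving on iface.

    static_allow, when given, is option 1 (static configuration): a mapping
    interface -> list of source prefixes permitted on it; anything else is
    dropped. Without it, option 2 (routing-table reverse lookup) applies."""
    addr = ipaddress.ip_address(src)
    if static_allow is not None:
        allowed = static_allow.get(iface, [])
        return any(addr in ipaddress.ip_network(p) for p in allowed)
    return reverse_lookup(src, routes) == iface


def filter_packets(packets, static_allow=None):
    """Apply the policy to (src, iface) pairs and return a verdict per packet."""
    return [(src, iface, "forward" if ingress_ok(src, iface, static_allow) else "drop")
            for src, iface in packets]


# Constructed sample: two genuine packets and two whose source address cannot
# legitimately arrive on the interface they showed up on.
SAMPLE = [
    ("169.237.6.10", "eth1"),  # campus host leaving campus: ok
    ("207.12.1.56", "eth0"),   # outside host arriving from upstream: ok
    ("169.237.6.10", "eth0"),  # claims to be campus but arrives from upstream: spoofed
    ("207.12.1.56", "eth1"),   # claims to be outside but leaves from campus: spoofed
]

if __name__ == "__main__":
    for src, iface, verdict in filter_packets(SAMPLE):
        print(f"{src:14} on {iface}: {verdict}")
```

The strict reverse-path form drops legitimate packets wherever routing is asymmetric (the path back to the source differs from the one the packet arrived on), so it is deployed at edges where the topology is known; that is why the slide's third option, analyzing BGP/OSPF/RIP information, matters closer to the core.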

Page 10

Aggregate-Based Congestion Control: avoiding micro-flow management

Figure: RED buffer (Random Early Dropping) with thresholds at 50% and 80% of occupancy; good for aggressive but responsive TCP flows...

Page 11

Aggregate-Based Congestion Control: avoiding micro-flow management

Figure: RED buffer (50% / 80%) feeding rate limiters; a High-Bandwidth AG-Flow Analyzer answers "High-bandwidth AG-Flow?" (yes / no). E.g., all ICMP packets toward dst: 169.237.6.*.

(1). How to determine the signature of an AG-Flow??
(2). How to set the limited rate for an AG-Flow??
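Worked example (added; not the deck's code): an aggregate-based limiter in Python that keeps no per-micro-flow state. The RED thresholds (50%, 80%) and the example aggregate (all ICMP toward 169.237.6.*) come from the slides; the signature rule (protocol plus destination /24), the flagging rule (more than half of link capacity in one interval), the token-bucket rate and the sample traffic are assumptions, one possible answer to the two questions the slide leaves open.

```python
import ipaddress
from collections import defaultdict

# RED thresholds from the slide: below 50% of buffer occupancy nothing happens,
# between 50% and 80% packets are dropped randomly and early, and above 80%
# the router asks the analyzer which aggregate is responsible.
RED_MIN, RED_MAX = 0.50, 0.80


def aggregate_key(pkt):
    """Aggregate signature assumed for this example: (protocol, destination /24).
    The slide's "all ICMP packets toward dst 169.237.6.*" becomes
    ("icmp", "169.237.6.0/24"). Choosing the signature is question (1)."""
    net = ipaddress.ip_network(pkt["dst"] + "/24", strict=False)
    return (pkt["proto"], str(net))


def find_high_bandwidth_aggregates(packets, capacity_bytes, share=0.5):
    """The High-Bandwidth AG-Flow Analyzer: sum bytes per signature over one
    measurement interval and report aggregates above `share` of link capacity."""
    volume = defaultdict(int)
    for p in packets:
        volume[aggregate_key(p)] += p["size"]
    return {k: v for k, v in volume.items() if v > share * capacity_bytes}


class TokenBucket:
    """Rate limiter for one aggregate: `rate` bytes per millisecond with at most
    `burst` bytes of credit. Integer timestamps keep the arithmetic exact."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0

    def allow(self, size, now_ms):
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last) * self.rate)
        self.last = now_ms
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def run_interval(packets, capacity_bytes, queue_occupancy, limit_rate, limiters=None):
    """Forward one interval of packets. Only when the queue is above RED_MAX does
    the analyzer run; each flagged aggregate gets a token bucket (the limited rate
    of question (2) is simply a parameter here, two seconds of burst credit).
    Unflagged traffic is forwarded with no per-flow state. For brevity the verdict
    is applied to the interval it was measured on; a router would apply it to the next."""
    limiters = {} if limiters is None else limiters
    flagged = {}
    if queue_occupancy >= RED_MAX:
        flagged = find_high_bandwidth_aggregates(packets, capacity_bytes)
        for key in flagged:
            limiters.setdefault(key, TokenBucket(limit_rate, burst=2000 * limit_rate))
    forwarded, dropped = [], []
    for p in packets:
        bucket = limiters.get(aggregate_key(p))
        if bucket is not None and not bucket.allow(p["size"], p["t"]):
            dropped.append(p)
        else:
            forwarded.append(p)
    return forwarded, dropped, flagged


def sample_traffic():
    """Constructed one-second interval (timestamps in ms): 100 ICMP packets of
    90 bytes toward 169.237.6.x, 10 ms apart, plus 5 TCP packets to 207.12.1.56."""
    icmp = [{"proto": "icmp", "dst": f"169.237.6.{1 + i}", "size": 90, "t": 10 * i}
            for i in range(100)]
    tcp = [{"proto": "tcp", "dst": "207.12.1.56", "size": 100, "t": 200 * i}
           for i in range(5)]
    return sorted(icmp + tcp, key=lambda p: p["t"])


if __name__ == "__main__":
    fwd, drop, flagged = run_interval(sample_traffic(), 10_000, 0.9, limit_rate=1)
    print("flagged:", flagged, "forwarded:", len(fwd), "dropped:", len(drop))
```

With a 10,000-byte interval capacity the ICMP aggregate (9,000 bytes) is flagged and throttled to 1 byte/ms while the five TCP packets pass untouched; at 30% queue occupancy the analyzer never runs and nothing is dropped.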

Page 12

Packet Tracing

• A transit router puts a mark in the data packets themselves (like UPS/FedEx).
– find the space in the packet to perform the mark?
• A transit router puts a mark outside of the data packets. (I have seen it!!)
– find the bandwidth in the Internet?

Page 13

Statistical Packet Marking

Figure: the plain DDoS model (attackers, masters, slaves, ISP, victim; attack packets src: random, dst: victim).

Page 14

Marking procedure at router R:
  for each packet w
    let x be a random number from [0..1)
    if x < p then
      write R into w.start and 0 into w.distance
    else
      if w.distance == 0 then
        write R into w.end
      increment w.distance

Figure: example topology with attackers A5 and A6 and routers R1 to R9.

IP header: ver | hlen | TOS | Total Length; Identification | flags | offset; Time to live | Protocol | Header checksum; Source IP address; Destination IP address. The 16-bit Identification field is overloaded to carry the mark: offset (bits 0-2) | Distance (bits 3-7) | Edge fragment (bits 8-15).
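Worked example (added; it is not code from the slides or from the marking scheme's authors): the marking procedure above as Python, run over a constructed two-slave topology, together with the victim-side reconstruction the slide does not show. Router names, the marking probability p = 0.04 and the packet counts are assumptions; marks are carried as full identifiers rather than squeezed into the 16-bit field pictured on the slide.

```python
import random


def new_packet():
    """Packet as it leaves the attacker: mark fields empty, distance 0. These
    initial values are under the attacker's control, which is the "weak
    authentication" problem the next slide lists."""
    return {"start": None, "end": None, "distance": 0}


def mark(packet, router, p, rng):
    """The marking procedure at router R from the slide, for one packet."""
    if rng.random() < p:
        packet["start"] = router        # start a new edge sample at this router
        packet["end"] = None
        packet["distance"] = 0
    else:
        if packet["distance"] == 0:     # the previous hop started an edge: close it
            packet["end"] = router
        packet["distance"] += 1         # hops since the edge was sampled


def forward(path, n_packets, p, rng):
    """Send n_packets from an attacker through `path` (attacker side first,
    victim side last) and return the packets as the victim receives them."""
    received = []
    for _ in range(n_packets):
        pkt = new_packet()
        for router in path:
            mark(pkt, router, p, rng)
        received.append(pkt)
    return received


def reconstruct(received, max_hops=32):
    """Victim side. Distance-0 samples name the router adjacent to the victim;
    a sample at distance d is the edge (start, end) whose end is the router at
    distance d-1. Chaining them outward from the victim rebuilds every attack
    path; with several slaves the result is a tree, returned as a list of paths."""
    edges = {}
    for pkt in received:
        if pkt["start"] is None:        # no router sampled this packet
            continue
        edges.setdefault(pkt["distance"], set()).add((pkt["start"], pkt["end"]))
    paths = []

    def walk(node, d, acc):
        upstream = [s for (s, e) in edges.get(d + 1, ()) if e == node]
        if not upstream or d + 1 >= max_hops:
            paths.append(list(reversed(acc)))   # attacker side first
            return
        for s in upstream:
            walk(s, d + 1, acc + [s])

    for (s, _e) in edges.get(0, ()):
        walk(s, 0, [s])
    return sorted(paths)


def simulate_tree(seed=1, n_packets=3000, p=0.04):
    """Constructed topology: slave A5 reaches the victim via R1-R2-R3-R4 and
    slave A6 via R5-R6-R3-R4. p = 0.04 is an assumed marking probability; the
    slide gives none. Returns (true paths, reconstructed paths)."""
    rng = random.Random(seed)
    paths = [["R1", "R2", "R3", "R4"], ["R5", "R6", "R3", "R4"]]
    received = []
    for path in paths:
        received += forward(path, n_packets, p, rng)
    return sorted(paths), reconstruct(received)


if __name__ == "__main__":
    truth, rebuilt = simulate_tree()
    print("true paths:   ", truth)
    print("reconstructed:", rebuilt)
```

A packet that reaches the victim still carrying the attacker's initial fields is ignored because no router set start; the remaining weakness the next slide calls weak authentication is that nothing stops an attacker from pre-filling start with a bogus router, which the victim then sees as one extra hop beyond the true first router, since the distance field ranks such samples last but does not reject them.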

Page 15

Problems with Packet Marking

• 16 bits is unreliable and restrictive.
– partial IP header information
– weak authentication
– inefficiency
• cannot handle reflective DDoS.
– requires modification of the TCP protocol stack (and specification) -- not sure exactly how to do it completely and correctly.

Page 16

Figure: the reflective DDoS model (attackers, masters, slaves, reflectors, ISP, victim; slave to reflector: src: victim, dst: reflector; reflector to victim: src: reflector, dst: victim), annotated with question marks.

Page 17

ICMP Traceback

• For a very small probability (about 1 in 20,000), each router will send the destination a new ICMP message indicating the previous hop for that packet.
• Net traffic increase at endpoint is probably acceptable.

iTrace it or not??

Page 18

Original iTrace

Figure: the plain DDoS model (attackers, masters, slaves, ISP, victim; attack packets src: random, dst: victim).

Page 19

iTrace in Reflective DDOS

Figure: the reflective DDoS model (attackers, masters, slaves, reflectors, ISP, victim; slave to reflector: src: victim, dst: reflector; reflector to victim: src: reflector, dst: victim).

Page 20

Improved ICMP Traceback

• For a very few packets (about 1 in 20,000), each router will send the destination and the source a new ICMP message indicating the previous hop for that packet.

• Net traffic increase at endpoint is probably acceptable.

Page 21

Figure: the Slave sends a service request packet (src: Victim, dst: Reflector); the Reflector sends a service reply packet (src: Reflector, dst: Victim); source traceback messages reach the Victim, the spoofed source: Who has spoofed me??

Page 22

Improved iTrace

Figure: the reflective DDoS model (attackers, masters, slaves, reflectors, ISP, victim; slave to reflector: src: victim, dst: reflector; reflector to victim: src: reflector, dst: victim).

Page 23

Figure: the Victim sends a genuine service request packet (src: Victim, dst: www.yahoo.com) through its ISP and receives source traceback messages: Is that really me??? How can I tell??

Page 24

Maybe it is my friend...

Figure: the plain DDoS model (attackers, masters, slaves, ISP, victim; src: random, dst: victim) with ordinary customers next to the slaves: Are you sure that this is from a slave or not?

Page 25

Emitting a "relatively small" amount

Figure: the plain DDoS model (attackers, masters, slaves, ISP, victim; attack packets src: random, dst: victim).

Page 26

iTrace Probability: 1/20,000

Figure: a router's traffic split into attack traffic and background traffic.

For a router with "lots" of background traffic, it will take a long time before we really generate a "useful" iTrace.

Page 27

A Statistic Problem with iTrace

• Routers closer to the victims have higher probability to generate iTrace packets toward the true victims in the first N iTrace messages generated.

• Routers closer to the DDoS slaves might have relatively small probability (smaller than the routers around the victims) to generate “useful” iTrace packets fast enough.

Page 28

"Usefulness"

• Useful:
– It carries attack packets.
• Valuable:
– It carries attack packets from a router that is very close to the original slaves.
– We have not received the same "kind" of iTrace messages before.
– The iTrace messages are received fast.

Page 29

Three Types of Nodes

• DDoS victim with the intention to trace the slaves.

• DDoS victim without the intention.

• non-DDoS victims (assuming they do not have the intention as well -- and very likely they hope they won’t receive ones).

Page 30

Intention-driven iTrace

• Different destination hosts, networks, domains/ASs have different "intention levels" in receiving iTrace packets.
– We propose to add one "iTrace-intention" bit.
• Some of them might not care about iTrace, and some of them might not be under DDoS attacks, for example.

Page 31

Issues

• How to determine the intention bit?
• How to distribute the intention bits to routers globally?
• How to use the intention bits at each router?

Page 32

Figure: test-bed topology with numbered nodes.

Page 33

iTrace / Intention-Driven iTrace architecture

Figure: packets pass through the packet-forwarding table; a decision module combines the iTrace generation bit (1/20000) with the intention bits taken from the BGP routing table to drive iTrace generation (1/20000).

Page 34

Processing Overhead

Processing for each data packet:
1. if the iTrace flag bit is 1,
   (1). send an iTrace message for this data packet.
   (2). reset the iTrace bit to 0.

When the 1/20K iTrace message trigger occurs:
1. Select and set one iTrace bit in the forwarding table.

Page 35

Forwarding table with the I(n) iTrace bit per prefix.

(1). Before iTrace trigger:
152.1.23.0/24    0
169.20.3.0/24    0
192.1.0.0/16     0
207.3.4.183/20   0
152.1.0.0/16     0
155.0.0.0/16     0

(2). After iTrace trigger:
152.1.23.0/24    0
169.20.3.0/24    0
192.1.0.0/16     0
207.3.4.183/20   0
152.1.0.0/16     1
155.0.0.0/16     0

Page 36

(3). After iTrace sent:
152.1.23.0/24    0
169.20.3.0/24    0
192.1.0.0/16     0
207.3.4.183/20   0
152.1.0.0/16     0
155.0.0.0/16     0

(I(n) iTrace bit)

Page 37

Page 38

Usefulness in MSMV

Figure: chart of usefulness in MSMV.

Page 39

How to distribute I(n)?

• YABE: (Yet Another BGP Extension)
– For every BGP route update, we include I(n) as a new string in the community attribute:
• 0x[iTrace-Intention]:0x[0-1] (optional & transitive)
– These I(n) values will be forwarded or even aggregated by the routers who understand this new community attribute.
• aggregation: I(new) = max {I(n)}
– Rate-limiting on intention update:
• should not be more frequent than Keep-Alive messages.
• should not trigger any major route computation.
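Worked example (added here; not the project's code) covering the statistical problem of pages 26-27, the per-packet processing and forwarding-table bits of pages 34-36, and the I(new) = max{I(n)} aggregation rule of page 39. The prefixes 152.1.0.0/16 and 207.3.0.0/20 are adapted from the forwarding-table slide and 169.237.6.0/24 from the filtering slide; the traffic mix, the deterministic stand-in for the 1/20000 trigger, and picking a random intended entry on each trigger are assumptions.

```python
import ipaddress
import random

ITRACE_RATE = 1 / 20000   # from the deck: roughly one iTrace message per 20,000 packets


class ForwardingEntry:
    """One row of the packet-forwarding table: prefix, its intention bit I(n)
    (1 = this destination wants iTrace messages) and the per-entry iTrace bit
    that the 1/20000 trigger sets and the next matching packet consumes."""

    def __init__(self, prefix, intention):
        self.prefix = ipaddress.ip_network(prefix)
        self.intention = intention
        self.itrace_bit = 0


class Router:
    def __init__(self, entries):
        self.table = entries

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [e for e in self.table if addr in e.prefix]
        return max(matches, key=lambda e: e.prefix.prefixlen) if matches else None


def periodic_trigger(n):
    """Deterministic stand-in for the 1/20000 event: fires on every n-th packet."""
    return lambda i: i % n == 0


def random_trigger(rng, p=ITRACE_RATE):
    """The real thing: an independent coin flip per packet."""
    return lambda i: rng.random() < p


def original_itrace(dsts, trigger):
    """Original iTrace: whenever the trigger fires, the current packet, whatever
    its destination, gets an iTrace message sent toward that destination."""
    return [dst for i, dst in enumerate(dsts) if trigger(i)]


def intention_driven_itrace(router, dsts, trigger, rng):
    """Processing from page 34. Per data packet: if the matching entry's iTrace
    bit is 1, send an iTrace for this packet and reset the bit. On each trigger:
    select one entry with I(n)=1 and set its iTrace bit."""
    msgs = []
    for i, dst in enumerate(dsts):
        entry = router.lookup(dst)
        if entry is not None and entry.itrace_bit == 1:
            msgs.append(dst)
            entry.itrace_bit = 0
        if trigger(i):
            intended = [e for e in router.table if e.intention == 1]
            if intended:
                rng.choice(intended).itrace_bit = 1
    return msgs


def useful_fraction(router, msgs):
    """Page 28's first criterion: a message is useful if it went to a destination
    that is under attack, i.e. one whose I(n) is 1."""
    if not msgs:
        return 0.0
    useful = 0
    for dst in msgs:
        entry = router.lookup(dst)
        if entry is not None and entry.intention == 1:
            useful += 1
    return useful / len(msgs)


def expected_packets_until_useful(attack_share, p=ITRACE_RATE):
    """Pages 26-27 in one formula: if a fraction attack_share of a router's traffic
    is attack traffic, the first useful original-iTrace message takes on average
    1 / (p * attack_share) packets."""
    return 1.0 / (p * attack_share)


def aggregate_intention(values):
    """YABE aggregation rule from page 39: I(new) = max{I(n)}."""
    return max(values)


def demo(seed=7, n_packets=100_000, attack_share=0.1):
    """Constructed traffic mix at one router: 10% attack packets toward the
    victim prefix 169.237.6.0/24 (I(n)=1), 90% background toward two prefixes
    with no intention bit set."""
    rng = random.Random(seed)
    router = Router([ForwardingEntry("169.237.6.0/24", 1),
                     ForwardingEntry("152.1.0.0/16", 0),
                     ForwardingEntry("207.3.0.0/20", 0)])
    dsts = []
    for _ in range(n_packets):
        if rng.random() < attack_share:
            dsts.append(f"169.237.6.{rng.randrange(1, 255)}")
        else:
            dsts.append(rng.choice(["152.1.23.9", "207.3.4.183"]))
    trigger = periodic_trigger(20000)
    plain = original_itrace(dsts, trigger)
    intent = intention_driven_itrace(router, dsts, trigger, rng)
    return {"original_count": len(plain),
            "original_useful": useful_fraction(router, plain),
            "intention_count": len(intent),
            "intention_useful": useful_fraction(router, intent)}


if __name__ == "__main__":
    print(demo())
    print("packets until first useful original iTrace at 10% attack share:",
          expected_packets_until_useful(0.1))
```

Both variants emit the same number of messages (one per trigger), which is the summary's last point; the difference is that original iTrace spends most of them on background destinations, while every intention-driven message goes to a prefix whose I(n) is 1, because the set bit is only consumed by a packet toward that prefix.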

Page 40

Signaling (BGP extension)

Figure: ASes 100, 120, 200, 250, 300, 500, 600, 700, 800 and 900; an IDS issues an intention-bit update request, and the resulting BGP update carries prefix: 900, attribute: Intend to receive iTrace.

Page 41

Summary

• Improve the probability of “useful” iTrace.

• Require some “minor” changes to the router forwarding process.

• Require a new BGP community string.

• The amount of generated iTrace messages should be no more than the current iTrace proposal.

Page 42

DECIDUOUS

• Reliably identify the source(s) of attack packets. (Tracing)
– Intrusion Detection, Response, Source Identification.
• Collaborating with Edge Routers or Security Gateways that support IPSEC or other types of Tunnels
– Utilize the IPSEC framework
– Requirements for IPSEC Policy System
– Interacting with IDS and IRS/FW.

Page 43

Spoofed IP Address

Figure: networks NCSU, AOL and UUNet; a packet (header src: AOL, dst: NCSU; payload ...) travelling between points A and B.

Page 44

IPSec Tunnel

Figure: the same packet (header src: AOL, dst: NCSU; payload ...) carried from A to B inside an IPsec tunnel; the outer header + IPSec reads src: A, SPI=0x104, dst: B.

Page 45

IPSEC/AH, tunnel mode

Figure: a router or security gateway with an IPSEC module (freeSWAN & Pluto) on the path to the attacker's target, which runs an intrusion detection system, an IPSEC module, the IPsec PHIL/API and the Deciduous daemon.

Depending on the results from both IDS and IPSEC modules as well as the nature of the detected attack itself, the Deciduous daemon will decide dynamically where to set up SAs.

Every single SA that has been or has not been used by the attack packet will provide some location information about the true source.

Page 46

Collaboration

Figure: NCSU and its ISP on either side of the Internet core; the attacker's target runs the intrusion detection system, IPSEC module, IPsec PHIL/API and the Deciduous daemon.

Page 47

Tunnel Path

Figure: Deciduous daemons at NCSU and at the ISP set up a Phase II SA across the Internet core toward the attacker's target (intrusion detection system, IPSEC module, IPsec PHIL/API).

Page 48

DECIDUOUS Testbed at SHANG LAB

Figure: testbed hosts Stone, Sun, Hychang, Redwing, Squeeze, Bone and Norwork, with eth0 interfaces on 152.1.75.163, 152.1.75.164, 152.1.75.166, 152.1.75.175 and 152.1.75.177 and further interfaces (eth1, eth2) on the internal networks 192.168.1.0/255.255.255.0 (.2, .3, .4), 192.168.2.0 to 192.168.5.0/255.255.255.0, 10.0.0.0/255.0.0.0 and 172.16.0.0/255.255.0.0.

• Simple Single Source
• Simple Multiple Sources
• Coordinated Multiple Sources

Page 49

Results

Page 50

Magic Marks: concept

Figure: for an outgoing packet (src/dst IP addresses, the rest ...), an HMAC selector keyed with a private key turns the src/dst IP addresses into a 128-bit digest, from which a 16-bit mark is taken and placed in the packet; an iTrace message (either a SRC iTrace or a DST iTrace) carries the src/dst IP addresses, the rest ..., and the 16-bit mark.

Page 51

Magic Marks: design

Figure: for an outgoing packet (src/dst IP addresses, the rest ...), the src IP address plus N bits (N=8) of the dst IP address go through the HMAC selector with the private key to a 128-bit digest and then to 16-bit marks; pre-compute the marking table with 2^N entries, so that marking is a mark table look-up.

Page 52

A scenario

Figure: a packet (src/dst IP addresses, the rest ..., 16-bit mark) reaches dst; a dst iTrace message (src/dst IP addresses, the rest ..., 16-bit mark) is sent; a verify message carrying the 16-bit mark goes to src, which answers with a response (Y/N).
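Worked example (added; not the Magic Marks implementation): the concept, design and scenario of pages 50-52 in Python. The slides give the ingredients (an HMAC under a private key, a 128-bit digest, a 16-bit mark, N = 8 destination bits, a 2^N-entry table, a Y/N verify exchange); HMAC-MD5 as the 128-bit function, taking the top N bits of the destination address, the selector picking one 16-bit slice of the digest, the key and the addresses are assumptions.

```python
import hashlib
import hmac
import ipaddress

N_BITS = 8   # from the slide: N bits of the destination address enter the digest
# Constructed key; in a deployment this is the marking router's secret.
PRIVATE_KEY = b"constructed-private-key-of-the-marking-router"


def dst_selector_bits(dst, n_bits=N_BITS):
    """The top n_bits of the destination address. Which bits to use is an
    assumption; the slide only says "N bits of the dst IP address"."""
    return int(ipaddress.ip_address(dst)) >> (32 - n_bits)


def compute_mark(key, src, dst_bits, selector=0, n_bits=N_BITS):
    """HMAC over (src IP, N bits of dst) under the router's private key gives a
    128-bit digest (HMAC-MD5, matching the digest size on the slide); the
    selector picks which 16-bit slice of it becomes the mark."""
    msg = (int(ipaddress.ip_address(src)).to_bytes(4, "big")
           + dst_bits.to_bytes((n_bits + 7) // 8, "big"))
    digest = hmac.new(key, msg, hashlib.md5).digest()
    return int.from_bytes(digest[2 * selector:2 * selector + 2], "big")


def build_mark_table(key, src, selector=0, n_bits=N_BITS):
    """Pre-compute the marking table with 2^N entries for one source address,
    so that marking an outgoing packet is a single table look-up."""
    return [compute_mark(key, src, d, selector, n_bits) for d in range(1 << n_bits)]


def mark_packet(table, pkt):
    """Outgoing path: look the mark up by the destination's top N bits."""
    return dict(pkt, mark=table[dst_selector_bits(pkt["dst"])])


def make_itrace_message(pkt):
    """What a dst iTrace carries back toward the claimed source: the src/dst
    pair and the 16-bit mark (a reduced message; the real one carries more)."""
    return {"src": pkt["src"], "dst": pkt["dst"], "mark": pkt["mark"]}


def verify_mark(key, itrace_msg, selector=0):
    """Verifier at the source network: recompute the mark for the (src, dst)
    pair and answer Y if it matches, N otherwise ("Is that really me?")."""
    expected = compute_mark(key, itrace_msg["src"],
                            dst_selector_bits(itrace_msg["dst"]), selector)
    ok = hmac.compare_digest(expected.to_bytes(2, "big"),
                             itrace_msg["mark"].to_bytes(2, "big"))
    return "Y" if ok else "N"


def scenario():
    """Constructed: the marking router of 169.237.6.0/24 marks a packet to an
    assumed destination; the destination reports it via iTrace (genuine), and a
    second report carries a mark the router never produced (forged)."""
    src, dst = "169.237.6.10", "198.51.100.7"
    table = build_mark_table(PRIVATE_KEY, src)
    genuine = make_itrace_message(mark_packet(table, {"src": src, "dst": dst}))
    forged = dict(genuine, mark=(genuine["mark"] + 1) & 0xFFFF)
    return verify_mark(PRIVATE_KEY, genuine), verify_mark(PRIVATE_KEY, forged)


if __name__ == "__main__":
    print("genuine, forged ->", scenario())
```

The answer tells the source network only whether its own router produced that mark for that (src, N bits of dst) pair, which is exactly the question on page 23; because the mark is 16 bits, a report with a guessed mark is accepted with probability 1/65536, and a genuine mark can be replayed within the same (src, dst-bits) class until the key or the selector is rotated.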