04/12/2001 ecs289k, spring 2001 1
ecs298k Distributed Denial of Services, lecture #5
Dr. S. Felix Wu
Computer Science Department
University of California, Davis
http://www.cs.ucdavis.edu/~wu/
Internet Source Accountability
[Figure: host A on AOL sends a packet (Header src: AOL, dst: NCSU; Payload ...) across UUNet to host B at NCSU. Egress filtering???]
The Plain DDOS Model (1999-2000)
[Figure: the attacker controls masters, which control slaves spread across ISP and .com networks; the slaves flood the victim with packets (src: random, dst: victim).]
Reflector
• Use a legitimate network server/client as the reflector to avoid being traced (stepping stone).
[Figure: the slave sends a Service Request Packet (src: Victim, dst: Reflector) to the reflector; the reflector's Service Reply Packet (src: Reflector, dst: Victim) reaches the victim.]
The Reflective DDOS Model (2000)
[Figure: attacker, masters and slaves as in the plain model, but the slaves send spoofed packets (src: victim, dst: reflector) to reflectors spread across ISP and .com networks, and the reflectors' replies (src: reflector, dst: victim) flood the victim.]
What is the problem?
• Egress/ingress filtering possible??
• Push-back Rate-Limiter
• Locating the slaves (compromised hosts in universities, e.g.) is a good first step.
  – Probably easiest to find.
  – Cut them off to help.
  – Further track down masters and “the attacker.”
What have been proposed?
• Egress filtering using routing information
  – Lixia Zhang (UCLA), Van Jacobson (Packet Design), ...
• Probabilistic Packet Marking
  – Steve Savage (UWa/UCSD), UCB, Purdue, UCD.... DECIDUOUS.
• ICMP Traceback Messages
  – IETF
Packet Marking in DDoS
[Figure: the plain DDoS model (attacker, masters, slaves across ISP and .com networks; packets src: random, dst: victim).]
Marking procedure at router R:
  for each packet w
    let x be a random number from [0..1)
    if x < p then
      write R into w.start and 0 into w.distance
    else
      if w.distance == 0 then
        write R into w.end
      increment w.distance
[Figure: attackers A5 and A6 send packets through a tree of routers R1 ... R9 toward the victim; each router runs the marking procedure.]
[Figure: IP header (ver, hlen, TOS, Total Length / Identification, flags, offset / Time to live, Protocol, Header checksum / Source IP address / Destination IP address). The 16-bit mark (carried in the Identification field in Savage et al.'s scheme) is laid out as: offset, bits 0-2; Distance, bits 3-7; Edge fragment, bits 8-15.]
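The marking procedure above, as an added example that is not code from the slides or from Savage et al.; it also goes one step beyond the slide by adding the victim-side path reconstruction from the sampled (start, end, distance) edges. The router names, the single attacker path and the packet counts are constructed, and the three fields are kept as plain dictionary keys rather than packed into the IP header.

```python
import random
from collections import defaultdict

def mark(w, R, p, rng=random):
    """Marking procedure at router R from the slide (edge sampling).
    w carries the slide's three fields: start, end, distance."""
    x = rng.random()                       # random number from [0..1)
    if x < p:
        w["start"], w["distance"] = R, 0   # write R into w.start and 0 into w.distance
    else:
        if w["distance"] == 0:
            w["end"] = R                   # write R into w.end
        w["distance"] += 1                 # increment w.distance
    return w

def send(path, n, p, rng=random):
    """Constructed traffic: n packets from one attacker, each forwarded through every
    router on path (attacker side first); each router marks with probability p."""
    packets = []
    for _ in range(n):
        w = {"start": None, "end": None, "distance": 0}
        for R in path:
            mark(w, R, p, rng)
        packets.append(w)
    return packets

def reconstruct(packets, victim="V"):
    """Victim side: collect sampled edges (start, end) keyed by distance, then walk
    outward from itself one hop at a time. Distance 0 means start is the last router
    before the victim, so that packet's end field is ignored. Returns routers
    ordered from the victim outward."""
    edges = defaultdict(set)
    for w in packets:
        if w["start"] is None:
            continue                        # no router on the path marked this packet
        end = victim if w["distance"] == 0 else w["end"]
        edges[w["distance"]].add((w["start"], end))
    path, current, d = [], victim, 0
    while d in edges:
        upstream = [s for (s, e) in edges[d] if e == current]
        if not upstream:
            break                           # this hop was never sampled: reconstruction stops
        current = upstream[0]               # single-path topology: one router per hop
        path.append(current)
        d += 1
    return path

def demo(n=2000, p=0.2, seed=1):
    """Constructed topology: attacker -> R1 -> R2 -> R3 -> victim."""
    return reconstruct(send(["R1", "R2", "R3"], n, p, random.Random(seed)))
```

Lowering n in demo shows the problem the lecture raises later for static probabilities: with only a handful of packets from a slave, some hop is never sampled and the reconstructed path stops short.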
[Figure: the reflective DDOS model (attacker, masters, slaves, reflectors across ISP and .com networks; slaves send src: victim, dst: reflector; reflectors reply src: reflector, dst: victim). ??? Find special honey-pot reflectors???]
ICMP Traceback
• For a very small probability or very few packets (about 1 in 20,000), each router will send the destination a new ICMP message indicating the previous hop for that packet.
• Net traffic increase at endpoint is about 0.1% -- probably acceptable.
Original iTrace
[Figure: the plain DDoS model (attacker, masters, slaves across ISP and .com networks; packets src: random, dst: victim).]
iTrace in Reflective DDOS
[Figure: the reflective DDOS model (attacker, masters, slaves, reflectors across ISP and .com networks; slaves send src: victim, dst: reflector; reflectors reply src: reflector, dst: victim).]
Improved ICMP Traceback
• For very few packets (about 1 in 20,000), each router will send the destination and the source a new ICMP message indicating the previous hop for that packet.
• Net traffic increase at endpoint is about 0.2% -- probably acceptable.
[Figure: the reflector scenario again: the slave sends a Service Request Packet (src: Victim, dst: Reflector); the reflector's Service Reply Packet (src: Reflector, dst: Victim) reaches the victim; source traceback messages now also reach the spoofed source, the victim, which asks: Who has spoofed me??]
Improved iTrace
[Figure: the reflective DDOS model (attacker, masters, slaves, reflectors across ISP and .com networks; slaves send src: victim, dst: reflector; reflectors reply src: reflector, dst: victim).]
What we believe....
• Egress filtering is very important!!
  – We need to develop technical solutions to filter packets efficiently and accurately!!
• Probabilistic Marking will not work!!
  – It cannot handle “reflective DDoS”!
• iTrace-based solutions can complement egress filtering.
  – With a fixed probability, we might not be able to reliably identify the final true sources/slaves.
  – How do I know if this is my own packet or a spoofed packet?
Each slave emits a “relatively small” amount of attack packets
[Figure: the plain DDoS model (attacker, masters, slaves across ISP and .com networks; packets src: random, dst: victim).]
This will be a problem for any “static” probabilistic schemes.
[Figure: a victim behind an ISP sends a Service Request Packet (src: Victim, dst: www.yahoo.com); source traceback messages come back to the victim, which asks: Is that really me??? How can I tell??]
Maybe it is my friend...
[Figure: the plain DDoS model (attacker, masters, slaves across ISP and .com networks; packets src: random, dst: victim), with legitimate customers alongside the slaves. Are you sure that this is from a slave or not?]
iTrace Packet Analyzer
• Are those problems (I just raised) realistic?
• In today’s Internet, how likely will I receive iTrace packets for “innocent” packets?
• How to correlate the iTrace packets to determine:
  – how many slaves?
  – where are they?
  – how reliable is the answer?
• If static, what should be the “best” prob?
Magic Marks: concept
[Figure: for an outgoing packet (src/dst IP addresses, the rest...), the src/dst IP addresses are fed with a private key into an HMAC giving a 128 bit digest; a selector picks a 16 bit mark from the digest; the packet leaves carrying the 16 bit mark, and the iTrace message (either a SRC itrace or DST itrace...) carries the same 16 bit mark.]
Magic Marks: design
[Figure: for an outgoing packet (src/dst IP addresses, the rest...), the Src IP address plus N bits (N=8) of the dst IP address are fed with the private key into the HMAC, giving a 128 bit digest; the selector picks the 16 bit marks. Pre-compute the Marking table with 2^N entries! Marking a packet is then a Mark Table look-up.]
A scenario
[Figure: a packet (src/dst IP addresses, the rest..., 16 bit mark) reaches the dst, whose iTrace message reports the 16 bit mark; a verify message carrying that 16 bit mark goes to the src, which answers with a response (Y/N).]
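The Magic Marks design and the verify scenario above, as an added example that is not code from the slides or from the DECIDUOUS project. Assumptions not on the slides: HMAC-MD5 supplies the 128 bit digest, the selector takes the first 16 bits of it, the N destination bits are the top N bits of the address, and the key and addresses are constructed.

```python
import hmac
import hashlib
import ipaddress

N = 8  # bits of the destination address folded into the mark (N=8 on the slide)

def mark(key, src_ip, dst_ip, n_bits=N):
    """16-bit magic mark for one packet: HMAC over the source IP plus the top N bits
    of the destination IP, then a selector picks 16 bits of the 128-bit digest.
    Assumptions: HMAC-MD5 is the 128-bit digest; the selector takes its first 16 bits."""
    src = int(ipaddress.IPv4Address(src_ip)).to_bytes(4, "big")
    dst_prefix = int(ipaddress.IPv4Address(dst_ip)) >> (32 - n_bits)
    msg = src + dst_prefix.to_bytes((n_bits + 7) // 8, "big")
    d = hmac.new(key, msg, hashlib.md5).digest()   # 128 bit digest
    return int.from_bytes(d[:2], "big")             # selector -> 16 bit mark

def build_mark_table(key, src_ip, n_bits=N):
    """Pre-compute the marking table with 2^N entries, one per destination prefix,
    so the per-packet cost is a table look-up instead of an HMAC."""
    return {prefix: mark(key, src_ip, str(ipaddress.IPv4Address(prefix << (32 - n_bits))), n_bits)
            for prefix in range(1 << n_bits)}

def lookup_mark(table, dst_ip, n_bits=N):
    """Per-packet path on the source host: index the table by the top N bits of dst."""
    return table[int(ipaddress.IPv4Address(dst_ip)) >> (32 - n_bits)]

def verify(key, src_ip, dst_ip, reported_mark, n_bits=N):
    """The source's answer to a verify message: True (Y) if the mark reported in the
    destination's iTrace message is the one this host puts on packets to dst_ip,
    False (N) otherwise. A spoofer without the private key cannot compute the mark,
    so N tells the source the packet was not its own."""
    expected = mark(key, src_ip, dst_ip, n_bits).to_bytes(2, "big")
    return hmac.compare_digest(expected, (reported_mark & 0xFFFF).to_bytes(2, "big"))
```

A guessed 16 bit mark still passes with probability 2^-16, so a single Y is evidence rather than proof; the folding of only N destination bits also means every destination in the same /N prefix gets the same mark from a given source.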