08/02/01 S. Felix Wu --UCCS Visit 1
Distributed Denial of Services: the Problem, its Solutions, and their Problems
Dr. S. Felix Wu
Computer Science Department
University of California, Davis
http://www.cs.ucdavis.edu/~wu/

Denial of Service attack: beyond Authenticity, Authority, and Privacy
[Figure: a computer system has finite resources (bandwidth, connections, buffer space, ...); the attacker consumes all or most of those resources, and the victims' services are denied.]

Distributed DoS: yahoo, ebay, msn, ...
[Figure: a Master controls many Slaves. Hundreds/thousands of Slaves simultaneously launch attacks; the attack traffic is aggregated at the victim, and the result is denial of service: no service or degraded service.]

The Plain DDoS Model (1999-2000)
[Figure: Attackers -> Masters -> Slaves -> ISP -> Victim (.com); attack packets carry src: random, dst: victim.]
Sizing: 2000 slaves x 50 pkts per second per slave = ~100K pkts per second arriving at the victim. At 1,500 bytes per pkt (~12K bits per pkt) each slave emits ~0.5M bits per second, so the aggregate at the victim is roughly 1.2G bits per second.

Reflector
• Use a legitimate network server/client as the reflector to avoid being traced (stepping stone).
[Figure: Slave -> Reflector -> Victim. Service request packet: src: Victim (spoofed), dst: Reflector. Service reply packet: src: Reflector, dst: Victim.]

The Reflective DDoS Model (2000)
[Figure: Attackers -> Masters -> Slaves -> Reflectors -> ISP -> Victim (.com). Slaves send packets with src: victim, dst: reflector; the reflectors reply with src: reflector, dst: victim.]

Internet Source Accountability
[Figure: a packet with header src: AOL, dst: UCD and a payload travels from host A through UUNet to host B; nothing along the path checks that the packet really originated at AOL.]

Possible Solutions
• Stop it!!
– egress/ingress filtering
– aggregated-flow anomaly-based rate limiting
– done by ISPs, dot-COMs, ...
• Trace it!!
– where are the slaves and masters?
– done by law enforcement agencies, ...

Ingress/egress filtering: boosting source accountability
Is the source IP address of this incoming IP packet valid from this particular network interface? Drop it or not?
Ways to build the filtering policy:
1. Static configuration
2. Routing table reverse look-up
3. Routing information analysis (BGP/OSPF/RIP)
[Figure: a router with an interface to Net: 169.237.6.* receives a packet with source address 207.12.1.56; the filtering policies decide whether to drop it.]
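The following is an added example, not code from the slides, showing options 1 and 2 above as a single ingress check: a static interface-to-prefix binding plus a strict reverse-path look-up in the routing table. The prefix 169.237.6.0/24 and the source address 207.12.1.56 come from the slide; the interface names (cust0, up0) and the other routes are constructed for the example.

```python
import ipaddress

# Constructed configuration for this example. The customer prefix
# 169.237.6.0/24 and the source 207.12.1.56 are the ones on the slide;
# interface names and the remaining routes are assumptions.
STATIC_IFACE_PREFIXES = {
    # option 1 on the slide: addresses statically bound to an interface
    "cust0": [ipaddress.ip_network("169.237.6.0/24")],
}

ROUTING_TABLE = [
    # (prefix, interface the router would use to reach that prefix)
    (ipaddress.ip_network("169.237.6.0/24"), "cust0"),
    (ipaddress.ip_network("207.12.0.0/16"), "up0"),
    (ipaddress.ip_network("0.0.0.0/0"), "up0"),   # default route toward the upstream
]


def static_ok(iface, src):
    """Option 1: on an interface with a static binding, the source must fall
    inside one of the bound prefixes. Unbound interfaces are not policed here."""
    bound = STATIC_IFACE_PREFIXES.get(iface)
    if bound is None:
        return True
    addr = ipaddress.ip_address(src)
    return any(addr in prefix for prefix in bound)


def reverse_lookup(src):
    """Option 2: longest-prefix match on the *source* address, returning the
    interface the router would use to send a packet back to that address."""
    addr = ipaddress.ip_address(src)
    matches = [(prefix, iface) for prefix, iface in ROUTING_TABLE if addr in prefix]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def rpf_ok(iface, src):
    """Strict reverse-path check: accept only if the packet arrived on the
    interface the reverse look-up points at. Caveat: under asymmetric routing
    this drops legitimate traffic, which is why it is normally enabled on
    edge/customer interfaces rather than on core links."""
    return reverse_lookup(src) == iface


def ingress_verdict(iface, src):
    """'drop' or 'forward' for a packet with source src arriving on iface."""
    if not static_ok(iface, src):
        return "drop"
    if not rpf_ok(iface, src):
        return "drop"
    return "forward"


if __name__ == "__main__":
    for iface, src in [("cust0", "207.12.1.56"), ("cust0", "169.237.6.42"),
                       ("up0", "207.12.1.56"), ("up0", "169.237.6.42")]:
        print(iface, src, ingress_verdict(iface, src))
```

The last case (the customer's own prefix arriving from the upstream) is the egress-side counterpart: a packet claiming to be from 169.237.6.* that comes in on up0 is dropped because the route back to that source points at cust0.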

Aggregate-Based Congestion Control: avoiding micro-flow management
[Figure: a RED buffer (Random Early Dropping) with drop thresholds at 50% and 80% occupancy.]
RED is good for aggressive but responsive TCP flows...

Aggregate-Based Congestion Control: avoiding micro-flow management
[Figure: incoming packets pass a High-Bandwidth AG-Flow Analyzer. Is this a high-bandwidth AG-Flow? yes: the packets go through rate limiters before the RED buffer (50%/80%); no: straight into the buffer. Example aggregate: all ICMP packets toward dst: 169.237.6.*.]
(1) How to determine the signature of an AG-Flow?
(2) How to set the limited rate for an AG-Flow?
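The following is an added example, not code from the slides, of the aggregate-based path on this slide: classify packets into aggregates by (protocol, destination /24), flag any aggregate that carries more than a share of the bytes in a window as high-bandwidth, and push only those aggregates through a token-bucket rate limiter while everything else passes untouched. The aggregate signature, the 30% share threshold, the 800 kbit/s limit and the traffic mix are all constructed assumptions; the slides leave questions (1) and (2) open.

```python
import ipaddress
from collections import Counter

VICTIM_NET = ipaddress.ip_network("169.237.6.0/24")   # the network on the slide


def aggregate_key(pkt):
    """Aggregate signature: (protocol, destination /24). This is one possible
    answer to question (1); the slide itself leaves it open."""
    dst_net = ipaddress.ip_network(f"{pkt['dst']}/24", strict=False)
    return (pkt["proto"], str(dst_net))


def high_bandwidth_aggregates(packets, share=0.3):
    """Aggregates carrying more than `share` of all bytes in the window.
    Each such aggregate gets its own rate limiter; there is no per-flow state."""
    total = sum(p["len"] for p in packets)
    by_agg = Counter()
    for p in packets:
        by_agg[aggregate_key(p)] += p["len"]
    return {k for k, b in by_agg.items() if b > share * total}


class TokenBucket:
    """Rate limiter: `rate_bps` sustained, `burst` bytes of credit."""
    def __init__(self, rate_bps, burst):
        self.rate = rate_bps / 8.0      # bytes per second
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now, length):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= length:
            self.tokens -= length
            return True
        return False


def apply_rate_limits(packets, limited, rate_bps, burst):
    """Packets of a limited aggregate go through that aggregate's bucket;
    everything else is forwarded as-is."""
    buckets = {k: TokenBucket(rate_bps, burst) for k in limited}
    forwarded, dropped = [], []
    for p in sorted(packets, key=lambda p: p["t"]):
        bucket = buckets.get(aggregate_key(p))
        if bucket is not None and not bucket.allow(p["t"], p["len"]):
            dropped.append(p)
        else:
            forwarded.append(p)
    return forwarded, dropped


def constructed_window():
    """One second of constructed traffic: an ICMP flood toward 169.237.6.*
    (400 pkts) plus TCP to the same network (100 pkts) and unrelated UDP (100 pkts)."""
    pkts = []
    for i in range(400):
        pkts.append({"t": i / 400, "proto": "icmp", "dst": f"169.237.6.{i % 250 + 1}", "len": 1000})
    for i in range(100):
        pkts.append({"t": i / 100, "proto": "tcp", "dst": f"169.237.6.{i % 250 + 1}", "len": 1000})
    for i in range(100):
        pkts.append({"t": i / 100, "proto": "udp", "dst": f"10.1.1.{i % 250 + 1}", "len": 1000})
    return pkts


def demo(rate_bps=800_000, burst=10_000):
    """Returns (limited aggregates, forwarded packets per protocol, number dropped)."""
    pkts = constructed_window()
    limited = high_bandwidth_aggregates(pkts)
    fwd, drp = apply_rate_limits(pkts, limited, rate_bps, burst)
    return limited, dict(Counter(p["proto"] for p in fwd)), len(drp)


if __name__ == "__main__":
    print(demo())
```

Only the ICMP aggregate toward 169.237.6.0/24 (two thirds of the bytes) is limited: about 110 of its 400 packets survive (100 kB/s plus the 10 kB burst), while the TCP traffic to the very same network and the unrelated UDP traffic pass untouched. That is the point of working on aggregates rather than micro-flows, and also its weakness: the signature decides what gets punished, so a too-coarse signature (for example the whole /24 regardless of protocol) would throttle the victim's legitimate TCP traffic as well.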

Packet Tracing
• A transit router puts a mark in the data packets themselves (like UPS/FedEx).
– where to find the space in the packet to perform the mark?
• A transit router puts a mark outside of the data packets (I have seen it!!).
– where to find the bandwidth in the Internet?

Statistical Packet Marking
[Figure: the plain DDoS model (Attackers -> Masters -> Slaves -> ISP -> Victim; src: random, dst: victim); transit routers probabilistically mark the packets on their way to the victim.]

Marking procedure at router R (edge sampling):
  for each packet w:
    let x be a random number from [0..1)
    if x < p then
      write R into w.start and 0 into w.distance
    else
      if w.distance == 0 then write R into w.end
      increment w.distance
[Figure: example topology with attackers A5 and A6 behind routers R1 .. R9.]
[Figure: IP header (ver, hlen, TOS, total length; identification, flags, offset; time to live, protocol, header checksum; source IP address; destination IP address). The 16-bit Identification field is overloaded to carry the mark: offset (bits 0-2), distance (bits 3-7), edge fragment (bits 8-15).]
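The following is an added example, not code from the slides, that runs the marking procedure above end to end: each router applies the edge-sampling rule to every packet, and the victim rebuilds the attack paths from the (start, end, distance) samples it collects, accepting an edge at distance d only if its end router was already accepted at distance d-1. The fields are kept as whole values rather than squeezed into the 16-bit Identification field (that compression, with its edge fragments, is what the next slide complains about). The two attack paths only borrow the slide's router labels; the slide does not give its topology, so the paths are constructed. The forged=True option shows what the distance field does and does not protect against.

```python
import random

# Constructed attack paths, listed from the router nearest the attacker to the
# router adjacent to the victim. Router names borrow the slide's labels only.
PATHS = {
    "A5": ["R9", "R7", "R4", "R2", "R1"],
    "A6": ["R8", "R6", "R3", "R2", "R1"],
}


def mark(w, router, p, rng):
    """Edge-sampling marking at one router: the procedure on the slide.
    w carries three fields: start, end, distance (None = never marked)."""
    if rng.random() < p:
        w["start"], w["end"], w["distance"] = router, None, 0
    elif w["distance"] is not None:          # packet already carries a sample
        if w["distance"] == 0:
            w["end"] = router
        w["distance"] += 1
    return w


def send(path, p, rng, forged=False):
    """One packet from attacker to victim along `path`. A forging attacker may
    pre-fill the fields; here it plants a bogus router 'X' at distance 0."""
    w = {"start": None, "end": None, "distance": None}
    if forged:
        w = {"start": "X", "end": "X", "distance": 0}
    for router in path:
        mark(w, router, p, rng)
    return (w["start"], w["end"], w["distance"])


def reconstruct(samples):
    """Victim side: rebuild the attack tree from (start, end, distance) samples.
    distance 0 = router adjacent to the victim (end is None there); an edge at
    distance d is accepted only if its end was accepted at distance d-1."""
    by_dist = {}
    for s, e, d in samples:
        if s is not None:
            by_dist.setdefault(d, set()).add((s, e))
    next_hop = {}                                  # router -> next router toward victim
    level = {s for s, e in by_dist.get(0, ()) if e is None}
    for r in level:
        next_hop[r] = None
    d = 1
    while level and d in by_dist:
        nxt = set()
        for s, e in by_dist[d]:
            if e in level:
                next_hop.setdefault(s, e)
                nxt.add(s)
        level = nxt
        d += 1
    leaves = set(next_hop) - {r for r in next_hop.values() if r is not None}
    paths = set()
    for leaf in leaves:
        path, r = [], leaf
        while r is not None:
            path.append(r)
            r = next_hop[r]
        paths.add(tuple(path))
    return paths


def simulate(packets_per_attacker=2000, p=0.05, forged=False, seed=7):
    """Mark traffic from every attacker, collect samples at the victim, rebuild."""
    rng = random.Random(seed)
    samples = set()
    for path in PATHS.values():
        for _ in range(packets_per_attacker):
            samples.add(send(path, p, rng, forged))
    return reconstruct(samples)


if __name__ == "__main__":
    print(sorted(simulate()))
    print(sorted(simulate(forged=True)))
```

With honest packets the two constructed paths come back exactly. With forged packets the reconstruction still contains each true path as a suffix, but the attacker's fake router X appears one hop beyond R9 or R8: the first real router overwrites the end field, and every later router increments distance, so a forged edge can only ever be placed upstream of the nearest real router, never inside the true path. That residual is the "weak authentication" problem listed on the next slide.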

Problems with Packet Marking
• 16 bits is unreliable and restrictive.
– only partial IP header information fits
– weak authentication
– inefficiency
• It can not handle reflective DDoS.
– it would require modification of the TCP protocol stack (and specification); not sure exactly how to do it completely and correctly.

[Figure: the reflective DDoS model again (src: victim, dst: reflector; src: reflector, dst: victim), with question marks at the reflectors: the marks the victim collects describe the reflector-to-victim paths, not the paths from the slaves.]

ICMP Traceback
• With a very small probability (about 1 in 20,000), each router will send the destination a new ICMP message indicating the previous hop for that packet.
• Net traffic increase at the endpoint is probably acceptable.
iTrace it or not??

Original iTrace
[Figure: the plain DDoS model (src: random, dst: victim); routers along the path emit iTrace messages toward the victim.]

iTrace in Reflective DDoS
[Figure: the reflective DDoS model (src: victim, dst: reflector; src: reflector, dst: victim). iTrace messages for the reply packets reach the victim but only describe the reflector-to-victim paths; iTrace messages for the spoofed request packets go to their destination, the reflector.]

Improved ICMP Traceback
• For a very few packets (about 1 in 20,000), each router will send both the destination and the source a new ICMP message indicating the previous hop for that packet.
• Net traffic increase at the endpoint is probably acceptable.

[Figure: Slave -> Reflector -> Victim as before (service request: src: Victim, dst: Reflector; service reply: src: Reflector, dst: Victim). With improved iTrace, the routers also send source traceback messages to the request packet's source address, i.e. to the Victim, who asks: who has spoofed me??]

Improved iTrace
[Figure: the reflective DDoS model (src: victim, dst: reflector; src: reflector, dst: victim); source traceback messages for the spoofed requests now flow to the victim as well as to the reflectors.]

[Figure: a host at an ISP sends a legitimate service request with src: Victim, dst: www.yahoo.com and receives source traceback messages. Is that really me??? How can I tell?? The host cannot distinguish source traceback messages for packets it really sent from those for packets spoofed with its address.]

Maybe it is my friend...
[Figure: the plain DDoS model (src: random, dst: victim); the slaves sit among an ISP's ordinary customers. Are you sure that this is from a slave or not?]

Emitting a "relatively small" amount
[Figure: the plain DDoS model (src: random, dst: victim); each router emits only a relatively small number of iTrace messages toward the victim.]

iTrace Probability: 1/20,000
[Figure: at a transit router, the attack traffic is a thin slice of the background traffic.]
For a router with "lots" of background traffic, it will take a long time before we really generate a "useful" iTrace.

A Statistical Problem with iTrace
• Routers closer to the victims have a higher probability of generating iTrace packets toward the true victims among the first N iTrace messages they generate.
• Routers closer to the DDoS slaves might have a relatively small probability (smaller than the routers around the victims) of generating "useful" iTrace packets fast enough.

"Usefulness"
• Useful:
– It carries attack packets.
• Valuable:
– It carries attack packets from a router that is very close to the original slaves.
– We have not received the same "kind" of iTrace messages before.
– The iTrace messages are received fast.

Three Types of Nodes
• DDoS victim with the intention to trace the slaves.
• DDoS victim without the intention.
• non-DDoS victims (assuming they do not have the intention as well; very likely they hope they won't receive any).

Intention-driven iTrace
• Different destination hosts, networks, domains/ASs have different "intention levels" in receiving iTrace packets.
– We propose to add one "iTrace-intention" bit.
• Some of them might not care about iTrace, and some of them might not be under DDoS attack, for example.

Issues
• How to determine the intention bit?
• How to distribute the intention bits to routers globally?
• How to use the intention bits at each router?

Test-bed topology
[Figure: test-bed topology, a tree of numbered nodes (0 to 133).]

iTrace / Intention-Driven iTrace architecture
[Figure: data packets are looked up in the packet-forwarding table, whose entries carry an iTrace-generation bit and intention bits. A Decision Module, fed by the BGP routing table (intention bits) and by the 1/20000 iTrace generation trigger, decides which forwarding-table entry gets its iTrace bit set.]

Processing Overhead
Processing for each data packet:
1. If the iTrace flag bit of the matching forwarding-table entry is 1:
(1) send an iTrace message for this data packet;
(2) reset the iTrace bit to 0.
When the 1/20K iTrace message trigger occurs:
1. Select one entry in the forwarding table and set its iTrace bit.

Forwarding-table iTrace bit (labelled "I(n) iTrace bit" on the slides): (1) before the iTrace trigger, (2) after the trigger has selected the entry 152.1.0.0/16, (3) after the iTrace message has been sent.

Prefix            (1) before   (2) after trigger   (3) after iTrace sent
152.1.23.0/24     0            0                   0
169.20.3.0/24     0            0                   0
192.1.0.0/16      0            0                   0
207.3.4.183/20    0            0                   0
152.1.0.0/16      0            1                   0
155.0.0.0/16      0            0                   0
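The following is an added example, not code from the slides, that puts numbers on the "statistical problem with iTrace" slides and on the per-packet processing described above. The same constructed traffic (1% attack packets toward one victim prefix, 99% background toward other prefixes, as at a router far from the victim) is run through two routers: one doing original iTrace (the 1-in-20,000 trigger samples whatever packet is in hand) and one doing intention-driven iTrace (the trigger sets the iTrace bit on a forwarding-table entry with I(n)=1, and the next packet to that entry produces the message). The prefixes are the ones in the forwarding-table slides plus the victim prefix from an earlier slide; the deterministic trigger, the round-robin selection policy and the traffic mix are assumptions made for reproducibility.

```python
import random
from collections import namedtuple

Packet = namedtuple("Packet", "prefix attack")
TRIGGER_EVERY = 20000                  # the 1/20,000 iTrace probability on the slides
VICTIM = "169.237.6.0/24"              # victim prefix taken from an earlier slide
# The other prefixes are the ones shown in the forwarding-table slides.
PREFIXES = [VICTIM, "152.1.23.0/24", "169.20.3.0/24", "192.1.0.0/16",
            "207.3.4.183/20", "152.1.0.0/16", "155.0.0.0/16"]


class Router:
    """Forwarding-table entry per prefix: I(n) (intention bit) and the iTrace bit."""
    def __init__(self, intending):
        self.table = {p: {"I": int(p in intending), "itrace": 0} for p in PREFIXES}
        self.sent = []                  # (prefix, was_attack_packet) per iTrace message
        self._rr = 0

    def forward_plain(self, pkt, triggered):
        # Original iTrace: on the 1/20K trigger, send an iTrace message for
        # whatever packet is in hand; useful only if that packet is attack traffic.
        if triggered:
            self.sent.append((pkt.prefix, pkt.attack))

    def forward_intention(self, pkt, triggered):
        # Intention-driven iTrace, as on the "Processing Overhead" slide:
        # per data packet: if the entry's iTrace bit is 1, send iTrace and clear it;
        # on the 1/20K trigger: select one entry with I(n)=1 and set its iTrace bit.
        entry = self.table[pkt.prefix]
        if entry["itrace"]:
            self.sent.append((pkt.prefix, pkt.attack))
            entry["itrace"] = 0
        if triggered:
            target = self._select_intending()
            if target is not None:
                self.table[target]["itrace"] = 1

    def _select_intending(self):
        # round-robin over entries with I(n)=1 (the selection policy is an assumption)
        cands = [p for p, e in self.table.items() if e["I"]]
        if not cands:
            return None
        self._rr += 1
        return cands[self._rr % len(cands)]

    def useful(self):
        """Number of iTrace messages that carried an attack packet ("useful")."""
        return sum(1 for _, attack in self.sent if attack)


def constructed_traffic(n, attack_share, rng):
    """Constructed mix: attack_share of the packets are attack packets toward
    the victim prefix; the rest is background traffic over the other prefixes."""
    background = [p for p in PREFIXES if p != VICTIM]
    return [Packet(VICTIM, True) if rng.random() < attack_share
            else Packet(rng.choice(background), False) for _ in range(n)]


def compare(n_packets=600_000, attack_share=0.01, seed=1):
    """Run identical traffic through a plain-iTrace router and an intention-driven
    one. The trigger fires deterministically on every 20,000th packet so the
    comparison is reproducible; both routers see exactly the same triggers."""
    rng = random.Random(seed)
    pkts = constructed_traffic(n_packets, attack_share, rng)
    plain, intent = Router(intending={VICTIM}), Router(intending={VICTIM})
    for i, pkt in enumerate(pkts):
        triggered = (i % TRIGGER_EVERY == 0)
        plain.forward_plain(pkt, triggered)
        intent.forward_intention(pkt, triggered)
    triggers = (n_packets + TRIGGER_EVERY - 1) // TRIGGER_EVERY
    return {"triggers": triggers,
            "plain_sent": len(plain.sent), "plain_useful": plain.useful(),
            "intent_sent": len(intent.sent), "intent_useful": intent.useful()}


if __name__ == "__main__":
    print(compare())                       # router far from the victim: 1% attack traffic
    print(compare(attack_share=0.9))       # router next to the victim: mostly attack traffic
```

At 1% attack traffic the plain router turns its 30 triggers into at most a handful of useful messages (each trigger is useful with probability 0.01), while the intention-driven router turns every one of the same 30 triggers into a useful message, without sending more messages in total: that is the summary slide's claim that the volume is no higher than the current iTrace proposal. Re-running with attack_share=0.9 shows the other half of the statistical problem: next to the victim, plain iTrace is already mostly useful, so the gain from intention is concentrated at the routers near the slaves, which are exactly the valuable ones.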

Usefulness in MSMV
[Figure: plot of usefulness in MSMV; the data points are not recoverable.]

How to distribute I(n)?
• YABE: Yet Another BGP Extension
– For every BGP route update, we include I(n) as a new string in the community attribute:
• 0x[iTrace-Intention]:0x[0-1] (optional & transitive)
– These I(n) values will be forwarded, or even aggregated, by the routers that understand this new community attribute.
• aggregation: I(new) = max {I(n)}
– Rate-limiting on intention updates:
• should not be more frequent than Keep-Alive messages.
• should not trigger any major route computation.

Signaling (BGP extension)
[Figure: ASes 100, 120, 200, 250, 300, 500, 600, 700, 800 and 900. An IDS in AS 900 issues an intention-bit update request; AS 900 then announces a BGP update with prefix: 900 and the attribute "intend to receive iTrace", which propagates to the other ASes.]

Summary
• Improve the probability of "useful" iTrace.
• Require some "minor" changes to the router forwarding process.
• Require a new BGP community string.
• The amount of generated iTrace messages should be no more than with the current iTrace proposal.

DECIDUOUS
• Reliably identify the source(s) of attack packets (tracing).
– Intrusion Detection, Response, Source Identification.
• Collaborate with edge routers or security gateways that support IPSEC or other types of tunnels.
– utilize the IPSEC framework
– requirements for the IPSEC policy system
– interaction with IDS and IRS/FW

Spoofed IP Address
[Figure: a packet with header src: AOL, dst: NCSU and a payload travels from host A through UUNet to host B; the AOL source address is spoofed.]

IPSec Tunnel
[Figure: the same packet (inner header src: AOL, dst: NCSU, payload) encapsulated in an IPSec tunnel with outer header src: A, dst: B, SPI=0x104; the authenticated outer header identifies the tunnel endpoint A that actually forwarded the packet, whatever the inner source address claims.]

IPSEC/AH, tunnel mode
[Figure: the attacker's target runs an Intrusion Detection System, an IPSEC module (freeSWAN & Pluto) reached through the IPsec PHIL/API, and the Deciduous daemon; the daemon sets up SAs to remote routers or security gateways that run their own IPSEC module.]
Depending on the results from both the IDS and the IPSEC modules, as well as the nature of the detected attack itself, the Deciduous daemon will decide dynamically where to set up SAs.
Every single SA that has been, or has not been, used by the attack packets will provide some location information about the true source.

Collaboration
[Figure: the attacker's target at NCSU/ISP (Intrusion Detection System, IPSEC module, IPsec PHIL/API, Deciduous daemon) collaborates with gateways across the Internet core.]

Tunnel Path
[Figure: a Phase II SA is set up across the Internet core between the Deciduous daemon at the attacker's target (NCSU/ISP, with its Intrusion Detection System, IPSEC module and IPsec PHIL/API) and a Deciduous daemon at a collaborating gateway.]

DECIDUOUS Testbed at SHANG LAB
[Figure: testbed topology. Hosts: Stone163, Stone4, Sun2, Hychang23, Redwing164, Squeeze175, Bone177, Norwork166. Public eth0 interfaces on 152.1.75.0/24: .163, .164, .166, .175, .177. Internal links on eth1/eth2: 192.168.1.0/255.255.255.0 (hosts .2, .3, .4), 192.168.2.0/255.255.255.0, 192.168.3.0/255.255.255.0, 192.168.4.0/255.255.255.0, 192.168.5.0/255.255.255.0, 172.16.0.0/255.255.0.0 and 10.0.0.0/255.0.0.0.]
Scenarios:
• Simple single source
• Simple multiple sources
• Coordinated multiple sources

Results
[Figure: results plot; the data points are not recoverable.]

Magic Marks: concept
[Figure: for an outgoing packet (src/dst IP addresses, the rest...), the src/dst IP addresses and a private key go through an HMAC to a 128-bit digest; a selector reduces the digest to a 16-bit mark carried in the packet. The iTrace message (either a SRC iTrace or a DST iTrace) quotes the same 16-bit mark.]

Magic Marks: design
[Figure: the HMAC input is the src IP address plus N bits (N=8) of the dst IP address, keyed with the private key; the selector turns the 128-bit digest into a 16-bit mark. Pre-compute the marking table with 2^N entries so that marking an outgoing packet is a mark-table look-up.]

A scenario
[Figure: a marked packet (src/dst IP addresses, the rest..., 16-bit mark) reaches the destination together with a dst iTrace message carrying the same 16-bit mark; the destination sends a verify message with the 16-bit mark to the src side, which responds (Y/N).]
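The following is an added example, not code from the slides, of the Magic Marks design and the verify scenario: the mark is the first 16 bits of an HMAC over the source address and the top N=8 bits of the destination, the per-source marking table with 2^N entries is precomputed so marking is a look-up, and a verify message is answered Y/N by recomputing under the private key. The slides only say "128 bit digest" and name no hash, so HMAC-SHA256 (truncated), the per-source lazily built tables, the message layout and the addresses are assumptions of this example.

```python
import hashlib
import hmac
import ipaddress

N_DST_BITS = 8        # N=8 on the slide: only the top N bits of dst enter the mark
MARK_BITS = 16


def compute_mark(key, src, dst):
    """HMAC over (src IP, top N bits of dst IP); the selector keeps the first
    16 bits of the digest as the mark. HMAC-SHA256 is an assumption here; the
    slide only says '128 bit digest' and names no hash function."""
    src_bytes = ipaddress.ip_address(src).packed
    dst_top = ipaddress.ip_address(dst).packed[0]          # top 8 bits of dst
    digest = hmac.new(key, src_bytes + bytes([dst_top]), hashlib.sha256).digest()
    return int.from_bytes(digest[:MARK_BITS // 8], "big")


def precompute_table(key, src):
    """Marking table for one source address: 2^N entries indexed by the top N
    bits of the destination, so per-packet marking is a single look-up."""
    return [compute_mark(key, src, f"{top}.0.0.0") for top in range(1 << N_DST_BITS)]


class MarkingRouter:
    def __init__(self, key):
        self.key = key
        self.tables = {}        # src -> marking table, built on first use (assumption)

    def mark(self, pkt):
        """Stamp an outgoing packet with its 16-bit mark via table look-up."""
        table = self.tables.get(pkt["src"])
        if table is None:
            table = self.tables[pkt["src"]] = precompute_table(self.key, pkt["src"])
        pkt["mark"] = table[ipaddress.ip_address(pkt["dst"]).packed[0]]
        return pkt

    def itrace_message(self, pkt):
        """iTrace message (src or dst iTrace) for a marked packet: it quotes the
        addresses and the mark, so the receiver can ask the router to verify it."""
        return {"router": "R", "src": pkt["src"], "dst": pkt["dst"], "mark": pkt["mark"]}

    def verify(self, msg):
        """Answer a verify message with Y/N: recompute the mark under the private
        key and compare in constant time. Only the key holder can do this."""
        expected = compute_mark(self.key, msg["src"], msg["dst"]).to_bytes(2, "big")
        return hmac.compare_digest(expected, msg["mark"].to_bytes(2, "big"))


def scenario(key=b"constructed-private-key"):
    """The scenario on the slide: the router marks a packet, the destination
    receives a dst iTrace message quoting the mark and asks the router to verify
    it (Y); a forged iTrace message carrying a wrong mark gets N."""
    router = MarkingRouter(key)
    pkt = router.mark({"src": "152.1.75.163", "dst": "169.237.6.7"})
    genuine = router.itrace_message(pkt)
    forged = dict(genuine, mark=genuine["mark"] ^ 0x0001)
    return router.verify(genuine), router.verify(forged)


if __name__ == "__main__":
    print(scenario())     # (True, False)
```

Two caveats follow directly from the design: with only 16 bits an attacker who can submit verify messages guesses a valid mark with probability 1/65536 per try, so the router must rate-limit verify traffic; and because only N=8 bits of the destination enter the HMAC, every destination in the same /8 shares one mark for a given source, which is what makes the 2^N table small in the first place.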