Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic
1
Presenter: Lei Wu
March, 2009
Presentation for CAP 6135
Hop-Count Filtering: An Effective Defense Against
Spoofed DDoS Traffic
Cheng Jin ([email protected]), Haining Wang ([email protected]), Kang G. Shin ([email protected])
CCS’03, Oct, 2003, Washington, DC, USA
2
Outline
Background
Mechanism and construction
Measurement
Conclusion
3
Outline
Background
Mechanism and construction
Measurement
Conclusion
4
Background
IP address spoofing
DDoS Attack
Two classes of defense approaches
5
IP address spoofing
In computer networking, the term IP address spoofing refers to the creation of IP packets with a forged (spoofed) source IP address with the purpose of concealing the identity of the sender or impersonating another computing system.
6
DDoS Attack
Distributed Denial of Service (DDoS) Attack
A DDoS attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system.
DDoS attacks on root nameservers: October 21, 2002 and February 6, 2007
7
Defense Approaches
Router-based
  Making improvements to the routing infrastructure
  Off-line analysis of flooding traffic or on-line filtering of DDoS traffic inside routers
  Requires not only router support, but also coordination among different routers and networks, and wide-spread deployment
Victim-based
  Enhancing the resilience of Internet servers against attacks
  Easy to deploy
8
Weakness of conventional victim-based methods
Protection based on sophisticated resource management schemes
  No mechanism to detect and discard spoofed traffic
  Could confine the scope of damage to the service under attack, but might not be able to sustain the availability of the service
Filtering spoofed traffic can help a lot
  Uses the TTL field of the IP header
  Assumption: attackers cannot sabotage routers to alter the TTL values of IP packets that traverse them
9
Outline
Background
Mechanism and construction
Measurement
Conclusion
10
Mechanism and construction
Introduction
Construction of IP2HC mapping table
Hop-Count Computation
Inspection Algorithm
Two running states of HCF
11
Introduction
Basic idea of Hop-Count Filtering (HCF)
  Building an accurate IP-to-hop-count (IP2HC) mapping table
  Clustering address prefixes based on hop-count
Two running states
  State    Environment                    Drop packets
  Alert    Under normal condition         No
  Action   Upon detection of an attack    Yes
12
Construction of IP2HC mapping table
Objectives in building an HCF table
  Accurate IP2HC mapping
  Up-to-date IP2HC mapping
  Moderate storage requirement
Two issues
  Clustering address prefixes based on hop-counts
    24-bit aggregation
    Divide the IP addresses sharing each 24-bit prefix into smaller clusters
  A pollution-proof update procedure to capture legitimate hop-count changes while foiling attackers' attempts to pollute HCF tables
13
Construction of IP2HC mapping table (cont)
An example of hop-count clustering
14
Construction of IP2HC mapping table (cont)
Accuracies of various filters
15
Construction of IP2HC mapping table (cont)
Sizes of various HCF tables
16
Construction of IP2HC mapping table (cont)
Pollution-Proof Initialization and Update
Initialization
  Collect traces of its clients that contain both IP addresses and the corresponding TTL values
  The collection period depends on its traffic load
Update
  The HCF table should be updated only by those TCP connections in the established state
  Provide a user-configurable parameter to adjust the frequency of update
  The cost of re-clustering is negligible
17
Hop-Count Computation
IP Header (Time To Live field)
Bit offset   0-3        4-7             8-15               16-18    19-31
0            Version    Header length   Type of Service    Total Length
32           Identification                                Flags    Fragment Offset
64           Time to Live               Protocol           Header Checksum
96           Source Address
128          Destination Address
...          ...
18
Hop-Count Computation (cont)
The challenge is that a destination only sees the final TTL value when receiving a packet.
Most modern OSs use only a few selected initial TTL values: 30, 32, 60, 64, 128 and 255
Few Internet hosts are more than 30 hops apart
For example, if the final TTL value is 112, we can infer that its initial TTL value is 128
What about the ambiguities {30, 32}, {60, 64}, and {32, 60}? Compute a hop-count value for each of the possible initial TTL values, and accept the packet if there is a match with one of the possible hop-counts.
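An added example, not code from the paper or these slides, that carries the hop-count computation above through in Python: it infers hop counts from final TTL values (including the ambiguous pairs), builds a 24-bit-aggregated IP2HC table as on slide 12, and runs the alert/action check of slide 20. The addresses, the sample traces, and the mismatch threshold are constructed assumptions.

```python
from ipaddress import ip_address

# Initial TTL values used by most OSs, as listed on the slide.
INITIAL_TTLS = (30, 32, 60, 64, 128, 255)
MAX_HOPS = 30  # few Internet hosts are more than 30 hops apart

def hop_count_candidates(final_ttl):
    """Every plausible hop count for an observed TTL. The pairs {30,32},
    {60,64} and {32,60} make some TTLs ambiguous, so each initial TTL
    that yields 0..MAX_HOPS hops is kept (final 31 -> {1, 29})."""
    return {i - final_ttl for i in INITIAL_TTLS if 0 <= i - final_ttl <= MAX_HOPS}

def infer_hop_count(final_ttl):
    """Most likely hop count: smallest initial TTL >= final TTL (112 -> 16)."""
    return min(i for i in INITIAL_TTLS if i >= final_ttl) - final_ttl

def prefix24(ip):
    """24-bit aggregation: key the table by the /24 containing ip."""
    return int(ip_address(ip)) >> 8

def build_ip2hc(traces):
    """IP2HC table from (src_ip, final_ttl) pairs sampled from TCP
    connections in the established state (the pollution-proof rule)."""
    table = {}
    for ip, ttl in traces:
        table.setdefault(prefix24(ip), set()).add(infer_hop_count(ttl))
    return table

def is_spoofed(table, src_ip, final_ttl):
    """Accept if any candidate hop count matches one recorded for the /24.
    A prefix the table has never seen cannot be judged, so it is accepted."""
    known = table.get(prefix24(src_ip))
    return known is not None and known.isdisjoint(hop_count_candidates(final_ttl))

class HCF:
    """Two running states: alert counts mismatches without dropping; once
    `threshold` (a constructed parameter) is reached, action state drops."""
    def __init__(self, table, threshold=3):
        self.table, self.threshold = table, threshold
        self.mismatches, self.state = 0, "alert"

    def handle(self, src_ip, final_ttl):
        spoofed = is_spoofed(self.table, src_ip, final_ttl)
        self.mismatches += spoofed
        if self.mismatches >= self.threshold:
            self.state = "action"
        return "drop" if spoofed and self.state == "action" else "accept"

# Constructed sample traces (documentation address ranges, made-up TTLs).
TRACES = [("198.51.100.7", 112), ("198.51.100.9", 113), ("203.0.113.5", 50)]
```

Feeding `HCF(build_ip2hc(TRACES)).handle(ip, ttl)` a stream of packets returns "accept" in the alert state even for mismatches, and "drop" only once the threshold has switched the filter into the action state.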
19
Inspection Algorithm
20
Two running states of HCF
HCF causes delay in the critical path of packet processing, so it should not be active at all times
Two running states
  Alert: detect the presence of spoofed packets. By default, HCF stays in the alert state and monitors the trend of hop-count changes without discarding packets
  Action: discard spoofed packets. Upon detection of a flux of spoofed packets, HCF switches to the action state to examine each packet and discards spoofed IP packets
21
Two running states of HCF (cont)
Operations in the two HCF states
22
Two running states of HCF (cont)
Extra benefits of two running states
  Against Distributed Reflected Denial of Service (DRDoS) attacks
  Blocking bandwidth attacks
23
Outline
Background
Mechanism and construction
Measurement
  Feasibility
  Effectiveness
  Resource Savings
Conclusion
24
Feasibility of HCF
The feasibility of HCF hinges on three factors
Stability of hop-counts
  Internet paths were found to be dominated by a few prevalent routes
  About two thirds of the Internet paths studied were observed to have routes persisting for either days or weeks
Diversity of hop-count distribution
  The larger the standard deviation, the more effective the filter
Robustness against possible evasion
  Without compromising, it is very difficult to get the IP2HC mapping table for the whole random address space
  Spoofing from compromised machines makes detection and removal much easier
25
Diversity of hop-count distribution
The largest percentage of IP addresses that have a common hop-count value is only 10%
26
Effectiveness of HCF
Simple attacks: always use the default initial TTL value
27
Effectiveness of HCF (cont)
Sophisticated attackers: randomly choose the initial TTL value
28
Resource Savings
This part gives some practical techniques for implementing HCF that reduce its resource consumption
  Insert into the Linux kernel
  Hash table for the organization of the hop-count mapping
Please read the paper for details
29
Outline
Background
Mechanism and construction
Measurement
Conclusion
  Contribution
  Weakness
  Improvement
30
Contribution
Proposes a hop-count based filtering scheme that detects and discards spoofed IP packets to conserve system resources
Gives an analytical measurement of feasibility and effectiveness
Gives a detailed description of how to make the whole system perform efficiently, together with an evaluation
31
Weakness
TTL-based Hop-Count Computation
  Assumes that most OSs use only a few selected initial TTL values
  The solution to the ambiguities {30, 32}, {60, 64}, and {32, 60}
  No explicit way to assign and adjust the values of parameters
Feasibility of HCF
  No definitive claim of whether hop-count distributions are Gaussian or not
Effectiveness of HCF, Sophisticated Attackers
  No analysis of multiple flooding sources
  No comparison with other methods
  No consideration of more realistic and complex network environments
32
Improvement
Use some machine learning methods to assign and adjust the values of parameters
Find out the distributions of hop-count
Give an analysis of multiple flooding sources of the sophisticated attackers
Compare HCF with other methods
Consider more realistic and complex network environments
33
Extra References
http://en.wikipedia.org/wiki/Internet_Protocol
http://en.wikipedia.org/wiki/Distributed_Reflection_Denial_of_Service
34
THANK YOU!
Questions?