Modelling and simulation of a defense strategy to face indirect DDoS flooding attacks
A. Furfaro, P. Pace, A. Parise, L. Molina Valdiviezo
Università della Calabria, D.I.M.E.S, 87036 Rende (CS), Italy
Email: [email protected]
September 24, 2014
A. Furfaro et al. A defense strategy against indirect DDoS flooding attacks September 24, 2014 1 / 19
Objectives
Development of a simulation model enabling the study and the analysis of defense techniques against Distributed Denial of Service (DDoS).
Extension of the StopIt technique for widening its applicability to more complex DDoS attack scenarios, i.e. shared link congestion.
Outline
DDoS attacks
Defense mechanisms
StopIt
DiffServ
A ns-3 simulation model
A novel defense technique exploiting StopIt and DiffServ
Results
Conclusions and future work
Distributed Denial of Service (DDoS)
(Figure: © Cisco Systems, Inc.)
Cyber security has become a very hot issue due to the large and ever increasing diffusion of Internet-connected devices.
DDoS is one of the most sophisticated attack techniques.
Due to its distributed nature, it is not easy to counter.
DDoS attacks are carried out by a botnet consisting of widely scattered and remotely controlled computers called zombies.
Zombies send a large amount of service requests and data traffic to the target victim in order to exhaust its resources.
DDoS defence mechanisms
Figure: taxonomy of DDoS defense mechanisms by deployment location. Source-based mechanisms sit in the source AS (source's edge router, access router); destination-based mechanisms sit in the destination AS (destination's edge router, access router); network-based mechanisms sit in the intermediate ASs (ASx, ASy, ASz); hybrid mechanisms span all of them.
Zargar et al.: A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks. IEEE Communications Surveys & Tutorials, 14(4):2046–2069, 2013.
Hybrid defence mechanisms are the most effective!
Hybrid mechanisms
Throttling/filtering and hybrid packet marking: installation, by the victim's side, of a router throttle at upstream routers several hops away with the aim of limiting the forwarded packet data rate. It only limits the rate of malicious packets.
Capability-based: short-term authorization from the receivers by adding specific stamps on their packets. The recipients explicitly authorize the traffic they would like to receive.
Active Internet Traffic Filtering (AITF): explicit refusal of traffic identified as undesirable. It needs a bounded amount of filtering resources from participating ISPs.
StopIt: see next slides.
StopIt operation
Figure: StopIt operation. Source AS ASs (host Hs, access router Rs, StopIt server SSs), intermediate AS ASi (StopIt server SSi) and destination AS ASd (victim Hd, host Hu, access router Rd, StopIt server SSd); the arrows (1) to (5) correspond to the steps below.
1 The victim Hd detects the attack and sends a blocking request to its access router Rd.
2 Rd verifies that the source Hs is really sending data to the server; then it installs a local filter and sends a flow-blocking request to the StopIt server SSd.
3 SSd forwards the request toward the StopIt server belonging to the sourcing AS by using the BGP protocol.
4 The StopIt server SSs within the sourcing AS, once it has received the request, notifies the blocking request to its access router Rs.
5 Finally, the access router of ASd installs the filter to block the flow for a certain period.
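The five steps above as a minimal logical-clock model, added here as an example (not the authors' ns-3 code). The class names, the `servers` map standing in for the BGP-based lookup of the sourcing AS, and the verification in step 2 (the router only honours requests for flows it has actually seen) are assumptions.

```python
class AccessRouter:
    def __init__(self, asn, stopit_server):
        self.asn = asn
        self.stopit = stopit_server
        self.filters = {}        # (src, dst) -> time at which the filter expires
        self.seen_flows = set()  # flows actually observed on this router
    def forward(self, src, dst, now):
        """Return True if the packet is forwarded, False if it is filtered."""
        expiry = self.filters.get((src, dst))
        if expiry is not None and now < expiry:
            return False
        self.seen_flows.add((src, dst))
        return True
    def install_filter(self, src, dst, now, duration):   # step 5: timed filter
        self.filters[(src, dst)] = now + duration
    def block_request(self, src, dst, now, duration):    # step 2
        if (src, dst) not in self.seen_flows:
            return False  # Hs is not really sending to Hd: request ignored
        self.install_filter(src, dst, now, duration)     # local filter
        self.stopit.block(src, dst, now, duration)       # hand over to SSd
        return True


class StopItServer:
    """StopIt server SS of an AS; 'servers' maps AS -> server (BGP stand-in)."""
    def __init__(self, asn, servers, host_as):
        self.asn, self.servers, self.host_as = asn, servers, host_as
        self.router = None
        servers[asn] = self
    def block(self, src, dst, now, duration):
        if self.host_as[src] != self.asn:            # step 3: forward to source AS
            self.servers[self.host_as[src]].block(src, dst, now, duration)
        else:                                        # step 4: notify own router Rs
            self.router.install_filter(src, dst, now, duration)


def run_scenario(t_attack=20, t_detect=23, block_for=10):
    """Constructed scenario: Hs in ASs floods Hd in ASd (times in seconds)."""
    servers, host_as = {}, {"Hs": "ASs", "Hd": "ASd"}
    sss, ssd = StopItServer("ASs", servers, host_as), StopItServer("ASd", servers, host_as)
    rs, rd = AccessRouter("ASs", sss), AccessRouter("ASd", ssd)
    sss.router, ssd.router = rs, rd
    rs.forward("Hs", "Hd", t_attack); rd.forward("Hs", "Hd", t_attack)  # attack flow
    accepted = rd.block_request("Hs", "Hd", t_detect, block_for)        # step 1
    bogus = rd.block_request("Hx", "Hd", t_detect, block_for)  # flow never seen
    blocked = not rs.forward("Hs", "Hd", t_detect + 1)
    expired = rs.forward("Hs", "Hd", t_detect + block_for)
    return accepted, bogus, blocked, expired
```

Running `run_scenario()` shows the filter being installed on the source side and expiring after the blocking period, while a request for a flow the router never observed is rejected.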
DiffServ
DiffServ is a coarse-grained, class-based mechanism for traffic management and QoS differentiation.
Traffic is first classified by taking into account a specific priority.
Then it is forwarded according to one of three per-hop behaviour (PHB) mechanisms.
PHBs
Assured Forwarding (AF): gives assurance of delivery under prescribed and stringent conditions (Premium Service)
Expedited Forwarding (EF): dedicated to low-loss, low-latency traffic
Default Behaviour (BE): typically used for best-effort traffic
Modelling with ns-3: class hierarchy
DNSServer models the behavior (see next slide) of a DNS server able to process up to n requests in parallel.
StopItServer reproduces the behavior of a StopIt server.
AccessRouter implements the router application which is in charge of packet filtering, dispatching of StopIt requests and DiffServ policy enforcement.
DNS server behaviour
FSA model of the DNS server (states: Available, Busy; initially av = RN)
Available, DNSRequest [av>1] / av--; process(request) -> Available
Available, DNSRequest [av==1] / av--; process(request) -> Busy
Available, endProcess / av++ -> Available
Busy, DNSRequest [!bufferFull] / enqueue(request) -> Busy
Busy, DNSRequest [bufferFull] / drop(request) -> Busy
Busy, endProcess [!bufferEmpty] / process(dequeue()) -> Busy
Busy, endProcess [bufferEmpty] / av++ -> Available
The above FSA models the behavior of a general server having RN resources and a limited buffer capacity for storing pending requests. It has been implemented by exploiting the State design pattern.
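The FSA above implemented with the State design pattern, as an added example and not the authors' ns-3 class. Class and method names are assumptions; each event is delivered to the current state object, which performs the action and the transition, and `endProcess` is raised by the caller rather than by a scheduled timer.

```python
from collections import deque

class DNSServerModel:
    """Server with RN parallel resources and a bounded buffer of pending requests."""
    def __init__(self, resources, buffer_size):
        self.av = resources          # free resources, av = RN initially
        self.buffer_size = buffer_size
        self.pending = deque()
        self.processing = 0
        self.dropped = 0
        self.state = Available(self) # current State object
    def dns_request(self, request):  # event DNSRequest
        self.state.dns_request(request)
    def end_process(self):           # event endProcess
        self.processing -= 1
        self.state.end_process()
    def process(self, request):      # action process(request)
        self.processing += 1
    def snapshot(self):
        return (type(self.state).__name__, self.av, self.processing,
                len(self.pending), self.dropped)

class Available:
    def __init__(self, srv):
        self.srv = srv
    def dns_request(self, request):
        s = self.srv
        s.av -= 1                    # [av>1] and [av==1]: av--; process(request)
        s.process(request)
        if s.av == 0:                # guard [av==1] held: last resource taken -> Busy
            s.state = Busy(s)
    def end_process(self):
        self.srv.av += 1             # endProcess / av++

class Busy:
    def __init__(self, srv):
        self.srv = srv
    def dns_request(self, request):
        s = self.srv
        if len(s.pending) < s.buffer_size:   # [!bufferFull] / enqueue(request)
            s.pending.append(request)
        else:                                # [bufferFull] / drop(request)
            s.dropped += 1
    def end_process(self):
        s = self.srv
        if s.pending:                        # [!bufferEmpty] / process(dequeue())
            s.process(s.pending.popleft())
        else:                                # [bufferEmpty] / av++ -> Available
            s.av += 1
            s.state = Available(s)
```

With RN = 2 and a one-slot buffer, the third request is queued and the fourth is dropped, which is exactly the resource exhaustion a flooding attack relies on.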
Simulation scenario: network topology
Figure: source ASs ASs0 ... ASsj ... ASsk ... ASsn, each with an access router Rs0 ... Rsn and a StopIt server SS0 ... SSn, connected through the intermediate network to the victim's AS ASd, which contains the access router Rd, the StopIt server SSd, the victim Hd and the host Hu sharing the link Ld.
First zone: 10 ASs, 50 hosts each, contains traffic sources (50% corrupted).
Second zone: intermediate network.
Third zone: victim's AS.
Simulation Parameters
Traffic sources
24 VoIP (iLBC mode 30 codec at 13.33 kbps) [AF]
230 HTTP sources [BE]
230 DNS clients (50% malicious) [BE]
Links: bandwidth 10 Mbps; delay 1 ms
DNS service: resources 8; buffer size 200; mean service time 5 ms
Legal DNS traffic: packet size 26 bytes; packet rate 1 pkt/s
Malicious traffic: packet size 78 bytes; packet rate 100 pkt/s
Direct Flooding Attack
Figure (a): Direct DNS DDoS attack, plotted as DNS, VoIP, HTTP and total traffic. Figure (b): Detail of legal DNS requests and malicious DDoS traffic.
The attack begins at t = 20 s and it is detected at t = 23 s.
After the filters are installed, the botnet traffic is blocked.
VoIP traffic is unaffected due to DiffServ.
Shared Link Flooding Attack (StopIt only)
Figure: StopIt alone, plotted as DNS, VoIP, HTTP and total traffic during the DDoS.
StopIt is not able to face the attack.
VoIP traffic is unaffected.
In this scenario the attack is carried out by flooding the host Hu, located in the same AS as the victim Hd.
The bandwidth of the link shared by Hu, Hd and the other hosts of the same AS is exhausted by the attack.
Hd observes a drastic decrease in the number of received requests.
StopIt and DiffServ cooperation (1)
Assumptions
At least one StopIt server is present within each AS;
Each AS corresponds to a DiffServ domain;
In each DiffServ domain, the packets coming from the StopIt server are managed through the highest priority Assured Forwarding (AF) queue;
The DiffServ system is able to install new Service Level Agreements (SLAs) at run time;
The server Hd experiencing a performance degradation is able to detect anomalous traffic conditions by using a specific detection algorithm.
StopIt and DiffServ cooperation (2)
Once the server Hd detects a decrease in its performance, mostly due to traffic anomalies, it activates the joint StopIt-DiffServ defense mechanism by executing the following steps:
1 Hd sends a temporary DiffServ activation request toward the access router Rd within its AS;
2 Rd forwards the request to the StopIt server after filling the packet with the information about all the interfaces connected to the AS;
3 The StopIt server installs the specific SLA for a certain time Tb, then it decreases the hop limit field by one and forwards the request to all the neighbour ASs;
4 The other StopIt servers, once they have received the request packet, repeat the actions from point 2 until the hop limit field reaches zero.
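The hop-limited propagation of steps 2 to 4, added here as an example (not the authors' ns-3 code). The sample topology, the per-request de-duplication that stops a request from looping back between neighbours, and the rule that a server only forwards while the decremented hop limit is still above zero are assumptions.

```python
class StopItDiffServAS:
    """One AS = one DiffServ domain with its StopIt server (assumption from the slide)."""
    def __init__(self, name, neighbours):
        self.name = name
        self.neighbours = neighbours   # interfaces Rd fills into the request at step 2
        self.slas = {}                 # request id -> expiry of the temporary SLA
        self.seen = set()              # request ids already handled (loop guard)
    def sla_active(self, req_id, now):
        return self.slas.get(req_id, -1) > now

def activate(domains, origin, req_id, hop_limit, now, t_b):
    """Steps 2-4: install the SLA for T_b, decrement the hop limit, flood onwards.
    Returns the set of ASs that installed the SLA for this request."""
    dom = domains[origin]
    if req_id in dom.seen:             # assumption: each AS handles a request once
        return set()
    dom.seen.add(req_id)
    dom.slas[req_id] = now + t_b       # step 3: SLA installed for T_b
    reached = {origin}
    hop_limit -= 1                     # step 3: decrement the hop limit field
    if hop_limit > 0:                  # step 4: neighbours repeat until it reaches zero
        for nb in dom.neighbours:
            reached |= activate(domains, nb, req_id, hop_limit, now, t_b)
    return reached

def build_topology():
    """Constructed sample topology: victim's AS ASd plus a chain of neighbours."""
    links = {"ASd": ["AS1", "AS2"], "AS1": ["ASd", "AS3"], "AS2": ["ASd"],
             "AS3": ["AS1", "AS4"], "AS4": ["AS3"]}
    return {name: StopItDiffServAS(name, nbs) for name, nbs in links.items()}
```

The hop limit bounds how far the temporary SLA spreads from the victim's AS, and the expiry makes the priority treatment fall back to normal after Tb without a second protocol round.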
Shared Link Flooding Attack
Figure (StopIt): DNS, VoIP, HTTP and total traffic during the DDoS.
StopIt is not able to face the attack.
VoIP traffic is unaffected.
Figure (StopIt + DiffServ): DNS, VoIP, HTTP and total traffic during the DDoS.
The necessary bandwidth for the DNS server is ensured.
HTTP traffic still remains affected by the DoS.
Conclusions
A ns-3 simulation model for the analysis of DDoS attacks has been implemented.
A novel defense mechanism based on the cooperation of StopIt and DiffServ has been defined and evaluated.
The technique overcomes StopIt limitations in that it is able to cope with indirect DDoS flooding attacks.
Future work
Devise a better technique for exploiting DiffServ capability (e.g. by lowering the priority of flooding traffic).
Design suitable detection algorithms able to cooperate with StopIt for blocking malicious sources also in the case of indirect attacks.
Relax the constraint of the existence of a StopIt server for each AS.
Acknowledgments
This work has been partially supported by MIUR-PON under project PON03PE 00032 2 02 within the framework of the Technological District on Cyber Security.
Questions?