Modelling and simulation of a defense strategy to face indirect DDoS flooding attacks
A. Furfaro, P. Pace, A. Parise, L. Molina Valdiviezo
Università della Calabria, D.I.M.E.S – 87036 Rende (CS) - Italy
Email: [email protected]
September 24, 2014
A. Furfaro et al., A defense strategy against indirect DDoS flooding attacks, September 24, 2014, slide 1 / 19

Page 1

Modelling and simulation of a defense strategy to face indirect DDoS flooding attacks

A. Furfaro, P. Pace, A. Parise, L. Molina Valdiviezo

Università della Calabria, D.I.M.E.S – 87036 Rende (CS) - Italy

Email: [email protected]

September 24, 2014

Page 2

Objectives

Development of a simulation model enabling the study and the analysis of defense techniques against Distributed Denial of Service (DDoS)

Extension of the StopIt technique for widening its applicability to more complex DDoS attack scenarios, i.e. shared link congestion.

Outline

DDoS attacks
Defense mechanisms
StopIt
DiffServ
An ns-3 simulation model
A novel defense technique exploiting StopIt and DiffServ
Results
Conclusions and future work

Page 3

Distributed Denial of Service (DDoS)

© Cisco Systems, Inc.

Cyber Security has become a very hot issue due to the large and ever increasing diffusion of Internet-connected devices

DDoS is one of the most sophisticated attack techniques

Due to its distributed nature, it is not easy to face

DoS attacks are carried out by a Botnet consisting of widely scattered and remotely controlled computers called zombies

Zombies send a big amount of service requests and data traffic to the target victim in order to exhaust its resources

Page 4

DDoS defence mechanisms

[Figure: taxonomy of DDoS defense mechanisms by deployment point. Source-based mechanisms sit in the source AS (source's edge router, access router); destination-based mechanisms sit in the destination AS (destination's edge router, access router); network-based mechanisms sit in the intermediate ASs (ASx, ASy, ASz); hybrid mechanisms combine these locations.]

Zargar et al.: A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks. IEEE Communications Surveys & Tutorials, 14(4):2046–2069, 2013

Hybrid defence mechanisms are the most effective!

Page 5

Hybrid mechanisms

Throttling/filtering and hybrid packet marking: installation, by the victim's side, of a router throttle at upstream routers several hops away, with the aim of limiting the forwarded packet data rate. It only limits the rate of malicious packets.

Capability-based: short-term authorization from the receivers by adding specific stamps on their packets. The recipients explicitly authorize the traffic they would like to receive.

Active Internet Traffic Filtering (AITF): explicit refusal of traffic identified as undesirable. It needs a bounded amount of filtering resources from participating ISPs.

StopIt: see next slides.

Page 6

StopIt operation

[Figure: StopIt operation. Source AS ASs with host Hs, access router Rs and StopIt server SSs; intermediate AS ASi with StopIt server SSi; destination AS ASd with the victim Hd, the host Hu, access router Rd and StopIt server SSd. Arrows (1) to (5) correspond to the steps below.]

1 The victim Hd detects the attack and sends a blocking request to its access router Rd

2 Rd verifies that the source Hs is really sending data to the server; then it installs a local filter and sends a flow-blocking request to the StopIt server SSd

3 SSd forwards the request toward the StopIt server belonging to the sourcing AS by using the BGP protocol.

4 The StopIt server SSs within the sourcing AS, once it has received the request, notifies the blocking request to its access router Rs

5 Finally, the access router of ASd installs the filter to block the flow for a certain period.

Page 7

DiffServ

DiffServ is a coarse-grained, class-based mechanism for traffic management and QoS differentiation. Traffic is first classified by taking into account a specific priority; then it is forwarded according to one of three per-hop behaviour (PHB) mechanisms.

PHBs

Assured Forwarding (AF): gives assurance of delivery under prescribed and stringent conditions (Premium Service)
Expedited Forwarding (EF): dedicated to low-loss, low-latency traffic
Default Behaviour (BE): typically used for best-effort traffic

Page 8

Modelling with ns-3: class hierarchy

DNSServer models the behaviour (see next slide) of a DNS server able to process up to n requests in parallel
StopItServer reproduces the behaviour of a StopIt server
AccessRouter implements the router application which is in charge of packet filtering, dispatching of StopIt requests and DiffServ policy enforcement.

Page 9

DNS server behaviour

FSA model of the DNS server

States: Available, Busy. Initial state: Available, with av = RN.

Transitions from Available:
DNSRequest [av > 1] / av--; process(request)  -> Available
DNSRequest [av == 1] / av--; process(request) -> Busy
endProcess / av++                             -> Available

Transitions from Busy:
DNSRequest [!bufferFull] / enqueue(request)   -> Busy
DNSRequest [bufferFull] / drop(request)       -> Busy
endProcess [bufferEmpty] / av++               -> Available
endProcess [!bufferEmpty] / process(dequeue()) -> Busy

The above FSA models the behaviour of a general server having RN resources and a limited buffer capacity for storing pending requests. It has been implemented by exploiting the State design pattern.
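As an added illustration of the FSA above (this is not the authors' ns-3 DNSServer code), the following C++ sketch implements the Available/Busy machine with the State design pattern: RN resources (av starts at RN), a bounded buffer for pending requests, and a drop when the buffer is full. The class and method names are ours, and process() only counts started requests because no real DNS work is simulated; the guard that keeps av from exceeding RN on a stray endProcess is our addition.

```cpp
// Added example: bounded-resource server FSA (Available / Busy) via the State pattern.
// Not the authors' ns-3 DNSServer; names are ours. process() only counts started
// requests, since no real DNS work is simulated here.
#include <cstddef>
#include <deque>
#include <iostream>
#include <string>

class Server;

// Abstract state: one handler per FSA event (DNSRequest, endProcess).
struct State {
    virtual ~State() = default;
    virtual void dnsRequest(Server& s, int reqId) = 0;
    virtual void endProcess(Server& s) = 0;
    virtual const char* name() const = 0;
};

class Server {
public:
    Server(int rn, std::size_t bufferSize);
    // Events are delegated to the current state object.
    void dnsRequest(int reqId) { state_->dnsRequest(*this, reqId); }
    void endProcess()          { state_->endProcess(*this); }
    // Observers used by the guards and by the reader.
    int available() const { return av_; }
    bool bufferFull() const { return buffer_.size() >= cap_; }
    bool bufferEmpty() const { return buffer_.empty(); }
    std::size_t pending() const { return buffer_.size(); }
    int started() const { return started_; }
    int dropped() const { return dropped_; }
    std::string stateName() const { return state_->name(); }
    // Actions named on the FSA labels.
    void take()                 { --av_; }                       // av--
    void release()              { if (av_ < rn_) ++av_; }        // av++ (never above RN; our guard)
    void process(int /*reqId*/) { ++started_; }                  // process(request): counted only
    void enqueue(int reqId)     { buffer_.push_back(reqId); }
    int  dequeue()              { int r = buffer_.front(); buffer_.pop_front(); return r; }
    void drop(int /*reqId*/)    { ++dropped_; }
    void setState(State& s)     { state_ = &s; }
private:
    int rn_, av_, started_ = 0, dropped_ = 0;
    std::size_t cap_;
    std::deque<int> buffer_;
    State* state_;
};

// Concrete states are stateless singletons, so switching state inside a handler is safe.
struct Available : State {
    static Available& instance() { static Available a; return a; }
    void dnsRequest(Server& s, int reqId) override;
    void endProcess(Server& s) override { s.release(); }          // endProcess / av++
    const char* name() const override { return "Available"; }
};

struct Busy : State {
    static Busy& instance() { static Busy b; return b; }
    void dnsRequest(Server& s, int reqId) override {
        if (!s.bufferFull()) s.enqueue(reqId);   // DNSRequest [!bufferFull] / enqueue(request)
        else s.drop(reqId);                      // DNSRequest [bufferFull] / drop(request)
    }
    void endProcess(Server& s) override {
        if (s.bufferEmpty()) {                   // endProcess [bufferEmpty] / av++ -> Available
            s.release();
            s.setState(Available::instance());
        } else {
            s.process(s.dequeue());              // endProcess [!bufferEmpty] / process(dequeue())
        }
    }
    const char* name() const override { return "Busy"; }
};

void Available::dnsRequest(Server& s, int reqId) {
    bool last = (s.available() == 1);            // distinguishes [av==1] from [av>1]
    s.take();
    s.process(reqId);                            // av--; process(request)
    if (last) s.setState(Busy::instance());      // [av==1] -> Busy, otherwise stay Available
}

Server::Server(int rn, std::size_t bufferSize)
    : rn_(rn), av_(rn), cap_(bufferSize),
      state_(rn > 0 ? static_cast<State*>(&Available::instance()) : &Busy::instance()) {}

int main() {
    // Constructed trace: RN = 2, buffer of 1; four arrivals then three completions.
    Server s(2, 1);
    for (int id = 1; id <= 4; ++id) s.dnsRequest(id);
    for (int i = 0; i < 3; ++i) s.endProcess();
    std::cout << s.stateName() << " av=" << s.available()
              << " started=" << s.started() << " dropped=" << s.dropped() << "\n";
    return 0;
}
```

With RN = 2 and a one-slot buffer, the third request is queued and the fourth is dropped; the first completion pulls the queued request into service without touching av, exactly as the endProcess [!bufferEmpty] label says.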

Page 10

Simulation Scenario: network topology

[Figure: simulated network topology. Source ASs ASs0 ... ASsj ... ASsk ... ASsn, each with an access router (Rs0 ... Rsn) and a StopIt server (SS0 ... SSn), connected through an intermediate network to the victim's AS ASd, which contains the access router Rd, the StopIt server SSd, the victim Hd, the host Hu and the shared link Ld.]

First zone: 10 ASs, 50 hosts each, contains traffic sources (50% corrupted)
Second zone: intermediate network
Third zone: victim's AS.

Page 11

Simulation Parameters

Traffic sources
24 VoIP sources (iLBC mode 30 codec at 13.33 kbps) [AF]
230 HTTP sources [BE]
230 DNS clients (50% malicious) [BE]

Links
Bandwidth: 10 Mbps
Delay: 1 ms

DNS service
Resources: 8
Buffer size: 200
Mean service time: 5 ms

Legal DNS traffic
Packet size: 26 bytes
Packet rate: 1 pkt/s

Malicious traffic
Packet size: 78 bytes
Packet rate: 100 pkt/s

Page 12

Direct Flooding Attack

[Figure: (a) Direct DNS DDoS attack: DNS, VoIP, HTTP and total traffic over time. (b) Detail of legal and malicious DNS traffic: legal requests versus DDoS traffic.]

The attack begins at t = 20 s and it is detected at t = 23 s
After the filters are installed the botnet traffic is blocked
VoIP traffic is unaffected due to DiffServ

Page 13

Shared Link Flooding Attack (StopIt only)

[Figure: StopIt only; DNS, VoIP, HTTP and total traffic under DDoS.]

StopIt is not able to face the attack
VoIP traffic is unaffected

In this scenario the attack is achieved by flooding the host Hu in the same AS as the victim Hd

The bandwidth of the link shared by Hu, Hd and the other hosts of the same AS is exhausted by the attack
Hd observes a drastic decrease in the number of received requests.

Page 14

StopIt and DiffServ cooperation (1)

Assumptions

At least one StopIt server is present within each AS;
Each AS corresponds to a DiffServ domain;
In each DiffServ domain, the packets coming from the StopIt server are managed through the highest priority Assured Forwarding (AF) queue;
The DiffServ system is able to install new Service Level Agreements (SLAs) at run time;
The server Hd experiencing a performance degradation is able to detect anomalous traffic conditions by using a specific detection algorithm.

Page 15

StopIt and DiffServ cooperation (2)

Once the server Hd detects a decrease in its performance, mostly due to traffic anomalies, it starts the activation of the joint StopIt-DiffServ defense mechanism by executing the following steps:

1 Hd sends a temporary DiffServ activation request toward the access router Rd within its AS

2 Rd forwards the request to the StopIt server after filling the packet with the information about all the interfaces connected to the AS;

3 The StopIt server installs the specific SLA for a certain time Tb, then it decreases the hop limit field by one and forwards the request to all the neighbour ASs

4 The other StopIt servers, once they have received the request packet, repeat the actions from point 2 until the hop limit field reaches zero.
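As an added example covering both the StopIt blocking request of the "StopIt operation" slide and the joint StopIt-DiffServ activation above (not the authors' ns-3 model), the C++ sketch below runs the two procedures over a toy AS graph. The AsNode/Network types, the replacement of the BGP-based lookup of SSs by a map lookup, the breadth-first flooding with a visited set, and the reading "a server that decrements the hop limit to zero installs the SLA but forwards no further" are our assumptions.

```cpp
// Added example: StopIt blocking request (steps 1-5) and joint StopIt-DiffServ
// activation (steps 1-4) over a toy AS graph. Not the authors' ns-3 model;
// the types, the BFS flooding and the hop-limit reading are our assumptions.
#include <deque>
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>

using FlowKey = std::pair<std::string, std::string>;  // (source host, destination host)

struct AsNode {
    std::vector<int> neighbours;         // interfaces (neighbour ASs) connected to this AS
    std::set<std::string> hosts;         // hosts homed in this AS
    std::set<FlowKey> activeFlows;       // flows the access router currently observes
    std::map<FlowKey, double> filters;   // access-router filters: flow -> expiry time
    double slaExpiry = 0.0;              // DiffServ SLA installed by the StopIt server
};

class Network {
public:
    void addAs(int id, std::vector<int> nbs, std::set<std::string> hosts) {
        AsNode n;
        n.neighbours = std::move(nbs);
        n.hosts = std::move(hosts);
        nodes_[id] = std::move(n);
    }
    void observeFlow(int asId, const FlowKey& f) { nodes_.at(asId).activeFlows.insert(f); }
    int asOf(const std::string& host) const {
        for (const auto& kv : nodes_) if (kv.second.hosts.count(host)) return kv.first;
        return -1;
    }
    // StopIt operation, steps 1-5. True when the filter reaches the source access router.
    bool stopItBlock(const std::string& victim, const std::string& source,
                     double now, double period) {
        int asd = asOf(victim), ass = asOf(source);
        if (asd < 0 || ass < 0) return false;
        AsNode& rd = nodes_.at(asd);
        FlowKey f{source, victim};
        if (!rd.activeFlows.count(f)) return false;  // step 2: Rd checks Hs really sends to Hd
        rd.filters[f] = now + period;                // step 2: local filter at Rd
        // steps 3-4: SSd -> SSs -> Rs; the BGP lookup of SSs is abstracted to a map lookup
        nodes_.at(ass).filters[f] = now + period;    // step 5: source-side filter for `period`
        return true;
    }
    bool isFiltered(int asId, const FlowKey& f, double now) const {
        const auto& fl = nodes_.at(asId).filters;
        auto it = fl.find(f);
        return it != fl.end() && now < it->second;
    }
    // Joint mechanism, steps 1-4. Returns the ASs whose StopIt server installed the SLA.
    std::set<int> activateDiffServ(const std::string& victim, int hopLimit,
                                   double now, double tb) {
        std::set<int> installed;
        int origin = asOf(victim);
        if (origin < 0 || hopLimit <= 0) return installed;
        std::deque<std::pair<int, int>> queue;       // (AS, hop limit as received)
        queue.push_back({origin, hopLimit});         // step 1: request enters at Rd
        installed.insert(origin);
        while (!queue.empty()) {
            std::pair<int, int> cur = queue.front(); queue.pop_front();
            AsNode& n = nodes_.at(cur.first);
            n.slaExpiry = now + tb;                  // step 3: SLA installed for Tb
            int remaining = cur.second - 1;          // step 3: hop limit decremented
            if (remaining <= 0) continue;            // step 4: field reached zero, stop
            for (int nb : n.neighbours)              // step 2: interfaces of this AS
                if (installed.insert(nb).second) queue.push_back({nb, remaining});
        }
        return installed;
    }
    bool slaActive(int asId, double now) const { return now < nodes_.at(asId).slaExpiry; }
private:
    std::map<int, AsNode> nodes_;
};

int main() {
    // Constructed topology: victim AS 0 (Hd, Hu) - AS 1 - AS 3 (Hs); AS 2 is a stub of AS 0.
    Network net;
    net.addAs(0, {1, 2}, {"Hd", "Hu"});
    net.addAs(1, {0, 3}, {});
    net.addAs(2, {0}, {});
    net.addAs(3, {1}, {"Hs"});
    net.observeFlow(0, {"Hs", "Hd"});
    std::cout << "blocked: " << net.stopItBlock("Hd", "Hs", 0.0, 10.0)
              << ", SLAs with hop limit 2: " << net.activateDiffServ("Hd", 2, 0.0, 30.0).size()
              << "\n";
    return 0;
}
```

The visited set is what keeps the flood bounded when the AS graph has cycles; the hop limit alone only bounds its radius. Breadth-first order ensures that every AS is first reached over the shortest path, so it sees the largest hop limit it could receive.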

Page 16

Shared Link Flooding Attack

StopIt
[Figure: StopIt only; DNS, VoIP, HTTP and total traffic under DDoS.]
StopIt is not able to face the attack
VoIP traffic is unaffected

StopIt + DiffServ
[Figure: StopIt + DiffServ; DNS, VoIP, HTTP and total traffic under DDoS.]
The necessary bandwidth for the DNS server is ensured
HTTP traffic still remains affected by DoS

Page 17

Conclusions

An ns-3 simulation model for the analysis of DDoS attacks has been implemented
A novel defense mechanism based on the cooperation of StopIt and DiffServ has been defined and evaluated
The technique overcomes StopIt limitations in that it is able to cope with indirect DDoS flooding attacks.

Future work

Devise a better technique for exploiting DiffServ capability (e.g. by lowering the priority of flooding traffic)
Design suitable detection algorithms able to cooperate with StopIt for blocking malicious sources also in the case of indirect attacks
Relax the constraint of the existence of a StopIt server for each AS.

Page 18

Acknowledgments

This work has been partially supported by MIUR-PON under project PON03PE 00032 2 02 within the framework of the Technological District on Cyber Security

Page 19

Questions?
