Packet Score: Statistics-based Overload Control against Distributed Denial-of-Service Attacks
Yoohwan Kim, Wing Cheong Lau, Mooi Choo Chuah, H. Jonathan Chao
Presenter: Yatin Manjrekar

Posted on 20-Dec-2015



Agenda

• Introduction
• Overview of the PacketScore approach
• PacketScore methodologies
• Performance evaluation
• Conclusion

Introduction

• Denial-of-service attack: overload the server to bring it down
• Distributed denial-of-service attack
  – End point attacks
  – Infrastructure attacks
• Limitations of manual detection

Introduction (cont.)

• D-WARD approach
  – Statistical traffic profiling at the edge of the network
  – Aims at stopping the attack near its source
  – Viability hinges on cooperation of the ingress network administrator
  – Deployment issue (backbone network?)
• Available commercial products do not fully automate packet differentiation and filter enforcement

Overview of the PacketScore approach

• Three phases (3D-R)
  – Detect the onset of an attack
  – Differentiate between legitimate and attack packets using CLP
  – Discard packets selectively
• What is PacketScore? A score-based filtering approach.

PacketScore methodologies

• Packet differentiation via fine-grained traffic profile comparison
  – Assumption: some traffic characteristics are stable during normal operation
  – An increase in the frequency of a packet attribute value indicates attack packets
  – Can one guess the distribution of an attribute?

Attribute value distribution (three slides; slide content not in transcript)

Conditional Legitimate Probability (CLP)

• The likelihood of a suspicious packet being legitimate
• Each packet carries a set of discrete-valued attributes
• Joint distribution for strongly correlated attributes
• Marginal distribution for other attributes

Conditional Legitimate Probability (CLP), cont. (two slides; slide content not in transcript)

Variation of nominal profiles

• The nominal traffic profile is a function of time
  – The traffic profile changes with day of week and time of day
  – These profile changes can be handled using periodic recalibration
  – The 95th percentile is used to save storage

Managing nominal traffic profiles

• Iceberg-style histograms
  – The traffic profile of each target is stored in the form of normalized histograms
  – Iceberg histograms include only the most frequent entries
  – Missing entries are assumed to have the relative upper-bound frequency
  – The per-target profile is kept to a manageable size, which saves on storage

Real-time profiling

• The packet attribute distributions are updated on packet arrival
• Updating is decoupled from computing the CLP and done in parallel at a different time scale
• The CLP is computed from a recent snapshot of the measured histograms
• A set of scorebooks is generated, each mapping a specific combination of attribute values

Real-time traffic profiling (slide content not in transcript)

Selective packet discarding

• On arrival of a suspicious packet
  – CLP is the differentiating metric
  – The aggregate arrival rate is adjusted, which in turn changes the load-shedding algorithm
  – Packet attributes are used to update the traffic profile
  – The CLP-based score is computed using frozen (snapshot) scorebooks
  – The packet is discarded if its CLP is less than the threshold
  – Immunity rules can be used for packets with a minimum throughput requirement
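To make the CLP, iceberg-histogram and selective-discard slides above concrete, here is an added toy implementation in Python; it is not code from the PacketScore authors or the slides. The CLP form used (nominal-to-measured arrival-rate ratio times the product of per-attribute nominal-to-measured frequency ratios, marginals only), the three-attribute set and the traffic mix are assumptions constructed for this example.

```python
import math
from collections import Counter
ATTRS = ("proto", "dport", "ttl")  # hypothetical attribute set for the demo

def marginal(packets, attr):
    """Normalized histogram (marginal distribution) of one packet attribute."""
    return {v: c / len(packets) for v, c in Counter(p[attr] for p in packets).items()}

def iceberg(hist, keep):
    """Iceberg histogram: keep the top `keep` entries; smallest kept frequency bounds the rest."""
    top = sorted(hist.items(), key=lambda kv: kv[1], reverse=True)[:keep]
    return {"entries": dict(top), "bound": top[-1][1]}

def build_profile(packets, keep=3):
    return {a: iceberg(marginal(packets, a), keep) for a in ATTRS}

def log_clp(packet, nominal, measured, rate_ratio):
    """log CLP, assumed form: log(rate_n / rate_m) + sum_a [log P_n(a) - log P_m(a)]."""
    score = math.log(rate_ratio)
    for a in ATTRS:
        pn = nominal[a]["entries"].get(packet[a], nominal[a]["bound"])   # missing -> upper bound
        pm = measured[a]["entries"].get(packet[a], measured[a]["bound"])
        score += math.log(pn) - math.log(pm)
    return score

def select_threshold(scores, measured_rate, capacity):
    """Load shedding: drop whole score bins from the lowest up until the kept
    rate fits the capacity; with no overload the lowest score is returned."""
    need, dropped = (1 - capacity / measured_rate) * len(scores), 0
    for s, n in sorted(Counter(scores).items()):
        if dropped >= need:
            return s
        dropped += n
    return math.inf

def filter_packets(packets, nominal, nominal_rate, measured_rate, capacity):
    measured = build_profile(packets)  # frozen snapshot of the current profile
    scores = [log_clp(p, nominal, measured, nominal_rate / measured_rate) for p in packets]
    thr = select_threshold(scores, measured_rate, capacity)
    return [p for p, s in zip(packets, scores) if s >= thr]  # discard below threshold

# Constructed sample traffic (not captures): a TCP/80-heavy nominal mix plus a
# UDP/1434 flood in the style of the SQL Slammer case on the slides.
NOMINAL = ([{"proto": "tcp", "dport": 80, "ttl": 64}] * 70
           + [{"proto": "tcp", "dport": 443, "ttl": 128}] * 20
           + [{"proto": "udp", "dport": 53, "ttl": 64}] * 10)
FLOOD = [{"proto": "udp", "dport": 1434, "ttl": 250}] * 300
def demo(capacity=120):
    """Nominal 100 pkt/s, measured 400 pkt/s: returns the packets that survive."""
    return filter_packets(NOMINAL + FLOOD, build_profile(NOMINAL), 100, 400, capacity)
```

Because a threshold removes an entire score bin at once, the discarded fraction can overshoot the overload fraction, as the tied flood scores here show (300 dropped where 280 would have sufficed).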

Performance evaluation

Performance criteria
• Difference in the score distributions RA and RL
• The score distribution has a long, thin tail with outliers
• MinL (MaxA) is the 1st (99th) percentile used

Evaluated attack types

• Generic attack
• TCP SYN flood attack
• SQL Slammer worm attack
• Nominal attack
• Mixed attack
• Changing attack

Effect of increasing attack intensity (slide content not in transcript)

Nominal profile sensitivity (slide content not in transcript)

Different options of scoring strategies (slide content not in transcript)

Scoring strategy (slide content not in transcript)

Setting thresholds (slide content not in transcript)

Conclusion

• Collaboration of 3D-R and DCS defends against DDoS attacks
• The proposed scheme leverages hardware implementation of data stream processing techniques
• We studied the performance and design tradeoffs of the proposed packet scoring scheme
• It can tackle never-before-seen DDoS attacks (weak claim? too many parameters?)

Q & A

Comments?