Packet Score: Statistics-based Overload Control against Distributed Denial-of-Service Attacks: ...
Posted on 20-Dec-2015
Packet Score: Statistics-based Overload Control against Distributed Denial-of-Service Attacks
Yoohwan Kim, Wing Cheong Lau, Mooi Choo Chuah, H. Jonathan Chao
Presenter: Yatin Manjrekar
Agenda
• Introduction
• Overview of the PacketScore approach
• PacketScore methodologies
• Performance evaluation
• Conclusion
Introduction
• Denial-of-service attack
  – Overload the server to bring it down
• Distributed denial-of-service attack
  – End-point attacks
  – Infrastructure attacks
• Limitations of manual detection
Introduction (cont.)
• D-WARD approach
  – Statistical traffic profiling at the edge of the network
  – Aims at stopping the attack near its source
  – Viability hinges on the cooperation of the ingress network administrator
  – Deployment issue (backbone network?)
• Available commercial products do not fully automate packet differentiation and filter enforcement
Overview of the PacketScore approach
• Three phases (3D-R)
  – Detect the onset of an attack
  – Differentiate between legitimate and attack packets using CLP
  – Discard packets selectively
• What is PacketScore?
  – A score-based filtering approach
PacketScore methodologies
• Packet differentiation via fine-grained traffic profile comparison
  – Assumption: some traffic characteristics are stable during normal operation
  – An increase in the frequency of a packet attribute value indicates attack packets
  – Can one guess the distribution of an attribute?
Conditional Legitimate Probability (CLP)
• The likelihood of a suspicious packet being legitimate
• Each packet carries a set of discrete-valued attributes
• Joint distribution for strongly correlated attributes
• Marginal distribution for the other attributes
Variation of nominal profiles
• The nominal traffic profile is a function of time
  – The traffic profile changes with day of week and time of day
  – These profile changes could be handled using periodic recalibration
  – The 95th percentile is used to save storage
Managing nominal traffic profiles
• Iceberg-style histograms
  – The traffic profile of each target is stored in the form of normalized histograms
  – Iceberg histograms only include the most frequent entries
  – Missing entries are assumed to occur at a relative upper-bound frequency
  – The per-target profile is kept to a manageable size, which saves on storage requirements
Real-time profiling
• The packet attribute distributions are updated on packet arrival
• Updating is decoupled from computing CLP and done in parallel, at a different time scale
• CLP is computed from a recent snapshot of the measured histograms
• A set of scorebooks is generated, each mapping a specific combination of attribute values to a score
Selective packet discarding
• On arrival of a suspicious packet
  – CLP is the differentiating metric
  – The aggregate arrival rate is adjusted, which in turn changes the load-shedding algorithm
  – The packet's attributes are used to update the traffic profile
  – The CLP-based score is computed using the frozen (snapshot) scorebooks
  – The packet is discarded if its CLP is less than the threshold
  – Immunity rules could be used for packets with a minimum throughput requirement
Performance criteria
• Difference in the score distributions RA and RL
• The score distribution has a long, thin tail with outliers
• MinL (MaxA) is therefore taken as the 1st (99th) percentile
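The slides above describe the pipeline in words only: nominal profiles stored as iceberg histograms, a CLP score per packet built from joint and marginal attribute distributions, a scorebook frozen from a measured snapshot, a load-shedding threshold, immunity rules, and the MinL/MaxA percentiles used to judge separation. The following is an added example, not code from the slides or from the PacketScore authors, that runs that pipeline end to end on constructed traffic. Its assumptions: the CLP form (nominal-to-measured rate ratio times the product of per-attribute nominal-to-measured probability ratios, taken in logs), the attribute set (proto, ttl, pktlen as marginals; flags and dport as one joint pair), the iceberg size of 6, a load-shedding policy that sheds down to the nominal rate, a DNS immunity rule, and the traffic mix (a calibration window of legitimate packets, then an overloaded window of legitimate packets plus a SYN flood), all of which are this example's own choices.

```python
# Added example (not from the slides or the PacketScore authors): a toy
# PacketScore-style scorer. The CLP form, attribute set, iceberg size,
# load-shedding rule and all traffic below are this example's assumptions.
import random
from collections import Counter
from math import log

EPS = 1e-6                              # floor so log() never sees zero
JOINT = ("flags", "dport")              # assumed strongly correlated: one joint histogram
MARGINALS = ("proto", "ttl", "pktlen")  # assumed independent: marginal histograms
TTLS = [64, 64, 128, 128, 50, 115]      # constructed nominal TTL mix (weights by repetition)

def iceberg_histogram(values, top_k):
    """Normalized histogram keeping only the top_k most frequent entries. Returns
    (hist, upper): 'upper' is the frequency of the smallest kept entry, assumed as
    the upper bound for any dropped entry."""
    counts = Counter(values)
    total = sum(counts.values())
    kept = counts.most_common(top_k)
    return {v: c / total for v, c in kept}, (kept[-1][1] / total if kept else 0.0)

def build_profile(packets, top_k=6):
    # one iceberg histogram per marginal attribute plus one for the joint pair
    profile = {a: iceberg_histogram([p[a] for p in packets], top_k) for a in MARGINALS}
    profile[JOINT] = iceberg_histogram([(p["flags"], p["dport"]) for p in packets], top_k)
    return profile

def build_scorebook(nominal, measured, rate_nominal, rate_measured):
    """Frozen scorebook: per attribute value, log(P_nominal / P_measured), plus a rate
    term. Assumed CLP(p) = (rate_n / rate_m) * prod_i P_n(a_i) / P_m(a_i); the score
    is its logarithm, so higher means 'more likely legitimate'."""
    book = {"_rate": log(rate_nominal / rate_measured)}
    for key in (*MARGINALS, JOINT):
        (n_hist, n_up), (m_hist, m_up) = nominal[key], measured[key]
        table = {v: log(max(n_hist.get(v, n_up), EPS) / max(m_hist.get(v, m_up), EPS))
                 for v in set(n_hist) | set(m_hist)}
        book[key] = (table, log(max(n_up, EPS) / max(m_up, EPS)))  # value missing in both
    return book

def score_packet(book, p):
    s = book["_rate"]
    for key in MARGINALS:
        table, default = book[key]
        s += table.get(p[key], default)
    table, default = book[JOINT]
    return s + table.get((p["flags"], p["dport"]), default)

def choose_threshold(scores, keep_count):
    """Load shedding: the lowest score that still fits the keep_count budget.
    Packets scoring below it are discarded; ties at the threshold are kept."""
    if keep_count >= len(scores):
        return float("-inf")
    return sorted(scores, reverse=True)[keep_count - 1]

def immune(p):  # constructed immunity rule: DNS always passes (minimum-throughput class)
    return p["proto"] == "UDP" and p["dport"] == 53

def percentile(values, q):
    ranked = sorted(values)
    return ranked[round(q / 100 * (len(ranked) - 1))]

def legit_packet(rng):  # constructed legitimate mix: 10% DNS, else HTTP/HTTPS, few SYNs
    if rng.random() < 0.1:
        return {"proto": "UDP", "dport": 53, "flags": "-", "ttl": rng.choice(TTLS),
                "pktlen": rng.choice([60, 90])}
    flags = rng.choices(["SYN", "ACK", "PSH-ACK"], weights=[5, 60, 35])[0]
    return {"proto": "TCP", "dport": rng.choice([80, 443]), "flags": flags,
            "ttl": rng.choice(TTLS), "pktlen": 60 if flags == "SYN" else rng.choice([576, 1500])}

def attack_packet(rng):  # constructed SYN flood with a narrow TTL/length signature
    return {"proto": "TCP", "dport": rng.choice([80, 443]), "flags": "SYN",
            "ttl": rng.choice([251, 252, 253, 254, 255]), "pktlen": rng.choice([40, 44, 48])}

def run_demo(seed=7, n_nominal=2000, n_legit=1000, n_attack=4000):
    rng = random.Random(seed)
    nominal_pkts = [legit_packet(rng) for _ in range(n_nominal)]    # calibration window
    window = [(legit_packet(rng), "L") for _ in range(n_legit)]     # overloaded window
    window += [(attack_packet(rng), "A") for _ in range(n_attack)]
    rng.shuffle(window)
    # The measured histogram is a snapshot of the window; the scorebook frozen from it
    # is then applied packet by packet while histogram updates stay decoupled from scoring.
    book = build_scorebook(build_profile(nominal_pkts), build_profile([p for p, _ in window]),
                           rate_nominal=n_nominal, rate_measured=len(window))
    scored = [(score_packet(book, p), p, cls) for p, cls in window]
    keep_count = int(len(window) * min(1.0, n_nominal / len(window)))  # shed to nominal rate
    threshold = choose_threshold([s for s, _, _ in scored], keep_count)
    kept = [cls for s, p, cls in scored if s >= threshold or immune(p)]
    legit_scores = [s for s, _, cls in scored if cls == "L"]
    attack_scores = [s for s, _, cls in scored if cls == "A"]
    return {"threshold": threshold,
            "legit_kept": kept.count("L") / n_legit,
            "attack_dropped": 1 - kept.count("A") / n_attack,
            "MinL": percentile(legit_scores, 1),     # 1st percentile of legitimate scores
            "MaxA": percentile(attack_scores, 99)}   # 99th percentile of attack scores

if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` keeps essentially all legitimate packets and drops most of the flood, with MinL well above MaxA. One caveat the code makes visible: the iceberg "missing entry equals the rarest kept entry" rule means an attribute with only a handful of nominal values (ttl here) contributes almost nothing against unseen values, since the assumed upper bound is large; the separation in this run comes from the joint (flags, dport) pair and the packet length, which is why the choice of which attributes to profile jointly matters.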
Evaluated attack types
• Generic attack
• TCP SYN flood attack
• SQL Slammer worm attack
• Nominal attack
• Mixed attack
• Changing attack
Conclusion
• The collaboration of 3D-R and DCS defends against DDoS attacks
• The proposed scheme leverages hardware implementation of data stream processing techniques
• We studied the performance and design trade-offs of the proposed packet scoring scheme
• It can tackle never-seen-before DDoS attacks (weak claim? too many parameters?)