pi: a path identification mechanism to defend against ddos attacks
DESCRIPTION
Pi: A Path Identification Mechanism to Defend Against DDoS Attacks. Abraham Yaar, Adrian Perrig, Dawn Song Carnegie Mellon University {ayaar, perrig, dawnsong}@cmu.edu Presented and Edited by Yongdae Kim. Outline. DDoS Attack/Defense Review Goals/Main Idea Pi Marking Pi Filtering - PowerPoint PPT PresentationTRANSCRIPT
Pi: A Path Identification Mechanism to Defend Against
DDoS Attacks
Abraham Yaar, Adrian Perrig, Dawn SongCarnegie Mellon University
{ayaar, perrig, dawnsong}@cmu.eduPresented and Edited by Yongdae Kim
Outline
DDoS Attack/Defense Review Goals/Main Idea Pi Marking Pi Filtering Experimental Results Discussion Conclusion
DDoS Review Attackers compromise
network hosts, flood victim with packets• Overload packet
processing capacity
• Saturate network bandwidth
Spoofed source IP addresses evade network filters
RFC 3514
Security flag in IP header• By Steven Bellovin
• Attackers must set evil bit in malicious packets
• Receivers can filter out evil packets
Challenge: deployment April fools joke Pi achieves similar property!
IP Traceback Defense
Victim reconstructs attack tree from address fragments
Disadvantages:• Slow reconstruction
• Multi-path reconstruction
• Assumes upstream ISP collaboration
Other Strategies
Source Path Isolation Engine (SPIE)• Routers store packet hashes, recursive query to
reconstruct path
• Disadvantage–Per-packet state at routers
Pushback Framework• Routers identify attack packet characteristics,
install upstream filter
• Disadvantage–Difficult to distinguish attack/user packets
Outline
DDoS Attack/Defense Review Goals/Main Idea Pi Marking Pi Filtering Experimental Results Discussion Conclusion
Goals – Ideal DDoS Defense Fast
• Defense after single attack packet Victim filters traffic
• No dependency on upstream ISPs Overhead
• Minimal computation/state at routers and victims Interoperability
• Supports IP Fragmentation Incrementally deployable
• Additional deployment increases performance
Main Idea
Path “fingerprints”• Entire fingerprint in
each packet
• Incrementally constructed by routers along path
Victim rejects packets with attacker fingerprints (Pi-marks)
Main Idea
Path “fingerprints”• Entire fingerprint in
each packet
• Incrementally constructed by routers along path
Victim rejects packets with attacker fingerprints (Pi-marks)
Main Idea
Path “fingerprints”• Entire fingerprint in
each packet
• Incrementally constructed by routers along path
Victim rejects packets with attacker fingerprints (Pi-marks)
Main Idea
Path “fingerprints”• Entire fingerprint in
each packet
• Incrementally constructed by routers along path
Victim rejects packets with attacker fingerprints (Pi-marks)
Outline
DDoS Attack/Defense Review Goals/Main Idea Pi Marking Pi Filtering Experimental Results Discussion Conclusion
Pi Marking Scheme
Marking Scheme
• Each router marks n bits into IP Identification field
Marking Function
• Last n bits of hash (eg. MD5) of router IP address
Marking Aggregation
• Router pushes marking into IP Identification field
Queue-based marking• Routers “push” marking into IP Identification
field
• Note: Victim’s local routers (in general, 3, 4 hopes) do not mark.
Pi Marking
Legacy routers do not mark
Extensions• Detect upstream legacy router• Mark for previous legacy router• Write-ahead improvement
Legacy Routers
Path marking vs. Edge Marking Collision in path marking
• path(AC) = mamc, path(BC) = mbmc
• With probability 1/2n, ma = mb
Edge marking• path(AC) = ma’mc1, path(BC) = mb’mc2
• where mc1 = h(IPC || IPA), mc2 = h(IPC || IPB)
• Still probability of collision is 1/2n
• But, new probability of having identical marks for two paths joining at the same node becomes 1/22n
Pi Marking - IP Fragmentation
Problem• Using deterministic values in IP Identification
field breaks fragmentation
Solution (suggested by Vern Paxson)• Don’t mark packets that may ever get
fragmented, or are fragments themselves–Packets with DFT bit set
–Packets smaller than smallest MTU
• During DDoS attack, drop packets that do not have DFT bit set
Outline
DDoS Attack/Defense Review Goals/Main Idea Pi Marking Pi Filtering Experimental Results Discussion Conclusion
Pi Filtering – Basic Scheme
Basic Scheme• Drop all packets with Pi marks matching that of
any attack packets
Assumption• Victim can identify attack packets
Implementation Overhead• Memory: Bit vector of length 216 (8kB)
– if (BitVec[PiMark] == 0) then accept() else drop();
• Simple per packet lookup
Pi Filtering - Thresholds Problem
• Single attacker causes multiple users’ rejections
Solution• Assume, for a particular Pi mark, i:
–ai= number of attack packets
–ui= number of legitimate users’ packets
• Victim chooses threshold, t, such that if:
then packets with Pi mark i are kept
ii
i
ua
at
Outline
DDoS Attack/Defense Review Goals/Main Idea Pi Marking Pi Filtering Experimental Results Discussion Conclusion
Exp. Results – Attack Model
Two phase DDoS model• Phase 1: Learning Phase
–Omniscient victim, Filter Bootstrapping
–Limited Length (3 packets per endhost)
• Phase 2: Attack Phase–Pi filter deployed
–“Unlimited” Length (3 packets simulated)
Results presented for phase 2
Exp. Results - Setup
Two Internet Topologies• Internet Map Project
–81,953 unique endhosts
• CAIDA Skitter Map–171,472 unique endhosts
5,000 Legitimate Users, 100-10,000 Attackers n = 2 bits 4 router non-marking ISP perimeter
• Victim ISP marks unnecessary/undesirable
Exp. Results - Metrics
Filter Errors• False Positive: User packet dropped
• False Negative: Attacker packet accepted
Acceptance Ratio• Percent packets accepted by victim of total
packets sent
• Attacker Acceptance Ratio = false negative rate
• User Acceptance Ratio = (1 – false positive rate)
Exp. Results – Basic Filter
DDoS protection• Accepted (with
10,000 unique attack paths):
– 60% of user traffic
– 17% attacker traffic
Downward slope due to “marking saturation”• All markings
flagged as attacker
Exp. Results – 50% Threshold Filter Performance
Thresholds Work!• Accepted (with
10,000 unique attack paths):
– 82% of user traffic
– 22% attacker traffic
Increased attack severity requires increased threshold
Exp. Results – Legacy Routers
50% threshold used Performance
degradation is gradual
Some filtering accuracy even at 50% legacy routers• 0 = random selection
• 1 = perfect filter
Exp. Results – Limited Capacity Constraint
• Limit maximum number of packets accepted.
Strategy• Accept lowest attack
traffic Pi marks first.
Performance• 60% server capacity
for legitimate packets when total attack traffic 170X of user traffic. *Note: Each Attacker sends 10X
traffic over legitimate user.
Outline
DDoS Attack/Defense Review Goals/Main Idea Pi Marking Pi Filtering Experimental Results Discussion Conclusion
Other Applications
Help other anti-DDoS techniques• Pushback
–Filters that mask individual IP addresses can be very long
–Upstream path information improves filtering accuracy
• IP traceback path reconstruction• IDS
ISPs use Pi to detect IP address spoofing
Discussion: Deployment Incentives
Lack of incentive for ingress filtering Pi provides incentive for ISP
• Customers benefit from Pi marking
Attackers within ISP cause blocking of other ISP customers• ISP has incentive to block attack
• Incentives for ingress filtering
Market pressures drive Pi deployment• Large-scale Internet sites > ISP > router manufacturer
Future Work Advanced marking schemes
• Use combination of exor and shift
Advanced dynamic filters
• Problems:–“Nearby” attackers always have attacker
initialized bits in markings
–Route changes cause Pi mark variations
• Solution: Machine learning techniques identify marking commonalities–(ie. Longest prefix matching for nearby attackers)
Related Work
IP traceback itrace SPIE PEIP – Path Enhanced IP CS3-Inc.
• Adds 16 bytes path to each packet
• Router marks within 16 bytes path
Pi: Conclusions Disadvantages of current DDoS defenses
• Slow
• High overhead
• Assumes ISP collaboration
Pi provides DDoS protection• After first identified attack packet
• Minimal overhead at routers and endhosts
• Maintains IP Fragmentation
• No inter-ISP cooperation
• Great incremental deployment properties