Distributed Denial of Service Attacks & Defenses

Size: px

Start display at page:

Download "Distributed Denial of Service Attacks & Defenses"

Marylou Payne
10 years ago
Views:

1 Distributed Denial of Service Attacks & Defenses Guest Lecture by: Vamsi Kambhampati Fall 2011

2 Distributed Denial of Service (DDoS) Exhaust resources of a target, or the resources it depends on Resources: CPU, Memory, Bandwidth Legitimate clients cannot access the target server Should we care? For researchers: interesting problem; difficult to solve. For others: monetary loss, infrastructure security.

cannot access the target server Should we care?

3 Example: Bandwidth Exhaustion DDoS Attack attacker congested router legitimate client attacker destination attacker packets dropped legitimate packets also dropped

4 Well-behaved and misbehaving flow at router congested router congestion at router rate pkts/sec Legitimate flow Attacker flow time

5 Well-behaved and misbehaving traffic at router misbehaving aggregate gains throughput congested router rate pkts/sec well-behaved aggregate looses throughput time

6 Well-behaved and misbehaving traffic at destination destination rate pkts/sec misbehaving traffic does not slow down when destination requests well-behaved traffic slows down when destination requests time

7 What is the problem? Well-behaved (i.e., legitimate) traffic follows protocol rules Misbehaving traffic does not follow protocol rules Internet lacks distributed enforcement of protocol rules

8 Defending DDoS Attacks Filtering Ingress filtering, Traceback, Pushback Network capabilities Stateless Internet flow filtering (SIFF) Traffic validation architecture (TVA) Proof of work Congestion puzzles, Defense by offense Location hiding Secure overlay services (SOS), i3

(SIFF) Traffic validation architecture (TVA) Proof of work

9 DDoS defense with traceback packet routers insert edge information destination constructs path from edge information destination

10 DDoS defense with pushback pushback to contributing router identify aggregate responsible for congestion contributing router congested router destination

11 Network Capabilities Fundamental change to the Internet, so that sender must have authorization from receiver to send traffic Receiver decides what traffic it wants to receive or not receive Network enforces receiver s decision

send traffic Receiver decides what traffic it wants to

12 Phase 1: Request Capabilities pre-capabilities SYN SYN SYN source destination

13 Pre-Capabilities Cryptographically generated at each router R Each router can independently verify its own precapability Timestamp + Hash(SrcIP, DstIP, time, R secret ) SrcIP, DstIP tie the capability to a flow R secret : secret key only known to the router (the same secret is used for all pre-capabilities) R secret changed twice per timestamp roll over

) SrcIP, DstIP tie the capability to a flow R secret : secret key only known to the

14 Phase 2: Authorizing a source attacker source destination SYN host-capability

15 Host-Capability Cryptographically generated at the destination using pre-capabilities Timestamp + Hash(pre-capabilities, N, T) N is the number of packets authorized per capability T is the time period for which the capability is valid Routers track N, and T

N is the number of packets authorized per capability T is the

16 Phase 3: Send Traffic attacker BOGUS source destination DATA verify pre-capability verify host-capability

17 Traffic Classes Traffic classes Request Request packets (such as TCP SYN) Regular Packets with capabilities Demoted Packets with invalid capabilities Legacy Separate bandwidth allocated to regular and request traffic at each router

Demoted Packets with invalid capabilities Legacy Separate

18 Denial of Capabilities (DoC) Attacker sends flood of request packets Legitimate requests get lost before reaching the destination TVA solution: Path identifiers (Pi)

19 Path Identifiers Routers insider Pi bits into request packets Kind of like pre-capabilities Next downstream router fair-queues on the Pi bits inserted at upstream routers Number of Pi queues = number of upstream routers

router fair-queues on the Pi bits inserted at upstream

20 Simulation Topology 10 legitimate clients destination 10Mbps, 10ms bottleneck link 10ms 10ms 1 ~ 100 attackers colluder

21 Simulation Results (1) Legitimate clients are unaffected As number of attackers increase, legitimate clients suffer Legacy traffic floods

22 Simulation Results (2) Request traffic floods

23 Summary DDoS attacks are a major threat to the Internet Capabilities make fundamental changes to the Internet to defend DDoS attacks Sender needs authorization from receiver to send traffic Capabilities setup is challenging Denial of Capability attacks

How To Protect Your Network From A Ddos Attack On A Network With Pip (Ipo) And Pipi (Ipnet) From A Network Attack On An Ip Address Or Ip Address (Ipa) On A Router Or Ipa

How To Protect Your Network From A Ddos Attack On A Network With Pip (Ipo) And Pipi (Ipnet) From A Network Attack On An Ip Address Or Ip Address (Ipa) On A Router Or Ipa Defenses against Distributed Denial of Service Attacks Adrian Perrig, Dawn Song, Avi Yaar CMU Internet Threat: DDoS Attacks Denial of Service (DoS) attack: consumption (exhaustion) of resources to deny