An Integrated Approach for Defending Against Distributed Denial-of-Service (DDoS) Attacks


Krishan Kumar, R.C. Joshi, and Kuldip Singh
Department of Electronics and Computer Engineering
Indian Institute of Technology Roorkee
{kksaldec, joshifcc,

Abstract

Distributed denial-of-service (DDoS) is an increasingly worrying threat to the availability of Internet resources. The variety and number of both attacks and defense approaches are overwhelming. An overview of the DDoS problem, the attack modus operandi, a classification of DDoS attacks, defense principles and challenges, and state-of-the-art research gaps are presented, giving a better understanding of the problem, the current solution space, and future scope. Moreover, the different defense approaches to the DDoS problem (Prevention, Detection and Characterization, Tracing, and Tolerance and Mitigation) are revisited, and an integrated comprehensive solution is proposed.

Index Terms: Distributed Denial-of-Service, Internet Security, Attack Taxonomy, Integrated Approach.

I. INTRODUCTION

Distributed denial-of-service (DDoS) is a relatively simple yet very powerful technique for attacking Internet resources. With little or no advance warning, a DDoS attack can abruptly drain the computing and communication resources of its victim within a short time, until the attack is resolved, or in some cases slowly eat up resources without being noticed. These disruptive or degrading attack flows often lead to complete shutdowns of Internet resources, or at least cause performance degradation. As per a recent survey conducted by FBI/CSI, these attacks are the second most dreadful attacks in terms of revenue losses, after information theft. Even some of the largest computer makers and web-based service providers are not immune to this problem [1]-[3].

Douligeris et al. [4], Chen et al. [5], and Mirkovic et al. [6] have reviewed various DDoS attack and defense methods. Douligeris et al. [4] highlighted the architecture of DDoS attacks and popular DDoS attacks and attack tools, and provided a technical classification of attack defense methods. Chen et al. [5] compared different attack detection algorithms on the basis of the granularity of detection used, the network information monitored, specific characteristics of attack traffic, sources of false positives, and limitations. They also characterized various DDoS defenses in terms of response generation, response mechanism, decision locations, enforcement locations, topology dependence, communication protocol used, and overheads. Mirkovic et al. [6] gave good direction for DDoS research by providing comprehensive taxonomies of attack and defense mechanisms. Moreover, they critically brought forward the weaknesses of various DDoS defense classes, which are useful for future work on DDoS.

The remainder of this paper is organized as follows. Section II gives an overview of DDoS. Section III discusses defense principles and challenges. In Section IV, the attack modus operandi is presented. Section V provides a classification of DDoS attacks. Section VI highlights research issues in DDoS defense approaches. Section VII proposes an integrated approach to solve the DDoS problem. Section 9 finally concludes the paper.

II. DDOS OVERVIEW

The open, best-effort architecture of the Internet, which made it so popular, also provides opportunity for a multitude of attacks. Moreover, intelligence asymmetry, IP spoofing, limited resources, and distributed control encourage attackers to launch attacks without being caught.

Fig. 1. Packets drop under DDoS attack

Compromised machines, called handlers or zombies, are collectively called bots, and the attack network is called a botnet in the hacker's community. The zombie machines under the control of handlers, as shown in Fig. 1, send attack packets which converge at the victim or its network to exhaust either its communication or computational resources.

DDoS is basically a resource overloading problem. The resource can be bandwidth, memory, CPU cycles, file descriptors, buffers, etc. The attackers bombard the scarce resource either with a flood of packets or with a single logic packet which can activate a series of processes to exhaust the limited resource. Fig. 1 depicts packet drops due to a congested access link in the victim network, and buffer overflow at the victim due to a large number of requests.

There are four approaches to combat the DDoS menace, as proposed by Douligeris et al. [4]: Prevention, Detection and Characterization, Traceback, and Tolerance & Mitigation. Attack prevention aims to fix security holes, such as insecure protocols, weak authentication schemes, and vulnerable computer systems, which can be used as stepping stones to launch a DoS attack. This approach aims to improve the global security level and is, in theory, the best solution to DoS attacks. Attack detection aims to detect DDoS attacks while an attack is in progress, and characterization helps to discriminate attack traffic from legitimate traffic. Traceback aims to locate the attack sources regardless of spoofed source IP addresses, either during the attack (active) or after the attack (passive). Tolerance and mitigation aims to eliminate or curtail the effects of an attack and tries to maximize the quality of service (QoS) under attack.

III. DEFENSE PRINCIPLES AND CHALLENGES

Robinson et al. [7] have recommended five principles for designing an effective DDoS defense mechanism. First, as DDoS is a distributed attack with a high volume and rate of attack packets, the defense should be distributed instead of centralized. Second, a high Normal Packet Survival Ratio (NPSR), and hence less collateral damage, is the prime requirement for a DDoS defense. Third, a DDoS defense method should provide secure communication for control messages in terms of confidentiality, authentication of sources, integrity, and freshness of the messages exchanged between defense nodes. Fourth, a partially and incrementally deployable defense model is the one that succeeds, as there is no centralized control over the autonomous systems (AS) in the Internet. Fifth, a defense system must take into account future compatibility issues such as interfacing with other systems and negotiating different defense policies.

However, with present technology, developing and implementing a DDoS defense model which satisfies all of these defense principles is very difficult in practice due to several challenges:

a) Large number of unwitting participants
b) No common characteristics of DDoS streams
c) Use of legitimate traffic models by attackers
d) No administrative domain cooperation
e) Automated tools
f) Hidden identity of participants
g) Persistent security holes on the Internet
h) Lack of attack information
i) Absence of standardized evaluation and testing approaches

IV. ATTACK: MODUS OPERANDI

Operating systems and network protocols are developed without applying security engineering, which as a result provides hackers with a lot of insecure machines on the Internet. These insecure, unpatched machines are used by DDoS attackers as their army to launch attacks, as the attacker gradually implants attack programs on them. Depending on the sophistication of the logic in the implanted programs, these compromised machines are called handlers or zombies; collectively they are called bots, and the attack network is called a botnet in the hacker's community. As shown in Fig. 2, the zombie machines under the control of handlers send attack packets which converge at the victim or its network to exhaust either its communication or computational resources.

Fig. 2. Modus Operandi of DDoS attacks

V. CLASSIFICATIONS OF DDOS ATTACKS

Although the attacks shown in Fig. 2 already exist, their classification is not included in [4] and [6]. In order to defeat aggregate-based defense, attackers try to distribute attack traffic uniformly across all ingress points of the attacked autonomous system. This is called isotropic distribution of attack traffic; if attack traffic is instead aggregated more in certain parts of the Internet, it is called non-isotropic distribution of attack traffic. The network-protocol-based classification divides DDoS attacks into TCP, UDP, and ICMP attacks, as packets of any of these protocols are used for both semantic and brute force attacks. The third classification is on the basis of the attack packets used. Semantic DDoS attacks are normally launched with control packets such as TCP SYN, TCP FIN, and ICMP echo packets, whereas brute force DDoS attacks can use control as well as data packets such as HTTP, FTP (involving TCP), UDP, and ICMP bogus packets. The last classification is on the basis of changes that zombie machines make to the open source code of congestion or flow control protocols so as not to obey the CONGWIN and RECWND settings at sending hosts.

Fig. 3. Classification of DDoS Attacks. DDoS attack types are classified by (1) attack traffic distribution: isotropic, non-isotropic; (2) attack packets used: control, data; (3) protocol used: TCP, UDP, ICMP; (4) protocol modification: congestion control, flow control.

VI. DISCUSSION

Preventing DDoS attacks to curb their devastating effect is always the first choice of commercial and research organizations, as prevention is a mechanism which stops attacks before they are actually launched. There are three precautions against DDoS attacks. (a) ISPs are strongly recommended to install ingress filters to stop IP address spoofing. (b) End hosts should repair their security holes as soon as possible, especially well-known software and protocol bugs. (c) End hosts are encouraged to install an Intrusion Detection System (IDS) to avoid being compromised by the adversary. Generally speaking, if all the schemes mentioned above could be implemented effectively, the Internet would be much relieved from DDoS attacks. However, the approaches to stop IP spoofing [7]-[9], filtering of malicious IP addresses based on experience [10], repairing security holes with patches [11], and stopping intrusion [12] face many hurdles: global deployment, host-based incentives, installation of patches as soon as they are developed and released, the overhead of checking extra packet headers, new attack signatures, and the high rate of false positives and negatives of anomaly-based techniques. Moreover, non-spoofing, subnet spoofing, en-route, and DRDoS-based attacks have no reliable solution among prevention techniques.

The next approach to dealing with DDoS attacks is to find novel ways of detecting and characterizing attacks so that they are completely filtered. The process of identifying that a network or server is under attack after the launch of the attack is called detection. Detection can be passive, proactive, and on-time. Characterization means differentiating attack packets from legitimate packets by looking at some feature or header of the packets, derived from monitoring and analysis at various times and points of the Internet. The special feature of current DDoS attack packets is that each packet individually is a perfectly legitimate packet, but in combination, correlating these packets as monitored at different points can give some signs that distinguish them from legitimate packets. Research in this area is in disarray: different detection and characterization methods are proposed using different topologies and different attacks, and no benchmarks or evaluation criteria exist to compare different approaches.

Misuse-based detection is normally applied in prevention techniques, as in this case packets that are intelligently crafted to exploit end-point protocols and operating systems are easily identified by their unique header or payload values, in other words by attack signatures. Congestion-based schemes [32] are normally used when we look for broad attack signatures; however, aggressive flows are also successfully identified in [19]. Congestion-based schemes are found to be suitable only for high-bandwidth attacks.

The most commonly used DDoS detection and characterization schemes are anomaly based [12]-[18]. In almost all of these schemes, the common challenge for the DDoS detection system is that it is difficult or impossible for the training data to cover all types of normal traffic behavior. As a result, legitimate traffic can be classified as attack traffic (false positive). To minimize the false positive rate, a larger number of parameters is used to provide more accurate normal profiles. However, as the number of parameters increases, the computational overhead of detecting an attack increases. This becomes a bottleneck, especially for volume-oriented DDoS attacks, which are aggravated by the computational overhead of the detection scheme. More importantly, unlike sophisticated network intrusions that depend on malformed packets or special packet sequences, DDoS attacks only need massive traffic volume to be effective. Thus different packet content or traffic patterns do not affect the attack power. Unlike other attacks, which are constrained to sending traffic that exploits a special vulnerability, DDoS attackers can mimic legitimate traffic to avoid anomaly-based detection.

Tracing is one of the best strategies, not only for curbing the menace of DDoS attacks but also for gathering enough evidence to prove the identity of the attacker, so that he can be punished in a way that deters others from attempting such attacks. Once an attack has been detected, an ideal response would be to block the attack traffic at its source and identify the complete botnet. In the best of the work done so far, reaching the zombies (and hence limiting the attack army) and then thoroughly investigating these zombies to find traces of communication with other parts of the botnet has been done with decreased overheads. Unfortunately, there is no easy way to track even IP traffic to zombies and characterize the path used by packets to reach the victim from the zombies. In order to address this limitation, many schemes based on enhanced router functions or modification of the current protocols have been proposed to support IP traceability. Overall, all of these traceback solutions involve input debugging [20], state keeping [21], permissions and extra bandwidth for controlled flooding [21], extra resources for an overlay network [22], ICMP messages [23], or IP packet marking overheads [24]-[27]. Moreover, securing this communication so that the control messages cannot be forged, in terms of confidentiality, authentication, integrity, and freshness, is a big hurdle to tackle. The solutions proposed in [28] and [29] are good in terms of the number of packets required to trace the ingress edges of an attack for an ISP, but the assumption that a victim under attack will send control messages to a controller/coordinator looks impractical in a real-time attack detection scenario. Global cooperation between ISPs is always a hurdle. Overall, the research direction in this field has mostly been limited to finding zombies and characterizing the path up to the zombies. However, some passive approaches have also worked on separating the communication between attacker and master, and between master and zombies.

The last but most used strategy assumes that, because of the limitations of prevention, detection and characterization, and tracing, it is almost impossible to prevent attacks, to detect and characterize them accurately without false positives and negatives, and to trace back to the ultimate attacker, whether actively while the attack is in progress or passively when the attack is over. So in tolerance and mitigation we try to rate limit traffic from the sources, mostly the ingress edges of ISPs, from where we suspect more attack traffic to enter.

Schemes for network-based attacks are reviewed below.

Though SFQ [30], QoS-based techniques [31][38], and RED-PD reviewed in [32] are good solutions, excessive state monitoring, calculating proper rate limits, and testing for defaulters cause appreciable overheads, considering the resource-rich Internet of the present age that is used for launching flood-based attacks. So better monitoring policies (local or distributed), dynamic rate limits based on legitimate traffic models, and algorithms for classifying defaulters so that only suspicious clients are tested are the main challenges ahead. The computational burden on core routers has been decreased [30][38], but more can still be done.

Router-based solutions such as ACC and Pushback-based ACC, reviewed in [32], are available for detecting high-bandwidth aggregates based on destination address. If source characteristics could be found to narrow down these attack/congestion signatures, the normal packet survival ratio could improve by leaps and bounds.

Attacks that degrade ISP network performance without causing congestion at links cannot be grouped into any congestion aggregates without a high number of false positives and false negatives.

Isotropic (highly distributed), slow-rate attacks, even those which cause congestion at links, are not identified in a congestion signature without a high number of false positives and false negatives.

Aggregates based on the transport layer, as used in [33], give better performance, but slow-rate and pulsing DDoS attacks still have no reliable solution.

Efficiently finding unresponsive, TCP-unfriendly flows without false positives is in itself a big challenge, because round trip time (RTT), timeout time, route changes, and normal congestion packet drops at other routers on the path also affect the response from legitimate clients.

Attack agents (zombies) that regularly keep changing their source addresses without wrapping randomly are not identified.

Schemes for server-based attacks are reviewed below.

The resource accounting [34] and QoS [38] based solutions available so far result in high delays because of the scheduling and queuing approaches used to handle traffic. Moreover, slow-rate attacks in which a large number of attackers consume a lot of bandwidth have no proper answer available so far.

The client-based programs that must be loaded for proactive server roaming [36][37] have really hampered its popularity. Moreover, its performance still needs to be evaluated in limited attack scenarios in terms of topology, number of attackers, and different server-based applications.

Throttling techniques [39] assume that web servers are attached to backbone routers, so the bandwidth of the path links to the server is not a concern when evaluating rate limits k hops away; in recent literature the rate limit is assumed to depend only on the arrival rate of traffic at the server/victim.

Slow-rate attacks using isotropic distribution yield very low NPSR under throttle techniques [39].

A proper secure messaging system for control messages, with the right blend of security (confidentiality, authentication, integrity, freshness) and low data overhead, still needs to be found.

Even for server-based attacks, the aggregate-based scheme recently proposed in [40] is unable to defend against slow-rate attacks. Moreover, collateral damage is higher if legitimate traffic also comes from customer networks that contain compromised hosts sending attack traffic.

Accurate characterization of flash crowds versus DDoS attack traffic, for better NPSR, is still a pending issue.

VII. AN INTEGRATED APPROACH TO COMBAT DDOS

Work already done in DDoS defense has concentrated either individually on Prevention, Detection & Characterization, Tracing, and Filtering/Rate limiting, or on groups such as Detection & Characterization with filtering, and tracing with filtering/rate limiting. So there is no technique in which all four approaches are integrated.
However, if we consider the issues and challenges, as well as the NPSR of current defense techniques under varied attacks, we can say that only a well-thought-out integrated solution can completely eliminate this problem in the long run, for safer, QoS-based e-business on the Internet. We propose an ISP-level integrated solution consisting of four modules: (a) Prevent, (b) Detect & Characterize, (c) Traceback, (d) Filter or Rate limit. A high-level functional diagram is given below:

Fig. 4. Higher Level functional diagram for DDoS defense

As shown in Fig. 4, prevention is the first module that interacts with attack traffic as well as legitimate traffic. All well-known signature-based and broadcast-based attacks can be stopped at the edges of an ISP using higher-layer headers, which helps preserve bandwidth that is otherwise wasted in the core, as firewalls are traditionally placed near the victim. Then our detection nodes, after finding signs of attack, try to characterize the attack packets. Once characterization is done, then depending on whether the attack is network based or server based, an appropriate controller is chosen which can send secured control messages to edge routers even under attack. Control messages include attack signatures and rate limits for particular attack signatures. Attack signatures help to trace back the ingress edges of the ISP from where attack traffic enters, and the attack is rate limited at those edges. Adaptive rate limiting decides, from time to time, appropriate values of the rate limits to apply at the edges of an ISP, after considering the amount of attack traffic filtered at the edges, the arrival rate of traffic, the processing capacity left at the server, and the strength of attack detection and characterization provided by the detect and characterize module. In this way, even if we are initially not able to characterize the attack properly, a minimal NPSR will be maintained, and after sufficient attack traffic has been collected for better characterization, adaptive rate limiting can fully protect our ISP and servers.

The defense principles satisfied by our proposed approach are explained below:

Prevention, detection, and tracing modules are to be loaded at edge routers, so the defense is distributed and not centralized.

Initially, when an attack is detected but not yet characterized properly, the tolerance module helps in providing some service to legitimate clients. As the strength of characterization increases with time, more limiting of attack traffic, and hence better NPSR, is made possible.

For tracing, detection, and rate limiting, secure control messages are to be exchanged which have the right blend of security and minimum possible overheads.

As the proposed ISP-level solution protects a single autonomous system, any ISP can install this solution at any time. The controller can send a request to the edge routers of a cooperative ISP and ask for rate limiting by joining a separate multicast group with other ISP routers.

The attack signature generated will follow standard signature notification protocols so that our model can interact with others.

VIII. CONCLUSION

An overview of the DDoS problem, the attack modus operandi, a classification of DDoS attacks, and defense principles and challenges are presented in this paper. Potential research issues are also highlighted. We propose an ISP-level integrated approach to combat the DDoS menace.

References

[1] "DDoS attacks block Microsoft web sites," CNN Headline News, Jan. 26,
[2] "DDoS attacks on Yahoo, Buy.com, eBay, Amazon, Datek, E*Trade," CNN Headline News, Feb. 7-11,
[3] L. Garber, "Denial-of-service attacks rip the internet," IEEE Comput., vol. 33, Apr
[4] C. Douligeris and A. Mitrokotsa, "DDoS attacks and defense mechanisms: classification and state-of-the-art," Computer Networks, 2004, pp ,
[5] Li-Chiou Chen, Thomas A. Longstaff, and Kathleen M. Carley, "Characterization of defense mechanisms against distributed denial of service attacks," Computer & Security 23, 2004, pp
[6] J. Mirkovic and P. Reiher, "A Taxonomy of DDoS Attack and DDoS defense Mechanisms," ACM SIGCOMM Computer Communications Review, Volume 34, Number 2, April
[7] P. Ferguson and D. Senie, "Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing," RFC 2267, the Internet Engineering Task Force (IETF),
[8] K. Park and H. Lee, "On the effectiveness of router-based packet filtering for distributed DoS attack prevention in power-law Internets," Proceedings of the 2001 ACM SIGCOMM Conference, pp ,
[9] J. Li, J. Mirkovic, M. Wang, P. Reiher, and L. Zhang, "Save: Source address validity enforcement protocol," Proceedings of IEEE INFOCOM 2002, pp ,
[10] T. Peng, C. Leckie, and K. Ramamohanarao, "Protection from Distributed Denial of Service attack using history-based IP filtering," Proceedings of IEEE International Conference on Communications (ICC 2003), Anchorage, AL, USA,
[11] X. Geng and A.B. Whinston, "Defeating Distributed Denial of Service attacks," IEEE IT Professional, pp 36-42,
[12] Y. Bai and H. Kobayashi, "Intrusion Detection Systems: Technology and development," Proceedings of AINA 03, 2003
[13] T. M. Gil and M. Poletto, "Multops: a data-structure for bandwidth attack detection," Proceedings of the 10th USENIX Security Symposium,
[14] C.M. Cheng, H.T. Kung, and K.S. Tan, "Use of spectral analysis in defense against DoS attacks," Proceedings of IEEE GLOBECOM 2002, pp ,
[15] J. Mirkovic, G. Prier, and P. Reiher, "Attacking DDoS at the source," Proceedings of ICNP 2002, Paris, France, pp ,
[16] L. Feinstein and D. Schnackenberg, "Statistical Approaches to DDoS Attack Detection and Response," Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX 03), April
[17] C. Manikopoulos and S. Papavassiliou, "Network Intrusion and Fault Detection: A Statistical Anomaly Approach," IEEE Communications Magazine, October
[18] S. Jin and D. S. Yeung, "A Covariance Analysis Model for DDoS Attack Detection," IEEE Communications Society, 2004
[19] B. Bencsath and I. Vajda, "Protection against DDoS attacks based on traffic level measurements," Western Simulation MultiConference, San Diego, California, USA, January
[20]
[21] H. Burch and B. Cheswick, "Tracing anonymous packets to their approximate source," Proceedings 2000 USENIX LISA Conference, pp , Dec
[22] R. Stone, "CenterTrack: An IP overlay network for tracking DoS floods," Proceedings 2000 USENIX Security Symposium, pp , July
[23] S. Bellovin, "The ICMP traceback message," IETF Internet Draft, 2000, att.com/~smb/papers/draft-bellovin-itrace-00.txt.
[24] S. Savage, D. Wetherall, A. Karlin, and T. Anderson, "Practical network support for IP traceback," Proceedings of the 2000 ACM SIGCOMM Conference, pp
[25] D. X. Song and A. Perrig, "Advanced and authenticated marking schemes for IP traceback," Proceedings of IEEE INFOCOM 2001, pp ,
[26] D. Dean, M. Franklin, and A. Stubblefield, "An algebraic approach to IP traceback," ACM Transactions on Information and System Security 5(2), ,
[27] A. C. Snoeren, C. Partridge, L. A. Sanchez, C. E. Jones, F. Tchakountio, S. T. Kent, and W. T. Strayer, "Hash-based IP traceback," Proceedings of the 2001 ACM SIGCOMM Conference, pp. 3-14,
[28] U.K. Tupakula and V. Varadharajan, "A practical method to counteract Denial of Service Attacks," Proceedings of the 26th Australian Computer Conference in Research and Practice in Information Technology, ACM International Conference Proceeding Series, pp ,
[29] J. Lee and G. D. Veciana, "Scalable multicast based filtering and tracing framework for defeating distributed DoS attacks," International Journal of Network Management,
[30] P. McKenney, "Stochastic Fairness Queuing," Proceeding of IEEE Infocom, IEEE Press, Piscataway, N.J., pp ,
[31] S. Blake, D. Black, M. Carlson, E. Davies, Z. Wang, and W. Weiss, "An architecture for differentiated services," IETF, RFC 2475,
[32] Y. Xu and R. Guerin, "On the Robustness of Router-based Denial-of-Service Defense Systems," ACM SIGCOMM, 2005
[33] H. Wang, "Transport-Aware IP routers: a built-in protection mechanism to counter DDoS attacks," IEEE Transactions on Parallel and Distributed Systems, Vol. 14, No. 9, September
[34] F. Kargl, J. Maier, and M. Weber, "Protecting web servers from Distributed Denial of Service attacks," Proceedings of the Tenth International Conference on World Wide Web, Hong Kong, pp , May 1-5,
[35] J. Brustoloni, "Protecting electronic commerce from Distributed Denial of Service attacks," Proceedings of the 11th International World Wide Web Conference, ACM, pp ,
[36] S.M. Khattab, C. Sangpachatanaruk, R. Melhem, D. Mosse, and T. Znati, "Proactive server roaming for mitigating Denial of Service attacks," Proceedings of the 1st International Conference on International Technology: Research and Education (ITRE 03), Newark, NJ, pp , August
[37] C. Sangpachatanaruk, S.M. Khattab, R. Melhem, D. Mosse, and T. Znati, "Design and analysis of a replicated elusive server scheme for mitigating denial of service attacks," Journal of System and software,
[38] A. Garg and A.L.N. Reddy, "Mitigating Denial of service Attacks using QoS regulation," Proceedings of the Tenth IEEE International Workshop on Quality of Service, pp ,
[39] D.K.Y. Yau, J.C.S. Lui, F. Liang, and Y. Yam, "Defending against distributed denial of service attacks with Max-Min fair server-centric router throttles," IEEE Transactions on Networking, Vol. 13, No. 1, February 2005
[40] S. Chen and Q. Song, "Perimeter-based Defense against High Bandwidth DDoS Attacks," IEEE Transactions on Parallel and Distributed Systems, Vol. 16, No. 6, June 2005.
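
The adaptive edge rate limiting of Section VII, together with the Section VI remark that isotropic attacks yield low NPSR under throttling, can be made concrete with a small model. This is an added example, not code from the paper: the max-min fair split of server capacity across edges, the proportional-drop model, the names used, and all traffic figures are assumptions constructed for illustration.

```python
"""Added example: edge rate limiting and NPSR under a simplified model."""
from dataclasses import dataclass


@dataclass
class Edge:
    name: str
    legit: float   # legitimate packets/s entering at this ISP edge (constructed)
    attack: float  # attack packets/s entering at this ISP edge (constructed)


def max_min_limits(demands, capacity):
    """Max-min fair (water-filling) split of capacity across edge demands."""
    limits = [0.0] * len(demands)
    remaining = capacity
    pending = sorted(range(len(demands)), key=lambda i: demands[i])
    while pending:
        share = remaining / len(pending)
        i = pending[0]
        if demands[i] <= share:
            # Small demand is fully satisfied; the unused share is redistributed.
            limits[i] = demands[i]
            remaining -= demands[i]
            pending.pop(0)
        else:
            # Every remaining edge wants more than the fair share: cap them all.
            for j in pending:
                limits[j] = share
            break
    return limits


def defend(edges, capacity, strength):
    """One controller round.

    strength (0..1) models characterization quality: the fraction of attack
    packets that match the attack signature and are filtered at the edge.
    Whatever is left (legitimate plus unmatched attack traffic) is rate
    limited, and excess is dropped without regard to packet type.
    Returns (NPSR, per-edge rate limits).
    """
    residual = [e.attack * (1.0 - strength) for e in edges]
    demands = [e.legit + r for e, r in zip(edges, residual)]
    limits = max_min_limits(demands, capacity)
    delivered = 0.0
    for e, demand, limit in zip(edges, demands, limits):
        pass_fraction = 1.0 if demand <= limit else limit / demand
        delivered += e.legit * pass_fraction
    sent = sum(e.legit for e in edges)
    npsr = delivered / sent if sent else 1.0
    return npsr, limits


def npsr_over_time(edges, capacity, strengths):
    """NPSR per round as characterization strength improves."""
    return [defend(edges, capacity, s)[0] for s in strengths]


# Constructed scenario: 10 edges, 100 pps legitimate traffic each, a server
# that can process 2000 pps, and 8000 pps of attack traffic in total.
CAPACITY = 2000.0
NON_ISOTROPIC = [Edge(f"e{i}", 100.0, 4000.0 if i < 2 else 0.0) for i in range(10)]
ISOTROPIC = [Edge(f"e{i}", 100.0, 800.0) for i in range(10)]

if __name__ == "__main__":
    for label, edges in (("non-isotropic", NON_ISOTROPIC), ("isotropic", ISOTROPIC)):
        npsr, _ = defend(edges, CAPACITY, strength=0.0)
        print(f"{label:14s} NPSR with no characterization: {npsr:.3f}")
    strengths = [0.0, 0.25, 0.5, 0.75, 0.9]
    for s, npsr in zip(strengths, npsr_over_time(ISOTROPIC, CAPACITY, strengths)):
        print(f"isotropic, strength {s:.2f}: NPSR {npsr:.3f}")
```

With the same total attack volume, throttling alone protects most legitimate traffic when the attack enters at two edges but very little when it is spread over all ten; NPSR recovers only as signature filtering at the edges improves.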

Tackling Congestion to Address Distributed Denial of Service: A Push-Forward Mechanism

Tackling Congestion to Address Distributed Denial of Service: A Push-Forward Mechanism Tackling Congestion to Address Distributed Denial of Service: A Push-Forward Mechanism Srinivasan Krishnamoorthy and Partha Dasgupta Computer Science and Engineering Department Arizona State University

More information

An Efficient Filter for Denial-of-Service Bandwidth Attacks

An Efficient Filter for Denial-of-Service Bandwidth Attacks An Efficient Filter for Denial-of-Service Bandwidth Attacks Samuel Abdelsayed, David Glimsholt, Christopher Leckie, Simon Ryan and Samer Shami Department of Electrical and Electronic Engineering ARC Special

More information

Comparing Two Models of Distributed Denial of Service (DDoS) Defences

Comparing Two Models of Distributed Denial of Service (DDoS) Defences Comparing Two Models of Distributed Denial of Service (DDoS) Defences Siriwat Karndacharuk Computer Science Department The University of Auckland Email: skar018@ec.auckland.ac.nz Abstract A Controller-Agent

More information

Analysis of Automated Model against DDoS Attacks

Analysis of Automated Model against DDoS Attacks Analysis of Automated Model against DDoS Attacks Udaya Kiran Tupakula Vijay Varadharajan Information and Networked Systems Security Research Division of Information and Communication Sciences Macquarie

More information

Packet-Marking Scheme for DDoS Attack Prevention

Packet-Marking Scheme for DDoS Attack Prevention Abstract Packet-Marking Scheme for DDoS Attack Prevention K. Stefanidis and D. N. Serpanos {stefanid, serpanos}@ee.upatras.gr Electrical and Computer Engineering Department University of Patras Patras,

More information

An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks

An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks 2011 International Conference on Network and Electronics Engineering IPCSIT vol.11 (2011) (2011) IACSIT Press, Singapore An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks Reyhaneh

More information

DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR

DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR Journal homepage: www.mjret.in DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR Maharudra V. Phalke, Atul D. Khude,Ganesh T. Bodkhe, Sudam A. Chole Information Technology, PVPIT Bhavdhan Pune,India maharudra90@gmail.com,

More information

A Novel Packet Marketing Method in DDoS Attack Detection

A Novel Packet Marketing Method in DDoS Attack Detection SCI-PUBLICATIONS Author Manuscript American Journal of Applied Sciences 4 (10): 741-745, 2007 ISSN 1546-9239 2007 Science Publications A Novel Packet Marketing Method in DDoS Attack Detection 1 Changhyun

A Novel Distributed Denial of Service (DDoS) Attacks Discriminating Detection in Flash Crowds

A Novel Distributed Denial of Service (DDoS) Attacks Discriminating Detection in Flash Crowds International Journal of Research Studies in Science, Engineering and Technology Volume 1, Issue 9, December 2014, PP 139-143 ISSN 2349-4751 (Print) & ISSN 2349-476X (Online) A Novel Distributed Denial

A Practical Method to Counteract Denial of Service Attacks

A Practical Method to Counteract Denial of Service Attacks A Practical Method to Counteract Denial of Service Attacks Udaya Kiran Tupakula Vijay Varadharajan Information and Networked System Security Research Division of Information and Communication Sciences

CS 356 Lecture 16 Denial of Service. Spring 2013

CS 356 Lecture 16 Denial of Service. Spring 2013 CS 356 Lecture 16 Denial of Service Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter

Provider-Based Deterministic Packet Marking against Distributed DoS Attacks

Provider-Based Deterministic Packet Marking against Distributed DoS Attacks Provider-Based Deterministic Packet Marking against Distributed DoS Attacks Vasilios A. Siris and Ilias Stavrakis Institute of Computer Science, Foundation for Research and Technology - Hellas (FORTH)

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial Rocky K. C. Chang The Hong Kong Polytechnic University Presented by Scott McLaren 1 Overview DDoS overview Types of attacks

Distributed Denial of Service (DDoS)

Distributed Denial of Service (DDoS) Distributed Denial of Service (DDoS) Defending against Flooding-Based DDoS Attacks: A Tutorial Rocky K. C. Chang Presented by Adwait Belsare (adwait@wpi.edu) Suvesh Pratapa (suveshp@wpi.edu) Modified by

Online Identification of Multi-Attribute High-Volume Traffic Aggregates Through Sampling

Online Identification of Multi-Attribute High-Volume Traffic Aggregates Through Sampling Online Identification of Multi-Attribute High-Volume Traffic Aggregates Through Sampling Yong Tang Shigang Chen Department of Computer & Information Science & Engineering University of Florida, Gainesville,

NEW TECHNIQUES FOR THE DETECTION AND TRACKING OF THE DDOS ATTACKS

NEW TECHNIQUES FOR THE DETECTION AND TRACKING OF THE DDOS ATTACKS NEW TECHNIQUES FOR THE DETECTION AND TRACKING OF THE DDOS ATTACKS Iustin PRIESCU, PhD Titu Maiorescu University, Bucharest Sebastian NICOLAESCU, PhD Verizon Business, New York, USA Rodica NEAGU, MBA Outpost24,

A Hybrid Approach for Detecting, Preventing, and Traceback DDoS Attacks

A Hybrid Approach for Detecting, Preventing, and Traceback DDoS Attacks A Hybrid Approach for Detecting, Preventing, and Traceback DDoS Attacks ALI E. EL-DESOKY 1, MARWA F. AREAD 2, MAGDY M. FADEL 3 Department of Computer Engineering University of El-Mansoura El-Gomhoria St.,

Dr. Arjan Durresi Louisiana State University, Baton Rouge, LA 70803 durresi@csc.lsu.edu. DDoS and IP Traceback. Overview

Dr. Arjan Durresi Louisiana State University, Baton Rouge, LA 70803 durresi@csc.lsu.edu. DDoS and IP Traceback. Overview DDoS and IP Traceback Dr. Arjan Durresi Louisiana State University, Baton Rouge, LA 70803 durresi@csc.lsu.edu Louisiana State University DDoS and IP Traceback - 1 Overview Distributed Denial of Service

A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS

A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS ICTACT JOURNAL ON COMMUNICATION TECHNOLOGY, JUNE 2010, ISSUE: 02 A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS S.Seetha 1 and P.Raviraj 2 Department of

SECURING APACHE : DOS & DDOS ATTACKS - I

SECURING APACHE : DOS & DDOS ATTACKS - I SECURING APACHE : DOS & DDOS ATTACKS - I In this part of the series, we focus on DoS/DDoS attacks, which have been among the major threats to Web servers since the beginning of the Web 2.0 era. Denial

International Journal of Emerging Technologies in Computational and Applied Sciences (IJETCAS) www.iasir.net

International Journal of Emerging Technologies in Computational and Applied Sciences (IJETCAS) www.iasir.net International Association of Scientific Innovation and Research (IASIR) (An Association Unifying the Sciences, Engineering, and Applied Research) International Journal of Emerging Technologies in Computational

Queuing Algorithms Performance against Buffer Size and Attack Intensities

Queuing Algorithms Performance against Buffer Size and Attack Intensities Global Journal of Business Management and Information Technology. Volume 1, Number 2 (2011), pp. 141-157 Research India Publications http://www.ripublication.com Queuing Algorithms Performance against

Adaptive Discriminating Detection for DDoS Attacks from Flash Crowds Using Flow. Feedback

Adaptive Discriminating Detection for DDoS Attacks from Flash Crowds Using Flow. Feedback Adaptive Discriminating Detection for DDoS Attacks from Flash Crowds Using Flow Correlation Coefficient with Collective Feedback N.V.Poorrnima 1, K.ChandraPrabha 2, B.G.Geetha 3 Department of Computer

2. Design. 2.1 Secure Overlay Services (SOS) IJCSNS International Journal of Computer Science and Network Security, VOL.7 No.

2. Design. 2.1 Secure Overlay Services (SOS) IJCSNS International Journal of Computer Science and Network Security, VOL.7 No. IJCSNS International Journal of Computer Science and Network Security, VOL.7 No.7, July 2007 167 Design and Development of Proactive Models for Mitigating Denial-of-Service and Distributed Denial-of-Service

Design and Experiments of small DDoS Defense System using Traffic Deflecting in Autonomous System

Design and Experiments of small DDoS Defense System using Traffic Deflecting in Autonomous System Design and Experiments of small DDoS Defense System using Traffic Deflecting in Autonomous System Ho-Seok Kang and Sung-Ryul Kim Konkuk University Seoul, Republic of Korea hsriver@gmail.com and kimsr@konkuk.ac.kr

Filtering Based Techniques for DDOS Mitigation

Filtering Based Techniques for DDOS Mitigation Filtering Based Techniques for DDOS Mitigation Comp290: Network Intrusion Detection Manoj Ampalam DDOS Attacks: Target CPU / Bandwidth Attacker signals slaves to launch an attack on a specific target address

A PREVENTION OF DDOS ATTACKS IN CLOUD USING NEIF TECHNIQUES

A PREVENTION OF DDOS ATTACKS IN CLOUD USING NEIF TECHNIQUES International Journal of Scientific and Research Publications, Volume 4, Issue 4, April 2014 1 A PREVENTION OF DDOS ATTACKS IN CLOUD USING NEIF TECHNIQUES *J.RAMESHBABU, *B.SAM BALAJI, *R.WESLEY DANIEL,**K.MALATHI

DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS DETECTION MECHANISM

DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS DETECTION MECHANISM DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS DETECTION MECHANISM Saravanan kumarasamy 1 and Dr.R.Asokan 2 1 Department of Computer Science and Engineering, Erode Sengunthar Engineering College, Thudupathi,

TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS

TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS 2002 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor

Denial of Service. Tom Chen SMU tchen@engr.smu.edu

Denial of Service. Tom Chen SMU tchen@engr.smu.edu Denial of Service Tom Chen SMU tchen@engr.smu.edu Outline Introduction Basics of DoS Distributed DoS (DDoS) Defenses Tracing Attacks TC/BUPT/8704 SMU Engineering p. 2 Introduction What is DoS? 4 types

Firewalls and Intrusion Detection

Firewalls and Intrusion Detection Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall

co Characterizing and Tracing Packet Floods Using Cisco R

co Characterizing and Tracing Packet Floods Using Cisco R co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1

Application of Netflow logs in Analysis and Detection of DDoS Attacks

Application of Netflow logs in Analysis and Detection of DDoS Attacks International Journal of Computer and Internet Security. ISSN 0974-2247 Volume 8, Number 1 (2016), pp. 1-8 International Research Publication House http://www.irphouse.com Application of Netflow logs in

MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN

MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN Kanika 1, Renuka Goyal 2, Gurmeet Kaur 3 1 M.Tech Scholar, Computer Science and Technology, Central University of Punjab, Punjab, India

Survey on DDoS Attack Detection and Prevention in Cloud

Survey on DDoS Attack Detection and Prevention in Cloud Survey on DDoS Detection and Prevention in Cloud Patel Ankita Fenil Khatiwala Computer Department, Uka Tarsadia University, Bardoli, Surat, Gujrat Abstract: Cloud is becoming a dominant computing platform

Malice Aforethought [D]DoS on Today's Internet

Malice Aforethought [D]DoS on Today's Internet Malice Aforethought [D]DoS on Today's Internet Henry Duwe and Sam Mussmann http://bit.ly/cs538-ddos What is DoS? "A denial of service (DoS) attack aims to deny access by legitimate users to shared services

DDoS Protection Technology White Paper

DDoS Protection Technology White Paper DDoS Protection Technology White Paper Keywords: DDoS attack, DDoS protection, traffic learning, threshold adjustment, detection and protection Abstract: This white paper describes the classification of

Denial of Service attacks: analysis and countermeasures. Marek Ostaszewski

Denial of Service attacks: analysis and countermeasures. Marek Ostaszewski Denial of Service attacks: analysis and countermeasures Marek Ostaszewski DoS - Introduction Denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended

Survey on DDoS Attack in Cloud Environment

Survey on DDoS Attack in Cloud Environment Available online at www.ijiere.com International Journal of Innovative and Emerging Research in Engineering e-issn: 2394-3343 p-issn: 2394-5494 Survey on DDoS in Cloud Environment Kirtesh Agrawal and Nikita

DDoS-blocker: Detection and Blocking of Distributed Denial of Service Attack

DDoS-blocker: Detection and Blocking of Distributed Denial of Service Attack DDoS-blocker: Detection and Blocking of Distributed Denial of Service Attack Sugih Jamin EECS Department University of Michigan jamin@eecs.umich.edu Internet Design Goals Key design goals of Internet protocols:

DoS: Attack and Defense

DoS: Attack and Defense DoS: Attack and Defense Vincent Tai Sayantan Sengupta COEN 233 Term Project Prof. M. Wang 1 Table of Contents 1. Introduction 4 1.1. Objective 1.2. Problem 1.3. Relation to the class 1.4. Other approaches

Source-End DDoS Defense

Source-End DDoS Defense Source-End DDoS Defense Jelena Mirković Gregory Prier Peter Reiher University of California Los Angeles Computer Science Department 3564 Boelter Hall Los Angeles, CA 90095, USA {sunshine, greg, reiher}@cs.ucla.edu

A Flow-based Method for Abnormal Network Traffic Detection

A Flow-based Method for Abnormal Network Traffic Detection A Flow-based Method for Abnormal Network Traffic Detection Myung-Sup Kim, Hun-Jeong Kang, Seong-Cheol Hong, Seung-Hwa Chung, and James W. Hong Dept. of Computer Science and Engineering POSTECH {mount,

Dual Mechanism to Detect DDOS Attack Priyanka Dembla, Chander Diwaker 2 1 Research Scholar, 2 Assistant Professor

Dual Mechanism to Detect DDOS Attack Priyanka Dembla, Chander Diwaker 2 1 Research Scholar, 2 Assistant Professor International Association of Scientific Innovation and Research (IASIR) (An Association Unifying the Sciences, Engineering, and Applied Research) International Journal of Engineering, Business and Enterprise

Keywords Attack model, DDoS, Host Scan, Port Scan

Keywords Attack model, DDoS, Host Scan, Port Scan Volume 4, Issue 6, June 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com DDOS Detection

Multiagent Router Throttling: Decentralized Coordinated Response against DDoS Attacks

Multiagent Router Throttling: Decentralized Coordinated Response against DDoS Attacks Multiagent Router Throttling: Decentralized Coordinated Response against DDoS Attacks Kleanthis Malialis and Daniel Kudenko Department of Computer Science University of York, UK {malialis,kudenko}@cs.york.ac.uk

Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment

Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment Keyur Chauhan 1,Vivek Prasad 2 1 Student, Institute of Technology, Nirma University (India) 2 Assistant Professor,

Depth-in-Defense Approach against DDoS

Depth-in-Defense Approach against DDoS 6th WSEAS International Conference on Information Security and Privacy, Tenerife, Spain, December 14-16, 2007 102 Depth-in-Defense Approach against DDoS Rabia Sirhindi, Asma Basharat and Ahmad Raza Cheema

How To Protect Your Network From A Ddos Attack On A Network With Pip (Ipo) And Pipi (Ipnet) From A Network Attack On An Ip Address Or Ip Address (Ipa) On A Router Or Ipa

How To Protect Your Network From A Ddos Attack On A Network With Pip (Ipo) And Pipi (Ipnet) From A Network Attack On An Ip Address Or Ip Address (Ipa) On A Router Or Ipa Defenses against Distributed Denial of Service Attacks Adrian Perrig, Dawn Song, Avi Yaar CMU Internet Threat: DDoS Attacks Denial of Service (DoS) attack: consumption (exhaustion) of resources to deny

Analysis of Traceback Techniques

Analysis of Traceback Techniques Analysis of Traceback Techniques Udaya Kiran Tupakula Vijay Varadharajan Information and Networked Systems Security Research Division of ICS, Macquarie University North Ryde, NSW-2109, Australia {udaya,

Denial of Service Attacks, What They are and How to Combat Them

Denial of Service Attacks, What They are and How to Combat Them Denial of Service Attacks, What They are and How to Combat Them John P. Pironti, CISSP Genuity, Inc. Principal Enterprise Solutions Architect Principal Security Consultant Version 1.0 November 12, 2001

A Distributed Approach to Defend Web Service from DDoS Attacks

A Distributed Approach to Defend Web Service from DDoS Attacks A Distributed Approach to Defend Web Service from DDoS Attacks Monika Sachdeva Assistant Proff./Department of Computer Science & Engineering SBS College of Engineering & Technology, Ferozepur, Punjab,

Denial of Service Attacks: Classification and Response

Denial of Service Attacks: Classification and Response Security Event Trust and Confidence in a Fast and Mobile Environment, July 2004 Denial of Service Attacks: Classification and Response Christos Douligeris, Aikaterini Mitrokotsa Department of, University

Network Bandwidth Denial of Service (DoS)

Network Bandwidth Denial of Service (DoS) Network Bandwidth Denial of Service (DoS) Angelos D. Keromytis Department of Computer Science Columbia University Synonyms Network flooding attack, packet flooding attack, network DoS Related Concepts

The Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network

The Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network Pioneering Technologies for a Better Internet Cs3, Inc. 5777 W. Century Blvd. Suite 1185 Los Angeles, CA 90045-5600 Phone: 310-337-3013 Fax: 310-337-3012 Email: info@cs3-inc.com The Reverse Firewall: Defeating

Security vulnerabilities in the Internet and possible solutions

Security vulnerabilities in the Internet and possible solutions Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in

Safeguards Against Denial of Service Attacks for IP Phones

Safeguards Against Denial of Service Attacks for IP Phones W H I T E P A P E R Denial of Service (DoS) attacks on computers and infrastructure communications systems have been reported for a number of years, but the accelerated deployment of Voice over IP (VoIP)

Index Terms Denial-of-Service Attack, Intrusion Prevention System, Internet Service Provider. Fig.1.Single IPS System

Index Terms Denial-of-Service Attack, Intrusion Prevention System, Internet Service Provider. Fig.1.Single IPS System Detection of DDoS Attack Using Virtual Security N.Hanusuyakrish, D.Kapil, P.Manimekala, M.Prakash Abstract Distributed Denial-of-Service attack (DDoS attack) is a machine which makes the network resource

How To Detect Denial Of Service Attack On A Network With A Network Traffic Characterization Scheme

How To Detect Denial Of Service Attack On A Network With A Network Traffic Characterization Scheme Efficient Detection for DOS Attacks by Multivariate Correlation Analysis and Trace Back Method for Prevention Thivya. T 1, Karthika.M 2 Student, Department of computer science and engineering, Dhanalakshmi

Performance Evaluation of DVMRP Multicasting Network over ICMP Ping Flood for DDoS

Performance Evaluation of DVMRP Multicasting Network over ICMP Ping Flood for DDoS Performance Evaluation of DVMRP Multicasting Network over ICMP Ping Flood for DDoS Ashish Kumar Dr. B R Ambedkar National Institute of Technology, Jalandhar Ajay K Sharma Dr. B R Ambedkar National Institute

Distributed Denial of Service Prevention Techniques B. B. Gupta, Student Member, IEEE, R. C. Joshi, and Manoj Misra, Member, IEEE

Distributed Denial of Service Prevention Techniques B. B. Gupta, Student Member, IEEE, R. C. Joshi, and Manoj Misra, Member, IEEE Distributed Denial of Service Prevention Techniques B. B. Gupta, Student Member, IEEE, R. C. Joshi, and Manoj Misra, Member, IEEE Abstract The significance of the DDoS problem and the increased occurrence,

ATTACK PATTERNS FOR DETECTING AND PREVENTING DDOS AND REPLAY ATTACKS

ATTACK PATTERNS FOR DETECTING AND PREVENTING DDOS AND REPLAY ATTACKS ATTACK PATTERNS FOR DETECTING AND PREVENTING DDOS AND REPLAY ATTACKS A.MADHURI Department of Computer Science Engineering, PVP Siddhartha Institute of Technology, Vijayawada, Andhra Pradesh, India. A.RAMANA

Distributed Denial of Service

Distributed Denial of Service Distributed Denial of Service Dr. Arjan Durresi Louisiana State University Baton Rouge, LA 70810 Durresi@Csc.LSU.Edu These slides are available at: http://www.csc.lsu.edu/~durresi/csc7502_04/ Louisiana

Flexible Deterministic Packet Marking: An IP Traceback Scheme Against DDOS Attacks

Flexible Deterministic Packet Marking: An IP Traceback Scheme Against DDOS Attacks Flexible Deterministic Packet Marking: An IP Traceback Scheme Against DDOS Attacks Prashil S. Waghmare PG student, Sinhgad College of Engineering, Vadgaon, Pune University, Maharashtra, India. prashil.waghmare14@gmail.com

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. April 23, 2015

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. April 23, 2015 Network Security Dr. Ihsan Ullah Department of Computer Science & IT University of Balochistan, Quetta Pakistan April 23, 2015 1 / 24 Secure networks Before the advent of modern telecommunication network,

A Defense Framework for Flooding-based DDoS Attacks

A Defense Framework for Flooding-based DDoS Attacks A Defense Framework for Flooding-based DDoS Attacks by Yonghua You A thesis submitted to the School of Computing in conformity with the requirements for the degree of Master of Science Queen s University

SECURITY FLAWS IN INTERNET VOTING SYSTEM

SECURITY FLAWS IN INTERNET VOTING SYSTEM SECURITY FLAWS IN INTERNET VOTING SYSTEM Sandeep Mudana Computer Science Department University of Auckland Email: smud022@ec.auckland.ac.nz Abstract With the rapid growth in computer networks and internet,

CS5008: Internet Computing

CS5008: Internet Computing CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is

A Novel Technique for Detecting DDoS Attacks at Its Early Stage

A Novel Technique for Detecting DDoS Attacks at Its Early Stage A Novel Technique for Detecting DDoS Attacks at Its Early Stage Bin Xiao 1, Wei Chen 1,2, and Yanxiang He 2 1 Department of Computing, The Hong Kong Polytechnic University, Hung Hom, Kowloon, Hong Kong {csbxiao,

How To Mark A Packet With A Probability Of 1/D

How To Mark A Packet With A Probability Of 1/D TTL based Packet Marking for IP Traceback Vamsi Paruchuri, Arjan Durresi and Sriram Chellappan* Abstract Distributed Denial of Service Attacks continue to pose major threats to the Internet. In order to

DDoS Attacks and Defenses Overview

DDoS Attacks and Defenses Overview DDoS Attacks and Defenses Overview Pedro Pinto 1 1 ESTG/IPVC Escola Superior de Tecnologia e Gestão, Intituto Politécnico de Viana do Castelo, Av. do Atlântico, 4900-348 Viana do Castelo, Portugal pedropinto@estg.ipvc.pt

A Brief Discussion of Network Denial of Service Attacks. by Eben Schaeffer 0040014 SE 4C03 Winter 2004 Last Revised: Thursday, March 31

A Brief Discussion of Network Denial of Service Attacks. by Eben Schaeffer 0040014 SE 4C03 Winter 2004 Last Revised: Thursday, March 31 A Brief Discussion of Network Denial of Service Attacks by Eben Schaeffer 0040014 SE 4C03 Winter 2004 Last Revised: Thursday, March 31 Introduction There has been a recent dramatic increase in the number

TRAFFIC REDIRECTION ATTACK PROTECTION SYSTEM (TRAPS)

TRAFFIC REDIRECTION ATTACK PROTECTION SYSTEM (TRAPS) TRAFFIC REDIRECTION ATTACK PROTECTION SYSTEM (TRAPS) Vrizlynn L. L. Thing 1,2, Henry C. J. Lee 2 and Morris Sloman 1 1 Department of Computing, Imperial College London, 180 Queen s Gate, London SW7 2AZ,

Yahoo Attack. Is DDoS a Real Problem?

Yahoo Attack. Is DDoS a Real Problem? Is DDoS a Real Problem? Yes, attacks happen every day One study reported ~4,000 per week 1 On a wide variety of targets Tend to be highly successful There are few good existing mechanisms to stop them

Index Terms: DDOS, Flash Crowds, Flow Correlation Coefficient, Packet Arrival Patterns, Information Distance, Probability Metrics.

Index Terms: DDOS, Flash Crowds, Flow Correlation Coefficient, Packet Arrival Patterns, Information Distance, Probability Metrics. Volume 3, Issue 6, June 2013 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com Techniques to Differentiate

Attack Diagnosis: Throttling Distributed Denialof-Service Attacks Close to the Attack Sources

Attack Diagnosis: Throttling Distributed Denialof-Service Attacks Close to the Attack Sources Attack Diagnosis: Throttling Distributed Denialof-Service Attacks Close to the Attack Sources Ruiliang Chen and Jung-Min Park Bradley Department of Electrical and Computer Engineering Virginia Polytechnic

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped

Defending Against Distributed Denial of Service Attacks

Defending Against Distributed Denial of Service Attacks Defending Against Distributed Denial of Service Attacks By Tao Peng A thesis submitted to the University of Melbourne in total fullfillment for the degree of Doctor of Philosophy Department of Electrical

Software Puzzle Counterstrike for Denial of Service Attack

Software Puzzle Counterstrike for Denial of Service Attack Software Puzzle Counterstrike for Denial of Service Attack Deepu. S. D, Dr. Ramakrishna. M.V 4th Sem M.Tech Student, Department of ISE, SJBIT, Bangalore, India Professor, Department of ISE, SJBIT, Bangalore,

Mitigating Denial-of-Service and Distributed Denial-of-Service Attacks Using Server Hopping Model Using Distributed Firewall

Mitigating Denial-of-Service and Distributed Denial-of-Service Attacks Using Server Hopping Model Using Distributed Firewall Mitigating Denial-of-Service and Distributed Denial-of-Service Attacks Using Server Hopping Model Using Distributed Firewall Prajyoti P.Sabale 1, Anjali B.Raut 2 1 Department of Computer Science &Information

Frequent Denial of Service Attacks

Frequent Denial of Service Attacks Frequent Denial of Service Attacks Aditya Vutukuri Science Department University of Auckland E-mail:avut001@ec.auckland.ac.nz Abstract Denial of Service is a well known term in network security world as

A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms

A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin and Peter Reiher Computer Science Department University of California, Los Angeles Technical report #020018 Abstract

How To Block A Ddos Attack On A Network With A Firewall

How To Block A Ddos Attack On A Network With A Firewall A Prolexic White Paper Firewalls: Limitations When Applied to DDoS Protection Introduction Firewalls are often used to restrict certain protocols during normal network situations and when Distributed Denial

Network Security. Chapter 9. Attack prevention, detection and response. Attack Prevention. Part I: Attack Prevention

Network Security. Chapter 9. Attack prevention, detection and response. Attack Prevention. Part I: Attack Prevention Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Part I: Attack Prevention Network Security Chapter 9 Attack prevention, detection and response Part Part I:

CHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM

CHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM 59 CHAPETR 3 DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM 3.1. INTRODUCTION The last decade has seen many prominent DDoS attack on high profile webservers. In order to provide an effective defense against

Announcements. No question session this week

Announcements. No question session this week Announcements No question session this week Stretch break DoS attacks In Feb. 2000, Yahoo s router kept crashing - Engineers had problems with it before, but this was worse - Turned out they were being

Port Hopping for Resilient Networks

Port Hopping for Resilient Networks Port Hopping for Resilient Networks Henry C.J. Lee, Vrizlynn L.L. Thing Institute for Infocomm Research Singapore Email: {hlee, vriz}@i2r.a-star.edu.sg Abstract With the pervasiveness of the Internet,

An Overlay Protection Layer against Denial-of-Service Attacks

An Overlay Protection Layer against Denial-of-Service Attacks An Overlay Protection Layer against Denial-of-Service Attacks Hakem Beitollahi Hakem.Beitollahi@esat.kuleuven.be Geert Deconinck Geert.Deconinck@esat.kuleuven.be Katholieke Universiteit Leuven Electrical

Protecting Web Servers from DoS/DDoS Flooding Attacks A Technical Overview. Noureldien A. Noureldien College of Technological Sciences Omdurman, Sudan

Protecting Web Servers from DoS/DDoS Flooding Attacks A Technical Overview. Noureldien A. Noureldien College of Technological Sciences Omdurman, Sudan Protecting Web Servers from DoS/DDoS Flooding Attacks A Technical Overview Noureldien A. Noureldien College of Technological Sciences Omdurman, Sudan Email: noureldien@hotmail.com Abstract Recently many

How To Protect A Dns Authority Server From A Flood Attack

How To Protect A Dns Authority Server From A Flood Attack the Availability Digest @availabilitydig Surviving DNS DDoS Attacks November 2013 DDoS attacks are on the rise. A DDoS attack launches a massive amount of traffic to a website to overwhelm it to the point

Available online at www.sciencedirect.com. ScienceDirect. Procedia Computer Science 49 (2015 ) 202 210 ICAC3 15

Available online at www.sciencedirect.com. ScienceDirect. Procedia Computer Science 49 (2015 ) 202 210 ICAC3 15 Available online at www.sciencedirect.com ScienceDirect Procedia Computer Science 49 (2015 ) 202 210 ICAC3 15 Understanding DDoS Attack & Its Effect In Cloud Environment Rashmi V. Deshmukh a, Kailas K.

A novel approach to detecting DDoS attacks at an early stage

A novel approach to detecting DDoS attacks at an early stage J Supercomput (2006) 36:235 248 DOI 10.1007/s11227-006-8295-0 A novel approach to detecting DDoS attacks at an early stage Bin Xiao Wei Chen Yanxiang He C Science + Business Media, LLC 2006 Abstract Distributed

Router Based Mechanism for Mitigation of DDoS Attack- A Survey

Router Based Mechanism for Mitigation of DDoS Attack- A Survey Router Based Mechanism for Mitigation of DDoS Attack- A Survey Tamana Department of CE UCOE, Punjabi University Patiala, India Abhinav Bhandari Department of CE UCOE, Punjabi University Patiala, India

The Coremelt Attack. Ahren Studer and Adrian Perrig. We ve Come to Rely on the Internet

The Coremelt Attack. Ahren Studer and Adrian Perrig. We ve Come to Rely on the Internet The Coremelt Attack Ahren Studer and Adrian Perrig 1 We ve Come to Rely on the Internet Critical for businesses Up to date market information for trading Access to online stores One minute down time =

Early DoS Attack Detection using Smoothened Time-Series and Wavelet Analysis

Early DoS Attack Detection using Smoothened Time-Series and Wavelet Analysis Third International Symposium on Information Assurance and Security Early DoS Attack Detection using Smoothened Time-Series and Wavelet Analysis Pravin Shinde, Srinivas Guntupalli CDAC, Mumbai {pravin,srinivas}@cdacmumbai.in

SECURING APACHE : DOS & DDOS ATTACKS - II

SECURING APACHE : DOS & DDOS ATTACKS - II SECURING APACHE : DOS & DDOS ATTACKS - II How DDoS attacks are performed A DDoS attack has to be carefully prepared by the attackers. They first recruit the zombie army, by looking for vulnerable machines,

How To Defend Against A Ddos Attack On A Web Server

How To Defend Against A Ddos Attack On A Web Server [main] Hello, My name is Kanghyo Lee, I m a member of infosec. Today, I am here to present about A taxonomy of DDoS attack and DDoS defense mechanisms. [index] this is the procedure of my presentation

IP Traceback-based Intelligent Packet Filtering: A Novel Technique for Defending Against Internet DDoS Attacks

IP Traceback-based Intelligent Packet Filtering: A Novel Technique for Defending Against Internet DDoS Attacks IP Traceback-based Intelligent Packet Filtering: A Novel Technique for Defending Against Internet DDoS Attacks Minho Sung and Jun Xu College of Computing Georgia Institute of Technology Atlanta, GA 30332-0280

Gaurav Gupta CMSC 681

Gaurav Gupta CMSC 681 Gaurav Gupta CMSC 681 Abstract A distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing Denial of Service for users of the

THE ECONOMIC INCENTIVES OF PROVIDING NETWORK SECURITY SERVICES ON THE INTERNET INFRASTRUCTURE

THE ECONOMIC INCENTIVES OF PROVIDING NETWORK SECURITY SERVICES ON THE INTERNET INFRASTRUCTURE THE ECONOMIC INCENTIVES OF PROVIDING NETWORK SECURITY SERVICES ON THE INTERNET INFRASTRUCTURE Li-Chiou Chen Institute for Software Research International Carnegie Mellon University lichiou@andrew.cmu.edu
