DDoS Attacks and Defenses

Transcription

1 DDoS Attacks and Defenses Prof. Heejo Lee Computer & Communication Security Lab Div. of Computer & Communication Engineering Korea University, April 15, 2008

2 Overview 1. History of DDoS Attack 2. Types of DDoS Attack 3. DDoS Defenses 4. IP Spoofing Prevention 5. Attack Visualization 6. Botnet Detection

3 1. History of DDoS Attacks Distributed DoS DoS Spoofing 1996 SYN flooding attacks 1997 Smurf attacks 1999 Distributed attack tools 2000 Yahoo, CNN, ebay attacks 2001 CodeRed worms 2002 DNS root server attack 2003 Slammer worms 2004 Botnet attacks nd DNS root server attack 2008 Prevalence of ransom attacks Distributed Reflector DoS Botnet

4 DDoS Attacks Most significant threat to network operators Source: Worldwide Infrastructure Security Report, Arbor Networks, Sep. 2007

5 DNS Backbone DDoS Attacks Not-technical but political response implies the lack of proper countermeasures.

6 Ransom DDoS Attacks Ransom attacks Demand money to prevent the site being attacked Growing frequency Online-game item-trading sites, Oct M stock trading company, Mar Difficulty of incidence responses Lack of network security awareness Distributed attacks via a botnet Attacking from overseas, e.g. China Whoever sites, maybe yours? Shopping, portal, trading sites Game, chatting, adult sites

7 2. The Type of DDoS Attack 1 DoS attacks Denial of Service attack Attempt to prevent legitimate users from using a service Examples of DoS include Flooding a network, disrupting a service Disrupting connections between machines

8 2. The Type of DDoS Attack 2 DDoS attacks Distributed Denial of Service attack Many machines are involved in the attack against one or more victim(s)

9 2. The Type of DDoS Attack 3 DRDoS attacks Distributed Reflector Denial of Service attack DRDoS is much like a DDoS, but the attack source is spoofed Amplification attacks (broadcast ping, DNS queries) Web or name server reflection

10 2. The Type of DDoS Attack 4 Botnet A botnet is a large pool of compromised hosts, which is remotely controllable by a server and can be used for sending spam mails, stealing personal information, and launching DDoS attacks.

11 3. DDoS Defenses Prevention Detection Response IP spoofing prevention Attack detection & visualization Rate limiting & distributed filtering IP Spoofing Distributed Attacks Botnets

12 4. IP Spoofing Prevention 1 Ingress filtering [RFC 2827] S Here s packet from A to B I know my addresses and A is not one of them A B Ingress filtering drops packets before the packets leave their local networks. No benefits for early adopters, not suitable for multihomed networks

13 4. IP Spoofing Prevention 2 Unicast Reverse Path Forwarding (urpf) [Cisco 2003] IP packets are checked to ensure that the route back to the source uses the same interface. RPF-enabled routers forward only packets that have valid source addresses consistent with the IP routing table. Ingress filtering for multihomed networks [RFC 3704] Not suitable for asymmetric routing paths (over 50%)

14 4. IP Spoofing Prevention 3 Route-based Distributed Packet Filtering (DPF) [ACM SIGCOMM, 2001] It has been proposed for filtering spoofed packets using routing information, also works for routing asymmetry. DPF does not provide direct incentives to deployers everyone shares the benefits. DPF is difficult to maintain up-to-date routing information.

15 4. IP Spoofing Prevention 4 BGP Anti-Spoofing Extension (BASE) [ASIACCS, 2007] Incremental deployability Initial benefits for the early adopters Incremental benefits for the early majority Effectiveness under partial deployment Strong filtering performance 30% deployment can drop about 97% of attack packets 1 Distribution of marking values 2 Filter invocation 3 Packet marking & filtering 4 Filter revocation

16 5. DDoS Defense Location 3. Defense at sources 2. Defense at network 1. Defense at victim 16

17 Primary Attack Mitigation Techniques Attack packet dropping w/ ACLs, blackholing Source: Worldwide Infrastructure Security Report, Arbor Networks, Sep. 2007

18 Rate Limiting for DDoS Mitigation Unified rate limiting, ISPEC 2008 Works close to attack sources Deals with Internet worms and DDoS attacks

19 Anomaly Worm Detection ADUR, IEICE T COMM 2007 Anomaly Detection Using Randomness check ADUR classifies network states under four characteristics state Calm Flowing Ebbing Flooding Normal state Description Attacked by worm from other infected network Infected by worm on the monitoring network Both Flowing and Ebbing

20 Anomaly DDoS Detection FDD (FE and DDoS Distinguisher) Distinguishing between flash events and DDoS attacks using randomness check

21 VoIP Malformed & Flooding Detection Internet telephony attack detection, IFIP SEC 08 Rule matching + state transition models Detects malformed msg and flooding attacks

22 6. Attack Visualization Benefits of Visualization Intuitive B Deal large noisy data easily A C Come up with new hypotheses Visualization Higher degree of confidence E D Faster

23 Visualization Methods <NSFNET T1 backbone in 1991 > <City Scape: SDM (Chuah et al., 1995) > <H-h Chi et al., IEEE InfoVis'97 A Spreadsheet Approach > <Parallel coordinates>

24 Visualization in Security < J. McPherson et.al., PortVis, ACM CCS 2004> <S.Kim et.al.,ieee INFOCOM 2005> <CAIDA skitter project> <I-V Ounut et.al. Svision, Computers & Security 2007>

25 Parallel Coordinate Attack Visualization 1. Worm Graph - Slammer 2. DDoS attack 3. Hostscan 4. Portscan

26 Application Program of PCAV PCAV 2.0 demonstration

27 What is a bot? Bot A bot is a servant process on a compromised system Communicate with a handler or controller often running public or other compromised systems A botmaster or botherder commands bots to perform any kinds of malicious activities Botnet A network of bots and controller(s) is referred to as a botnet or zombie network

28 Malicious Activities of Botnet Most of recent incidents are related with botnets

29 Botnet Group Activity Group Activity (inherent property), IEEE CIT 2007 A large number of bots always act as a group Botnet Activity Group Activity DNS Queries Connection & Command Execution Botnet

30 Experimental Results Similarity of botnet and normal DNS traffic Similarity of botnet exceeds a given threshold Botnet domain name detection

31 Coordinated Defense Approach DDoS attack information sharing Fingerprint Sharing Alliance by Arbor Networks Blocking attack traffic ISP A DDoS attack detection Sending fingerprint to upstream IPS s

32 Proposal: DDoS Coordination Center Motivation Who can help corporate urgency? Including small and medium enterprises ISP s roles are becoming crucial Roles for the DDoS coordination center Systematic monitoring Coordination of responses to DDoS attacks Protocol development and implementation Technical supports

33 DDoS Defenses at Corporate Networks DDoS-resilient network design Distribution of gateways, and servers Name server placements for robust DNS Developments of secure applications Human-robot identification Mitigating abnormal resource consumptions Security teams for planning and responses Monitoring DDoS attacks for quicker responses Preparing response plans, including ISP contacts On-demand filtering for attack traffic

34 7. Concluding Remarks Prevalence of DDoS attacks Increasing ransom attacks Hard to find a proper countermeasure Mitigating botnet attacks Botnet monitoring (IRC/HTTP/P2P bots) Blacklisting and punishment Responding to DDoS attacks Need good incident response plan, including ISP contacts Identify type of attack and filter attack traffic upstream

35 References K. Park, D. Seo, J. Yoo, H. Lee, H. Kim, Unified Rate Limiting in Broadband Access Networks for Defeating Internet Worms and DDoS Attacks, ISPEC, Apr H. Choi, H. Lee, H. Lee, H. Kim, Botnet Detection by Monitoring Group Activities in DNS Traffic, IEEE CIT, Oct H. Park, H. Lee, H. Kim, "Detecting Unknown Worms using Randomness Check", IEICE Trans. Comm., Vol. E90-B, No. 4, pp , Apr H. Lee, M. Kwon, G. Hasker, A. Perrig, "BASE: An Incrementally Deployable Mechanism for Viable IP Spoofing Prevention", ACM Symp. on Information, Computer and Communications Security (ASIACCS), Mar H. Lee, J. Kim, W. Lee, "Resiliency of Network Topologies under Path-Based Attacks", IEICE Trans. Comm., Vol. E89-B, No. 10, pp , Oct H. Choi, H. Lee, "PCAV: Internet Attack Visualization on Parallel Coordinates", Int'l Conf. on Information and Communications Security (ICICS), LNCS 3783, pp , Dec K. Park, H. Lee, "On the Effectiveness of Route-Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets", ACM SIGCOMM, pp , Aug K. Park, H. Lee, "On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack", IEEE INFOCOM, Apr Further information is available at

36 Computer and Communication Security Laboratory