How To Make A Dstrbuted Ddos Attack More Successful

Transcription

1 PacketScore: Statstcs-based Overload Control aganst Dstrbuted Denal-of-Servce Attacks Yoohwan K * Wng Cheong Lau * Moo Choo Chuah ** H. Jonathan Chao EECS Departent Bell Labs CSE Departent ECE Departent Case Western Reserve Unversty Lucent Technologes Lehgh Unversty Polytechnc Unversty Cleveland, OH Holdel, NJ Bethlehe, PA Brooklyn, NY Abstract Dstrbuted Denal of Servce (DDoS) attack s a crtcal threat to the Internet. Currently, ost ISPs erely rely on anual detecton of DDoS attacks after whch offlne fnegran traffc analyss s perfored and new flterng rules are nstalled anually to the rers. The need of huan nterventon results n poor response te and fals to protect the vct before severe daages are realzed. The expressveness of exstng flterng rules s also too lted and rgd when copared to the ever-evolvng characterstcs of the attackng packets. Recently, we have proposed a DDoS defense archtecture that supports dstrbuted detecton and autoated on-lne attack characterzaton. In ths paper, we wll focus on the desgn and evaluaton of the autoated attack characterzaton, selectve packet dscardng and overload control porton of the proposed archtecture. Our key dea s to prortze packets based on a perpacket score whch estates the legtacy of a packet gven the attrbute values t carres. Specal consderatons are ade to ensure that the schee s aenable to hgh-speed hardware pleentaton. Once the score of a packet s coputed, we perfor score-based selectve packet dscardng where the droppng threshold s dynacally adjusted based on () the score dstrbuton of recent ncong packets and (2) the current level of overload of the syste. Keywords - Syste desgn, Sulatons, Denal-of-Servce Attack, Securty, Overload Control, Selectve Packet Dscardng, Traffc characterzaton I. MOTIVATION One of the ajor threats to cyber securty s Dstrbuted Denal-of-Servce (DDoS) attack n whch the vct network eleent(s) are bobarded wth hgh volue of fcttous, attackng packets orgnated fro a large nuber of achnes. The a of the attack s to overload the vct and render t ncapable of perforng noral transactons. DDoS attacks can be categorzed nto end-pont attacks and nfrastructure attacks. In an end-pont attack, the vct can be an ndvdual end-host or, ore typcally, an entre custoer stub-network served by an Internet Servce Provder (ISP). In an nfrastructure attack, hgh volue of attackng packets are forced through a port of an ISP rer to create one or ore choke-ponts wthn the ISP nfrastructure based on the knowledge of the rng pattern wthn the doan. Currently, ost ISPs erely rely on anual detecton of DDoS attacks. Once an attack s reported, an offlne fne-gran traffc analyss * Correspondng Authors: yoohwan@eee.org, lau@bell-labs.co ** The work was done whle Professor Chuah was wth Bell Labs. s perfored by a subject-atter expert to dentfy and characterze the attackng packets. New flterng rules/ access control lst are then constructed and nstalled anually to the rers accordng to the coe of attack characterzaton. The need of huan nterventon results n poor response te and fals to protect the vct before severe daages are realzed. Ths procedure also lacks adaptablty and renders the syste vulnerable towards fast-varyng DDoS attacks. Further, the expressveness of exstng rule-based flterng s too lted as t requres an explct specfcaton of all types of packets to be dscarded. As the dfference between legtate and attackng packets becoe ncreasngly subtle, the nuber of requred flterng rules as well as the nuber of packet attrbutes ncluded n each rule explode. Increase n rule-set coplexty also poses serous scalablty probles for hghspeed pleentaton of rule-based flterng. Recently, the DDoS proble has attracted uch attenton fro the research county. So far, the focus has been on the desgn of traffc arkng and traceback protocols [Be, Pa, Sa, Sn] whch enable downstrea rers to deterne and notfy the upstrea rers of the attackng packets. Most of the work ephaszes the backward copatblty of protocol support for traceback under the exstng Internet nfrastructure. Once the upstrea sources of the attack have been dentfed, proposed pushback echanss [Io2, Ya2] are used to contan the daage of the attack. However, the effectveness of such an approach s contngent upon the ablty to extract a precse characterzaton of the attackng packets. Wth such characterzaton, the legtate traffc wthn the suspcous flows wll be equally affected by the pushback echans. Whle there has been recent work by the data-nng research county to recognze ntruson patterns usng offlne achne-learnng approaches [Le98, Ma99], these schees are ostly offlneorented. An excepton to ths trend s the D-WARD approach [M2], whch does perfor lted statstcal traffc proflng at the edge of the networks to perfor onlne detecton of new types of DDoS attacks. By ontorng the nonal perdestnaton type traffc arrval and departure rate of TCP, UDP, ICMP packets, as well as any abnoral asyetrcal behavor of the two-way traffc at the edge rer connectng to a stub-network, D-WARD as at stoppng DDoS attacks near ther sources,.e., the ngress rers. Whle such "sourcesde" tacklng approach s attractve n ters of havng less deandng operatng-speed and scalablty requreents, ts

2 vablty hnges on the voluntary cooperaton of ajorty of ngress network adnstrators Internet-wde. In theory, one can crcuvent ths deployent proble by applyng the D- WARD approach to the backbone network. However, n order to realze such a backbone approach, one ust address the key scalablty ssues such as the large nuber of s requred to be protected and the hgh operatng speed wthn the backbone network. Ths s ndeed the ephass of our proposed schee. There are also a sall set of coercal products [Mazu, Rve] whch advertse lted support of statstcs-based adaptve flterng technques. However, ost of these solutons do not fully autoate packet dfferentaton or flter enforceent. Instead, they only recoend a set of bnary flter rules to the network adnstrator to be nstalled n ther rers or frewalls. The recoended rule set s often too coplex to be coprehensble, let alone to be debugged or odfed. The techncal detals of ther statstcs-based adaptve flterng schees are not avalable to the publc. The perforance of the schees, especally n ters of scalablty and pact on legtate traffc s not clear ether. The stuaton s well suarzed by a quote fro a recent artcle on ant-dos devce revew [Fo]: "In the end, we felt as though we were left playng Russan roulette when t cae to nstallng the recoended flters." The rest of ths paper s organzed as follows: n Secton II, we provde an overvew of the entre PacketScore DDoS defense archtecture. In Secton III, we focus on the desgn and pleentaton of the ntellgent packet dfferentaton, selectve dscardng and overload control porton of our proposal, whch s the an subject of ths paper. In partcular, we wll concentrate on a standalone pleentaton of these schees, whch s drectly applcable for protectng nfrastructure DDoS attacks. Due to lted space, the detals of ther dstrbuted pleentaton are beyond the scope of ths paper, and wll be the subject of a sequel of ths paper. In Secton IV, we evaluate the perforance of the standalone packet dfferentaton/ dscardng schee. The paper s concluded n Secton V wth a lst of future nvestgaton drectons. II. OVERVIEW OF THE PACKETSCORE APPROACH Recently, we have proposed a defense schee based on dstrbuted detecton and autoated on-lne attack characterzaton [La3]. The proposed schee conssts of the followng 3 phases: Detect the onset of an attack and dentfy the vct by ontorng four key traffc statstcs of each protected whle keepng nu per- states. Dfferentate between legtate and attackng packets destned towards the vct based on a readlycoputed, Bayesan-theoretc etrc of each packet. The etrc s the so-called "Condtonal Legtate Probablty" (CLP). Dscard packets selectvely by coparng the CLP of each packet wth a dynac threshold. The threshold s adjusted accordng to () the dstrbuton of CLP of all suspcous packets and (2) the congeston level of the vct. We nae our schee the PacketScore approach because CLP can be vewed as a score whch estates the legtacy of a suspcous packet. By takng a score-based flterng approach, we avod the probles of conventonal bnary rulebased flterng dscussed n Secton I. The score-based approach also enables the prortzaton of dfferent types of suspcous packets. It s uch ore dffcult, f not possble, for rule-based flterng to support such prortzaton. The ablty to prortze becoes even ore portant when a full characterzaton of the attackng packets becoes nfeasble. By lnkng the CLP dscard threshold to the congeston level of the vct, our approach allows the vct syste to opportunstcally accept ore potentally legtate traffc as ts capacty perts. In contrast, once a rule-based flterng schee s confgured to dscard a specfc type of packets, t does so regardless of the vct utlzaton. For end-pont attacks, we eploy a scalable, dstrbuted attack detecton process usng Bloo flter/ leaky bucket arrays (BFLBA) slar to those proposed by [Fe, Es2] to ontor key traffc statstcs of each protected. The BFLBA's allow us to sultaneously ontor such statstcs for a large nuber of protected s whle keepng nal per- state nforaton. Dstrbuted attack detecton s realzed va a DDoS control server (DCS) whch correlates and consoldates possble ncdents reported by rers resdng along a securty pereter. We refer such rers as Detectng-Dfferentatng-Dscardng rers (3D-R). Once an attack vct s dentfed, the 3D-Rs collaborate wth the DCS to perfor a dstrbuted, onlne characterzaton of the attackng traffc by coparng the fne-gran characterstcs of the suspcous traffc wth a nonal traffc profle of the vct. The result enables each 3D-R to copute a "score",.e., the CLP, for each suspcous packet at wre-speed whch ranks the lkelhood of the packet beng an attackng packet, gven the attrbute values t carres, usng a Bayesan-theoretc approach. Based on a dynac thresholdng echans aganst such score, the 3D-Rs perfor selectve packet dscardng and overload control for the vct n a dstrbuted anner. The DCS coordnates ths dstrbuted overload control process by adjustng the threshold dynacally based on the arrval rate of suspcous traffc and score dstrbutons reported by dfferent 3D-Rs. Fg. depcts the support of dstrbuted detecton and overload control by a set of 3D-Rs and DCSs. Fro here onwards, we focus the desgn and pleentaton of the ntellgent packet dfferentaton, selectve dscardng and overload control porton of our proposal, whch s the an subject of ths paper. In partcular, we wll concentrate on a standalone pleentaton of these schees, whch s drectly applcable for protectng nfrastructure DDoS attacks.

3 DDoS Attack Stub Network AS 3D-R DDoS Control Inforaton Exchange 3D-R R R ISP Securty Pereter R R DDoS Attack 3D-R 3D-R AS 2 DCS VIct Vct's Stub Network DCS 3D-R : Detecton, Dfferencaton, Dscard Rer DCS : DDos Control Server R: Regular Rers Fgure : Deployent of 3D-Rs and DCSs to tackle DDoS Attacks III. DETAILED PACKETSCORE METHODOLOGIES In ths secton, we frst dscuss the desgn ssues as well as pleentaton detals related to the packet dfferentaton, selectve packet dscardng and overload control the proposed schee. A. Packet Dfferentaton va Fne-gran Traffc Profle Coparson Once a DDoS attack s detected, the next step s to dstngush the attackng packets fro the legtate ones aongst the suspcous traffc. Our approach s to perfor onlne proflng of the suspcous traffc and copare the fndngs wth the nonal traffc profle of the vct. The vablty of ths approach s based on the prese that there are soe traffc characterstcs that are nherently stable durng noral network operatons of a network, n the absence of DDoS attacks. A dsproportonal ncrease n the relatve frequency of a partcular packet attrbute value s an ndcaton that the attackng packets also share the sae value for that partcular attrbute. The greater the dsproportonal ncrease, the stronger the ndcaton. The ore "abnoral" attrbute values a packet possesses, the hgher the probablty that the packet s an attackng packet. For exaple, f t s found va that the suspcous packets contan abnorally hgh percentage of () UDP packets and (2) packets of sze S and (3) packets wth TTL value T, then UDP packets of sze S and TTL value T destned to the DDoS vct should be treated as pre suspects and gven lower prorty upon selectve packet dscardng durng overload. Canddate packet attrbutes consdered to be used for traffc proflng nclude: the argnal dstrbutons of the fracton of recently arrved packets havng varous () IP Proflng aganst relatve frequency of dfferent attrbute values (nstead of absolute packet arrval rates) helps to allevate the dffcultes caused by the expected fluctuaton of nonal traffc arrval rates due to te-of-the-day and day-of-the-week behavor. protocol-type values, (2) packet sze, (3) server 2 port nubers, (4) source/ destnaton IP prefxes 3, (5) Te-to-Lve (TTL) values, (6) IP/TCP header length 4, (7) TCP flag patterns. We are also nterested n the fracton of packets whch (8) use IP fragentaton and (9) bear ncorrect IP/TCP/UDP checksus. It s worthwhle to consder the jont dstrbuton of the fracton of packets havng varous cobnatons of () packet-sze and protocol-type, () server port nuber and protocol-type, as well as (2) source IP prefx and TTL value. To valdate our cla of the relatvely nvarant nature of the dstrbuton of the above packet attrbutes, we have conducted extensve statstcal analyss on real-lfe Internet traces collected fro the traffc archve of the WIDE-project [WIDE]. Fg. 2(a)-(d) show the te varaton of the dstrbuton of varous packet attrbutes values observed fro a oderately loaded wde area network lnk. For each attrbute, the relatve frequency of ts values are coputed every nutes for the perod between May, 999 8:p and May, 2:p for a total of 8 non-overlappng perods. Fg. 2(a) shows the te-varaton of the dstrbuton of TTL values. In partcular, the ends of the error-bar correspond to the axu and nu fracton observed for the gven TTL value over the aforeentoned 8-hour nterval and the black-dot represents the average. The correspondng te-varyng dstrbutons for protocol-type, packet-sze, TCP-flag pattern, server port nuber and 6-bt source IP prefx are shown n Fg. 2 (b)-(f) respectvely. Notce fro Fg. 2 that whle the fracton of an attrbute value does vary over the 8-hour perod, the varaton s always wthn a few percentage of the total nuber of packets arrved over a -nute wndow. Due to the overwhelng volue of DDoS attack packets copared to noral ones, the forers are expected to ncrease the fracton of partcular attrbute values they carry by ore than a few percentage and change the overall dstrbuton substantally. Furtherore, the varablty of nonal attrbute value dstrbuton can be substantally reduced f hourly te-of-theday profles are used. One ay argue that t s relatvely straghtforward for a sophstcated attacker to learn the approxated dstrbuton of soe attrbutes, e.g. protocol-type, TCP-flag pattern and packet-sze, based on publcly avalable data on Internet traffc characterstcs, and thus be able to generate the attrbute dstrbutons for the attackng packets accordngly to crcuvent our profle-based dfferentaton schee. 2 We eploy the heurstcs of takng the server port nuber to be the nu of the source and destnaton port nubers carred by the packet. Ths elnate the need of dentfyng whether the packet s clent-bound or server-bound. Also, snce clent port nuber s usually selected n rando by the clent operatng syste, t does not eet the nvarant crtera to be used for proflng. 3 In our study, we have used the 6-bt IP prefx as an approxaton of the IP subnet. In practce, we can extract the actual prefx-length of the subnet fro rng tables and/or re-server databases. 4 Ths s to detect possble abuse of IP/TCP optons.

4 Fracton Fracton TTL Server Port Fgure 2 (a): Te varaton of TTL value dstrbuton Fgure 2 (e): Server Port dstrbuton.4 Fracton Fracton Fracton Protocol Type Fgure 2 (b): Te varaton of Protocol Type dstrbuton Packet Sze/ (bytes) Fgure 2 (c): Te varaton of Packet-sze dstrbuton Value of 6-bt TCP flag pattern Fgure 2 (d): Te varaton of 6-bt TCP flag pattern dstrbuton (e.g. SYN = = 2 ; ACK = = 6) Fracton bt IP prefx Fgure 2 (f): Source IP prefx dstrbuton Fgure 2: Te Varaton of Packet Attrbute Values Dstrbuton Note however that dstrbutons of other attrbutes such as TTL and source IP-prefxes, and to a lesser extent, server-port dstrbuton, are expected to be ste-dependent (or lnk/port dependent) and thus ore dffcult for an sde attacker to collect such nforaton. For nstance, t s qute dffcult for an sder to deterne the jont-dstrbuton of source-ipprefx and the TTL value for a gven ste. As long as there exsts proflng nforaton whch s known only to the ste/network-operator but not to the attacker, our schee can use t as the nforaton edge to dfferentate aong attackng and legtate packets. ) Condtonal Legtate Probablty In ths secton, we foralze the noton of condtonal legtate probablty of a suspcous packet whch easures the lkelhood of the packet beng a legtate (nstead of an attackng) one gven the attrbute values t possesses. Consder all the packets destned towards a DDoS attack. Each packet carres a set of dscrete-valued attrbutes A, B, C,... For exaple, A can be the protocol-type, B can be the packet-sze, C can be the TTL values etc. Let JPn ( A, B, C, L ) be the jont probablty ass functon of attrbute values under noral operatons. The probablty of a

5 legtate (attackng) packet havng values a, b, c,... for attrbutes A, B, C,..., s gven by JPn( A = a, B = b, C = c, L ) (and JPa ( A = a, B = b, C = c, L ) respectvely). Slarly, we use JP ( ABCL,,, ) to denote the jont probablty ass functon of packet attrbutes easured durng an attack. Defne the condtonal legtate probablty (CLP) of packet p as: CLP( p) = Pr ob( p s a legtate packet Attrbutes A, B, C,... of packet p are equal to a, b, c, L,respectvely) p p p Assue that there are N packets n total wthn a easureent nterval aong whch N are fro legtate n ones, and N are attackng ones. Usng standard Bayesan a arguent, we have: CLP( p) = Nn JPn( A= ap, B= bp, C= cp, L) Nn JPn( A= ap, B= bp, C= cp, L) + Na JPa( A= ap, B= bp, C= cp, L) Nn JPn( A= ap, B= bp, C= cp, L) = N JP( A= ap, B= bp, C= cp, L) JP ( A = a, B = b, C = c, L)... Eq.() n n p p p =... JP( A = ap, B = bp, C = cp, L) where ( n ) s the nonal (currently easured) utlzaton of the syste, respectvely. Here we have used n / to estate Nn / N. Observe that, snce n / s constant for all packets wthn the sae observaton perod, one can even gnore ts contrbuton when coparng and prortzng packets based on ther CLP values as long as the packets arrve wthn the sae observaton perod. If we assue the attrbutes to be ndependent of each other, Eq.() can be rewrtten as, Pn( A= ap) Pn( B = bp) Pn( C = cp) n CLP( p) = L, P( A= ap) P( B= bp) P( C = cp)... Eq.(2) where Pn ( X ) ( P ( X )) s the argnal probablty ass functon of packet attrbute X under nonal (currently easured) traffc condtons, respectvely. To acheve a coprose between profle storage requreent and the need to capture portant nter-attrbute dependency, we use jont dstrbuton(s) for the strongly-correlated attrbutes whle usng argnal dstrbuton(s) for the reanng ones. The CLP s therefore expressed n the for of a product of argnal and jont probablty ass functon values. In Secton IV, we wll copare the perforance pact and storage requreents for dfferent cobnatons of argnal/ jont dstrbutons. 2) Varaton of Nonal Profles In the above forulaton, we have assued that the nonal profles,.e., JPn ( A, B, C, L ) and Pn ( X )'s are constant for ease of llustraton. In general, the nonal traffc profle s a functon of te whch exhbts perodcal te-ofthe-day, e.g., durnal, day-of-the-week varatons as well as long ter trend changes. Whle long-ter profle changes can be handled va perodcal re-calbraton usng standard teseres forecast and extrapolaton technques [Br], the daly or weekly varaton between successve re-calbraton ay requre te-of-the-day, day-of-the-week specfc traffc profles. To reduce storage and antenance requreent of a large set of te-specfc nonal profles, our approach s to use a hgh percentle, say 95-percentle, of the fracton of each attrbute value observed aongst the ultple te-of-the-day nonal profles as the correspondng reference value. In Secton IV, we wll nvestgate the perforance pact due to nherent varaton of nonal traffc profle. 3) Managng Nonal Traffc Profles usng Iceberg-style Hstogras We expect that a nonal traffc profle of each to be conssted of a set of argnal and jont dstrbutons of varous packet attrbutes. Ths proflng nforaton wll be stored n the for of noralzed hstogras of one or hgher densons. Due to the nuber of attrbutes to be ncorporated n profle (n the order of ten or ore) and the large nuber of possble values of each attrbute (as uch as tens of thousands or ore, e.g., n the case of possble source IP prefxes), an effcent data structure s requred to pleent such hstogras. Ths s partcularly portant for the case of dstrbuted overload control because traffc profles have to be exchanged between the 3D-Rs and the DCS. Towards ths end, we propose to use ceberg-style hstogras [Ba2]. By "ceberg-style", t eans that the hstogra only ncludes those entres n the populaton whch appear ore frequently than a preset percentage threshold, say x. Ths guarantees that there are no ore than /x entres n the hstogra. For entres whch are absent fro the ceberg-style hstogra, we wll use the upper bound,.e., x as ther relatve frequency. Due to the vast densons of jont dstrbuton functons, an ceberg-style pleentaton s partcularly portant. Wth ceberg-style hstogras, a fnegran per- profle can be kept to a anageable sze. As we wll deonstrate n Secton IV, n practce, ost packet attrbutes are donated by a sall set of attrbute values. As such, the actual nuber of non-null values, the so-called nuber of cebergs, n the correspondng ceberg hstogras are uch saller than the axu bound gven above. More portantly, one-pass ceberg-style hstogra antanance/ updates can be pleented effcently n hardware, e.g. by applyng a two-stage ppelned approxaton of the schee proposed n [Ka3]. Tradeoffs between ceberg-threshold, hstogra storage requreent and packet dfferentaton perforance are dscussed Secton IV.

6 To handle nfrastructure attacks, each 3D-R stores and antans the nonal traffc profle of each of ts egress ports. Snce there s a lted nuber of ports per 3D-R, ths should not be an excessve burden. For the case of end-pont attacks, a large nuber of nonal profles, naely, one per protected, has to be stored and antaned. By havng a DCS to coordnate dstrbuted fne-gran traffc proflng, the antenance of per- nonal profles s offloaded to the DCS. Upon the detecton of an end-pont attack, each 3D-R sply easures the fne-gran profle of traffc destned towards the vct and forwards the local easureents to the DCS for aggregaton and coparson wth ther nonal counterparts. In fact, the sae dstrbuted easureent and aggregaton echans s used to establsh the nonal traffc profle of each end-pont at durng ntal and perodcal calbratons 5. The anageent of nonal profles of dfferent end-ponts wthn a doan can be further parttoned aong ultple DCSs for enhanced scalablty. 4) Real-te Traffc Proflng and Per-packet CLP Coputaton Accordng to Eqs. () and (2), the real-te per-packet processng of a nave pleentaton of the CLP coputaton sees fordable: The current packet attrbute dstrbutons have to be updated as a result of the arrvng packet. The CLP for the ncong packet can be coputed only after the packet attrbute dstrbutons have been updated. To ake wre-speed per-packet CLP coputaton possble, we decouple the update of packet attrbute dstrbuton fro that of CLP coputaton to allow CLP coputaton and packet attrbute dstrbuton to be conducted n parallel, but at dfferent te-scales. Wth such decouplng, the CLP coputaton s based on a snapshot of "recently" easured hstogras whle every packet arrval (unless addtonal saplng s eployed) wll ncur changes to the current packet attrbute hstogras. To be ore specfc, a frozen set of recent hstogras s used to generate a set of "scorebooks" whch aps a specfc cobnaton of attrbute values to ts correspondng "score". The scorebooks are updated perodcally n a te-scale longer than the per-packet arrval te-scale, or upon detecton of sgnfcant change of the easured traffc profle. By assung attrbute ndependence and usng the logarthc verson of Eq. (2) as shown below, log[ CLP( p)] = [ log( ) log( )] n [ log( Pn ( A = ap)) log( P ( A = ap)) ] [ log( Pn ( B = bp)) log( P ( B = bp)) ] [ log( P ( C = c )) log( P ( C = c ))] n p +... Eq(3) In practce, an ISP ay choose to perfor coprehensve nonal traffc proflng for the set of "preu-payng" stubnetworks only. For the rest of the end-ponts, the ISP ay choose ther profles fro a set of standard teplates based on ther busness nature, ngress access speed as well as ther sze. + p we can construct a scorebook for each attrbute that aps dfferent values of the attrbute to a specfc partal score. For nstance, the partal score of a packet wth attrbute A equal to a s gven by [log( P ( A= a ) log( P ( A= a )]. p n p p Accordng to Eq.(3), we can su up the partal scores of dfferent attrbutes to yeld the logarth of the overall CLP of the packet. Ths scorebook approach enables hardware-based coputaton of per-packet CLP by replacng nuerous floatng-pont ultplcatons and dvsons n Eq.(2) wth sple addtons and table lookups. Ths scorebook approach can be readly extended to handle nonal profles whch contan of a xture of argnal and jont packet attrbute dstrbutons. Of course, the scorebook for a ultple-attrbute jont-dstrbuton wll be larger. The sze of the scorebook can be further reduced by adjustng () the ceberg threshold and (2) quantzaton steps of the score. B. Selectve Packet Dscardng and Overload Control Once the CLP s coputed for each suspcous packet va fne-gran real-te traffc proflng, selectve packet dscardng and overload control can be conducted usng CLP as the dfferentatng etrc. The key dea s to prortze packets based on ther CLP values. Snce an exact prortzaton would requre offlne, ultple-pass operatons, e.g., sortng, we take the followng alternatve approach to realze an onlne, one-pass operaton: Frst, we antan the cuulatve dstrbuton functon (CDF) of the CLP of all ncong suspcous packets usng one-pass quantle coputaton technques descrbed n [Ch,Gr] 6. We then dscard a suspcous packet f ts CLP value s below a dynacally adjusted threshold 7. If there s a need to guarantee certan nu throughput for partcular types of packets, we can ncorporate such "unty" rules by artfcally boostng the scores of a gven porton of these specfc types of packets. Fg. 3 depcts the ntegrated operaton between CLP coputaton and the deternaton of dynac dscardng threshold for CLP. Frst, a load-sheddng algorth, such as those descrbed n [Ka], s used to deterne the fracton ( Φ ) of arrvng suspcous packets requred to be dscarded n order to control the utlzaton of the vct to be below a value. Typcal nputs to a load-sheddng algorth nclude: current utlzaton of the vct, axu () utlzaton allowed for the vct as well as the current aggregated arrval rate of suspcous traffc. (See Appendx I for a descrpton of the actual load-sheddng algorth used n PacketScore.) 6 Coparng to a score CDF representaton usng constant wdth score-buckets, a -quantle score CDF representaton works uch better due to the unpredctable spacng of packet scores n advance. Also, a resoluton n syste utlzaton s already fne enough for overload control purpose. 7 For practcal pleentaton, we actually keep the CDF of log (CLP) of all suspcous packets and apply the dscardng threshold aganst log (CLP). Ths s to elnate the need of perforng realte nverse logarth after the partal scores of varous attrbutes are sued up accordng to Eq. (3).

7 Data Path Current Vct Utlzaton Target Vct Utlzaton Current Aggregate Arrval Rate of Suspcous Packets Control Path Arrvng Packet (p) Destned to a Vct Subnet Optonal Saplng Per-attrbute Scorebooks Load- Sheddng Algorth Update CDF of Scores Score Assgnent for the Packet p (based on log(clp)) Attr TCP UDP... Attr 2 port 2 port 8... score score Real-Te Traffc Proflng Update Iceberg-style Hstogras (for suspcous traffc profle) Φ (= Fracton of suspcous packets to be dscarded)... Update perodcally or upon substantal CDF changes + per-packet score Generate Scorebooks (perodcally or upon substantal profle changes). Φ Update upon scorebook changes Nonal Traffc Profle CDF of Scores Thd score of packet Thd? If yes, dscard the packet Fgure 3: Packet Dfferentaton and Overload Control score If no, pass the packet Once the requred packet-dscardng percentage, Φ, s deterned, the correspondng CLP dscardng threshold, Thd, s looked up fro a recent snapshot of the CDF of the CLP values of all suspcous packets. The use of a snapshot verson of the CDF (nstead of the ost up-to-date one) elnates possble race-condtons between dscardng threshold updates and CDF changes upon new packet arrvals. The snapshot s updated perodcally or upon sgnfcant changes of the packet score dstrbuton. The adjustent of the CLP dscardng threshold, as well as the load-sheddng algorth, are expected to operate at a te-scale whch s consderably longer than the packet arrval te-scale. When a suspcous packet 8 arrves, the followng tasks are perfored n parallel: () The aggregate arrval rate towards the vct s adjusted. Ths, n turn, changes the nput of the loadsheddng algorth. (2) The packet attrbute values are used for updatng the fne-gran traffc profle,.e. easured hstogras, of the suspcous traffc. (3) The CLP-based score s coputed for the arrvng packet usng frozen scorebooks generated fro a recent snapshot of suspcous traffc profle. Once the score of an arrvng packet s coputed, the score CDF s updated. The packet s then dscarded f ts score s below the current dscardng threshold, Thd. Notce that the use of frozen scorebooks s essental for the parallelzaton of 8 For endpont attacks, the suspcous packets are the ones whch destnate to the vct subnet. For nfrastructure attacks, all the packets passng through the vct choke-pont are consdered to be suspcous. tasks (2) and (3). It s also portant to re-ephasze that, whle CLP-coputaton s always perfored for each ncong packet, selectve packet dscardng only happens when the syste s operatng beyond ts safe () utlzaton level. Otherwse, the overload control schee wll set Φ to zero. IV. PERFORMANCE EVALUATION In ths secton, we wll evaluate the perforance of the proposed CLP-based packet-dscardng schee n a standalone settng va sulaton. Unless stated otherwse, the default settngs for the sulaton s suarzed n Table. Attack Type Scorebook/ CDF Update Interval Baselne Profle Target Max. Load ( ) Legtate traffc Attack Intensty Scorng Strategy Iceberg Thd Generc attack n Secton IV A Every 6 seconds Fve -nute wndows of traffc, collected between 8:p to 8:p, Monday through Frday, n the week of May, 999, by the WIDE project [WIDE]. Set to the axu ncong load of the baselne profle observed over any -nute perod. Ths corresponds to 66 pps for the default baselne profle. Use a trace of the sae lnk, collected between 8:p to :p, Tue, May, 999. Its average arrval rate s 9pps. tes the nonal arrval rate Opton 5 n Secton IV D 9-adaptve-coverage schee n Secton IV E Table : Default Sulaton Settngs Perforance Crtera: Frst, we exane the dfferences n the score dstrbuton for attack and legtate packets. Such dfferences are quantfed usng 2 etrcs, naely, R A and R L as llustrated n Fg. 4. PDF Attack Packet Score Dstrbuton R A Mn L Max A Legt ate Packet Score Dstrbuton R L Packet Score Fgure 4: Characterzng dfference n Score Dstrbuton between legtate and attackng packets Let Mn L (Max A ) be the lowest (hghest) score observed for the ncong legtate (attackng) packets. Defne R A (R L ) to be the fracton of attackng (legtate) packets whch have a score below Mn L (above Max A ). The closer of the values of R A and R L to, the better the scoredfferentaton power. In practce, the score dstrbutons usually have long but thn tals due to very few lner packets wth extree scores. To avod the askng effect of such lers, we have taken Mn L (Max A ) to be the st (99 th ) percentle of the score dstrbuton of legtate (attackng) packets. A typcal set of score dstrbutons for the attackng and legtate packets are shown n Fg 5.

8 Fracton.E+.E-.E-2.E-3.E-4.E-5.E-6 Mn Score Attack PDF Score Fgure 5: Saple Score Dstrbutons Legtate PDF Max Score Whle R A and R L can quantfy the score dfferentaton power, the fnal coe of selectve dscardng also depends on the dynacs of the threshold update echanss. We therefore also easure the false postve (.e., fracton of legtate packets got falsely dscarded), and false negatve (.e., fracton of attackng packets got falsely adtted) ratos of the proposed schee. To check the effectveness of the overload control schee, we copare the actual put utlzaton aganst the axu utlzaton set by the schee. A. Dfferent Attack Types We have evaluated the perforance of PacketScore n defendng aganst the followng types of attacks: Generc attack: all attrbute values of the attackng packets are unforly randozed over ther correspondng allowable ranges. TCP-SYN Flood attack SQL Slaer Wor attack Nonal attack: all attackng packets reseble the ost donant type of legtate packets observed n practce,.e. 5-byte TCP packets wth server-port 8 and TCP-flag set to ACK, wth unforly rando source IP addresses. Mxed attack: equally cobnes the above 4 types of attacks whle keepng the overall attack rate to the tes of that of the rate Changng attack: Slar to the Mxed attack except that the dfferent types of attacks take turns. An attack type s randoly selected and contnues for an exponentally dstrbuted perod. The correspondng results are depcted n Table 2. In general, the proposed packet scorng schee can successfully dstngush between attackng and legtate packets. In all cases except the Changng attacks, R A and R L are above 99. It s noteworthy that the false postve probablty for the TCP- SYN flood attack s kept at a very low level ( and.39). Although the sgnature of the TCP-SYN flood packets can easly be derved by the PacketScore schee, the ablty of PacketScore to prortze legtate TCP-SYN packets over attackng ones based on other packet attrbutes, e.g. source IP prefx and TTL, s an essental feature. Wth such prorzaton, e.g. n the case of stateless rule/sgnature-based flterng, all TCP-SYN packets would have been dscarded and thus ensure the success of the DDoS attack towards the vct. Changng attacks are ore challengng due to ther coplex/ te-varyng attackng packet characterstcs. When the average change-perod of the attack s uch longer than the easureent/ scorebook generaton nterval (3 sec vs. 6 sec n our case), the change n attackng packet characterstcs can readly be tracked. However, when such changes occur at the sae (or shorter) te-scale of the easureent update nterval, the PacketScore schee can be sled to defend aganst soe no-longer-exst attack packets. A possble reedy s to shorten the easureent update nterval or apply ore sophstcated change-detecton technques [Ke93] on the current profle easureents to trgger and speed up scorebooks/ CDF updates 9. However, even n the worst case, the proposed schee can stll successfully dscard ore than 94 of the attackng packets (together wth ab legtate ones). Ths s substantally better than rando packet droppng as the aggregate arrval rate s ore than tes of the load of the syste. Furtherore, s successfully kept close to ts value n all cases. Attack Type + ve PDF Separaton - ve R A R L Generc SYN flood SQL Wor Nonal Mxed Changng (Ave. ON perod = 6 sec) Changng (Ave. ON perod = 3 sec) Table 2a: / legtate = 66 / 9 = 85, based on the default settng Attack Type + ve PDF Separaton - ve R A R L Generc SYN flood SQL Wor Nonal Mxed Changng (Ave. ON perod = 6 sec) Changng (Ave. ON perod = 3 sec) Table 2b: / legtate = / 9 =, based on a lower settng Table 2: Perforance aganst varous Attack Types under dfferent axu syste utlzaton 9 However, there s a lt on the nu nuber of packets to be observed before vald hstogra statstcs can be derved.

9 The dfferences between Table 2a and 2b llustrate the tradeoffs of acceptng ore suspcous packets opportunstcally by rasng beyond the legtate traffc load : When legtate s ncreased fro to 85 of, the fracton of falsely dscarded legtate legtate packets s reduced at the expense of the adsson of ore attackng traffc. Conversely, ths ndcates that the 4-5 false negatve rate n Table 2a s anly due to the gap between and,.e. the extra syste capacty left over by legtate the legtate packets allows soe attackng packets to slp through. B. Increasng Attack Intensty Fg. 6 shows the proposed schee can effectvely provde overload control as attack ntensfes. Even when the volue of attackng packets ncreases fro one te to 25 tes of the nonal load, the schee stll consstently allow ore than 99.5 of legtate packets to pass through unaffected. The attackng packets are adtted only due to the gap between and as dscussed before. legtate By desgn, the dfferentaton power of PacketScore proves as the DDoS attack ntensfes. Ths s because as attack traffc volue ncreases, the dfference between the current traffc profle and the nonal one also ncreases. packets per second Out gong Legtat e PPS Outgong Attack PPS x x 25 x 3 x 42 x 525 Attack Intensty Incong Attack PPS Fgure 6: Effect of Increasng Attack Intensty Conversely, ths reveals a ltaton of the PacketScore approach: t s desgned to protect aganst DDoS attacks whch create ther daage by overloadng the vct wth ther sheervolue of traffc. PacketScore s not effectve aganst attacks whch are based on very-low traffc volue, e.g. n Tear-Drop or Png-of-Death attacks where a sngle carefully crafted packet s used to crash the entre syste. Sgnature-based flterng would be ore approprate for such types of attacks. C. Nonal Profle Senstvty In ths subsecton, we study the effect of the choce of nonal profle. +ve PDF Separaton -ve R A R L Mon Tue Wed Thu Fr Table 3: Mon -hour profle appled to other days of the week +ve PDF Separaton -ve R A R L Mon Tue Wed Thu Fr Table 4: Weekly profle appled to weekdays of the week In the frst case, we buld the nonal profle based on an hourly trace collected n durng Monday, May, 8:PM 9: p, 999. Ths s then used as the baselne for scorng 5 dfferent 2-hour long traces (ncludng tself), wth attackng packets added, collected at the sae hours but dfferent days of the sae week. The results are depcted n Table 3. Observed fro Table 3 that whle the false negatve probablty s always antaned at a very low level (at ost.65), the false postve probablty for Thursday and Frday -hour traces usng the Monday profle s unacceptably hgh (> 38). Upon further exanaton of the data, we fnd that ths s an artfact of our default settng of accordng to the axu traffc rate of the baselne profle observed over any -nute wndow (whch s ab pps for the Monday trace). Snce the ncong traffc rate for the Thursday and Frday traces are sgnfcantly greater than the Monday one, such default choce of nadvertently forces the syste to dscard a sgnfcant porton of legtate packets. As shown n Table 4, the poor perforance due to the satch aong dfferent daly legtate traffc profle and can be overcoe by usng the default weekly profle as descrbed n Table. D. Dfferent Scorng Strateges In ths subsecton, we explore the trade-offs of usng dfferent cobnatons of argnal and jont attrbute dstrbutons n establshng the nonal profle. Table 5 descrbes the optons for baselne profle/scorebook generaton. Fg. 7 shows the dfferentaton perforance and storage requreents of these fve scorng optons. As expected, aong the fve optons, (5) yelds the best scorng/ dfferentaton perforance at the expense of ncreased storage sze for baselne-profle and scorebook, whle () has the sallest baselne-profle/ scorebook footprnt. The perforance proveent of (2) over (), (as well as (4) over (3)) s due to the explot of dependency aong packet-sze, protocol-type and server-port nuber.

10 Scorng Descrpton Strategy Assue ndependence between each attrbute and nclude the argnal dstrbutons of packet-sze, protocol-type, server-port nuber, TCP-flag pattern, TTL value n the nonal profle generaton whle excludng the source IP prefx dstrbuton. 2 Sae as () except usng the 3-densonal jontdstrbuton of packet-sze, protocol-type and serverport nuber to replace ther correspondng argnal dstrbutons. 3 Sae as () except ncludng the argnal dstrbuton of 6-bt source IP prefxes durng baselne proflng. 4 Sae as (2) except ncludng the argnal dstrbuton of 6-bt source IP prefxes durng baselne proflng. 5 Sae as (4) except usng the 2-densonal jontdstrbuton of 6-bt source IP prefxe and TTL value to replace ther correspondng argnal dstrbutons. Table 5: Dfferent Optons of Scorng Strateges Score PDF Separaton (n ) RaR A Rl L Storage Requreents Scorng Strateges Fgure 7: Coparson of scorng strateges Noralzed. Storage Requreent The proveent of (3) over () (as well as (4) over (2)) reflects the nforaton value of source IP prefxes, even at a very coarse 6-bt granularty. The advantage of (5) over (4) llustrates the value of dependency nforaton between source IP prefx and TTL value, whch, to a large extent, captures the nonal dstance between the source and the ste/port/lnk to be protected. E. Settng the Iceberg Thresholds In ths subsecton, we nvestgate the pact of ceberg threshold value on packet dfferentaton perforance and profle/ scorebook storage requreents. We have consdered two dfferent ceberg threshold settng strateges. Under the statc strategy, we fx the ceberg thresholds for all sngle attrbute argnal dstrbutons, 2-densonal and 3- densonal jont dstrbutons at.,. and. respectvely. Under the adaptve strategy, the ceberg threshold value s deterned separately for each argnal/ jont dstrbuton of nterest so that 9, 95 or 99 of the overall entres observed n the baselne trace are covered by the correspondng ceberg hstogras. +ve PDF Separaton -ve R A R L Statc Adaptve Adaptve Adaptve Noralzed Storage Req. (absolute sze). (3.6 Kbyte) 5.6 (76 Kbyte) 9.4 (27.8 Kbyte) 2.2 (288.3 Kbyte) Table 6: Perforance results aganst dfferent thresholdng ethods Table 6 suarzes the results of these varous approaches. As shown n Table 6, there s no sgnfcant dfference n the dfferentaton power of all the approaches. However, snce the adaptve ceberg-threshold settng strategy should be ore robust aganst possble changes n nonal profle traces, t s recoended over the statc strategy. Aong dfferent coverage of the adaptve strategy, the 9-coverage produces the best balance between storage requreent and dfferentaton perforance. It also shows that wth ceberg hstogras, each nonal profle (as well as ts correspondng set of scorebooks) requres less than Kbyte of eory. V. CONCLUSIONS AND FUTURE WORK In ths paper, we have lned an archtecture usng a set of collaboratng 3D-Rs and DCSs to defend aganst DDoS attacks. The proposed schee leverages hardware pleentaton of advanced data-strea processng technques, ncludng onepass operatons of ceberg-style hstogras and quantle (CDF) coputatons, to enable scalable, hgh-speed fne-gran traffc proflng and per-packet scorng. We have studed the perforance and desgn tradeoffs of the proposed packet scorng schee n the context of a stand-alone pleentaton. Such schee can tackle never-seen-before DDoS attack types by provdng a statstcal-based adaptve dfferentaton between attackng and legtate packets to drve selectve packet dscardng and overload control at hgh-speed. In a sequel of ths paper, we wll study the perforance of a dstrbuted pleentaton of the proposed schee. In partcular, we wll nvestgate the effects of update and feedback delays, as well as the pact of profle and score CDF resolutons on the perforance of the dstrbuted pleentaton. We wll also study the ablty and possble enhanceents of the proposed schee for defendng aganst ore sophstcated DDoS attacks. Another nvestgaton topc s on how the te-scale of updates of the scorebooks, score CDF, and dynac dscardng threshold, wll pact the response te and decson error of the proposed selectve packet dscardng schee when subject to ore orchestrated synchronzed DDoS attacks. Whle the current CLP-based packet dfferentaton s theoretcally attractve due to ts Bayesan roots, t s concevable to use a surrogate packet dfferentatng etrc to replace CLP and desgn an even ore hardware-aenable schee based on a rudentary perattrbute scorng echans, e.g. usng an array of leakybuckets. We ntend to study the perforance and coplexty

11 trade-offs of such alternatves for hardware pleentaton purpose. REFERENCES [Ba2] B. Babcock et al, Models and Issues n DataStrea Systes, ACM Syp. on Prncples of Database Sys., Jun 22. [Be] S. Bellovn, M. Leech, T. Taylor, ICMP Traceback Messages, draftetf-trace-.txt, Internet draft, Oct 2. [Br] J.D. Brutlag, Aberrant Behavor Detecton n Te Seres for Network Montorng," the 4 th USENIX.Conf., Dec 2. [Ch] F. Chen, D. Labert, J.C. Pnhero, Increental Quantle Estaton for Massve Trackng, the 6th Internatonal Conf. n Knowledge Dscovery and Data Mnng, Aug 2. [Es2] C. Estan, G. Varghese, New Drectons n Traffc Measureent and Accountng, SIGCOMM, Aug 22. [Fe] W. Feng, D.D. Kandlur, D. Saha, K.G. Shn, Stochastc Far Blue: A Queue Manageent Algorth for Enforcng Farness, Infoco, Mar 2. [Fo] J. Forrstal, "Freproofng aganst DoS Attack,"Network Coputng, Dec, 2. [Gr] M. Greenwald, S. Khanna, "Space-Effcent Onlne Coputaton of Quantle Suares", SIGMOD, May 2. [Io2] J. Ioannds, S.M. Bellovn, "Ipleentng Pushback: Rer-Based Defense Aganst DDoS Attacks", Network and Dstrbuted Syste Securty Syp., Feb. 22. [Ka3] R.M. Karp, C.H. Papadtrou, S. Shenker, A Sple Algorth for Fndng Frequent Eleents n Streas and Bags", ACM Trans. on Database Systes, to appear. [Ka] S. Kasera et al, Fast and Robust Sgnalng Overload Control, ICNP, Nov. 2. [Ke93] F. Kerestecoglu, Change detecton and nput desgn n dynacal systes, John Wley 993. [La3] W.C. Lau, M.C. Chuah, H.J. Chao, Y. K, PacketScore a proactve defense schee aganst Dstrbuted Denal of Servce Attacks, NSF proposal under subsson. [Le98] W. Lee, S.J. Stolfo, Data Mnng Approaches for Intruson Detecton," the 7th USENIX Securty Syp., Jan 998. [Ma99] D. Marchette, A Statstcal Method for Proflng Network Traffc, the st USENIX Workshop on Intruson Detecton and Network Montorng, Apr 999. [Mazu] Mazu Networks Inc. [M2] J. Mrkovc, G. Prer, P. Reher, Attackng DDoS at the Source, ICNP, Nov. 22. [Pa] K. Park and H. Lee, On the Effectveness of Probablstc Packet Markng for IP Traceback under Denal of Servce Attack, Infoco, 2. [Rve] Rverhead Networks Inc. [Sa] S. Savage, D. Wetherall, A. Karln, and T. Anderson, Network Support for IP Traceback, IEEE/ACM TON, Vol. 9, no. 3, June 2. [Sn] A. Snoeren et al, Hash-based IP Traceback, SIGCOMM, Aug. 2. [WIDE] MAWI Traffc Archve, [Ya2] D.K.Y. Yau, J.C.S. Lu, F. Lang, "Defendng Aganst Dstrbuted Denal-of-Servce Attacks wth Max-n Far Server-centrc Rer Throttles," IWQoS, 22. Appendx I Here, we descrbe the load-sheddng algorth by Kaufan [Ka], whch s used as a sub-odule n the PacketScore schee. Let Ψ = ( Φ ) denote the fracton of packets pertted to pass the throttle pont durng the ( + ) th nterval. Let Ψ = and Ψ be always constraned wthn the nterval [ Ψ n,], where Ψ s a sall but non-zero n nuber whch prevents the throttle fro shuttng off all ncong packets. At the end of the th easureent nterval, the load estate s avalable and we calculate φ / =, where s the axu utlzaton allowed by the server (or port) whch s chosen to pert the server to antan a reasonable delay for all ncong packets. If =, we set φ = φax where φ ax s a large nuber whose precse value s unportant. After φ has been coputed, the throttle rato for n the next nterval, denoted by Ψ s gven by: Ψ =Ψ φ. Snce Ψ ust be truncated to le n the nterval [ Ψ n,], we can rewrte the above as: { φ j } j= ax Ψ = n Ψ,, Ψ n.