Transient Performance of PacketScore for blocking DDoS attacks

Transcription

1 Transient Perforance of PacketScore for blocking DDoS attacks Mooi Choo Chuah 1 Wing Cheong Lau Yoohwan Ki H. Jonathan Chao CSE Deartent Bell Laboratories EECS Deartent ECE Deartent Lehigh Univ. Lucent Technologies Case Western Reserve Univ. Polytechnic Univ. Bethlehe, PA Holdel, NJ Cleveland, OH Brooklyn, NY (chuah@cse.lehigh,edu) (lau@bell-labs.co) (yoohwan@ieee.org) (chao@oly.edu) Abstract--Distributed Denial of Service (DDoS) attack is a critical threat to the Internet. Recently we have roosed the PacketScore schee, a DDoS defense architecture that suorts autoated attack detection, on-line attack characterization and attack blocking. Its key idea is to use a statistics-based acket scoring echanis to distinguish between legitiate and nonlegitiate ackets and discard ackets based on the acket scores. In order for such an aroach to work, we need to erfor on-line traffic characterizations, and coare such characterizations with noinal rofiles (generated fro ast history or off-line analysis). The threshold used for the scorebased selective acket discard decision is dynaically adjusted based on the score distribution of recent incoing ackets. In our revious aer [Ki04], we discuss how our roosed syste erfors in different attack scenarios. In this aer, we first give a brief review of the PacketScore aroach and further elaborate on the transient erforance under varying attack tyes and intensities, which ay be exloited in ore sohisticated attacks. We then show that PacketScore is well caable of blocking such sohisticated attacks by sily adjusting the easureent window tie scale to closely track the attack rofile. I. INTRODUCTION One of the ajor threats to cyber security is Distributed Denial-of-Service (DDoS) attack in which the victi network eleent(s) are bobarded with high volue of fictitious, attacking ackets originated fro a large nuber of achines. The ai of DDoS attack is to overload the victi and render it incaable of erforing noral transactions. Recently, the DDoS roble has attracted uch attention fro the research counity. So far, the focus has been on the design of traffic arking and traceback rotocols [Be01, Pa01, Sa01, Sn01] which enable downstrea rers to deterine and notify the ustrea rers of the attacking ackets. Once the ustrea sources of the attack have been identified, roosed ushback echaniss [Io02, Ya02] are used to contain the daage of the attack. However, the effectiveness of such an aroach is contingent uon the ability to extract a recise characterization of the attacking ackets. While there has been recent work by the data-ining research counity to recognize intrusion atterns using offline achine-learning aroaches [Le98, Ma99], these schees are ostly offline-oriented. An excetion to this trend is the D-WARD aroach [Mi02], which does erfor liited statistical traffic rofiling at the edge of the networks to detect new tyes of DDoS attacks online. D-WARD ais at stoing DDoS attacks near their sources, i.e., the ingress rers. While such "source-side" tackling aroach is attractive in ters of having less deanding oerating-seed and scalability requireents, its viability hinges on the voluntary cooeration of ajority of ingress network adinistrators internet-wide. There are also a sall set of coercial roducts [Mazu, Rive] which advertise liited suort of statistics-based adative filtering techniques. However, ost of these solutions do not fully autoate acket differentiation or filter enforceent. Instead, they only recoend a set of binary filter rules to the network adinistrator to be installed in their rers or firewalls. Recently we have roosed a statistics-based schee, called PacketScore, for autoated on-line attack characterization and acket discarding [Ki04], where we rovided a detailed descrition of our PacketScore aroach and siulation results under different attack scenarios. However, we did not rovide any sensitivity analysis on how the score distribution changes with tie when different attack tyes occur. In this aer, we concentrate ore on the transient erforance of the PacketScore syste. In articular, we discuss how the erforance changes with different attack tyes, different attack intensities and different easureent window ties. The rest of this aer is organized as follows: in Section II, we rovide an overview of the PacketScore DDoS defense architecture. In Section III, we discuss how PacketScore erfors in different attack scenarios and show its transient behavior. We exaine the erforance under changing attack tyes coosed of four riary attack tyes (generic, TCP- SYN flooding, SQL Slaer wor, and noinal attack), and changing attack intensities. We conclude in Section IV with soe future work that we intend to exlore. II. PACKETSCORE OVERVIEW In PacketScore, we erfor online traffic rofiling of the incoing traffic and coare it with the noinal traffic rofile for abnorality detection. The key concet in rofiling is the notion of "Conditional Legitiate Probability" (CLP) which indicates the likelihood of a acket being a legitiate one given the attribute values it ossesses. Packets are selectively discarded by coaring the CLP of each acket with a dynaic threshold. The viability of this aroach is based on the reise that there are soe traffic characteristics that are inherently stable during noral network oerations of a network, in the absence of DDOS attacks. This "invariant" reise was suorted by recent traffic easureents and analysis reorted in [Fra03,Liu02,Ki04]. The PacketScore syste is coosed of two arts, the noinal rofile generation art (off-line) and the scoring/discarding art (on-line). We will review the in the following subsections. 1 This work was done while Professor Chuah was with Bell Labs.

2 A. Conditional Legitiate Probability Let N n be the nuber of ackets arriving during a tie eriod T during noral oeration (n for noral). Let {A, B, C, } be the acket attributes, {a 1, a 2, a 3, } be the ossible values for attribute A, {b 1, b 2, b 3, } be the ossible values for attribute B, and so on. We denote P n (Aa i ) as the ratio of the ackets having value a i for attribute A, which is equivalent to the nuber of ackets having the value of a i for attribute A divided by N n. ( i P n ( A a i ) 1) Let us assue that during the sae eriod T, N a attack ackets are added. The total nuber of ackets during T is then N n + N a, which we denote by N (a for attack, for easured). Siilarly to P n (Aa i ), we define P a (Aa i ) and P (Aa i ) as following: P a (Aa i ): the ratio of ackets having value a i for attribute A aong N a attack ackets P (Aa i ): the ratio of ackets having value a i for attribute A aong N total ackets We define the conditional legitiate robability (CLP) as the conditional robability of a acket being legitiate given the set of attribute values it carries, that is, CLP (acket ) P (acket is legitiate attribute A a, attribute B b, ), where a, b, are the attribute values of a acket It can be rewritten as follows: P(( legitiate) ( A a, B b,...)) CLP( ) P( A a, B b,...)... Eq. (1) Nn Pn( A a, B b,...) N Nn Pn ( A a, B b,...) N P ( A a, B b,...) N N P ( A a, B b,...) If the attributes are indeendent, then P(Aa, Bb, ) P(Aa ) * P(Bb ) *, and the CLP can be further rewritten as, N n Pn ( A a ) Pn ( B b )... CLP ( ).. Eq. (2) N P ( A a ) P ( B b )... Consider one of the ters P n ( A a ) P ( A a ) in Eq.(2) during a DDoS attack. If the acket is one of the any attack ackets with attribute value a, then P a (A a ) is high during attack and P (A a ) becoes high. Since P n (A a ) is stable, the resulting CLP becoes low. On the other hand, for other attributes values that few attack ackets have, a, the ratio P a (A a ) is low even if the actual nuber of such attack ackets are greater than the nuber of noral ackets. This akes P (A a ) low and subsequently akes the CLP low. CLP is considered a score for indicating the legitiacy of a acket and the effectiveness is alified as we eloy ore acket attributes, including joint attributes of ultile attributes, and as the attack volue increases. The otential acket attributes are any field in the IP acket header that are exected to change substantially under DDoS attack, such as source IP refix, rotocol tye, acket size, server ort nuber (since the server bound traffic is ore stable), TTL, TCP flag atterns, and cobination of ultile attributes such as TTL + Source IP refix. B. Off-line Noinal Profile Generation Since the actual legitiate traffic distribution during attack is unknown, we need to establish a reference rofile, called noinal rofile, fro the ast traffic. This rofiling inforation is stored in the for of noralized histogras of one or higher diensions. Due to the large nuber of attributes and attribute values to be incororated in a rofile, an efficient data structure is required to ileent such histogras. Towards this end, we use iceberg-style histogras [Ba02], where the histogra only includes those entries in the oulation which aear ore frequently than a reset ercentage threshold, say x. For entries which are absent fro the iceberg-style histogra, we will use the uer bound, i.e., x as their relative frequency. Tradeoffs between icebergthreshold, histogra storage requireent and acket differentiation erforance are discussed in [Ki04]. C. On-line PacketScore Oeration While attack ackets arrive continuously and the true rofile changes as new ackets arrive, continuous rofile generation and scoring is very difficult. Instead we take ieline aroach where the tie is divided into fixed intervals, and each oeration is erfored based on the snashot of the revious eriod. In PacketScore, the following 3 stages are erfored in ieline, naely, incoing acket rofiling, scoring, and discarding. First, acket rofile is easured at eriod T 1, and a scorebook is generated at the end of the eriod. Using the scorebook, the subsequent ackets are scored at eriod T 2, and the score distribution grah is generated along with the cutoff threshold score at the end of eriod T 2. At eriod T 3, the incoing ackets are either acceted or discarded based on the threshold score. Incoing Packet Profiling Siilar to the off-line acket rofile, an on-line rofile is generated as ackets arrive. Rather than erforing exensive calculation of the CLP on the fly, we eloy a scorebook aroach. A frozen set of recent histogras in eriod T 1 is used along with the stored off-line noinal rofile to generate a set of "scorebooks" which as a secific cobination of attribute values to its corresonding "score". To accelerate the coutation, a logarithic version of Eq. (2) is used. Scoring and Selective Discarding The objective of PacketScore is to rioritize the ackets based on their CLP values and discarding the ost likely attack ackets. Since an exact rioritization would require offline, ultile-ass oerations, e.g., sorting, we take the following alternative aroach to realize an online, one-ass oeration. First, all the incoing ackets during T 2 are scored. Second, we construct a cuulative distribution function (CDF) with the CLP scores of the ackets. Then a loadshedding algorith [Ka01] is used to deterine the fraction ( Φ ) of arriving ackets to be discarded in order to control the utilization of the victi to be below a value. Once the required acket-discarding ercentage, Φ, is deterined, the corresonding CLP discarding threshold, Thd, is looked u fro the CDF of the CLP scores. We then discard a susicious acket if its CLP score is below the threshold, Thd. While

3 CLP-coutation is always erfored for each incoing acket, selective acket discarding only haens when the syste is oerating beyond its safe () utilization level. Otherwise, the overload control schee will set Φ to zero. D. Sale score distribution Figure 1 shows a tyical score distribution under a constant DDoS attack. The attack ackets (red) are concentrated in the lower scored region while legitiate ackets (blue) have higher scores. The black bar reresents the cutoff threshold scores for discard decision, which reoves the ajority of the attack traffic. Packet nubers in log Score High Figure 1. ic acket score distribution III. PERFORMANCE ANALYSIS A. Perforance Metrics We quantify the erforance of PacketScore in the following three asects: First, we exaine the differences in the score distribution for attack and legitiate ackets. Such differences are quantified using 2 etrics, naely, R A and R L. Let Min L (Max A ) be the lowest (highest) score observed for the incoing legitiate (attacking) ackets. Define R A (R L ) to be the fraction of attacking (legitiate) ackets which have a score below Min L (above Max A ). The closer of the values of R A and R L to 100, the better the score-differentiation ower. To avoid the asking effect of isolated lier ackets having extree scores, we take Min L (Max A ) to be the 1 st (99 th ) ercentile of the score distribution of legitiate (attacking) ackets. Second, we easure the false ositive (i.e., fraction of legitiate ackets got falsely discarded), and false negative (i.e., fraction of attacking ackets got falsely aditted) ratios of PacketScore. While R A and R L can quantify the score differentiation ower, the final coe of selective discarding also deends on the dynaics of the threshold udate echaniss. Third, we observe whether the aount of assing traffic after discarding is within an accetable range for the destination. To easure the effectiveness of the overload control, we coare the actual ut utilization against the axiu utilization ( t arg et set by the schee ). In our siulations is read fro the noinal traffic rofile. We review the erforance of PacketScore under constant attack, and then observe the erforance under varying attacks. We study three tyes of changing attacks, i.e., attack tye change, attack intensity change, and both attack tye and intensity change. The default attack intensity is 10 ties of noinal traffic, and the easureent window tie is 10 seconds. For all attack scenarios, the siulation is erfored for 300 seconds. For the traffic data, the acket trace data fro WIDE roject is used [WIDE]. B. Attack Tyes Table 1 shows the erforance of PacketScore under constant attack with four riary attack tyes and ixed attack as defined as following. (All attack ackets have randoized source IP address and source ort nuber) Generic attack: All attribute values of the attack ackets are uniforly randoized over their corresonding allowable ranges. TCP-SYN flooding attack: All attack ackets are TCP SYN ackets SQL Slaer Wor attack: All attack ackets are UDP ackets to ort 1434 with the size between 371 to 400 bytes Noinal attack: All attacking ackets reseble the ost doinant tye of legitiate ackets observed in Internet, i.e byte TCP ackets with server-ort 80 and TCP-flag set to ACK. Mixed attack: above 4 attacks are equally ixed PacketScore shows rearkable effectiveness in discarding attack ackets under constant attack, including ixed attack. After PacketScore rocessing, 1100 of noinal traffic volue is reduced down to ab 100 of noinal traffic. Attack Tye Searation - ve R A R L Generic TCP-SYN flooding SQL Slaer Wor Noinal Mixed Table 1: PacketScore erforance under consistent attack tye (Measureent window 10 seconds) We now observe the effect of a changing attack where an attack tye randoly selected fro the four riary attack tyes continues for an exonentially distributed eriod before another attack tye is icked. Table 2 tabulates the siulation results for changing attacks. attacks are ore challenging to block due to their colex/ tie-varying attacking acket characteristics. When a change occurs, it takes two easureent eriods for PacketScore to establish new rofiles and scorebooks due to the nature of ieline rocessing. During this adjustent eriods, PacketScore schee can be isled to defend against soe no-longerexisting attack ackets. This situation is described in Figure 2, showing the sudden divergence uon change occurrences. The effect becoes worse if the attack tye changes raidly coared to the easureent eriod tie scale.

4 Attack Tye Searation - ve R A R L attack duration 10 sec) attack duration 30 sec) attack duration 60 sec) Table 2: PacketScore erforance under changing attack tye (Measureent window 10 sec., with fine-grain overload control) Packets er Second (s) Attack incoing Attack going Legitiate incoing Legitiate going Figure 2: Incoing vs. going traffic under changing attack tye (Ave. attack duration 10 sec., Measureent window 10 sec.) One way to irove the effectiveness of the PacketScore schee is to aly fine-grain overload control within a easureent window as in our earlier study [Ki04] where 0.1-second fine-grain control is used in a 60-sec easureent window case. Figure 3 shows that the fine-grain overload control achieves soe iroveent. However, its effectiveness ay be liited because the scorebook and CDF reains the sae through the easureent window eriod even after the attack traffic rofile changes. Attack Tye Searation - ve R A R L (fine-grain OC window 1 sec) (fine-grain OC window 0.1 sec) Table 3: PacketScore erforance under changing attack tye (Measureent window 10 sec., ave. attack duration 10 sec. with fine-grain overload control) Another way is to shorten the easureent window tie to seed u scorebooks/ CDF udates with fine-grain overload control. When the easureent window tie is reduced to 1 second (Table 4), PacketScore can track the attack change very closely and show very good erforance. The overloading is reduced fro 202 to 111 of the utilization rate where the easureent window is the sae as the average attack-changing rate. (10 seconds for both) Fro Tables 2 and 3, we observe that shortening the easureent eriod works better than fine-grain overload control. Figure 3 shows the resulting incoing/going traffic er eriod using 1-second easureent window. Soe attack ackets are still being aditted, but their volue is uch saller coared to the 10-second window case. As a result, the going rate is ore accurately controlled. Attack Tye Searation - ve R A R L attack duration 10 sec) attack duration 30 sec) attack duration 60 sec) Table 4: PacketScore erforance under changing attack tye (Measureent window 1 seconds) Packets er Second (s) Attack Incoing Attack Outgoing Legitiate Incoing Legitiate Outgoing Figure 3: Incoing vs. going traffic under changing attack tye (Ave. attack duration 10 sec., Measureent window 1 sec) C. Attack Intensities The attack intensity exresses the volue of attack ackets in ters of ultiles of the noinal acket volue. We easure the erforance with varying attack intensity using generic attack. As a baseline, Table 4 shows the erforance using constant attack intensity. By design, the differentiation ower of PacketScore iroves as the DDoS attack intensifies. This is because as attack traffic volue increases, the difference between the current traffic rofile and the noinal one also increases. Attack intensity - Searation ve R A R L X X X X X X Table 5: PacketScore erforance under changing attack intensities (Measureent window 10 seconds) In varying attack, the attack intensity changes randoly aong 1,2,4,8, 16 and 32 ties of noinal traffic volue. Table 6 shows the results where the attack intensity change interval is 10 seconds and 30 seconds. Attack intensity Searation - ve R A R L Randoly every 10 seconds randoly every 30 seconds Table 6: PacketScore erforance under changing attack intensities (Measureent window 10 second) Siilar to the changing attack tye case, when the attack intensity change interval is the sae as the easureent window eriod, the erforance of PacketScore degrades. However, as we reduce the easureent window tie to 1 second (Table 7), the erforance of PacketScore stabilizes and the going rate is controlled to 125 of the rate.

5 Attack intensity randoly Searation - ve R A R L every 10 seconds randoly every 30 seconds Table 7: PacketScore erforance by changing attack intensities (Measureent window 1 second) D. Attack Tyes and Intensities A clever attacker ay try to vary both attack tyes and intensity. We cobine the varying attack tye and varying attack intensity, and exaine the results. Using a 10 second easureent window, PacketScore only anages to throttle attack traffic such that going rate is 1.5 to 3.5 ties of rate. But by reducing the easureent window tie, PacketScore detects the changes in traffic attern quickly and adats to it. Table 8 shows the results under cobined attack using 1-second window. The going rate is controlled within 119 of the rate. Attack Tye 10 sec) 10 sec) 30 sec) 30 sec) Attack intensity - ve Searation RA RL randoly every 10 sec randoly every 30 sec randoly every 10 sec randoly every 30 sec Table 8: PacketScore erforance under changing attack tyes and intensities (Measureent window 1 second) Although the false ositive, negative ratios and the going rates are slightly higher than in the constant attack cases, the results are well within accetable range for ractical use. Any cobination of changing attacks can be effectively blocked by PacketScore schee if the easureent window scale is shorter than the attack change granularity, e.g., 1:10 in our case. PacketScore schee is effective with very short easureent windows e.g. 0.l-10 seconds as long as the nuber of ackets within a window is sufficient for statistical rocessing. A few hundred ackets or ore within a easureent window is sufficient for rofiling. It is difficult for an attacker to launch a recisely tie-coordinated attack below the resolution of seconds due to the nature of Internet. This allows PacketScore schee to block ractically all tyes of changing attacks. IV. CONCLUSIONS We have reviewed the architecture of the PacketScore schee that defends against DDoS attacks and studied its transient erforance under changing attacks. PacketScore can tackle never-seen-before DDoS attack tyes by roviding a statistics-based adative differentiation between attacking and legitiate ackets. It is caable of blocking virtually all kinds of attacks as long as the attackers can t recisely iic the sites traffic characteristics. The ackets following the noinal traffic rofile have higher score while others have lower score. The ore different the attack rofile is fro the noinal rofile, the wider the score searation is. By exloiting the rofile/scorebook generation rocess, a clever attacker ay try to islead PacketScore by changing the attack tyes and/or intensities. PacketScore can easily overcoe such an attack by using shorter easureent window to track the attack traffic attern ore closely. There are other interesting issues on how different tyes of noinal rofile affect the erforance and how PacketScore erfors under different iceberg coverage. They are discussed in [Ki04]. We lan to investigate the erforance with acket nuber-based window rather than tie intervals and other overloading control algoriths. REFERENCES [Ba02] B. Babcock et al, Models and Issues in DataStrea Systes, ACM Sy. on Princiles of Database Sys., Jun [Be01] S. Bellovin, M. Leech, T. Taylor, ICMP Traceback Messages, draft-ietf-itrace-01.txt, Internet draft, Oct [Fra03] C. Fraleigh et al, Packet Level Traffic Measureents fro the Srint IP backbone, IEEE Network, Noveber, 2003 [Io02] J. Ioannidis, S.M. Bellovin, "Ileenting Pushback: Rer- Based Defense Against DDoS Attacks", Network and Distributed Syste Security Sy., Feb [Ka01] S. Kasera et al, Fast and Robust Signaling Overload Control, ICNP, Nov [Ki04] Y. Ki, W.C. Lau, M. Chuah, J. Chao, PacketScore: Statistics-based Overload Control against Distributed Denial-of- Service attack, IEEE Infoco, March 2004 [Lau03] W. Lau, M. Chuah, J. Chao, Y. Ki, PacketScore - A roactive defense schee against distributed denial-of-service attacks, NSF Proosal under subission [Le98] W. Lee, S.J. Stolfo, Data Mining Aroaches for Intrusion Detection," the 7th USENIX Security Sy., Jan [Liu02] D. Liu, F. Huebner, Alication Profiling of IP Trafic," LCN 2002 [Ma99] D. Marchette, A Statistical Method for Profiling Network Traffic, the 1st USENIX Worksho on Intrusion Detection and Network Monitoring, Ar [Mazu] Mazu Networks Inc. htt:// [Mi02] J. Mirkovic, G. Prier, P. Reiher, Attacking DDoS at the Source, ICNP, Nov [Pa01] K. Park and H. Lee, On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack, Infoco, [Rive] Riverhead Networks Inc. htt:// [Sa01] S. Savage, D. Wetherall, A. Karlin, and T. Anderson, Network Suort for IP Traceback, IEEE/ACM TON, Vol. 9, no. 3, June [Sn01] A. Snoeren et al, Hash-based IP Traceback, SIGCOMM, Aug [WIDE] MAWI Traffic Archive, htt://tracer.csl.sony.co.j/awi/ [Ya02] D.K.Y. Yau, J.C.S. Lui, F. Liang, Defending Against Distributed Denial-of-Service Attacks with Max-in Fair Servercentric Rer Throttles," IWQoS, 2002.