The Coremelt Attack. Ahren Studer and Adrian Perrig. We ve Come to Rely on the Internet

Similar documents
CS 356 Lecture 16 Denial of Service. Spring 2013

Protect your network: planning for (DDoS), Distributed Denial of Service attacks

Should the IETF do anything about DDoS attacks? Mark Handley

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

Design and Experiments of small DDoS Defense System using Traffic Deflecting in Autonomous System

Denial of Service Attacks and Resilient Overlay Networks

How To Protect A Dns Authority Server From A Flood Attack

co Characterizing and Tracing Packet Floods Using Cisco R

How To Protect Your Network From A Ddos Attack On A Network With Pip (Ipo) And Pipi (Ipnet) From A Network Attack On An Ip Address Or Ip Address (Ipa) On A Router Or Ipa

Seminar Computer Security

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks

SECURING APACHE : DOS & DDOS ATTACKS - I

RID-DoS: Real-time Inter-network Defense Against Denial of Service Attacks. Kathleen M. Moriarty. MIT Lincoln Laboratory.

Low-rate TCP-targeted Denial of Service Attack Defense

Reducing the impact of DoS attacks with MikroTik RouterOS

Denial of Service Attacks

Strategies to Protect Against Distributed Denial of Service (DD

Firewalls and Intrusion Detection

A Critical Investigation of Botnet

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

Restorable Logical Topology using Cross-Layer Optimization

Packet Traceback Scheme for Detection IP Based Attack

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Distributed Denial of Service Attacks

Acquia Cloud Edge Protect Powered by CloudFlare

19. DDoS Mechanisms ENEE 757 CMSC 818V. Prof. Tudor Dumitraș Assistant Professor, ECE University of Maryland, College Park

CloudFlare advanced DDoS protection

Finding Network Security Breaches Using LiveAction Software to detect and analyze security issues in your network

A Novel Distributed Denial of Service (DDoS) Attacks Discriminating Detection in Flash Crowds

Distributed Denial of Service Attack Tools

Dr. Arjan Durresi Louisiana State University, Baton Rouge, LA DDoS and IP Traceback. Overview

Distributed Denial of Service Attacks & Defenses

Chapter 8 Security Pt 2

Data Centers Protection from DoS attacks. Trends and solutions. Michael Soukonnik, Radware Ltd Riga. Baltic IT&T

How Cisco IT Protects Against Distributed Denial of Service Attacks

Second-generation (GenII) honeypots

Security Toolsets for ISP Defense

MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN

Denial of Service. Tom Chen SMU

Modern Denial of Service Protection

Network attack and defense

CHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation

Availability Digest. Prolexic a DDoS Mitigation Service Provider April 2013

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

Index Terms: DDOS, Flash Crowds, Flow Correlation Coefficient, Packet Arrival Patterns, Information Distance, Probability Metrics.

Queuing Algorithms Performance against Buffer Size and Attack Intensities

Network Service, Systems and Data Communications Monitoring Policy

How To Block A Ddos Attack On A Network With A Firewall

Secure Software Programming and Vulnerability Analysis

Router Based Mechanism for Mitigation of DDoS Attack- A Survey

TDC s perspective on DDoS threats

DDoS Overview and Incident Response Guide. July 2014

Linux MDS Firewall Supplement

Distributed Denial of Service (DDoS)

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

Stop DDoS Attacks in Minutes

Filtering Based Techniques for DDOS Mitigation

Configuring Allied Telesyn Equipment to Counter Nimda Attacks

Provider-Based Deterministic Packet Marking against Distributed DoS Attacks

Global Network Pandemic The Silent Threat Darren Grabowski, Manager NTT America Global IP Network Security & Abuse Team

Denial of Service attacks: analysis and countermeasures. Marek Ostaszewski

DoS: Attack and Defense

A Defense Framework for Flooding-based DDoS Attacks

Complete Protection against Evolving DDoS Threats

Denial of Service Attacks, What They are and How to Combat Them

SECURING APACHE : DOS & DDOS ATTACKS - II

Detection and Controlling of DDoS Attacks by a Collaborative Protection Network

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act

A Realistic Simulation of Internet-Scale Events

Overview. Firewall Security. Perimeter Security Devices. Routers

Network Threats and Vulnerabilities. Ed Crowley

Service Description DDoS Mitigation Service

Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment

Malice Aforethought [D]DoS on Today's Internet

Preventing DDOS attack in Mobile Ad-hoc Network using a Secure Intrusion Detection System

DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR

Chapter 9 Firewalls and Intrusion Prevention Systems

Adaptive Discriminating Detection for DDoS Attacks from Flash Crowds Using Flow. Feedback

Introduction to Firewalls

Network Bandwidth Denial of Service (DoS)

CHAPTER 4 : CASE STUDY WEB APPLICATION DDOS ATTACK GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

TECHNICAL NOTE 01/2006 ENGRESS AND INGRESS FILTERING

Stop DDoS Attacks in Minutes

Survey on DDoS Attack Detection and Prevention in Cloud

Understanding & Preventing DDoS Attacks (Distributed Denial of Service) A Report For Small Business

Emerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA

Dual Mechanism to Detect DDOS Attack Priyanka Dembla, Chander Diwaker 2 1 Research Scholar, 2 Assistant Professor

Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues

Comparing Two Models of Distributed Denial of Service (DDoS) Defences

Transcription:

The Coremelt Attack Ahren Studer and Adrian Perrig 1 We ve Come to Rely on the Internet Critical for businesses Up to date market information for trading Access to online stores One minute down time = loss of 13,000 Critical for utilities Networks relay usage information to producers Absence of communication may lead to permanent damage and potentially cascading faults 2 1

Crippling Internet Services: Denial of Service Attacks Application Level Attacks Packets prevent legitimate access at the server Network Level Flooding Attacks Network-level congestion prevents legitimate access at the network link 3 Preventing Denial of Service Attacks Initial defense attempt: Stop unwanted traffic Approaches Filter malicious packets, patch software Identify the source of unwanted traffic Provide desired traffic with network capabilities, routers will prioritize packets with capabilities 4 2

If Defenses are Deployed, Then: Independent of malicious parties resources Malicious packets stopped Server resources are available to legitimate traffic Legitimate traffic can reach the server What could malicious parties do once they are unable to attack the server or its link? 5 Road Networks Old flooding attacks are like protestors Limited capacity near the destination causes congestion 6 3

Road Networks Old flooding attacks are like protestors After identifying a single source of malicious traffic, an ISP can pull the plug 7 Road Networks Old flooding attacks are like protestors With capabilities, legitimate traffic is given preference 8 4

Road Networks Rush hour Everyone is going to a legitimate destination and the major roads just aren t big enough 9 Back to Networks How to cause rush hour on the Internet? Overwhelm backbone link 1. Collect a large number of machines Rent a botnet or two 2. Send enough traffic to a router to cause congestion Not so simple 10 5

How to Flood a Core Router Send traffic to the next router after the target Problem: Filters can drop traffic destined for a router Send traffic to a server past the target Problem:, attack traffic will lack capabilities while legitimate traffic will proceed unimpeded 11 The Coremelt Attack Bots sending traffic to each other Such that traffic traverses the target link Bypasses existing DoS defenses Traffic is wanted so capabilities are acquired No obvious reason to filter, looks legitimate Each bot contributes a small amount of traffic 12 6

The Coremelt Attack 13 The Coremelt Attack 14 7

Launching a Coremelt Attack 1. Rent a well distributed botnet With a dense botnet, smaller tributary links will congest first 2. Discover routes that traverse the target Discreet use of traceroute 3. Send unfriendly traffic TCP will back off ISPs throttle UDP Send traffic labeled as TCP 15 Is Coremelt a Threat? Can the attack overload core links? Can the attack work without clogging other links? Clogging the whole path is unrealistic Collateral damage makes the attack less stealthy Easier to find source of the attack 16 8

Simulating Coremelt Implementation is expensive & illegal Simulation AS level network topology Realistic distributions of subverted machines Varying number of machines Conservative traffic generation capabilities 17 Network Model Graph based on the CAIDA AS dataset Treat each AS as a router Packets use the shortest route that follows AS routing policies AS has limited traffic capacity (internal link) When AS reaches capacity, packets are dropped Target AS dropping packets = Successful attack Other AS dropping packets = Collateral damage 18 9

AS Capacity Model capacity as a function of AS degree If AS X connects to more networks than AS Y, X should support more traffic than Y Often over provision a link since 100% is rare Step model assumes ASes fall into categories Degree 1 OC-12 601 Mb/s Degree 2-9 OC-48 2,405 Mb/s Degree 10-999 OC-192 9,621 Mb/s Degree 1000 OC-768 39,813 Mb/s See paper for other models 19 Attacker Model Fixed botnet distributions based on GT-DDoS: flooding attack witnessed at GT Thanks to Chris Lee and Wenke Lee CodeRed: machines seen scanning Vary botnet size while maintaining the original botnet distribution # bots in AS = % of botnet in AS botnet size Each bot sends packets at 14 or 128 Kb/s 20 10

Discrete Simulation of Network During Interval i: AS sends packets received during interval i-1 based on the next hop in the path 7 123 32 Outgoing AS 123 Incoming 21 Discrete Simulation of Network During Interval i: Each bot in the AS picks a random destination for a meta packet that represents 14 or 128 Kb Outgoing AS 123 1401 12 Incoming 22 11

Discrete Simulation of Network During Interval i: Other ASes forward traffic to this AS Outgoing AS 123 32 7 1401 312 12 Incoming 23 Discrete Simulation of Network At the end of Interval i: Buffers switch roles for the next interval Outgoing AS 123 32 7 312 12 Incoming 24 12

Our Metrics Destructiveness Fraction of 10 largest ASes that a given attacker can congest Stealthiness 10 i=1 0.1 congestas(i) Number of collateral ASes congested while attacking the 10 largest ASes 10 i=1 j i congestas( j) 25 Network and Attacker Numbers 30,610 total ASes 11,042 of degree 1: OC-12 (601 Mb/s) 18,083 of degree 2-9: OC-48 (2,405 Mb/s) 1475 of degree 10-999: OC-192 (9,621Mb/s) 10 of degree 1000: OC-768 (39,813 Mb/s) GT-DDoS: bots in 720 ASes CodeRed: bots in 4746 ASes 26 13

Destructiveness: 14 kbps Greater dispersion of bots in CodeRed improves success of Coremelt 27 Destructiveness: 128 kbps More bandwidth per attacker requires fewer bots to provide the same destructiveness 28 14

Destructiveness: 128 kbps More bandwidth per attacker requires fewer bots to provide the same destructiveness 29 Stealthiness: 14 kbps Greater dispersion causes congestion to fewer collateral ASes 30 15

Stealthiness: 128 kbps Greater dispersion causes congestion to fewer collateral ASes 31 Stealthiness Bandwidth generation has little impact on the shape of the curves 32 16

Simulation vs. Real Attack ASes have multiple core links Our topology is a simplification Greater bandwidth available Compromised computers have greater resources Simulation paths are fixed Facing high loss, paths can change Load balance or shift congestion elsewhere? P2P as real life unintentional flooding 33 Coremelt and DoS Defenses Trace back Each bot generates a fraction of the problem Capabilities Bots will give each other permissions Puzzles Computation becomes the bottleneck Fair BW allocation based on src/dst pair Distributed botnet means a fair share (O(N -2 )) is much less than users typically experience 34 17

Should we be scared? Large enough botnets exist Storm worm infected millions of hosts What is the motivation? Previously DoS was part of extortion Untargeted attack: disables a portion of the web Extortion on that scale is infeasible Cyberwar/terror 35 Conclusion The Coremelt attack presents a new threat to the Internet Realistic simulations have shown the attack can succeed Requires new defenses to mitigate the threat 36 18

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information