Network Resilience & DDoS attacks
Paul Smith
School of Computing and Communications, Lancaster University
p.smith@comp.lancs.ac.uk
The ResiliNets Group @ Lancaster
http://www.comp.lancs.ac.uk/resilience
The EU-funded ResumeNet Project
- Resilience and Survivability for Future Networking: Framework, Mechanisms, and Experimental Evaluation
- 3-year project (currently in its final year)
- Partners:
  Eidgenössische Technische Hochschule Zürich (Switzerland)
  Lancaster University (United Kingdom)
  Technische Universität München (Germany)
  France Telecom (France)
  NEC Europe Ltd (United Kingdom)
  Universität Passau (Germany)
  Technical University Delft (Netherlands)
  Uppsala Universitet (Sweden)
  Université de Liège (Belgium)
- Web: http://www.resumenet.eu
Outline
- What is network resilience?
- Challenges
  Classes of challenge and some examples
  Understanding challenges: a risk assessment process
- DDoS attacks and some trends
- Mitigating DDoS attacks, and a research perspective
- Conclusions
What is network resilience?
The ability of the network to provide and maintain an acceptable level of service in the face of various faults and challenges.
J. P. G. Sterbenz, D. Hutchison, E. K. Cetinkaya, A. Jabbar, J. P. Rohrer, M. Schöller, and P. Smith, "Resilience and survivability in communication networks: Strategies, principles, and survey of disciplines", Computer Networks: Special Issue on Resilient and Survivable Networks (COMNET), vol. 54, no. 8, pp. 1243-1342, June 2010.
Resilience Strategy: D²R² + DR
- Real-time Control Loop: Defend, Detect, Remediate, Recover
- System Enhancement: Diagnose, Refine
Challenges
- We identified a number of challenge classes:
  1. Component faults
  2. Hardware destruction
  3. Communication environment
  4. Human mistakes
  5. Malicious attacks
  6. Unusual but legitimate demand for service
  7. Failure of a provider service
Hinsdale Fire
- 1988 Hinsdale, Illinois Bell central office fire
  100K customers lose service for weeks
  Also major disruptions in long distance, 800, 911, cellular, and ATC for O'Hare
- Fault tolerance by redundancy not sufficient
- Resilience requires spatially diverse redundancy: separation of infrastructures
Hurricane Katrina
- Internet impact
  Little impact on national Internet service
  Significant impact on local Internet service [Renesys]
- Power grid fails
  2.6M people without power
  New Orleans power out for a month; restoration crews unavailable
Hurricane Katrina
- Communication and network infrastructure
  Insufficient battery and generator backup
  Backup not robust (time duration and spatial diversity) [http://www.oe.netl.doe.gov/hurricanes_emer/katrina.aspx]
- Incompatible communications [http://www.livescience.com/technology/ap_050913_comm_breakdown.html]
  New Orleans: 1992 M/A-Com system; Louisiana: 1996 Motorola system
  Multiple incompatible federal systems
  Mississippi National Guard used sneakernet
- New Orleans communication not survivable
  Energy Center tower lost power
  Backup power transformer taken out by glass shard
  M/A-Com repair crews denied entry for 3 days by state police
- Amateur radio proved critical
YouTube hijack
- YouTube announces on 208.65.152.0/22
- Pakistan's government orders Pakistan Telecom to block YouTube
- Pakistan Telecom implements blocking by rogue BGP advertisement
  PT announces a more specific 208.65.153.0/24 of YouTube's /22
  Rogue route also advertised to routing peers
  Within 2 minutes most of the DFZ carried the bad route
  Most of the Internet goes to Pakistan for YouTube and gets nothing!
- YouTube recovers by announcing both the /24 and the two more specific /25s
- Finally Pakistan Telecom was disconnected by PCCW
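To make the longest-prefix-match behaviour behind this hijack concrete, the following Python is an added example (not from the slides): a toy routing table holding the prefixes on the slide, plus a simplified origin check of the kind RPKI route origin validation provides. The origin labels and the registry record are assumed for illustration.

```python
import ipaddress

# Constructed routing-table entries using the prefixes on the slide. Origin
# labels are assumed names for illustration, not real AS numbers.
YOUTUBE_ORIGINAL = [("208.65.152.0/22", "YouTube")]
ROGUE_ADVERT = [("208.65.153.0/24", "Pakistan Telecom")]
YOUTUBE_RECOVERY = [("208.65.153.0/24", "YouTube"),
                    ("208.65.153.0/25", "YouTube"),
                    ("208.65.153.128/25", "YouTube")]

def best_routes(rib, dst):
    """Longest-prefix match as a router performs it: the length of the most
    specific covering prefix and the origins announcing at that length. More
    than one origin means specificity no longer decides; other BGP attributes
    (e.g. AS-path length) break the tie."""
    addr = ipaddress.ip_address(dst)
    covering = [(ipaddress.ip_network(p), o) for p, o in rib
                if addr in ipaddress.ip_network(p)]
    if not covering:
        return None
    longest = max(n.prefixlen for n, _ in covering)
    return longest, sorted({o for n, o in covering if n.prefixlen == longest})

# Assumed toy registry of (prefix, authorised origin, max prefix length); the
# check below is the idea behind RPKI route origin validation, simplified.
REGISTRY = [("208.65.152.0/22", "YouTube", 24)]

def validate_origin(prefix, origin, registry=REGISTRY):
    """'valid' if a covering record names this origin and allows this length,
    'invalid' if covered but not authorised, 'not-found' if nothing covers it."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for reg_prefix, holder, max_len in registry:
        if net.subnet_of(ipaddress.ip_network(reg_prefix)):
            covered = True
            if holder == origin and net.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "not-found"
```

Once both parties announce the /24, specificity alone no longer decides, which is why the recovery also announced the two /25s that win outright. Under this toy registry's maximum length of 24 those /25s would themselves fail origin validation, so the allowed length has to be chosen with such recovery in mind.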
A Recent DDoS Attack in Burma
- Attack on Burma's main ISP (MPT)
- Connectivity to the country via T3 (45 Mbps) links disrupted for several days
Source: http://asert.arbornetworks.com/2010/11/attac-severs-myanmar-internet/
Understanding Challenges
Input -> Activity -> Output
- Focus groups -> Identify critical assets and cost of their compromise -> Prioritised list of assets
- Technical expertise -> Develop system understanding -> Service dependency graphs
- System analysis & historical data -> Identify challenges and system faults -> Vulnerability report
- Identify probability of failure; determine measure of exposure -> Prioritised list of challenges
Similar approach to risk assessment as OCTAVE-S: http://www.cert.org/octave/octaves.html
What is a DDoS attack?
- A malicious attempt to saturate a resource until it becomes unusable
- Can include a large number of participants
- Targeted at:
  Network resources, e.g., ICMP or UDP jumbo datagram attack
  End-system (or server) resources, e.g., TCP SYN attack
Trends in DDoS Attacks
- Botnet controlled
- Blackmail sites at critical times
  On-line betting
  So-called hacktivism is an increasing threat
- Attacks impacting victim and ISP networks
- From SYN/ICMP floods to UDP and HTTP
  Masquerade as normal traffic, e.g., flash crowds
- From spoofed IP to non-spoofed
  Evade ingress filtering
An Example DDoS Tool: The Low Orbit Ion Cannon
Defending Against a DDoS Attack
- Use routers and firewalls
  Can block (or blackhole) traffic identified as being part of an attack
  Do not forward non-essential protocols, e.g., ICMP
  Cons: blackholing could lead to legitimate traffic being blocked; cannot typically mitigate more sophisticated HTTP attacks
  Can you get support from your network service provider?
- Install an Intrusion Detection System (IDS)
  Can be used to detect anomalous traffic, which can then be blocked
  Cons: can create high numbers of false positives
  Open source example is Snort: http://www.snort.org/
Inspired by: http://www.computerworld.com/s/article/94014/how_to_defend_against_ddos_attacks
Defending Against a DDoS Attack (2)
- Correct configuration of servers
  Configure the resources services have on a server to minimise DDoS attack impact
  For example, for Apache Server: http://httpd.apache.org/docs/2.3/misc/security_tips.html
- Install DDoS mitigation appliances or services
  Cisco Guard XT 5650
- Over-provisioning
  Outsourcing to the Cloud could be used to enable rapid over-provisioning
A Research Perspective
Multi-stage Challenge Analysis Approach
- Incremental on-demand challenge analysis and remediation
- Challenge analysis strategy tailored to the:
  Deployment context
  Mechanism capabilities
  (Type of) challenge
- Use policies to define detection (and remediation) strategies
  Enables reusability and adaptation of approaches at run-time
[Figure: over time, challenge analysis moves from less complete and lightweight to more complete and heavier weight, each stage informing the next; remediation correspondingly moves from coarse grain to challenge specific.]
ISP Scenario: High-traffic Volume Challenge Scenario
Mechanisms Overview
[Figure: the same time axis as before. Challenge analysis escalates from less complete and lightweight to more complete and heavier weight: Link Monitor -> IDS -> Classifier, each informing the next. Remediation escalates from coarse grain to challenge specific: Limit (Link) -> Limit (Dest) -> Limit (Flow).]
High Traffic Volume Challenge Detection and Remediation
[Sequence diagram; participants: LinkMonitor, IDS, LocalManager, RateLimiter, Classifier, FlowExporter]
Messages, in order: setthreshold(t), load(link), start(link), limit(link), detect(dest), limit(dest), start(dest), classification(label, flow), classify(flow), limit(flow)
Policy-driven Resilience Simulator
- Policies (Ponder2): Event on <event> if <condition> do <action>
- Managed objects (XMLRPC adaptors), e.g., in/router N and in/router E, each an RPC object exposing a RemediationInterface
- OMNeT++ Network Simulator, receiving adaptive actions through the RemediationInterface
Initial Results
[Figure: packets per second (0 to 4000) against time in seconds (0 to 160), with events 1 to 5 marked.]
1. Attack starts
2. The LinkMonitor detects threshold breach; RateLimiter rate limits affected link (50%)
3. The IntrusionDetection identifies target IP address; RateLimiter configured to limit to target (70%) and FlowExporter started
4. The Classifier identifies malicious flows; RateLimiter blocks malicious flows
5. Final malicious flow classified and blocked
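As an added example (not the project's simulator or its code), the Python below models the three-stage escalation of the preceding slides: LinkMonitor threshold check, IDS target identification, then per-flow classification, and reports what each remediation (50% link limit, 70% limit towards the target, per-flow blocking) still delivers to legitimate versus malicious traffic. The traffic sample, the threshold and the per-source classification rule are constructed assumptions.

```python
from collections import Counter

# Constructed traffic sample: (src, dst, packets/s) per flow. Four high-rate
# sources flood 10.0.0.5; 198.51.100.7 is a legitimate client of that host.
FLOWS = [("192.0.2.1", "10.0.0.5", 900), ("192.0.2.2", "10.0.0.5", 800),
         ("192.0.2.3", "10.0.0.5", 850), ("192.0.2.4", "10.0.0.5", 700),
         ("198.51.100.7", "10.0.0.5", 60),
         ("198.51.100.8", "10.0.0.9", 120), ("198.51.100.9", "10.0.0.12", 90)]
LINK_THRESHOLD = 3000  # setthreshold(t): assumed packets/s the link tolerates

def link_monitor(flows, threshold=LINK_THRESHOLD):
    """Stage 1, lightweight: is the aggregate link load above threshold?"""
    return sum(pps for _, _, pps in flows) > threshold

def ids_detect_target(flows):
    """Stage 2, heavier: which destination absorbs most of the load?"""
    per_dest = Counter()
    for _, dst, pps in flows:
        per_dest[dst] += pps
    return per_dest.most_common(1)[0][0]

def classify_flows(flows, target, per_source_limit=500):
    """Stage 3, most specific: label each flow towards the target. The
    per-source rate rule is an assumed stand-in for a real classifier."""
    return {(s, d): "malicious" if pps > per_source_limit else "benign"
            for s, d, pps in flows if d == target}

def delivered(flows, labels, action, target=None):
    """Packets/s still reaching (legitimate, malicious) flows under one
    remediation: 50% limit on the link, 70% limit towards the target, or
    blocking of the flows labelled malicious."""
    total = {False: 0.0, True: 0.0}  # keyed by "is malicious"
    for s, d, pps in flows:
        malicious = labels.get((s, d)) == "malicious"
        factor = {"limit(link)": 0.5,
                  "limit(dest)": 0.7 if d == target else 1.0,
                  "limit(flow)": 0.0 if malicious else 1.0}[action]
        total[malicious] += pps * factor
    return round(total[False], 3), round(total[True], 3)

def run_pipeline(flows):
    """Escalate through the stages as in the sequence diagram; report the
    collateral cost of each remediation using the final labels as truth."""
    if not link_monitor(flows):
        return {}
    target = ids_detect_target(flows)
    labels = classify_flows(flows, target)
    return {a: delivered(flows, labels, a, target)
            for a in ("limit(link)", "limit(dest)", "limit(flow)")}
```

On this sample the coarse link limit halves the legitimate traffic along with the attack, the destination limit still costs the flooded host's one real client 30% of its packets, and only the flow-level block removes the attack without collateral loss, which is the motivation for escalating to the heavier, more specific stages.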
Conclusion
- Challenges to the ICT that supports your business can transcend those normally considered for information security
- Consider a broad range of challenges in the context of a risk assessment process
- DDoS attacks are a credible threat to certain types of business