Filtering Based Techniques for DDOS Mitigation



Similar documents
Firewalls and Intrusion Detection

Queuing Algorithms Performance against Buffer Size and Attack Intensities

Strategies to Protect Against Distributed Denial of Service (DD

Dr. Arjan Durresi Louisiana State University, Baton Rouge, LA DDoS and IP Traceback. Overview

A Novel Packet Marketing Method in DDoS Attack Detection

Distributed Denial of Service (DDoS)

How To Defend Against A Distributed Denial Of Service Attack (Ddos)

Security vulnerabilities in the Internet and possible solutions

International Journal of Emerging Technologies in Computational and Applied Sciences (IJETCAS)

Provider-Based Deterministic Packet Marking against Distributed DoS Attacks

Design and Experiments of small DDoS Defense System using Traffic Deflecting in Autonomous System

An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

Denial of Service. Tom Chen SMU

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

An Efficient Filter for Denial-of-Service Bandwidth Attacks

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Announcements. No question session this week

Dual Mechanism to Detect DDOS Attack Priyanka Dembla, Chander Diwaker 2 1 Research Scholar, 2 Assistant Professor

co Characterizing and Tracing Packet Floods Using Cisco R

Content Distribution Networks (CDN)

Flexible Deterministic Packet Marking: An IP Traceback Scheme Against DDOS Attacks

How To Provide Qos Based Routing In The Internet

Packet-Marking Scheme for DDoS Attack Prevention

DDoS Attack and Defense: Review of Some Traditional and Current Techniques

A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS

Proceedings of the UGC Sponsored National Conference on Advanced Networking and Applications, 27 th March 2015

DDoS Attack Defense against Source IP Address Spoofing Attacks

Denial of Service attacks: analysis and countermeasures. Marek Ostaszewski

D-WARD: A Source-End Defense Against. Flooding Denial-of-Service Attacks

CONTROLLING IP SPOOFING THROUGH PACKET FILTERING

Port Hopping for Resilient Networks

CHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM

Internet Protocol: IP packet headers. vendredi 18 octobre 13

RID-DoS: Real-time Inter-network Defense Against Denial of Service Attacks. Kathleen M. Moriarty. MIT Lincoln Laboratory.

How To Protect Your Network From A Ddos Attack On A Network With Pip (Ipo) And Pipi (Ipnet) From A Network Attack On An Ip Address Or Ip Address (Ipa) On A Router Or Ipa

Application of Netflow logs in Analysis and Detection of DDoS Attacks

TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS

Cisco IOS Flexible NetFlow Technology

Analysis and Detection of DDoS Attacks in the Internet Backbone using Netflow Logs

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks

A Practical Method to Counteract Denial of Service Attacks

Unicast Reverse Path Forwarding

Survey on DDoS Attack Detection and Prevention in Cloud

Network Bandwidth Denial of Service (DoS)

CROSS LAYER BASED MULTIPATH ROUTING FOR LOAD BALANCING

Tracers Placement for IP Traceback against DDoS Attacks

CS 457 Lecture 19 Global Internet - BGP. Fall 2011

A Novel Technique for Detecting DDoS Attacks at Its Early Stage

A Hybrid Approach for Detecting, Preventing, and Traceback DDoS Attacks

A Defense Framework for Flooding-based DDoS Attacks

OpenDaylight Project Proposal Dynamic Flow Management

TRILL for Data Center Networks

Analysis of Automated Model against DDoS Attacks

The Coremelt Attack. Ahren Studer and Adrian Perrig. We ve Come to Rely on the Internet

Multihoming and Multi-path Routing. CS 7260 Nick Feamster January

Acquia Cloud Edge Protect Powered by CloudFlare

Abstract. Introduction. Section I. What is Denial of Service Attack?

OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS

CloudFlare advanced DDoS protection

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

Network Level Multihoming and BGP Challenges

Network Security. Chapter 9. Attack prevention, detection and response. Attack Prevention. Part I: Attack Prevention

Network Security Demonstration - Snort based IDS Integration -

Source-End DDoS Defense

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

A Survey of IP Traceback Mechanisms to overcome Denial-of-Service Attacks

Firewalls. Network Security. Firewalls Defined. Firewalls

Hunting down a DDOS attack

Attack Diagnosis: Throttling Distributed Denialof-Service Attacks Close to the Attack Sources

Cloud-based DDoS Attacks and Defenses

Security in Structured P2P Systems

Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment

MPLS Environment. To allow more complex routing capabilities, MPLS permits attaching a

packet retransmitting based on dynamic route table technology, as shown in fig. 2 and 3.

Firewalking. A Traceroute-Like Analysis of IP Packet Responses to Determine Gateway Access Control Lists

IPv6 Hardening Guide for Windows Servers

Comparing Two Models of Distributed Denial of Service (DDoS) Defences

NEW TECHNIQUES FOR THE DETECTION AND TRACKING OF THE DDOS ATTACKS

Florian Liers, Thomas Volkert, Andreas Mitschele-Thiel

2004 Networks UK Publishers. Reprinted with permission.

Survey on DDoS Attack in Cloud Environment

Network layer: Overview. Network layer functions IP Routing and forwarding

Transcription:

Filtering Based Techniques for DDOS Mitigation Comp290: Network Intrusion Detection Manoj Ampalam DDOS Attacks: Target CPU / Bandwidth Attacker signals slaves to launch an attack on a specific target address (victim). Slaves then respond by initiating TCP, UDP, ICMP or Smurf attack on victim Spoofing root cause Approaches to solving this: Prevention through Apprehension Super Protection Prevent or Mitigate DDOS by Authorizing source IP Making spoofing difficult Deploying Filters: Ingress/Egress Managing Network Bandwidth Egress Router Internet Ingress Router Attacker Victim Brief overview of DDOS Detection/Mitigation Schemes: Source Identification: Link Testing: Tracing back hop-by-hop manually Multiple branch points, slow trace back, communication overhead Audit Trail: Via traffic logs at routers & gateways High storage, processing overhead Behavioral monitoring: Likely behavior of attacker monitored Requires logging of such events and activities Brief overview of DDOS Detection/Mitigation Schemes: Packet-based traceback: Packets marked with addresses of intermediate routers, later used to trace back Variable length marking fields growing with path length leading to traffic overhead Probabilistic Packet Marking: Tries to achieve best of space and processing efficiency Constant marking-field Minimal router support Introduces uncertainty due to probabilistic sampling of flow s path

Based on the location of deployment: Router Based Improve routing infrastructure Off-line analysis of flooding traffic traces Doesn t help sustain service availability during attack On-line filtering of spoofed packets Rely on IP-Router enhancements to detect abnormal patterns No incentive for ISPs to implement these services Administrative overhead Lack of immediate benefit to their customers End-System Based Provide sophisticated resource management to internet servers Doesn t required router support. Not so effective Topics for this presentation: Different Filtering Techniques Hop-Count Filtering End-System Based Uses Packet Header Information Distributed Packet Filtering Route-based Uses Routing Information D-WARD Source-end network based Uses Abnormal Traffic Flow information Ingress Filtering Specifies Internet Best Current Practices Hop-Count Filtering Cheng Jin, Haining Wang, Kang G. Shin, Proceedings of the 10th ACM International Conference on Computer and Communications Security (CCS), October 2003 Motivation: Most spoofed IP packets when arriving at victims do not carry hop-count values that are consistent with those of legitimate ones. Hop-Count distribution of client IP addresses at a server take a range of values So, how s hop-count calculated? Computed based on the 8-bit TTL filed of IP header Introduced originally to specify maximum lifetime of IP packet During transit, each intermediate router decrements the TTL value of an IP packet before forwarding The difference between the final value and the initial value is thus the number of hops taken. What s the initial value of TTL field? Is it a constant? NO

TTL field: The basic algorithm follows: Varies with operating Systems. So do we have to know the type of Operating System before computing hop-count? Not Really required Most modern OSs use only few selected initial TTL values: 30,32,60,64,128 and 256 Its generally believed that few internet hosts are apart by more than 30 hops Hence, initial value of TTL is the smallest number in the standard list greater than the final TTL value The making of the HCF Tables: Objectives: Accurate IP2HC mapping Up-to-date IP2HC mapping Continuously monitory for legitimate hop-count changes Legitimate established TCP connections Moderate storage Concept of Aggregation with Hop-Count Clustering Aggregation with Hop-Count Clustering: IPs primarily mapped based on 24-bit prefix IP address further divided based on hop-count Nodes aggregated if hop-count value is same No two IPs with different hop-counts aggregated Not all IPs can be aggregated Aggregation with Hop-Count Clustering: Effectiveness Effectiveness: HCF removes nearly 90% of spoofed traffic Assessed from a mathematical standpoint Assumptions: Victim knows complete IP2HP mapping Attacker randomly selects source IP addresses Static Hop-Count Values Attackers evenly divide flooding traffic

Effectiveness: For single source simple attack Hop-count from flooding source to victim h Fraction of IP having h hop counts to victim h Effectiveness: For multiple (n) source simple attack Total Flood Packets F Each attacker generates F/n packets h i - hop count from attacker i to victim Fraction of spoofed IP Addresses that cannot be detected -- h Even when a attacker with Mean HC is considered, h is around 10% hi fraction of IPs with hopcount h i Fraction of spoofed IP Addresses that cannot be detected from i-- hi Fraction of non-identifiable spoofed packets = (1/n) hi Can this filter be outplayed? What if the attacker manufactures an appropriate initial TTL value for each spoofed packet? Should know hop-count between randomized IP and victim. Has to build a priori an IP2HC mapping table at victim. What if the hop-count mapping is found through an accurate router-level topology of internet? No such contemporary tools giving accurate topology information. Why choose random-ip? Choose to spoof an IP address from a set of compromised machines. Weakens the attacking capability. Will be defeated by currently existing practices. Sabotage router to alter TTL value? Don t know how far that s feasible. Distributed Packet Filtering Kihong Park, Heejo Lee, Proceedings of ACM SIGCOMM 2001, San Diego, California, August 2001 Route based distributed packet filtering Uses routing information to determine goodness of a arriving packet Similar to the limitation of firewalls whose filtering rules reflect access constraints local to the network system being guarded. Salient features: Proactively filters out a significant fraction of spoofed packet flows Reactively identifies source of spoofed IP flows Takes advantage of the power-law structure of the Internet AS topology. Filtering: Main Idea: Works on a graph of Internet Autonomous Systems (AS) Node 7 uses IP address belonging to node 2 when attacking node 4 What if a border router belonging AS 6 would recognize if its cognizant of route topology?

Filtering: Issues: Filtering done at granularity of AS node No filtering on attacks originating within a node An edge in AS graph between pair of nodes a set of peering point connections All border routers mush carry filtering tasks Two IPs belonging to the same node may lead to different paths on AS topology Incorporate multi-path routing Filtering: Terminology: Given G=(V,E) representing Internet AS topology (u,v) set of all loop-free paths from u to v R(u,v) set of computed routes using a routing algorithm R(u,v) is subset of (u,v) A Filter F e is a route based packet filter with respect to R if F e (s,t) = 0 for e belonging to R(s,t) F e is a maximal filter if it satisfies F e (s,t) = 0 iff there exists a path in R(s,t) with e as one of the links F e is a semi-maximal filter with respect to R if 0, if e R( s, v) Fe ( s, t) = 1, otherwise for some v V i Filtering: Terminology: S a,t set of nodes that an attacker at AS a can use as a spoofed address to reach t. DPF Effectiveness: With route based filtering at node 8 S 1,9 = {0,1,2,3,4,5} C s,t set of nodes that could have sent an IP packet M(s,t) with spoofed source IP s, which did not get filtered on its way With no filtering S 1,9 = {0,1,2,3,4,5,6,7,8} With route-based filtering at node 8 S 1,9 = {0,1,2,3,4,5} With route-based filtering at node 8 & 3 S 1,9 = {1,2} Performance Metrics: Proactive: Fraction of AS s from which no spoofed IP packet can reach its target. { } a : t V, Sa, t 1 = Reactive: Parameterized by n 1, denotes Fraction of AS s which upon receiving a spoofed IP packet can localize its true source within sites. ( ) = { t : s V, C } n s, t Evaluation: Study effectiveness of the Filtering process given: Topology Graph: G 1997-99 Internet AS topologies Artificially generated topologies Subset of nodes where filtering is performed: T Node Selection: Randomly Vertex cover Routing Algorithm: R Multipath Routing Loose R any of loop free paths taken Tight R only shortest one considered

Evaluation: Maximal Vs Semi-Maximal Filters Evaluation: Loose Vs Tight Routing I997 Internet Topology: Reactive Metric Proactive Metric I997 Internet Topology: Loose Tight Evaluation: Impact of Network Topology Evaluation: Results on a generated Topology Performance difference between Inet and Internet AS graphs: Reactive Metric Proactive Metric Using Brite Topology Generator with Preferential Connectivity (PC) parameter: Different PC s Different probability density functions Reactive Metric Proactive Metric Evaluation: Results without Ingress Filtering Evaluation: Effect of Multi Path Routing Using 1997-1999 topologies with trusted set T allowing local DoS attacks including those targeted to other domains Reactive Metric Proactive Metric Based on a routing options. R=loose - any loop-free path can be used R=tight - shortest path to be used Reactive Metric Proactive Metric

D-WARD Jelena Mirkovic, Gregory Prier, Peter Reiher, 10th IEEE International Conference on Network Protocols, Paris, France, November 2002 Attacking DDOS at source. Attack flows can be stopped before they enter Internet core Facilitate easier trace back and investigation of attack Basic Idea Monitor incoming and outgoing traffic Detect attack by observing abnormalities Respond to attack by rate limiting Architecture: Monitoring and attack detection: Configured with a set of police addresses (PA) Monitors two-way traffic at flow granularity Flow aggregate traffic between PA set foreign host Monitors traffic at connection level Connection aggregate traffic between 2 IPs (PA and foreign host) and port numbers Identify legitimate connections Monitoring and attack detection: Flow Classification Flow statistics kept in a limited-size hash table as flow records Stored at granularity of IP address of host Statistics on three types of traffic: TCP, UDP & ICMP Number of packets sent Bytes sent / received Active Connections Monitoring and attack detection: Normal Traffic Modes TCP: defines TCP rto maximum allowed ratio of number of packets sent and received in the aggregate TCP flow to the peer. ICMP: defines ICMP rto maximum allowed ratio of number of echo, time stamp and information request and reply packets sent and received in the aggregate flow to the peer. UCP: defines n conn an upper bound on number of allowed connections per destination p conn a lower bound on number of allowed connections per destination UDP rate maximum allowed sending rate per connection Connection Classification Good if compliant: receive guaranteed good service Bad

Attack Response: Throttling component defines the allowed sending rate for a particular flow based on the current flow characterization and its aggressiveness. Borrows ideas from TCP congestion control - Multiplicative Decrease Uses following equations: sending rate rl = min( rl, rate)* fdec * B for this Bsent rl = rl + rateinc * observation Bsent + B Bsent rl = rl *(1 + finc * B + B sent sent dropped dropped Bsent + B ) dropped f dec - fraction of offending rate realized sending rate flow in previous rl current rate limit rate inc - speed of slow-recovery f inc - speed of fast-recovery Evaluation: Implemented on a linux software router Simulated different types of attacks Customized traffic mixture Constant rate attack Pulsing attack Increasing rate attack Gradual pulse attack Test Network: Attacker and legitimate client belong to source network and are part of police address set Foreign host playing role of victim Evaluation: Attack Bandwidth passed to Victim Evaluation: Attack Bandwidth passed to Victim Evaluation: Total attack traffic forwarded with respect to attack rate Evaluation: Attack Detection Time to Maximum attack rate

Ingress Filtering Network Ingress Filtering An RFC document intending to increase security practices and awareness for internet community Discusses a simple, effective and straightforward ingress traffic filter P. Ferguson, D. Senie, RFC 2827, May 2000 Ingress Filtering Ingress Filtering Restricting forged Traffic: Idea is to eliminate spoofing by restricting downstream network traffic to known, and intentionally advertised prefixes through an ingress filter Example: Router 3 12.0.0.0/8 Router 1 11.0.0.0/8 204.69.207.0/24 Router 2 attacker Filter on ingress link of router 2 allows only traffic originating from within 204.69.207.0/24 prefix Further possible capabilities for networking equipment: Automatic filtering on remote access servers Check every packet on ingress to ensure user not spoofing Liabilities Filtering can break some types of special services Example: Mobile IP Traffic from a mobile node not tunneled source address do not match with attached network. This RFC suggests considering alternate methods for implementing these services Mobile IP Working Group developed reverse tunnels to accommodate ingress filtering Thank You!!!

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information