19. DDoS Mechanisms
ENEE 757 / CMSC 818V
Prof. Tudor Dumitraș, Assistant Professor, ECE, University of Maryland, College Park
http://ter.ps/757
https://www.facebook.com/sdsatumd

Today's Lecture
Where we've been: authentication and access control; network security; exploits; worms.
Where we're going today: denial of service.
Where we're going next: more denial of service.
Network Denial of Service (DoS)
Goal: take out a large site with little computing work.
DoS can happen at any layer: link, TCP/UDP, application.
DoS solutions for one layer cannot always be replicated at other layers. This means that DoS cannot be solved with end-to-end solutions alone; it needs cooperation from the network.
Sad truth: the current Internet was not designed to handle DDoS attacks.

Types of DoS Attacks
We've seen: TCP SYN floods, TCP connection floods, DoS by connection reset, UDP flood, DNS amplification.
Some common patterns: DoS by sending junk packets; hiding the attacker's location by spoofing IP addresses; using a botnet to conduct Distributed Denial of Service (DDoS); taking advantage of protocols that reflect and amplify traffic (e.g. DNS, NTP).
Largest Recorded DoS Attack [Czyz, Kallitsis, Gharaibeh, Papadopoulos, Bailey, Karir, 2014]
NTP: up to x1,000,000 amplification.
monlist: "Give me the addresses of the last 600 machines you talked to."
The DoS source sends a monlist request with a spoofed source IP (the DoS target) to an NTP (Network Time Protocol) server; the server's reply, carrying 600 addresses, goes to the DoS target.
10 Feb 2014: 325 Gbps attack against a French target.
http://www.arbornetworks.com/asert/2014/02/ntp-attacks-welcome-to-the-hockey-stick-era/
Several similar attacks between Dec 2013 and Feb 2014 exceeded previous peak throughputs by 200%.
The NTP monlist amplifier population dropped by 93% between Jan and Apr 2014, likely a result of the notification campaign by researchers.

Traditional DDoS Trade-Off
DDoS attacks are either persistent or scalable to N servers, not both:
N x traffic to 1 server => high-intensity traffic triggers network detection.
Detection not triggered => low-intensity traffic is insufficient for N servers.
Example: DDoS Attack on Spamhaus (2013)
Adversary (~100K open DNS resolvers) -> 1 Spamhaus server (3/16-3/18): persistent, ~2.5 days at 10 Gbps.
Spamhaus -> CloudFlare (3/19-3/22): non-scalable; 90-120 Gbps of attack traffic is diffused over N > 20 Anycast servers within 4 hours.

Spamhaus Attack, Second Stage
Adversary (~100K open DNS resolvers) -> 4 IXPs (3/23): scalable, with regionally degraded connectivity and some disconnection; non-persistent, as the attack was detected and pushed back and legitimate traffic was re-routed in ~1-1.5 hours.
Persistent and Scalable DDoS Through Link Flooding
We've seen the optimistic acknowledgment attack: the attacker can saturate the return paths from legitimate servers and, in theory, cause Internet-wide congestion collapse.
Coordinated link-flooding attacks can degrade the connectivity of N-server areas persistently:
N = small (e.g. 1-1000 servers)
N = medium (e.g. all servers in Maryland)
N = large (e.g. the West Coast of the US)

Power Laws of Internet Topology [Faloutsos 3, "On Power-Law Relationships of the Internet Topology"]
[Figure: four log-log plots of count vs. router out-degree (traces 971108.out, 980410.out, 981205.out, routes.out), each with a power-law fit of the form exp(c) * x^k, k = -2.16, -2.16, -2.20 and -2.49]
Power law: y(x) = a x^k
80% of routes traverse 20% of routers.
Leverage this empirical observation to implement persistent and scalable link-flooding attacks:
Attack traffic is indistinguishable from legitimate traffic at the target router.
The attack is a moving target for the same N-server area: it changes target links before triggering alarms.
The Coremelt Attack [Studer and Perrig, 2009]
N bots (10 Mbps each) and O(N^2) legitimate flows flood core routers (core flooding).
Ex. N = 10^4 => 10^8 flows x 10 Kbps/flow = 1 Tbps => exhausts 100 x 10 Gbps links.

Crossfire Attack [Kang, Lee & Gligor, 2013]
N bots (1 Mbps each) send N x M legitimate-looking flows to M servers at chosen IP addresses (link flooding).
Ex. N = 10^4, M = 100 => 10^6 flows x 10 Kbps/flow = 10 Gbps => exhausts a 10 Gbps link.
1-Link Crossfire Attack Flows => Indistinguishable from Legitimate
Low-rate flows: 40 Gbps = 4 Kbps x 10K bots x 1K decoy servers.
Decoy servers use the same links as the real DDoS target.
Changing sets of flows between bots and decoy servers.
1-Link Crossfire Attack Flows => Alarms Not Triggered
Suspend flows after t < T_det seconds and resume later.
Link-failure detection latency T_det:
IGP routers: 217 sec at 80 Gbps; 608 sec at 60 Gbps
BGP routers: 1,076 sec at 80 Gbps; 11,119 sec at 60 Gbps
t = 40-180 sec => alarms are not triggered.

n-Link Crossfire
n links traversed by a large number of persistent paths to a target area; n is small, e.g. 5-15 (the narrow path waist, an observed power law for Internet route paths).
For the same N servers there is a relatively good target link set and an alternate good set; moving targets = suspend-resume flooding of different link sets.
11/19/14
Attack Step 1: Link-Map Construction
Bots run traceroute toward servers in the target area; the trace results reveal the routers on each path, and links are classified as persistent vs. transient. Only persistent links are targeted.

Attack Step 2: Target-Link Selection
Select n target links. Goal: find n links whose failure maximizes the degradation ratio (DR) => a maximum coverage problem.
Attack Step 3: Bot Coordination
Commands go to the bots; attack flows are sent toward decoy servers at low send/receive rates (~1 Mbps per bot).

Degraded Connectivity
[Figure: degradation ratio vs. number of target links n (0-50) for Univ1, Univ2, New York, Pennsylvania, Massachusetts, Virginia, East Coast (US), West Coast (US)]
DR = # degraded bot-to-target-area paths / # all bot-to-target-area paths
Flooding a few target links causes high degradation (DR):
10 links => DR: 74-90% for Univ1 and Univ2
15 links => DR: 53% (33%) for Virginia (West Coast)
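The three attack steps above, plus the suspend-resume timing from the 1-link slide, as an added worked example; this is not code from the lecture or from Kang, Lee & Gligor. It runs greedy maximum coverage over constructed traceroute data for hypothetical bots b1-b4, routers r1-r8 and target servers s1-s2. The 0.5 persistence threshold, the exclusion of access links next to bots and servers, the greedy heuristic for the maximum coverage problem and the reuse of the 217 s IGP latency as T_det are assumptions made for the example, not the paper's exact method.

```python
"""Toy model of the three Crossfire steps over constructed traceroute data.
Added example: not code from the lecture or from Kang, Lee & Gligor.
Bots b1-b4, routers r1-r8 and target servers s1-s2 are hypothetical."""
from collections import defaultdict
from math import ceil
from typing import Dict, FrozenSet, List, Set, Tuple

Link = Tuple[str, str]   # undirected router-to-router link
Path = Tuple[str, str]   # (bot, target server) pair

# Constructed sample: three traceroute runs per bot/server pair. The
# third run for (b1, s2) detours over r5, so r1-r5 and r5-r7 are transient.
TRACES: Dict[Path, List[List[str]]] = {
    ("b1", "s1"): [["b1", "r1", "r4", "r7", "s1"]] * 3,
    ("b1", "s2"): [["b1", "r1", "r4", "r7", "s2"]] * 2
                  + [["b1", "r1", "r5", "r7", "s2"]],
    ("b2", "s1"): [["b2", "r2", "r4", "r7", "s1"]] * 3,
    ("b2", "s2"): [["b2", "r2", "r4", "r8", "s2"]] * 3,
    ("b3", "s1"): [["b3", "r3", "r6", "r8", "s1"]] * 3,
    ("b3", "s2"): [["b3", "r3", "r6", "r8", "s2"]] * 3,
    ("b4", "s1"): [["b4", "r3", "r6", "r7", "s1"]] * 3,
    ("b4", "s2"): [["b4", "r3", "r6", "r8", "s2"]] * 3,
}


def canon(a: str, b: str) -> Link:
    """Order endpoints so r4->r7 and r7->r4 are the same link."""
    return (a, b) if a < b else (b, a)


def link_map(traces: Dict[Path, List[List[str]]],
             persist_frac: float = 0.5) -> Dict[Link, Set[Path]]:
    """Step 1: build link -> {paths using it}, keeping only persistent
    router-to-router links (seen in more than persist_frac of a pair's
    runs). Access links next to bots or servers are skipped (assumption:
    the attacker wants links outside the target area)."""
    cover: Dict[Link, Set[Path]] = defaultdict(set)
    for path, runs in traces.items():
        seen: Dict[Link, int] = defaultdict(int)
        for run in runs:
            for a, b in zip(run, run[1:]):
                if a.startswith("r") and b.startswith("r"):
                    seen[canon(a, b)] += 1
        for link, count in seen.items():
            if count / len(runs) > persist_frac:
                cover[link].add(path)
    return dict(cover)


def select_targets(cover: Dict[Link, Set[Path]], n: int,
                   exclude: FrozenSet[Link] = frozenset()
                   ) -> Tuple[List[Link], Set[Path]]:
    """Step 2: greedy maximum coverage. Each round picks the link that
    degrades the most not-yet-degraded paths; ties go to the
    lexicographically smallest link so results are deterministic."""
    chosen: List[Link] = []
    degraded: Set[Path] = set()
    for _ in range(n):
        candidates = [l for l in sorted(cover)
                      if l not in exclude and l not in chosen]
        if not candidates:
            break
        best = max(candidates, key=lambda l: len(cover[l] - degraded))
        if not cover[best] - degraded:
            break  # nothing left to gain
        chosen.append(best)
        degraded |= cover[best]
    return chosen, degraded


def degradation_ratio(degraded: Set[Path], traces: Dict[Path, list]) -> float:
    """DR = degraded bot-to-target paths / all bot-to-target paths."""
    return len(degraded) / len(traces)


def flows_to_saturate(link_bps: float, flow_bps: float) -> int:
    """Step 3 sizing: low-rate flows needed to fill a link."""
    return ceil(link_bps / flow_bps)


def rolling_schedule(link_sets: List[List[Link]], burst_sec: int,
                     t_det_sec: int, rounds: int) -> List[Tuple[int, int, List[Link]]]:
    """Suspend-resume plan: flood one link set for burst_sec, shorter than
    the link-failure detection latency T_det, then move to the next set."""
    if burst_sec >= t_det_sec:
        raise ValueError("burst must end before link-failure detection fires")
    plan, t = [], 0
    for i in range(rounds):
        plan.append((t, t + burst_sec, link_sets[i % len(link_sets)]))
        t += burst_sec
    return plan


if __name__ == "__main__":
    cover = link_map(TRACES)
    primary, hit = select_targets(cover, n=2)
    alternate, hit_alt = select_targets(cover, n=2, exclude=frozenset(primary))
    print("primary  ", primary, "DR =", degradation_ratio(hit, TRACES))
    print("alternate", alternate, "DR =", degradation_ratio(hit_alt, TRACES))
    print("flows for 10 Gbps at 10 Kbps:", flows_to_saturate(10e9, 10e3))
    for start, end, links in rolling_schedule([primary, alternate], 180, 217, 4):
        print(f"t={start:4d}-{end:4d}s flood {links}")
```

On this sample the primary set {r3-r6, r4-r7} already degrades 7 of 8 paths, and a disjoint alternate set still reaches 5 of 8, which is what lets the attacker rotate between link sets inside the 40-180 s window without ever holding one link down long enough for IGP or BGP failure detection to fire.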
Effective Independence of Bot Distribution
Setting: experiments using 6 different bot distributions on the map.
Result: no significant difference in attack performance (degradation ratio vs. n target links for Univ1, Pennsylvania and East Coast (US); Baseline vs. Distr1-Distr6).

Fundamental Causes of DoS Attacks
Asymmetric state allocation: the receiver must do more work than the sender (e.g. TCP SYN flood).
Persistent rate gap: max network line rate >> max server rate; this gap has not changed much over time, and it allows an army of bots to flood public servers with junk traffic.
Power laws of the Internet topology: they result in a narrow path waist to any potential target, which enables the Crossfire attack.
Sources: various slides from Vitaly Shmatikov and Virgil Gligor.

Review of Lecture
What did we learn? Trade-offs and causes of DDoS attacks; the Coremelt attack; the Crossfire attack.
Paper discussion: "Inferring Internet Denial-of-Service Activity". Discussion lead: Ahmed. Scribe: Wei.
What's next? More DDoS.