19. DDoS Mechanisms ENEE 757 CMSC 818V. Prof. Tudor Dumitraș Assistant Professor, ECE University of Maryland, College Park




19. DDoS Mechanisms. ENEE 757 / CMSC 818V. Prof. Tudor Dumitraș, Assistant Professor, ECE, University of Maryland, College Park. http://ter.ps/757 https://www.facebook.com/sdsatumd

Today's Lecture
Where we've been: authentication and access control; network security; exploits; worms
Where we're going today: denial of service
Where we're going next: more denial of service

Network Denial of Service (DoS)
Goal: take out a large site with little computing work
DoS can happen at any layer: link, TCP/UDP, application
DoS solutions for one layer cannot always be replicated at other layers
This means that DoS cannot be solved with end-to-end solutions; need cooperation from the network
Sad truth: the current Internet was not designed to handle DDoS attacks

Types of DoS Attacks
We've seen: TCP SYN floods; TCP connection floods; DoS by connection reset; UDP flood; DNS amplification
Some common patterns:
  DoS by sending junk packets
  Hide attacker location by spoofing IP addresses
  Use a botnet to conduct Distributed Denial of Service (DDoS)
  Take advantage of protocols that reflect and amplify traffic (e.g. DNS, NTP)

Largest Recorded DoS Attack [Czyz, Kallitsis, Gharaibeh, Papadopoulos, Bailey, Karir, 2014]
NTP: up to x1,000,000 amplification
monlist: "Give me the addresses of the last 600 machines you talked to"
[Figure: DoS source sends a monlist request with spoofed SrcIP = DoS target to an NTP (Network Time Protocol) server; the server returns 600 addresses to the DoS target]
10 Feb 2014: 325 Gbps attack against French target (http://www.arbornetworks.com/asert/2014/02/ntp-attacks-welcome-to-the-hockey-stick-era/)
Several similar attacks between Dec 2013 and Feb 2014; exceeded previous peak throughputs by 200%
NTP monlist amplifier population dropped by 93% between Jan and Apr 2014, likely a result of a notification campaign by researchers

Traditional DDoS Trade-Off
DDoS attacks are either persistent or scalable to N servers
N x traffic to 1 server => high-intensity traffic triggers network detection
Detection not triggered => low-intensity traffic is insufficient for N servers

Example: DDoS Attack on Spamhaus (2013)
Adversary: DDoS -> 1 Spamhaus server (3/16-3/18); persistent: ~2.5 days @ 10 Gbps
Spamhaus -> CloudFlare (3/19-3/22); non-scalable: the 90-120 Gbps of traffic is diffused over N > 20 servers (anycast) in 4 hours
[Figure: adversary -> ~100K open DNS resolvers -> attack traffic -> anycast servers]

Spamhaus Attack, Second Stage
Adversary: DDoS -> 4 IXPs (3/23); scalable: regionally degraded connectivity, some disconnection
Non-persistent: attack detected, pushed back and legitimate traffic re-routed in ~1-1.5 hours
[Figure: adversary -> ~100K open DNS resolvers -> attack traffic -> IXP -> anycast servers]

Persistent and Scalable DDoS Through Link Flooding
We've seen: the optimistic acknowledgment attack; the attacker can saturate the return paths from legitimate servers; in theory this can cause Internet-wide congestion collapse
Coordinated link-flooding attacks can degrade connectivity of N-server areas persistently
  N = small (e.g. 1-1000 servers)
  N = medium (e.g. all servers in Maryland)
  N = large (e.g. the West Coast of the US)

Power Laws of Internet Topology [Faloutsos^3, On Power-Law Relationships of the Internet Topology]
Power law: y(x) = a x^k
80% of routes traverse 20% of routers
[Figure: log-log plots of count vs. router out-degree for the 971108, 980410, 981205 and routes datasets, each with a fitted power law: exp(7.68585) * x^(-2.15632), exp(7.89793) * x^(-2.16356), exp(8.11393) * x^(-2.20288) and exp(8.52124) * x^(-2.48626)]
Leverage this empirical observation to implement persistent and scalable link-flooding attacks
Attack traffic is indistinguishable from legitimate traffic at the target router
Attack is a moving target for the same N-server area: it changes target links before triggering alarms

The Coremelt Attack [Studer and Perrig, 2009]
N bots and O(N^2) legitimate flows flood core routers
[Figure: core flooding, 10 Mbps]
Ex. N = 10^4 => 10^8 flows x 10 Kbps/flow => exhausts 100 x 10 Gbps links

Crossfire Attack [Kang, Lee & Gligor, 2013]
N bots; M servers @ chosen IP addresses; N x M legitimate-looking flows
[Figure: link flooding, 1 Mbps]
Ex. N = 10^4, M = 100 => 10^6 flows x 10 Kbps/flow => exhausts a 10 Gbps link

1-Link Crossfire Attack
Flows => indistinguishable from legitimate: low-rate flows
[Figure: bots (4 Kbps x 10K bots x 1K decoys) -> 40 Gbps -> decoy servers; decoys use the same links as the real DDoS target]
Flows => indistinguishable from legitimate: changing sets of flows
[Figure: bots -> decoy servers]

1-Link Crossfire Attack
Flows => alarms not triggered: suspend flows in t < T_det sec and resume later
[Figure: bots -> decoy servers]
Link-failure detection latency, T_det:
  IGP routers: 217 sec / 80 Gbps; 608 sec / 60 Gbps
  BGP routers: 1,076 sec / 80 Gbps; 11,119 sec / 60 Gbps
t = 40-180 sec => alarms are not triggered

n-Link Crossfire
n links traversed by a large number of persistent paths to a target area; small n, e.g. 5-15
Narrow path waist (observed power law for Internet route paths)
[Figure: N servers; relatively good target link set; alternate good target link set]
Moving targets, same N servers = suspend-resume flooding of different link sets

Attack Step 1: Link-Map Construction (slides dated 11/19/14)
[Figure: traceroute from bots across the Internet to servers in the target area; trace results give routers and persistent vs. transient links]
Only persistent links are targeted

Attack Step 2: Target-Link Selection
Select n target links
Goal: find n links whose failure maximizes the degradation ratio (DR) => maximum coverage problem
[Figure: Internet, servers, target area]

Attack Step 3: Bot Coordination
[Figure: commands to bots; attack flows to decoy servers across the Internet; low send/receive rates ~1 Mbps; servers in the target area]

Degraded Connectivity
[Figure: degradation ratio (0 to 1) vs. number of target links n (0 to 50) for Univ1, Univ2, New York, Pennsylvania, Massachusetts, Virginia, East Coast (US), West Coast (US)]
DR = # degraded bot-to-target-area paths / # all bot-to-target-area paths
Flooding a few target links causes high degradation (DR)
  10 links => DR: 74-90% for Univ1 and Univ2
  15 links => DR: 53% (33%) for Virginia (West Coast)
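Added example, not from the slides: the degradation ratio defined above, computed over a constructed toy link map from the operator's side, to gauge how much of a target area's path diversity rests on a few links (the narrow path waist). PATHS, links_of, persistent_links, link_coverage and degradation_ratio are names chosen here.

```python
# Added example (not from the slides). Computes the slide's degradation ratio
# DR = (# degraded source-to-target-area paths) / (# all such paths) over a
# constructed toy link map, as an operator gauging how much of a target area's
# path diversity rests on a few links (the "narrow path waist").
from collections import Counter

# Constructed traceroute-style paths: (source, target server) -> hops.
PATHS = {
    ("src1", "srvA"): ["src1", "r1", "r3", "r5", "srvA"],
    ("src1", "srvB"): ["src1", "r1", "r3", "r5", "srvB"],
    ("src2", "srvA"): ["src2", "r2", "r3", "r5", "srvA"],
    ("src2", "srvB"): ["src2", "r2", "r4", "r5", "srvB"],
    ("src3", "srvA"): ["src3", "r2", "r4", "r6", "srvA"],
    ("src3", "srvB"): ["src3", "r2", "r4", "r6", "srvB"],
}

def links_of(path):
    """Links traversed by a path, as order-independent hop pairs."""
    return {tuple(sorted(pair)) for pair in zip(path, path[1:])}

def persistent_links(rounds):
    """Links seen in every traceroute round for one source/target pair.
    Transient links (e.g. load-balanced alternates) drop out of the
    intersection; the slides' link map keeps only persistent ones."""
    return set.intersection(*(links_of(p) for p in rounds))

def link_coverage(paths):
    """Number of source-to-target-area paths that traverse each link.
    A few links with high coverage form the narrow path waist."""
    cov = Counter()
    for path in paths.values():
        cov.update(links_of(path))
    return cov

def degradation_ratio(paths, down_links):
    """DR: fraction of source-to-target-area paths that cross at least
    one link in down_links (flooded or failed)."""
    down = {tuple(sorted(l)) for l in down_links}
    degraded = sum(1 for p in paths.values() if links_of(p) & down)
    return degraded / len(paths)

if __name__ == "__main__":
    for link, n in link_coverage(PATHS).most_common(3):
        print(f"{link}: {n} of {len(PATHS)} paths")
    print("DR if (r3, r5) is down:", degradation_ratio(PATHS, [("r3", "r5")]))
```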

Effective Independence of Bot Distribution
Setting: experiments using 6 different bot distributions (bot distribution on the map)
Result: no significant difference in attack performance
[Figure: degradation ratio vs. n target links for Univ1, Pennsylvania and East Coast (US) under Baseline and Distr1 to Distr6]

Fundamental Causes of DoS Attacks
Asymmetric state allocation: the receiver must do more work than the sender (e.g. TCP SYN flood)
Persistent rate gap: max network line rate >> max server rate; this gap has not changed much over time; it allows an army of bots to flood public servers with junk traffic
Power laws of the Internet topology: result in a narrow path waist to any potential target; enables the crossfire attack

Sources: various slides from Vitaly Shmatikov and Virgil Gligor

Review of Lecture
What did we learn? Trade-offs and causes of DDoS attacks; the Coremelt attack; the Crossfire attack
Paper discussion: Inferring Internet Denial-of-Service Activity. Discussion lead: Ahmed. Scribe: Wei
What's next? More DDoS