Distributed Denial of Service Attacks and Countermeasures
CSE598K/CSE545 - Advanced Network Security
Prof. McDaniel - Spring 2008
CSE598K/CSE545 - Advanced Network Security - McDaniel Page 1
DDoS
• Denial of Service attack - intentionally preventing access to some valued resource.
• Distributed DoS - attack launched from multiple sources, e.g., compromised computers
• Attacks
‣ overload - sending more traffic than the system can handle, causing backlogs and thrashing, e.g., congestion
‣ confusion - forcing the system into a state from which it does not know how to progress, e.g., process death
• Concept: indirect DoS via reflection
Open vs. Closed Systems
• Open systems provide functionality to all who would access the service as needed
‣ Often harder to secure against DoS
• Closed systems restrict access based
‣ Generally predicate access on authentication
‣ Often more complex (leading to more DoS?)
• Key DoS concepts/realities
‣ E2E: intelligence is at the edges, making it hard to protect upstream
‣ Byzantine failures: if a system can act in any manner, then it can arbitrarily consume resources (threat model?)
Root causes and targets
• Causes (Mirkovic)
‣ Interdependencies between services
‣ Limited resources
‣ Intelligence distributed (and not near resources)
‣ No accountability
• Targets (examples)
‣ Applications (Gnutella)
‣ Hosts (CSE webserver)
‣ Resources (home dirs.)
‣ Networks (IBM)
‣ Infrastructure (routing)
Systems and Internet Infrastructure Security Laboratory (SIIS) Page 4
The attack
• Launching an attack (figure: Recruit → Infect → Use)
‣ Identify some hosts (find)
‣ Infect them
‣ Use them
• Issues:
‣ How do I find them?
‣ How do I communicate with them?
‣ What is the effect?
Scanning
• 1$ question: What is the best strategy for finding vulnerable hosts on the Internet?
‣ Random scanning
‣ Hitlist scanning
‣ Signpost scanning
‣ Permutation scanning
‣ Local subnet scanning
• Concept: horizontal vs. vertical scanning
• Concept: “low and slow” scanning
Infection
• 0.01$ question: what is the best strategy for distributing the malware?
‣ Central source
‣ Back-chaining
‣ Autonomous (in-band)
‣ External (peer-to-peer)
• Open question: is it possible to detect malware simply by looking at the payload of a packet?
Modeling Infection
• Assume f(t, n, s) = ?
‣ n hosts in network
‣ Pr(host is vulnerable) = k
‣ s hosts are initially seeded
‣ Uniform distribution of vulnerable hosts
‣ Random scanning
‣ One host can test/infect one other host in a single “round”
• Give pseudo-code for a recursive function for the infection of the network at round t
‣ Think of the simplest model possible.
An approx. model

    function f( t, n, s, k ) {
        // round 0: only the s seeded hosts are infected
        if ( t == 0 ) return( s );
        // every host infected by round t-1 tests one random host in round t;
        // a fraction k of those tests hit a vulnerable host and infect it
        hosts = f(t-1, n, s, k);
        return( hosts + (hosts*k) );
    }

Q: what happens as t approaches inf?
Q: what about collisions? (how do you model them?)
Simulated Infection
(figure: Simple Infection Model (s=1, n=1*10^7, k=0.001); y-axis: infected hosts, 0 to 1e+06; x-axis: time in rounds, 0 to 14000)
Q: why does it take so long to reach the POC?
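An added example (not the lecture's code) that runs the slide's recurrence iteratively with the plot's parameters, and answers the collision question with a variant in which each probe lands on a uniformly random host, so a probe that re-hits an already infected host is wasted and the count saturates at the k*n vulnerable hosts:

```python
"""Infection-model simulation: the slide's collision-free recurrence next to a
collision-aware variant. Added example, not the lecture's code."""


def simulate(n, s, k, rounds, collisions=False):
    """Return [I_0, ..., I_rounds]: expected infected hosts after each round
    for n hosts, s seeds, Pr(vulnerable) = k, one probe per infected host.
    collisions=False: slide model, I_t = I_{t-1} + I_{t-1}*k, no upper bound.
    collisions=True: the probe hits a uniformly random host and succeeds only
    if it is vulnerable AND not yet infected (a re-hit is a wasted probe),
    so the expected gain is I*(k*n - I)/n and I saturates at k*n hosts."""
    vulnerable = k * n
    infected = float(s)
    history = [infected]
    for _ in range(rounds):
        if collisions:
            infected += infected * (vulnerable - infected) / n
        else:
            infected += infected * k
        history.append(infected)
    return history


def f(t, n, s, k):
    """Same value as the slide's recursive f(t, n, s, k), computed iteratively
    so that large t does not exhaust the recursion stack."""
    return simulate(n, s, k, t)[-1]


def rounds_to_reach(history, target):
    """First round at which the infected count reaches target (None if never)."""
    for t, value in enumerate(history):
        if value >= target:
            return t
    return None


if __name__ == "__main__":
    # Parameters from the slide's plot: s=1, n=1e7, k=0.001 (only k*n = 10^4
    # hosts are actually vulnerable, which the collision-free model ignores).
    simple = simulate(10**7, 1, 0.001, 20000)
    logistic = simulate(10**7, 1, 0.001, 20000, collisions=True)
    print("rounds to 1e6 hosts, no collisions:", rounds_to_reach(simple, 10**6))
    print("rounds to 5000 hosts, with collisions:", rounds_to_reach(logistic, 5000))
    print("final count with collisions:", round(logistic[-1], 1))
```

The slow start in the plot is the exponential phase: with k = 0.001 each round adds only a tenth of a percent, so the count doubles roughly every 700 rounds, and the collision-aware model is slower still as the vulnerable population fills up.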
The attacks (redux)
• Semantic/confusion - exploiting a characteristic of the environment to force it into a bad state
• Overload - brute force traffic toward some service
‣ Overload rates: constant, pulse, variable
‣ Q: what are the consequences of each of these patterns?
• Enabling factor: IP address spoofing
‣ Source address spoofing is common, mostly random
‣ Plausible address spoofing is less common
‣ Fixed address is used in reflection more often
‣ Note: this is what makes the use of backscatter effective
Network Backscatter
• A network telescope is a virtual device that listens to the traffic on “dark” (unused) address space.
• Observation: during DDoS attacks, most tools fake their source IP address randomly; the victim responds to the random IP, e.g., SYN/ACK, ICMP port unreachable.
• Consequence: if you monitor the dark space you can
‣ Detect attacks by looking at the source addresses of responses
‣ Approximate intensity by looking at inter-arrival time
• In principle, you can monitor the DDoS activity on the Internet without tapping any particular network
Analysis
• Attack of m packets, observing n IP addresses
• Probability of receiving at least one packet: $1 - \left(1 - \frac{n}{2^{32}}\right)^m$
• Expected number of responses seen for attack: $E(X) = \frac{nm}{2^{32}}$
• Intensity of attack (in packets per second): $R \ge R' \cdot \frac{2^{32}}{n}$
• where $R'$ is the average rate measured at the telescope (from packet inter-arrival times)
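An added example (not from the lecture or from Moore et al.) that applies the three formulas above to a /8 telescope; the backscatter timestamps are constructed, and the rate estimate is deliberately reported as the lower bound the formula gives:

```python
"""Backscatter estimates for a network telescope, using the slide's formulas.
Added example; the packet timestamps below are constructed, not real data."""

ADDRESS_SPACE = 2 ** 32      # IPv4 addresses a random spoofer can pick from
TELESCOPE_N = 2 ** 24        # a /8 telescope, as in Moore et al.

# Constructed arrival times (seconds) of SYN/ACK backscatter seen at the
# telescope for one victim: 11 packets over 10 seconds.
SAMPLE_TIMESTAMPS = [0.0, 1.1, 1.9, 3.0, 4.2, 4.8, 6.0, 7.1, 7.9, 9.0, 10.0]


def p_observe(m, n=TELESCOPE_N):
    """Probability that an attack of m randomly spoofed packets sends at
    least one response into a telescope of n addresses: 1 - (1 - n/2^32)^m."""
    return 1 - (1 - n / ADDRESS_SPACE) ** m


def expected_responses(m, n=TELESCOPE_N):
    """E[X] = n*m / 2^32 backscatter packets for an attack of m packets."""
    return n * m / ADDRESS_SPACE


def attack_rate_lower_bound(timestamps, n=TELESCOPE_N):
    """R >= R' * 2^32 / n, where R' is the backscatter rate (packets/s) the
    telescope measured, i.e. the reciprocal of the mean inter-arrival time.
    It is only a lower bound: it assumes every attack packet elicits exactly
    one response and that spoofed sources are uniform over the whole space."""
    if len(timestamps) < 2:
        raise ValueError("need at least two packets to measure a rate")
    ts = sorted(timestamps)
    mean_gap = (ts[-1] - ts[0]) / (len(ts) - 1)
    measured_rate = 1.0 / mean_gap
    return measured_rate * ADDRESS_SPACE / n


if __name__ == "__main__":
    print("P(see >= 1 packet) for a 1000-packet attack:", round(p_observe(1000), 3))
    print("expected responses from a 1e6-packet attack:", expected_responses(10**6))
    print("attack rate lower bound (pkt/s):", attack_rate_lower_bound(SAMPLE_TIMESTAMPS))
```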
[Moore et al.] 2004
• /8 (2^24 IP addresses monitored)
(figure: victims)
How long/intense?
(figures: intensity, duration)
Backscatter Limitations
• Addresses really randomly selected?
• What is the effect of ingress/egress filtering?
• Reflector attacks not caught
• Do all attack packets really cause a response?
• Q: what do you really learn (that the victim could not have told you)?
DDoS Solutions (prevention)
• Hardening: at the host, making them less vulnerable
‣ Yeah, right.
• Protocols or service countermeasures: design for security
‣ Computational asymmetries (puzzles), credentialed functionality
• Filtering: dropping traffic as DoS is detected
‣ Source identification
‣ Rate limiting
‣ Reconfiguration
IP Traceback
• Idea: probabilistically (1/20,000) mark packets as they are flowing toward source.
‣ Mark with router’s IP address
‣ Edges traversed
‣ Reconstruct the attack path
‣ Filter as needed
• Issues:
‣ Not much space to collect data, thus paths need to be marked probabilistically
‣ Work has focused on how to build good reconstruction algorithms that allow accurate reconstruction of attack paths
Algorithm 1: total marking
• Marking: append each router IP address to packet
• Reconstruction: any attacker packet has the path on it
• Comments:
‣ Single packet convergence
‣ Problem: not enough space to mark
(figure: IP HDR | A | B | C | D | User Data)
Algorithm 2: Node Sampling
• Marking: with probability p (often p > 0.5), write router IP address into packet (or overwrite)
• Reconstruction: arrange all routers by frequency count in received packets
‣ over enough packets, converges to attack path because reporting at the victim is inversely proportional to distance: a router d hops away survives in the mark with probability $p(1-p)^{d-1}$
• Comments:
‣ Problem: not robust against multiple attackers
‣ Problem: slow convergence
Algorithm 3: Edge Sampling
• Marking:
‣ If packet is marked with a distance of 0, mark packet with router IP address as
‣ If not, with probability p write router IP address into packet
‣ Increment distance by one
• Reconstruction: recover path by reconstructing hop-by-hop paths, possibly slowly
• Comments:
‣ Problem: finding enough space is sometimes hard
‣ XORing IP addresses provides some relief
‣ Convergence dominated by probability that hop received
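An added example (not the lecture's code) implementing the edge-sampling scheme the last three slides sketch, after Savage et al.: each router either starts a new edge sample with probability p or completes and counts one, and the victim chains the received (start, end, distance) marks hop by hop. Router names and the single-attacker path are constructed:

```python
"""Edge-sampling traceback: probabilistic marking at each router and
reconstruction at the victim. Added example implementing the scheme the
slide sketches (after Savage et al.), not the lecture's code."""
import random


def mark_packet(packet, router, p, rng):
    """Marking at one router: with probability p start a new edge sample
    (start=router, distance=0); otherwise complete a just-started edge by
    writing this router as its end, and count the hop in distance."""
    if rng.random() < p:
        packet["start"], packet["end"], packet["distance"] = router, None, 0
    else:
        if packet["distance"] == 0:
            packet["end"] = router
        packet["distance"] += 1
    return packet


def send_packets(path, p, n_packets, seed=1):
    """Push n_packets through the routers in path (attacker side first,
    victim side last); return the marks exactly as the victim sees them."""
    rng = random.Random(seed)
    received = []
    for _ in range(n_packets):
        packet = {"start": None, "end": None, "distance": 0}
        for router in path:
            mark_packet(packet, router, p, rng)
        received.append(packet)
    return received


def reconstruct_path(received, victim="victim"):
    """Victim-side reconstruction. A mark (start, end, d) says end is d hops
    from the victim (end=None means the victim itself) and start is one hop
    further out, so the path is chained hop by hop from distance 0 outward."""
    edges = {}
    for pkt in received:
        if pkt["start"] is None:          # never marked: carries no edge
            continue
        end = victim if pkt["end"] is None else pkt["end"]
        edges.setdefault((pkt["distance"], end), set()).add(pkt["start"])
    path, current, d = [], victim, 0
    while (d, current) in edges:
        # Single attacker: one start per (distance, end); sort for determinism.
        current = sorted(edges[(d, current)])[0]
        path.append(current)
        d += 1
    return path
```

The edge from a router d hops out survives to the victim only when no closer router overwrites it, which is the convergence cost the slide notes: the farthest edges need the most packets.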
IP Pushback
• Idea: identify attack traffic at the victim and push route filters upstream toward the potential source
‣ Review the “drop tables” for discernible aggregations of the most frequently dropped kinds of traffic.
‣ Aggregates are pushed upstream
‣ One approach: aggregating by destination
• Compute aggregated downstream signatures
‣ IPs dropped, by longest matching route
• Pushback computed filters toward source
• [Ioannidis, Bellovin 02]
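An added example (not the lecture's or the Ioannidis/Bellovin code) of the aggregate computation the slide describes: a congested router's drop table is grouped by the longest matching route of each dropped packet's destination, and the aggregates that dominate the drops are the candidates to push upstream. The route table and drop log are constructed:

```python
"""Aggregate identification for pushback: group a router's dropped packets by
the longest matching route of their destination and flag the aggregates that
dominate the drops. Added example; route table and drop log are constructed."""
import ipaddress
from collections import Counter

# Constructed route table of the congested router (not real prefixes).
ROUTES = [ipaddress.ip_network(p) for p in
          ("10.0.0.0/8", "10.1.0.0/16", "10.1.2.0/24", "192.168.0.0/16")]

# Constructed "drop table" lines, one dropped packet each (documentation ranges).
DROP_LOG = """\
drop src=198.51.100.4 dst=10.1.2.15 proto=udp
drop src=198.51.100.9 dst=10.1.2.15 proto=udp
drop src=203.0.113.20 dst=10.1.2.80 proto=tcp
drop src=203.0.113.21 dst=10.1.2.15 proto=udp
drop src=198.51.100.77 dst=10.1.2.15 proto=udp
drop src=203.0.113.5 dst=10.1.9.3 proto=tcp
drop src=203.0.113.6 dst=10.1.40.1 proto=tcp
drop src=198.51.100.8 dst=192.168.5.5 proto=udp
"""


def longest_match(dst, routes=ROUTES):
    """Return the most specific route containing dst (None if no route)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net in routes:
        if dst in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def aggregate_drops(log_text, threshold, routes=ROUTES):
    """Downstream aggregate signatures: share of drops per longest-matching
    destination route. Returns {prefix: share} for aggregates whose share is
    >= threshold; these are the candidates to push upstream with a rate limit."""
    counts, total = Counter(), 0
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        route = longest_match(fields["dst"], routes)
        counts["unrouted" if route is None else str(route)] += 1
        total += 1
    if total == 0:
        return {}
    return {prefix: c / total for prefix, c in counts.items()
            if c / total >= threshold}
```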