Modelling and simulation of a defense strategy to face indirect DDoS - PowerPoint PPT Presentation



  1. Modelling and simulation of a defense strategy to face indirect DDoS flooding attacks
     A. Furfaro, P. Pace, A. Parise, L. Molina Valdiviezo
     Università della Calabria, D.I.M.E.S., 87036 Rende (CS), Italy
     Email: a.furfaro@unical.it
     A. Furfaro et al., A defense strategy against indirect DDoS flooding attacks, September 24, 2014, 1 / 18

  2. Objectives
     - Development of a simulation model enabling the study and analysis of defense techniques against Distributed Denial of Service (DDoS).
     - Extension of the StopIt technique to widen its applicability to more complex DDoS attack scenarios, i.e. shared link congestion.
     Outline
     - DDoS attacks
     - Defense mechanisms: StopIt, DiffServ
     - An ns-3 simulation model
     - A novel defense technique exploiting StopIt and DiffServ
     - Results
     - Conclusions and future work

  3. Distributed Denial of Service (DDoS)
     - Cyber security has become a very hot issue due to the large and ever-increasing diffusion of Internet-connected devices.
     - DDoS is one of the most sophisticated attack techniques; due to its distributed nature, it is not easy to face.
     - DoS attacks are carried out by a botnet consisting of widely scattered and remotely controlled computers called zombies.
     - Zombies send a large amount of service requests and data traffic to the target victim in order to exhaust its resources.
     [Figure: botnet/zombie diagram, © Cisco Systems, Inc.]

  4. DDoS defence mechanisms
     [Figure: deployment points of DDoS defence mechanisms along the path Source AS (source's edge router, access router) - intermediate ASs (AS x, AS y, AS z) - Destination AS (destination's edge router, access router): source-based, network-based, destination-based and hybrid DDoS defence mechanisms]
     Zargar et al.: A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks. IEEE Communications Surveys & Tutorials, 14(4):2046–2069, 2013
     Hybrid defence mechanisms are the most effective!

  5. Hybrid mechanisms
     - Throttling/filtering and hybrid packet marking: installation, on the victim's side, of a router throttle at upstream routers several hops away, with the aim of limiting the forwarding data rate. It only limits the rate of malicious packets.
     - Capability-based: short-term authorization from the receivers, obtained by adding specific stamps to their packets. The recipients explicitly authorize the traffic they would like to receive.
     - Active Internet Traffic Filtering (AITF): explicit refusal of traffic identified as undesirable. It needs a bounded amount of filtering resources from participating ISPs.
     - StopIt: see next slides.

  6. StopIt operation
     [Figure: source host H_s in AS_s with access router R_s and StopIt server SS_s; victim H_d (and host H_u) in AS_d with access router R_d and StopIt server SS_d; intermediate AS_i with StopIt server SS_i; arrows (1)-(5) follow the steps below]
     (1) The victim H_d detects the attack and sends a blocking request to its access router R_d.
     (2) R_d verifies that the source H_s is really sending data to the server; then it installs a local filter and sends a flow-blocking request to the StopIt server SS_d.
     (3) SS_d forwards the request toward the StopIt server belonging to the source AS by using the BGP protocol.
     (4) The StopIt server SS_s within the source AS, once it has received the request, notifies the blocking request to its access router R_s.
     (5) Finally, the access router of AS_d installs the filter to block the flow for a certain period.

  7. DiffServ
     DiffServ is a coarse-grained, class-based mechanism for traffic management and QoS differentiation.
     - Traffic is first classified by taking into account a specific priority.
     - Then it is forwarded according to one of three per-hop behaviour (PHB) mechanisms.
     PHBs
     - Assured Forwarding (AF): gives assurance of delivery under prescribed and stringent conditions (Premium Service).
     - Expedited Forwarding (EF): dedicated to low-loss, low-latency traffic.
     - Default Behaviour (BE): typically used for best-effort traffic.

  8. Modelling with ns-3
     Class hierarchy
     - DNSServer models the behaviour (see next slide) of a DNS server able to process up to n requests in parallel.
     - StopItServer reproduces the behaviour of a StopIt server.
     - AccessRouter implements the router application, which is in charge of packet filtering, dispatching of StopIt requests and DiffServ policy enforcement.

  9. DNS server behaviour
     FSA model of the DNS server (states Available and Busy; av = RN at start):
     - Available: DNSRequest [av > 1] / av--; process(request)  (stays Available)
     - Available: DNSRequest [av == 1] / av--; process(request)  (goes to Busy)
     - Available: endProcess / av++
     - Busy: DNSRequest [!bufferFull] / enqueue(request)
     - Busy: DNSRequest [bufferFull] / drop(request)
     - Busy: endProcess [!bufferEmpty] / process(dequeue())
     - Busy: endProcess [bufferEmpty] / av++  (goes to Available)
     The above FSA models the behaviour of a general server having RN resources and a limited buffer capacity for storing pending requests. It has been implemented by exploiting the State design pattern.
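As an added example (not the authors' ns-3 code), the automaton above rendered in stand-alone C++ with the State design pattern the slide mentions: two state objects handle the DNSRequest and endProcess events, and a Server holds av, the request buffer and the counters. The Request type, the counters, the simulateBurst() helper and the burst of 300 requests are constructed for this example; process() only counts the request, since the service time itself is not modelled here.

```cpp
#include <cstddef>
#include <cstdio>
#include <deque>

struct Request { int id; };   // constructed: the model only needs an identifier
class Server;

// Each concrete state handles the two events of the FSA on the slide.
struct ServerState {
    virtual ~ServerState() {}
    virtual void onRequest(Server& s, const Request& r) const = 0;
    virtual void onEndProcess(Server& s) const = 0;
};
struct AvailableState : ServerState {
    void onRequest(Server& s, const Request& r) const override;
    void onEndProcess(Server& s) const override;
};
struct BusyState : ServerState {
    void onRequest(Server& s, const Request& r) const override;
    void onEndProcess(Server& s) const override;
};

// A server with RN resources and a bounded buffer for pending requests.
class Server {
public:
    Server(int rn, std::size_t bufferCapacity)
        : av_(rn), cap_(bufferCapacity), state_(&kAvailable) {}   // av = RN at start
    void dnsRequest(const Request& r) { state_->onRequest(*this, r); }
    void endProcess() { state_->onEndProcess(*this); }
    int available() const { return av_; }
    std::size_t queued() const { return buffer_.size(); }
    int processed() const { return processed_; }
    int dropped() const { return dropped_; }
    bool isBusy() const { return state_ == &kBusy; }
private:
    friend struct AvailableState;
    friend struct BusyState;
    void process(const Request&) { ++processed_; }   // hand the request to a free resource
    void drop(const Request&) { ++dropped_; }
    bool bufferFull() const { return buffer_.size() >= cap_; }
    bool bufferEmpty() const { return buffer_.empty(); }
    void enqueue(const Request& r) { buffer_.push_back(r); }
    Request dequeue() { Request r = buffer_.front(); buffer_.pop_front(); return r; }
    void setState(const ServerState* st) { state_ = st; }

    int av_;                        // free resources
    int processed_ = 0;
    int dropped_ = 0;
    std::size_t cap_;               // buffer capacity
    std::deque<Request> buffer_;    // pending requests
    const ServerState* state_;
    static const AvailableState kAvailable;
    static const BusyState kBusy;
};
const AvailableState Server::kAvailable{};
const BusyState Server::kBusy{};

void AvailableState::onRequest(Server& s, const Request& r) const {
    if (s.av_ > 1) {                 // DNSRequest [av > 1] / av--; process(request)
        --s.av_; s.process(r);
    } else if (s.av_ == 1) {         // DNSRequest [av == 1] / av--; process(request) -> Busy
        --s.av_; s.process(r);
        s.setState(&Server::kBusy);
    }
}
void AvailableState::onEndProcess(Server& s) const { ++s.av_; }   // endProcess / av++

void BusyState::onRequest(Server& s, const Request& r) const {
    if (!s.bufferFull()) s.enqueue(r);   // DNSRequest [!bufferFull] / enqueue(request)
    else s.drop(r);                      // DNSRequest [bufferFull] / drop(request)
}
void BusyState::onEndProcess(Server& s) const {
    if (s.bufferEmpty()) {               // endProcess [bufferEmpty] / av++ -> Available
        ++s.av_;
        s.setState(&Server::kAvailable);
    } else {                             // endProcess [!bufferEmpty] / process(dequeue())
        s.process(s.dequeue());
    }
}

struct BurstResult { int processed; int dropped; std::size_t queued; bool busy; };

// Constructed flood: `burst` requests arrive back to back before any of them completes.
BurstResult simulateBurst(int rn, std::size_t cap, int burst) {
    Server srv(rn, cap);
    for (int i = 0; i < burst; ++i) srv.dnsRequest(Request{i});
    return BurstResult{srv.processed(), srv.dropped(), srv.queued(), srv.isBusy()};
}

int main() {
    BurstResult r = simulateBurst(8, 200, 300);   // 8 resources, buffer 200, as on slide 11
    std::printf("processed=%d queued=%zu dropped=%d busy=%d\n",
                r.processed, r.queued, r.dropped, (int)r.busy);
    return 0;
}
```

With the slide-11 parameters (8 resources, buffer size 200) a burst of 300 requests occupies all 8 resources, fills the buffer with 200 pending requests and drops the remaining 92; each later endProcess pulls one pending request off the buffer before any resource is released, which is exactly the [!bufferEmpty] transition.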

 10. Simulation Scenario
     [Figure: network topology with source ASs AS_s0 ... AS_sn (StopIt servers SS_0 ... SS_n, access routers R_s0 ... R_sn), an intermediate network, and the victim's AS_d with StopIt server SS_d, access router R_d, link L_d and hosts H_d and H_u]
     - First zone: 10 ASs, 50 hosts each, contains the traffic sources (50% corrupted)
     - Second zone: intermediate network
     - Third zone: victim's AS

 11. Simulation Parameters
     Traffic sources
     - 24 VoIP sources (iLBC mode 30 codec at 13.33 kbps) [AF]
     - 230 HTTP sources [BE]
     - 230 DNS clients (50% malicious) [BE]
     Links: bandwidth 10 Mbps, delay 1 ms
     DNS service: resources 8, buffer size 200, mean service time 5 ms
     Legal DNS traffic: packet size 26 bytes, packet rate 1 pkt/s
     Malicious traffic: packet size 78 bytes, packet rate 100 pkt/s
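To make the DiffServ point of slide 7 concrete on the shared-link scenario, here is an added stand-alone C++ model (not the authors' ns-3 code) of one congested link with three PHB queues served in strict priority EF > AF > BE, compared against a single FIFO with no class separation. The strict-priority order, the 1 ms tick, the 50 kB queue capacity, the aggregate packet rates and sizes (VoIP as 800 pkt/s of 50 bytes to approximate 24 x 13.33 kbps, 4 Mbps of HTTP, and a BE flood of 78-byte requests that on its own exceeds the 10 Mbps link) are constructed for this example; only the link rate, the VoIP aggregate and the DNS packet sizes follow slide 11.

```cpp
#include <algorithm>
#include <cmath>
#include <cstddef>
#include <cstdio>
#include <deque>
#include <string>
#include <vector>

enum Phb { EF = 0, AF = 1, BE = 2 };   // served in this order (assumption of this example)

struct Flow { std::string name; Phb phb; double pktPerSec; int pktBytes; };
struct FlowStats { long offered = 0, sent = 0, dropped = 0, maxBytesAhead = 0; };
struct Packet { std::size_t flow; int bytes; };
struct Queue { std::deque<Packet> pkts; long bytes = 0; };

// Discrete-time model: every tick each flow emits its share of packets into its class queue
// (tail drop at queueCapBytes), then the link drains the queues in strict priority.
// With diffserv == false all flows share one FIFO queue.
std::vector<FlowStats> simulateLink(const std::vector<Flow>& flows, double linkBps,
                                    double seconds, double dt, long queueCapBytes, bool diffserv) {
    std::vector<Queue> queues(diffserv ? 3 : 1);
    std::vector<FlowStats> stats(flows.size());
    std::vector<double> credit(flows.size(), 0.0);
    const double bytesPerTick = linkBps / 8.0 * dt;
    double budget = 0.0;
    const long ticks = std::lround(seconds / dt);
    for (long t = 0; t < ticks; ++t) {
        for (std::size_t f = 0; f < flows.size(); ++f) {
            credit[f] += flows[f].pktPerSec * dt;
            while (credit[f] >= 1.0) {                  // one whole packet per unit of credit
                credit[f] -= 1.0;
                stats[f].offered += flows[f].pktBytes;
                std::size_t q = diffserv ? static_cast<std::size_t>(flows[f].phb) : 0;
                if (queues[q].bytes + flows[f].pktBytes > queueCapBytes) {
                    stats[f].dropped += flows[f].pktBytes;   // class queue full: tail drop
                    continue;
                }
                // Bytes transmitted before this packet: its own queue plus all higher classes.
                long ahead = 0;
                for (std::size_t i = 0; i <= q; ++i) ahead += queues[i].bytes;
                if (ahead > stats[f].maxBytesAhead) stats[f].maxBytesAhead = ahead;
                queues[q].pkts.push_back(Packet{f, flows[f].pktBytes});
                queues[q].bytes += flows[f].pktBytes;
            }
        }
        // Service: strict priority; at most one tick of unused capacity is carried over.
        budget = std::min(budget + bytesPerTick, 2.0 * bytesPerTick);
        for (Queue& q : queues) {
            while (!q.pkts.empty() && q.pkts.front().bytes <= budget) {
                Packet p = q.pkts.front(); q.pkts.pop_front();
                q.bytes -= p.bytes; budget -= p.bytes;
                stats[p.flow].sent += p.bytes;
            }
            if (!q.pkts.empty()) break;   // head-of-line packet waits; lower classes wait too
        }
    }
    return stats;
}

// Worst-case queueing delay a flow's packets saw at enqueue time, in milliseconds.
double maxDelayMs(const FlowStats& s, double linkBps) {
    return s.maxBytesAhead * 8.0 / linkBps * 1000.0;
}

// Constructed shared-link scenario (see lead-in); only the VoIP aggregate is marked AF.
std::vector<Flow> sharedLinkScenario() {
    return {
        {"voip",      AF,   800.0,   50},   // ~320 kbps: 24 x 13.33 kbps
        {"http",      BE,   500.0, 1000},   // 4 Mbps of web traffic
        {"dns-legal", BE,   115.0,   26},   // 115 clients x 1 pkt/s x 26 B
        {"dns-flood", BE, 20000.0,   78},   // zombie requests: ~12.5 Mbps of 78 B packets
    };
}

int main() {
    std::vector<Flow> flows = sharedLinkScenario();
    for (int mode = 0; mode < 2; ++mode) {
        bool diffserv = (mode == 1);
        std::vector<FlowStats> st = simulateLink(flows, 10e6, 1.0, 0.001, 50000, diffserv);
        std::printf("%s\n", diffserv ? "strict-priority PHB queues" : "single FIFO");
        for (std::size_t f = 0; f < flows.size(); ++f)
            std::printf("  %-10s sent=%8ld dropped=%8ld max delay=%6.2f ms\n", flows[f].name.c_str(),
                        st[f].sent, st[f].dropped, maxDelayMs(st[f], 10e6));
    }
    return 0;
}
```

With the class queues the VoIP aggregate loses nothing and never waits behind the flood, while the BE flood is the traffic that gets dropped; with the single FIFO the VoIP packets are still delivered but sit behind up to 50 kB of flood, i.e. tens of milliseconds on a 10 Mbps link. That is the "VoIP traffic is unaffected due to DiffServ" observation of slide 12, and also why the joint scheme on slides 14-15 moves the DNS server's traffic into a protected class rather than only filtering at the source.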

 12. Direct Flooding Attack
     [Figure (a): direct DNS DDoS attack, showing total traffic, HTTP, DNS and VoIP; Figure (b): detail of legal requests and DDoS traffic on the DNS server]
     - The attack begins at t = 20 s and it is detected at t = 23 s.
     - After the filters are installed, the botnet traffic is blocked.
     - VoIP traffic is unaffected due to DiffServ.

 13. Shared Link Flooding Attack (StopIt only)
     [Figure: StopIt only, showing total traffic, HTTP, VoIP, DDoS and DNS] StopIt is not able to face the attack; VoIP traffic is unaffected.
     - In this scenario the attack is carried out by flooding the host H_u, which is in the same AS as the victim H_d.
     - The bandwidth of the link shared by H_u, H_d and the other hosts of the same AS is exhausted by the attack.
     - H_d observes a drastic decrease in the number of received requests.

 14. StopIt and DiffServ cooperation (1)
     Assumptions
     - At least one StopIt server is present within each AS.
     - Each AS corresponds to a DiffServ domain.
     - In each DiffServ domain, the packets coming from the StopIt server are managed through the highest-priority Assured Forwarding (AF) queue.
     - The DiffServ system is able to install new Service Level Agreements (SLAs) at run time.
     - The server H_d experiencing a performance degradation is able to detect anomalous traffic conditions by using a specific detection algorithm.

 15. StopIt and DiffServ cooperation (2)
     Once the server H_d detects a decrease in its performance, mostly due to traffic anomalies, it activates the joint StopIt - DiffServ defense mechanism by executing the following steps:
     (1) H_d sends a temporary DiffServ activation request toward the access router R_d within its AS.
     (2) R_d forwards the request to the StopIt server after filling the packet with the information about all the interfaces connected to the AS.
     (3) The StopIt server installs the specific SLA for a certain time T_b, then it decreases the hop limit field by one and forwards the request to all the neighbouring ASs.
     (4) The other StopIt servers, once they have received the request packet, repeat the actions from point 2 until the hop limit field reaches zero.
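The four steps above as an added stand-alone C++ model (not the authors' ns-3 code): one StopIt server per AS installs a temporary SLA keyed by the origin AS for T_b seconds, decrements the hop limit and forwards to every neighbouring AS until the limit reaches zero. The topology helper, the message counter and the 5-AS line topology are constructed; one rule is an assumption not stated on the slide: a server that already holds an active SLA for the same origin refreshes it but does not forward the request again, so the flood of requests cannot bounce between neighbours for the whole hop budget.

```cpp
#include <cstddef>
#include <cstdio>
#include <map>
#include <queue>
#include <set>
#include <utility>
#include <vector>

struct ActivationRequest {
    int originAs;                  // AS of the degraded server H_d
    int hopLimit;                  // decremented by one at every StopIt server (step 3)
    std::vector<int> interfaces;   // interfaces connected to the origin AS, added by R_d (step 2)
};

struct Sla { int originAs; double expiresAt; };   // temporary SLA, held for T_b seconds

// One AS == one DiffServ domain with one StopIt server (slide-14 assumptions).
class StopItServer {
public:
    explicit StopItServer(int asId) : asId_(asId) {}
    // Installs or refreshes the SLA; returns true only when no SLA for this origin was active
    // (assumed duplicate-suppression rule, see lead-in).
    bool installSla(const ActivationRequest& req, double now, double tb) {
        bool fresh = !hasActiveSla(req.originAs, now);
        slas_[req.originAs] = Sla{req.originAs, now + tb};
        return fresh;
    }
    bool hasActiveSla(int originAs, double now) const {
        std::map<int, Sla>::const_iterator it = slas_.find(originAs);
        return it != slas_.end() && it->second.expiresAt > now;
    }
    int asId() const { return asId_; }
private:
    int asId_;
    std::map<int, Sla> slas_;   // keyed by origin AS
};

typedef std::map<int, std::vector<int> > Topology;   // AS id -> neighbouring AS ids

std::map<int, StopItServer> makeServers(const Topology& topo) {
    std::map<int, StopItServer> servers;
    for (Topology::const_iterator it = topo.begin(); it != topo.end(); ++it)
        servers.insert(std::make_pair(it->first, StopItServer(it->first)));
    return servers;
}

Topology lineTopology(int n) {   // constructed: AS 0 - AS 1 - ... - AS n-1
    Topology t;
    for (int i = 0; i < n; ++i) {
        if (i > 0) t[i].push_back(i - 1);
        if (i + 1 < n) t[i].push_back(i + 1);
    }
    return t;
}

struct PropagationResult { std::vector<int> asesWithSla; int messages; };

// Steps 1-4: H_d -> R_d -> own StopIt server -> neighbouring ASs, until the hop limit is zero.
PropagationResult activate(std::map<int, StopItServer>& servers, const Topology& topo,
                           int originAs, const std::vector<int>& routerInterfaces,
                           int hopLimit, double now, double tb) {
    ActivationRequest req = {originAs, hopLimit, routerInterfaces};   // steps 1-2
    std::queue<std::pair<int, ActivationRequest> > pending;           // (receiving AS, request)
    pending.push(std::make_pair(originAs, req));
    int messages = 1;
    std::set<int> installed;
    while (!pending.empty()) {
        int as = pending.front().first;
        ActivationRequest r = pending.front().second;
        pending.pop();
        bool fresh = servers.at(as).installSla(r, now, tb);   // step 3: SLA for T_b
        installed.insert(as);
        r.hopLimit -= 1;                                       // step 3: decrement hop limit
        if (!fresh || r.hopLimit <= 0) continue;               // step 4: stop at zero
        Topology::const_iterator nb = topo.find(as);
        if (nb == topo.end()) continue;
        for (std::size_t i = 0; i < nb->second.size(); ++i) {  // forward to every neighbour
            pending.push(std::make_pair(nb->second[i], r));
            ++messages;
        }
    }
    PropagationResult out;
    out.asesWithSla.assign(installed.begin(), installed.end());
    out.messages = messages;
    return out;
}

int main() {
    Topology topo = lineTopology(5);
    std::map<int, StopItServer> servers = makeServers(topo);
    PropagationResult r = activate(servers, topo, 2, std::vector<int>{1, 2}, 2, 0.0, 30.0);
    std::printf("messages=%d, ASs with SLA:", r.messages);
    for (std::size_t i = 0; i < r.asesWithSla.size(); ++i) std::printf(" %d", r.asesWithSla[i]);
    std::printf("\n");
    return 0;
}
```

On the 5-AS line with the victim in AS 2, a hop limit of 2 protects ASs 1, 2 and 3 with three messages; a hop limit of 3 reaches all five ASs, and the SLA expires once now + T_b has passed, which is what makes the activation temporary.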

 16. Shared Link Flooding Attack
     [Figure (left), StopIt only: total traffic, HTTP, VoIP, DDoS, DNS] StopIt is not able to face the attack; VoIP traffic is unaffected.
     [Figure (right), StopIt + DiffServ: VoIP, total traffic, HTTP, DNS, DDoS] The necessary bandwidth for the DNS server is ensured; HTTP traffic still remains affected by the DoS.
