A Defense Framework for Flooding-Based DDoS Attacks


  • 8/14/2019 A Defense Framework for Flooding-Based DDoS Attacks

    1/113

    A Defense Framework for Flooding-based DDoS Attacks

    by Yonghua You

    A thesis submitted to the School of Computing in conformity with the requirements for the degree of Master of Science

    Queen's University
    Kingston, Ontario, Canada
    August 2007

    Copyright © Yonghua You, 2007


    Abstract

    Distributed denial of service (DDoS) attacks are widely regarded as a major threat to the Internet. A flooding-based DDoS attack is a very common way to attack a victim machine by sending a large amount of malicious traffic. Existing network-level congestion control mechanisms are inadequate in preventing service quality from deteriorating because of these attacks. Although a number of techniques have been proposed to defeat DDoS attacks, it is still hard to detect and respond to flooding-based DDoS attacks due to the large number of attacking machines, the use of source-address spoofing, and the similarities between legitimate and attack traffic. In this thesis, we propose a distributed framework which will help to improve the quality of service of Internet service providers (ISPs) for legitimate traffic under DDoS attacks.

    The distributed nature of the DDoS problem requires a distributed solution. In this thesis, we propose a distance-based distributed DDoS defense framework which defends against attacks by coordinating between the distance-based DDoS defense systems of the source ends and the victim end. The proposed distance-based defense system has three major components: detection, traceback, and traffic control. In the detection component, two distance-based detection techniques are employed. The distance value of a packet indicates the number of hops the packet has traversed from an edge router to the victim. First, an average distance estimation DDoS detection technique is used to detect attacks based on the average distance values of the packets received at the victim end. Second, a distance-based traffic separation DDoS detection technique applies a traffic rate forecasting technique for identifying attack traffic within traffic that is separated based on distance values. For the traceback component, the existing Fast Internet Traceback (FIT) technique is employed to find remote edge routers which forward attack traffic to the victim. Based on the proposed distance-based rate limit mechanism, the traffic control component at the victim end requests the source-end defense systems to set up rate limits on these routers in order to efficiently reduce the amount of attack traffic.

    We evaluate the DDoS defense framework on a network simulation platform called NS2. We also evaluate the effectiveness of the two DDoS detection techniques independent of the proposed defense framework. The results demonstrate that both detection techniques are capable of detecting flooding-based DDoS attacks, and the defense framework can effectively control attack traffic in order to sustain the quality of service for legitimate traffic. Moreover, the framework shows better performance in defeating flooding-based DDoS attacks compared to the pushback technique, which uses a local aggregate congestion control mechanism to detect and control traffic flows that create congestion in a network.
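The average distance estimation detection sketched in the abstract, as a simplified illustration added here (not the thesis's code): the victim end compares each measurement window's mean packet distance against a running estimate of the mean and its mean absolute deviation (MAD), and a large deviation raises an alarm. The running-estimate update rules, the parameter values and the sample traffic mixes are assumptions made for this example; the thesis's actual estimators (Section 4.2.2) are not on this page.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional

@dataclass
class AvgDistanceDetector:
    """Victim-end detector watching the mean packet distance (hops from edge router to victim).
    The thesis's own estimators are not on this page: the running mean/MAD updates and the
    alarm rule below are assumptions made for this illustration."""
    w: float = 0.7          # weight kept for the running mean distance
    r: float = 0.5          # weight kept for the running mean absolute deviation (MAD)
    thr: float = 3.0        # alarm when |window mean - running mean| > thr * MAD
    mad_floor: float = 0.1  # lower bound on MAD so a very steady baseline is not hair-trigger
    warmup: int = 3         # initial windows used only to learn the baseline
    seen: int = 0
    mean_est: Optional[float] = None
    mad_est: float = 0.0

    def observe(self, distances: List[int]) -> bool:
        """Consume one window of per-packet distance values; True means an attack is suspected."""
        m = mean(distances)
        self.seen += 1
        if self.mean_est is None:  # first window seeds the baseline
            self.mean_est = m
            return False
        dev = abs(m - self.mean_est)
        alarm = self.seen > self.warmup and dev > self.thr * max(self.mad_est, self.mad_floor)
        if not alarm:  # learn only from windows believed normal, so a flood cannot drag the baseline
            self.mean_est = self.w * self.mean_est + (1 - self.w) * m
            self.mad_est = self.r * self.mad_est + (1 - self.r) * dev
        return alarm

def make_window(*mixes: Dict[int, int]) -> List[int]:
    """Expand {distance: packet_count} mixes into one window's list of distance values."""
    return [d for mix in mixes for d, n in mix.items() for _ in range(n)]

# Constructed sample traffic (not from the thesis): legitimate clients sit a few hops behind their
# edge routers with slight window-to-window variation; the flood comes from far more distant routers.
LEGIT_MIXES = [
    {3: 40, 4: 60, 5: 50, 6: 30, 8: 20},  # mean distance 4.75
    {3: 45, 4: 55, 5: 50, 6: 30, 8: 20},  # mean distance 4.725
    {3: 40, 4: 60, 5: 45, 6: 35, 8: 20},  # mean distance 4.775
]
ATTACK_MIX = {11: 150, 12: 150, 13: 100}  # 400 flood packets per window, mean distance ~11.9

def run_demo(normal_windows: int = 8, attack_windows: int = 3) -> List[bool]:
    """Per-window alarm decisions: legitimate-only windows first, then flooded windows."""
    det = AvgDistanceDetector()
    verdicts = [det.observe(make_window(LEGIT_MIXES[i % 3])) for i in range(normal_windows)]
    verdicts += [det.observe(make_window(LEGIT_MIXES[i % 3], ATTACK_MIX)) for i in range(attack_windows)]
    return verdicts
```

Because the baseline is only updated from windows judged normal, the flood's far-away distances do not pull the running mean toward themselves, which is what lets every flooded window keep alarming.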


    Acknowledgments

    I am highly thankful to my supervisor, Dr. Mohammad Zulkernine, for guiding me through my research.

    I would also like to thank Dr. Scott Knight of the Royal Military College of Canada for his comments on the DDoS detection techniques.

    I am also grateful to my labmates for numerous discussions I have had with them.

    I am grateful to my wife, my two sons, and my parents for having faith in me and providing me the background motivation all through my life.

    This research is partially supported by Bell Canada and MITACS (Mathematics of Information Technology and Complex Systems), Canada. Mr. Anwar Haque and his colleagues in Bell Canada provided very valuable advice in designing this framework.


    Table of Contents

    Abstract  i
    Acknowledgments  iii
    Table of Contents  iv
    List of Tables  vii
    List of Figures  viii

    Chapter 1: Introduction  1
      1.1 Motivation  1
      1.2 Objective and Scope of the Research  3
      1.3 Overview of the Defense Framework  4
      1.4 Contributions  5
      1.5 Organization of the Thesis  6

    Chapter 2: Distributed Denial-of-Service Attacks  7
      2.1 Distributed Cooperative Architecture of DDoS  8
      2.2 IP Spoofing  11
      2.3 Flooding DDoS Attack Mechanisms  11
        2.3.1 Smurf: ICMP Flooding-based Attack  14
        2.3.2 TCP SYN Flooding-based Attack  15
        2.3.3 Trinoo: UDP Flooding-based Attack  16
        2.3.4 DNS Amplification Attack  17
      2.4 Summary  18

    Chapter 3: Related Work  20
      3.1 DDoS Detection  21
        3.1.1 IP Attributes-based DDoS Detection  22
        3.1.2 Traffic Volume-based DDoS Detection  23
      3.2 DDoS Response  24
        3.2.1 Packet Filtering  25
        3.2.2 Rate Limiting  28
      3.3 DDoS Defense Framework  31
        3.3.1 Victim-end Defense  31
        3.3.2 Source-end Defense  34
        3.3.3 Distributed Defense  36
      3.4 Summary  40

    Chapter 4: Distance-based Defense Framework  42
      4.1 Overview of Defense Framework  42
      4.2 Detection Component  47
        4.2.1 Calculating Distance Using a Single-Bit Field  47
        4.2.2 Average Distance Estimation DDoS Detection  49
          Estimating Mean Distance  49
          Estimating Mean Absolute Deviation (MAD)  50
          DDoS Detection Algorithm  51
        4.2.3 Distance-Based Traffic Separation DDoS Detection  52
          Estimating Arrival Rate  53
          Estimating Deviation  53
          DDoS Detection Algorithm  54
        4.2.4 Integration of Two Detection Techniques  55
      4.3 Traceback Component  56
      4.4 Traffic Control Component  57
      4.5 Summary  61

    Chapter 5: Experiments and Results  62
      5.1 Overview of the Pushback Technique  63
      5.2 Simulation Setup  64
        5.2.1 Simulating Internet Topology  66
          Topology for Detection Evaluation  66
          Topology for Framework Evaluation  67
        5.2.2 Simulating Internet Data Traffic  67
          HTTP Traffic for Detection Evaluation  68
          HTTP Traffic for Framework Evaluation  68
        5.2.3 Simulating Attack Traffic  68
          Attack Traffic for Detection Evaluation  68
          Attack Traffic for Framework Evaluation  69
        5.2.4 Performance Metrics  69
          Metrics for Detection Evaluation  70
          Metrics for Framework Evaluation  70
      5.3 Detection Performance  71
        5.3.1 Adjustment of the Parameters  72
        5.3.2 Results: Average Distance Estimation DDoS Detection  72
        5.3.3 Results: Distance-based Traffic Separation DDoS Detection  74
      5.4 Defense Performance  76
        5.4.1 Average Latency of HTTP Transactions  77
        5.4.2 Failure Rate of HTTP Transaction  78
        5.4.3 Throughput of Legitimate Traffic  79
        5.4.4 Bandwidth Allocation of Traffic  83
        5.4.5 Drop Rate of Attack Traffic  85
        5.4.6 Drop Rate of Legitimate Traffic  86
      5.5 Discussions  87
        5.5.1 Different DDoS Attacks  88
        5.5.2 IP Spoofing  88
      5.6 Summary  89

    Chapter 6: Conclusion and Future Work  90
      6.1 Conclusion  90
      6.2 Future Work  92

    Bibliography  93


    List of Tables

    4.1 Symbols used in the listing are  51
    4.2 Symbols used in the distance-based traffic separation DDoS detection algorithm  54
    4.3 Symbols used in the rate limit algorithm  58
    5.1 Performance of The Average Distance Estimation DDoS Detection  74
    5.2 Performance of The Distance-based Traffic Separation DDoS Detection  76
    5.3 Average Latency of HTTP Transactions  77
    5.4 Failure Rates of HTTP Transactions  79
    5.5 Drop Rate of Attack Traffic  85
    5.6 Drop Rate of Legitimate Traffic  87


    List of Figures

    2.1 Typical architecture of a DDoS attack  9
    2.2 Architecture of a DDoS attack using reflectors  10
    2.3 A direct flooding-based DDoS attack  12
    2.4 A reflector flooding-based DDoS attack  13
    2.5 Comparison between Smurf broadcast amplification and DNS amplification  17
    2.6 A DNS amplification DDoS attack  18
    4.1 Distance-based distributed DDoS defense framework  43
    4.2 Illustration of distance-based distributed DDoS defense operation  45
    4.3 Conceptual architecture of the defense system  46
    4.4 IP header [83]  48
    4.5 FIT marking field diagram. Frag# is the fragment number field. [15]  48
    5.1 A DDoS attack in progress [79]  63
    5.2 DDoS detection based on average distance estimation when thr = 7.0, w = 0.7, and r = 0.5  73
    5.3 ROC curves of the average distance estimation DDoS detection technique  75
    5.4 DDoS detection based on the traffic separation for distance = 2  75
    5.5 No DDoS defense with ratio (9:1)  80
    5.6 Pushback with ratio (9:1)  80
    5.7 Distance-based DDoS defense with ratio (9:1)  80
    5.8 No DDoS defense with ratio (5:5)  81
    5.9 Pushback with ratio (5:5)  81
    5.10 Distance-based DDoS defense with ratio (5:5)  81
    5.11 No DDoS defense with 1 attacker ....