Distributed Denial of Service
Cryptography Applications Bistro
Presented by Lingxuan Hu
April 15, 2004
Why DDoS is hard to prevent
• Internet
– Limited resources
– Security highly interdependent
ISP?
The problem with DDOS security is this: if you implement DDOS security, it does not protect your network, it merely prevents your network from harming others. Why would an ISP spend extra time and effort implementing a security protocol that was good for everyone else... but not for them?
by simul, Kuro5hin.org (targeted by DDoS attacks), February 4, 2004
Defenses
• IP spoofing
– Egress filtering
– Keep routing state for each packet
– New type of control message (ICMP)
– Embed traceback information into IP header
• Bandwidth flooding
– Use overlay networks to debug input
– Push back to preserve bandwidth
– Equip your host with gobs of bandwidth and the appliances can mitigate the effect
Problem Statement
• Use IP traceback to defend against IP spoofing
– Packets sharing the same routing path as the attacker's packets will be dropped
• Challenges
– The average Internet routing path length is around 15, so reconstructing the path would take 60 bytes
– Where to put the traceback information?
Pi Overview
• Model the Internet as a binary tree rooted at the victim node
• Each router marks 0 or 1 in the IP identification field based on past path information
IP Header
• Identification field (16 bits)
– IP identification is only used for fragmentation, which constitutes less than 0.25% of the packets in the Internet
[Figure: IPv4 header layout (4-byte rows, bits 0–31): version, header length, DS, ECN, total length; Identification, flags (DF, MF), fragment offset; time-to-live (TTL), protocol, header checksum; source IP address; destination IP address; options (0 to 40 bytes); payload]
Pi Marking - Basic Marking Scheme
• Marking Scheme
– Each router marks n bits into IP Identification field
• Marking Location
– TTL (mod 16/n) indexes location in field to mark
• Marking Function
– Last n bits of hash (e.g. MD5) of router IP address
The following slides are adapted from Abraham Yaar's Oakland 2003 slides
Pi Marking - Example
Pi Marking Scheme - TTL Attack
[Figure: marking field with the final-TTL pointer, before and after the attacker's shift]
• Problem
– Attacker shifts markings by modifying initial TTL
• Note - marking bits and order haven't changed, just location in the marking field
• Solution
– Victim uses the final TTL to realign the marking bits using bit rotation
Pi Marking - IP Fragmentation
• Problem
– Mark values in IP Identification field break fragmentation
• Solution
– Don't mark packets that may ever get fragmented, or are fragments themselves
– During DDoS attack, drop packets not satisfying this predicate
Pi Filtering – Basic Scheme
• Basic Scheme
– Drop all packets with Pi marks matching that of any attack packets
• Assumption
– Victim can identify attack packets
• Implementation Overhead
– Memory: bit vector of length 2^16 (8 kB)
• if (BitVec[PiMark] == 0) then accept() else drop();
– Computation: O(1) per packet
Pi Filtering - Thresholds
• Problem
– Single attacker causes multiple users' rejections
• Solution
– Assume, for a particular Pi mark, i:
• a_i = number of attack packets
• u_i = number of legitimate users' packets
– Victim chooses threshold, t, such that if
$\frac{a_i}{a_i + u_i} \ge t$
then all packets with Pi mark i are dropped
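The marking, TTL-rotation and filtering steps from the slides above, as an added Python example (not code from the slides or from the Pi project); n = 2, the hop order (decrement TTL, then mark) and the router addresses are assumptions.

```python
import hashlib

N = 2                      # bits each router writes (the slides' n); n = 2 assumed here
ID_BITS = 16               # IPv4 Identification field width
SLOTS = ID_BITS // N       # 16/n marking locations in the field

def router_mark(ident, ttl, router_ip):
    """One Pi marking step: last n bits of MD5(router IP) go into the slot
    of the Identification field indexed by TTL mod (16/n)."""
    bits = hashlib.md5(router_ip.encode()).digest()[-1] & ((1 << N) - 1)
    shift = (ttl % SLOTS) * N
    cleared = ident & ~(((1 << N) - 1) << shift) & 0xFFFF
    return cleared | (bits << shift)

def forward(initial_ttl, path):
    """Carry a packet along path (router IPs, victim-bound). Assumed hop
    order: decrement TTL, then mark. Returns (mark, final_ttl)."""
    ttl, ident = initial_ttl, 0
    for ip in path:
        ttl -= 1
        ident = router_mark(ident, ttl, ip)
    return ident, ttl

def normalize(mark, final_ttl):
    """Victim-side answer to the TTL attack: rotate right by (final TTL mod
    16/n) slots, so hop k always lands in slot (L - k) whatever TTL the sender chose."""
    shift = (final_ttl % SLOTS) * N
    return ((mark >> shift) | (mark << (ID_BITS - shift))) & 0xFFFF

def victim_mark(initial_ttl, path):
    return normalize(*forward(initial_ttl, path))

def basic_filter(attack_marks):
    """2^16-bit vector (8 kB as an int); accept iff BitVec[PiMark] == 0."""
    bitvec = 0
    for m in attack_marks:
        bitvec |= 1 << m
    return lambda mark: not (bitvec >> mark) & 1       # True = accept

def threshold_filter(counts, t):
    """counts maps Pi mark i -> (a_i, u_i); drop i when a_i/(a_i+u_i) >= t."""
    return {i for i, (a, u) in counts.items() if a + u and a / (a + u) >= t}

if __name__ == "__main__":
    path = ["192.0.2.1", "198.51.100.7", "203.0.113.9"]      # constructed router IPs
    attack = {victim_mark(ttl, path) for ttl in (64, 128, 255)}  # TTL-attack attempts
    print("normalized attack marks:", attack)                # one mark despite TTL changes
    print("same-path packet accepted?", basic_filter(attack)(victim_mark(30, path)))
    print("marks dropped at t=0.5:", threshold_filter({0x2a: (90, 10), 0x17: (5, 95)}, 0.5))
```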
Experiment Results – Basic Filter
• DDoS protection
– Accepted:
• 60% of user traffic
• 17% of attacker traffic
• Downward slope due to "marking saturation"
– All markings flagged as attacker
Experiment Results – Threshold Filter
• Thresholds work!
– Victim increases false positives to decrease false negatives
• Greater attack traffic requires greater threshold values
Comments
• Review of the goal
– The same routing path yields the same marking
– Different routing paths have little probability of overlapping
• Question
– Why bother using rotated marking instead of a simple hash function?
DDoS Attacks
• IP spoofing
• Bandwidth flooding
Back to Zhanxiang