Page 1: Distributed Denial of Service CRyptography Applications Bistro Presented by Lingxuan Hu April 15, 2004

Distributed Denial of Service

CRyptography Applications Bistro
Presented by Lingxuan Hu

April 15, 2004

Page 2

Why DDoS is hard to prevent

• Internet
  – Limited resources
  – Security highly interdependent

Page 3

ISP?

The problem with DDOS security is this: if you implement DDOS security, it does not protect your network, it merely prevents your network from harming others. Why would an ISP spend extra time and effort implementing a security protocol that was good for everyone else... but not for them?

by simul, Kuro5hin.org (targeted by DDoS attacks), February 4, 2004

Page 4

Defenses
• IP spoofing
  – Egress filtering
  – Keep routing state for each packet
  – New type of control message (ICMP)
  – Embed traceback information into IP header
• Bandwidth flooding
  – Use overlay networks to debug input
  – Push back to preserve bandwidth
  – Equip your host with gobs of bandwidth and the appliances can mitigate the effect

Page 5

Problem Statement
• Use IP traceback to defend against IP spoofing
  – Packets having the same routing path as the attacker's packets will be dropped
• Challenges
  – The average Internet routing path length is around 15 hops, so reconstructing the path (one 4-byte router address per hop) would take about 60 bytes
  – Where to put the traceback information?

Page 6

PI Overview

• Model the Internet as a binary tree rooted at the victim node

• Each router marks a 0 or 1 in the IP identification field based on past path information

Page 7

IP Header

• Identification field (16 bits)
  – IP identification is only used for fragmentation, which constitutes less than 0.25% of the packets in the Internet

[Figure: IPv4 header layout, 4 bytes per row, bit numbers 0-31]

  bits 0-3    version
  bits 4-7    header length
  bits 8-15   DS (ECN in the low 2 bits)
  bits 16-31  total length (in bytes)

  bits 0-15   Identification
  bits 16-18  flags: 0, DF, MF
  bits 19-31  Fragment offset

  bits 0-7    time-to-live (TTL)
  bits 8-15   protocol
  bits 16-31  header checksum

  source IP address
  destination IP address
  options (0 to 40 bytes)
  payload

Page 8

Pi Marking - Basic Marking Scheme

• Marking Scheme
  – Each router marks n bits into the IP Identification field
• Marking Location
  – TTL (mod 16/n) indexes the location in the field to mark
• Marking Function
  – Last n bits of a hash (e.g. MD5) of the router IP address

The following slides are adapted from Abraham Yaar's Oakland 2003 slides

Page 9

Pi Marking - Example

Page 10

Pi Marking Scheme - TTL Attack

[Figure: marking field with the Final TTL pointer]

• Problem
  – Attacker shifts markings by modifying the initial TTL
  • Note - marking bits and order haven't changed, just their location in the marking field
• Solution
  – Victim uses the final TTL to re-align the packet's marking field using bit rotation
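The basic marking scheme (slide 8) and the bit-rotation defence against the TTL attack (slide 10), as an added worked example that is not code from the talk or from the Pi authors. It simulates a packet crossing a constructed path of routers: each router writes the last n bits of MD5(router IP) into the n-bit slot selected by TTL mod (16/n). Assumptions made here: routers decrement the TTL before marking, and the victim normalizes the field by rotating it right by the slot the final TTL points at, so the last-hop router's bits always sit in slot 0 and an attacker-chosen initial TTL no longer moves the mark.

```python
import hashlib

FIELD_BITS = 16  # width of the IPv4 Identification field, used as the marking field


def router_mark_value(router_ip: str, n: int) -> int:
    """Pi marking function: the last n bits of MD5(router IP address)."""
    digest = hashlib.md5(router_ip.encode("ascii")).digest()
    return int.from_bytes(digest, "big") & ((1 << n) - 1)


def mark_packet(ident: int, ttl: int, router_ip: str, n: int) -> int:
    """One router's marking step: overwrite the n-bit slot indexed by TTL mod (16/n)."""
    slots = FIELD_BITS // n
    shift = (ttl % slots) * n
    slot_mask = ((1 << n) - 1) << shift
    cleared = ident & ~slot_mask & 0xFFFF
    return cleared | (router_mark_value(router_ip, n) << shift)


def forward_path(path, initial_ttl: int, n: int):
    """Simulate a packet crossing the routers in `path` (sender side first).
    Assumption: each router decrements the TTL and then marks. Only the marks of
    the last 16/n routers survive, earlier ones are overwritten.
    Returns (Identification field value, final TTL) as seen by the victim."""
    ident, ttl = 0, initial_ttl
    for router_ip in path:
        ttl -= 1
        ident = mark_packet(ident, ttl, router_ip, n)
    return ident, ttl


def rotate_right16(value: int, k: int) -> int:
    """Rotate a 16-bit value right by k bits."""
    k %= FIELD_BITS
    return ((value >> k) | (value << (FIELD_BITS - k))) & 0xFFFF


def normalize_mark(ident: int, final_ttl: int, n: int) -> int:
    """Victim-side answer to the TTL attack: rotate the field by the slot the
    final TTL points at. Router j's mark then lands in a slot that depends only
    on its distance from the victim, not on the initial TTL the sender chose."""
    slots = FIELD_BITS // n
    return rotate_right16(ident, (final_ttl % slots) * n)


def victim_view(path, initial_ttl: int, n: int) -> int:
    """The Pi mark the victim actually filters on."""
    ident, final_ttl = forward_path(path, initial_ttl, n)
    return normalize_mark(ident, final_ttl, n)


# Constructed sample topology: five routers between sender and victim.
SAMPLE_PATH = ["10.0.1.1", "10.0.2.1", "10.0.3.1", "10.0.4.1", "10.0.5.1"]

if __name__ == "__main__":
    for ttl0 in (64, 128, 255):  # a normal TTL and two sender-chosen ones
        raw, final_ttl = forward_path(SAMPLE_PATH, ttl0, 2)
        norm = victim_view(SAMPLE_PATH, ttl0, 2)
        print(f"initial TTL {ttl0:3d}: raw mark {raw:016b}, normalized {norm:016b}")
```

Running the block shows the raw Identification field shifting with the initial TTL while the normalized mark stays constant for the same path, which is exactly the property the filter on the following slides depends on.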

Page 11

Pi Marking - IP Fragmentation

• Problem
  – Mark values in the IP Identification field break fragmentation
• Solution
  – Don't mark packets that may ever get fragmented, or are fragments themselves
  – During a DDoS attack, drop packets not satisfying this predicate

Page 12

Pi Filtering – Basic Scheme

• Basic Scheme
  – Drop all packets with Pi marks matching that of any attack packet
• Assumption
  – Victim can identify attack packets
• Implementation Overhead
  – Memory: bit vector of length 2^16 (8 kB)
    • if (BitVec[PiMark] == 0) then accept() else drop();
  – Computation: O(1) per packet

Page 13

Pi Filtering - Thresholds

• Problem
  – A single attacker causes multiple users' rejections
• Solution
  – Assume, for a particular Pi mark, i:
    • a_i = number of attack packets
    • u_i = number of legitimate users' packets
  – Victim chooses a threshold, t, such that if

    $\frac{a_i}{a_i + u_i} \geq t$

    then all packets with Pi mark i are dropped
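The basic filter (slide 12), the threshold filter (slide 13) and the fragmentation predicate (slide 11), as one added worked example that is not code from the talk or from the Pi authors. It keeps the 2^16-entry bit vector as 8 kB of real bits, so the per-packet decision is one predicate check and one bit lookup. The training input is labelled, which mirrors the slides' assumption that the victim can identify attack packets; the reading of "may ever get fragmented" as "DF bit clear", the class name `PiFilter` and the constructed sample marks are assumptions of this example.

```python
from collections import defaultdict

MARK_SPACE = 1 << 16            # 2^16 possible Pi marks
BITVEC_BYTES = MARK_SPACE // 8  # one bit per mark: 8 kB


def markable(df: bool, mf: bool, frag_offset: int) -> bool:
    """Pi fragmentation predicate: a packet may carry a mark only if it cannot
    be fragmented (DF set; this reading is an assumption of the example) and
    is not itself a fragment (MF clear, fragment offset 0)."""
    return df and not mf and frag_offset == 0


class PiFilter:
    """threshold=None gives the basic filter (drop a mark seen on any attack
    packet); threshold=t gives the threshold filter, which drops mark i when
    a_i / (a_i + u_i) >= t."""

    def __init__(self, threshold=None):
        self.threshold = threshold
        self.attack = defaultdict(int)   # a_i per mark
        self.legit = defaultdict(int)    # u_i per mark
        self.bitvec = bytearray(BITVEC_BYTES)

    def _set_flag(self, mark: int, drop: bool) -> None:
        byte, bit = divmod(mark, 8)
        if drop:
            self.bitvec[byte] |= 1 << bit
        else:
            self.bitvec[byte] &= 0xFF ^ (1 << bit)

    def _flagged(self, mark: int) -> bool:
        byte, bit = divmod(mark, 8)
        return (self.bitvec[byte] >> bit) & 1 == 1

    def learn(self, mark: int, is_attack: bool) -> None:
        """Update the counters for one labelled packet and recompute its flag."""
        if is_attack:
            self.attack[mark] += 1
        else:
            self.legit[mark] += 1
        a, u = self.attack[mark], self.legit[mark]
        if self.threshold is None:
            drop = a > 0
        else:
            drop = a / (a + u) >= self.threshold
        self._set_flag(mark, drop)

    def accept(self, mark: int, df=True, mf=False, frag_offset=0) -> bool:
        """Per-packet decision: O(1), one predicate check plus one bit lookup."""
        if not markable(df, mf, frag_offset):
            return False  # during an attack, packets failing the predicate are dropped
        return not self._flagged(mark)


# Constructed sample: mark 0x1234 is shared by one attack packet and nine user
# packets, mark 0xBEEF by ten attack packets and one user packet.
SAMPLE = ([(0x1234, True)] + [(0x1234, False)] * 9
          + [(0xBEEF, True)] * 10 + [(0xBEEF, False)])


def build(threshold=None) -> PiFilter:
    f = PiFilter(threshold)
    for mark, is_attack in SAMPLE:
        f.learn(mark, is_attack)
    return f


if __name__ == "__main__":
    basic, thr = build(), build(0.5)
    for mark in (0x1234, 0xBEEF, 0x0042):
        print(f"mark {mark:04x}: basic accepts={basic.accept(mark)}, "
              f"threshold 0.5 accepts={thr.accept(mark)}")
```

The difference between the two filters is visible on mark 0x1234: the basic filter rejects all nine users because one attack packet shared their mark, while the threshold filter at t = 0.5 keeps them, which is the trade of false negatives for fewer false positives that the experiment slides describe.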

Page 14

Experiment Results – Basic Filter

• DDoS protection
  – Accepted:
    • 60% of user traffic
    • 17% of attacker traffic
• Downward slope due to "marking saturation"
  – All markings flagged as attacker

Page 15

Experiment Results – Threshold Filter

• Thresholds Work!
  – Victim increases false positives to decrease false negatives
• Greater attack traffic requires greater threshold values

Page 16

Comments

• Review of the goal
  – The same routing path yields the same marking
  – Different routing paths have little probability of overlapping
• Question
  – Why bother using rotated marking instead of a simple hash function?

Page 17

DDoS Attacks
• IP spoofing
• Bandwidth flooding

Back to Zhanxiang