
Midterm Score Distribution


Midterm Score Distribution. You should worry if you are below this point. More Announcements. Your projected and optimistically projected grades should be in the grade center soon Projected: Your current weighted score /30 * 100 Optimistic: (Your current weighted score+70)/100 - PowerPoint PPT Presentation


Page 1: Midterm Score Distribution

Midterm Score Distribution

You should worry if you are below this point

Page 2: More Announcements

• Your projected and optimistically projected grades should be in the grade center soon
  o Projected: Your current weighted score /30 * 100
  o Optimistic: (Your current weighted score+70)/100
  o Just for your feedback
• Quiz 1 is posted
  o Do it before your lab slot but after this week’s lab lecture
  o Open book, open notes, unlimited time
  o You will do the same version again after your lab – to be posted soon. Better score counts.

Page 3: Resource Limitations

• Don’t allow an individual attack machine to use many of a target’s resources
• Requires:
  o Authentication, or
  o Making the sender do special work (puzzles)
• Authentication schemes are often expensive for the receiver
• Existing legitimate senders largely not set up to handle doing special work
• Can still be overcome with a large enough army of zombies

Page 4: Hiding From the Attacker

• Make it hard for anyone but legitimate clients to deliver messages at all
• E.g., keep your machine’s identity obscure
• A possible solution for some potential targets
  o But not for others, like public web servers
• To the extent that approach relies on secrecy, it’s fragile
  o Some such approaches don’t require secrecy

Page 5: Resource Multiplication

• As attacker demands more resources, supply them
• Essentially, never allow resources to be depleted
• Not always possible, usually expensive
• Not clear that defender can keep ahead of the attacker
• But still a good step against limited attacks
• More advanced versions might use Akamai-like techniques

Page 6: Trace and Stop Attacks

• Figure out which machines attacks come from
• Go to those machines (or near them) and stop the attacks
• Tracing is trivial if IP source addresses aren’t spoofed
  o Tracing may be possible even if they are spoofed
• May not have ability/authority to do anything once you’ve found the attack machines
• Not too helpful if attacker has a vast supply of machines

Page 7: Filtering Attack Streams

• The basis for most defensive approaches
• Addresses the core of the problem by limiting the amount of work presented to target
• Key question is:
  o What do you drop?
• Good solutions drop all (and only) attack traffic
• Less good solutions drop some (or all) of everything

Page 8: Filtering Vs. Rate Limiting

• Filtering drops packets with particular characteristics
  o If you get the characteristics right, you do little collateral damage
  o At odds with the desire to drop all attack traffic
• Rate limiting drops packets on basis of amount of traffic
  o Can thus assure target is not overwhelmed
  o But may drop some good traffic

Page 9: Where Do You Filter?

• Near the target?
• Near the source?
• In the network core?
• In multiple places?

Pages 10 to 13: Filtering Location Choices

Near target
  o Easier to detect attack
  o Sees everything
  o May be hard to prevent collateral damage
  o May be hard to handle attack volume

Near source
  o May be hard to detect attack
  o Doesn’t see everything
  o Easier to prevent collateral damage
  o Easier to handle attack volume

In core
  o Easier to handle attack volume
  o Sees everything (with sufficient deployment)
  o May be hard to prevent collateral damage
  o May be hard to detect attack

Page 14: How Do You Detect Attacks?

• Have database of attack signatures
• Detect anomalous behavior
  o By measuring some parameters for a long time and setting a baseline, then detecting when their values are abnormally high
  o By defining which behavior must be obeyed, starting from some protocol specification

Page 15: How Do You Filter?

• Devise filters that encompass most of anomalous traffic
• Drop everything but give priority to legitimate-looking traffic
  o It has some parameter values
  o It has certain behavior

Page 16: DDoS Defense Challenges

• Need for a distributed response
• Economic and social factors
• Lack of detailed attack information
• Lack of defense system benchmarks
• Difficulty of large-scale testing
• Moving target

Page 17: TCP SYN Flood

• Attacker sends lots of TCP SYN packets
  o Victim sends an ack, allocates space in memory
  o Attacker never replies
  o Goal is to fill up memory before entries time out and get deleted
• Usually spoofed traffic
  o Otherwise patterns may be used for filtering
  o OS at the attacker or spoofed address may send RST and free up memory

Page 18: TCP SYN Cookies

• Effective defense against TCP SYN flood
  o Victim encodes connection information and time in ACK number
  o Must be hard to craft values that get encoded into the same ACK number – use crypto for encoding
  o Memory is only reserved when final ACK comes
• Only the server must change
  o But TCP options are not supported
  o And lost SYN ACKs are not repeated
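As an added example (not from the slides), a toy SYN cookie: the server packs a time slot, an MSS index and a keyed hash of the connection into the 32-bit sequence number it sends in the SYN-ACK, keeps no state, and only allocates a connection when the client's final ACK carries that value plus one. The 5/3/24-bit layout, the MSS table, the secret and the sample addresses are all constructed here, with HMAC-SHA256 standing in for whatever keyed hash a real stack uses.

```python
import hmac, hashlib, socket, struct

SECRET = b"constructed-server-secret"      # a real server draws this at random
MSS_TABLE = [536, 1220, 1440, 1460]        # the MSS values a 3-bit index can encode

# Constructed sample 4-tuple (documentation addresses, no real hosts)
CLIENT = socket.inet_aton("198.51.100.7")
SERVER = socket.inet_aton("203.0.113.10")

def _hash24(src_ip, src_port, dst_ip, dst_port, client_isn, minute):
    """Keyed hash over the 4-tuple, the client's ISN and the time slot (24 bits)."""
    msg = struct.pack("!4sH4sHII", src_ip, src_port, dst_ip, dst_port, client_isn, minute)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now_minutes):
    """Server ISN for the SYN-ACK: minute (5 bits) | MSS index (3 bits) | hash (24 bits).
    Nothing is stored; the cookie itself carries the connection information."""
    mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss], default=0)
    minute = now_minutes & 0x1F
    h = _hash24(src_ip, src_port, dst_ip, dst_port, client_isn, minute)
    return (minute << 27) | (mss_idx << 24) | h

def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, ack, now_minutes):
    """Validate the final ACK (ack = server ISN + 1). Returns the negotiated MSS,
    or None if the cookie is stale or was not minted for this 4-tuple and ISN."""
    cookie = (ack - 1) & 0xFFFFFFFF
    minute, mss_idx, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if ((now_minutes - minute) & 0x1F) > 3:        # minted more than ~4 minutes ago
        return None
    if h != _hash24(src_ip, src_port, dst_ip, dst_port, client_isn, minute):
        return None
    return MSS_TABLE[mss_idx]                      # only now would state be allocated

if __name__ == "__main__":
    isn = make_syn_cookie(CLIENT, 40000, SERVER, 80, 12345, 1460, now_minutes=100)
    print(check_syn_cookie(CLIENT, 40000, SERVER, 80, 12345, isn + 1, now_minutes=101))  # 1460
    print(check_syn_cookie(CLIENT, 40000, SERVER, 80, 12345, isn + 1, now_minutes=105))  # None
```

The 3-bit MSS index is also why the slide says TCP options are not supported: only what fits in those bits survives, since the SYN itself is not kept.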

Page 19: Small-Packet Floods

• Overwhelm routers
  o Create a lot of pps
  o Exhaust CPU
  o Most routers can’t handle full bandwidth’s load of small packets
• No real solution, must filter packets somehow to reduce router load

Page 20: Shrew Attack

• Periodically slam the victim with short, high-volume pulses
  o Lead to congestion drops on client’s TCP traffic
  o TCP backs off
  o If loss is large, back off to 1 MSS per RTT
  o Attacker slams again after a few RTTs
• Solution requires TCP protocol changes
  o Tough to implement since clients must be changed

Page 21: Flash-Crowd Attack

• Generate legitimate application traffic to the victim
  o E.g., DNS requests, Web requests
  o Usually not spoofed
  o If enough bots are used, no client appears too aggressive
  o Really hard to filter since both traffic and client behavior seem identical between attackers and legitimate users

Page 22: Reflector Attack

• Generate service requests to public servers spoofing the victim’s IP
  o Servers reply back to the victim, overwhelming it
  o Usually done for UDP and ICMP traffic (TCP SYN flood would only overwhelm CPU if huge number of packets is generated)
  o Often takes advantage of amplification effect – some service requests lead to huge replies; this lets attacker amplify his attack

Page 23: Sample Research Defenses

• Pushback
• Traceback
• SOS
• Proof-of-work systems

Page 24: Pushback¹

• Goal: Preferentially drop attack traffic to relieve congestion
• Local ACC: Enable core routers to respond to congestion locally by:
  o Profiling traffic dropped by RED
  o Identifying high-bandwidth aggregates
  o Preferentially dropping aggregate traffic to enforce desired bandwidth limit
• Pushback: A router identifies the upstream neighbors that forward the aggregate traffic to it, requests that they deploy rate-limit

¹ “Controlling high bandwidth aggregates in the network,” Mahajan, Bellovin, Floyd, Paxson, Shenker, ACM CCR, July 2002

Page 25: Can it Work?

• Even a few core routers are able to control high-volume attacks
• Separation of traffic aggregates improves current situation
  o Only traffic for the victim is dropped
  o Drops affect a portion containing the attack traffic
• Likely to successfully control the attack, relieving congestion in the Internet
• Will inflict collateral damage on legitimate traffic

Page 26: Advantages and Limitations

+ Routers can handle high traffic volumes
+ Deployment at a few core routers can affect many traffic flows, due to core topology
+ Simple operation, no overhead for routers
+ Pushback minimizes collateral damage by placing response close to the sources
– Pushback only works in contiguous deployment
– Collateral damage is inflicted by response, whenever attack is not clearly separable
– Requires modification of existing core routers

Page 27: Traceback¹

• Goal: locate the agent machines
• Each packet header may carry a mark, containing:
  o EdgeID (IP addresses of the routers) specifying an edge it has traversed
  o The distance from the edge
• Routers mark packets probabilistically
• If a router detects a half-marked packet (containing only one IP address) it will complete the mark
• Victim under attack reconstructs the path from the marked packets

¹ “Practical network support for IP Traceback,” Savage, Wetherall, Karlin, Anderson, ACM SIGCOMM 2000
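As an added example, not part of the slides or of the paper's own code: a simulation of the probabilistic edge marking and victim-side path reconstruction described above. Router names, path length and the marking probability are constructed; clearing the end address whenever a router starts a new edge is a simplification for readability.

```python
import random
from dataclasses import dataclass
from typing import Optional

# Constructed path, attacker side first; the victim sits just past ROUTERS[-1].
ROUTERS = [f"R{i}" for i in range(1, 11)]

@dataclass
class Mark:
    start: Optional[str] = None   # upstream router of the sampled edge
    end: Optional[str] = None     # its downstream neighbour; None while half-marked
    distance: int = 0             # hops from the edge to the victim

def router_mark(router, mark, p, rng):
    """Edge sampling at one router: with probability p start a new edge, otherwise
    complete a half-marked packet (only one address so far) and count the hop."""
    if rng.random() < p:
        mark.start, mark.end, mark.distance = router, None, 0
        return
    if mark.distance == 0 and mark.start is not None:
        mark.end = router                 # complete the half mark
    mark.distance += 1

def reconstruct_path(marks):
    """Victim side: chain the sampled edges by distance, nearest router first.
    Marks that never acquired a start address carry no edge and are ignored."""
    edges = {(m.start, m.end, m.distance) for m in marks if m.start is not None}
    path, d = [], 0
    while True:
        nxt = [s for s, e, dist in edges if dist == d and (d == 0 or e == path[-1])]
        if len(nxt) != 1:                 # no edge at this distance, or ambiguous: stop
            break
        path.append(nxt[0])
        d += 1
    return path

def simulate(routers=ROUTERS, n_packets=2000, p=0.04, seed=1):
    """Send n_packets attack packets down the path and rebuild it from the marks."""
    rng = random.Random(seed)
    marks = []
    for _ in range(n_packets):
        m = Mark()                        # attacker packets arrive unmarked
        for r in routers:
            router_mark(r, m, p, rng)
        marks.append(m)
    return reconstruct_path(marks)        # e.g. ['R10', 'R9', ..., 'R1']
```

A mark from the far end of the path survives only with probability p(1-p)^(d-1), which is why the next slides note that a few thousand packets are needed for long paths.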

Page 28: Traceback and IP Spoofing

• Traceback does nothing to stop DDoS attacks
• It only identifies attackers’ true locations
  o Comes to a vicinity of attacker
• If IP spoofing were not possible in the Internet, traceback would not be necessary
• There are other approaches to filter out spoofed traffic

Page 29: Can it Work?

• Incrementally deployable, a few disjoint routers can provide beneficial information
• Moderate router overhead (packet modification)
• A few thousand packets are needed even for long path reconstruction
• Does not work well for highly distributed attacks
• Path reassembly is computationally demanding, and is not 100% accurate:
  o Path information cannot be used for legal purposes
  o Routers close to the sources can efficiently block attack traffic, minimizing collateral damage

Page 30: Advantages and Limitations

+ Incrementally deployable
+ Effective for non-distributed attacks and for highly overlapping attack paths
+ Facilitates locating routers close to the sources
– Packet marking incurs overhead at routers, must be performed at slow path
– Path reassembly is complex and prone to errors
– Reassembly of distributed attack paths is prohibitively expensive

Page 31: SOS¹

• Goal: route only “verified user” traffic to the server, drop everything else
• Clients use overlay network to reach the server
• Clients are authenticated at the overlay entrance, their packets are routed to proxies
• Small set of proxies are “approved” to reach the server, all other traffic is heavily filtered out

¹ “SOS: Secure Overlay Services,” Keromytis, Misra, Rubenstein, ACM SIGCOMM 2002

Page 32: SOS

• User first contacts nodes that can check its legitimacy and let him access the overlay – access points
• An overlay node uses Chord overlay routing protocol to send user’s packets to a beacon
• Beacon sends packets to a secret servlet
• Secret servlets tunnel packets to the firewall
• Firewall only lets through packets with an IP of a secret servlet
  o Secret servlet’s identity has to be hidden, because their source address is a passport for the realm beyond the firewall
  o Beacons are nodes that know the identity of secret servlets
• If a node fails, other nodes can take its role

Page 33: Can It Work?

• SOS successfully protects communication with a private server:
  o Access points can distinguish legitimate from attack communications
  o Overlay protects traffic flow
  o Firewall drops attack packets
• Redundancy in the overlay and secrecy of the path to the target provide security against DoS attacks on SOS

Page 34: Advantages And Limitations

+ Ensures communication of “verified user” with the victim
+ Resilient to overlay node failure
+ Resilient to DoS on the defense system
– Does not work for public service
– Traffic routed through the overlay travels on suboptimal path
– Brute force attack on links leading to the firewall still possible

Page 35: Client Puzzles¹

• Goal: defend against connection depletion attacks
• When under attack:
  o Server distributes small cryptographic puzzles to clients requesting service
  o Clients spend resources to solve the puzzles
  o Correct solution, submitted on time, leads to state allocation and connection establishment
  o Non-validated connection packets are dropped
• Puzzle generation is stateless
• Client cannot reuse puzzle solutions
• Attacker cannot make use of intercepted packets

¹ “Client puzzles: A cryptographic countermeasure against connection depletion attacks,” Juels, Brainard, NDSS 1999
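Added example (not from the slides or from the Juels and Brainard paper): a hash-based client puzzle that exhibits the three properties listed above, with stateless issuing (the puzzle nonce is a MAC the server can recompute), a submission window, binding to the requesting client, and a short-lived record of accepted solutions so none can be reused. The secret, the client identifiers, the nonce encoding and the window length are constructed.

```python
import hashlib, hmac, struct

SERVER_SECRET = b"constructed-puzzle-secret"    # random per server in practice
CLIENT_A = b"198.51.100.7:40000"                # constructed client identifiers
CLIENT_B = b"198.51.100.8:40000"

def _nonce(client_id, t, k):
    """MAC over (client, time slot, difficulty): the server can re-derive the puzzle
    on submission instead of storing it, so issuing puzzles costs no state."""
    return hmac.new(SERVER_SECRET, struct.pack("!IB", t, k) + client_id, hashlib.sha256).digest()[:8]

def issue_puzzle(client_id, t, k):
    """Server, under attack: hand out a puzzle of difficulty k (leading zero bits)."""
    return {"nonce": _nonce(client_id, t, k), "t": t, "k": k}

def _leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve_puzzle(puzzle):
    """Client: brute-force the smallest x with H(nonce || x) having k leading zero bits.
    Expected cost is about 2**k hashes; verification below is a single hash."""
    x = 0
    while _leading_zero_bits(hashlib.sha256(puzzle["nonce"] + x.to_bytes(8, "big")).digest()) < puzzle["k"]:
        x += 1
    return x

def verify_solution(client_id, puzzle, x, now, accepted, window=2):
    """Server: allocate state only if the puzzle is ours, fresh, unused and solved.
    'accepted' is the short-lived set of solutions seen inside the window."""
    if not hmac.compare_digest(puzzle["nonce"], _nonce(client_id, puzzle["t"], puzzle["k"])):
        return False                              # not issued to this client: an intercepted puzzle is useless
    if not 0 <= now - puzzle["t"] <= window:
        return False                              # submitted too late
    if (puzzle["nonce"], x) in accepted:
        return False                              # replayed solution
    digest = hashlib.sha256(puzzle["nonce"] + x.to_bytes(8, "big")).digest()
    if _leading_zero_bits(digest) < puzzle["k"]:
        return False                              # wrong answer
    accepted.add((puzzle["nonce"], x))
    return True
```

Raising k when resource consumption climbs is how the server "determines the difficulty of the puzzle according to its resource consumption" on the next slide; each extra bit doubles the client's expected work without changing the server's cost.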

Page 36: Can It Work?

• Client puzzles guarantee that each client has spent a certain amount of resources
• Server determines the difficulty of the puzzle according to its resource consumption
  o Effectively server controls its resource consumption
• Protocol is safe against replay or interception attacks
• Other flooding attacks will still work

Page 37: Advantages And Limitations

+ Forces the attacker to spend resources, protects server resources from depletion
+ Attacker can only generate a certain number of successful connections from one agent machine
+ Low overhead on server
– Requires client modification
– Will not work against highly distributed attacks
– Will not work against bandwidth consumption attacks (Defense By Offense paper changes this)