Pi: A Path Identification Mechanism to Defend Against DDoS Attacks

Presentation transcript:

Pi: A Path Identification Mechanism to Defend Against DDoS Attacks
Abraham Yaar, Adrian Perrig, Dawn Song
Carnegie Mellon University, {ayaar, perrig, dawnsong}@cmu.edu
Presented and Edited by Yongdae Kim

Outline
- DDoS Attack/Defense Review
- Goals/Main Idea
- Pi Marking
- Pi Filtering
- Experimental Results
- Discussion
- Conclusion

DDoS Review
- Attackers compromise network hosts and flood the victim with packets
  - Overload packet processing capacity
  - Saturate network bandwidth
- Spoofed source IP addresses evade network filters
[Figure: example topology used throughout the talk: the victim behind routers RA, RB, RC, RX, RY, RZ, with attackers (A) and legitimate users (U) at the edge]

RFC 3514: Security flag in IP header (Steven Bellovin, April Fools joke)
- Attackers must set the "evil bit" in malicious packets
- Receivers can filter out evil packets
- Challenge: deployment
- Pi achieves a similar property!

IP Traceback Defense
- Victim reconstructs the attack tree from address fragments carried in packets
- Disadvantages:
  - Slow reconstruction
  - Multi-path reconstruction
  - Assumes upstream ISP collaboration
[Figure: the same topology; each router inserts a fragment of its address (X1, X2, Y1, Y2, Z1, Z2, ...) into packets, and the victim reassembles the fragments into the attack tree]

Other Strategies
- Source Path Isolation Engine (SPIE)
  - Routers store packet hashes; a recursive query reconstructs the path
  - Disadvantage: per-packet state at routers
- Pushback Framework
  - Routers identify attack packet characteristics and install upstream filters
  - Difficult to distinguish attack packets from user packets

Goals – Ideal DDoS Defense
- Fast
  - Defense after a single attack packet
  - Victim filters traffic
  - No dependency on upstream ISPs
- Overhead
  - Minimal computation/state at routers and victims
- Interoperability
  - Supports IP fragmentation
  - Incrementally deployable: additional deployment increases performance

Main Idea
- Path "fingerprints"
  - Entire fingerprint in each packet
  - Incrementally constructed by routers along the path
- Victim rejects packets with attacker fingerprints (Pi-marks)
[Figure (animated over four slides): the example topology with routers RA, RB, RC, RX, RY, RZ numbered 1-7; each router appends its mark i_k as packets pass, so packets from attackers (A) and users (U) arrive with different fingerprints; the victim compares them against the learned attacker marks and labels each arrival "Accepted Packets" or "Rejected Packets"]

Pi Marking Scheme
- Marking Function: last n bits of a hash (e.g., MD5) of the router's IP address
- Marking Aggregation: each router pushes its n-bit mark into the IP Identification field

Pi Marking
- Queue-based marking: routers "push" their marking into the IP Identification field
- Note: the victim's local routers (in general the last 3 or 4 hops) do not mark
[Figure: path A → π → π → π → V; each marking router π shifts the field left and inserts its mark (00, 11, 10 in the example) in the low-order bits, pushing older bits (xx) toward the high end]

Legacy Routers
- Legacy routers do not mark
- Extensions
  - Detect an upstream legacy router
  - Mark on behalf of the previous legacy router
  - Write-ahead improvement
[Figure: path A → π → L → π → V; the legacy router L leaves the IP Identification field unchanged]

Path Marking vs. Edge Marking
- Collision in path marking
  - path(AC) = m_A m_C, path(BC) = m_B m_C
  - With probability 1/2^n, m_A = m_B
- Edge marking
  - path(AC) = m_A' m_C1, path(BC) = m_B' m_C2, where m_C1 = h(IP_C || IP_A) and m_C2 = h(IP_C || IP_B)
  - The collision probability of a single mark is still 1/2^n
  - But the probability that two paths joining at the same node carry identical marks becomes 1/2^(2n)

Pi Marking - IP Fragmentation
- Problem: using deterministic values in the IP Identification field breaks fragmentation
- Solution (suggested by Vern Paxson): don't mark packets that may ever get fragmented, or that are fragments themselves; mark only
  - packets with the DF (Don't Fragment) bit set
  - packets smaller than the smallest MTU
- During a DDoS attack, drop packets that do not have the DF bit set
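The marking function, queue-based aggregation, legacy routers, edge marking and the fragmentation rule from the preceding slides, as an added Python example (this is not code from the paper or the talk). The router addresses, the 576-byte "smallest MTU", the `||` separator inside the edge-marking hash and the fallback to plain path marking at the first hop are assumptions of this example.

```python
import hashlib
from typing import Optional

ID_FIELD_BITS = 16      # width of the IP Identification field, the marking target
MIN_MTU = 576           # assumed "smallest MTU" for the fragmentation rule


def router_mark(router_ip: str, n: int, prev_hop_ip: Optional[str] = None) -> int:
    """Marking function from the slides: the last n bits of an MD5 hash.

    Path marking hashes the router's own address.  Edge marking (prev_hop_ip
    given) hashes router address || previous-hop address, so one router emits
    a different mark for packets that reach it over different links.
    """
    data = router_ip.encode()
    if prev_hop_ip is not None:
        data += b"||" + prev_hop_ip.encode()   # h(IP_C || IP_prev); separator is an assumption
    return int.from_bytes(hashlib.md5(data).digest(), "big") & ((1 << n) - 1)


def push_mark(ip_id: int, mark: int, n: int) -> int:
    """Queue-based aggregation: shift the field left by n bits, insert the new
    mark in the low bits, and discard whatever falls off the high end."""
    return ((ip_id << n) | mark) & ((1 << ID_FIELD_BITS) - 1)


def pi_mark(path, n=2, legacy=frozenset(), non_marking_tail=0, edge=False, ip_id=0):
    """Carry one packet along `path` (router IPs in hop order, source to victim).

    `ip_id` is the sender-chosen initial field value (an attacker may pick any
    value).  Routers in `legacy` do not mark.  The last `non_marking_tail`
    routers model the victim ISP's perimeter, which the slides say does not
    mark.  Returns the Pi mark the victim sees.
    """
    marking_routers = path[:len(path) - non_marking_tail]
    prev_hop = None                     # first router: no previous hop, so plain path marking (assumption)
    for router in marking_routers:
        if router not in legacy:
            mark = router_mark(router, n, prev_hop if edge else None)
            ip_id = push_mark(ip_id, mark, n)
        prev_hop = router
    return ip_id


def should_mark(df_set: bool, total_length: int, is_fragment: bool) -> bool:
    """Paxson's rule from the slide: mark only packets that can never be
    fragmented, i.e. non-fragments that carry DF or fit the smallest MTU."""
    return (not is_fragment) and (df_set or total_length <= MIN_MTU)


# Constructed example path: ten marking routers in hop order, then the victim.
EXAMPLE_PATH = [f"10.0.{i}.1" for i in range(1, 11)]

if __name__ == "__main__":
    print(f"path mark          : {pi_mark(EXAMPLE_PATH):016b}")
    print(f"edge mark          : {pi_mark(EXAMPLE_PATH, edge=True):016b}")
    print(f"with legacy router : {pi_mark(EXAMPLE_PATH, legacy={'10.0.5.1'}):016b}")
    print(f"3-hop path, id=0   : {pi_mark(EXAMPLE_PATH[:3], ip_id=0):016b}")
    print(f"3-hop path, id=all1: {pi_mark(EXAMPLE_PATH[:3], ip_id=0xFFFF):016b}")
```

Running it shows two properties the later slides rely on: with n = 2 and more than eight marking routers, the sender's initial field value is shifted out entirely, whereas a short path (a "nearby" attacker) leaves attacker-chosen bits in the mark the victim sees.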

Pi Filtering – Basic Scheme
- Drop all packets whose Pi mark matches that of any attack packet
- Assumption: the victim can identify attack packets
- Implementation overhead
  - Memory: bit vector of length 2^16 (8 kB)
  - Simple per-packet lookup: if (BitVec[PiMark] == 0) then accept() else drop();

Pi Filtering - Thresholds
- Problem: a single attacker causes multiple users' packets to be rejected
- Solution: for a particular Pi mark i, let
  - a_i = number of attack packets
  - u_i = number of legitimate users' packets
- The victim chooses a threshold t such that if [threshold condition on a_i, u_i and t; missing from the transcript] then packets with Pi mark i are kept
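The basic bit-vector filter and the threshold filter from the two filtering slides, together with the acceptance-ratio metrics the experiments report, as an added Python example (not the paper's or the talk's code). The learning-phase traffic is constructed, and the threshold test a_i / (a_i + u_i) <= t is an assumption of this example, since the transcript does not preserve the slide's formula.

```python
from collections import Counter

MARK_BITS = 16
NUM_MARKS = 1 << MARK_BITS

# Constructed learning-phase traffic: (pi_mark, is_attack) pairs, labelled the
# way the omniscient victim of the learning phase would label them.
LEARNING = [
    (0x1A2B, True), (0x1A2B, True), (0x1A2B, True),   # attack path behind mark 0x1A2B
    (0x1A2B, False),                                  # one legitimate user shares it
    (0x3C4D, False), (0x3C4D, False), (0x3C4D, False),
    (0x3C4D, True),                                   # one attacker shares a mostly-user mark
    (0x5E6F, False), (0x5E6F, False),                 # clean mark
    (0x7081, True), (0x7081, True),                   # purely attack mark
]


def basic_filter(learning):
    """Basic scheme: one entry per possible mark; any mark seen on an attack
    packet is dropped from then on, with a constant-time lookup per packet."""
    bitvec = [0] * NUM_MARKS          # 2^16 entries; packed one bit each this is the slide's 8 kB
    for mark, is_attack in learning:
        if is_attack:
            bitvec[mark] = 1
    return lambda mark: bitvec[mark] == 0      # True means accept


def count_marks(learning):
    """Per-mark attack (a_i) and user (u_i) packet counts from the learning phase."""
    a, u = Counter(), Counter()
    for mark, is_attack in learning:
        (a if is_attack else u)[mark] += 1
    return a, u


def threshold_filter(learning, t):
    """Threshold scheme: keep mark i when its attack fraction is at most t.
    The ratio form a_i / (a_i + u_i) <= t is an assumption of this example."""
    a, u = count_marks(learning)

    def accept(mark):
        total = a[mark] + u[mark]
        return total == 0 or a[mark] / total <= t   # unseen marks are accepted
    return accept


def acceptance_ratios(accept, packets):
    """Metrics slide: (user acceptance ratio, attacker acceptance ratio), i.e.
    1 - false-positive rate and the false-negative rate."""
    sent, kept = Counter(), Counter()
    for mark, is_attack in packets:
        sent[is_attack] += 1
        if accept(mark):
            kept[is_attack] += 1
    return kept[False] / sent[False], kept[True] / sent[True]


if __name__ == "__main__":
    # The attack phase replays the same constructed mix of marks.
    for name, f in (("basic", basic_filter(LEARNING)), ("t=0.5", threshold_filter(LEARNING, 0.5))):
        users, attackers = acceptance_ratios(f, LEARNING)
        print(f"{name:6s} user acceptance {users:.2f}  attacker acceptance {attackers:.2f}")
```

On this constructed traffic the basic filter drops every attack packet but also every user who shares a mark with an attacker (user acceptance 2/6), while the 50% threshold keeps the mostly-user mark 0x3C4D and raises user acceptance to 5/6 at the cost of admitting that mark's one attacker (attacker acceptance 1/6), which is the trade-off the threshold slides describe.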

Exp. Results – Attack Model
- Two-phase DDoS model
- Phase 1: Learning phase
  - Omniscient victim, filter bootstrapping
  - Limited length (3 packets per endhost)
- Phase 2: Attack phase
  - Pi filter deployed
  - "Unlimited" length (3 packets simulated)
- Results presented for phase 2

Exp. Results - Setup
- Two Internet topologies
  - Internet Map Project: 81,953 unique endhosts
  - CAIDA Skitter Map: 171,472 unique endhosts
- 5,000 legitimate users, 100-10,000 attackers
- n = 2 bits
- 4-router non-marking ISP perimeter (victim ISP marks are unnecessary/undesirable)

Exp. Results - Metrics
- Filter errors
  - False positive: user packet dropped
  - False negative: attacker packet accepted
- Acceptance ratio: percent of packets accepted by the victim out of total packets sent
  - Attacker acceptance ratio = false negative rate
  - User acceptance ratio = 1 – false positive rate

Exp. Results – Basic Filter
- DDoS protection: accepted (with 10,000 unique attack paths): 60% of user traffic, 17% of attacker traffic
- Downward slope due to "marking saturation": all markings flagged as attacker

Exp. Results – 50% Threshold Filter Performance
- Thresholds work! Accepted (with 10,000 unique attack paths): 82% of user traffic, 22% of attacker traffic
- Increased attack severity requires an increased threshold

Exp. Results – Legacy Routers
- 50% threshold used
- Performance degradation is gradual; some filtering accuracy even at 50% legacy routers
[Figure: filtering accuracy vs. fraction of legacy routers; 0 = random selection, 1 = perfect filter]

Exp. Results – Limited Capacity
- Constraint: limit the maximum number of packets accepted
- Strategy: accept the Pi marks with the lowest attack traffic first
- Performance: 60% of server capacity goes to legitimate packets when total attack traffic is 170X the user traffic
- Note: each attacker sends 10X the traffic of a legitimate user
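The limited-capacity strategy from the slide above, as an added Python example (not the paper's or the talk's code). The per-mark learning-phase counts are constructed (following the note that an attacker sends about 10X a user's traffic), and admitting whole marks rather than fractions of a mark is an assumption of this example.

```python
# Constructed per-mark counts from a learning phase: mark -> (a_i, u_i).
LEARNED = {
    0x0001: (0, 4),     # users only
    0x0002: (2, 3),     # light attack traffic mixed with users
    0x0003: (10, 2),    # one attacker (10X a user) sharing a mark with two users
    0x0004: (30, 1),    # three attackers and one user
}


def attack_fraction(a, u):
    """Share of a mark's learning-phase packets that were attack packets."""
    return a / (a + u) if a + u else 0.0


def capacity_schedule(learned, capacity):
    """Limited-capacity strategy: the victim can accept at most `capacity`
    packets, so it admits whole Pi marks in increasing order of attack
    fraction (ties broken toward more user packets) and stops at the first
    mark whose load would exceed the budget.  Returns which marks were
    admitted and what share of user and attack traffic they carry."""
    order = sorted(learned, key=lambda m: (attack_fraction(*learned[m]), -learned[m][1]))
    accepted, load = [], 0
    for mark in order:
        a, u = learned[mark]
        if load + a + u > capacity:
            break                       # lowest-attack marks first; do not skip ahead
        accepted.append(mark)
        load += a + u
    users_total = sum(u for _, u in learned.values())
    attack_total = sum(a for a, _ in learned.values())
    users_served = sum(learned[m][1] for m in accepted)
    attack_served = sum(learned[m][0] for m in accepted)
    return {
        "accepted": accepted,
        "user_share": users_served / users_total,        # fraction of user packets served
        "attack_share": attack_served / attack_total,    # fraction of attack packets served
        "capacity_for_users": users_served / capacity,   # server capacity spent on users
    }


if __name__ == "__main__":
    for cap in (10, 25):
        r = capacity_schedule(LEARNED, cap)
        print(f"capacity {cap:2d}: marks {[hex(m) for m in r['accepted']]}, "
              f"users served {r['user_share']:.2f}, attack served {r['attack_share']:.3f}, "
              f"capacity for users {r['capacity_for_users']:.2f}")
```

With a budget of 10 packets the schedule admits only the two cleanest marks, spending 70% of the capacity on users and passing 2 of 42 attack packets; raising the budget to 25 lets the third mark in, which serves nine of the ten users but also admits ten more attack packets.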

Other Applications
- Help other anti-DDoS techniques
  - Pushback: filters that mask individual IP addresses can be very long; upstream path information improves filtering accuracy
  - IP traceback path reconstruction
  - IDS
- ISPs use Pi to detect IP address spoofing

Discussion: Deployment Incentives
- Lack of incentive for ingress filtering
- Pi provides an incentive for ISPs
  - Customers benefit from Pi marking
  - Attackers within an ISP cause blocking of that ISP's other customers, so the ISP has an incentive to block the attack
  - Incentives for ingress filtering
- Market pressures drive Pi deployment: large-scale Internet sites > ISP > router manufacturer

Future Work
- Advanced marking schemes: use a combination of XOR and shift
- Advanced dynamic filters
  - Problems: "nearby" attackers always have attacker-initialized bits in their markings; route changes cause Pi mark variations
  - Solution: machine learning techniques identify marking commonalities (i.e., longest prefix matching for nearby attackers)

Related Work
- IP traceback: itrace, SPIE
- PEIP – Path Enhanced IP (CS3-Inc.): adds a 16-byte path to each packet; routers mark within the 16-byte path

Pi: Conclusions
- Disadvantages of current DDoS defenses: slow, high overhead, assumes ISP collaboration
- Pi provides DDoS protection
  - After the first identified attack packet
  - Minimal overhead at routers and endhosts
  - Maintains IP fragmentation
  - No inter-ISP cooperation
  - Great incremental deployment properties