Lecture 8 Page 1 CS 236, Spring 2008 Distributed Denial of Service Attacks CS 236 Advanced Computer Security Peter Reiher May 20, 2008.

Slides:



Advertisements
Similar presentations
(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.
Advertisements

Quiz 1 Posted on DEN 8 multiple-choice questions
Why Is DDoS Hard to Solve? 1.A simple form of attack 2.Designed to prey on the Internet’s strengths 3.Easy availability of attack machines 4.Attack can.
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 1 D-WARD 1  Goal: detect attacks, reduce the attack traffic, recognize.
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.
 Unlike other forms of computer attacks, goal isn’t access or theft of information or services  The goal is to stop the service from operating o.
You should worry if you are below this point.  Your projected and optimistically projected grades should be in the grade center soon o Projected:  Your.
15-441: Computer Networking Lecture 26: Networking Future.
Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
Defending Against Flooding Based DoS Attacks : A tutorial - Rocky K.C. Chang, The Hong Kong Polytechnic University Presented by – Ashish Samant.
Bandwidth DoS Attacks and Defenses Robert Morris Frans Kaashoek, Hari Balakrishnan, Students MIT LCS.
Game-based Analysis of Denial-of- Service Prevention Protocols Ajay Mahimkar Class Project: CS 395T.
An Overview Zhang Fu Outline What is DDoS ? How it can be done? Different types of DDoS attacks. Reactive VS Proactive Defence.
DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Sample Research Defenses Packetscore Pushback Traceback SOS Proof-of-work systems Human behavior modeling SENSS.
PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.
Lecture 22 Page 1 Advanced Network Security Other Types of DDoS Attacks Advanced Network Security Peter Reiher August, 2014.
1Federal Network Systems, LLC CIS Network Security Instructor Professor Mort Anvair Notice: Use and Disclosure of Data. Limited Data Rights. This proposal.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.
Lecture 29 Page 1 Advanced Network Security Privacy in Networking Advanced Network Security Peter Reiher August, 2014.
Network security Further protocols and issues. Protocols: recap There are a few main protocols that govern the internet: – Internet Protocol: IP – Transmission.
Lecture 16 Page 1 Advanced Network Security Perimeter Defense in Networks: Virtual Private Networks Advanced Network Security Peter Reiher August, 2014.
Lecture 18 Page 1 Advanced Network Security Distributed Denial of Service Attacks Advanced Network Security Peter Reiher August, 2014.
Lecture 1 Page 1 CS 239, Fall 2010 Distributed Denial of Service Attacks and Defenses CS 239 Advanced Topics in Computer Security Peter Reiher September.
1 Countering DoS Through Filtering Omar Bashir Communications Enabling Technologies
GORAN OSIM AND TIM MYERS CPSC 424 DDOS AND THE SYSADMIN.
Lecture 12 Page 1 CS 236 Online Virtual Private Networks VPNs What if your company has more than one office? And they’re far apart? –Like on opposite coasts.
Group 8 Distributed Denial of Service. DoS SYN Flood DDoS Proposed Algorithm Group 8 What is Denial of Service? “Attack in which the primary goal is to.
Lecture 12 Page 1 CS 236, Spring 2008 Virtual Private Networks VPNs What if your company has more than one office? And they’re far apart? –Like on opposite.
Resilient Overlay Networks Robert Morris Frans Kaashoek and Hari Balakrishnan MIT LCS
1 SOS: Secure Overlay Services A. D. Keromytis V. Misra D. Runbenstein Columbia University.
Lecture 20 Page 1 Advanced Network Security Basic Approaches to DDoS Defense Advanced Network Security Peter Reiher August, 2014.
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 1 Resource Limitations  Don’t allow an individual attack machine to.
Denial of Service Attack 발표자 : 전지훈. What is Denial of Service Attack?  Denial of Service Attack = DoS Attack  Service attacks on a Web server floods.
Chapter 7 Denial-of-Service Attacks Denial-of-Service (DoS) Attack The NIST Computer Security Incident Handling Guide defines a DoS attack as: “An action.
Denial of Service DoS attacks try to deny legimate users access to services, networks, systems or to other resources. There are DoS tools available, thus.
Lecture 6 Page 1 CS 236, Spring 2008 Privacy and Anonymity CS 236 Advanced Computer Security Peter Reiher May 6, 2008.
CIS 659 – Introduction to Network Security – Fall 2003 – Class 10 – 10/9/03 1 Simple Denial of Service.
Lecture 17 Page 1 CS 236, Spring 2008 Distributed Denial of Service (DDoS) Attacks Goal: Prevent a network site from doing its normal business Method:
Lecture 4 Page 1 CS 111 Online Modularity and Virtualization CS 111 On-Line MS Program Operating Systems Peter Reiher.
DoS/DDoS attack and defense
Lecture 17 Page 1 CS 236, Spring 2008 Advanced Topics in Network Security: IP Spoofing and DDoS CS 236 On-Line MS Program Networks and Systems Security.
Lecture 16 Page 1 CS 239, Spring 2007 Designing Performance Experiments: An Example CS 239 Experimental Methodologies for System Software Peter Reiher.
Lecture 17 Page 1 CS 236, Spring 2008 Distributed Denial of Service (DDoS) Attacks Goal: Prevent a network site from doing its normal business Method:
Lecture 17 Page 1 Advanced Network Security Network Denial of Service Attacks Advanced Network Security Peter Reiher August, 2014.
Denial of Service Attacks Simulating Strategic Firewall Placement By James Box, J.A. Hamilton Jr., Adam Hathcock, Alan Hunt.
Matt Jennings.  What is DDoS?  Recent DDoS attacks  History of DDoS  Prevention Techniques.
Lecture 12 Page 1 CS 136, Spring 2009 Network Security: Firewalls CS 136 Computer Security Peter Reiher May 12, 2009.
By: Brett Belin. Used to be only tackled by highly trained professionals As the internet grew, more and more people became familiar with securing a network.
Lecture 18 Page 1 CS 236 Online Prolog to Lecture 18 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Lecture 9 Page 1 CS 236 Online Firewalls What is a firewall? A machine to protect a network from malicious external attacks Typically a machine that sits.
DDoS In the Real World Do DDoS attacks really happen?
Distributed Denial of Service (DDoS) Attacks
Outline Basics of network security Definitions Sample attacks
Virtual Private Networks
DDoS In the Real World Do DDoS attacks really happen?
Introduction to Networking
Outline Basics of network security Definitions Sample attacks
DDoS Attack and Its Defense
Outline The spoofing problem Approaches to handle spoofing
Outline Basics of network security Definitions Sample attacks
Outline Why is DDoS hard to handle?
Distributed Denial of Service (DDoS) Attacks
Outline The concept of perimeter defense and networks Firewalls.
Presentation transcript:

Lecture 8 Page 1 CS 236, Spring 2008 Distributed Denial of Service Attacks CS 236 Advanced Computer Security Peter Reiher May 20, 2008

Lecture 8 Page 2 CS 236, Spring 2008 Groups for This Week 1.Golita Behnoodi, Andrew Castner, Yu-Yuan Chen 2.Darrel Carbajal, Chia-Wei Chang, Faraz Zahabian 3.Chien-Chia Chen, Michael Cohen, Mih-Hsieh Tsai 4.Jih-Chung Fan, Zhen Huang, Nikolay Laptev 5.Vishwa Goudar, Abishek Jain, Kuo-Yen Lo 6.Michael Hall, Chen-Kuei Lee, Peter Peterson 7.Chieh-Ning Lien, Hootan Nikbakht, Peter Wu 8.Jason Liu, Sean McIntyre, Ionnis Pefkianakis

Lecture 8 Page 3 CS 236, Spring 2008 Distributed Denial of Service (DDoS) Attacks Goal: Prevent a network site from doing its normal business Method: overwhelm the site with attack traffic Response: ?

Lecture 8 Page 4 CS 236, Spring 2008 The Problem

Lecture 8 Page 5 CS 236, Spring 2008 Characterizing the Problem An attacker compromises many hosts –Usually spread across Internet He orders them to send garbage traffic to a target site The combined packet flow overwhelms the target –Perhaps his machine –Perhaps his network link –Perhaps his ISP’s network link

Lecture 8 Page 6 CS 236, Spring 2008 Why Are These Attacks Made? Generally to annoy Sometimes for extortion If directed at infrastructure, might cripple parts of Internet –So who wants to do that...?

Lecture 8 Page 7 CS 236, Spring 2008 Attack Methods Pure flooding –Of network connection –Or of upstream network Overwhelm some other resource –SYN flood –CPU resources –Memory resources –Application level resource Direct or reflection

Lecture 8 Page 8 CS 236, Spring 2008 Why “Distributed”? Targets are often highly provisioned servers A single machine usually cannot overwhelm such a server So harness multiple machines to do so Also makes defenses harder

Lecture 8 Page 9 CS 236, Spring 2008 Yahoo Attack Occurred in February 2000 Resulted in intermittent outages for nearly three hours Attacker caught and successfully prosecuted Other companies (eBay, CNN, Microsoft) attacked in the same way at around the same time

Lecture 8 Page 10 CS 236, Spring 2008 DDoS Attack on DNS Root Servers Concerted ping flood attack on all 13 of the DNS root servers in October 2002 Successfully halted operations on 9 of them Lasted for 1 hour –Turned itself off, was not defeated Did not cause major impact on Internet –DNS uses caching aggressively Another (less effective) attack in February 2007

Lecture 8 Page 11 CS 236, Spring 2008 DDoS Attack on Estonia Occurred April-May 2007 Estonia moved a statue that Russians liked Then somebody launched large DDoS attack on Estonian gov’t sites Took much of Estonia off-line for ~ 3 weeks Recently, DDoS attack on Radio Free Europe sites in Belarus

Lecture 8 Page 12 CS 236, Spring 2008 How to Defend? A vital characteristic: –Don’t just stop a flood –ENSURE SERVICE TO LEGITIMATE CLIENTS!!! If you deliver a manageable amount of garbage, you haven’t solved the problem

Lecture 8 Page 13 CS 236, Spring 2008 Complicating Factors High availability of compromised machines –At least tens of thousands of zombie machines out there Internet is designed to deliver traffic –Regardless of its value IP spoofing allows easy hiding Distributed nature makes legal approaches hard Attacker can choose all aspects of his attack packets –Can be a lot like good ones

Lecture 8 Page 14 CS 236, Spring 2008 Basic Defense Approaches Overprovisioning Dynamic increases in provisioning Hiding Tracking attackers Legal approaches Reducing volume of attack

Lecture 8 Page 15 CS 236, Spring 2008 Overprovisioning Be able to handle more traffic than attacker can generate Works pretty well for Microsoft and Google Not a suitable solution for Mom and Pop Internet stores

Lecture 8 Page 16 CS 236, Spring 2008 Dynamic Increases in Provisioning As attack volume increases, increase your resources Dynamically replicate servers Obtain more bandwidth Not always feasible Probably expensive Might be easy for attacker to outpace you

Lecture 8 Page 17 CS 236, Spring 2008 Hiding Don’t let most people know where your server is If they can’t find it, they can’t overwhelm it Possible to direct your traffic through other sites first –Can they be overwhelmed...? Not feasible for sites that serve everyone

Lecture 8 Page 18 CS 236, Spring 2008 Tracking Attackers Almost trivial without IP spoofing With IP spoofing, more challenging Big issue: –Once you’ve found them, what do you do? Not clear tracking actually does much good Loads of fun for algorithmic designers, though

Lecture 8 Page 19 CS 236, Spring 2008 Legal Approaches Sic the FBI on them and throw them in jail Usually hard to do FBI might not be interested in “small fry” Slow, at best Very hard in international situations Generally only feasible if extortion is involved –By following the money

Lecture 8 Page 20 CS 236, Spring 2008 Reducing the Volume of Traffic Addresses the core problem: –Too much traffic coming in, so get rid of some of it Vital to separate the sheep from the goats Unless you have good discrimination techniques, not much help Most DDoS defense proposals are variants of this

Lecture 8 Page 21 CS 236, Spring 2008 Approaches to Reducing the Volume Give preference to your “friends” Require “proof of work” from submitters Detect difference between good and bad traffic –Drop the bad –Easier said than done

Lecture 8 Page 22 CS 236, Spring 2008 Some Sample Defenses D-Ward Pushback DefCOM SOS

Lecture 8 Page 23 CS 236, Spring 2008 D-WARD Core idea is to leverage a difference between DDoS traffic and good traffic Good traffic responds to congestion by backing off DDoS traffic responds to congestion by piling on Look for the sites that are piling on, not backing of

Lecture 8 Page 24 CS 236, Spring 2008 The D-Ward Approach Deploy D-Ward defense boxes at exit points of networks –Use ingress filtering here to stop most spoofing Observe two-way traffic to different destinations Throttle “poorly behaved” traffic If it continues to behave badly, throttle it more If it behaves well under throttling, back off and give it more bandwidth

Lecture 8 Page 25 CS 236, Spring 2008 D-WARD in Action requests replies D-WARD attacks

Lecture 8 Page 26 CS 236, Spring 2008 A Sample of D-Ward’s Effectiveness

Lecture 8 Page 27 CS 236, Spring 2008 The Problem With D-Ward D-Ward defends other people from your network’s DDoS attacks It doesn’t defend your network from other people’s DDoS attacks So why would anyone deploy it? No one did, even though, if fully deployed, it could stop DDoS attacks

Lecture 8 Page 28 CS 236, Spring 2008 Pushback Goal: Drop attack traffic to relieve congestion Detect congestion locally –Drop traffic from high-bandwidth aggregates Push back the rate limits to the routers sending those aggregates –Who will then iterate Rate limits pushed towards attack sites –Or other sites with high volume

Lecture 8 Page 29 CS 236, Spring 2008 Can Pushback Work? Even a few core routers are able to control high-volume attacks –But issues of partial deployment Only traffic for the victim is dropped Drops affect a portion of traffic that contains the attack traffic But will inflict collateral damage on legitimate traffic –Traffic sharing controlled links with attack traffic likely to be harmed

Lecture 8 Page 30 CS 236, Spring 2008 DefCOM Different network locations are better for different elements Near source good for characterizing traffic Core nodes can filter effectively with small deployments Near target it’s easier to detect and characterize an attack DefCOM combines defense in all locations

Lecture 8 Page 31 CS 236, Spring 2008 DefCOM in Action alert generator classifier core DefCOM instructs core nodes to apply rate limits Core nodes use information from classifiers to prioritize traffic Classifiers can assure priority for good traffic

Lecture 8 Page 32 CS 236, Spring 2008 Benefits of DefCOM Provides effective DDoS defense Without ubiquitous deployment Able to handle higher volume attacks than target end defenses Offers deployment incentives for those who need to deploy things

Lecture 8 Page 33 CS 236, Spring 2008 DefCOM Performance

Lecture 8 Page 34 CS 236, Spring 2008 SOS A hiding approach Don’t let the attackers send packets to the possible target Use an overlay network to deliver traffic to the destination Filter out bad stuff in the overlay –Which can be highly provisioned

Lecture 8 Page 35 CS 236, Spring 2008 How SOS Defends Clients are authenticated at the overlay entrance A few source addresses are allowed to reach the protected node –All other traffic is filtered out Several overlay nodes designated as “approved” –Nobody else can route traffic to protected node Good traffic tunneled to “approved” nodes – They forward it to the server

Lecture 8 Page 36 CS 236, Spring Can SOS Work? Should successfully protect communication with a private server: –Access points distinguish legitimate from attack communications –Overlay protects traffic flow –Firewall drops attack packets What about attacking overlay? –Redundancy and secrecy might help

Lecture 8 Page 37 CS 236, Spring 2008 SOS Advantages and Limitations +Ensures communication of “confirmed” user with the victim +Resilient to overlay node failure +Resilient to DoS –Does not work for public service –Clients must be aware of overlay and use it to access the victim –Traffic routed through suboptimal path –Still allows brute force attack on links entering the filtering router in front of client –If the attacker can find it

Lecture 8 Page 38 CS 236, Spring 2008 How Do We Test DDoS Defense? What are the core claims about each defense? Which of those are least plausible or most risky? How do we prioritize among many things we could test?

Lecture 8 Page 39 CS 236, Spring 2008 Performance Questions How well does each defend against attacks? Does it damage performance of normal traffic? Can it run fast enough for realistic cases? How much does partial deployment pattern matter? Does regular traffic pattern matter? Does attack traffic pattern matter? Can the defense be used as an attack tool?

Lecture 8 Page 40 CS 236, Spring 2008 How Do We Test? Let’s concentrate first on the core issue of whether the system defends –Using DefCOM as an example How do we propose to test that?

Lecture 8 Page 41 CS 236, Spring 2008 Basic Approach What is our basic testing approach? Set up a four machine testbed like so: TargetRate limiter ClassifierTraffic source

Lecture 8 Page 42 CS 236, Spring 2008 Or One Like This? alert generator classifier core

Lecture 8 Page 43 CS 236, Spring 2008 Or One Like This?

Lecture 8 Page 44 CS 236, Spring 2008 If It’s Not the Simple One... What is the topology? How many edge nodes? Organized into how many subnets? How many core nodes? Connected how? And how do we arrange the routing?

Lecture 8 Page 45 CS 236, Spring 2008 Is the Base Case Full Deployment? And what does that mean in terms of where we put classifiers and filtering nodes? If it’s not full deployment, what is the partial deployment pattern? –A single pattern? –Or treat that as a factor in experiment?

Lecture 8 Page 46 CS 236, Spring 2008 Metrics What metric or metric should we use to decide if DefCOM successfully defends against DDoS attacks? Utilization of the bottleneck link? Percentage of dropped attack packets? Percentage of legitimate packets delivered? Something else?

Lecture 8 Page 47 CS 236, Spring 2008 Workload Probably two components: –Legitimate traffic –Attack traffic Where do we get them from? If we’re not using the simple topology, where do we apply them?

Lecture 8 Page 48 CS 236, Spring 2008 The Attack Workload Basically, something generating a lot of packets But is there more to it? Do we care about kind of packets? Pattern of their creation? Contents? –Header? –Payload? Do attack dynamics change during attack? Which nodes generate attack packets?

Lecture 8 Page 49 CS 236, Spring 2008 The Legitimate Workload What is it? How realistic must it be? How do we get it? Where is it applied? Is it responsive to what happens at the target? Cross-traffic?

Lecture 8 Page 50 CS 236, Spring 2008 How Much Work Must We Do? Do we just define one set of conditions and test DefCOM there? If not, what gets varied? –Deployment pattern? –Attack size in packets? –Number of attacking nodes? –Legitimate traffic patterns? –Size of target’s bottleneck link? –Accuracy of classification? –Something else?

Lecture 8 Page 51 CS 236, Spring 2008 Generalizing If we get a test right for DefCOM, can we just swap in another defense? Or do we need to customize the experiment for each defense? –To what extent? –In what ways?

Lecture 8 Page 52 CS 236, Spring 2008 Other DDoS Research Issues DDoS is a largely unsolved problem Are there fundamentally different approaches to solutions? Will small changes to existing approaches make them work? Or is it motivation? –If we cared enough, we’d deploy a working system

Lecture 8 Page 53 CS 236, Spring 2008 One More Big Issue Design choices of today’s Internet favor DDoS –Tries to deliver all traffic –Doesn’t verify source addresses –Doesn’t allow receiver control Would the problem be easier in a redesigned Internet? –Always consider the redesign alternative