Distributed Denial of Service CRyptography Applications Bistro Presented by Lingxuan Hu April 15, 2004
Why DDoS is hard to prevent Internet –Limited resources –Security highly interdependent
ISP? The problem with DDOS security is this: if you implement DDOS security, it does not protect your network, it merely prevents your network from harming others. Why would an ISP spend extra time and effort implementing a security protocol that was good for everyone else... but not for them? by simul, Kuro5hin.org (targeted by DDoS attacks), February 4, 2004
Defenses IP spoofing –Egress filtering –Keep routing state for each packet –New type of control message (ICMP) –Embed traceback information into IP header Bandwidth flooding –Use Overlay Networks to debug input –Push back to preserve bandwidth –Equip your host with gobs of bandwidth and the appliances can mitigate the effect
Problem Statement Use IP traceback to defend IP spoofing –Packets having the same routing path with the attacker packets will be dropped Challenges –The average Internet routing path length is around 15, so reconstruct the path will take 60 bytes –Where to put the traceback information?
PI Overview Model the Internet as a binary tree rooted at the victim node The router mark 0 or 1 in IP identification field based on past path information
IP Header Identification field (16 bits) –IP identification is only used for fragmentation, which constitutes less than 0.25% of the packets in Internet
Pi Marking - Basic Marking Scheme Marking Scheme –Each router marks n bits into IP Identification field Marking Location –TTL (mod 16/n) indexes location in field to mark Marking Function –Last n bits of hash (eg. MD5) of router IP address The following slides are adapted from Abraham Yaar’s Oakland 2003 slides
Pi Marking - Example
Pi Marking Scheme - TTL Attack Final TTL Pointer Final TTL Pointer Problem –Attacker shifts markings by modifying initial TTL Note - marking bits and order haven’t changed, just location in the marking field Solution –Victim uses final TTL to justify packet contents using bit rotation
Pi Marking - IP Fragmentation Problem –Mark values in IP Identification field breaks fragmentation Solution –Don’t mark packets that may ever get fragmented, or are fragments themselves –During DDoS attack, drop packets not satisfying this predicate
Pi Filtering – Basic Scheme Basic Scheme –Drop all packets with Pi marks matching that of any attack packets Assumption –Victim can identify attack packets Implementation Overhead –Memory: Bit vector of length 2 16 (8kB) if (BitVec[PiMark] == 0) then accept() else drop(); –Computation: O(1) per packet
Pi Filtering - Thresholds Problem –Single attacker causes multiple users’ rejections Solution –Assume, for a particular Pi mark, i: a i = number of attack packets u i = number of legitimate users’ packets –Victim chooses threshold, t, such that if: then all packets with Pi mark i are dropped
Experiment Results – Basic Filter DDoS protection –Accepted: 60% of user traffic 17% attacker traffic Downward slope due to “marking saturation” –All markings flagged as attacker
Experiment Results – Threshold Filter Thresholds Work! –Victim increases false positives to decrease false negatives Greater attack traffic requires greater threshold values
Comments Review of the goal –The same routing path yields the same marking –Different routing path has little probability to overlap Question –Why bother using rotated marking instead of a simple hash function?
DDoS Attacks IP spoofing Bandwidth flooding Back to Zhanxiang