
08/02/01 S. Felix Wu -- UCCS Visit. Slide 1: Distributed Denial of Service: the Problem, its Solutions, and their Problems. Dr. S. Felix Wu, Computer Science Department, University of California, Davis.

Slide 2: Denial of Service attack: beyond authenticity, authority, and privacy. A computer system has finite resources (bandwidth, connections, buffer space, ...). The attacker makes the victims consume all or most of those resources, and services are denied!

Slide 3: Distributed DoS (yahoo, ebay, msn, ...). A master controls many slaves. Hundreds or thousands of slaves launch attacks simultaneously, and their attack traffic is aggregated at the victim: denial of service, i.e. no service or degraded service.

Slide 4: The Plain DDoS Model ( ). Diagram: attackers control masters, masters control slaves, and the slaves send packets through ISP.com to the victim with src: random, dst: victim. Numbers: 1,500 bytes per packet (~10K bits per packet); 2000 slaves at 50 packets per second per slave give ~100K packets per second at the victim, with each slave emitting ~0.5M bits per second.

Slide 5: Reflector. Use a legitimate network server or client as the reflector to avoid being traced (stepping stone). The slave sends a service request packet with src: Victim, dst: Reflector; the reflector answers with a service reply packet with src: Reflector, dst: Victim.

Slide 6: The Reflective DDoS Model (2000). Diagram: attackers, masters, slaves, reflectors, ISP.com, victim. Slave-to-reflector packets: src: victim, dst: reflector. Reflector-to-victim packets: src: reflector, dst: victim.

Slide 7: Internet Source Accountability. Diagram: hosts A and B, networks UCD, AOL, UUNet. The packet carries a Header (src: AOL, dst: UCD) and a Payload; the source field is whatever the sender wrote into it.

Slide 8: Possible Solutions. Stop it!! (ISP, dot-COM, ...): egress/ingress filtering; aggregated-flow anomaly-based rate limiting. Trace it!! (law enforcement agencies, ...): where are the slaves and masters?

Slide 9: Ingress/egress filtering: boosting source accountability. Drop it or not?? Is the source IP address of this incoming IP packet valid from this particular network interface??? Three ways to decide: 1. static configuration; 2. routing table reverse look-up; 3. routing information analysis (BGP/OSPF/RIP). Diagram: per-network (Net: *) filtering policies.
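An ingress-filter decision in the spirit of slide 9, written as an added example (not code from the slides): it answers "is this source address valid from this interface?" with the first two of the slide's three methods, a static per-interface prefix list and a routing-table reverse look-up. The routing table, the policy and the interface names are constructed sample data.

```python
# Added example (not from the slides): an ingress-filter decision in the spirit of
# slide 9. It answers "is this source address valid from this interface?" in two
# of the slide's three ways: a static per-interface prefix list, and a routing-table
# reverse look-up (the longest-prefix route back to the *source* must leave through
# the interface the packet arrived on). Routing table, policy and packets are
# constructed sample data.
import ipaddress

# Constructed routing table: (prefix, outgoing interface); 0.0.0.0/0 is the
# slide's "Net: *" catch-all toward the upstream provider.
ROUTES = [
    ("0.0.0.0/0", "upstream"),
    ("192.0.2.0/24", "cust-a"),
    ("198.51.100.0/24", "cust-b"),
]

# Constructed static policy: sources each customer interface may legitimately carry.
STATIC_POLICY = {
    "cust-a": ["192.0.2.0/24"],
    "cust-b": ["198.51.100.0/24"],
}

def lookup(routes, addr):
    """Longest-prefix match; returns the outgoing interface or None."""
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def static_check(iface, src):
    """Way 1 on slide 9: static configuration per interface."""
    allowed = STATIC_POLICY.get(iface)
    if allowed is None:            # no policy on this interface (e.g. the upstream link)
        return True
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in allowed)

def reverse_path_check(iface, src):
    """Way 2 on slide 9: the route back to src must use the arrival interface.
    This strict form is the 'drop it or not??' question on the slide: with
    asymmetric routing it also drops legitimate traffic on transit links."""
    return lookup(ROUTES, ipaddress.ip_address(src)) == iface

def filter_packet(iface, src):
    """Decision for one incoming packet: ('forward' | 'drop', reason)."""
    if not static_check(iface, src):
        return ("drop", "static policy")
    if not reverse_path_check(iface, src):
        return ("drop", "reverse-path")
    return ("forward", "ok")
```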

Slide 10: Aggregate-Based Congestion Control: avoiding micro-flow management. A RED buffer (Random Early Dropping) with 50% and 80% thresholds is good for aggressive but responsive TCP flows...

Slide 11: Aggregate-Based Congestion Control: avoiding micro-flow management. Diagram: a High-Bandwidth AG-Flow Analyzer decides whether incoming traffic belongs to a high-bandwidth aggregate flow (yes/no); if yes, it passes through rate limiters before the 50%/80% RED buffer. E.g., all ICMP packets toward dst: *. Open questions: (1) How to determine the signature of an AG-flow?? (2) How to set the limited rate for an AG-flow??

Slide 12: Packet Tracing. Either a transit router puts a mark in the data packets themselves (like UPS/FedEx), and the question is where to find the space in the packet for the mark; or a transit router puts a mark outside of the data packets ("I have seen it!!"), and the question is where to find the bandwidth in the Internet.

Slide 13: Statistical Packet Marking. Diagram (plain DDoS model): attackers, masters, slaves, ISP.com, victim; src: random, dst: victim.

Slide 14: Marking procedure at router R:

    for each packet w
        let x be a random number from [0..1)
        if x < p then
            write R into w.start and 0 into w.distance
        else
            if w.distance == 0 then
                write R into w.end
            increment w.distance

Diagram: a path of routers R1 ... R9 between attackers A5/A6 and the victim. IP header fields shown: ver, hlen, TOS, Total Length; Identification, flags, offset; Time to live, Protocol, Header checksum; Source IP address; Destination IP address. The 16-bit Identification field is overloaded to carry the mark: offset, distance, edge fragment.
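The slide-14 marking procedure simulated end to end, as an added example (not code from the slides): routers along a constructed path run the procedure on each packet, and the victim rebuilds the path from the (start, end, distance) edges it collects. Router names are plain strings and the 16-bit packing of slide 14 is left out; the path, p and packet counts are constructed.

```python
# Added example (not from the slides): the slide-14 marking procedure simulated
# on a constructed router path, plus the victim-side reconstruction that the
# marks make possible. Routers are plain strings here; the real scheme squeezes
# start/end/distance into 16 header bits, which this simulation leaves out.
import random

def mark(router, pkt, p, rng=random):
    """Slide 14, run at one router R for packet w (pkt is a dict)."""
    if rng.random() < p:
        pkt["start"], pkt["distance"] = router, 0          # start a new edge
    else:
        if pkt["distance"] == 0:
            pkt["end"] = router                           # close the edge begun upstream
        pkt["distance"] += 1                              # count hops since the start mark
    return pkt

def send(path, p, n_packets, seed=0):
    """Run n_packets (constructed, all from one slave) through path = [R1..Rk],
    attacker side first; return the distinct (start, end, distance) edges seen."""
    rng = random.Random(seed)
    edges = set()
    for _ in range(n_packets):
        pkt = {"start": None, "end": None, "distance": 0}  # attacker leaves fields empty
        for router in path:
            mark(router, pkt, p, rng)
        if pkt["start"] is not None:                      # unmarked packets carry no edge
            edges.add((pkt["start"], pkt["end"], pkt["distance"]))
    return edges

def reconstruct(edges):
    """Victim side: distance 0 names the router next to the victim (its 'end' may
    be stale, so it is ignored); an edge at distance d whose end is the router
    already placed at d-1 extends the path one hop toward the attacker."""
    path_from_victim, prev, d = [], None, 0
    while True:
        nxt = {s for s, e, dist in edges if dist == d and (d == 0 or e == prev)}
        if len(nxt) != 1:                                 # no edge, or ambiguous edge: stop
            break
        prev = nxt.pop()
        path_from_victim.append(prev)
        d += 1
    return path_from_victim[::-1]                         # attacker side first

if __name__ == "__main__":
    path = ["R1", "R2", "R3", "R4", "R5"]
    print(reconstruct(send(path, 0.1, 3000)))             # the whole path is recovered
```

Routers far from the victim survive with probability p(1-p)^(hops), so the victim needs many packets before the edge nearest the slaves appears; that is the "inefficiency" the next slide lists.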

Slide 15: Problems with Packet Marking. 16 bits is unreliable and restrictive: partial IP header information, weak authentication, inefficiency. It cannot handle reflective DDoS. It requires modification of the TCP protocol stack (and specification), and it is not clear exactly how to do that completely and correctly.

Slide 16: Diagram of the reflective DDoS model (attackers, masters, slaves, reflectors, ISP.com, victim) with src: victim, dst: reflector and src: reflector, dst: victim, marked "???" to ask how packet marking applies here.

Slide 17: ICMP Traceback. With a very small probability (about 1 in 20,000), each router sends the destination a new ICMP message indicating the previous hop for that packet. The net traffic increase at the endpoint is probably acceptable. iTrace it or not??

Slide 18: Original iTrace. Diagram (plain DDoS model): attackers, masters, slaves, ISP.com, victim; src: random, dst: victim.

Slide 19: iTrace in Reflective DDoS. Diagram (reflective DDoS model): attackers, masters, slaves, reflectors, ISP.com, victim; src: victim, dst: reflector and src: reflector, dst: victim.

Slide 20: Improved ICMP Traceback. For very few packets (about 1 in 20,000), each router sends both the destination and the source a new ICMP message indicating the previous hop for that packet. The net traffic increase at the endpoint is probably acceptable.

Slide 21: Diagram: slave, reflector, victim. Service request packet: src: Victim, dst: Reflector. Service reply packet: src: Reflector, dst: Victim. Source traceback messages now reach the victim: "Who has spoofed me??"

Slide 22: Improved iTrace. Diagram (reflective DDoS model): attackers, masters, slaves, reflectors, ISP.com, victim; src: victim, dst: reflector and src: reflector, dst: victim.

Slide 23: Diagram: victim and ISP. Service request packet: src: Victim, dst: (not shown on the slide). Source traceback messages arrive at the victim: "Is that really me??? How can I tell??"

Slide 24: Maybe it is my friend... Diagram (plain DDoS model, with customers added): attackers, masters, slaves, ISP.com, victim; src: random, dst: victim. Are you sure that this is from a slave or not?

Slide 25: Emitting a "relatively small" amount. Diagram (plain DDoS model): attackers, masters, slaves, ISP.com, victim; src: random, dst: victim.

Slide 26: iTrace Probability: 1/20,000. Diagram: attack traffic and background traffic passing through one router. For a router with "lots" of background traffic, it will take a long time before it really generates a "useful" iTrace.

Slide 27: A Statistical Problem with iTrace. Routers closer to the victim have a higher probability of generating iTrace packets toward the true victim within the first N iTrace messages generated. Routers closer to the DDoS slaves may have a relatively small probability (smaller than the routers around the victim) of generating "useful" iTrace packets fast enough.

Slide 28: "Usefulness". Useful: the iTrace message carries attack packets. Valuable: it carries attack packets from a router that is very close to the original slaves; we have not received the same "kind" of iTrace message before; the iTrace messages are received fast.

Slide 29: Three Types of Nodes. (1) DDoS victims with the intention to trace the slaves. (2) DDoS victims without that intention. (3) Non-victims (assumed not to have the intention either; very likely they hope they won't receive any iTrace messages).

Slide 30: Intention-driven iTrace. Different destination hosts, networks, and domains/ASs have different "intention levels" in receiving iTrace packets: some might not care about iTrace, and some might not be under DDoS attack, for example. We propose to add one "iTrace-intention" bit.

Slide 31: Issues. How to determine the intention bit? How to distribute the intention bits to routers globally? How to use the intention bits at each router?

Slide 33: iTrace / Intention-Driven iTrace architecture. Diagram: data packets are looked up in the packet-forwarding table, whose entries carry an iTrace generation bit and intention bits; a Decision Module, driven by the 1/20000 iTrace generation trigger and by the intention bits learned from the BGP routing table, decides which entry's iTrace generation bit to set.

Slide 34: Processing Overhead. Processing for each data packet: 1. if the iTrace flag bit of the matching forwarding-table entry is 1: (1) send an iTrace message for this data packet; (2) reset the iTrace bit to 0. When the 1/20K iTrace message trigger occurs: 1. select and set one iTrace bit in the forwarding table.

Slides 35-36: Forwarding-table walk-through (table residue on the original slides; only the layout is recoverable). Columns: prefix (e.g. /16), I(n), iTrace bit. Three snapshots: (1) before the iTrace trigger; (2) after the iTrace trigger; (3) after the iTrace is sent.
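A toy router-side decision module for slides 33-36 (and the max aggregation rule of slide 39), as an added example that is not the talk's own code: forwarding-table rows carry I(n) and an iTrace bit, the 1/20,000 trigger sets one bit, and the next packet forwarded through that row emits the iTrace message. The prefixes, the selection rule (highest I(n) first, round-robin among ties) and the packets_until_useful() back-of-envelope model are assumptions.

```python
# Added example (not from the slides): a toy router-side decision module for the
# intention-driven iTrace design of slides 33-36 and 39. Each forwarding-table
# entry carries I(n), the intention bit learned from BGP, and an iTrace bit; the
# 1/20,000 trigger sets one iTrace bit, and the next packet forwarded through
# that entry emits an iTrace message. The prefixes, the selection rule (highest
# I(n) first, round-robin among ties) and packets_until_useful() are assumptions.
import ipaddress
import random

def aggregate_intention(*values):
    """Slide 39 community aggregation: I(new) = max {I(n)}."""
    return max(values)

def packets_until_useful(p, attack_fraction):
    """Slides 26-27: original iTrace picks 1 packet in 1/p blindly, so on average
    1/(p * attack_fraction) packets pass a router before the chosen packet is an
    attack packet (constructed back-of-envelope model, not from the slides)."""
    return 1.0 / (p * attack_fraction)

class IntentionDrivenITrace:
    def __init__(self, entries, p=1 / 20000, rng=None):
        # entries: {prefix: I(n)}; rows are [network, I(n), iTrace bit]
        self.table = [[ipaddress.ip_network(pfx), int(i), 0] for pfx, i in entries.items()]
        self.table.sort(key=lambda row: row[0].prefixlen, reverse=True)  # longest match first
        self.p, self.rng = p, rng or random
        self.sent = []   # iTrace messages emitted, as (prefix, dst) pairs
        self._rr = 0     # round-robin cursor over equally intended entries

    def _lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        return next((row for row in self.table if addr in row[0]), None)

    def trigger(self):
        """The 1/20K trigger of slide 34: select and set one iTrace bit,
        preferring entries whose destinations asked for iTrace (highest I(n))."""
        top = max(row[1] for row in self.table)
        candidates = [row for row in self.table if row[1] == top]
        row = candidates[self._rr % len(candidates)]
        self._rr += 1
        row[2] = 1
        return str(row[0])

    def forward(self, dst):
        """Per-packet path of slide 34: only a flag test, no per-packet hashing."""
        row = self._lookup(dst)
        if row is not None and row[2] == 1:
            self.sent.append((str(row[0]), dst))   # would be an ICMP iTrace message
            row[2] = 0                             # reset the iTrace bit
        if self.rng.random() < self.p:             # the 1/20K trigger
            self.trigger()
        return row is not None
```

With I(n)=0 on the catch-all route, background traffic never consumes a trigger, which is the whole point of the intention bit.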

Slide 38: Usefulness in MSMV (figure only).

Slide 39: How to distribute I(n)? YABE (Yet Another BGP Extension). For every BGP route update, include I(n) as a new string in the community attribute: 0x[iTrace-Intention]:0x[0-1] (optional and transitive). These I(n) values are forwarded, or even aggregated, by routers that understand this new community attribute; aggregation: I(new) = max {I(n)}. Rate-limiting on intention updates: they should not be more frequent than Keep-Alive messages and should not trigger any major route computation.

Slide 40: Signaling (BGP extension). Diagram: AS100, AS120, AS200, AS250, AS300, AS500, AS600, AS700, AS800, AS900. An IDS issues an intention-bit update request, which becomes a BGP update with prefix: 900 and the attribute "Intend to receive iTrace".

Slide 41: Summary. Improves the probability of "useful" iTrace. Requires some "minor" changes to the router forwarding process. Requires a new BGP community string. The amount of generated iTrace messages should be no more than under the current iTrace proposal.

Slide 42: DECIDUOUS. Reliably identify the source(s) of attack packets (tracing): intrusion detection, response, source identification. Collaborate with edge routers or security gateways that support IPsec or other types of tunnels: utilize the IPsec framework; requirements for an IPsec policy system; interaction with IDS and IRS/FW.

Slide 43: Spoofed IP Address. Diagram: hosts A and B, networks NCSU, AOL, UUNet. The packet carries a Header (src: AOL, dst: NCSU) and a Payload.

Slide 44: IPsec Tunnel. Diagram: the same packet (Header src: AOL, dst: NCSU, plus Payload) is encapsulated in an outer Header + IPsec with src: A, SPI=0x104, dst: B.

Slide 45: IPsec/AH, tunnel mode. Diagram: the attacker's target runs an Intrusion Detection System, an IPsec module (freeSWAN & Pluto) and the Deciduous daemon, connected through the IPsec PHIL/API; routers or security gateways along the way run IPsec modules. Depending on the results from both the IDS and the IPsec modules as well as the nature of the detected attack itself, the Deciduous daemon decides dynamically where to set up SAs. Every single SA that has been, or has not been, used by the attack packets provides some location information about the true source.

Slide 46: Collaboration. Diagram: the attacker's target (Intrusion Detection System, IPsec module, IPsec PHIL/API, Deciduous daemon) at NCSU, connected through an ISP to the Internet core.

Slide 47: Tunnel Path. Diagram: as on slide 46, with a second Deciduous daemon at the ISP and a Phase II SA (the tunnel) between NCSU and the ISP across the Internet core.

Slide 48: DECIDUOUS Testbed at SHANG LAB. Diagram residue: hosts Stone, Sun, Hychang, Redwing, Squeeze, Bone and Norwork with their eth0/eth1/eth2 interfaces (addresses not recoverable). Test scenarios: simple single source; simple multiple sources; coordinated multiple sources.

Slide 49: Results (figure only).

Slide 50: Magic Marks: concept. For an outgoing packet, the src/dst IP addresses (not the rest of the packet) are fed, together with a private key, through HMAC to produce a 128-bit digest; a selector takes a 16-bit mark from that digest, and the mark travels with the packet next to the src/dst IP addresses. An iTrace message, either a SRC iTrace or a DST iTrace, carries the src/dst IP addresses and the 16-bit mark.

Slide 51: Magic Marks: design. The HMAC input is the source IP address plus N bits (N=8) of the destination IP address; with the private key this again gives a 128-bit digest from which the selector takes the 16-bit mark. Because only N destination bits are hashed, the marking table with 2^N entries can be pre-computed, and marking an outgoing packet becomes a mark table look-up.

Slide 52: A scenario. The dst receives an iTrace message carrying the src/dst IP addresses and the 16-bit mark. It sends a verify message with that 16-bit mark to the src, and the src responds Y/N on whether the mark is one it generated.
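The Magic Marks scheme of slides 50-52 as an added example (not the talk's own code): the source side derives the 16-bit mark by HMAC over the src/dst addresses with a private key, the slide-51 variant hashes only the top N=8 bits of dst so the marks fit a precomputed 256-entry table, and verify() is the Y/N answer of slide 52. HMAC-MD5 (for the 128-bit digest), the choice of the first two digest bytes as the selector and the sample key are assumptions.

```python
# Added example (not from the slides): the Magic Marks scheme of slides 50-52.
# The source side computes HMAC over the packet's src/dst IP addresses with a
# private key (HMAC-MD5 is assumed, because the slides want a 128-bit digest),
# and a selector keeps 16 bits as the mark; the slide-51 design hashes the full
# src plus N=8 bits of dst so the marks fit a precomputed 2**N table. Which 16
# bits are selected (the first two bytes here) and the sample key are assumptions.
import hashlib
import hmac
import ipaddress

N_BITS = 8           # slide 51: N bits of the destination address enter the HMAC
MARK_BITS = 16       # slides 50-52: size of the mark carried in the packet

def hmac_input(src, dst, dst_bits=32):
    """Bytes covered by the HMAC: the whole src address, the top dst_bits of dst."""
    s = int(ipaddress.ip_address(src))
    d = int(ipaddress.ip_address(dst)) >> (32 - dst_bits)
    return s.to_bytes(4, "big") + d.to_bytes(4, "big")

def magic_mark(key, src, dst, dst_bits=32):
    """128-bit digest -> selector -> 16-bit mark."""
    digest = hmac.new(key, hmac_input(src, dst, dst_bits), hashlib.md5).digest()
    return int.from_bytes(digest[:MARK_BITS // 8], "big")

def build_mark_table(key, src):
    """Slide 51: pre-compute the 2**N marks for one source, indexed by the top N dst bits."""
    return [magic_mark(key, src, str(ipaddress.ip_address(i << (32 - N_BITS))), N_BITS)
            for i in range(2 ** N_BITS)]

def table_lookup(table, dst):
    """Marking an outgoing packet then costs one table look-up."""
    return table[int(ipaddress.ip_address(dst)) >> (32 - N_BITS)]

def verify(key, src, dst, mark, dst_bits=32):
    """Slide 52: the claimed src answers the dst's verify message (Y/N). A packet
    forged without the key carries a matching mark only with probability 2**-16."""
    expected = magic_mark(key, src, dst, dst_bits)
    return hmac.compare_digest(expected.to_bytes(2, "big"), (mark & 0xFFFF).to_bytes(2, "big"))
```

A "N" answer tells the victim of slide 23 that the traceback message describes a packet it never sent, i.e. its address was spoofed.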