Streaming Algorithms for Robust, Real-Time Detection of DDoS Attacks S. Ganguly M. Garofalakis R. Rastogi K.Sabnani Indian Inst. Of Tech. India Yahoo! Research USA Bell Labs India Bell Labs USA ICDCS’07 27th international Conference on Distributed Computing Systems

Introduction Distributed Denial-of-Service (DDoS): A DDoS attack directs hundreds or even thousands of “zombie” hosts against a single victim

Introduction (cont.) TCP-SYN flooding attack 1. SYN 2. SYN-Ack 3. Ack IPtimeTTL Fake IP Out of Memory Crash! ×

Problem Formulation A stream of flow updates: (source, dest, ±1) Bad guy: Occur(u, v, +1) > Occur(u, v, -1) 1. SYN 2. SYN-Ack 3. Ack +1 Distinct source frequency f v = # of bad guys to v Continuously track the top-k distinct source frequency destinations over the stream of flow updates

Main idea of the solution: Sampling Directly sample from the stream? – For estimating the counts of an item: OK – For counting the number of distinct items: NO Construct the synopsis for the stream and then sample from the synopsis a, a, a, a, a, a, a, a, a, a, b (a, 10), (b, 1)

Distinct-Count Sketch: structure Domain of IP: [m] = {0, m-1} (source, dest) pairs: [m 2 ] First level hash function h: [m 2 ] → {0, …, Θ( logm)} with Pr[h(x) = l] = 1/2 l+1 – ½ of the distinct values in [m 2 ] mapping to bucket 0 – ¼ of the distinct values in [m 2 ] mapping to bucket 1 – 1/8 of the distinct values in [m 2 ] mapping to bucket 2 Second level hash function g i : [m 2 ] → [s] uniformly

Distinct-Count Sketch: structure (cont.) 0 Θ(logm) h(u, v) = b r hash tables 1 s g 1 (u, v) g 2 (u, v) g r (u, v) … … … … … … … 01 2logm Total element count Bit location counts Total element count: the total number of the tuples hashed into the bucket Bit location counts: the total number of the tuples hashed into the bucket with BIT j (u, v) = … Binary representation of (u, v): ☆☆ ☆☆ ☆ χ[i, j, k, l]: the i th first level bucket, the j th hash table, the k th second level bucket, the l th count- signature location

Distinct-Count Sketch: maintenance For each incoming update/tuple (u, v, ±1), update its corresponding count-signatures For all j = 1 to r – χ[h(u, v), j, g j (u, v), 0] = χ[h(u, v), j, g j (u, v), 0] ±1 – For each l = 1 to 2logm If BIT l (u, v) = 1 – χ[h(u, v), j, g j (u, v), l] = χ[h(u, v), j, g j (u, v), l] ±1

Top-k Frequency Estimation Generate distinct sample from the distinct-count sketch Scan the first level hash table until |dSample| < (1+ ε)s/16 or b ≥ 0 Check the count-signatures – For all l = 1 to 2logm Either Χ[b, j, k, l] = Χ[b, j, k, 0] or Χ[b, j, k, l] = 0 Add the (u, v) to dSample 0 Θ(logm) r hash tables 1 s g 1 (u, v) g 2 (u, v) g r (u, v) … … … … … … … … → (u, v) bit 1 bit Collision (u,v) = 1010

Top-k Frequency Estimation (cont.) After obtaining the dSample – (a, v), (u, v), (m, v), (a, w), (b, w), (c, w), (d, w), …. – f w in dS = 4, f v in dS= 3, …

Error guaranteed Input: Flow-update stream, k, error ε, and confidence δ Output: continuously track a list L of k destination IP addresses and guaranteed that with probability of at least 1-δ – 1. Any destination address v in L has frequency f v ≥ (1-ε)f vk – 2. For any destination address v in L, n = the upper bound on the number of update tuples in the streams

Conclusion Seem to combine the FM sketch and the Count-Min sketch to reduce the collisions and then using BIT operations to identify the destination addresses