Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mitigating Distributed Denial of Service Attacks Using a Proportional- Integral-Derivative Controller Marcus Tylutki.

Published byBertram Thomas Modified over 8 years ago

Similar presentations

Presentation on theme: "Mitigating Distributed Denial of Service Attacks Using a Proportional- Integral-Derivative Controller Marcus Tylutki."— Presentation transcript:

1 Mitigating Distributed Denial of Service Attacks Using a Proportional- Integral-Derivative Controller Marcus Tylutki

2 Outline Response to DDoS (Overview) Control Theory Background PID Control Law DDoS response model utilizing PID Control Experimental Results Comparison to existing DDoS response models

3 Response to DDoS DDoS Examples: –Stacheldraht –Trinoo –Tribal Flood Network Current response utilizes 2 main methods: –IP Traceback –Bandwidth pushback

4 Classic Control Theory Controller System Desired Value, v d System Changes, s c (Unknown and Known) Disturbances Observed Value, v o

5 PID Control Law The control signal has 3 components: –Proportional Mode c(t) = K C e(t) + c b –Integral Mode – Compensates error buildup over time c(t) = (K C /  I )  e(t) dt + c b –Derivative Mode – Attempts to match rate change c(t) = K C  D d/dt ( e(t) ) + c b

6 Using PID Control Law to mitigate DDoS effects Network A Network B Network C Border Router B Border Router A Border Router C Dropped Packets destined for Network C Figure 4.1

7 Using PID Control Law to mitigate DDoS effects Network A Network B Network C Border Router B Border Router A Border Router C Dropped Packets destined for Network C Figure 4.1

8 Necessary Assumptions A sensor exists which can determine whether a packet is part of a DDoS attack or legitimate. (probabilistic) –Webscreen WS100 claims to do this for web servers. The flow of packets through any border router headed towards the protected network can be detected. (iTrace) A technique exists for dropping packets heading towards the protected network at the border router. (Traffic shaping) The border router that forwarded a particular DDoS attack packet can be identified. (CEF)

9 Goals of the Approach Bound the total amount of traffic passing through to the protected network Maximize the percentage of legitimate packets in the flow reaching the protected network Minimize the overall impact of overhead produced by this method

10 Calculation of PID Control Variables Percent legitimate traffic –x(t) = 1 – (Attack Flow/Total Flow) Error used for future predictions –e(t) = z ideal (t-1) – z(t-1) –e(t) = ( 1 – (Limit / Flow(t-1) ) – z(t-1) Predicted block percentage –z(t) = c(t) + z(t-1)

11 Calculation of c(t) Proportional Control (P) –c(t) = K C [e(t)] Proportional Derivative Control (PD) –c(t) = K C [e(t) +  D d/dt( e(t) )] –d/dt( e(t) )  ( e(t-1) – e(t-2) ) /  t Proportional Integral Derivative Control (PID) –c(t) = K C [e(t) +  D d/dt( e(t) ) + (1/  I )  e(t) dt ] –  e(t) dt   t  e(i) {i = 1, t}

12 PID Simulation Results

13 PID Sim. Results (Cont’d)

14

15

16

17 Experiment Setup comm. server comm. client PID controller xenobaruntseizzy attacker firewall server

18 Assumptions of the Experiment Uniform packet weights –Equal impact on protected services One DDoS target Firewall servers in place Limited types of spoofed packets –Can not spoof across foreign networks All DDoS traffic is over TCP/IP*

19 Assumptions of the Experiment (cont’d) PID control parameters are static Attack packets are easily distinguished. –All packets are examined –100% accuracy All connections* are authenticated using SSL Attacks do not originate from inside the protected network Attacks do not bypass the TCP stack

20 Experiment Configurations Border router firewall –dummynet –ipfw ipfw pipe 1 config plr.50 Comm. Client, Attacker –Uses a Poisson probability distribution to calculate delay –Transmissions are single characters (SCTs) ‘ A’ for attack packet ‘B’ for legitimate packet –izzy had a majority of attack traffic with some legitimate traffic –baruntse had a majority of legitimate traffic with some attack traffic

21 PID Control within the Experiment  t = 20 seconds z(t) does not translate from packets to transmissions –z(t) =.60 dropped 95% of connections –z(t) =.05 dropped 39% of connections –z(t) =.01 dropped 8% of connections Maximum block z(t) set to 99%

22 Results of the Experiment P, PI, and PD Control 0 50 100 150 200 250 300 350 400 0 4186 127167207247296339380423 Time (sec) Results of Proportional, Proportional Integral, and Proportional Derivative Control Traffic (SCTs / second) Limit Baseline Pushback Kc = 1.2 Kc = 1.3, Td =.2 Kc = 1.5, Ti = 10

23 Results of the Experiment (cont’d)

24 Benefits of each PID control mode Proportional –Traffic is truly random, yet stabilizes around an average Proportional-Integral –As above, yet includes undetermined errors that can be compensated Proportional-Derivative –Traffic contains some non-linear patterns that shift from time to time Proportional-Integral-Derivative –Traffic that contains patterns and undetermined errors

25 Future Work Chaotic maps Multidimensional PID control Packet weights Support for non-border routers Commercial PID Controllers Faster, more accurate PID parameter tuning

Download ppt "Mitigating Distributed Denial of Service Attacks Using a Proportional- Integral-Derivative Controller Marcus Tylutki."

Similar presentations

Energy-Efficient Congestion Control Opportunistically reduce link capacity to save energy Lingwen Gan 1, Anwar Walid 2, Steven Low 1 1 Caltech, 2 Bell.

Energy-Efficient Congestion Control Opportunistically reduce link capacity to save energy Lingwen Gan 1, Anwar Walid 2, Steven Low 1 1 Caltech, 2 Bell.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
SCTP v/s TCP – A Comparison of Transport Protocols for Web Traffic CS740 Project Presentation by N. Gupta, S. Kumar, R. Rajamani.

SCTP v/s TCP – A Comparison of Transport Protocols for Web Traffic CS740 Project Presentation by N. Gupta, S. Kumar, R. Rajamani.
Cloud Control with Distributed Rate Limiting Raghaven et all Presented by: Brian Card CS 577 - Fall 2014 - Kinicki 1.

Cloud Control with Distributed Rate Limiting Raghaven et all Presented by: Brian Card CS Fall Kinicki 1.
FLAME: A Flow-level Anomaly Modeling Engine

FLAME: A Flow-level Anomaly Modeling Engine
Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.

Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.
PERSISTENT DROPPING: An Efficient Control of Traffic Aggregates Hani JamjoomKang G. Shin Electrical Engineering & Computer Science UNIVERSITY OF MICHIGAN,

PERSISTENT DROPPING: An Efficient Control of Traffic Aggregates Hani JamjoomKang G. Shin Electrical Engineering & Computer Science UNIVERSITY OF MICHIGAN,
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Security Firewall Firewall design principle. Firewall Characteristics.

Security Firewall Firewall design principle. Firewall Characteristics.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
AQM for Congestion Control1 A Study of Active Queue Management for Congestion Control Victor Firoiu Marty Borden.

AQM for Congestion Control1 A Study of Active Queue Management for Congestion Control Victor Firoiu Marty Borden.
Detecting Network Intrusions via Sampling : A Game Theoretic Approach Presented By: Matt Vidal Murali Kodialam T.V. Lakshman July 22, 2003 Bell Labs, Lucent.

Detecting Network Intrusions via Sampling : A Game Theoretic Approach Presented By: Matt Vidal Murali Kodialam T.V. Lakshman July 22, 2003 Bell Labs, Lucent.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
A Poisoning-Resilient TCP Stack Amit Mondal Aleksandar Kuzmanovic Northwestern University

A Poisoning-Resilient TCP Stack Amit Mondal Aleksandar Kuzmanovic Northwestern University
بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.

بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
1 Emulating AQM from End Hosts Presenters: Syed Zaidi Ivor Rodrigues.

1 Emulating AQM from End Hosts Presenters: Syed Zaidi Ivor Rodrigues.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
Random Early Detection Gateways for Congestion Avoidance

Random Early Detection Gateways for Congestion Avoidance
1 CCNA 2 v3.1 Module 10. 2 Intermediate TCP/IP CCNA 2 Module 10.

1 CCNA 2 v3.1 Module Intermediate TCP/IP CCNA 2 Module 10.

Similar presentations

Ads by Google