Pi: A Path Identification Mechanism to Defend Against DDoS Attacks


1 Pi: A Path Identification Mechanism to Defend Against DDoS Attacks
Abraham Yaar, Adrian Perrig, Dawn Song, Carnegie Mellon University {ayaar, perrig,
Presented and edited by Yongdae Kim

2 Outline
DDoS Attack/Defense Review
Goals/Main Idea
Pi Marking
Pi Filtering
Experimental Results
Discussion
Conclusion

3 DDoS Review
Attackers compromise network hosts and flood the victim with packets
Overload packet processing capacity
Saturate network bandwidth
Spoofed source IP addresses evade network filters
[Figure: attack topology with routers RA, RB, RC, RX, RY, RZ; legitimate users (U) and attackers (A) send packets toward the victim]

4 RFC 3514
Security flag in IP header, by Steven Bellovin
Attackers must set the evil bit in malicious packets
Receivers can filter out evil packets
Challenge: deployment
April fools joke, but Pi achieves a similar property!

5 IP Traceback Defense
Victim reconstructs attack tree from address fragments
Disadvantages: slow reconstruction; multi-path reconstruction; assumes upstream ISP collaboration
[Figure: IP traceback topology with routers RA, RB, RC, RX, RY, RZ, users (U) and attackers (A); the victim reassembles the attack tree from address fragments carried in packets]

6 Other Strategies
Source Path Isolation Engine (SPIE): routers store packet hashes, recursive query to reconstruct path
Disadvantage: per-packet state at routers
Pushback Framework: routers identify attack packet characteristics, install upstream filter
Disadvantage: difficult to distinguish attack/user packets

7 Outline: DDoS Attack/Defense Review, Goals/Main Idea, Pi Marking, Pi Filtering, Experimental Results, Discussion, Conclusion

8 Goals – Ideal DDoS Defense
Fast: defense after a single attack packet; victim filters traffic; no dependency on upstream ISPs
Overhead: minimal computation/state at routers and victims
Interoperability: supports IP fragmentation
Incrementally deployable: additional deployment increases performance

9 Main Idea
Path “fingerprints”
Entire fingerprint in each packet
Incrementally constructed by routers along path
Victim rejects packets with attacker fingerprints (Pi-marks)
[Figure: routers RA, RB, RC, RX, RY, RZ with interface marks i1 … i7; packets from users (U) and attackers (A) accumulate the marks of the routers they traverse on the way to the victim]

10–12 Main Idea (animation of slide 9)
[Figure: the victim learns the Pi-marks of attacker packets; packets carrying those marks are rejected, packets with other marks are accepted]

13 Outline: DDoS Attack/Defense Review, Goals/Main Idea, Pi Marking, Pi Filtering, Experimental Results, Discussion, Conclusion

14 Pi Marking Scheme
Marking scheme: each router marks n bits into the IP Identification field
Marking function: last n bits of a hash (e.g. MD5) of the router IP address
Marking aggregation: router pushes its marking into the IP Identification field

15 Pi Marking
Queue-based marking: routers “push” their marking into the IP Identification field
Note: the victim’s local routers (in general, 3 or 4 hops) do not mark.
[Figure: attacker A → π → π → π → victim V; each marking router (π) shifts its 2-bit mark into the Identification field, shown with example marks 00, 11, 10, with xx denoting the field’s prior contents]

16 Legacy Routers
Legacy routers do not mark
Extensions: detect upstream legacy router; mark for previous legacy router; write-ahead improvement
[Figure: A → π → L → π → V; the legacy router L leaves the Identification field unchanged, shown with example marks 00 and 10]

17 Path Marking vs. Edge Marking
Collision in path marking: path(AC) = m_A m_C, path(BC) = m_B m_C; with probability 1/2^n, m_A = m_B
Edge marking: path(AC) = m_A' m_C1, path(BC) = m_B' m_C2, where m_C1 = h(IP_C || IP_A) and m_C2 = h(IP_C || IP_B)
The probability of a collision in a single mark is still 1/2^n, but the probability of identical marks for two paths joining at the same node becomes 1/2^(2n)
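As an added illustration, not code from the slides or from the Pi paper, the following Python simulates the marking scheme of slides 14–17: each router appends the last n bits of an MD5 hash of its address to the 16-bit Identification field, legacy routers skip, the victim's perimeter routers do not mark, and the edge-marking variant hashes the router address together with the previous hop. The router addresses, the "||" separator and n = 2 are constructed assumptions.

```python
import hashlib
from typing import Iterable, List, Optional

N_BITS = 2                          # marking bits per router (n = 2, as in the experiments)
ID_FIELD_BITS = 16                  # width of the IP Identification field
ID_MASK = (1 << ID_FIELD_BITS) - 1


def router_mark(router_ip: str, prev_hop_ip: Optional[str] = None) -> int:
    """Marking function: last n bits of MD5 over the router address (path marking),
    or over IP_router || IP_previous_hop when prev_hop_ip is given (edge marking)."""
    data = router_ip if prev_hop_ip is None else router_ip + "||" + prev_hop_ip
    return hashlib.md5(data.encode()).digest()[-1] & ((1 << N_BITS) - 1)


def push_mark(id_field: int, mark: int) -> int:
    """Queue-based aggregation: shift the field left by n bits and append the mark.
    Once the field is full, the bits of the routers farthest from the victim fall off."""
    return ((id_field << N_BITS) | mark) & ID_MASK


def pi_mark_path(path: List[str], legacy: Iterable[str] = (), edge: bool = False,
                 unmarked_tail: int = 0, initial: int = 0) -> int:
    """Simulate one packet travelling along `path` (router addresses, sender side first).

    legacy         -- routers that do not mark and leave the field untouched
    edge           -- edge marking (hash of router || previous hop); the first router has
                      no previous marking hop, so it falls back to hashing its own address
    unmarked_tail  -- routers nearest the victim that do not mark (victim's ISP perimeter)
    initial        -- Identification value the sender put in the packet (sender-controlled bits)
    """
    legacy = set(legacy)
    id_field = initial & ID_MASK
    prev_hop = None
    for ip in path[:len(path) - unmarked_tail]:
        if ip not in legacy:
            id_field = push_mark(id_field, router_mark(ip, prev_hop if edge else None))
        prev_hop = ip
    return id_field
```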

18 Pi Marking – IP Fragmentation
Problem: using deterministic values in the IP Identification field breaks fragmentation
Solution (suggested by Vern Paxson): don’t mark packets that may ever get fragmented, or that are fragments themselves; i.e. mark only packets with the DF (don’t fragment) bit set, or packets smaller than the smallest MTU
During a DDoS attack, drop packets that do not have the DF bit set

19 Outline: DDoS Attack/Defense Review, Goals/Main Idea, Pi Marking, Pi Filtering, Experimental Results, Discussion, Conclusion

20 Pi Filtering – Basic Scheme
Drop all packets whose Pi mark matches that of any attack packet
Assumption: victim can identify attack packets
Implementation overhead: memory is a bit vector of length 2^16 (8 kB); per packet, if (BitVec[PiMark] == 0) then accept() else drop(); a simple per-packet lookup

21 Pi Filtering – Thresholds
Problem: a single attacker causes multiple users’ rejections
Solution: assume, for a particular Pi mark i, a_i = number of attack packets and u_i = number of legitimate users’ packets
Victim chooses a threshold t; if the threshold condition holds (formula not shown in the transcript), packets with Pi mark i are kept
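An added example, not from the slides or the Pi paper: a victim-side Pi filter in Python covering the basic bit-vector scheme of slide 20 and the per-mark threshold of slide 21, scored with the acceptance ratios defined on slide 25. The slide does not show the threshold condition, so this code assumes a mark i is kept while a_i / (a_i + u_i) ≤ t; the packet traces are constructed.

```python
from typing import Dict, Iterable, Optional, Tuple

ID_FIELD_BITS = 16                                  # a Pi mark is the 16-bit Identification field


class PiFilter:
    def __init__(self, threshold: Optional[float] = None) -> None:
        self.threshold = threshold                  # None = basic scheme, else keep-threshold t
        self.bitvec = bytearray((1 << ID_FIELD_BITS) // 8)   # 8 kB bit vector, one bit per Pi mark
        self.a: Dict[int, int] = {}                 # a_i: attack packets seen with mark i
        self.u: Dict[int, int] = {}                 # u_i: legitimate packets seen with mark i

    def learn(self, mark: int, is_attack: bool) -> None:
        """Learning phase: the (omniscient) victim labels each packet and bootstraps the filter."""
        if is_attack:
            self.bitvec[mark >> 3] |= 1 << (mark & 7)
            self.a[mark] = self.a.get(mark, 0) + 1
        else:
            self.u[mark] = self.u.get(mark, 0) + 1

    def accept(self, mark: int) -> bool:
        """Attack phase: one lookup per packet, no per-packet state."""
        if self.threshold is None:
            # basic scheme: if BitVec[PiMark] == 0 then accept() else drop()
            return not (self.bitvec[mark >> 3] >> (mark & 7)) & 1
        a_i, u_i = self.a.get(mark, 0), self.u.get(mark, 0)
        # assumed threshold rule: keep mark i while its attack share a_i / (a_i + u_i) <= t
        return a_i == 0 or a_i / (a_i + u_i) <= self.threshold


def acceptance_ratios(filt: PiFilter, packets: Iterable[Tuple[int, bool]]) -> Tuple[float, float]:
    """Returns (user acceptance ratio, attacker acceptance ratio) over (mark, is_attack) packets."""
    sent = {False: 0, True: 0}
    accepted = {False: 0, True: 0}
    for mark, is_attack in packets:
        sent[is_attack] += 1
        accepted[is_attack] += 1 if filt.accept(mark) else 0
    return accepted[False] / sent[False], accepted[True] / sent[True]


# Constructed trace (mark, is_attack), three packets per endhost as in the learning phase:
# 0x1234 is attacker-only, 0xAAAA user-only, 0x0F0F shared by one attacker and three users.
TRACE = [(0x1234, True)] * 3 + [(0x0F0F, True)] * 3 + [(0x0F0F, False)] * 9 + [(0xAAAA, False)] * 3


def run(threshold: Optional[float] = None) -> Tuple[float, float]:
    """Bootstrap a filter on TRACE, then replay the same mix as the attack phase."""
    filt = PiFilter(threshold)
    for mark, is_attack in TRACE:
        filt.learn(mark, is_attack)
    return acceptance_ratios(filt, TRACE)
```

With the basic scheme the shared mark 0x0F0F drops nine user packets along with three attack packets; a 50% threshold keeps it, raising user acceptance at the cost of letting those three attack packets through.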

22 Outline: DDoS Attack/Defense Review, Goals/Main Idea, Pi Marking, Pi Filtering, Experimental Results, Discussion, Conclusion

23 Exp. Results – Attack Model
Two-phase DDoS model
Phase 1, learning phase: omniscient victim, filter bootstrapping; limited length (3 packets per endhost)
Phase 2, attack phase: Pi filter deployed; “unlimited” length (3 packets simulated)
Results presented for phase 2

24 Exp. Results – Setup
Two Internet topologies: Internet Map Project (81,953 unique endhosts); CAIDA Skitter Map (171,472 unique endhosts)
5,000 legitimate users, ,000 attackers
n = 2 bits
4-router non-marking ISP perimeter: marking by the victim’s ISP is unnecessary/undesirable

25 Exp. Results – Metrics
Filter errors: false positive = user packet dropped; false negative = attacker packet accepted
Acceptance ratio: percent of packets accepted by the victim out of total packets sent
Attacker acceptance ratio = false negative rate
User acceptance ratio = (1 – false positive rate)

26 Exp. Results – Basic Filter
DDoS protection
Accepted (with 10,000 unique attack paths): 60% of user traffic, 17% of attacker traffic
Downward slope due to “marking saturation”: all markings flagged as attacker

27 Exp. Results – 50% Threshold Filter Performance
Thresholds work!
Accepted (with 10,000 unique attack paths): 82% of user traffic, 22% of attacker traffic
Increased attack severity requires an increased threshold

28 Exp. Results – Legacy Routers
50% threshold used
Performance degradation is gradual
Some filtering accuracy remains even at 50% legacy routers
(Scale: 0 = random selection, 1 = perfect filter)

29 Exp. Results – Limited Capacity
Constraint: limit the maximum number of packets accepted
Strategy: accept the Pi marks with the lowest attack traffic first
Performance: 60% of server capacity goes to legitimate packets when total attack traffic is 170X of user traffic
Note: each attacker sends 10X the traffic of a legitimate user

30 Outline: DDoS Attack/Defense Review, Goals/Main Idea, Pi Marking, Pi Filtering, Experimental Results, Discussion, Conclusion

31 Other Applications
Help other anti-DDoS techniques
Pushback: filters that mask individual IP addresses can be very long; upstream path information improves filtering accuracy
IP traceback path reconstruction
IDS
ISPs use Pi to detect IP address spoofing

32 Discussion: Deployment Incentives
Lack of incentive for ingress filtering
Pi provides an incentive for the ISP: customers benefit from Pi marking; attackers within an ISP cause blocking of that ISP’s other customers; the ISP has an incentive to block the attack; incentives for ingress filtering
Market pressures drive Pi deployment: large-scale Internet sites > ISP > router manufacturer

33 Future Work
Advanced marking schemes: use a combination of XOR and shift
Advanced dynamic filters
Problems: “nearby” attackers always have attacker-initialized bits in their markings; route changes cause Pi mark variations
Solution: machine learning techniques identify marking commonalities (i.e. longest-prefix matching for nearby attackers)

34 Related Work
IP traceback: itrace, SPIE
PEIP – Path Enhanced IP (CS3-Inc.): adds a 16-byte path to each packet; routers mark within the 16-byte path

35 Pi: Conclusions
Disadvantages of current DDoS defenses: slow; high overhead; assumes ISP collaboration
Pi provides DDoS protection: after the first identified attack packet; minimal overhead at routers and endhosts; maintains IP fragmentation; no inter-ISP cooperation; great incremental deployment properties

