
1 Defending against Large-Scale Distributed Denial-of-Service Attacks
Department of Electrical and Computer Engineering, Advanced Research in Information Assurance and Security (ARIAS) Lab, Virginia Tech
Jung-Min Park

2 Overview of DoS Attacks
- What is a DoS attack? An attack that disrupts network services to legitimate clients.
- Large-scale Distributed DoS (DDoS) attack of Feb. 2000: a DDoS attack took down Yahoo, eBay, and Amazon.com; the outage caused millions of dollars in lost revenue.
- Hundreds of attacks are observed each day.
- Global corporations lost over $1.39 trillion in revenue due to security breaches in 2000, and over 60% of that is attributed to viruses and DoS attacks (http://www.captusnetworks.com/BeenDoSd.pdf).
- FBI reports indicate DoS attacks are on the rise.

3 Taxonomy of DoS Attacks
- Attacks that exploit system design weaknesses: Teardrop attack, Ping-of-death attack, Land attack, SYN flood attack
- Attacks that exploit the weakness of particular protocols: attacks against authentication protocols, attacks against key agreement protocols
- Attacks that exploit the asymmetry between "line rate" and the throughput of hosts and routers: flooding-based DDoS attacks

4 Flooding-based DDoS Attacks
- Exploits the asymmetry between "line rate" and the throughput of hosts and routers
- A large volume of packets is sent toward a victim, consuming the victim's bandwidth and processing power
- DDoS attacks use attack handlers and zombies to hide the identity of the real attacker

5 Lines of Defense Against DDoS Attacks
- Prevention and preemption (before the attack): apply software patches; SYN cookies, client puzzles; design DoS-attack-resistant systems; overlay networks
- Detection (during the attack): signature (misuse) detection; anomaly detection
- Mitigation and filtering (during the attack): client puzzles; aggregate filtering, pushback; overlay networks
- Attack source traceback and identification (during and after the attack): IP traceback by packet marking; IP traceback by packet logging; "attack traceback"

6 TRACK: A New Approach to IP Traceback

7 The IP Traceback Problem
- IP traceback strategies: Probabilistic Packet Marking (PPM); Packet Logging
- (Figure: attack detection at the victim; traceback to the zombie's border router)

8 Limitations of Current IP Traceback Schemes
- They do not support last-hop traceback
- Packet logging schemes: significant computation overhead on routers; significant storage overhead on routers
- Packet marking schemes: not scalable, because the complexity of the path reconstruction process increases rapidly as the number of attackers increases; a large number of packets must be collected before reconstruction can start

9 rouTer poRt mArking and paCKet filtering (TRACK)
Objectives:
- Reduce the computational complexity of path reconstruction
- Reduce the number of packets that need to be collected
- Support last-hop traceback
- Support gradual deployment
- Filter attack traffic using the traceback information
(Figure: attack detection at the victim; router port marking for traceback; packet filtering at the border router of the zombies)

10 Basic Principles of TRACK
A string composed of locally unique router interface port numbers is a globally unique identifier of a path: a port number may repeat on different routers, but starting from the victim's first-hop router, each port selects exactly one neighbor, so the sequence of port numbers determines the path.

11 Marking Traceback Information in the IP Header (figure only)

12 Router Port Marking Procedure
- Active Port Marking Mode (APMM), entered with probability p: set Marking Flag = 1, Distance = the low 5 bits of the TTL (TTL mod 32), XOR = Port Number, Port Number = this router's port number
- Passive Port Marking Mode (PPMM), with probability 1 − p: if Marking Flag = 1, XOR = XOR ⊕ Port Number; otherwise the packet is forwarded unchanged

13 Path Reconstruction Process of TRACK
Objective: recover the port number sequence of an attack path and convert it into a sequence of router IP addresses
Approach:
- Distribute the path reconstruction process among the victim's upstream routers (victim → attacker's border router), similar to Pushback
- Employ a trace table and trace packets
- Use the same information to filter attack traffic at the border router of the attacker
Computational complexity: O(N^2)

14 Path Reconstruction Process of TRACK (example)
- Assume C3 is sending packets to V; M is in APMM; F, B, and A are in PPMM
- At M (APMM): MKF = 1, XOR = PN = 18, Distance = TTL mod 32 = 254 mod 32 = 30
- At V: MKF = 1, PN = 18, Distance = 30, TTL mod 32 = 27, XOR = 2 (= 18 ⊕ 47 ⊕ 34 ⊕ 21); d = 30 − 27 = 3

15 Path Reconstruction Process of TRACK (example, continued)
d = Distance − TTL5; XOR(d+1) ⊕ PN(d+1) = XOR(d), i.e. XOR(d) = PN(0) ⊕ … ⊕ PN(d) with XOR(0) = PN(0).
Rows run from A (the router closest to V) out to M (the router in APMM):

Router  Hop count d  Port number PN(d)  XOR(d)
A       0            21 [010101]        21
B       1            34 [100010]        55 (55 ⊕ 34 = 21)
F       2            47 [100111]        16 (16 ⊕ 47 = 55)
M       3            18 [010010]        02 (02 ⊕ 18 = 16)

XOR(3) = 02 is the value V received, so the router whose port completes that value (M, port 18) is the last hop. C3's path: 21-34-47-18.
Note: the bit string the slide shows for F's port, 100111, is 39, not 47; the XOR column is consistent with the bit strings (16 ⊕ 39 = 55), whereas with 47 = 101111 the value received at V would be 10 rather than 2.
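The marking rule of slide 12 and the hop-by-hop XOR check of slides 14 and 15, as an added simulation. This is example code written for this page, not the TRACK authors' implementation. It assumes that each router records in its trace table the port on which a given attack flow arrives (that is what lets reconstruction look up PN(d) at each hop), and it uses the decimal port numbers the slides list (21, 34, 47, 18), so the value received at V is 10 rather than the 2 the slide derives from its bit strings. The peeling in reconstruct() walks the slide's XOR(d) column in the opposite direction: removing PN(0) … PN(d−1) from the received value must leave exactly PN(d). The expected-packet formula p·(1 − p)^k is this example's own derivation (border router in APMM, the k routers below it in PPMM), not a number taken from slide 16.

```python
"""Simulation of TRACK-style router port marking and the XOR peeling used to rebuild the path."""
import random
from dataclasses import dataclass

TTL_MOD = 32        # the Distance field stores the low 5 bits of the TTL (slide 12)
PORT_MASK = 0x3F    # 6-bit port numbers, i.e. router degree up to 64 (slide 29)


@dataclass
class Mark:
    """The marking fields TRACK carries in the IP header."""
    mkf: int = 0        # marking flag
    distance: int = 0   # TTL mod 32 at the router that entered APMM
    xor: int = 0        # XOR of the port numbers from that router down to the victim
    port: int = 0       # port number written by the APMM router


@dataclass
class Router:
    name: str
    port: int   # port this attack flow traverses; assumed to be recorded in the router's trace table


def mark_at_router(mark, port, ttl, apmm):
    """One router's marking step: APMM overwrites the fields, PPMM only folds its port into XOR."""
    port &= PORT_MASK
    if apmm:
        return Mark(mkf=1, distance=ttl % TTL_MOD, xor=port, port=port)
    if mark.mkf == 1:
        return Mark(mkf=1, distance=mark.distance, xor=mark.xor ^ port, port=mark.port)
    return mark


def send(path, ttl, apmm_at):
    """Forward one packet from the attacker's border router (path[-1]) to the victim behind path[0].

    apmm_at(hop) decides whether the router at that hop is in APMM for this packet.
    Returns the mark and the TTL as seen at the victim.
    """
    mark = Mark()
    for hop in range(len(path) - 1, -1, -1):
        ttl -= 1                                   # every router decrements the TTL
        mark = mark_at_router(mark, path[hop].port, ttl, apmm_at(hop))
    return mark, ttl


def reconstruct(mark, ttl_at_victim, path):
    """Peel port numbers hop by hop from the victim outward.

    V receives PN(0) ^ PN(1) ^ ... ^ PN(d). After removing PN(0) .. PN(d-1) the
    residual must be exactly PN(d), the port of the router that entered APMM;
    any other residual means the mark is inconsistent and it is rejected.
    """
    if mark.mkf != 1:
        return None
    d = (mark.distance - ttl_at_victim) % TTL_MOD   # 5-bit field: paths of 32+ hops alias
    if d >= len(path):
        return None
    residual = mark.xor
    ports = []
    for hop in range(d + 1):
        port = path[hop].port
        ports.append(port)
        if hop == d:
            return ports if residual == port else None
        residual ^= port
    return None


def expected_packets(p, downstream_hops):
    """Expected packets until a mark from the border router reaches V unmodified.

    The border router must enter APMM (probability p) and none of the downstream_hops
    routers between it and V may overwrite the mark (each stays in PPMM with probability 1 - p).
    """
    return 1.0 / (p * (1.0 - p) ** downstream_hops)


def packets_until_full_path(path, p, ttl, seed, limit=100_000):
    """Monte Carlo: how many packets V must see before it reconstructs the whole path once."""
    rng = random.Random(seed)
    full = [r.port for r in path]
    for n in range(1, limit + 1):
        mark, ttl_v = send(path, ttl, lambda hop: rng.random() < p)
        if reconstruct(mark, ttl_v, path) == full:
            return n
    return None


# Constructed topology from slide 14: C3 -> M -> F -> B -> A -> V, with the decimal
# port numbers the slide lists; M is the border router of the zombie C3.
PATH = [Router("A", 21), Router("B", 34), Router("F", 47), Router("M", 18)]


def slide14_mark():
    """M in APMM, F/B/A in PPMM; TTL 255 on entry, so M sees 254 after decrementing (Distance = 30)."""
    return send(PATH, 255, lambda hop: hop == 3)


if __name__ == "__main__":
    m, ttl_v = slide14_mark()
    print("Distance", m.distance, "TTL5 at V", ttl_v % TTL_MOD, "XOR", m.xor,
          "d", (m.distance - ttl_v) % TTL_MOD)
    print("reconstructed path", reconstruct(m, ttl_v, PATH))
    print("expected packets at p=0.04:", round(expected_packets(0.04, 3)),
          "observed:", packets_until_full_path(PATH, 0.04, 255, seed=1))
```

Two practical points the slides leave implicit are visible here: the Distance field is only 5 bits, so d is computed modulo 32 and paths of 32 or more hops alias, and any APMM event downstream of the border router overwrites its mark, which is why the victim needs on the order of 1/(p(1 − p)^k) packets rather than 1/p.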

16 Number of Packets Needed for Path Reconstruction (plots for p = 0.04 and p = 0.01)

17 False Positive Rate (plots: Skitter Internet map; complete tree topology model)

18 Gradual Deployment (plots: complete tree topology model; Skitter Internet map)

19 Chained Puzzles: A Novel Approach to IP-Layer Puzzles

20 Client Puzzle Protocols
- A technique used to mitigate DoS attacks that does not rely on distinguishing attack traffic from legitimate client traffic
- Puzzles are typically based on hard problems from cryptosystems: partial reversal (pre-image search) of a hash function; exhaustive key search in a private-key (symmetric) cryptosystem

21 Basic Principles of Chained Puzzles
- Puzzle algorithm: exhaustive key search of XTEA6, a truncated version of the XTEA encryption algorithm
- Puzzle Routers: puzzle distribution and verification are performed by the "first-hop" border router, called a Puzzle Router
- Puzzles are enabled by downstream Puzzle Routers

22 Message Exchange Between Puzzle Routers
Downstream Puzzle Routers enable puzzles at the upstream Puzzle Routers

23 Optimal Location for Detection and Mitigation
- Detection: DDoS attacks are detected most easily near the server or the main victim of the attack (packet loss, heavy congestion, etc.)
- Mitigation: preventing or mitigating an attack is best performed as close to the source of the attack as possible

24 Puzzle Distribution
How do we distribute puzzles?
- Easy in TCP: the 3-way handshake
- IP is connectionless, but a client puzzle protocol is connection oriented:
  1. Client asks for a puzzle
  2. Server sends the puzzle to the client
  3. Client solves the puzzle and sends the solution back to the server
- Solution: puzzle solution chaining

25 Puzzle Solution Chaining
- When puzzles are enabled, a "bootstrapping" procedure is needed to create the first puzzle
- Subsequent puzzles are created by the client independently
- The current solution becomes the plaintext for the next puzzle

26 Puzzle Solution Chaining (cont'd)
- The client creates a chain of puzzles
- The Puzzle Router reissues the puzzle challenge periodically

27 Probabilistic Verification
- Puzzle Routers verify incoming puzzle solutions according to a given probability
- This increases the performance and throughput of the Puzzle Routers
- Trade-off: with verification probability q, a packet carrying a bogus solution is forwarded unchecked with probability 1 − q, so q balances router load against the fraction of unsolved traffic that leaks through
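The puzzle primitive of slide 21, the chaining of slides 24 to 26 and the probabilistic verification of slide 27, as one added example. This is illustrative code written for this page, not the authors' Puzzle Router implementation, and it fixes details the slides leave open: "XTEA6" is taken to mean XTEA reduced to 6 cycles; a puzzle is an exhaustive search over the unknown low bits of the key's last word, and a key counts as a solution when the low target_bits bits of the ciphertext match a router-chosen target (a partial match rather than a full ciphertext, which is what lets the client build puzzle i+1 from solution i without another router message, as slide 25 requires); the link index is mixed into each chained plaintext so that no two links repeat; and packets of one chain are assumed to arrive in order (a deployable router would have to tolerate reordering). All nonces, keys and client names are constructed.

```python
"""Chained IP-layer client puzzles on reduced-round XTEA with probabilistic verification at a Puzzle Router."""
import random

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9
ROUNDS = 6          # assumption: "XTEA6" is XTEA with 6 cycles instead of the standard 32
SEARCH_MARGIN = 12  # unknown key bits = target bits + margin, so a solution exists with overwhelming probability


def xtea_encrypt(block, key, rounds=ROUNDS):
    """XTEA on a 64-bit block (as an int) under a key of four 32-bit words."""
    v0, v1 = (block >> 32) & MASK32, block & MASK32
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & MASK32
        s = (s + DELTA) & MASK32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & MASK32
    return (v0 << 32) | v1


def puzzle_key(prefix, x):
    """128-bit key: three known words plus a fourth whose high bits are known and low bits are the unknown x."""
    k0, k1, k2, k3_hi = prefix
    return (k0, k1, k2, (k3_hi | x) & MASK32)


def next_plaintext(index, prev_solution):
    """Chaining rule from slide 25: the current solution becomes the next plaintext.
    Mixing in the link index is this example's choice, so that no two links share a plaintext."""
    return ((index & MASK32) << 32) | (prev_solution & MASK32)


def link_ok(plaintext, prefix, target, target_bits, x):
    """Verification is a single encryption: the low target_bits of E_K(plaintext) must equal target."""
    ct = xtea_encrypt(plaintext, puzzle_key(prefix, x))
    return (ct & ((1 << target_bits) - 1)) == target


def solve(plaintext, prefix, target, target_bits):
    """Exhaustive search over the unknown key bits; about 2**target_bits encryptions on average."""
    for x in range(1 << (target_bits + SEARCH_MARGIN)):
        if link_ok(plaintext, prefix, target, target_bits, x):
            return x
    return None


class PuzzleRouter:
    """First-hop border router: bootstraps one chain per client, then spot-checks links."""

    def __init__(self, target_bits=12, verify_prob=0.25, rng=None):
        self.target_bits, self.verify_prob = target_bits, verify_prob
        self.rng = rng or random.SystemRandom()   # OS CSPRNG for nonces; a seeded Random only for tests
        self.state = {}                           # client -> chain state
        self.verified = 0

    def bootstrap(self, client):
        """Create the first puzzle (slide 25) and return the challenge sent to the client."""
        low = (1 << (self.target_bits + SEARCH_MARGIN)) - 1
        prefix = tuple(self.rng.getrandbits(32) for _ in range(3)) + ((self.rng.getrandbits(32) & ~low) & MASK32,)
        st = {"prefix": prefix, "target": self.rng.getrandbits(self.target_bits),
              "index": 0, "plaintext": self.rng.getrandbits(64)}
        self.state[client] = st
        return dict(st, target_bits=self.target_bits)

    def accept(self, client, index, x):
        """Per-packet decision: True forwards the packet, False drops it."""
        st = self.state.get(client)
        if st is None or index != st["index"]:
            return False   # no chain, or out of order (a deployable router must tolerate reordering)
        if self.rng.random() < self.verify_prob:
            self.verified += 1
            if not link_ok(st["plaintext"], st["prefix"], st["target"], self.target_bits, x):
                return False
        st["index"] += 1
        st["plaintext"] = next_plaintext(st["index"], x)   # advance on the claimed solution
        return True


class Client:
    """Solves the bootstrap puzzle, then creates every later puzzle itself from the chain."""

    def __init__(self, challenge):
        self.prefix, self.target, self.bits = challenge["prefix"], challenge["target"], challenge["target_bits"]
        self.index, self.plaintext = challenge["index"], challenge["plaintext"]

    def next_packet(self, cheat=False):
        x = 0 if cheat else solve(self.plaintext, self.prefix, self.target, self.bits)  # cheat: send without solving
        pkt = (self.index, x)
        self.index += 1
        self.plaintext = next_plaintext(self.index, x)
        return pkt


def run_chain(n_packets, seed, cheat=False, target_bits=10, verify_prob=0.5):
    """Returns (packets forwarded, packets actually verified) for one client over n_packets."""
    router = PuzzleRouter(target_bits, verify_prob, random.Random(seed))
    client = Client(router.bootstrap("c1"))
    forwarded = 0
    for _ in range(n_packets):
        index, x = client.next_packet(cheat)
        forwarded += router.accept("c1", index, x)
    return forwarded, router.verified


def reorder_check(seed=1, target_bits=10):
    """(solution verifies, out-of-order index rejected, in-order packet accepted)."""
    router = PuzzleRouter(target_bits, 1.0, random.Random(seed))
    ch = router.bootstrap("c")
    index, x = Client(ch).next_packet()
    ok = link_ok(ch["plaintext"], ch["prefix"], ch["target"], target_bits, x)
    return ok, not router.accept("c", index + 1, x), router.accept("c", index, x)
```

The asymmetry the slides rely on is visible in the code: solve() costs about 2^target_bits encryptions per link, link_ok() costs one, and accept() pays even that only with probability verify_prob. A cheating client that sends x = 0 without solving is caught the first time one of its links is actually verified, after which its chain is out of step and every later packet is dropped.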

28 Simulation Results: NPSR
Normal Packet Survival Ratio (NPSR): the percentage of legitimate packets that make their way to the victim in the midst of a DDoS attack

29 Future Work
IP traceback:
- Improve scalability
- Better support for gradual deployment
- Minimize the number of false positives
- Support IP fragments
- Support router degrees greater than 64
Client puzzle protocol:
- Specification of a Puzzle Router's functions
- Resolve protocol architecture issues
- Counter puzzle protocol circumvention
- Ensure fairness

30 Questions?

31 Conclusion
- Last-hop traceback capability: a step closer to attack traceback
- Support for gradual deployment: a more realistic solution
- Using the router port instead of the router as the atomic unit for traceback: fewer packets and less computational complexity for path reconstruction, finer granularity, and fewer false positives
- Attack detection at the victim and packet filtering at the zombies' border routers: the optimal location for each module

32 Backup

33 Path Reconstruction Process of TRACK (backup)
Objective and approach as on slide 13: recover the port number sequence of an attack path and convert it into a sequence of router IP addresses; distribute the reconstruction among the victim's upstream routers (victim → attacker's border router, similar to Pushback), using a trace table and trace packets, and reuse the same information to filter attack traffic at the attacker's border router; computational complexity O(N^2).

Two attack paths, rows running from A (the router closest to V) out to the routers in APMM (M and P); XOR(0) = PN(0) for the A rows, XOR(d) = XOR(d−1) ⊕ PN(d) beyond:

Router  Hop count d  Port number PN(d)  XOR(d)
A       0            21 [010101]        21
A       0            42 [101010]        42
B       1            34 [100010]        55 [110111] (55 ⊕ 34 = 21)
C       1            62 [111110]        20 [010100] (20 ⊕ 62 = 42)
F       2            47 [100111]        16 [010000] (16 ⊕ 47 = 55)
H       2            08 [001000]        28 [011100] (28 ⊕ 08 = 20)
M       3            18 [010010]        02 [000010] (02 ⊕ 18 = 16)
P       3            32 [100000]        60 [111100] (60 ⊕ 32 = 28)

Paths: 21-34-47-18 (via B, F, M) and 42-62-08-32 (via C, H, P). As on slide 15, F's bit string 100111 equals 39, not 47; the XOR column follows the bit strings.

34 Limitation of Current Attack Mitigation Schemes
- Problem: conventional countermeasures attempt to detect and filter at the same location
- Fact: attack detection is easier closer to the victim, while packet filtering is more effective closer to the attack source
- Solution: separate the two functions into separate modules

35 Attack Mitigation (Packet Filtering)
Possible locations for attack detection and packet filtering: at the victim; in the network; at the attack source
(Figure: attack detection; packet filtering)

36 Probabilistic Packet Marking (Basics)
- Routers probabilistically mark packets with fragments of their IP addresses
- The Identification field of the IP header is used (the probability that a packet is an IP fragment is only about 0.25%)
- The victim collects the address fragments from many packets to reconstruct the attack path

37 Overhead of Packet Logging
For an OC-192 link:
- TRACK: 50k destination IP address insertions or updates per second; 900 MB/hour of storage, upper-bounded by 20 GB
- The scheme in [Snoe01]: 60 million hash operations per second; 44 GB of storage per hour, bounded by the maximum allowed traceback time
- The scheme in [Li04]: 8 million hash operations per second; 5.2 GB of storage per hour, bounded by the maximum allowed traceback time

38 False Positive Analysis (plot only)

39 Gradual Deployment
- Neighbor-Discovery Handshake Protocol
- Jump back to the source during path reconstruction

