1 Design and Operational Characteristics of a Distributed Cooperative Infrastructure against DDoS Attacks
Georgios Koutepas, Fotis Stamatelopoulos, Vasilios Hatziyannakis, and Basil Maglaris
National Technical University of Athens, Greece
ECIW 2003, July 1, 2003

2 A Distributed Cooperative Infrastructure against DDoS Attacks – ECIW 2003
What is "Denial of Service"?
– An attack that suspends the availability of a service.
– Until recently the "bad guys" tried to enter our systems. Now it's: "If not us, then nobody."
– No break-in attempts, no information stealing, although DoS can be combined with other attacks to confuse Intrusion Detection Systems.
  – DoS: single, carefully crafted malicious packets sent against the target machine
  – Distributed DoS: traffic flows from many sources that exhaust network or computing resources
– No easy solutions! DoS is still mostly a research issue.

3 Main Characteristics of DoS
Variable targets:
– Single hosts or whole domains
– Computer systems or networks
– Important: active network components (e.g. routers) are also vulnerable and possible targets!
Variable uses and effects:
– Hacker "turf" wars
– High-profile commercial targets (or just competitors...)
– Useful in cyber-warfare, terrorism, etc.
February 7-11, 2000: big commercial sites (CNN, Yahoo, eBay) are taken down by flooding of their networks.
October 2002: attack against the root DNS servers.

4 Distributed DoS
[Figure: attacker X first takes control of "zombies" (pirated machines) in domains A and B (1. Taking control), then commands them to flood the target domain (2. Commanding the attack)]

5 A DDoS Attack Domain-wise
[Figure: the domains involved in an attack: the sources of the attack, the attack transit domains, innocent domains whose connectivity is nevertheless affected, and the target domain]

6 Reaction to DDoS
– Incoming traffic has to be controlled outside the victim's domain, at the upstream providers.
– Usually the source IPs of the attack packets are spoofed.
– The malicious flows have to be determined.
– The attack characteristics have to be communicated upstream. This is usually done manually and is an uncertain and time-consuming procedure.
– Filters that block the attack traffic must be set up and maintained, and their effectiveness must be verified.
– The bandwidth penalty is still present throughout all the affected networks.
– Actions are required on all the networks along the attack path.

7 Our Solution: An Inter-Domain Cooperative Infrastructure

8 Inter-Domain Cooperative Framework
[Figure: participating and non-participating domains; each participating domain runs a Cooperative Counter-DDoS Entity; notifications propagate by multicast; each Entity activates filters and reacts according to local policies]
– The Cooperative Counter-DDoS Entities constitute an overlay network.

9 The Entities
The Entities compose the infrastructure:
– They are the trusted points through which the domain participates in the infrastructure.
– They manage all communications and reaction within the domain.
– They sit on top of the local IDS hierarchy, so they combine the local picture with the one received from peers.
– They are controlled locally, according to the choices and policies of the administrator.
– Communications use multicast methods.
They can implement reaction filters on routers, BUT:
– The duration of the filters is controlled, the administrator is aware of them, and it is possible to adjust to shifting attack patterns.

10 Main Design Characteristics: Entity Implementation
– Lightweight and modular software architecture; different components perform the various tasks.
– Java Management Extensions (JMX) framework for control and configuration.
– Using the Intrusion Detection Message Exchange Format (IDMEF) in all messages achieves compatibility with standards and interoperability with installed IDS infrastructure.
– Multicast advantages:
  – Stealthy presence
  – Independence from a specific installation host
  – Possible parallel operation of backup Entities

11 Entity State Transition
[Figure: state transition diagram of an Entity]

12 Internal Entity Architecture
[Figure: internal architecture of an Entity]

13 What Happens during an Attack
[Figure: example topology with domains A, B, C, D, E, W, X, Y and Z; the attack targets D]

Path cases for domain B:
  Case  Situation
  1     B may be the source or on the attack path
  2     B is on the attack path
  3     B is the target of the attack
  4     B is out of the attack path

Message DB of the Entity at domain B:
  Alert  Sender  Source domain  Target domain  Next-hop domain  Event type
  1      A       W              D              B(125)           ICMP flood
  2      A       X              D              B(125)
  3      C       B              D              D
  4      C       Z              D              D
  5      D       C              D              N/A(125)         !

14 Policy Entries
Match event characteristics with the actions taken against the attack:
– Attack type
– Attack destination (target domain)
– Path positioning case
Custom-made actions to match the specific attack; reaction for a certain time.

Entry 1
  Matching part: destination D; attack type: DDoS packet type (*); path case 1 & 2
  Reaction part (duration 600 sec):
    a. Throttle traffic 25%
    b. Traffic coming from the source domain that gives path case 1
    c. Packet type: the one derived from the messages; destination D
Entry 2
  Matching part: destination *; attack type: DDoS packet type (*); path case 1 & 2
  Reaction part (duration 200 sec):
    a. Throttle traffic 50%
    b. Traffic outgoing in the direction of the target domain
    c. Packet type: the one derived from the messages; destination: the target domain
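Added example (Go; not code from the presentation or from the authors' Java/JMX prototype): an Entity at domain B runs the slide 13 Message DB through the path-case classification and then through the slide 14 policy table, producing the filter and its expiry. The classification rules (a peer reporting our domain as the flow's source gives case 1, a peer naming our domain as its next hop gives case 2), the "*" wildcard notation, and the struct and function names are assumptions; the alert rows and the policy values are the slides' own. The "(125)" annotations and the marker on alert 5 are not modelled.

```go
package main

import (
	"fmt"
	"time"
)

// Alert holds the Message DB columns of slide 13 (an IDMEF notification reduced
// to the fields that let an Entity place its own domain on the attack path).
type Alert struct {
	ID                                 int
	Sender, SourceDomain, TargetDomain string
	NextHop, EventType                 string // "" when N/A or not reported
}

type PathCase int // numbering as on the slide
const (
	CaseSourceOrOnPath PathCase = 1 // local domain may be the source or on the path
	CaseOnPath         PathCase = 2 // local domain is on the path
	CaseTarget         PathCase = 3 // local domain is the target
	CaseOutOfPath      PathCase = 4 // local domain is not involved
)

// ClassifyAlert derives the local domain's case from one alert. Assumed rules, read
// off the slide's rows: a peer naming us as the flow's source means we may originate
// or forward it (case 1); a peer naming us as its next hop means case 2.
func ClassifyAlert(local string, a Alert) PathCase {
	switch local {
	case a.TargetDomain:
		return CaseTarget
	case a.SourceDomain:
		return CaseSourceOrOnPath
	case a.NextHop:
		return CaseOnPath
	}
	return CaseOutOfPath
}

// Position merges all alerts about one attack into the most specific case.
func Position(local string, alerts []Alert) PathCase {
	rank := map[PathCase]int{CaseTarget: 3, CaseOnPath: 2, CaseSourceOrOnPath: 1}
	best := CaseOutOfPath
	for _, a := range alerts {
		if c := ClassifyAlert(local, a); rank[c] > rank[best] {
			best = c
		}
	}
	return best
}

// Policy is one row of the slide-14 table; "*" matches any destination or type.
type Policy struct {
	Destination, AttackType string
	PathCases               map[PathCase]bool
	ThrottlePct             int // "Throttle traffic N%"
	Duration                time.Duration
}

func (p Policy) matches(target, attack string, c PathCase) bool {
	return (p.Destination == "*" || p.Destination == target) &&
		(p.AttackType == "*" || p.AttackType == attack) && p.PathCases[c]
}

type Filter struct { // the reaction handed to the routers
	Target, PacketType string
	ThrottlePct        int
	Expires            time.Time // explicit duration: the admin knows when it lapses (slide 9)
}

// React applies the first matching policy entry; the packet type is "derived from the
// messages" (the last alert naming one). ok is false when no entry matches (case 3 or 4).
func React(policies []Policy, local string, alerts []Alert, now time.Time) (f Filter, ok bool) {
	attack := ""
	for _, a := range alerts {
		if a.EventType != "" {
			attack = a.EventType
		}
	}
	target, c := alerts[0].TargetDomain, Position(local, alerts)
	for _, p := range policies {
		if p.matches(target, attack, c) {
			return Filter{target, attack, p.ThrottlePct, now.Add(p.Duration)}, true
		}
	}
	return Filter{}, false
}

// The two tables as shown on the slides; both policy entries cover cases 1 & 2.
var (
	onPath         = map[PathCase]bool{CaseSourceOrOnPath: true, CaseOnPath: true}
	SlidePolicies  = []Policy{{"D", "*", onPath, 25, 600 * time.Second}, {"*", "*", onPath, 50, 200 * time.Second}}
	SlideMessageDB = []Alert{{1, "A", "W", "D", "B", "ICMP flood"}, {2, "A", "X", "D", "B", ""},
		{3, "C", "B", "D", "D", ""}, {4, "C", "Z", "D", "D", ""}, {5, "D", "C", "D", "", ""}}
)

func main() {
	f, ok := React(SlidePolicies, "B", SlideMessageDB, time.Now())
	fmt.Printf("B: matched=%v throttle %d%% of %q towards %s until %s\n", ok, f.ThrottlePct, f.PacketType, f.Target, f.Expires.Format(time.Kitchen))
}
```

With the slide's rows, alerts 1 and 2 give B case 2, alert 3 gives case 1, alerts 4 and 5 give case 4, so B's combined position is case 2 and entry 1 applies: a 25% throttle of ICMP flood traffic towards D that lapses after 600 seconds. For a target other than D only entry 2 matches, and the target domain itself (case 3) matches nothing in this table, which is consistent with the slide: the target's own filters buy it little, the reaction has to happen upstream.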

15 Additional Concepts
Security:
– The messages are encrypted against eavesdropping, BUT by symmetric cryptography. A key shared by the whole group gives confidentiality among its holders, but cannot tell a receiver which Entity sent a message.
– Additionally, the messages carry timestamps and digital signatures, to authenticate the sender and to reject replayed messages.
It is possible to create "communities" of Entities by multicast and distribute the notifications only within them:
– Geographically (by the TTL on the packets)
– According to common interests etc. (by different multicast groups)
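Added example (Go; not the authors' code): the message protection described above, with AES-GCM under a key shared by the whole multicast group for confidentiality, a per-sender Ed25519 signature for origin authentication, and a timestamp window plus nonce cache against replay. The presentation names no ciphers, so AES-GCM, Ed25519, the envelope layout, the 16-byte nonce and the 30-second window are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Envelope is the plaintext of one notification (slide 15's anti-replay fields plus a signature).
type Envelope struct {
	Sender    string `json:"sender"`
	Timestamp int64  `json:"ts"` // Unix seconds at the sender
	Nonce     []byte `json:"nonce"`
	Body      []byte `json:"body"` // the IDMEF document
	Sig       []byte `json:"sig"`  // Ed25519 over the four fields above
}

func signedBytes(e *Envelope) []byte {
	return []byte(fmt.Sprintf("%s|%d|%x|%s", e.Sender, e.Timestamp, e.Nonce, e.Body))
}

func gcm(groupKey []byte) cipher.AEAD {
	block, err := aes.NewCipher(groupKey)
	if err != nil {
		panic(err) // wrong key length is a configuration error
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// Seal signs with the sender's private key, then encrypts under the shared
// group key. Output layout: GCM nonce || ciphertext.
func Seal(groupKey []byte, priv ed25519.PrivateKey, sender string, body []byte, now time.Time) ([]byte, error) {
	e := Envelope{Sender: sender, Timestamp: now.Unix(), Nonce: make([]byte, 16), Body: body}
	rand.Read(e.Nonce) // crypto/rand.Read does not return an error on supported platforms
	e.Sig = ed25519.Sign(priv, signedBytes(&e))
	plain, err := json.Marshal(e)
	if err != nil {
		return nil, err
	}
	aead := gcm(groupKey)
	iv := make([]byte, aead.NonceSize())
	rand.Read(iv)
	return aead.Seal(iv, iv, plain, nil), nil
}

// ReplayCache remembers the nonces accepted inside the timestamp window.
type ReplayCache struct {
	Window time.Duration
	Seen   map[string]int64 // nonce -> message timestamp; must be non-nil
}

// Open is the receiving Entity's side: decrypt with the group key (proves the
// sender is a group member, nothing more), verify the signature against the
// claimed sender's public key (proves origin), then enforce the timestamp
// window and reject a nonce already seen. Every failure is an error.
func Open(groupKey []byte, pubs map[string]ed25519.PublicKey, msg []byte, now time.Time, rc *ReplayCache) (*Envelope, error) {
	var e Envelope
	aead := gcm(groupKey)
	if n := aead.NonceSize(); len(msg) < n {
		return nil, fmt.Errorf("message too short")
	} else if plain, err := aead.Open(nil, msg[:n], msg[n:], nil); err != nil {
		return nil, fmt.Errorf("decryption failed: not under the group key, or tampered")
	} else if err := json.Unmarshal(plain, &e); err != nil {
		return nil, err
	}
	if pub, ok := pubs[e.Sender]; !ok || !ed25519.Verify(pub, signedBytes(&e), e.Sig) {
		return nil, fmt.Errorf("no valid signature for sender %q", e.Sender)
	}
	if age := now.Sub(time.Unix(e.Timestamp, 0)); age > rc.Window || age < -rc.Window {
		return nil, fmt.Errorf("timestamp outside the acceptance window")
	}
	for k, ts := range rc.Seen { // forget nonces the window check would reject anyway
		if now.Sub(time.Unix(ts, 0)) > rc.Window {
			delete(rc.Seen, k)
		}
	}
	if _, dup := rc.Seen[string(e.Nonce)]; dup {
		return nil, fmt.Errorf("replayed message")
	}
	rc.Seen[string(e.Nonce)] = e.Timestamp
	return &e, nil
}

func main() {
	groupKey := make([]byte, 32) // shared by every Entity in the multicast group
	rand.Read(groupKey)
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubs, rc := map[string]ed25519.PublicKey{"A": pubA}, &ReplayCache{30 * time.Second, map[string]int64{}}
	msg, _ := Seal(groupKey, privA, "A", []byte("<IDMEF-Message/>"), time.Now())
	_, err1 := Open(groupKey, pubs, msg, time.Now(), rc)
	_, err2 := Open(groupKey, pubs, msg, time.Now(), rc) // the same datagram delivered twice
	fmt.Println("first delivery:", err1, "/ second delivery:", err2)
}
```

A receiver that checked only the timestamp would still accept a datagram replayed inside the window, which is why the nonce cache exists; it stays bounded because every nonce it holds is younger than Window, the age beyond which the timestamp check rejects the message anyway. The forged-origin case in the test is the one the slide's "BUT" hints at: a member that holds the group key can produce a ciphertext that decrypts fine, and only the signature check stops it from speaking as Entity A.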

16 Current Status
– Finished prototype.
– Placing a WAN emulation facility (Dummynet) between the Entities to test their behaviour during attacks:
  – Test the accuracy in setting up the right filters, at the right points
  – Determine the effects on non-attack traffic, and thus choose the right configuration parameters and filter durations
– Testing the effectiveness of a peer-to-peer communications scheme in addition to multicast.
– Developing the hot-spare concepts.
– Introducing the usage of advanced inference algorithms and/or expert systems.
– Plans to deploy it in the Greek Academic Network.

17 Conclusions
– It's not an IDS, but rather a "message management system", independent of the underlying detection technologies.
– Distributed framework that uses a cooperative inter-domain approach.
– Trusted partners, each deploying a local software Entity.
– Entities exchange security information so that positioning in the attack path is detected locally and without requiring traceback procedures.
– Reaction is activated in parallel, controlled at each domain by local policies.

18 Questions and Answers

