Published by Basil Wade. Modified over 9 years ago.

The Crossfire Attack
MIN SUK KANG, SOO BUM LEE, VIRGIL D. GLIGOR
ECE DEPARTMENT AND CYLAB, CARNEGIE MELLON UNIVERSITY
2013 IEEE Symposium on Security and Privacy

Outline
- INTRODUCTION
- THE CROSSFIRE ATTACK
- ATTACK PERSISTENCE AND COST
- EXPERIMENT SETUP AND RESULTS
- RELATED WORK
- CONCLUSION

INTRODUCTION – Old DDoS
- Typical attack: floods a server with HTTP, UDP, SYN, ICMP, ... packets
- Persistence: maximum 2.5 days, average 1.5 days
- Adversary's challenge: DDoS attacks are either persistent or scalable to N servers
  - N traffic to 1 server => high-intensity traffic triggers network detection
  - Detection not triggered => low-intensity traffic is insufficient for N servers

INTRODUCTION – Crossfire Attack
- Link flooding by botnets cannot be easily countered
- Spoofed IP addresses.
- Can flood links without using unwanted traffic.
- Launch an attack with low-intensity traffic flows that cross a targeted link at roughly the same time and flood it.

INTRODUCTION – Crossfire Attack
A link-flooding attack that persistently degrades or cuts off the network connections of a scalable N-server area.
- Scalable N-server areas: N = small (e.g., 1-1000 servers), medium (e.g., all servers in a US state), large (e.g., the West Coast of the US)
- Persistent:
  - Attack traffic is indistinguishable from legitimate traffic
  - Low-rate, changing sets of flows
  - Attack is a "moving target" for the same N-server area
  - Changing target links before triggering alarms

INTRODUCTION – Definitions

INTRODUCTION – 1 link crossfire
Attack flows => Indistinguishable from legitimate

INTRODUCTION – 1 link crossfire
Attack flows => Alarms not triggered
Link-failure detection latency:
- Interior Gateway Protocol (IGP) routers (OSPF): default waiting time 40 sec, failure detection 217 sec
- Exterior Gateway Protocol (EGP) routers (BGP): default waiting time 180 sec, failure detection 1,076 sec

THE CROSSFIRE ATTACK
- Public servers: to construct an attack topology centered at the target area
- Decoy servers: to create attack flows

ATTACK - Step 1: Link Map Construction (72%)
(1) Traceroute (B->S)
(2) Link-Persistence

ATTACK - Step 2: Attack Setup
(1) Flow-Density Computation
(2) Target-Link Selection
DR: Degradation Ratio

ATTACK - Step 3: Bot Coordination
(1) Attack-Flow Assignment
(2) Target-Link Flooding

ATTACK PERSISTENCE AND COST
Data-Plane-Only Attack: Indefinite Duration
- Link failure detection
- Traffic engineering
Proactive Attack Techniques: Rolling Attack
- Maintaining the same target links: changes bot and decoy servers
- Maintaining the same target area: changes target links

ATTACK PERSISTENCE AND COST
- Attack bots available from Pay-Per-Install (PPI) markets [2011]
- In experiments: 49% in US or UK, 37% in Europe, 14% rest of the world
- 10 target links: can be as low as 107,200 bots. Cost approximately $9K

EXPERIMENT SETUP AND RESULTS
Bots: 1,072 traceroute nodes
- 620 PlanetLab nodes
- 452 LG (Looking Glass) servers

EXPERIMENT SETUP AND RESULTS
Decoy servers:
- 552 institutions (i.e., universities and colleges) on both the East Coast (10 states) and West Coast (7 states) of the US
- 2737 public web servers within Univ1 in Pennsylvania
- 7411 public web servers within Univ2 in Massachusetts

EXPERIMENT SETUP AND RESULTS
Target Areas:

EXPERIMENT SETUP AND RESULTS
Link map
- Run a traceroute six times to diagnose link persistence

EXPERIMENT SETUP AND RESULTS
Average rate when flooding 10 Target Links against Pennsylvania

The Coremelt Attack

“Spamhaus” Attack

RELATED WORK

CONCLUSION
Attack Characteristics
- Undetectability at the Target Area
- Indistinguishability of Flows in Routers
- Persistence
- Flexibility
New DDoS Attack: The Crossfire Attack
- Scalable & Persistent
Internet-scale experiment
- Feasibility of the attack
- High impact with low cost

Q&A