D-WARD: DDoS Network Attack Recognition and Defense

PhD Qualifying Exam

Jelena Mirković
PhD Advisor: Peter Reiher

01/23/2002
Design and implement DDoS defense system
  – located at source network
  – autonomously detects and stops attacking flows
  – does not affect legitimate flows




                                                     2/39
                 Overview
•   Problem Statement
•   Related Work
•   Desirable Characteristics
•   D-WARD
•   Thesis Goals
•   Conclusion




                 What is a DoS Attack?




Problem Statement Related Work  Desirable Characteristics  D-WARD  Thesis Goals  Conclusion   4/39
              What is a DDoS Attack?




               DDoS Defense Problem
 •   Large number of unwitting participants
 •   No common characteristics of DDoS streams
 •   No administrative domain cooperation
 •   Automated tools
 •   Hidden identity of participants
 •   Persistent security holes on the Internet



                        DDoS Prevention
• Compromise prevention
    – security patches
    – virus detection programs
    – intrusion detection systems (IDS)
    High deployment cannot be enforced




                            DDoS Defense
[Figure: the three places a DDoS defense can sit: SOURCE NETWORK, INTERMEDIATE NETWORK and VICTIM NETWORK]

                           Victim Network
• Intrusion Detection Systems
• On-off control approach
• Router monitoring tools (CISCO)

      + Victim can successfully detect the attack
      - Victim is helpless if:
         attack consists of legitimate packets or
         attack is of large volume



                 Intermediate Network
•   WATCHERS
•   Traceback
•   Pushback
•   Spoofing prevention

     + Routers can effectively constrain/trace the attack
     - Possible performance degradation
     - Interdomain politics of isolation
     - Attack detection is hard
     - Communication has to be secured
                          Source Network
• MULTOPS

     + Source routers can effectively
       constrain/trace the attack
     + Internet resources are preserved
     - Attack detection is hard
     - Many deployment points needed for high efficacy




            Desirable Characteristics
REQUIRED
• High security
• Reliable attack detection
• Independent detection and response
• Low performance cost

OPTIONAL
• Incremental benefit with
  incremental deployment
• Handle recurring attacks
• Traceback
• Cooperation

                                   D-WARD
•   DDoS defense system in Source Network
•   Source Router detects attack and responds
•   Monitors the two-way traffic
•   Suspect flows are rate-limited
•   Further observations lead to
    decrease or increase of rate-limit




                    System Architecture
[Architecture figure: the OBSERVATION COMPONENT collects TRAFFIC STATISTICS at the SOURCE ROUTER, which sits between the SOURCE NETWORK and the INTERNET, and keeps them in a STATISTICS CACHE; CLASSIFICATION compares the statistics with the MODEL CACHE and labels each flow NORMAL, TRANSIENT or ATTACK; the THROTTLING COMPONENT turns these labels into RATE LIMIT RULES installed on the source router]

                    Statistics Gathering
•   Statistics help discover difficulties
•   Only IP header data is used
•   Statistics classified per peer IP address
•   Statistics cache size is limited
    and the cache is purged periodically:
    – Records for normal flows deleted
    – Records for transient and attack flows reset




                           Traffic Models
 • TCP requires proportional reverse flow
 • Non-TCP traffic requires NO reverse flow
 • Non-TCP servers usually send
   constant amount of packets/Bytes
   per second to a given peer

                           Traffic Models
 Model of normal TCP traffic:
      – low ratio of number of sent/number of
        received packets
 Model of normal non-TCP traffic:
      – mean and standard deviation of number of sent
        packets/Bytes for certain destination
 Non-TCP models created in training phase




                    Flow Classification
 Comparison with models of normal traffic
      – compliant - within limits of the model
      – attack - outside of model limits
 Well behaved or not
      – normal - well-behaved compliant flows
      – transient - non well-behaved compliant flows
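The statistics-gathering, traffic-model and flow-classification slides above describe one pipeline: per-peer counters built from IP headers, compared against a TCP ratio model and a trained non-TCP mean/standard-deviation model, then labelled normal, transient or attack, with a periodic cache purge. The following Python sketch is an added example of that pipeline, not D-WARD's own code. The numeric limits (`TCP_MAX_RATIO`, `NONTCP_SIGMA`), the rule that a flow is "well behaved" once it has gone `GOOD_INTERVALS` observation intervals without an attack classification, the treatment of a full cache and of non-TCP peers without a model, and the sample traffic in `demo()` are all assumptions made for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumed parameters: the slides name the models but give no numeric limits.
TCP_MAX_RATIO = 3.0   # sent/received packet ratio above which TCP lacks a proportional reverse flow
NONTCP_SIGMA = 3.0    # tolerated standard deviations around the trained per-peer mean
GOOD_INTERVALS = 3    # attack-free intervals before a compliant flow counts as well behaved


@dataclass
class NonTcpModel:
    """Model of normal non-TCP traffic to one peer: mean and std. dev. of packets per interval."""
    mu: float
    sigma: float


def train_non_tcp(samples):
    """Training phase: build a per-peer model from per-interval packet counts."""
    return NonTcpModel(mean(samples), pstdev(samples))


@dataclass
class FlowRecord:
    """Statistics kept per peer IP address, derived from IP-header fields only."""
    tcp_sent: int = 0        # TCP packets sent to the peer
    tcp_recv: int = 0        # TCP packets received from the peer
    other_sent: int = 0      # non-TCP packets sent to the peer
    attack_free: int = GOOD_INTERVALS   # intervals since the last attack label (assumption: new flows start clean)
    state: str = "normal"

    def clear_counters(self):
        self.tcp_sent = self.tcp_recv = self.other_sent = 0


class ObservationComponent:
    def __init__(self, non_tcp_models, max_records=1000):
        self.models = non_tcp_models      # model cache, filled in the training phase
        self.max_records = max_records    # the statistics cache size is limited
        self.cache = {}                   # statistics cache: peer IP -> FlowRecord

    def observe(self, peer, proto, outbound):
        """Account one packet exchanged with `peer` (proto 'tcp' or anything else)."""
        rec = self.cache.get(peer)
        if rec is None:
            if len(self.cache) >= self.max_records:
                return  # assumption: a full cache ignores new peers until the next purge
            rec = self.cache[peer] = FlowRecord()
        if proto == "tcp":
            if outbound:
                rec.tcp_sent += 1
            else:
                rec.tcp_recv += 1
        elif outbound:
            rec.other_sent += 1

    def _compliant(self, peer, rec):
        """Compliant = within the limits of the normal-traffic models."""
        if rec.tcp_sent and rec.tcp_sent / max(rec.tcp_recv, 1) > TCP_MAX_RATIO:
            return False  # TCP without a proportional reverse flow
        model = self.models.get(peer)
        if rec.other_sent and model is not None:
            if abs(rec.other_sent - model.mu) > NONTCP_SIGMA * model.sigma:
                return False  # non-TCP volume far from what this peer normally receives
        return True  # assumption: non-TCP peers without a trained model cannot be judged and pass

    def end_interval(self):
        """Classify every flow on this interval's counters; returns {peer: state}."""
        for peer, rec in self.cache.items():
            if not self._compliant(peer, rec):
                rec.attack_free = 0
                rec.state = "attack"            # outside the model limits
            else:
                rec.attack_free += 1            # compliant; well behaved only after enough clean intervals
                rec.state = "normal" if rec.attack_free >= GOOD_INTERVALS else "transient"
            rec.clear_counters()
        return {peer: rec.state for peer, rec in self.cache.items()}

    def purge(self):
        """Periodic purge: delete normal records, reset transient and attack ones (counters only)."""
        for peer in [p for p, r in self.cache.items() if r.state == "normal"]:
            del self.cache[peer]
        for rec in self.cache.values():
            rec.clear_counters()


def demo():
    """Constructed sample interval: a healthy TCP peer, a one-way TCP flood, a normal UDP peer."""
    oc = ObservationComponent({"10.0.0.3": train_non_tcp([48, 50, 52, 49, 51])})
    for _ in range(90):
        oc.observe("10.0.0.1", "tcp", outbound=True)
    for _ in range(80):
        oc.observe("10.0.0.1", "tcp", outbound=False)
    for _ in range(1000):
        oc.observe("10.0.0.2", "tcp", outbound=True)    # almost nothing comes back
    for _ in range(3):
        oc.observe("10.0.0.2", "tcp", outbound=False)
    for _ in range(51):
        oc.observe("10.0.0.3", "udp", outbound=True)
    return oc.end_interval()


if __name__ == "__main__":
    print(demo())
```

The pass-through for unmodelled non-TCP peers is the weak spot a deployer should notice: a flood toward a destination that never appeared in training is judged only by the TCP rule, so the training phase has to cover the peers that matter, or unknown non-TCP destinations need a default model.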




                 Throttling Component
 • ATTACK: Exponential decrease

$$\text{rateLimit} \leftarrow \min(\text{rateLimit},\ \text{rate}_{actual}) \cdot \text{DEC\_SPEED} \cdot \frac{B_{sent}}{B_{sent} + B_{drop}}$$

 • TRANSIENT: Slow recovery, linear increase

$$\text{rateLimit} \leftarrow \text{rateLimit} + \text{MIN\_RATE} \cdot \frac{B_{sent}}{B_{sent} + B_{drop}}$$

 • NORMAL: Fast recovery, exponential increase

$$\text{rateLimit} \leftarrow \text{rateLimit} \cdot \left(1 + \frac{B_{sent}}{B_{sent} + B_{drop}}\right)$$

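The three rate-limit rules on the throttling slide are easiest to understand when run over a few intervals. The Python below is an added example, not D-WARD's code: it applies the slide's ATTACK, TRANSIENT and NORMAL rules to a single flow and drives them with a constructed schedule of (state, offered rate) pairs. The values of `DEC_SPEED` and `MIN_RATE`, the use of infinity for "no rate limit", the one-second interval, and the convention that an idle flow counts as fully forwarded are assumptions made here.

```python
import math

# Assumed constants: the slide names DEC_SPEED and MIN_RATE but gives no values.
DEC_SPEED = 0.5       # fraction of the current rate kept per interval while a flow is ATTACK
MIN_RATE = 1000.0     # bytes/s added per interval while a TRANSIENT flow recovers
NO_LIMIT = math.inf   # a flow without a rate-limit rule (assumption)


def forwarded_fraction(b_sent, b_drop):
    """B_sent / (B_sent + B_drop): share of the flow's offered bytes that were forwarded."""
    total = b_sent + b_drop
    return 1.0 if total == 0 else b_sent / total  # idle flow: nothing was dropped (assumption)


def update_rate_limit(state, rate_limit, rate_actual, b_sent, b_drop):
    """One application of the slide's rule for a flow in the given state."""
    f = forwarded_fraction(b_sent, b_drop)
    if state == "attack":      # exponential decrease, starting from what the flow really sends
        return min(rate_limit, rate_actual) * DEC_SPEED * f
    if state == "transient":   # slow recovery: linear increase, scaled by the forwarded share
        return rate_limit + MIN_RATE * f
    if state == "normal":      # fast recovery: the limit grows by up to a factor of two
        return rate_limit * (1 + f)
    raise ValueError(f"unknown flow state {state!r}")


def simulate(intervals, start_limit=NO_LIMIT):
    """Drive the rules over constructed (state, offered_bytes_per_second) intervals of 1 s
    each; returns the rate limit in force after every interval."""
    limit = start_limit
    limits = []
    for state, offered in intervals:
        b_sent = min(offered, limit)       # what the limiter let through this interval
        b_drop = offered - b_sent          # what it dropped
        limit = update_rate_limit(state, limit, rate_actual=b_sent, b_sent=b_sent, b_drop=b_drop)
        limits.append(limit)
    return limits


def demo():
    """A 20 kB/s flow labelled ATTACK for three intervals; it then backs off to 100 B/s
    and is labelled TRANSIENT and then NORMAL while recovering."""
    return simulate([("attack", 20000), ("attack", 20000), ("attack", 20000),
                     ("transient", 100), ("normal", 100)])


if __name__ == "__main__":
    for step, limit in enumerate(demo(), 1):
        print(f"interval {step}: rate limit = {limit:.2f} B/s")
```

Two things the run makes visible: the attack rule keeps shrinking faster than `DEC_SPEED` alone, because a flow still pushing against its limit has a small forwarded share; and that same share is what makes recovery "slow" for a transient flow that keeps offering more than it is allowed, while a flow that has actually backed off (share 1) recovers at the full linear and then exponential pace.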
                             Experiment 1
[Topology figure: a CLIENT and two ATTACKERs on the source-network side of the ROUTER, the VICTIM on the far side]

                             Legitimate traffic to the victim
[Plot: legitimate traffic to the victim in Bps (0 to 25000) over Time (sec) from 0 to 200, with "attack starts" and "attack stops" marked; series: "Legitimate with response" and "Legitimate no response"]

                                 Attack traffic to the victim
[Plot: attack traffic to the victim in Bps (0 to 25000) over Time (sec) from 0 to 200, with "attack starts" and "attack stops" marked; series: "With response" and "Without response"]

                              Experiment 2
[Topology figure: a CLIENT and two ATTACKERs on the source-network side of the ROUTER, the VICTIM on the far side]

                             Low volume of normal traffic
[Plot: Percentage of forwarded traffic (0 to 1.2) over Time (sec) from 0 to 700, with "legitimate traffic starts", "attack starts" and "attack stops" marked; series: "Normal traffic" and "Attack traffic"]

                             High volume of normal traffic
[Plot: Percentage of forwarded traffic (0 to 1.2) over Time (sec) from 0 to 700, with "Legitimate traffic starts", "FTP starts", "attack starts" and "attack stops" marked; series: "Normal traffic" and "Attack traffic"]

                               Experiment 3
[Topology figure: a CLIENT and two ATTACKERs on the source-network side of the ROUTER, the VICTIM on the far side]

                             Number of forwarded legitimate packets
[Plot: Number of packets (0 to 200) over Time (sec) from 0 to 1000, with "Legitimate traffic starts", "FTP starts", "attack starts" and "attack stops" marked; series: "Attack, no response", "Attack, with response" and "No attack"]

                             Number of forwarded attack packets
[Plot: Number of packets (0 to 500) over Time (sec) from 0 to 1000, with "attack starts" and "attack stops" marked; series: "No response" and "With response"]

                              Experiment 4
[Topology figure: a CLIENT and two ATTACKERs on the source-network side of the ROUTER, the VICTIM on the far side]

                             Packet ratio threshold detection
[Plot: Percentage of forwarded traffic (0 to 1.2) over Time (sec) from 0 to 600, with "attack starts" and "attack stops" marked; series: "Normal traffic" and "Attack traffic"]

                             Non-TCP traffic model detection
[Plot: Percentage of forwarded traffic (0 to 1.2) over Time (sec) from 0 to 600, with "attack starts" and "attack stops" marked; series: "Normal traffic" and "Attack traffic"]

                     Summary of Results
+ D-WARD successfully detects
  and stops attacks
+ Legitimate clients from other domains
  benefit greatly
+ System is friendly to non-TCP traffic
– Legitimate TCP connections from source
  network are slowed down
– There is no fairness guarantee
  to normal flows
                        Attack Detection
 • Choice of monitored parameters:
       – reliability vs performance
       – separating legitimate from attack flows
 • Creation and update of models
 • Cooperation with other Source Routers
 • Cooperation with the victim
 • Recurring attacks

                         Attack Response
 • Effectiveness vs fairness of response
       – aggressiveness should depend on
         reliability of classification
       – design of feedback mechanism
 • Traceback of the attack
 • Interaction of multiple
   DDoS defense systems

                                    Security
 • Attackers follow developments in security
 • Attackers could attempt to avoid detection:
       – pulsing attacks
       – generating reverse packets
       – gradually use up victim's resources
       – mistrain models
 • Attackers could attempt to misuse the system:
       – drop legitimate packets
 • Attackers might DDoS Source Router

                    Partial Deployment
 • Effectiveness depends on
   degree of deployment
 • Does not protect deploying network
   so motivation is low
 • Legal factors could help
 • Additional incentive:
       – minimal changes to existing routers
       – low cost
       – good performance

        Deployment on Core Routers
 • Large coverage with fewer deployment points
 • Router performance must not be degraded
 • Rate limit has an impact on a large portion of
   flows, so few false positives are a must

                                     Timeline
[Gantt-style chart over Year 1 and Year 2 (Jan, Apr, Jul, Oct); approximate start of each numbered task read off the chart: 1 and 2 in Jan Y1, 3 and 4 in Apr Y1, 5 in Jul Y1, 6 and 7 in Oct Y1, 8 between Jan and Apr Y2, 9 between Apr and Jul Y2, 10 and 11 in Jul Y2, 12 in Oct Y2]

          1. Analysis of Internet traffic patterns
          2. Analysis of DDoS attacks
          3. Initial implementation of a software router
          4. Experimentation
          5. Investigation of monitoring strategies
          6. Investigation of response strategies
          7. Investigation of cooperation possibilities
          8. Security design
          9. Implementation in programmable router
              (joint work with other research group members)
          10. Investigation of partial deployment strategies
          11. Investigation of core router deployment
          12. Simulation (optional)

                              Conclusions
 • DDoS attacks are a serious threat
 • A design of an effective detection and response
   strategy is a must
 • D-WARD successfully detects and constrains
   the attacks but has an undesired impact on
   legitimate flows
 • Further research is needed to refine the system
   and devise a deployment strategy