Professional Documents
Culture Documents
Disclaimer
This presentation is
*not* meant to be
complete.
Introduction
Mitigation
Conclusion
NIST [Ols95]
CERT [CERT97]
Definition
The prevention of authorised access to
resources or the delaying of time of critical
operations.
Actions that prevent a network element
from functioning in accordance with its
intended purpose. Network elements may be
rendered partially or entirely unusable for
legitimate users. Denial of service may
cause operations which depend on
timeliness to be delayed.
A denial-of-service attack is characterised
by an explicit attempt by attackers to
prevent legitimate users of a service from
using that service
Introduction
Mitigation
Conclusion
Agenda
Introduction
DoS attacks taxonomy
Some figures.
Conclusion
Introduction
Mitigation
Conclusion
DoS taxonomy
Degree of indirection
Computer B
TCP SYN
TCP SYN
TCP SYN
Internet
TCP SYN
TCP SYN
TCP SYN
TCP SYN
TCP SYN
Computer A
Introduction
Mitigation
Conclusion
DoS taxonomy
Degree of indirection
Attacker
Master
Attack B
Attack C
Attack B
Internet
Attack B
Slave C
Attack B
Attack C
Slave A
Slave D
Slave B
Victim B
Victim C
Introduction
Mitigation
Conclusion
DoS taxonomy
Degree of reflection
Attacker (A)
Deflector (B)
Source Address: C
Dest. Address : B
Internet
Source Address: B
Dest. Address: C
Victim (C)
Introduction
Mitigation
Conclusion
Characterization
Characterizable.
Filterable.
Non Filterable.
Non characterizable
Introduction
Mitigation
Conclusion
Network
Exploited Vulnerability
Semantic
Design level
Implementation level
Brute force
Introduction
Mitigation
Conclusion
Decreasing.
Fluctuating.
Impact
Disruptive.
Self recoverable.
Human recoverable.
Non recoverable.
Degrading.
None.
Introduction
Mitigation
Conclusion
P2P based. Registers with cache servers. Use P2P protocol for
communication (eg: Phatbot: Gnutella + WASTE)
Degree of automation
Relates to the various phases in a DDoS attack:
scanning,
exploitation,
installation,
attack control
Introduction
Mitigation
Conclusion
DDoS Tools
Usually integrate several type of attacks
Slave-Master Model
Uses CAST-256 encryption between master and slaves.
Communication using a protocol (UDP, ICMP, TCP) chosen randomly.
Does not use acknowledgements.
Introduction
Mitigation
Conclusion
Introduction
Mitigation
Conclusion
An expending business ?
From NANOG mailing List:
Date: Thu, 3 Jun 2004 23:32:19 -0700
From: <NANOG Mailing list>
Dear sirs.
Introduction
Mitigation
Conclusion
Attacks figures
Size (Overall)
Size (Flooding)
Source: Craig Labovitz, Bots, DDoS and Ground Truth. NANOG 50, 2010.
Introduction
Mitigation
Conclusion
Attacks figures
Target
Source: Craig Labovitz, Bots, DDoS and Ground Truth. NANOG 50, 2010.
Introduction
Mitigation
Conclusion
Attacks figures
Duration
Source: Craig Labovitz, Bots, DDoS and Ground Truth. NANOG 50, 2010.
Introduction
Mitigation
Conclusion
Prevention
Detection
Tracking
Suppression
(Post Mortem)
Prevention
Detection
Tracking
Suppression
Introduction
Mitigation
Prevention
Conclusion
Detection
Prevention
Tracking
Suppression
Customer side
Design more resilient protocols.
Implement more resilient software.
Protect end hosts (patching, anti virus, firewall).
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Suppression
TCP cookies
SYN (S->R)
Source Port (SP_S)
Offset
SYN/ACK (R->S)
Acknowledgment Number = 0
Reserv.
Flags
Windows (W_S)
Checksum
Offset
Urgent Pointer
Reserv.
Flags
Urgent Pointer
Options(MSS_R)
ACK (S->R)
Source Port (SP_S)
Windows (W_R)
Checksum
Options(MSS_S)
Offset
ACK (R->S)
Reserv.
Flags
Windows (W_S)
Checksum
Urgent Pointer
Offset
Reserv.
Flags
Windows (W_R)
Checksum
Urgent Pointer
/
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Suppression
TCP cookies
Store information in SN_R :
Co=counter%32
5 bits
T(MSS_S)
3 bits
Introduction
Mitigation
Prevention
Conclusion
Detection
Ingress Filtering
Tracking
Suppression
IETF BCP 38
Restrict the scope of addresses that can be used by the attacker.
Use ACL on routers.
Attacker
C
Network
R
I1
Filter
User
I2
A
Internet
Victim
B
Introduction
Mitigation
Prevention
Conclusion
Detection
Ingress Filtering
Tracking
Suppression
IETF BCP 38
High in the network. Increase
spoofing ability.
Low in the network. Increase
management burden.
Some protocol need to use
foreign address (e.g. Mobile IP)
Some other protocols need to use
special addresses (e.g. BOOTP)
Some performance issues.
Not widely implemented.
Attacker
C
Networ
k
R
User
A
I1
Filter
I2
Internet
Victim
B
Introduction
Mitigation
Prevention
Conclusion
Detection
uRPF
Tracking
Suppression
Other routers
Router
Routing
Routing RIB
Processor
Processor
FIB
FIB
FIB
FIB
FIB
Ports
Juniper M160
FIB
FIB
FIB
Line Cards
Introduction
Mitigation
Prevention
Conclusion
Detection
uRPF
Tracking
Suppression
Network
R
Outgoing Interface
I2
I1
I1
Filter
User
A
I2
Internet
Victim
B
Introduction
Mitigation
Prevention
Conclusion
Detection
uRPF
Tracking
Suppression
Loose mode.
Check that the receiving interface knows a path to the source.
Less secure (Source just needs to be routable).
Feasible mode.
Check that among the k paths to the source, that receiving interface is
among the n bests.
Security POV: Loose (n = k) < Feasible < Strict (n = 1).
Implementation varies.
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Suppression
Current state
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Suppression
Current state
2006
2011
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Suppression
Attacker
C
Network
R
I1
Filter
TTL=255
User
A
I2
Internet
TTL=238
Victim
B
TTL=243
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Suppression
Routes stability.
Not all existing sources have the same hop count.
Attacker
is not located close to the victim.
is not able to know hop count between arbitrary hosts and victim.
Implementation:
Use prefix based aggregation to limit size of HC[] table.
Similar work:
Generalized TTL Security Mechanism: RFC3682.
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Suppression
Prevention
Detection
Tracking
Suppression
(Post Mortem)
Prevention
Detection
Tracking
Suppression
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Suppression
Detection Taxonomy
Detection Model
Detection Location
Detection Co-operation
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Suppression
Detection Taxonomy
Detection Model
Knowledge based
Know what an attack looks like.
Mainly applies to vulnerabilities oriented attacks
eg: Snort rule for malformed request DoS attack on REAL audio server:
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"DOS Real Server
template.html"; flow:to_server,established;
content:"/viewsource/template.html?"; nocase;
reference:bugtraq,1288; reference:cve,2000-0474;
classtype:attempted-dos; sid:278; rev:5;)
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Suppression
Detection Taxonomy
Detection Model
Knowledge based main challenges
Obfuscation
Speed:
Faster pattern matching algorithms (1Gb/s).
FPGA based implementations (~5Gb/s).
Signatures construction
Discover new attacks (Honeypots, Sinkholes, Network telescopes).
Build new signatures rapidly and automatically.
Network/Transport based methods (eg. Estan SIGCOMM 02)
Application level (eg. Singh & al. OSDI 04, Kim & al. USENIX SEC 04)
Implementation at UCSD ~200Mb/s.
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Suppression
Detection Taxonomy
Detection Model
Behaviour based
Know how system usually behaves.
Changes in behaviour can only be explained by attack.
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Suppression
Detection Taxonomy
Detection location
Close to victim.
Detection is easy but result comes to late.
Close to attacker.
Because of distribution, attack events may be scarce.
Intermediate networks.
Need to interact with existing devices.
High speed processing.
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Suppression
Intermediate networks
Uncorrelated Data
Basic idea:
Normal operation yield fixed forward/backward traffic volume ratio.
DDoS generate variations of this ratio.
Univariate
Requests served
Server capacity
Requests received
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Suppression
Intermediate networks
Supports Aggregation
Basic idea:
It is not feasible nor effective to keep a state for each destination.
Create a data structure that allows asymmetry to be kept.
Large Variations
Structure represents
forward/backward ratio.
w.*.*.*
w.x.*.*
w.x.y.*
w.x.y.z
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Suppression
Challenges:
Instant variations sometimes do not provide enough information to
detect attacks.
Variations are small.
Attack diluted over time.
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Suppression
1.4
1.2
0
0
10
12
14
-1
0.8
0.6
-2
0.4
-3
0.2
-4
0
0
10
12
14
16
Random(x)
Expected mean: 0.5
18
20
-5
Random(x)+0.1
Expected mean: 0.5
16
18
20
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Suppression
Uncorrelated Data
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Suppression
Univariate
# 0<=Xn<=1
# c is the mean for Xn
# Xn < 0 when normal
# yn > 0
Detection:
Dn = 1 iff yn > T
Dn = 0 otherwise.
Results:
Traffic: 1500-4000 SYN packets/s.
Detects attacks as low as 35 SYN per second.
# T attack threshold
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Suppression
EWMA techniques
Measurable parameters.
Bits/s. EWMA for autocorrelated data (Ye & al, IEEE Transactions on
Reliability 03)
Bits/s. Holt-Winters Forecasting (Jake Brutlag, USENIX LISA 00).
Introduction
Mitigation
Prevention
Conclusion
Detection
Detection on the
operator side
Tracking
Suppression
Conclusion
Some products now implement similar techniques.
However:
Detection is today mostly performed on customer side.
Or close to customer.
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Suppression
Link between
customer and operator
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Suppression
Link between
customer and operator
Remote Triggered
Blackhole Capability
(Sprint, UUnet)
Triggers blackhole
creation inside ISP
network.
By sending a new
route advertisement
through BGP.
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Suppression
Link between
customer and operator
Attack signature
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Suppression
Prevention
Detection
Tracking
Suppression
(Post Mortem)
Prevention
Detection
Tracking
Suppression
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Suppression
Tracking
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Suppression
Tracking
Existing approaches
Extend flow information.
On each network device, send some identifying information to the
destination along with the flow.
Destination recovers identification information to guess the path to
packets sources.
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Extend Flow
Suppression
Traceback
Trace back
flows
Basics
Attacker 2
Routeur 0
Packet 2
Where is Packet
R1 coming from ?
Routeur 4
Packet 1
Packet 2
Packet 1
Routeur 1
Attacker 1
Packet 1
Where is Packet
R1 coming from ? Routeur 2
Packet 1
Victim
Packet 1
Routeur 3
Where is Packet
R1 coming from ?
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Extend Flow
Suppression
Traceback
Trace back
flows
Automated
Without pattern re-evaluation:
Dostrack, (MCI 1997).
Widely used
in practice
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Extend Flow
Suppression
Traceback
Trace back
flows
Preventive
Sample packet capture
Trajectory sampling (Duffield & al. 2001)
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Extend Flow
Suppression
Traceback
Reactive approaches
Router
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Extend Flow
Suppression
Traceback
Reactive approaches
dst_ip
194.yyy.yyy.2
194.yyy.yyy.2
194.yyy.yyy.2
194.yyy.yyy.2
194.yyy.yyy.2
in_if
29
29
29
29
29
out_if
49
49
49
49
49
s_port
1308
1774
1869
1050
2018
d_port
77
1243
1076
903
730
pkts
1
1
1
1
1
bytes
40
40
40
40
40
prot
6
6
6
6
6
src_as
xxx
xxx
xxx
xxx
xxx
dst_as
ddd
ddd
ddd
ddd
ddd
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Redirection
Suppression
Tracking
Reactive approaches
Advantages
Performance penalty very limited in any
situation.
Limited performance penalty in the best
case, Available on all versions.
ACL log
ACL debug
Largely available.
ACL log-input
Drawbacks
Limited availability (Version support),
Information not very synthetic.
Limited information, Performance penalty
without ACL speedup mechanisms,
Unpractical
Strong performance penalty without ACL
speedup mechanisms. Information not very
synthetic.
Strong performance penalty in any situation.
Information not synthetic.
Limited availability (Version support).
Limited availability (Version and device
support). Some performance penalty.
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Redirection
Suppression
Tracking
Reactive approaches
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Redirection
Suppression
Tracking
Reactive approaches
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Extend Flow
Suppression
Traceback
Reactive approaches
Detection.
Monitors line-card output queues (output queue recover traffics from several
incoming line-cards).
When packet loss bypass a given level, we recover rejected packets.
Rejected packets are the cause of the problem (independently from number
of packets).
Small flows may cause high rejection rate.
Packets recovered constitute a fair representation of rejected packets.
From recovered packets we can generate patterns describing aggregates.
Select the aggregate generating most of the packet loss.
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Extend Flow
Suppression
Traceback
Reactive approaches
Suppression:
Select interface with the largest contribution I1Ik.
Rate limit the aggregate matching the pattern on each contributing interface
Ij to pi.
Note that the rate limit does not alter conditions for sender/receiver !
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Extend Flow
Suppression
Traceback
Reactive approaches
A1
A2
R1
R2
R4
R6
A3
V1
R5
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Extend Flow
Suppression
Traceback
Reactive approaches
A1
A2
A3
Problems:
When do you stop tracking?
R1
R2
R3
R4
R5
R6
V1
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Suppression
Prevention
Detection
Tracking
Suppression
(Post Mortem)
Prevention
Detection
Tracking
Suppression
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
Suppression
Suppressing
attacks
At Victim premises
Filtering routers.
TCP_Intercept (Cisco)
Firewalls filtering well known DoS attack signatures.
On operator network
Redirection.
Ingress filtering/rate limiting.
ACLs, CAR.
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
At victim
Suppression
Operator
TCP Intercept
Basic idea:
Limit the number of TCP SYN requests directed to a host.
Queue TCP SYN request
Initial window
TCP SYN
Specific
Destination
TCP SYN ACK
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
At victim
Suppression
Operator
Redirection
Steps
Choose a not so important
blackhole router.
Modify address-name
mapping on customer side.
DNS update.
Blackhole
Operator
Network
Slave C
Slave A
Slave D
Victim B
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
At victim
Suppression
Operator
Redirection
Steps
Choose a not so important
blackhole router.
Modify address-name
mapping on customer side.
DNS update.
Blackhole
Operator
Network
Slave C
Slave A
Slave D
Victim B
Introduction
Mitigation
Prevention
Conclusion
Detection
Tracking
At victim
Suppression
Operator
Dropping/Rate limiting
Rate limiting
Use ACL to specify traffic. Actions more elaborate (drop, mark, permit).
Token Bucket (Burst Size, Mean Rate) to decide if flow is too aggressive.
No buffers involved.
Can be distributed using BGP.
Introduction
Mitigation
Conclusion
Existing products
Usually combine several mitigation phases.
Distributed in nature.
Some are used by network operators
Eg: AT&T (Riverhead), Qwest (Arbor), TELUS (Arbor).
Some operators develop in house products (eg: Sprint, France Telecom).
Main companies:
Introduction
Mitigation
Conclusion
Existing products
Riverhead networks (bought by Cisco).
Currently named Cisco Anomaly Guard/Anomaly Detector Modules.
Cisco
Cisco
Introduction
Mitigation
Conclusion
Existing products
Sprint cleaning center (Agarwal &al., Sprint lab TR, 2004)
Introduction
Mitigation
Conclusion
Mitigations means
From DDoS protection devices manufacturer.
Source: Craig Labovitz, Bots, DDoS and Ground Truth. NANOG 50, 2010.
Introduction
Mitigation
Conclusion
Introduction
Mitigation
Conclusion
Final words
Will we see DoS mitigation measures implemented in routers?
Technical perspective:
A lot of tools are already there.
ACLs, Netflow, NBar, QoS services, uRPF ...
Introduction
Mitigation
Conclusion
Final words
Will we see DoS mitigation measures implemented in routers?
Technical perspective:
1200
1000
Internet
traffic x2/yr
800
5x
600
400
Router capacity
x2.2/18 months
200
Source:
Mckeown, HPSR 2002
2002
2004
2006
2008
2010
2012