• No results found

How To Stop A Ddos Attack On A Network From Tracing To Source From A Network To A Source Address

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "How To Stop A Ddos Attack On A Network From Tracing To Source From A Network To A Source Address"

Copied!
14
0
0

Loading.... (view fulltext now)

Download now ( 14 Page )

Full text

(1)

Inter-provider Coordination for Real-Time

Tracebacks

Kathleen M. Moriarty

MIT Lincoln Laboratory

2 June 2003

This work was sponsored by the Air Force Contract number F19628-00-C-002.

(2)

Real-time Inter-network Defense (RID)

Proposed Internet Draft Standard to provide framework for ISPs to communicate and trace attacks to source

Standardization of inter-provider coordination by leveraging existing relationships between operators

Use existing standards to facilitate acceptance by router and Network Management System vendors

Integration of existing tracing mechanisms across network borders

Address need for policy on communication issues to coordinate traces between networks

(3)

Goals

Real time method to mitigate effects of DoS or DDoS attack

Capability to continue traces through upstream networks

– Addresses inter-Network communication issues

Social Technical

– Respect network boundaries

Integrate existing trace implementations

– Ability to trace attack back to valid/spoofed source address

Use existing infrastructure for attack detection and trace

Network statistics used to detect variations in traffic typesCompensate for network events to reduce false positivesBackbone outage or network event

Flexible

(4)

Communication via RID-DoS

Target of Attack Client ofPink

Network ISP Network ofAttack Target ISP Network ofAttack Source

Source of Attack Client on Blue Network

RID-DoS

RID-DoS

Intermediate

Network RID-DoS RID-DoS

Trace takes place across the network

Trace takes place across the network

(5)

Trace Mechanism

ISPs and researchers have been working on trace solutions since the beginning of the DoS attacks in the 90s

Difficult problem to solve

– Network resources limited, especially during attack

Network equipment resources close to capacity Promiscuous listening devices as an alternative

– Privacy issues and concerns must be addressed

Tracing Internet traffic

Saving data of established Internet connections

– Potentially thousands of hosts involved in an attack

Small streams of traffic from a particular host Multiple types of traffic

Source addresses may be spoofed

Possible solutions across a single network

– Network flow analysis – Hash-based IP Traceback – ICMP Traceback

(6)

Parameters for Trace Approaches

Many solutions require IP header information as parameters to trace request

Time range of attack

RID-DoS would need to incorporate the following parameters for Flow analysis or filter approaches

– Non-changing fields of IP header – IP protocol

– IP source address and port

– IP destination address and port – TCP flags

– Packet size

– Start and stop time traffic detected

Hash based IP Traceback also requires 1st 8 bytes of the

(7)
(8)

Communication Between Networks

Establish trusted communications with border networks

Established through peering relationships

Legal issues addressed in ISP peering agreementMay be a value added service to clients

Contact information for peers established as peering points are enabled (ASNs)

Messaging and Communication methods must be secure

Consider an out of band network linking these systems between ISPs Link Layer connections to prevent access from Internet

IPSec tunnels established between border network management systems

Authentication of requestPrivacy considerations

Trusted NMS systems must be secure at each ISP

Physical Access Control, Authorization, Access Controls, Authentication

Must ensure the RID-DoS messages reach their destination

Must not cause a Denial of Service

(9)

RID-DoS Notification / Attack Mitigation

Proposal provides Inter-ISP communication to support continued trace to attack source

RID-DoS messages are text

– Parsed at receiving host

– Trace continuance must be authorized

– Trace continuance may be automated based on confidence

rating

Notification of the status of the trace is sent back to the originator of the trace as it traverses multiple networks

– Must be passed through each NMS in path

Notification sent to trace originator upon completion

– Source of attack found

– Action taken included in communication

Blocked at source assists in mitigating or stopping the DoS or DDoS attack

(10)

RID-DoS Traces

DDoS Attack

– Multiple traces initiated

– Initiating management system must queue requests and limit

to a reasonable number of traces

– Management systems in path can defer traces if large number

of requests received

Capacity of network and RID-DoS system may determine limit

Types of attacks

– Distributed Denial of Service

Reflection

Fragmented packets

Multiple identical packets from various sources

– Security incident

(11)

Email Based Test

Email system implemented for initial testing

Test between several systems sending trace requests, trace authorization, and trace completed messages

Next step would be to test system across real network boundaries using various trace mechanisms on the respective networks

Comma delimited email message parsed via perl script

Fields used match that of the three message types

Contact Information Table for Border Networks, ASN also used

Encrypt, decrypt, and sign messages

S/MIME via PKI, or PGP

Digital signatures used in packet implementation can be implemented through S/MIME for simplicity in testing

Information Exchanged when Establishing Peer Relationship

Obtain contact information for peers

Tracking mechanism used to ensure traces are not duplicated

(12)

RID Testing

Two trace types of single

network traces used in testing

Libpcap data

Search on stored data

Dynamic implementation of

filters to match packet in trace request

Netflow

Search on stored data

Dynamic implementation of

filters to match packet in trace request

Communication via email

Located packet using data contained in trace requests

Originate Trace Request

Send notification messages to originating server

Trace Authorization Source Found

(13)

Current Issues

Involves entire Internet community, ISPs internationally

Additional motivation needed for ISPs to work on solution

Funding needed for resources

– People, Equipment, etc.

Consensus needed from ISPs and vendors on RID-DoS messaging formats and capabilities of trace continuance

– Support needed in trace management systems used by ISPs – Information passed between networks

– Ability to decide if a trace will continue on your network

Additional feedback needed on current draft revision

Have received some input from a few ISPs that would be interested in working on this

(14)

Summary

Uses existing network infrastructure, routers and switches, to perform traces

– Could use promiscuous sniffers as an alternative for

monitoring devices

Various Trace implementations must be considered to carry the appropriate trace information in RID-DoS messages

RID-DoS messaging used to communicate with systems on border networks to enable inter-network tracing capability

Social issues need to be addressed

– Motivation to use system

References

Download now ( PDF - 14 Page - 301.80 KB )

Related documents

Understanding the dual perspectives on workforce diversity in a British police service.

A limited number of studies have focussed on what employees think about diversity and the possibility that the level of shared perspectives on diversity could influence work relations

Competencies for community psychology practice in Spain: Standards, quality and challenges in social intervention

supervised practice refer to activities such as assessment of social needs, analysis of community readiness, social skills training, initiatives for community prevention and

Quality Model for Massive Open Online Course (MOOC) Web Content

From the extensive study on MOOC literature and content providers' testimony, the 7C’s model categories are modified and customized to adjust the context of

Improving Outcomes for Infants with Single Ventricle Physiology through Standardized Feeding during the Interstage

The purpose of this quality improvement project was to im- plement an evidence-based standardized feeding approach, as recommended by the JCCHD-NPCQIC, for infants with single

GLOBAL PV MARKETS AND PERSPECTIVES

Primer loloquio para el fromento de energia fotovoltaica en Mexico 18 oil coal gas nuclear power hydroelectricity biomass (traditional) biomass (advanced) solar power (PV

Unlocking cancer glycomes from histopathological formalin-fixed and paraffin-embedded (FFPE) tissue microdissections

PGC nanoLC-ESI MS/MS glycom- ics performed on mounted FFPE preserved hepatic tissue sec- tions (both, H&E stained and unstained) resulted in the detection of 77 N-glycan and

Collaborative relationships between logistics service providers and humanitarian organizations during disaster relief operations

Purpose – The purpose of this paper is to explore barriers and benefits of establishing relationships between humanitarian organizations (HOs) and logistics service providers (LSPs)

Bronchiectasis and other chronic lung diseases in adolescents living with HIV

This is the first study to: 1) report a high prevalence of chronic respiratory symptoms, hypoxia and abnormal spirometry among adolescents with delayed diagnosis