• No results found

DDoS Attack Traceback

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "DDoS Attack Traceback"

Copied!
26
0
0

Loading.... (view fulltext now)

Download now ( 26 Page )

Full text

(1)

DDoS Attack Traceback and Beyond

(2)

Outline



Existing DDoS attack traceback (or commonly called

IP traceback) schemes

*

 Probabilistic packet marking  Logging-based scheme

 ICMP-based scheme



Tweaking of DDoS attack traceback as a powerful



Tweaking of DDoS attack traceback as a powerful

DDoS remedy



Conclusion

(3)

Introduction to DDoS attack traceback



What DDoS attack traceback does mean?

 Determine the approximate origin of attack traffic



What DDoS attack traceback does not mean?

 Identifying attackers themselves requires forensic means



Why DDoS attack traceback is difficult

 IP address can be easily spoofed. Morris wrote, “The weakness in the

[Internet Protocol] is that the source host itself fills in the IP source

PAGE 3

[Internet Protocol] is that the source host itself fills in the IP source host ID, and there is no provision in… TCP/IP to discover the true origin of a packet.”

(4)
(5)

Probabilistic Packet Marking



Routers write their IP address in the IP packet header

probabilistically



Victim receives the marked packets and reconstructs the

attacking path from them



Use constant space in the packet header (e.g., IP identification

field) to carry traceback-related information

(6)
(7)

Research issues



Compressing traceback-related information to 16 bits of

packet identification field



Packet identification field is not usable under packet

fragmentation or IPv6



Traced packet authentication (MAC, time-released key chain,

etc.)

PAGE 7



Partial deployment with legacy routers



Time required for path reconstruction



DDoS attack path reconstruction

(8)

Logging-based scheme



Log packets at routers and use datamining techniques to

find path



An attack graph is constructed from a set of attack paths



Three entities to achieve traceback

 DGA (Data Generation Agent): Produces packet digests of each

departing packet and stores them in a digest table

 SCAR (SPIE* Collection and Reduction Agent): When attack is

detected, SCAR produces attack graph for it’s region detected, SCAR produces attack graph for it’s region

 STM (SPIE Traceback Manager): Interface to the intrusion detection

system. Gathers complete attack graph

(9)

Basic idea

(10)

Research issues



Privacy and storage size (Use hash and bloom filter)



Queries must be done very soon after the attack, unless the

routers have some way of offloading historical data



For packets transformed through tunnels, NATs,etc., keep TLT

(11)

ICMP-based scheme



Sample packet with low probability (1/20,000)



Copy packet data and path information (i.e., next and

previous hop information) into a ICMP packet



TTL field is set to 255, and is then used to identify the actual

path of the attack

(12)
(13)

Research issues



Large number of packets are required for path

reconstruction



Key distribution to authenticate ICMP packets



ICMP packets are differentiated and may be filtered or

rate-limited



Input debugging to generate ICMP packets is required

(14)

Existing schemes comparison

Router overhead Victim overhead Protocol change Bandwidth overhead ISP overhead Probabilistic Packet marking

High High Required N/A N/A

Logging Low Low N/A Low High

ICMP-based High High Required High N/A

CAVEAT: All the schemes require major infrastructure or

protocol change

(15)

Tweaking of DDoS Attack Traceback

for DDoS Remedy

(16)

Dilemma in DDoS defense and detection



Defense efficiency drops near victim

 Defense at the victim is too late to handle large volume  Intermediate link is already exhausted

 Hard to differentiate between legitimate and illegitimate traffic



Detection efficiency drops near source

 Not much clue to accurately detect far from victim

Misdetection is highly risky on legitimate traffic

 Misdetection is highly risky on legitimate traffic

High detection efficiency

High defense efficiency

(17)

Tweaking of DDoS attack traceback



DDoS attack traceback is

a key

to resolve the dilemma :

 Can take countermeasure near attack origin

 Can increase detection efficiency near attack origin. I.e., reduce

legitimate packet filtering



However, we need to tweak DDoS attack traceback to make it

practical and useful

Make traceback simple

PAGE 17

 Make traceback simple

 Use existing infrastructure for traceback  Add minimal overhead between ISP’s  Add defense with traceback information

(18)

Tweaked traceback

R5 R6 R7

R3 R4

R1 R2 A

R8 R9 STEP 1: Abnormality Detection

STEP 2: Abnormality Characterization STEP 4: Defense with help

of traceback information R10 V STEP 3: Abnormality searching

Utilize already available engines for step 1, 2, 4

Adding step 3 is trivial

(19)

Tweak I: Detection-assisted traceback



Monitoring sensor (e.g., traffic monitoring system) is

readily

available in most networks



Use spatio-temporal relation of abnormality

from monitoring

sensor for traceback



Abnormality can be

as simple as abnormal traffic pattern

destined to victim at given time slots

PAGE 19



Traceback can help distributed detection sensors to reduce

(20)

Cont’d

Destination addr Abnormality V ψ(t1, t2) … … … … Comparison between ξ(t1, t2) and ψ (t1, t2) ξ(t1, t2)

(21)

Tweak II: Traceback-assisted defense



Traceback allows attack source identification



Defense can be taken near attack sources after traceback

 Intermediate link is not exhausted

 Attack traffic is filtered out in distributed source networks



Traceback can help reduce negative impact on legitimate

traffic

Packets are filtered only when those are from traced routers

PAGE 21

(22)
(23)

Tweak III: Traceback-assisted countermeasure



Packet filtering

 Attack packets are filtered out and dropped at the ingress point

 How to distinguish between good packets and bad packet?



Rate-limiting

 Allows a relay node to control the transmission rate of specific traffic

flows

Rate-limiting mechanisms are deployed when attack detection has a

PAGE 23

 Rate-limiting mechanisms are deployed when attack detection has a

high false positive or cannot precisely characterize

 How much rate-limiting we need to apply?

(24)

Cont’d

Low matching level High matching level



Apply countermeasure based on

abnormality matching level

between victim and source networks



Apply packet filtering in good matching. Otherwise apply rate

limiting. By doing so, we can

reduce negative impact on legitimate

traffic and increase attack packet filtering

P(drop) Matching_level 1.0 MaxP MinThresh MaxThresh Packet filtering Rate-limiting P = MaxP • MaxThresh - MinTresh Matching_level - MinThresh

(25)
(26)

Conclusion



DDoS attack traceback provides

key information

for effective

DDoS remedy

 Can take defense near attack origin

 Can reduce legitimate packet filtering by misdetection  Can take effective countermeasure



Make traceback simple and plug it into existing DDoS

detection and defense mechanism

detection and defense mechanism



Inter-ISP cooperation is minimal but worth doing since it can

References

Download now ( PDF - 26 Page - 487.86 KB )

Related documents

The Legal Side of Evaluating Performance

Overhead 1: Performance Appraisals Should Be Based On Overhead 2: Communicate Expectations and Standards Overhead 3: Steps In The Legal Performance Evaluation2. Overhead

The Translation of Puns

This horizontal pun is based on the phonemic similarities between ‘vague’ and ‘vogue’. In the TT, the subtitler has rendered both meanings, but in a non-punning manner. In

Caseyev teorem

Po Caseyevom teoremu zakljuˇ cujemo da pripisane kruˇ znice trokuta i upisana kruˇ znica dodiruju kruˇ znicu devet toˇ caka.. 4.2

Diagnostic accuracy of chest X-ray dose-equivalent CT for assessing calcified atherosclerotic burden of the thoracic aorta

Advances in knowledge: Our findings suggest that ultralow-dose CT is an excellent tool for assessing the calcified atherosclerotic burden of the thoracic aorta with higher

Continued. Overhead 1. Overhead 2. Overhead 3. Chap 11 - Principle 7: Record-Keeping Procedures. Notes:

All product time bymonitoredperform theproduced during•Process validation study•Recording timing thehourly.hourly checks.the deviationof time and temperaturecharts movement ofwill

REDUCING PACKET OVERHEAD IN MOBILE IPV6

Although both route optimization and proposed mechanisms construct a tunnel to reduce delay and overhead regarded to communicate two mobile nodes, different overheads are used to

Protocol Overhead in IP/ATM Networks

It shows that an application is limited to 87% or less of the line speed in an IP-over-ATM environment, that most of the protocol overhead is due to the lower levels of the

VoIP Bandwidth Considerations - design decisions

Calculating bandwidth consumption for VoIP As seen above, the bandwidth required for VoIP will depend on several factors: the compression technology CODEC, packet