Source-End Defense System again st DDoS attacks Fu-Yuan Lee, Shiuhpyng Shieh, Jui-Ting Shieh and Sheng Hsuan Wang Distributed System and Network Security Lab. Department of Computer Science and Information Engineering National Chiao Tung University WADIS‘03
28
Embed
Source-End Defense System against DDoS attacks Fu-Yuan Lee, Shiuhpyng Shieh, Jui-Ting Shieh and Sheng Hsuan Wang Distributed System and Network Security.
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Source-End Defense System against DDoS attacks
Fu-Yuan Lee, Shiuhpyng Shieh, Jui-Ting Shieh and Sheng Hsuan WangDistributed System and Network Security Lab.
Department of Computer Science and Information EngineeringNational Chiao Tung University
WADIS‘03
2
Outline
Introduction to DDoS attacks. Current DDoS defense strategies Review of D-WARD Proposed DDoS defense scheme Evaluation Conclusions and future work
3
DDoS attacks
What is a Denial-of-Service (DoS) attack Degrade the service quality or com
pletely disable the target service by overloading critical resources of the target system or by exploiting software bugs.
What is a Distributed DoS (DDoS) attack The objective is the same with DoS
attacks but is accomplished by a of compromised hosts distributed over the Internet.
4
Mechanisms against DDoS attacks (1)
Victim-end Most existing Intrusion detection systems and DoS/DDoS tolerant syst
em design fall in this category. Used to protect a set of hosts from being attacked. Advantages and disadvantages
DDoS attacks are easily detected due to the aggregate of huge traffic volume.
From a network’s perspective, protecting is consider ineffective. Attack flows can still incur congestion along the attack path.
5
Mechanisms against DDoS attacks (2)
Infrastructure-based DDoS defense lines are constructed towards attack sources to reduce n
etwork congestion. Attack packets are filtered out by Internet core routers. Advantages and disadvantages
The effectiveness of filtering is improved. An Internet-wide authentication framework is required. Internet core routers must be upgrade to filter out attack packets in high sp
eeds
6
Mechanisms against DDoS attacks (3)
Source-end DDoS defense mechanism are used to prevent monitored hosts from particip
ating in DDoS attacks. Attack packets are dropped at sources. It allows preventing attack traffic fro
m entering the Internet. Advantages and disadvantages
The effectiveness of packet filter is the best. It is very hard to identify DDoS attack flows at sources since the traffic is not so
aggregate. It require the support of all edge routers.
In summary, source-end DDoS defense strategy is the most effective and with moderate deployment cost.
7
D-WARD: A Source-End DDoS defense scheme
J. Mickovic et al. “Attacking DDoS at the Source,” IEEE ICNP’02
Ideas behind D-WARD: DDoS attack flows can be identified by comparing flow statistics against normal flow models. Signals of DDoS attacks: High Packet loss rate:
The level of network congestion (or say packet loss rate) reflects on the ratio of number of packets sent to and received from the peer.
High packet sending rate: This may also indicate a DDoS attack A large number of connections to the peer
8
D-WARD: Architecture
Internet
Intranet/Sourcenetwork
ObservationComponent
Throttling Component
Classification
Statistics
Preprocessing
Cache table
Rate limiting rulesDestination A | limiting rate | timestamp
…………………….…………………….
Destination N | limiting rate | timestamp
9
D-WARD: Observation Component Gather per flow statistics
Flow: The aggregate traffic between monitored IP addresses and a foreign IP address.
Observation interval: A basic time frame for one observation The number of packet and bytes sent to and received from the peer The number of active connections
Legitimate flow model TCP flows:
Psent/Prcv < TCPrto (set to 3) ICMP flows:
Psent/Prcv < ICMPrto (set to 1.1) UDP flows:
nconn < MAXconn (set to 100) pconn > MINpkts (set to 1) Bsent < UDPrate (set to 10MBps)
10
Motivations
Using a global threshold of Psent/Prcv for TCP flows would result in high false positive and high false negative. In the following context, this ratio is denoted as O/I High false positive
flows with O/I greater than 3 in its normal operation would be classified as attack flows
High false negative low-rate attacks will not be detected. Consider a flow with O/I =1, then O/I
only reaches 2 when the packet loss rate is 50%.
In one word, using a single O/I threshold for
different flows is problematic.
11
Basic Idea Ideas behind the proposed scheme
Focus: detecting DDoS attacks based on TCP 96% of current attacks are based on TCP. Only 2% use UDP and 2% use I
CMP
The level of “congestion” should be determined according previous behavior of the each monitored flow.
Two more DDoS characteristics are utilized for detecting attacks Distribution: the number of hosts sending packets to the destination in eac
h observation period Continuity: reflect to the observation that a DDoS attack always lasts for a
n extended period of time.
12
Observations on normal traffics (1) Observation: Average O/I of different
flows rage from 3.68 to 0.5 Flows with highest ratio:
Contains one ftp data connection. The flow last for 227 second. Total 86685 packet (68158 packet send out, 18527 packet send in) The average O/I is 3.68. Standard deviation=0.16. Packet loss rate is 0%.
Standard deviation of the monitored flow are low (usually smaller 1). It indicates that the O/I value of flows tend to be stable in their normal operation.
13
Observations on normal traffics (2)
Number of sources in each flow In each observation interval, most of flows have only one source host
sending packets to the peer.
14
Proposed DDoS detection scheme
There are two phases in our scheme. Learning phase: Define legitimate flow model Detection phase: Detect malicious flows and apply rate limit
Learning phase contains two steps. Step 1: determine the following thresholds
Tf: the maximum allowed O/I.
Nf: the mini-threshold of O/I.
c: a parameter used to quantify the level of distribution. Steps 2: derive other configuration parameters
α: a value indicating the possibility that the flow is malicious. It is generated according to the level of congestion and the level of distribution
αf : the maximum allowed value ofα
tf : the maximum allowed number of the times that αcan continually breaches αf
15
Flow Classification
Four types of traffic flows: Normal, Suspicious, Attack, and Transient.
Normal Flow
Suspicious Flow
Attack Flow
Transient Flow
tf
α f
less then α f
greater than α f
great than tfsamll than tf
Compliant for penaltyperiod
recovery phase
α greater α f
Derive α
Increase counter for tf
16
Generation of α
Generating α in an observation interval
Sf: : the number of source in the flow.
nf: : the O/I of the current interval.
λ: a magic number used to restrict α between 0 and 1. λ is a number between 0 and 1.
Characteristics of α It is between 0 and 1 It increases with nf . If nf approaches Tf, α approaches to 1
α increases with the number of sources in the flow.
Level of congestion
The impact of distribution
i
cS
i ff
fff
NT
Nn
/
1
1
17
Rate limiting and recovery Rate-Limiting
rl: imposed rate limit rate: realized sending rate Mini-rate: The lowest limited rate which can be imposed on network fl
ows. Recovery
If the attack flow show compliance with normal flow model for consecutive penalty observation periods, it is classified as transient, the recovery process begins.
Max-rate: Once the rate limit reaches Max-rate, it is classified as normal
dropsent
sent
PP
Praterlrl
)1(),min(
dropsent
sent
PP
Prlrl
1
18
Thresholds Configuring thresholds and other parameters:
Observation period = 1 second Tf: The maximum of the observed O/I * 2 Nf: the average O/I c: the maximum number of sources in a flow in the monitored network. αf: the averageαin the learning process. tf: the maximum consecutive number of time that αexceeds αf
λ= 0.5 Parameters learned from a monitored flow
Sending rate 10 pkts to the destination host per second. Maximum O/I is 1.25, Average O/I is 1.25