A DoS-limiting Network Architecture

CSCE 715: Fall’06

Presentation by:

Amit Jain

Shantnu Chaturvedi

DoS (Denial of Service) Attacks

DoS (Denial of Service) Attacks

Goal: To prevent legitimate users from using some service Usually accomplished by exhausting some resources (ie, bandwidth, CPU,

memory) Intrinsic problem of Internet: any hosts can send packets to any other

hosts without first acquiring permission

Effects 2001 study shows 4000 attacks a week Can bring down DNS root servers Lost of business estimation are in the billions Online extortion

Possible Defenses

Ingress Filtering - Source address filtering To prevent spoofing IP address Need widespread deployment Ineffective with more sophisticated attack, ie DDoS

Traceback Locate the source of the disrupting packets Does not prevent DoS since an attacker can still use a short TTL

Pushback Signal upstream nodes to rate limit misbehaving nodes How do you distinguish good from bad traffic?

Possible Defenses

SIFF (Stateless Internet Flow Filter) Privileges & Unprivileged packet Routers Mark every packet Backward compatibility Marking space in the IP header. Routers mark every packet.

SIFF Packet Identifier Design

Flags field (3-bits). SF: Packet is non-legacy CU: Capability reply present or not

Capability: Marks modified by routers Capability-Reply: recipients to signal to sender a capability

Capabilities Senders obtain authorization from the receiver before sending the traffic

Anomaly detection Automated classification of “bad” flows Traffic flow and type information used

Possible Defenses

Problems with current approaches

Each solution addresses an aspect of problem and not the overall issue.

Do not provide a complete solution, either Lack scalability Require substantial change in hardware

Goal

Provide a “comprehensive” solution to DoS Receiver should also be able to control traffic

directed towards it Two legitimate nodes should be able to effectively

communicate even during attacks Bounded computation and memory Incrementally deployable Focus on lower-layer attacks (bandwidth, router

memory)

TVA

Traffic Validation Architecture Packet Capabilities Cut to the heart of DoS problems Destination control received packets Counters a broader set of attacks Automated validation of senders

Practical use of TVA

Can operate at Gigabit speed on inexpensive hardware

Incremental deployment. Backward Compatibility. Mix of spectrum of solutions. Fine-Grained access control.

Traffic Validation Architecture

1. Packets with Capabilities.

2. Bootstrapping Issues.

3. Destination Policies.

4. Unforgeable Capabilities.

5. Fine-Grained Capabilities.

6. Bounded Router State.

7. Efficient Capabilities.

8. Balancing Authorized Traffic.

9. Short, Slow and Asymmetric Flows.

1. Packets with Capabilities

Capability information present in each packets used by routers to provide preferential service.

Capabilities: Granted by destination . Unforgeable. Routers can trust packet capabilities without host authentication. Must be byte & time limited for destination cutoff. Add little overhead in computation and bandwidth.

2. Bootstrapping Issues

To avoid the attacks on request messages itself

Tags each request with a 16 bit value derived from the incoming hardware interface

Tags are used to queue the requests.

Connection request packets do not contain capabilities and are rate limited (5%) at all network locations.

Fair queuing of requests combined with path identifiers helps counter attacks from legitimate users.

3. Destination Policies

Client has only outgoing request. It accepts requests only if it relates to the previous request made by it.

Server grants the requests with initial number of bytes (N) and timeout (T).

Weak authentication of source address, so misbehaving senders are quickly contained by server.

Destination determines how to authorize request depending on role of destination in the network.

4. Unforgeable Capabilities

Should not be forgeable or usable if stolen.

Each Router generates own pre-capability and attaches it to the forwarded packet.

Each router changes it’s secret at twice the rate of timestamp rollover.

The destination receives a set of pre-capabilities that correspond to a specific network path with fixed source and destination addresses.

Once authorized, the destination sends a list of capabilities to the sender.

5. Fine Grained Capabilities

Routers perform the pre-capability hash check and capability hash check Check if their local time > original time stamp + T Check if N bytes have already been used for this connection To tackle this problem, limit the data flow rate (N) as well as the period

of validity (T) by returning these values to the sender. Router State is used to count the bytes sent so far.

6. Bounded Router State

The router state could be exhausted as it would be counting the number of bytes sent

Router state is only maintained for flows that send faster than N/T

When new packets arrive, a new state is created and a byte counter is initialized along with a time-to-live field that is decremented.

6. Bounded Router State

Consider the router creates a capability valid for t + T, then it allows data till the ttl field is decremented to zero, after which the router state is reclaimed

7. Efficient Capabilities

Capabilities should be efficient (Less overhead) as well as secure (long key length).

Long capabilities (64-bits) are used for security and then cached at routers for efficiency.

When a router receives a packet with a valid capability, it caches the capability relevant information and the flow nonce.

Subsequent packets then carry the flow nonce only and omit the list of capabilities.

Routers check the packets without capabilities using source & destination IP address and compare the cached nonce with the packet nonce.

Legacy packets are demoted by changing a bit in the capability header

8. Balancing Authorized Traffic

Authorized flows between attacker and colluder may be malicious.

Simply give each capability a reasonable share of the network bandwidth.

Users get decreasing share of network bandwidth as the network becomes busier.

A fair queuing policy is used where the queues are limited by a bounded policy. Queue only the flows that send faster then N/T.

The low rate flows are limited by FIFO service with drops depending on timing of arrivals.

9. Short, Slow and Asymmetric Flows

TVA experiences reduced efficiency only when the flows near the host are short; this can be countered by increasing the bandwidth

Effects on aggregate efficiency are small given that most bytes belong to long flows.

No overheads in exchanging handshakes.

All TCP connections between a pair of hosts are using a single capability. So, short flows are less likely.

The TVA protocol – Design Elements

Three Elements in protocol: Packets with capability information. Hosts as senders & destinations. Routers processing capability.

The TVA protocol

Packets with capability information: IP packet header extended with capability header. Request packets:-

Carry blank list of capabilities. Contain path identifiers filled by routers. Share an identifying pre-capability header.

Regular packets:- Packets that carry flow nonce and list of valid capabilities. Packets that carry only the nonce.

Renewal packets: A regular packet, used to establish new capabilities.

Demoted packets: A packet that does not pass the capability test, treated as legacy packet

The TVA protocol

Packets with capability information: Type field bits used to identify the type and format

Type and capability. Return information. Demoted packet.

The TVA protocol

Packets with capability information:

The TVA protocol

Hosts as senders & destinations:

Sender sends request as part of TCP SYN.

If destination chooses to authorize, it sends response with TCP SYN/ACK.

To refuse transfer, destination sends empty capability list with TCP RST.

The TVA protocol

Routers processing capability:

Processing of packets by capability information. Sharing capacity of outgoing link between three classes of

traffic: Request packets. Regular packets. Legacy traffic.

The TVA protocol

Routers processing capability:

Request packets – processed after router adds path identifier and pre-capabilities.

Regular packets – forwarded after checking authorization information, updating cached information (Nonce and capability).

The packet is demoted to be a legacy packet if neither its capability nor it’s nonce is valid.

Simulation Results

Use of ns (network simulator) to simulate TVA, SIFF, pushback and legacy internet.

TVA is changed to rate limit the capability requests to 1% of link capacity.

Fixed length transfers between destination and legitimate users and destination under various attacks.

Measure average fraction of completed transfers. Measure average time of transfers that complete.

Change in attack intensity – Vary number of attackers. Timeouts of TCP SYN’s is fixed at 1 sec with up to 8 transmissions

being performed. TCP aborts connection if retransmission timeout > 64 sec for regular

packet or packet transmitted > 10 times.

Simulation Results

Based on Dumb bell topology.

Simulation Results - Legacy packet floods

TVA: Legacy packets have lower priority than request traffic. So, average completion time remains small with attack intensity.

SIFF: Equal priority to legacy and request packets. When intensity of traffic exceeds the bottleneck bandwidth, it suffers losses.

Pushback: Performs well until large number of attackers distribute traffic on all links and attacks are harder to identify.

Legacy internet: Here the legitimate and attack traffic are treated alike and the probability of completed transfers approaches 0 as the number of attackers increase.

Simulation Results - Legacy packet floods

Simulation Results - Request packet floods

TVA: Request packets are rate limited and don’t reduce capacity for authorized packets. Packets separately queued.

SIFF: Both request and authorized packets are low priority. Results same as for legacy packets.

Pushback: Results same as for legacy packets.

Legacy internet: Results same as for legacy packets.

Simulation Results - Request packet floods

Simulation Results - Authorized packet floods

TVA: Destinations use fine grained capability to allocate bandwidth to senders. So, bandwidth between colluder and destination is rate limited.

SIFF: Request packets are dropped against authorized packets. So, request completion rate drops sharply when attack reaches bottleneck bandwidth.

Pushback: Treat request and authorized traffic as regular traffic. Results same as for legacy packets.

Legacy internet: Treat request and authorized traffic as regular traffic. Results same as for legacy packets.

Simulation Results - Authorized packet floods

Simulation Results – Imprecise authorization

TVA: Implements capabilities that expire after timeout and can be revoked by destination after finding misbehaving destinations.

SIFF: The expiration of a capability depends on changing the router secret, leaving the destination powerless in case of a misbehaving sender.

Simulation Results – Imprecise authorization

Implementation

TVA prototype using Linux netfilter on commodity hardware.

Legacy applications run without modification.

Router capability as kernel module, using: AES = first hash function. SHA-1 = second hash function.

Kernel packet generator to generate different types of packets.

Recording of the average number of instruction cycles for the router to process each type of packet.

Testing of Linux router forwarding speed for capability packets.

Implementation handles 100Mbps interface with off-the-shelf hardware.

Implementation

Processing overhead for different packet types

Security Analysis

Security based on inability of attacker to gain capabilities for routers along path to destination.

Hashing scheme uses a sufficiently small key that changes every 128 sec. Breaking the key is practically impossible.

Attacker may observe pre-capabilities in requests by routers.

Stolen capabilities belonging to sender cannot be reused as this is included in the hashed value.

Masquerade as a receiver.

Attacker and colluder spoof the authorized traffic as sent by different sender S. This is thwarted by the fact that the per-destination queuing is used. Per-source queuing is not used as the sources cannot be trusted.

Deployment

Needs routers and hosts to be upgraded.

Incremental deployment.

Routers up gradation: At trust boundaries. At locations of congestion. Placement of inline processing box next to legacy router. No inter-router arrangements and alteration of routing. Deployment working back from destination for better attack localization.

Host up gradation: Occurring with proxies at edges of customer networks in form of NAT

boxes. Not needed to upgrade individual hosts separately.

Conclusion

TVA limits DoS despite a large number of attackers.

Architecture is based on capabilities that enable destinations to authorize senders, in combination with routers to send authorized traffic.

Complete design to handle packet capabilities, initial request exchanges, destination policies, computation state requirements and router states.

With the TVA architecture; Legacy, Request and other authorized packets have little or limited impact on the performance of the legitimate users.

Practical design that runs at Gigabit speeds on commodity PC’s.

Design with easy transition and deployment on legacy network.

Thank you !!!!