Adaptive Distributed Traffic Control Service for DDoS Attack Mitigation By VIJAY CHAND UYYURU.


Transcript of Adaptive Distributed Traffic Control Service for DDoS Attack Mitigation By VIJAY CHAND UYYURU.

Page 1: Adaptive Distributed Traffic Control Service for DDoS Attack Mitigation By VIJAY CHAND UYYURU.

Adaptive Distributed Traffic Control Service for DDoS Attack Mitigation

By

VIJAY CHAND UYYURU

Page 2

Introduction and Motivation

Internet attacks are rising:

• Frequency of reported security incidents grows exponentially: 1988: 6 incidents, 2003: 137'529 incidents reported by CERT/CC

• Organised crime is blackmailing owners of e-commerce web sites ("pay or you will go offline"): e.g. casino, ad distribution, sport bet sites

• New worms, viruses, trojans, and exploits announced almost daily

Page 3

Introduction and Motivation

Why?

• More and more computers operated by security-unaware users get broadband Internet access

• Knowledge and tools for attackers abound

• Attackers can use cheap resources (bandwidth, CPU) of thousands of compromised Internet hosts

Page 4

Direct DDoS Attack

[Figure: Attacker → Masters Mi (control packet, From: Xi (spoofed), To: Master Mi) → Agents Ai (control packet, From: Xi (spoofed), To: Agent Ai) → Victim V (attack packet, From: Xi (spoofed), To: Victim V)]

Page 5

Reflector DDoS Attack

• A new variant of DDoS attacks became known as the DDoS "reflector" attack.

• This attack form is especially difficult to defend against, as the victim is flooded with traffic from ordinary Internet servers that were not even compromised.

• Any server that supports a protocol which replies with a packet after it has received a request packet can be misused as a reflector, without the need for a server compromise.

Page 6

How the DDoS Reflector Attack Works

• The agents send their packets with the spoofed source address set to the victim's address to "innocent" servers, which act as reflectors.

• The source addresses of the actual attack packets received by the victim are not spoofed. They belong to legitimate, uncompromised servers.

• Stopping traffic from these sources will also terminate access to Internet services that the victim might rely on.

Page 7

Reflector DDoS Attack

[Figure: Attacker → Masters Mi (control packet, From: Xi (spoofed), To: Master Mi) → Agents Ai (control packet, From: Xi (spoofed), To: Agent Ai) → Reflectors Ri (attack trigger packet, From: V (spoofed), To: Reflector Ri) → Victim V (attack packet, From: Ri, To: Victim V)]

Note: Reflectors are NOT compromised. They simply answer requests.

Page 8

Analysis of Mitigation Mechanisms

• There are two basic mitigation mechanisms:

1. Reactive Mitigation Strategies

2. Proactive Mitigation Strategies

Page 9

Reactive Mitigation Strategies

• Reactive schemes often proceed in three phases:

• In the first phase, distributed monitoring components try to detect on-going DDoS attacks.

• Once an attack is detected, the detector triggers the second phase, resulting in the deployment of countermeasures.

• In the third phase, when the DDoS attack subsides or stops, countermeasures are relieved or removed.

Page 10

Some Examples of Reactive Strategies

1. Traceback mechanisms

2. Internet Indirection Infrastructure

3. Pushback

Page 11

Traceback Mechanisms

• Traceback is very valuable in forensics to find the origins, and maybe the originator, of the attack; it deals with neither detecting attacks nor deploying any dispositions against ongoing attacks.

• Traceback mechanisms play an important role in other reactive mitigation schemes to determine where countermeasures should be deployed and which filtering rules should be applied.

• If DDoS attacks involve reflectors, reactive strategies involving traceback mechanisms will yield a wrong "attack source" (the reflectors) to be identified and possibly filtered.

Page 12

Internet Indirection Infrastructure (i3)

• i3 is implemented as an overlay that is used to route a client's packets to a trigger and from there to the server.

• Due to performance concerns, i3 would only be used if a server were under attack. Otherwise communication could be established directly between the client and server.

• To use i3 as a defense mechanism, the IP addresses of the attached servers are assumed to be hidden from the attackers. It remains unclear how server IP addresses can be hidden under attack when they are known under normal operation.

Page 13

Pushback

• Pushback performs monitoring by observing packet drop statistics in individual routers.

• Once a link becomes overloaded to a certain degree, the pushback logic, which is co-located with routers, classifies dropped packets according to source addresses. The class of source addresses with the highest dropped packet count is then considered to originate from the attacker.

• Filter rules to rate limit packets from the identified source address(es) are automatically installed on the concerned router. Routers on the path towards the source(s) of attack are informed about the detected attacks and install the same rules. In this way, the attack is pushed back and confined.

• In many cases, however, an attacked server's resources are exhausted before its uplink is overloaded.
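The pushback classification described on this slide, run over constructed drop statistics, together with the page 11 caveat that with reflectors in the path the "attack source" it names is the reflectors' network rather than the agents'. This is an added example, not code from the presentation; the /24 aggregation granularity, the rate-limit rule syntax, the 30% share threshold and all addresses are assumptions.

```python
from collections import Counter
import ipaddress

# Constructed networks (documentation ranges). The agents' network never shows
# up as a source at the victim in the reflector case, which is the whole point.
AGENT_NET = "203.0.113.0/24"       # compromised DDoS agents
REFLECTOR_NET = "198.51.100.0/24"  # uncompromised servers misused as reflectors
CLIENT_NET = "192.0.2.0/24"        # legitimate clients of the victim
VICTIM = "198.18.0.10"             # constructed victim address


def _hosts(net, first, count):
    """count host addresses of net, starting at host number first."""
    base = ipaddress.ip_network(net).network_address
    return [str(base + i) for i in range(first, first + count)]


def direct_attack_drops():
    """Drops at the victim's uplink router during a direct flood. Assumption:
    the agents flood from their own addresses; with the randomly spoofed sources
    of the slide's direct-attack figure, per-source classification breaks down."""
    drops = [(a, VICTIM) for a in _hosts(AGENT_NET, 10, 30) for _ in range(10)]
    drops += [(c, VICTIM) for c in _hosts(CLIENT_NET, 20, 20)]
    return drops


def reflector_attack_drops():
    """Same victim, but the agents spoofed V's address towards two reflectors;
    the packets the router now drops carry the reflectors' real addresses."""
    drops = [(r, VICTIM) for r in _hosts(REFLECTOR_NET, 5, 2) for _ in range(200)]
    drops += [(c, VICTIM) for c in _hosts(CLIENT_NET, 20, 20)]
    return drops


def source_class(ip, prefix_len=24):
    """Aggregate a source address into its /prefix_len class (assumed granularity)."""
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


def drop_counts_by_class(drops, prefix_len=24):
    counts = Counter()
    for src, _dst in drops:
        counts[source_class(src, prefix_len)] += 1
    return counts


def identify_attack_classes(drops, min_share=0.3, prefix_len=24):
    """Pushback's second step: the source classes with the highest share of
    dropped packets are taken to originate from the attacker. Returns
    [(class, share)] for classes at or above min_share, highest first."""
    counts = drop_counts_by_class(drops, prefix_len)
    total = sum(counts.values())
    return [(cls, n / total) for cls, n in counts.most_common() if n / total >= min_share]


def rate_limit_rules(classes, limit_pps=100):
    """Pushback's third step: rules installed on the congested router and
    propagated to the routers on the path towards the identified sources."""
    return [f"rate-limit src {cls} to {limit_pps} pps" for cls, _ in classes]


def misidentifies_reflectors(drops):
    """True when pushback names the reflectors' network and not the agents',
    i.e. the installed rules would throttle legitimate servers."""
    named = {cls for cls, _ in identify_attack_classes(drops)}
    return REFLECTOR_NET in named and AGENT_NET not in named


if __name__ == "__main__":
    for label, drops in (("direct", direct_attack_drops()),
                         ("reflector", reflector_attack_drops())):
        classes = identify_attack_classes(drops)
        print(label, classes, rate_limit_rules(classes))
```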

Page 14

Proactive Mitigation Strategies

• Proactive strategies intend to reduce the possibility of successful DDoS attacks by taking appropriate provisions prior to an attack. Some of the strategies are:

1. Ingress Filtering

2. Secure Overlay Networks

Page 15

Ingress Filtering

• Ingress filtering rejects packets with spoofed source addresses at the ingress of a network (e.g. an ISP's backbone).

• Attacks involving reflectors with legitimate source addresses, however, are only affected if ingress filtering is applied on the paths between agents and reflectors.

• Performing ingress filtering puts a management burden on ISPs, because they must keep all filtering rules up to date, and defective rules will disgruntle their customers.

Page 16

Secure Overlay Networks

• Secure overlay networks like SOS and Mayday reduce to a minimum the risk that a DDoS attack severely affects the communication among members of the overlay network.

• They require each user of a group wanting to communicate to pre-establish a trust relationship with the other group members.

• Keeping malicious users out of an overlay will be a challenge for a large user base.

Page 17

Mitigation Effectiveness

• DDoS attacks are so hard to control because attack traffic generally contains spoofed source addresses.

• In DDoS reflector attacks this is even more complex, because the victim does not receive traffic from the DDoS agents directly, but from legitimate sources without spoofed source addresses.

• If source spoofing were impossible, reflector attacks could be prevented.

• Also, complex traceback mechanisms would not be needed, because the originator could be identified by the source address in those packets.

Page 18

Mitigation Effectiveness

• Making source address spoofing impossible requires proactive mechanisms, since measures have to be taken before an attack.

• They may be implemented directly in the IP network or as an overlay network. More effective defense strategies are possible within the IP network.

• Performing ingress filtering, a single router is capable of blocking traffic from a big number of malicious nodes.

• ISPs currently lack any incentive to implement proactive mechanisms.

Page 19

Distributed Traffic Control: Concepts and Approach

Definition of traffic ownership: A network data packet is "owned" by the network user who is officially registered to hold either the source or destination IP address or both.

The server operator "owns" the traffic his server S will finally receive (to: S).

The user of client C "owns" the traffic sent until it reaches its destination (from: C).

Approach: We extend the network user's control over "his traffic" to the Internet core (and right to the attacker's uplink) by a novel distributed Internet traffic control service.

[Figure: an IP packet with the fields to: server S, from: client C, and payload]

Page 20

Adaptive Device for Traffic Control

Idea: Let each IP address owner control his/her Internet traffic.

Implementation: Adaptive devices to filter/process the IP owner's traffic.

Premium service mostly for e-business companies; few packets are rerouted through the adaptive device.

[Figure: the path through the adaptive device is only taken by the user's own packets]

Page 21

Deployment of Traffic Control Service

[Figure: Network user, Traffic control service provider, Internet number authority, ISP 1 … ISP N (each with its own Network management and Adapt. Device), Servers and the Internet; arrows labelled registration, deploy/control and event/log. ISP … Internet/Backbone Service Provider]

Incremental deployment: first at border/edge routers of major ISPs, later at most major routers.

Page 22

Service Registration

Page 23

Service Deployment

Page 24

Node Architecture

Page 25

Actions for DDoS Attack Mitigation

Traffic processing triggered by matching IP packet header fields (source/dest address, ports etc.), payload, timing and link load conditions etc.:

• Packet dropping

• Payload deletion

• Source blacklisting

• Traffic rate control

• Ingress filtering for owned IP addresses: stops DDoS reflector attacks immediately

Reactive and proactive; filtering close to the source of attack traffic; coordinated Internet-wide attack defence.

[Figure: Internet with hosts S, A and B; S sends an IP packet from: S, while A and B send IP packets marked "from: S"]

Page 26

Ruling Out Misuse of Traffic Control

Restrictions on the Traffic Control Service prevent misuse:

• Traffic Ownership: acts only on packets owned by the network user

Others:

• Addressing/Routing: no modification of source or destination addresses

• Resource Usage: no change of time to live (TTL)

• Traffic Amplification: no increase of packet rate and/or size

• Traffic Processing: user-defined functionality checked at installation or run time

Prevention of collateral damage; ISPs/BSPs don't lose control over their network.
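The ownership definition of page 19, the ingress filtering for owned addresses of page 25 and the misuse restrictions of this slide, combined into one rule checker: an added example, not code from the presentation, the prototype or the patent application. The registry contents, the ingress names, the rule and packet format, the action names and all addresses are constructed assumptions; only three of the slide's five actions are implemented.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed registrations (the "Internet number authority" on the deployment
# slide): which network user officially holds which addresses.
REGISTRY = {"server-op": ["198.18.0.0/24"],    # operates server S = 198.18.0.10
            "client-user": ["192.0.2.77/32"]}  # operates client C
# Constructed: the ingress at which each owner's own traffic enters the service.
HOME_INGRESS = {"server-op": "isp-s", "client-user": "isp-c"}
# Three of the actions listed on the "Actions for DDoS Attack Mitigation" slide.
# None rewrites addresses or TTL and none emits more traffic than it received.
ALLOWED_ACTIONS = {"drop", "rate_limit", "ingress_filter"}

@dataclass
class Rule:
    owner: str
    match: dict                      # "src" and/or "dst" as CIDR strings
    action: str
    params: dict = field(default_factory=dict)

@dataclass
class Packet:
    src: str
    dst: str
    ttl: int
    payload: bytes
    ingress: str                     # where the packet entered the device

def covered_by_owner(owner, cidr):
    """True if every address in cidr is registered to owner."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(ipaddress.ip_network(p)) for p in REGISTRY.get(owner, []))

def validate_rule(rule):
    """Installation-time checks from the 'Ruling Out Misuse' slide; returns
    the list of problems, empty if the rule may be installed."""
    problems = []
    src, dst = rule.match.get("src"), rule.match.get("dst")
    if not ((src and covered_by_owner(rule.owner, src)) or
            (dst and covered_by_owner(rule.owner, dst))):
        problems.append("ownership: rule must match an address registered to its owner")
    if rule.action not in ALLOWED_ACTIONS:
        problems.append(f"action {rule.action!r} is not a permitted action")
    if rule.action == "rate_limit" and rule.params.get("max_packets", 0) < 1:
        problems.append("rate_limit needs max_packets >= 1")
    return problems

def _matches(rule, pkt):
    return all(ipaddress.ip_address(a) in ipaddress.ip_network(rule.match[k])
               for k, a in (("src", pkt.src), ("dst", pkt.dst)) if k in rule.match)

def apply_rules(rules, packets):
    """Run the installable rules over packets; returns (forwarded, dropped)."""
    rules = [r for r in rules if not validate_rule(r)]
    passed = {}                      # packets forwarded so far per rate_limit rule
    forwarded, dropped = [], []
    for pkt in packets:
        keep = True
        for i, rule in enumerate(rules):
            if not keep or not _matches(rule, pkt):
                continue
            if rule.action == "drop":
                keep = False
            elif rule.action == "rate_limit":
                if passed.get(i, 0) < rule.params["max_packets"]:
                    passed[i] = passed.get(i, 0) + 1
                else:
                    keep = False
            elif rule.action == "ingress_filter":
                # Ingress filtering for owned addresses: a packet carrying the
                # owner's source address is accepted only at the owner's own
                # ingress, so a spoofed reflector trigger never reaches a reflector.
                keep = pkt.ingress == HOME_INGRESS[rule.owner]
        (forwarded if keep else dropped).append(pkt)
    return forwarded, dropped

def check_invariants(inputs, forwarded):
    """Run-time check: the service may drop packets but never rewrite addresses,
    change the TTL, or emit more packets or bytes than it received."""
    if len(forwarded) > len(inputs):
        return False
    if sum(len(p.payload) for p in forwarded) > sum(len(p.payload) for p in inputs):
        return False
    seen = {(p.src, p.dst, p.ttl) for p in inputs}
    return all((p.src, p.dst, p.ttl) in seen for p in forwarded)

def demo():
    rules = [
        Rule("server-op", {"src": "198.18.0.0/24"}, "ingress_filter"),
        Rule("server-op", {"dst": "198.18.0.10/32"}, "rate_limit", {"max_packets": 2}),
        Rule("client-user", {"dst": "198.18.0.10/32"}, "drop"),  # rejected: C does not own S
    ]
    pkts = [  # constructed traffic
        Packet("198.18.0.10", "203.0.113.7", 64, b"reply", "isp-s"),     # genuinely from S
        Packet("198.18.0.10", "198.51.100.5", 64, b"trigger", "isp-a"),  # agent spoofing S
        Packet("192.0.2.77", "198.18.0.10", 64, b"get", "isp-c"),        # C -> S
        Packet("192.0.2.77", "198.18.0.10", 64, b"get", "isp-c"),
        Packet("192.0.2.77", "198.18.0.10", 64, b"get", "isp-c"),        # over the limit
    ]
    forwarded, dropped = apply_rules(rules, pkts)
    return forwarded, dropped, check_invariants(pkts, forwarded)
```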

Page 27

Other Enabled Traffic Control Services

Traceback
• Proactively collect packet hashes
• Supporting network forensics
• Locate origin of spoofed network traffic

Automated reaction to traffic anomalies
• Suspicious increase in connection attempts from/to server or network
• Detection of variations in address and/or port usage and spoofing attempts

Network debugging and optimization
• Measure link delays, packet loss, quality of service
• Optimize content distribution network

Network forensics
• Traffic sampling at flow-level and/or packet-level for network forensics

Page 28

Conclusions and Outlook

• Any chance of success for the Traffic Control Service?
  – Incrementally deployable
    • Add-on box
    • Function may be integrated into future routers
    • Not necessary to have complete coverage on all routers
  – Premium (paid) service for large customers (not home users!)
  – Business incentive for network service providers

• Were the issues of Internet Service Providers respected?
  – Approach not "scary" for ISPs: safe, scalable, controllable
  – Ever-changing shape of the DDoS attack threat needs an adaptive solution
  – Technology is not disruptive

• International patent application filed (PCT/CH2004/000631)

• Prototype implementation underway

Page 29

Thank you!

Any questions?

Page 30

Apply Data Mining to Defense-in-Depth Network Security System

Written by: Huang, Kao, Hun, Jai, Lin

Presented by: Terry Griffin

Page 31

Introduction

http://www.cert.org/present/cert-overview-trends/

Page 32

Introduction

http://www.cert.org/present/cert-overview-trends/

Page 33

Introduction

• IDS / IPS – Intrusion Detection / Prevention System

• IDS
  – Packets pass through
  – Active logging
  – Signature comparisons

• IPS
  – Alters packet data
  – Blocks packets (possibly)

Page 34

Introduction

• IDS/IPS Types – Misuse Detection

• Signature based

• Identifies patterns of traffic or application data presumed to be malicious

• Presumed to be able to detect only 'known' attacks

• However, sometimes detects new attacks which share characteristics with old attacks, e.g., accessing 'cmd.exe' via an HTTP GET request.

Page 35

Introduction

• IDS/IPS Types – Misuse Detection

• Signature based

• Snort currently has 2200+ signatures

• Used alone, can lead to more false positives

Page 36

Introduction

• IDS/IPS Types – Anomaly Detection

• Notify operators of traffic or application content presumed to be different from 'normal' activity on the network or host

• Typically use "self learning"
• Require a training phase
• Observes "normal flow"
• Normal is relative (set by administrator)
• Any deviation from normal results in an alert

Page 37

Introduction

• This paper attempts to:
  – Incorporate data mining within an IDS/IPS
  – Obtain real-time DoS alerts
  – Decrease the number of false alarms

Page 38

Defense-in-Depth Architecture

The security architecture is based on 2 concepts / components:

1. LPS – Local Policy Server

2. GPS – Global Policy Server

Page 39

Defense-in-Depth Architecture

LPS – Local Policy Server
  – contains a signature database
  – logs all packets
  – somewhat of a local IDS/IPS

Page 40

Defense-in-Depth Architecture

GPS – Global Policy Server
  – Receives logs from LPSs
  – Monitors/controls LPSs
  – Does the "real time" data mining
  – Can shut down / throttle the LANs

Page 41

Defense-in-Depth Architecture

Page 42

System Architecture of GPS

Consists of 4 components:

1. Security Information Management (SIM) module

2. Global Log Server (GLS)

3. GUI

4. Global Database

Page 43

System Architecture of GPS

1. Security Information Management (SIM) module
  • Does the actual data mining
  • Details in next section

2. Global Log Server (GLS)
  • Manages all logs from the LPS
  • Must handle multiple parallel incoming connections
  • Does no mining, just logging

Page 44

System Architecture of GPS

3. GUI
  • Well... it's a GUI

4. Global Database
  • Signature database
  • Created through the logs received from the GLS

Page 45

System Architecture of GPS

SIM module has 4 components

1. Online Data Miner
  • classifies records in the active database

2. Rules Tuner
  • runs the machine learning algorithms
  • tunes the parameters of rules accordingly

3. GLS

4. Policy Dispatcher
  • Waits for commands from the online miner

Page 46

System Architecture of GPS: Data mining framework

Page 47

System Implementation and Experiment Results

Data flow of the online detecting phase is separated into 3 stages:

1. Loading
  • all drivers are loaded
  • classifiers loaded and initialized

2. Monitoring
  • endless loop monitoring logged packets for signatures

3. Event Handling
  • Alerts LPSs
  • Controls / throttles them if necessary

• Author used IDS Snort and IPS NetKeeper as the IDS/IPS backend.

Page 48

System Implementation and Experiment Results

Data Collection Results
  – For 18 days NetKeeper detected 886,764 events.
  – For 5 days Snort logged 11,070 events.

This was the data used to test the system.

Page 49

System Implementation and Experiment Results

The system was tested with the following 4 combinations of events:

• Single type (SYN Flooding, TCP Flooding, UDP Flooding / Smurfing, IP Flooding, ICMP Flooding / Smurfing, IGMP Flooding)

• Mix – 2 (TCP-SYN, TCP-IP, TCP-ICMP, TCP-IGMP, TCP-UDP, UDP-IP, UDP-ICMP, UDP-IGMP, IP-SYN, IP-ICMP, IP-IGMP, ICMP-IGMP)

• Mix – 3 (TCP-SYN-IP, TCP-SYN-UDP, SYN-UDP-IP, SYN-IP-ICMP, UDP-ICMP-IP)

• Mix – 4 (SYN-TCP-ICMP-IP, SYN-TCP-UDP-IP, TCP-UDP-ICMP-IP)

Page 50

System Implementation and Experiment Results

Intrusion Detection Results (Detection Rate)

95% detection rate, which is "really good" (quote from author)

Page 51

System Implementation and Experiment Results

Intrusion Detection Results (False Alarm Rate)

around 1% false alarms (if IGMP is removed)

Page 52: Conclusions

• Author never really gave detail about the real-time system.

• Really just wrote a wrapper around OTB IDS/IPS systems.

• This explains formatting problems he mentioned (I didn’t though)

• Never explained the “retraining” or tuning phase, whether this was online or offline (most important part).

• Paper made references to figures that didn’t exist.

Page 53: DoS Seminar 2

Spoofed Packet Attacks and Detection Methods

By

Prateek Arora

Page 54: Introduction

• When a denial of service (DoS) attack occurs, a computer or a network user is unable to access resources like e-mail and the Internet. An attack can be directed at an operating system or at the network.

Page 55: Types of DoS attacks

• Ping Flood Attack (ICMP echo)
• SYN Flood Attack (DoS attack)
• DDoS Attack (Distributed SYN Flood)
• UDP Flood Attacks
• Smurf Attack
• DNS name server Attack
• Land Attack
• Ping of Death Attack
• Fragmentation / Teardrop Attack
• Connection Spoofing
• Bounce Scanning
• Stealth Communication

Page 56: What is a “Spoofed Packet”?

• Packets sent by an attacker such that the true source is not authentic
– MAC spoofing
– IP packet spoofing
– Email spoofing

• This is not the same as routing attacks
– These cause packets to be redirected
• e.g. DNS cache poisoning; router table attacks; ARP spoofing

Page 57: Significance of “Spoofed Packets” in DoS attacks

• Spoofed packets are a part of many attacks
– SYN Flood Attack
– Smurf Attack
– Connection Spoofing
– Bounce Scanning
– Stealth Communication

Page 58: IP/TCP Header Review

[Figure: IP Header Format (20 bytes). Rows: version, header length, TOS, total length; identification, flags, fragment offset; TTL, protocol, header checksum; source IP address; destination IP address; options (if any); data.]

Page 59: IP/TCP Header Review

[Figure: TCP Header Format (20 bytes). Rows: source port number, destination port number; sequence number; acknowledgement number; header length, reserved, flags (URG, ACK, PSH, RST, SYN, FIN), window size; TCP checksum, urgent pointer; options (if any); data (if any).]

Page 60: Smurf Attack

• In this attack, spoofed IP packets containing ICMP Echo-Request with a source address equal to that of the attacked system and a broadcast destination address are sent to the intermediate network.

• Sending an ICMP Echo Request to a broadcast address triggers all hosts included in the network to respond with an ICMP response packet, thus creating a large mass of packets which are routed to the victim's spoofed address.

Page 61: Smurf Attack (contd.)

[Figure (source: Cisco): the perpetrator sends ICMP echo requests with the spoofed source address of the victim to the IP broadcast address of innocent reflector sites across the Internet; every reflector's ICMP echo reply is routed to the victim. ICMP = Internet Control Message Protocol. Bandwidth multiplication: a T1 (1.54 Mbps) can easily yield 100 Mbps of attack. Caption: 1 SYN; simultaneous 10,000 SYN/ACKs - VICTIM IS DEAD.]

Page 62: SYN Flood Attack

• TCP Handshake Review
– client
• sends SYN packet to server
• waits for SYN-ACK from server
– server
• responds with SYN-ACK packet
• waits for ACK packet from client
– client
• sends ACK to server

[Figure: message sequence client to server: SYN; server to client: SYN-ACK; client to server: ACK.]

Page 63: SYN Flood Attack

• Attacker causes TCP buffer to be exhausted with half-open connections

• No reply from target needed, so source may be spoofed.

• Claimed source must not be an active host.

[Figure: TCP Buffers on the server 169.237.7.114 with clients 169.237.5.23 and 168.150.241.155. Legend: half-open connection, waiting for ACK; completed handshake, connection open; empty buffer.]

Page 64: SYN Flood Attack

• Attacker causes TCP buffer to be exhausted with half-open connections

• No reply from target needed, so source may be spoofed.

• Claimed source must not be an active host.

[Figure: the same TCP Buffers on 169.237.7.114, now all half-open and waiting for ACKs from spoofed sources 128.120.254.1 through 128.120.254.15. Legend: half-open connection, waiting for ACK; completed handshake, connection open; empty buffer.]

Page 65: Summary of attack methods

Attack             | Attack packets                                                   | Reply packets
Smurf              | ICMP echo queries to broadcast address                           | ICMP echo replies
SYN flooding       | TCP SYN packets                                                  | TCP SYN ACK packets
RST flooding       | TCP packets to closed ports                                      | TCP RST packets
ICMP flooding      | ICMP queries; UDP packets to closed ports; IP packets with low TTL | ICMP replies; Port unreachable; Time exceeded
DNS reply flooding | DNS queries (recursive) to DNS servers                           | DNS replies

Page 66: Detection Methods

• Routing-based

• Active
– Proactive
– Reactive

• Passive

Page 67: Routing-based Method

• For a given network topology certain source IP addresses should never be seen
– Internal addresses arriving on external interface
– External addresses arriving on internal interface
– IANA non-routable addresses on external interface
– Other special addresses

[Figure: a border router with an Internal NIC and an External NIC.]

Page 68: Special Addresses

• 0.0.0.0/8 - Historical Broadcast
• 10.0.0.0/8 - RFC 1918 Private Network
• 127.0.0.0/8 - Loopback
• 169.254.0.0/16 - Link Local Networks
• 172.16.0.0/12 - RFC 1918 Private Network
• 192.0.2.0/24 - TEST-NET
• 192.168.0.0/16 - RFC 1918 Private Network
• 240.0.0.0/5 - Class E Reserved
• 248.0.0.0/5 - Unallocated
• 255.255.255.255/32 - Broadcast

Page 69: Routing-based Methods

• Most commonly used method
– firewalls, filtering routers

• Relies on knowledge of network topology and routing specs.

• Primarily used at organizational border.

• Cannot detect many examples of spoofing
– Externally spoofed external addresses
– Internally spoofed internal addresses

Page 70: Proactive methods

• Looks for behavior that would not occur if client actually processed packet from client.

• Method: change in IP stack behavior

• Can observe suspicious activity

• Examples –
– TCP window games
– SYN-Cookies (block without detection)

Page 71: TCP Window Games

• Modified TCP Handshake
– client
• sends SYN packet and ACK number to server
• waits for SYN-ACK from server w/ matching ACK number
– server
• responds with SYN-ACK packet w/ initial “random” sequence number
• Sets window size to zero
• waits for ACK packet from client with matching sequence number
– client
• sends ACK to server with matching sequence number, but no data
• Waits for ACK with window > 0
• After receiving larger window, client sends data.

Spoofer will not see 0-len window and will send data without waiting.

[Figure: message sequence: SYN (ack-number); SYN-ACK (seq-number, ack-number, window = 0); ACK (seq_number, ack-number, no data); ACK (seq-number, ack-number, window = 4096); ACK (seq_number, ack-number, w/ data).]

Page 72: SYN-Cookies

• Modified TCP Handshake

• Example of “stateless” handshake
– client
• sends SYN packet and ACK number to server
• waits for SYN-ACK from server with matching ACK number
– server
• responds with SYN-ACK packet with initial SYN-cookie sequence number
• Sequence number is cryptographically generated value based on client address, port, and time.
• No TCP buffers are allocated
– client
• sends ACK to server with matching sequence number
– server
• If ACK is to an unopened socket, server validates returned sequence number as SYN-cookie
• If value is reasonable, a buffer is allocated and socket is opened.

Spoofed packets will not consume TCP buffers

[Figure: message sequence: SYN (ack-number); SYN-ACK (seq-number as SYN-cookie, ack-number) NO BUFFER ALLOCATED; ACK (seq_number, ack-number + data); SYN-ACK (seq-number, ack-number) TCP BUFFER ALLOCATED.]
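An added example (not from the slides) of the stateless handshake above in Python: the SYN-ACK sequence number is a keyed hash over the client address, client port, server port and a coarse time counter, nothing is stored for a SYN, and a buffer is allocated only when an ACK returns a cookie that validates. The per-process secret, the 5-bit counter layout, the 64-second tick and the sample addresses are constructed assumptions, not any real stack's layout.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

SECRET = os.urandom(32)        # constructed per-process secret; real stacks rotate it
COUNTER_BITS = 5               # top bits of the 32-bit sequence number carry a coarse clock
HASH_BITS = 32 - COUNTER_BITS
HASH_MASK = (1 << HASH_BITS) - 1
COUNTER_MASK = (1 << COUNTER_BITS) - 1


def time_counter(now: int) -> int:
    """Coarse clock: one tick per 64 seconds, wrapped to COUNTER_BITS."""
    return (now >> 6) & COUNTER_MASK


def _mac(client_ip: str, client_port: int, server_port: int, tick: int) -> int:
    """Keyed hash over the connection tuple and the tick, truncated to HASH_BITS."""
    msg = f"{client_ip}|{client_port}|{server_port}|{tick}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & HASH_MASK


def make_cookie(client_ip, client_port, server_port, now):
    """Initial sequence number for the SYN-ACK: <tick><mac>."""
    tick = time_counter(now)
    return (tick << HASH_BITS) | _mac(client_ip, client_port, server_port, tick)


def check_cookie(cookie, client_ip, client_port, server_port, now, max_age_ticks=2):
    """Recompute the MAC for the tick embedded in the cookie; reject stale or forged values."""
    tick = cookie >> HASH_BITS
    if ((time_counter(now) - tick) & COUNTER_MASK) > max_age_ticks:
        return False
    expected = _mac(client_ip, client_port, server_port, tick).to_bytes(4, "big")
    return hmac.compare_digest(expected, (cookie & HASH_MASK).to_bytes(4, "big"))


@dataclass
class StatelessServer:
    port: int = 80
    buffers: dict = field(default_factory=dict)   # only completed handshakes live here

    def on_syn(self, client_ip, client_port, now):
        """Answer a SYN with a cookie as the sequence number; allocate nothing."""
        return {"flags": "SYN-ACK", "seq": make_cookie(client_ip, client_port, self.port, now)}

    def on_ack(self, client_ip, client_port, ack_number, now):
        """The ACK acknowledges seq+1; open the socket only if that was a valid cookie."""
        cookie = (ack_number - 1) & 0xFFFFFFFF
        if not check_cookie(cookie, client_ip, client_port, self.port, now):
            return False
        self.buffers[(client_ip, client_port)] = "open"
        return True


def simulate():
    """Constructed scenario: a spoofed SYN flood plus one honest client.
    Returns (honest handshake accepted, forged ACK accepted, buffers in use)."""
    srv = StatelessServer()
    now = 1_000_000
    for i in range(1, 10_001):                       # spoofed SYNs that are never answered
        srv.on_syn(f"198.51.100.{i % 250 + 1}", 40_000 + i, now)
    synack = srv.on_syn("203.0.113.5", 51_515, now)  # honest client
    honest = srv.on_ack("203.0.113.5", 51_515, synack["seq"] + 1, now + 1)
    forged = srv.on_ack("198.51.100.7", 40_007, 0x12345678, now + 1)  # guessed ACK number
    return honest, forged, len(srv.buffers)


if __name__ == "__main__":
    print(simulate())   # (True, False, 1)
```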

Page 73: Reactive methods

• When a suspicious packet is received, a probe of the source is conducted to verify if the packet was spoofed

• May use same techniques as proactive methods

• Example probes
– Is TTL appropriate?
– Is ID appropriate?
– Is host up?
– Change window size

Page 74: Passive Methods

• Learn expected values for observed packets

• When an anomalous packet is received, treat it as suspicious

• Example values –
– Expected TTL
– Expected client port
– Expected client OS idiosyncrasies

Page 75: Experiments

• Determine the validity of various spoofed-packet detection methods

• Predictability of TTL

• Predictability of TTL (active)

• Predictability of ID (active)

Page 76: Experiment Description - Passive

• Monitor network traffic

• Record
– Source IP address
– TTL
– Protocol

• Count occurrences of all unique combinations

• Statistically analyze predictability of the data

Page 77: Results - Passive

• Data collected over 2 week periods at University of California, Davis

• 23,000,000 IP packets observed
– 23461 source IP addresses
• 110 internal
• 23351 external

Page 78: Results - Passive

• Predictability measure
– Conditional Entropy (unpredictability)

• Values closer to zero indicate higher predictability

$$H(Y|X) = -\sum_{x,y} P(x,y)\,\log P(y|x)$$
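An added example (not the experiment's own code) in Python that carries the passive experiment of page 76 and the predictability measure above through on constructed packet records: it counts (source IP, protocol, TTL) combinations, computes H(TTL | source) per protocol, builds a row in the shape of the tables that follow, and then uses the learned modal TTL as the passive detector of page 74. The packet records are constructed; treating "H mean" and "H variance" as the mean and variance of the per-source entropies is an assumption about how the tables were aggregated.

```python
import math
from collections import Counter, defaultdict
from statistics import mean, pvariance

# Constructed packet records (source IP, protocol, TTL); not data from the slides.
RECORDS = (
    [("203.0.113.5", "TCP", 64)] * 400                       # internal host, fixed TTL
    + [("198.51.100.20", "TCP", 50)] * 300                   # external host, stable path
    + [("198.51.100.20", "TCP", 49)] * 5                     # a few packets via a longer route
    + [("198.51.100.77", "UDP", t) for t in (1, 2, 3)] * 40  # traceroute-style low TTLs
    + [("198.51.100.77", "UDP", 52)] * 120                   # same host's ordinary UDP traffic
    + [("192.0.2.9", "ICMP", 113)] * 60
)


def ttl_counts(records, protocol=None):
    """Per-source Counter of observed TTLs; protocol=None means 'All'."""
    counts = defaultdict(Counter)
    for src, proto, ttl in records:
        if protocol is None or proto == protocol:
            counts[src][ttl] += 1
    return counts


def source_entropy(counter):
    """H(TTL | src = x) = -sum_y P(y|x) log2 P(y|x) for one source."""
    n = sum(counter.values())
    return -sum((k / n) * math.log2(k / n) for k in counter.values())


def conditional_entropy(records, protocol=None):
    """H(TTL | src) = -sum_{x,y} P(x,y) log2 P(y|x) = sum_x P(x) H(TTL | src = x)."""
    counts = ttl_counts(records, protocol)
    total = sum(sum(c.values()) for c in counts.values())
    return sum(sum(c.values()) / total * source_entropy(c) for c in counts.values())


def summary_row(records, protocol=None):
    """One row in the shape of the slides' tables (aggregation is an assumption)."""
    counts = ttl_counts(records, protocol)
    hs = [source_entropy(c) for c in counts.values()]
    return {
        "H_mean": mean(hs),
        "H_var": pvariance(hs),
        "addresses": len(hs),
        "packets": sum(sum(c.values()) for c in counts.values()),
    }


def learn_expected_ttl(records):
    """Passive detector: the modal TTL seen for each (source, protocol)."""
    counts = defaultdict(Counter)
    for src, proto, ttl in records:
        counts[(src, proto)][ttl] += 1
    return {key: c.most_common(1)[0][0] for key, c in counts.items()}


def is_anomalous(record, expected, tolerance=0):
    """Flag a packet whose TTL strays more than `tolerance` from the learned value;
    an unseen (source, protocol) pair is not judged."""
    src, proto, ttl = record
    exp = expected.get((src, proto))
    return exp is not None and abs(ttl - exp) > tolerance


if __name__ == "__main__":
    for proto in (None, "ICMP", "TCP", "UDP"):
        print(proto or "All", summary_row(RECORDS, proto))
    expected = learn_expected_ttl(RECORDS)
    print(is_anomalous(("198.51.100.20", "TCP", 40), expected))
```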

Page 79: Results - Passive

All packets

Protocol | H mean   | H variance | Number Addresses | Number Packets
All      | 0.055759 | 0.029728   | 23461            | 22999999
ICMP     | 0.027458 | 0.023726   | 801              | 223341
IGMP     | 0        | 0          | 23               | 297
TCP      | 0.046149 | 0.023114   | 15891            | 20925893
UDP      | 0.065164 | 0.040655   | 7397             | 1850468

Page 80: Results - Passive

External addresses only

Protocol | H mean   | H variance | Number Addresses | Number Packets
All      | 0.055505 | 0.029731   | 23351            | 9229608
ICMP     | 0.026159 | 0.023271   | 780              | 88371
IGMP     | 0        | 0          | 3                | 26
TCP      | 0.046324 | 0.023201   | 15825            | 8857983
UDP      | 0.065537 | 0.041015   | 7306             | 283228

Page 81: Results - Passive

Internal Addresses Only

Protocol | H mean   | H variance | Number Addresses | Number Packets
All      | 0.109633 | 0.026097   | 110              | 13770391
ICMP     | 0.075714 | 0.03822    | 21               | 134970
IGMP     | 0        | 0          | 20               | 271
TCP      | 0.004189 | 0.000321   | 66               | 12067910
UDP      | 0.035207 | 0.010859   | 91               | 1567240

Page 82: Results - Passive

Only Addresses with more than 250 packets

Protocol | H mean   | H variance | Number Addresses | Number Packets
All      | 0.060041 | 0.035521   | 2876             | 22338795
ICMP     | 0.035778 | 0.020212   | 33               | 219605
IGMP     | 0        | 0          | 1                | 0
TCP      | 0.051132 | 0.027288   | 2713             | 20332940
UDP      | 0.165818 | 0.175238   | 148              | 1779896

Page 83: Results - Passive

Only Addresses with more than 500 packets

Protocol | H mean   | H variance | Number Addresses | Number Packets
All      | 0.050635 | 0.031506   | 2306             | 22140140
ICMP     | 0.022401 | 0.014516   | 30               | 218560
IGMP     | 0        | 0          | 1                | 0
TCP      | 0.042716 | 0.022273   | 2190             | 20150197
UDP      | 0.164326 | 0.209436   | 104              | 1764716

Page 84: Results - Passive

• TTL differs by protocol

• UDP most unreliable
– traceroute is major contributor (can be filtered)
– certain programs set TTL anomalously
– ToS may be useful in reducing inconsistencies

• TTL on local network highly regular
– must filter traceroute traffic

Page 85: Experiment Description - Reactive

• Monitor network traffic

• Record IP address, Protocol, TTL and ID

• Send probe packet(s)
– ICMP echo reply packet
– TCP syn packet
– UDP packet

• Note the differences between the stored TTL/ID and those of the returning probes.

Page 86: Results - Reactive

• Evaluate –
– initial vs. probe reply TTL
– initial vs. probe reply ID (delta from original)

• Predictability measure
– Conditional Entropy (unpredictability)

• Values closer to zero indicate higher predictability

Page 87: Results - Reactive

• Preliminary only
– Ran for 18 hours
– 8058 probes sent
– 218 unique addresses
• 173 external
• 45 internal

Page 88: Results - Reactive

• TTL off by:

                   Probes   Difference from row above   Share
  Total # probes   8058     1591
  +/- 2 or less    6467     371                         80%
  +/- 1 or less    6096     986                         75%
  0                5110                                 63%

Page 89: Results - Reactive

• ID off by:
– Total # probes 8058

  Offset   Count        Offset   Count
  1        601          256      73
  2        57           512      5
  4        21           768      22
  6        16           1280     10
  5        14
  7        11
  8        9

Page 90: Conclusion

• Spoofed packets used in many different attacks

• Spoofed packets can be detected by a number of methods

• High predictability in TTL and ID allows use of passive and active methods

Page 91: References

• www.google.co.in

• http://seclab.cs.ucdavis.edu/

• www.cert.org

• www.caida.com

• http://www.uspto.gov/

• www.cisco.com