Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Transcript of Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Page 1: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Presenter: Lei Wu

March, 2009

Presentation for CAP 6135

Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Cheng Jin ([email protected]), Haining Wang ([email protected]), Kang G. Shin ([email protected])

CCS’03, Oct, 2003, Washington, DC, USA

Page 2: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Outline

Background

Mechanism and construction

Measurement

Conclusion

Page 4: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Background

IP address spoofing

DDoS Attack

Two classes of defense approaches

Page 5: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

IP address spoofing

In computer networking, the term IP address spoofing refers to the creation of IP packets with a forged (spoofed) source IP address with the purpose of concealing the identity of the sender or impersonating another computing system.

Page 6: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

DDoS Attack

Distributed Denial of Service (DDoS) attack: a DDoS attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system.

DDoS attacks on root nameservers: October 21, 2002 and February 6, 2007.

Page 7: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Defense Approaches

Router-based: making improvements to the routing infrastructure; off-line analysis of flooding traffic or on-line filtering of DDoS traffic inside routers. Requires not only router support, but also coordination among different routers and networks, and wide-spread deployment.

Victim-based: enhancing the resilience of Internet servers against attacks. Easy to deploy.

Page 8: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Weakness of conventional victim-based methods

Protection based on sophisticated resource management schemes: no mechanism to detect and discard spoofed traffic. Could confine the scope of damage to the service under attack, but might not be able to sustain the availability of the service.

Filtering spoofed traffic can help a lot: use the TTL field of the IP header. Assumption: attackers cannot sabotage routers to alter the TTL values of IP packets that traverse them.

Page 9: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Outline

Background

Mechanism and construction

Measurement

Conclusion

Page 10: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Mechanism and construction

Introduction

Construction of IP2HC mapping table

Hop-Count Computation

Inspection Algorithm

Two running states of HCF

Page 11: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Introduction

Basic idea of Hop-Count Filtering (HCF): build an accurate IP-to-hop-count (IP2HC) mapping table, clustering address prefixes based on hop-count.

Two running states:

State     Environment                    Drop packets
Alert     Under normal condition         No
Action    Upon detection of an attack    Yes

Page 12: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Construction of IP2HC mapping table

Objectives in building an HCF table: accurate IP2HC mapping; up-to-date IP2HC mapping; moderate storage requirement.

Two issues:

Clustering address prefixes based on hop-counts: 24-bit aggregation, then divide the IP addresses under each 24-bit prefix into smaller clusters.

A pollution-proof update procedure to capture legitimate hop-count changes while foiling attackers’ attempts to pollute HCF tables.

Page 13: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Construction of IP2HC mapping table (cont)

An example of hop-count clustering

Page 14: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Construction of IP2HC mapping table (cont)

Accuracies of various filters

Page 15: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Construction of IP2HC mapping table (cont)

Sizes of various HCF tables

Page 16: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Construction of IP2HC mapping table (cont)

Pollution-proof initialization and update

Initialization: collect traces of the server’s clients that contain both IP addresses and the corresponding TTL values; the collection period depends on the server’s traffic load.

Update: the HCF table should be updated only by those TCP connections in the established state. Provide a user-configurable parameter to adjust the frequency of update. The cost of re-clustering is negligible.

Page 17: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Hop-Count Computation

Time To Live (TTL) field in the IP header:

Bit offset   0–3        4–7             8–15              16–18   19–31
0            Version    Header length   Type of Service   Total Length
32           Identification                               Flags   Fragment Offset
64           Time to Live               Protocol          Header Checksum
96           Source Address
128          Destination Address
…

Page 18: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Hop-Count Computation (cont)

The challenge is that a destination only sees the final TTL value when receiving a packet. Most modern OSs use only a few selected initial TTL values: 30, 32, 60, 64, 128 and 255. Few Internet hosts are more than 30 hops apart.

For example, if the final TTL value is 112, we can infer that its initial TTL value is 128.

What about the ambiguities {30, 32}, {60, 64}, and {32, 60}? Compute a hop-count value for each of the possible initial TTL values, and accept the packet if there is a match with one of the possible hop-counts.

Page 19: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Inspection Algorithm

Page 20: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Two running states of HCF

HCF adds delay to the critical path of packet processing, so it should not be active at all times.

Two running states:

Alert: detect the presence of spoofed packets. By default, HCF stays in the alert state and monitors the trend of hop-count changes without discarding packets.

Action: discard spoofed packets. Upon detection of a flux of spoofed packets, HCF switches to the action state to examine each packet and discard spoofed IP packets.
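The hop-count inference of slide 18 (several initial TTLs are possible for one final TTL, so the check must accept any matching candidate) and the alert/action states of slide 20 fit together in one small state machine. The block below is an added example, not code from the paper or the slides: the initial TTL set and the 30-hop bound come from slide 18, but the switching rule (mismatch rate over a sliding window of packets), the treatment of sources with no table entry, and the constructed table and packet sequence are my own assumptions.

```python
# Added example, not code from the paper or the slides: hop-count inference
# from the final TTL (slide 18), the per-packet check, and the alert/action
# state machine of slide 20. The switching rule (a mismatch-rate threshold
# over a sliding window) and all names are my own assumptions.
from collections import deque

# Initial TTL values used by most operating systems (slide 18).
INITIAL_TTLS = (30, 32, 60, 64, 128, 255)
# Few Internet hosts are more than 30 hops apart (slide 18).
MAX_HOPS = 30


def possible_hop_counts(final_ttl):
    """Map each initial TTL consistent with final_ttl to the hop-count it
    implies. Ambiguous cases such as {30, 32} or {60, 64} return two entries;
    the caller accepts a packet if any of them matches the stored value."""
    return {init: init - final_ttl
            for init in INITIAL_TTLS
            if 0 <= init - final_ttl <= MAX_HOPS}


def is_spoofed(stored_hop_count, final_ttl):
    """True when no plausible initial TTL reproduces the stored hop-count."""
    return stored_hop_count not in possible_hop_counts(final_ttl).values()


class HopCountFilter:
    """Two-state filter. In 'alert' it only measures the fraction of
    mismatching packets; in 'action' it drops every mismatching packet."""

    def __init__(self, ip2hc, window=32, threshold=0.5):
        self.ip2hc = ip2hc            # {source IP: hop-count}, i.e. an IP2HC lookup
        self.state = "alert"
        self.threshold = threshold
        self._recent = deque(maxlen=window)   # 1 = mismatch, 0 = match/unknown

    def process(self, src_ip, final_ttl):
        """Return 'accept' or 'drop' for one packet and update the state."""
        stored = self.ip2hc.get(src_ip)
        # Sources with no table entry cannot be judged; assumed legitimate here.
        mismatch = stored is not None and is_spoofed(stored, final_ttl)
        self._recent.append(1 if mismatch else 0)
        rate = sum(self._recent) / len(self._recent)
        window_full = len(self._recent) == self._recent.maxlen
        if self.state == "alert" and window_full and rate >= self.threshold:
            self.state = "action"        # flux of spoofed packets detected
        elif self.state == "action" and rate < self.threshold:
            self.state = "alert"         # attack subsided; leave the fast path
        if self.state == "action" and mismatch:
            return "drop"
        return "accept"


# Constructed table and packet sequence (source IP, final TTL). Hop-counts and
# TTLs are made up for the example; none refer to real hosts.
SAMPLE_IP2HC = {"192.0.2.10": 16, "198.51.100.7": 5}
SAMPLE_PACKETS = [
    ("192.0.2.10", 112),     # 128 - 112 = 16 hops: matches
    ("198.51.100.7", 25),    # {30: 5, 32: 7}: 5 matches
    ("192.0.2.10", 250),     # 255 - 250 = 5 hops: mismatch (alert: monitor only)
    ("192.0.2.10", 60),      # {60: 0, 64: 4}: mismatch, pushes rate to threshold
    ("192.0.2.10", 112),     # legitimate traffic still passes in action state
    ("203.0.113.9", 100),    # unknown source: no verdict possible
]


def run(packets, ip2hc, window=4, threshold=0.5):
    """Feed packets through a filter; return [(verdict, state after packet)]."""
    hcf = HopCountFilter(ip2hc, window=window, threshold=threshold)
    return [(hcf.process(ip, ttl), hcf.state) for ip, ttl in packets]


if __name__ == "__main__":
    for (ip, ttl), (verdict, state) in zip(SAMPLE_PACKETS,
                                           run(SAMPLE_PACKETS, SAMPLE_IP2HC)):
        print(f"{ip:14} ttl={ttl:3} -> {verdict:6} (state: {state})")
```

Note the third packet: its hop-count mismatches, but the filter is still in the alert state, so the packet is only counted, not dropped; the fourth mismatch pushes the window over the threshold and flips the filter into the action state, after which legitimate packets from the same source still pass because their hop-count matches.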

Page 21: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Two running states of HCF (cont)

Operations in the two HCF states

Page 22: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Two running states of HCF (cont)

Extra benefits of the two running states: defending against Distributed Reflected Denial of Service (DRDoS) attacks; blocking bandwidth attacks.

Page 23: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Outline

Background

Mechanism and construction

Measurement: Feasibility, Effectiveness, Resource Savings

Conclusion

Page 24: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Feasibility of HCF

The feasibility of HCF hinges on three factors:

Stability of hop-counts: Internet paths were found to be dominated by a few prevalent routes; about two thirds of the Internet paths studied were observed to have routes persisting for either days or weeks.

Diversity of hop-count distribution: the larger the standard deviation, the more effective HCF is.

Robustness against possible evasion: without compromising, it is very difficult to get the IP2HC mapping table for the whole random address space; spoofing from compromised machines makes detection and removal much easier.

Page 25: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Diversity of hop-count distribution

The largest percentage of IP addresses that have a common hop-count value is only 10%

Page 26: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Effectiveness of HCF

Simple Attacks: always using the default initial TTL value

Page 27: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Effectiveness of HCF (cont)

Sophisticated attackers: randomly choose TTL values

Page 28: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Resource Savings

This part gives some practical techniques for implementing HCF that reduce resource consumption: insertion into the Linux kernel, and a hash table for the organization of the hop-count mapping.

Please read the paper for details.

Page 29: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Outline

Background

Mechanism and construction

Measurement

Conclusion: Contribution, Weakness, Improvement

Page 30: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Contribution

Proposes a hop-count based filtering scheme that detects and discards spoofed IP packets to conserve system resources.

Gives some analytical measurements of feasibility and effectiveness.

Gives a detailed description of how to make the whole system perform efficiently, together with an evaluation.

Page 31: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Weakness

TTL-based hop-count computation: assumes that most OSs use only a few selected initial TTL values; the solution to the ambiguities {30, 32}, {60, 64}, and {32, 60}.

No explicit way to assign and adjust the values of parameters.

Feasibility of HCF: no definitive claim of whether hop-count distributions are Gaussian or not.

Effectiveness of HCF, sophisticated attackers: no analysis of multiple flooding sources; no comparison with other methods; no consideration of a more realistic and complex network environment.

Page 32: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Improvement

Use some machine learning methods to assign and adjust the values of parameters.

Find out the distributions of hop-count.

Give the analysis on multiple flooding sources of the sophisticated attackers.

Compare HCF with other methods.

Consider a more realistic and complex network environment.

Page 33: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

Extra References

http://en.wikipedia.org/wiki/Internet_Protocol

http://en.wikipedia.org/wiki/Distributed_Reflection_Denial_of_Service

Page 34: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic

THANK YOU!

Questions?