The Crossfire Attack

The Crossfire Attack. Min Suk Kang, Soo Bum Lee, Virgil D. Gligor, ECE Department and CyLab, Carnegie Mellon University. 2013 IEEE Symposium on Security and Privacy.

Outline: Introduction; The Crossfire Attack; Attack Persistence and Cost; Experiment Setup and Results; Related Work

Transcript of The Crossfire Attack

Page 1: The Crossfire Attack

The Crossfire Attack

MIN SUK KANG, SOO BUM LEE, VIRGIL D. GLIGOR

ECE DEPARTMENT AND CYLAB

CARNEGIE MELLON UNIVERSITY

2013 IEEE Symposium on Security and Privacy

Page 2: The Crossfire Attack

Outline: INTRODUCTION; THE CROSSFIRE ATTACK; ATTACK PERSISTENCE AND COST; EXPERIMENT SETUP AND RESULTS; RELATED WORK; CONCLUSION

Page 4: The Crossfire Attack

INTRODUCTION – Old DDoS

Typical attack:

Floods server with HTTP, UDP, SYN, ICMP… packets

Persistence:

Maximum: 2.5 days

Average: 1.5 days

Adversary’s Challenge: DDoS attacks are either Persistent or Scalable to N Servers

N traffic to 1 server => high-intensity traffic triggers network detection

Detection not triggered => low-intensity traffic is insufficient for N servers

Page 5: The Crossfire Attack

INTRODUCTION – Crossfire Attack

Link flooding by botnets cannot be easily countered

Spoofed IP addresses.

Can flood links without using unwanted traffic.

Launch an attack with low-intensity traffic flows that cross a targeted link at roughly the same time and flood it.

Page 6: The Crossfire Attack

INTRODUCTION – Crossfire Attack

A link-flooding attack that degrades/cuts off network connections of scalable N-server area persistently.

Scalable N-Server areas

N = small (e.g., 1-1000 servers), medium (e.g., all servers in a US state), large (e.g., the West Coast of the US)

Persistent:

Attack traffic is indistinguishable from legitimate

Low-rate, changing sets of flows

Attack is “moving target” for same N-server area

Changing target links before triggering alarms

Page 7: The Crossfire Attack

INTRODUCTION – Definitions

Page 8: The Crossfire Attack

INTRODUCTION – 1 link crossfire

Attack flows => Indistinguishable from legitimate

Page 9: The Crossfire Attack

INTRODUCTION – 1 link crossfire

Attack flows => Alarms not triggered

Link-failure detection latency:

Interior Gateway Protocol (IGP) routers (OSPF): Default waiting time: 40 sec, Failure detection: 217 sec

Exterior Gateway Protocol (EGP) routers (BGP): Default waiting time: 180 sec, Failure detection: 1,076 sec

Page 11: The Crossfire Attack

THE CROSSFIRE ATTACK

Page 12: The Crossfire Attack

THE CROSSFIRE ATTACK

Public servers: To construct an attack topology centered at target area

Decoy servers: To create attack flow

Page 13: The Crossfire Attack

ATTACK - Step 1: Link Map Construction

( 72% )

(1) Traceroute (B->S)

(2) Link-Persistence

Page 14: The Crossfire Attack

ATTACK - Step 2: Attack setup

(1) Flow-Density Computation

(2) Target-Link Selection

DR: Degradation Ratio

Page 15: The Crossfire Attack

ATTACK - Step 3: Bot Coordination

(1) Attack-Flow Assignment

(2) Target-Link Flooding

Page 17: The Crossfire Attack

ATTACK PERSISTENCE AND COST

Data-Plane-Only Attack: Indefinite Duration

Link failure detection

Traffic engineering

Proactive Attack Techniques: Rolling Attack

Maintaining the same target links

Changes bot and decoy servers

Maintaining the same target area

Changes target links

Page 18: The Crossfire Attack

ATTACK PERSISTENCE AND COST

Attack bots available from Pay-per Install (PPI) markets [2011]

In experiments: 49% in US or UK, 37% in Europe, 14% rest of the world

10 target links: can be as low as 107,200 bots. Cost approximately $9K

Page 20: The Crossfire Attack

EXPERIMENT SETUP AND RESULTS

Bots:

1,072 traceroute nodes

620 PlanetLab nodes, 452 LG (Looking Glass) servers

Page 21: The Crossfire Attack

EXPERIMENT SETUP AND RESULTS

Decoy servers:

552 institutions (i.e., universities and colleges) on both the East Coast (10 states) and West Coast (7 states) of the US

2737 public web servers within Univ1 in Pennsylvania

7411 public web servers within Univ2 in Massachusetts

Page 22: The Crossfire Attack

EXPERIMENT SETUP AND RESULTS

Target Areas:

Page 23: The Crossfire Attack

EXPERIMENT SETUP AND RESULTS

Page 24: The Crossfire Attack

EXPERIMENT SETUP AND RESULTS

Link map

Run a traceroute six times to diagnose link persistence

Page 25: The Crossfire Attack

EXPERIMENT SETUP AND RESULTS

Page 26: The Crossfire Attack

EXPERIMENT SETUP AND RESULTS

Average rate when flooding 10 Target Links against Pennsylvania

Page 28: The Crossfire Attack

The Coremelt Attack

Page 29: The Crossfire Attack

“Spamhaus” Attack

Page 30: The Crossfire Attack

RELATED WORK

Page 32: The Crossfire Attack

CONCLUSION

Attack Characteristics

Undetectability at the Target Area.

Indistinguishability of Flows in Routers

Persistence

Flexibility

New DDoS Attack: The Crossfire Attack

Scalable & Persistent

Internet-scale experiment

Feasibility of the attack

High impact with low cost

Page 33: The Crossfire Attack

Q&A