“To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets”

Xin Liu, Xiaowei Yang, Yanbin Lu
Department of Computer Science, University of California, Irvine
Published: SIGCOMM 2008 Conference
Presented by: Christopher Daiello
Presented on: March 26, 2009
CAP 6135 Malware and Software Vulnerability Analysis (Spring 2009)
Professor: Dr. Cliff Zou


DESCRIPTION

“ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”. Xin Liu, Xiaowei Yang, Yanbin Lu Department of Computer Science, University of California, Irvine Published: SIGCOMM 2008 Conference Presented by: Christopher Daiello Presented on: March 26, 2009 - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

“To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets”

Xin Liu, Xiaowei Yang, Yanbin Lu

Department of Computer Science, University of California, Irvine

Published: SIGCOMM 2008 Conference

Presented by: Christopher Daiello

Presented on: March 26, 2009

CAP 6135 Malware and Software Vulnerability Analysis (Spring 2009)

Professor: Dr. Cliff Zou

Page 2: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

Outline

Motivation / Strategy
StopIt Summary
StopIt Design
Prototype Experiment
Defense Solution Comparison
Review
References

Page 3: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

Motivation

Botnets continue to be a rising threat.
In September 2007, the Storm botnet alone reached 50 million compromised hosts.
If each host sends one full packet (1500 bytes), a 10-million botnet would exceed 120 Gbps, enough to take down any site on the internet.

Many solutions have been proposed to combat this problem; however, there is no consensus on how to build a DoS-resistant network.

Page 4: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

Botnet Defensive Strategies

Capability Approach
Receiver controls the traffic it receives.
Explicitly authorizes the traffic it receives.
Popular capability-based systems: TVA and Portcullis

Filter Approach
Receiver allows all traffic until it detects a problem.
Receiver limits attack traffic by dynamically installing filters.
Popular filter-based systems: AITF and Pushback

Page 5: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

Which strategy is more effective?

Capability Design vs Filter Design?
Current filter-based solutions have limitations that prevent a fair comparison.
AITF verifies filter install requests with a 3-way handshake. Verification communication may get blocked by attack traffic.
Pushback uses rate limiting (instead of completely blocking) to combat attack traffic.

Page 6: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

StopIt Summary

Page 7: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

StopIt

Filter-based approach design.
Closed-control and open-service architecture.
Allows any receiver to block undesirable traffic.
Mitigates link congestion.
Resistant to filter exhaustion attacks.
Resistant to bandwidth flooding attacks that could prevent the installation of filters.

Page 8: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

StopIt Design Assumptions

Secure Intra-AS Communication – Communication between components within the AS (Autonomous System) is secured.

Attack Traffic Classification – Target systems can identify when they are being attacked.

Feasible – Design is efficient enough to operate on current routers. Public key cryptography is not used at packet forwarding due to high processing costs.

Page 9: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

StopIt Goals

Effective Filtering – Filters installed to protect a host machine should not prevent other hosts from communicating with legitimate sources.

Secure the defense system itself!
Strategic attacks – Attacks aimed to defeat or abuse the system
Destination Flood Attacks – Flood the system with traffic to suppress communication.
Link Flood Attacks – Congest a link to disrupt communications between systems that share that link.

Page 10: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

StopIt Goals

Fail-Safe – System should provide degraded service in the event filters fail to mitigate attack traffic.

Incremental Deployment – System should support incremental deployment and give immediate results to early adopters.

Page 11: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

StopIt Design

Page 12: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

StopIt Architecture

Infrastructure Service
Open services: any host co-located with the server may request services.
Hosts request StopIt to block attacking traffic.

Filter-based implementation
Source and destination address used to create the filter.
Attack traffic is blocked for a period of time Tb.
Attack traffic confirmed before the installation of blocking filters.
Filter aggregation – compromised hosts share a common address space.

Page 13: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

StopIt – Autonomous System (AS)

A network or collection of networks that is controlled by one administrative entity (example: a university network).

Composed of:
StopIt server
N routers/servers

Routers alert the StopIt server when a host makes a block request.

The StopIt server directs routers as to which filters to install.

[Figure: AS diagram labelled StopIt Server, Host Routers]

Page 14: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

StopIt Communication

StopIt servers communicate with each other to alert of a potential attacking host.
Each StopIt server knows the address of other StopIt servers.
StopIt design uses BGP (Border Gateway Protocol) to publish the address of each StopIt server.

StopIt implements its own IP protocol for communication between servers and AS routers.

Page 15: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

StopIt Architecture

[Figure: StopIt request path from the Target side (Hd, Rd, Sd) to the Attacker side (Ss, Rs, Hs)]

Page 16: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

StopIt – Blocking an Attacker

Destination host (Hd) determines it is under attack by source (Hs).

Hd sends a host-router “stop” request to router Rd.

The request includes:
Attack Source MAC
Host MAC
Block Time Tb

[Figure: Hd, Rd, Sd]

Page 17: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

StopIt – Blocking an Attacker

Router Rd verifies that Hs is in fact attacking Hd.

Upon confirmation, Rd sends a router-server request to the local AS StopIt server (Sd).

Sd sends an inter-domain stop request to the StopIt server in the same AS where Hs is located.

[Figure: Hd, Rd, Sd]

Page 18: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

StopIt – Blocking an Attacker

Ss locates router Rs and sends a server-router request.

Rs verifies the StopIt request and then installs a filter.

Finally, Rs sends a request to Hs to stop sending traffic to Hd.

Compliant hosts will comply with the StopIt request.

[Figure: Ss, Rs, Hs]

Page 19: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

Securing StopIt

Basic StopIt Architecture Vulnerabilities
Source address spoofing – attacker may spoof address to avoid detection / filtering.
Resource Exhaustion
Flood filtering requests to overload StopIt server and routers
Exhaust router’s filters – no more filters available to block DoS attacks.
Block legitimate traffic – compromised StopIt server requests filters for legitimate traffic.

Page 20: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

Source Authentication

StopIt utilizes Passport to prevent source address spoofing.
Passport uses symmetric key cryptography.
Authentication overhead is equivalent to the authentication used in capability-based systems.

Border routers at the destination AS verify the source AS before the packet enters the network.

Pair-wise keys between two ASes are exchanged during the BGP announcement.
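The border-router check described on this slide, as an added example (not the paper's or Passport's own code): a simplified stand-in in which the source AS stamps each packet with a MAC under the pair-wise key it shares with the destination AS, and the destination border router recomputes the MAC with the key of the AS that actually owns the claimed source address, so a spoofed source fails verification. The prefix table, AS numbers and keys are constructed; the real Passport stamp format is not modelled.

```python
# Added example: simplified stand-in for Passport-style AS-level source
# authentication. All prefixes, AS numbers and keys below are constructed.
import hashlib
import hmac
import ipaddress

# Constructed data: which AS originates each prefix (as a border router would
# learn from BGP) and the pair-wise key shared by (source AS, destination AS).
PREFIX_TO_AS = {
    ipaddress.ip_network("10.1.0.0/16"): 65001,
    ipaddress.ip_network("10.2.0.0/16"): 65002,
}
PAIR_KEYS = {
    (65001, 65003): b"constructed-key-65001-65003",
    (65002, 65003): b"constructed-key-65002-65003",
}


def origin_as(addr):
    """Return the AS that owns addr according to the prefix table, or None."""
    ip = ipaddress.ip_address(addr)
    for net, asn in PREFIX_TO_AS.items():
        if ip in net:
            return asn
    return None


def _mac(key, src, dst, payload):
    return hmac.new(key, f"{src}|{dst}|".encode() + payload, hashlib.sha256).digest()


def stamp(src, dst, payload, src_as, dst_as):
    """Source AS border router: stamp the packet with the pair-wise key.
    A sender can only use keys its own AS holds."""
    return _mac(PAIR_KEYS[(src_as, dst_as)], src, dst, payload)


def verify_at_border(src, dst, payload, tag, dst_as):
    """Destination AS border router: look up the AS that really owns the
    claimed source address and check the stamp under that pair's key.
    A spoofed source maps to a different key, so the stamp does not match."""
    key = PAIR_KEYS.get((origin_as(src), dst_as))
    if key is None:
        return False  # unknown source AS: packet cannot be authenticated
    return hmac.compare_digest(_mac(key, src, dst, payload), tag)
```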

Page 21: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

Closed Control

Routers receive StopIt requests from:
Local nodes to the AS
Another StopIt server.

This prevents stop request floods from unknown sources.

If the request is ultimately classified as attack traffic, the router can make a stop request.

Page 22: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

Packet Floods

Flooding a common link between two domains could potentially suppress StopIt requests from being received.

Routers have knowledge of StopIt server addresses via BGP.

Routers separate StopIt requests from other traffic:
Fair Queuing
Hierarchical Rate Limiting

Page 23: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

Confirming Attacks

What happens when a destination is compromised?
Host may initiate filters to block legitimate traffic to other co-located hosts.
Exhaust a source router’s filters so that attack traffic can successfully suppress hosts.

Who needs to be verified?
Destination Router
Source Router
Source

Page 24: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

Confirming Attacks

Destination Router Confirmation
Router Rd checks its internal flow cache upon receiving a stop request from Hd.
If Hd received traffic recently from Hs, the router will install a local filter.
Router sends a StopIt request directly to Hs.
If Hs does not comply, Rd notifies the local StopIt server of the attacking traffic.

Page 25: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

Confirming Attacks

Source Router Confirmation
Source routers Rs also use a flow cache to confirm a legitimate stop request.
Rs installs filters to block the misbehaving host.
Verification protects the source from invalid filter requests from a compromised Hd or another StopIt server.
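The blocking sequence of slides 16 to 18 together with the flow-cache confirmation of slides 24 and 25, as an added example (not code from the paper or its authors): a small Python model in which each router honours a stop request only for a flow it recently forwarded, filters are keyed on (source, destination) and expire after Tb, and Ss accepts inter-domain requests only from a known peer server (closed control). Class and function names, and the peer list standing in for BGP-published server addresses, are constructed for this illustration.

```python
# Added example, not the paper's or authors' code: a model of the StopIt
# blocking sequence Hd -> Rd -> Sd -> Ss -> Rs -> Hs. All names are constructed.
from dataclasses import dataclass, field


@dataclass
class Router:
    name: str
    flow_cache: set = field(default_factory=set)  # (src, dst) pairs forwarded recently
    filters: dict = field(default_factory=dict)   # (src, dst) -> expiry time
    max_filters: int = 4                          # tiny table so exhaustion is visible

    def observe(self, src, dst):
        """Record that a packet src -> dst was forwarded (fills the flow cache)."""
        self.flow_cache.add((src, dst))

    def confirm(self, src, dst):
        """A stop request is honoured only if this router really saw src -> dst."""
        return (src, dst) in self.flow_cache

    def install_filter(self, src, dst, tb, now):
        """Block src -> dst for Tb seconds; False if the filter table is full."""
        self.expire(now)
        if len(self.filters) >= self.max_filters:
            return False
        self.filters[(src, dst)] = now + tb
        return True

    def expire(self, now):
        self.filters = {k: t for k, t in self.filters.items() if t > now}

    def forwards(self, src, dst, now):
        """Would this router still forward src -> dst at time now?"""
        self.expire(now)
        return (src, dst) not in self.filters


@dataclass
class StopItServer:
    name: str
    routers: dict  # host -> its access router inside this AS
    peers: set     # names of other StopIt servers (stand-in for BGP-published addresses)


def stop_it(hd, hs, tb, rd, sd, servers, compliant, now=0):
    """Run one stop request from Hd against Hs; returns the steps taken.
    servers: {name: StopItServer} for every StopIt-enabled AS;
    compliant: hosts that honour a stop request without being filtered upstream."""
    trace = []
    # 1. Host-router request (attack source, host, block time Tb): Rd confirms first
    if not rd.confirm(hs, hd):
        trace.append("Rd: no recent flow %s->%s, request dropped" % (hs, hd))
        return trace
    rd.install_filter(hs, hd, tb, now)
    trace.append("Rd: local filter installed, stop request sent to %s" % hs)
    if hs in compliant:
        trace.append("%s complied, no escalation" % hs)
        return trace
    # 2. Router-server request to Sd, which finds the server for the AS of Hs
    ss = next((s for s in servers.values() if hs in s.routers), None)
    if ss is None:
        trace.append("Sd: %s is not in a StopIt AS, blocked at Rd only" % hs)
        return trace
    trace.append("Sd(%s) -> Ss(%s): inter-domain stop request" % (sd.name, ss.name))
    # 3. Closed control: Ss takes inter-domain requests only from known servers
    if sd.name not in ss.peers:
        trace.append("Ss: request from unknown server rejected")
        return trace
    # 4. Server-router request: Rs checks its own flow cache, then installs a filter
    rs = ss.routers[hs]
    if not rs.confirm(hs, hd):
        trace.append("Rs: flow not seen, filter request refused")
        return trace
    ok = rs.install_filter(hs, hd, tb, now)
    trace.append("Rs: filter installed" if ok else "Rs: filter table exhausted")
    return trace
```

The unconfirmed-request and unknown-server branches are the checks that keep a compromised Hd or a rogue server from installing filters against legitimate traffic, as slides 23 and 25 describe.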

Page 26: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

Non-StopIt Enabled Sources

StopIt can only block attack traffic at a source when the source implements StopIt.
Attack traffic blocked at the destination router.
Attack mitigated with queuing or rate limiting.

Sources using Passport only.
Destination AS can confirm source of attacking traffic.
Passport prevents source from using address spoofing.

Sources have incentive to implement StopIt to isolate possible congestion from compromised hosts.

Page 27: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

Deploying StopIt

Upgrade routers to use Passport for source authentication.

Upgrade routers to utilize the StopIt protocol.

Add StopIt server to AS.

Enable per-AS and per-host resource allocation scheme at congested network links.

[Figure: AS diagram labelled StopIt Server, Host Routers]

Page 28: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

Prototype Experiment

Page 29: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

Proof of Concept Implementation

Access Router Prototype
Linux
Click modular router software architecture
User-level application for source logic.
Authentication for inter-domain StopIt requests or filter replacement requests uses UHASH, AES, and UMAC.
StopIt protocol built on top of UDP.

(Liu et al, 8)

Page 30: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

Proof of Concept Implementation

(Liu et al, 8)

Page 31: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

Stopping DoS Attacks

Scenario Inputs
Destination router filters: 256K
End-to-End StopIt requests: 3 (for confirming an actual attack)
Attacker host simulates 1 to 10 million attackers
Each attack repeats 10 times.

Page 32: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

Stopping DoS Attacks

[Figure: Time it takes for the victim to block N attackers.] (Liu et al, 9)

Page 33: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

Defense Solution Comparison

Page 34: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

Comparing Anti-DoS Solutions

StopIt design implemented in ns-2: The Network Simulator

StopIt tested against:
AITF, Pushback (filter-based)
TVA, TVA+, and Portcullis (capability-based)

Scenario topology created from BGP table dump.
Used 1/20 of topology due to ns-2 limitations.
2/3 of ASes have attacking hosts, non-uniformly distributed.

Page 35: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

Comparing Anti-DoS Solutions

Test three types of attacks:
Destination Flooding
One-Way Link Flooding
Two-Way Link Flooding

Testing Metric
TCP transfer performance
Legitimate user sends one 20KB transfer to the designated victim.
TCP transfer is aborted after 25 seconds.

Page 36: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

Destination Flooding Test

(Liu et al, 10)

Page 37: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

One-Way Link Flood Test

(Liu et al, 10)

Page 38: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

Two-Way Link Flood Test

(Liu et al, 11)

Page 39: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

Comparison Summary

StopIt design outperforms many of the currently existing DoS defense architectures.

StopIt does not outperform capability-based solutions in all types of DoS attacks.

Neither solution, filter or capability, has shown a definitive edge over the other.

The best solution may be a hybrid design.

Page 40: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

Contributions

A thorough analysis of the DoS problem domain.

A complete high-level design for a potential solution to destination and link flood DoS attacks.

A convincing comparison between StopIt and other currently available filter/capability solutions.

Page 41: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

Weaknesses

Description of prototype implementation was fairly brief.
Prototype testing only utilized one host to simulate multiple attackers. Larger-scale testing should be conducted.

Internet-wide deployment will make updating software challenging. Software must remain backwards compatible with earlier versions.

Full deployment of the solution is required to fully realize the benefits of the StopIt design.

Page 42: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

Future Enhancements

Complete another iteration of prototype development.
Implement the StopIt protocol as intended, as an IP protocol.
Test on a larger network infrastructure.

Page 43: “ To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ”

References

1. Border Gateway Protocol (BGP). Cisco. http://www.cisco.com/en/US/docs/internetworking/technology/handbook/bgp.html

2. The Network Simulator – ns-2. http://www.isi.edu/nsnam/ns/

3. Autonomous System (Internet). Wikipedia. http://en.wikipedia.org/wiki/Autonomous_system_(Internet)

4. Liu, Xin; Yang, Xiaowei; Lu, Yanbin. “To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets”. SIGCOMM ’08. August 17-22, 2008.