source-end defense system against ddos attacks fu-yuan lee, shiuhpyng shieh, jui-ting shieh and...
TRANSCRIPT
Source-End Defense System against DDoS attacks
Fu-Yuan Lee, Shiuhpyng Shieh, Jui-Ting Shieh and Sheng Hsuan WangDistributed System and Network Security Lab.
Department of Computer Science and Information EngineeringNational Chiao Tung University
WADIS‘03
2
Outline
Introduction to DDoS attacks. Current DDoS defense strategies Review of D-WARD Proposed DDoS defense scheme Evaluation Conclusions and future work
3
DDoS attacks
What is a Denial-of-Service (DoS) attack Degrade the service quality or com
pletely disable the target service by overloading critical resources of the target system or by exploiting software bugs.
What is a Distributed DoS (DDoS) attack The objective is the same with DoS
attacks but is accomplished by a of compromised hosts distributed over the Internet.
4
Mechanisms against DDoS attacks (1)
Victim-end Most existing Intrusion detection systems and DoS/DDoS tolerant syst
em design fall in this category. Used to protect a set of hosts from being attacked. Advantages and disadvantages
DDoS attacks are easily detected due to the aggregate of huge traffic volume.
From a network’s perspective, protecting is consider ineffective. Attack flows can still incur congestion along the attack path.
5
Mechanisms against DDoS attacks (2)
Infrastructure-based DDoS defense lines are constructed towards attack sources to reduce n
etwork congestion. Attack packets are filtered out by Internet core routers. Advantages and disadvantages
The effectiveness of filtering is improved. An Internet-wide authentication framework is required. Internet core routers must be upgrade to filter out attack packets in high sp
eeds
6
Mechanisms against DDoS attacks (3)
Source-end DDoS defense mechanism are used to prevent monitored hosts from particip
ating in DDoS attacks. Attack packets are dropped at sources. It allows preventing attack traffic fro
m entering the Internet. Advantages and disadvantages
The effectiveness of packet filter is the best. It is very hard to identify DDoS attack flows at sources since the traffic is not so
aggregate. It require the support of all edge routers.
In summary, source-end DDoS defense strategy is the most effective and with moderate deployment cost.
7
D-WARD: A Source-End DDoS defense scheme
J. Mickovic et al. “Attacking DDoS at the Source,” IEEE ICNP’02
Ideas behind D-WARD: DDoS attack flows can be identified by comparing flow statistics against normal flow models. Signals of DDoS attacks: High Packet loss rate:
The level of network congestion (or say packet loss rate) reflects on the ratio of number of packets sent to and received from the peer.
High packet sending rate: This may also indicate a DDoS attack A large number of connections to the peer
8
D-WARD: Architecture
Internet
Intranet/Sourcenetwork
ObservationComponent
Throttling Component
Classification
Statistics
Preprocessing
Cache table
Rate limiting rulesDestination A | limiting rate | timestamp
…………………….…………………….
Destination N | limiting rate | timestamp
9
D-WARD: Observation Component Gather per flow statistics
Flow: The aggregate traffic between monitored IP addresses and a foreign IP address.
Observation interval: A basic time frame for one observation The number of packet and bytes sent to and received from the peer The number of active connections
Legitimate flow model TCP flows:
Psent/Prcv < TCPrto (set to 3) ICMP flows:
Psent/Prcv < ICMPrto (set to 1.1) UDP flows:
nconn < MAXconn (set to 100) pconn > MINpkts (set to 1) Bsent < UDPrate (set to 10MBps)
10
Motivations
Using a global threshold of Psent/Prcv for TCP flows would result in high false positive and high false negative. In the following context, this ratio is denoted as O/I High false positive
flows with O/I greater than 3 in its normal operation would be classified as attack flows
High false negative low-rate attacks will not be detected. Consider a flow with O/I =1, then O/I
only reaches 2 when the packet loss rate is 50%.
In one word, using a single O/I threshold for
different flows is problematic.
11
Basic Idea Ideas behind the proposed scheme
Focus: detecting DDoS attacks based on TCP 96% of current attacks are based on TCP. Only 2% use UDP and 2% use I
CMP
The level of “congestion” should be determined according previous behavior of the each monitored flow.
Two more DDoS characteristics are utilized for detecting attacks Distribution: the number of hosts sending packets to the destination in eac
h observation period Continuity: reflect to the observation that a DDoS attack always lasts for a
n extended period of time.
12
Observations on normal traffics (1) Observation: Average O/I of different
flows rage from 3.68 to 0.5 Flows with highest ratio:
Contains one ftp data connection. The flow last for 227 second. Total 86685 packet (68158 packet send out, 18527 packet send in) The average O/I is 3.68. Standard deviation=0.16. Packet loss rate is 0%.
Standard deviation of the monitored flow are low (usually smaller 1). It indicates that the O/I value of flows tend to be stable in their normal operation.
13
Observations on normal traffics (2)
Number of sources in each flow In each observation interval, most of flows have only one source host
sending packets to the peer.
14
Proposed DDoS detection scheme
There are two phases in our scheme. Learning phase: Define legitimate flow model Detection phase: Detect malicious flows and apply rate limit
Learning phase contains two steps. Step 1: determine the following thresholds
Tf: the maximum allowed O/I.
Nf: the mini-threshold of O/I.
c: a parameter used to quantify the level of distribution. Steps 2: derive other configuration parameters
α: a value indicating the possibility that the flow is malicious. It is generated according to the level of congestion and the level of distribution
αf : the maximum allowed value ofα
tf : the maximum allowed number of the times that αcan continually breaches αf
15
Flow Classification
Four types of traffic flows: Normal, Suspicious, Attack, and Transient.
Normal Flow
Suspicious Flow
Attack Flow
Transient Flow
tf
α f
less then α f
greater than α f
great than tfsamll than tf
Compliant for penaltyperiod
recovery phase
α greater α f
Derive α
Increase counter for tf
16
Generation of α
Generating α in an observation interval
Sf: : the number of source in the flow.
nf: : the O/I of the current interval.
λ: a magic number used to restrict α between 0 and 1. λ is a number between 0 and 1.
Characteristics of α It is between 0 and 1 It increases with nf . If nf approaches Tf, α approaches to 1
α increases with the number of sources in the flow.
Level of congestion
The impact of distribution
i
cS
i ff
fff
NT
Nn
/
1
1
17
Rate limiting and recovery Rate-Limiting
rl: imposed rate limit rate: realized sending rate Mini-rate: The lowest limited rate which can be imposed on network fl
ows. Recovery
If the attack flow show compliance with normal flow model for consecutive penalty observation periods, it is classified as transient, the recovery process begins.
Max-rate: Once the rate limit reaches Max-rate, it is classified as normal
dropsent
sent
PP
Praterlrl
)1(),min(
dropsent
sent
PP
Prlrl
1
18
Thresholds Configuring thresholds and other parameters:
Observation period = 1 second Tf: The maximum of the observed O/I * 2 Nf: the average O/I c: the maximum number of sources in a flow in the monitored network. αf: the averageαin the learning process. tf: the maximum consecutive number of time that αexceeds αf
λ= 0.5 Parameters learned from a monitored flow
Sending rate 10 pkts to the destination host per second. Maximum O/I is 1.25, Average O/I is 1.25
Tf: = 2.5, nf = 1.04 c = 3 αf = 0.18 tf = 3
19
Experiments
Types of Experiment Resource consumption
TCP SYN flooding link flooding
Attack scenarios Constant rate attack Pulsing rate attack Increasing rate attack Gradual pulsing attack
20
Topology
Router
Switch
Attack agents Attack agents Attack agents Victim
Switch
DDoS defense system
Attack agents
Attack agents
Bandwidth Controller
21
TCP SYN Flooding Attack
Router
Switch
Attack agents Attack agents Attack agents Victim
Switch
DDoS defense system
Attack agents
Attack agents
Bandwidth Controller
TCP SYN attack flow
22
SYN flooding:Constant Rate and Pulsing Rate
23
SYN floodingIncreasing Rate and Gradual Increasing Rate
24
Link Overloading
Router
Switch
Attack agents Attack agents Attack agents Victim
Switch
Link Bandwidth: 250KBps
DDoS defense system
Attack agents
Attack agents
Bandwidth Controller
Aggregate of attack traffic:
500KBps
100KBps
100KBps
100KBps
100KBps
100KBps
25
Bandwidth floodingConstant Rate and Pulsing Rate
constant pulsing
26
Bandwidth floodingIncreasing Rate and Gradual Increasing Rate
increasing gradual increasing
27
Conclusion
The O/I used to define the level of network congestion must be determined according to the previous behavior of the flow.
The number of source in the flow and the number of observation intervals that the signal of DDoS attacks lasts should be taken into consideration.
Evaluation results show that the performance of proposed system is better than D-WARD, in terms of false positive and false negative.
28
Future work
More experiments on estimating the effectiveness of the proposed scheme are required
A mechanism that can deal with new flows which are not in the flow profile database
A space-effective mechanism that helps to reduce the storage requirement for storing the profiles of flows.
Schemes which can detect DDoS attacks based on one-way flows such as ICMP and UDP.