Autonomic Response to Distributed Denial of Service Attacks
Paper by: Dan Sterne, Kelly Djahandari, Brett Wilson, Bill Babson, Dan Schnackenberg, Harley Holliday and Travis Reid
Presented by: Jesus F. Morales

Overview
- Introduction: the problem
- Proposed solution
- The experiment
- Results
- Observations
- Conclusions

Introduction
- The problem
  - Distributed Denial of Service (DDoS) attacks
  - Hacker toolkits
- January 2001
  - DDoS attack against websites hosting Hotmail, MSN, Expedia and other large services
  - Services inaccessible for 22 hours

Current state of response
- Relies on expert, manual labor by network administrators
- Response includes two main activities:
  - “Input debugging”
    - Find the router’s physical interfaces used for the attack (statistics, network traffic probes)
  - Mitigation of network traffic flow
    - Packet filtering or rate limiting at the associated router
    - Contact upstream organizations

Current state of response: drawbacks
- Requires immediate availability of highly skilled network administrators
- Time consuming
  - Downtime & costs
- It does not scale
  - What about attacks involving hundreds of networks?
  - “Whack a mole” attacks

Proposed solution
- Intruder Detection and Isolation Protocol (IDIP)
  - Protocol for reporting intrusion-related events and coordinating attack tracebacks and automated response actions
- Cooperative Intrusion Traceback and Response Architecture (CITRA)
  - The architecture based on IDIP
- Authors have adapted CITRA and IDIP for DDoS attacks

CITRA: components and attack traceback and mitigation
(no text captured for this slide)

Attack response
- Policy mechanisms for each CITRA component along the attack path determine the adequate response
  - At CITRA-enabled hosts
    - Kill offending process
    - Disable offending user’s account
  - Block attacked service port on all requests from attacker’s address or network for a specified amount of time
- Goal: use the narrowest network response
  - Stop the attack
  - Minimize impact on legitimate users
- Reports of responses taken are sent to the Discovery Coordinator (DC)
  - Global view and system topology allow, hopefully, for the best community-wide response

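The response selection this slide describes, as an added Python illustration (not code from the paper or the CITRA prototype): each component on the traced attack path picks the narrowest action it can apply, network components hold time-limited block rules that lapse on their own, and every action taken is reported to the Discovery Coordinator. The component kinds, report fields, the 600-second default block duration and the sample path are constructed assumptions.

```python
"""Toy model of CITRA-style response selection along an attack path.

Added illustration, not code from the paper or the CITRA prototype: the
component kinds, report fields, default block duration and the sample path
below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AttackReport:
    attacker_ip: str
    attacker_net: str                       # CIDR of the attacker's network
    target_port: int
    offending_pid: Optional[int] = None     # known only on the source host
    offending_user: Optional[str] = None    # known only on the source host


class BlockTable:
    """Time-limited block rules held by a network component (router, firewall)."""

    def __init__(self) -> None:
        self.rules = {}  # (source, port) -> expiry time in seconds

    def block(self, source: str, port: int, seconds: float, now: float) -> None:
        self.rules[(source, port)] = now + seconds

    def is_blocked(self, source: str, port: int, now: float) -> bool:
        expiry = self.rules.get((source, port))
        if expiry is None:
            return False
        if now >= expiry:               # rule has lapsed: expire it lazily
            del self.rules[(source, port)]
            return False
        return True


def choose_response(kind: str, is_source_host: bool, report: AttackReport,
                    duration: float = 600.0) -> Tuple:
    """Pick the narrowest response this component can apply (constructed policy).

    Preference order: act on the offending process or account on the host
    where the attack originates; otherwise block only the attacked port for
    the single attacker address; fall back to the attacker's whole network.
    """
    if kind == "host" and is_source_host:
        if report.offending_pid is not None:
            return ("kill_process", report.offending_pid)
        if report.offending_user is not None:
            return ("disable_account", report.offending_user)
    source = report.attacker_ip or report.attacker_net
    return ("block", source, report.target_port, duration)


class DiscoveryCoordinator:
    """Collects the responses taken so a community-wide view can be built."""

    def __init__(self) -> None:
        self.log: List[Tuple[str, Tuple]] = []

    def record(self, component: str, action: Tuple) -> None:
        self.log.append((component, action))


def respond_along_path(path, report: AttackReport, dc: DiscoveryCoordinator,
                       now: float):
    """Apply the narrowest response at each component on the traced path.

    `path` is a list of (name, kind, is_source_host, BlockTable-or-None).
    Returns the block tables that were updated, keyed by component name.
    """
    tables = {}
    for name, kind, is_source, table in path:
        action = choose_response(kind, is_source, report)
        if action[0] == "block" and table is not None:
            _, source, port, seconds = action
            table.block(source, port, seconds, now)
            tables[name] = table
        dc.record(name, action)
    return tables


# Constructed sample: attacker host -> edge router -> core router
SAMPLE_REPORT = AttackReport("10.0.9.9", "10.0.9.0/24", 7070,
                             offending_pid=4242, offending_user="agent")
SAMPLE_PATH = [
    ("agent-host", "host", True, None),
    ("edge-router", "router", False, BlockTable()),
    ("core-router", "router", False, BlockTable()),
]

if __name__ == "__main__":
    dc = DiscoveryCoordinator()
    tables = respond_along_path(SAMPLE_PATH, SAMPLE_REPORT, dc, now=0.0)
    for component, action in dc.log:
        print(component, action)
    print("blocked at t=10:", tables["edge-router"].is_blocked("10.0.9.9", 7070, 10.0))
    print("blocked at t=700:", tables["edge-router"].is_blocked("10.0.9.9", 7070, 700.0))
```

The lazy expiry in `is_blocked` is what keeps the response narrow in time as well as in scope: a rule installed for a transient flood disappears without an administrator having to remember to remove it, which matters once hundreds of components are installing rules automatically.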
Experiment: Autonomic response to DDoS
- The problem
  - Sophisticated DDoS toolkits generate traffic that “blends in” with legitimate traffic
  - Cannot be blocked by router packet filters without blocking legitimate traffic
  - Traffic rate limiting may be more useful
- Experiment goals
  - Prove that CITRA and IDIP can defend against DDoS attacks
  - In particular, against a Stacheldraht v4 attack

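Why rate limiting is the more useful tool when flood packets blend in, as an added Python illustration that is not code from the paper or CITRA: a constructed packet stream mixes two legitimate clients with one high-rate source, all aimed at the same server port, and the limiter never sees which is which. A per-source token bucket at a simulated upstream router caps the flood while every legitimate packet still gets through; the packet-filter alternative, dropping the attacked port outright, stops the flood and the clients together. The addresses, port number, rates and bucket parameters are all constructed assumptions.

```python
"""Per-source rate limiting of UDP traffic that blends in with legitimate
traffic.

Added illustration, not code from the paper or CITRA: the packet stream,
addresses, port and limiter parameters below are constructed.  The 'kind'
field is ground truth used only for scoring; the limiter never looks at it,
because flood packets and client control packets look the same on the wire.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Packet = Tuple[float, str, int, str]    # (time_s, src_ip, dst_port, kind)
SERVER_PORT = 7070                      # constructed streaming-server port


def make_stream() -> List[Packet]:
    """Two legitimate clients at 2 packets/s each plus one flood source at
    200 packets/s starting at t=2 s; all packets target the same port."""
    pkts: List[Packet] = []
    for client in ("10.0.1.5", "10.0.1.6"):
        for k in range(20):                          # t = 0.0 .. 9.5
            pkts.append((k * 0.5, client, SERVER_PORT, "legit"))
    for k in range(1600):                            # t = 2.0 .. 9.995
        pkts.append((2.0 + k * 0.005, "10.0.9.9", SERVER_PORT, "flood"))
    pkts.sort()
    return pkts


class TokenBucket:
    """Classic token bucket: `rate` tokens/s refill, at most `burst` stored."""

    def __init__(self, rate: float, burst: float) -> None:
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def rate_limit_per_source(pkts: List[Packet], rate: float,
                          burst: float) -> Dict[str, Tuple[int, int]]:
    """Forward a packet only if its source's bucket has a token.
    Returns {kind: (delivered, offered)} for scoring."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    delivered, offered = defaultdict(int), defaultdict(int)
    for t, src, _port, kind in pkts:
        offered[kind] += 1
        if buckets[src].allow(t):
            delivered[kind] += 1
    return {k: (delivered[k], offered[k]) for k in offered}


def block_port(pkts: List[Packet], port: int) -> Dict[str, Tuple[int, int]]:
    """The packet-filter alternative: drop everything to the attacked port.
    Stops the flood, but takes the legitimate clients down with it."""
    delivered, offered = defaultdict(int), defaultdict(int)
    for _t, _src, dst_port, kind in pkts:
        offered[kind] += 1
        if dst_port != port:
            delivered[kind] += 1
    return {k: (delivered[k], offered[k]) for k in offered}


if __name__ == "__main__":
    stream = make_stream()
    print("rate limit 5 pkt/s per source:", rate_limit_per_source(stream, 5.0, 5.0))
    print("block the attacked port:      ", block_port(stream, SERVER_PORT))
```

A bucket keyed on the source address is the cleanest way to show the separation; with many agents or spoofed addresses it is weaker, and a bucket keyed on the ingress interface or the destination instead caps the total while sharing the remaining capacity between legitimate and flood packets, so the clients degrade rather than recover fully. That sharing is the trade-off to keep in mind when reading the full-recovery and degraded-recovery runs later in the deck.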
Experiment: Stacheldraht toolkit and test application
- Stacheldraht toolkit
  - Can generate ICMP, UDP and TCP floods and Smurf attacks
  - Provides one or more master servers that control agents (flood sources)
  - Can target floods at arbitrary machines and ports
- Test application
  - Audio/video streaming
  - RealNetworks’ RealSystem server
  - RealPlayer client

Experiment: topology and scenario
(no text captured for this slide)

Experiment: settings
- Test data
  - RealPlayer
    - 8-minute 11-second continuous motion video
    - Encoded at 200.1 Kbps
    - Best quality video setting (10 Mbps bandwidth)
    - Data buffering: 5 seconds (the minimum)
    - Transport protocol: UDP
- Attack
  - Target is the RealSystem server
  - UDP packets indistinguishable from control packets sent to the server from RealPlayer clients

Experiment: Stacheldraht flooding and autonomic rate limiting
(no text captured for this slide)

Experiment results: Normal run; Flood run; Full recovery run; Degraded recovery run
(no text captured for these four result slides)

Observations
- Degraded recovery probably due to the detector’s slow response speed (366 MHz Pentium II)
- Independent experiment
  - Results confirmed
  - Full recovery obtained every time
    - Higher performance detector
    - CITRA’s response effective after 2 seconds vs. 10–12 seconds
- Results are preliminary
- UDP allows a traceback and mitigation request with one IP packet, whereas TCP would require a three-way handshake first, which may result in slower propagation upstream

Conclusions
- DDoS attacks are an increasing threat to the Internet
- Manual defense is inadequate
- CITRA prototype for DDoS with rate limiting function seems to be a promising automatic response