18. Distributed Denial of Service (DDoS) ENEE 757 | CMSC 818V


11/18/15
18. Distributed Denial of Service (DDoS)
ENEE 757 | CMSC 818V
Prof. Tudor Dumitraș
Assistant Professor, ECE
University of Maryland, College Park
http://ter.ps/757
https://www.facebook.com/SDSAtUMD

Today's Lecture
•  Where we've been
–  Authentication and access control
–  Network security
–  Exploits
–  Worms
•  Where we're going today
–  Denial of service
•  Where we're going next
–  Botnets
Types of DoS Attacks
•  We've seen
–  TCP SYN floods
–  DNS amplification
•  Some common patterns
–  DoS by sending junk packets
–  Hide attacker location by spoofing IP addresses
–  Use a botnet to conduct Distributed Denial of Service (DDoS)
–  Take advantage of protocols that reflect and amplify traffic (e.g. DNS, NTP)
Recall: TCP SYN Flood
[Figure: SYN packets with spoofed source addresses 1, 2, 3, 4, 5, ... and more arrive at the listening server S; for each one the server spawns a new thread and stores connection data]
TCP DDoS
•  We've seen: TCP SYN floods
–  Attacker sends many connection requests with spoofed source IP
–  Defense: SYN cookies
•  How do they work?
•  Stronger attack: TCP connection flood
–  Attacker controls or rents a botnet
–  Command bot army to:
•  Complete TCP connection to web site
•  Send short HTTP HEAD request
•  Repeat
•  Will bypass SYN flood protection proxy but...
–  Attacker can no longer use random source IPs
•  Reveals location of bot zombies
–  Proxy can now block or rate-limit bots
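The slide asks how SYN cookies work. The Python sketch below is an added illustration, not part of the lecture: the server answers a SYN with an initial sequence number that encodes a coarse time counter, an index into a small MSS table and a keyed hash of the connection 4-tuple, stores nothing, and only allocates connection state when an ACK returns carrying a cookie that re-verifies. The 32-bit layout, MSS_TABLE, SECRET, the 64-second counter and the two-slot acceptance window are assumptions chosen for this example; real implementations (e.g. Linux) differ in detail.

```python
import hashlib
import hmac
import struct

# Assumed cookie layout (32 bits):
#   bits 27..31  5-bit time counter (advances every 64 s)
#   bits 24..26  3-bit index into MSS_TABLE
#   bits  0..23  24-bit keyed hash of (src, dst, sport, dport, counter)
MSS_TABLE = (536, 1220, 1440, 1460)        # constructed MSS choices the server will honour
SECRET = b"constructed-server-secret"      # rotated periodically in a real deployment


def _counter(now: int) -> int:
    return (now // 64) & 0x1F


def _tag(src: bytes, dst: bytes, sport: int, dport: int, t: int) -> int:
    """24-bit keyed hash binding the cookie to the 4-tuple and the time slot."""
    msg = struct.pack(">4s4sHHI", src, dst, sport, dport, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src: bytes, dst: bytes, sport: int, dport: int, client_mss: int, now: int) -> int:
    """Server receives SYN: reply with this ISN in the SYN-ACK and keep no state."""
    t = _counter(now)
    idx = 0
    for i, mss in enumerate(MSS_TABLE):   # largest table entry not above the client's MSS
        if mss <= client_mss:
            idx = i
    return (t << 27) | (idx << 24) | _tag(src, dst, sport, dport, t)


def check_cookie(cookie: int, src: bytes, dst: bytes, sport: int, dport: int, now: int):
    """Server receives the final ACK (cookie = ack_number - 1).
    Returns the MSS to use for the connection, or None if the cookie is forged or stale."""
    t = cookie >> 27
    if (_counter(now) - t) % 32 > 1:      # accept the current and the previous slot only
        return None
    idx = (cookie >> 24) & 0x7
    if idx >= len(MSS_TABLE):
        return None
    if (cookie & 0xFFFFFF) != _tag(src, dst, sport, dport, t):
        return None
    return MSS_TABLE[idx]


if __name__ == "__main__":
    client, server = bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1])   # constructed addresses
    isn = make_cookie(client, server, 40000, 80, 1460, now=1000)
    print("ACK within window ->", check_cookie(isn, client, server, 40000, 80, now=1010))
    print("ACK three slots later ->", check_cookie(isn, client, server, 40000, 80, now=1192))
```

Spoofed SYNs now cost the server one hash and no memory; the price is that any TCP option not squeezed into the cookie (here everything except MSS) is forgotten for connections established this way.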
DoS Defenses
•  Defense #1: Client puzzles
–  Goal: create more work for the attacker
Defense #1: Client Puzzles
•  Idea: slow down attacker
•  Moderately hard problem:
–  Given challenge C find X such that
   $\mathrm{LSB}_n(\text{SHA-1}(C \,\|\, X)) = 0$
–  Assumption: takes expected $2^n$ time to solve
–  For n = 16 takes about 0.3 sec on 1 GHz machine
–  Main point: checking puzzle solution is easy.
•  During DoS attack:
–  Everyone must submit puzzle solution with requests
–  When no attack: do not require puzzle solution

Examples
•  TCP connection floods [Juels and Brainard, 1999]
–  Example challenge: C = TCP server-seq-num
–  First data packet must contain puzzle solution
•  Otherwise TCP connection is closed
•  SSL handshake DoS: [Dean and Stubblefield, 2001]
–  Challenge C based on TLS session ID
–  Server: check puzzle solution before RSA decrypt.
•  Same for application layer DoS
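The puzzle on the previous slides, worked through in Python as an added example (not code from the lecture): the client brute-forces an X whose SHA-1(C||X) ends in n zero bits, the server verifies with one hash, and a small policy function picks n from the observed load so that no puzzle is required when there is no attack. The 8-byte encoding of X, the 16-byte random challenge and the log2-of-overload policy in choose_hardness are assumptions of this example, not from the cited papers.

```python
import hashlib
import math
import os
import struct


def lsb_zero(digest: bytes, n: int) -> bool:
    """True if the n least-significant bits of `digest` are all zero (n = 0 always passes)."""
    return int.from_bytes(digest, "big") & ((1 << n) - 1) == 0


def puzzle_hash(challenge: bytes, x: int) -> bytes:
    # SHA-1(C || X); X encoded as an 8-byte big-endian integer (encoding is an assumption)
    return hashlib.sha1(challenge + struct.pack(">Q", x)).digest()


def verify(challenge: bytes, x: int, n: int) -> bool:
    """Server side: a single hash, whatever n is."""
    return lsb_zero(puzzle_hash(challenge, x), n)


def solve(challenge: bytes, n: int):
    """Client side: brute force. Returns (X, hashes_tried); expected about 2^n hashes."""
    x = 0
    while not verify(challenge, x, n):
        x += 1
    return x, x + 1


def new_challenge() -> bytes:
    # Fresh per request so a solution cannot be replayed (assumption: 16 random bytes)
    return os.urandom(16)


def choose_hardness(request_rate: float, normal_rate: float, max_bits: int = 20) -> int:
    """Adaptive n: no puzzle when traffic is at or below the normal rate; otherwise
    grow n with log2 of the overload factor, capped at max_bits (policy is an assumption)."""
    if request_rate <= normal_rate:
        return 0
    return min(max_bits, math.ceil(math.log2(request_rate / normal_rate)))


if __name__ == "__main__":
    c = new_challenge()
    n = choose_hardness(request_rate=50_000, normal_rate=1_000)   # 50x overload -> n = 6
    x, tries = solve(c, n)
    print(f"n={n}: solved after {tries} hashes, server verifies: {verify(c, x, n)}")
```

Raising n by one doubles the client's expected work but leaves the server's check at one hash, which is the asymmetry the defense relies on; the cap on n is where the low-power-client limitation on the next slide shows up.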
Benefits and Limitations
•  Hardness of challenge: n
–  Decided adaptively, based on DoS attack volume.
•  Limitations:
–  Requires changes to both clients and servers
–  Hurts low-power legitimate clients during attack:
•  Clients on cell phones and tablets cannot connect

Memory-Bound Functions
•  CPU power ratio:
–  high-end server / low-end cell phone = 8000
⇒ Impossible to scale to hard puzzles
•  Interesting observation:
–  Main memory access time ratio:
•  high-end server / low-end cell phone = 2
•  Better puzzles:
–  Solution requires many main memory accesses
•  Dwork-Goldberg-Naor, Crypto '03
•  Abadi-Burrows-Manasse-Wobber, ACM ToIT '05
DoS Defenses
•  Defense #1: Client puzzles
•  Defense #2: Source identification
–  Goal: identify packet source
–  Ultimate goal: block attack at the source

Defense #2, First Idea: Ingress Filtering
[RFC 2827, 3704]
•  Big problem: DDoS with spoofed source IPs
[Figure: an ISP at the edge of the Internet]
•  Ingress filtering policy: ISP only forwards packets with legitimate source IP
Implementation Challenges
•  ALL ISPs must do this. Requires global trust.
–  If 10% of ISPs do not implement ⇒ no defense
–  No incentive for deployment
•  State of Internet spoofing (2015)
–  26% of ASes are fully spoofable
–  14% of announced IP address space is spoofable
–  http://spoofer.cmand.org/summary.php
•  A few networks that allow spoofing are enough for large attacks
–  The 2013 DDoS attack against Spamhaus used only 3 networks

Defense #2, Second Idea: IP Traceback
[Savage et al. '00]
•  Goal:
–  Given set of attack packets
–  Determine path to source
•  How: change routers to record info in packets
•  Assumptions:
–  Most routers remain uncompromised
–  Attacker sends many packets
–  Route from attacker to victim remains relatively stable
Simple Method
•  Write path into network packet
–  Each router adds its own IP address to packet
–  Victim reads path from packet
•  Problem: requires space in packet
–  Path can be long
–  No extra fields in current IP packet format
•  Changes to format too much to expect

Better Idea
•  DDoS involves many packets on same path
•  Store one link in each packet
–  Each router probabilistically stores own address
–  Fixed space regardless of path length
[Figure: attackers A1 to A5 send packets through routers R6, R7, R8, R9, R10 and R12 to the victim V]
Edge Sampling
•  Data fields written to packet:
–  Edge: start and end IP addresses
–  Distance: number of hops since edge stored
•  Marking procedure for router R:
   if coin turns up heads (with probability p) then
       write R into start address
       write 0 into distance field
   else
       if distance == 0 write R into end field
       increment distance field
Edge Sampling: Picture
•  Packet received
–  R1 receives packet from source or another router
–  Packet contains space for start, end, distance
[Figure: packet with fields (s, e, d) arriving at R1, followed by R2 and R3]

Edge Sampling: Picture
•  Begin writing edge
–  R1 chooses to write start of edge
–  Sets distance to 0
[Figure: packet leaves R1 with start = R1, end empty, distance = 0]

Edge Sampling
•  Finish writing edge
–  R2 chooses not to overwrite edge
–  Distance is 0
•  Write end of edge, increment distance to 1
[Figure: packet leaves R2 with start = R1, end = R2, distance = 1]

Edge Sampling
•  Increment distance
–  R3 chooses not to overwrite edge
–  Distance > 0
•  Increment distance to 2
[Figure: packet leaves R3 with start = R1, end = R2, distance = 2]
Path Reconstruction
•  Extract information from attack packets
•  Build graph rooted at victim
–  Each (start, end, distance) tuple provides an edge
•  # packets needed to reconstruct path
   $E(X) < \frac{\ln(d)}{p(1-p)^{d-1}}$
   where p is marking probability, d is length of path
Details: Where to Store Edge
•  Identification field
–  Used for fragmentation
–  Fragmentation is rare
–  16 bits
•  Store edge in 16 bits?
–  Break into chunks
–  Store start + end
[Figure: IPv4 header (Version, Header Length, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address of Originating Host, Destination Address of Target Host, Options, Padding, IP Data); the 16-bit Identification field is reused as offset (bits 0-2), distance (bits 3-7) and edge chunk (bits 8-15)]
Problem: Reflected Attacks
[Paxson 2001]
•  Reflector:
–  A network component that responds to packets
–  Response sent to victim (spoofed source IP)
–  We've seen: DNS amplification attacks (e.g. 300 Gbps attack on Spamhaus)
•  Examples of protocols that allow reflection: [Rossow, 2014]
–  Web servers: TCP SYN 80 with victim.com source
•  At victim: TCP SYN ACK packet
–  DNS resolvers: UDP 53 with victim.com source
•  At victim: DNS response
–  NTP servers: monlist command with victim.com source
•  At victim: large number of addresses that talked to the NTP server
Traffic Amplification
[Paxson 2001]
•  Single master
•  Many bots to generate flood
•  Millions of reflectors to hide bots
–  Kills traceback

Largest Recorded DoS Attack
[Czyz, Kallitsis, Gharaibeh, Papadopoulos, Bailey, Karir, 2014]
NTP: up to x1,000,000 amplification
[Figure: DoS source sends monlist ("Give me the addresses of the last 600 machines you talked to") to an NTP (Network Time Protocol) server with spoofed source IP = DoS target; the server sends 600 addresses to the DoS target]
•  10 Feb 2014: 325 Gbps attack against French target
http://www.arbornetworks.com/asert/2014/02/ntp-attacks-welcome-to-the-hockey-stick-era/
–  Several similar attacks between Dec 2013–Feb 2014
•  Exceeded previous peak throughputs by 200%
–  NTP monlist amplifier population dropped by 93% between Jan–Apr 2014
•  Likely a result of notification campaign by researchers
DoS Defenses
•  Defense #1: Client puzzles
•  Defense #2: Source identification
   (Datagram-oriented: allow access by default and deny (or limit) access to offending flows)
•  Defense #3: Network capabilities
–  Goal: drop unwanted packets at routers
   (Connection-oriented: deny access by default and require clients to connect first and obtain authorization to send)

Defense #3: Network Capabilities
•  We've seen: Capabilities for file access control
–  User holds unforgeable ticket for each file it needs to read/write
•  Basic idea of network capabilities:
–  Receivers can specify who is allowed to connect
•  Implementation on top of TCP:
–  Sender requests capability in SYN packet (during connection establishment)
–  Receiver grants capability to send few bytes; increases quota if client behaves
–  Routers on the path mark the packet
•  These marks are the capability
•  Capabilities have expiration dates
–  Sender includes capability in all future packets
–  Main point: Routers check capabilities and only forward:
•  Connection establishment packets, and
•  Data packets with valid capability
Defense #3: Network Capabilities
[Anderson, Roscoe, Wetherall, 2004]
•  Capabilities are not renewed if source is attacking
–  Blocks attack packets close to source
–  Routers check their own marks ⇒ capabilities do not add per-connection state to the network
[Figure: source AS (R1) → transit AS (R2, R3) → dest AS (R4, dest); attack packets are dropped at R1, close to the source]
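The capability mechanism of the two preceding slides, as an added Python model that is not code from the lecture or from Anderson, Roscoe and Wetherall: each router holds only a secret key, stamps connection-establishment packets with a keyed hash over (source, destination, expiry), and forwards a data packet only if it carries that router's own valid, unexpired mark; the receiver decides whom to grant and hands the collected marks back as the capability. The dict-based packets, the 8-byte HMAC-SHA256 marks, the receiver's block list and the integer clock are assumptions of this example, and the per-receiver byte quota is left out.

```python
import hashlib
import hmac

MARK_LEN = 8  # bytes of keyed-hash mark each router adds (assumption)


class Router:
    """Capability-marking router: holds a secret key and no per-connection state."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def _mark(self, src: str, dst: str, expires: int) -> bytes:
        msg = f"{src}|{dst}|{expires}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:MARK_LEN]

    def forward(self, pkt: dict, now: int) -> bool:
        """Return True if the packet is forwarded, False if dropped here."""
        if pkt["type"] == "request":
            # connection-establishment packet: always forwarded, stamped with this router's mark
            pkt["marks"][self.name] = self._mark(pkt["src"], pkt["dst"], pkt["expires"])
            return True
        cap = pkt.get("capability")
        if cap is None or now >= cap["expires"]:
            return False                                   # no capability, or expired
        mine = cap["marks"].get(self.name)
        expected = self._mark(pkt["src"], pkt["dst"], cap["expires"])
        return mine is not None and hmac.compare_digest(mine, expected)


class Receiver:
    """Decides who may send; returns the accumulated router marks as the capability."""

    def __init__(self, addr: str, blocked=()):
        self.addr = addr
        self.blocked = set(blocked)       # sources the receiver refuses (e.g. seen attacking)

    def grant(self, pkt: dict):
        if pkt["src"] in self.blocked:
            return None                   # not renewed: later data packets die at the first router
        return {"marks": dict(pkt["marks"]), "expires": pkt["expires"]}


def request_capability(path: list, receiver: Receiver, src: str, now: int, lifetime: int):
    """Sender's SYN travels the path collecting marks; receiver grants or refuses."""
    pkt = {"type": "request", "src": src, "dst": receiver.addr,
           "expires": now + lifetime, "marks": {}}
    for router in path:
        if not router.forward(pkt, now):
            return None
    return receiver.grant(pkt)


def send_data(path: list, src: str, dst: str, capability, now: int) -> bool:
    """A data packet carrying `capability`; all() stops at the first router that drops it."""
    pkt = {"type": "data", "src": src, "dst": dst, "capability": capability}
    return all(router.forward(pkt, now) for router in path)


if __name__ == "__main__":
    # constructed topology: source AS router, transit router, destination AS router
    path = [Router("R1", b"key-r1"), Router("R2", b"key-r2"), Router("R4", b"key-r4")]
    dest = Receiver("dest", blocked={"bot"})
    cap = request_capability(path, dest, "alice", now=100, lifetime=30)
    print("alice data packet forwarded:", send_data(path, "alice", "dest", cap, now=110))
    print("same capability after expiry:", send_data(path, "alice", "dest", cap, now=140))
    print("bot granted a capability:", request_capability(path, dest, "bot", 100, 30))
```

Because each router recomputes only its own mark from the packet header and its key, there is nothing to look up per flow, and a source whose renewal is refused is cut off at R1 rather than at the victim. The next slide's Denial of Capability problem is visible here too: request packets are forwarded unconditionally, so they are exactly the traffic an attacker can still flood.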
Problem #1: Denial of Capability (DoC)
[Argyraki and Cheriton, 2005]
•  Capability requests can be affected by a DoS attack
–  These requests are essentially datagram traffic
–  They are not protected
•  After DoS starts
–  Clients that have obtained a capability can connect
–  New legitimate clients are unlikely to receive service
Problem #2: DDoS Through Link Flooding
•  We've seen: optimistic acknowledgment attack
–  Attacker can saturate the return paths from legitimate servers
–  In theory, can cause Internet-wide congestion collapse
•  Coordinated link-flooding attacks can degrade connectivity of N server areas persistently
–  N = small (e.g. 1-1000 servers)
–  N = medium (e.g. all servers in Maryland)
–  N = large (e.g. the West Coast of the US)

Power Laws of Internet Topology
[Faloutsos³, 'On Power-Law Relationships of the Internet Topology']
•  Power law: $y(x) = a x^k$
[Figure: log-log plots of count versus router out-degree for the data sets "971108.out", "980410.out", "981205.out" and "routes.out", with power-law fits exp(7.68585) * x ** (-2.15632), exp(7.89793) * x ** (-2.16356), exp(8.11393) * x ** (-2.20288) and exp(8.52124) * x ** (-2.48626)]
–  80% of routes traverse 20% of routers
•  Leverage this empirical observation to implement persistent and scalable link-flooding attacks
–  Attack traffic is indistinguishable from legitimate at target router
–  Attack is "moving target" for same N-server area
•  Changes target links before triggering alarms
The Coremelt Attack
[Studer and Perrig, 2009]
•  N bots and $O(N^2)$ legitimate flows flood core routers
[Figure: bots at the edge send flows across 10 Mbps links into the core, flooding it]
•  Ex. N = $10^4$ ⇒ $10^8$ flows × 10 Kbps/flow ⇒ exhausts 100 × 10 Gbps links

Fundamental Causes of DoS Attacks
•  Asymmetric state allocation
–  Receiver must do more work than sender (e.g. TCP SYN flood)
•  Persistent rate gap
–  Max network line rate >> max server rate
•  This gap has not changed much over time
–  Allows an army of bots to flood public servers with junk traffic
•  Power laws of the Internet topology
–  Result in a narrow path waist to any potential target
–  Enables crossfire attack
•  Sad truth
–  Internet is ill-equipped to handle DDoS attacks
Review of Lecture
•  What did we learn?
–  Trade-offs and causes of DDoS attacks
–  DDoS defenses
–  Advanced DDoS attacks (DoC, Coremelt, Crossfire)
•  Sources
–  Vitaly Shmatikov, Virgil Gligor, Dan Boneh
•  What's next?
–  Botnets