11/18/15
18. Distributed Denial of Service (DDoS)
ENEE 757 | CMSC 818V
Prof. Tudor Dumitraș, Assistant Professor, ECE, University of Maryland, College Park
http://ter.ps/757
https://www.facebook.com/SDSAtUMD

Today's Lecture
• Where we've been
  – Authentication and access control
  – Network security
  – Exploits
  – Worms
• Where we're going today
  – Denial of service
• Where we're going next
  – Botnets

Types of DoS Attacks
• We've seen
  – TCP SYN floods
  – DNS amplification
• Some common patterns
  – DoS by sending junk packets
  – Hide attacker location by spoofing IP addresses
  – Use a botnet to conduct Distributed Denial of Service (DDoS)
  – Take advantage of protocols that reflect and amplify traffic (e.g. DNS, NTP)

Recall: TCP SYN Flood
(Diagram: the attacker sends SYN packets with spoofed source addresses 1, 2, 3, 4, 5, … and more; for each one the listening server spawns a new thread and stores connection data.)

TCP DDoS
• We've seen: TCP SYN floods
  – Attacker sends many connection requests with spoofed source IP
  – Defense: SYN cookies
    • How do they work?
• Stronger attack: TCP connection flood
  – Attacker controls or rents a botnet
  – Command bot army to:
    • Complete TCP connection to web site
    • Send short HTTP HEAD request
    • Repeat
• Will bypass SYN flood protection proxy but…
  – Attacker can no longer use random source IPs
    • Reveals location of bot zombies
  – Proxy can now block or rate-limit bots

DoS Defenses
• Defense #1: Client puzzles
  – Goal: create more work for the attacker

Defense #1: Client Puzzles
• Idea: slow down attacker
• Moderately hard problem:
  – Given challenge C find X such that $\mathrm{LSB}_n(\mathrm{SHA\text{-}1}(C \| X)) = 0^n$
  – Assumption: takes expected $2^n$ time to solve
  – For n = 16 takes about .3 sec on 1 GHz machine
  – Main point: checking puzzle solution is easy.
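The puzzle defined above, worked through in code (an added example, not code from the lecture): the client brute-forces X, the server checks one hash, and the hardness n is picked from the observed request rate. The 8-byte encoding of X, the policy n = ceil(log2(load / baseline)) and the sample challenge are assumptions.

```python
import hashlib
import math

def lsb_n(digest: bytes, n: int) -> int:
    """The n least-significant bits of a digest, read as a big-endian integer."""
    return int.from_bytes(digest, "big") & ((1 << n) - 1)

def puzzle_hash(challenge: bytes, x: int) -> bytes:
    """SHA-1(C || X); X is serialised as an 8-byte big-endian integer (an assumption)."""
    return hashlib.sha1(challenge + x.to_bytes(8, "big")).digest()

def verify_solution(challenge: bytes, x: int, n: int) -> bool:
    """Server side: one hash and a mask, the same cost for any n."""
    return lsb_n(puzzle_hash(challenge, x), n) == 0

def solve_puzzle(challenge: bytes, n: int):
    """Client side: brute-force X; returns (solution, hashes tried), expected 2^n tries."""
    x = 0
    while not verify_solution(challenge, x, n):
        x += 1
    return x, x + 1

def choose_difficulty(requests_per_sec: float, baseline: float, n_max: int = 24) -> int:
    """Adaptive hardness: n = 0 when there is no attack, otherwise enough bits to bring
    the load back to the baseline (assumed policy: n = ceil(log2(load / baseline)))."""
    if requests_per_sec <= baseline:
        return 0
    return min(n_max, math.ceil(math.log2(requests_per_sec / baseline)))

def service_request(challenge: bytes, x: int, n: int) -> str:
    """Server policy from the slides: with n == 0 no solution is required; under attack a
    request without a valid solution is rejected before any expensive work is done."""
    if n == 0 or verify_solution(challenge, x, n):
        return "served"
    return "rejected"

if __name__ == "__main__":
    challenge = b"constructed-challenge-C"            # constructed sample challenge
    n = choose_difficulty(requests_per_sec=800.0, baseline=100.0)   # 3 bits under this load
    x, tries = solve_puzzle(challenge, n)
    print(n, x, tries, service_request(challenge, x, n))
```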
• During DoS attack:
  – Everyone must submit puzzle solution with requests
  – When no attack: do not require puzzle solution

Examples
• TCP connection floods [Juels and Brainard, 1999]
  – Example challenge: C = TCP server sequence number
  – First data packet must contain puzzle solution
    • Otherwise TCP connection is closed
• SSL handshake DoS [Dean and Stubblefield, 2001]
  – Challenge C based on TLS session ID
  – Server: check puzzle solution before RSA decrypt
• Same for application layer DoS

Benefits and Limitations
• Hardness of challenge: n
  – Decided adaptively, based on DoS attack volume
• Limitations:
  – Requires changes to both clients and servers
  – Hurts low-power legitimate clients during attack:
    • Clients on cell phones and tablets cannot connect

Memory-Bound Functions
• CPU power ratio:
  – high-end server / low-end cell phone = 8000
  ⇒ Impossible to scale to hard puzzles
• Interesting observation:
  – Main memory access time ratio:
    • high-end server / low-end cell phone = 2
• Better puzzles:
  – Solution requires many main memory accesses
    • Dwork-Goldberg-Naor, Crypto '03
    • Abadi-Burrows-Manasse-Wobber, ACM ToIT '05

DoS Defenses
• Defense #1: Client puzzles
• Defense #2: Source identification
  – Goal: identify packet source
  – Ultimate goal: block attack at the source

Defense #2, First Idea: Ingress Filtering [RFC 2827, 3704]
• Big problem: DDoS with spoofed source IPs
  (Diagram: an ISP at the edge forwarding its customers' packets into the Internet)
• Ingress filtering policy: ISP only forwards packets with legitimate source IP

Implementation Challenges
• ALL ISPs must do this. Requires global trust.
  – If 10% of ISPs do not implement ⇒ no defense
  – No incentive for deployment
• State of Internet spoofing (2015)
  – 26% of ASes are fully spoofable
  – 14% of announced IP address space is spoofable
  – http://spoofer.cmand.org/summary.php
• A few networks that allow spoofing are enough for large attacks
  – The 2013 DDoS attack against Spamhaus used only 3 networks

Defense #2, Second Idea: IP Traceback [Savage et al. '00]
• Goal:
  – Given set of attack packets
  – Determine path to source
• How: change routers to record info in packets
• Assumptions:
  – Most routers remain uncompromised
  – Attacker sends many packets
  – Route from attacker to victim remains relatively stable

Simple Method
• Write path into network packet
  – Each router adds its own IP address to packet
  – Victim reads path from packet
• Problem: requires space in packet
  – Path can be long
  – No extra fields in current IP packet format
    • Changes to format too much to expect

Better Idea
• DDoS involves many packets on same path
• Store one link in each packet
  – Each router probabilistically stores own address
  – Fixed space regardless of path length
(Diagram: attackers A1 to A5 send packets through routers R6 to R12 toward the victim V; packets from different attackers share the links nearest V.)

Edge Sampling
• Data fields written to packet:
  – Edge: start and end IP addresses
  – Distance: number of hops since edge stored
• Marking procedure for router R:
    if coin turns up heads (with probability p) then
        write R into start address
        write 0 into distance field
    else
        if distance == 0 write R into end field
        increment distance field

Edge Sampling: Picture
• Packet received
  – R1 receives packet from source or another router
  – Packet contains space for start, end, distance
(Diagram: packet fields [s | e | d] arriving at R1, with R2 and R3 downstream.)

Edge Sampling: Picture
• Begin writing edge
  – R1 chooses to write start of edge
  – Sets distance to 0
(Diagram: packet now [R1 | – | 0] leaving R1.)

Edge Sampling
• Finish writing edge
  – R2 chooses not to overwrite edge
  – Distance is 0 → write end of edge, increment distance to 1
(Diagram: packet now [R1 | R2 | 1] leaving R2.)

Edge Sampling
• Increment distance
  – R3 chooses not to overwrite edge
  – Distance > 0 → increment distance to 2
(Diagram: packet now [R1 | R2 | 2] leaving R3.)

Path Reconstruction
• Extract information from attack packets
• Build graph rooted at victim
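The marking procedure and the victim's reconstruction, simulated end to end (an added example, not code from the lecture or from Savage et al.): each router flips a coin with probability p, the victim collects (start, end, distance) tuples and walks back one hop per distance value, and the sample count is compared with the $E(X)$ bound stated on the Path Reconstruction slide. The dict packet layout, the constructed 8-hop path and the victim standing in as the end of a distance-0 edge are assumptions.

```python
import math
import random

def mark_packet(router, pkt, p, rng):
    """Marking procedure for router R from the Edge Sampling slide; rng supplies the coin."""
    if rng.random() < p:                      # heads: start a new edge at this router
        pkt["start"], pkt["end"], pkt["distance"] = router, None, 0
    else:
        if pkt["distance"] == 0:              # the previous router just started an edge
            pkt["end"] = router
        pkt["distance"] += 1                  # always increment, even attacker-set values

def forward(path, p, rng):
    """One packet from the attacker through every router in path (attacker side first)."""
    pkt = {"start": None, "end": None, "distance": 0}   # attacker-chosen initial fields
    for router in path:
        mark_packet(router, pkt, p, rng)
    return pkt

def reconstruct(packets, victim):
    """Victim side: each tuple is an edge; at distance d accept only the edge that joins
    the node already reached, starting from the victim itself."""
    edges = {}
    for pkt in packets:
        if pkt["start"] is None:              # never marked: carries no edge
            continue
        end = victim if pkt["end"] is None else pkt["end"]   # edge closed by the victim
        edges.setdefault(pkt["distance"], set()).add((pkt["start"], end))
    path, d = [victim], 0
    while d in edges:
        nxt = [s for s, e in edges[d] if e == path[-1]]
        if len(nxt) != 1:
            break                             # missing or ambiguous hop: stop here
        path.append(nxt[0])
        d += 1
    return path[::-1]                         # attacker side first, victim last

def expected_packets_bound(d, p):
    """E[X] < ln(d) / (p (1-p)^(d-1)), the bound on the Path Reconstruction slide."""
    return math.log(d) / (p * (1 - p) ** (d - 1))

def packets_until_reconstructed(path, victim, p, seed=1):
    """Count attack packets until the victim has recovered the whole path."""
    rng, packets = random.Random(seed), []
    while True:
        packets.append(forward(path, p, rng))
        if reconstruct(packets, victim) == path + [victim]:
            return len(packets)
```

For the constructed 8-hop path and p = 0.1 the bound evaluates to about 43.5 packets; `packets_until_reconstructed` shows how far a single run lands from it.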
  – Each (start, end, distance) tuple provides an edge
• Number of packets needed to reconstruct path:
  $E(X) < \frac{\ln d}{p\,(1-p)^{d-1}}$, where $p$ is the marking probability and $d$ is the length of the path

Details: Where to Store Edge
• Identification field
  – Used for fragmentation
  – Fragmentation is rare
  – 16 bits
• Store edge in 16 bits?
  – Break into chunks
  – Store start + end
(Diagram: IPv4 header with Version, Header Length, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address of Originating Host, Destination Address of Target Host, Options, Padding, IP Data; the 16-bit Identification field is reused as offset (bits 0 to 2), distance (bits 3 to 7) and edge chunk (bits 8 to 15).)

Problem: Reflected Attacks [Paxson 2001]
• Reflector:
  – A network component that responds to packets
  – Response sent to victim (spoofed source IP)
  – We've seen: DNS amplification attacks (e.g. 300 Gbps attack on Spamhaus)
• Examples of protocols that allow reflection: [Rossow, 2014]
  – Web servers: TCP SYN to port 80 with victim.com source
    • At victim: TCP SYN-ACK packet
  – DNS resolvers: UDP to port 53 with victim.com source
    • At victim: DNS response
  – NTP servers: monlist command with victim.com source
    • At victim: large number of addresses that talked to the NTP server

Traffic Amplification [Paxson 2001]
• Single master
• Many bots to generate flood
• Millions of reflectors to hide bots
  – Kills traceback

Largest Recorded DoS Attack [Czyz, Kallitsis, Gharaibeh, Papadopoulos, Bailey, Karir, 2014]
(Diagram: the DoS source sends a monlist request, "Give me the addresses of the last 600 machines you talked to", to an NTP (Network Time Protocol) server with the source IP spoofed to the DoS target; the server's reply of 600 addresses goes to the target. NTP: up to ×1,000,000 amplification.)
• 10 Feb 2014: 325 Gbps attack against French target
  http://www.arbornetworks.com/asert/2014/02/ntp-attacks-welcome-to-the-hockey-stick-era/
  – Several similar attacks between Dec 2013 – Feb 2014
    • Exceeded previous peak throughputs by 200%
  – NTP monlist amplifier population dropped by 93% between Jan – Apr 2014
    • Likely a result of notification campaign by researchers

DoS Defenses
• Defense #1: Client puzzles
• Defense #2: Source identification
• Defense #3: Network capabilities
  – Goal: drop unwanted packets at routers
  Datagram-oriented: allow access by default and deny (or limit) access to offending flows
  Connection-oriented: deny access by default and require clients to connect first and obtain authorization to send

Defense #3: Network Capabilities
• We've seen: capabilities for file access control
  – User holds unforgeable ticket for each file it needs to read/write
• Basic idea of network capabilities:
  – Receivers can specify who is allowed to connect
• Implementation on top of TCP:
  – Sender requests capability in SYN packet (during connection establishment)
  – Receiver grants capability to send few bytes; increases quota if client behaves
  – Routers on the path mark the packet
    • These marks are the capability
    • Capabilities have expiration dates
  – Sender includes capability in all future packets
  – Main point: routers check capabilities and only forward:
    • Connection establishment packets, and
    • Data packets with valid capability

Defense #3: Network Capabilities [Anderson, Roscoe, Wetherall, 2004]
• Capabilities are not renewed if source is attacking
  – Blocks attack packets close to source
  – Routers check their own marks => capabilities do not add per-connection state to the network
(Diagram: R1 in the Source AS, R2 and R3 in the Transit AS, R4 in the Dest AS in front of dest; attack packets are dropped at R1, close to the source.)

Problem #1: Denial of Capability (DoC) [Argyraki and Cheriton, 2005]
• Capability requests can be affected by a DoS attack
  – These requests are essentially datagram traffic
  – They are not protected
• After DoS starts
  – Clients that have obtained a capability can connect
  – New legitimate clients are unlikely to receive service

Problem #2: DDoS Through Link Flooding
• We've seen: optimistic acknowledgment attack
  – Attacker can saturate the return paths from legitimate servers
  – In theory, can cause Internet-wide congestion collapse
• Coordinated link-flooding attacks can degrade connectivity of N server areas persistently
  – N = small (e.g. 1–1000 servers)
  – N = medium (e.g. all servers in Maryland)
  – N = large (e.g. the West Coast of the US)

Power Laws of Internet Topology [Faloutsos³, 'On Power-Law Relationships of the Internet Topology']
• Power law: $y(x) = a x^k$
(Plots: log-log count versus router out-degree for the data sets 971108.out, 980410.out, 981205.out and routes.out, with fitted power laws exp(7.68585) * x ** (-2.15632), exp(7.89793) * x ** (-2.16356), exp(8.11393) * x ** (-2.20288) and exp(8.52124) * x ** (-2.48626).)
  – 80% of routes traverse 20% of routers
• Leverage this empirical observation to implement persistent and scalable link-flooding attacks
  – Attack traffic is indistinguishable from legitimate at target router
  – Attack is "moving target" for same N-server area
    • Changes target links before triggering alarms

The Coremelt Attack [Studer and Perrig, 2009]
(Diagram: N bots generate O(N²) legitimate flows among themselves that flood core routers; core flooding at 10 Mbps.)
• Ex. N = 10⁴ => 10⁸ flows × 10 Kbps/flow => exhausts 100 × 10 Gbps links

Fundamental Causes of DoS Attacks
• Asymmetric state allocation
  – Receiver must do more work than sender (e.g. TCP SYN flood)
• Persistent rate gap
  – Max network line rate >> max server rate
    • This gap has not changed much over time
  – Allows an army of bots to flood public servers with junk traffic
• Power laws of the Internet topology
  – Result in a narrow path waist to any potential target
  – Enables Crossfire attack
• Sad truth
  – Internet is ill-equipped to handle DDoS attacks

Review of Lecture
• What did we learn?
  – Trade-offs and causes of DDoS attacks
  – DDoS defenses
  – Advanced DDoS attacks (DoC, Coremelt, Crossfire)
• Sources
  – Vitaly Shmatikov, Virgil Gligor, Dan Boneh
• What's next?
  – Botnets
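Defense #3 from the network capabilities slides above, as a small simulation (an added example, not code from the lecture or from Anderson et al.): each router holds one secret and checks only its own mark, so it keeps no per-connection state; connection requests are forwarded unconditionally (the DoC weakness), data packets only with a valid, unexpired mark of that router, and a source that is not granted a fresh capability is cut off at R1 once its marks expire. The truncated HMAC-SHA256 mark over (src, dst, expiry), the R1 to R4 topology and the addresses are assumptions.

```python
import hashlib
import hmac

class Router:
    """Capability-checking router: holds one secret, verifies only its own mark,
    so it needs no per-connection state."""
    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def mark(self, src, dst, expires):
        # Unforgeable mark over (src, dst, expiry). Truncated HMAC-SHA256 is an
        # assumption; the slides only say that the routers' marks are the capability.
        msg = f"{src}|{dst}|{expires}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def forward(self, pkt, now):
        """Forward connection-establishment packets, and data packets whose capability
        carries a valid, unexpired mark from this router; drop everything else."""
        if pkt["type"] == "request":          # requests are plain datagrams (hence DoC)
            return True
        cap = pkt.get("capability")
        if cap is None or cap["expires"] < now:
            return False
        expected = self.mark(pkt["src"], pkt["dst"], cap["expires"])
        return hmac.compare_digest(cap["marks"].get(self.name, b""), expected)

def request_capability(routers, src, dst, now, lifetime):
    """Path routers mark the SYN; the receiver grants a small quota. A misbehaving source
    is simply not granted a new capability, so its marks expire (the 'not renewed' rule)."""
    expires = now + lifetime
    marks = {r.name: r.mark(src, dst, expires) for r in routers}
    return {"expires": expires, "marks": marks, "quota_bytes": 1024}

def send_data(routers, src, dst, capability, now):
    """Returns the name of the router that dropped the packet, or None if delivered."""
    pkt = {"type": "data", "src": src, "dst": dst, "capability": capability}
    for r in routers:
        if not r.forward(pkt, now):
            return r.name
    return None

# Constructed topology from the slide: R1 (source AS), R2, R3 (transit AS), R4 (dest AS).
PATH = [Router(n, f"secret-{n}".encode()) for n in ("R1", "R2", "R3", "R4")]

if __name__ == "__main__":
    cap = request_capability(PATH, "10.0.0.5", "198.51.100.7", now=100, lifetime=30)
    print(send_data(PATH, "10.0.0.5", "198.51.100.7", cap, now=110))   # None: delivered
    print(send_data(PATH, "10.0.0.5", "198.51.100.7", cap, now=140))   # R1: expired
```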