Source-End Defense System against DDoS attacks - PowerPoint PPT Presentation

1
Source-End Defense System against DDoS attacks
  • Fu-Yuan Lee, Shiuhpyng Shieh, Jui-Ting Shieh and
    Sheng Hsuan Wang
  • Distributed System and Network Security Lab.
  • Department of Computer Science and Information
    Engineering
  • National Chiao Tung University
  • WADIS03

2
Outline
  • Introduction to DDoS attacks.
  • Current DDoS defense strategies
  • Review of D-WARD
  • Proposed DDoS defense scheme
  • Evaluation
  • Conclusions and future work

3
DDoS attacks
  • What is a Denial-of-Service (DoS) attack?
    • Degrade the service quality of, or completely
      disable, the target service by overloading
      critical resources of the target system or by
      exploiting software bugs.
  • What is a Distributed DoS (DDoS) attack?
    • The objective is the same as for a DoS attack,
      but it is accomplished by a set of compromised
      hosts distributed over the Internet.

4
Mechanisms against DDoS attacks (1)
  • Victim-end
    • Most existing intrusion detection systems and
      DoS/DDoS-tolerant system designs fall into this
      category.
    • Used to protect a set of hosts from being
      attacked.
  • Advantages and disadvantages
    • DDoS attacks are easily detected because the
      aggregate traffic volume is huge.
    • From the network's perspective, victim-end
      protection is considered ineffective: attack
      flows can still cause congestion along the
      attack path.

5
Mechanisms against DDoS attacks (2)
  • Infrastructure-based
    • DDoS defense lines are pushed towards the attack
      sources to reduce network congestion.
    • Attack packets are filtered out by Internet core
      routers.
  • Advantages and disadvantages
    • The effectiveness of filtering is improved.
    • An Internet-wide authentication framework is
      required.
    • Internet core routers must be upgraded to filter
      out attack packets at high speed.

6
Mechanisms against DDoS attacks (3)
  • Source-end
    • DDoS defense mechanisms are used to prevent
      monitored hosts from participating in DDoS
      attacks.
    • Attack packets are dropped at their sources,
      which keeps attack traffic from entering the
      Internet at all.
  • Advantages and disadvantages
    • Packet filtering is most effective at this
      point.
    • It is very hard to identify DDoS attack flows at
      their sources, since the traffic is not yet
      aggregated.
    • It requires the support of all edge routers.

In summary, the source-end DDoS defense strategy is
the most effective and has a moderate deployment
cost.

7
D-WARD A Source-End DDoS defense scheme
  • J. Mirkovic et al., "Attacking DDoS at the
    Source", IEEE ICNP 2002
  • Idea behind D-WARD: DDoS attack flows can be
    identified by comparing flow statistics against
    normal flow models. Signals of a DDoS attack:
    • High packet loss rate: the level of network
      congestion (that is, the packet loss rate) is
      reflected in the ratio of the number of packets
      sent to the peer to the number received from it.
    • High packet sending rate: this may also indicate
      a DDoS attack.
    • A large number of connections to the peer.

8
D-WARD Architecture
  (architecture diagram, not reproduced in the transcript)

9
D-WARD Observation Component
  • Gather per-flow statistics
    • Flow: the aggregate traffic between the monitored
      IP addresses and one foreign IP address.
    • Observation interval: the basic time frame for
      one observation.
    • The number of packets and bytes sent to and
      received from the peer.
    • The number of active connections.
  • Legitimate flow model
    • TCP flows
      • Psent/Prcv < TCPrto (set to 3)
    • ICMP flows
      • Psent/Prcv < ICMPrto (set to 1.1)
    • UDP flows
      • nconn < MAXconn (set to 100)
      • pconn > MINpkts (set to 1)
      • Bsent < UDPrate (set to 10 MBps)
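As an added example (not code from the D-WARD paper or from this presentation), the following Python applies the legitimate flow model above to one observation interval of a flow. The FlowStats record, the treatment of an interval with no packets received (ratio taken as unbounded) and the idle-flow case are my assumptions.

```python
"""D-WARD legitimate-flow check, reconstructed from the thresholds on this slide."""
from dataclasses import dataclass

# Thresholds exactly as the slide lists them.
TCP_RTO = 3.0                 # TCP: Psent/Prcv must stay below this
ICMP_RTO = 1.1                # ICMP: Psent/Prcv must stay below this
MAX_CONN = 100                # UDP: active connections must stay below this
MIN_PKTS = 1                  # UDP: packets per connection must exceed this
UDP_RATE = 10 * 1024 * 1024   # UDP: bytes sent per interval must stay below 10 MB


@dataclass
class FlowStats:
    """Per-flow counters gathered over one observation interval (assumed layout)."""
    proto: str      # "tcp", "icmp" or "udp"
    psent: int      # packets sent to the peer
    prcv: int       # packets received from the peer
    bsent: int = 0  # bytes sent to the peer (used for UDP)
    nconn: int = 0  # active connections to the peer (used for UDP)


def send_receive_ratio(f: FlowStats) -> float:
    """Psent/Prcv. Nothing received while sending is the worst case, so the
    ratio is treated as unbounded; an idle interval (nothing sent) is 0.
    Both rules are assumptions, not spelled out in the D-WARD slide."""
    if f.prcv == 0:
        return float("inf") if f.psent > 0 else 0.0
    return f.psent / f.prcv


def is_legitimate(f: FlowStats) -> bool:
    """True when the interval fits D-WARD's normal model for its protocol."""
    if f.proto == "tcp":
        return send_receive_ratio(f) < TCP_RTO
    if f.proto == "icmp":
        return send_receive_ratio(f) < ICMP_RTO
    if f.proto == "udp":
        # UDP has no reply stream to compare against, so D-WARD bounds the
        # connection count, the packets per connection and the byte rate.
        pconn = f.psent / f.nconn if f.nconn else 0.0
        return f.nconn < MAX_CONN and pconn > MIN_PKTS and f.bsent < UDP_RATE
    raise ValueError(f"unknown protocol {f.proto!r}")
```

The FTP data flow reported on a later slide (68158 packets sent, 18527 received, no loss) has a ratio of about 3.68 and fails the TCP check, which is the false positive that motivates the proposed per-flow thresholds.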

10
Motivations
  • Using a global threshold of Psent/Prcv for TCP
    flows results in both a high false positive rate
    and a high false negative rate. In what follows,
    this ratio is denoted O/I.
    • High false positives: flows whose O/I is greater
      than 3 in normal operation would be classified as
      attack flows.
    • High false negatives: low-rate attacks will not
      be detected. Consider a flow with O/I = 1; its O/I
      only reaches 2 when the packet loss rate is 50%.

In short, using a single O/I threshold for
different flows is problematic.

11
Basic Idea
  • Ideas behind the proposed scheme
    • Focus on detecting DDoS attacks carried over TCP:
      96% of current attacks are based on TCP; only 2%
      use UDP and 2% use ICMP.
    • The level of congestion should be determined
      according to the previous behavior of each
      monitored flow.
    • Two more DDoS characteristics are utilized for
      detecting attacks:
      • Distribution: the number of hosts sending
        packets to the destination in each observation
        period.
      • Continuity: reflects the observation that a
        DDoS attack always lasts for an extended period
        of time.

12
Observations on normal traffic (1)
  • Observation: the average O/I of different flows
    ranges from 3.68 to 0.5.
  • The flow with the highest ratio contains one FTP
    data connection. The flow lasted 227 seconds, with
    86685 packets in total (68158 sent out, 18527
    received). The average O/I is 3.68, the standard
    deviation is 0.16, and the packet loss rate is 0.
  • The standard deviations of the monitored flows are
    low (usually smaller than 1). This indicates that
    the O/I value of a flow tends to be stable in its
    normal operation.

13
Observations on normal traffic (2)
  • Number of sources in each flow
    • In each observation interval, most flows have
      only one source host sending packets to the peer.

14
Proposed DDoS detection scheme
  • There are two phases in our scheme.
    • Learning phase: define the legitimate flow model.
    • Detection phase: detect malicious flows and apply
      rate limits.
  • The learning phase contains two steps.
    • Step 1: determine the following thresholds.
      • Tf: the maximum allowed O/I.
      • Nf: the minimum threshold of O/I.
      • c: a parameter used to quantify the level of
        distribution.
    • Step 2: derive the other configuration parameters.
      • a: a value indicating the likelihood that the
        flow is malicious. It is generated according to
        the level of congestion and the level of
        distribution.
      • af: the maximum allowed value of a.
      • tf: the maximum allowed number of consecutive
        times that a may breach af.

15
Flow Classification
  • Four types of traffic flow: Normal, Suspicious,
    Attack, and Transient.

16
Generation of a
  • Generating a in an observation interval
    • Sf: the number of sources in the flow.
    • nf: the O/I of the current interval.
    • ?: a tuning constant used to restrict a to the
      range 0 to 1. ? itself is a number between 0
      and 1.
  • Characteristics of a
    • It is between 0 and 1.
    • It increases with nf. As nf approaches Tf, a
      approaches 1.
    • a increases with the number of sources in the
      flow.

  (Formula figure, not reproduced in the transcript;
  its labels: "Level of congestion", "The impact of
  distribution")

17
Rate limiting and recovery
  • Rate limiting
    • rl: the imposed rate limit.
    • rate: the realized sending rate.
    • Mini-rate: the lowest rate limit that can be
      imposed on a network flow.
  • Recovery
    • If an attack flow shows compliance with the
      normal flow model for a configured number
      (penalty) of consecutive observation periods, it
      is classified as transient and the recovery
      process begins.
    • Max-rate: once the rate limit reaches Max-rate,
      the flow is classified as normal.

18
Thresholds
  • Configuring thresholds and other parameters
    • Observation period: 1 second.
    • Tf: the maximum of the observed O/I × 2.
    • Nf: the average O/I.
    • c: the maximum number of sources in a flow in the
      monitored network.
    • af: the average a observed in the learning
      process.
    • tf: the maximum number of consecutive times that
      a exceeds af.
    • ?: 0.5
  • Parameters learned from a monitored flow
    • Sending rate: 10 packets per second to the
      destination host. Maximum O/I is 1.25; average
      O/I is 1.25.
    • Tf = 2.5, nf = 1.04
    • c = 3
    • af = 0.18
    • tf = 3
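The learning-phase derivation on this slide and the continuity rule from the scheme slide (a may breach af at most tf consecutive times), as an added Python reconstruction rather than the authors' code. The Interval and FlowProfile records, the sample history and the per-interval a values are constructed assumptions; the page gives no formula for a, so a values are taken as input.

```python
"""Learning-phase profile and continuity check for the proposed scheme (reconstruction)."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Optional, Sequence


@dataclass
class Interval:
    psent: int    # packets sent to the peer in one observation period (1 s)
    prcv: int     # packets received from the peer
    sources: int  # distinct monitored hosts that sent to the peer


@dataclass
class FlowProfile:
    Tf: float        # maximum allowed O/I: 2 x the largest O/I seen while learning
    Nf: float        # normal O/I level: the average O/I seen while learning
    c: int           # largest number of sources seen in one interval
    oi_stdev: float  # spread of O/I; a low value means a stable flow


def oi_ratio(iv: Interval) -> float:
    """O/I = packets sent / packets received; unbounded when nothing came back."""
    return iv.psent / iv.prcv if iv.prcv else float("inf")


def learn_profile(history: Sequence[Interval]) -> FlowProfile:
    """Build the legitimate-flow profile from intervals of known-normal traffic."""
    ratios = [oi_ratio(iv) for iv in history if iv.prcv]  # skip one-way intervals
    return FlowProfile(
        Tf=2 * max(ratios),
        Nf=mean(ratios),
        c=max(iv.sources for iv in history),
        oi_stdev=pstdev(ratios),
    )


def first_breach(a_values: Sequence[float], af: float, tf: int) -> Optional[int]:
    """Continuity check: index of the interval at which a has exceeded af for
    tf consecutive intervals (the flow turns Attack), or None if it never does."""
    run = 0
    for i, a in enumerate(a_values):
        run = run + 1 if a > af else 0  # any interval back under af resets the run
        if run >= tf:
            return i
    return None


# Constructed history of one normal flow (not measured data): about 10 pkts/s
# out, up to three monitored hosts talking to the same peer.
HISTORY = [Interval(10, 8, 1), Interval(10, 8, 1), Interval(10, 10, 2),
           Interval(10, 8, 3), Interval(10, 10, 1)]
```

With this history the profile comes out as Tf = 2.5 and c = 3, matching the slide's learned values, while a run of a values such as 0.1, 0.2, 0.25, 0.3 with af = 0.18 and tf = 3 trips the continuity rule at the fourth interval.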

19
Experiments
  • Types of experiment
    • Resource consumption: TCP SYN flooding
    • Link flooding
  • Attack scenarios
    • Constant rate attack
    • Pulsing rate attack
    • Increasing rate attack
    • Gradual pulsing attack

20
Topology
  (network topology figure, not reproduced in the transcript)

21
TCP SYN Flooding Attack

22
SYN flooding: Constant Rate and Pulsing Rate

23
SYN flooding: Increasing Rate and Gradual
Increasing Rate

24
Link Overloading

25
Bandwidth flooding: Constant Rate and Pulsing Rate
  (figure panels: constant, pulsing)

26
Bandwidth flooding: Increasing Rate and Gradual
Increasing Rate
  (figure panels: increasing, gradual increasing)

27
Conclusion
  • The O/I used to define the level of network
    congestion must be determined according to the
    previous behavior of the flow.
  • The number of sources in the flow, and the number
    of observation intervals for which the signal of a
    DDoS attack lasts, should be taken into
    consideration.
  • Evaluation results show that the performance of
    the proposed system is better than D-WARD in terms
    of false positives and false negatives.

28
Future work
  • More experiments on estimating the effectiveness
    of the proposed scheme are required.
  • A mechanism that can deal with new flows which
    are not in the flow profile database.
  • A space-efficient mechanism that helps to reduce
    the storage requirement for storing the profiles
    of flows.
  • Schemes which can detect DDoS attacks based on
    one-way flows such as ICMP and UDP.