Distributed Denial of Service - PowerPoint PPT Presentation

Slides: 18
Provided by: Lingx8

1
Distributed Denial of Service
Cryptography Applications Bistro
Presented by Lingxuan Hu, April 15, 2004
2
Why DDoS is hard to prevent
  • Internet
  • Limited resources
  • Security highly interdependent

3
ISP?
  • "The problem with DDOS security is this: if you
    implement DDOS security, it does not protect your
    network, it merely prevents your network from
    harming others. Why would an ISP spend extra time
    and effort implementing a security protocol that
    was good for everyone else... but not for them?"
  • simul, Kuro5hin.org (targeted by DDoS
    attacks), February 4, 2004

4
Defenses
  • IP spoofing
    • Egress filtering
    • Keep routing state for each packet
    • New type of control message (ICMP)
    • Embed traceback information into the IP header
  • Bandwidth flooding
    • Use overlay networks to debug input
    • Push back to preserve bandwidth
    • Equip your host with gobs of bandwidth and the
      appliances can mitigate the effect

5
Problem Statement
  • Use IP traceback to defend against IP spoofing
  • Packets that share a routing path with attacker
    packets will be dropped
  • Challenges
    • The average Internet routing path length is
      around 15, so reconstructing the path would take
      60 bytes (15 IPv4 addresses of 4 bytes each)
    • Where to put the traceback information?

6
PI Overview
  • Model the Internet as a binary tree rooted at the
    victim node
  • Each router marks 0 or 1 in the IP Identification
    field based on past path information

[Figure: binary tree rooted at Victim; interior routers RX, RA, RY, RZ, RB, RC; leaves labelled A (four, attackers) and U (two, legitimate users).]
7
IP Header
  • Identification field (16 bits)
  • IP identification is only used for fragmentation,
    which constitutes less than 0.25% of the packets
    on the Internet

8
Pi Marking - Basic Marking Scheme
  • Marking scheme: each router marks n bits into the IP
    Identification field
  • Marking location: TTL (mod 16/n) indexes the
    location in the field to mark
  • Marking function: last n bits of a hash (e.g. MD5)
    of the router's IP address

The following slides are adapted from Abraham
Yaar's Oakland 2003 slides
9
Pi Marking - Example
[Figure: Pi marking example for a packet from known attacker A with initial TTL 255; field values shown on the slide: 00000111, 01100111, 01100101, 01100111, 10101100, 11001100.]

10
Pi Marking Scheme - TTL Attack
  • Problem
    • Attacker shifts markings by modifying the initial TTL

[Figure: two copies of the marking field for the same path from A to V, with final TTL pointers 251/255/254 and 254/253/250; marks shown as xx ... xx 00 00 10 10 11, read off as 1000101110 in the first and 111000101110 in the second.]

  • Note: the marking bits and their order haven't changed,
    just their location in the marking field
  • Solution
    • The victim uses the final TTL to align the packet's
      marks using bit rotation

11
Pi Marking - IP Fragmentation
  • Problem
    • Marking values into the IP Identification field
      breaks fragmentation
  • Solution
    • Don't mark packets that may ever get fragmented,
      or that are fragments themselves
    • During a DDoS attack, drop packets not satisfying
      this predicate
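Added example (not code from the slides or from Yaar's paper): a Python model of the basic marking scheme (slide 8), the TTL shift and the victim-side rotation (slide 10), and the fragmentation predicate (slide 11). It assumes n = 2 bits per router, that a router decrements the TTL before marking, that the Identification field starts at zero, and that "may ever get fragmented" means the DF flag is clear; the router addresses are constructed and imply no real topology.

```python
import hashlib
from typing import List, Tuple

N_BITS = 2                       # n: bits each router writes (assumed value)
SLOTS = 16 // N_BITS             # marking positions in the 16-bit Identification field
FIELD_MASK = 0xFFFF


def router_mark(router_ip: str) -> int:
    """Marking function from slide 8: last n bits of MD5(router IP address)."""
    digest = hashlib.md5(router_ip.encode("ascii")).digest()
    return digest[-1] & ((1 << N_BITS) - 1)


def markable(df: bool, mf: bool, frag_offset: int) -> bool:
    """Slide 11 rule, read here (assumption) as: mark only packets that cannot
    be fragmented (DF set) and that are not fragments (MF clear, offset 0)."""
    return df and not mf and frag_offset == 0


def mark_packet(ident: int, ttl: int, router_ip: str) -> Tuple[int, int]:
    """One router hop: decrement the TTL, then overwrite slot (TTL mod SLOTS)
    of the Identification field with this router's n-bit mark."""
    ttl -= 1
    shift = (ttl % SLOTS) * N_BITS
    slot_mask = ((1 << N_BITS) - 1) << shift
    ident = (ident & ~slot_mask & FIELD_MASK) | (router_mark(router_ip) << shift)
    return ident, ttl


def forward_path(path: List[str], initial_ttl: int, ident: int = 0) -> Tuple[int, int]:
    """Carry a packet through every router on `path` (first hop first) and
    return (marked Identification field, final TTL) as the victim sees them."""
    ttl = initial_ttl
    for router_ip in path:
        ident, ttl = mark_packet(ident, ttl, router_ip)
    return ident, ttl


def normalise(ident: int, final_ttl: int) -> int:
    """Victim side (slide 10): rotate the field right so the last router's slot
    becomes slot 0. A router at hop distance d from the victim then always
    lands in slot d mod SLOTS, whatever initial TTL the sender chose."""
    rot = (final_ttl % SLOTS) * N_BITS
    return ((ident >> rot) | (ident << (16 - rot))) & FIELD_MASK


def path_signature(path: List[str], initial_ttl: int) -> int:
    """Raw marks depend on the initial TTL; the normalised mark does not."""
    ident, final_ttl = forward_path(path, initial_ttl)
    return normalise(ident, final_ttl)


# Constructed 10-router path: longer than the 8 slots, so the two earliest
# marks are overwritten, exactly as on a real ~15-hop path.
PATH = [f"10.0.{i}.1" for i in range(10)]

if __name__ == "__main__":
    for ttl0 in (255, 251, 128, 64):
        raw, final_ttl = forward_path(PATH, ttl0)
        print(f"initial TTL {ttl0:3d}: raw {raw:016b}  final TTL {final_ttl:3d}  "
              f"normalised {normalise(raw, final_ttl):016b}")
```

Running it shows the raw field changing as the sender varies the initial TTL (the marks slide around the 16-bit field) while the normalised value stays the same for every TTL, which is the property the filter on the following slides relies on.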

12
Pi Filtering Basic Scheme
  • Basic scheme: drop all packets whose Pi mark matches
    that of any attack packet
  • Assumption: the victim can identify attack packets
  • Implementation overhead
    • Memory: bit vector of length 2^16 (8 kB)
    • if (BitVec[PiMark] == 0) then accept() else drop()
    • Computation: O(1) per packet

13
Pi Filtering - Thresholds
  • Problem: a single attacker causes multiple users'
    packets to be rejected
  • Solution
    • Assume, for a particular Pi mark i:
      a_i = number of attack packets
      u_i = number of legitimate users' packets
    • The victim chooses a threshold t such that if
    • then all packets with Pi mark i are dropped
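Added example (not the slides' or the paper's code) of the two victim-side filters: the basic bit-vector filter of slide 12 and the per-mark threshold filter of slide 13, run over constructed traffic in which one mark is shared by an attacker and many legitimate users. The slide leaves the threshold inequality out; the code assumes mark i is dropped when a_i / (a_i + u_i) > t, and the marks and packet counts are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

FIELD_BITS = 16
VECTOR_BYTES = (1 << FIELD_BITS) // 8        # 65536 bits = 8 kB, as on slide 12


class PiBasicFilter:
    """Slide 12: one bit per possible Pi mark; a set bit means the mark was
    seen on a packet the victim identified as attack traffic."""

    def __init__(self) -> None:
        self.bits = bytearray(VECTOR_BYTES)

    def flag_attack(self, mark: int) -> None:
        self.bits[mark >> 3] |= 1 << (mark & 7)

    def accept(self, mark: int) -> bool:
        # O(1) per packet: one byte load and one bit test
        return (self.bits[mark >> 3] >> (mark & 7)) & 1 == 0


class PiThresholdFilter:
    """Slide 13: per mark i keep a_i (attack packets) and u_i (user packets)
    from the identification phase. Assumed rule (the slide omits it):
    drop mark i when a_i / (a_i + u_i) > t."""

    def __init__(self, t: float) -> None:
        self.t = t
        self.a: Dict[int, int] = defaultdict(int)
        self.u: Dict[int, int] = defaultdict(int)

    def observe(self, mark: int, is_attack: bool) -> None:
        if is_attack:
            self.a[mark] += 1
        else:
            self.u[mark] += 1

    def accept(self, mark: int) -> bool:
        a, u = self.a[mark], self.u[mark]
        if a + u == 0:                  # never seen during identification
            return True
        return a / (a + u) <= self.t


def run_filters(packets: List[Tuple[int, bool]], t: float) -> Dict[str, int]:
    """Train both filters on `packets` (mark, is_attack), then count how many
    user and attack packets each filter would accept in the filtering phase."""
    basic, thresh = PiBasicFilter(), PiThresholdFilter(t)
    for mark, is_attack in packets:
        if is_attack:
            basic.flag_attack(mark)
        thresh.observe(mark, is_attack)
    counts = {"basic_user": 0, "basic_attack": 0,
              "threshold_user": 0, "threshold_attack": 0}
    for mark, is_attack in packets:
        kind = "attack" if is_attack else "user"
        counts[f"basic_{kind}"] += int(basic.accept(mark))
        counts[f"threshold_{kind}"] += int(thresh.accept(mark))
    return counts


# Constructed traffic: mark 0x1111 is attacker-only, 0x2222 is shared by one
# attacker and many users (the slide-13 problem), 0x3333 carries users only.
SAMPLE = ([(0x1111, True)] * 100
          + [(0x2222, True)] * 5
          + [(0x2222, False)] * 95
          + [(0x3333, False)] * 100)

if __name__ == "__main__":
    for t in (0.0, 0.1, 0.5):
        print(f"t={t}: {run_filters(SAMPLE, t)}")
```

With t = 0 the threshold filter behaves exactly like the basic filter and rejects all 95 legitimate packets on the shared mark; raising t to 0.1 lets them through at the cost of accepting the 5 attack packets sharing that mark, which is the false-positive/false-negative trade-off slide 15 describes.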

14
Experiment Results Basic Filter
  • DDoS protection
    • Accepted 60% of user traffic
    • Accepted 17% of attacker traffic
  • Downward slope due to marking saturation:
    all markings flagged as attacker

15
Experiment Results Threshold Filter
  • Thresholds Work!
  • Victim increases false positives to decrease
    false negatives
  • Greater attack traffic requires greater threshold
    values

16
Comments
  • Review of the goal
    • The same routing path yields the same marking
    • Different routing paths have little probability of
      overlapping
  • Question
    • Why bother using rotated marking instead of a
      simple hash function?

17
DDoS Attacks
  • IP spoofing
  • Bandwidth flooding
  • Back to Zhanxiang