D-WARD: DDoS Network Attack Recognition and Defense

1
D-WARDDDoS Network Attack Recognition and
Defense

• PhD Qualifying Exam
• Jelena Mirkovic
• PhD Advisor Peter Reiher
• 01/23/2002

2

• Design and implement DDoS defense system
• located at source network
• autonomously detects and stops attacking flows
• does not affect legitimate flows

2/39
3
Overview

• Problem Statement
• Related Work
• Desirable Characteristics
• D-WARD
• Thesis Goals
• Conclusion

3/39
4
What is a DoS Attack?
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
4/39
5
What is a DDoS Attack?
5/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
6
DDoS Defense Problem

• Large number of unwitting participants
• No common characteristics of DDoS streams
• No administrative domain cooperation
• Automated tools
• Hidden identity of participants
• Persistent security holes on the Internet

6/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
7
DDoS Prevention

• Compromise prevention
• security patches
• virus detection programs
• intrusion detection systems (IDS)
• High deployment cannot be enforced

7/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
8
DDoS Defense
INTERMEDIATE NETWORK
VICTIM NETWORK
SOURCE NETWORK
8/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
9
Victim Network

• Intrusion Detection Systems
• On-off control approach
• Router monitoring tools (CISCO)
• Victim can successfully detect the attack
• - Victim is helpless if
• attack consists of legitimate packets or
• attack is of large volume

9/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
10
Intermediate Network

• WATCHERS
• Traceback
• Pushback
• Spoofing prevention
• Routers can effectively constrain/trace the
  attack
• - Possible performance degradation
• - Interdomain politics of isolation
• - Attack detection is hard
• - Communication has to be secured

10/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
11
Source Network

• MULTOPS
• Source routers can effectively constrain/trace
  the attack
• Internet resources are preserved
• - Attack detection is hard
• - Many deployment points needed for high
  efficacy

11/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
12
Desirable Characteristics

• High security
• Reliable attack detection
• Independent detection and response
• Low performance cost
• Incremental benefit with incremental deployment
• Handle recurring attacks
• Traceback
• Cooperation

REQUIRED
OPTIONAL
12/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
13
D-WARD

• DDoS defense system in Source Network
• Source Router detects attack and responds
• Monitors the two-way traffic
• Suspect flows are rate-limited
• Further observations lead to decrease or
  increase of rate-limit

13/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
14
System Architecture
14/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
15
Statistics Gathering

• Statistics help discover difficulties
• Only IP header data is used
• Statistics classified per peer IP address
• Statistics cache size is limited and the cache
  is purged periodically
• Records for normal flows deleted
• Records for transient and attack flows reset

15/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
16
Traffic Models

• TCP requires proportional reverse flow
• Non-TCP traffic requires NO reverse flow
• Non-TCP servers usually send constant amount of
  packets/Bytes per second to a given peer

16/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
17
Traffic Models

• Model of normal TCP traffic
• low ratio of number of sent/number of received
  packets
• Model of normal non-TCP traffic
• mean and standard deviation of number of sent
  packets/Bytes for certain destination
• Non-TCP models created in training phase

17/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
18
Flow Classification

• Comparison with models of normal traffic
• compliant - within limits of the model
• attack - outside of model limits
• Well behaved or not
• normal - well-behaved compliant flows
• transient - non well-behaved compliant flows

18/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
19
Throttling Component

• ATTACK Exponential decrease
• TRANSIENT Slow recovery, linear increase
• NORMAL Fast recovery, exponential increase

19/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
20
Experiment 1
CLIENT
ATTACKER
ROUTER
VICTIM
ATTACKER
20/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
21
attack starts
attack stops
21/39
22
attack starts
attack stops
22/39
23
Experiment 2
CLIENT
ATTACKER
ROUTER
VICTIM
ATTACKER
23/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
24
legitimate traffic starts
attack starts
attack stops
24/39
25
Legitimate traffic starts
attack stops
attack starts
FTP starts
25/39
26
Experiment 3
CLIENT
ATTACKER
ROUTER
VICTIM
ATTACKER
26/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
27
Legitimate traffic starts
attack stops
FTP starts
attack starts
27/39
28
attack starts
attack stops
28/39
29
Experiment 4
CLIENT
ATTACKER
ROUTER
VICTIM
ATTACKER
29/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
30
attack starts
attack stops
30/39
31
attack starts
attack stops
31/39
32
Summary of Results

• D-WARD successfully detects and stops attacks
• Legitimate clients from other domains benefit
  greatly
• System is friendly to non-TCP traffic
• Legitimate TCP connections from source network
  are slowed down
• There is no fairness guarantee to normal flows

32/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
33
Attack Detection

• Choice of monitored parameters
• reliability vs performance
• separating legitimate from attack flows
• Creation and update of models
• Cooperation with other Source Routers
• Cooperation with the victim
• Recurring attacks

33/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
34
Attack Response

• Effectiveness vs fairness of response
• aggressiveness should depend on reliability of
  classification
• design of feedback mechanism
• Traceback of the attack
• Interaction of multiple DDoS defense systems

34/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
35
Security

• Attackers follow developments in security
• Attackers could attempt to avoid detection
• pulsing attacks
• generating reverse packets
• gradually use up victims resources
• mistrain models
• Attackers could attempt to misuse the system
• drop legitimate packets
• Attackers might DDoS Source Router

35/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
36
Partial Deployment

• Effectiveness depends on degree of deployment
• Does not protect deploying network so motivation
  is low
• Legal factors could help
• Additional incentive
• minimal changes to existing routers
• low cost
• good performance

36/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
37
Deployment on Core Routers

• Large coverage with less deployment points
• Router performance must not be degraded
• Rate limit has impact on large portion of flows ?
  few false positives a must

37/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
38
Timeline
Year1 Year2 Jan
Apr Jul Oct Jan
Apr Jul Oct
7
10
1
9
12
3
5
8
2
11
4
6
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion
38/39
39
Conclusions

• DDoS attacks are a serious threat
• A design of effective detection and response
  strategy is a must
• D-WARD successfully detects and constraints the
  attacks but has undesired impact on legitimate
  flows
• Further research needed to refine the system and
  devise deployment strategy

39/39
Problem Statement? Related Work ? Desirable
Characteristics ? D-WARD ? Thesis Goals ?
Conclusion