Download presentation: A Taxonomy of DDoS Attack and DDoS Defense Mechanisms


• Number of slides: 56

A Taxonomy of DDoS Attack and DDoS Defense Mechanisms
Written by Jelena Mirkovic and Peter Reiher
In ACM SIGCOMM Computer Communication Review, April 2005
Presented by Jared Bott

Key Point!
• DDoS attacks can be carried out in a wide variety of manners, with a wide variety of purposes
• DDoS defenses show great variety

DDoS Attacks
• An explicit attempt to prevent the legitimate use of a service
• Multiple attacking entities, known as agents
• DDoS is a serious problem
  • Many proposals about how to deal with it
(Figure: agents sending traffic to a target; labels "Agent" and "Target")

What makes DDoS attacks possible?
• Answer: The end-to-end paradigm
• Internet security is highly interdependent
  • Susceptibility of a system depends on the security of
• Internet resources are limited
• Intelligence and resources are not collocated
  • End systems are intelligent, intermediate systems are high in resources

• Accountability is not enforced
  • IP spoofing is possible
• Control is distributed
  • No way to enforce global deployment of a security mechanism or policy

Taxonomy of Attacks

DA: Degree of Automation
• How involved is the attacker?
• Automation of the recruit, exploit, infect and scan phases
• DA-1: Manual
• DA-2: Semi-Automatic
  • Recruit, exploit and infect phases are automated
• DA-3: Automatic

DA-2: CM: Communication Mechanism
• How do semi-autonomous systems communicate?
• DA-2: CM-1: Direct Communication
  • Agents/handlers know each other's identities
  • Communication through TCP or UDP
• DA-2: CM-2: Indirect Communication
  • Communication through IRC

DA-2/DA-3: HSS: Host Scanning Strategy
• How do attackers find computers to make into agents?
  • Choose addresses of potentially vulnerable machines to scan
• DA-2/DA-3: HSS-1: Random Scanning
• DA-2/DA-3: HSS-2: Hitlist Scanning

DA-2/DA-3: HSS: Host Scanning Strategy (continued)
• DA-2/DA-3: HSS-3: Signpost Scanning
  • Topological scanning
  • Email worms send emails to everyone in the address book
  • Web-server worms infect visitors' vulnerable browsers to infect servers visited later

DA-2/DA-3: HSS: Host Scanning Strategy (continued)
• DA-2/DA-3: HSS-4: Permutation Scanning
  • Pseudo-random permutation of the IP space is shared among all infected machines
  • Newly infected machine starts at a random point
• DA-2/DA-3: HSS-5: Local Subnet Scanning
• Examples:
  • HSS-1: Code Red v2
  • HSS-5: Code Red II, Nimda

DA-2/DA-3: VSS: Vulnerability Scanning Strategy
• We have found a machine; can it be "infected"?
• DA-2/DA-3: VSS-1: Horizontal Scanning
• DA-2/DA-3: VSS-2: Vertical Scanning
• DA-2/DA-3: VSS-3: Coordinated Scanning
  • Machines probe the same port(s) at multiple machines within a local subnet
• DA-2/DA-3: VSS-4: Stealthy Scanning

DA-2/DA-3: PM: Propagation Method
• How does attack code get onto compromised machines?
• DA-2/DA-3: PM-1: Central Source Propagation
  • Attack code resides on server(s)

DA-2/DA-3: PM: Propagation Method (continued)
• DA-2/DA-3: PM-2: Back-Chaining Propagation
  • Attack code is downloaded from the machine that exploited the system

DA-2/DA-3: PM: Propagation Method (continued)
• DA-2/DA-3: PM-3: Autonomous Propagation
  • Inject attack instructions directly into the target host during the exploit phase
  • Ex. Code Red, various email worms, Warhol worm idea

EW: Exploited Weakness to Deny Service
• What weakness of the target machine is exploited to deny service?
• EW-1: Semantic
  • Exploit a specific feature or implementation bug
  • Ex. TCP SYN attack
    • Exploited feature is the allocation of substantial space in a connection queue immediately upon receipt of a TCP SYN
• EW-2: Brute-Force

SAV: Source Address Validity
• Do packets have the agents' real IP addresses?
• SAV-1: Spoofed Source Address
• SAV-2: Valid Source Address
  • Frequently originate from Windows machines
• SAV-1: AR: Address Routability
  • This is not the attacker's address, but can it be routed?
  • SAV-1: AR-1: Routable Source Address
  • SAV-1: AR-2: Non-Routable Source Address

SAV-1: ST: Spoofing Technique
• How does an agent come up with an IP address?
• SAV-1: ST-1: Random Spoofed Source Address
  • Random 32-bit number
  • Prevented using ingress filtering, route-based filtering
• SAV-1: ST-2: Subnet Spoofed Source Address
  • Spoofs a random address from the address space assigned to the machine's subnet
  • Ex. A machine in 131.179.192.0/24 chooses in the range 131.179.192.0 to 131.179.192.255

SAV-1: ST: Spoofing Technique (continued)
• SAV-1: ST-3: En Route Spoofed Source Address
  • Spoof the address of a machine or subnet along the path to the victim
• SAV-1: ST-4: Fixed Spoofed Source Address
  • Choose a source address from a specific list
  • Reflector attack
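The two filters the ST-1 slide names, ingress filtering and route-based (reverse-path) filtering, as an added example that is not part of the slides or the paper. The customer prefix reuses the slide's 131.179.192.0/24; the forwarding table and the packet sources are constructed for the example. It also shows the limit the ST-2 slide implies: a subnet-spoofed source is inside the assigned prefix and passes both checks.

```python
import ipaddress

# Prefix assigned to the customer-facing interface (the subnet from the ST-2 slide).
ASSIGNED_PREFIX = ipaddress.ip_network("131.179.192.0/24")

# Constructed forwarding table for the router: prefix -> outgoing interface.
FIB = {
    ipaddress.ip_network("131.179.192.0/24"): "customer0",
    ipaddress.ip_network("131.179.0.0/16"): "core0",
    ipaddress.ip_network("0.0.0.0/0"): "upstream0",
}


def ingress_allows(src_ip, assigned=ASSIGNED_PREFIX):
    """Ingress filtering: accept a packet from the customer interface only if its
    source lies in the prefix assigned to that interface. A random 32-bit source
    (ST-1) lands in a /24 with probability 256 / 2**32, so it is almost always dropped."""
    return ipaddress.ip_address(src_ip) in assigned


def best_route(src_ip, fib=FIB):
    """Longest-prefix match: the interface the router would use to reach src_ip."""
    addr = ipaddress.ip_address(src_ip)
    matches = [(net.prefixlen, iface) for net, iface in fib.items() if addr in net]
    return max(matches)[1] if matches else None


def rpf_allows(src_ip, ingress_iface, fib=FIB):
    """Route-based (strict reverse-path) filtering: accept only if the route back
    to the source leaves through the interface the packet arrived on."""
    return best_route(src_ip, fib) == ingress_iface


def classify(sources, ingress_iface="customer0"):
    """Apply both filters to a list of source addresses; return the sources that pass."""
    return [s for s in sources if ingress_allows(s) and rpf_allows(s, ingress_iface)]


# Constructed sample: two ST-1 random sources, one en-route style source from the
# provider's own /16 but a different subnet, and two sources inside the assigned /24
# (a genuine host and an ST-2 subnet-spoofed one look identical to the router).
SAMPLE_SOURCES = ["8.8.8.8", "192.0.2.77", "131.179.5.5", "131.179.192.10", "131.179.192.200"]

if __name__ == "__main__":
    print("passed:", classify(SAMPLE_SOURCES))
```

The subnet-spoofed address is indistinguishable from the genuine host at this router, which is why the slide lists ingress filtering as a defense against ST-1 only.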

ARD: Attack Rate Dynamics
• Does the attack rate change?
• ARD-1: Constant Rate
  • Used in the majority of known attacks
  • Best cost-effectiveness: minimal number of computers needed
  • Obvious anomaly in traffic
• ARD-2: Variable Rate

ARD-2: RCM: Rate Change Mechanism
• How does the rate change?
• ARD-2: RCM-1: Increasing Rate
  • Gradually increasing rate leads to a slow exhaustion of the victim's resources
  • Could manipulate defenses that train their baseline models
• ARD-2: RCM-2: Fluctuating Rate
  • Adjust the attack rate based on the victim's behavior or preprogrammed timing
  • Ex. Pulsing attack

PC: Possibility of Characterization
• Can the attacking traffic be characterized?
• Characterization may lead to filtering rules
• PC-1: Characterizable
  • Those that target specific protocols or applications at the victim
  • Can be identified by a combination of IP header and transport protocol header values or packet contents
  • Ex. TCP SYN attack
    • SYN bit set

PC-1: RAVS: Relation of Attack to Victim Services
• The traffic is characterizable, but is it related to the target's services?
• PC-1: RAVS-1: Filterable
  • Traffic made of malformed packets or packets for services non-critical to the victim's operation
  • Ex. ICMP ECHO flood attack on a web server
• PC-1: RAVS-2: Non-Filterable
  • Well-formed packets that request legitimate and critical services
  • Filtering all packets that match the attack characterization would lead to a denial of service

PC: Possibility of Characterization (continued)
• PC-2: Non-Characterizable
  • Traffic that uses a variety of packets that engage different applications and protocols
  • Classification depends on the resources that can be used to characterize and the level of characterization
  • Ex. Attack uses a mixture of TCP packets with various combinations of TCP header fields
    • Characterizable as a TCP attack, but nothing finer without vast resources

PAS: Persistence of Agent Set
• Do the same agents attack the whole time?
• Some attacks vary their set of active agent machines
  • Avoid detection and hinder traceback
• PAS-1: Constant Agent Set
• PAS-2: Variable Agent Set
(Figure: two agent groups; the bright red group attacks for 4 hours, the dark red group attacks for the next 4 hours)

VT: Victim Type
• What does the attack target?
• VT-1: Application
  • Ex. Bogus signature attack on an authentication server
    • Authentication not possible, but other applications still available
• VT-2: Host
  • Disable access to the target machine
  • Overloading, disabling communications, crash machine, freeze machine, reboot machine
  • Ex. TCP SYN attack overloads the communications of a machine

VT: Victim Type (continued)
• VT-3: Resource Attacks
  • Target a critical resource in the victim's network
  • Ex. DNS server, router
  • Prevented by replicating critical services, designing robust network topology
• VT-4: Network Attacks
  • Consume the incoming bandwidth of a target network
  • Victim must request help from upstream networks

VT: Victim Type (continued)
• VT-5: Infrastructure
  • Target a distributed service that is crucial for global Internet operation
  • Ex. Root DNS server attacks in October 2002, February 2007

IV: Impact on the Victim
• How does an attack affect the victim's service?
• IV-1: Disruptive
  • Completely deny the victim's service to its clients
  • All currently reported attacks are this kind
• IV-2: Degrading
  • Consume some portion of a victim's resources, seriously degrading service to customers
  • Could remain undetected for a long time

IV-1: PDR: Possibility of Dynamic Recovery
• Can a system recover from an attack? How?
• IV-1: PDR-1: Self-Recoverable
  • Ex. UDP flooding attack
• IV-1: PDR-2: Human-Recoverable
  • Ex. Computer freezes, requires reboot
• IV-1: PDR-3: Non-Recoverable
  • Permanent damage to the victim's hardware
  • No reliable accounts of these attacks

DDoS Defense
• Several factors hinder the advance of DDoS defense research
• Need for a distributed response at many points on the Internet
  • Many attacks need upstream network resources to stop attacks
• Economic and social factors
  • A distributed response system must be deployed by parties that aren't directly damaged by a DDoS attack

DDoS Defense (continued)
• Lack of defense system benchmarks
  • No benchmark suite of attack scenarios or established evaluation methodologies
• Lack of detailed attack information
  • We have information on control programs
  • Information on the frequency of various attack types is lacking
  • Information on rate, duration, packet size, etc. is lacking

DDoS Defense (continued)
• Difficulty of large-scale testing
  • No large-scale test beds
    • U.S. National Science Foundation is funding development of a large-scale cybersecurity test bed
  • No safe ways to perform live distributed experiments across the Internet
  • No detailed and realistic simulation tools that support thousands of nodes

Taxonomy of DDoS Defenses

AL: Activity Level
• When does a defense system work?
• AL-1: Preventive
  • Eliminate the possibility of DDoS attacks or enable victims to endure the attack without denial of service
• AL-1: PG: Prevention Goal
  • What is the system trying to do?
  • AL-1: PG-1: Attack Prevention
    • The system is trying to prevent attacks

AL-1: PG-1: ST: Secured Target
• What does a system try to secure to prevent an attack?
• AL-1: PG-1: ST-1: System Security
  • Secure the system
  • Guard against illegitimate accesses to a machine
  • Remove application bugs, update protocol installations
  • Ex. Firewall systems, IDSs, automated updates

AL-1: PG-1: ST: Secured Target (continued)
• AL-1: PG-1: ST-2: Protocol Security
  • Secure the protocols
  • Bad protocol design examples: TCP SYN attack, authentication server attack, IP source address spoofing
  • Ex. Deployment of a powerful proxy server that completes TCP connections
  • Ex. TCP SYN cookies
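How SYN cookies remove the connection-queue weakness the EW-1 slide describes, as an added example that is not part of the slides or the paper. It follows the classic 32-bit layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash); the secret, the MSS table, the addresses and the counter values are constructed for the example, and the keyed hash is HMAC-SHA256 truncated to 24 bits.

```python
import hashlib
import hmac

# Constructed secret; a real server draws it at random and rotates it.
SERVER_SECRET = b"example-secret-not-for-production"
# MSS values the 3-bit field can encode; four of the eight slots are used here.
MSS_TABLE = [536, 1220, 1440, 1460]


def _mac24(src, dst, sport, dport, counter):
    """24-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = f"{src}:{sport}->{dst}:{dport}@{counter}".encode()
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src, dst, sport, dport, mss, counter):
    """Sequence number for the SYN-ACK: counter (5 bits) | MSS index (3 bits) | MAC (24 bits).

    In the classic scheme the counter ticks every 64 s; the caller supplies it here.
    Nothing about the SYN is stored, so a flood of spoofed SYNs allocates no queue space."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | _mac24(src, dst, sport, dport, counter)


def check_syn_cookie(src, dst, sport, dport, ack, counter, max_age=1):
    """Validate the third handshake packet without any stored SYN state.

    Returns the encoded MSS if ack-1 is a cookie minted for this 4-tuple within the
    last max_age counter ticks; otherwise None and no connection is created."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if mss_idx >= len(MSS_TABLE):
        return None
    for age in range(max_age + 1):
        c = counter - age
        expected = _mac24(src, dst, sport, dport, c)
        if (c & 0x1F) == t and hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None


def handshake_demo():
    """Server side of one handshake on constructed addresses: SYN in, cookie out, ACK checked."""
    src, dst, sport, dport, counter = "198.51.100.7", "203.0.113.10", 40001, 80, 1234
    isn = make_syn_cookie(src, dst, sport, dport, mss=1460, counter=counter)  # SYN-ACK seq
    # A genuine client answers with ack = isn + 1; a spoofed source never sees isn,
    # so only real clients ever cause the server to allocate connection state.
    return check_syn_cookie(src, dst, sport, dport, ack=isn + 1, counter=counter)


if __name__ == "__main__":
    print("negotiated MSS:", handshake_demo())
```

The price of statelessness is visible in the code: only a coarse MSS and no other SYN options survive, which is why real stacks enable cookies only once the queue the EW-1 slide describes is under pressure.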

AL-1: PG: Prevention Goal (continued)
• AL-1: PG-2: DoS Prevention
  • The system is trying to prevent a denial of service
  • Enable the victim to endure attack attempts without denying service
  • Enforce policies for resource consumption
  • Ensure that abundant resources exist

AL-1: PG-2: PM: Prevention Method
• How do the defense systems prevent DoS?
• AL-1: PG-2: PM-1: Resource Accounting
  • Police the access of each user to resources based on the privileges of the user and the user's behavior
  • Let real, good users have access
  • Coupled with legitimacy-based access mechanisms
• AL-1: PG-2: PM-2: Resource Multiplication
  • Ex. Pool of servers with a load balancer, high-bandwidth network

AL-2: Reactive
• Defense systems try to alleviate the impact of an attack
  • Detect the attack and respond to it as early as possible
• AL-2: ADS: Attack Detection Strategy
  • How does the system detect attacks?
  • AL-2: ADS-1: Pattern Detection
    • Store signatures of known attacks and monitor communications for the presence of patterns
    • Only known attacks can be detected
    • Ex. Snort

AL-2: ADS-2: Anomaly Detection
• Compare the current state of the system to a model of normal system behavior
• Previously unknown attacks can be discovered
• Tradeoff between detecting all attacks and false positives

AL-2: ADS-2: NBS: Normal Behavior Specification
• How is normal behavior defined?
• AL-2: ADS-2: NBS-1: Standard
  • Rely on some protocol standard or set of rules
  • Ex. TCP protocol specification describes the three-way handshake
    • Detect half-open TCP connections
  • No false positives, but sophisticated attacks can be left undetected

AL-2: ADS-2: NBS-2: Trained
• Monitor network traffic and system behavior
• Generate threshold values for different parameters
• Communications exceeding one or more thresholds are marked as anomalous
  • Low threshold leads to many false positives, high threshold reduces sensitivity
• Model of normal behavior must be updated
  • Attacker can slowly increase the traffic rate so that new models are higher and higher
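A trained-threshold detector (NBS-2) run over constructed per-second packet counts, as an added example that is not part of the slides or the paper. It covers both the NBS-2 slide and the RCM-1 slide: a constant-rate flood (ARD-1) is flagged at once, a rate that grows 2 pps per second walks the retrained baseline upward and is never flagged, and a cap on baseline growth (an assumption of this example, not a mechanism from the paper) restores detection. The traffic series, window size and k are constructed.

```python
from statistics import mean, pstdev


def train_threshold(samples, k=3.0):
    """NBS-2 training step: threshold = mean + k * stddev of observed per-second packet counts."""
    return mean(samples) + k * pstdev(samples)


def detect(counts, window=20, k=3.0, retrain=True, max_growth=None):
    """Return the indices of seconds whose packet count exceeds the trained threshold.

    The first `window` samples train the model. With retrain=True every sample that is
    not flagged slides into the window and the threshold is retrained (the slide's
    "model must be updated"). max_growth caps the retrained threshold at
    max_growth * the initial threshold; the cap is this example's own mitigation."""
    history = list(counts[:window])
    base = train_threshold(history, k)
    threshold = base
    flagged = []
    for i in range(window, len(counts)):
        if counts[i] > threshold:
            flagged.append(i)          # anomalous samples never feed the model
            continue
        if retrain:
            history = history[1:] + [counts[i]]
            threshold = train_threshold(history, k)
            if max_growth is not None:
                threshold = min(threshold, base * max_growth)
    return flagged


# Constructed traffic in packets per second: 60 s of normal traffic jittering between
# 95 and 105, followed by either a constant-rate flood (ARD-1) or an RCM-1 ramp of
# +2 pps per second that never exceeds the retrained threshold.
NORMAL = [100 + (i * 7) % 11 - 5 for i in range(60)]
FLOOD = NORMAL + [400] * 30
RAMP = NORMAL + [105 + 2 * j for j in range(120)]

if __name__ == "__main__":
    print("flood, retraining model:   ", detect(FLOOD))
    print("ramp, retraining model:    ", detect(RAMP))                  # empty: baseline poisoned
    print("ramp, static model:        ", detect(RAMP, retrain=False))   # caught, but model goes stale
    print("ramp, capped retraining:   ", detect(RAMP, max_growth=1.5))
```

The static model catches the ramp but would drift from any legitimate growth in traffic, which is the tradeoff between sensitivity and false positives the slides describe.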

AL-2: Reactive (continued)
• AL-2: ADS-3: Third-Party Detection
  • Rely on an external message that signals the occurrence of an attack and the attack characterization
• AL-2: ARS: Attack Response Strategy
  • What does the system do to minimize the impact of an attack?
  • Goal is to relieve the impact of the attack on the victim with minimal collateral damage

AL-2: ARS: Attack Response Strategy (continued)
• AL-2: ARS-1: Agent Identification
  • Provides the victim with information about the identity of the attacking machines
  • Ex. Traceback techniques
• AL-2: ARS-2: Rate-Limiting
  • Extremely high-scale attacks might still be effective

AL-2: ARS: Attack Response Strategy (continued)
• AL-2: ARS-3: Filtering
  • Filter out attack streams
  • Risk of accidental DoS to legitimate traffic; clever attackers might use the filter itself as a DoS tool
  • Ex. Dynamically deployed firewalls
• AL-2: ARS-4: Reconfiguration
  • Change the topology of the victim or intermediate network
  • Add more resources or isolate attack machines
  • Ex. Reconfigurable overlay networks, replication services

CD: Cooperation Degree
• How much do defense systems work together?
• CD-1: Autonomous
  • Independent defense at the point of deployment
  • Ex. Firewalls, IDSs
• CD-2: Cooperative
  • Capable of autonomous detection/response
  • Cooperate with other entities for better performance
  • Ex. Aggregate Congestion Control (ACC) with pushback mechanism
    • Autonomously detect, characterize and act on the attack
    • Better performance if rate-limit requests are sent to upstream routers

CD-3: Interdependent
• Cannot operate on their own
• Require deployment at multiple networks or rely on other entities for attack prevention, detection or efficient response
• Ex. A traceback mechanism on one router is useless

DL: Deployment Location
• Where are defense systems located?
• DL-1: Victim Network
  • Ex. Resource accounting, protocol security mechanisms
• DL-2: Intermediate Network
  • Provide defense service to a large number of hosts
  • Ex. Pushback, traceback techniques
• DL-3: Source Network
  • Prevent network customers from generating DDoS attacks

Using the Taxonomies
• How can the taxonomies be used?
  • A map of DDoS research
  • Common vocabulary
  • Understanding of solution constraints
  • DDoS benchmark generation
  • Exploring new attack strategies
  • Design of attack class-specific solutions
  • Identifying unexplored research areas

Strengths
• Primary contribution
  • Obviously the taxonomy of DDoS mechanisms and defenses
  • Fosters easier cooperation among researchers
  • Covers current attacks and research

Weaknesses
• Clearly non-exhaustive categorization of attacks
• Naming conventions
  • AL-2: ADS-2: NBS-1 is not easily understandable

Improvements
• Use the taxonomy to create defenses
• How do you improve a taxonomy?

Summary
• Taxonomy of DDoS attacks and defenses
  • There are many characteristics of DDoS attacks and defenses
  • Hard to design a defense against all attack types