Download presentation: Bandwidth DoS Attacks and Defenses, Robert Morris


• Number of slides: 28

Bandwidth DoS Attacks and Defenses
Robert Morris, Frans Kaashoek, Hari Balakrishnan, Students
MIT LCS

What is a Denial of Service Attack?
• Goal: make a service unusable.
• How: overload a server, router, network link.
• Focus: bandwidth attacks (“trinoo”, “tfn”).

Logical View of Attack Net (diagram labels: Attacker, Control Traffic, Master, Slave, Attack Traffic, Victim)

Attack Targets (diagram labels: Router, ISP Link, Customer’s Router, Other ISPs, Host, App, O/S, Other Customers, Customer’s LAN)

Attacks use IP Packets (diagram: IP Header with Source Address and Destination Address, followed by User Data)
• Routers forward each packet independently.
• Routers don’t know about connections.
• Complexity is in end hosts; routers are simple.

Outline
• Case study: Yahoo.
  – What happened.
  – Analysis.
• Our framework for defense: RON.

Case Study: Yahoo Attack
• Early February 2000.
• Took Yahoo off the net for hours.

Yahoo’s Point of View (diagram labels: ISP Router, Yahoo’s Router, www.yahoo.com; 1 Gbit/second of Ping Response packets)

Yahoo Attack Overview (diagram labels: Co-location Centers, Other ISPs, Yahoo’s ISP, Yahoo)

Attack Packet Generation (diagram labels: Leader M and Slaves S1, S2, … Sn at a Co-location Center; Ping, DST=bcast, SRC=Yahoo; Ping Responses, DST=Yahoo; Internet)

What did the attack depend on?
• Pervasive insecure hosts.
• Fake IP source addresses.
• Use of hosts as amplifiers.
• Weak router software.
• Difficulty of diagnosis.

Pervasive Insecure Hosts
• Required for disguise and to generate enough traffic.
• How do they break in?
  – Buffer overruns.
  – Typically Solaris and Linux.
  – Highly automated.
• Defenses?
  – Better programming practices.
  – Disable services by default.
  – Firewalls, intrusion detection.
  – Motivation for deployment is not strong.

Fake IP Source Addresses
• Two uses:
  – Hide the source of attack.
  – Part of weapon.
• Example: SYN flooding.
• Defense:
  – Ingress/egress filtering.
  – But motivation for deployment is not strong.

Ingress Filtering (diagram labels: Attacker, SRC=Site 2, Site 1, Site 2, ISP 1, ISP 2, ISP 3, Victim)
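An added example, not from the slides, of the ingress filtering the “Fake IP Source Addresses” and “Ingress Filtering” slides call for: an ISP edge router knows which prefixes each customer interface legitimately originates, so a packet arriving on that interface with any other source address is spoofed and can be dropped. The interface names, prefixes and packet list are constructed for illustration.

```python
# Added example (not from the slides): ingress filtering at an ISP customer edge.
# Policy and sample packets are constructed; prefixes are documentation ranges.
import ipaddress
from collections import Counter

# Constructed topology: ISP 1 has two customer-facing interfaces.
# Site 1 is attached on cust-1 and owns 192.0.2.0/24;
# Site 2 is attached on cust-2 and owns 198.51.100.0/24.
INGRESS_POLICY = {
    "cust-1": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-2": [ipaddress.ip_network("198.51.100.0/24")],
}

def ingress_decision(iface, src):
    """Return 'forward' if src belongs to a prefix allowed on iface, else 'drop'."""
    allowed = INGRESS_POLICY.get(iface)
    if allowed is None:          # unknown interface: fail closed
        return "drop"
    addr = ipaddress.ip_address(src)
    return "forward" if any(addr in net for net in allowed) else "drop"

# Constructed packets seen at ISP 1's customer edge: (interface, source, destination).
# The spoofed ones mirror the slide: a host at Site 1 stamping SRC=Site 2.
SAMPLE_PACKETS = [
    ("cust-1", "192.0.2.10", "203.0.113.5"),
    ("cust-2", "198.51.100.7", "203.0.113.5"),
    ("cust-1", "198.51.100.7", "203.0.113.5"),  # spoofed: claims to be Site 2
    ("cust-1", "198.51.100.8", "203.0.113.5"),  # spoofed
    ("cust-1", "10.0.0.1", "203.0.113.5"),      # private source, never valid here
]

def filter_packets(packets):
    """Apply the policy; return (forwarded packets, per-interface drop counts)."""
    forwarded, drops = [], Counter()
    for iface, src, dst in packets:
        if ingress_decision(iface, src) == "forward":
            forwarded.append((iface, src, dst))
        else:
            drops[iface] += 1    # a rising drop count on one port is itself a signal
    return forwarded, drops

if __name__ == "__main__":
    fwd, drops = filter_packets(SAMPLE_PACKETS)
    print(len(fwd), "forwarded,", dict(drops))
```

The per-interface drop counter matters operationally: the filter stops the spoofed packets, and the counter tells the ISP which customer port the spoofing is coming from.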

Use of Hosts as Amplifiers
• Attackers need this:
  – To avoid using their own machines.
  – To generate lots of traffic.
  – To avoid detection via load monitoring.
• Two approaches:
  – Break into 1000s of machines.
  – Trick legitimate machines into generating traffic.

Weak Router Software
• Routers themselves are often victims.
• Why?
  – Forwarding and management compete for CPU.
  – Control and data traffic compete for net b/w.
• Solutions?
  – Simplify and partition.

Difficulty of Diagnosis
• Very little automatic support for traffic analysis and correlation.
  – Is the high load legitimate?
  – What does the attack consist of?
  – Where does the attack come from?
  – How to ask upstream routers to discard attack packets?
• Defense: distributed analysis system.
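An added example, not from the slides, of the first-pass traffic analysis this slide says is missing, applied to a reflected ping flood of the kind shown in the Yahoo slides: from flow records it answers what the load consists of (ICMP echo replies), who the victim is, and which networks the replies come from. The flow-record layout and the flows themselves are constructed for illustration.

```python
# Added example (not from the slides): spot a broad echo-reply flood in flow data.
# Record layout (src, dst, ip_proto, icmp_type, packets) is assumed; flows are constructed.
from collections import Counter, defaultdict
import ipaddress

ICMP, ECHO_REPLY = 1, 0

# Constructed flows: some ordinary TCP and one normal ping answer, then echo
# replies to a single destination from 40 hosts in each of three subnets,
# i.e. the broadcast domains that were tricked into acting as amplifiers.
FLOWS = [
    ("198.51.100.20", "203.0.113.10", 6, None, 40),
    ("198.51.100.21", "203.0.113.11", 6, None, 12),
    ("192.0.2.5", "203.0.113.11", ICMP, ECHO_REPLY, 3),
]
for net in ("192.0.2.0/24", "198.18.0.0/24", "198.18.7.0/24"):
    for host in list(ipaddress.ip_network(net).hosts())[:40]:
        FLOWS.append((str(host), "203.0.113.10", ICMP, ECHO_REPLY, 5000))

def analyze(flows, reply_pkts_threshold=100_000, min_sources=50):
    """Return {victim: {"packets": n, "sources": k, "amplifier_nets": [...]}}
    for every destination receiving many echo replies from many distinct sources."""
    pkts, srcs = Counter(), defaultdict(set)
    for src, dst, proto, icmp_type, n in flows:
        if proto == ICMP and icmp_type == ECHO_REPLY:
            pkts[dst] += n
            srcs[dst].add(src)
    report = {}
    for dst, n in pkts.items():
        if n >= reply_pkts_threshold and len(srcs[dst]) >= min_sources:
            # Group reply sources by /24: these are the amplifier networks to
            # contact or filter. They are not the attacker, whose trigger packets
            # carried the victim's address as source (see the later slides on
            # why identifying attackers needs cooperation).
            nets = Counter(str(ipaddress.ip_network(s + "/24", strict=False))
                           for s in srcs[dst])
            report[dst] = {"packets": n, "sources": len(srcs[dst]),
                           "amplifier_nets": [net for net, _ in nets.most_common()]}
    return report

if __name__ == "__main__":
    for victim, info in analyze(FLOWS).items():
        print(victim, info)
```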

Why are these attacks easy?
• Internet built around end-to-end principle:
  – Most functions done by end hosts.
  – Examples: reliable delivery.
• Advantages:
  – Simplifies network core.
    • Example: IP packet forwarding.
    • Example: it’s easy to start an ISP.
  – Anyone can introduce new services.
• Result: lots of innovation.

Why is defense hard?
• End-to-end principle conflicts with:
  – Centralized control.
  – Centralized monitoring.
  – Separation of data from control traffic.
  – Mandatory authentication.
  – Mandatory accounting.

RON Project
• End-to-end framework for:
  – Cooperative statistics collection.
  – Cooperative reaction to attacks.
  – Fault-tolerant control and data routing.
• How: resilient overlay network (RON).
• Funded by DARPA/IA/FTN.

What is an Overlay Network? (diagram labels: N1, N2, N3, N4, N5, ISP 2)
• Better routing functions built in end hosts.
• Can be used to build distributed defenses.

Why Distributed Defenses?
• Presence of attack obvious near victim.
  – Not obvious near sources of attack.
  – But control is easier near sources.
• Identifying attackers requires cooperation.
  – Asymmetric routing.
  – Fake source addresses.

Why Distribution is Hard
• RON itself is a target.
• Authorized communication between RON nodes.
• Bandwidth attacks on RON nodes.
• Application-level DoS attacks.
• Political / deployment problems.
  – Needs cooperation? Or single-organization?

Monitoring Scenario (diagram labels: Victim, Attacker, N1, N2, N3, N4, N5, Backbone B1, Backbone B2; steps: 1. Measure, 2. Communicate, 3. Control)

Fault-Tolerant Routing
• Use Internet to connect multiple sites.
• Inter-ISP routing:
  – Ignores link quality.
  – Ignores many available paths due to policy.
  – Chooses only one path.
  – Reacts slowly.
• RON allows end-system control of routing.

Fault-tolerant Routing (2) (diagram labels: N1, N2, N3, N4, N5, Backbone B1, Backbone B2, Peering Point P, Peering Point Q, Attacker)

Peer-to-Peer Networking
• Multi-organization overlays.
• Early work: Gnutella and FreeNet.
  – Data replicated at many sites.
  – Queries traverse reliable overlay.
  – Explicit protection of virtual infrastructure.

Summary
• Raise the bar:
  – Improve host security.
  – Make it hard to fake IP addresses.
• Experiment with RON-like and peer-to-peer architectures.