- Number of slides: 45
“A Taxonomy of DDoS Attack and DDoS Defense Mechanisms” by Jelena Mirkovic and Peter Reiher (CCR, April 2004)
NSRG - Network Security Reading Group: Vijay Erramilli, Nahur Fonseca, Abhishek Sharma, Georgios Smaragdakis and Prof. John W. Byers
http://www.cs.bu.edu/groups/wing
Outline
- Overview of DDoS
- Taxonomy of DDoS Attacks
- DDoS Activity
- Taxonomy of DDoS Defenses
- Examples of DDoS Defenses
Overview
(D)DoS := explicit attempt to prevent the legitimate use of a service
Why is this part of today's Internet?
- The current Internet design is focused on the effectiveness of moving packets.
- Internet resource limitations.
- Control is distributed.
DDoS Overview
Taxonomy of DDoS Attacks [MR 04]
DDoS attack mechanisms, classification by:
- Degree of Automation
- Impact on the Victim
- Exploited Weakness
- Victim Type
- Source Address Validity
- Attack Rate Dynamics
- Persistence of Agent Set
- Possibility of Characterization
Classification By Degree of Automation
- Manual
- (Semi-)Automated: mainly worms
  Scanning strategies:
  - Random scanning (CRv2)
  - Hitlist scanning
  - Permutation scanning – sub-hitlist (Warhol)
  - Topological scanning (e-mail worms)
  - Local subnet scanning (CRv2, Nimda)
Classification By Degree of Automation
- Vulnerability scanning strategies
  - Horizontal: same port on different machines
  - Vertical: all ports of one machine
  - Coordinated
  - Stealthy
- Propagation mechanism
  - Central source (Li0n worm)
  - Back-chaining (Ramen worm, Morris worm)
  - Autonomous propagation (CR, Warhol)
Classification By Exploited Weakness To Deny Service
- Searching for a specific feature or bug
  - SYN ACK attack, NAPTHA / connection queue
  - CGI request attack / CPU
- Flooding (reflectors)
  - DNS request attacks
  - Smurf attacks (ICMP reply attacks)
Classification By Source Address Validity
- Spoofing techniques
  - Random spoofed source address
  - Subnet spoofed source address (hard to detect)
  - En route spoofed source address (future): an address along the path from the slave to the victim
  - Fixed spoofed source address
Classification By Attack Rate Dynamics
- Constant rate
  - Attacker can deploy a minimum number of machines
  - Patterns in traffic
- Variable rate
  - Increasing rate
  - Fluctuating rate (low-rate attacks like Shrew, RAT and RoQ)
Classification By Possibility of Characterization
- Filterable: filtered by a firewall, e.g. UDP flooding, ICMP echo flood to web servers, DNS (TCP).
- Non-filterable: mainly try to consume bandwidth, using a mixture of TCP SYN, TCP attack, ICMP ECHO/REPLY, and UDP packets.
Classification By Persistence of Agent (Slave) Set
- Constant slave set
  - Lack of synchronization
- Variable slave set
  - e.g. taking turns (waves) of floods of packets
Classification By Victim Type
- Application
  - Attack packets indistinguishable from legitimate packets at the transport level.
  - A lot of applications that have to be modeled.
- Host
  - CPU/stack
- Resource
  - Critical resource, e.g. DNS, router, bottleneck
- Network
  - Traffic
- Infrastructure
  - Misconfiguration by the attacker / BGP (future)
Classification By Impact on the Victim
- Disruptive
  - Deny the victim's service to its clients
- Degrading
  - Consumes some portion of the victim's resources.
  - Not easily detected
  - Leads to disruptive DoS in high-load periods
Attack Tools
- Very easy to find code (e.g. http://www.ussrback.com/distributed.htm)
- Trinoo: flood attack. The communication link between attacker and slaves is encrypted.
- TFN2k: flood attack, but also allows SYN, ICMP flood and Smurf attacks. The communication link between attacker and slaves is encrypted.
- …
Outline
x Overview of DDoS
x Taxonomy of DDoS Attacks
- DDoS Activity
- Taxonomy of DDoS Defenses
- Examples of DDoS Defenses
Why bother? Fact 1: prevalence
David Moore et al., “Inferring Internet Denial-of-Service Activity”
Backscatter Analysis
- Assumptions
  - Flood attack
  - Randomly spoofed source address
  - Victims always respond
  - Backscatter is evidence of an ongoing attack
  - Responses are equally distributed across the IP space: E(x) = nm/2^32 (m = packets sent); R > R' 2^32/n (n = 2^24 monitored addresses)
- Biases
  - Underestimate due to: ingress filtering, reflector attacks, packet losses, rate limiting
  - Minor factor due to random port scans on the observed hosts.
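The backscatter estimate on this slide, carried through in code. This is an added example, not code from the slides or from Moore et al.; it assumes exactly the slide's model (uniformly random spoofed 32-bit sources, a victim that answers every packet, a monitor that sees every response to its n addresses), and the flood size and the monitored /8 are constructed values. The simulation draws random spoofed sources so the estimators can be checked against a known ground truth.

```python
"""Backscatter estimate (added example, not from the slides or Moore et al.).
Model assumed from the slide: a flood of m packets with uniformly random
spoofed 32-bit sources, a victim that answers every packet, and a monitor
that sees every response addressed to its n addresses."""
import random

ADDRESS_SPACE = 2 ** 32


def expected_backscatter(n_monitored: int, attack_packets: int) -> float:
    """E(x) = n*m / 2^32: backscatter packets the monitor expects to see."""
    return n_monitored * attack_packets / ADDRESS_SPACE


def attack_rate_lower_bound(observed_rate: float, n_monitored: int) -> float:
    """R >= R' * 2^32 / n: rescale the observed backscatter rate to the whole
    address space. It is only a lower bound because ingress filtering,
    reflectors, packet loss and rate limiting all remove responses before
    they reach the monitor (the slide's 'underestimate' biases)."""
    return observed_rate * ADDRESS_SPACE / n_monitored


def simulate_backscatter(monitored_prefix: int, attack_packets: int, seed: int = 1) -> int:
    """Constructed ground truth: draw attack_packets random spoofed sources and
    count how many fall in the monitored /8 (top byte == monitored_prefix)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(attack_packets):
        spoofed_src = rng.getrandbits(32)
        if spoofed_src >> 24 == monitored_prefix:
            hits += 1
    return hits


if __name__ == "__main__":
    n = 2 ** 24          # a /8 telescope, as on the slide
    m = 100_000          # constructed flood size
    print("expected backscatter:", expected_backscatter(n, m))   # 390.625
    seen = simulate_backscatter(monitored_prefix=9, attack_packets=m)
    print("simulated backscatter:", seen)
    # treat the observed count per interval as R' and invert the model
    print("inferred attack rate (lower bound):", attack_rate_lower_bound(seen, n))
```

Because the monitored /8 covers 1/256 of the address space, a 100,000-packet flood leaves only a few hundred backscatter packets in the telescope; the inversion recovers the flood size up to sampling noise, and any of the listed biases only pushes the inferred rate lower.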
Why bother? “Fact” 2: cost
- What's the worst-case worm?
  - A lot of resources (a nation state) to find a zero-day (never seen) vulnerability in a widely used service.
  - Infect intranets first and then the Internet
  - Very fast (e.g. flash worms): < 1 day.
  - Cause data damage, hardware damage.
- How much would it cost?
  - A conservative linear model based on: recovery, data, work-hour and BIOS costs
  - US$50 billion
Taxonomy of DDoS Defenses
- Preventive vs. Reactive
- Degree of cooperation
  - Autonomous
  - Cooperative
  - Interdependent
- Deployment location
  - Victim network
  - Intermediate network
  - Source network
Proactive / Reactive Actions
- Preventive
  - Prevention goal: 1. Attack prevention 2. DoS prevention
  - Secured target (attack prevention): 1. System security 2. Protocol security
  - Prevention method (DoS prevention): 1. Resource accounting 2. Resource multiplication
- Reactive
  - Detection strategy: 1. Pattern 2. Anomaly 3. Third party
  - Response strategy: 1. Agent identification 2. Rate-limiting 3. Filtering 4. Reconfiguration
Degree of Cooperation
- Autonomous – independent defense at the point of deployment
- Cooperative – perform better in joint operation.
- Interdependent – cannot operate autonomously.
Deployment Location
- Victim network – most common; the most interested party.
- Intermediate network – the ISP can provide the service; potential for cooperation.
- Source network – prevent DDoS at the source; least motivation (Tragedy of the Commons).
Examples of Defenses (preventive vs. reactive; deployed at the victim, intermediate or source network)
- Autonomous: IDS, Snort
- Cooperative: Puzzles, In-Filter (ingress filtering), D-WARD
- Interdependent: SOS, Traceback
IDS, Snort
- Intrusion Detection System
  - Purpose: to sniff all traffic on a network and to compare the network packets with certain patterns.
- Pipeline: sniff all traffic → preprocess → pattern matching → policy enforcement → deny
SOS: Secure Overlay Service
- Proactively prevent DoS to allow legitimate users to communicate with a critical target.
Pros:
+ Illegitimate packets are dropped
+ Proxy forwards authentic traffic
Cons:
- Attackers take over a source
- Attackers may spoof the proxy IP
- Attackers spoof addresses
- Attackers may attack the proxy
- Sources have mobile IP
SOS: Architecture (roles shown in the figure)
- A node on or off the overlay that wants to send a transmission to a target
- A node on the overlay that receives traffic destined for the target and, after verifying the legitimacy of the traffic, forwards it to a secret servlet
- A node on the overlay that acts as the only entry point to the target
- Target node that wishes to receive transmissions from validated sources
- A node on the overlay that accepts traffic to the target from approved source points
Ingress Filtering (RFC 2267)
- An ingress filter on "router 2" restricts traffic to allow only source addresses within the 9.0.0.0/8 prefix.
- Problems with special cases, for example mobile IP.
- Addresses within the same prefix can still be spoofed.
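The "router 2" rule from this slide as a small ingress filter, including the limitation the last bullet names. This is an added example, not code from the slides or from RFC 2267; the filter class, the customer prefix 9.0.0.0/8 taken from the slide, and the sample packets are constructed.

```python
"""Ingress filter in the style of RFC 2267 (added example, not the slides' or
the RFC's code). 'router 2' forwards a packet arriving from the customer side
only if its source address lies inside a prefix assigned to that customer."""
import ipaddress
from typing import Iterable, List, Tuple

Packet = Tuple[str, str]   # (source address, destination address)


class IngressFilter:
    def __init__(self, allowed_prefixes: Iterable[str]):
        self.allowed = [ipaddress.ip_network(p) for p in allowed_prefixes]

    def accept(self, src: str) -> bool:
        """True if src lies inside one of the customer's prefixes."""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.allowed)

    def filter_batch(self, packets: Iterable[Packet]) -> Tuple[List[Packet], List[Packet]]:
        """Split (src, dst) pairs into forwarded and dropped lists."""
        forwarded: List[Packet] = []
        dropped: List[Packet] = []
        for pkt in packets:
            (forwarded if self.accept(pkt[0]) else dropped).append(pkt)
        return forwarded, dropped


# constructed sample: the customer behind router 2 owns 9.0.0.0/8, as on the slide
ROUTER2 = IngressFilter(["9.0.0.0/8"])
SAMPLE_PACKETS: List[Packet] = [
    ("9.1.2.3", "198.51.100.10"),    # legitimate source inside the prefix
    ("10.0.0.1", "198.51.100.10"),   # randomly spoofed, outside the prefix: dropped
    ("192.0.2.7", "198.51.100.10"),  # randomly spoofed, outside the prefix: dropped
    ("9.200.1.1", "198.51.100.10"),  # subnet-spoofed: inside the prefix, still passes
]


def demo() -> Tuple[List[Packet], List[Packet]]:
    return ROUTER2.filter_batch(SAMPLE_PACKETS)


if __name__ == "__main__":
    forwarded, dropped = demo()
    print("forwarded:", forwarded)
    print("dropped:", dropped)
```

The two randomly spoofed packets are dropped at the edge, but the subnet-spoofed 9.200.1.1 is forwarded: an ingress filter limits spoofing to the customer's own prefix, which is exactly why the taxonomy lists subnet spoofing as "hard to detect".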
D-WARD
- Monitors each peer in both directions.
- Keeps per-flow statistics.
- Compares to "normal traffic" models.
- Detects anomalies.
- Throttles malicious users.
Client Puzzles: Intuition
Mr. Smith: "Table for four at 8 o'clock. Name of Mr. Smith."
Restaurateur: "Please solve this puzzle." [puzzle]
Mr. Smith: "O.K., O.K."
Intuition
Suppose:
- A puzzle takes an hour to solve
- There are 40 tables in the restaurant
- Reserve at most one day in advance
A legitimate patron can easily reserve a table, but:
Intuition
[puzzle, puzzle, puzzle, …] A would-be saboteur has too many puzzles to solve
The Client Puzzle Protocol
Client → Server: service request R
Server (buffer) → Client: O.K.
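The restaurant intuition and the request/O.K. exchange on the preceding slides, worked through as a hash-based client puzzle. This is an added example, not code from the slides or from the client-puzzle authors; the leading-zero-bits criterion, the stateless HMAC-derived nonce, the server secret and the reservation request are my assumptions. The point it makes is the asymmetry: the client does about 2^difficulty hash operations per request, the server does one HMAC and one hash, and no buffer is allocated until a solution checks out.

```python
"""Hash-based client puzzle (added example; not the slides' or the original
authors' code). The server keeps no per-request state: the puzzle nonce is an
HMAC over the request, the difficulty and a time period, recomputed when the
solution comes back, so unsolved puzzles cost the server nothing. That is
what protects the connection buffer from a flood of unfinished requests."""
import hashlib
import hmac


def make_puzzle(server_secret: bytes, request: bytes, difficulty: int, period: int) -> bytes:
    """Server side: derive a 16-byte nonce bound to the request, the required
    difficulty and the current period (periods make old puzzles expire)."""
    msg = request + bytes([difficulty]) + period.to_bytes(8, "big")
    return hmac.new(server_secret, msg, hashlib.sha256).digest()[:16]


def _leading_zero_bits_ok(nonce: bytes, solution: int, difficulty: int) -> bool:
    """A solution is valid when SHA-256(nonce || solution) starts with
    `difficulty` zero bits (assumed puzzle criterion)."""
    digest = hashlib.sha256(nonce + solution.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - difficulty) == 0


def solve_puzzle(nonce: bytes, difficulty: int) -> int:
    """Client side: brute force, about 2^difficulty hashes on average."""
    solution = 0
    while not _leading_zero_bits_ok(nonce, solution, difficulty):
        solution += 1
    return solution


def verify_solution(server_secret: bytes, request: bytes, difficulty: int,
                    period: int, solution: int) -> bool:
    """Server side: one HMAC plus one hash, however long the client worked."""
    nonce = make_puzzle(server_secret, request, difficulty, period)
    return _leading_zero_bits_ok(nonce, solution, difficulty)


def run_protocol(difficulty: int = 16):
    """Full exchange with constructed values: request R -> puzzle -> solution -> O.K.
    Returns (accepted, wrong_solution_rejected, stale_period_rejected)."""
    secret = b"constructed-server-secret-for-demo"   # constructed, not a real key
    request = b"GET /reserve?table=4&time=20:00"     # the slide's 'table for four at 8'
    period = 1
    nonce = make_puzzle(secret, request, difficulty, period)      # server -> client
    solution = solve_puzzle(nonce, difficulty)                      # client works
    accepted = verify_solution(secret, request, difficulty, period, solution)
    wrong_rejected = not verify_solution(secret, request, difficulty, period, solution + 1)
    stale_rejected = not verify_solution(secret, request, difficulty, period + 1, solution)
    return accepted, wrong_rejected, stale_rejected


if __name__ == "__main__":
    print(run_protocol())   # expected (True, True, True)
```

Raising `difficulty` by one doubles the client's work while the server's verification cost stays constant, which is the knob a server under load would turn; binding the nonce to the period means a solved puzzle cannot be replayed once the period rolls over.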
IP Traceback
- The ability to trace IP packets to their origin.
- IP spoofing
- Ingress filtering prevents IP address manipulation
  - Not fully enforced, due to political and technical reasons.
  - Some ISPs refuse to install inbound filters to prevent source-address spoofing.
IP Traceback Approaches
- Reactive: initiate the traceback process in response to an attack
  - e.g. input debugging and controlled flooding
  - Must be completed while the attack is active; ineffective once the attack ceases
  - Requires a large degree of ISP cooperation: extensive administrative burden, difficult legal and policy issues.
Input debugging: figure from “IP Traceback: A New Denial-of-Service Deterrent?”, H. Aljifri, IEEE Security & Privacy, 2003.
Proactive IP Traceback
- Record tracing measures as packets are routed through the network.
- Traceback data are used for attack path reconstruction and subsequent attacker identification.
- Techniques:
  - Logging
  - Messaging
  - Packet marking
Logging
- Log packets at key routers throughout the Internet and then use data-mining techniques to extract information about the attack traffic's source.
- A huge amount of processing and storage power is needed to store the logs.
- Need to save and share information among ISPs: logistical and legal problems, as well as privacy concerns.
How to reduce the resource demand?
- Probabilistic sampling of the packet stream and compression.
  - SPIE (Source Path Isolation Engine), A. Snoeren et al.: makes use of Bloom filters to store a hash digest of only the relevant invariant portions of a packet.
- Overlay network of sensors, tracing agents and managing agents.
  - Selectively log traffic – after an attack is recognized.
  - Log only certain relevant characteristics.
  - Increased speed and less storage.
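The SPIE idea on this slide, reduced to its core: a router records a digest of each packet's invariant bytes in a Bloom filter, and a traceback query later asks "did this packet pass here?". This is an added example, not code from the slides or from Snoeren et al.; which header bytes are masked (TOS, TTL, checksum), the 8 payload bytes, the filter size and the sample packets are my assumptions and constructed values.

```python
"""SPIE-style packet digesting with a Bloom filter (added example; not the
slides' or Snoeren et al.'s code). The digest covers the IPv4 header with the
mutable TOS, TTL and checksum bytes zeroed, plus the first 8 payload bytes, so
one packet hashes identically at every router on its path while the filter
stores only a few bits per packet instead of the packet itself."""
import hashlib
import struct


def ipv4_packet(src: str, dst: str, ttl: int, proto: int, payload: bytes, ident: int = 0x1234) -> bytes:
    """Constructed test data: minimal 20-byte IPv4 header (checksum left 0) + payload."""
    def ip(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    total = 20 + len(payload)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, ident, 0, ttl, proto, 0, ip(src), ip(dst)) + payload


def invariant_digest_input(packet: bytes) -> bytes:
    """Header with TOS (byte 1), TTL (byte 8) and checksum (bytes 10-11) masked,
    followed by the first 8 payload bytes (assumed SPIE-like field choice)."""
    hdr = bytearray(packet[:20])
    hdr[1] = 0
    hdr[8] = 0
    hdr[10:12] = b"\x00\x00"
    return bytes(hdr) + packet[20:28]


class PacketDigestFilter:
    """One router's Bloom filter for one time window: m bits, k hash positions."""

    def __init__(self, m_bits: int = 4096, k_hashes: int = 3):
        self.m, self.k = m_bits, k_hashes
        self.bits = bytearray(m_bits // 8)
        self.count = 0

    def _positions(self, packet: bytes):
        data = invariant_digest_input(packet)
        for i in range(self.k):
            h = hashlib.sha256(bytes([i]) + data).digest()   # i salts the k hashes
            yield int.from_bytes(h[:4], "big") % self.m

    def record(self, packet: bytes) -> None:
        for p in self._positions(packet):
            self.bits[p // 8] |= 1 << (p % 8)
        self.count += 1

    def seen(self, packet: bytes) -> bool:
        """Membership query: False is definitive, True may be a false positive."""
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(packet))


def demo():
    router = PacketDigestFilter()
    attack = ipv4_packet("203.0.113.9", "198.51.100.10", ttl=61, proto=17, payload=b"ATTACKPAYLOAD")
    benign = ipv4_packet("192.0.2.5", "198.51.100.10", ttl=61, proto=6, payload=b"GET / HTTP/1.0")
    router.record(attack)
    router.record(benign)
    # the same attack packet as the next hop would see it: TTL decremented
    downstream = ipv4_packet("203.0.113.9", "198.51.100.10", ttl=60, proto=17, payload=b"ATTACKPAYLOAD")
    # a packet this router never forwarded (different payload prefix)
    never_seen = ipv4_packet("203.0.113.9", "198.51.100.10", ttl=61, proto=17, payload=b"OTHERPAYLOAD")
    return router.seen(attack), router.seen(downstream), router.seen(never_seen)


if __name__ == "__main__":
    print(demo())   # expected (True, True, False)
```

The masked fields are what let a victim present a captured packet to every router and get a consistent answer even though TTL and checksum changed hop by hop; the price is the Bloom filter's false-positive rate, which grows with the number of packets recorded per window, so real deployments rotate filters frequently and size them for the link rate.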
ICMP-based traceback: figure from “IP Traceback: A New Denial-of-Service Deterrent?”, H. Aljifri, IEEE Security & Privacy, 2003.
ICMP-based Traceback vs. DDoS
- In a DDoS attack, each zombie contributes only a small amount of the total attack traffic.
- The probability of choosing an attack packet is much smaller than the sampling rate used.
- The victim will probably get many ICMP traceback messages from the closest routers but very few originating near the zombies' machines.
- Intention-driven ICMP traceback: more effective against DDoS.
Packet marking: figure from “IP Traceback: A New Denial-of-Service Deterrent?”, H. Aljifri, IEEE Security & Privacy, 2003.
Packet Marking
- To be effective, packet marking should not increase the packets' size (to avoid additional downstream fragmentation, which would increase network traffic).
- Secure enough to prevent attackers from generating false markings.
- Must work within the existing IP specifications: the specified order and length of fields in an IP header.
- Packet-marking algorithms and associated routers must be fast enough to allow real-time packet marking.
  - Probabilistic packet marking
  - Received widespread attention; active area of research
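Probabilistic packet marking in its edge-sampling form, simulated end to end: routers mark packets with probability p, and the victim chains the collected (start, end, distance) edges back toward the attacker. This is an added example, not code from the slides or from any packet-marking paper; the router names, path, marking probability and the attacker's forged mark are constructed, and the mark is kept as a plain triple rather than being compressed into the IP identification field as a real deployment must to satisfy the "no size increase" requirement above. It also shows what the "false markings" bullet is about: with edge sampling, a mark the attacker fabricates can only surface at a distance of at least the true path length, so it cannot displace the real edges.

```python
"""Probabilistic packet marking, edge-sampling variant (added example; not the
slides' code). Path, router names and probabilities are constructed."""
import random
from typing import Dict, List, Optional, Set, Tuple

Edge = Tuple[Optional[str], Optional[str]]   # (start router, end router)


def mark_at_router(router: str, mark: dict, p: float, rng: random.Random) -> None:
    """Edge sampling: with probability p start a new edge at this router;
    otherwise complete an edge started one hop upstream and count the hop."""
    if rng.random() < p:
        mark["start"], mark["end"], mark["distance"] = router, None, 0
    else:
        if mark["distance"] == 0:
            mark["end"] = router
        mark["distance"] += 1


def simulate(path: List[str], n_packets: int, p: float, seed: int = 7,
             forged_start: Optional[str] = None) -> Dict[int, Set[Edge]]:
    """Send n_packets from the attacker along path (path[0] is nearest the
    attacker, path[-1] nearest the victim) and collect the marks the victim
    receives, keyed by distance. forged_start models an attacker that
    pre-fills the mark fields itself before sending."""
    rng = random.Random(seed)
    marks: Dict[int, Set[Edge]] = {}
    for _ in range(n_packets):
        mark = {"start": forged_start, "end": None, "distance": 0}
        for router in path:
            mark_at_router(router, mark, p, rng)
        if mark["start"] is None:      # never marked: carries no edge information
            continue
        marks.setdefault(mark["distance"], set()).add((mark["start"], mark["end"]))
    return marks


def reconstruct(marks: Dict[int, Set[Edge]]) -> List[str]:
    """Victim side: chain edges outward. The distance-0 edge ends at the victim
    (end is None); the distance-d edge must end at the router that started the
    distance-(d-1) edge. Stops at the first distance with no unique match."""
    path_from_victim: List[str] = []
    expected_end: Optional[str] = None
    d = 0
    while d in marks:
        candidates = [s for (s, e) in marks[d] if e == expected_end]
        if len(candidates) != 1:
            break
        expected_end = candidates[0]
        path_from_victim.append(expected_end)
        d += 1
    return path_from_victim


if __name__ == "__main__":
    path = ["R1", "R2", "R3", "R4"]            # constructed attacker -> victim path
    honest = simulate(path, n_packets=2000, p=0.2)
    print("reconstructed (victim outward):", reconstruct(honest))   # R4, R3, R2, R1
    forged = simulate(path, n_packets=2000, p=0.2, forged_start="FAKE")
    print("forged edge lands at distance", max(forged))              # len(path) = 4
```

With p = 0.2 and four routers the edge nearest the attacker survives in about 10% of packets, so a few thousand packets suffice; the forged (FAKE, R1) edge arrives only at distance 4, after every genuine edge, which is why the victim can trust the reconstruction up to the hop count it can corroborate and must treat anything beyond it as attacker-controlled.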
Discussion
- What is the cost to ISPs of preventing DDoS?
- Law enforcement or homogeneous control?
- Is DDoS an important problem for WINGers?
  - Can be part of iBENCH: Safe & Secure Composition…
  - Can be part of ITM: soft state and sampling of flows?