Distributed Denial of Service Attacks & Defenses Guest Lecture - - PowerPoint PPT Presentation



SLIDE 1

Distributed Denial of Service Attacks & Defenses

Fall 2011

Guest Lecture by: Vamsi Kambhampati

SLIDE 2

Distributed Denial of Service (DDoS)

  • Exhaust resources of a target, or the resources it depends on
  • Resources: CPU, Memory, Bandwidth
– Legitimate clients cannot access the target server
  • Should we care?
– For researchers: interesting problem; difficult to solve.
– For others: monetary loss, infrastructure security.

SLIDE 3

Example: Bandwidth Exhaustion DDoS Attack

[Figure: several attackers and one legitimate client send packets through a congested router toward the destination; attacker packets are dropped at the router, but legitimate packets are also dropped.]

SLIDE 4

Well-behaved and misbehaving flow at router

[Figure: rate (pkts/sec) vs. time at the congested router, showing the legitimate flow and the attacker flow during congestion at the router.]

SLIDE 5

Well-behaved and misbehaving traffic at router

[Figure: rate (pkts/sec) vs. time at the congested router: the misbehaving aggregate gains throughput while the well-behaved aggregate loses throughput.]

SLIDE 6

Well-behaved and misbehaving traffic at destination

[Figure: rate (pkts/sec) vs. time at the destination: well-behaved traffic slows down when the destination requests it; misbehaving traffic does not slow down when the destination requests it.]

SLIDE 7

What is the problem?

  • Well-behaved (i.e., legitimate) traffic follows protocol rules
  • Misbehaving traffic does not follow protocol rules
  • The Internet lacks distributed enforcement of protocol rules

SLIDE 8

Defending DDoS Attacks

  • Filtering
– Ingress filtering, Traceback, Pushback
  • Network capabilities
– Stateless Internet flow filtering (SIFF)
– Traffic validation architecture (TVA)
  • Proof of work
– Congestion puzzles, Defense by offense
  • Location hiding
– Secure overlay services (SOS), i3

SLIDE 9

DDoS defense with traceback

[Figure: traceback: as a packet travels toward the destination, the routers on the path insert edge information into it; the destination constructs the path from the accumulated edge information.]

SLIDE 10

DDoS defense with pushback

[Figure: pushback: the congested router identifies the aggregate responsible for the congestion and pushes filtering of that aggregate back to the upstream contributing router.]

SLIDE 11

Network Capabilities

  • Fundamental change to the Internet, so that a sender must have authorization from the receiver to send traffic
– Receiver decides what traffic it wants to receive or not receive
– Network enforces the receiver's decision

SLIDE 12

Phase 1: Request Capabilities

[Figure: Phase 1: the source sends a SYN request packet toward the destination; each router on the path stamps its pre-capability into the SYN as it passes through.]

SLIDE 13

Pre-Capabilities

  • Cryptographically generated at each router R
– Each router can independently verify its own pre-capability
  • Timestamp + Hash(SrcIP, DstIP, time, Rsecret)
– SrcIP, DstIP tie the capability to a flow
– Rsecret: secret key known only to the router (the same secret is used for all of that router's pre-capabilities)
  • Rsecret is changed twice per timestamp rollover period

SLIDE 14

Phase 2: Authorizing a source

[Figure: Phase 2: the destination returns a host-capability to the source it authorizes; an attacker's SYN request also reaches the destination but is not granted a host-capability.]

SLIDE 15

Host-Capability

  • Cryptographically generated at the destination using the pre-capabilities
  • Timestamp + Hash(pre-capabilities, N, T)
– N is the number of packets authorized per capability
– T is the time period for which the capability is valid
  • Routers track N and T: they count the packets sent under each capability and stop forwarding once N is exceeded or T has elapsed

SLIDE 16

Phase 3: Send Traffic

[Figure: Phase 3: the source sends DATA packets carrying the capability; each router on the path verifies its own pre-capability and the host-capability before forwarding. An attacker's packets carrying a BOGUS capability fail verification.]
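The three phases on slides 13 to 16, worked through as an added example written for this page (it is not the lecture's or TVA's own code). Hash() is instantiated with SHA-256 truncated to 8 bytes, and the router secret is used as an HMAC key rather than as a hashed field; the packet dictionary layout, the verdict names, and the Router, host_capability and run_exchange names are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def _h(*fields):
    # Stand-in for the slides' Hash(): SHA-256 over the concatenated fields,
    # truncated to 8 bytes (tag length is an assumption for this toy model).
    data = "|".join(str(f) for f in fields).encode()
    return hashlib.sha256(data).digest()[:8]


class Router:
    """One on-path router.  Only it knows Rsecret, so only it can produce or
    check its own pre-capability (slide 13)."""

    def __init__(self, name):
        self.name = name
        self.secret = os.urandom(16)      # Rsecret, never leaves the router
        self.sent = {}                    # per-capability packet counters (N)

    def pre_capability(self, src, dst, ts):
        # Timestamp + Hash(SrcIP, DstIP, time, Rsecret); the secret is used as
        # an HMAC key here (assumption), which keeps the same dependencies.
        tag = hmac.new(self.secret, f"{src}|{dst}|{ts}".encode(),
                       hashlib.sha256).digest()[:8]
        return (ts, tag)

    def stamp_request(self, req):
        # Phase 1: append this router's pre-capability to the request packet.
        req["precaps"].append(self.pre_capability(req["src"], req["dst"], req["ts"]))

    def forward_data(self, pkt, now, hop):
        # Phase 3: regenerate the pre-capability from the header fields,
        # recompute the host-capability the destination should have issued
        # for this hop and compare; then enforce the T and N limits.
        ts, n, t = pkt["ts"], pkt["N"], pkt["T"]
        precap = self.pre_capability(pkt["src"], pkt["dst"], ts)
        if not hmac.compare_digest(pkt["caps"][hop], host_capability(precap, n, t)):
            return "DEMOTED"          # invalid capability (slide 17: demoted class)
        if now > ts + t:
            return "EXPIRED"          # capability lifetime T has passed
        key = (pkt["src"], pkt["dst"], ts)
        self.sent[key] = self.sent.get(key, 0) + 1
        if self.sent[key] > n:
            return "EXCEEDED"         # more than N packets under one capability
        return "FORWARDED"


def host_capability(precap, n, t):
    # Phase 2 (at the destination): Hash(pre-capability, N, T).  The timestamp
    # travels separately in the packet header, so only the hash is returned.
    ts, tag = precap
    return _h(ts, tag.hex(), n, t)


def run_exchange(path, src, dst, n, t, now, send_at=None, forge=False):
    """Run phases 1-3 over `path` and return the verdict for each of n+1 data
    packets.  forge=True models an attacker who never obtained a capability
    and stuffs random bytes into the capability field (the BOGUS case)."""
    send_at = now if send_at is None else send_at
    req = {"src": src, "dst": dst, "ts": now, "precaps": []}
    for r in path:                                   # Phase 1: request
        r.stamp_request(req)
    caps = [host_capability(pc, n, t) for pc in req["precaps"]]   # Phase 2
    if forge:
        caps = [os.urandom(8) for _ in caps]
    verdicts = []
    for _ in range(n + 1):                           # Phase 3: send traffic
        pkt = {"src": src, "dst": dst, "ts": now, "caps": caps, "N": n, "T": t}
        verdict = "FORWARDED"
        for hop, r in enumerate(path):
            verdict = r.forward_data(pkt, send_at, hop)
            if verdict != "FORWARDED":
                break
        verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    path = [Router("R1"), Router("R2")]
    print(run_exchange(path, "10.0.0.1", "192.0.2.10", n=3, t=10, now=1000))
    print(run_exchange([Router("R1")], "10.0.0.9", "192.0.2.10", 3, 10, 1000, forge=True))
```

Each router checks only what it can recompute from its own secret and the packet header, so no router needs another router's secret or any per-flow state beyond the N counter; a forged capability fails at the first hop, and the fourth packet under a capability with N = 3 is stopped at the first hop as well.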

SLIDE 17

Traffic Classes

  • Traffic classes
– Request: request packets (such as TCP SYN)
– Regular: packets with valid capabilities
– Demoted: packets with invalid capabilities
– Legacy: packets from hosts that do not use capabilities
  • Separate bandwidth is allocated to regular and request traffic at each router

SLIDE 18

Denial of Capabilities (DoC)

  • Attacker sends a flood of request packets
– Legitimate requests get lost before reaching the destination
  • TVA solution:
– Path identifiers (Pi)

SLIDE 19

Path Identifiers

  • Routers insert Pi bits into request packets
– Kind of like pre-capabilities: stamped by the router, so the sender cannot choose them
  • The next downstream router fair-queues on the Pi bits inserted by upstream routers
– Number of Pi queues = number of upstream routers
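The Pi fair-queuing of slide 19 against the request flood of slide 18, as an added example written for this page (not the lecture's or TVA's code). The request traffic, the upstream router tags "RA" and "RB", the per-round capacity of ten request slots, and the fifo_forward and pi_fair_forward names are all constructed assumptions.

```python
from collections import defaultdict, deque


def make_request_flood():
    # Constructed traffic, worst case for a single FIFO: 100 attacker SYNs that
    # reached this router via upstream router "RA" arrive ahead of 3 legitimate
    # SYNs that reached it via upstream router "RB".  "pi" is the path
    # identifier stamped by the upstream router; the sender cannot choose it.
    flood = [{"pi": "RA", "src": f"198.51.100.{i}", "legit": False} for i in range(100)]
    flood += [{"pi": "RB", "src": f"10.0.0.{i}", "legit": True} for i in range(3)]
    return flood


def fifo_forward(requests, capacity):
    # Baseline (no Pi): one shared queue for request traffic; first arrivals
    # fill the request-class bandwidth and the rest are dropped.
    return list(requests[:capacity])


def pi_fair_forward(requests, capacity):
    # One queue per Pi value, i.e. one per upstream router, served round-robin,
    # so a flood arriving behind one upstream router competes only with itself.
    queues = defaultdict(deque)
    for pkt in requests:
        queues[pkt["pi"]].append(pkt)
    forwarded = []
    while len(forwarded) < capacity and any(queues.values()):
        for q in queues.values():
            if q and len(forwarded) < capacity:
                forwarded.append(q.popleft())
    return forwarded


def legit_count(forwarded):
    # How many legitimate requests survived to reach the destination.
    return sum(1 for p in forwarded if p["legit"])


if __name__ == "__main__":
    flood = make_request_flood()
    print("FIFO:   ", legit_count(fifo_forward(flood, 10)), "legitimate requests forwarded")
    print("Pi fair:", legit_count(pi_fair_forward(flood, 10)), "legitimate requests forwarded")
```

With the same ten request slots, the FIFO forwards none of the three legitimate requests, while the Pi queues forward all three and give the flood only the remaining seven; the number of queues a router needs is the number of distinct Pi values it sees, which is bounded by its number of upstream routers.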

SLIDE 20

Simulation Topology

[Figure: simulation topology: 10 legitimate clients and 1 to 100 attackers share a 10 Mbps, 10 ms bottleneck link toward the destination; the destination and a colluder are each attached over 10 ms links.]

SLIDE 21

Simulation Results (1)

[Figure: legacy traffic floods: without capabilities, legitimate clients suffer as the number of attackers increases; with capabilities in place, legitimate clients are unaffected.]

SLIDE 22

Simulation Results (2)

Request traffic floods

SLIDE 23

Summary

  • DDoS attacks are a major threat to the Internet
  • Capabilities make fundamental changes to the Internet to defend against DDoS attacks
– Sender needs authorization from the receiver to send traffic
  • Capability setup is challenging
– Denial of Capability attacks