Modelling and simulation of a defense strategy to face indirect DDoS flooding attacks (PowerPoint presentation)


SLIDE 1

Modelling and simulation of a defense strategy to face indirect DDoS flooding attacks

  • A. Furfaro, P. Pace, A. Parise, L. Molina Valdiviezo

Università della Calabria, D.I.M.E.S., 87036 Rende (CS), Italy. Email: a.furfaro@unical.it

September 24, 2014

A. Furfaro et al., A defense strategy against indirect DDoS flooding attacks, September 24, 2014, slide 1 / 18

SLIDE 2

Objectives

  • Development of a simulation model enabling the study and analysis of defense techniques against Distributed Denial of Service (DDoS)
  • Extension of the StopIt technique to widen its applicability to more complex DDoS attack scenarios, i.e. shared link congestion

Outline

  • DDoS attacks
  • Defense mechanisms: StopIt, DiffServ
  • A ns-3 simulation model
  • A novel defense technique exploiting StopIt and DiffServ
  • Results
  • Conclusions and future work

SLIDE 3

Distributed Denial of Service (DDoS)

[Figure: © Cisco Systems, Inc.]

  • Cyber security has become a very hot issue due to the large and ever-increasing diffusion of Internet-connected devices
  • DDoS is one of the most sophisticated attack techniques; due to its distributed nature, it is not easy to face
  • DDoS attacks are carried out by a botnet consisting of widely scattered and remotely controlled computers called zombies
  • Zombies send a huge amount of service requests and data traffic to the target victim in order to exhaust its resources

SLIDE 4

DDoS defence mechanisms

[Figure: taxonomy of DDoS defense mechanisms by deployment point along the path from the source AS (source's edge router, access router) through intermediate ASs (ASx, ASy, ASz) to the destination AS (destination's edge router, access router): source-based, network-based, destination-based and hybrid DDoS defense mechanisms.]

Zargar et al.: A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks. IEEE Communications Surveys & Tutorials, 14(4):2046–2069, 2013

Hybrid defence mechanisms are the most effective!

SLIDE 5

Hybrid mechanisms

  • Throttling/filtering and hybrid packet marking: installation, on the victim's side, of a router throttle at upstream routers several hops away, with the aim of limiting the forwarded packet data rate. It only limits the rate of malicious packets.
  • Capability-based: short-term authorization from the receivers by adding specific stamps on their packets. The recipients explicitly authorize the traffic they would like to receive.
  • Active Internet Traffic Filtering (AITF): explicit refusal of traffic identified as undesirable. It needs a bounded amount of filtering resources from participating ISPs.
  • StopIt: see next slides.

SLIDE 6

StopIt operation

[Figure: source AS (ASs) with host Hs, access router Rs and StopIt server SSs; intermediate AS (ASi) with StopIt server SSi; destination AS (ASd) with victim Hd, host Hu, access router Rd and StopIt server SSd. Steps (1) to (5) below are marked on the figure.]

  1. The victim Hd detects the attack and sends a blocking request to its access router Rd.
  2. Rd verifies that the source Hs is really sending data to the server; then it installs a local filter and sends a flow-blocking request to the StopIt server SSd.
  3. SSd forwards the request toward the StopIt server belonging to the source AS by using the BGP protocol.
  4. The StopIt server SSs within the source AS, once it has received the request, notifies the blocking request to its access router Rs.
  5. Finally, the access router of ASd installs the filter to block the flow for a certain period.

SLIDE 7

DiffServ

DiffServ is a coarse-grained, class-based mechanism for traffic management and QoS differentiation.

  • Traffic is first classified by taking into account a specific priority
  • Then it is forwarded according to one of three per-hop behaviour (PHB) mechanisms

PHBs

  • Assured Forwarding (AF): gives assurance of delivery under prescribed and stringent conditions (Premium Service)
  • Expedited Forwarding (EF): dedicated to low-loss, low-latency traffic
  • Default behaviour (BE): typically used for best-effort traffic

SLIDE 8

Modelling with ns-3

Class hierarchy

  • DNSServer models the behaviour (see next slide) of a DNS server able to process up to n requests in parallel
  • StopItServer reproduces the behaviour of a StopIt server
  • AccessRouter implements the router application which is in charge of packet filtering, dispatching of StopIt requests and DiffServ policy enforcement

SLIDE 9

DNS server behaviour

FSA model of the DNS server (states: Available, Busy; initial action: av=RN)

Available state:
  • DNSRequest [av>1] / av--; process(request)  (stays Available)
  • DNSRequest [av==1] / av--; process(request)  (goes to Busy)
  • endProcess / av++

Busy state:
  • DNSRequest [!bufferFull] / enqueue(request)
  • DNSRequest [bufferFull] / drop(request)
  • endProcess [bufferEmpty] / av++  (goes to Available)
  • endProcess [!bufferEmpty] / process(dequeue())

The above FSA models the behaviour of a general server having RN resources and a limited buffer capacity for storing pending requests. It has been implemented by exploiting the State design pattern.
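The FSA above, written out with the State design pattern as an added C++ example (this is not the paper's ns-3 DNSServer class). The class names Server/Available/Busy, the processed/dropped/queuedPeak counters and the simulateBurst() driver are assumptions of this example; process() only counts a request, and the driver fires the endProcess events explicitly instead of scheduling them after a service time as the ns-3 model would. The run in main() uses the slide deck's DNS parameters (8 resources, buffer of 200) under a constructed burst of 230 simultaneous requests, which shows how the bounded buffer turns the excess into drops rather than unbounded queueing.

```cpp
#include <cstddef>
#include <deque>
#include <iostream>

// Added example (not the paper's ns-3 code): the slide's FSA for a server with
// RN resources and a bounded buffer, implemented with the State design pattern.
// Request ids, the stats counters and simulateBurst() are assumptions of this example.

class Server;

class State {
public:
    virtual ~State() = default;
    virtual void onRequest(Server& s, int req) = 0;   // DNSRequest event
    virtual void onEndProcess(Server& s) = 0;         // endProcess event
};

class Available : public State {
public:
    static Available& instance() { static Available st; return st; }
    void onRequest(Server& s, int req) override;
    void onEndProcess(Server& s) override;
};

class Busy : public State {
public:
    static Busy& instance() { static Busy st; return st; }
    void onRequest(Server& s, int req) override;
    void onEndProcess(Server& s) override;
};

class Server {
public:
    Server(int rn, std::size_t cap) : av(rn), cap(cap), state(&Available::instance()) {}
    void request(int req) { state->onRequest(*this, req); }
    void endProcess()     { state->onEndProcess(*this); }
    bool bufferFull() const  { return buffer.size() >= cap; }
    bool isAvailable() const { return state == &Available::instance(); }
    // In the ns-3 model process() would schedule an endProcess event after the
    // service time; here it only counts, and the driver fires endProcess itself.
    void process(int) { ++processed; }

    int av;                   // free resources, initialised to RN (av=RN)
    std::size_t cap;          // buffer capacity for pending requests
    std::deque<int> buffer;   // pending requests
    State* state;
    int processed = 0, dropped = 0;
    std::size_t queuedPeak = 0;
};

// Available: DNSRequest [av>1]  / av--; process(request)   (stay Available)
//            DNSRequest [av==1] / av--; process(request)   (go Busy)
void Available::onRequest(Server& s, int req) {
    --s.av;
    s.process(req);
    if (s.av == 0) s.state = &Busy::instance();
}
// Available: endProcess / av++
void Available::onEndProcess(Server& s) { ++s.av; }

// Busy: DNSRequest [!bufferFull] / enqueue(request); DNSRequest [bufferFull] / drop(request)
void Busy::onRequest(Server& s, int req) {
    if (s.bufferFull()) { ++s.dropped; return; }
    s.buffer.push_back(req);
    if (s.buffer.size() > s.queuedPeak) s.queuedPeak = s.buffer.size();
}
// Busy: endProcess [bufferEmpty] / av++ (go Available); endProcess [!bufferEmpty] / process(dequeue())
void Busy::onEndProcess(Server& s) {
    if (s.buffer.empty()) { ++s.av; s.state = &Available::instance(); return; }
    int next = s.buffer.front();
    s.buffer.pop_front();
    s.process(next);
}

struct BurstResult { int processed; int dropped; std::size_t queuedPeak; };

// Fire n requests at once (a flood arriving faster than the service time), then
// let every in-flight request finish until all RN resources are free again.
BurstResult simulateBurst(int rn, std::size_t cap, int n) {
    Server s(rn, cap);
    for (int i = 0; i < n; ++i) s.request(i);
    while (!s.isAvailable() || s.av < rn) s.endProcess();
    return {s.processed, s.dropped, s.queuedPeak};
}

int main() {
    // Constructed input: the slide's DNS parameters (8 resources, buffer 200) under a burst of 230 requests.
    BurstResult r = simulateBurst(8, 200, 230);
    std::cout << "processed=" << r.processed << " dropped=" << r.dropped
              << " peak queue=" << r.queuedPeak << '\n';
}
```

With 8 resources and a 200-entry buffer, a burst of 230 requests yields 208 processed, 22 dropped and a peak queue of 200: the first 8 requests take the resources, the next 200 fill the buffer and the remainder is dropped by the Busy state, which is exactly the saturation the direct-flooding scenario on slide 12 relies on the detector to notice.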

SLIDE 10

Simulation Scenario

Network topology

[Figure: source ASs ASs0 ... ASsj ... ASsk ... ASsn, each with its access router Rsi and StopIt server SSi, connected through an intermediate network to the victim's AS ASd, which contains the access router Rd, the StopIt server SSd, the victim Hd and the host Hu on the shared link Ld.]

  • First zone: 10 ASs, 50 hosts each, contains traffic sources (50% corrupted)
  • Second zone: intermediate network
  • Third zone: victim's AS

SLIDE 11

Simulation Parameters

Traffic sources
  • 24 VoIP sources (iLBC mode 30 codec at 13.33 kbps) [AF]
  • 230 HTTP sources [BE]
  • 230 DNS clients (50% malicious) [BE]

Links
  • Bandwidth: 10 Mbps
  • Delay: 1 ms

DNS service
  • Resources: 8
  • Buffer size: 200
  • Mean service time: 5 ms

Legal DNS traffic
  • Packet size: 26 bytes
  • Packet rate: 1 pkt/s

Malicious traffic
  • Packet size: 78 bytes
  • Packet rate: 100 pkt/s

SLIDE 12

Direct Flooding Attack

[Figure: (a) Direct DNS DDoS attack, with DNS, VoIP, HTTP and total traffic over time; (b) detail of legal requests and DDoS traffic at the DNS server.]

  • The attack begins at t = 20 s and is detected at t = 23 s
  • After the filters are installed, the botnet traffic is blocked
  • VoIP traffic is unaffected thanks to DiffServ

SLIDE 13

Shared Link Flooding Attack (StopIt only)

[Figure: StopIt only: DNS, VoIP, HTTP, total and DDoS traffic over time.]

  • StopIt is not able to face the attack
  • VoIP traffic is unaffected
  • In this scenario the attack is achieved by flooding the host Hu, which is in the same AS as the victim Hd
  • The bandwidth of the link shared by Hu, Hd and the other hosts of the same AS is exhausted by the attack
  • Hd observes a drastic decrease in the number of received requests

SLIDE 14

StopIt and DiffServ cooperation (1)

Assumptions

  • At least one StopIt server is present within each AS;
  • Each AS corresponds to a DiffServ domain;
  • In each DiffServ domain, the packets coming from the StopIt server are managed through the highest-priority Assured Forwarding (AF) queue;
  • The DiffServ system is able to install new Service Level Agreements (SLAs) at run time;
  • The server Hd experiencing a performance degradation is able to detect anomalous traffic conditions by using a specific detection algorithm.

SLIDE 15

StopIt and DiffServ cooperation (2)

Once the server Hd detects a decrease in its performance, mostly due to traffic anomalies, it activates the joint StopIt-DiffServ defense mechanism by executing the following steps:

  1. Hd sends a temporary DiffServ activation request toward the access router Rd within its AS;
  2. Rd forwards the request to the StopIt server after filling the packet with the information about all the interfaces connected to the AS;
  3. The StopIt server installs the specific SLA for a certain time Tb, then it decreases the hop limit field by one and forwards the request to all the neighbour ASs;
  4. The other StopIt servers, once they have received the request packet, repeat the actions from point 2 until the hop limit field reaches zero.
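The hop-limited propagation of steps 1 to 4, as an added C++ example that is not the paper's ns-3 StopItServer code. AsGraph, ActivationRequest, InstalledSla, sampleTopology() and their field names are assumptions of this example, and so are two details the slide leaves open: a StopIt server is taken to install the SLA on receipt and to forward only while the decremented hop limit is still positive, and a server that already holds the SLA is taken to ignore duplicate copies, which is what makes the flood terminate when the AS graph contains cycles. The constructed topology is a chain ASd, AS1, AS2, AS3 with a shortcut link AS1-AS3.

```cpp
#include <deque>
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <utility>

// Added example (not the paper's ns-3 code): hop-limited propagation of the temporary
// DiffServ activation request across StopIt servers, following steps 1-4 of the slide.
// AsGraph, ActivationRequest and the field names are assumptions of this example.

struct ActivationRequest {
    std::string victim;   // Hd, the server that detected the performance decrease
    int hopLimit;         // hop limit field, decremented by one at each StopIt server
    double tb;            // Tb: how long the temporary SLA stays installed (seconds)
};

struct InstalledSla {
    std::string victim;
    double expiresAt;     // simulation time at which the StopIt server removes the SLA
};

class AsGraph {
public:
    // Undirected peering link between two ASs (each one has its own StopIt server).
    void addLink(const std::string& a, const std::string& b) {
        adj_[a].insert(b);
        adj_[b].insert(a);
    }

    // Steps 1-2 are local to the victim's AS (Hd -> Rd -> StopIt server). From there,
    // every StopIt server performs step 3 (install the SLA for Tb, decrement the hop
    // limit, forward to all neighbour ASs) and the neighbours repeat the actions from
    // point 2 until the hop limit field reaches zero. Assumption: a server installs on
    // receipt and forwards only while the decremented hop limit is still positive.
    std::map<std::string, InstalledSla> activate(const std::string& victimAs,
                                                 const ActivationRequest& req,
                                                 double now) const {
        std::map<std::string, InstalledSla> installed;
        // Breadth-first, so each AS is first reached over a shortest path, i.e. with
        // the largest remaining hop count for that AS.
        std::deque<std::pair<std::string, int>> frontier;
        frontier.push_back({victimAs, req.hopLimit});
        while (!frontier.empty()) {
            std::pair<std::string, int> cur = frontier.front();
            frontier.pop_front();
            // Assumption: a server already holding the SLA ignores duplicate copies,
            // so the flood terminates even when the AS graph contains cycles.
            if (installed.count(cur.first)) continue;
            installed[cur.first] = InstalledSla{req.victim, now + req.tb};
            int remaining = cur.second - 1;
            if (remaining <= 0) continue;   // hop limit field reached zero: no forwarding
            auto it = adj_.find(cur.first);
            if (it == adj_.end()) continue;
            for (const std::string& n : it->second) frontier.push_back({n, remaining});
        }
        return installed;
    }

private:
    std::map<std::string, std::set<std::string>> adj_;
};

// Constructed topology: victim AS "ASd" chained to AS1, AS2, AS3, plus a shortcut AS1-AS3.
AsGraph sampleTopology() {
    AsGraph g;
    g.addLink("ASd", "AS1");
    g.addLink("AS1", "AS2");
    g.addLink("AS2", "AS3");
    g.addLink("AS1", "AS3");
    return g;
}

int main() {
    AsGraph g = sampleTopology();
    for (int hops = 1; hops <= 3; ++hops) {
        std::map<std::string, InstalledSla> r =
            g.activate("ASd", ActivationRequest{"Hd", hops, 60.0}, 100.0);
        std::cout << "hop limit " << hops << ": SLA installed in";
        for (const auto& kv : r)
            std::cout << ' ' << kv.first << " (until t=" << kv.second.expiresAt << ")";
        std::cout << '\n';
    }
}
```

Under the reading assumed here, a hop limit of 1 protects only the victim's AS, a hop limit of 2 reaches its direct neighbours, and a hop limit of 3 reaches AS2 and AS3 (the latter over the shortcut), each SLA expiring at now + Tb. The duplicate check is the part a deployment would want to get right: without it, the AS1-AS2-AS3 cycle would keep the request circulating until the hop limit ran out on every path, multiplying the AF-priority control traffic the assumptions on slide 14 reserve for StopIt messages.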

SLIDE 16

Shared Link Flooding Attack

[Figure, top (StopIt only): DNS, VoIP, HTTP, total and DDoS traffic over time.]

  • StopIt is not able to face the attack
  • VoIP traffic is unaffected

[Figure, bottom (StopIt + DiffServ): DNS, VoIP, HTTP, total and DDoS traffic over time.]

  • The necessary bandwidth for the DNS server is ensured
  • HTTP traffic still remains affected by the DoS

SLIDE 17

Conclusions

  • A ns-3 simulation model for the analysis of DDoS attacks has been implemented
  • A novel defense mechanism based on the cooperation of StopIt and DiffServ has been defined and evaluated
  • The technique overcomes StopIt's limitations in that it is able to cope with indirect DDoS flooding attacks

Future work

  • Devise a better technique for exploiting DiffServ capabilities (e.g. by lowering the priority of flooding traffic)
  • Design suitable detection algorithms able to cooperate with StopIt for blocking malicious sources also in the case of indirect attacks
  • Relax the constraint of the existence of a StopIt server for each AS

SLIDE 18

Questions?