Defense Against Spoofed IP Traffic
Using Hop-Count Filtering
Haining Wang, Member, IEEE, Cheng Jin, and Kang G. Shin, Fellow, IEEE
Expert Systems With Applications, 2008 - Elsevier
Speakers: 羅聖傑 (R96725015), 鄭京恆 (R96725026), 劉俊良 (R96725027)
Prologue
February 2000: Yahoo was hit by a DDoS attack and could not provide service.

Prologue
April 2008: Taiwan's major gaming sites 巴哈姆特 (Bahamut) and 遊戲基地 (GameBase) were paralyzed one after the other by DDoS attacks from mainland Chinese hackers.
Is there really nothing we can do about DDoS?!

Prologue
Of course not, that is completely wrong! Our networking research community is full of experts; how could we be beaten by a mere DDoS? This paper teaches you how to fight DDoS!
Terminology
IP spoofing
A host that has one IP address can, by certain means, rewrite the source IP address of the packets it sends in order to hide its own IP address; this is commonly used in DDoS attacks.
Distributed Denial of Service (DDoS)
Uses many zombie computers to send a large volume of junk packets to a server at the same time; the server is kept busy processing the junk packets and cannot serve legitimate users.
Outline
▪ Introduction
▪ Basic Principles in HCF
▪ Does Hop-Count Filtering Really Work?
▪ Construction of IP2HC Mapping Table
▪ Running States of HCF
▪ Conclusion and Future Work
Introduction
What is the problem? Spoofed IP.
▪ A compromised Internet host can send IP packets with an arbitrary (spoofed) source IP address in the packet header.
▪ Distributed Denial of Service (DDoS); existing defenses are
  ▪ Router-based
  ▪ Host-based
▪ Distributed Reflection Denial of Service (DRDoS)
Introduction (cont.): Defense Mechanisms
Distributed Denial of Service (DDoS)
▪ Router-based approach
  ▪ Installs defense mechanisms inside IP routers
  ▪ Requires coordination among different routers and networks, and wide-spread deployment
▪ Host-based approach
  ▪ Sophisticated resource management
  ▪ Reduces the resource consumption of each request
  ▪ Most work is at the transport layer
Introduction (cont.): Defense Mechanisms (Drawbacks)
Distributed Denial of Service (DDoS)
▪ Router-based approach
  ▪ Needs not only router support but also wide deployment
▪ Host-based approach
  ▪ Most work is at the transport layer, so it cannot stop spoofed packets from consuming CPU resources before they are rejected
Introduction (cont.)
Without detecting and discarding spoofed IP traffic at the very beginning, spoofed packets share the same resource principals and code paths as legitimate requests.
The ability to detect and filter spoofed packets at the IP layer, without router support, is essential to protect against DDoS.
Introduction (cont.)
Hop-Count Filtering: Goal
▪ A light-weight scheme
▪ Without using any cryptographic methodology or router support
▪ Screens out most bogus traffic
Introduction (cont.)
Hop-Count Filtering: Fundamental Idea
Utilize inherent network information that
1. each packet carries, and
2. an attacker cannot easily forge:
▪ the number of hops! (derived indirectly from the Time-to-Live, TTL, field)
Introduction (cont.): Hop-Count Filtering, Fundamental Idea
Hop-Count (number of hops): most randomly spoofed IP packets, when they arrive at the victim, do not carry hop-count values that are consistent with the spoofed source IP address.
Hop-Count Filtering uses an IP-to-Hop-Count (IP2HC) table.
Introduction (cont.)
Hop-Count Filtering (HCF): Two running states!
▪ 1. Learning
  ▪ Learn and train the IP2HC table
  ▪ Under normal conditions, HCF stays here
  ▪ Does not discard any packet, so no collateral damage
▪ 2. Filtering
  ▪ Switches here when an attack is detected
  ▪ Discards any packet with a mismatching hop-count
Basic Principles in HCF (A.)
A. Hop-Count Computation
The hop-count is derived from the 8-bit IP header field TTL:
Hop-Count = Initial TTL - Final TTL.
The destination only sees the final TTL value, but most initial (OS default) TTL values are far apart:
▪ 30, 32, 60, 64, 128, 255
Few Internet hosts are more than 30 hops apart.
How to decide the initial TTL value?
▪ The closest one: the smallest default initial TTL that is larger than the observed final TTL.
Drawback?
▪ A host with an "odd" initial TTL value (one not in the list above) may be incorrectly identified as spoofed.
Basic Principles in HCF (B.)
B. Capturing Legitimate Hop-Count Values
In order to maintain an accurate IP2HC table:
▪ Capture only valid hop-count mappings
▪ Capture only legitimate changes
▪ Foil any attempt to slowly pollute the IP2HC table
▪ The IP2HC table should be updated only by packets belonging to TCP connections in the established state (a spoofer cannot complete the three-way handshake).
▪ A user-configurable parameter k adjusts the frequency of updates.
Basic Principles in HCF (C.)
C. Inspection and Validation Algorithm
For each packet:
    extract the final TTL Tf and the source IP address S;
    infer the initial TTL Ti;
    compute the hop-count Hc = Ti - Tf;
    index S to get the stored hop-count Hs;
    if (Hc != Hs) the packet is spoofed;
    else the packet is legitimate;
Does HCF Really Work??
The feasibility of HCF hinges on four factors:
1. diversity of hop-count values
2. effectiveness in detecting spoofed packets
3. robustness against evasions
4. stability of hop-counts
Does HCF Really Work?? (1.)
1. Diversity of Hop-Count Distribution
A good hop-count distribution should have two properties:
▪ 1. Symmetric around the mean value
  ▪ Takes advantage of the full range of hop-counts
▪ 2. Reasonably diverse over the entire range
  ▪ Helps maximize the effectiveness of HCF
Does HCF Really Work?? (1.) cont.
1. Diversity of Hop-Count Distribution
Uses the raw traceroute data from 47 different traceroute gateways.
Does HCF Really Work?? (1.) cont.
1. Diversity of Hop-Count Distribution
Gaussian (bell-shaped) distributions are found.
[Figures: CDF of the means of the hop-count distributions; CDF of the standard deviations of the hop-count distributions]
The larger σ is, the more diverse the hop-count distribution, and the more effective HCF will be!
Does HCF Really Work?? (2.)
2. Effectiveness of HCF Against Simple Attacks
What fraction of spoofed IP packets can be detected by the proposed HCF?
Assumptions:
▪ Potential victim servers know the complete mapping between client IP addresses and hop-counts
▪ The attacker evenly divides the flooding traffic among the flooding sources
▪ Most of the available DDoS attack tools do not alter the initial TTL value of packets
Does HCF Really Work?? (2.) cont.
2. Effectiveness of HCF Against Simple Attacks: two scenarios!
▪ Single Flooding Source
▪ Multiple Flooding Sources
Does HCF Really Work?? (2.) cont.
2. Effectiveness of HCF Against Simple Attacks
1. Single Flooding Source -> every spoofed packet carries the same hop-count h (the zombie's own).
Let α_h be the fraction of the spoofed source IP addresses whose stored hop-count is h. The fraction of spoofed packets that cannot be detected is α_h, and the fraction identified and discarded by HCF is (1 - α_h).
The paper reports about 90% detection: HCF is highly effective against a single attacking source!!
Does HCF Really Work?? (2.) cont.
2. Effectiveness of HCF Against Simple Attacks: n flooding sources, F packets in total
Each source i sends F/n packets, all carrying its own hop-count h_i, so the undetected fraction is (1/n) Σ_i α_{h_i}, an average of the single-source values.
Adding more flooding sources does not diminish the ability of HCF to identify spoofed IP packets!!
Does HCF Really Work?? (3.)
3. Robustness Against HCF-Aware Attackers: 1. Randomization of the Initial TTL
▪ Randomizing the initial TTL value creates an illusion of attacking packets having many different hop-count values
▪ Randomize over the range Ir = [Id + hz - 30, Id + hz - 1]
  ▪ Id: default initial TTL, hz: hop-count from the source (zombie) to the victim
  ▪ The final TTL value Tv = Ir - hz then follows the same random distribution R, and the victim computes hop-counts Id - Tv spread over 1..30
Does HCF Really Work?? (3.) cont.
3. Robustness Against HCF-Aware Attackers: 1. Randomization of the Initial TTL
Two choices of R:
▪ Uniform distribution
▪ Based on the victim's hop-count distribution
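The expected detection fractions of section 2 (single and multiple flooding sources) and section 3 (initial-TTL randomization) carried through on a small example, as an added illustration that is not the paper's analysis code. The hop-count histogram of the client address space is constructed; the model, following the paper's idealization, is that the victim's IP2HC table is complete, the attacker spoofs addresses uniformly over the legitimate clients, and randomizing the initial TTL over Ir amounts to drawing the hop-count the victim sees from a distribution R that is independent of the spoofed address.

```python
"""Expected fraction of spoofed packets that slip past HCF under the attack
models of sections 2 and 3: a single flooding source, n sources, and an
HCF-aware attacker who randomises the initial TTL.
Added example, not the paper's analysis code; the histogram is constructed.

Model (the paper's idealisation): a spoofed packet passes iff the hop-count
the victim computes equals the table entry for the spoofed address.  An attack
is therefore a distribution R over the hop-count the victim sees, and the pass
probability is the sum over h of alpha_h * R(h)."""
from __future__ import annotations

from fractions import Fraction

MAX_HOPS = 30  # range covered by the randomised initial TTL Ir

# Constructed: number of legitimate client addresses at each hop-count.
HC_HISTOGRAM = {10: 5, 12: 20, 14: 30, 16: 25, 18: 15, 20: 5}


def alpha(histogram: dict[int, int]) -> dict[int, Fraction]:
    """alpha_h: fraction of client addresses whose stored hop-count is h."""
    total = sum(histogram.values())
    return {h: Fraction(n, total) for h, n in histogram.items()}


def pass_fraction(alpha_h: dict[int, Fraction], attack: dict[int, Fraction]) -> Fraction:
    """Sum over h of alpha_h * R(h): a packet carrying hop-count h gets through
    only if the address it spoofs really is h hops from the victim."""
    return sum((alpha_h.get(h, Fraction(0)) * p for h, p in attack.items()), Fraction(0))


def single_source(alpha_h: dict[int, Fraction], hz: int) -> Fraction:
    """One zombie hz hops away: every packet carries hz, so alpha_hz passes."""
    return pass_fraction(alpha_h, {hz: Fraction(1)})


def multi_source(alpha_h: dict[int, Fraction], zombie_hops: list[int]) -> Fraction:
    """n zombies sending F/n packets each: (1/n) * sum of alpha_{h_i}."""
    n = len(zombie_hops)
    attack: dict[int, Fraction] = {}
    for h in zombie_hops:
        attack[h] = attack.get(h, Fraction(0)) + Fraction(1, n)
    return pass_fraction(alpha_h, attack)


def uniform_random_ttl(alpha_h: dict[int, Fraction]) -> Fraction:
    """Initial TTL uniform over Ir: the victim sees hop-counts 1..MAX_HOPS
    with equal probability, so at most 1/MAX_HOPS of the packets pass."""
    return pass_fraction(alpha_h, {h: Fraction(1, MAX_HOPS) for h in range(1, MAX_HOPS + 1)})


def distribution_matched(alpha_h: dict[int, Fraction]) -> Fraction:
    """Attacker who knows the victim's hop-count distribution and draws each
    packet's hop-count from it: sum of alpha_h squared."""
    return pass_fraction(alpha_h, alpha_h)


if __name__ == "__main__":
    a = alpha(HC_HISTOGRAM)
    for name, undetected in [
        ("single source at 14 hops", single_source(a, 14)),
        ("three sources at 12/14/16 hops", multi_source(a, [12, 14, 16])),
        ("uniform random initial TTL", uniform_random_ttl(a)),
        ("distribution-matched random TTL", distribution_matched(a)),
    ]:
        print(f"{name}: {float(1 - undetected):.1%} of spoofed packets discarded")
```

On this data a single zombie that happens to sit at the most common distance (14 hops) gets 30% of its packets through, uniform randomization only 1/30, and even an attacker who matches the victim's distribution exactly gets Σ α_h² = 22%, less than the best single source. This is the paper's point: randomizing the initial TTL does not help the attacker.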
Does HCF Really Work?? (3.) cont.
3. Robustness Against HCF-Aware Attackers: 2. Learning of Hop-Count Values (set an appropriate initial TTL value for each spoofed packet)
▪ hz: hop-count from the zombie to the victim; hs: hop-count from the spoofed IP address to the victim
▪ Learning hz for "a" zombie is easy (by using traceroute), but for "n" zombies?
▪ Learning hs? The attacker has to build a priori an IP2HC table that covers the "entire" spoofed IP address space
Does HCF Really Work?? (4.)
4. Hop-Count Stability
The stability of the hop-count between the server and its clients is "crucial" for HCF's accuracy and effectiveness.
Frequent changes lead to excessive mapping updates and enlarge the damage from out-of-date mappings.
So... is the current Internet stable?
Does HCF Really Work?? (4.) cont.
4. Hop-Count Stability
According to studies on end-to-end routing stability:
▪ Internet paths were found to be dominated by a few prevalent routes
▪ About 2/3 of Internet paths were observed to have routes persisting for either days or weeks
According to observation:
▪ Daily traceroute measurements at ten-minute intervals among 113 sites, from Jan 1 to April 30, 2003 -> 95% of the paths had fewer than 5 observable daily changes
According to recent Internet experiments:
▪ A large fraction of destination prefixes have remarkably stable BGP routes
▪ Popular prefixes tend to have stable BGP routes for days or weeks
▪ The vast majority of BGP instability stems from a small number of unpopular destinations
It is reasonable to expect hop-counts to be stable in the Internet. Also, the proposed filter contains a dynamic update procedure to track hop-count changes.
Construction of IP2HC Mapping Table
We know that HCF can remove nearly 90% of spoofed traffic given an accurate mapping between IP addresses and hop-counts. Thus, building an accurate IP2HC mapping table is critical. Our objectives in building the table are:
1) accurate IP2HC mapping
2) up-to-date IP2HC mapping
3) moderate storage requirement
Construction of IP2HC Mapping Table (cont.)
IP Address Aggregation
▪ Aggregation Techniques
▪ Evaluation of Filtering Accuracy
Table Initialization and Update
▪ Initialization and Addition of New Entries
▪ Updating Hop-Counts
Hop-Count Ambiguity Caused by NATs
IP Address Aggregation
Ideally, the IP2HC mapping table has one entry for each valid IP address.
But this would consume a very large amount of memory.
So, we use IP address aggregation.
Aggregation Techniques
Aggregate hosts according to address prefix, especially the 24-bit address prefix.
Using an array with a one-byte hop-count entry per 24-bit network prefix, the storage requirement is 2^24 bytes, or 16 MB.
But IP addresses within one 24-bit prefix may be allocated to different physical networks, and then they do not have identical hop-counts.
Aggregation Techniques (cont.)
To obtain a more accurate IP2HC mapping, one can further divide the IP addresses within each 24-bit prefix into smaller clusters based on hop-count.
Using a binary tree (one level per address bit), we can easily cluster IP addresses: a subtree whose addresses all share one hop-count becomes a single prefix entry.
In our test, we were able to aggregate 11 /17 IP addresses into four network prefixes.
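The binary-tree clustering inside a 24-bit prefix, as an added Python example (not the paper's code). The learned (address, hop-count) pairs are constructed; the rule that an address never seen inherits the hop-count of the smallest cluster containing it, and the majority vote used for the plain 24-bit table it is compared against, are this example's assumptions.

```python
"""Clustering-based IP2HC aggregation: within each 24-bit prefix, split the
address space along the binary (bit) tree until every leaf prefix holds
addresses with a single hop-count.  Added example, not the paper's code;
the (address, hop-count) pairs below are constructed."""
from __future__ import annotations

import ipaddress
from collections import Counter

Addr = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Constructed: hop-counts learned from established TCP connections.
LEARNED = {
    "198.51.100.10": 12, "198.51.100.20": 12,                          # one physical network
    "198.51.100.130": 15, "198.51.100.140": 15, "198.51.100.200": 15,  # another, 15 hops away
    "198.51.100.201": 9,                                               # a stray host elsewhere
    "203.0.113.5": 7, "203.0.113.9": 7,                                # a uniform /24
}


def _cluster(net: Net, hosts: list[tuple[Addr, int]]) -> list[tuple[Net, int]]:
    """Recursive binary-tree split: a subtree whose hosts agree on the
    hop-count becomes one prefix entry; otherwise descend one more bit."""
    hcs = {hc for _, hc in hosts}
    if len(hcs) == 1:
        return [(net, hcs.pop())]
    entries = []
    for sub in net.subnets(prefixlen_diff=1):
        members = [(a, hc) for a, hc in hosts if a in sub]
        if members:  # empty sibling subtrees get no entry
            entries.extend(_cluster(sub, members))
    return entries


def build_ip2hc(learned: dict[str, int]) -> dict[Net, int]:
    """Group by /24, then cluster inside each /24."""
    by24: dict[Net, list[tuple[Addr, int]]] = {}
    for ip, hc in learned.items():
        addr = Addr(ip)
        by24.setdefault(Net((addr, 24), strict=False), []).append((addr, hc))
    table: dict[Net, int] = {}
    for net, hosts in by24.items():
        table.update(_cluster(net, hosts))
    return table


def strict24(learned: dict[str, int]) -> dict[Net, int]:
    """Plain 24-bit aggregation: one entry per /24 holding its most common
    hop-count (majority vote is this example's choice)."""
    votes: dict[Net, Counter] = {}
    for ip, hc in learned.items():
        votes.setdefault(Net((Addr(ip), 24), strict=False), Counter())[hc] += 1
    return {net: c.most_common(1)[0][0] for net, c in votes.items()}


def lookup(table: dict[Net, int], ip: str) -> int | None:
    """Longest-prefix match; None for address space never learned."""
    addr = Addr(ip)
    matches = [net for net in table if addr in net]
    return table[max(matches, key=lambda n: n.prefixlen)] if matches else None


def false_positives(table: dict[Net, int], learned: dict[str, int]) -> int:
    """Legitimate clients whose true hop-count disagrees with the table,
    i.e. clients the filter would wrongly drop."""
    return sum(lookup(table, ip) != hc for ip, hc in learned.items())


def as_list(table: dict[Net, int]) -> list[tuple[str, int]]:
    return [(str(net), hc) for net, hc in sorted(table.items())]


if __name__ == "__main__":
    clustered, flat = build_ip2hc(LEARNED), strict24(LEARNED)
    print(len(flat), "entries (24-bit), false positives:", false_positives(flat, LEARNED))
    print(len(clustered), "entries (clustered), false positives:", false_positives(clustered, LEARNED))
    for prefix, hc in as_list(clustered):
        print(f"  {prefix:22} -> {hc} hops")
```

On this input the first /24 becomes four entries (a /25, a /26 and two /32s), matching the figure's "four network prefixes", with no false positives, whereas the plain 24-bit table has two entries but would drop three legitimate clients, and a 32-bit strict table would need eight.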
Evaluation of Filtering Accuracy
We assume that the attacker generates packets by randomly selecting source IP addresses among the legitimate clients.
We further assume that the attacker knows the general hop-count distribution for each web server and uses it to randomly generate a hop-count for each spoofed packet.
Evaluation of Filtering Accuracy (cont.)
We use two metrics:
False Positives
▪ Legitimate client IP addresses that are incorrectly identified as spoofed
False Negatives
▪ Spoofed IP addresses that go undetected by HCF
A good aggregation method should minimize both.
Evaluation of Filtering Accuracy (cont.)
[Figures: test results for the 47 traceroute gateways]
Evaluation of Filtering Accuracy (cont.)
Clustering-based filtering has nearly identical performance to 32-bit strict filtering.
Clustering-based filtering increases the number of entries by no more than 20%.
32-bit strict filtering increases the number of entries by at least 67%.
Table Initialization and Update
Initialization and Addition of New Entries
▪ The initial collection period should be long enough to ensure good filtering accuracy.
Updating Hop-Counts
▪ The IP2HC table is updated only by packets from established TCP connections.
▪ Re-clustering is complex, but should have a relatively small impact on system performance.
Hop-Count Ambiguity Caused by NATs
What is NAT (Network Address Translation)?
How does it lower the IP2HC mapping accuracy? Hosts behind one NAT box share a single public IP address but may be different numbers of hops from the server (and may run OSes with different default TTLs), so one address can legitimately show several hop-counts.
But NAT automatically prevents the zombies behind NAT boxes from IP spoofing.
Remedy: have NAT boxes reset the TTL value of each outgoing IP packet to a default initial TTL.
Running States of HCF
Tasks in the two states:
Learning state
▪ sample incoming packets for hop-count inspection
▪ maintain the spoofed-packet counter
▪ update the IP2HC mapping table
Filtering state
▪ must examine every packet (instead of sampling only a subset of packets)
▪ discards spoofed packets
Running States of HCF (cont.)
HCF should not alternate between the learning and filtering states when the spoofed-packet count t fluctuates around the threshold T1.
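The two running states as a small state machine, added here as an example rather than code from the paper. The slides name only the upper threshold T1; the lower threshold T2 < T1 for leaving the filtering state (the hysteresis that stops the filter from flapping when the count hovers around T1), the fixed-size packet window over which the counter is evaluated, the 1-in-k sampling rate in the learning state, and the decision not to count addresses missing from the table are all assumptions of this example. Hop-counts are passed in already computed so the example stays focused on the state logic; the addresses and hop-counts are constructed.

```python
"""Learning / filtering state machine of HCF with a hysteresis band.
Added example, not the paper's code.  T2 < T1, the packet window, the
sampling rate and the treatment of unknown addresses are assumptions."""
from __future__ import annotations

from enum import Enum


class State(Enum):
    LEARNING = "learning"
    FILTERING = "filtering"


class HCFStateMachine:
    def __init__(self, ip2hc: dict[str, int], t1: int, t2: int,
                 window: int, sample_every: int) -> None:
        if not 0 <= t2 < t1:
            raise ValueError("need T2 < T1 so the counter cannot flap around one threshold")
        self.ip2hc = dict(ip2hc)
        self.t1, self.t2 = t1, t2
        self.window, self.sample_every = window, sample_every
        self.state = State.LEARNING
        self.seen = 0       # packets seen; drives sampling and window boundaries
        self.spoofed = 0    # spoofed-packet counter for the current window
        self.transitions: list[tuple[int, State]] = []

    def _is_spoofed(self, src: str, hc: int) -> bool:
        hs = self.ip2hc.get(src)
        return hs is not None and hs != hc   # unknown addresses are not counted (assumption)

    def process(self, src: str, hc: int, tcp_established: bool = False) -> bool:
        """Handle one packet; return True if it is forwarded."""
        self.seen += 1
        if self.state is State.LEARNING:
            if tcp_established:            # section B: only established TCP updates the table
                self.ip2hc[src] = hc
            if self.seen % self.sample_every == 0 and self._is_spoofed(src, hc):
                self.spoofed += self.sample_every   # scale the sampled count to the full rate
            forwarded = True               # learning never drops: no collateral damage
        else:
            spoofed = self._is_spoofed(src, hc)   # filtering inspects every packet
            self.spoofed += spoofed
            forwarded = not spoofed
        if self.seen % self.window == 0:
            self._end_of_window()
        return forwarded

    def _end_of_window(self) -> None:
        """Enter filtering above T1, leave it only below T2 (hysteresis)."""
        if self.state is State.LEARNING and self.spoofed > self.t1:
            self.state = State.FILTERING
            self.transitions.append((self.seen, self.state))
        elif self.state is State.FILTERING and self.spoofed < self.t2:
            self.state = State.LEARNING
            self.transitions.append((self.seen, self.state))
        self.spoofed = 0


def run(machine: HCFStateMachine, packets: list[tuple[str, int]]) -> int:
    """Feed packets; return how many were dropped."""
    return sum(not machine.process(src, hc) for src, hc in packets)


if __name__ == "__main__":
    m = HCFStateMachine({"198.51.100.7": 12}, t1=6, t2=2, window=10, sample_every=2)
    legit, spoof = ("198.51.100.7", 12), ("198.51.100.7", 3)
    print(run(m, [legit] * 10), m.state)           # 0 dropped, learning
    print(run(m, [spoof] * 10), m.state)           # 0 dropped (still learning), then filtering
    print(run(m, [spoof] * 10), m.state)           # 10 dropped, filtering
    print(run(m, [spoof] + [legit] * 9), m.state)  # 1 dropped, back to learning
    print(m.transitions)
```

With a window in which four of ten packets are spoofed (between T2 and T1), the machine stays in whichever state it is already in: learning forwards everything and filtering keeps dropping the four, which is the no-flapping behaviour the slide asks for.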
Blocking Bandwidth Attacks
To protect server resources such as CPU and memory, HCF can be installed at a server itself or at any network device near the servers.
This scheme alone will not be effective against DDoS attacks that target the bandwidth of a network.
The solution must involve the stub network's ISP.
Blocking Bandwidth Attacks (cont.)
Solution:
▪ The end-hosts maintain the up-to-date HCF table, since only end-hosts can see established TCP connections.
▪ When under attack, install a packet filter based on the HCF table on the ISP's edge router.
▪ Once the HCF table is enabled at the ISP's edge router, most spoofed packets will be intercepted before they reach the stub network's link.
Staying "Alert" to DRDoS Attacks
Distributed Reflection Denial of Service (DRDoS): an attacker forges IP packets that contain legitimate requests, setting the source IP address of these spoofed packets to the actual victim's IP address.
The attacker then sends these spoofed packets to a large number of reflectors, whose replies flood the victim.
HCF at the victim is of no use here: the reflected replies carry the reflectors' genuine source addresses, so their hop-counts match; the spoofed requests themselves could only be filtered by HCF running at the reflectors.
Conclusion
We presented HCF and the IP2HC mapping table. HCF can remove about 90% of spoofed traffic.
HCF is a simple and effective solution for protecting Internet servers against spoofed IP packets, and is readily deployable at end-systems.
HCF is not a complete solution to generic DDoS, but it deprives an attacker of a powerful weapon.
Future Work
We need a systematic procedure for setting the parameters of HCF, such as the frequency of dynamic updates.
We would like to build and deploy HCF at various high-profile server sites to see how effective it is against real spoofed DDoS traffic.
End
Thank You