Designing Protection Mechanisms against DDoS Attacks


National Chiao Tung University

Department of Computer Science and Information Engineering

Doctoral Dissertation

Designing Protection Mechanisms against DDoS Attacks

Student: Fu-Yuan Lee

Advisor: Dr. Shiuhpyng Shieh


Designing Protection Mechanisms against DDoS Attacks

Student: Fu-Yuan Lee

Advisor: Dr. Shiuhpyng Shieh

A Dissertation Submitted to

Department of Computer Science and Information Engineering

College of Electrical Engineering and Computer Science

National Chiao-Tung University

In Partial Fulfillment of the Requirements

for the Degree of

Doctor of Philosophy

in

Computer Science and Information Engineering

May, 2005


Designing Protection Mechanisms against DDoS Attacks

Student: Fu-Yuan Lee    Advisor: Dr. Shiuhpyng Shieh

Department of Computer Science and Information Engineering, National Chiao Tung University

Abstract

With the continuous progress of computer network technology, people's daily lives have become closely tied to computer networks, and at the same time network attacks have become an issue worthy of attention. In recent years, distributed denial-of-service (DDoS) attacks have become the most conspicuous focus among the many network attack incidents. An attacker breaks into a large number of poorly protected computer systems and then uses these compromised systems to launch denial-of-service attacks against network servers. During the attack, users of the server experience noticeable network delay and heavy packet loss, or cannot establish a network connection to the server at all, so the attacker easily achieves the effect of denying service. Conversely, resisting or detecting this type of network attack is very difficult, mainly because of the large number of poorly protected computers on the network, the use of forged network addresses, the high similarity between attack packets and legitimate packets, and the difficulties caused by distributed network administration.

The subject of this dissertation is defense techniques against DDoS attacks. To design suitable and feasible defense mechanisms, we must first understand DDoS attacks in depth. Therefore, in the first part of this dissertation, we present a broad analysis and survey of the causes of DDoS attacks, the types of DDoS attacks and common attack programs. We point out several problems faced when designing defense mechanisms, and give an in-depth introduction to and discussion of the operation and design principles of existing DDoS defense mechanisms.

The second part of this dissertation focuses on the design of DDoS defense mechanisms. We approach countermeasures to this type of network attack from three different angles: victim-end defense, attacker traceback techniques, and attacker-end defense. The victim-end defense system is mainly devoted to detecting network packets with forged source addresses. Since DDoS attack traffic consists mainly of such packets, by identifying and blocking packets with forged source addresses we can filter out attack packets and thereby preserve the server's ability to continue providing service. In addition, because an attacker can forge source addresses arbitrarily, the victim cannot identify the origin of attack packets, and the attacker thereby lowers the risk of being discovered. In order to deter attackers from continuing their attacks, the second research topic of this dissertation is attacker traceback techniques. The traceback technique proposed in this dissertation encodes the network path traversed by an attack packet; the encoded path can be stored in the attack packet itself and arrive at the victim together with the packet, or the path information can be delivered to the victim in a few ICMP packets. The third research topic of this dissertation is a defense technique that confines attack packets to the attacker-end network. This research can prevent attack packets from entering the Internet, thereby reducing the network congestion caused by attack traffic.

The three defense mechanisms proposed in this dissertation help victims filter attack packets, trace attacker addresses, and confine attack packets to the attacker-end network. According to the experimental results, the three systems proposed here perform better than existing defense mechanisms. Furthermore, all three systems can be deployed incrementally in the existing Internet, can coexist with existing router systems, and require only minor modifications to routers to support the proposed defense mechanisms. In other words, the proposed defense mechanisms can be deployed on large network systems and can be regarded as several very important and effective building blocks for constructing DDoS defense mechanisms.

Keywords: network security, intrusion detection and prevention, distributed denial-of-service attacks, forged network addresses (IP spoofing), attack source traceback


Designing Protection Mechanisms against DDoS Attacks

Student: Fu-Yuan Lee

Adviser: Dr. Shiuhpyng Shieh

Department of Computer Science and Information Engineering

National Chiao Tung University

ABSTRACT

The widespread incidence of distributed denial-of-service (DDoS) attacks has highlighted a great demand for effective DDoS countermeasures. Owing to a large number of insecure systems supplying DDoS attackers with abundant attack zombies and the set of easily acquired and deployed DDoS attack tools, malicious users can easily overwhelm Internet servers with DDoS attack packets. On the other hand, the defense against DDoS attacks has been made very complicated by large sets of attack zombies, IP spoofing techniques, the high level of similarity between legitimate and attack packets, and the independent and distributed nature of network administration.

The work presented in this dissertation is on the defense against DDoS attacks. To better understand DDoS attacks and to design effective and appropriate DDoS defense and response, in the first part of this dissertation we elaborate on the causes of DDoS attacks, types of attack streams, and commonly used attack tools. Afterwards, we move on to identify fundamental challenges to DDoS defense and investigate existing approaches to DDoS attacks.

The second part of this dissertation concerns the design of DDoS defense mechanisms. In particular, it explores defensive approaches from three distinct directions, namely victim-end defense, attack traceback and attacker-end defense. The proposed victim-end defense scheme aims at identifying spoofed IP packets, which dominate DDoS attack traffic. This allows Internet servers to sustain their services to legitimate clients when under attack. With the presence of IP spoofing, the source IP addresses inscribed in DDoS attack packets are usually untrustworthy, and DDoS attackers run a low risk of being discovered. To deter future DDoS attacks, it is imperative to locate the origins of DDoS attack flows, and therefore the second focus of our research is to trace the sources of spoofed DDoS attack flows even if there is only one single packet in each attack flow. With the proposed traceback scheme, an Internet path traversed by an IP packet can be encoded with a small number of bits and transmitted to the packet’s destination along with the packet itself or in a few additional ICMP packets. The third defense approach targets detecting DDoS attack flows at their sources and confining attack packets in source networks. With a widespread deployment of this scheme, we can stop attack packets from entering the Internet and subsequently reduce possible network congestion caused by attack streams.

Schemes presented in this dissertation allow victim servers to distinguish spoofed attack packets from legitimate ones, support identifying attack sources, and help confine attack flows at their sources. In light of our experimental results, the proposed schemes outperform existing DDoS defense approaches. Furthermore, the proposed schemes can be deployed incrementally and can coexist with legacy routers. Very few enhancements to Internet routers are involved. With these characteristics, the proposed schemes can be deployed gradually on large networks, such as the Internet, and are considered useful building blocks for constructing effective defenses against DDoS attacks.

Keywords: Network Security, Intrusion Detection and Prevention, Distributed Denial-of-Service (DDoS) Attacks, IP Spoofing, IP Traceback


Acknowledgement

Looking back on these six years in the doctoral program, although the road was rough and I stumbled along the way, fortunately there were always people who supported me, pointed the way for me, encouraged me when I lost heart, and shared with me when I made a little progress. I thank everyone who has helped me over these two thousand and more days; thank you, for it is because of you that I was able to grow through this process. Now, as I approach the final stop of my doctoral studies, I hold heartfelt gratitude for everything you have given.

As I set out on the next stage of the journey, I would like here to especially thank my advisor, Professor Shiuhpyng Shieh, for his teaching and care over these years. From my undergraduate project and master's studies to the doctoral program, eight years of his guidance allowed me a glimpse into the depths of computer and network security; without Professor Shieh's abundant help in both academic research and daily life, this dissertation could not have been completed smoothly. In addition, I am deeply grateful to the committee members, Professors 賴溪松, 雷欽隆, 詹進科, 黃世昆, 官大智 and 邵家健, who took time out of their busy schedules and travelled from afar to offer many valuable comments and corrections, making this dissertation somewhat more complete and showing me more clearly the direction in which to work in the future.

I also want to thank all the members of the Distributed Systems and Network Security Laboratory; whether in academic exchanges or in sharing life experiences, they made this a full and wonderful period of time. Among them, my seniors 林宸堂 and 楊文和 generously shared their experience and research insights with me, from which I benefited greatly during my doctoral studies. I also especially thank Dr. 楊明豪 and 士一 for their help; whether in my research work or in the daily affairs of the laboratory, many things could not have been completed smoothly without their efforts. I sincerely thank them for the advice and assistance they gave me in every respect over these years, which let me devote more time to finishing this dissertation sooner.

Finally, I dedicate the honor of this doctoral degree to my dearest parents and family. I thank my parents for their care and support over the years, and for the great pains they took to pave the way for my higher education. I will always remember their hard work; I know that everything I have now was earned with their years of sweat, and this debt of gratitude is hard to express in words. I also thank my elder brother and my two younger sisters; in these years I often could not fulfill my duties as a son because of my studies, and thanks to them everything at home was well and they cared for our parents on my behalf, so that I could pursue the doctorate without worry. I also thank my girlfriend 怜儀, who has been with me for nearly ten years, for patiently accompanying me through the low points of my life, tolerating my easily anxious moods, helping me keep my peace of mind and giving me the courage to keep going. In my studies, too, it was with 怜儀's encouragement that I could calmly find a way through confusion. Thanks also to our family dog Dolly; every time I came home and saw her wagging her tail and jumping about happily, it eased my stress without my noticing and brought much joy to my life. I thank heaven for its arrangement, for giving me the opportunity to learn, and for letting me set out again with a humble mind and full confidence. Looking back on these two thousand and more days, none of it came easily; what I feel at this moment is, beyond joy, even more gratitude. I wish to share the joy in my heart with everyone who has helped me and cared about me, and I hope that everything this doctoral degree represents can in some small way comfort my parents and family for their years of hard work and earnest expectations.

Fu-Yuan Lee
May 30, 2005, National Chiao Tung University, Hsinchu


Table of Contents

Abstract i

Acknowledgment v

Table of Contents vi

List of Figures ix

List of Tables xi

1 Introduction 1

1.1 Motivations and Problem Statements . . . 3

1.2 Common Design Guidelines . . . 6

1.3 Contributions and Synopsis of the Dissertation . . . 7

2 Distributed Denial-of-Service Attacks and Defense Approaches 9

2.1 The DDoS Attack Problem . . . 10

2.1.1 Direct and Indirect DDoS Attacks . . . 12

2.1.2 Types of Resource Exhaustion . . . 12

2.2 DDoS Attack Tools . . . 17

2.3 Fundamental Challenges to DDoS Defense . . . 21

2.4 An Overview of DDoS Countermeasures . . . 23

2.4.1 Points of Deployment . . . 23

2.4.2 Proactive Defense Approaches . . . 25

2.4.3 Reactive Defense Approaches . . . 27

2.4.4 Attack Traceback Approaches . . . 30


3 Defending Against Spoofed DDoS Attacks with Path Fingerprint 34

3.1 Preliminaries . . . 34

3.2 New Attacking Technique . . . 39

3.3 Proposed Path Fingerprint Scheme . . . 42

3.3.1 Path Fingerprinting and Spoofed Packet Inspection . . . 42

3.3.2 The Construction and Update of the S2PF Table . . . 46

3.3.3 State Transitions and Spoofed Packet Filtering . . . 48

3.4 Robustness against Circumvention . . . 51

3.5 Evaluation . . . 52

3.5.1 Internet Data Sets . . . 53

3.5.2 Experimental Design and Performance Metrics . . . 53

3.6 Summary . . . 57

4 Edge-Based Record Route: A Novel Approach for Single Packet Traceback 59

4.1 Preliminaries . . . 60

4.2 Edge-Based Record Route . . . 63

4.2.1 Edge-Based Route Representation . . . 63

4.2.2 Encoding Schemes for Edge-based Record Route . . . 66

4.3 Proposed Solution for Single Packet IP Traceback . . . 70

4.3.1 Architecture . . . 70

4.3.2 Operational Overview . . . 71

4.3.3 Generation of PPD Packets . . . 76

4.3.4 Authentication . . . 77

4.3.5 Traceback Processing . . . 80

4.4 Analysis . . . 81

4.4.1 Overhead Analysis . . . 81

4.4.2 Accuracy Analysis . . . 85

4.5 Summary . . . 87

5 A Source-End Defense System for DDoS Attacks 89

5.1 Preliminaries . . . 89


5.2.1 System Architecture . . . 92

5.2.2 Attack Detection . . . 93

5.2.3 Attack Response . . . 94

5.3 Proposed System . . . 94

5.3.1 Basic Design Concepts . . . 94

5.3.2 Detection Phase . . . 96

5.3.3 Initialization Phase . . . 99

5.3.4 Rate Limiting . . . 101

5.4 Performance Evaluation . . . 102

5.4.1 Experimental Results . . . 102

5.5 Summary . . . 107

6 Conclusions and Future Work 109

6.1 Concluding Remarks . . . 110

6.2 Future Work . . . 112

A Derivation of F(L) 113

Bibliography 114

Curriculum Vitae 127

Publication List 128


List of Figures

2.1 Denial of Service attacks and Distributed Denial of Service attacks. . . . 10

2.2 The hierarchy of compromised computer systems. . . 11

2.3 Direct and indirect flooding streams . . . 13

2.4 The aggregate of DDoS attack streams exhausting network bandwidth. . 14

2.5 TCP three-way handshaking . . . 16

2.6 Distributed TCP SYN flooding attack . . . 16

2.7 Candidate points of deployment . . . 24

2.8 Packet marking schemes . . . 30

2.9 Messaging schemes . . . 31

2.10 Packet digesting schemes . . . 32

3.1 A two-step scenario for remotely exploring the number of hops between two end hosts . . . 40

3.2 (a) An example of determining the default gateway of an IP address being spoofed. (b) An example of enumerating the list of routers between a spoofed source and the victim . . . 41

3.3 An example of the proposed path fingerprinting scheme. . . 43

3.4 (a) The distribution of the number of intermediate routers. (b) The distribution of the value of path identifications . . . 53

3.5 The false negative ratio under the attack rate of 5000 packets per round. . . 55

3.6 The false negative ratio under the attack rates of 50000, 100000 and 150000 attack packets per round . . . 56

4.1 Mapping a sample network environment to a network model. (a) shows a sample network with 5 routers and 5 sub-networks. (b) shows the corresponding abstract network model. . . 64


4.2 (a) shows the identifiers of each directed link and (b) shows only the directed links in a sample route. . . 66

4.3 The structure of a partial path . . . 70

4.4 The network model . . . 71

4.5 The arrangement of IP option for storing partial paths . . . 76

4.6 Selected IP fields for computing the digest value . . . 77

4.7 The format of a PPD packet which is used to transmit partial paths to end hosts . . . 77

4.8 Reversed one-way key chain . . . 79

4.9 A probability model that reflects the state transition of IP packets. . . . 83

4.10 How L and q affect F (L) when α = 4 . . . 84

4.11 How L and α affect F (L) when q = 0.6 . . . 84

5.1 An example of the deployment of D-WARD . . . 92

5.2 Average O/I values . . . 95

5.3 Classification of Traffic Flow . . . 98

5.4 Constant SYNC attack. . . 103

5.5 Pulsing SYNC attack. . . 103

5.6 Increasing SYNC attack. . . 104

5.7 Gradual SYNC attack. . . 104

5.8 Constant bandwidth overloading attack. . . 105

5.9 Pulsing bandwidth overloading attack. . . 106

5.10 Increasing bandwidth overloading attack. . . 106


List of Tables

3.1 At different attack rates, the number of rounds and the number of table entries required to detect the attack. . . 56


Chapter 1

Introduction

Denial-of-service (DoS) attacks [18, 52, 80], which intend to prevent target Internet servers from providing services to their clients or to degrade their quality of service, have been considered a major threat to the stability of the Internet. When interacting with an Internet server under DoS attack, legitimate clients experience abnormally long network latency or high packet loss rates. In some DoS attacks, legitimate clients may even be deprived of network connectivity to the server [16], or the server may crash so that all services running on it are suspended [17, 59]. As the Internet has increasingly become an important communication infrastructure for many business activities, DoS attacks can lead not only to disturbance of network communications but also to huge financial costs. Commercial web sites would suffer considerable revenue losses if their web servers were forced to shut down or were overloaded with a multitude of malicious HTTP requests. Furthermore, DoS attacks can also adversely interfere with crucial communications that must be completed in a timely manner.

Owing to the ease of obtaining DoS attack programs and the user-friendly interfaces provided by these tools, launching a DoS attack needs no advanced techniques in programming or system administration. An unsophisticated user can easily acquire attack programs and then employ these tools to exploit design weaknesses in communication protocols or in infrastructure components on the Internet. Due to the stateless nature of the destination-based best-effort delivery service provided by the Internet, source IP addresses in attack packets are untrustworthy. Attackers run a low risk of being discovered and punished. These factors consequently result in a huge population of so-called “script kiddies” (i.e. unsophisticated users who are capable of manipulating attack scripts to conduct DoS attacks) and contribute to the widespread incidence of DoS attacks.


Roughly, DoS attacks can be classified into two categories: vulnerability-based attacks and flooding-based attacks. The former consists of attacks exploiting vulnerabilities in software (including service programs, software utilities, operating systems and their configurations) to disable chosen Internet services. The latter refers to attacks paralyzing target services by over-consuming resources that are critical for the services to function properly. Software vulnerabilities mostly originate from implementation errors or misconfigurations. By taking advantage of software vulnerabilities, an attacker usually can gain additional privileges on target systems or even crash them with a small number of attack packets. These attack packets are usually malformed and are of a special type and content. This feature allows intrusion detection systems (IDSs) to detect malicious packets by looking for attack patterns in IP packets. Moreover, software vendors will generally issue patches to fix vulnerabilities immediately after the vulnerabilities are discovered. From the above-mentioned perspectives, vulnerability-based attacks normally can be prevented by secure programming techniques [4, 35] and sophisticated administration skills/tools [19, 20, 74, 110], and can be effectively detected and stopped by IDSs/firewalls and system patches respectively.

Unlike vulnerability-based DoS attacks, flooding-based DoS attacks do not rely on software vulnerabilities. Instead, they adversely affect the execution of a target Internet service by simply exhausting some critical resource, such as network bandwidth, memory space or CPU computation power. Internet services that are subject to flooding-based DoS attacks mostly share a common design weakness: in general they devote some resources prior to, or as part of, inspecting the legitimacy of received service requests. Even if the amount of resources devoted to each service request is small, attackers can still over-consume these resources by sending a target server a large number of malicious service requests. A crucial fact is that distinguishing malicious service requests from legitimate ones is extremely difficult for target Internet servers. Malicious service requests are usually very similar, or even identical, to requests originating from legitimate clients. This high level of similarity generally leads to collateral damage to legitimate clients, and this constitutes a major obstacle to effective DoS defense.

Distributed DoS (DDoS) attacks refer to flooding-based DoS attacks accomplished with an enormous number of attacking machines distributed over the Internet. The major difference between DoS and DDoS attacks is in their scale. In a DDoS attack, many flooding-based DoS streams originating from multiple machines are arranged to flood selected Internet servers at around the same time. In this way, the impact of a simple DoS attack can be greatly amplified. To conduct such a DDoS attack, an attacker first needs to compromise a sufficient number of computer systems. Then, at some later point in time, these compromised hosts, or simply zombies, are used to flood chosen Internet servers in order to jam their Internet links, overload the servers or crash them.

The design of effective DDoS countermeasures is made very complicated for several reasons. First, the Internet is naturally vulnerable to DDoS attacks. This is mainly because the Internet was not designed with security issues in mind. Internet routers simply provide a destination-based best-effort packet delivery service and generally do not have the capability to determine the legitimacy of IP packets. Attackers are allowed to arbitrarily construct malformed IP packets or to forge IP header fields. Currently there is nothing Internet routers can do to stop malicious users from attacking other users on the Internet. Second, DDoS attack flows are usually composed of legitimate-looking packets. Finally, there will always be careless system administrators or indifferent users who expose weaknesses of their systems to attackers, and these insecure computers form a fertile ground for attack zombies. All these characteristics make DDoS attacks very effective and also very hard to defend against.

This introductory chapter first describes the demand for effective DDoS countermeasures and briefly discusses the challenges in designing DDoS solutions. Then we move on to present the major defensive strategies and highlight three essential issues that will be discussed in this dissertation. Design principles and criteria for the evaluation of DDoS solutions are presented next. Finally, the key contributions of our work and the roadmap of this dissertation are given at the end of this chapter.

1.1 Motivations and Problem Statements

As mentioned above, DDoS attacks have long been regarded as a serious problem, and many research efforts have been devoted to the design of countermeasures. Herein we first present a classification of DDoS defense strategies. (Technical details of the approaches belonging to each class will be discussed in Chapter 2.) We then elaborate on the selection of our defense approaches, and explicitly define the problems to be addressed.


Most existing DDoS defense schemes roughly fall into the following three categories: proactive defenses, reactive defenses and DDoS attack traceback. The first category is composed of approaches which aim at eliminating fundamental causes of DDoS attacks. For instance, some such approaches attempt to hide the real location (i.e. the IP address) of a protected Internet server while retaining its service to legitimate clients. Without the server’s IP address, it would be very difficult for an attacker to overwhelm the server or to jam its network connection. Usually such solutions involve changes to existing communication protocols and Internet infrastructure components. Software and firmware installed on switches, routers and end host systems need to be updated, and therefore these solutions generally incur tremendous deployment efforts.

The second field of research consists of approaches that respond to DDoS attacks while an attack is ongoing. Schemes in this category actually contain both techniques for detecting the presence of DDoS attacks and response mechanisms for mitigating the impact of attacks. Techniques for attack detection generally involve analyzing network traffic statistics, monitoring system behavior and inspecting IP packets for known attack patterns. Response mechanisms control resource usage, discard identified attack packets or impose rate-limiting rules on attack flows. Most of these solutions are embodied in firewalls, end host operating systems and sometimes Internet routers, and currently these reactive approaches are the dominant solutions for DDoS attacks. The final research area focuses on locating the sources of DDoS attack flows. Though attack traceback provides little help in protecting Internet servers from being attacked, it is considered an essential element of automatic response to DDoS attacks and the first step toward identifying the attackers who control recognized attack zombies. In other words, attack traceback helps construct a deterrent against future DDoS attacks.

This dissertation is on the defense against DDoS attacks. In particular, according to the above classification of DDoS defense systems, our work concerns the following two types of defense approaches: (1) reactive schemes that enable edge routers and end host systems to defend against DDoS attacks, and (2) traceback schemes that allow reconstructing the Internet paths traversed by DDoS attack flows.

One key consideration in designing effective DDoS countermeasures is to impose appropriate defense mechanisms at the correct positions. Specifically, defense systems need to be deployed at or before the positions where resource exhaustion occurs. Otherwise, an incorrectly placed defense system will suffer from either ineffectiveness in blocking attack flows or difficulty in detecting attacks. For instance, consider a DDoS attack that attempts to exhaust the CPU computation power of victims. Persistent high CPU utilization at victim systems can serve as a signal of the attack, and reactive defense systems installed on victims can start to discard identified attack packets once an attack signal is captured. By contrast, without a significant surge in the volume of network traffic or an observable anomaly in traffic statistics, it is relatively harder for defense systems installed at Internet routers to sense the occurrence of such attacks, and consequently they are weak in blocking such attack flows. Consider another attack that purports to exhaust the network bandwidth of a victim network. In this example, defense systems on Internet routers can detect the presence of the attack by monitoring network traffic and suppress attack flows quickly with rate-limiting rules. On the other hand, defenses installed on victims provide little help, because dropping identified attack packets at victims does not alleviate network congestion on upstream routers.

Hence, in this dissertation, we choose to develop two types of reactive DDoS defense systems, which are deployed at victim-end and source-end (or, attacker-end) respectively. The major objective of victim-end defense is to identify and discard attack packets at victims, and the source-end defense system is used to confine attack flows at their sources. The two systems complement each other and can handle a majority of DDoS attacks.

Another issue addressed in this dissertation falls into the category of attack traceback. Specifically, we focus on a difficult case of the IP traceback problem, i.e. single packet IP traceback. In a highly distributed DDoS attack, each zombie may send only a few attack packets, and most existing traceback techniques cannot identify attack sources in this situation. This dissertation attempts to solve this problem by proposing a traceback mechanism that is capable of locating attack origin(s) even if there is only one single packet in each attack flow.

In short, we explore the DDoS problem from three directions, namely victim-end defense, source-end defense and IP traceback. Three DDoS defense approaches are developed, and the objectives of each approach are summarized below.

Victim-End Defense

To stop DDoS attacks from inflicting damage on victims, a defense system deployed at victims must be able to identify and then discard attack packets with high accuracy. Because DDoS attack flows mostly comprise spoofed IP packets, the goal of the proposed victim-end defense system is to identify IP packets with spoofed source IP addresses. In this way, we can discard a majority of DDoS packets at the victim and thus sustain the service quality to legitimate clients.

IP Traceback

An IP traceback mechanism for tracing individual packets is proposed. Specifically, single packet IP traceback refers to the process of identifying the list of IP addresses representing the routers on the Internet path traversed by an IP packet. With the proposed scheme, information for reconstructing an Internet path is encoded with a small number of bits and can be delivered to a destination host along with each IP packet in an efficient and authenticated way. Though the proposed scheme requires support from Internet routers, it can coexist with legacy routers and can be deployed incrementally.

Source-End Defense

An approach for recognizing and confining DDoS attack flows at attack sources is presented. Our approach models the behavior of legitimate network flows and constructs a profile for each of them. A network flow that does not comply with an existing normal flow profile is considered an attack flow, and rate-limiting rules are then imposed on attack flows so as to prevent attack packets from entering the Internet. With a widespread deployment of this scheme, DDoS attack flows can be confined at their sources.

1.2 Common Design Guidelines

Before we go into the details of each proposed solution, we first discuss several design principles that are considered important to the effectiveness of DDoS defense mechanisms.

• Lightweight Processing: The processing load of DDoS defense systems must be lightweight. Otherwise, the defense system itself would become a target of DDoS attacks: an attacker could disable the defense by overloading the defense system. In particular, modifications or enhancements to routers should be designed very carefully so as not to cause substantial processing overhead on routers.

• Incremental Deployment: DDoS defense systems should avoid relying on a significant retrofitting of routers or end host systems in an all-or-nothing fashion. It is unrealistic to assume that the required retrofit can be completed within a short period of time. Instead, a feasible solution needs to support incremental deployment, so that the defense system gains effectiveness in proportion to its degree of deployment.

• Loose Cooperation: A DDoS defense system should avoid assuming tight cooperation among different ISP networks. This is because cooperation normally involves complex coordination among ISPs and therefore incurs substantial overhead. This would make deployment of the DDoS defense mechanism difficult in large networks such as the Internet.

• Accuracy: An effective DDoS countermeasure should be accurate, in terms of low false positive ratios and low false negative ratios. Low false positives mean that the defense will not lead to significant collateral damage to legitimate traffic, and low false negatives mean that only a negligible portion of attack traffic is left undetected. More importantly, accuracy must be maintained at all times, even when the DDoS defense mechanism itself is under some sort of attack launched by attackers who possess reasonable and sufficient resources, such as a complete topological map of the Internet and the IP addresses of Internet routers. Attackers will try every possibility to circumvent the defense such that (1) attack traffic evades the detection and filtering mechanisms, or (2) the defense mechanism is deceived into misjudging legitimate packets as malicious ones. Therefore it is important for a DDoS defense mechanism to resist sophisticated attacks and keep its accuracy under all circumstances.

1.3 Contributions and Synopsis of the Dissertation

In this dissertation, we first present in Chapter 2 an investigation of the fundamental causes of DDoS attacks, types of attacks and attack programs. An extensive literature survey on DDoS defense mechanisms is also given in that chapter. Design concepts and operational overviews of existing defensive approaches are described. This investigation helps recognize major trends in the evolution of both DDoS attacks and defenses. It consequently serves as a useful foundation for developing appropriate and effective DDoS countermeasures.


The main contribution of this dissertation is on the design of three distinct DDoS countermeasures. In this dissertation, a chapter is devoted to each proposed defensive approach. For each proposed scheme, we first present background, related work and then describe the motivation, key concepts and rationales, details of the proposed defensive approach, and corresponding evaluations.

In Chapter 3, we will describe a victim-end approach for identifying IP packets with spoofed source addresses. The proposed scheme allows detecting and blocking attack packets on a per packet basis, and experimental results showed that our scheme can detect a majority of spoofed attack packets and cause very little collateral damage to legitimate clients.

In Chapter 4, we present a traceback scheme that allows reconstructing the Internet path traversed by a single IP packet. A space-efficient route encoding technique is presented; with the proposed encoding, path information can be transmitted to the destination of an IP packet along with the packet, or by a few additional ICMP packets. Our scheme requires only one multiplication and one addition operation on Internet routers and can be deployed incrementally. Furthermore, analysis and experimental results showed that our scheme can identify the origin(s) of IP packets with high accuracy.

In Chapter 5, a scheme for detecting and blocking attack flows at their sources is presented. The proposed scheme is based on an existing source-end DDoS defense system called D-WARD. Our approach attempts to complement rather than replace D-WARD. New criteria for detecting DDoS attacks are derived from several characteristics of DDoS attack flows. Experimental results showed that the proposed scheme fixes weaknesses of D-WARD and outperforms D-WARD in terms of detection accuracy and response time. Finally, Chapter 6 concludes this dissertation by discussing directions for future work in the field of DDoS defense.


Chapter 2

Distributed Denial-of-Service Attacks and Defense Approaches

Essentially, Distributed Denial-of-Service (DDoS) attacks are flooding-based DoS attacks conducted by multiple attacking machines on the Internet. A DDoS attacker is very unlikely to own a sufficient number of computer systems to perform DDoS attacks. Instead, the set of attacking machines mostly comprises compromised computer systems, and these compromised computers are the so-called zombies. By aggregating the attack power of zombies, a DDoS attacker can flood Internet servers and disable them even if they are well equipped. In fact, DDoS attacks can inflict damage not only on Internet servers but also on the clients of the servers being attacked. No one is actually free from the threat of DDoS attacks.

Due to the large number of vulnerable computers on the Internet and the set of easily acquired and deployed exploit programs, an attacker without much technical background can easily conduct successful DDoS attacks. Moreover, DDoS attack tools will certainly continue to evolve in order to make launching DDoS attacks even easier. For instance, techniques for scanning and compromising vulnerable computers are getting more sophisticated, and thus detection of malicious behavior becomes much harder than before. The increasing level of sophistication also helps an attacker identify and collect vulnerable computers more efficiently. The deployment of attack tools tends to be automatic. As a result, an attacker can widely deploy attack tools on a large set of compromised hosts with a few keystrokes. All these developments make DDoS attacks more powerful and harder to defend against.


the causes of DDoS attacks, frequently used DDoS techniques, and existing DDoS attack tools. Next, we analyze the fundamental challenges to effective DDoS defense and give an overview of existing DDoS countermeasures. Finally, a summary is given at the end of this chapter.

2.1 The DDoS Attack Problem

DDoS attacks are simply distributed versions of resource-overwhelming DoS attacks. As shown in Fig. 2.1, the major difference between a DoS attack and a DDoS attack is their scale: DoS attacks use one attack machine to generate attack traffic, while DDoS attacks use a large number of attack zombies.

Figure 2.1: Denial of Service attacks and Distributed Denial of Service attacks.

Consider a simple DDoS attack that over-consumes the bandwidth of a victim network. In this case, a vast number of large IP packets will be directed to the victim network while the attack is ongoing. Though an individual IP packet toward the victim seems harmless, a multitude of them can effectively overwhelm the victim's network bandwidth or other critical packet-processing resources. Consequently, requests originating from legitimate clients are not able to compete with the malicious flood and have very little chance of acquiring good service from the server. Legitimate clients experience significant service degradation for the entire attack period. The DDoS attack streams can even effectively take the victim network off the Internet.

To turn compromised hosts into zombies, a DDoS attacker normally has to install attack software on the compromised systems. The running processes of this attack software are called attack daemons. In addition, the attacker also installs root kits [37, 66] on compromised systems in order to hide the installed attack programs and the execution of the daemon processes.

To manage compromised computer systems, the attacker will in general organize them into a hierarchical structure. As depicted in Fig. 2.2, at the top of the hierarchy is the attacker, who takes control over all computers in the lower layers. Hosts in the lowest layer are attack zombies, which create the flooding streams; the intermediary computer systems in the hierarchy are referred to as masters, which are responsible for forwarding attack instructions from the attacker to zombies. Upon receipt of attack instructions, zombies create attack streams of a particular type and content at a given time, and the attack lasts for a specified duration.


2.1.1 Direct and Indirect DDoS Attacks

According to the way DDoS attack streams are created, DDoS attacks can be categorized into two classes: direct DDoS attacks and indirect DDoS attacks. As shown in Fig. 2.3, in a direct DDoS attack, attack streams are generated directly by attack zombies, while in an indirect DDoS attack the attacker takes advantage of other, uncompromised systems, generally called reflectors, to attack victims. Indirect DDoS attacks are also referred to as Distributed Reflector DoS (DRDoS) attacks [51, 84]. In a DRDoS attack, innocent Internet servers that automatically reply to a service request with a relatively larger (in terms of message size) response message are selected as reflector candidates. The property of generating responses automatically allows attackers to further amplify the volume of attack traffic created by zombies.

To conduct a DRDoS attack, an attacker needs to construct a list of reflectors which will later be used to reflect attack streams. Zombies are instructed to send a multitude of service requests, carrying the victim's IP address as their source IP address, to the reflectors. A larger multitude of response messages is then returned to the victim. In this way, the attack traffic, in the form of normal response messages originating from the selected innocent reflectors, fills up the inbound link bandwidth of the victim's network.

2.1.2 Types of Resource Exhaustion

Basically there are three types of resource exhaustion in DDoS/DRDoS attacks: network bandwidth, memory space and computation power. Each type of resource exhaustion can be accomplished via many different kinds of attack flows. For instance, network bandwidth can be exhausted by a high volume of network traffic. Memory can be tied up by a multitude of service requests, each of which occupies a portion of memory space at the victim machine. And computation power can be over-consumed by large numbers of service requests with a high computational load. In this section, we present details on overwhelming the three major types of resources.

Network Bandwidth

Figure 2.3: Direct and indirect flooding streams

Fig. 2.4 illustrates bandwidth exhaustion DDoS attacks. The goal of bandwidth flooding attacks is to create severe network congestion on the network links of a victim or a victim network. To this end, zombies generally send full-size IP packets to the victim. In particular, the inbound network bandwidth is saturated with attack packets, and as a result a high percentage of legitimate packets is discarded.

The smurf attack [21] is a well-known DRDoS attack that creates a high volume of attack traffic using reflectors. In a smurf attack, zombies broadcast ICMP echo requests [93] with the victim's IP address as the source IP address to a local network. (That is, the destination IP address is a broadcast address, and the victim's IP address is used as the source IP address.) Computers receiving the forged ICMP echo requests return ICMP echo reply messages to the victim. In this example, it is clear that the computers which generate ICMP echo reply messages act as reflectors. With a sufficient number of such reflectors, the inbound network bandwidth of the victim's network can be exhausted. It is worth noting that smurf attacks may sometimes also inflict damage on the reflectors. Consider that there are n reflectors in the same local network, and each ICMP echo reply message is s bits long. Let the attacker send f ICMP echo requests per second. Then the outbound bandwidth of the reflectors' network will also be exhausted if it is smaller than n · s · f bits per second.


Figure 2.4: The aggregate of DDoS attack streams exhausting network bandwidth.

In addition to ICMP, attackers can employ many other protocols, such as TCP, HTTP and DNS, to trigger the generation of a huge amount of network traffic from innocent computer systems [84]. Via raw socket interfaces [3, 109], most zombies can send TCP SYN packets, TCP SYN-ACK packets, HTTP requests and DNS requests with forged source IP addresses to a corresponding list of reflectors (i.e., computers listening on a particular TCP port, HTTP servers and DNS servers), and consequently the victim's network would be disabled owing to bandwidth exhaustion.

There are still other ways to create bandwidth attacks. For instance, by connecting two UDP services, each of which generates output in response to input, one can create a huge amount of traffic transmitted between the two service machines in an infinite loop. This results in denial of service on both service machines and on the intermediary networks between them. One such example is given in [15], and it is summarized below. Chargen [91] is a service running on port 19. Whenever a UDP datagram is received, chargen returns an answering datagram containing a random number (between 0 and 512) of characters. The echo [92] service runs on port 7. When a UDP datagram is received, the data from it is sent back in an answering datagram to the original sender. An attacker can easily connect the chargen service running on one machine to the echo service on another machine with a single forged datagram: an echo datagram sent to the chargen service, or a chargen datagram sent to the echo service. Once the two services are connected, the created traffic volume persistently consumes a huge amount of network bandwidth in an endless loop, causing loss of packets or exhausting the power of the two machines (running the echo and chargen services) to process the packets that are echoed between them.

Buffer Space

Another commonly used method to perpetrate denial-of-service attacks is to tie up a particular buffer space which plays a critical role in the execution of the server process. In general, this leads to the suspension of the service for as long as the attack lasts. The TCP SYN flooding attack [16] is a well-known DDoS attack in this category. To better understand how the TCP SYN flooding attack works, we first need to review the establishment of a TCP connection. As shown in Fig. 2.5, the establishment of a TCP connection requires exchanging three packets between two communicating peers, and this procedure is widely known as the TCP three-way handshake. The system that wants to establish a TCP connection is referred to as the TCP client, and the system the TCP client connects to is called the TCP server. In the TCP three-way handshake, the TCP client first sends a SYN packet expressing its attempt to connect to the TCP server. The SYN packet notifies the TCP server of the initial sequence number (ISN) used by the TCP client. Presume that the ISN recorded in the SYN packet is x, and that the TCP server accepts the connection-initiating request. The TCP server acknowledges the receipt of the TCP SYN packet and sends its own ISN, y, in a SYN-ACK response packet. The SYN-ACK packet contains an ACK field with the value x+1. A TCP connection in this state is called a half-established connection, and each half-established TCP connection occupies an entry, storing the parameters of the pending connection (e.g., the received ISN and other connection attributes), in a half-established connection queue. (If the connection-initiating request is not accepted, a RST-ACK packet, or an ICMP port-unreachable packet, is returned to the TCP client.) Afterwards, the TCP client finishes the handshake procedure by sending an ACK packet which acknowledges the receipt of the SYN-ACK packet. The ACK field in this packet is y+1.

In this way, a bi-directional connection is established between the TCP client and the TCP server. The entry in the half-established connection queue corresponding to the newly established TCP connection is removed. Without the last ACK packet delivered from the TCP client, the data structure describing a pending connection is maintained for a predefined period of time, and the memory space allocated for it is deallocated when the timeout expires.

Figure 2.5: TCP three-way handshaking (TCP Client sends SYN, ISN=x; TCP Server replies SYN-ACK, ISN=y, ACK=x+1; TCP Client sends ACK, ACK=y+1; memory is allocated at each side)

The weakness of the TCP three-way handshake lies in the allocation of memory space for half-established connections. This gives malicious users a chance to tie up the half-established connection queue using a vast number of TCP SYN packets, as depicted in Fig. 2.6. In a TCP SYN flooding attack, the source IP addresses of the malicious SYN packets are forged intentionally. As a result, the last ACK packets corresponding to the malicious SYN packets never return to the victim server. By persistently sending a large number of such malicious SYN packets to the victim, an attacker can effectively stop the victim from accepting new TCP connections. In this way, services relying upon TCP connections are disabled.
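The following model, added here as an illustration and not taken from the dissertation or from any operating system's TCP implementation, contrasts the half-established connection queue described above with the usual mitigation, SYN cookies. StatefulServer reserves a queue entry per SYN until the final ACK arrives or the entry times out, so SYNs whose ACK never comes eventually leave no room for a legitimate client. CookieServer instead derives its ISN y from a keyed hash of the client tuple and a coarse time counter and stores nothing until an ACK carrying y+1 proves the client really received the SYN-ACK. The queue size, timeouts, secret key and all addresses are constructed for the example, and the MSS encoding of real SYN cookies is omitted.

```python
"""Half-open queue exhaustion versus SYN cookies (added illustration)."""
import hashlib
import hmac
import os

HALF_OPEN_TIMEOUT = 60.0  # seconds a pending entry is kept (assumed)
COOKIE_TICK = 64.0        # granularity of the cookie time counter (assumed)
MASK32 = 0xFFFFFFFF


class StatefulServer:
    """Classic behaviour: one queue entry per half-established connection."""

    def __init__(self, queue_size):
        self.queue_size = queue_size
        self.pending = {}  # (client_ip, client_port) -> (y, time of SYN)

    def _expire(self, now):
        for k in [k for k, (_, t) in self.pending.items() if now - t > HALF_OPEN_TIMEOUT]:
            del self.pending[k]

    def on_syn(self, src, sport, x, now):
        """Return the ISN y sent in the SYN-ACK, or None if the queue is full."""
        self._expire(now)
        if len(self.pending) >= self.queue_size:
            return None  # queue exhausted: the SYN is silently dropped
        y = int.from_bytes(os.urandom(4), "big")
        self.pending[(src, sport)] = (y, now)
        return y

    def on_ack(self, src, sport, ack, now):
        """Third handshake packet: True if the connection is established."""
        self._expire(now)
        entry = self.pending.get((src, sport))
        if entry is not None and ack == (entry[0] + 1) & MASK32:
            del self.pending[(src, sport)]
            return True
        return False


class CookieServer:
    """SYN-cookie behaviour: no per-connection state before the final ACK."""

    def __init__(self, key):
        self.key = key  # constructed secret, never sent on the wire

    def _cookie(self, src, sport, tick):
        mac = hmac.new(self.key, f"{src}|{sport}|{tick}".encode(), hashlib.sha256).digest()
        # 24 bits of MAC in the high bits, 8 bits of time counter in the low byte
        return ((int.from_bytes(mac[:3], "big") << 8) | (tick & 0xFF)) & MASK32

    def on_syn(self, src, sport, x, now):
        return self._cookie(src, sport, int(now // COOKIE_TICK))

    def on_ack(self, src, sport, ack, now):
        y = (ack - 1) & MASK32
        tick = int(now // COOKIE_TICK)
        # accept the current and the previous counter value to tolerate delay
        return any(y == self._cookie(src, sport, t) for t in (tick, tick - 1))


def legit_client_succeeds(server, unanswered_syns, now=1000.0):
    """Feed the server SYNs from many distinct sources whose ACK never arrives,
    then run one complete handshake for a legitimate client and report whether
    that client gets connected."""
    for i in range(unanswered_syns):
        server.on_syn(f"203.0.113.{i % 254 + 1}", 40000 + i, 1, now)
    y = server.on_syn("198.51.100.9", 51000, 7, now)
    if y is None:
        return False
    return server.on_ack("198.51.100.9", 51000, (y + 1) & MASK32, now + 0.05)


if __name__ == "__main__":
    print("stateful queue of 128 after 200 unanswered SYNs:",
          legit_client_succeeds(StatefulServer(128), 200))
    print("SYN cookies after 200 unanswered SYNs:",
          legit_client_succeeds(CookieServer(b"constructed-secret-key"), 200))
```

The stateful model refuses the legitimate client once the queue of 128 entries is full, whereas the cookie server accepts it regardless of how many SYNs preceded it; an ACK with a wrong value, or one arriving after the time counter has moved on by more than one tick, is rejected because it does not reproduce the keyed hash.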


Computation Power

Some other types of DDoS attacks aim at exhausting the computing power of the victim rather than its network bandwidth or memory space. Herein computing power mostly refers to the capability of processing network packets or encrypting/decrypting communication contents. Services that commit extensive computation prior to the authentication of service requests are vulnerable to this kind of DDoS attack. For instance, firewalls, intrusion detection systems and Internet routers have to commit some of their computing capability to each received packet. This characteristic might encourage malicious users to tie up the processing power of these network entities by feeding them a large number of small packets in a burst. Though such attack traffic may occupy only a small portion of the available link bandwidth, an attacker can keep Internet routers/firewalls/IDSs very busy processing a flood of small packets, and legitimate packets may be discarded owing to the lack of processing power.

Furthermore, attackers can take advantage of some improperly designed security protocols, especially authentication protocols, to exhaust the CPU resources of the victim. This is mainly because many authentication protocols are based on public-key cryptography, in which computationally expensive modular exponentiation operations are used extensively. If a service authenticates the validity of a service request using public-key cryptography as soon as the request arrives, the service is subject to computation-power-based DDoS attacks. That is, an attacker can initiate such a DDoS attack by sending the server a large number of bogus service requests. Consequently, the computation power of the victim server is exhausted in honestly authenticating all these malicious requests.

2.2 DDoS Attack Tools

It has been made very clear that, to conduct DDoS attacks, an attacker first needs to take control over a large number of zombies. An attacker uses exploit programs to penetrate vulnerable computer systems and then installs attack programs on them. After that, the attacker can conduct DDoS attacks by sending zombies attack commands asking them to flood victims with specified attack streams.


tools and security assessment software, such as nmap [50] and nessus [39], to scan an extremely large number of systems. Both nmap and nessus are capable of detecting vulnerabilities on target machines. In particular, nmap was designed to identify available hosts on the Internet and to recognize the operating systems and Internet services running on those hosts. It can also detect firewalls deployed in the network being scanned. By cooperating with nmap, nessus is capable of discovering known vulnerabilities on target machines automatically. Both systems were originally designed to help system administrators identify security flaws on machines in their administrative domain. Unfortunately, from the dark side, both systems can also help attackers find weaknesses of computer systems and subsequently allow attackers to penetrate vulnerable systems.

In addition to the infection process, the attack software running on masters and zombies is another core element of DDoS attacks. Most DDoS attack programs are built upon code fragments adopted from other DDoS attack tools. In other words, DDoS attack tools are enhanced incrementally, and they mostly differ in the communication mechanisms between attacker and masters, and between masters and zombies. Moreover, DDoS attack tools may provide different customizations in creating attack flows. In the following, we summarize characteristics of known DDoS attack tools according to reports on them [8, 22–24, 26, 41–45].

Trinoo

Trinoo [23, 43] is a DDoS attack tool which creates UDP flooding attacks. The attacker sends attack commands to masters via TCP, and masters communicate with zombies via UDP. According to the attack instructions, trinoo zombies flood victims using UDP packets of a given size, over random UDP ports, for a specified attack duration. Notice that the source IP addresses of the UDP flooding packets are not spoofed. Both masters and zombies are protected by a password, i.e., communications with masters or zombies require a password. Moreover, if a second connection is made to a master (or zombie) while the attacker is connected, an alert message containing the IP address of the second connection is delivered to the attacker.

The trinoo attack program (i.e., the executable of the trinoo daemon process) contains the IP addresses of trinoo masters. Upon execution of a trinoo daemon on a zombie, it announces its availability to one of the default trinoo masters by sending the default master a UDP message containing the string “*HELLO*”. The trinoo master then stores a list of known zombies in a file named “...” in an encrypted form. To check the status of those zombies, a trinoo master broadcasts a request to all known daemons, and daemons receiving the request return a UDP packet containing the string “PONG”.

Tribe Flood Network

Tribe Flood Network (TFN) [23, 45] employs a master and zombie architecture similar to that of trinoo. TFN is capable of launching UDP flooding, TCP SYN flooding, ICMP echo flooding and smurf attacks at specific or random ports. It is worth noting that TFN can generate attack streams with spoofed source IP addresses, and the sizes of attack packets can be altered.

A TFN master accepts attack instructions through a command line interface. This is generally done via normal telnet sessions, SSH sessions or a remote shell bound to a specific TCP port. Each TFN master maintains a list of known zombies which is supplied by the attacker. It was reported that some TFN masters may encrypt the zombie list using the Blowfish algorithm [99]. A TFN master communicates with zombies using ICMP echo reply packets. An attack instruction is encoded as a 16-bit binary value, which is defined at compile time of the master executable. The 16-bit attack instruction is stored in the ID field of an ICMP echo reply packet, and additional arguments are embedded in the data portion of the packet.

Stacheldraht

Stacheldraht [26, 44] is a DDoS attack tool that adopts features from trinoo and TFN. Communications between an attacker and masters are protected using the Blowfish encryption algorithm. Furthermore, the executable of the daemon process can be updated automatically on demand. The attacker uses a telnet-like session to communicate with masters, and masters send attack commands to zombies via ICMP echo reply packets. Finally, stacheldraht can launch UDP flooding, TCP SYN flooding, ICMP echo flooding, and smurf attacks.
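Two observations above share a detectable symptom: a smurf victim (Section 2.1.2) receives ICMP echo replies it never requested, and a TFN or stacheldraht zombie receives its commands as ICMP echo replies with no preceding request. The monitor below, added here as an illustration and not code from the dissertation or from any of the tools described, remembers the echo requests a host sends and flags incoming echo replies that match none of them. The packet record format, addresses, and the retention window are constructed for the example; the monitor makes no attempt to decode command payloads.

```python
"""Stateful ICMP echo monitor: flag echo replies that were never requested."""
from collections import namedtuple

# One record per observed ICMP packet (constructed format).
# direction: "out" = sent by the monitored host, "in" = received by it.
# icmp_type: 8 = echo request, 0 = echo reply.
Pkt = namedtuple("Pkt", "ts direction src dst icmp_type ident seq")

REQUEST_TTL = 10.0  # seconds an unanswered request stays pending (assumed)


class EchoTracker:
    def __init__(self, local_ip, ttl=REQUEST_TTL):
        self.local_ip = local_ip
        self.ttl = ttl
        self.pending = {}  # (peer, ident, seq) -> time of the outbound request

    def _expire(self, now):
        for key in [k for k, t in self.pending.items() if now - t > self.ttl]:
            del self.pending[key]

    def observe(self, pkt):
        """Return None for expected traffic, or an alert dict for an unsolicited reply."""
        self._expire(pkt.ts)
        if pkt.direction == "out" and pkt.icmp_type == 8 and pkt.src == self.local_ip:
            self.pending[(pkt.dst, pkt.ident, pkt.seq)] = pkt.ts
            return None
        if pkt.direction == "in" and pkt.icmp_type == 0 and pkt.dst == self.local_ip:
            key = (pkt.src, pkt.ident, pkt.seq)
            if key in self.pending:
                del self.pending[key]  # reply matches a request: consume it
                return None
            return {"ts": pkt.ts, "src": pkt.src, "ident": pkt.ident,
                    "seq": pkt.seq, "reason": "unsolicited ICMP echo reply"}
        return None


def scan(local_ip, packets):
    """Run the tracker over a packet list and return the alerts in order."""
    tracker = EchoTracker(local_ip)
    return [a for a in (tracker.observe(p) for p in packets) if a is not None]


def reply_sources(alerts):
    """Distinct sources of unsolicited replies. Many distinct sources inside a
    short window is the signature of reflector traffic rather than one stray host."""
    return sorted({a["src"] for a in alerts})


# Constructed trace: one normal ping exchange, one request whose reply comes
# after the retention window, and two replies from hosts never pinged.
SAMPLE = [
    Pkt(0.0, "out", "192.0.2.10", "198.51.100.7", 8, 0x1234, 1),
    Pkt(0.1, "in", "198.51.100.7", "192.0.2.10", 0, 0x1234, 1),   # solicited
    Pkt(0.2, "out", "192.0.2.10", "198.51.100.7", 8, 0x1234, 2),
    Pkt(0.5, "in", "203.0.113.5", "192.0.2.10", 0, 0x0001, 1),    # unsolicited
    Pkt(0.6, "in", "203.0.113.6", "192.0.2.10", 0, 0x0001, 1),    # unsolicited
    Pkt(20.0, "in", "198.51.100.7", "192.0.2.10", 0, 0x1234, 2),  # request expired
]

if __name__ == "__main__":
    for alert in scan("192.0.2.10", SAMPLE):
        print(alert)
```

On the constructed trace the monitor raises three alerts: the two replies from hosts that were never pinged and the reply that arrives after its request has aged out. At a victim the interesting signal is the number of distinct reply sources per unit time; at a suspected zombie even a single unsolicited reply carrying data is worth examining, since the ID and data fields are exactly where TFN places its instructions.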

Shaft

Shaft [24, 41, 42] is a DDoS tool which creates UDP flooding, TCP SYN flooding, TCP ACK flooding, ICMP flooding or a mixture of them. The source ports and source IP addresses of shaft attack packets are randomized. The attacker communicates with masters via telnet connections. Communications between masters and zombies are accomplished via UDP packets.

Furthermore, a “ticket” mechanism is used to keep track of individual zombies. Whenever a shaft zombie starts up, it announces its availability to its default master by sending a “new” command and a password. Upon receipt of the announcement, the corresponding master returns a ticket number to the zombie. Afterwards, both the password and the ticket number must match for a zombie to execute an attack command. Finally, the creators of the shaft attack tool are particularly interested in packet statistics. A shaft master can query zombies to obtain the amount of malicious traffic generated. This might be used to estimate the amount of traffic created by shaft zombies.

TFN2k

As its name indicates, TFN2k [8, 22] is a successor of TFN. It employs UDP flooding, TCP SYN flooding, ICMP flooding, smurf attacks or a mixture of them. It can also obfuscate the traffic sources by forging source IP addresses randomly or within a specific range of IP addresses. This allows TFN2k attack packets to circumvent ingress filters [49]. (Ingress filtering will be described later in this chapter.) In addition, TFN2k is capable of creating random malformed IP packets which can crash some IP protocol stacks. Moreover, TFN2k was designed to compile on different operating systems, such as Linux, Solaris and Windows platforms. In other words, these systems are susceptible to infection by TFN2k.

Communications between a TFN2k attacker and masters are accomplished via randomized TCP, UDP and ICMP packets, and are protected by encryption algorithms. Masters and zombies are protected by passwords determined at compile time. All attack commands are represented using a single character, and therefore it is very difficult to identify packets carrying TFN2k attack instructions by inspecting the payloads of IP packets. Furthermore, TFN2k attackers can hide the origins of attack instructions by IP spoofing. As a consequence, there is no way to acknowledge the receipt of attack commands. To increase the probability that masters receive attack instructions successfully, attack instructions are issued multiple times. All these factors make TFN2k very hard to defend against.

Mstream

Like other DDoS attack tools, mstream [25, 36] conducts DDoS attacks via masters and dozens of zombies. Communications between an attacker and masters are accomplished via TCP, and communications between masters and zombies are through UDP. Compared with other DDoS attack tools, mstream is relatively primitive. It creates a flood of TCP packets with the ACK bit set, and the source IP addresses of these attack packets are randomly spoofed. A vast number of attack packets consume the inbound network bandwidth of the victim network. Additionally, the TCP RST packets triggered by the attack packets also tie up the outbound network bandwidth of the victim network.

Trinity and Entitee

Trinity and its variant Entitee [55] are DDoS attack tools that use IRC to deliver attack instructions. Upon execution of the attack daemons, zombies connect to an IRC server and then wait for commands sent from the attacker. Using IRC, an attack instruction can be delivered to a single trinity zombie individually, or it can be broadcast to a specific IRC channel. In the latter case, all zombies receiving the instruction execute the attack command accordingly. Available DDoS attacks are UDP flooding, IP fragment flooding, TCP SYN flooding, TCP RST flooding [108] and TCP ACK flooding [25, 36].

2.3 Fundamental Challenges to DDoS Defense

DDoS attacks are rooted in the resource asymmetry between zombies and the victim under attack. They are, in fact, simple brute force attacks. It is this simplicity that makes DDoS attacks very hard to defend against. Additionally, there are other factors that constitute obstacles to the design of effective DDoS countermeasures, and the major obstacles are described below.

• IP header fields can be spoofed. As mentioned above, most DDoS attack tools are capable of forging arbitrary IP header fields, such as the source IP address, source/destination ports and other header fields. In particular, they can create IP packets with source IP addresses spoofed randomly or within a specific range of IP addresses. IP spoofing allows attackers to conceal the sources of attack streams or attack instructions. Thus, attackers run a low risk of being caught because the source IP addresses are often implausible. It is very hard for victims to trace back to zombies, and it is even harder to find the attackers controlling zombies and masters. Furthermore, IP spoofing helps attackers circumvent sophisticated queuing algorithms [2, 62], which help share a limited resource fairly among several participants. It is also worth noting that IP spoofing is a key to creating DRDoS attacks. In DRDoS attacks, zombies use IP spoofing to deceive selected Internet servers into flooding victims.

• Attack streams are composed of legitimate-looking packets. To avoid being detected and filtered by intrusion detection systems and firewalls, DDoS attack tools tend to use common or expected communication protocols as the vehicles of their attack streams. Most DDoS attack tools use TCP, UDP, ICMP, upper layer protocols or a mixture of them to flood the victim. For instance, attackers can use a huge number of large HTTP requests to saturate the network bandwidth of a web server or to overwhelm the web server itself. IDSs that use explicit attack patterns to detect attack packets cannot work well in this situation. Furthermore, legitimate packets could suffer collateral damage. In other words, filtering attack packets in an effective and accurate manner remains a very challenging issue.

• Computer systems are usually exploitable. One simple solution against DDoS attacks is to secure all computer systems on the Internet. In this way, it would be hard for attackers to take control over a large number of zombies, and thus conducting DDoS attacks would become harder. Unfortunately, this simple approach is infeasible. First, computer systems on the Internet are administrated independently. It requires tremendous effort to protect all computer systems in different administrative domains from being compromised. Second, securing a computer system is itself a very difficult problem. Computer systems can be vulnerable for various reasons. For instance, an attacker can penetrate a system by taking advantage of software bugs, misconfigurations or weak passwords. All these problems together make securing a computer system a very complicated issue, and it is even harder to assure the security of all computers. In other words, it is unrealistic to assume that we can secure all computers on the Internet. There will always be abundant attack zombies for DDoS attackers.

• No one-size-fits-all solution for DDoS attacks. The diversity of DDoS attacks, especially in terms of the type of resource exhausted, further complicates the design of effective DDoS countermeasures. Some DDoS attacks are easier to detect on victims or victims' networks than in other positions, while other DDoS attacks need to be handled by Internet routers in a cooperative manner. Specifically, attack detection can be very effective at victims or victim networks, while attack filtering is usually ineffective in these places. On the other hand, attack filtering can be effective upstream of the attack, while it is usually also very hard to detect attacks upstream.

2.4 An Overview of DDoS Countermeasures

In recent years, many DDoS defense mechanisms have been presented in the literature. Some of these approaches attempt to eliminate DDoS attacks by removing the fundamental causes of attacks, and such DDoS solutions are usually referred to as proactive defense. Some approaches, classified as reactive defense, aim at detecting DDoS attacks and at alleviating the symptoms of attacks while they are ongoing. Some other DDoS defense systems focus on locating the sources of attack streams. With IP traceback mechanisms, attackers run a higher risk of being discovered, and this may help stop future attacks.

In this section, we first present several candidate positions for the deployment of DDoS defense systems. Afterwards, we briefly describe the design concepts and operational overview of existing proactive defense approaches, reactive defense approaches and traceback schemes.

2.4.1 Points of Deployment

Figure 2.7: Candidate points of deployment

Fig. 2.7 depicts candidate points for the deployment of DDoS defense systems. Basically, DDoS defense can be placed at victim-end elements, source-end elements, or multiple defense nodes, including victim-end elements, intermediate network components and source-end elements. In the context of this dissertation, victim-end elements include end host systems and edge routers which serve as ingress and egress points for subnetworks. Intermediate network components mainly refer to Internet routers. Source-end elements, much like victim-end elements, also comprise end host systems and edge routers. Though victim-end elements and source-end elements both refer to almost the same set of network entities, the functions of DDoS defense systems deployed on victim-end elements and source-end elements are very different, and this will be made clear later in this section.

First, consider a victim-end deployment of DDoS defense systems. DDoS defense systems in this category protect an end host if the defenses are installed on an end host system, or they protect the set of end hosts connecting to an edge router if the defenses are deployed on an edge router. Owing to the direct benefits to the deployed sites, victim-end approaches generally have a stronger incentive to be widely deployed. Since DDoS attack traffic aggregates at points approaching victims or victim networks, traffic anomalies are more observable on victim-end elements. However, victim-end defenses sometimes provide little help in filtering attack packets if the competition for resources takes place on upstream routers.

Second, DDoS defense systems can be deployed on end host systems or edge routers in order to prevent the deployed sites or subnetworks from participating in DDoS attacks. The major advantage of such a deployment is the ability to confine attack traffic at its sources or source networks. DDoS attacks can be suppressed quickly, and network congestion caused by attack traffic can be reduced. Though schemes in this category seem very effective in defending against DDoS attacks, they need to be deployed widely on the Internet, and they generally provide very little motivation for their deployment.


Next, consider a distributed deployment of DDoS defense. That is, DDoS defense systems are deployed on multiple nodes including end hosts, edge routers and Internet core routers. In this case, the DDoS problem is addressed in a cooperative manner. Whenever a DDoS attack signal is detected on victims or edge routers, an alert is sent to upstream defense nodes. In this way, the defense line can be pushed toward the attack sources, and the filtering components may achieve better performance. The effectiveness of distributed deployment largely depends on tight cooperation among defense nodes. These nodes may belong to different autonomous systems that are administrated independently, and such a distributed deployment could incur tremendous coordination effort among different ISP networks. Furthermore, alert messages containing packet filtering instructions need to be protected. In particular, they should be authenticated; otherwise, malicious users could instruct defense entities which are capable of filtering packets to arbitrarily discard legitimate packets. The establishment of secure communication channels among defense entities would also incur substantial cost.

2.4.2 Proactive Defense Approaches

One naive approach to improving a server's resistance to DDoS attacks is to allocate resources redundantly. By replicating critical resources, the difficulty of conducting a DDoS attack on the server is raised. This naive approach might work in defending against a DoS attack or a small-scale DDoS attack. However, it certainly cannot cope with DDoS attacks with a large number of zombies.

Another simple proactive approach is to secure all computer systems on the Internet. By minimizing the candidates for attack zombies, we may have a chance to weaken the power of DDoS attacks to some degree, and resource-replicating approaches might work better. However, as aforementioned, this approach is infeasible on large-scale networks such as the Internet. In other words, though the approaches described above might be helpful, they simply cannot stop DDoS attacks.

A well-known proactive scheme for addressing DDoS attacks is so-called ingress filtering [49, 70]. Ingress filtering is a source-end defense system. Assume that an edge router has the set of valid IP addresses used by the computer systems connecting to it. Then an ingress filter installed on the edge router is capable of prohibiting attackers within the originating network from launching DDoS attacks with forged source IP addresses that do not conform to the valid IP addresses. In this way, ingress filters installed at periphery networks can help reduce the power of spoofed DDoS attacks. Another similar approach, named DPF, is proposed in [82]. DPF addresses DDoS attacks by preventing spoofed IP packets from reaching their destinations. In DPF, given the reachability constraints imposed by the routing topology, a border gateway can determine whether an incoming IP packet is valid or not by inspecting its inscribed source/destination IP addresses. DPF requires deployment on only 18% of Internet AS topologies to achieve a synergistic filtering effect. However, its ultimate effect is identical to that of a widely deployed ingress filtering scheme.

Secure Overlay Service (SOS) [60, 61] is proposed to protect a predefined set of Internet servers and clients from DDoS attacks. In brief, SOS employs a set of overlay nodes, secure overlay tunneling, and filtering to control access to protected sites. SOS works well under simple congestion-based DDoS attacks, but it is vulnerable to two more intelligent attacks [113]. A mechanism for protecting web servers from DDoS attacks, called WebSOS [33], is built on the SOS architecture and the use of TLS/SSL [40, 94]. WebSOS is simply a direct extension of SOS; that is, it allows a predetermined set of clients scattered over the Internet to access a protected web site.

In [112], a DDoS defense scheme for sustaining the availability of web servers is presented. Protection is simply achieved by redirecting clients to a new IP address and port number via a standard HTTP redirection message. Part of the new IP address and port number is translated into a Message Authentication Code (MAC) for the client. If the source IP address of the first HTTP request is forged, the attacker will not receive the redirection message. Thus, without a valid MAC, an attacker is not able to arbitrarily access a protected web server, and therefore the high availability of the server can be sustained.
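The redirection exchange described above, as an added example that is not the scheme's own code nor taken from [112]. For simplicity the MAC is folded into the port number only (the paper also uses part of the IP address); the server key, the port range and the epoch counter used for key rotation are constructed assumptions. The exchange is simulated on one host: the front end answers the first request with a 302 whose Location carries a port derived from an HMAC over the requester's source address, and the protected service serves a follow-up request only if the port it arrived on matches the HMAC of that request's source address.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed parameters (hypothetical, not from [112]).
SERVER_KEY = b"constructed-demo-key-rotate-me"   # secret held by the protected server
BASE_PORT = 10000                               # first port of the redirection range
PORT_SPACE = 4096                               # 12 bits of MAC carried in the port number


def redirect_port(client_ip, epoch=0, key=SERVER_KEY):
    """Client-specific port: a truncated HMAC over the client's source address and a
    rotation epoch, folded into the port range."""
    msg = ipaddress.ip_address(client_ip).packed + epoch.to_bytes(4, "big")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return BASE_PORT + int.from_bytes(tag[:2], "big") % PORT_SPACE


def handle_first_request(client_ip, host="www.example.com", epoch=0):
    """Front-end answer to the first request: a standard 302 whose Location carries the MAC."""
    port = redirect_port(client_ip, epoch)
    return f"HTTP/1.1 302 Found\r\nLocation: http://{host}:{port}/\r\n\r\n"


def parse_redirect_port(response):
    """What a real client does with the 302: read the port out of the Location header."""
    m = re.search(r"Location: http://[^:/]+:(\d+)/", response)
    return int(m.group(1)) if m else None


def accept_at_port(client_ip, port, epochs=(0,)):
    """Check at the redirected port: serve only if the port's MAC matches the source
    address the request actually came from (for any epoch still honoured)."""
    return any(port == redirect_port(client_ip, e) for e in epochs)


def simulate(real_ip, claimed_src):
    """A client whose packets carry `claimed_src` as source address while the network
    delivers replies to `real_ip`. Returns True if its follow-up request is served."""
    response = handle_first_request(claimed_src)   # the 302 is addressed to the claimed source
    if real_ip != claimed_src:
        # Spoofed source: the redirection never reaches the sender, so it holds no MAC
        # and can only guess a port; a fixed guess stands in for a blind attempt.
        return accept_at_port(claimed_src, BASE_PORT)
    return accept_at_port(claimed_src, parse_redirect_port(response))


def accepted_ports(client_ip):
    """Number of ports in the range that serve a given source address (exactly one)."""
    return sum(accept_at_port(client_ip, p) for p in range(BASE_PORT, BASE_PORT + PORT_SPACE))
```

A sender that spoofs its source address never sees the 302, so its chance of hitting the one accepted port out of 4096 by guessing is 1/4096 per attempt; the same derivation also prevents a port learned by one host from being replayed with a different source address, since the MAC is bound to the address the follow-up request arrives from. Rotating the epoch (and accepting the previous epoch for a short grace period) bounds how long a learned port stays valid.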

An IP-layer anonymizing infrastructure, called ANON [29, 67, 68], is proposed to hide the actual IP addresses of Internet servers from both legitimate clients and attackers while, at the same time, the services are sustained. With ANON, a client communicates with its target server by using "server handles" rather than the server IP address, where a server handle is actually an encrypted string that can be decrypted into the server IP address. Other techniques, such as protocol camouflaging, link encryption and link padding, are also adopted to prevent attackers from learning the IP addresses that ANON intends to hide.

In [63], a hardware DDoS solution that can block malicious TCP packets at edge routers is proposed. Simply speaking, this approach determines the legitimacy of a TCP packet by examining whether the packet belongs to a previously established TCP connection or not. TCP packets, except for TCP SYN packets, that do not belong to any known TCP connection are discarded.
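The connection-tracking rule of [63], reduced to software as an added example (not the authors' hardware design and not code from the dissertation). The segment abstraction, the state names and the constructed trace are assumptions made for the example: a pure SYN always opens an entry, every other segment must match an entry in either direction, and an entry is removed on RST or after a complete FIN exchange.

```python
from collections import namedtuple

# Constructed TCP segment abstraction: only the fields the filter looks at.
Segment = namedtuple("Segment", "src sport dst dport flags")


class EdgeTcpFilter:
    """Connection-tracking filter: SYNs may open a new entry, every other segment must
    match a known connection (forward or reverse direction) or it is discarded."""

    def __init__(self):
        self.table = {}    # (client, cport, server, sport) -> state
        self.dropped = 0

    @staticmethod
    def _keys(seg):
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        return fwd, rev

    def admit(self, seg):
        """Return True if the segment is forwarded, False if it is discarded."""
        fwd, rev = self._keys(seg)
        if "S" in seg.flags and "A" not in seg.flags:
            # A pure SYN is always admitted (this scheme does not stop SYN floods);
            # remembering it lets the handshake replies be matched later.
            self.table[fwd] = "SYN_SENT"
            return True
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is None:
            self.dropped += 1          # e.g. spoofed ACK or RST floods match no entry
            return False
        state = self.table[key]
        if "R" in seg.flags:
            del self.table[key]        # abortive close
        elif "F" in seg.flags:
            self.table[key] = "LAST_ACK" if state == "FIN_WAIT" else "FIN_WAIT"
        elif state == "LAST_ACK" and "A" in seg.flags:
            del self.table[key]        # final ACK of a graceful close
        elif state == "SYN_SENT" and "S" in seg.flags and "A" in seg.flags and key == rev:
            self.table[key] = "SYN_RECEIVED"
        elif state == "SYN_RECEIVED" and "A" in seg.flags and key == fwd:
            self.table[key] = "ESTABLISHED"
        return True


def demo():
    """Constructed trace: one legitimate connection, a spoofed ACK that matches nothing,
    and a stray segment after the close. Returns the decisions and the drop count."""
    f = EdgeTcpFilter()
    c, s = ("192.0.2.10", 40000), ("198.51.100.80", 80)
    trace = [
        Segment(*c, *s, "S"), Segment(*s, *c, "SA"), Segment(*c, *s, "A"),   # handshake
        Segment("203.0.113.5", 5555, *s, "A"),                               # spoofed ACK
        Segment(*c, *s, "FA"), Segment(*s, *c, "A"),
        Segment(*s, *c, "FA"), Segment(*c, *s, "A"),                         # graceful close
        Segment(*c, *s, "A"),                                                # stray after close
    ]
    return [f.admit(seg) for seg in trace], f.dropped
```

Entries in a real device are also expired by timer, since a flow whose teardown the filter never sees would otherwise stay admissible indefinitely; and because the filter must observe both directions of a flow, it has to sit where the edge network's traffic is not asymmetrically routed.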

2.4.3 Reactive Defense Approaches

Next, we turn to look at reactive approaches, which respond to DDoS attacks when they occur. This kind of DDoS defense approach generally consists of two phases: an attack detection phase and an attack filtering phase. The mission of the attack detection phase is to determine whether a DDoS attack is ongoing or not. Upon the recognition of a DDoS attack in the detection phase, the components responsible for attack filtering start to distinguish malicious packets from legal ones. Identified attack packets will be dropped, or rate-limiting rules will be imposed on identified attack flows. In the following, we group reactive defense approaches according to their deployment, and present an overview of each scheme.

Victim-end DDoS defense

A preliminary study on detecting and responding to DDoS attacks with the chi-square statistic and entropy is presented in [47, 48]. Techniques for DDoS detection and response are briefly introduced, while the effectiveness and reliability of the proposed approach are not evaluated. There are still other schemes detecting DDoS attacks with statistical techniques [72, 111]. These schemes mostly focus on detecting attacks, and response techniques are seldom discussed.

PacketScore [31, 64] is another scheme using statistical techniques to detect DDoS attacks. In PacketScore, profiles of incoming traffic are compared with normal traffic profiles in order to detect anomalies. Given the attributes of an incoming IP packet (i.e., IP header fields), the PacketScore system computes the "Conditional Legitimate Probability" (CLP) of the incoming packet, and by comparing the CLP of each packet with a dynamically adjusted threshold, attack packets can be identified and discarded selectively. NetBouncer [106] is a victim-end solution to DDoS attacks. Upon the receipt of an incoming packet, a NetBouncer device determines the legitimacy of the packet by
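The profile-comparison and thresholding idea behind PacketScore, as an added example that is not the PacketScore implementation and is not code from the dissertation. The scoring rule here is a simplification made for the example: under an attribute-independence assumption the log CLP of a packet is the sum, over four header attributes, of log P_nominal(value) minus log P_measured(value), where the nominal profile comes from a clean traffic window and the measured profile from the window under scrutiny. The threshold is recomputed per window so that no more than the server's capacity in packets passes; the attribute set, the benign mix and the flood are all constructed.

```python
import math
from collections import Counter

# Constructed attribute set (stands in for the header fields a real scorer would use).
ATTRS = ("proto", "ttl", "size", "flags")


def profile(packets):
    """Per-attribute value distributions (the 'traffic profile') of a packet set."""
    n = len(packets)
    counts = {a: Counter(p[a] for p in packets) for a in ATTRS}
    return {a: {v: c / n for v, c in cnt.items()} for a, cnt in counts.items()}


def clp_score(packet, nominal, measured, floor=1e-4):
    """Log conditional legitimate probability under attribute independence:
    sum over attributes of log P_nominal(value) - log P_measured(value).
    Values never seen in a profile get probability `floor`."""
    score = 0.0
    for a in ATTRS:
        pn = nominal[a].get(packet[a], floor)
        pm = measured[a].get(packet[a], floor)
        score += math.log(pn) - math.log(pm)
    return score


def choose_threshold(scores, capacity):
    """Dynamic threshold for this window: the score just below the best `capacity`
    packets, or -inf when the whole window already fits."""
    if capacity >= len(scores):
        return -math.inf
    return sorted(scores, reverse=True)[capacity]


def filter_window(window, nominal, capacity):
    """Score each packet of the window against the nominal profile and the profile
    measured from the window itself, then keep only packets scoring above the threshold."""
    measured = profile(window)
    scores = [clp_score(p, nominal, measured) for p in window]
    thr = choose_threshold(scores, capacity)
    return [p for p, s in zip(window, scores) if s > thr], thr


def legit_traffic(n):
    """Constructed benign mix: mostly TCP, varied TTL and size, plausible flag values."""
    pkts = []
    for i in range(n):
        proto = "tcp" if i % 10 < 8 else ("udp" if i % 10 == 8 else "icmp")
        pkts.append({
            "proto": proto,
            "ttl": "64" if i % 2 == 0 else "128",
            "size": "small" if i % 3 else "large",
            "flags": ("SA" if i % 4 == 0 else "A") if proto == "tcp" else "-",
            "legit": True,
        })
    return pkts


def attack_traffic(n):
    """Constructed flood: every packet carries the same header values."""
    return [{"proto": "udp", "ttl": "64", "size": "large", "flags": "-", "legit": False}
            for _ in range(n)]


def demo(capacity=100):
    """Nominal profile from a clean window, then a window of 100 benign + 400 flood packets.
    Returns (packets kept, benign packets kept, threshold used)."""
    nominal = profile(legit_traffic(100))
    window = legit_traffic(100) + attack_traffic(400)
    kept, thr = filter_window(window, nominal, capacity)
    return len(kept), sum(p["legit"] for p in kept), thr
```

With a capacity of 100 packets per window the flood is cut entirely, but so are the three benign packets whose header values happen to coincide with the flood's: a scorer that sees only header attributes cannot tell them apart, which is the inherent cost of this kind of selective discarding. The threshold is what makes the scheme adaptive, since it is derived from the score distribution of each window rather than fixed in advance.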
