
1 An Adaptable Inter-Domain Infrastructure Against DoS Attacks
Georgios Koutepas, National Technical University of Athens, Greece
SSGRR 2003w, January 10, 2003

2 Adaptable Inter-Domain Infrastructure Against DoS Attacks, SSGRRw 2003
What is "Denial of Service"?
An attack to suspend the availability of a service.
Until recently the "bad guys" tried to enter our systems. Now it's: "If not us, then nobody".
No break-in attempts, no information stealing, although they can be combined with other attacks to confuse Intrusion Detection Systems.
No easy solutions! DoS is still mostly a research issue.

3 Main Characteristics of DoS
Variable targets:
–Single hosts or whole domains
–Computer systems or networks
–Important: active network components (e.g. routers) are also vulnerable and possible targets!
Variable uses & effects:
–Hacker "turf" wars
–High profile commercial targets (or just competitors…)
–Useful in cyber-warfare, terrorism etc.

4 Brief History
First Phase (starting in the '90s): Single System DoS
–Started as bug/vulnerability exploitation
–The targets are single hosts / single services
–One single malicious packet is many times enough
Second Phase ( ): Resource Consuming DoS
–Resource consuming requests from many sources
–Internet infrastructure used for attack amplification
Third Phase (after 2000): Distributed DoS
–Bandwidth of network connections is the main target
–Use of many pirated machines, possibly in many attack stages, that have an escalating effect to saturate the victim(s)

5 Brief History (cont.)
Important Events:
February : Big commercial sites (CNN, Yahoo, E-Bay) are taken down by flooding of their networks.
–The attacks capture the attention of the media
–The US President assembles an emergency council of members of Internet and e-commerce companies, civil liberties organizations, and security experts to jointly announce actions strengthening Internet and computer network security
January 2002: The British ISP CloudNine suspends operations because of continuous interruption in Internet connectivity.

6 Distributed DoS
(Diagram) Attacker X first takes control of pirated machines ("zombies") in Domain A and Domain B, then commands the attack against the Target domain.

7 A DDoS Attack Domain-wise
(Diagram) Sources of the attack in several domains; Attack Transit Domains carry the flows toward the Target Domain; Innocent Domains are not involved, but their connectivity is affected.

8 DDoS Facts
Some hundred persistent flows are enough to knock a large network off the Internet.
Incoming traffic has to be controlled outside the victim's domain, at the upstream providers.
Usually the source IPs of attack packets are spoofed.
Offending systems may be controlled without their users suspecting it.
Possibly many levels of command & control:
–Attacker-Manager-Agents
Examples of automatic tools for such attacks: "Trinoo", "Stacheldraht", and "TFN2K", also called rootkits.

9 Multi-tier attack
(Diagram) Attacker X commands several Attack Masters, which in turn command the Attack Agents ("zombies") that flood the Target domain.

10 Reflection DDoS Attack
(Diagram) Attacker X commands an Attack Master, which commands the "zombies"; the zombies send legitimate TCP SYN requests to routers, web or other servers, and the TCP SYN-ACK answers are directed at the Target domain.

11 Reaction to DDoS
The malicious flows have to be determined. Timely reaction is critical!
The attack characteristics have to be communicated (in any way possible) upstream. This usually has to be done manually and is an uncertain and time-consuming procedure.
Filters that will block attack traffic must be set up and maintained. Their effectiveness must be verified.
The bandwidth penalty is still present throughout all the affected networks.
Actions are required on all the networks along the attack path.

12 Reaction to DDoS (cont.)
Another possible solution (helps the ISP): stop all traffic to the target. Direct it to a central point and discard it. This completes the attack!
Trace-back efforts:
–Following the routing (if sources are not spoofed)
–Step by step through the ISPs. Difficult to convince them if they are not concerned about the bandwidth penalty
Conclusion: It's not a matter of a single site.

13 Our Solution: Inter-Domain Cooperative IDS Entities

14 Inter-Domain Cooperative IDS Entities
(Diagram) Participating Domains each host a Cooperative IDS Entity; Non-participating Domains do not. Notifications propagate between Entities by multicast, and each Entity activates filters and reacts according to local policies.
The Cooperative IDS Entities constitute an Overlay Network.

15 Main Design Characteristics: Architecture
Unit of reaction to the attack: each administrative domain.
Requires agreement between domains, but this is not difficult, since they preserve their independence.
Actions along the attack path in as many networks as possible.
Minimizing the bandwidth loss not only at the victim but at each step of the attack. Non-malicious traffic then has better chances to get through.

16 The Entities
The Entities compose the infrastructure:
–They are the trusted points for the domain
–They manage all communications and reaction within the domain, aimed at stopping an on-going attack
–Communications by multicast methods
–They are at the top of the local IDS hierarchy, thus combine the local picture with the one from peers
–They are controlled locally according to the choices and policies of the administrator
They can implement reaction filters on routers, BUT:
–Their duration is controlled, the admin is aware of them and it's possible to adjust to shifting attack patterns

17 Main Design Characteristics: Entity Implementation
Lightweight and modular software architecture, with different components performing the various tasks.
Java Management Extensions (JMX) framework for control and configuration.
Using the Intrusion Detection Message Exchange Format (IDMEF) in all messages achieves compatibility with standards and inter-operability with installed IDS infrastructure.
Multicast advantages:
–Independence from specific installation host
–Stealthy presence
–Possible parallel operation of backup Entities

18 Main Design Characteristics: Internal Entity Architecture
(Diagram) Units: Communication Unit, Filtering Unit, Analysis Unit, Response Unit, JMX Infrastructure, Management Console. Inputs from Peer Entities and Local Network Components: Alerts, Heartbeats, Local Notifications. Internal data: Event Info, Configuration, Transcription, Response Policies.

19 What happens during an Attack
(Diagram) Cooperative IDS Entities in participating domains, Non-participating Domains, and Hot-spare Entities.
(1) The attack may be detected in many places at the same time with the help of local IDS.
(2) The alerted Entities notify all other ones in their community, using multicast.
(3) Some of them may determine that they are not on the attack path.
(4) The rest automatically set up filters to suppress the attack.
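The four steps above as an added toy model (example code, not the prototype described in the talk): a constructed next-hop table stands in for each domain's routing knowledge, the alert format and the 300-second filter lifetime are assumptions, and an Entity installs a filter only if its domain lies on a path from an attack source to the victim.

```python
# Constructed topology (assumption): next hop of each domain toward the
# victim domain "V". A and B host the attack sources, T1 and T2 are transit
# domains on the way to V, and C, D and X are innocent neighbours.
NEXT_HOP = {"A": "T1", "B": "T2", "T1": "T2", "T2": "V",
            "C": "T2", "D": "X", "X": "V"}

def attack_path(src, victim, next_hop=NEXT_HOP):
    """Domains crossed from src to victim, or None if no route is known."""
    hops, cur = [src], src
    while cur != victim:
        cur = next_hop.get(cur)
        if cur is None or cur in hops:      # dead end or routing loop
            return None
        hops.append(cur)
    return hops

class Entity:
    """One Cooperative IDS Entity: the trusted reaction point of a domain."""
    def __init__(self, domain, filter_ttl=300):
        self.domain = domain
        self.filter_ttl = filter_ttl        # seconds a filter stays installed
        self.filters = {}                   # (victim, source) -> expiry time

    def on_notification(self, alert, now):
        """Steps 3 and 4: act only if this domain lies on the attack path
        from some source to the victim; then install a time-limited filter."""
        installed = []
        for src in alert["sources"]:
            p = attack_path(src, alert["victim"])
            if p and self.domain in p:
                self.filters[(alert["victim"], src)] = now + self.filter_ttl
                installed.append(src)
        return installed

    def expire_filters(self, now):
        """Filters have a controlled duration (slide 16): drop expired ones."""
        self.filters = {k: t for k, t in self.filters.items() if t > now}
        return len(self.filters)

def react(alert, domains, now=0.0):
    """Step 2: the multicast notification reaches every Entity; return which
    sources each domain decided to filter (empty = not on the attack path)."""
    return {d: Entity(d).on_notification(alert, now) for d in domains}

# Constructed alert raised by the victim's local IDS (step 1).
ALERT = {"victim": "V", "sources": ["A", "B"]}
```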

20 Additional Concepts
It is possible to create communities of Entities and distribute the notifications only within them. Only events that transcend two communities will be let through, thus limiting traffic and notification overhead.
The communities can be set up thanks to multicast either:
–Geographically (by the TTL on the packets)
–According to common interests etc. (by different multicast groups)
Security:
–The messages are encrypted against eavesdropping, BUT by symmetric cryptography
–Additionally there are timestamps and digital signatures on the messages to avoid replay (repetition) attacks
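The timestamp-plus-signature check from the Security bullets, as an added example that is not the project's own code: HMAC-SHA256 under a constructed community key stands in for the signature, the 60-second freshness window and the (sender, seq) replay record are assumptions, and the encryption layer is left out.

```python
import hmac, hashlib, json, time

# Assumptions (not from the presentation): one key shared by the community
# stands in for the signing key, HMAC-SHA256 for the signature, and a
# 60-second acceptance window for the timestamp.
COMMUNITY_KEY = b"constructed-demo-key"
MAX_SKEW = 60

def sign(msg, key=COMMUNITY_KEY):
    """Canonical JSON of the message body, authenticated with HMAC-SHA256."""
    body = json.dumps(msg, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def make_notification(sender, victim, sources, seq, now=None, key=COMMUNITY_KEY):
    """Build a signed, timestamped attack notification (IDMEF-like fields)."""
    msg = {"sender": sender, "victim": victim, "sources": sources,
           "seq": seq, "ts": int(time.time() if now is None else now)}
    return {"msg": msg, "sig": sign(msg, key)}

class Receiver:
    """Verification every Entity performs before acting on a notification."""
    def __init__(self, key=COMMUNITY_KEY):
        self.key = key
        self.seen = set()          # (sender, seq) pairs already accepted

    def verify(self, envelope, now=None):
        now = time.time() if now is None else now
        msg = envelope["msg"]
        # 1. authenticity/integrity: constant-time compare of the signature
        if not hmac.compare_digest(sign(msg, self.key), envelope["sig"]):
            return "bad-signature"
        # 2. freshness: reject timestamps outside the acceptance window
        if abs(now - msg["ts"]) > MAX_SKEW:
            return "stale"
        # 3. replay: the same (sender, seq) must not be accepted twice
        tag = (msg["sender"], msg["seq"])
        if tag in self.seen:
            return "replay"
        self.seen.add(tag)
        return "accepted"
```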

21 Current Status
Currently developing a prototype
–Linking with a Panoptis / Netflow detection engine
Plans to deploy it in the Greek Academic Network
Testing the effectiveness of a peer-2-peer communications scheme in addition to multicast
Developing the Hot-Spare concepts

22 Questions and Answers
