Characterizing and Defending Against DDoS Attacks
Christos Papadopoulos and many others
How Do Computers Find Each Other?
[Figure: Computer 1 and Computer 2 connected through the Internet]
What Are the Different Kinds of Addresses?
- A domain name (e.g., …): global, human-readable name; DNS translates the name to an IP address
- An IP address (e.g., …): global, understood by all networks
- Finally, we need a local network address, e.g., an Ethernet address (c-19-dc-45): local, works only on a particular network
Domain Naming System (DNS)
[Figure: a host asks its local DNS server "What's the IP address for Computer 1?" and gets the answer "It is …"]
- The DNS server address is manually configured into the OS
Finding the Ethernet Address: Address Resolution Protocol (ARP)
[Figure: Ethernet broadcast "Who knows the Ethernet address for …?"; the owner answers by Ethernet broadcast "I do, it is c-19-dc-45"]
Sending a Packet Through the Internet
[Figure: hosts (H) attached to a mesh of routers (R)]
- Routers send the packet to the next closest point
- The Internet routes packets based on their destination!
Smurf Attack
[Figure: attacker, amplifier network, target]
- The attacker sends a broadcast echo request into the amplifier network; the source address is spoofed to be the target's address
- Many echo replies are received by the target, since most machines on the amplifier network respond to the broadcast
TCP SYN Flooding: A More Powerful Attack
Normal handshake, client (port = 33623/tcp) to server (port = 23/tcp):
  client -> server: SYN
  server -> client: SYN-ACK
  client -> server: ACK
  [session proceeds; ACK set for remainder of session]
Attack, spoofed source against target (port = 23/tcp):
  nonexistent host -> target: SPOOFED SYN
  target -> nonexistent host: SYN-ACK
  FINAL ACK NEVER SENT
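The two attacks above leave distinct traces on the defender's side: a Smurf amplifier sees echo requests addressed to its own broadcast address, and a SYN-flooded server accumulates handshakes that never complete. The following detector, an added example and not code from the slides or from the Cossack project, replays constructed packet records (labelled as such in the code; the 198.51.100.0/24 and 203.0.113.0/24 addresses are documentation ranges) and flags both patterns. The thresholds (five half-open connections, 80 % incomplete) are assumptions for illustration.

```python
from collections import defaultdict

# Constructed packet records (not captured traffic): one dict per packet.
# TCP flags use tcpdump-style letters: "S" = SYN, "SA" = SYN-ACK, "A" = ACK.
PACKETS = [
    # A normal telnet handshake from an internal client to server 10.0.0.10:23.
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "10.0.0.10", "dport": 23, "flags": "S"},
    {"proto": "tcp", "src": "10.0.0.10", "sport": 23, "dst": "10.0.0.5", "dport": 40000, "flags": "SA"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "10.0.0.10", "dport": 23, "flags": "A"},
]
# Five SYNs with spoofed sources: the server answers each with a SYN-ACK,
# but the final ACK never arrives (the half-open pattern from the slide).
for i in range(1, 6):
    PACKETS.append({"proto": "tcp", "src": f"198.51.100.{i}", "sport": 33000 + i,
                    "dst": "10.0.0.10", "dport": 23, "flags": "S"})
    PACKETS.append({"proto": "tcp", "src": "10.0.0.10", "sport": 23,
                    "dst": f"198.51.100.{i}", "dport": 33000 + i, "flags": "SA"})
# Three ICMP echo requests (type 8) aimed at our directed-broadcast address; the
# source address is the probable spoofed victim of a Smurf-style amplification.
for _ in range(3):
    PACKETS.append({"proto": "icmp", "src": "203.0.113.7", "dst": "10.0.0.255", "type": 8})


def track_handshakes(packets):
    """Replay the three-way handshake per flow and count, for every server address,
    how many connections stayed half-open versus how many completed."""
    state = {}  # (client, client_port, server, server_port) -> "syn" | "synack" | "established"
    for p in packets:
        if p["proto"] != "tcp":
            continue
        if p["flags"] == "S":
            state[(p["src"], p["sport"], p["dst"], p["dport"])] = "syn"
        elif p["flags"] == "SA":  # reply travels server -> client, so reverse the key
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            if state.get(key) == "syn":
                state[key] = "synack"
        elif p["flags"] == "A":
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            if state.get(key) == "synack":
                state[key] = "established"
    per_server = defaultdict(lambda: [0, 0])  # server -> [half_open, completed]
    for (_, _, server, _), st in state.items():
        per_server[server][1 if st == "established" else 0] += 1
    return {server: tuple(counts) for server, counts in per_server.items()}


def syn_flood_suspects(packets, min_half_open=5, min_ratio=0.8):
    """Servers whose half-open count and half-open ratio both reach the assumed thresholds."""
    suspects = []
    for server, (half_open, completed) in track_handshakes(packets).items():
        total = half_open + completed
        if half_open >= min_half_open and half_open / total >= min_ratio:
            suspects.append(server)
    return sorted(suspects)


def smurf_victims(packets, broadcast_addrs):
    """Echo requests addressed to one of our broadcast addresses, counted by source:
    each source is a probable spoofed victim our network would amplify against."""
    hits = defaultdict(int)
    for p in packets:
        if p["proto"] == "icmp" and p.get("type") == 8 and p["dst"] in broadcast_addrs:
            hits[p["src"]] += 1
    return dict(hits)


if __name__ == "__main__":
    print("half-open/completed per server:", track_handshakes(PACKETS))
    print("SYN flood suspects:", syn_flood_suspects(PACKETS))
    print("Smurf amplification targets:", smurf_victims(PACKETS, {"10.0.0.255"}))
```

The handshake tracker keys flows from the client's point of view and reverses the key for the SYN-ACK, so a stray SYN-ACK with no preceding SYN is ignored rather than counted. A real deployment would age out state (a legitimate client on a slow link also looks half-open for a moment) and would read the broadcast address set from the interface configuration instead of a literal.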
So, What Is DDoS?
- Distributed Denial of Service
- A new, more pernicious type of attack
- Many hosts "gang up" to attack another host
- A network resource attack: bandwidth, state
Why Should We Care?
- Successfully used to attack prominent sites in the Internet by people with only a primitive understanding of Internet protocols
- It is relatively easy to do, but hard to detect and stop
- It is only going to get worse unless we develop adequate protection mechanisms
Anatomy of an Attack
- Compromise a large set of machines
- Install attack tools
- Instruct all attack machines to initiate an attack against a victim
- The process is highly automated
Phase 1: Compromise
- A (stolen) account is used as a repository for attack tools
- A scan is performed to identify potential victims
- A script is used to compromise the victims
Phase 2: Install Attack Tools
- An automated installation script is then run on the "owned" systems to download and install the attack tool(s) from the repository
- Optionally, a "root kit" is installed on the compromised systems
Phase 3: Launch Attack
- Launch a coordinated DDoS from different sites against a single victim
- The network pipes of the attackers can be small, but their aggregate bandwidth is far larger than the victim's pipe
- The victim's ISP may not notice the elevated traffic
- DDoS attacks are harder to track than a DoS
Some Known DDoS Attack Tools
- Trin00
- Tribal Flood Network (TFN)
- Tribal Flood Network 2000 (TFN2K)
- Stacheldraht
Stacheldraht
- Combines features of trin00 and TFN
- Adds encryption between the attacker and masters, and automated update of agents
- Communication between attacker and masters takes place on a TCP port
- Daemons receive commands from masters through ICMP echo replies
- Supports ICMP, UDP, SYN flood and SMURF attacks
Stacheldraht client session (as shown on the slides):
  # ./client
  [*] stacheldraht [*]
  (c) in 1999 by...
  trying to connect...
  connection established
  enter the passphrase : sicken
  entering interactive session.
  ******************************
  welcome to stacheldraht
  ******************************
  type .help if you are lame
  stacheldraht(status: a!1 d!0)>
  stacheldraht(status: a!1 d!0)>.help
  available commands in this version are:
  .mtimer .mudp .micmp .msyn .msort .mping .madd .mlist .msadd .msrem .distro .help .setusize .setisize .mdie .sprange .mstop .killall .showdead .showalive
  stacheldraht(status: a!1 d!0)>
Some Commands
- .distro user server: instructs the agent to install and run a new copy of itself using the Berkeley "rcp" command, on the system "server", using the account "user" (e.g., "rcp ttymon")
- .madd ip1[:ip2[:ipN]]: add IP addresses to the list of attack victims
- .mdie: sends a die request to all agents
COSSACK: Coordinated Suppression of Simultaneous Attacks
Computer Networks Division, ISI
People
- Co-PIs: Christos Papadopoulos, Bob Lindell (USC/ISI)
- Affiliations: Ramesh Govindan (USC/ISI)
- Staff: John Mehringer (ISI)
- Students: Alefiya Hussain (USC)
- DARPA synergies: D-WARD (Peter Reiher, Jelena Mirkovic, UCLA); SAMAN (John Heidemann, USC/ISI)
Cossack Overview
- A distributed set of watchdogs at the network perimeter
  - Local IDS
  - Group communication
  - Topology information (when available)
- A fully distributed approach
  - Peer-to-peer rather than master-slave
  - Attack-driven dynamic grouping of watchdogs
  - Attack correlation via coordination with other watchdogs
  - Independent, selective deployment of countermeasures
Cossack: A Simplified View
[Figure sequence: watchdogs (W) at the network perimeter, an attacker, and a target; YOID is the group-communication channel between watchdogs]
- Attacks begin
- Watchdogs communicate using YOID
- Attacks detected
- Watchdogs install filters and eliminate the attack
- Detecting source-spoofed attacks
Cossack Watchdog Architecture
[Figure: components of a watchdog]
- YOID multicast interface, attached to the YOID multicast group
- Distributed blackboard
- Event monitor
- Detection: Snort interface, rate monitor, pulsing detector, other IDS (D-WARD)
- Router control: Cisco interface, Linux iptables router interface
Cossack Plugin Operation
[Figure: packet flow statistics passing through the watchdog components listed above]
- First pass: the plugin reports packet averages grouped by destination address
- The watchdog may then request more stats
- Second pass: the plugin reports packet averages grouped by source address
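The two-pass statistics above are the core of the rate monitor: cheap per-destination averages first, and a per-source breakdown only for destinations that look flooded. The following is an added example, not the Cossack plugin's own code, that works through one constructed one-second window (labelled as constructed in the code) and also shows the kind of iptables rule a watchdog's Linux router interface could install. The window length, the 1000 pps threshold, and the `FORWARD` chain are assumptions.

```python
from collections import Counter

WINDOW_SECONDS = 1.0         # measurement interval (assumption)
DST_THRESHOLD_PPS = 1000.0   # per-destination rate that triggers the second pass (assumption)

# Constructed one-second window of (src, dst) packet records, not captured traffic:
# 40 sources each send 30 packets to 10.0.0.10 (1200 pps aggregate), while two
# internal sources send 25 packets each to 10.0.0.11 (50 pps, ordinary load).
PACKETS = []
for i in range(40):
    PACKETS += [(f"198.51.100.{i + 1}", "10.0.0.10")] * 30
for i in range(2):
    PACKETS += [(f"10.0.0.{20 + i}", "10.0.0.11")] * 25


def rate_by_destination(packets, window=WINDOW_SECONDS):
    """First pass: packet averages grouped by destination address (packets per second)."""
    counts = Counter(dst for _, dst in packets)
    return {dst: n / window for dst, n in counts.items()}


def rate_by_source(packets, dst, window=WINDOW_SECONDS):
    """Second pass: for one destination, packet averages grouped by source address."""
    counts = Counter(src for src, d in packets if d == dst)
    return {src: n / window for src, n in counts.items()}


def investigate(packets, threshold=DST_THRESHOLD_PPS, window=WINDOW_SECONDS):
    """Run the first pass and, only for destinations above the threshold, the
    'request more stats' second pass."""
    report = {}
    for dst, pps in rate_by_destination(packets, window).items():
        if pps < threshold:
            continue
        sources = rate_by_source(packets, dst, window)
        report[dst] = {"pps": pps, "sources": sources, "source_count": len(sources)}
    return report


def proposed_filters(report, chain="FORWARD"):
    """Illustrative iptables rules a watchdog could hand to a Linux router interface:
    drop traffic from each contributing source to the flooded destination."""
    rules = []
    for dst, info in sorted(report.items()):
        for src in sorted(info["sources"]):
            rules.append(f"iptables -A {chain} -s {src} -d {dst} -j DROP")
    return rules


if __name__ == "__main__":
    result = investigate(PACKETS)
    for dst, info in result.items():
        print(f"{dst}: {info['pps']:.0f} pps from {info['source_count']} sources")
    for rule in proposed_filters(result)[:3]:
        print(rule)
```

The per-source pass is what tells a multi-source flood (many sources, each at a modest rate) from a single misbehaving host, and the source count feeds the correlation the watchdogs do over YOID. Per-source drop rules only help when the sources are genuine; for source-spoofed attacks, which the slides treat separately, a watchdog would rate-limit the destination instead.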
Cossack Network Inspector
- A tool to determine detection thresholds for the watchdogs
- Interfaces with the Cossack Snort plugin
- Collects aggregate-level network traffic statistics
- Traffic filters are created using Snort rules
Cossack Performance
- Response time: 5 to 30 seconds
- Insensitive to attack type
Attack Capture and Analysis
- Goal: capture some attacks, analyze them and learn from them
- Packet-level capture facilities at several sites: Los Nettos, USC, CAIDA, [Telcordia, Sprint]
- Spectral analysis
Tracing Infrastructure
[Figure: the Los Nettos trace machine (140 Mbps, 38 kpps) between the Internet and the Los Nettos customers; labels in the figure: LA-MAE, Verio, Cogent, Genuity, JPL, Caltech, TRW, USC, Centergate]
Captured Attacks
Captured and classified about 120 attacks over several months.
  Attack Class   | Count | PPS | Kbps
  Single-source  |       |     |
  Multi-source   |       |     |
  Reflected      |       |     |
  Unclassified   |       |     |
Spectral Attack Analysis
[Figure: Normalized Cumulative Spectrum (NCS) plots with F(60%) marked]
- Multi-source attack (145 sources): localization of power in the low frequencies of the NCS
- Single-source attack: strong higher frequencies and a linear NCS
Spectral Analysis
- Goal: identify single- vs. multi-source attacks
- Single-source: F(60%) mean 268 Hz (… Hz)
- Multi-source: F(60%) mean 172 Hz (… Hz)
- Able to robustly categorize the unclassified attacks
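To make the F(60%) statistic from the two slides above concrete, here is an added example, not the authors' analysis code, that computes it from a packet-arrival count series: the series is mean-removed, its power spectrum taken (a direct DFT periodogram rather than the autocorrelation route, an assumed simplification), the spectrum accumulated into the NCS, and F(p) read off as the lowest frequency at which the NCS reaches p. The 1 ms bin width, the 200-bin window, the two constructed count series (labelled as constructed in the code; they are not captured attacks) and the 220 Hz decision boundary, chosen as the midpoint of the reported 268 Hz and 172 Hz means, are all assumptions.

```python
import cmath
import math

SAMPLE_RATE_HZ = 1000  # packet counts in 1 ms bins (assumed bin width)


def power_spectrum(series):
    """One-sided periodogram of the mean-removed count series, computed with a
    direct DFT (O(N^2); adequate for the short windows used here)."""
    n = len(series)
    mean = sum(series) / n
    x = [v - mean for v in series]
    spectrum = []
    for k in range(n // 2 + 1):
        acc = 0j
        for t, v in enumerate(x):
            acc += v * cmath.exp(-2j * math.pi * k * t / n)
        spectrum.append(abs(acc) ** 2)
    return spectrum


def normalized_cumulative_spectrum(spectrum):
    """NCS: running sum of spectral power divided by the total, rising from 0 to 1."""
    total = sum(spectrum)
    ncs, running = [], 0.0
    for p in spectrum:
        running += p
        ncs.append(running / total if total else 0.0)
    return ncs


def f_percent(ncs, fraction, n, sample_rate=SAMPLE_RATE_HZ):
    """F(p): the lowest frequency (Hz) at which the NCS reaches fraction p of total power."""
    for k, c in enumerate(ncs):
        if c >= fraction:
            return k * sample_rate / n
    return (len(ncs) - 1) * sample_rate / n


def f60(series):
    """F(60%) of a packet-count series, the statistic used on the slides."""
    spec = power_spectrum(series)
    return f_percent(normalized_cumulative_spectrum(spec), 0.6, len(series))


def classify(f60_hz, boundary_hz=220.0):
    """Assumed rule: split at the midpoint of the two reported means (268 Hz and 172 Hz)."""
    return "single-source" if f60_hz >= boundary_hz else "multi-source"


def constructed_series(components, base, n=200):
    """Constructed 1 ms packet-count series: a base rate plus (frequency, amplitude)
    cosine components, rounded to whole packets. Not real attack data."""
    return [max(0, round(base + sum(a * math.cos(2 * math.pi * f * t / SAMPLE_RATE_HZ)
                                     for f, a in components)))
            for t in range(n)]


# A lone sender is modelled with a strong 250 Hz component; the aggregate of many
# senders is modelled with most of its power at 50 Hz, as the NCS plots suggest.
SINGLE_SOURCE = constructed_series([(250, 4)], base=5)
MULTI_SOURCE = constructed_series([(50, 6), (250, 3)], base=10)

if __name__ == "__main__":
    for name, series in (("single", SINGLE_SOURCE), ("multi", MULTI_SOURCE)):
        f = f60(series)
        print(f"{name}: F(60%) = {f:.0f} Hz -> {classify(f)}")
```

Removing the mean matters: the DC term would otherwise hold nearly all of the power and F(60%) would come out as 0 Hz for every attack. With real traces the window is much longer than 200 bins, so an FFT (for instance from numpy) replaces the direct DFT, but the NCS and F(p) steps are unchanged.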
Conclusions
- Cossack is a fully distributed approach against DDoS attacks
- The software is operational and currently undergoing Red Team testing
- We continue to capture attacks, analyze them and learn from them
- The spectral analysis work is very promising