Characterizing and Defending Against DDoS Attacks. Christos Papadopoulos ... and many others.


How Do Computers Find Each Other? [Figure: Computer 1 and Computer 2 connected through the Internet]

What Are the Different Kinds of Addresses?
• A domain name (e.g., ) – global, human-readable name
• DNS translates the name to an IP address (e.g., ) – global, understood by all networks
• Finally, we need a local network address – e.g., Ethernet (c-19-dc-45) – local, works only on a particular network

Domain Name System (DNS): a host asks its local DNS server "What's the IP address for Computer 1?" and the server answers with Computer 1's IP address. The address of the local DNS server itself is manually configured into the OS.

Finding the Ethernet Address: Address Resolution Protocol (ARP). Ethernet broadcast: "Who knows the Ethernet address for this IP address?" Reply: "I do, it is c-19-dc-45." (The slide draws both messages as broadcasts; in practice the reply is unicast to the requester. Nothing authenticates either message, so any host on the segment can answer falsely.)

Sending a Packet Through the Internet [Figure: hosts (H) at the edges, routers (R) in the core]. Routers send the packet to the next closest point. The Internet routes packets based on their destination! The source address is carried along but not checked by ordinary forwarding, which is what makes source spoofing possible (ingress filtering, BCP 38, is the exception).

Smurf Attack: the attacker sends an ICMP echo request to the broadcast address of an "amplifier" network, with the source address spoofed to be the target's address. Since most machines on the amplifier network respond to the broadcast, the target receives one echo reply per responding host: the attacker's single packet is amplified by the size of the amplifier network. (Mitigations, not on the slide: routers should not forward directed broadcasts, and hosts should not answer echo requests sent to a broadcast address; both are the defaults on modern routers and operating systems.)

TCP SYN Flooding – a more powerful attack. Normal handshake: the client (port 33623/tcp) sends SYN to the server (port 23/tcp), the server answers SYN-ACK, the client sends ACK and the session proceeds (the ACK flag stays set for the remainder of the session). Attack: the attacker sends a spoofed SYN to the target (port 23/tcp) with the source address of a nonexistent host; the target replies SYN-ACK to that host and holds a half-open connection, but the final ACK is never sent, so the entry sits in the target's backlog until it times out.
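The state-exhaustion side of the SYN flood above, as an added example that is not from the slides or the speakers: a minimal model of a listening socket's half-open queue. The backlog size, the SYN-RECEIVED timeout, the source addresses and the Listener/demo names are all assumptions made for the illustration.

```python
"""Half-open connection state exhaustion (TCP SYN flood), as a simulation.

Added example, not from the slides. Models only the server-side backlog that
the slide's 'FINAL ACK NEVER SENT' arrow fills up. Backlog size, timeout and
addresses are assumptions chosen for the illustration.
"""
from dataclasses import dataclass, field

ESTABLISHED = "ESTABLISHED"


@dataclass
class Listener:
    """A listening socket with a bounded queue of half-open (SYN_RECEIVED) connections."""
    backlog: int = 128          # assumed max half-open entries (cf. Linux tcp_max_syn_backlog)
    timeout_s: float = 60.0     # assumed SYN_RECEIVED lifetime before the entry is reaped
    half_open: dict = field(default_factory=dict)   # (src_ip, src_port) -> time SYN-ACK sent
    established: set = field(default_factory=set)
    dropped_syns: int = 0

    def on_syn(self, src, now):
        """SYN arrives: allocate state and 'send' SYN-ACK, or drop it if the queue is full."""
        self.reap(now)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return None                     # no SYN-ACK: a legitimate client sees a timeout
        self.half_open[src] = now
        return ("SYN-ACK", src)

    def on_ack(self, src, now):
        """Third handshake packet: promote the half-open entry to ESTABLISHED."""
        if src in self.half_open:
            del self.half_open[src]
            self.established.add(src)
            return ESTABLISHED
        return None

    def reap(self, now):
        """Expire half-open entries whose SYN-ACK was never answered."""
        stale = [k for k, t in self.half_open.items() if now - t > self.timeout_s]
        for k in stale:
            del self.half_open[k]


def spoofed_syn_flood(listener, n, now=0.0):
    """n SYNs from constructed, nonexistent source addresses; nobody ever sends the final ACK."""
    for i in range(n):
        listener.on_syn((f"10.255.{i // 256}.{i % 256}", 40000 + i), now)


def legit_client_can_connect(listener, now):
    """A real client (RFC 5737 address, the slide's port 33623) completes the handshake if it can."""
    src = ("192.0.2.10", 33623)
    if listener.on_syn(src, now) is None:
        return False
    return listener.on_ack(src, now) == ESTABLISHED


def demo():
    """Returns (connects during the flood?, connects after entries expire?, SYNs dropped)."""
    srv = Listener()
    assert legit_client_can_connect(srv, now=0.0)
    spoofed_syn_flood(srv, 200, now=1.0)             # 128 fill the backlog, 72 are dropped
    during = legit_client_can_connect(srv, now=2.0)  # refused: queue full of spoofed entries
    after = legit_client_can_connect(srv, now=70.0)  # entries older than 60 s were reaped
    return during, after, srv.dropped_syns


if __name__ == "__main__":
    print(demo())
```

The legitimate client connects before the flood, is refused while the 128 half-open entries are held by addresses that will never answer the SYN-ACK, and connects again once the entries age out. A real flood keeps the queue full by sending faster than entries expire. The standard countermeasure, not on the slides, is SYN cookies, which let the server drop the half-open state entirely and reconstruct it from the client's final ACK.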

So, What Is DDoS? Distributed Denial of Service
• A new, more pernicious type of attack
• Many hosts "gang up" to attack another host
• A network resource attack, on:
– Bandwidth
– State

Why Should We Care?
• Successfully used to attack prominent Internet sites by people with only a primitive understanding of Internet protocols
• Relatively easy to do, but hard to detect and stop
• Only going to get worse unless we develop adequate protection mechanisms

Anatomy of an Attack
• Compromise a large set of machines
• Install attack tools
• Instruct all attack machines to initiate the attack against a victim
The process is highly automated.

Phase 1: Compromise. A (stolen) account is used as a repository for the attack tools. A scan is performed to identify potential victims. A script is used to compromise the victims.

Phase 2: Install Attack Tools. An automated installation script is then run on the "owned" systems to download and install the attack tool(s) from the repository. Optionally, a "root kit" is installed on the compromised systems to hide the tools.

Phase 3: Launch Attack. Launch a coordinated DDoS from different sites against a single victim. The network pipes of the individual attackers can be small, but their aggregate bandwidth is far larger than the victim's pipe. The victim's ISP may not notice the elevated traffic from any one source. DDoS attacks are harder to trace than a single-source DoS.

Some Known DDoS Attack Tools
• Trin00
• Tribal Flood Network (TFN)
• Tribal Flood Network 2000 (TFN2K)
• Stacheldraht

Stacheldraht
• Combines features of trin00 and TFN.
• Adds encryption between the attacker and the masters, and automated update of the agents.
• Communication between the attacker and the masters takes place over a TCP port.
• Daemons (agents) receive commands from the masters through ICMP echo replies.
• Supports ICMP, UDP and SYN floods and Smurf attacks.

# ./client
[*] stacheldraht [*]
(c) in 1999 by ...
trying to connect...
connection established.
enter the passphrase : sicken
entering interactive session.
******************************
welcome to stacheldraht
******************************
type .help if you are lame
stacheldraht(status: a!1 d!0)>

stacheldraht(status: a!1 d!0)> .help
available commands in this version are:
.mtimer .mudp .micmp .msyn .msort .mping .madd .mlist .msadd .msrem .distro .help .setusize .setisize .mdie .sprange .mstop .killall .showdead .showalive
stacheldraht(status: a!1 d!0)>

Some Commands
.distro user server – instructs the agent to install and run a new copy of itself on the system "server", using the account "user", via the Berkeley "rcp" command (e.g., "rcp ttymon").
.madd ip1[:ip2[:ipN]] – add IP addresses to the list of attack victims.
.mdie – sends a die request to all agents.

COSSACK: Coordinated Suppression of Simultaneous Attacks. Computer Networks Division, ISI.

People
• Co-PIs: Christos Papadopoulos, Bob Lindell (USC/ISI)
• Affiliations: Ramesh Govindan (USC/ISI)
• Staff: John Mehringer (ISI)
• Students: Alefiya Hussain (USC)
• DARPA synergies:
– D-WARD – Peter Reiher, Jelena Mirkovic (UCLA)
– SAMAN – John Heidemann (USC/ISI)

Cossack Overview
• Distributed set of watchdogs at the network perimeter
– Local IDS
– Group communication
– Topology information (when available)
• Fully distributed approach
– Peer-to-peer rather than master-slave
– Attack-driven dynamic grouping of watchdogs
– Attack correlation via coordination with other watchdogs
– Independent, selective deployment of countermeasures

Cossack: A Simplified View [Figure: watchdogs (W) at the perimeter, a target and an attacker]

Attacks Begin [Figure: watchdogs (W), target, attacker; attack traffic starts]

Watchdogs Communicate Using YOID [Figure: watchdogs (W), target, attacker; the watchdogs share a YOID multicast group]

Attacks Detected [Figure: watchdogs (W), target, attacker, YOID group; the attack is detected]

Watchdogs Install Filters and Eliminate Attack [Figure: watchdogs (W), target, attacker; filters installed]

Detecting Source Spoofed Attacks [Figure: watchdogs (W), target, attacker, YOID group]

Cossack Watchdog Architecture (components)
• Yoid Multicast Interface (to the YOID multicast group)
• Distributed Blackboard
• Snort Interface
• Rate Monitor
• Other IDS (D-WARD)
• Router Control
• Pulsing Detector
• Cisco Interface
• Linux IPTables Router Interface
• Event Monitor

Cossack Plugin Operation. Packet flow statistics enter through the Snort Interface, and the Rate Monitor first computes packet averages grouped by destination address. When a destination looks anomalous the watchdog requests more statistics, and the plugin returns packet averages grouped by source address for that destination. (The components involved are those of the architecture slide: Yoid Multicast Interface, Distributed Blackboard, Snort Interface, Rate Monitor, Other IDS (D-WARD), Router Control, Pulsing Detector, Cisco Interface, Linux IPTables Router Interface, Event Monitor.)
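The two-pass aggregation the plugin slides describe, as an added example that is not Cossack's code: a first pass keyed by destination address, then a per-source pass only for destinations above a rate threshold, with the per-source breakdown labelling the attack single- or multi-source. The trace is constructed (RFC 5737 and private addresses; 145 agents to echo the multi-source count on the spectral-analysis slide), and the window length, the threshold and the investigate/classify_sources names are assumptions.

```python
"""Two-stage rate monitoring in the spirit of the Cossack plugin slides.

Added example, not Cossack code. Stage 1 averages packets per destination
(cheap, always on); stage 2 re-aggregates only a suspicious destination's
traffic by source. Trace, thresholds and names are assumptions.
"""
from collections import Counter


def make_packets():
    """Constructed trace of (timestamp_s, src_ip, dst_ip) records over a 10 s window."""
    pkts = []
    # background: three servers, each ~10 pps from five clients
    for slot in range(100):                      # one packet per 100 ms per server
        t = slot / 10
        for d in range(3):
            pkts.append((t, f"203.0.113.{d * 5 + slot % 5}", f"198.51.100.{d}"))
    # attack A: 145 agents (the slide's multi-source count) flooding 192.0.2.1, 300 pps total
    for i in range(3000):
        pkts.append((i / 300, f"10.{i % 145}.0.1", "192.0.2.1"))
    # attack B: a single agent flooding 192.0.2.2 at 500 pps
    for i in range(5000):
        pkts.append((i / 500, "10.200.0.7", "192.0.2.2"))
    return pkts


def rate_by_destination(pkts, window_s):
    """Stage 1: average packets per second, grouped by destination address."""
    counts = Counter(dst for _, _, dst in pkts)
    return {dst: n / window_s for dst, n in counts.items()}


def rate_by_source(pkts, dst, window_s):
    """Stage 2: per-source averages, requested only for one suspicious destination."""
    counts = Counter(src for _, src, d in pkts if d == dst)
    return {src: n / window_s for src, n in counts.items()}


def classify_sources(src_rates, dominant_share=0.9):
    """One source carrying >= dominant_share of the traffic counts as single-source."""
    total = sum(src_rates.values())
    top = max(src_rates.values())
    return "single-source" if top / total >= dominant_share else "multi-source"


def investigate(pkts, window_s, threshold_pps):
    """Run stage 1 over the whole trace, stage 2 only where stage 1 trips the threshold."""
    report = {}
    for dst, pps in rate_by_destination(pkts, window_s).items():
        if pps < threshold_pps:
            continue                              # background traffic: no per-source pass
        src_rates = rate_by_source(pkts, dst, window_s)
        report[dst] = {
            "pps": pps,
            "sources": len(src_rates),
            "label": classify_sources(src_rates),
        }
    return report


if __name__ == "__main__":
    for dst, info in sorted(investigate(make_packets(), 10.0, 100).items()):
        print(dst, info)
```

The per-source pass only means something when the source addresses are genuine; against a flood with spoofed sources the number of distinct addresses says nothing, which is why the watchdogs need another signal (the spectral classification later in the deck) to separate single- from multi-source attacks.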

Cossack Network Inspector: a tool to determine detection thresholds for the watchdogs
• Interfaces with the Cossack Snort plugin
• Collects aggregate-level network traffic statistics
– Traffic filters are created using Snort rules

Cossack Performance
• Response time: 5 to 30 seconds
• Insensitive to attack type

Attack Capture and Analysis. Goal: capture some attacks, analyze them and learn from them.
• Packet-level capture facilities at several sites:
– Los Nettos
– USC
– CAIDA
– [Telcordia, Sprint]
• Spectral analysis

Tracing Infrastructure [Figure: Los Nettos trace machine (140 Mbps, 38 kpps) between the Internet and the Los Nettos customers; other networks shown: LA-MAE, Verio, Cogent, Genuity; customers shown: JPL, Caltech, TRW, USC, Centergate]

Captured Attacks
• Captured and classified about 120 attacks over several months
Attack class | Count | PPS | Kbps
Single-source | | |
Multi-source | | |
Reflected | | |
Unclassified | | |

Spectral Attack Analysis [Figure: normalized cumulative spectrum (NCS) with F(60%) marked. Multi-source attack (145 sources): localization of power in the low frequencies of the NCS. Single-source attack: strong higher frequencies and a linear NCS.]

Spectral Analysis. Goal: identify single- vs. multi-source attacks. F(60%) is the frequency below which 60% of the spectral power of the packet-arrival series lies. Single-source: F(60%) mean 268 Hz ( Hz). Multi-source: F(60%) mean 172 Hz ( Hz). Able to robustly categorize the unclassified attacks.
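A worked version of the NCS/F(60%) measurement, added here; it is not the authors' analysis code and both traffic streams are constructed. Assumptions: packets are counted in 1 ms bins over a 0.5 s window (the bin width is an assumption, the short window is for speed), the spectrum is the squared magnitude of a direct DFT with the DC term removed rather than an autocorrelation-based estimate, and the multi-source stream is a caricature of the effect, 20 agents whose on-periods start 25 ms apart so the aggregate rate ramps slowly instead of pulsing.

```python
"""Normalized cumulative spectrum and F(q) of a packet-arrival time series.

Added example in the spirit of the spectral-analysis slides; not the authors'
code. Arrival streams are constructed, 1 ms bins and the 0.5 s window are
assumptions, and the spectrum is a plain periodogram (direct DFT, DC removed).
"""
import math

SAMPLE_HZ = 1000.0     # 1 ms bins -> usable band 1 .. 500 Hz
N_BINS = 500           # half a second of traffic


def arrival_series(arrival_ms, n_bins=N_BINS):
    """Count packets per 1 ms bin."""
    x = [0] * n_bins
    for t in arrival_ms:
        if 0 <= t < n_bins:
            x[int(t)] += 1
    return x


def power_spectrum(x):
    """|X(k)|^2 for k = 1 .. N/2 via a direct, dependency-free DFT, mean removed."""
    n = len(x)
    mean = sum(x) / n
    y = [v - mean for v in x]              # drop DC so the average rate does not dominate
    ps = []
    for k in range(1, n // 2 + 1):
        re = im = 0.0
        for t, v in enumerate(y):
            ang = 2.0 * math.pi * k * t / n
            re += v * math.cos(ang)
            im -= v * math.sin(ang)
        ps.append(re * re + im * im)
    return ps                              # ps[i] is the power at bin k = i + 1


def f_quantile(ps, q=0.6, sample_hz=SAMPLE_HZ):
    """F(q): lowest frequency at which the normalized cumulative spectrum reaches q."""
    n = 2 * len(ps)
    total = sum(ps)
    acc = 0.0
    for i, p in enumerate(ps):
        acc += p
        if acc / total >= q:
            return (i + 1) * sample_hz / n
    return len(ps) * sample_hz / n


def single_source_arrivals(n_bins=N_BINS, period_ms=5):
    """One agent emitting a packet every period_ms: regular spacing, strong harmonics."""
    return list(range(0, n_bins, period_ms))


def multi_source_arrivals(n_bins=N_BINS, n_sources=20, stagger_ms=25, on_ms=150):
    """Constructed aggregate: each agent sends 1 pkt/ms for on_ms, starting stagger_ms apart,
    so the combined rate ramps up slowly and the power sits at low frequencies."""
    arrivals = []
    for i in range(n_sources):
        start = i * stagger_ms
        arrivals.extend(range(start, min(start + on_ms, n_bins)))
    return arrivals


def analyze():
    """F(60%) for the two constructed streams; higher means more high-frequency power."""
    results = {}
    for name, arrivals in (("single_source", single_source_arrivals()),
                           ("multi_source", multi_source_arrivals())):
        results[name] = f_quantile(power_spectrum(arrival_series(arrivals)))
    return results


if __name__ == "__main__":
    print(analyze())
```

For the periodic single-source stream the power lies entirely on the harmonics of the 200 Hz sending rate, so the NCS climbs in steps and F(60%) lands on the second harmonic at 400 Hz; for the staggered aggregate the NCS reaches 60% within the first few hertz. Real captures are noisier than either caricature, which is why the slides report a mean and a range rather than a single value per class.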

Conclusions
• Cossack is a fully distributed approach against DDoS attacks
• The software is operational and currently undergoing Red Team testing
• We continue to capture attacks, analyze them and learn from them
• The spectral analysis work is very promising