1 Countering DoS Through Filtering Omar Bashir Communications Enabling Technologies


2 Sequence
Roots of IP Spoofing
Effective Anti-Spoofing Through Ingress Filtering
Reducing DoS Effect Through Egress Filtering
Pushback: Countering DoS Closer to the DoS Source
Traceback: Locating the DoS Source

3 Roots of IP Spoofing
Source Independent Routing
–Next hop forwarding in packet switched networks does not depend on a packet’s original source or on the path the packet has taken before it arrives at a particular packet switch.
–Enhances the efficiency of routing mechanisms in packet switches.
Implications
–The source address of a packet may never be required in a specific communication session.
–Routers and switches do not inspect the source addresses of packets before forwarding a packet to the next hop.

4 Roots of IP Spoofing (Contd.)
Attackers can mask their identities by inserting false or invalid source addresses on packets before transmitting them to the destination.
Typical invalid source addresses:
–This host address.
–Local loopback address.
–Limited broadcast address.
–Directed broadcast address.
–Subnet address.
False source addresses are addresses not assigned to the transmitting host.
–Typically addresses of hosts on different subnets or internal subnet addresses.

5 Network Ingress Filtering
RFC-2827
Automatic filtering on RAS and access routers to drop packets with invalid or false source addresses.
Preventative measure to block an imminent DoS attack closest to the source.
–Traffic rates there are substantially lower, which enables inspection of each outbound packet.
Firewalls without ingress filtering capability can be configured to achieve ingress filtering.
Logging and analysis of dropped packets are necessary to identify, locate and neutralise the attacker.

6 Egress Filtering
Deny entry of a packet with an invalid source address into a subnet.
Can also be used to filter packets whose source address field contains a local subnet address.
Considered necessary due to the lack of implementation of network ingress filtering.
May require implementation on platforms with substantial processing resources.
Can substantially reduce the impact of DRDoS by eliminating the attack traffic before it reaches the reflectors.

7 Ingress and Egress Filtering (diagram showing where ingress filtering and egress filtering are applied)
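As an added example that is not part of the slides, a Python sketch of the source-address checks from slides 4 to 6: the invalid-source list, an RFC 2827 ingress check on a customer-facing interface, the egress check at a subnet boundary, and the drop log slide 5 calls for. The customer prefix, the /24 subnets and all function names are assumptions.

```python
import ipaddress

# Constructed setting: an access router whose customer-facing interface serves the
# documentation prefix 203.0.113.0/24 (assumed value).
CUSTOMER_PREFIX = "203.0.113.0/24"


def invalid_source_reason(src, subnet):
    """Return why src is an invalid source (slide 4's list), or None if it is usable."""
    if src in ipaddress.ip_network("0.0.0.0/8"):
        return "this-host"
    if src.is_loopback:
        return "loopback"
    if src == ipaddress.IPv4Address("255.255.255.255"):
        return "limited-broadcast"
    if src == subnet.broadcast_address:
        return "directed-broadcast"
    if src == subnet.network_address:
        return "subnet-address"
    return None


def ingress_verdict(src_str, customer_prefix=CUSTOMER_PREFIX):
    """RFC 2827 check on packets leaving the customer: drop invalid sources and
    false sources, i.e. addresses not assigned to this customer."""
    src, net = ipaddress.ip_address(src_str), ipaddress.ip_network(customer_prefix)
    reason = invalid_source_reason(src, net)
    if reason:
        return ("drop", reason)
    if src not in net:
        return ("drop", "false-source")
    return ("permit", "ok")


def egress_verdict(src_str, local_subnet):
    """Slide 6 check on packets entering a subnet: drop invalid sources and packets
    that claim a source inside the local subnet although they arrive from outside."""
    src, net = ipaddress.ip_address(src_str), ipaddress.ip_network(local_subnet)
    reason = invalid_source_reason(src, net)
    if reason:
        return ("drop", reason)
    if src in net:
        return ("drop", "local-source-from-outside")
    return ("permit", "ok")


def drop_log(verdict, sources, *args):
    """Run a verdict over many packet sources and return the drop log that slide 5
    says is needed to identify and locate the sender."""
    return [(s, r) for s in sources for a, r in [verdict(s, *args)] if a == "drop"]
```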

8 DoS Pushback
DDoS attacks are treated as a congestion control problem.
Congestion resulting from a DoS attack has to be handled by the routers.
–Routers detect and preferentially drop packets that probably belong to an attack.
–Upstream routers are also notified to drop such packets, so that the router’s resources can be used to route legitimate traffic.
Focus is on handling DDoS activity closer to the source, where traffic rates are substantially lower.

9 Traffic Characterisation
Bad Packets
–Transmitted by the attacker.
–Characterised by the attack signature, which is identified as the congestion signature.
Poor Packets
–Packets matching the congestion signature.
–Do not actually belong to the attack.
Good Packets
–Packets not matching the congestion signature but sharing links or destination with the bad traffic.

10 Typical DDoS Signature and Pushback (diagram: routers R1 to R8 and the Victim)

11 Pushback Operations
Attack Detection
–Detecting the congestion signature.
Local Rate Limiting
–Packet filtering on the basis of the congestion signature.
Upstream Notification
–Informing the upstream routers of the congestion condition and its signature.
Upstream Rate Limiting
–Packet filtering on the basis of congestion at the upstream routers.

12 Congestion Detection
Typical congestion identifiers
–Higher packet drop rates.
–Typically w_i > 1.2 × w_o
Principal determinant
–Victim’s address.
The algorithm prepares the list of prefixes of destination addresses and the number of packets dropped for each prefix.

13 Congestion Detection (Contd.)
The prefix with the highest drop rate is considered to be the subnet being attacked.
For multiple simultaneous attacks:
–Determine the congestion contribution, w_b, of the prefix with the highest drop rate.
–If for the other prefixes on the list w_i − w_b > 1.2 × w_o, the list is rescanned to determine the second attack.

14 Rate Limiting
The rate limiter is implemented between the input and the output queues.
For w_i > 1.2 × w_o, w_l = w_i × w_o
If w_b > w_l then rate limit the aggregate to w_l.
If w_b < w_l then drop all traffic matching the congestion signature and allow the remaining traffic to pass through the rate limiter.
–Traffic allowed by the rate limiter is not treated preferentially.
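An added example, not from the slides, implementing the congestion detection of slides 12 and 13 and the rate-limit decision of slide 14 in Python over a constructed one-second traffic window. It assumes w_i is the arrival rate and w_o the output link rate in packets per second, groups drops by /24 destination prefix, takes a prefix's arrival rate as its congestion contribution w_b, and takes the limit w_l as a given parameter; all of these are assumptions.

```python
import ipaddress
from collections import Counter

THRESHOLD = 1.2   # slide 12: congestion when w_i > 1.2 x w_o


def prefix_of(addr, length):
    """Destination prefix used to group drop counts (the /24 grouping is an assumption)."""
    return str(ipaddress.ip_network(f"{addr}/{length}", strict=False))


def congestion_signatures(samples, w_o, length=24):
    """samples: (dst_ip, was_dropped) pairs seen at the output queue during one second,
    so counts are packets/s. w_o: output link rate in packets/s.
    Returns [(prefix, w_b), ...], one entry per attack aggregate detected."""
    w_i = len(samples)                       # arrival rate
    if w_i <= THRESHOLD * w_o:
        return []                            # no congestion condition, nothing to do
    drops = Counter(prefix_of(d, length) for d, dropped in samples if dropped)
    arrivals = Counter(prefix_of(d, length) for d, _ in samples)
    found, remaining = [], w_i
    for prefix, _ in drops.most_common():    # prefix with the highest drop count first
        w_b = arrivals[prefix]               # congestion contribution of that prefix
        found.append((prefix, w_b))
        remaining -= w_b
        if remaining <= THRESHOLD * w_o:     # slide 13: rescan only while w_i - w_b > 1.2 x w_o
            break
    return found


def rate_limit_action(w_b, w_l):
    """Slide 14: rate limit the aggregate to w_l when it exceeds w_l; otherwise drop everything
    matching the signature. Other traffic passes the rate limiter with no preference."""
    return ("rate-limit", w_l) if w_b > w_l else ("drop-signature", 0)


def make_samples(spec):
    """Constructed traffic: spec is [(dst_ip, arrivals_per_s, drops_per_s), ...]."""
    samples = []
    for dst, n, d in spec:
        samples += [(dst, True)] * d + [(dst, False)] * (n - d)
    return samples


# Constructed one-second window: one prefix (192.0.2.0/24) dominates the drops.
CONSTRUCTED = make_samples([("192.0.2.10", 900, 300), ("198.51.100.4", 200, 10), ("203.0.113.8", 100, 2)])
```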

15 Pushback
The congestion condition and signature are notified to upstream routers.
Pushback protocol messages
–Request: transmitted to upstream routers and received from downstream routers; suggests rate limiting to the upstream routers.
–Response: generated by upstream routers; used to determine modifications in the pushback process.
–Cancel: instruction to an upstream router to cancel the rate limiting operation.
Described in the IETF draft
–draft-floyd-pushback-messages-00.txt

16 Pushback Mechanism (diagram: routers R1 to R8 and the Victim)

17 Traceback
Identification of the network paths traversed by the attacking traffic.
Principal categories
–Intrusive traceback: controlled flooding, ICMP traceback.
–Non-intrusive traceback: input debugging, logging, packet marking.

18 Controlled Flooding
Test links by flooding them with large bursts of traffic and observing the effect on the attack traffic.
The victim coerces selected hosts along the upstream route to iteratively flood incoming routes on routers detected to be in the path of the attack traffic.
Requires a pre-generated map of Internet topology.
DoS attack on DoS attack
–Considered unsuitable as it might affect traffic on other routes sharing routers with the victim’s path.

19 ICMP Traceback
Explicit router-generated ICMP traceback messages.
At a low rate, the router sends, alongside one of the packets it forwards, an ICMP packet containing
–The contents of the forwarded packet.
–Information about the adjacent routers along the path to the destination.
In a flooding attack, a victim can reconstruct the path to the attacker using these messages.
Issues
–ICMP differentiation
–ICMP traceback spoofing
IETF draft draft-bellovin-itrace-00.txt

20 Input Debugging
Filter packets at the router’s egress and determine the input port on which they arrived.
In an attack, the victim can use the attack signature to query the closest router to determine the link on which the packets reached the router.
The router upstream of that link can be successively queried to determine the identity of the attacker.
Considerable management overhead.

21 Logging
Packet details are logged at key routers.
Data mining is applied to determine the path traversed by the packets.
Considerably useful for post-attack analysis.
Considerable resource requirements.

22 Packet Marking
Marking packets probabilistically or deterministically with the addresses of the routers they traverse.
Marking techniques
–Node append: append each node’s address to the end of the packet as it traverses the network.
–Node sampling: sample the path one node at a time.
–Edge sampling: in addition to sampling nodes, also encode the distance of the attacker to the node.
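An added example, not from the presentation, simulating the edge sampling technique of slide 22 in Python: each router probabilistically writes an edge (start, end, distance) into the packet, and the victim reconstructs the upstream path from the marks it collects. Router names, the marking probability and the assumption that packets start out unmarked are constructed for the example.

```python
import random


def edge_sample(path, p, rng):
    """One packet traverses `path` (first router nearest the attacker, last nearest the
    victim). A router writes itself into `start` with probability p and resets `distance`
    to 0; otherwise it fills `end` if `distance` is 0, and in either case the distance
    counter advances. Returns the (start, end, distance) mark the victim receives, or None."""
    start = end = distance = None
    for router in path:
        if rng.random() < p:
            start, end, distance = router, None, 0
        elif distance is not None:
            if distance == 0:
                end = router
            distance += 1
    return None if start is None else (start, end, distance)


def reconstruct(marks, victim="Victim"):
    """Victim side: order collected edges by distance and walk outward from the victim,
    accepting an edge only when its end is the router already verified one hop closer."""
    edges = {}
    for start, end, dist in marks:
        edges[dist] = (start, victim if end is None else end)
    route = []
    for d in range(len(edges)):
        if d not in edges:
            break
        start, end = edges[d]
        if end != (victim if d == 0 else route[-1]):
            break                 # inconsistent edge: stop rather than trust it
        route.append(start)
    return route                  # routers from nearest the victim outward


def simulate(path, packets=2000, p=0.2, seed=1):
    """Send `packets` marked packets along `path` and return the path the victim recovers."""
    rng = random.Random(seed)
    marks = set()
    for _ in range(packets):
        m = edge_sample(path, p, rng)
        if m is not None:
            marks.add(m)
    return reconstruct(marks)
```

Because every router advances the distance counter, a mark that is already present when traffic enters the first router ends up with a distance beyond the farthest genuine edge, which is why the reconstruction only trusts edges that chain back to the victim.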

23 Conclusions
Enforcement of ingress filtering as a preventative measure.
Enforcement of egress filtering to reduce the possibility of spoofed attack and reflection traffic.
Inter-ISP cooperation:
–Data collection
–Attack signature determination
–Attack analysis
Pushing the attack closer to the attackers and zombies.

24 Q&A
Most upstream ISPs do not allow filtering; how can pushback be implemented in this case?
–Possibly by using traceback to determine the ISP hosting the attacker and using a firewall signalling protocol to signal the access routers at that ISP to perform ingress filtering at the source.
In pushback, can an attacker generate spoofed requests to upstream routers, performing DoS?
–Requests to upstream routers are suggestions to the upstream routers to perform filtering on the suggested signature. It is possible for the upstream routers to determine their own attack signature and perform filtering on that basis.
–Use encryption and authentication on requests and responses.

25 Q&A
Pushback may be effective in case of a sustained attack. How does it scale to a pulse attack, where the attacker generates a surge at intervals to start a pushback? In this case pushback itself becomes the DoS, and by the time the network neutralises one pulse another arrives.
–More effective pattern matching
–Hysteresis in triggering pushback
–Determine pulse attack periodicity and patterns through data logging and analysis. Use predictive measures to be prepared for the attack before it occurs.