Autonomic Response to Distributed Denial of Service Attacks Paper by: Dan Sterne, Kelly Djahandari, Brett Wilson, Bill Babson, Dan Schnackenberg, Harley Holliday and Travis Reid Presented by: Jesus F. Morales
2 Overview Introduction: the problem Proposed solution The experiment Results Observations Conclusions
3 Introduction The problem Distributed Denial of Service (DDoS) attacks Hacker toolkits January 2001 DDoS attack against websites hosting Hotmail, MSN, Expedia and other large services Services inaccessible for 22 hours
4 Current state of response Relies on expert, manual labor by network administrators Response includes two main activities: “Input debugging” Find router’s physical interfaces used for the attack (statistics, network traffic probes) Mitigation of network traffic flow Packet filtering or rate limiting at the associated router Contact upstream organizations
5 Current state of response: drawbacks Requires immediate availability of highly skilled network administrators Time consuming Downtime & costs It does not scale What about attacks involving hundreds of networks? “Whack a mole” attacks
6 Proposed solution Intruder Detection and Isolation Protocol (IDIP) Protocol for reporting intrusion-related events and coordinating attack tracebacks and automated response actions Cooperative Intrusion Traceback and Response Architecture (CITRA) The architecture based on IDIP Authors have adapted CITRA and IDIP for DDoS attacks
7 CITRA: components and attack traceback and mitigation
8 Attack response Policy mechanisms for each CITRA component along the attack path determine the adequate response Block attacked service port on all requests from attacker’s address or network for a specified amount of time At CITRA-enabled hosts Kill offending process Disable offending user’s account Goal: use the narrowest network response Stop the attack Minimize impact on legitimate users Reports with responses taken is sent to the Discovery Coordinator (DC) Global view and system topology allows, hopefully, for the best community-wide response
9 Experiment: Autonomic response to DDoS The problem Sophisticated DDoS toolkits generate traffic that “blends in” with legitimate traffic Cannot be blocked by router packet filters without blocking legitimate traffic Traffic rate limiting may be more useful Experiment goals Prove that CITRA and IDIP can defend against DDoS attacks In particular, against a Stacheldraht v4 attack
10 Experiment: Stacheldraht toolkit and test application Stacheldraht toolkit Can generate ICMP, UDP and TCP floods and Smurf attacks Provides one or more master servers that control agents (flood sources) Can target floods at arbitrary machines and ports Test application Audio/video streaming RealNetworks’ RealSystem sever RealPlayer client
11 Experiment: topology and scenario
12 Experiment: settings Test data 8-minute 11-seconds continuous motion video Encoded at Kbps RealPlayet Best quality video setting (10 Mbps bandwidth) Data buffering: 5 seconds (the minimum) Transport protocol: UDP Attack Target is the RealSystem server UDP packets indistinguishable from control packets sent to the server from RealPlayer clients
13 Experiment: Stacheldraht flooding and autonomic rate limiting
14 Experiment results: Normal run
15 Experiment results: Flood run
16 Experimental results: Full recovery run
17 Experimental results: Degraded recovery run
18 Observations Degraded recovery probably due to detector’s slow response speed (366 MHz Pentium II) Independent experiment Results confirmed Full recovery obtained every time Higher performance detector CITRA’s response effective after 2 seconds vs. 10 – 12 seconds. Results are preliminary UDP allows traceback and mitigation request with one IP packet vs. TCP would require a three-way handshake first. May result in a slower propagation upstream
19 Conclusions DDoS attacks an increasing threat to the Internet Manual defense is inadequate CITRA prototype for DDoS with rate limiting function seems to be a promising automatic response