1. 1 Experiments and Tools for DDoS Attacks Roman Chertov, Sonia Fahmy, Rupak Sanjel, Ness Shroff Center for Education and Research in Information Assurance and Security (CERIAS) Purdue University October 25 th, 2004

2. 2 Objectives  Design, integrate, and deploy a methodology and tools for performing realistic and reproducible DDoS experiments:  Tools to configure traffic and attacks  Tools for automation of experiments, measurements, and visualization of results  Integration of multiple third-party software components  Understand the testing requirements of different types of third party detection and defense mechanisms  Gain insight into the phenomenology of attacks including their first-order and their second-order effects, and impact on defenses

3. 3 Accomplishments  Designed and implemented experimental tools:  Scriptable event system to control and synchronize events at multiple nodes  Automated measurement tools, log processing tools, and plotting tools  Automated configuration of interactive and replayed background traffic, routing, attack parameters, and measurements  Generated requirements for DETER to easily support the testing of third party products (e.g., ManHunt, Sentivist)

4. 4 Accomplishments (cont’d)  Analytical characterization, simulations, and experiments for low-rate TCP-targeted DDoS attacks  Preliminary analysis of BGP behavior during DDoS, and BGP impact on DDoS

5. 5 Demonstration Topology

6. 6 Scriptable Event System  Having more than a few computers proves a real challenge to handle in a fast and reasonable manner.  Must have a central way to delegate arbitrary tasks to experimental nodes.  Event completion notification is required to trigger further events in the experiment.

7. 7 Routing  DeterLab experiments can be used with static or OSPF routing; however, there is no support of BGP, RIP, ISIS etc  eBGP and iBGP routing can be accomplished with Quagga routing daemons  Initialization scripts coupled with the central control make it easy to restart all of the routers in experiment to get a clean starting point.

8. 8 Measurement  Measurement of systems statistics at different points in the network can yield an understanding of what events are occurring in the entire network.  A tool based on a 1sec timer records CPU, PPSin, PPSout, BPSin, BPSout, RTO, Memory. The collected logs can be aggregated and used to produce graphs via a collection of scripts.  Future scripts will have an ability to correlate events between system measurements/ routing log files

9. 9 Measurement (cont’d)

10. 10 Challenges in Testing Third-Party Mechanisms  ManHunt license is IP/MAC specific  Control of machine selection in DETER  Administration software: some products for Windows XP only, e.g., Sentivist. Luckily command line interface provided in this case.  Some mechanisms require their hardware to be installed (sensors/authentication).  Certain features of mechanisms like traceback/pushback are dependant on interaction with the network devices (routers/switches)

11. 11 Challenges (cont’d) How to install sensors? Current solution: hardware bridging: cannot install more than one sensor  serious problem since prior research has shown the limited effectiveness of single point sensing Future solution: software bridging

12. 12 Challenges (cont’d)  Sentivist Sensor distributed as bootable CD-ROM  Is it possible to “boot” a machine from an ISO image?  Perhaps using FreeBSD network install (Sentivist Sensor built on FreeBSD), but no administrative privilege to do so  Otherwise, need someone to insert CD-ROM in drive  Sentivist Sensor installation requires interaction:  Must establish serial console connection to machine: COM1 or COM2, no COM1 on DETER IBM machines  Else need someone to use a monitor and keyboard

13. 13 Plans  Continue development of experiment automation and instrumentation/plotting tools and documentation  Design increasingly high fidelity experimental suites  Continue investigation of TCP-targeted DDoS attacks in more depth, and compare analytical and simulation results with DETER testbed results to identify artifacts

14. 14 Plans (cont’d)  Investigate routing problems/attacks, and compare with DETER testbed results  Continue to collaborate with routing team and McAfee team to identify experimental scenarios and build tools for routing experiments