Slide 1: PacketScore: Statistics-based Overload Control against Distributed Denial-of-Service Attacks
Authors: Yoohwan Kim, Wing Cheong Lau, Mooi Choo Chuah, H. Jonathan Chao
Presenter: Yatin Manjrekar
Slide 2: Agenda
–Introduction
–Overview of the PacketScore approach
–PacketScore methodologies
–Performance evaluation
–Conclusion
Slide 3: Introduction
–Denial-of-service attack: overloads the server to bring it down
–Distributed denial-of-service attack
–End-point attacks
–Infrastructure attacks
–Limitations of manual detection
Slide 4: Introduction (cont.)
D-WARD approach
–Statistical traffic profiling at the edge of the network
–Aims at stopping the attack near its source
–Viability hinges on the cooperation of the ingress network administrator
–Deployment issue (backbone network?)
Available commercial products do not fully automate packet differentiation and filter enforcement
Slide 5: Overview of the PacketScore approach
Three phases (3D-R)
–Detect the onset of an attack
–Differentiate between legitimate and attack packets using CLP
–Discard packets selectively
What is PacketScore? A score-based filtering approach.
Slide 7: PacketScore methodologies
Packet differentiation via fine-grained traffic profile comparison
–Assumption: some traffic characteristics are stable during normal operation
–An increase in the frequency of a packet attribute value indicates attack packets
–Can one guess the distribution of an attribute?
Slide 8: Attribute value distribution
Slide 9: Attribute value distribution (cont.)
Slide 10: Attribute value distribution (cont.)
Slide 11: Conditional Legitimate Probability (CLP)
–The likelihood of a suspicious packet being legitimate
–Each packet carries a set of discrete-valued attributes
–Joint distribution for strongly correlated attributes
–Marginal distribution for the other attributes
Slide 12: Conditional Legitimate Probability (CLP)
Slide 13: CLP (cont.)
Slide 14: Variation of nominal profiles
The nominal traffic profile is a function of time
–The traffic profile changes with day of week and time of day
–These profile changes can be handled by periodic recalibration
–The 95th percentile is used to save storage
Slide 15: Managing nominal traffic profiles
Iceberg-style histograms
–The traffic profile of each target is stored in the form of normalized histograms
–Iceberg histograms include only the most frequent entries
–Missing entries are assumed to have the relative upper-bound frequency
–The per-target profile is kept to a manageable size, saving on storage requirements
Slide 16: Real-time profiling
–The packet attribute distributions are updated on packet arrival
–The update is decoupled from computing the CLP and done in parallel at a different time scale
–The CLP is computed from a recent snapshot of the measured histograms
–A set of scorebooks is generated, each mapping a specific combination of attribute values to a score
Slide 17: Real-time traffic profiling
Slide 18: Selective packet discarding
On arrival of a suspicious packet
–CLP is the differentiating metric
–The aggregate arrival rate is adjusted, which in turn changes the load-shedding algorithm
–The packet's attributes are used to update the traffic profile
–The CLP-based score is computed using the frozen (snapshot) scorebooks
–The packet is discarded if its CLP is less than the threshold
–Immunity rules can be used for packets with a certain minimum throughput requirement
Slide 20: Performance evaluation
Slide 21: Performance criteria
–Difference between the score distributions R_A and R_L
–The score distribution has a long, thin tail with outliers
–Min_L (Max_A) is taken as the 1st (99th) percentile
Slide 23: Different evaluated attack types
–Generic attack
–TCP SYN flood attack
–SQL Slammer worm attack
–Nominal attack
–Mixed attack
–Changing attack
Slide 25: Effect of increasing attack intensity
Slide 26: Nominal profile sensitivity
Slide 27: Different options for scoring strategies
Slide 28: Scoring strategy
Slide 29: Setting thresholds
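The pipeline described on the CLP, iceberg-histogram, scorebook, selective-discarding and threshold slides, as an added Python example that is not part of the presentation or the authors' code. The nominal profile, the attack window and the rates are constructed; the Bayes-style ratio form of the CLP score and the iceberg floor value are assumptions, since the slides do not spell them out.

```python
from collections import Counter

ICEBERG_FLOOR = 0.01   # assumed frequency of any value pruned from an iceberg histogram
NOMINAL_RATE = 1000.0  # constructed nominal arrival rate, packets/s
# Constructed nominal profile: (proto, flags) is a joint histogram since the two are strongly
# correlated; size and ttl are marginals. Iceberg style: rare values (e.g. ttl 255) are absent.
NOMINAL = {
    ("proto", "flags"): {("tcp", "ACK"): 0.75, ("tcp", "SYN"): 0.05,
                         ("tcp", "SYN-ACK"): 0.05, ("udp", "-"): 0.15},
    ("size",): {("small",): 0.25, ("medium",): 0.70, ("large",): 0.05},
    ("ttl",): {(64,): 0.90, (128,): 0.10},
}

def build_scorebook(packets, window_sec):
    """Frozen snapshot of the measured profile: one histogram per attribute group plus the rate."""
    hists = {}
    for attrs in NOMINAL:
        counts = Counter(tuple(p[a] for a in attrs) for p in packets)
        hists[attrs] = {k: n / len(packets) for k, n in counts.items()}
    return {"rate": len(packets) / window_sec, "hists": hists}

def clp(packet, book):
    """CLP score: (nominal/measured rate) * product over groups of nominal/measured frequency.
    Assumed ratio form; pruned iceberg entries take the floor; can exceed 1 (groups independent)."""
    score = NOMINAL_RATE / book["rate"]
    for attrs, nominal_hist in NOMINAL.items():
        key = tuple(packet[a] for a in attrs)
        score *= nominal_hist.get(key, ICEBERG_FLOOR) / book["hists"][attrs].get(key, ICEBERG_FLOOR)
    return score

def threshold_for_load(scores, measured_rate, target_rate):
    """Load shedding: lowest CLP cut-off that brings the admitted rate down to target_rate."""
    if measured_rate <= target_rate:
        return 0.0
    ordered = sorted(scores)
    cut = ordered[int((1.0 - target_rate / measured_rate) * len(ordered))]
    # packets tied at the cut are indistinguishable: move just above the tie so all are dropped
    return next((s for s in ordered if s > cut), cut)

def filter_window(packets, window_sec, target_rate):
    """Score each packet against the frozen scorebook and discard those below the threshold."""
    book = build_scorebook(packets, window_sec)
    scores = [clp(p, book) for p in packets]
    thr = threshold_for_load(scores, book["rate"], target_rate)
    return [p for p, s in zip(packets, scores) if s >= thr], thr

def sample_window():
    """Constructed 1 s window: 1000 nominal-looking packets plus a 4000-packet TCP SYN flood."""
    def pkt(*v): return dict(zip(("proto", "flags", "size", "ttl", "attack"), v))
    legit = ([pkt("tcp", "ACK", "medium", 64, False)] * 14 + [pkt("tcp", "ACK", "large", 128, False)]
             + [pkt("tcp", "SYN", "small", 64, False), pkt("tcp", "SYN-ACK", "small", 128, False)]
             + [pkt("udp", "-", "small", 64, False)] * 3) * 50
    return legit + [pkt("tcp", "SYN", "small", 255, True)] * 4000
```

With a target of 1200 packets/s the threshold lands just above the flood's tied score, so the flood is shed while the 1000 nominal-looking packets, including legitimate SYNs, are admitted.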
Slide 30: Conclusion
–The collaboration of 3D-R and DCS defends against DDoS attacks
–The proposed scheme leverages hardware implementations of data stream processing techniques
–We studied the performance and design trade-offs of the proposed packet scoring scheme
–It can tackle never-before-seen DDoS attacks (Weak claim? Too many parameters?)
Slide 31: Q & A
Comments?