
Link Flooding DDoS Attack


1 Link Flooding DDoS Attack
Group 6

2 Link Flooding Attack
[Figure labels: Bot, Decoy Server, Target Area, Target Link]

3 Contents
- Crossfire Attack
- CXPST Attack
- Coremelt Attack

4 Crossfire Attack
The Crossfire Attack
M. Kang et al., IEEE S&P 2013

5 Crossfire Attack-Definition
Flood a small set of selected network links using low-rate flows from bots to publicly accessible servers and degrade connectivity of, and even disconnect, chosen end-point servers.

6 Crossfire Attack-Elements
- Target Area: a geographic region of the Internet against which the attack is launched
- Target Link: network links to be flooded so that the target area is cut off from the rest of the Internet
- Decoy Servers: share the same links with the target servers

7 Crossfire Attack-Elements
[Figure labels: Decoy Servers (Traffic destination), Target Servers, Target Link]
The attacker's purpose is to flood the shared link by sending flows to the decoy servers.

8 Crossfire Attack-Steps
- Link Map Construction
  - Traceroute from Bots to Servers
    - Use "Traceroute"
  - Check Link-Persistence
    - Exclude the unstable links
    - 72% of the links are stable

9 Crossfire Attack-Steps
- Attack Setup
  - Flow-Density Computation
    - Flow-Density: the higher, the better
  - Target-Link Selection
    - Degradation ratio
    - Select the target links that maximize the degradation ratio
    - Heuristic algorithm (greedy algorithm)

10 Crossfire Attack-Steps
- Bot Coordination
  - Goal
    - Keep flow rate appropriate to evade the protection mechanisms
  - Attack-Flow Assignment
    - Aggregate traffic rate slightly higher than bandwidth of target
    - Bots attack the target evenly

11 Key Factors That Enable Crossfire
- Power Law of Flow-Density Distribution
  - Flow Density
    - Number of persistent source-to-destination pairs
    - Good targets for attack for a particular area
  - Distribution
    - Easy to find target links with extremely high flow density for a selected target area
    - Flow density is not constant but varies depending on area

12 Key Factors That Enable Crossfire
[Figure panels: East Coast, New York]
Fit to diagonal lines, probability much higher than significance level (i.e., 0.68 to 0.96 to 0.05 as normal)

13 Crossfire Attack-Flow Density Distribution
- Target-area dependency
  - A target link that has an overall high flow density may have a very low density in some areas
  - These links are useless in an attack targeted at such an area

14 Crossfire Attack-Bot Distribution
- Links are dependent on area but bots are NOT
  - Separate bots into subsets based on location
  - Select different subsets to form different distributions
  - Perform the Crossfire attack against different locations
  - Analyze the relation between distribution and performance

15 Bot Distribution Experiment
[Figure: overlap, Performance]

16 Crossfire Attack-Bot Distribution
- Line selection matters
- Geographical position selection doesn't matter, as long as the packets can get to the line

17 Conclusion : Crossfire
- Undetectability at the Target Area
  - Use legitimate flows, not directly attacked
- Indistinguishability of Flows in Routers
  - Low rate, different source and destination
- Persistence
  - Rolling attack
- Flexibility
  - Large number of links and decoy servers

18 CXPST Attack
Losing control of the internet: using the data plane to attack the control plane
M. Schuchard et al., ACM 2010

19 CXPST Attack-Definitions
- Coordinated Cross Plane Session Termination
- Control Plane
  - Route around connectivity outages
  - Robustness to localized failure

20 CXPST Attack-Theory
- Weakness Exploited
  - Control plane and data plane share the same physical media
  - No priority defined
  - Local events lead to global impact
- Main Theory
  - Data plane congestion triggers failure of links
  - Route withdrawal, re-calculation, broadcast
  - Route flapping
  - Overwhelms the routers' calculation capacity

21 CXPST Attack-Strategy
- Select Target Link
  - BGP betweenness: number of routes passing through the link
  - Select links with the highest betweenness
- Counter Changing Topology
  - Avoid using routes passing two target links simultaneously
  - Send more traffic than needed on each branch

22 CXPST Attack-Strategy
- Design Traffic Flow
  - Build two flow networks
  - Use max flow algorithm to select bots and destinations
- Thwart Defense
  - Against route damping
  - Keep an eye on disrupted paths
  - Remove links that do not re-appear

24 CXPST Attack-Impact
- Overwhelm Routers on Target Links
  - Handle heavy traffic
- Impose Workload on Routers Globally
  - Compute new routes
  - Send/receive broadcast
  - Crippling the control plane
- Cause Loss of Data
  - Traffic on a route will continue until its failure is announced globally

25 CXPST Attack-Defense
- Deployed Measures
  - BGP Graceful Restart: does not work
  - Route Flap Damping: no significant impact
- Stopping Session Failure
  - Focus: stop it before updates are generated
  - Disable hold timer functionality in routers
  - 10% implementation produces dramatic change

26 Coremelt Attack
The Coremelt Attack
A. Studer, A. Perrig, ESORICS 2009

27 Coremelt Attack-Strategy
1. Select Target Link
2. Identify Bots: pairs of subverted machines that can generate traffic that traverses the target link
3. Send traffic between the pairs identified in step 2 to overload the target link

28 Coremelt Attack-Advantage
- Wanted Traffic
  - Defense against DoS attack may eliminate 'unwanted' traffic
  - Both ends of the traffic are owned by the attacker
  - The attacker knows the 'wanted' traffic of every receiver
  - All traffic in the attack will be 'legitimate'

29 Coremelt Attack-Defense
Defense Mode
- Trace Back System
  - Administrators can turn off the port to stop the attack traffic.
  - Can't separate legitimate and attack traffic
- Capacity Based System
  - Give legitimate traffic priority
  - Bots will give permissions to each other

30 Coremelt Attack-Defense
- Puzzles
  - Increase the cost of the attacker.
  - If the puzzle is large enough, the attacker will be unable to launch a successful attack.
  - Computational capacity becomes the bottleneck

31 Coremelt Attack-Defense
- Fair Bandwidth Allocation Based on Source/Destination Pair
  - Isolate legitimate traffic from attack traffic such that an attack flow can only use as much bandwidth as the non-attack flow.
  - Distributed botnet means a fair share (O(N^-2)) is much less than users typically experience
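
The O(N^-2) limit on the fair-allocation slide, worked as an added example that is not part of the presentation: max-min fair sharing of one link among source/destination pairs. The link capacity, per-flow demands and the even split of bots across the two sides of the link are constructed assumptions.

```python
"""Max-min fair sharing of one link among source/destination pairs (added example)."""


def max_min_fair(capacity, demands):
    """Water-filling: return the rate granted to each flow, in input order."""
    rates = [0.0] * len(demands)
    remaining = float(capacity)
    # Serve flows by increasing demand. A flow that wants less than the
    # current equal share keeps its demand and frees the rest for the others.
    order = sorted(range(len(demands)), key=lambda i: demands[i])
    for served, i in enumerate(order):
        share = remaining / (len(demands) - served)
        rates[i] = min(demands[i], share)
        remaining -= rates[i]
    return rates


def legit_rate(capacity, legit_demand, n_legit, n_bots, attack_demand):
    """Rate one legitimate pair gets when bot pairs share the same link."""
    # Assumption: bots sit evenly on both sides of the link, so (N/2)^2
    # distinct source/destination pairs cross it, one flow per pair.
    attack_pairs = (n_bots // 2) ** 2
    demands = [legit_demand] * n_legit + [attack_demand] * attack_pairs
    return max_min_fair(capacity, demands)[0]  # index 0 is a legitimate flow


def sweep(bot_counts, capacity=10_000, legit_demand=5.0, n_legit=1000,
          attack_demand=1.0):
    """Constructed scenario: 10 Gbit/s link (in Mbit/s), 1000 legitimate
    pairs wanting 5 Mbit/s each, every bot pair offering 1 Mbit/s."""
    return {n: legit_rate(capacity, legit_demand, n_legit, n, attack_demand)
            for n in bot_counts}


if __name__ == "__main__":
    for n, rate in sweep([0, 100, 200, 1000]).items():
        print(f"{n:5d} bots -> {rate:.4f} Mbit/s per legitimate pair")
```

Per-pair fairness holds the legitimate rate at its demand until the link saturates; past that point every pair is capped at capacity divided by the number of pairs, which grows with the square of the botnet size.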

32 Reference
- M.S. Kang, S.B. Lee, and V.D. Gligor, "The Crossfire Attack," in Proc. IEEE Symposium on Security and Privacy, 2013, pp
- M. Schuchard, A. Mohaisen, D. Foo Kune, N. Hopper, Y. Kim, and E. Y. Vasserman, "Losing control of the internet: using the data plane to attack the control plane," in Proceedings of NDSS ACM, 2010, pp. 726–728
- Y. Zhang, Z. M. Mao, and J. Wang, "Low-rate TCP-targeted DoS attack disrupts internet routing," in Proc. 14th Annual Network & Distributed System Security Symposium, 2007
- A. Studer and A. Perrig, "The Coremelt attack," in Proceedings of ESORICS'09. Berlin, Heidelberg: Springer-Verlag, 2009, pp. 37–52

33 Thank You!
Group Member: Yisi Lu, Hua Li, Hao Wu, Yuantong Lu, Yuchen Liu

