“To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets” (Xin Liu, Xiaowei Yang, Yanbin Lu, Department of Computer Science, University of California, Irvine): presentation transcript

1 “To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets”. Xin Liu, Xiaowei Yang, Yanbin Lu, Department of Computer Science, University of California, Irvine. Published: SIGCOMM 2008. Presented by: Christopher Daiello, March 26, 2009. CAP 6135 Malware and Software Vulnerability Analysis (Spring 2009). Professor: Dr. Cliff Zou.

2 Outline
- Motivation / Strategy
- StopIt Summary
- StopIt Design
- Prototype Experiment
- Defense Solution Comparison
- Review
- References

3 Motivation
- Botnets continue to be a rising threat.
- In September 2007, the Storm botnet alone was reported to have reached 50 million compromised hosts.
- If each host sends one full-size packet (1500 bytes) per second, a 10-million-node botnet generates over 120 Gbps, enough to take down any site on the Internet.
- Many solutions have been proposed to combat this problem, but there is no consensus on how to build a DoS-resistant network.

4 Botnet Defensive Strategies
- Capability approach
  - The receiver controls the traffic it receives.
  - It explicitly authorizes the traffic it receives.
  - Popular capability-based systems: TVA and Portcullis.
- Filter approach
  - The receiver allows all traffic until it detects a problem.
  - The receiver limits attack traffic by dynamically installing filters.
  - Popular filter-based systems: AITF and Pushback.

5 Which strategy is more effective?
- Capability design vs filter design?
- Current filter-based solutions have limitations that prevent a fair comparison:
  - AITF verifies filter-install requests with a 3-way handshake; the handshake packets themselves may be blocked by attack traffic.
  - Pushback rate-limits attack traffic instead of blocking it completely.

6 StopIt Summary

7 StopIt
- Filter-based approach.
- Closed-control and open-service architecture.
- Allows any receiver to block undesirable traffic.
- Mitigates link congestion.
- Resistant to filter exhaustion attacks.
- Resistant to bandwidth flooding attacks that could prevent the installation of filters.

8 StopIt Design Assumptions
- Secure intra-AS communication: communication between components within the AS (Autonomous System) is secured.
- Attack traffic classification: target systems can identify when they are being attacked.
- Feasible: the design is efficient enough to operate on current routers. Public key cryptography is not used during packet forwarding because of its high processing cost.

9 StopIt Goals
- Effective filtering: filters installed to protect one host should not prevent other hosts from communicating with legitimate sources.
- Secure the defense system itself! Strategic attacks are attacks aimed at defeating or abusing the system:
  - Destination flood attacks: flood the system with traffic to suppress communication.
  - Link flood attacks: congest a link to disrupt communication between systems that share that link.

10 StopIt Goals
- Fail-safe: the system should provide degraded service in the event filters fail to mitigate attack traffic.
- Incremental deployment: the system should support incremental deployment and give immediate results to early adopters.

11 StopIt Design

12 StopIt Architecture
- Infrastructure service
  - Open service: any host co-located with the server (in the same AS) may request service.
  - Hosts request StopIt to block attacking traffic.
- Filter-based implementation
  - Source and destination address are used to create the filter.
  - Attack traffic is blocked for a period of time T_b.
  - Attack traffic is confirmed before blocking filters are installed.
  - Filter aggregation: when compromised hosts share a common address space, one prefix filter covers them.

13 StopIt – Autonomous System (AS)
- An AS is a network or collection of networks controlled by one administrative entity (for example, a university network).
- Composed of:
  - a StopIt server;
  - N routers and hosts.
- Routers alert the StopIt server when a host makes a block request.
- The StopIt server directs routers as to which filters to install.

14 StopIt Communication
- StopIt servers communicate with each other to alert one another of a potential attacking host.
- Each StopIt server knows the address of the other StopIt servers.
- The StopIt design uses BGP (Border Gateway Protocol) to publish the address of each StopIt server.
- StopIt implements its own IP protocol for communication between servers and AS routers.

15 StopIt Architecture (figure: attacker H_s behind access router R_s and StopIt server S_s; target H_d behind access router R_d and StopIt server S_d; the StopIt request travels H_d → R_d → S_d → S_s → R_s → H_s)

16 StopIt – Blocking an Attacker
- The destination host (H_d) determines it is under attack by source (H_s).
- H_d sends a host-router “stop” request to its access router R_d.
- The request includes:
  - the attack source address (H_s);
  - the requesting host's address (H_d);
  - the block time T_b.

17 StopIt - Blocking an Attacker
- Router R_d verifies that H_s is in fact sending traffic to H_d.
- Upon confirmation, R_d sends a router-server request to the local AS StopIt server (S_d).
- S_d sends an inter-domain stop request to the StopIt server (S_s) of the AS where H_s is located.

18 StopIt - Blocking an Attacker
- S_s locates the access router R_s of H_s and sends a server-router request.
- R_s verifies the StopIt request and then installs a filter.
- Finally, R_s sends a request to H_s to stop sending traffic to H_d. A compliant host honours the request; a compromised host is stopped by the filter at R_s regardless.

19 Securing StopIt
- Basic StopIt architecture vulnerabilities:
  - Source address spoofing: an attacker may spoof its address to avoid detection and filtering.
  - Resource exhaustion:
    - flood filtering requests to overload the StopIt server and routers;
    - exhaust a router's filters so that no filters remain to block DoS attacks.
  - Blocking legitimate traffic: a compromised StopIt server requests filters for legitimate traffic.

20 Source Authentication
- StopIt uses Passport to prevent source address spoofing.
- Passport uses symmetric key cryptography.
- The authentication overhead is equivalent to the authentication used in capability-based systems.
- Border routers at the destination AS verify the source AS before the packet enters the network.
- Pair-wise keys between two ASes are established from keying material carried in BGP announcements.
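The per-AS check described on this slide, as an added example that is not part of the presentation or of the Passport/StopIt implementations. Assumptions: the pairwise AS keys are fixed constructed bytes rather than the Diffie-Hellman values Passport derives from BGP; the per-AS tag is an 8-byte truncated HMAC-SHA256 standing in for UMAC; the covered fields are assumed to be source address, destination address and a digest of the payload; the prefix-to-AS map is constructed sample data.

```python
import hashlib
import hmac

# Constructed sample data: which AS owns which prefix, and the pairwise AS keys.
# In Passport the keys come from Diffie-Hellman values carried in BGP; fixed bytes stand in here.
PREFIX_TO_AS = {"10.1.": 64501, "10.2.": 64502, "10.3.": 64503}
AS_KEYS = {
    (64501, 64502): b"example-key-64501-64502",
    (64501, 64503): b"example-key-64501-64503",
    (64502, 64503): b"example-key-64502-64503",
}


def as_of(addr):
    """Map a source address to its AS by prefix, as a border router would via its routing table."""
    return next(asn for prefix, asn in PREFIX_TO_AS.items() if addr.startswith(prefix))


def pair_key(as_a, as_b):
    return AS_KEYS[tuple(sorted((as_a, as_b)))]


def covered_bytes(pkt):
    """Fields that do not change in transit (assumed set: src, dst, payload digest)."""
    return pkt["src"].encode() + b"|" + pkt["dst"].encode() + b"|" + hashlib.sha256(pkt["payload"]).digest()


def tag(key, pkt):
    # 8-byte truncated HMAC-SHA256 stands in for Passport's UMAC (assumption).
    return hmac.new(key, covered_bytes(pkt), hashlib.sha256).digest()[:8]


def stamp(pkt, path_ases):
    """Source-AS border router: one tag per AS on the path, each under the pairwise key."""
    src_as = as_of(pkt["src"])
    pkt["passport"] = {asn: tag(pair_key(src_as, asn), pkt) for asn in path_ases}
    return pkt


def verify(pkt, my_as):
    """Border router of my_as: accept only if the tag for my_as verifies under the key
    shared with the AS that owns the claimed source prefix. A spoofer in another AS
    does not hold that key, so its packets fail here before entering the network."""
    got = pkt.get("passport", {}).get(my_as)
    if got is None:
        return False
    return hmac.compare_digest(got, tag(pair_key(as_of(pkt["src"]), my_as), pkt))


def demo():
    """Returns (legit accepted, spoofed accepted, tampered accepted) at destination AS 64501."""
    legit = stamp({"src": "10.2.0.7", "dst": "10.1.0.9", "payload": b"GET / HTTP/1.1"}, [64503, 64501])
    # A bot in AS 64503 forges a source address from AS 64502's prefix. It holds only
    # AS 64503's keys, so the best it can do is tag with the 64503<->64501 key.
    spoof = {"src": "10.2.0.7", "dst": "10.1.0.9", "payload": b"GET / HTTP/1.1"}
    spoof["passport"] = {64501: tag(pair_key(64503, 64501), spoof)}
    # Same legitimate packet with its payload altered in transit.
    tampered = dict(legit, payload=b"GET /x HTTP/1.1")
    return verify(legit, 64501), verify(spoof, 64501), verify(tampered, 64501)
```

The transit AS 64503 verifies its own tag the same way, so every AS on the path can reject spoofed packets independently; the tag only binds the source AS, not the individual host, which is why StopIt still needs the flow-cache confirmation at the access routers.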

21 Closed Control
- Routers accept StopIt requests only from:
  - nodes local to the AS;
  - a StopIt server.
- This prevents stop-request floods from unknown sources.
- If StopIt request traffic is itself classified as attack traffic, the router can issue a stop request against its source.

22 Packet Floods
- Flooding a common link between two domains could prevent StopIt requests from being received.
- Routers know the StopIt server addresses via BGP, so they can separate StopIt requests from other traffic and protect them with:
  - fair queuing;
  - hierarchical rate limiting.

23 Confirming Attacks
- What happens when a destination is compromised?
  - The host may request filters that block legitimate traffic to other co-located hosts.
  - It may exhaust a source router's filters so that attack traffic can successfully suppress hosts.
- Who needs to verify?
  - the destination router;
  - the source router;
  - the source.

24 Confirming Attacks
- Destination router confirmation
  - Router R_d checks its internal flow cache upon receiving a stop request from H_d.
  - If H_d recently received traffic from H_s, the router installs a local filter.
  - The router sends a StopIt request directly to H_s.
  - If H_s does not comply, R_d notifies the local StopIt server of the attacking traffic.

25 Confirming Attacks
- Source router confirmation
  - Source routers R_s also use a flow cache to confirm that a stop request is legitimate.
  - R_s installs filters to block the misbehaving host.
  - Verification protects the source from invalid filter requests from a compromised H_d or another StopIt server.
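The whole request path of slides 16 to 18, with the flow-cache confirmation of slides 24 and 25 and the closed-control rule of slide 21, as an added toy simulation. It is not code from the paper or the Click prototype: the messages are plain function calls instead of StopIt's IP protocol, T_b and the flow-cache window are assumed values, the two-AS topology and addresses are constructed, and Passport source authentication is taken for granted (addresses are assumed unspoofable).

```python
from dataclasses import dataclass

T_B = 30.0      # block time T_b in seconds (assumed value, not taken from the paper)
WINDOW = 10.0   # flow-cache entries older than this no longer confirm an attack (assumed)
PREFIX_TO_AS = {"10.1.": 64501, "10.2.": 64502}   # constructed sample addressing


@dataclass
class Host:
    addr: str
    compliant: bool = True   # a bot ignores StopIt requests

    def stop_request(self, dst):   # slides 18/24: honoured by a compliant host only
        return self.compliant


class Router:
    def __init__(self, net, asn):
        self.net, self.asn = net, asn
        self.server = net.servers[asn]
        self.server.routers.add(self)
        self.flow_cache = {}   # (src, dst) -> time last forwarded
        self.filters = {}      # (src, dst) -> expiry time

    def attach(self, host):
        self.net.hosts[host.addr] = host
        self.net.router_of[host.addr] = self

    def forward(self, src, dst, now):
        """True if a packet src->dst is forwarded; False if a live filter drops it."""
        exp = self.filters.get((src, dst))
        if exp is not None and now < exp:
            return False
        self.filters.pop((src, dst), None)        # T_b elapsed: the filter expires
        self.flow_cache[(src, dst)] = now
        return True

    def confirmed(self, src, dst, now):
        t = self.flow_cache.get((src, dst))
        return t is not None and now - t <= WINDOW

    def host_stop_request(self, h_d, h_s, now):
        """Slides 16, 17, 24: R_d handles a stop request from one of its own hosts."""
        if self.net.router_of.get(h_d) is not self:
            return "rejected: requester is not a local host"   # closed control
        if not self.confirmed(h_s, h_d, now):
            return "rejected: no recent flow h_s -> h_d"       # attack not confirmed
        self.filters[(h_s, h_d)] = now + T_B                  # protect h_d right away
        if self.net.hosts[h_s].stop_request(h_d):
            return "source complied"
        return self.server.router_request(self, h_s, h_d, now)

    def server_stop_request(self, server, h_s, h_d, now):
        """Slides 18, 25: R_s re-verifies before installing a filter at the source."""
        if server is not self.server:
            return "rejected: not from my AS StopIt server"
        if not self.confirmed(h_s, h_d, now):
            return "rejected: source router has no matching flow"
        self.filters[(h_s, h_d)] = now + T_B
        return "filter installed at source router"


class StopItServer:
    def __init__(self, net, asn):
        self.net, self.asn, self.routers, self.peers = net, asn, set(), {}

    def router_request(self, router, h_s, h_d, now):
        if router not in self.routers:
            return "rejected: unknown router"                 # closed control
        peer = self.peers.get(self.net.as_of(h_s))            # learned via BGP in the design
        if peer is None:
            return "source AS does not run StopIt"
        return peer.inter_domain_request(self, h_s, h_d, now)

    def inter_domain_request(self, origin, h_s, h_d, now):
        if origin.asn not in self.peers:
            return "rejected: unknown StopIt server"
        return self.net.router_of[h_s].server_stop_request(self, h_s, h_d, now)


class Network:
    def __init__(self):
        self.hosts, self.router_of = {}, {}
        self.servers = {asn: StopItServer(self, asn) for asn in (64501, 64502)}
        for s in self.servers.values():
            s.peers = {a: t for a, t in self.servers.items() if t is not s}

    @staticmethod
    def as_of(addr):
        return next(asn for p, asn in PREFIX_TO_AS.items() if addr.startswith(p))


def scenario(compliant):
    """Victim 10.1.0.9 (AS 64501) is flooded by 10.2.0.7 (AS 64502); returns the outcomes."""
    net = Network()
    r_d, r_s = Router(net, 64501), Router(net, 64502)
    h_s, h_d = "10.2.0.7", "10.1.0.9"
    r_d.attach(Host(h_d))
    r_s.attach(Host(h_s, compliant=compliant))
    for t in (0.0, 1.0, 2.0):                 # attack packets seen at both access routers
        r_s.forward(h_s, h_d, t)
        r_d.forward(h_s, h_d, t)
    return {
        "forged": r_d.host_stop_request(h_d, "10.2.0.8", 3.0),   # 10.2.0.8 never sent anything
        "result": r_d.host_stop_request(h_d, h_s, 3.0),
        "dropped_at_rd": not r_d.forward(h_s, h_d, 4.0),
        "dropped_at_rs": not r_s.forward(h_s, h_d, 4.0),
        "passes_after_tb": r_d.forward(h_s, h_d, 3.0 + T_B + 1.0),
    }
```

Running `scenario(True)` shows the short path (local filter at R_d, then the source host complies); `scenario(False)` walks the full path to a filter at the source router, and the forged request for a host that never sent anything is refused by R_d's flow cache before it costs any filter entry.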

26 Non-StopIt Enabled Sources
- StopIt can only block attack traffic at the source when the source AS implements StopIt.
- Otherwise attack traffic is blocked at the destination router and the attack is mitigated with queuing or rate limiting.
- Sources using Passport only:
  - The destination AS can confirm the source of attacking traffic, since Passport prevents the source from spoofing its address.
- Sources have an incentive to implement StopIt to isolate congestion caused by their own compromised hosts.

27 Deploying StopIt
- Upgrade routers to use Passport for source authentication.
- Upgrade routers to support the StopIt protocol.
- Add a StopIt server to the AS.
- Enable the per-AS and per-host resource allocation scheme at congested network links.

28 Prototype Experiment

29 Proof of Concept Implementation
- Access router prototype:
  - Linux;
  - Click modular router software architecture;
  - a user-level application for the source logic.
- Authentication for inter-domain StopIt requests and filter replacement requests uses UHASH, AES and UMAC.
- The StopIt protocol is built on top of UDP. (Liu et al, 8)

30 Proof of Concept Implementation (Liu et al, 8)

31 Stopping DoS Attacks
- Scenario inputs:
  - destination router filters: 256K;
  - end-to-end StopIt requests: 3 (for confirming an actual attack);
  - the attacker host simulates 1 to 10 million attackers;
  - each attack is repeated 10 times.

32 Stopping DoS Attacks Time it takes for the victim to block N attackers. (Liu et al, 9)

33 Defense Solution Comparison

34 Comparing Anti-DoS Solutions
- The StopIt design was implemented in ns-2, the Network Simulator.
- StopIt was tested against:
  - AITF and Pushback (filter-based);
  - TVA, TVA+ and Portcullis (capability-based).
- The scenario topology was created from a BGP table dump; 1/20 of the topology was used because of ns-2 limitations.
- Two thirds of the ASes contain attacking hosts, non-uniformly distributed.

35 Comparing Anti-DoS Solutions
- Three types of attack are tested:
  - destination flooding;
  - one-way link flooding;
  - two-way link flooding.
- Testing metric: TCP transfer performance.
  - A legitimate user sends one 20 KB transfer to the designated victim.
  - The TCP transfer is aborted after 25 seconds.

36 Destination Flooding Test (Liu et al, 10)

37 One-Way Link Flood Test (Liu et al, 10)

38 Two-Way Link Flood Test (Liu et al, 11)

39 Comparison Summary
- The StopIt design outperforms many of the existing DoS defense architectures.
- StopIt does not outperform capability-based solutions in all types of DoS attack.
- Neither approach, filter or capability, has shown a definitive edge over the other.
- The best solution may be a hybrid design.

40 Contributions
- A thorough analysis of the DoS problem domain.
- A complete high-level design for a potential solution to destination and link flood DoS attacks.
- A convincing comparison between StopIt and other currently available filter and capability solutions.

41 Weaknesses
- The description of the prototype implementation was fairly brief.
- Prototype testing used only one host to simulate multiple attackers; larger-scale testing should be conducted.
- Internet-wide deployment will make updating the software challenging; it must remain backwards compatible with earlier versions.
- Full deployment is required to fully realize the benefits of the StopIt design.

42 Future Enhancements
- Complete another iteration of prototype development.
- Implement the StopIt protocol as intended, as an IP protocol.
- Test on a larger network infrastructure.

43 References
1. Border Gateway Protocol (BGP). Cisco. http://www.cisco.com/en/US/docs/internetworking/technology/handbook/bgp.html
2. The Network Simulator – ns-2. http://www.isi.edu/nsnam/ns/
3. Autonomous System (Internet). Wikipedia. http://en.wikipedia.org/wiki/Autonomous_system_(Internet)
4. Liu, Xin; Yang, Xiaowei; Lu, Yanbin. “To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets”. SIGCOMM ’08, August 17-22, 2008.
