1. Source-End Defense System against DDoS attacks Fu-Yuan Lee, Shiuhpyng Shieh, Jui-Ting Shieh and Sheng Hsuan Wang Distributed System and Network Security Lab. Department of Computer Science and Information Engineering National Chiao Tung University WADIS‘03

2. 2 Outline  Introduction to DDoS attacks.  Current DDoS defense strategies  Review of D-WARD  Proposed DDoS defense scheme  Evaluation  Conclusions and future work

3. 3 DDoS attacks  What is a Denial-of-Service (DoS) attack  Degrade the service quality or completely disable the target service by overloading critical resources of the target system or by exploiting software bugs.  What is a Distributed DoS (DDoS) attack  The objective is the same with DoS attacks but is accomplished by a of compromised hosts distributed over the Internet.

4. 4 Mechanisms against DDoS attacks (1)  Victim-end  Most existing Intrusion detection systems and DoS/DDoS tolerant system design fall in this category.  Used to protect a set of hosts from being attacked.  Advantages and disadvantages  DDoS attacks are easily detected due to the aggregate of huge traffic volume.  From a network’s perspective, protecting is consider ineffective. Attack flows can still incur congestion along the attack path.

5. 5 Mechanisms against DDoS attacks (2)  Infrastructure-based  DDoS defense lines are constructed towards attack sources to reduce network congestion.  Attack packets are filtered out by Internet core routers.  Advantages and disadvantages  The effectiveness of filtering is improved.  An Internet-wide authentication framework is required.  Internet core routers must be upgrade to filter out attack packets in high speeds

6. 6 Mechanisms against DDoS attacks (3)  Source-end  DDoS defense mechanism are used to prevent monitored hosts from participating in DDoS attacks.  Attack packets are dropped at sources. It allows preventing attack traffic from entering the Internet.  Advantages and disadvantages  The effectiveness of packet filter is the best.  It is very hard to identify DDoS attack flows at sources since the traffic is not so aggregate.  It require the support of all edge routers. In summary, source-end DDoS defense strategy is the most effective and with moderate deployment cost.

7. 7 D-WARD: A Source-End DDoS defense scheme  J. Mickovic et al. “Attacking DDoS at the Source,” IEEE ICNP’02  Ideas behind D-WARD: DDoS attack flows can be identified by comparing flow statistics against normal flow models. Signals of DDoS attacks:  High Packet loss rate:  The level of network congestion (or say packet loss rate) reflects on the ratio of number of packets sent to and received from the peer.  High packet sending rate: This may also indicate a DDoS attack  A large number of connections to the peer

8. 8 D-WARD: Architecture

9. 9 D-WARD: Observation Component  Gather per flow statistics  Flow: The aggregate traffic between monitored IP addresses and a foreign IP address.  Observation interval: A basic time frame for one observation  The number of packet and bytes sent to and received from the peer  The number of active connections  Legitimate flow model  TCP flows:  P sent /P rcv < TCP rto (set to 3)  ICMP flows:  P sent /P rcv < ICMP rto (set to 1.1)  UDP flows:  n conn < MAX conn (set to 100)  p conn > MIN pkts (set to 1)  B sent < UDP rate (set to 10MBps)

10. 10 Motivations  Using a global threshold of P sent /P rcv for TCP flows would result in high false positive and high false negative. In the following context, this ratio is denoted as O/I  High false positive  flows with O/I greater than 3 in its normal operation would be classified as attack flows  High false negative  low-rate attacks will not be detected. Consider a flow with O/I =1, then O/I only reaches 2 when the packet loss rate is 50%. In one word, using a single O/I threshold for different flows is problematic.

11. 11 Basic Idea  Ideas behind the proposed scheme  Focus: detecting DDoS attacks based on TCP  96% of current attacks are based on TCP. Only 2% use UDP and 2% use ICMP  The level of “congestion” should be determined according previous behavior of the each monitored flow.  Two more DDoS characteristics are utilized for detecting attacks  Distribution: the number of hosts sending packets to the destination in each observation period  Continuity: reflect to the observation that a DDoS attack always lasts for an extended period of time.

12. 12 Observations on normal traffics (1)  Observation: Average O/I of different flows rage from 3.68 to 0.5  Flows with highest ratio:  Contains one ftp data connection. The flow last for 227 second. Total 86685 packet (68158 packet send out, 18527 packet send in) The average O/I is 3.68. Standard deviation=0.16. Packet loss rate is 0%.  Standard deviation of the monitored flow are low (usually smaller 1). It indicates that the O/I value of flows tend to be stable in their normal operation.

13. 13 Observations on normal traffics (2)  Number of sources in each flow  In each observation interval, most of flows have only one source host sending packets to the peer.

14. 14 Proposed DDoS detection scheme  There are two phases in our scheme.  Learning phase: Define legitimate flow model  Detection phase: Detect malicious flows and apply rate limit  Learning phase contains two steps.  Step 1: determine the following thresholds  T f : the maximum allowed O/I.  N f : the mini-threshold of O/I.  c: a parameter used to quantify the level of distribution.  Steps 2: derive other configuration parameters  α: a value indicating the possibility that the flow is malicious. It is generated according to the level of congestion and the level of distribution  α f : the maximum allowed value ofα  t f : the maximum allowed number of the times that αcan continually breaches α f

15. 15 Flow Classification  Four types of traffic flows: Normal, Suspicious, Attack, and Transient.

16. 16 Generation of α  Generating α in an observation interval  S f : : the number of source in the flow.  n f : : the O/I of the current interval.  λ: a magic number used to restrict α between 0 and 1. λ is a number between 0 and 1.  Characteristics of α  It is between 0 and 1  It increases with n f. If n f approaches T f, α approaches to 1  α increases with the number of sources in the flow. Level of congestion The impact of distribution

17. 17 Rate limiting and recovery  Rate-Limiting  rl: imposed rate limit  rate: realized sending rate  Mini-rate: The lowest limited rate which can be imposed on network flows.  Recovery  If the attack flow show compliance with normal flow model for consecutive penalty observation periods, it is classified as transient, the recovery process begins.  Max-rate: Once the rate limit reaches Max-rate, it is classified as normal

18. 18 Thresholds  Configuring thresholds and other parameters:  Observation period = 1 second  T f : The maximum of the observed O/I * 2  N f : the average O/I  c: the maximum number of sources in a flow in the monitored network.  α f : the averageαin the learning process.  t f : the maximum consecutive number of time that αexceeds α f  λ= 0.5  Parameters learned from a monitored flow  Sending rate 10 pkts to the destination host per second. Maximum O/I is 1.25, Average O/I is 1.25  T f : = 2.5, n f = 1.04  c = 3  α f = 0.18  t f = 3

19. 19 Experiments  Types of Experiment  Resource consumption  TCP SYN flooding  link flooding  Attack scenarios  Constant rate attack  Pulsing rate attack  Increasing rate attack  Gradual pulsing attack

20. 20 Topology

21. 21 TCP SYN Flooding Attack

22. 22 SYN flooding: Constant Rate and Pulsing Rate

23. 23 SYN flooding Increasing Rate and Gradual Increasing Rate

24. 24 Link Overloading

25. 25 Bandwidth flooding Constant Rate and Pulsing Rate constant pulsing

26. 26 Bandwidth flooding Increasing Rate and Gradual Increasing Rate increasinggradual increasing

27. 27 Conclusion  The O/I used to define the level of network congestion must be determined according to the previous behavior of the flow.  The number of source in the flow and the number of observation intervals that the signal of DDoS attacks lasts should be taken into consideration.  Evaluation results show that the performance of proposed system is better than D-WARD, in terms of false positive and false negative.

28. 28 Future work  More experiments on estimating the effectiveness of the proposed scheme are required  A mechanism that can deal with new flows which are not in the flow profile database  A space-effective mechanism that helps to reduce the storage requirement for storing the profiles of flows.  Schemes which can detect DDoS attacks based on one-way flows such as ICMP and UDP.