Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Countering DoS Through Filtering Omar Bashir Communications Enabling Technologies

Published byMyles Murphy Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Countering DoS Through Filtering Omar Bashir Communications Enabling Technologies"— Presentation transcript:

1 1 Countering DoS Through Filtering Omar Bashir Communications Enabling Technologies obashir@enabtech.com

2 2 Sequence Roots of IP Spoofing Effective Anti-Spoofing Through Ingress Filtering Reducing DoS Effect Through Egress Filtering Pushback: Countering DoS Closer to the DoS Source Trackback: Locating the DoS Source

3 3 Roots of IP Spoofing Source Independent Routing –Next hop forwarding in packet switched networks is not dependent on a packet’s original source the path that packet has taken before it arrives at a particular packet switch –Enhances the efficiency of routing mechanisms in packet switches. Implications –The source address of a packet may never be required in a specific communication session. –Routers and switches do not inspect the source addresses of packets before forwarding a packet to the next hop.

4 4 Roots of IP Spoofing (Contd.) Attackers can mask their identities by inserting false or invalid source addresses on packets before transmitting them to the destination. Typical invalid source addresses, –This host address, 0.0.0.0 –Local loopback address, 127.0.0.1 –Limited broadcast address, 255.255.255.255 –Directed broadcast address. –Subnet address. False source addresses are addresses not assigned to the transmitting host. –Typically addresses of hosts on different subnets or internal subnet addresses.

5 5 Network Ingress Filtering RFC-2827 Automatic filtering on RAS and access routers to drop packets with invalid or false source addresses. Preventative measure to block an imminent DoS attack closest to the source. –Traffic rates substantially low to enable inspection of each outbound packet. Firewalls without ingress filtering capability can be configured to achieve ingress filtering. Logging and analysis of dropped packets necessary to identify, locate and neutralise the attacker.

6 6 Egress Filtering Deny entry of a packet with an invalid source address into a subnet. Can also be used to filter packets with source address fields containing local subnet addresses. Considered necessary due to the lack of implementation of network ingress filtering. May require implementation on platforms with substantial processing resources. Can substantially reduce the impact of DRDoS by eliminating the attack traffic before it reaches the reflectors.

7 7 Ingress and Egress Filtering Ingress Filtering Egress Filtering

8 8 DoS Pushback DDoS attacks are treated as a congestion control problem. Congestion resulting from a DoS attack has to be handled by the routers. –Routers to detect and preferentially drop packets that probably belong to an attack. –Upstream routers are also notified to drop such packets in the order that the router’s resources be used to route legitimate traffic. Focus is on handling DDoS activity closer to the source where traffic rates are substantially low.

9 9 Traffic Characterisation Bad Packets –Transmitted by the attacker. –Characterised by the attack signature identified by the congestion signature. Poor Packets –Packets matching the congestion signature. –Do not actually belong to the attack. Good Packets –Packets not matching the congestion signature but share links or destination with the bad traffic.

10 10 Typical DDoS Signature and Pushback R2R4 R6R7 R3 R8 Victim R1 R5

11 11 Pushback Operations Attack Detection –Detecting the congestion signature. Local Rate Limiting –Packet filtering on the basis of congestion signature. Upstream Notification –Informing the upstream routers of the congestion condition and its signature. Upstream Rate Limiting –Packet filtering on the basis of congestion at the upstream routers.

12 12 Congestion Detection Typical congestion identifiers –Higher packet drop rates. –Typically w i > 1.2  w o Principal determinant –Victim’s address. The algorithm prepares the list of prefixes of destination addresses and the number of packets dropped for each prefix.

13 13 Congestion Detection (Contd.) Prefix with highest drop rate is considered to be the subnet being attacked. For multiple simultaneous attacks. –Determine the congestion contribution for the prefix with highest drop rate. w b –If for other prefixes on the list w i - w b > 1.2  w o, the list is rescanned to determine the second attack.

14 14 Rate Limiting Rate limiter is implemented between the input and the output queues. For w i > 1.2  w o, w l = w i - 1.2  w o If w b > w l then rate limit the aggregate to w l. If w b < w l then drop all traffic matching the congestion signature and allow the remaining traffic to pass through the rate limiter. –Traffic allowed by the rate limiter is not treated preferentially.

15 15 Pushback Congestion condition and signature notified to upstream routers. Pushback protocol messages –Request Transmitted to upstream routers and received from downstream routers. Suggest rate limiting to the upstream routers. –Response Generated by upstream routers. Used to determine modifications in the pushback process. –Cancel Instruction to upstream router for canceling the rate limiting operation. Described in the IETF draft –draft-floyd-pushback-messages-00.txt

16 16 Pushback Mechanism R2R4 R6R7 R3 R8 R1 R5 - - -- -- -- - - -- - -- Victim

17 17 Traceback Identification of the network paths traversed by the attacking traffic. Principal categories –Intrusive traceback Controlled flooding ICMP traceback –Non-intrusive traceback Input debugging Logging Packet marking

18 18 Controlled Flooding Test links by flooding them with large bursts of traffic and observing its affect on the attack traffic. Victim coerces selected hosts along the upstream route to iteratively flood incoming routes on routers detected to be in path of the attack traffic. Requires a pre-generated map of Internet topology. DoS attack on DoS attack –Considered unsuitable as it might affect traffic to other routes sharing routers to the victim’s path.

19 19 ICMP Traceback Explicit router generated ICMP traceback messages. To forward, at a low rate, with one of the packets forwarded by the router an ICMP packet containing –The contents of the forwarded packet. –Information about the adjacent routers along the path to the destination. In a flooding attack, a victim can reconstruct path to the attacker using these messages. Issues –ICMP differentiation –ICMP traceback spoofing IETF draft draft-bellovin-itrace-00.txt

20 20 Input Debugging Filter packets on the egress to the router and determine the input port they arrived at. In an attack, the victim can use the attack signature to query the closest router to determine link on which they reached the router. Router upstream to that link can be successively queried to determine the identity of the attacker. Considerable management overhead.

21 21 Logging Packet details are logged at key routers. Data mining applied to determine path traversed by the packets. Considerably useful for post-attack analysis. Considerable resource requirements.

22 22 Packet Marking Marking packets probabilistically or deterministically with the addresses of routers they traverse. Marking techniques –Node append Append each node’s address to the end of the packet as it traverses the network. –Node sampling Sampling the path one node at a time. –Edge sampling In addition to sampling nodes, also encode the distance of the attacker to the node.

23 23 Conclusions Enforcement of ingress filtering as preventative measure. Enforcement of egress filtering to reduce the possibility of spoofed attack and reflection traffic. Inter-ISP cooperation, –Data collection –Attack signature determination –Attack analysis Pushing the attack closer to the attackers and zombies.

24 24 Q&A Most upstream ISPs do not allow filtering, how can pushback be implemented in this case ? –Possibly by using traceback to determine the ISP hosting the attacker and using a firewall signaling protocol to signal the access routers at that ISP to perform ingress filtering at the source. In pushback, an attacker can generate spoof requests to upstream routers performing DoS ? –Requests to upstream routers are suggestions to the upstream routers to perform filtering on the suggested signature. It is possible for the upstream routers determine their own attack signature and perform filtering on that basis. –Use encryption and authentication on requests and responses.

25 25 Q&A Pushback may be effective incase of a sustained attack. How does it scale to a pulse attack where the attacker generates a surge at intervals to start a pushback. In this case pushback itself becomes DoS and by the time the network neutralises another pulse arrives. –More effective pattern matching –Hysteresis in triggering pushback –Determine pulse attack periodicity and patterns through data logging and analysis. Use predictive measures to be prepared for the attack before it occurs.

Download ppt "1 Countering DoS Through Filtering Omar Bashir Communications Enabling Technologies"

Similar presentations

COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.

COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.
Packet Switching COM1337/3501 Textbook: Computer Networks: A Systems Approach, L. Peterson, B. Davie, Morgan Kaufmann Chapter 3.

Packet Switching COM1337/3501 Textbook: Computer Networks: A Systems Approach, L. Peterson, B. Davie, Morgan Kaufmann Chapter 3.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson University of Washington- Seattle, WA Presented by Mohammad Hajjat- Purdue University Slides.

Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson University of Washington- Seattle, WA Presented by Mohammad Hajjat- Purdue University Slides.
Defending against Large-Scale Distributed Denial-of-Service Attacks Department of Electrical and Computer Engineering Advanced Research in Information.

Defending against Large-Scale Distributed Denial-of-Service Attacks Department of Electrical and Computer Engineering Advanced Research in Information.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.

Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.
Intrusion Detection and Hackers Exploits IP Spoofing Attack Yousef Yahya & Ahmed Alkhamaisa Prepared for Arab Academy for Banking and Financial Sciences.

Intrusion Detection and Hackers Exploits IP Spoofing Attack Yousef Yahya & Ahmed Alkhamaisa Prepared for Arab Academy for Banking and Financial Sciences.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.
Detecting Traffic Differentiation in Backbone ISPs with NetPolice Ying Zhang Zhuoqing Morley Mao Ming Zhang.

Detecting Traffic Differentiation in Backbone ISPs with NetPolice Ying Zhang Zhuoqing Morley Mao Ming Zhang.
1 Controlling High Bandwidth Aggregates in the Network.

1 Controlling High Bandwidth Aggregates in the Network.
© 2003 By Default! A Free sample background from www.powerpointbackgrounds.com Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,

© 2003 By Default! A Free sample background from Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,
IP Traceback With Deterministic Packet Marking Andrey Belenky and Nirwan Ansari IEEE communication letters, VOL. 7, NO. 4 April 2003 林怡彣.

IP Traceback With Deterministic Packet Marking Andrey Belenky and Nirwan Ansari IEEE communication letters, VOL. 7, NO. 4 April 2003 林怡彣.
Introduction. Overview of Pushback. Architecture of router. Pushback mechanism. Conclusion. Pushback: Remedy for DDoS attack.

Introduction. Overview of Pushback. Architecture of router. Pushback mechanism. Conclusion. Pushback: Remedy for DDoS attack.
1 Relates to Lab 4. This module covers link state routing and the Open Shortest Path First (OSPF) routing protocol. Dynamic Routing Protocols II OSPF.

1 Relates to Lab 4. This module covers link state routing and the Open Shortest Path First (OSPF) routing protocol. Dynamic Routing Protocols II OSPF.
Examining IP Header Fields

Examining IP Header Fields
John Kristoff DePaul Security Forum 2003 1 Network Defenses to Denial of Service Attacks John Kristoff +01 312 362-5878.

John Kristoff DePaul Security Forum Network Defenses to Denial of Service Attacks John Kristoff
SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 1 Agenda Last time: finished brief overview.

SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 1 Agenda Last time: finished brief overview.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

Similar presentations

Ads by Google