Countering DoS Through Filtering

Omar Bashir
Communications Enabling Technologies
obashir@enabtech.com
Sequence
• Roots of IP Spoofing
• Effective Anti-Spoofing Through Ingress Filtering
• Reducing DoS Effect Through Egress Filtering
• Pushback: Countering DoS Closer to the DoS Source
• Traceback: Locating the DoS Source
Roots of IP Spoofing
• Source Independent Routing
– Next hop forwarding in packet switched networks is
not dependent on
• a packet’s original source
• the path that packet has taken before it arrives at a
particular packet switch
– Enhances the efficiency of routing mechanisms in
packet switches.
• Implications
– The source address of a packet may never be
required in a specific communication session.
– Routers and switches do not inspect the source
addresses of packets before forwarding them to
the next hop.
Roots of IP Spoofing (Contd.)
• Attackers can mask their identities by inserting false or
invalid source addresses on packets before
transmitting them to the destination.
• Typical invalid source addresses:
– This host address, 0.0.0.0
– Local loopback address, 127.0.0.1
– Limited broadcast address, 255.255.255.255
– Directed broadcast address.
– Subnet address.
• False source addresses are addresses not assigned
to the transmitting host.
– Typically addresses of hosts on different subnets or internal
subnet addresses.
Network Ingress Filtering
• RFC 2827
• Automatic filtering on RAS and access routers to
drop packets with invalid or false source
addresses.
• Preventative measure to block an imminent DoS
attack closest to the source.
– Traffic rates are low enough to allow inspection of
each outbound packet.
• Firewalls without ingress filtering capability can be
configured to achieve ingress filtering.
• Logging and analysis of dropped packets are
necessary to identify, locate and neutralise the
attacker.
Egress Filtering
• Deny entry of a packet with an invalid source
address into a subnet.
• Can also be used to filter packets with source
address fields containing local subnet
addresses.
• Considered necessary due to the lack of
implementation of network ingress filtering.
• May require implementation on platforms with
substantial processing resources.
• Can substantially reduce the impact of DRDoS
by eliminating the attack traffic before it reaches
the reflectors.
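As an added illustration (not code from the slides or from RFC 2827), the following Python sketch applies the invalid and false source address rules of slides 4 to 6 to constructed packets; classify_source, the 203.0.113.0/24 customer prefix, the packet dicts and the logging of drops are assumptions of this example.

```python
import ipaddress
import logging

log = logging.getLogger("source-address-filter")

# Constructed example: the prefix assigned to the customer behind an access router.
CUSTOMER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Invalid source addresses from slide 4; directed-broadcast and subnet addresses
# depend on the prefix and are checked per prefix in classify_source.
FIXED_INVALID = {ipaddress.ip_address(a)
                 for a in ("0.0.0.0", "127.0.0.1", "255.255.255.255")}

def classify_source(src, prefixes=CUSTOMER_PREFIXES):
    """Return 'ok', 'invalid' (reserved address) or 'false' (not assigned here)."""
    addr = ipaddress.ip_address(src)
    if addr in FIXED_INVALID:
        return "invalid"
    for net in prefixes:
        if addr in (net.network_address, net.broadcast_address):
            return "invalid"           # subnet or directed-broadcast address
        if addr in net:
            return "ok"
    return "false"                     # claims an address from another network

def ingress_filter(packets, prefixes=CUSTOMER_PREFIXES):
    """RFC 2827 rule at the access router: forward an outbound packet only if its
    source is one of the customer's own addresses. Drops are logged so that the
    spoofing host can be located afterwards. Returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for pkt in packets:
        verdict = classify_source(pkt["src"], prefixes)
        if verdict == "ok":
            forwarded.append(pkt)
        else:
            log.warning("dropped %s source src=%s dst=%s", verdict, pkt["src"], pkt["dst"])
            dropped.append((verdict, pkt))
    return forwarded, dropped

def egress_filter(packets, local_prefixes=CUSTOMER_PREFIXES):
    """Border rule from slide 6: refuse an inbound packet whose source is a
    reserved address or claims to lie inside the local subnet."""
    accepted, dropped = [], []
    for pkt in packets:
        # 'ok' means the source is one of our own addresses, impossible for inbound traffic.
        if classify_source(pkt["src"], local_prefixes) in ("ok", "invalid"):
            dropped.append(pkt)
        else:
            accepted.append(pkt)
    return accepted, dropped
```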
Ingress and Egress Filtering
[Figure: network diagram showing where filtering is applied; labels: Egress Filtering, Ingress Filtering, Ingress Filtering]
DoS Pushback
• DDoS attacks are treated as a congestion
control problem.
• Congestion resulting from a DoS attack has to
be handled by the routers.
– Routers to detect and preferentially drop packets
that probably belong to an attack.
– Upstream routers are also notified to drop such
packets so that the router’s resources are used to
route legitimate traffic.
• Focus is on handling DDoS activity closer to the
source, where traffic rates are substantially lower.
Traffic Characterisation
• Bad Packets
– Transmitted by the attacker.
– Characterised by the attack signature identified by
the congestion signature.
• Poor Packets
– Packets matching the congestion signature.
– Do not actually belong to the attack.
• Good Packets
– Packets not matching the congestion signature but
sharing links or the destination with the bad traffic.
Typical DDoS Signature and Pushback
[Figure: routers R1, R2, R3, R4, R5, R6, R7, R8 and the Victim]
Pushback Operations
• Attack Detection
– Detecting the congestion signature.
• Local Rate Limiting
– Packet filtering on the basis of congestion
signature.
• Upstream Notification
– Informing the upstream routers of the congestion
condition and its signature.
• Upstream Rate Limiting
– Packet filtering on the basis of congestion at the
upstream routers.
Congestion Detection
• Typical congestion identifiers
– Higher packet drop rates.
– Typically
• w_i > 1.2 w_o
• Principal determinant
– Victim’s address.
• The algorithm prepares the list of prefixes of
destination addresses and the number of
packets dropped for each prefix.
Congestion Detection (Contd.)
• Prefix with highest drop rate is considered to be
the subnet being attacked.
• For multiple simultaneous attacks:
– Determine the congestion contribution w_b of the prefix
with the highest drop rate.
– If, for the remaining prefixes on the list, w_i - w_b > 1.2 w_o,
the list is rescanned to determine the second attack.
Rate Limiting
• Rate limiter is implemented between the input
and the output queues.
• For w_i > 1.2 w_o, w_l = w_i - 1.2 w_o
• If w_b > w_l then rate limit the aggregate to w_l.
• If w_b < w_l then drop all traffic matching the
congestion signature and allow the remaining
traffic to pass through the rate limiter.
– Traffic allowed by the rate limiter is not treated
preferentially.
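The detection and rate-limiting rules of slides 12 to 14, written out as an added Python example that is not part of the original deck or of the pushback draft; detect_attacks, rate_limit_decision, the per-prefix statistics and the use of a prefix's arrival rate as its contribution w_b are assumptions of this example.

```python
THRESHOLD = 1.2   # congestion when w_i > 1.2 * w_o (slide 12)

def detect_attacks(prefix_stats, w_i, w_o):
    """Congestion detection from slides 12 and 13.

    prefix_stats maps a destination prefix to (packets_dropped, arrival_rate);
    arrival_rate is used as that prefix's congestion contribution w_b
    (assumption: the slides do not say how w_b is measured). w_i and w_o are
    the link's input and output rates in the same units as arrival_rate.
    Returns [(prefix, w_b), ...] in the order the attacks were found."""
    found = []
    if w_i <= THRESHOLD * w_o:
        return found                        # no congestion, nothing to limit
    remaining = dict(prefix_stats)
    rate = w_i
    while remaining and rate > THRESHOLD * w_o:
        # The prefix with the highest drop count is the subnet under attack.
        prefix = max(remaining, key=lambda p: remaining[p][0])
        w_b = remaining.pop(prefix)[1]
        found.append((prefix, w_b))
        # If w_i - w_b still exceeds 1.2 w_o, rescan for a further attack.
        rate -= w_b
    return found

def rate_limit_decision(w_i, w_o, w_b):
    """Rate-limiter rule from slide 14 for one congestion signature.

    Returns ("pass", None) when the link is not congested, ("limit", w_l) when
    the aggregate is to be limited to w_l, or ("drop", None) when all traffic
    matching the signature is dropped. w_b == w_l is treated as "drop"
    (assumption: the slides only give strict inequalities)."""
    if w_i <= THRESHOLD * w_o:
        return ("pass", None)
    w_l = w_i - THRESHOLD * w_o
    if w_b > w_l:
        return ("limit", w_l)
    return ("drop", None)

def plan_pushback(prefix_stats, w_i, w_o):
    """Combine detection and the rate-limit rule: one decision per signature,
    which is also what a router would carry upstream in a pushback Request."""
    return {prefix: rate_limit_decision(w_i, w_o, w_b)
            for prefix, w_b in detect_attacks(prefix_stats, w_i, w_o)}
```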
Pushback
• Congestion condition and signature notified to
upstream routers.
• Pushback protocol messages
– Request
• Transmitted to upstream routers and received from
downstream routers.
• Suggest rate limiting to the upstream routers.
– Response
• Generated by upstream routers.
• Used to determine modifications in the pushback process.
– Cancel
• Instruction to upstream router for canceling the rate
limiting operation.
• Described in the IETF draft
– draft-floyd-pushback-messages-00.txt
Pushback Mechanism
[Figure: routers R1, R2, R3, R4, R5, R6, R7, R8 and the Victim, with pushback applied along the attack path]
Traceback
• Identification of the network paths traversed by
the attacking traffic.
• Principal categories
– Intrusive traceback
• Controlled flooding
• ICMP traceback
– Non-intrusive traceback
• Input debugging
• Logging
• Packet marking
Controlled Flooding
• Test links by flooding them with large bursts of
traffic and observing the effect on the attack
traffic.
• Victim coerces selected hosts along the
upstream route to iteratively flood incoming
routes on routers detected to be in the path of the
attack traffic.
• Requires a pre-generated map of Internet
topology.
• DoS attack on DoS attack
– Considered unsuitable as it might affect traffic to
other routes sharing routers to the victim’s path.
ICMP Traceback
• Explicit router generated ICMP traceback messages.
• The router forwards, at a low rate and alongside one of
the packets it forwards, an ICMP packet containing
– The contents of the forwarded packet.
– Information about the adjacent routers along the path to the
destination.
• In a flooding attack, a victim can reconstruct the path to
the attacker using these messages.
• Issues
– ICMP differentiation
– ICMP traceback spoofing
• IETF draft draft-bellovin-itrace-00.txt
Input Debugging
• Filter packets at the router’s egress and
determine the input port they arrived on.
• In an attack, the victim can use the attack
signature to query the closest router to
determine the link on which the packets reached the
router.
• The router upstream of that link can be
successively queried to determine the identity
of the attacker.
• Considerable management overhead.
Logging
• Packet details are logged at key routers.
• Data mining applied to determine path
traversed by the packets.
• Particularly useful for post-attack analysis.
• Considerable resource requirements.
Packet Marking
• Marking packets probabilistically or
deterministically with the addresses of routers
they traverse.
• Marking techniques
– Node append
• Append each node’s address to the end of the packet as
it traverses the network.
– Node sampling
• Sampling the path one node at a time.
– Edge sampling
• In addition to sampling nodes, also encode the distance
of the attacker to the node.
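Added example, not from the slides: a Python simulation of edge sampling in the style of Savage et al., with routers marking packets probabilistically and the victim rebuilding the path from the (start, end, distance) marks; the field names, the 5% marking probability and the R1 to R4 topology are constructed for this illustration.

```python
import random

VICTIM = "victim"

def mark_at_router(pkt, router, p, rng):
    """Edge-sampling mark written by each router a packet passes (simulated
    header fields 'start', 'end', 'distance'). With probability p the router
    starts a new edge; otherwise, if the previous router started one, it
    closes that edge, and in any case it counts the hop."""
    if rng.random() < p:
        pkt["start"], pkt["distance"] = router, 0
    elif "distance" in pkt:
        if pkt["distance"] == 0:
            pkt["end"] = router
        pkt["distance"] += 1
    return pkt

def send_attack_traffic(path, n_packets, p=0.05, seed=1):
    """Constructed simulation: n_packets travel attacker -> path -> victim."""
    rng = random.Random(seed)
    marked = []
    for _ in range(n_packets):
        pkt = {}                          # the attacker sends unmarked packets
        for router in path:
            mark_at_router(pkt, router, p, rng)
        marked.append(pkt)
    return marked

def reconstruct_path(packets, victim=VICTIM):
    """Victim-side reconstruction: an edge carried with distance d lies d hops
    upstream, so the path is rebuilt hop by hop starting from the victim."""
    edges = set()
    for pkt in packets:
        if "distance" not in pkt:
            continue                      # no router sampled this packet
        if pkt["distance"] == 0:
            edges.add((pkt["start"], victim, 0))   # 'end' is stale here
        elif "end" in pkt:
            edges.add((pkt["start"], pkt["end"], pkt["distance"]))
    path, d = [victim], 0
    while True:
        hops = [s for s, e, dist in edges if e == path[-1] and dist == d]
        if not hops:
            return list(reversed(path))
        path.append(hops[0])
        d += 1
```

With p = 0.05 and a four-hop path, a few dozen packets are enough on average to see every edge; the 2000 packets used in the simulation make the reconstruction reliable.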
Conclusions
• Enforcement of ingress filtering as preventative
measure.
• Enforcement of egress filtering to reduce the
possibility of spoofed attack and reflection
traffic.
• Inter-ISP cooperation:
– Data collection
– Attack signature determination
– Attack analysis
• Pushing the attack closer to the attackers and
zombies.
Q&A
• Most upstream ISPs do not allow filtering; how can
pushback be implemented in this case?
– Possibly by using traceback to determine the ISP
hosting the attacker and using a firewall signaling
protocol to signal the access routers at that ISP to
perform ingress filtering at the source.
• In pushback, can an attacker generate spoofed
requests to upstream routers, performing a DoS?
– Requests to upstream routers are suggestions to the
upstream routers to perform filtering on the suggested
signature. It is possible for the upstream routers to
determine their own attack signature and perform
filtering on that basis.
– Use encryption and authentication on requests and
responses.
Q&A
• Pushback may be effective in case of a
sustained attack. How does it scale to a pulse
attack, where the attacker generates a surge at
intervals to start a pushback? In this case
pushback itself becomes a DoS, and by the time
the network neutralises it, another pulse arrives.
– More effective pattern matching
– Hysteresis in triggering pushback
– Determine pulse attack periodicity and patterns
through data logging and analysis. Use predictive
measures to be prepared for the attack before it
occurs.