Network Layer Security
Distributed Denial of Service (DDoS) attacks and the proposed solutions
November 12, 2007

Network Layer Security
Definition: Network layer security is the security of the IP routing mechanism and of the accessibility of networks, services and specific IP machines under general network conditions.

Sample Network Level Threats
• IP hijacking: the IP address of a machine is stolen by another machine. The data streams of the first machine are diverted by the second machine.
• MAC address hijacking: the same as IP hijacking, at the MAC level. This is done by abusing the ARP protocol, through what is known as ARP poisoning.
• Distributed denial of service.

What is a DDoS?
• A DDoS is a collaborative effort of many machines distributed across the internet. The machines are infected by a piece of malware, which allows them to be abused for a DDoS attack.
• The owners of the machines are usually unaware of the infection.
• The infected machines are called zombies.
• All the zombie machines are controlled by a mastermind of the DDoS.

Illustrating a DDoS
(Figure: the DDoS sources send traffic through core routers and the victim's edge router to the victim.)

Some of the Recent Incidents
In May 2006, Internet spammers launched a massive DDoS attack against the anti-spam company Blue Security. As a result of a change in the DNS entries of Blue Security at the time of the attack, the DDoS also targeted millions of blogs. In the aftermath of this DDoS attack, Blue Security was forced to stop providing anti-spam services and revised its business strategy.
A report of Wired Magazine online on this event reads:
“... at 4 pm on May 2, 2006, the sites went dark, and so did the mood at Six Apart, the company that owns them. In the blink of an eye, 10 million blogs and online communities disappeared. Flash floods of data thundered into one network port, stopped inexplicably, then reappeared to overwhelm another. The engineers pored over logs, desperately looking for a cause.
After an agonizing hunt, they found it: a distributed denial-of-service attack, or DDoS.”

Some of the Recent Incidents
The alleged attack of Russia against Estonia in April-May 2007:
• The crisis unleashed a wave of so-called DDoS, or Distributed Denial of Service, attacks, where websites are suddenly swamped by tens of thousands of visits, jamming and disabling them by overcrowding the bandwidths for the servers running the sites. The attacks have been pouring in from all over the world, but Estonian officials and computer security experts say that, particularly in the early phase, some attackers were identified by their internet addresses - many of which were Russian, and some of which were from Russian state institutions. ...
• The attacks have come in three waves: from April 27, when the Bronze Soldier riots erupted, peaking around May 3; then on May 8 and 9 - a couple of the most celebrated dates in the Russian calendar, when the country marks Victory Day over Nazi Germany, and when President Vladimir Putin delivered another hostile speech attacking Estonia and indirectly likening the Bush administration to the Hitler regime; and again this week.
Source: http://www.csmonitor.com/2007/0517/p99s01-duts.html

The Root of the Vulnerability
• The main root of DDoS is the fact that IP has an open structure, and it is hard to block distributed users from sending traffic to a specific address.
• As of now, there is no solution to the DDoS problem.
• Some of the solutions partially solve the problem.

Some of the Difficulties
• The source IP addresses are often spoofed. Therefore, it is hard to identify the real sources.
• In the network layer and at the interim routers, the DDoS traffic looks like normal traffic.
• Often the sources are very distributed across the internet, and the number of active sources ranges from a few hundred to tens of thousands.

Example: Reflected Attacks
• The source sends traffic to a so-called reflector.
The source IP address is spoofed as the IP address of the victim. Therefore, the response of the reflector is sent to the victim.
• Advantage: hiding the identity of the source, and reflection gain.

Illustrating Reflected Attack
(Figure; S: source, R: reflector at 66.22.45.11, V: victim at 10.1.1.12.)
S → R: SYN, source 10.1.1.12 (spoofed), destination 66.22.45.11
R → V: SYN-ACK, source 66.22.45.11, destination 10.1.1.12
For every SYN sent by the source, the victim receives 3-5 SYN-ACKs, because the reflector retransmits its SYN-ACK several times while waiting for an ACK that never arrives. So the attack is amplified at the victim.

Some of the Proposed Solutions
• Egress (ingress) filtering
• Route-based filtering
• Probabilistic packet marking
• Pushback
• D-WARD
• I-trace through ICMP messages

Ingress and Egress Filtering
• When a packet leaves a network, its source IP address is checked for validity. Therefore, IP packets with a spoofed source do not leave the network.

Issues of Egress Filtering
• No incentive for the source domains to implement it: DDoS does not harm them!
• The attackers can still hide themselves within the IP address range of the domain.

Route-based Filtering
• A router checks whether a packet with a given source IP address is supposed to pass through that router.
• Routers use BGP route information for such tests.
• Route-based filtering is a generalization of egress filtering.

Illustrating Route-based Filtering
(Figure.) Node 7 uses an IP address belonging to node 2 when attacking node 4. Node 6 detects that a packet from node 2 is not supposed to be received on the interface connecting it to node 7. The packet is filtered.

Issues of Route-based Filtering
• Huge network support is needed.
• Same problems as egress filtering.
• Needs exchanging BGP route tables among routers.

Probabilistic Packet Marking
• Each router randomly writes a piece of its IP address into some unused field of the IP header.
• By using enough packets, the victim can recover the complete path to the sources.
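The two filtering schemes above, as an added worked example (not code from the slides). The seven-node topology, the 10.N.0.0/16 address blocks and the packets are all constructed for illustration; the scenario mirrors the route-based filtering figure, with node 7 spoofing an address of node 2 while attacking node 4. Shortest paths computed over the topology stand in for the BGP route information a real router would consult (an assumption), and the extra deliver() helper goes beyond the slide's single case to show why partial deployment ("huge network support is needed") matters.

```python
"""Egress filtering and route-based filtering on a constructed toy topology."""
from collections import deque
import ipaddress

# Constructed topology: node -> neighbours (links are undirected).
LINKS = {
    1: [2, 3],
    2: [1, 3],
    3: [1, 2, 4, 5],
    4: [3, 6],
    5: [3, 6],
    6: [4, 5, 7],
    7: [6],
}
# Constructed address block originated by each node.
PREFIXES = {n: ipaddress.ip_network(f"10.{n}.0.0/16") for n in LINKS}


def shortest_paths(src):
    """BFS over LINKS with deterministic tie-breaks; returns {dst: [src, ..., dst]}."""
    parent = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        for nxt in sorted(LINKS[node]):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    paths = {}
    for dst in parent:
        path, node = [], dst
        while node is not None:
            path.append(node)
            node = parent[node]
        paths[dst] = path[::-1]
    return paths


def build_route_filters():
    """Route-based filter table: for router R and incoming neighbour N, the set of
    origin nodes whose traffic may legitimately traverse the link N -> R."""
    table = {r: {n: set() for n in LINKS[r]} for r in LINKS}
    for src in LINKS:
        for path in shortest_paths(src).values():
            for prev, cur in zip(path, path[1:]):
                table[cur][prev].add(src)
    return table


FILTERS = build_route_filters()


def origin_of(src_ip):
    """Which node originates this address, or None if nobody does."""
    ip = ipaddress.ip_address(src_ip)
    for node, block in PREFIXES.items():
        if ip in block:
            return node
    return None


def egress_filter(stub, src_ip):
    """Egress filtering at a stub's border: the source must lie in the stub's own block."""
    return ipaddress.ip_address(src_ip) in PREFIXES[stub]


def route_filter(router, in_from, src_ip):
    """Route-based filtering: accept only if the claimed origin is allowed to reach
    `router` over the link from neighbour `in_from`."""
    origin = origin_of(src_ip)
    return origin is not None and origin in FILTERS[router][in_from]


def deliver(path, src_ip, filtering_routers):
    """Forward a packet hop by hop along `path` (origin first). Routers listed in
    filtering_routers apply route_filter; returns the router that dropped the packet,
    or None if it reached the last node."""
    for prev, cur in zip(path, path[1:]):
        if cur in filtering_routers and not route_filter(cur, prev, src_ip):
            return cur
    return None


if __name__ == "__main__":
    print("origins node 6 accepts from node 7:", sorted(FILTERS[6][7]))
    print("spoofed 10.2.5.5 arriving at 6 from 7:", route_filter(6, 7, "10.2.5.5"))
    print("reflected SYN with victim source 10.1.1.12 leaving stub 7:",
          egress_filter(7, "10.1.1.12"))
    print("dropped at:", deliver([7, 6, 4], "10.2.5.5", {6}))
```

Node 7 is a leaf, so the only origin node 6 ever expects over that link is 7 itself: at that interface the route-based filter degenerates into plain egress filtering, which is the sense in which the slide calls it a generalization. A spoofed source that stays inside 10.7.0.0/16 passes both checks, and with no filtering router on the path the spoofed packet reaches node 4 untouched.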
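Probabilistic packet marking as an added simulation (not code from the slides). It implements the node-sampling variant, in which a marking router writes its own address plus a hop-distance field into the header, with a single constructed attack path, an assumed marking probability and a seeded random generator; the packets_until_complete() helper measures the "too many packets" problem the next slide raises.

```python
"""Probabilistic packet marking (node sampling): simulation of marking and path recovery."""
import random

# Constructed attack path: router addresses from the attacker's side toward the victim.
ATTACK_PATH = [f"10.0.{i}.1" for i in range(1, 9)]
MARK_PROBABILITY = 0.04  # assumed per-router marking probability


def forward_packets(path, p, n_packets, rng):
    """Send n_packets along `path`. Each router overwrites the mark (router, distance)
    with probability p, resetting distance to 0; otherwise, if a mark is present,
    it increments the distance. Returns the marks the victim sees (None = unmarked)."""
    marks = []
    for _ in range(n_packets):
        mark = None
        for router in path:
            if rng.random() < p:
                mark = (router, 0)
            elif mark is not None:
                mark = (mark[0], mark[1] + 1)
        marks.append(mark)
    return marks


def reconstruct_path(marks):
    """Victim side: group the observed router addresses by their distance field and
    order them from the victim outward (nearest router first). The result is
    incomplete if some router's mark never survived the later hops."""
    by_distance = {}
    for mark in marks:
        if mark is None:
            continue
        router, distance = mark
        by_distance.setdefault(distance, set()).add(router)
    recovered = []
    for distance in sorted(by_distance):
        recovered.extend(sorted(by_distance[distance]))
    return recovered


def simulate(seed, n_packets, path=ATTACK_PATH, p=MARK_PROBABILITY):
    """One attack of n_packets with a seeded generator; returns the recovered path."""
    rng = random.Random(seed)
    return reconstruct_path(forward_packets(path, p, n_packets, rng))


def packets_until_complete(seed, path=ATTACK_PATH, p=MARK_PROBABILITY, limit=100_000):
    """How many packets the victim must receive before every router on the path has
    been identified at least once. Returns limit + 1 if the source stops first."""
    rng = random.Random(seed)
    seen = set()
    for n in range(1, limit + 1):
        mark = forward_packets(path, p, 1, rng)[0]
        if mark is not None:
            seen.add(mark[0])
        if len(seen) == len(path):
            return n
    return limit + 1


if __name__ == "__main__":
    print("after 5 packets:", simulate(7, 5))
    print("after 5000 packets:", simulate(7, 5000))
    print("packets needed for the full path:", packets_until_complete(3))
```

A router d hops from the victim is only identified when it marks a packet and none of the d routers after it overwrite that mark, which happens with probability p(1-p)^d; the farthest routers are therefore the last ones the victim learns, and a source that stops after a few packets leaves the recovered path cut short. The recovered addresses are router addresses on the path, which is why the scheme locates the source network rather than the source machine.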
Problems of Probabilistic Packet Marking
• Usually, the victim needs to receive too many packets from a source to be able to completely recover the path.
• The sources may be programmed to stop before they become detectable by PPM.
• It can only find the source networks, not the real source machines.

I-trace through ICMP Messages
• For each IP packet received, with a small probability, an ICMP packet is generated carrying the complete information of the packet and the IP address of the router through which the packet was forwarded.
• The probability of generating an ICMP message is 1/20,000 per received packet.
• If a DDoS source generates enough packets, then enough ICMP messages will be generated to help recover the complete path to the source.

Problems of I-trace through ICMP Messages
• The approach requires the sources to generate too many messages.
• It can only find the source networks, not the real source machines.

Pushback
• Pushback is based on the fact that DDoS causes congestion.
• A congestion signature is identified by the routers in proximity to the victim.
• The congestion signature is advertised to the upstream routers.
• Whenever there is a high rate of packets matching the congestion signature, the mechanism continues iteratively: the upstream routers in turn advertise the signature to their own upstream routers.
• Pushback is designed to continue toward the sources.

Illustrating Pushback
(Figure: pushback limits the traffic rate closer to the sources.)

Pushback in More Detail
(Figure.) ACC: Aggregate-based Congestion Control. RED: Random Early Detection (drop).

Problems of Pushback
• Many false positives and false negatives.
• Often it is hard to extract a congestion signature.
• Traffic becomes very sparse close to the sources. Therefore, pushback often fails to continue all the way to a DDoS source.

D-WARD
• D-WARD monitors the traffic at the egress router of a stub domain in order to determine whether the ratio of outgoing to incoming traffic for a set of remote addresses is abnormally high.
A high ratio is taken as a signal that an attack is being mounted from within the stub domain.

Issues of D-WARD
• The performance of D-WARD degrades in detecting DDoS in transit domains because of the possibility of asymmetry in routes.
• D-WARD does not work when routes are not symmetric.
• D-WARD is not well suited for UDP traffic.
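The D-WARD ratio check and its weaknesses, as an added example (not D-WARD's own code). The per-remote-address packet counts, the ratio threshold and the minimum flow size are constructed or assumed for illustration; real D-WARD keeps per-protocol flow models and rate-limits the offending flows rather than only flagging them.

```python
"""D-WARD-style outgoing/incoming traffic ratio check at a stub domain's egress router."""
from collections import defaultdict

# Constructed counts seen at the egress router in one observation window:
# (remote address, direction relative to the stub, protocol, packets).
FLOW_RECORDS = [
    ("198.51.100.10", "out", "tcp", 120),   # normal web session: roughly balanced
    ("198.51.100.10", "in",  "tcp", 100),
    ("203.0.113.5",   "out", "tcp", 5000),  # flood leaving the stub: almost no replies
    ("203.0.113.5",   "in",  "tcp", 3),
    ("192.0.2.7",     "out", "udp", 400),   # legitimate one-way UDP stream
    ("192.0.2.7",     "in",  "udp", 0),
    ("192.0.2.8",     "out", "tcp", 4),     # tiny flow: too small to be judged
    ("192.0.2.8",     "in",  "tcp", 0),
]

RATIO_THRESHOLD = 3.0   # assumed: flag a remote when out/in exceeds this
MIN_OUT_PACKETS = 50    # assumed: ignore flows too small to mean anything


def aggregate(records):
    """Sum packets per remote address and direction: {remote: {"out": n, "in": n}}."""
    totals = defaultdict(lambda: {"out": 0, "in": 0})
    for remote, direction, _proto, packets in records:
        totals[remote][direction] += packets
    return dict(totals)


def out_in_ratio(out_packets, in_packets):
    """Outgoing/incoming packet ratio; a remote that never answers gets infinity."""
    if in_packets == 0:
        return float("inf")
    return out_packets / in_packets


def suspicious_remotes(records, threshold=RATIO_THRESHOLD, min_out=MIN_OUT_PACKETS):
    """Remote addresses whose ratio is abnormally high (sorted), the signal D-WARD
    takes as an attack mounted from inside the stub."""
    flagged = []
    for remote, counts in aggregate(records).items():
        if counts["out"] < min_out:
            continue
        if out_in_ratio(counts["out"], counts["in"]) > threshold:
            flagged.append(remote)
    return sorted(flagged)


def outgoing_only(records):
    """Model a transit domain with asymmetric routes: the monitor sees the outgoing
    half of every flow, but the replies take another path and are never counted."""
    return [r for r in records if r[1] == "out"]


if __name__ == "__main__":
    print("symmetric routes:", suspicious_remotes(FLOW_RECORDS))
    print("asymmetric routes:", suspicious_remotes(outgoing_only(FLOW_RECORDS)))
```

With symmetric routes the flood to 203.0.113.5 is flagged, but so is the one-way UDP stream to 192.0.2.7, since a request/reply balance is not something UDP traffic promises (the slide's "not well suited for UDP" issue). Once the replies travel a different path, as they may in a transit domain, every sizeable flow looks one-sided and the balanced web session is flagged too, which is the route-asymmetry issue.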