Distributed Denial of Service
Cryptography Applications Bistro
Presented by Lingxuan Hu, April 15, 2004

Why DDoS is hard to prevent
• Internet
  – Limited resources
  – Security is highly interdependent
• ISP?
  "The problem with DDOS security is this: if you implement DDOS security, it does not protect your network, it merely prevents your network from harming others. Why would an ISP spend extra time and effort implementing a security protocol that was good for everyone else... but not for them?"
  by simul, Kuro5hin.org (targeted by DDoS attacks), February 4, 2004

Defenses
• IP spoofing
  – Egress filtering
  – Keep routing state for each packet
  – New type of ICMP control message carrying traceback information
  – Embed traceback information into the IP header
• Bandwidth flooding
  – Use overlay networks to filter input
  – Pushback to preserve bandwidth
  – Equip your host with gobs of bandwidth and appliances that can mitigate the effect

Problem Statement
• Use IP traceback to defend against IP spoofing
  – Packets that share a routing path with attacker packets are dropped
• Challenges
  – The average Internet routing path is around 15 hops, so reconstructing the full path would take about 60 bytes (15 IPv4 addresses of 4 bytes each)
  – Where to put the traceback information?

Pi Overview
• Model the Internet as a binary tree rooted at the victim node
• Each router marks 0 or 1 into the IP Identification field based on path information

IP Header (one 32-bit word per row)
  bits 0–3 version | 4–7 header length | 8–13 DS | 14–15 ECN | 16–31 total length (in bytes)
  bits 0–15 Identification | 16 reserved (0) | 17 DF | 18 MF | 19–31 fragment offset
  bits 0–7 time-to-live (TTL) | 8–15 protocol | 16–31 header checksum
  source IP address
  destination IP address
  options (0 to 40 bytes)
  payload
• Identification field (16 bits)
  – IP identification is only used for fragmentation, which makes up less than 0.25% of the packets on the Internet

Pi Marking – Basic Marking Scheme
• Marking scheme
  – Each router marks n bits into the IP Identification field
• Marking location
  – TTL (mod 16/n) indexes the location in the field to mark
• Marking function
  – Last n bits of a hash (e.g. MD5) of the router's IP address

The following slides are adapted from Abraham Yaar's Oakland 2003 slides.

Pi Marking – Example

Pi Marking Scheme – TTL Attack
• Problem
  – Attacker shifts the markings by modifying the initial TTL
  (figure: marking field with the final-TTL pointer, before and after the shift)
• Note: the marking bits and their order haven't changed, just their location in the marking field
• Solution
  – Victim uses the final TTL to re-align the marking field by bit rotation

Pi Marking – IP Fragmentation
• Problem
  – Mark values in the IP Identification field break fragmentation (fragments are reassembled by Identification value)
• Solution
  – Don't mark packets that may get fragmented (DF flag clear) or that are fragments themselves
  – During a DDoS attack, drop packets that fail this predicate (they carry no mark)

Pi Filtering – Basic Scheme
• Basic scheme
  – Drop all packets whose Pi mark matches that of any attack packet
• Assumption
  – The victim can identify attack packets
• Implementation overhead
  – Memory: bit vector of length 2^16 bits (8 kB)
    if (BitVec[PiMark] == 0) then accept() else drop();
  – Computation: O(1) per packet

Pi Filtering – Thresholds
• Problem
  – A single attacker causes multiple legitimate users' packets to be rejected (they share its mark)
• Solution
  – Assume, for a particular Pi mark i:
    a_i = number of attack packets
    u_i = number of legitimate users' packets
  – The victim chooses a threshold t such that if
    $\frac{a_i}{a_i + u_i} \geq t$
    then all packets with Pi mark i are dropped

Experiment Results – Basic Filter
• DDoS protection
  – Accepted:
    60% of user traffic
    17% of attacker traffic
  – Downward slope due to "marking saturation"
    – All markings flagged as attacker

Experiment Results – Threshold Filter
• Thresholds work!
  – The victim tunes the threshold, raising false positives to reduce false negatives
  – Greater attack traffic requires greater threshold values

Comments
• Review of the goal
  – The same routing path yields the same marking
  – Different routing paths have little probability of colliding on the same marking
• Question
  – Why bother using rotated marking instead of a simple hash function?

DDoS Attacks
• IP spoofing
• Bandwidth flooding

Back to Zhanxiang
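Added example (not from the slides and not the Pi authors' code): a Python simulation of the basic Pi marking scheme on raw IPv4 headers, covering the marking slides above: the n-bit per-router mark placed at slot TTL mod 16/n, the bit-rotation defence against the TTL attack, and the fragmentation rule. It assumes n = 2 mark bits, that a router decrements the TTL before marking, a constructed 5-hop path of hypothetical router addresses (10.1.x.1), and it leaves the header checksum at zero because nothing is transmitted.

```python
"""Simulation of Pi (path identifier) marking on raw IPv4 headers.

Added example, not the slides' or the Pi authors' code.  Assumptions: n = 2
mark bits per router, a router decrements TTL before marking, and the header
checksum is left at zero (nothing is transmitted).
"""
import hashlib
import struct

MARK_BITS = 2                      # n: bits each router writes (assumed value)
FIELD_BITS = 16                    # width of the IP Identification field
SLOTS = FIELD_BITS // MARK_BITS    # 16/n marking slots, indexed by TTL mod 16/n
MARK_MASK = (1 << MARK_BITS) - 1
DF, MF, FRAG_OFFSET = 0x4000, 0x2000, 0x1FFF   # flags / fragment-offset word layout


def router_mark(router_ip):
    """Marking function: last n bits of MD5(router IP address)."""
    return hashlib.md5(router_ip.encode()).digest()[-1] & MARK_MASK


def markable(flags_frag):
    """Fragmentation rule: mark only packets that cannot be fragmented (DF set)
    and are not fragments themselves (MF clear, fragment offset zero)."""
    return bool(flags_frag & DF) and not (flags_frag & MF) and (flags_frag & FRAG_OFFSET) == 0


def build_header(ttl, flags_frag=DF, ident=0):
    """Minimal 20-byte IPv4 header with constructed addresses; checksum left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ident, flags_frag, ttl, 6, 0,
                       bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]))


def router_forward(hdr, router_ip):
    """One Pi router: decrement TTL, then overwrite slot (TTL mod 16/n) of the
    Identification field with this router's n-bit mark if the packet is markable."""
    ident, flags_frag, ttl = struct.unpack_from("!HHB", hdr, 4)
    ttl -= 1
    if markable(flags_frag):
        shift = (ttl % SLOTS) * MARK_BITS
        ident = (ident & ~(MARK_MASK << shift) & 0xFFFF) | (router_mark(router_ip) << shift)
    return hdr[:4] + struct.pack("!HHB", ident, flags_frag, ttl) + hdr[9:]


def send_along(path, initial_ttl, flags_frag=DF):
    """Forward a fresh packet through every router on `path` (closest to the victim last)."""
    hdr = build_header(initial_ttl, flags_frag)
    for router_ip in path:
        hdr = router_forward(hdr, router_ip)
    return hdr


def raw_mark(hdr):
    """Identification field as the victim receives it, before any normalisation."""
    return struct.unpack_from("!H", hdr, 4)[0]


def final_ttl(hdr):
    return hdr[8]


def victim_pi_mark(hdr):
    """TTL-attack defence: rotate the field right by (final TTL mod 16/n) slots so the
    last hop's mark always sits in slot 0, whatever initial TTL the sender chose."""
    ident = raw_mark(hdr)
    rot = (final_ttl(hdr) % SLOTS) * MARK_BITS
    return ((ident >> rot) | (ident << (FIELD_BITS - rot))) & 0xFFFF


PATH = ["10.1.%d.1" % i for i in range(1, 6)]    # constructed 5-hop path to the victim

if __name__ == "__main__":
    for ttl0 in (64, 128, 255):
        h = send_along(PATH, ttl0)
        print("initial TTL %3d: raw mark %04x, normalised Pi mark %04x"
              % (ttl0, raw_mark(h), victim_pi_mark(h)))
```

Comparing raw Identification values across different initial TTLs shows the attack: the same five routers produce different raw fields, while `victim_pi_mark` yields one value for all of them. Running a nine-hop path also shows marking saturation: with eight slots, the first hop's slot is overwritten by the ninth, so only the last 16/n routers contribute to the mark.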
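Added example (again not from the slides) for the two filtering slides: the victim-side basic bit-vector filter and the threshold filter, run over a constructed traffic sample in which one legitimate user collides on an attacker's mark, which is exactly the case the threshold is meant to handle. The mark values (0x1234, 0x5678, 0x9ABC) and packet counts are made up; the learning phase assumes, as the slides do, that the victim can label attack packets.

```python
"""Victim-side Pi filtering: basic bit-vector filter and threshold filter.

Added example, not from the slides.  Marks and packet counts are constructed.
"""
from collections import Counter

NUM_MARKS = 1 << 16            # 16-bit Identification field -> 2^16 possible Pi marks


class BasicPiFilter:
    """Bit vector with one bit per possible mark (2^16 bits = 8 kB).
    A set bit means the mark was seen on an identified attack packet."""

    def __init__(self):
        self.bitvec = bytearray(NUM_MARKS // 8)

    def learn_attack(self, mark):
        self.bitvec[mark >> 3] |= 1 << (mark & 7)

    def accept(self, mark):
        # if (BitVec[PiMark] == 0) then accept() else drop()  -- O(1) per packet
        return (self.bitvec[mark >> 3] >> (mark & 7)) & 1 == 0


class ThresholdPiFilter:
    """Per-mark counters a_i (attack) and u_i (legitimate) gathered while the
    victim can still tell the two apart; mark i is dropped iff a_i/(a_i+u_i) >= t."""

    def __init__(self, t):
        self.t = t
        self.attack = Counter()
        self.user = Counter()

    def learn(self, mark, is_attack):
        (self.attack if is_attack else self.user)[mark] += 1

    def accept(self, mark):
        a, u = self.attack[mark], self.user[mark]
        if a + u == 0:
            return True                    # never observed: nothing to hold against it
        return a < self.t * (a + u)        # same test as a/(a+u) < t, without division


# Constructed traffic: (Pi mark, is_attack).  Mark 0x1234 is shared by an attacker
# and one legitimate user (same path to the victim); the other marks are not shared.
SAMPLE = ([(0x1234, True)] * 100 + [(0x1234, False)] * 10
          + [(0x5678, False)] * 50 + [(0x9ABC, True)] * 200)


def evaluate(flt, packets):
    """Return (users accepted, users total, attack accepted, attack total)."""
    ua = ut = aa = at = 0
    for mark, is_attack in packets:
        ok = flt.accept(mark)
        if is_attack:
            at += 1
            aa += ok
        else:
            ut += 1
            ua += ok
    return ua, ut, aa, at


def run_basic(packets=SAMPLE):
    """Learn attack marks into the bit vector, then filter the same traffic."""
    flt = BasicPiFilter()
    for mark, is_attack in packets:
        if is_attack:
            flt.learn_attack(mark)
    return evaluate(flt, packets)


def run_threshold(t, packets=SAMPLE):
    """Learn per-mark attack/user counts, then filter with threshold t."""
    flt = ThresholdPiFilter(t)
    for mark, is_attack in packets:
        flt.learn(mark, is_attack)
    return evaluate(flt, packets)


if __name__ == "__main__":
    print("basic filter      :", run_basic())
    for t in (0.5, 0.95):
        print("threshold t=%.2f :" % t, run_threshold(t))
```

On this sample the basic filter drops every attack packet but also the ten legitimate packets sharing mark 0x1234 (50 of 60 user packets accepted). Raising the threshold to 0.95 lets mark 0x1234 through (a_i/(a_i+u_i) is 100/110, below t), so all user traffic is accepted at the cost of 100 accepted attack packets; t = 0.5 behaves like the basic filter here. That is the false-positive versus false-negative trade-off of the threshold slide, and why heavier attack traffic (larger a_i everywhere) calls for a higher t.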