Source-End Defense System against DDoS Attacks
Fu-Yuan Lee, Shiuhpyng Shieh, Jui-Ting Shieh and Sheng Hsuan Wang
Distributed System and Network Security Lab.
Department of Computer Science and Information Engineering
National Chiao Tung University
WADIS‘03
Outline
- Introduction to DDoS attacks
- Current DDoS defense strategies
- Review of D-WARD
- Proposed DDoS defense scheme
- Evaluation
- Conclusions and future work
DDoS attacks
- What is a Denial-of-Service (DoS) attack?
  - Degrade the service quality or completely disable the target service by overloading critical resources of the target system or by exploiting software bugs.
- What is a Distributed DoS (DDoS) attack?
  - The objective is the same as a DoS attack, but it is accomplished by a set of compromised hosts distributed over the Internet.
Mechanisms against DDoS attacks (1)
- Victim-end
  - Most existing intrusion detection systems and DoS/DDoS-tolerant system designs fall in this category.
  - Used to protect a set of hosts from being attacked.
- Advantages and disadvantages
  - DDoS attacks are easily detected, because the attack traffic aggregates into a huge volume at the victim.
  - From the network's perspective, protecting only the victim is considered ineffective: attack flows still cause congestion along the attack path.
Mechanisms against DDoS attacks (2)
- Infrastructure-based
  - DDoS defense lines are constructed toward the attack sources to reduce network congestion.
  - Attack packets are filtered out by Internet core routers.
- Advantages and disadvantages
  - The effectiveness of filtering is improved.
  - An Internet-wide authentication framework is required.
  - Internet core routers must be upgraded to filter out attack packets at high speed.
Mechanisms against DDoS attacks (3)
- Source-end
  - DDoS defense mechanisms are used to prevent monitored hosts from participating in DDoS attacks.
  - Attack packets are dropped at the sources, which keeps attack traffic from entering the Internet at all.
- Advantages and disadvantages
  - Packet filtering is most effective at this point.
  - It is very hard to identify DDoS attack flows at the sources, since the traffic has not yet aggregated.
  - It requires the support of all edge routers.
In summary, the source-end DDoS defense strategy is the most effective and has a moderate deployment cost.
D-WARD: A Source-End DDoS defense scheme
- J. Mirkovic et al., "Attacking DDoS at the Source," IEEE ICNP'02
- Idea behind D-WARD: DDoS attack flows can be identified by comparing flow statistics against normal flow models.
- Signals of DDoS attacks:
  - High packet loss rate: the level of network congestion (i.e. the packet loss rate) is reflected in the ratio of the number of packets sent to the peer to the number received from it.
  - High packet sending rate: this may also indicate a DDoS attack.
  - A large number of connections to the peer.
D-WARD: Architecture
[Figure: D-WARD sits between the intranet (source network) and the Internet. An Observation Component gathers per-flow statistics (preprocessing, classification, statistics, cache table) and passes rate-limiting rule adjustments to a Throttling Component, which forwards packets according to a table of rate-limiting rules: Destination A | limiting rate | timestamp ... Destination N | limiting rate | timestamp.]
D-WARD: Observation Component
- Gather per-flow statistics
  - Flow: the aggregate traffic between the monitored IP addresses and one foreign IP address.
  - Observation interval: the basic time frame for one observation.
  - The number of packets and bytes sent to and received from the peer.
  - The number of active connections.
- Legitimate flow model
  - TCP flows: Psent/Prcv < TCPrto (set to 3)
  - ICMP flows: Psent/Prcv < ICMPrto (set to 1.1)
  - UDP flows: nconn < MAXconn (set to 100), pconn > MINpkts (set to 1), Bsent < UDPrate (set to 10MBps)
Motivations
- Using a global threshold on Psent/Prcv for TCP flows results in both a high false positive rate and a high false negative rate. In the following, this ratio is denoted as O/I.
  - High false positives: flows whose O/I is greater than 3 in normal operation are classified as attack flows.
  - High false negatives: low-rate attacks are not detected. Consider a flow with O/I = 1; its O/I only reaches 2 when the packet loss rate is 50%.
In short, using a single O/I threshold for different flows is problematic.
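The D-WARD legitimate flow model above and the two O/I failure modes from this slide, as an added example (my own code, not D-WARD's): `dward_legitimate` applies the quoted thresholds, and `oi_under_loss` uses a simplifying assumption of mine, namely that the peer's replies shrink in proportion to the packets actually delivered, so a lossy flow's O/I is its baseline O/I divided by (1 - loss rate). The FTP flow's packet counts are the ones quoted later in the deck; the lossy flow is constructed.

```python
from dataclasses import dataclass

TCP_RTO, ICMP_RTO = 3.0, 1.1                              # D-WARD thresholds from the slides
MAX_CONN, MIN_PKTS, UDP_RATE = 100, 1, 10 * 1024 * 1024   # UDP model; 10 MBps as bytes/s

@dataclass
class FlowStats:
    proto: str            # "tcp", "icmp" or "udp"
    p_sent: int           # packets sent to the peer in the observation interval
    p_rcv: int            # packets received from the peer
    n_conn: int = 0       # active connections (UDP model)
    p_conn: float = 0.0   # packets per connection (UDP model)
    b_sent: int = 0       # bytes sent per second (UDP model)

def oi(stats):
    """Psent/Prcv, the O/I ratio; infinite when nothing came back from the peer."""
    return stats.p_sent / stats.p_rcv if stats.p_rcv else float("inf")

def dward_legitimate(stats):
    """True when the flow fits D-WARD's normal flow model for its protocol."""
    if stats.proto == "tcp":
        return oi(stats) < TCP_RTO
    if stats.proto == "icmp":
        return oi(stats) < ICMP_RTO
    return (stats.n_conn < MAX_CONN and stats.p_conn > MIN_PKTS
            and stats.b_sent < UDP_RATE)

def oi_under_loss(baseline_oi, loss_rate):
    """O/I of a flow whose peer answers delivered packets as in normal operation
    (assumed model): replies fall with the delivered share, so O/I = baseline/(1-loss)."""
    return baseline_oi / (1.0 - loss_rate)

def examples():
    """The two failure modes of a single global threshold; returns (lossy ok?, ftp ok?)."""
    # False negative: a normally 1:1 flow suffering 50% loss only reaches O/I = 2 < 3.
    lossy = FlowStats("tcp", p_sent=1000, p_rcv=round(1000 / oi_under_loss(1.0, 0.5)))
    # False positive: the FTP data flow (68158 out, 18527 in, 0% loss) sits above TCPrto.
    ftp = FlowStats("tcp", p_sent=68158, p_rcv=18527)
    return dward_legitimate(lossy), dward_legitimate(ftp)
```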
Basic Idea
- Ideas behind the proposed scheme
  - Focus: detecting DDoS attacks based on TCP
    - 96% of current attacks are based on TCP; only 2% use UDP and 2% use ICMP.
  - The level of "congestion" should be determined according to the previous behavior of each monitored flow.
  - Two more DDoS characteristics are utilized for detecting attacks:
    - Distribution: the number of hosts sending packets to the destination in each observation period.
    - Continuity: reflects the observation that a DDoS attack always lasts for an extended period of time.
Observations on normal traffics (1)
- Observation: the average O/I of different flows ranges from 0.5 to 3.68.
- The standard deviations of the monitored flows are low (usually smaller than 1). This indicates that the O/I value of a flow tends to be stable in its normal operation.
- Flow with the highest ratio:
  - Contains one ftp data connection. The flow lasted 227 seconds, with a total of 86685 packets (68158 sent out, 18527 received). The average O/I is 3.68, the standard deviation is 0.16, and the packet loss rate is 0%.
Observations on normal traffics (2)
- Number of sources in each flow
  - In each observation interval, most flows have only one source host sending packets to the peer.
Proposed DDoS detection scheme
- There are two phases in our scheme.
  - Learning phase: define the legitimate flow model.
  - Detection phase: detect malicious flows and apply rate limits.
- The learning phase contains two steps.
  - Step 1: determine the following thresholds
    - Tf: the maximum allowed O/I.
    - Nf: the minimum threshold of O/I.
    - c: a parameter used to quantify the level of distribution.
  - Step 2: derive the other configuration parameters
    - α: a value indicating how likely it is that the flow is malicious. It is generated from the level of congestion and the level of distribution.
    - αf: the maximum allowed value of α.
    - tf: the maximum number of consecutive times that α may breach αf.
Flow Classification
- Four types of traffic flows: Normal, Suspicious, Attack, and Transient.
[State diagram, transcribed:]
- Normal flow: derive α each interval; if α is less than αf the flow stays Normal, if α is greater than αf it becomes Suspicious.
- Suspicious flow: increase the counter that is compared against tf; while the counter is smaller than tf the flow stays Suspicious, once it is greater than tf the flow becomes an Attack flow.
- Attack flow: once it has been compliant for the penalty period it becomes Transient.
- Transient flow: enters the recovery phase; if α is greater than αf again it goes back to Attack, otherwise it returns to Normal once recovery completes.
Generation of α
- Generating α in an observation interval:

  $$\alpha = \sum_{i=1}^{S_f/c} \lambda^{i}\,\frac{n_f - N_f}{T_f - N_f}$$

  where $(n_f - N_f)/(T_f - N_f)$ is the level of congestion and the sum over $i$ up to $S_f/c$ is the impact of distribution.
  - Sf: the number of sources in the flow.
  - nf: the O/I of the current interval.
  - λ: a magic number used to restrict α to between 0 and 1. λ is a number between 0 and 1.
- Characteristics of α
  - It is between 0 and 1.
  - It increases with nf. If nf approaches Tf, α approaches 1.
  - α increases with the number of sources in the flow.
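The α generation and the Normal/Suspicious/Attack/Transient classification of the two slides above, as an added example of my own (not the authors' implementation). Names such as `FlowProfile`, `classify` and `run` are mine; the summation bound S_f/c is rounded up to an integer, a Suspicious flow whose α drops back under αf returns to Normal, and the length of the penalty period is a parameter, all of which are my assumptions. The thresholds are the ones from the Thresholds slide; the observation sequence is constructed.

```python
import math
from dataclasses import dataclass

@dataclass
class FlowProfile:
    """Per-flow thresholds from the learning phase (names follow the slides)."""
    T_f: float        # maximum allowed O/I
    N_f: float        # normal (average) O/I
    c: int            # maximum number of sources in a flow of the monitored network
    alpha_f: float    # maximum allowed alpha
    t_f: int          # consecutive intervals alpha may exceed alpha_f
    penalty: int      # compliant intervals an attack flow needs before recovery (assumed)
    lam: float = 0.5  # lambda, keeps alpha within [0, 1]

def alpha(p, n_f, S_f):
    """alpha = sum_{i=1}^{S_f/c} lam^i * (n_f - N_f)/(T_f - N_f).
    Assumption: the bound S_f/c is rounded up (at least 1); congestion is clamped to [0, 1]."""
    congestion = min(max((n_f - p.N_f) / (p.T_f - p.N_f), 0.0), 1.0)
    k = max(1, math.ceil(S_f / p.c))
    return sum(p.lam ** i for i in range(1, k + 1)) * congestion

@dataclass
class FlowState:
    kind: str = "normal"   # normal | suspicious | attack | transient
    breaches: int = 0      # consecutive intervals with alpha > alpha_f
    compliant: int = 0     # consecutive compliant intervals under penalty

def classify(p, st, n_f, S_f):
    """Advance the flow's state by one observation interval; returns its type."""
    hot = alpha(p, n_f, S_f) > p.alpha_f
    if st.kind in ("normal", "suspicious"):
        st.breaches = st.breaches + 1 if hot else 0   # quiet interval resets (assumed)
        if st.breaches > p.t_f:
            st.kind, st.compliant = "attack", 0
        else:
            st.kind = "suspicious" if hot else "normal"
    elif st.kind == "attack":
        st.compliant = 0 if hot else st.compliant + 1
        if st.compliant >= p.penalty:                 # compliant for the penalty period
            st.kind = "transient"
    elif hot:                                          # transient flow breaches alpha_f again
        st.kind, st.compliant = "attack", 0
    # otherwise a transient flow stays transient until rate-limit recovery completes
    return st.kind

def run(p, observations):
    """Classify a sequence of (n_f, S_f) observations; returns the flow type per interval."""
    st = FlowState()
    return [classify(p, st, n_f, S_f) for n_f, S_f in observations]

# Constructed run: one quiet interval, four congested multi-source ones, two quiet, one burst.
PROFILE = FlowProfile(T_f=2.5, N_f=1.04, c=3, alpha_f=0.18, t_f=3, penalty=2)
SAMPLE = [(1.1, 1)] + [(2.4, 6)] * 4 + [(1.1, 1)] * 2 + [(2.4, 6)]
```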
Rate limiting and recovery
- Rate-Limiting

  $$rl = \min(rl, rate) \cdot (1 - \alpha) \cdot \frac{P_{sent}}{P_{sent} + P_{drop}}$$

  - rl: imposed rate limit
  - rate: realized sending rate
  - Mini-rate: the lowest rate limit that can be imposed on network flows.
- Recovery
  - If an attack flow shows compliance with the normal flow model for a number of consecutive penalty observation periods, it is classified as transient and the recovery process begins.

  $$rl = rl \cdot \left(1 + \frac{P_{sent}}{P_{sent} + P_{drop}}\right)$$

  - Max-rate: once the rate limit reaches Max-rate, the flow is classified as normal.
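The throttling and recovery rules of this slide carried through on constructed numbers, as an added example of my own (not the authors' code). `Limiter`, `throttle`, `recover` and `simulate` are my names; the limit is floored at Mini-rate and capped at Max-rate as the slide describes, and the assumption that the source keeps offering 800 packets per interval while throttled, so that P_drop is whatever the limiter refused, is mine.

```python
from dataclasses import dataclass

@dataclass
class Limiter:
    """Rate limit imposed on one flow, in packets per observation interval."""
    rl: float         # currently imposed rate limit
    mini_rate: float  # Mini-rate: lowest limit that may be imposed
    max_rate: float   # Max-rate: reaching it ends recovery, the flow is normal again

def delivered_share(p_sent, p_drop):
    """P_sent / (P_sent + P_drop): share of the flow's packets the limiter let through."""
    return p_sent / (p_sent + p_drop) if p_sent + p_drop else 1.0

def throttle(lim, rate, alpha, p_sent, p_drop):
    """Attack flow: rl = min(rl, rate) * (1 - alpha) * P_sent/(P_sent + P_drop), floored."""
    lim.rl = max(lim.mini_rate,
                 min(lim.rl, rate) * (1.0 - alpha) * delivered_share(p_sent, p_drop))
    return lim.rl

def recover(lim, p_sent, p_drop):
    """Transient flow: rl = rl * (1 + P_sent/(P_sent + P_drop)), capped at Max-rate.
    Returns (new limit, True once the flow may be reclassified as normal)."""
    lim.rl = min(lim.max_rate, lim.rl * (1.0 + delivered_share(p_sent, p_drop)))
    return lim.rl, lim.rl >= lim.max_rate

def simulate():
    """Constructed scenario: a flow offering 800 pkt/interval with alpha = 0.7 is
    throttled for three intervals, then complies and is recovered.
    Returns (limit after each throttled interval, intervals needed to recover)."""
    lim = Limiter(rl=1000.0, mini_rate=10.0, max_rate=1000.0)
    limits, sent, dropped = [], 800, 0
    for _ in range(3):
        limits.append(round(throttle(lim, 800, 0.7, sent, dropped), 2))
        sent = int(min(800, lim.rl))       # next interval only rl packets get through
        dropped = 800 - sent               # the rest is P_drop
    intervals, normal = 0, False
    while not normal:                      # the source now sends within its limit
        _, normal = recover(lim, int(lim.rl), 0)
        intervals += 1
    return limits, intervals
```

With these inputs the limit collapses to Mini-rate within three intervals (240, 21.6, 10 packets) and the doubling recovery then takes seven compliant intervals to reach Max-rate.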
Thresholds
- Configuring thresholds and other parameters:
  - Observation period = 1 second
  - Tf: twice the maximum observed O/I
  - Nf: the average O/I
  - c: the maximum number of sources in a flow in the monitored network.
  - αf: the average α in the learning process.
  - tf: the maximum number of consecutive times that α exceeds αf
  - λ = 0.5
- Parameters learned from a monitored flow
  - Sending rate: 10 packets per second to the destination host. Maximum O/I is 1.25, average O/I is 1.25.
  - Tf = 2.5, nf = 1.04
  - c = 3
  - αf = 0.18
  - tf = 3
Experiments
- Types of experiment
  - Resource consumption
  - TCP SYN flooding
  - Link flooding
- Attack scenarios
  - Constant rate attack
  - Pulsing rate attack
  - Increasing rate attack
  - Gradual pulsing attack
Topology
[Figure: experimental topology. Several groups of attack agents connect through switches and a router, with the DDoS defense system on the attack agents' side, toward the victim, which sits behind a bandwidth controller.]
TCP SYN Flooding Attack
[Figure: the same topology, with TCP SYN attack flows from the attack agents toward the victim.]
SYN flooding: Constant Rate and Pulsing Rate
[Figure: result plots for the constant rate and pulsing rate scenarios]
SYN flooding: Increasing Rate and Gradual Increasing Rate
[Figure: result plots for the increasing rate and gradual increasing rate scenarios]
Link Overloading
[Figure: the same topology; each of the five groups of attack agents sends 100KBps, an aggregate of 500KBps of attack traffic, toward a link whose bandwidth is 250KBps in front of the victim's bandwidth controller.]
Bandwidth flooding: Constant Rate and Pulsing Rate
[Figure: result plots for the constant and pulsing scenarios]
Bandwidth flooding: Increasing Rate and Gradual Increasing Rate
[Figure: result plots for the increasing and gradual increasing scenarios]
Conclusion
- The O/I used to define the level of network congestion must be determined according to the previous behavior of the flow.
- The number of sources in the flow and the number of observation intervals for which the signal of a DDoS attack lasts should be taken into consideration.
- Evaluation results show that the proposed system performs better than D-WARD in terms of false positives and false negatives.
Future work
- More experiments are required to estimate the effectiveness of the proposed scheme.
- A mechanism that can deal with new flows which are not in the flow profile database.
- A space-efficient mechanism that helps to reduce the storage requirement for the profiles of flows.
- Schemes which can detect DDoS attacks based on one-way flows such as ICMP and UDP.