Design and Operational Characteristics of a Distributed Cooperative Infrastructure against DDoS Attacks

Georgios Koutepas, Fotis Stamatelopoulos, Vasilios Hatziyannakis, and Basil Maglaris
National Technical University of Athens, Greece

ECIW 2003

July 1, 2003

A Distributed Cooperative Infrastructure against DDoS Attacks – ECIW 2003

What is "Denial of Service"?

• An attack to suspend the availability of a service
• Until recently the "bad guys" tried to enter our systems. Now it's: "If not us, then Nobody"
• No break-in attempts, no information stealing, although they can be combined with other attacks to confuse Intrusion Detection Systems.
  – DoS: single, specially crafted malicious packets against the target machine
  – Distributed DoS: traffic flows from various sources to exhaust network or computing resources
• No easy solutions! DoS is still mostly a research issue


Main Characteristics of DoS

• Variable targets:
  – Single hosts or whole domains
  – Computer systems or networks
  – Important: active network components (e.g. routers) are also vulnerable and possible targets!
• Variable uses & effects:
  – Hacker "turf" wars
  – High profile commercial targets (or just competitors…)
  – Useful in cyber-warfare, terrorism etc.
• February 7-11 2000: big commercial sites (CNN, Yahoo, eBay) are taken down by flooding of their networks.
• October 2002: attack against the Root DNS servers


Distributed DoS

[Figure: the attacker (1) takes control of machines in Domain A and Domain B ("pirated machines", the "zombies") and (2) commands the attack from them against the target domain.]


A DDoS Attack Domain-wise

[Figure: the sources of the attack sit in several domains; their traffic crosses the attack transit domains (innocent domains, but their connectivity is affected) before reaching the target domain.]


Reaction to DDoS

• Incoming traffic has to be controlled outside the victim's domain, at the upstream providers
• Source IPs on attack packets are usually spoofed
• The malicious flows have to be determined.
• The attack characteristics have to be communicated upstream. This is usually done manually and is an uncertain and time-consuming procedure.
• Filters that will block attack traffic must be set up and maintained. Their effectiveness must be verified.
• The bandwidth penalty is still present throughout all the affected networks. Actions are required on all the networks along the attack path.

Our Solution: An Inter-Domain Cooperative Infrastructure


Inter-Domain Cooperative Framework

[Figure: participating and non-participating domains; each participating domain runs a Cooperative Counter-DDoS Entity. Notifications propagate between Entities by multicast; each Entity activates filters and reacts according to local policies.]

The Cooperative Counter-DDoS Entities constitute an Overlay Network


The Entities

• The Entities compose the infrastructure
  – They are the trusted points through which the domain participates in the Infrastructure
  – They manage all communications and reaction within the domain
  – They are at the top of the local IDS hierarchy, and thus combine the local picture with the one from peers
  – They are controlled locally according to the choices and policies of the administrator
  – Communications by multicast methods
• They can push reaction filters to routers, BUT:
  – Their duration is controlled, the admin is aware of them, and it is possible to adjust to shifting attack patterns


Main Design Characteristics: Entity Implementation

• Lightweight and modular software architecture, with different components performing the various tasks
• Java Management Extensions (JMX) framework for control and configuration
• Using the Intrusion Detection Message Exchange Format (IDMEF) in all messages achieves compatibility with standards and interoperability with the installed IDS infrastructure (IDMEF was still an IETF draft in 2003; it was later published as RFC 4765)
• Multicast advantages:
  – Stealthy presence
  – Independence from a specific installation host
  – Possible parallel operation of backup Entities


Entity State Transition


Internal Entity Architecture

[Figure: block diagram of an Entity. Blocks and labels recovered from the diagram:
- Management application, on top of the JMX Infrastructure: configuration, Configuration Event, Notification; link to the Network Management Console
- Networking component / Communication Unit: Multicast Messages to and from other Entities (Alerts, Heartbeats, Notifications)
- Analysis Unit: Alerts and Heartbeats from the Local IDS Hierarchy; Diagnosed Security Events and Status Information; backed by the Event info DB, the Entity DB and the Policy File
- Response Unit]


What happens during an Attack

[Figure: domains A, B, C, D, E, W, X, Y and Z; D is the target. The tables below belong to the Entity at domain B.]

Path Cases for domain B

Path Case | Situation
1 | B may be the source or on the attack path
2 | B is on the attack path
3 | B is the target of the attack
4 | B out of the attack path

Message DB of the Entity at domain B

# | Alert Sender | Source Domain | Target Domain | Next-Hop Domain | Event Type
1 | A | W | D | B | (125) ICMP flood
2 | A | X | D | B | (125)
3 | C | B | D | D | (125)
4 | C | Z | D | D | (125)
5 | D | C | D | N/A | (125)

Entry 3 is marked "!" on the slide: it names B itself as the source domain.


Policy Entries

• Match Event Characteristics with the actions taken against the attack:
  – Attack type
  – Attack destination (target domain)
  – Path positioning case
• Custom made actions to match the specific attack
• Reaction for a certain time

Matching Part: Destination, Attack Type, Path Case. Reaction Part: Action, Duration.

Destination | Attack Type | Path Case | Action | Duration
D | DDoS packet type (*) | 1 & 2 | a. Throttle traffic 25%; b. Coming from the source domain that gives Path Case 1; c. Packet type the one derived from messages, Dest. D | 600 sec
* | DDoS packet type (*) | 1 & 2 | a. Throttle traffic 50%; b. Outgoing in the direction of the target domain; c. Packet type the one derived from messages, Dest. the target domain | 200 sec
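The message DB of domain B and the policy table together describe the whole local decision: classify each stored alert into a path case, then look up the reaction. The following is an added example, not the authors' code. The message DB and the two policy entries are transcribed from the slides; the rules in `path_case` are one reading of the four path cases (the slides give the cases but not the classification logic), and all names are illustrative.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Alert:
    """One notification as stored in an Entity's message DB (IDMEF reduced to the slide's columns)."""
    sender: str              # domain whose Entity sent the alert
    source: str              # source domain claimed by the attack packets (may be spoofed)
    target: str              # target domain
    next_hop: Optional[str]  # domain the sender forwards the attack traffic to; None when the sender is the target
    event_type: str


@dataclass(frozen=True)
class PolicyEntry:
    destination: str         # target domain to match, "*" = any
    attack_type: str         # event type to match, "*" = any
    path_cases: FrozenSet[int]
    action: str
    duration_sec: int


# Message DB of the Entity at domain B, transcribed from the slide (entries 2-5 repeat entry 1's event type).
MESSAGE_DB: List[Alert] = [
    Alert("A", "W", "D", "B", "ICMP flood"),
    Alert("A", "X", "D", "B", "ICMP flood"),
    Alert("C", "B", "D", "D", "ICMP flood"),   # marked "!" on the slide: B is named as source
    Alert("C", "Z", "D", "D", "ICMP flood"),
    Alert("D", "C", "D", None, "ICMP flood"),  # sent by the target itself
]

# Policy entries transcribed from the slide. Order matters: the first match wins, so the entry
# specific to destination D has to come before the wildcard entry.
POLICY: List[PolicyEntry] = [
    PolicyEntry("D", "*", frozenset({1, 2}),
                "throttle 25% of traffic from the source domain giving path case 1, packet type from messages, dest D", 600),
    PolicyEntry("*", "*", frozenset({1, 2}),
                "throttle 50% of traffic outgoing toward the target domain, packet type from messages", 200),
]


def path_case(local: str, a: Alert) -> int:
    """Position of `local` relative to the attack described by one alert (assumed reading of the slide):
    3 if local is the target; 1 if the alert names local as the source (it may really be the source, or
    merely on the path, because source addresses are usually spoofed); 2 if the sender forwards the
    attack traffic to local, i.e. local is on the attack path; 4 otherwise (off the path)."""
    if a.target == local:
        return 3
    if a.source == local:
        return 1
    if a.next_hop == local:
        return 2
    return 4


def match_policy(a: Alert, case: int, policy: List[PolicyEntry] = POLICY) -> Optional[PolicyEntry]:
    """First policy entry whose matching part covers this alert and path case, or None."""
    for entry in policy:
        if entry.destination not in ("*", a.target):
            continue
        if entry.attack_type not in ("*", a.event_type):
            continue
        if case in entry.path_cases:
            return entry
    return None


def plan_reactions(local: str, db: List[Alert],
                   policy: List[PolicyEntry] = POLICY) -> List[Tuple[int, int, PolicyEntry]]:
    """(message index, path case, policy entry) for every stored alert that triggers a local reaction."""
    reactions = []
    for i, a in enumerate(db):
        case = path_case(local, a)
        entry = match_policy(a, case, policy)
        if entry is not None:
            reactions.append((i, case, entry))
    return reactions


if __name__ == "__main__":
    for i, case, entry in plan_reactions("B", MESSAGE_DB):
        print(f"msg {i + 1}: path case {case} -> {entry.action} for {entry.duration_sec}s")
```

Run against the slide's table, B reacts to messages 1 and 2 (case 2, B is A's next hop) and to message 3 (case 1, B named as source), and ignores messages 4 and 5 (case 4). Note that the slide's policy only fires for cases 1 and 2: the target domain D itself (case 3) gets no filter from it, which is consistent with the earlier point that the traffic has to be controlled upstream of the victim.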


Additional Concepts

• Security
  – The messages are encrypted against eavesdropping, BUT only with symmetric cryptography, so the key has to be shared among the participating Entities
  – Additionally there are timestamps and digital signatures on the messages to avoid replay attacks
• It is possible to create "communities" of Entities by multicast and distribute the notifications only within them:
  – Geographically (by the TTL on the packets)
  – According to common interests etc. (by different multicast groups)
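The timestamp-plus-signature check is the part of this slide a receiving Entity actually has to get right, so here is an added example of the receiving side; it is not the authors' code. HMAC-SHA256 stands in for the digital signature because it is in the standard library; the key, the skew window and the message layout are assumptions, not values from the paper.

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Group key shared by the Entities (assumed; the slide only says symmetric cryptography is used).
GROUP_KEY = b"example-group-key-not-for-production"
MAX_SKEW_SEC = 30                      # accepted clock difference between Entities; assumed value
REPLAY_WINDOW_SEC = 2 * MAX_SKEW_SEC   # how long a (sender, seq) pair is remembered


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so that sender and receiver authenticate the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_message(key: bytes, sender: str, seq: int, now: float, payload: dict) -> dict:
    """Build a notification carrying sender, sequence number, timestamp and an HMAC-SHA256 tag.
    HMAC with a group key lets any member forge messages from any other member; the paper's
    digital signatures (per-Entity keys) give authenticity between peers, HMAC does not."""
    body = {"sender": sender, "seq": seq, "ts": int(now), "payload": payload}
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


class ReplayGuard:
    """Checks the tag, then the timestamp window, then that (sender, seq) has not been seen before."""

    def __init__(self, key: bytes, max_skew: float = MAX_SKEW_SEC, window: float = REPLAY_WINDOW_SEC):
        self.key = key
        self.max_skew = max_skew
        self.window = window
        self.seen: Dict[Tuple[str, int], int] = {}   # (sender, seq) -> ts

    def verify(self, msg: dict, now: float) -> Tuple[bool, str]:
        body = dict(msg)
        tag = body.pop("mac", None)
        if not isinstance(tag, str):
            return False, "missing mac"
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):    # constant-time comparison
            return False, "bad mac"
        # Only authenticated fields are inspected from here on.
        if abs(now - body["ts"]) > self.max_skew:
            return False, "stale timestamp"
        key = (body["sender"], body["seq"])
        self._expire(now)
        if key in self.seen:
            return False, "replayed"
        self.seen[key] = body["ts"]
        return True, "ok"

    def _expire(self, now: float) -> None:
        # Forget pairs older than the window; anything that old fails the timestamp check anyway,
        # so the seen-set stays bounded without losing protection.
        for k, ts in list(self.seen.items()):
            if now - ts > self.window:
                del self.seen[k]


if __name__ == "__main__":
    guard = ReplayGuard(GROUP_KEY)
    msg = sign_message(GROUP_KEY, "A", 1, 1000.0, {"event": "ICMP flood", "target": "D"})
    print(guard.verify(msg, 1001.0))   # first delivery
    print(guard.verify(msg, 1005.0))   # the same multicast packet captured and re-sent
```

A seen-set keyed on (sender, seq) rather than a "strictly increasing sequence number" rule is deliberate: multicast can deliver packets out of order, and a strict rule would drop legitimate reordered notifications. The window is what keeps the set small, and it only works because the timestamp check runs first.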


Current Status

• Finished prototype
• Putting a WAN emulation facility (Dummynet) between the Entities for testing behavior during attacks
  – Test the accuracy in setting up the right filters, at the right points
  – Determine the effects on non-attack traffic, and thus choose the right configuration parameters and filter durations
• Testing the effectiveness of a peer-to-peer communications scheme in addition to multicast
• Developing the Hot-Spare concepts
• Introducing the usage of advanced inference algorithms and/or expert systems
• Plans to deploy it in the Greek Academic Network


Conclusions

• It's not an IDS, but rather a "message management system" independent of the underlying detection technologies
• Distributed framework that uses a Cooperative Inter-Domain approach
• Trusted partners, each deploying a local software Entity
• Entities exchange security information so that positioning in the attack path is detected locally and without requiring traceback procedures
• Reaction is activated in parallel, controlled at each domain by local policies

Questions and Answers