Characterizing and Defending Against DDoS Attacks
Christos Papadopoulos
...and many others
How Do Computers Find Each Other?
[Figure: Computer 1 and Computer 2 connected through the Internet]
What Are the Different Kinds of Addresses?
• Domain name (e.g., www.usc.edu): global, human-readable name
• DNS translates the name to an IP address (e.g., 128.125.19.146): global, understood by all networks
• Finally, we need a local network address, e.g., Ethernet (08-00-2c-19-dc-45): local, works only on a particular network
Domain Naming System (DNS)
[Figure: Computer 1 asks its local DNS server "What's the IP address for www.usc.edu?"; the server answers "It is 128.125.19.146"]
DNS server address manually configured into the OS
Finding the Ethernet Address: Address Resolution (ARP)
[Figure: two hosts on the same Ethernet]
Broadcast: who knows the Ethernet address for 128.125.51.41?
Reply (to the requester): I do, it is 08-00-2c-19-dc-45
Sending a Packet Through the Internet
[Figure: hosts (H) attached to a mesh of routers (R); a packet hops from router to router toward the destination host]
Routers send the packet to the next closest point
The Internet routes packets based on their destination!
Smurf Attack
[Figure: attacker sends a broadcast echo request into an amplifier network; the replies go to the target]
The attacker sends an ICMP echo request to the broadcast address of the amplifier network, with the source address spoofed to be the target's address.
Many echo replies are received by the target, since most machines on the amplifier network respond to the broadcast.
TCP SYN Flooding (a more powerful attack)
Normal three-way handshake, client (port 33623/tcp) to server (port 23/tcp):
  SYN →
  ← SYN-ACK
  ACK →
  [session proceeds; ACK set for the remainder of the session]
SYN flood against the target (port 23/tcp):
  SPOOFED SYN → (source address is a nonexistent host)
  ← SYN-ACK (sent to the nonexistent host, never answered)
  FINAL ACK NEVER SENT
Each spoofed SYN leaves a half-open connection that ties up server state until it times out; enough of them exhaust the backlog and legitimate connection attempts are refused.
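The two attacks above leave signatures a network sensor can check for: SYNs whose handshake never completes, and echo replies arriving at a host that never sent the requests. The detector below is an added example written for this page, not code from the slides or from the Cossack project; the packet records, addresses and ports are constructed for illustration, and the thresholds (ten SYNs, 20% completion, 10x amplification) are assumed knobs.

```python
"""Flag TCP SYN floods and Smurf-style ICMP amplification in a packet list.

Added example; packet records are constructed, addresses are documentation ranges.
"""
from collections import Counter, defaultdict
from typing import NamedTuple


class Pkt(NamedTuple):
    proto: str            # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""       # TCP flags: "S" = SYN, "SA" = SYN-ACK, "A" = ACK
    icmp_type: int = -1   # 8 = echo request, 0 = echo reply


def half_open_summary(pkts, min_syns=10, max_completion=0.2):
    """Per server (dst, dport): how many distinct clients sent a SYN, and how many
    of them followed up with the final ACK. A spoofed SYN from a nonexistent host
    can never be completed, so a flood drives the completion ratio toward zero.
    Returns {(server, port): (syn_clients, completed_clients)} for flagged servers."""
    syns = defaultdict(set)
    completed = defaultdict(set)
    for p in pkts:
        if p.proto != "tcp":
            continue
        server, client = (p.dst, p.dport), (p.src, p.sport)
        if p.flags == "S":
            syns[server].add(client)
        elif p.flags == "A" and client in syns[server]:
            completed[server].add(client)
    flagged = {}
    for server, clients in syns.items():
        done = len(completed[server])
        if len(clients) >= min_syns and done / len(clients) <= max_completion:
            flagged[server] = (len(clients), done)
    return flagged


def smurf_summary(pkts, min_amplification=10):
    """Per host: echo replies received vs echo requests it sent. The Smurf target
    receives one reply per amplifier host for every forged request, so the ratio is
    the amplification factor. Returns {host: (replies_in, requests_out)}."""
    requests_out, replies_in = Counter(), Counter()
    for p in pkts:
        if p.proto != "icmp":
            continue
        if p.icmp_type == 8:
            requests_out[p.src] += 1
        elif p.icmp_type == 0:
            replies_in[p.dst] += 1
    return {h: (n, requests_out[h]) for h, n in replies_in.items()
            if n >= min_amplification * max(requests_out[h], 1)}


def build_sample():
    """Constructed trace: one real telnet session, a 50-host spoofed SYN flood and a
    Smurf with a 200-host amplifier network, all aimed at 192.0.2.10."""
    target = "192.0.2.10"
    pkts = [Pkt("tcp", "10.0.0.5", target, 33623, 23, "S"),
            Pkt("tcp", target, "10.0.0.5", 23, 33623, "SA"),
            Pkt("tcp", "10.0.0.5", target, 33623, 23, "A")]
    for i in range(50):                       # SYN-ACKs go to nonexistent hosts
        ghost = f"203.0.113.{i + 1}"
        pkts.append(Pkt("tcp", ghost, target, 40000 + i, 23, "S"))
        pkts.append(Pkt("tcp", target, ghost, 23, 40000 + i, "SA"))
    pkts.append(Pkt("icmp", target, "198.51.100.255", icmp_type=8))  # forged source
    for i in range(200):
        pkts.append(Pkt("icmp", f"198.51.100.{i % 254 + 1}", target, icmp_type=0))
    return pkts


if __name__ == "__main__":
    trace = build_sample()
    print("half-open:", half_open_summary(trace))   # {('192.0.2.10', 23): (51, 1)}
    print("smurf:", smurf_summary(trace))           # {'192.0.2.10': (200, 1)}
```

The half-open check keys on the final ACK rather than on SYN counts alone, so a busy but healthy server is not flagged; the Smurf check works from the target's side, where the forged request is at most seen once while the replies arrive by the hundreds.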
So, What Is DDoS?
Distributed Denial of Service
• New, more pernicious type of attack
• Many hosts "gang" up to attack another host
• Network resource attack: bandwidth, state
Why Should We Care?
Successfully used to attack prominent sites in the Internet by those with a primitive understanding of internet protocols
It is relatively easy to do, but hard to detect and stop
It is only going to get worse unless we develop adequate protection mechanisms
Anatomy of an Attack
1. Compromise a large set of machines
2. Install attack tools
3. Instruct all attack machines to initiate an attack against a victim
Process highly automated
Phase 1: Compromise
A (stolen) account is used as repository for attack tools.
A scan is performed to identify potential victims.
A script is used to compromise the victims.
Phase 2: Install Attack Tools
• An automated installation script is then run on the “owned” systems to download and install the attack tool(s) from the repository.
• Optionally, a “root kit” is installed on the compromised systems.
Phase 3: Launch Attack
• Launch a coordinated DDoS from different sites against a single victim.
• Network pipes of the attackers can be small, but their aggregated bandwidth is far larger than the victim's pipe.
• Victim's ISP may not notice elevated traffic.
• DDoS attacks are harder to track than a DoS.
Some Known DDoS Attack Tools
• Trin00
• Tribal Flood Network (TFN)
• Tribal Flood Network 2000 (TFN2K)
• Stacheldraht
  - Combines features of trin00 and TFN.
  - Adds encryption between the attacker and masters and automated update of agents.
  - Communication between attacker and masters takes place on TCP port 16660.
  - Daemons receive commands from masters through ICMP echo replies.
  - Attacks: ICMP, UDP, SYN flood and Smurf.
Stacheldraht
Client session (attacker connecting to a master):
  # ./client 192.168.0.1
  [*] stacheldraht [*]
  (c) in 1999 by ...
  trying to connect...
  connection established.
  --------------------------------------
  enter the passphrase : sicken
  --------------------------------------
  entering interactive session.
  ******************************
  welcome to stacheldraht
  ******************************
  type .help if you are lame
  stacheldraht(status: a!1 d!0)>

  stacheldraht(status: a!1 d!0)> .help
  available commands in this version are:
  --------------------------------------------------
  .mtimer .mudp .micmp .msyn .msort .mping
  .madd .mlist .msadd .msrem .distro .help
  .setusize .setisize .mdie .sprange .mstop .killall
  .showdead .showalive
  --------------------------------------------------
  stacheldraht(status: a!1 d!0)>
Some Commands
.distro user server
  Instructs the agent to install and run a new copy of itself using the Berkeley "rcp" command, on the system "server", using the account "user" (e.g., "rcp user@server:linux.bin ttymon").
.madd ip1[:ip2[:ipN]]
  Add IP addresses to the list of attack victims.
.mdie
  Sends a die request to all agents.
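The two control channels described above (attacker to masters over TCP port 16660, masters to daemons inside ICMP echo replies) give a sensor two things to look for: connections to the handler port, and echo replies that answer no request. The detector below is an added example written for this page, not code from the slides or from any analysis of the tool; the hosts, the ICMP identifier 4242 and the packet records are constructed, and `min_count=3` is an assumed knob for ignoring the occasional stray reply.

```python
"""Heuristics for Stacheldraht-style control traffic, from the page's description:
attacker <-> master on TCP/16660; master -> agent commands carried in ICMP echo replies.

Added example; hosts, ICMP identifier and packet records are constructed.
"""
from collections import Counter
from typing import NamedTuple

HANDLER_PORT = 16660   # attacker <-> master port named on the page


class Pkt(NamedTuple):
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""       # TCP flags, "S" = SYN
    icmp_type: int = -1   # 8 = echo request, 0 = echo reply
    icmp_id: int = 0      # ICMP identifier, used to pair request and reply


def handler_connections(pkts):
    """(client, server) pairs opening a TCP connection to the handler port."""
    return sorted({(p.src, p.dst) for p in pkts
                   if p.proto == "tcp" and p.flags == "S" and p.dport == HANDLER_PORT})


def unsolicited_echo_replies(pkts, min_count=3):
    """Echo replies with no earlier echo request for the same (requester, responder,
    id). A stray reply or two is normal (late answers, paths the sensor does not see);
    a sustained stream from one host to another is a handler pushing commands to an
    agent over ICMP, which never sends requests the other way."""
    seen_requests = set()
    stray = Counter()
    for p in pkts:
        if p.proto != "icmp":
            continue
        if p.icmp_type == 8:
            seen_requests.add((p.src, p.dst, p.icmp_id))
        elif p.icmp_type == 0 and (p.dst, p.src, p.icmp_id) not in seen_requests:
            stray[(p.src, p.dst)] += 1
    return {pair: n for pair, n in stray.items() if n >= min_count}


def build_sample():
    """Constructed trace: a normal ping exchange, one late reply, a master (203.0.113.7)
    sending six command-bearing replies to an agent (198.51.100.20), and the attacker
    (203.0.113.50) connecting to the master's handler port."""
    pkts = [Pkt("icmp", "10.0.0.5", "192.0.2.1", icmp_type=8, icmp_id=1234),
            Pkt("icmp", "192.0.2.1", "10.0.0.5", icmp_type=0, icmp_id=1234),
            Pkt("icmp", "192.0.2.9", "10.0.0.6", icmp_type=0, icmp_id=77)]  # stray
    pkts += [Pkt("icmp", "203.0.113.7", "198.51.100.20", icmp_type=0, icmp_id=4242)
             for _ in range(6)]
    pkts.append(Pkt("tcp", "203.0.113.50", "203.0.113.7", 51000, HANDLER_PORT, "S"))
    pkts.append(Pkt("tcp", "10.0.0.5", "192.0.2.10", 51001, 23, "S"))  # ordinary telnet
    return pkts


if __name__ == "__main__":
    trace = build_sample()
    print("handler connections:", handler_connections(trace))
    print("unsolicited echo replies:", unsolicited_echo_replies(trace))
```

Pairing replies against requests by identifier keeps ordinary ping traffic quiet; the port check is only as good as the attacker's laziness, since the port is configurable in a recompiled client, so the ICMP heuristic is the more durable of the two.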
COSSACK: Coordinated Suppression of Simultaneous Attacks
Computer Networks Division, ISI
http://www.isi.edu/cossack
People
Co-PIs: Christos Papadopoulos, Bob Lindell (USC/ISI)
Affiliations: Ramesh Govindan (USC/ISI)
Staff: John Mehringer (ISI)
Students: Alefiya Hussain (USC)
DARPA synergies: D-WARD - Peter Reiher, Jelena Mirkovic (UCLA); SAMAN - John Heidemann (USC/ISI)
Cossack Overview
• Distributed set of watchdogs at the network perimeter
  - Local IDS
  - Group communication
  - Topology information (when available)
• Fully distributed approach
  - Peer-to-peer rather than master-slave
  - Attack-driven dynamic grouping of watchdogs
  - Attack correlation via coordination with other watchdogs
  - Independent, selective deployment of countermeasures
Cossack: A Simplified View
[Figure sequence: watchdogs (W) at the perimeter of several networks, a target, and attackers in other networks]
1. Attacks begin: attackers in several networks send traffic toward the target.
2. Watchdogs communicate using YOID.
3. Attacks detected.
4. Watchdogs install filters and eliminate the attack.
5. Detecting source-spoofed attacks (watchdogs coordinate over YOID).
Cossack Watchdog Architecture
[Figure: watchdog components connected through a distributed blackboard]
• YOID Multicast Interface (to the YOID multicast group of watchdogs)
• Distributed Blackboard
• Snort Interface
  - Rate Monitor
  - Pulsing Detector
• Other IDS (D-WARD)
• Event Monitor
• Router Control
  - Router Interface
  - Cisco Interface
  - Linux IPTables
Cossack Plugin Operation
[Figure: the same watchdog components; the Snort plugin feeds packet flow statistics to the watchdog]
1. The Snort plugin reports packet flow statistics: packet averages grouped by destination address.
2. When a destination stands out, the watchdog requests more stats.
3. The plugin returns packet averages grouped by source address.
Cossack Network Inspector
• Tool to determine detection thresholds for watchdogs
• Interfaces with the Cossack Snort plugin
• Collects aggregate-level network traffic statistics
• Traffic filters created using Snort rules
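The escalation the plugin slides describe (per-destination averages, a request for more stats, per-source averages, then a filter handed to router control) can be sketched in a few functions. The Python below is an added example written for this page and is not Cossack's code; the baseline-based threshold rule standing in for the Network Inspector, the 5% per-source share cutoff, the iptables rule shape and the sample traffic are all assumptions.

```python
"""Watchdog-style two-stage inspection: per-destination averages, drill-down by source
on demand, then a filter handed to the router interface.

Added example, not Cossack code; threshold rule, share cutoff and traffic are assumed.
"""
from collections import Counter
from typing import NamedTuple


class Pkt(NamedTuple):
    src: str
    dst: str


def pps_by_destination(pkts, window_s):
    """Stage 1 statistic: packets per second averaged over the window, per destination."""
    return {dst: n / window_s for dst, n in Counter(p.dst for p in pkts).items()}


def pps_by_source(pkts, dst, window_s):
    """Stage 2 statistic, requested only for a destination that exceeded its threshold."""
    return {src: n / window_s
            for src, n in Counter(p.src for p in pkts if p.dst == dst).items()}


def threshold_from_baseline(baseline_pkts, window_s, factor=5.0):
    """Assumed threshold rule standing in for the Network Inspector: a multiple of the
    busiest destination's average during an attack-free baseline window."""
    return factor * max(pps_by_destination(baseline_pkts, window_s).values())


def choose_filters(pkts, window_s, threshold_pps, min_share=0.05):
    """Return (src, dst) pairs to filter. Only destinations above threshold trigger the
    per-source request, and only sources carrying at least min_share of that
    destination's traffic get a rule, so low-rate legitimate clients survive."""
    rules = []
    for dst, pps in sorted(pps_by_destination(pkts, window_s).items()):
        if pps <= threshold_pps:
            continue
        for src, spps in sorted(pps_by_source(pkts, dst, window_s).items()):
            if spps / pps >= min_share:
                rules.append((src, dst))
    return rules


def iptables_rule(src, dst):
    """Linux iptables is one of the router interfaces named on the page (rule shape assumed)."""
    return f"iptables -A FORWARD -s {src} -d {dst} -j DROP"


def build_sample():
    """Constructed 10 s windows. Baseline: three servers with modest load. Attack: five
    hosts at 100 pps each hit 192.0.2.10 while its legitimate client keeps its 10 pps."""
    target, legit = "192.0.2.10", "10.0.0.5"
    baseline = ([Pkt(legit, target)] * 100 + [Pkt("10.0.0.6", "192.0.2.11")] * 50
                + [Pkt("10.0.0.7", "192.0.2.12")] * 80)
    attack = list(baseline)
    for i in range(1, 6):
        attack += [Pkt(f"203.0.113.{i}", target)] * 1000
    return baseline, attack


if __name__ == "__main__":
    baseline, attack = build_sample()
    thr = threshold_from_baseline(baseline, 10.0)          # 50 pps
    for src, dst in choose_filters(attack, 10.0, thr):
        print(iptables_rule(src, dst))
```

Per-source filtering only works when the sources are real: a flood with randomly spoofed source addresses spreads each address below any share cutoff, which is why the deck also places watchdogs on the attackers' side of the network rather than relying on the target's watchdog alone.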
Cossack Performance
• Response time: 5 – 30 seconds
• Insensitive to attack type
Attack Capture and Analysis
Goal: capture some attacks, analyze and learn from them
Packet-level capture facilities at several sites: Los Nettos, USC, CAIDA [Telcordia, Sprint]
Spectral analysis
Tracing Infrastructure
[Figure: Los Nettos trace machine (140 Mbps, 38 kpps) at the LA-MAE, between the upstream providers Verio, Cogent and Genuity and the Los Nettos customers, including JPL, Caltech, TRW, USC and Centergate]
Captured Attacks
Captured and classified about 120 attacks over several months

Attack Class    Count   PPS            Kbps
Single-source    37     133-1360       640-2260
Multi-source     10     16000-98000    13000-46000
Reflected        20     1300-3700      1700-3000
Unclassified     13     550-33500      1600-16000
Spectral Attack Analysis
[Figure: spectra and normalized cumulative spectrum (NCS) of a multi-source attack (145 sources) and of a single-source attack, with F(60%) marked on each]
• Multi-source attack (145 sources): power localized in the low frequencies of the NCS
• Single-source attack: strong higher frequencies and a linear NCS
Spectral Analysis
Goal: identify single- vs. multi-source attacks using F(60%), the frequency at which the NCS reaches 60% of the total power
• Single-source: F(60%) mean 268 Hz (240-295 Hz)
• Multi-source: F(60%) mean 172 Hz (142-210 Hz)
• Able to robustly categorize unclassified attacks
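F(60%) is read off the normalized cumulative spectrum of the packet-arrival time series. The Python below is an added example written for this page, not the analysis code behind the slides. It assumes 1 ms bins (a 1000 Hz sampling rate), removes the mean before the FFT (my assumption, so a steady flood's constant rate does not dominate the spectral shape), and uses a 225 Hz classification boundary that is an assumption drawn between the two ranges reported above; the pulse-train input in the example is a constructed check of the measurement, not an attack trace.

```python
"""Normalized cumulative spectrum (NCS) and F(60%) of a packet-arrival time series.

Added example, not the analysis code behind the slides. Assumptions: 1 ms bins
(fs = 1000 Hz), mean removed before the FFT, 225 Hz classification boundary.
"""
import cmath
import math

FS_HZ = 1000.0          # sampling rate implied by 1 ms bins (assumed)
BOUNDARY_HZ = 225.0     # assumed cut between the reported ranges 142-210 and 240-295 Hz


def bin_arrivals(arrival_times_s, n_bins=256, bin_ms=1.0):
    """Packets per bin; arrivals outside the window are ignored."""
    series = [0] * n_bins
    for t in arrival_times_s:
        i = int(round(t * 1000.0 / bin_ms))
        if 0 <= i < n_bins:
            series[i] += 1
    return series


def fft(x):
    """Radix-2 recursive FFT; len(x) must be a power of two."""
    n = len(x)
    if n & (n - 1):
        raise ValueError("length must be a power of two")
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        tw = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + tw, even[k] - tw
    return out


def power_spectrum(series):
    """One-sided power spectrum of the mean-removed series. Removing the mean drops
    the DC term, so a steady flood's constant rate does not swamp the spectral shape.
    Index k corresponds to frequency k * fs / n."""
    n = len(series)
    mean = sum(series) / n
    spec = fft([v - mean for v in series])
    power = [abs(c) ** 2 for c in spec[: n // 2 + 1]]
    for k in range(1, n // 2):          # fold negative frequencies onto positive ones
        power[k] *= 2
    return power


def normalized_cumulative_spectrum(series, fs_hz=FS_HZ):
    """List of (frequency_hz, fraction of total power at or below that frequency)."""
    power = power_spectrum(series)
    total = sum(power)
    if total == 0:
        raise ValueError("flat series has no spectral shape")
    n, acc, ncs = len(series), 0.0, []
    for k, p in enumerate(power):
        acc += p
        ncs.append((k * fs_hz / n, acc / total))
    return ncs


def f_percent(series, fraction=0.6, fs_hz=FS_HZ):
    """F(60%) by default: the lowest frequency at which the NCS reaches `fraction`."""
    ncs = normalized_cumulative_spectrum(series, fs_hz)
    for freq, cum in ncs:
        if cum >= fraction:
            return freq
    return ncs[-1][0]


def classify(f60_hz):
    """Single- vs multi-source call using the assumed boundary."""
    return "single-source" if f60_hz >= BOUNDARY_HZ else "multi-source"


if __name__ == "__main__":
    # Constructed check: one source emitting a packet every 4 ms puts its power at
    # 250 Hz and 500 Hz, so F(60%) lands on 250 Hz and classifies as single-source.
    single = bin_arrivals(i * 4 / 1000 for i in range(64))
    f60 = f_percent(single)
    print(f"F(60%) = {f60:.1f} Hz -> {classify(f60)}")
```

The bin width fixes the Nyquist frequency (500 Hz here), and the mean removal is what makes the measure about the shape of the arrival process rather than its volume; the reported 268 Hz and 172 Hz means came from real captures, which a synthetic pulse train does not reproduce.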
Conclusions
Cossack is a fully distributed approach against DDoS attacks
Software is operational and currently undergoing Red Team testing
We continue to capture attacks, analyze and learn from them
Spectral analysis work is very promising
http://www.isi.edu/cossack