PhD Interview – Ruhr-University Bochum
DDoS mitigation through a collaborative trust-based request prioritization
Master thesis defended at University of Rome "La Sapienza" on January 26, 2011
Davide Paltrinieri [email protected]
http://it.linkedin.com/in/davidepaltrinieri
June 22, 2012
1 Davide Paltrinieri
Layer 7 DDoS
Davide Paltrinieri
Ruhr University of Bochum
Davide Paltrinieri DDoS mitigation through a collaborative
trust-based request prioritization Page 2
DDoS Trends
Types of DDoS attacks H2 2011
Arbor Networks DDoS Summary
CoMiFin: case study
Framework for critical data exchange between financial institutions
Objectives:
• Business continuity
• Resilience to DDoS
• The challenge: drawing on the effort of "the community" to reach those objectives.
→ Proactive Defense
Existing solution approaches
• Detection
  • Anomaly: distribution/volume of the traffic; signatures
  • Statistical
  • Classification
  • Flash-crowd scenario
  • Solving a quiz (e.g. CAPTCHA)
• Countermeasure
  • Drop
  • Redirection
Victim model
Typical web server / server farm architecture
Attacker Model
• Request Flooding Attack: an increasing volume of requests sent to the target server.
• Asymmetric Workload Attack: sending random but well-chosen session requests to exhaust server resources.
• Repeated One-Shot Attack: sending single well-chosen requests to exhaust server resources.
Building Requests
• Frantic Crawler: a set of requests covering all links reachable from the given URL.
• Cloned Legitimate Recorded Session: a pre-recorded "legitimate" browsing session replayed by each bot.
• Randomized Legitimate Recorded Session: a pre-recorded "legitimate" browsing session replayed by each bot, poisoned with random actions.
Proposed solution
Request processing (flowchart)
Request arrives
→ Is there a session ID?
  NO  → Does the client have a fingerprint?
           NO  → Get data from the client to build its fingerprint
           Yes → Extract the trust level of the client from the DB
  Yes → Is the ID valid?
           NO  → Reduce the trust level of the client
           Yes → Extract the trust level associated with the client from the DB
→ Put the request in the appropriate queue
→ Forward the request to the server if there are sufficient resources
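An added example, not the thesis prototype's code, that walks the decision flow above and then performs the trust-based queueing step in Python; the trust values, session table, default trust and penalty are constructed assumptions.

```python
# Added example (not the thesis prototype): the request-processing flow
# and the trust-based queueing step, with constructed trust data.
import heapq
from dataclasses import dataclass
from typing import Optional

DEFAULT_TRUST = 0.5   # assumption: trust of a client seen for the first time
PENALTY = 0.2         # assumption: trust removed when an invalid session ID is presented

@dataclass(frozen=True)
class Request:
    client_fp: Optional[str]   # client fingerprint, None if not yet built
    session_id: Optional[str]
    path: str

class TrustGateway:
    def __init__(self, trust_db, sessions):
        self.trust_db = dict(trust_db)     # fingerprint -> trust level in [0, 1]
        self.sessions = dict(sessions)     # valid session ID -> fingerprint

    def classify(self, req: Request) -> float:
        """Walk the flowchart and return the trust level used to queue the request."""
        if req.session_id is None:
            if req.client_fp in self.trust_db:          # fingerprint known: read trust from DB
                return self.trust_db[req.client_fp]
            if req.client_fp is not None:               # build a record for a new client
                self.trust_db[req.client_fp] = DEFAULT_TRUST
            return DEFAULT_TRUST
        fp = self.sessions.get(req.session_id)
        if fp is None:                                  # session ID present but invalid
            if req.client_fp is None:
                return 0.0
            cur = self.trust_db.get(req.client_fp, DEFAULT_TRUST)
            self.trust_db[req.client_fp] = max(0.0, cur - PENALTY)   # reduce trust
            return self.trust_db[req.client_fp]
        return self.trust_db.get(fp, DEFAULT_TRUST)     # valid session: trust of its owner

    def schedule(self, requests, capacity):
        """Queue by trust (highest first) and forward while server slots remain."""
        heap = [(-self.classify(r), i, r) for i, r in enumerate(requests)]
        heapq.heapify(heap)
        forwarded, deferred = [], []
        while heap:
            _, _, r = heapq.heappop(heap)
            (forwarded if len(forwarded) < capacity else deferred).append(r.path)
        return forwarded, deferred

# Constructed sample: two known clients, one anonymous newcomer and one bogus session ID
GW = TrustGateway({"fp-alice": 0.9, "fp-bob": 0.4}, {"s-1001": "fp-alice"})
SAMPLE = [Request("fp-alice", "s-1001", "/account"), Request(None, None, "/index"),
          Request("fp-carol", "s-bogus", "/search"), Request("fp-bob", None, "/news")]
```

With two server slots, `GW.schedule(SAMPLE, 2)` forwards the trusted and the anonymous request and defers the low-trust and penalised ones.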
Requests Prioritization
Prototype
DETERlab
SP OFF
SP ON
Test results
Small Botnet:
Mid Botnet:
Large Botnet:
(1) Percentage of completed sessions (coming from legitimate clients)
ADL - Auditing
• Web analytics tools
  • Open Web Analytics (OWA)
• Mouse tracking
  • Simple Mouse Tracking (SMT2)
• Third-party database
  • WOMBAT API (WAPI)
ADL - Auditing: SMT2
ADL - Auditing: OWA
Conclusion
• First steps integrating:
  • Fine-grained request priority
  • Shared trust
  • Tools for auditing cloned sessions
• Results:
  • Emulation beats simulation, thanks to DETERlab.
  • Business continuity against large botnet (up to 150 physical PCs) attacks:
    • coming from known botnets;
    • coming from known and unknown botnets.
  • Low latency observed for legitimate clients
Next steps
• Automatically extract the attack sources of cloned sessions.
• Differentiate tests with a high workload from those with a lower one.
• Implement and test client fingerprint attribution.
• Test the prototype on a critical server to collect data on trusted clients.