DDoS mitigation through a collaborative trust-based request prioritization

PhD Interview – Ruhr-University Bochum

DDoS mitigation

through a collaborative

trust-based request prioritization

Master thesis defended at University of Rome ”La Sapienza” on January 26, 2011

D a v i d e P a l t r i n i e r i [email protected]

http://it.linkedin.com/in/davidepaltrinieri

June 22, 2012

1 Davide Paltrinieri

Layer 7 DDoS

Davide Paltrinieri

Ruhr University of Bochum

Davide Paltrinieri DDoS mitigation through a collaborative

trust-based request prioritization Page 2

Layer 7 DDoS

22/03/2012 3 Davide Paltrinieri DDoS mitigation through a collaborative


Davide Paltrinieri


Layer 7 DDoS



Davide Paltrinieri


Layer 7 DDoS

22/03/2012 5 Davide Paltrinieri

Davide Paltrinieri


DDoS mitigation through a collaborative trust-based request prioritization Page 5

DDoS Trends



Types of DDoS attacks H2 2011

Arbor Networks DDoS Summary

Davide Paltrinieri


CoMiFin: case study

Framework for critical data exchange between

financial institutions

Objective:

• Business continuity

• Resilience from DDoS

• The challenge:

taking effort from ”the community” for reaching

those objectives.

→ Proactive Defense



Davide Paltrinieri


Existing solutions approaches

• Detection

• Anomaly: - Distribution/Volume in the traffic

- Signatures

• Statistical

• Classification

• Flash-Crowds scenario

• Solving Quiz (ex. CAPTCHA)

• Countermeasure

• Drop

• Redirection

Davide Paltrinieri 8 22/03/2012 DDoS mitigation through a collaborative


Davide Paltrinieri



• Detection


- Signatures

• Statistical

• Classification



• Countermeasure

• Drop

• Redirection



Davide Paltrinieri



• Detection


- Signatures

• Statistical

• Classification



• Countermeasure

• Drop

• Redirection



Davide Paltrinieri



• Detection


- Signatures

• Statistical

• Classification



• Countermeasure

• Drop

• Redirection



Davide Paltrinieri



• Detection


- Signatures

• Statistical

• Classification



• Countermeasure

• Drop

• Redirection



Davide Paltrinieri


Victim model

Typical server

web/farm

architecture


Davide Paltrinieri


Attacker Model

• Request Flooding Attack: incremental requests

sent to the target server.

• Asymmetric Workload Attack: Sending random,

well-chosen sessions request to exhaust server

resources.

• Repeated One-Shot Attack: Sending single well-

chosen requests to exhaust server resources.

Davide Paltrinieri 14 DDoS mitigation through a collaborative


Davide Paltrinieri


Building Requests

• Frantic Crawler: set of requests to cover all links

coming from the given URL.

• Cloned Legitimate Recorded Session: pre-saved

”legitimate” browsing session performed by each

bot.

• Randomized Legitimate Recorded Session: pre-

saved ”legitimate” browsing session performed by

each bot poisoned with random actions.


Davide Paltrinieri


Proposed solution


Davide Paltrinieri


Request processing

Is There

session

ID?

Request

IS ID

valid?

Putting request in the

appropriate queue

Client has

Fingerprint

?

Preleva dal DB il trust

associato al client

Forward request to the server if

there are sufficient resources

NO

Yes

Reduce trust level of the client

Get data from client to build

his fingerprint

NO

NO

Extract from DB the trust level

of the client

Yes

Yes


Davide Paltrinieri


Request processing

Is there

session

ID?

Request

IS ID

valid?


appropriate queue

Client has

Fingerprint

?


associato al client



NO



his fingerprint

NO

NO


of the client

Yes

Yes

Yes


Davide Paltrinieri


Request processing

Is There

session

ID?

Request

IS ID

valid?


appropriate queue

Client has

Fingerprint

?


associato al client



NO



his fingerprint

NO

NO


of the client

Yes

Yes

Yes


Davide Paltrinieri


Request processing

Is There

session

ID?

Request

IS ID

valid?


appropriate queue

Client has

Fingerprint

?


associato al client



NO



his fingerprint

NO

NO


of the client

Yes

Yes

Yes


Davide Paltrinieri


Request processing

Is There

session

ID?

Request

IS ID

valid?


appropriate queue

Client has

Fingerprint

?


associato al client



NO



his fingerprint

NO

NO


of the client

Yes

Yes

Yes


Davide Paltrinieri


Request processing

Is There

session

ID?

Request

IS ID

valid?


appropriate queue

Client has

Fingerprint

?


associato al client



NO



his fingerprint

NO

NO


of the client

Yes

Yes

Yes


Davide Paltrinieri


Request processing

Is There

session

ID?

Request

IS ID

valid?


appropriate queue

Client has

Fingerprint

?


associato al client



NO



his fingerprint

NO

NO


of the client

Yes

Yes

Yes


Davide Paltrinieri


Request processing

Is There

session

ID?

Request

IS ID

valid?


appropriate queue

Client has

Fingerprint

?


associato al client



NO



his fingerprint

NO

NO


of the client

Yes

Yes

Yes


Davide Paltrinieri


Request processing

Is There

session

ID?

Request

IS ID

valid?


appropriate queue

Client has

Fingerprint

?


associato al client



NO



his fingerprint

NO

NO


of the client

Yes

Yes

Yes


Davide Paltrinieri


Request processing

Is There

session

ID?

Request

IS ID

valid?


appropriate queue

Client has

Fingerprint

?


associato al client



NO



his fingerprint

NO

NO


of the client

Yes

Yes

Yes


Davide Paltrinieri


Request processing

Is There

session

ID?

Request

IS ID

valid?


appropriate queue

Client has

Fingerprint

?


associato al client



NO



his fingerprint

NO

NO


of the client

Yes

Yes

Yes

Page 27

Davide Paltrinieri


Requests Prioritization


Davide Paltrinieri


Prototype


Davide Paltrinieri


DETERlab



Davide Paltrinieri


Davide Paltrinieri 31

SP OFF

22/03/2012


SP ON

Test results



Davide Paltrinieri


Small Botnet:

Mid Botnet:

Large Botnet:

(1) Percentage of completed sessions (coming from legitimate client)

• WebAnalytics tools

• Open Web Analytics (OWA)

• Mouse tracking:

• Simple Mouse Tracking (SMT2)

• Third-party database:

• WOMBAT API (WAPI)

ADL - Auditing


trust-based request prioritization Pagina 34

Davide Paltrinieri


• SMT2


ADL – Auditing

22/03/2012

ADL - Auditing

OWA

22/03/2012 36 Davide Paltrinieri

Conclusion

• First steps integrating:

• Fine-grain requests priority

• Shared trust

• Tools for auditing cloned sessions

• Results:

• Emulation beats simulation – thanks to DETERlab.

• Business continuity against large botnet

( up to 150 physical PC) attacks:

• Coming from known botnets.

• Coming from know and unknown botnets

• Low latency detected on legitimate clients



Davide Paltrinieri


Next steps

• Automatically extract cloned session’s attack sources.

• Differentiating tests with high workload from lower one.

• Implement and test client fingerprint attribution.

• Test the prototype on a critical server to collect data on

trusted client.

Davide Paltrinieri 38 DDoS mitigation through a collaborative


Davide Paltrinieri


Technology

DDoS mitigation through a collaborative trust-based request prioritization