DDoS mitigation through a collaborative trust-based request prioritization
Transcript of DDoS mitigation through a collaborative trust-based request prioritization
PhD Interview – Ruhr-University Bochum
DDoS mitigation through a collaborative trust-based request prioritization
Master thesis defended at University of Rome "La Sapienza" on January 26, 2011
Davide Paltrinieri [email protected]
http://it.linkedin.com/in/davidepaltrinieri
June 22, 2012
1 Davide Paltrinieri
Layer 7 DDoS
Davide Paltrinieri
Ruhr University of Bochum
22/03/2012
(Slides 2–5: figures only)
DDoS Trends
Types of DDoS attacks, H2 2011: Arbor Networks DDoS Summary (figure)
CoMiFin: case study
Framework for critical data exchange between financial institutions
Objective:
• Business continuity
• Resilience from DDoS
• The challenge: drawing effort from "the community" to reach those objectives.
→ Proactive Defense
Existing solutions approaches (slides 8–12)
• Detection
  • Anomaly:
    - Distribution/Volume in the traffic
    - Signatures
  • Statistical
  • Classification
  • Flash-Crowds scenario
  • Solving Quiz (e.g. CAPTCHA)
• Countermeasure
  • Drop
  • Redirection
Victim model
Typical server web/farm architecture (figure)
Attacker Model
• Request Flooding Attack: incremental requests sent to the target server.
• Asymmetric Workload Attack: sending random, well-chosen session requests to exhaust server resources.
• Repeated One-Shot Attack: sending single, well-chosen requests to exhaust server resources.
Building Requests
• Frantic Crawler: set of requests covering all links reachable from the given URL.
• Cloned Legitimate Recorded Session: pre-saved "legitimate" browsing session performed by each bot.
• Randomized Legitimate Recorded Session: pre-saved "legitimate" browsing session performed by each bot, poisoned with random actions.
Proposed solution (figure)
Request processing (flowchart, slides 17–27, built up one node per slide; reconstructed here as a decision list)
Request
→ Is there a session ID?
  • NO → Client has fingerprint?
    • NO → Get data from the client to build its fingerprint
    • Yes → Extract from the DB the trust level of the client
  • Yes → Is the ID valid?
    • NO → Reduce the trust level of the client
    • Yes → Fetch from the DB the trust associated with the client
→ Put the request in the appropriate queue
→ Forward the request to the server if there are sufficient resources
Requests Prioritization (figure)
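The request-processing flowchart (slides 17–27) and the request prioritization it feeds (slide 28), as an added Python example that is not part of the thesis or its prototype: each request is classified by session ID, session validity and fingerprint, receives the trust level stored for its client, and is forwarded highest-trust-first only while the server has free capacity. The trust store, the session table, the default trust of 0.5 for an unseen client and the penalty of 0.1 for presenting an invalid session ID are constructed assumptions, and a single heap ordered by trust stands in for the slide's "appropriate queue".

```python
import heapq
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the thesis): fingerprint -> trust, session id -> owner.
TRUST_DB: Dict[str, float] = {"fp:browser-A": 0.9, "fp:browser-B": 0.2}
VALID_SESSIONS: Dict[str, str] = {"s-111": "fp:browser-A"}

@dataclass
class Request:
    path: str
    session_id: Optional[str] = None
    fingerprint: Optional[str] = None

class TrustScheduler:
    """Walks the slide's flowchart for each request and keeps one trust-ordered queue."""
    def __init__(self, trust_db, sessions, default_trust=0.5, penalty=0.1):
        self.trust = dict(trust_db)
        self.sessions = dict(sessions)
        self.default_trust = default_trust  # assumed trust of a never-seen client
        self.penalty = penalty              # assumed cost of presenting an invalid session id
        self._heap: List[Tuple[float, int, Request]] = []
        self._seq = 0                       # FIFO tie-break among equal trust

    def classify(self, req: Request) -> Tuple[Optional[str], float]:
        """Session id present? -> is it valid?  Otherwise: does the client have a fingerprint?"""
        if req.session_id is not None:
            owner = self.sessions.get(req.session_id)
            if owner is None:  # invalid session id: reduce the presenting client's trust level
                key = req.fingerprint or "unknown:" + req.session_id
                self.trust[key] = max(0.0, self.trust.get(key, self.default_trust) - self.penalty)
                return key, self.trust[key]
            return owner, self.trust.get(owner, self.default_trust)  # trust fetched from the DB
        if req.fingerprint is not None:
            return req.fingerprint, self.trust.get(req.fingerprint, self.default_trust)
        # No session id, no fingerprint: client must be fingerprinted first, so lowest trust.
        return None, 0.0

    def enqueue(self, req: Request) -> float:
        """Put the request in the queue position its trust level earns it."""
        _, trust = self.classify(req)
        heapq.heappush(self._heap, (-trust, self._seq, req))
        self._seq += 1
        return trust

    def forward(self, free_slots: int) -> List[Request]:
        """Forward only as many requests as the server has resources for, highest trust first."""
        out = []
        while self._heap and len(out) < free_slots:
            out.append(heapq.heappop(self._heap)[2])
        return out

def demo() -> List[str]:
    """Five constructed requests, then two server rounds with room for 2 and 3 of them."""
    s = TrustScheduler(TRUST_DB, VALID_SESSIONS)
    s.enqueue(Request("/b-known", fingerprint="fp:browser-B"))                           # 0.2
    s.enqueue(Request("/a-session", session_id="s-111"))                                 # 0.9
    s.enqueue(Request("/b-badsession", session_id="s-999", fingerprint="fp:browser-B"))  # 0.1
    s.enqueue(Request("/anon"))                                                          # 0.0
    s.enqueue(Request("/c-new", fingerprint="fp:browser-C"))                             # 0.5
    return [r.path for r in s.forward(2)] + [r.path for r in s.forward(3)]
```

Under flood, the low-trust tail of the heap simply waits, which is the slide's "forward if there are sufficient resources"; a production scheduler would also age trust and bound the queue.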
Prototype (figure)
DETERlab (figure)
SP OFF (figure)
SP ON (figure)
Test results
Small Botnet: (figure)
Mid Botnet: (figure)
Large Botnet: (figure)
(1) Percentage of completed sessions (coming from legitimate clients)
ADL - Auditing
• WebAnalytics tools:
  • Open Web Analytics (OWA)
• Mouse tracking:
  • Simple Mouse Tracking (SMT2)
• Third-party database:
  • WOMBAT API (WAPI)
ADL - Auditing: SMT2 (figure)
ADL - Auditing: OWA (figure)
Conclusion
• First steps integrating:
  • Fine-grain request priority
  • Shared trust
  • Tools for auditing cloned sessions
• Results:
  • Emulation beats simulation – thanks to DETERlab.
  • Business continuity against large botnet (up to 150 physical PCs) attacks:
    • Coming from known botnets.
    • Coming from known and unknown botnets.
  • Low latency observed for legitimate clients
Next steps
• Automatically extract the attack sources of cloned sessions.
• Differentiate tests with a high workload from those with a lower one.
• Implement and test client fingerprint attribution.
• Test the prototype on a critical server to collect data on trusted clients.