Link Flooding DDoS Attack
Group 6
Link Flooding Attack
[Figure labels: Bot, Decoy Server, Target Area, Target Link]
Contents
• Crossfire Attack
• CXPST Attack
• Coremelt Attack
Crossfire Attack
The Crossfire Attack
M. Kang et al.
IEEE S&P 2013
Crossfire Attack-Definition
• Flood a small set of selected network links using low-rate flows from bots to publicly accessible servers and degrade connectivity of, and even disconnect, chosen end-point servers.
Crossfire Attack-Elements
• Target Area
  – A geographic region of the Internet against which the attack is launched
• Target Link
  – Network links to be flooded so that the target area is cut off from the rest of the Internet
• Decoy servers
  – Share the same links with target servers
Crossfire Attack-Elements
[Figure labels: Decoy Servers (Traffic destination), Target Servers, Target Link]
The attacker's purpose is to flood the shared link by sending flows to the decoy servers.
Crossfire Attack-Steps
• Link Map Construction
  – Traceroute from Bots to Servers
    • Use “Traceroute”
  – Check Link-Persistence
    • Exclude the unstable links
    • 72% of the links are stable
Crossfire Attack-Steps
• Attack Setup
  – Flow-Density Computation
    • Flow-Density
    • The higher, the better
  – Target-Link Selection
    • Degradation ratio
    • Select the target links that maximize the degradation ratio
  – Heuristic algorithm (Greedy algorithm)
Crossfire Attack-Steps
• Bot Coordination
  – Goal
    • Keep flow rate appropriate to evade the protection mechanisms
  – Attack-Flow Assignment
    • Aggregate traffic rate slightly higher than bandwidth of target
    • Bots attack the target evenly
Key Factors Enable Crossfire
• Power Law of Flow-density Distribution
  – Flow Density
    • # of persistent source-to-destination pairs
    • Good targets for attack for a particular area
  – Distribution
    • Easy to find target links with extremely high flow density for a selected target area
    • Flow Density is not constant but varies depending on area
Key Factors Enable Crossfire
[Figure panels: East Coast, New York]
Fit to diagonal lines, probability much higher than significance level (i.e., 0.68 to 0.96, versus 0.05 as normal)
Crossfire Attack-Flow Density Distribution
• Target-area dependency
  – A target link that has overall high flow density may have a very low density in some area
  – These links are of little use in an attack targeted at such an area
Crossfire Attack-Bot Distribution
• Links are dependent on area but Bots are NOT
  – Separate bots into subsets based on location
  – Select different subsets to form different distributions
  – Perform Crossfire attack to different locations
  – Analyze the relation between distribution and performance
Bot Distribution Experiment
[Figure labels: Distribution, Performance, overlap]
Crossfire Attack-Bot Distribution
• Line selection matters
• Geographical position selection doesn’t matter, as long as the packets can get to the line
Conclusion : Crossfire
• Undetectability at the Target Area
  – Use legitimate flows, not directly attacked
• Indistinguishability of Flows in Routers
  – Low rate, different source and destination
• Persistence
  – Rolling attack
• Flexibility
  – Large number of links and decoy servers
CXPST Attack
Losing control of the internet: using the data plane to attack the control plane
M. Schuchard et al.
ACM 2010
CXPST Attack-Definitions
• CXPST
  – Coordinated Cross Plane Session Termination
• Control Plane
  – route around connectivity outages
  – robustness to localized failure
CXPST Attack-Theory
• Weakness Exploited
  – Control plane and data plane share the same physical media
  – No priority defined
  – Local events lead to global impact
• Main Theory
  – Data plane congestion triggers failure of links
  – Route withdrawal, re-calculate, broadcast
  – Route flapping
  – Overwhelm routers’ calculation capacity
CXPST Attack-Strategy
• Select Target Link
  – BGP betweenness: number of routes passing through the link
  – Select links with highest betweenness
• Counter Changing Topology
  – Avoid using routes passing two target links simultaneously
  – Send more traffic than needed on each branch
CXPST Attack-Strategy
• Design Traffic Flow
  – Build two flow networks
  – Use max flow algorithm to select bots and destinations
• Thwart Defense
  – Against route damping
  – Keep an eye on disrupted paths
  – Remove links that do not re-appear
CXPST Attack-Impact
• Overwhelm Routers on Target Links
  – Handle heavy traffic
• Impose Workload on Routers Globally
  – Compute new routes
  – Send/receive broadcast
  – Crippling the control plane
• Cause loss of Data
  – Traffic on routes will continue until its failure is announced globally
CXPST Attack-Defense
• Deployed Measures
  – BGP Graceful Restart: does not work
  – Route Flap Damping: no significant impact
• Stopping Session Failure
  – Focus: stop it before updates are generated
  – Disable hold timer functionality in routers
  – 10% implementation produces dramatic change
Coremelt Attack
The Coremelt Attack
A. Studer, A. Perrig
ESORICS 2009
Coremelt Attack-Strategy
• Select Target Link
• Identify Bots
  – Pairs of subverted machines that can generate traffic that traverses the target link
• Send traffic
  – between the pairs identified in step 2 to overload the target link
Coremelt Attack-Advantage
• Wanted Traffic
  – Defense against DoS attack may eliminate ‘unwanted’ traffic
  – Both ends of the traffic are owned by the attacker
  – The attacker knows the ‘wanted’ traffic of every receiver
  – All traffic in the attack will be ‘legitimate’
Coremelt Attack-Defense
• Defense Mode
  – Trace Back System
    • Administrators can turn off the port to stop the attack traffic.
    • Can’t separate legitimate and attack traffic
  – Capacity Based System
    • Give legitimate traffic priority
    • Bots will give permissions to each other
Coremelt Attack-Defense
• Puzzles
  – Increase the cost to the attacker. If the puzzle is large enough, the attacker will be unable to launch a successful attack.
  – Computational capacity becomes the bottleneck
Coremelt Attack-Defense
• Fair Bandwidth Allocation Based on Source/Destination Pair
– Isolate legitimate traffic from attack traffic such that an attack flow can only use as much bandwidth as the non-attack flow.
– Distributed botnet means a fair share (O(N^-2)) is much less than users typically experience
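The fair-sharing defense above, worked through as an added example (not code from the slides or from the Coremelt paper): max-min fair allocation of one link per source/destination pair, applied to a constructed scenario in which every ordered pair of N bots sends a flow across the link. The link capacity, demands and host names are assumptions chosen for illustration.

```python
"""Max-min fair sharing of one link among source/destination pairs."""


def max_min_fair(capacity, demands):
    """Water-filling on a single link: return {(src, dst): rate}.

    demands maps a (src, dst) pair to the rate it asks for. Pairs asking for
    less than the current equal share are served in full; the capacity left
    over is split evenly among the pairs that want more.
    """
    alloc = {}
    remaining = float(capacity)
    pending = sorted(demands.items(), key=lambda kv: kv[1])
    for i, (pair, want) in enumerate(pending):
        share = remaining / (len(pending) - i)
        if want > share:
            # Everyone still pending wants at least this much: cap them all.
            for p, _ in pending[i:]:
                alloc[p] = share
            break
        alloc[pair] = float(want)
        remaining -= want
    return alloc


def legit_share_under_coremelt(capacity, n_bots, legit_demand, bot_demand):
    """Rate one legitimate pair receives on the link.

    Constructed scenario (assumption): all n_bots * (n_bots - 1) ordered bot
    pairs route across the same link as one legitimate ("user", "server") pair.
    """
    demands = {("user", "server"): legit_demand}
    for i in range(n_bots):
        for j in range(n_bots):
            if i != j:
                demands[(f"bot{i}", f"bot{j}")] = bot_demand
    return max_min_fair(capacity, demands)[("user", "server")]


if __name__ == "__main__":
    # Constructed numbers: 10 Gbps link, user wants 50 Mbps, each bot pair 1 Mbps.
    for n in (10, 100, 200, 400):
        print(n, round(legit_share_under_coremelt(10_000, n, 50, 1), 4))
```

No attack flow ever receives more than the legitimate pair, yet once the N(N-1) bot pairs oversubscribe the link the legitimate pair's rate falls to capacity divided by the number of pairs, which is the O(N^-2) share the slide refers to.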
Reference
• M.S. Kang, S.B. Lee, and V.D. Gligor, “The Crossfire Attack,” in Proc. IEEE Symposium on Security and Privacy, 2013, pp. 127–141
• M. Schuchard, A. Mohaisen, D. Foo Kune, N. Hopper, Y. Kim, and E. Y. Vasserman, “Losing control of the internet: using the data plane to attack the control plane,” in Proceedings of NDSS 2011. ACM, 2010, pp. 726–728
• Y. Zhang, Z. M. Mao, and J. Wang, “Low-rate TCP-targeted DoS attack disrupts internet routing,” in Proc. 14th Annual Network & Distributed System Security Symposium, 2007
• A. Studer and A. Perrig, “The Coremelt attack,” in Proceedings of ESORICS’09. Berlin, Heidelberg: Springer-Verlag, 2009, pp. 37–52
Thank You!
Group Member
– Yisi Lu
– Hua Li
– Hao Wu
– Yuantong Lu
– Yuchen Liu