Link Flooding DDoS Attack Group 6. Link Flooding Attack BotDecoy Server Target Area Target Link.


Link Flooding DDoS Attack

Group 6


Link Flooding Attack

[Figure: diagram labelled Bot, Decoy Server, Target Area, Target Link]


Contents

• Crossfire Attack

• CXPST Attack

• Coremelt Attack


Crossfire Attack

"The Crossfire Attack", M. Kang et al., IEEE S&P 2013


Crossfire Attack-Definition

• Flood a small set of selected network links using low-rate flows from bots to publicly accessible servers and degrade connectivity of, and even disconnect, chosen end-point servers.


Crossfire Attack-Elements

• Target Area
  – A geographic region of the Internet against which the attack is launched
• Target Link
  – Network links to be flooded so that the target area is cut off from the rest of the Internet
• Decoy servers
  – Share the same links with target servers


Crossfire Attack-Elements

[Figure: Decoy Servers (traffic destination), Target Servers, Target Link]

The attacker's goal is to flood the shared link by sending flows to the decoy servers.


Crossfire Attack-Steps

• Link Map Construction
  – Traceroute from Bots to Servers
    • Use “Traceroute”
  – Check Link-Persistence
    • Exclude the unstable links
    • 72% of the links are stable


Crossfire Attack-Steps

• Attack Setup
  – Flow-Density Computation
    • Flow-Density
    • The higher, the better
  – Target-Link Selection
    • Degradation ratio
    • Select the target links that maximize the degradation ratio
  – Heuristic algorithm (Greedy algorithm)


Crossfire Attack-Steps

• Bot Coordination
  – Goal
    • Keep flow rate appropriate to evade the protection mechanisms
  – Attack-Flow Assignment
    • Aggregate traffic rate slightly higher than bandwidth of target
    • Bots attack the target evenly


Key Factors Enable Crossfire

• Power Law of Flow-density Distribution
  – Flow Density
    • # of persistent source-to-destination pairs
    • Good targets for attack for a particular area
  – Distribution
    • Easy to find target links with extremely high flow density for a selected target area
    • Flow Density is not constant but varies depending on area


Key Factors Enable Crossfire


[Figure panels: East Coast, New York]

Fit to diagonal lines; probability much higher than the significance level (i.e., 0.68 to 0.96, compared with the usual 0.05)


Crossfire Attack-Flow Density Distribution

• Target-area dependency
  – A target link that has overall high flow density may have a very low density in some areas
  – These links are nearly useless in an attack targeted at such an area


Crossfire Attack-Bot Distribution

• Links are dependent on area but Bots are NOT
  – Separate bots into subsets based on location
  – Select different subsets to form different distributions
  – Perform the Crossfire attack against different locations
  – Analyze the relation between distribution and performance


Bot Distribution Experiment

[Figure: Distribution and Performance panels; annotation: overlap]


Crossfire Attack-Bot Distribution

• Line selection matters

• Geographical position selection doesn’t matter, as long as the packets can get to the line


Conclusion : Crossfire

• Undetectability at the Target Area
  – Use legitimate flows, not directly attacked
• Indistinguishability of Flows in Routers
  – Low rate, different source and destination
• Persistence
  – Rolling attack
• Flexibility
  – Large number of links and decoy servers


CXPST Attack

"Losing control of the internet: using the data plane to attack the control plane", M. Schuchard et al., ACM 2010


CXPST Attack-Definitions

• CXPST
  – Coordinated Cross Plane Session Termination
• Control Plane
  – Route around connectivity outages
  – Robustness to localized failure


CXPST Attack-Theory

• Weakness Exploited
  – Control plane and data plane share the same physical media
  – No priority defined
  – Local events lead to global impact
• Main Theory
  – Data plane congestion triggers failure of links
  – Route withdrawal, re-calculation, broadcast
  – Route flapping
  – Overwhelms routers’ calculation capacity


CXPST Attack-Strategy

• Select Target Link
  – BGP betweenness: number of routes that pass through the link
  – Select links with highest betweenness
• Counter Changing Topology
  – Avoid using routes passing two target links simultaneously
  – Send more traffic than needed on each branch


CXPST Attack-Strategy

• Design Traffic Flow
  – Build two flow networks
  – Use max flow algorithm to select bots and destinations
• Thwart Defense
  – Against route damping
  – Keep an eye on disrupted paths
  – Remove links that do not re-appear


CXPST Attack-Impact

• Overwhelm Routers on Target Links
  – Handle heavy traffic
• Impose Workload on Routers Globally
  – Compute new routes
  – Send/receive broadcast
  – Crippling the control plane
• Cause loss of Data
  – Traffic on routes will continue until its failure is announced globally


CXPST Attack-Defense

• Deployed Measures
  – BGP Graceful Restart: does not work
  – Route Flap Damping: no significant impact
• Stopping Session Failure
  – Focus: stop it before updates are generated
  – Disable hold timer functionality in routers
  – 10% implementation produces dramatic change


Coremelt Attack

"The Coremelt Attack", A. Studer, A. Perrig, ESORICS 2009


Coremelt Attack-Strategy

• Select Target Link
• Identify Bots
  – Pairs of subverted machines that can generate traffic that traverses the target link
• Send traffic
  – Between the pairs identified in step 2 to overload the target link


Coremelt Attack-Advantage

• Wanted Traffic
  – Defense against DoS attack may eliminate ‘unwanted’ traffic
  – Both ends of the traffic are owned by the attacker
  – The attacker knows the ‘wanted’ traffic of every receiver
  – All traffic in the attack will be ‘legitimate’


Coremelt Attack-Defense

• Defense Mode
  – Trace Back System
    • Administrators can turn off the port to stop the attack traffic.
    • Can’t separate legitimate and attack traffic
  – Capacity Based System
    • Give legitimate traffic priority
    • Bots will give permissions to each other


Coremelt Attack-Defense

• Puzzles
  – Increase the cost to the attacker. If the puzzle is large enough, the attacker will be unable to launch a successful attack.
  – Computational capacity becomes the bottleneck


Coremelt Attack-Defense

• Fair Bandwidth Allocation Based on Source/Destination Pair

– Isolate legitimate traffic from attack traffic such that an attack flow can only use as much bandwidth as the non-attack flow.

– Distributed botnet means a fair share (O(N^-2)) is much less than users typically experience
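The shrinking fair share described above, worked through as an added example (not from the slides or the Coremelt paper): max-min fair sharing of one link among source/destination pairs, where N bots form N(N-1) ordered pairs. The link capacity, the per-flow demands and the assumption that every bot pair crosses the link are constructed for illustration.

```python
# Added example: per source/destination-pair fair sharing of one link.
# All capacities and demands (Mbps) are constructed for illustration.

def max_min_fair(capacity, demands):
    """Water-filling max-min fair allocation: {flow: demand} -> {flow: rate}."""
    alloc, pending, remaining = {}, dict(demands), float(capacity)
    while pending:
        share = remaining / len(pending)
        # Flows asking for no more than the equal share are fully served.
        satisfied = [f for f, d in pending.items() if d <= share]
        if not satisfied:
            # Every remaining flow is bottlenecked: split the rest equally.
            alloc.update({f: share for f in pending})
            break
        for f in satisfied:
            alloc[f] = pending.pop(f)
            remaining -= alloc[f]
    return alloc


def legit_share(capacity, n_bots, legit_demand, bot_demand):
    """Rate of one legitimate pair when N bots form all N*(N-1) ordered pairs.

    Assumption (worst case): every bot-to-bot pair crosses this link.
    """
    demands = {("user", "server"): legit_demand}
    for s in range(n_bots):
        for d in range(n_bots):
            if s != d:
                demands[(f"bot{s}", f"bot{d}")] = bot_demand
    return max_min_fair(capacity, demands)[("user", "server")]


if __name__ == "__main__":
    # 10 Gbps link, user wants 50 Mbps, each bot pair sends a low-rate 5 Mbps.
    for n in (10, 50, 100, 300):
        rate = legit_share(10_000, n, 50, 5)
        print(f"{n:4d} bots, {n * (n - 1):6d} bot pairs -> user gets {rate:.3f} Mbps")
```

Tripling the bot count from 100 to 300 cuts the user's share roughly ninefold, which is the quadratic decay the bullet refers to.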


Reference

• M.S. Kang, S.B. Lee, and V.D. Gligor, “The Crossfire Attack,” in Proc. IEEE Symposium on Security and Privacy, 2013, pp. 127–141

• M. Schuchard, A. Mohaisen, D. Foo Kune, N. Hopper, Y. Kim, and E. Y. Vasserman, “Losing control of the internet: using the data plane to attack the control plane,” in Proceedings of NDSS 2011. ACM, 2010, pp. 726–728

• Y. Zhang, Z. M. Mao, and J. Wang, “Low-rate TCP-targeted DoS attack disrupts internet routing,” in Proc. 14th Annual Network & Distributed System Security Symposium, 2007

• A. Studer and A. Perrig, “The Coremelt attack,” in Proceedings of ESORICS’09. Berlin, Heidelberg: Springer-Verlag, 2009, pp. 37–52


Thank You!

Group Member
– Yisi Lu
– Hua Li
– Hao Wu
– Yuantong Lu
– Yuchen Liu