Pi: A Path Identification Mechanism to Defend Against DDoS Attacks
Transcript of Pi: A Path Identification Mechanism to Defend Against DDoS Attacks
Pi: A Path Identification Mechanism to Defend Against DDoS Attacks
Abraham Yaar, Adrian Perrig, Dawn Song
Carnegie Mellon University
{ayaar, perrig, dawnsong}@cmu.edu
Presented and Edited by Yongdae Kim
Outline
• DDoS Attack/Defense Review
• Goals/Main Idea
• Pi Marking
• Pi Filtering
• Experimental Results
• Discussion
• Conclusion
DDoS Review
• Attackers compromise network hosts, flood victim with packets
  – Overload packet processing capacity
  – Saturate network bandwidth
• Spoofed source IP addresses evade network filters
RFC 3514
• Security flag in IP header
  – By Steven Bellovin
  – Attackers must set evil bit in malicious packets
  – Receivers can filter out evil packets
• Challenge: deployment
• April Fools’ joke
• Pi achieves similar property!
IP Traceback Defense
• Victim reconstructs attack tree from address fragments
• Disadvantages:
  – Slow reconstruction
  – Multi-path reconstruction
  – Assumes upstream ISP collaboration
Other Strategies
• Source Path Isolation Engine (SPIE)
  – Routers store packet hashes, recursive query to reconstruct path
  – Disadvantage: per-packet state at routers
• Pushback Framework
  – Routers identify attack packet characteristics, install upstream filter
  – Disadvantage: difficult to distinguish attack/user packets
Goals – Ideal DDoS Defense
• Fast
  – Defense after single attack packet
• Victim filters traffic
  – No dependency on upstream ISPs
• Overhead
  – Minimal computation/state at routers and victims
• Interoperability
  – Supports IP fragmentation
• Incrementally deployable
  – Additional deployment increases performance
![Page 9: Pi: A Path Identification Mechanism to Defend Against DDoS Attacks](https://reader036.fdocuments.in/reader036/viewer/2022070404/56813bd7550346895da4ff36/html5/thumbnails/9.jpg)
Main Idea
• Path “fingerprints”
  – Entire fingerprint in each packet
  – Incrementally constructed by routers along path
• Victim rejects packets with attacker fingerprints (Pi-marks)
Pi Marking Scheme
• Marking scheme
  – Each router marks n bits into IP Identification field
• Marking function
  – Last n bits of hash (e.g. MD5) of router IP address
• Marking aggregation
  – Router pushes marking into IP Identification field
Pi Marking
• Queue-based marking
  – Routers “push” marking into IP Identification field
  – Note: victim’s local routers (in general, 3 or 4 hops) do not mark
Legacy Routers
• Legacy routers do not mark
• Extensions
  – Detect upstream legacy router
  – Mark for previous legacy router
  – Write-ahead improvement
Path Marking vs. Edge Marking
• Collision in path marking
  – path(AC) = $m_a m_c$, path(BC) = $m_b m_c$
  – With probability $1/2^n$, $m_a = m_b$
• Edge marking
  – path(AC) = $m_a' m_{c1}$, path(BC) = $m_b' m_{c2}$
  – where $m_{c1} = h(IP_C \,\|\, IP_A)$, $m_{c2} = h(IP_C \,\|\, IP_B)$
  – Still, the probability of a collision at a single router is $1/2^n$
  – But the probability of identical marks for two paths joining at the same node becomes $1/2^{2n}$
Pi Marking – IP Fragmentation
• Problem
  – Using deterministic values in IP Identification field breaks fragmentation
• Solution (suggested by Vern Paxson)
  – Don’t mark packets that may ever get fragmented, or are fragments themselves; only mark packets that cannot be fragmented: packets with the DF (Don’t Fragment) bit set, and packets smaller than the smallest MTU
  – During a DDoS attack, drop packets that do not have the DF bit set (they carry no Pi mark and cannot be filtered)
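The marking slides above (marking function, queue-based aggregation, legacy and non-marking perimeter routers, path vs. edge marking, and the fragmentation rule) as a runnable simulation. This is an added example written for this transcript, not the authors' implementation. Assumptions not stated on the slides: the hash is MD5 over the packed IPv4 address (or over router || previous-hop for edge marking); the first marking router on a path, having no upstream router, hashes only its own address; `min_mtu` is a parameter chosen here, not a value from the paper; the collision estimate is a Monte Carlo over random addresses.

```python
import hashlib
import ipaddress
import random
from typing import Optional, Sequence

N_BITS = 2                          # n: bits each router contributes (the experiments use n = 2)
ID_FIELD_BITS = 16                  # width of the IPv4 Identification field
ID_MASK = (1 << ID_FIELD_BITS) - 1


def router_mark(router_ip: str, prev_hop_ip: Optional[str] = None, n: int = N_BITS) -> int:
    """Marking function: the last n bits of MD5(router IP) for path marking, or of
    MD5(IP_router || IP_prev) for edge marking (the slide's h(IP_C || IP_A))."""
    data = ipaddress.IPv4Address(router_ip).packed
    if prev_hop_ip is not None:
        data += ipaddress.IPv4Address(prev_hop_ip).packed
    return int.from_bytes(hashlib.md5(data).digest(), "big") & ((1 << n) - 1)


def push_mark(ident: int, mark: int, n: int = N_BITS) -> int:
    """Queue-based aggregation: shift the field left by n bits and insert the new
    mark at the bottom. On paths with more than 16/n marking routers the oldest
    (farthest-from-victim) marks fall off the top."""
    return ((ident << n) | mark) & ID_MASK


def pi_mark_path(path: Sequence[str], edge: bool = False, legacy=frozenset(),
                 skip_last: int = 0, n: int = N_BITS, initial_ident: int = 0) -> int:
    """Carry one packet's Identification field along `path` (router IPs in
    forwarding order). Legacy routers forward the field untouched; the last
    `skip_last` routers (the victim ISP's perimeter) do not mark. On a short
    path, bits of `initial_ident` chosen by the sender survive in the final
    mark: the "attacker-initialized bits" problem from the future-work slide."""
    routers = list(path)
    marking = routers[: max(len(routers) - skip_last, 0)]
    ident = initial_ident & ID_MASK
    prev = None                      # previous hop as seen by the next router
    for router in marking:
        if router not in legacy:
            ident = push_mark(ident, router_mark(router, prev if edge else None, n), n)
        prev = router
    return ident


def collision_rate(edge: bool = False, trials: int = 20000, n: int = N_BITS, seed: int = 1) -> float:
    """Monte Carlo over random addresses: two 2-hop paths A->C and B->C that join
    at router C. Path marking collides when m_a == m_b (about 1/2^n); edge
    marking also needs h(C||A) == h(C||B) (about 1/2^(2n))."""
    rng = random.Random(seed)

    def rand_ip() -> str:
        return str(ipaddress.IPv4Address(rng.getrandbits(32)))

    same = 0
    for _ in range(trials):
        a, b, c = rand_ip(), rand_ip(), rand_ip()
        if pi_mark_path([a, c], edge=edge, n=n) == pi_mark_path([b, c], edge=edge, n=n):
            same += 1
    return same / trials


def should_mark(df: bool, more_fragments: bool, frag_offset: int,
                length: int, min_mtu: int = 576) -> bool:
    """Fragmentation-safe rule: never mark a fragment (MF set or non-zero
    offset, since reassembly needs the Identification field), and otherwise
    mark only packets that can never be fragmented: DF set, or no larger than
    the smallest MTU. min_mtu = 576 is an assumed parameter, not from the slides."""
    if more_fragments or frag_offset:
        return False
    return df or length <= min_mtu


if __name__ == "__main__":
    # Constructed 6-router path; the last two routers form the non-marking perimeter.
    path = ["198.51.100.1", "198.51.100.2", "203.0.113.1", "203.0.113.2", "192.0.2.1", "192.0.2.2"]
    print("path marking :", format(pi_mark_path(path, skip_last=2), "016b"))
    print("edge marking :", format(pi_mark_path(path, edge=True, skip_last=2), "016b"))
    print("with legacy  :", format(pi_mark_path(path, legacy={"203.0.113.1"}, skip_last=2), "016b"))
    print("collision rate, path marking:", collision_rate())
    print("collision rate, edge marking:", collision_rate(edge=True))
```

With n = 2 the two estimates come out near 0.25 and 0.0625, which is the $1/2^n$ versus $1/2^{2n}$ contrast the slide draws; the legacy-router run shows the field simply missing one 2-bit push, which is why the evaluation slides see only gradual degradation.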
Pi Filtering – Basic Scheme
• Basic scheme
  – Drop all packets with Pi marks matching that of any attack packet
• Assumption
  – Victim can identify attack packets
• Implementation overhead
  – Memory: bit vector of length $2^{16}$ (8 kB)
  – if (BitVec[PiMark] == 0) then accept() else drop();
  – Simple per-packet lookup
![Page 21: Pi: A Path Identification Mechanism to Defend Against DDoS Attacks](https://reader036.fdocuments.in/reader036/viewer/2022070404/56813bd7550346895da4ff36/html5/thumbnails/21.jpg)
Pi Filtering – Thresholds
• Problem
  – Single attacker causes multiple users’ rejections
• Solution
  – Assume, for a particular Pi mark i:
    $a_i$ = number of attack packets
    $u_i$ = number of legitimate users’ packets
  – Victim chooses threshold t such that packets with Pi mark i are kept if
    $$\frac{a_i}{a_i + u_i} \le t$$
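The basic bit-vector filter and the threshold filter from the two filtering slides, run through the two-phase model (learning, then attack) and scored with the acceptance ratios defined on the metrics slide. This is an added example for this transcript, not the paper's code. The victim's attack labels during learning are assumed to come from an omniscient oracle, as in the experiments, and the traffic is constructed inline: 100 users spread over 20 marks, 30 attackers on marks of their own and 10 attackers sharing marks with users.

```python
from collections import defaultdict

ID_FIELD_BITS = 16
NUM_MARKS = 1 << ID_FIELD_BITS          # 2^16 possible Pi marks


class PiFilter:
    """Victim-side Pi filter. threshold=0.0 is the basic scheme (one attack
    packet flags a mark); threshold=t keeps mark i while a_i/(a_i+u_i) <= t."""

    def __init__(self, threshold: float = 0.0):
        self.threshold = threshold
        self.attack = defaultdict(int)           # a_i: attack packets per mark
        self.user = defaultdict(int)             # u_i: legitimate packets per mark
        self.bitvec = bytearray(NUM_MARKS // 8)  # 8 kB: one drop bit per mark

    def _set(self, mark: int) -> None:
        self.bitvec[mark >> 3] |= 1 << (mark & 7)

    def _get(self, mark: int) -> int:
        return (self.bitvec[mark >> 3] >> (mark & 7)) & 1

    def learn(self, mark: int, is_attack: bool) -> None:
        """Phase 1: the victim is assumed able to label each packet."""
        (self.attack if is_attack else self.user)[mark] += 1

    def build(self) -> None:
        """Flag mark i when its attack share exceeds the threshold."""
        self.bitvec = bytearray(NUM_MARKS // 8)
        for mark, a in self.attack.items():
            u = self.user.get(mark, 0)
            if a / (a + u) > self.threshold:
                self._set(mark)

    def accept(self, mark: int) -> bool:
        """Phase 2, per packet: if (BitVec[PiMark] == 0) then accept else drop."""
        return self._get(mark) == 0

    def flagged_count(self) -> int:
        """Marks currently flagged; as this approaches 2^16 the filter is
        saturated and user acceptance collapses (the slide's downward slope)."""
        return sum(bin(b).count("1") for b in self.bitvec)


def acceptance_ratios(filt: PiFilter, traffic):
    """(user acceptance, attacker acceptance) = (1 - FP rate, FN rate)."""
    accepted = {False: 0, True: 0}
    total = {False: 0, True: 0}
    for mark, is_attack in traffic:
        total[is_attack] += 1
        accepted[is_attack] += filt.accept(mark)
    return accepted[False] / total[False], accepted[True] / total[True]


def sample_traffic():
    """Constructed one-packet-per-endhost round: 100 users on marks 0..19
    (5 per mark), 30 attackers alone on marks 20..49, 10 attackers sharing
    marks 0..9 with users."""
    users = [(i % 20, False) for i in range(100)]
    attackers = [(20 + i, True) for i in range(30)] + [(i, True) for i in range(10)]
    return users + attackers


def run(threshold: float):
    """Learn on one round, then filter an identical round."""
    filt = PiFilter(threshold)
    for mark, is_attack in sample_traffic():
        filt.learn(mark, is_attack)
    filt.build()
    return acceptance_ratios(filt, sample_traffic())


if __name__ == "__main__":
    for t in (0.0, 0.5):
        user_acc, attacker_acc = run(t)
        print(f"threshold {t:.1f}: user acceptance {user_acc:.2f}, attacker acceptance {attacker_acc:.2f}")
```

On this constructed traffic the basic filter (threshold 0) drops every user who shares a mark with an attacker, giving user acceptance 0.50 and attacker acceptance 0.00; the 50% threshold keeps those shared marks, raising user acceptance to 1.00 at the cost of attacker acceptance 0.25, the same trade the evaluation slides report at scale (60%/17% versus 82%/22%).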
Exp. Results – Attack Model
• Two-phase DDoS model
  – Phase 1: learning phase; omniscient victim, filter bootstrapping; limited length (3 packets per endhost)
  – Phase 2: attack phase; Pi filter deployed; “unlimited” length (3 packets simulated)
• Results presented for phase 2
Exp. Results – Setup
• Two Internet topologies
  – Internet Map Project: 81,953 unique endhosts
  – CAIDA Skitter map: 171,472 unique endhosts
• 5,000 legitimate users, 100–10,000 attackers
• n = 2 bits
• 4-router non-marking ISP perimeter
  – Victim ISP marks unnecessary/undesirable
Exp. Results – Metrics
• Filter errors
  – False positive: user packet dropped
  – False negative: attacker packet accepted
• Acceptance ratio
  – Percent of packets accepted by the victim out of total packets sent
  – Attacker acceptance ratio = false negative rate
  – User acceptance ratio = (1 – false positive rate)
Exp. Results – Basic Filter
• DDoS protection
  – Accepted (with 10,000 unique attack paths): 60% of user traffic, 17% of attacker traffic
• Downward slope due to “marking saturation”
  – All markings flagged as attacker
Exp. Results – 50% Threshold Filter Performance
• Thresholds work!
  – Accepted (with 10,000 unique attack paths): 82% of user traffic, 22% of attacker traffic
• Increased attack severity requires increased threshold
Exp. Results – Legacy Routers
• 50% threshold used
• Performance degradation is gradual
• Some filtering accuracy even at 50% legacy routers
  – 0 = random selection
  – 1 = perfect filter
Exp. Results – Limited Capacity Constraint
• Limit maximum number of packets accepted
• Strategy
  – Accept lowest attack-traffic Pi marks first
• Performance
  – 60% of server capacity for legitimate packets when total attack traffic is 170X the user traffic
  – Note: each attacker sends 10X the traffic of a legitimate user
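The capacity-constrained strategy on this slide, ranking marks by their attack share and accepting the cleanest marks until the victim's packet budget is used, as an added example for this transcript (not the paper's code). The per-mark counts $(a_i, u_i)$ are constructed inline and already reflect the 10X attacker traffic; it is assumed that a mark is accepted or dropped as a whole and that ranking stops at the first mark that no longer fits.

```python
from typing import Dict, List, Tuple

Counts = Dict[int, Tuple[int, int]]   # mark -> (a_i attack packets, u_i user packets)


def capacity_plan(counts: Counts, capacity: int):
    """Rank marks by attack share a_i/(a_i+u_i), lowest first (ties by mark),
    and accept whole marks until the next one would exceed `capacity`.
    Returns (accepted marks, user acceptance ratio, attacker acceptance ratio,
    share of accepted packets that are legitimate)."""
    ranked = sorted(counts, key=lambda m: (counts[m][0] / sum(counts[m]), m))
    accepted: List[int] = []
    load = 0
    for m in ranked:
        a, u = counts[m]
        if load + a + u > capacity:
            break                       # every later mark has a worse attack share
        accepted.append(m)
        load += a + u
    total_a = sum(a for a, _ in counts.values())
    total_u = sum(u for _, u in counts.values())
    acc_a = sum(counts[m][0] for m in accepted)
    acc_u = sum(counts[m][1] for m in accepted)
    legit_share = acc_u / load if load else 0.0
    return accepted, acc_u / total_u, acc_a / total_a, legit_share


def unfiltered_share(counts: Counts) -> float:
    """Baseline with no Pi filter: legitimate share of whatever arrives."""
    total_a = sum(a for a, _ in counts.values())
    total_u = sum(u for _, u in counts.values())
    return total_u / (total_a + total_u)


def sample_counts() -> Counts:
    """Constructed phase-1 counts for 10 marks. Users send 1 packet each,
    attackers 10 each: marks 0..3 carry 50 users; marks 4 and 5 carry 50 users
    plus 10 attackers (100 packets); marks 6..9 carry 50 attackers (500 packets)."""
    counts: Counts = {}
    for m in range(4):
        counts[m] = (0, 50)
    for m in (4, 5):
        counts[m] = (100, 50)
    for m in range(6, 10):
        counts[m] = (500, 0)
    return counts


if __name__ == "__main__":
    accepted, user_acc, attacker_acc, share = capacity_plan(sample_counts(), capacity=350)
    print("accepted marks:", accepted)
    print(f"user acceptance {user_acc:.2f}, attacker acceptance {attacker_acc:.3f}")
    print(f"legitimate share of capacity: {share:.2f} (unfiltered: {unfiltered_share(sample_counts()):.2f})")
```

With a budget of 350 packets against 2,500 offered (attack traffic about 7X the user traffic here), the plan fills capacity with the four user-only marks plus one shared mark, so 71% of the accepted packets are legitimate, against 12% if the victim simply took packets as they arrived.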
Other Applications
• Help other anti-DDoS techniques
  – Pushback: filters that mask individual IP addresses can be very long; upstream path information improves filtering accuracy
  – IP traceback path reconstruction
  – IDS
• ISPs use Pi to detect IP address spoofing
Discussion: Deployment Incentives
• Lack of incentive for ingress filtering today
• Pi provides incentive for ISPs
  – Customers benefit from Pi marking
• Attackers within an ISP cause blocking of that ISP’s other customers
  – ISP has incentive to block attack
  – Incentives for ingress filtering
• Market pressures drive Pi deployment
  – Large-scale Internet sites > ISPs > router manufacturers
Future Work
• Advanced marking schemes
  – Use combination of XOR and shift
• Advanced dynamic filters
  – Problems: “nearby” attackers always have attacker-initialized bits in markings; route changes cause Pi mark variations
  – Solution: machine learning techniques identify marking commonalities (e.g. longest-prefix matching for nearby attackers)
Related Work
• IP traceback
• itrace
• SPIE
• PEIP – Path Enhanced IP (CS3-Inc.)
  – Adds a 16-byte path to each packet
  – Router marks within the 16-byte path
Pi: Conclusions
• Disadvantages of current DDoS defenses
  – Slow
  – High overhead
  – Assume ISP collaboration
• Pi provides DDoS protection
  – After first identified attack packet
  – Minimal overhead at routers and endhosts
  – Maintains IP fragmentation
  – No inter-ISP cooperation
  – Great incremental deployment properties