Distributed defense of Distributed DoS using Pushback and Communicate mechanism
Nguyen Trung Hai
University of Engineering and Technology, Vietnam National University, Hanoi, Vietnam
nguyen.hai@vnu.edu.vn
Doan Cao Thanh, Nguyen Van Quan, Nguyen Thi Huyen Trang, Doan Minh Phuong
University of Engineering and Technology, Vietnam National University, Hanoi, Vietnam
{s0420305, s0420333, s0420407}@coltech.vnu.vn, phuongdm@vnu.edu.vn
Abstract— DDoS is one of the most dangerous methods of attacking a victim network because it uses a vast number of distributed agents to paralyze the victim. This paper gives a DDoS defense method based on the "pushback and communicate" idea (the PaC method). When the victim's gateway detects a DDoS attack, it listens on its interfaces to determine the neighbors from which the DDoS packets come. Those neighbors receive the DDoS information and do the same thing the victim's gateway did. By repeating this work, PaC can find the exact path the DDoS packets have passed through. All routers then create their own filters before sending the DDoS information on to their next neighbors.
Keywords: Denial of Service (DoS), Distributed Denial of Service (DDoS), distributed defense, push back, packet filtering, traffic monitoring
I. INTRODUCTION
A denial-of-service (DoS) attack interrupts a victim's service to its legitimate clients: it prevents those clients from accessing legitimate services by sending a massive number of packets, crafted according to some criterion, so that the victim server is overloaded handling them. A distributed denial-of-service (DDoS) attack is a DoS attack from multiple attacking sources, which may be located over a wide area.
There are some key terms which need to be understood clearly: victim, agent, handler, stepping stone and attacker. The victim is the destination of the DDoS packets, which is expected to be interrupted or brought down. Agents are machines which directly send attack requests to victims; each DDoS attack is the result of a vast number of agents. Agents receive control commands from machines called handlers, which are controlled by the attacker. The attacker is the real instigator. In some cases, the attacker and the handler communicate via a stepping stone to hide the attacker's real footprint; he often chooses a stepping stone in a different country to reduce the risk, both technically and legally [1]. In fact, a stepping stone is a handler at a higher level. When the victim traces back, it often finds the agents, but it is very difficult to know who the real attacker behind them is.
Because of its distributed nature, a DDoS attack is much more difficult to detect and prevent. First, DDoS attacks use legitimate packets; therefore, distinguishing DDoS requests from real users' requests by checking each packet is impractical. Second, the overwhelming quantity of packets is contributed by the many agents taking part in the attack, so the agents need not be powerful machines; another consequence is that the traffic from each agent is too small to detect near the source. Third, attackers are carefully hidden by IP spoofing or by hiding mechanisms (intermediate agents). For these reasons, DDoS attacks are very difficult to detect. Even when the victim finds the attackers, it cannot prevent all of them because of the large number of agent networks and their wide coverage. Also, since core routers are concerned only with the destination address rather than the source address, if the attacker spoofs the IP addresses of the agents it is harder to figure out the source of the attack [6]. Moreover, looking at packet content, each packet that reaches the victim is clearly legitimate; it is only the mass of packets in a short time that overloads the victim.
DDoS defense mechanisms can be classified by time or by location. By time, there are two types: prevention (before the attack happens) and reaction (reacting to an occurring attack). Based on the location of the defense system, they can be divided into four types: near the victim, near the attacker, in the middle, and a combination of all of these.
A. Prevention and Reaction
Prevention tries to make it impossible to perform a DDoS attack, either by preventing attackers from launching one (for example, limiting the number of packets from some sources) or by raising the system's capacity and processing threshold, such as system performance or bandwidth. But this way is impractical because of the distributed nature of the attack: for example, if the administrator doubles the system performance, the number of agents can be increased by more than twice. The cost of this method also needs to be considered. In fact, administrators often choose reaction methods, which solve the problem after the DDoS attack has happened. First, they try to find out exactly which agents are joining the current attack. Then some forbidding policies are applied to decrease or stop the traffic from those sources. The reaction method acts only after the fact, so the victim has to suffer serious damage before the attack is blocked. However, it is generally used because it is more practical than the prevention mechanism.
2011 International Conference on Advanced Technologies for Communications (ATC 2011)
B. Location of the defense system
Putting the defense system near the victim is very simple, as it is not affected by other parties. This method is used to perform reaction after the victim has been attacked. It needs high system performance because it operates while the victim is under attack. A defense system near the attacker is a good choice for DDoS defense: the DDoS attack flow can be detected as soon as it starts, and IP spoofing, if any, can also be detected. However, it requires a powerful system for fast detection. So far three methods implement this approach [4]; D-WARD is the most significant method following this idea. It solves the problem independently and is highly effective (preventing 70% of TCP and ICMP attacks and supporting 7 UDP protocols in avoiding DDoS attacks) [5]. The DDoS defense center can also be put in the middle. However, this is not a good choice, because changing the Internet's core costs a great deal and has to be agreed all over the world; for this reason it is theoretical and impractical. Finally, the best choice is the combination, which means that the victim detects the attack and tries to find help from far nodes in the Internet; in some cases the defense is pushed to a location near the attacker. This way decreases the victim system's duty, so it is chosen by many DDoS defense researchers.
C. Introduction to the PaC mechanism
PaC is a new method to prevent DDoS attacks which belongs to the combination category. It is based on two principles:
- using filters in routers to stop DDoS packets;
- pushing back and communicating to request help from routers near the attacker.
Because PaC uses not only the IP address but also the interface to perform the pushback, it can prevent any IP spoofing attack. Moreover, the supervision and inspection mechanism applied before filtering helps PaC detect cheating and exploiting.
AITF, the Active Internet Traffic Filter [3], is a mechanism for blocking highly distributed denial-of-service attacks. To prevent attacks, this method uses the notion of "Route Record", which lets a router write its IP address on each packet it forwards. As a result, each packet carries the identity of a sub-list of the border routers that forwarded it. When the network administrator suspects a DDoS attack, he immediately signals the nearest router (V_GW) to create a filter that blocks the attack. The AITF protocol then determines the router nearest the attacker (A_GW) and connects to it to stop the attack. If A_GW cooperates, it blocks the attack; otherwise, the method escalates. One of the most effective systems for defending against and reacting to DDoS attacks is D-WARD [5], as it can self-regulate based on the received packets. It includes three components, observation, rate-limiting and traffic-policing, each with its own function. The traffic-policing component must be part of the source router, while the observation and rate-limiting components can obtain traffic statistics by interacting with the source router and then installing rate-limit rules. In terms of general control of network traffic, Aggregate-Based Congestion Control (ACC) and Pushback [7] aim to control the traffic of large networks, with additional DDoS traffic control, using the pushback mechanism with six input parameters; however, this mechanism is still bulky and has no mechanism to avoid exploiting and cheating.
III. PAC MECHANISM
A. Key terms
+ Filter: a filter is a collection of rules installed on a router (the rules may differ from router to router). The filter determines whether a packet is forwarded or stopped [2]. In PaC, filters stop DDoS packets whose source IP address is the agent's IP address and whose destination IP address is the victim's IP address. Each filter exists for a constant and limited time. The final filter (the filter located nearest the attacker) lives longer than the others.
+ Router/Gateway: in this paper, "router" means a machine or device which can route and execute the PaC protocol. "Gateway" is used in its pure meaning. In the PaC protocol, there are two types of gateway: the victim's gateway and the agent's gateway. Since networks use NAT, it is hard to trace directly to the computer inside the local network that joins the DDoS attack. We therefore consider the source which forwards the attacking IP packets to be the agent's gateway. In the normal case, this kind of gateway transits packets between the local network and the Internet using NAT, but when one machine joins the DDoS attack, this gateway acts as the agent's gateway. In the special case where the attacking machine has a static IP or uses a proxy server to perform the attack, we call the agent with the static IP, or the proxy server, the agent's gateway. For the victim's gateway, the concept is the same, except that there is no proxy server for the victim.
+ Poisoned neighbors: a router R has many neighbors. Some of R's neighbors, for example A and B, accept DDoS packets that pass through them to R; R does not receive any DDoS packets from the others, such as C and D. In this paper, we call A and B poisoned neighbors.
B. PaC Mechanism
PaC stands for "pushback and communicate", and the name is used for both the method and the protocol. The PaC method spreads filters through the routers and pushes back toward the source by communicating. When an IP address is determined to be the attacker's source, the victim's gateway activates its own filter and listens to determine which interfaces the DDoS packets come from. Then the victim's gateway sends requests through those interfaces to ask its poisoned neighbors to create filters. Those poisoned neighbors create filters, listen, and in turn send requests to their own poisoned neighbors. This recursion stops when we find the router nearest the agent. By this method, we can determine the root router which forwards the DDoS packets, whether its source address is spoofed or not. The PaC protocol applies rules and messages to all routers on the network; routers which do not implement the PaC protocol are transparent. The mechanism is implemented through six steps:
1) Step 1
The victim detects DDoS packets from an agent with IP address a.b.c.d and sends a "start PaC protocol" request to its gateway (V_GW), with its own IP address and the agent's IP address as parameters. The victim and V_GW use an asynchronous bi-directional authentication method to ensure that the "start PaC protocol" request is not faked. If the victim uses a static IP, it takes the role of V_GW itself.
2) Step 2
V_GW creates a filter to stop packets from a.b.c.d for the time tstart.
3) Step 3
V_GW checks whether the agent's IP address is faked or not by pinging a.b.c.d:
+ If there is no response, the agent is probably faking its IP; go to step 6. The time spent waiting for a response is called tno-response.
+ If there is a response within tresponse, V_GW determines that the responder is the agent's gateway (A_GW). V_GW will soon hand the filtering role over to A_GW.
4) Step 4
First, V_GW looks for the two routers nearest the agent on which the PaC protocol is installed (in Figure 1, Router Y is the router nearest the agent, then Router X). In the best case, Router Y is the agent's gateway (A_GW). Router Y must stop the DDoS traffic, and Router X supervises Router Y. V_GW sends a request to A_GW asking whether A_GW has the PaC protocol installed or not. If yes, we look for the router preceding A_GW and give it the role of supervising A_GW. The time for finding these two routers is tsearch.
+ The search works as follows: V_GW traces the route to a.b.c.d by sending ICMP packets with TTL increasing from 0. The routers along the route to A_GW respond in turn with ICMP time exceeded packets. V_GW then establishes a reliable connection to each of those routers to ask whether it supports the PaC protocol. The two routers that first answer "Yes" become Router Y and Router X respectively. If A_GW already supports PaC, then we need only one more.
+ Next, Router X and Router Y perform a reverse check of whether V_GW is the victim's gateway. If the victim has the same IP address as V_GW, this step is skipped. Otherwise, Router X and Router Y check whether V_GW precedes the victim by sending pings with TTL h+1 and h to V_GW and the victim respectively, where h is the number of hops from V_GW to the sending router. If the router does not receive the valid responses, which are ICMP time exceeded from the victim and V_GW, it denies the request and disconnects from V_GW. Otherwise, we go to step 5. The total time for authenticating each other is tauthen.
5) Step 5
+ V_GW requests Router Y to set up FilterY for the time tY, and sends it the DDoS traffic rate R1 it received from a.b.c.d.
+ V_GW establishes a reliable connection to Router X, requests it to build ShadowX to inspect the DDoS flow from a.b.c.d during ∆t, and then terminates the connection.
+ Router Y, after setting up FilterY for tY, performs two actions: it stops forwarding the DDoS traffic, and it counts this traffic as R2:
- If R1 >> R2, the agent has spoofed the IP a.b.c.d. Router Y removes FilterY and sends R2 to V_GW; V_GW compares it with R1, disconnects from Router Y, and then performs step 6.
- If R1 ≈ R2, the agent is really attacking. Router Y responds to V_GW, V_GW acknowledges and terminates the connection, and Router Y now performs step 6 in the role of V_GW (called "relative pushing back").
- The time for checking R1 and R2 is called tcheck.
+ If Router X monitors Router Y for ∆t without finding a significant decrease in the DDoS traffic, Router Y cannot stop the DDoS traffic. Router X then sets up FilterFinal for the time tlong. The process finishes.
6) Step 6
V_GW executes "push back and communicate": V_GW turns on its filter for tstart and sends requests to its neighbor routers. Each neighbor sets up the same filter and recursively forwards the request to set up the filter to its own neighbors. The time each router performs filtering is ttmp; if a router receives more than one request to set up the filter, it just resets ttmp to zero.
+ During ttmp, if a router still receives DDoS traffic through a neighbor router, it re-sends the request up to three times. If after that there is still no significant reduction in the DDoS traffic, the neighbor routers have clearly failed to finish the mission (they may not have the PaC protocol installed). In this case, the original router sets up the filter by itself for tlong. The process finishes.
+ The other routers wait for ttmp to time out, stop filtering, and build a shadow file to supervise the nearby succeeding routers for tsupervise. If DDoS traffic is still being transferred during this time, they turn on the filter for tlong. The process finishes.
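The following round-based model of step 6 is an added example, not code from the paper or its authors. It exercises the key terms of Section III.A (a filter keyed on the agent/victim address pair, interfaces that a router listens on, poisoned neighbors) and the step 6 rules: a repeated request only resets ttmp, a router that still sees DDoS packets on an interface re-sends its request up to three times, and after that it installs its own filter for tlong. The topology, the bots, the victim address 10.0.0.5, the spoofed source a.b.c.d, the per-round filter lifetimes and the idea of naming an interface after its upstream hop are all constructed assumptions; router R2 deliberately lacks PaC so that the fallback to FilterFinal can be observed.

```python
"""Round-based toy model of PaC step 6, "push back and communicate" (added example).

Assumptions not taken from the paper: discrete rounds, one packet per bot per
round along a fixed path, an interface named after its upstream hop, and the
filter lifetimes below. Routers without PaC and end hosts ignore requests.
"""
from collections import defaultdict

T_START, T_TMP, T_LONG = 20, 5, 50   # tstart, ttmp, tlong in rounds (assumed values)
MAX_RESEND = 3                       # paper: re-send the request up to three times

VICTIM = "10.0.0.5"                  # constructed victim address
AGENT = "a.b.c.d"                    # spoofed source address used by every bot


class Router:
    def __init__(self, name, pac=True):
        self.name, self.pac = name, pac
        self.filters = {}                                 # (src, dst) -> expiry round
        self.rx = defaultdict(lambda: defaultdict(int))   # key -> {interface: packets}
        self.sent = defaultdict(int)                      # key -> requests sent upstream
        self.final = {}                                   # key -> round FilterFinal was set


class Network:
    def __init__(self, routers):
        self.r = {x.name: x for x in routers}
        self.now, self.log = 0, []

    def start_pac(self, vgw, key):
        """Steps 1-2 in the spoofed case: V_GW installs its own filter for tstart."""
        self.r[vgw].filters[key] = self.now + T_START

    def forward(self, key, path):
        """One packet from path[0] (bot) through path[1:] (routers); returns the dropping hop."""
        prev = path[0]
        for hop in path[1:]:
            r = self.r[hop]
            r.rx[key][prev] += 1                          # the router listens on this interface
            if r.filters.get(key, -1) >= self.now:
                return hop                                # matched an active filter: dropped here
            prev = hop
        return None                                       # reached the victim

    def request_filter(self, target, key, requester):
        """Ask a neighbour to filter key; hosts and non-PaC routers are transparent."""
        r = self.r.get(target)
        if r is None or not r.pac:
            return False
        r.filters[key] = self.now + T_TMP                 # a repeated request just resets ttmp
        self.log.append(f"round {self.now}: {requester} -> {target}: filter {key} for ttmp")
        return True

    def pushback(self, key):
        """Every PaC router holding a filter checks which interfaces still carry DDoS packets."""
        holders = [r for r in self.r.values() if r.pac and key in r.filters and key not in r.final]
        for r in holders:                                 # snapshot: requests take effect next round
            poisoned = [itf for itf, n in r.rx[key].items() if n > 0]
            if not poisoned:
                continue
            if r.sent[key] > MAX_RESEND:                  # first request + 3 re-sends changed nothing
                r.filters[key] = self.now + T_LONG
                r.final[key] = self.now
                self.log.append(f"round {self.now}: {r.name} installs FilterFinal for tlong")
                continue
            for itf in poisoned:
                self.request_filter(itf, key, r.name)
            r.sent[key] += 1

    def run(self, flows, key, rounds):
        """Simulate rounds; return where each packet of the last round was dropped."""
        drops = defaultdict(int)
        for _ in range(rounds):
            self.now += 1
            drops.clear()
            for r in self.r.values():
                r.rx.clear()
            for path in flows:
                drops[self.forward(key, path) or "victim"] += 1
            self.pushback(key)
        return dict(drops)


def build_demo():
    """Constructed topology: R2 has no PaC, so R1 must fall back to its own FilterFinal."""
    net = Network([Router("V_GW"), Router("R1"), Router("R2", pac=False),
                   Router("R3"), Router("RA"), Router("RB")])
    flows = [["bot-1", "RA", "R2", "R1", "V_GW"],
             ["bot-2", "RA", "R2", "R1", "V_GW"],
             ["bot-3", "RB", "R3", "R1", "V_GW"]]
    key = (AGENT, VICTIM)
    net.start_pac("V_GW", key)
    return net, flows, key


if __name__ == "__main__":
    net, flows, key = build_demo()
    print(net.run(flows, key, 10))     # {'R1': 2, 'RB': 1}
    print("\n".join(net.log))
```

Running the demo shows the two outcomes the step describes: along the right branch the requests travel R1 → R3 → RB, and RB, whose only poisoned interface faces a host that ignores requests, installs FilterFinal after its three re-sends; along the left branch R1 never gets past the transparent router R2, so R1 itself ends up holding the long-lived filter while RA is never contacted.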
C. Avoiding cheating
The attacker may take control of a router on the path where PaC is executing and refuse to set up the filter that the neighbor router requests. Moreover, he may control A_GW: when a neighbor router sends a request, A_GW pretends to have set up the filter for tlong but actually keeps it only for tcheat << tlong, or suspends the attack and resumes it when the neighbor removes the filter. Or, when V_GW handshakes with A_GW, A_GW pretends to have set up the filter, waits for V_GW to close the connection (or for tstart to elapse), and then resumes the attack.
To prevent cheating, Router X must become a shadow router that inspects the PaC execution of Router Y using a shadow called ShadowX, as shown in Figure 2. When V_GW handshakes with A_GW, V_GW also handshakes with the router preceding A_GW (in this case Router X); this router takes the role of monitoring the activity of A_GW. The shadow router monitors by re-sending the request after three attempts (in steps 5 and 6); this prevents routers in the middle and A_GW from cheating by not setting up the filter or by setting it up only for a very short time.
Figure 1: PaC model
Figure 2: Use Shadow to avoid cheating
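The following is an added example, not code from the paper, that models the decision V_GW reaches in step 5 together with the ShadowX inspection of Section III.C. It assumes that Router X is the next hop after Router Y toward the victim (so it sees exactly what Router Y forwards), that time is counted in rounds, that traffic from a.b.c.d arrives at a constant rate, and two constructed thresholds: R2 below half of R1 is read as "R1 >> R2", and ShadowX expects at least a 50% decrease during ∆t. The cheating A_GW of Section III.C is modelled as a router that acknowledges the request, echoes the R1 value it was given as its R2, and installs nothing.

```python
"""Step 5 of PaC (R1/R2 check at RouterY, ShadowX inspection at RouterX), added example.

Assumptions not from the paper: RouterX is the next hop after RouterY toward the
victim, time is counted in rounds, traffic arrives at a constant rate, and the
two thresholds below decide "R1 >> R2" and "significant decrement".
"""
from dataclasses import dataclass, field

T_Y, T_LONG, DELTA_T = 10, 100, 5     # tY, tlong and ∆t in rounds (assumed values)
SPOOF_RATIO = 0.5                     # assumed: R2 below half of R1 means the source is spoofed
SIGNIFICANT_DROP = 0.5                # assumed: ShadowX expects at least a 50% decrease in ∆t
KEY = ("a.b.c.d", "10.0.0.5")         # constructed (agent IP, victim IP) pair

SPOOFED = "spoofed: FilterY removed, V_GW goes to step 6"
CHEATING = "cheating: ShadowX installs FilterFinal at RouterX"
CONFIRMED = "agent confirmed: RouterY takes V_GW's role (relative pushing back)"


@dataclass
class PacRouter:
    name: str
    honest: bool = True                           # a cheating A_GW acknowledges but filters nothing
    filters: dict = field(default_factory=dict)   # key -> expiry round
    matched: dict = field(default_factory=dict)   # key -> packets blocked by the filter

    def request_filter(self, key, lifetime, now):
        """A neighbour asks for a filter; honest and cheating routers both answer yes."""
        if self.honest:
            self.filters[key] = now + lifetime
            self.matched[key] = 0
        return True

    def pass_traffic(self, key, pkts, now):
        """Apply this router's filter; return the packets forwarded downstream."""
        if self.filters.get(key, -1) >= now:
            self.matched[key] += pkts
            return 0
        return pkts

    def report_r2(self, key, r1):
        """R2 as reported back to V_GW; a cheater simply echoes the R1 value it was given."""
        return self.matched[key] / DELTA_T if self.honest else r1


def run_step5(r1, rate_via_y, router_y, router_x, now=0):
    """V_GW's view of step 5: r1 is the rate V_GW measured for a.b.c.d, rate_via_y the
    rate that really enters RouterY for that source (much lower if the IP is spoofed)."""
    router_y.request_filter(KEY, T_Y, now)                  # FilterY for tY, sent together with R1
    before = rate_via_y * DELTA_T                           # what ShadowX saw in the ∆t before FilterY
    after = sum(router_y.pass_traffic(KEY, rate_via_y, t)   # what still reaches RouterX during ∆t
                for t in range(now + 1, now + 1 + DELTA_T))
    r2 = router_y.report_r2(KEY, r1)
    if r2 < SPOOF_RATIO * r1:                               # R1 >> R2: packets do not come via RouterY
        router_y.filters.pop(KEY, None)
        return SPOOFED
    if before and after > (1 - SIGNIFICANT_DROP) * before:  # no significant decrement seen by ShadowX
        router_x.filters[KEY] = now + DELTA_T + T_LONG
        return CHEATING
    return CONFIRMED


if __name__ == "__main__":
    print(run_step5(1000, 1000, PacRouter("A_GW"), PacRouter("RouterX")))
    print(run_step5(1000, 1000, PacRouter("A_GW", honest=False), PacRouter("RouterX")))
    print(run_step5(1000, 20, PacRouter("A_GW"), PacRouter("RouterX")))
```

The three calls in the demo correspond to the three situations the text distinguishes: an honest A_GW that really carries the agent's traffic (R1 ≈ R2, the flow at Router X collapses), a cheating A_GW that reports a plausible R2 but forwards everything (only the ShadowX measurement exposes it, and Router X installs FilterFinal), and a spoofed source whose traffic never passes Router Y (R1 >> R2, so FilterY is removed and V_GW proceeds to step 6).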
D. Avoiding exploiting
A router G may pretend to be the victim of a DDoS attack in order to stop access from network H to network K. G broadcasts that H is attacking K, then sends requests to execute PaC to stop all traffic from H to K. There are two ways for G to do this:
+ G acts as the gateway of K (V_GW) and connects to the gateway of H (acting as A_GW) to request that a PaC filter be set up to stop traffic to K.
+ G acts as a gateway in the middle between H and K, running the PaC protocol and requesting G's neighbors to set up filters to stop traffic from H to K.
To avoid this, in the first case, when G connects to the gateway of network H, the connection must be reliable, without IP faking. After that, H's gateway still checks whether G is in front of H or not by double pinging; if not, H declines to set up the filter. In the second case, it is nearly impossible to stop traffic from H to K, for three reasons. First, routers in the core of the Internet are managed carefully by ISPs and are almost inaccessible. Second, core routers are much simpler than general-purpose machines, with fewer applications to be exploited. Last, the Internet architecture is packet switching: the route from H to K is not static but changes over time, and the cost of tracing all the routes from H to K would be much more than the final target is worth.
IV. ANALYSIS
A. Time and filtering effectiveness
Suppose Rtb is the average number of routers that a packet passes through from one host to another, and Ttb is the average time for a packet to go from one node to the next. Rtb*Ttb may be considered a constant for each host, called the acceptable response time. Suppose Ftb is the average number of filters set up on each interface of each router (according to [3], Ftb is approximately 10.000), A is the number of attacking agents and Gtb is the number of defending A_GWs, so that Atb = A/Gtb is the average number of agents each A_GW must defend against. If Atb is equal to or less than Ftb, then our defense system is effective. Therefore, we consider 1/Atb as the performance index of the PaC protocol: the bigger this index gets, the more effectively the PaC protocol works.
1) If all routers have already set up PaC, the attack from the agent was not spoofed, and the victim and V_GW have the same IP address
The total time is calculated as follows:
+ One ping to a.b.c.d, plus the two connections from V_GW to A_GW and to Router X to set up the filter and perform supervision, give the total time:
T1 = tresponse + tsearch + tauthen
+ As the search method is based on a traceroute to a.b.c.d, all routers support the PaC protocol, and one shadow router has to be searched for, then
tsearch = 2*(Ttb + 2*Ttb + 3*Ttb + … + Rtb*Ttb) + 2*Rtb*Ttb
+ The waiting time for the response:
tresponse = 2*(Rtb-1)*Ttb
+ The victim and V_GW have the same IP address:
tauthen = 0
+ The total time is:
T1 = tresponse + tsearch + tauthen = (Rtb^2 + 3 Rtb - 1) * Ttb
2) If all routers have already set up PaC, the attacking traffic from agent A was spoofed, and V and V_GW have the same IP address
T2 = tno-response + tY
+ The waiting time with no response:
tno-response >> 2*Rtb*Ttb
This waiting time is usually set to a constant threshold in V_GW's configuration.
+ The time to push the request message back through the whole network:
tY = Rtb*Wtb*Ttb
where Wtb is the average waiting time from when a router receives a request to set up a filter until it receives the DDoS flow and sends the request on to its neighbor.
+ The total time is:
T2 = tno-response + Rtb*Wtb*Ttb
3) If no router supports the PaC protocol except V_GW, and all agents are spoofed
V_GW checks for spoofing first, then sends the request to its neighbors; after 3 failures, V_GW sets up the filter itself, in the time:
T3 = tno-response + 2*tstart
4) Review
A DDoS attack boosts its performance by distributing the agents further; this makes Gtb increase, which means the performance index of PaC increases. This is one of the advantages of the PaC mechanism for defending against DDoS.
B. Analysis of the PaC mechanism
1) Advantages
+ The PaC mechanism does not consume much Internet traffic compared with AITF [3], since it is activated only when the victim detects the attack. AITF always inserts a Route Record into each IP packet whether an attack is happening or not, which increases the IP packet overhead significantly.
+ V_GW tries to hand the filtering role to a router near the agent, which stops the DDoS traffic early and reduces the bottleneck for the victim.
+ PaC can prevent IP faking, cheating and exploiting.
+ It is effective at stopping DDoS even when there are many routes from the attacker to the victim and the routes are updated dynamically and constantly.
+ PaC is implemented in the network layer; it is transparent to routers in the middle which do not have PaC installed.
+ PaC works well even when the attacking network is highly distributed.
2) Disadvantages
+ It would be better to request the core routers to set up the filter, but that may cause overhead in the whole network.
+ If the attacker rotates the faked IP addresses, A_GW must set up many filters, one per IP, which may slow performance.
V. CONCLUSION
PaC is a mechanism to prevent DDoS by setting up "re-action" behavior, combining several defense locations to perform distributed defense. However, it is just a model which needs to be verified in reality. Next, we want to implement this mechanism on Cisco-based routers to evaluate its performance with real, public DDoS data provided by an ISP.
ACKNOWLEDGMENT
This work was supported by the Vietnam National Foundation for Science and Technology Development (NAFOSTED) for a Basic Research Project (No. 102.01.25.09).
REFERENCES
[1] Jelena Mirkovic, Sven Dietrich, David Dittrich, Peter Reiher. Internet Denial of Service: Attack and Defense Mechanisms. Prentice Hall PTR, 2004.
[2] Access list configuration in Cisco's Gigabit Ethernet Interface. http://cisco.com/en/US/products/hw/switches/ps5304/prod_configuration_guides_list.html
[3] Katerina Argyraki, David R. Cheriton. Active Internet Traffic Filtering: Real-Time Response to Denial-of-Service Attacks. Proceedings of the USENIX Annual Technical Conference, 2005.
[4] Vicky Laurens, Abdulmotaleb El Saddik, Pulak Dhar and Vineet Srivastava. Detecting distributed denial of service attack traffic at the Agent machines. IEEE CCECE, 2006.
[5] J. Mirkovic. D-WARD: Source-End Defense Against Distributed Denial-of-Service Attacks. Ph.D. dissertation, University of California, Los Angeles, 2003.
[6] J. Postel. RFC 791 - Internet Protocol.