Galeta Vitaliy, Zharova Olena, Oleksandr Kukri
Department of Telecommunication Systems, National
Aviation University, Ukraine, prosp. Komarova, 1, E-mail: vitaliy@galeta.org
Network-Layer DoS Defense Against Botnets
1. INTRODUCTION
Large-scale denial of service (DoS) attacks remain a serious threat to the reliability of the Internet. Despite much improved software security, botnets are still getting bigger. In March 2007, the number of bot-infected machines tracked by a single group was estimated to reach 1.2 million. In June 2007, a presentation from Support Intelligence Inc. reported 48 million infected IP addresses observed in a six-month period. In September 2007, the estimated size of the Storm botnet alone reached 50 million. It is a distressing fact that the dark side possesses this vast amount of computing power: if each bot sends one full-sized packet per second (1500 bytes, i.e. 12 kbps), the aggregated attack traffic from a 10-million-node botnet would reach 120 Gbps (10^7 x 1500 bytes x 8 bits per second) before link-layer overhead, sufficient to take down anyone on the Internet. The recent attacks on Estonia are perhaps only the tip of the iceberg of what attackers are capable of.
Many solutions have been proposed to battle the DoS problem, yet there is no consensus on how to build a DoS-resistant network architecture. Among the various proposals, two schools of thought are particularly intriguing: the capability-based approach and the filter-based approach. Both promise to let a receiver control the traffic it receives, but they differ significantly in methodology. The capability approach lets a receiver explicitly authorize the traffic it desires to receive, while the filter approach lets a receiver install dynamic network filters that block the traffic it does not desire to receive. Advocates of filters have argued that "capabilities are neither sufficient nor necessary to combat DoS", while proponents of capabilities "strongly disagree".
As a first step towards reaching a consensus, we aim to understand the roles of filters and capabilities: which one is the more effective DoS defense mechanism? Ideally, to answer this question, one would systematically compare filter-based designs with capability-based ones. Unfortunately, this simple approach is not viable, because capability-based systems have been improved considerably in the past few years, whereas there is no comprehensive filter-based architecture to compare them with. The most complete work on filters, AITF, has a few limitations that prohibit a fair comparison between filters and capabilities. For instance, AITF verifies the legitimacy of a filter request using a three-way handshake. If the flooded link is outside the victim's AS, the three-way handshake may not complete, because the handshake packets traverse the same flooded link as the attack traffic and are dropped along with it, so filters may never be installed. Another filter-based system, Pushback, does not completely block attack traffic; instead, it aims to rate-limit the attack traffic to its fair share of bandwidth.
To address this issue, we first design and implement a secure and effective filter-based DoS defense architecture, StopIt. StopIt employs a novel closed-control and open-service architecture to combat various strategic attacks against the defense system itself, and to enable any receiver to block the undesired traffic it receives. Unlike previous work, StopIt is resistant both to strategic filter exhaustion attacks (§ 4) and to bandwidth flooding attacks that aim to prevent the timely installation of filters. We implement the StopIt design on Linux using Click and evaluate it on Deterlab. Our experiments suggest that StopIt enables a receiver to block the undesired traffic from a few million attackers in tens of minutes, and that routers with 256K hardware filters and less than 200 MB of DRAM can block the attack traffic from misbehaving hosts without inflicting damage on legitimate traffic.
The StopIt design demonstrates the feasibility of a filter-based approach and enables a systematic comparison between filters and capabilities. We compare StopIt with two well-known capability-based systems (TVA and Portcullis) and with previous filter-based designs (AITF and Pushback) using ns-2 simulations of how the different systems perform under various DoS attacks. The simulation results show that StopIt outperforms AITF and Pushback under all types of attacks in terms of protecting legitimate communications from being disrupted. This is because it is designed to be resistant to strategic attacks, so filters can still be installed under those attacks, while the other systems either fail to install filters or do not entirely block attack traffic. However, StopIt does not always outperform a capability-based system. When the attack traffic does not reach the victim but congests a link shared by the victim, for instance because the attack traffic is addressed to a non-upgraded receiver or its TTLs expire before it reaches the victim, no filters are installed and a capability-based system outperforms StopIt. This is because capabilities robustly enable a destination to control the bulk of a link's bandwidth even if the attack traffic does not reach it.
These results suggest that both filters and capabilities are viable choices for building a DoS-resistant network architecture, although neither is more effective than the other under all types of attacks. A DoS-resistant network architecture is therefore likely to incorporate multiple mechanisms. We suspect that the combination of StopIt and capabilities would be the most effective solution, but it may be too expensive in terms of deployment cost. On the other hand, the combination of source address authentication, per-AS bandwidth fairness, capabilities, and moderate bandwidth provisioning would be the most cost-effective solution, owing to the robustness of capabilities and the relative simplicity of a capability-based design. Validating these hypotheses is future work.
2. DESIGN SPACE
Before we dive into the design details of the StopIt architecture, we describe the threat model the design aims to combat, the assumptions we make, and the design goals.
2.1 Threat Model
The key threat we are concerned with is network resource exhaustion attacks, in which compromised machines send packet floods to exhaust shared network resources such as link bandwidth and routers' memory or CPU.
We assume that both routers and hosts can be compromised, but that user-administered hosts are more likely to be compromised than operator-administered routers and servers. Our design therefore places more trust in routers and servers managed by the network than in end systems. We also assume that an Autonomous System (AS) is a fate-sharing and trust unit: if one component in an AS (e.g., a router) is compromised, we consider the whole AS compromised. A compromised host can inject arbitrary traffic into the network. A compromised AS can not only inject traffic, but also eavesdrop on, modify, or discard the traffic that it forwards. A compromised AS that is on the forwarding path from a source to a destination is referred to as an on-path attacker; otherwise it is an off-path attacker.
While we cannot foresee all types of DoS flooding attacks, we focus on two general ones:
Destination Flooding Attacks: Attackers send traffic floods to a destination in order to disrupt the destination's communications.
Link Flooding Attacks: This type of attack aims to congest a link and disrupt the legitimate communications that share the link. The destinations of the attack traffic will not attempt to stop it. This can happen in many scenarios, such as: 1) the attack traffic is diffused among a large set of destinations, each receiving only a small amount that is not worth blocking; 2) the attack traffic's TTLs expire before it reaches the destinations; 3) no hosts reside at the destination addresses; 4) the destinations have not deployed a DoS defense system; or 5) the destinations are compromised machines that coordinate the attack.
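The Introduction's comparison of filters and capabilities, and the distinction above between destination flooding and link flooding, can be made concrete with a small bottleneck-link model. The following is an added illustration written for this page; it is not code from the StopIt implementation or its ns-2 simulations, and all of its numbers and modelling choices (the 1 Gbps link, the 90% privileged share given to capability-carrying packets, proportional sharing on a congested drop-tail link, the 12 kbps per-bot rate) are assumptions made for the example.

```python
"""Toy bottleneck-link model contrasting a filter-based and a capability-based
DoS defense.  Constructed illustration, not the StopIt code, its ns-2 scripts,
or the paper's measured numbers.

Assumptions (all made for this example, none taken from the paper):
  * one bottleneck link of capacity LINK_MBPS carries the victim's legitimate
    traffic together with all attack traffic;
  * a congested drop-tail link shares capacity among flows in proportion to
    their offered load;
  * filter defense: the victim installs a filter for every source that floods
    it, and filtered packets are dropped before the bottleneck; attack traffic
    addressed to destinations that will not block it is never filtered;
  * capability defense: packets carrying a capability issued by the victim are
    served from a reserved PRIVILEGED_SHARE of the link, and unauthorized
    traffic competes only for the remainder.
"""
from dataclasses import dataclass

LINK_MBPS = 1000.0       # bottleneck capacity (assumed)
PRIVILEGED_SHARE = 0.9   # fraction of the link reserved for authorized packets (assumed)


@dataclass(frozen=True)
class Scenario:
    legit_mbps: float   # legitimate traffic addressed to the victim
    bots: int           # number of attacking hosts
    bot_mbps: float     # per-bot sending rate
    to_victim: float    # fraction of attack traffic addressed to the victim (0..1)

    @property
    def attack_mbps(self) -> float:
        return self.bots * self.bot_mbps


def fifo_share(wanted: float, competing: float, capacity: float) -> float:
    """Bandwidth a flow offering `wanted` Mbps obtains on a drop-tail link of
    `capacity` Mbps shared with `competing` Mbps of other traffic."""
    total = wanted + competing
    if total <= capacity:
        return wanted
    return capacity * wanted / total


def legit_no_defense(s: Scenario) -> float:
    """Legitimate throughput when nothing is filtered or authorized."""
    return fifo_share(s.legit_mbps, s.attack_mbps, LINK_MBPS)


def legit_with_filters(s: Scenario) -> float:
    """Filter defense: only traffic that reaches the victim can be filtered.
    The (1 - to_victim) fraction that lands on non-upgraded receivers, expires
    (TTL) or has no host behind it is never blocked and still congests the link."""
    unfiltered_attack = s.attack_mbps * (1.0 - s.to_victim)
    return fifo_share(s.legit_mbps, unfiltered_attack, LINK_MBPS)


def legit_with_capabilities(s: Scenario) -> float:
    """Capability defense: the victim's legitimate senders hold capabilities and
    are served from the privileged share regardless of where the attack traffic
    is addressed.  Attack packets carry no capability from the victim, so they
    are confined to the unprivileged remainder of the link."""
    privileged_capacity = LINK_MBPS * PRIVILEGED_SHARE
    # Only capability-carrying traffic competes inside the privileged share; in
    # this model that is just the victim's own legitimate traffic.
    return fifo_share(s.legit_mbps, 0.0, privileged_capacity)


def compare(s: Scenario) -> dict:
    """Legitimate throughput (Mbps) the victim sees under each defense."""
    return {
        "none": legit_no_defense(s),
        "filters": legit_with_filters(s),
        "capabilities": legit_with_capabilities(s),
    }


if __name__ == "__main__":
    # One million bots, each sending one 1500-byte packet per second (12 kbps),
    # i.e. 12 Gbps of attack traffic aimed across a 1 Gbps bottleneck.
    for frac in (1.0, 0.5, 0.0):
        s = Scenario(legit_mbps=100.0, bots=1_000_000, bot_mbps=0.012, to_victim=frac)
        r = compare(s)
        print(f"attack fraction addressed to victim={frac:.1f}: "
              f"none={r['none']:.1f}  filters={r['filters']:.1f}  "
              f"capabilities={r['capabilities']:.1f} Mbps")
```

With all attack traffic addressed to the victim (pure destination flooding) the filter defense restores the full 100 Mbps of legitimate throughput, exactly as capabilities do. As the fraction addressed to the victim falls, the unfilterable remainder keeps congesting the shared link and the filter defense degrades towards the undefended case (about 8 Mbps here), while the capability defense is unaffected because the victim's authorized senders never compete with unauthorized packets. The crossover is the point the Introduction makes: filters need the attack traffic to reach a party that will block it, capabilities do not.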
3. CONCLUSION
This work aims to understand the effectiveness of filters and capabilities in battling DoS attacks. In the paper, we present the design and evaluation of StopIt, a filter-based DoS defense system. StopIt enables a receiver to install a network filter that blocks the undesired traffic it receives. Its design uses a novel closed-control and open-service architecture to battle strategic attacks that aim to prevent filters from being installed, and to provide the StopIt service to any host on the Internet. We implement the design and evaluate its performance using both simulations and emulations, and then compare its performance with other capability-based and filter-based DoS defense systems. Our evaluation shows that StopIt outperforms existing filter-based designs and is highly effective in providing uninterrupted communications under a wide range of DoS attacks. However, it does not always outperform a capability-based system: if the attack traffic does not reach the victim but congests a link shared by the victim, a capability-based design is more effective. From this study, we conclude that both filters and capabilities are highly effective DoS defense mechanisms, but neither is more effective than the other under all types of DoS attacks. It is our future work to study how to build a DoS-resistant network architecture from the most cost-effective combination of DoS defense mechanisms.
4. REFERENCES
[1] IEEE Standard 802.1X. http://www.ieee802.org/1/pages/802.1x.html, 2001.
[2] D. Andersen, H. Balakrishnan, N. Feamster, T. Koponen, D. Moon, and S. Shenker. Holding the Internet Accountable. In ACM HotNets-VI, 2007.
[3] M. Casado, P. Cao, A. Akella, and N. Provos. Flow-Cookies: Using Bandwidth Amplification to Defend Against DDoS Flooding Attacks. In IWQoS, 2006.
[4] Deterlab. http://www.deterlab.net/.
[5] C. Dixon, A. Krishnamurthy, and T. Anderson. Phalanx: Withstanding Multimillion-node Botnets. In USENIX/ACM NSDI, 2008.
[6] P. Ferguson and D. Senie. Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing. RFC 2827, 2000.
[7] K. Foster. Application of BGP Communities. The Internet Protocol Journal, 6(2), 2003.
[8] E. Kohler, R. Morris, B. Chen, J. Jannotti, and M. F. Kaashoek. The Click Modular Router. ACM TOCS, 18(3), 2000.
[9] T. Krovetz. Software-Optimized Universal Hashing and Message Authentication. UC Davis Ph.D. Dissertation, 2000.
[10] E. Larkin. Storm Worm's Virulence may Change Tactics. http://www.networkworld.com/news/2007/080207-black-hat-storm-worms-virulence.html, 2007.
[11] R. Mahajan, S. M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S. Shenker. Controlling High Bandwidth Aggregates in the Network. SIGCOMM CCR, 32(3), 2002.
[12] A. Mahimkar, J. Dange, V. Shmatikov, H. Vin, and Y. Zhang. dFence: Transparent Network-based Denial of Service Mitigation. In NSDI, 2007.
[13] P. McKenney. Stochastic Fairness Queueing. In IEEE INFOCOM, 1990.
[14] J. Nazario. Estonian DDoS Attacks - A Summary to Date. http://asert.arbornetworks.com/2007/05/estonian-ddos-attacks-a-summary-to-date/, 2007.