Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Abstract— Distributed Denial of Service (DDoS) attack is a is performed by a subject-matter expert to identify and
critical threat to the Internet. Currently, most ISPs merely rely characterize the attacking packets. New filtering rules/ access
on manual detection of DDoS attacks after which offline fine- control list are then constructed and installed manually to the
grain traffic analysis is performed and new filtering rules are routers according to the outcome of attack characterization.
installed manually to the routers. The need of human The need of human intervention results in poor response time
intervention results in poor response time and fails to protect the and fails to protect the victim before severe damages are
victim before severe damages are realized. The expressiveness of realized. This procedure also lacks adaptability and renders the
existing filtering rules is also too limited and rigid when system vulnerable towards fast-varying DDoS attacks. Further,
compared to the ever-evolving characteristics of the attacking
the expressiveness of existing rule-based filtering is too
packets. Recently, we have proposed a DDoS defense architecture
that supports distributed detection and automated on-line attack
limited as it requires an explicit specification of all types of
characterization. In this paper, we will focus on the design and packets to be discarded. As the difference between legitimate
evaluation of the automated attack characterization, selective and attacking packets become increasingly subtle, the number
packet discarding and overload control portion of the proposed of required filtering rules as well as the number of packet
architecture. Our key idea is to prioritize packets based on a per- attributes included in each rule explode. Increase in rule-set
packet score which estimates the legitimacy of a packet given the complexity also poses serious scalability problems for high-
attribute values it carries. Special considerations are made to speed implementation of rule-based filtering.
ensure that the scheme is amenable to high-speed hardware
Recently, the DDoS problem has attracted much attention
implementation. Once the score of a packet is computed, we
perform score-based selective packet discarding where the
from the research community. So far, the focus has been on
dropping threshold is dynamically adjusted based on (1) the score the design of traffic marking and traceback protocols [Be01,
distribution of recent incoming packets and (2) the current level Pa01, Sa01, Sn01] which enable downstream routers to
of overload of the system. determine and notify the upstream routers of the attacking
packets. Most of the work emphasizes the backward
Keywords - System design, Simulations, Denial-of-Service compatibility of protocol support for traceback under the
Attack, Security, Overload Control, Selective Packet Discarding, existing Internet infrastructure. Once the upstream sources of
Traffic characterization the attack have been identified, proposed pushback
mechanisms [Io02, Ya02] are used to contain the damage of
I. MOTIVATION the attack. However, the effectiveness of such an approach is
contingent upon the ability to extract a precise characterization
One of the major threats to cyber security is Distributed of the attacking packets. Without such characterization, the
Denial-of-Service (DDoS) attack in which the victim network legitimate traffic within the suspicious flows will be equally
element(s) are bombarded with high volume of fictitious, affected by the pushback mechanism. While there has been
attacking packets originated from a large number of machines. recent work by the data-mining research community to
The aim of the attack is to overload the victim and render it recognize intrusion patterns using offline machine-learning
incapable of performing normal transactions. DDoS attacks approaches [Le98, Ma99], these schemes are mostly offline-
can be categorized into end-point attacks and infrastructure oriented. An exception to this trend is the D-WARD approach
attacks. In an end-point attack, the victim can be an individual [Mi02], which does perform limited statistical traffic profiling
end-host or, more typically, an entire customer stub-network at the edge of the networks to perform online detection of new
served by an Internet Service Provider (ISP). In an types of DDoS attacks. By monitoring the nominal per-
infrastructure attack, high volume of attacking packets are destination type traffic arrival and departure rate of TCP,
forced through a port of an ISP router to create one or more UDP, ICMP packets, as well as any abnormal asymmetrical
choke-points within the ISP infrastructure based on the behavior of the two-way traffic at the edge router connecting
knowledge of the routing pattern within the domain. Currently, to a stub-network, D-WARD aims at stopping DDoS attacks
most ISPs merely rely on manual detection of DDoS attacks. near their sources, i.e., the ingress routers. While such "source-
Once an attack is reported, an offline fine-grain traffic analysis side" tackling approach is attractive in terms of having less
*
Corresponding Authors: yoohwan@ieee.org, lau@bell-labs.com demanding operating-speed and scalability requirements, its
**
The work was done while Professor Chuah was with Bell Labs.
3D-R values, (6) IP/TCP header length4, (7) TCP flag patterns. We
3D-R
are also interested in the fraction of packets which (8) use IP
R
fragmentation and (9) bear incorrect IP/TCP/UDP checksums.
R
DCS
It is worthwhile to consider the joint distribution of the
fraction of packets having various combinations of (10)
packet-size and protocol-type, (11) server port number and
3D-R R
R 3D-R
protocol-type, as well as (12) source IP prefix and TTL value.
DDoS Attack
VIctim To validate our claim of the relatively “invariant” nature of
Victim's Stub Network the distribution of the above packet attributes, we have
conducted extensive statistical analysis on real-life Internet
Stub Network 1
DCS
traces collected from the traffic archive of the WIDE-project
y 3D-R : Detection, Differenciation, Discard Router
[WIDE]. Fig. 2(a)-(d) show the time variation of the
DDoS Control
Information y DCS : DDos Control Server
Exchange y R: Regular Routers
distribution of various packet attributes values observed from a
moderately loaded wide area network link. For each attribute,
Figure 1: Deployment of 3D-Rs and DCSs to tackle DDoS the relative frequency of its values are computed every 10
Attacks minutes for the period between May 10, 1999 8:00pm and May
11, 2:00pm for a total of 108 non-overlapping periods. Fig. 2(a)
III. DETAILED PACKETSCORE METHODOLOGIES shows the time-variation of the distribution of TTL values. In
particular, the ends of the error-bar correspond to the maximum
In this section, we first discuss the design issues as well as and minimum fraction observed for the given TTL value over
implementation details related to the packet differentiation, the aforementioned 18-hour interval and the black-dot
selective packet discarding and overload control the proposed represents the average. The corresponding time-varying
scheme. distributions for protocol-type, packet-size, TCP-flag pattern,
server port number and 16-bit source IP prefix are shown in
A. Packet Differentiation via Fine-grain Traffic Profile Fig. 2 (b)-(f) respectively. Notice from Fig. 2 that while the
Comparison fraction of an attribute value does vary over the 18-hour period,
Once a DDoS attack is detected, the next step is to the variation is always within a few percentage of the total
distinguish the attacking packets from the legitimate ones number of packets arrived over a 10-minute window. Due to
amongst the suspicious traffic. Our approach is to perform the overwhelming volume of DDoS attack packets compared to
online profiling of the suspicious traffic and compare the normal ones, the formers are expected to increase the fraction
findings with the nominal traffic profile of the victim. The of particular attribute values they carry by more than a few
viability of this approach is based on the premise that there are percentage and change the overall distribution substantially.
some traffic characteristics that are inherently stable during Furthermore, the variability of nominal attribute value
normal network operations of a target network, in the absence distribution can be substantially reduced if hourly time-of-the-
of DDoS attacks. day profiles are used.
A disproportional increase in the relative frequency of a One may argue that it is relatively straightforward for a
particular packet attribute value is an indication that the sophisticated attacker to learn the approximated distribution of
attacking packets also share the same value for that particular some attributes, e.g. protocol-type, TCP-flag pattern and
attribute. The greater the disproportional increase, the stronger packet-size, based on publicly available data on Internet traffic
the indication. The more "abnormal" attribute values a packet characteristics, and thus be able to generate the attribute
possesses, the higher the probability that the packet is an distributions for the attacking packets accordingly to
attacking packet. For example, if it is found via that the circumvent our profile-based differentiation scheme.
suspicious packets contain abnormally high percentage of (1)
UDP packets and (2) packets of size S and (3) packets with
TTL value T, then UDP packets of size S and TTL value T
destined to the DDoS victim should be treated as prime
suspects and given lower priority upon selective packet
2
discarding during overload. We employ the heuristics of taking the server port number to be
the minimum of the source and destination port numbers carried by
Candidate packet attributes considered to be used for the packet. This eliminate the need of identifying whether the packet
traffic profiling include: the marginal distributions of the is client-bound or server-bound. Also, since client port number is
fraction1 of recently arrived packets having various (1) IP usually selected in random by the client operating system, it does not
meet the “invariant” criteria to be used for profiling.
3
In our study, we have used the 16-bit IP prefix as an
1
Profiling against relative frequency of different attribute values approximation of the IP subnet. In practice, we can extract the actual
(instead of absolute packet arrival rates) helps to alleviate the prefix-length of the subnet from routing tables and/or route-server
difficulties caused by the expected fluctuation of nominal traffic databases.
4
arrival rates due to time-of-the-day and day-of-the-week behavior. This is to detect possible abuse of IP/TCP options.
Fraction
0.1 0.3
Fraction
0.08 0.2
0.06
0.1
0.04
0.02 0
100
1
10
19
28
37
46
55
64
73
82
91
0
1
17
33
49
65
81
97
113
129
145
161
177
193
209
225
241
Server Port
TTL
Figure 2 (e): Server Port distribution
Figure 2 (a): Time variation of TTL value distribution
0.14
1
0.12
0.9
0.8
0.7
0.1
Fraction
0.6
Fraction
0.5 0.08
0.4
0.3 0.06
0.2
0.1 0.04
0
1 5 9 13 17 21 25 29 33 37 41 45 49 53 57 61 65 69 73 77 81 85 89 0.02
Protocol Type 0
1
2265
4529
6793
9057
11321
13585
15849
18113
20377
22641
24905
27169
29433
31697
Figure 2 (b): Time variation of Protocol Type distribution
16-bit IP prefix
0.6
Figure 2 (f): Source IP prefix distribution
0.5
0.4 Figure 2: Time Variation of Packet Attribute Values Distribution
Fraction
0.3
0.2 Note however that distributions of other attributes such as
0.1 TTL and source IP-prefixes, and to a lesser extent, server-port
0
distribution, are expected to be site-dependent (or link/port
dependent) and thus more difficult for an outside attacker to
1
11
21
31
41
51
61
71
81
91
101
111
121
131
141
151
0.6
Control
scheme will set Φ to zero.
Update CDF of Scores
Path
Attr 2 score
...
per-packet
alone setting via simulation. Unless stated otherwise, the
Scorebooks port 21 0.06
port 80 0.37
... ...
+ score
If yes,
default settings for the simulation is summarized in Table 1.
discard the
Attack Type Generic attack in Section IV A
.....
packet
Optional
Sampling
Scorebook/ Every 60 seconds
Update upon scorebook changes CDF Update
Real-Time Traffic Profiling Interval
Generate Baseline Profile Five 10-minute windows of traffic, collected
Update
Iceberg-style
Scorebooks
(periodically Nominal
between 8:00pm to 8:10pm, Monday through
Histograms or upon Traffic
Profile
Friday, in the week of May 10, 1999, by the
(for suspicious substantial
traffic profile) profile WIDE project [WIDE].
changes)
Target Max. Set to the maximum incoming load of the
Load ( ρ target ) baseline profile observed over any 10-minute
period. This corresponds to 1660 pps for the
Figure 3: Packet Differentiation and Overload Control default baseline profile.
Legitimate Use a trace of the same link, collected between
Once the required packet-discarding percentage, Φ , is traffic 8:00pm to 10:00pm, Tue, May 11, 1999. Its
average arrival rate is 900pps.
determined, the corresponding CLP discarding threshold, Thd, Attack Intensity 10 times the nominal arrival rate
is looked up from a recent snapshot of the CDF of the CLP Scoring Option 5 in Section IV D
values of all suspicious packets. The use of a snapshot version Strategy
of the CDF (instead of the most up-to-date one) eliminates Iceberg Thd 90%-adaptive-coverage scheme in Section IV E
possible race-conditions between discarding threshold updates Table 1: Default Simulation Settings
and CDF changes upon new packet arrivals. The snapshot is
updated periodically or upon significant changes of the packet Performance Criteria: First, we examine the differences in
score distribution. The adjustment of the CLP discarding the score distribution for attack and legitimate packets. Such
threshold, as well as the load-shedding algorithm, are expected differences are quantified using 2 metrics, namely, RA and RL
to operate at a time-scale which is considerably longer than the as illustrated in Fig. 4.
packet arrival time-scale.
When a suspicious packet8 arrives, the following tasks are
A tta c k P a c k e t L e g itim a te P a c k e t
performed in parallel: S c o re D is trib u tio n S c o re D is trib u tio n
PDF
the fine-grain traffic profile, i.e. measured histograms, of Figure 4: Characterizing difference in Score Distribution between
the suspicious traffic. legitimate and attacking packets
(3) The CLP-based score is computed for the arriving Let MinL (MaxA ) be the lowest (highest) score observed
packet using frozen scorebooks generated from a recent for the incoming legitimate (attacking) packets. Define RA
snapshot of suspicious traffic profile. (RL) to be the fraction of attacking (legitimate) packets which
Once the score of an arriving packet is computed, the score have a score below MinL (above MaxA). The closer of the
CDF is updated. The packet is then discarded if its score is values of RA and RL to 100%, the better the score-
below the current discarding threshold, Thd. Notice that the differentiation power. In practice, the score distributions
use of frozen scorebooks is essential for the parallelization of usually have long but thin tails due to very few outliner
packets with extreme scores. To avoid the masking effect of
such outliers, we have taken MinL (MaxA) to be the 1st (99th)
8
For endpoint attacks, the suspicious packets are the ones which percentile of the score distribution of legitimate (attacking)
destinate to the victim subnet. For infrastructure attacks, all the packets. A typical set of score distributions for the attacking
packets passing through the victim choke-point are considered to be and legitimate packets are shown in Fig 5.
suspicious.
16667 trace). Since the incoming traffic rate for the Thursday and
8333 Friday traces are significantly greater than the Monday one,
10000
1664 such default choice of ρ target inadvertently forces the system to
900 899 897 896 896 discard a significant portion of legitimate packets. As shown in
1000
754 753 747 742 736 Table 4, the poor performance due to the mismatch among
different daily legitimate traffic profile and ρ target can be
100
x1
1 x2 5 x310 x420 x525 overcome by using the default weekly profile as described in
Table 1.
Attack Intensity
D. Different Scoring Strategies
Figure 6: Effect of Increasing Attack Intensity In this subsection, we explore the trade-offs of using
different combinations of marginal and joint attribute
Conversely, this reveals a limitation of the PacketScore distributions in establishing the nominal profile. Table 5
approach: it is designed to protect against DDoS attacks which describes the options for baseline profile/scorebook
create their damage by overloading the victim with their sheer- generation. Fig. 7 shows the differentiation performance and
volume of traffic. PacketScore is not effective against attacks storage requirements of these five scoring options. As
which are based on very-low traffic volume, e.g. in Tear-Drop expected, among the five options, (5) yields the best scoring/
or Ping-of-Death attacks where a single carefully crafted differentiation performance at the expense of increased storage
packet is used to crash the entire system. Signature-based
size for baseline-profile and scorebook, while (1) has the
filtering would be more appropriate for such types of attacks.
smallest baseline-profile/ scorebook footprint. The
performance improvement of (2) over (1), (as well as (4) over
C. Nominal Profile Sensitivity
(3)) is due to the exploit of dependency among packet-size,
In this subsection, we study the effect of the choice of protocol-type and server-port number.
nominal profile.
Normalized. Storage
25
(in %)
{ }
[Mazu] Mazu Networks Inc. http://www.mazunetworks.com
i
[Mi02] J. Mirkovic, G. Prier, P. Reiher, “Attacking DDoS at the Source,” Ψ i = max min Ψ 0 ∏ φ j ,1 , Ψ min .
ICNP, Nov. 2002. j =1
[Pa01] K. Park and H. Lee, “On the Effectiveness of Probabilistic Packet
Marking for IP Traceback under Denial of Service Attack,” Infocom, 2001.