
    Countering DoS Attacks With Stateless Multipath Overlays

    Indirection-based overlay networks (IONs) are a promising approach for countering distributed denial of service (DDoS) attacks. Such mechanisms are based on the assumption that attackers will attack a fixed and bounded set of overlay nodes, causing service disruption to a small fraction of the users. In addition, attackers cannot eavesdrop on links inside the network or otherwise gain information that can help them focus their attacks on overlay nodes that are critical for specific communication flows. We develop an analytical model and a new class of attacks that considers both simple and advanced adversaries. We show that the impact of these simple attacks on IONs can severely disrupt communications. We propose a stateless spread-spectrum paradigm to create per-packet path diversity between each pair of end-nodes using a modified ION access protocol. Our system protects end-to-end communications from DoS attacks without sacrificing strong client authentication or allowing an attacker with partial connectivity information to repeatedly disrupt communications. Through analysis, we show that an Akamai-sized overlay can withstand attacks involving over 1.3M "zombie" hosts while providing uninterrupted end-to-end connectivity. By using packet replication, the system can resist attacks that render up to 40% of the nodes inoperable. Surprisingly, our experiments on PlanetLab demonstrate that in many cases end-to-end latency decreases when packet replication is used, with a worst-case increase by a factor of 2.5. Similarly, our system imposes less than 15% performance degradation in the end-to-end throughput, even when subjected to a large DDoS attack.

    LinkWidth: A Method to Measure Link Capacity and Available Bandwidth using Single-End Probes

    We introduce LinkWidth, a method for estimating capacity and available bandwidth using single-end controlled TCP packet probes. To estimate capacity, we generate a train of TCP RST packets "sandwiched" between trains of TCP SYN packets. Capacity is computed from the end-to-end packet dispersion of the received TCP RST/ACK packets corresponding to the TCP SYN packets going to closed ports. Our technique is significantly different from the rest of the packet-pair based measurement techniques, such as CapProbe, pathchar and pathrate, because the long packet trains minimize errors due to bursty cross-traffic. Additionally, TCP RST packets do not generate additional ICMP replies, thus avoiding cross-traffic due to such packets from interfering with our probes. In addition, we use TCP packets for all our probes to prevent QoS-related traffic shaping (based on packet types) from affecting our measurements (e.g., Cisco routers by default are known to have very high latency while generating ICMP TTL expired replies). We extend the Train of Packet Pairs technique to approximate the available link capacity. We use a train of TCP packet pairs with variable intra-pair delays and sizes. This is the first attempt to implement this technique using single-end TCP probes, tested on a range of networks with different bottleneck capacities and cross-traffic rates. The method we use for measuring from a single point of control uses TCP RST packets between a train of TCP SYN packets. The idea is quite similar to the technique for measuring the bottleneck capacity. We compare our prototype with pathchirp, pathload and IPERF, which require control of both ends, as well as another single-end controlled technique, abget, and demonstrate that in most cases our method gives approximately the same results, if not better.

    Deny-by-Default Distributed Security Policy Enforcement in Mobile Ad Hoc Networks

    Mobile Ad-hoc Networks (MANETs) are increasingly employed in tactical military and civil rapid-deployment networks, including emergency rescue operations and ad hoc disaster-relief networks. However, this flexibility of MANETs comes at a price when compared to wired and base station-based wireless networks: MANETs are susceptible to both insider and outsider attacks. This is mainly because of the lack of a well-defined defense perimeter, which prevents the effective use of wired defenses including firewalls and intrusion detection systems. We introduce a novel distributed security policy enforcement architecture that is designed specifically for MANETs. Our approach harnesses and extends the concept of network capabilities and is especially suited for mobile and heterogeneous communication environments. Our model imposes communication restrictions between MANET nodes by enforcing hop-by-hop policies in a distributed manner. We use a deny-by-default principle, allowing compromised nodes to access only authorized services. This significantly limits their ability to disrupt or even interfere with end-to-end connectivity and nodes beyond their local communication radius. In this short paper, we only present the overall architecture of the system.

    Exploiting the Structure in DHT Overlays for DoS Protection

    Peer-to-Peer (P2P) systems that utilize Distributed Hash Tables (DHTs) provide a scalable means to distribute the handling of lookups. However, this scalability comes at the expense of increased vulnerability to specific types of attacks. In this paper, we focus on insider denial of service (DoS) attacks on such systems. In these attacks, nodes that are part of the DHT system are compromised and used to flood other nodes in the DHT with excessive request traffic. We devise a distributed lightweight protocol that detects such attacks, implemented solely within nodes that participate in the DHT. Our approach exploits inherent structural invariants of DHTs to ferret out attacking nodes whose request patterns deviate from "normal" behavior. We evaluate our protocol's ability to detect attackers via simulation within a Chord network. The results show that our system can detect a simple attacker whose attack traffic deviates by as little as 5% from normal request traffic. We also demonstrate the resiliency of our protocol to coordinated attacks by up to as many as 25% of nodes. Our work shows that DHTs can protect themselves from insider flooding attacks, eliminating an important roadblock to their deployment and use in untrusted environments.

    gore: Routing-Assisted Defense Against DDoS Attacks

    We present gore, a routing-assisted defense architecture against distributed denial of service (DDoS) attacks that provides guaranteed levels of access to a network under attack. Our approach uses routing to redirect all traffic destined to a customer under attack to strategically located gore proxies, where servers filter out attack traffic and forward authorized traffic toward its intended destination. Our architecture can be deployed incrementally by individual ISPs, does not require any collaboration between ISPs, and requires no modifications to either server or client software. Clients can be authorized through a web interface that screens legitimate users from outsiders or automated zombies. Authenticated clients are granted limited-time access to the network under attack. The gore architecture allows ISPs to offer DDoS defenses as a value-added service, providing necessary incentives for the deployment of such defenses. We constructed a PC-based testbed to evaluate the performance and scalability of gore. Our preliminary results show that gore is a viable approach, as its impact on the filtered traffic is minimal, in terms of both end-to-end latency and effective throughput. Furthermore, gore can easily be scaled up as needed to support larger numbers of clients and customers using inexpensive commodity PCs.