A composable approach to design of newer techniques for large-scale denial-of-service attack attribution

Since its early days, the Internet has witnessed not only a phenomenal growth, but also a large number of security attacks, and in recent years, denial-of-service (DoS) attacks have emerged as one of the top threats. The stateless and destination-oriented Internet routing combined with the ability to harness a large number of compromised machines and the relative ease and low costs of launching such attacks has made this a hard problem to address. Additionally, the myriad requirements of scalability, incremental deployment, adequate user privacy protections, and appropriate economic incentives has further complicated the design of DDoS defense mechanisms. While the many research proposals to date have focussed differently on prevention, mitigation, or traceback of DDoS attacks, the lack of a comprehensive approach satisfying the different design criteria for successful attack attribution is indeed disturbing. Our first contribution here has been the design of a composable data model that has helped us represent the various dimensions of the attack attribution problem, particularly the performance attributes of accuracy, effectiveness, speed and overhead, as orthogonal and mutually independent design considerations. We have then designed custom optimizations along each of these dimensions, and have further integrated them into a single composite model, to provide strong performance guarantees. Thus, the proposed model has given us a single framework that can not only address the individual shortcomings of the various known attack attribution techniques, but also provide a more wholesome counter-measure against DDoS attacks. Our second contribution here has been a concrete implementation based on the proposed composable data model, having adopted a graph-theoretic approach to identify and subsequently stitch together individual edge fragments in the Internet graph to reveal the true routing path of any network data packet. The proposed approach has been analyzed through theoretical and experimental evaluation across multiple metrics, including scalability, incremental deployment, speed and efficiency of the distributed algorithm, and finally the total overhead associated with its deployment. We have thereby shown that it is realistically feasible to provide strong performance and scalability guarantees for Internet-wide attack attribution. Our third contribution here has further advanced the state of the art by directly identifying individual path fragments in the Internet graph, having adopted a distributed divide-and-conquer approach employing simple recurrence relations as individual building blocks. A detailed analysis of the proposed approach on real-life Internet topologies with respect to network storage and traffic overhead, has provided a more realistic characterization. Thus, not only does the proposed approach lend well for simplified operations at scale but can also provide robust network-wide performance and security guarantees for Internet-wide attack attribution. Our final contribution here has introduced the notion of anonymity in the overall attack attribution process to significantly broaden its scope. The highly invasive nature of wide-spread data gathering for network traceback continues to violate one of the key principles of Internet use today - the ability to stay anonymous and operate freely without retribution. In this regard, we have successfully reconciled these mutually divergent requirements to make it not only economically feasible and politically viable but also socially acceptable. This work opens up several directions for future research - analysis of existing attack attribution techniques to identify further scope for improvements, incorporation of newer attributes into the design framework of the composable data model abstraction, and finally design of newer attack attribution techniques that comprehensively integrate the various attack prevention, mitigation and traceback techniques in an efficient manner

Towards IP traceback based defense against DDoS attacks.

Lau Nga Sin.Thesis (M.Phil.)--Chinese University of Hong Kong, 2004.Includes bibliographical references (leaves 101-110).Abstracts in English and Chinese.Abstract --- p.iAcknowledgement --- p.ivChapter 1 --- Introduction --- p.1Chapter 1.1 --- Research Motivation --- p.2Chapter 1.2 --- Problem Statement --- p.3Chapter 1.3 --- Research Objectives --- p.4Chapter 1.4 --- Structure of the Thesis --- p.6Chapter 2 --- Background Study on DDoS Attacks --- p.8Chapter 2.1 --- Distributed Denial of Service Attacks --- p.8Chapter 2.1.1 --- DDoS Attack Architecture --- p.9Chapter 2.1.2 --- DDoS Attack Taxonomy --- p.11Chapter 2.1.3 --- DDoS Tools --- p.19Chapter 2.1.4 --- DDoS Detection --- p.21Chapter 2.2 --- DDoS Countermeasure: Attack Source Traceback --- p.23Chapter 2.2.1 --- Link Testing --- p.23Chapter 2.2.2 --- Logging --- p.24Chapter 2.2.3 --- ICMP-based traceback --- p.26Chapter 2.2.4 --- Packet marking --- p.28Chapter 2.2.5 --- Comparison of various IP Traceback Schemes --- p.31Chapter 2.3 --- DDoS Countermeasure: Packet Filtering --- p.33Chapter 2.3.1 --- Ingress Filtering --- p.33Chapter 2.3.2 --- Egress Filtering --- p.34Chapter 2.3.3 --- Route-based Packet Filtering --- p.35Chapter 2.3.4 --- IP Traceback-based Packet Filtering --- p.36Chapter 2.3.5 --- Router-based Pushback --- p.37Chapter 3 --- Domain-based IP Traceback Scheme --- p.40Chapter 3.1 --- Overview of our IP Traceback Scheme --- p.41Chapter 3.2 --- Assumptions --- p.44Chapter 3.3 --- Proposed Packet Marking Scheme --- p.45Chapter 3.3.1 --- IP Markings with Edge Sampling --- p.46Chapter 3.3.2 --- Domain-based Design Motivation --- p.48Chapter 3.3.3 --- Mathematical Principle --- p.49Chapter 3.3.4 --- Marking Mechanism --- p.51Chapter 3.3.5 --- Storage Space of the Marking Fields --- p.56Chapter 3.3.6 --- Packet Marking Integrity --- p.57Chapter 3.3.7 --- Path Reconstruction --- p.58Chapter 4 --- Route-based Packet Filtering Scheme --- p.62Chapter 4.1 --- Placement of Filters --- p.63Chapter 4.1.1 --- At Sources' Networks --- p.64Chapter 4.1.2 --- At Victim's Network --- p.64Chapter 4.2 --- Proposed Packet Filtering Scheme --- p.65Chapter 4.2.1 --- Classification of Packets --- p.66Chapter 4.2.2 --- Filtering Mechanism --- p.67Chapter 5 --- Performance Evaluation --- p.70Chapter 5.1 --- Simulation Setup --- p.70Chapter 5.2 --- Experiments on IP Traceback Scheme --- p.72Chapter 5.2.1 --- Performance Metrics --- p.72Chapter 5.2.2 --- Choice of Marking Probabilities --- p.73Chapter 5.2.3 --- Experimental Results --- p.75Chapter 5.3 --- Experiments on Packet Filtering Scheme --- p.82Chapter 5.3.1 --- Performance Metrics --- p.82Chapter 5.3.2 --- Choices of Filtering Probabilities --- p.84Chapter 5.3.3 --- Experimental Results --- p.85Chapter 5.4 --- Deployment Issues --- p.91Chapter 5.4.1 --- Backward Compatibility --- p.91Chapter 5.4.2 --- Processing Overheads to the Routers and Network --- p.93Chapter 5.5 --- Evaluations --- p.95Chapter 6 --- Conclusion --- p.96Chapter 6.1 --- Contributions --- p.96Chapter 6.2 --- Discussions and future work --- p.99Bibliography --- p.11

Defending against low-rate TCP attack: dynamic detection and protection.

Sun Haibin.Thesis (M.Phil.)--Chinese University of Hong Kong, 2005.Includes bibliographical references (leaves 89-96).Abstracts in English and Chinese.Abstract --- p.iChinese Abstract --- p.iiiAcknowledgement --- p.ivChapter 1 --- Introduction --- p.1Chapter 2 --- Background Study and Related Work --- p.5Chapter 2.1 --- Victim Exhaustion DoS/DDoS Attacks --- p.6Chapter 2.1.1 --- Direct DoS/DDoS Attacks --- p.7Chapter 2.1.2 --- Reflector DoS/DDoS Attacks --- p.8Chapter 2.1.3 --- Spoofed Packet Filtering --- p.9Chapter 2.1.4 --- IP Traceback --- p.13Chapter 2.1.5 --- Location Hiding --- p.20Chapter 2.2 --- QoS Based DoS Attacks --- p.22Chapter 2.2.1 --- Introduction to the QoS Based DoS Attacks --- p.22Chapter 2.2.2 --- Countermeasures to the QoS Based DoS Attacks --- p.22Chapter 2.3 --- Worm based DoS Attacks --- p.24Chapter 2.3.1 --- Introduction to the Worm based DoS Attacks --- p.24Chapter 2.3.2 --- Countermeasures to the Worm Based DoS Attacks --- p.24Chapter 2.4 --- Low-rate TCP Attack and RoQ Attacks --- p.26Chapter 2.4.1 --- General Introduction of Low-rate Attack --- p.26Chapter 2.4.2 --- Introduction of RoQ Attack --- p.27Chapter 3 --- Formal Description of Low-rate TCP Attacks --- p.28Chapter 3.1 --- Mathematical Model of Low-rate TCP Attacks --- p.28Chapter 3 2 --- Other forms of Low-rate TCP Attacks --- p.31Chapter 4 --- Distributed Detection Mechanism --- p.34Chapter 4.1 --- General Consideration of Distributed Detection . --- p.34Chapter 4.2 --- Design of Low-rate Attack Detection Algorithm . --- p.36Chapter 4.3 --- Statistical Sampling of Incoming Traffic --- p.37Chapter 4.4 --- Noise Filtering --- p.38Chapter 4.5 --- Feature Extraction --- p.39Chapter 4.6 --- Pattern Matching via the Dynamic Time Warping (DTW) Method --- p.41Chapter 4.7 --- Robustness and Accuracy of DTW --- p.45Chapter 4.7.1 --- DTW values for low-rate attack: --- p.46Chapter 4.7.2 --- DTW values for legitimate traffic (Gaussian): --- p.47Chapter 4.7.3 --- DTW values for legitimate traffic (Self-similar): --- p.48Chapter 5 --- Low-Rate Attack Defense Mechanism --- p.52Chapter 5.1 --- Design of Defense Mechanism --- p.52Chapter 5.2 --- Analysis of Deficit Round Robin Algorithm --- p.54Chapter 6 --- Fluid Model of TCP Flows --- p.56Chapter 6.1 --- Fluid Math. Model of TCP under DRR --- p.56Chapter 6.1.1 --- Model of TCP on a Droptail Router --- p.56Chapter 6.1.2 --- Model of TCP on a DRR Router --- p.60Chapter 6.2 --- Simulation of TCP Fluid Model --- p.62Chapter 6.2.1 --- Simulation of Attack with Single TCP Flow --- p.62Chapter 6.2.2 --- Simulation of Attack with Multiple TCP flows --- p.64Chapter 7 --- Experiments --- p.69Chapter 7.1 --- Experiment 1 (Single TCP flow vs. single source attack) --- p.69Chapter 7.2 --- Experiment 2 (Multiple TCP flows vs. single source attack) --- p.72Chapter 7.3 --- Experiment 3 (Multiple TCP flows vs. synchro- nized distributed low-rate attack) --- p.74Chapter 7.4 --- Experiment 4 (Network model of low-rate attack vs. Multiple TCP flows) --- p.77Chapter 8 --- Conclusion --- p.83Chapter A --- Lemmas and Theorem Derivation --- p.85Bibliography --- p.8

Trace malicious source to guarantee cyber security for mass monitor critical infrastructure

The proposed traceback scheme does not take into account the trust of node which leads to the low effectiveness. A trust-aware probability marking (TAPM) traceback scheme is proposed to locate malicious source quickly. In TAPM scheme, the node is marked with difference marking probability according to its trust which is deduced by trust evaluation. The high marking probability for low trust node can locate malicious source quickly, and the low marking probability for high trust node can reduce the number of marking to improve the network lifetime, so the security and the network lifetime can be improved in TAPM scheme