A Dynamic Path Identification Mechanism to Defend Against DDoS Attacks

GangShin Lee (1), Heeran Lim (2), Manpyo Hong (2), and Dong Hoon Lee (1)

(1) Center for Information Security Technologies (CIST), Korea University, Seoul, Korea
(2) Internet Immune System Laboratory, Ajou University, Suwon, Korea

Abstract. Many researchers have tried to design mechanisms to resist Distributed Denial of Service (DDoS) attacks, but none of them has been satisfactory. Recently, Yaar et al. [1] proposed the Pi (short for Path Identifier) marking scheme as one solution: it is fast, and it lets the victim drop attack packets while accepting user packets on a per-packet basis, keeping both false positives (user packets dropped) and false negatives (attack packets accepted) low. The 16-bit IP Identification field is used as the marking space. Every router en route to the victim marks 1 bit or 2 bits of it, the marking position advancing with the TTL and wrapping around. The victim drops packets whose marks appear in its list of attack markings. The performance of Pi was measured for a fixed marking size of 1 or 2 bits. This paper proposes choosing the marking bit size dynamically according to the hop count of the path. Compared with the existing fixed-size scheme, the filtering performance improves considerably.

1 Introduction

Many researchers have tried to design mechanisms to resist Distributed Denial of Service (DDoS) attacks [1,3,4,5,6,7,8]. On 25 January 2003 the SQL Slammer worm hit the Korean backbone networks hard, owing to the high-speed networks, the absence of DNS root servers in the country, and inappropriate packet filtering, among other factors. According to the CAIDA report, 90% of the vulnerable MS-SQL servers worldwide were infected within 10 minutes [9]. Attacks of this kind must therefore be blocked quickly. Several methods exist to defend against DDoS attacks, for example IP traceback [7,10,11,12,13,14] and pushback [8,15], but they cannot drop attack packets immediately, because they need time to collect enough packets and to reconstruct the attack path. A. Yaar et al. proposed a new method that drops attack packets immediately, on a per-packet basis, using a static marking scheme [1]. Better performance can be expected if the Pi marking scheme best suited to each packet is applied by the routers en route to the victim. This paper therefore proposes a dynamic bit marking scheme.

C. Kim (Ed.): ICOIN 2005, LNCS 3391, pp. 806–813, 2005. © Springer-Verlag Berlin Heidelberg 2005

The remainder of the paper is organized as follows. In Section 2 we review and analyze previous research and propose the new idea. In Section 3 we design the dynamic Pi marking scheme, each router's marking algorithm, and the filtering scheme for a given network topology. In Section 4 we compare the results of A. Yaar et al.'s scheme and the dynamic marking bit scheme. Section 5 gives conclusions and future work.

2 Previous Research

Three papers on Pi marking and filtering have been published so far [1,6,16]. In the first [1], filtering is done on a per-packet basis rather than per flow or per network. Every router marks 1 bit or 2 bits of the 16-bit IP Identification field of each packet it forwards, at a position chosen from the TTL. Because the marking is deterministic (all packets traversing the same path carry the same marking value), the victim can drop attack packets arriving over an upstream path immediately. The paper concludes that 2-bit marking filters better than 1-bit marking on a network topology with an average of 15 hops. The scheme is, however, expected to be less effective than it could be because the marking size is static. In the second paper [6], the authors try to find the most appropriate marking size n (= 1, 2, and so on) for a given Internet data set from CAIDA's Skitter Map, since the marking size n is the most important parameter. They conclude that for paths shorter than 13 hops the 2-bit scheme has a lower false ratio than the 1-bit scheme. The scheme is still fixed, even though an appropriate hop count is sought in order to decide it. In the third paper [16], a Pi marking scheme that does not use the TTL is evaluated. When the TTL selects the position, legacy routers that do not mark leave whatever the source wrote (garbage) in their slots of the Identification field, which raises the false positive rate. In [16] each marking router instead shifts the existing Pi value to the left and writes the bits derived from its own IP address into the rightmost position of the field; this gives better performance, but the marking size is again static. If the marking size n = 1 or 2 could be chosen according to the distance from the source to the destination, better Pi packet filtering performance could be expected.

In this paper the dynamic Pi marking scheme is applied to obtain this better performance, and the differences between it and the existing scheme are analyzed.

3 Design Schemes

3.1 Assumptions

This paper makes the following assumptions. (1) Every router either implements the marking scheme or is a legacy router that does not, so that the legacy ratio can be varied in the experiments. (2) The initial TTL value may be as large as 255, the maximum of the 8-bit TTL field. (3) The network topology does not change during the experiment, because the appropriate hop count x must stay fixed once it has been found dynamically.


3.2 Pi Marking Scheme

The Basic Scheme. The leftmost bit of the 16-bit IP Identification field registers the marking scheme chosen for the packet: "1" for the 1-bit scheme and "0" for the 2-bit scheme. In the 2-bit case the second bit is left unused as well, so that the remaining marking space is an even number of bits and the TTL can be reduced modulo a whole number of 2-bit slots. Marking uses the wrapping method (footnote 3), so the limited marking space causes routers close to the victim to overwrite the markings of routers farther away from it.

For n=1 the marking starts at the 2nd bit from the left, so at most 15 markings fit without any overwriting. The position to be marked is TTL modulo 15. The marking space is 2^15 = 32768 values, half of the 2^16 of the original scheme, so a marking saturation attack is twice as easy to mount as against the full 16-bit space.

For n=2 the left 2 bits are excluded and the right 14 bits are used, since the space must be a multiple of 2. The marking starts at the 3rd bit from the left, so at most 7 markings fit without overwriting. The position to be marked is (TTL modulo (14/2)) * 2. The marking space is 2^14 = 16384 values, a quarter of 2^16, so this scheme is again more exposed to saturation attacks than the 16-bit space. The smaller the marking space, the higher the probability of overwriting.

Algorithm to Find the Appropriate Hop Count Deciding the Pi Marking Scheme. Now consider the dynamic bit marking scheme. We need the hop count x at which the choice of Pi scheme switches for a given network topology. Because the topology does not change frequently, x remains valid as long as the topology is unchanged; in practice x can be managed as a global parameter. To find x, we calculate the false rate for n=1 and for n=2 as A. Yaar et al. did. Below x, the false rate for n=1 is expected to be higher than for n=2; above x, the false rate for n=2 is higher than for n=1. Fitting a curve to each false-rate series gives a polynomial for n=1 and one for n=2, and x is the real number at which they intersect:

$a_1 x^k + a_2 x^{k-1} + \cdots + a_k \ (n = 1) \;=\; b_1 x^j + b_2 x^{j-1} + \cdots + b_j \ (n = 2)$

(see Fig. 1). x should not be rounded to the nearest natural number, because a path whose traceroute hop count equals the rounded value could then not be assigned a scheme. For example, if x is 9.7 or 10.3 it would be rounded to 10; a host that measures a hop count of 10 to the destination by traceroute could not decide which scheme to use. Since no data set exists at first, an arbitrary initial value is assigned to x and data are collected for some period; the appropriate x is then found as in Fig. 1 from the collected data. The source host writes the chosen Pi marking scheme into the leftmost bit of the Identification field of the packets it sends.

3. As the TTL changes, the marking position moves one slot to the right at each hop and, after the last slot, returns to the first: the marking position circulates.

[Fig. 1: false rate (vertical axis) against hop counts (horizontal axis) for n=1 and n=2; the two curves cross at x.]

Fig. 1. The appropriate hop count deciding Pi marking scheme n=1 or 2

/* Algorithm to initialize Pi and to decide the value of the Pi marking scheme */
/* Pts = Pi mark of the packet; x : the appropriate hop count */
InitializeOfPiMark(Pts, hop_cnt)
{
    extern x;
    Pts = 0;                            /* initialize */
    if ((real)hop_cnt > x)
        Pts = (1 << (16 - 1));          /* in the case of n=1 */
}

To find x, 10,000 packets are generated from CAIDA's Skitter Map [17], and the false ratio is computed for every hop count for n=1 and n=2 respectively (Fig. 2). The two curves cross at x ≈ 10.3.

Fig. 2. False ratio of 1-bit and 2-bit for every hop count
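The curve-fitting step above, as an added example in Python (not code from the paper): two false-ratio series per hop count are fitted with least-squares polynomials, the real-valued crossing point x is found by bisection on their difference, and the source host's decision rule is applied to integer hop counts without rounding x. The false-ratio table is constructed for illustration and is not the paper's Skitter measurement; the degree-2 fit and the bisection are this example's choices, since the paper does not state its fitting method.

```python
# Constructed false-ratio table (NOT the paper's measurements): false ratio per
# hop count for the 1-bit and 2-bit schemes, on paths of 3 to 16 hops.
HOPS = list(range(3, 17))
FALSE_N1 = [0.335, 0.310, 0.285, 0.260, 0.235, 0.210, 0.185,
            0.160, 0.135, 0.110, 0.085, 0.060, 0.035, 0.010]
FALSE_N2 = [0.049, 0.056, 0.065, 0.076, 0.089, 0.104, 0.121,
            0.140, 0.161, 0.184, 0.209, 0.236, 0.265, 0.296]


def solve_linear(a, b):
    """Gaussian elimination with partial pivoting for a small dense system a.c = b."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for k in range(col, n + 1):
                m[r][k] -= f * m[col][k]
    c = [0.0] * n
    for i in range(n - 1, -1, -1):
        c[i] = (m[i][n] - sum(m[i][k] * c[k] for k in range(i + 1, n))) / m[i][i]
    return c


def polyfit(xs, ys, degree):
    """Least-squares polynomial fit via the normal equations.
    Returns coefficients c[0..degree] with c[0] the constant term."""
    n = degree + 1
    a = [[float(sum(x ** (i + j) for x in xs)) for j in range(n)] for i in range(n)]
    b = [sum(y * x ** i for x, y in zip(xs, ys)) for i in range(n)]
    return solve_linear(a, b)


def polyval(c, x):
    return sum(ci * x ** i for i, ci in enumerate(c))


def crossover_hop_count(hops, false_n1, false_n2, degree=2):
    """Fit one polynomial per scheme and return the real hop count x at which
    the fitted false-ratio curves intersect (bisection on their difference).
    x is deliberately left un-rounded, as the paper argues it must be."""
    p1 = polyfit(hops, false_n1, degree)
    p2 = polyfit(hops, false_n2, degree)

    def g(h):
        return polyval(p1, h) - polyval(p2, h)

    lo, hi = float(min(hops)), float(max(hops))
    if g(lo) * g(hi) > 0:
        raise ValueError("fitted false-ratio curves do not cross in the measured hop range")
    for _ in range(100):
        mid = (lo + hi) / 2
        if g(lo) * g(mid) <= 0:
            hi = mid
        else:
            lo = mid
    return (lo + hi) / 2


def choose_n(hop_cnt, x):
    """Scheme selection at the source host: 1-bit marking for paths longer
    than x, 2-bit marking otherwise. Because x is a real number, an integer
    traceroute hop count never equals it, so the choice is always defined."""
    return 1 if hop_cnt > x else 2


if __name__ == "__main__":
    x = crossover_hop_count(HOPS, FALSE_N1, FALSE_N2)
    print("crossover hop count x = %.4f" % x)
    for h in (9, 10, 11):
        print("hop count %d -> n=%d" % (h, choose_n(h, x)))
```

With the constructed table the fitted curves cross at about 10.44 hops, so a 10-hop path gets 2-bit marking and an 11-hop path 1-bit marking; rounding x to 10 would have left the 10-hop case undecidable, which is the point made above.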

Router's Pi Marking Algorithm. Each router en route reads the registered Pi marking scheme and writes its marking value into the Identification field of every incoming packet, at the position selected by the TTL modulo. The router hashes its IP address with MD5 [18], takes the rightmost n bits of the digest, and writes them at that position, counted from the right. MD5 is used because the distribution of the rightmost n bits of the routers' IP addresses can be highly skewed [18].

/* Pts = Pi mark of the packet; n = number of bits each router marks */
Pimark(Pts, TTL, Curr_IP)
{
    z = (Pts >> 15);                    /* the bits shifted in on the left are '0' */
    if (z == 0) { n = 2; y = 14; } else { n = 1; y = 15; }
    m = 2^n - 1;
    b = markingbits(Curr_IP) & m;       /* markingbits(Curr_IP) = MD5(Curr_IP), to normalize the distribution */
    bitpos = (TTL mod (y/n)) * n;
    b = b << bitpos;
    m = m << bitpos;
    return ((Pts & ~m) | b);
}
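The source-host initialization of Section 3.2 and the router marking step above, as an added example in Python (not the paper's code): a packet is marked along a constructed path and the properties the scheme relies on are checked, namely that the flag bit survives every router, that a router touches only its own slot, that the same path always yields the same mark, and that slots wrap after 15 (n=1) or 7 (n=2) hops. Assumptions not stated in the paper: MD5 is computed over the four address octets, a router marks with the TTL value it receives and then decrements it, the traceroute hop count equals the number of marking routers, and the router addresses are made up.

```python
import hashlib
import ipaddress

FLAG_BIT = 1 << 15        # leftmost bit of the 16-bit IP Identification field


def init_pi_mark(hop_cnt, x):
    """Source host step (the paper's InitializeOfPiMark): clear the field and
    register the scheme. Paths longer than the real-valued crossover hop count
    x use 1-bit marking (flag bit set); all others use 2-bit marking."""
    return FLAG_BIT if hop_cnt > x else 0


def marking_bits(router_ip):
    """MD5 of the router's IPv4 address as a big-endian integer. MD5 only
    flattens a skewed address distribution here; it is not a security
    primitive. Assumption: the digest is taken over the 4 address octets."""
    octets = int(ipaddress.IPv4Address(router_ip)).to_bytes(4, "big")
    return int.from_bytes(hashlib.md5(octets).digest(), "big")


def pi_mark(pts, ttl, router_ip):
    """One router's marking step (the paper's Pimark). The scheme is read from
    the flag bit, the slot from the TTL; bit positions count from the right."""
    if pts >> 15 == 0:
        n, y = 2, 14          # 2-bit scheme: 14 marking bits, 7 slots
    else:
        n, y = 1, 15          # 1-bit scheme: 15 marking bits, 15 slots
    m = (1 << n) - 1
    b = marking_bits(router_ip) & m
    bitpos = (ttl % (y // n)) * n
    return (pts & ~(m << bitpos)) | (b << bitpos)


def marking_slots(hop_cnt, n, initial_ttl=255):
    """Bit offsets written by the successive routers of a hop_cnt-hop path.
    Slots wrap modulo 15 (n=1) or 7 (n=2): once the path is longer than that,
    routers near the victim overwrite routers far from it."""
    slots = 15 if n == 1 else 7
    return [((initial_ttl - k) % slots) * n for k in range(hop_cnt)]


def mark_along_path(routers, x, initial_ttl=255):
    """Send one packet through the listed routers to the victim and return its
    final 16-bit Pi mark. Assumptions: the hop count equals the number of
    marking routers, and each router marks using the TTL it receives, then
    decrements it."""
    pts = init_pi_mark(len(routers), x)
    ttl = initial_ttl
    for ip in routers:
        pts = pi_mark(pts, ttl, ip)
        ttl -= 1
    return pts & 0xFFFF


if __name__ == "__main__":
    x = 10.3                                                 # crossover hop count
    short_path = ["10.0.%d.1" % i for i in range(1, 6)]      # 5 hops -> n=2 (constructed)
    long_path = ["192.0.2.%d" % i for i in range(1, 13)]     # 12 hops -> n=1 (constructed)
    print("n=2 mark: %04x" % mark_along_path(short_path, x))
    print("n=1 mark: %04x" % mark_along_path(long_path, x))
    print("slots on a 16-hop n=1 path:", marking_slots(16, 1))
```

The slot list for a 16-hop path shows the wrapping directly: the first and the sixteenth router land on the same offset, so the victim only ever sees the sixteenth router's bit there.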

Filtering Scheme. This section describes how the victim uses the Pi marks to filter incoming packets during a DDoS attack. Two methods are applied.

• Basic Filtering Scheme. The victim records the markings of identified attack packets and drops subsequent incoming packets that match any of those markings. Its characteristics are as follows [1]. (1) The filter gives the victim little flexibility. (2) It reacts to an attack very fast. (3) It needs little memory: 2^15 + 2^14 bits. (4) The victim keeps two bit vectors. For n=1, the i-th bit of a vector of length 2^15 is 0 if packets with the i-th Pi mark are to be accepted and 1 if they are to be dropped; for n=2 the same holds for a vector of length 2^14.

• Threshold Filtering Scheme. Under a marking saturation attack, the basic filter mistakes normal packets for attack packets and drops them. Packets should therefore be dropped only when the attack packet ratio for their mark exceeds some level, the threshold. The ratio for mark i is T_i = a_i / (a_i + u_i), where a_i is the number of attack packets and u_i the number of user packets observed with mark i, for 0 ≤ i < 2^15 if n=1 and 0 ≤ i < 2^14 if n=2; packets with mark i are dropped when T_i exceeds the chosen threshold. Filtering in the dynamic Pi environment can be deployed not only on the ISP's side of the last-hop link but also at an end host inside the ISP (footnote 4).

4. Kim et al. suggest that it is appropriate to apply the 2-bit marking scheme on the ISP's side because the distance (hop count en route) is short [16].
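The two victim-side filters above, as an added example in Python (not the paper's code): one filter object keeps the 2^15 + 2^14 entries of per-mark state, threshold 0 reproduces the basic filter, and a positive threshold applies the T_i test. The scenario is constructed, not data from the paper: five user hosts and three attackers, three of the users behind one path and one attacker sharing that path's mark, which is the saturation case the threshold filter is meant for. The learning and attack phases follow the packet counts of Section 4.1.

```python
FLAG_BIT = 1 << 15     # leftmost Identification bit: 1 -> 1-bit-scheme mark, 0 -> 2-bit-scheme mark


class DynamicPiFilter:
    """Victim-side filter over dynamic Pi marks.

    Marks with the flag bit set index a 2^15-entry table, the others a
    2^14-entry table: the 2^15 + 2^14 entries of state the paper gives for the
    basic filter, kept here as counters rather than single bits so the threshold
    variant can be computed from the same learning data. threshold = 0
    reproduces the basic filter (any mark ever seen on an attack packet is
    dropped); a positive threshold drops mark i only when its attack ratio
    T_i = a_i / (a_i + u_i) exceeds it.
    """

    def __init__(self, threshold=0.0):
        self.threshold = threshold
        self.attack = {1: [0] * (1 << 15), 0: [0] * (1 << 14)}   # a_i per scheme
        self.user = {1: [0] * (1 << 15), 0: [0] * (1 << 14)}     # u_i per scheme

    @staticmethod
    def _index(mark):
        if mark & FLAG_BIT:
            return 1, mark & 0x7FFF      # 15 marking bits
        return 0, mark & 0x3FFF          # 14 marking bits (two reserved bits ignored)

    def learn(self, mark, is_attack):
        """Learning phase: count a packet the victim has identified as attack or user."""
        scheme, i = self._index(mark)
        (self.attack if is_attack else self.user)[scheme][i] += 1

    def attack_ratio(self, mark):
        scheme, i = self._index(mark)
        a, u = self.attack[scheme][i], self.user[scheme][i]
        return a / (a + u) if a + u else 0.0

    def drop(self, mark):
        """Attack phase decision for one incoming packet."""
        return self.attack_ratio(mark) > self.threshold


def acceptance_ratios(filt, packets):
    """packets: iterable of (mark, is_attack). Returns (user acceptance ratio,
    attacker acceptance ratio), the two quantities plotted in Fig. 3."""
    accepted = {False: 0, True: 0}
    total = {False: 0, True: 0}
    for mark, is_attack in packets:
        total[is_attack] += 1
        if not filt.drop(mark):
            accepted[is_attack] += 1
    return accepted[False] / total[False], accepted[True] / total[True]


# Constructed scenario (not data from the paper). Three users share one path
# (mark 0x2AAA) and the third attacker shares that mark with them.
USER_MARKS = [0x0123, 0x2AAA, 0x2AAA, 0x2AAA, 0x1F0F]              # 2-bit-scheme marks
ATTACKER_MARKS = [FLAG_BIT | 0x1234, FLAG_BIT | 0x5678, 0x2AAA]    # two 1-bit-scheme marks


def build_filter(threshold):
    """Learning phase as in Section 4.1: every host sends three packets."""
    filt = DynamicPiFilter(threshold)
    for mark in USER_MARKS:
        for _ in range(3):
            filt.learn(mark, False)
    for mark in ATTACKER_MARKS:
        for _ in range(3):
            filt.learn(mark, True)
    return filt


def run_scenario(threshold):
    """Attack phase as in Section 4.1: every host sends one packet."""
    filt = build_filter(threshold)
    attack_phase = [(m, False) for m in USER_MARKS] + [(m, True) for m in ATTACKER_MARKS]
    return acceptance_ratios(filt, attack_phase)


if __name__ == "__main__":
    for t in (0.0, 0.25):
        users, attackers = run_scenario(t)
        print("threshold %.2f: user acceptance %.2f, attacker acceptance %.2f, gap %.2f"
              % (t, users, attackers, users - attackers))
```

On the shared mark a_i = 3 and u_i = 9, so T_i = 0.25. With threshold 0 that mark is dropped and the three users behind it are lost (user acceptance 0.4, attacker acceptance 0); with threshold 0.25 the mark is kept, all users get through and one attacker with them (user acceptance 1.0, attacker acceptance 1/3), which is the acceptance-ratio trade-off read from the graphs in Section 4.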

4 Simulation and Results

4.1 Experiment

The following experiment is run for n=1, n=2, and the proposed scheme. (1) We choose 5,000 paths at random from one of our Internet data sets from CAIDA's Skitter Map [17]. (2) In the learning phase, the end host of each path sends three packets to the victim [1]. (3) The victim builds the attack markings list. (4) In the attack phase, the end host of each path sends one packet to the victim [1].

4.2 Simulation

For the marking schemes n=1, n=2, and the dynamic Pi marking scheme, we plot the user acceptance ratio and the attacker acceptance ratio. The gap between the two acceptance ratios is read from the graphs for the thresholds 0 and 0.25, and the appropriate Pi marking scheme can be chosen according to the threshold value. The properties and performance of the marking schemes are then compared.

4.3 Results

Fig. 3 shows the user (normal) and attacker (attack) acceptance ratios for each scheme. The acceptance ratio gap of the proposed scheme is larger than for n=1 and n=2: the drop ratio is high for attack packets and low for normal (user) packets, which means that the filtering performance of the proposed scheme is higher. Fig. 4 shows the acceptance ratio gap when the legacy router ratio is 0.25.

[Fig. 3: user and attacker acceptance ratios with 0% threshold; panels (a) n=1, (b) n=2, (c) proposed.]

Fig. 3. Pi filtering with 0% threshold

Fig. 4. Pi filtering performance of the Pi marking schemes for legacy ratio 0.25

5 Conclusion

A. Yaar et al.'s paper proposes a static marking scheme. Its drawback is that it cannot reflect the variation in distance from the source host to the victim. This paper shows that if the marking scheme is chosen dynamically according to the network properties and the distance distribution, better results can be expected. Some problems remain to be solved. First, routers occasionally refuse traceroute as a precaution against attackers, so the distance cannot be counted; the acceptance ratio should be studied on topologies that include routers which do not answer traceroute. Second, using the left 2 bits to register the Pi marking scheme should be studied. For example, "00", "01", "10" and "11" could be registered in the left 2 bits of the Identification field. If only "01" and "10" are used for Pi marking, packets carrying "00" or "11" (footnote 5) can be dropped outright, at the cost of a smaller marking space. Last, the relationship between the marking space and the performance needs deeper study. A small marking space means a high probability that different packets carry the same marking value, and the smaller the acceptance ratio gap, the lower the drop rate of attack packets.

5. The bits registering the Pi marking scheme could be set to "00" for legacy routers and "11" for routers that do not provide traceroute; in that case, however, these bits could no longer be used to decide whether a packet is normal or not.

References

1. Yaar, A., Perrig, A., Song, D.: Pi: A Path Identification Mechanism to Defend against DDoS Attacks. In: Proceedings of the IEEE Symposium on Security and Privacy 2003, pp. 93-107 (2003)
2. Burch, H., Cheswick, B.: Internet Watch: Mapping the Internet. IEEE Computer 32(4), 97-98 (Apr. 1999)
3. CERT: Denial of Service Attacks (1997)
4. Wang, X., Reiter, M.K.: Defending Against Denial-of-Service Attacks with Puzzle Auctions. In: Proceedings of the 2003 IEEE Symposium on Security and Privacy (May 2003)
5. Naraine, R.: Massive DDoS Attack Hit DNS Root Servers. eSecurityPlanet.com (Oct. 2002), http://www.esecurityplanet.com/trends/article.php/10751 1486981
6. Lim, H., Hong, M.: Effective Packet Marking Approach to Defend Against DDoS Attack. In: Proceedings of ICCSA 2004 (2004)
7. Chen, Z., Lee, M.: An IP Traceback Technique against Denial-of-Service Attacks. In: Proceedings of the 19th Annual Computer Security Applications Conference, pp. 96-104 (2003)
8. Ioannidis, J., Bellovin, S.M.: Implementing Pushback: Router-based Defense against DDoS Attacks. In: Proceedings of the Symposium on Network and Distributed Systems Security (NDSS 2002) (Feb. 2002)
9. CAIDA: Inside the Slammer Worm, http://www.caida.org/outreach/papers/2003/sapphire2/
10. Adler, M.: Tradeoffs in Probabilistic Packet Marking for IP Traceback. In: Proceedings of the 34th ACM Symposium on Theory of Computing (STOC) (2002)
11. Dean, D., Franklin, M., Stubblefield, A.: An Algebraic Approach to IP Traceback. ACM Transactions on Information and System Security (May 2002)
12. Snoeren, A.C., Partridge, C., Sanchez, L.A., Jones, C.E., Tchakountio, F., Kent, S.T., Strayer, W.T.: Single-Packet IP Traceback. IEEE/ACM Transactions on Networking 10(6) (Dec. 2002)
13. Snoeren, A.C., Partridge, C., Sanchez, L.A., Jones, C.E., Tchakountio, F., Kent, S.T., Strayer, W.T.: Hash-Based IP Traceback. In: Proceedings of the ACM SIGCOMM 2001 Conference, pp. 3-14 (Aug. 2001)
14. Song, D.X., Perrig, A.: Advanced and Authenticated Marking Schemes for IP Traceback. In: Proceedings of IEEE INFOCOM 2001 (Apr. 2001)
15. Mahajan, R., Bellovin, S.M., Floyd, S., Ioannidis, J., Paxson, V., Shenker, S.: Controlling High Bandwidth Aggregates in the Network. ACM SIGCOMM Computer Communication Review 32(3), 62-73 (July 2002)
16. Kim, S.-D., Hong, M.-P., Kim, D.-K.: A Study on Marking Bit Size for Path Identification Method: Developing the Pi Filter at the End Host. In: Proceedings of ICCSA 2004 (2004)
17. CAIDA: Skitter, http://www.caida.org/tools/measurement/skitter/ (2004)
18. Rivest, R.L.: The MD5 Message-Digest Algorithm. RFC 1321, Internet Activities Board, Internet Privacy Task Force (Apr. 1992)
