Professional Documents
Culture Documents
Abstract 2. Approach
Under sponsorship of the Defense Advanced Research There are a variety of options for analyzing computer
Projects Agency’s (DARPA) Fault Tolerant Networks network attacks and mitigation strategies. Closed form
(FTN) program, The Johns Hopkins University Applied analysis may be the most desirable form, but can require
Physics Laboratory (JHU/APL) has been conducting the many simplifying assumptions. The resulting models
Distributed Denial of Service Defense Attack Tradeoff provide valuable first-order insights but detailed analysis
Analysis (DDOS-DATA). DDOS-DATA’s goal is to using them is limited. An alternative approach is a real
analyze Distributed Denial of Service (DDOS) attacks world test bed, which is an excellent approach to
and mitigation technologies to develop an understanding understand attack dynamics. However, a test bed can be
of how well mitigation technologies perform and how limited in its ability to vary key parameters (e.g., the
they can be combined to limit the potential attack space. packet forwarding speed of a router) and size limitations
This paper provides an overview of the DDOS-DATA can restrict the analysis of DDOS attacks that may use
project and discusses analysis results for the Proof of hundreds of nodes. Modeling and simulation provides an
Work, Rate Limiting, and Active Monitor mitigation approach with several advantages over closed form and
technologies considered both individually and when real world test bed analysis: the ability to vary key
deployed in combinations. parameters that may not be easily modifiable in a test
bed, the ability to easily repeat a given analysis scenario,
1. Introduction and the use of models without debilitating
simplifications. However, successfully using modeling
Distributed Denial of Service (DDOS) attacks disrupt and simulation requires model validation, which can be
and deny legitimate computer and network resource very time consuming. In addition, careful consideration
usage through compromised hosts that monopolize must be given to the trade between model fidelity and
resources. Mitigation technologies have been developed model run time.
to defend against DDOS attacks, but there is little Analysis using modeling and simulation requires an in
understanding of the fundamental relationships between depth understanding of how attacks and mitigation
DDOS attacks, mitigation strategies, and attacker technologies function. At JHU/APL we accomplished
performance. Without a solid understanding of these this through literature surveys, code examination, and
fundamental relationships, it is difficult to determine the experimentation in the JHU/APL Information Operations
ability of mitigation technologies to address the DDOS (IO) Laboratory. Through this process, key parameters
problem or how mitigation technologies can successfully and behaviors are identified that then drive model
be deployed together. requirements and design.
JHU/APL, under the sponsorship of DARPA’s FTN We use OPNET Modeler, a commercial discrete event
program [1], is currently analyzing DDOS attacks and network simulation package, for model development.
mitigation technologies. DDOS-DATA’s goal is to use Development requires enhancing existing OPNET
analysis to quantify how well mitigation technologies models (e.g., to build the target network model) or
work, how attackers can adapt to defeat mitigation creating models from scratch (e.g., to build the attack and
technologies, and how different mitigation technologies mitigation models). Because computer network attacks
can be combined. often exploit nuances in protocol implementations and
because existing OPNET models adhere to the protocol
3. The System
Proof-of-Work
This paper presents analysis results for a 500+ node Figure 2 Notional Mitigation Technology Deployment
target network, three mitigation technologies (discussed
below), and a specific attack scenario. Currently
underway, however, is construction of a larger 1000+ Active Monitors observe and classify traffic and then
node target network, additional mitigation technologies, free resources consumed by attacks. One example of an
and expanded attacker capabilities. This work is Active Monitor, which we have modeled, is the synkill
scheduled for completion in August 2003. software developed at Purdue CERIAS [4]. Synkill
observes traffic at a protected server to determine if TCP
3.1 Target Network connection initiation is being performed correctly. An
unsuccessful handshake (i.e., one where no response is
The 500+ node target network is based on a subset of received from the SYN-ACK packet) is an indication that
the JHU/APL Intranet. The network consists of five edge the initial SYN packet originated from an attacker instead
switches interfaced to a central switch. This core switch, of a legitimate client (which would have responded to the
in turn, connects to a router allowing the supported hosts SYN-ACK). All subsequent traffic from a BAD (i.e.,
to communicate with APL servers and the Internet. The attack) node is reset thereby freeing server resources for
target network model is constructed from OPNET node legitimate use.
models. Rate limiting, such as the committed access rate
Data collection and traffic analysis from the live (CAR) available in Cisco products, limits the flow of
network was used to guide traffic model development. predefined packet types. For example, the flow of SYN
The primary types of traffic flowing across the network packets can be limited to a subset of the available
are web access, e-mail, file sharing and transfer, and
1
These findings are applicable to other stateful resource attacks.
3.3 The Attacker The second traffic validation test examines the traffic
processed by the central switch. Because this switch
The DDOS-DATA attack model provides a generic transfers all system and attack traffic, validating its load
attack generation capability. The attacker can generate ensures correct model traffic load. To perform
TCP, User Datagram Protocol (UDP), or Internet Control validation, we divided the modeled hour into small
Message Protocol (ICMP) packets with analyst specified windows and measured the switch load in each window.
field values (e.g., a SYN Packet) and timing. The attack Frequency of each switch load was measured and plotted.
start and end times are also configurable. Since the Figure 3 compares plots for each of the 24 hours of
analysis focus is on the mitigation technology and measured traffic (“Observed Network Traffic”) and 37
attacker performance, we have elected not to model the model runs (“Model Runs”) using a 0.1 second
DDOS zombie control channels or distribution, instead measurement window.
choosing to assume that the zombies have already been Figure 3 shows that model traffic, which was derived
deployed. from the busiest hour, provides a more evenly distributed
traffic flow (i.e., flatter graph) than the real data from
4. Verification and Validation which it was derived (“Busiest Hour”). The model has
generally more occurrences between 200 and 400 packets
Verification and validation activities were conducted per window, less from 600 to 700, and then more from
for all models developed by JHU/APL [2]. In addition, 700 to 800.
overall traffic loading of the network was validated.
5
10
Model
with OPNET models, no verification activities took 3 Runs
place. To validate target network traffic models, we 10
Busiest
compared live data with model traffic levels. We based Hour
the target network traffic load on the busiest hour in 24 10
2
37 model runs for the two key protocols: the file transfer 10
0 200 400 600 800 1000
Packets per second (0.1 second window)
1200 1400
3500
the connection by sending a TCP packet with the SYN bit
3000
set. The server receives this SYN packet, places an entry
2500 in the pending connection queue to record this event, and
2000
transmits a synchronize-acknowledge (SYN-ACK)
packet. If the client is legitimate, it then transmits an
1500
ACK packet. The server, upon receiving the ACK
1000
solaris 92
packet, considers the connection complete and removes
500
linux 91
linux 195 the connection from the pending connection queue.
linux 151
bsd 2 The TCP SYN Flood attack relies on the finite length
0
0 2 4 6 8 10
time (seconds)
12 14 16 18 20 of the TCP pending connection queue. If a SYN packet
is received while the pending connection queue is full, no
SYN-ACK packet is transmitted and a connection cannot
occur. This results in a denial of service.
Figure 7 Test bed Attacker Packet Transmissions
5000
5.2 Metrics
4500
1000
PDS = 1-(Number of Successful Connections)/(Number
solaris 92
500
linux 91
linux 195
of Attempts)
linux 151
bsd 2
0
50 55 60 65 70 75
time (seconds)
80 85 90 95 100 where an attempt is the initiation of a TCP socket (i.e.,
the transmission of one or more SYN packets from a
legitimate client) and a successful connection is the
Figure 8 Model Attacker Transmission Rates completion of the TCP three-way handshake.
Attacker effort measures the number of SYN packets
produced and the number of zombies necessary to
5. Analysis conduct the attack. This metric allows us to compare
attacks across mitigation technologies (e.g., determine
Analyzing the interaction between the target network,
the increase in required attacker resources to maintain
attackers and mitigation technologies begins by
PDS due to a newly deployed mitigation technology).
establishing the attack and the metrics. The sections
Mitigation technologies also have associated metrics
below present analysis results for the following cases:
depending on the system. For example, when multiple
baseline (no attack), no mitigation technology, single
mitigation technologies are activated in the network, the
mitigation technology, and mitigation technology
contribution of each mitigation technology to preventing
combinations.
the attack is computed. Another applicable metric is
differential impact (DI), which compares PDS for
Attack Start
0.4
Attack End
5.5 Active Monitor 0.3
0.2
To investigate the impact of adding an Active 0.1
Monitor, we again used a Pending Connection Queue of
0
39 and a TCP SYN flood attack of 1000 packets per 1
4000 4500 5000 5500 6000 6500 7000
second. The average PDS drops from 0.97 to 0.81 over A pending connection queue
Timeof 39 shows similar results.
(sec)
Attack End
completed handshake, the node is classified as BAD. 10
0.6 0.6
0.5 0.5
Attack Start
Attack Start
0.4
Attack End
0.4
Attack End
0.3 0.3
0.2 0.2
0.1 0.1
0 0
4000 4500 5000 5500 6000 6500 7000 4000 4500 5000 5500 6000 6500 7000
1
A pending connection queue of 39 shows similar results.
Time (sec) Time (sec)
Figure 12 Average PDS with Outbound Rate Limiting Figure 13 Average PDS as a Function of Time for
and 1000 pps Attack Inbound Rate Limiting (All Hosts)
Attack End
Figure 13 shows that PDS, calculated over 1 second 0.3
windows, varies between 0 and 1 during the attack. To 0.2
explain this change, PDS was re-calculated for two cases.
0.1
The first (Figure 14) was for hosts that used the same
router interface as the attacker. These hosts had a PDS of 0
4000 4500 5000 5500 6000 6500 7000
1.0 during the attack. The second (Figure 15) is for hosts Time (sec)
using other interfaces. These hosts had a PDS of 0.0 for
the attack. This finding suggest that while the Rate
Figure 14 Average PDS for Clients Sharing an
Limiter, in this configuration, may increase the denied
Interface with the Attacker
service of legitimate traffic that shares the network path
used by the attacker, it does protect users who do not
share this path. 5.7 Proof of Work
0.9
41 Runs 0.9
8192 Connection Queue 40 Runs
Average Probability of Denied Service
0.6 0.6
0.5 0.5
Attack Start
0.4
Attack End
0.4
0.3 0.3
0.2 0.2
0.1 0.1
0
4000 4500 5000 5500 6000 6500 7000 0
4000 4500 5000 5500 6000 6500 7000
Time (sec) Time (sec)
Figure 15 Average PDS for Clients that do not Share Figure 16 Average PDS for Distributed Proof of Work
the Attacker’s Interface Attacker (8192 Pending Connection Queue)
5.8 Active Monitor and Rate Limiter
We first subjected the internal web server, equipped
with Proof of Work, to the 1000 SYN per second SYN
Our results show that the Active Monitor, by itself,
flood attack previously described. Since the attacker
reduces PDS to 0.01 from 0.68 during a 1000-pps SYN
does not know about the Proof of Work protocol, they are
flood. Although PDS is reduced, the attacker bandwidth
not properly requesting permission to use the server and
remains unconstrained. To investigate the impact of
their SYN packets are simply dropped. This results in a
increasing bandwidth allocated to this service while
PDS of zero for this attack.
another mitigation technology is present, the Active
If the attacker is aware of the Proof of Work process,
Monitor and the Rate Limiter were activated and the Rate
they would modify their attack. The simplest
Limiter normal traffic rate was varied. Figure 17 shows
modification is to attempt a SYN flood while accounting
average PDS as a function of the Rate Limiter normal
for the Proof of Work protocol. The attacker, in this
rate for the Rate Limiter, by itself, and with the Active
case, asks for permission to use the server and, if
Monitor. In both scenarios, average PDS remains above
necessary, will attempt to solve the puzzle. Examination
0.99 until the normal rate reaches 100,000 (312.5 SYN
of the model output for this case reveals zero PDS. The
packets per second). However, as the normal rate reaches
attacker will initially fill up the pending connection
100,000, PDS drops more sharply in the multiple-
queue as it is given approval to submit requests for
mitigation case (average PDS drops to 0.68, as compared
resources. However, when only defense threshold slots
to 0.84). In both scenarios, the effect of the Rate Limiter
remain available, the server begins to request that puzzles
lessens as normal rate increases and the effect of the Rate
be solved before resources can be requested. The
Limiter on PDS disappears when the normal rate exceeds
attacker is then required to solve many puzzles (one for
the attack rate (i.e., the Rate Limiter passes all attack
each request) and their CPU becomes increasingly
packets). In the multiple-mitigation case, the PDS
overwhelmed. Our analysis shows that the attacker’s
limiting value is the average PDS shown previously for
ability to send attack packets decreases, lightening the
the Active Monitor case (average PDS of 0.01).
attack, and allowing service to continue for legitimate
The effect of combining the two mitigations illustrates
clients (i.e., PDS is zero).
the tradeoff between reduced PDS and restricted attacker
Since the puzzle process overwhelms the attacker’s
bandwidth. In particular, reducing attacker bandwidth by
ability to send packets, an attacker would seek to solve
about one-third introduces a PDS of 0.4, and reducing
the puzzles more quickly perhaps by distributing the
attacker bandwidth by about two-thirds introduces a PDS
work load across multiple systems. To examine this, the
of 0.68. The latter case produces an average PDS
model was configured to use 450 low rate attackers each
comparable to the nominal value with no mitigation
producing an attack every 0.45 seconds (for a net attack
technology in place. Thus, the advantage of reduced
of 1000 packets per second). The results of this attack
attacker bandwidth is gained without decreasing the level
are shown in Figure 16. The average PDS is 0.66, which
of available service. Of course, the attacker could
is comparable to the 0.68 for the baseline attack.
increase the attack rate, filling the available bandwidth. If
this occurred, then this scenario reduces to the Rate
Limiter one attacker case previously analyzed.
0.6
8. References
0.5