The Crossfire Attack
Min Suk Kang, Soo Bum Lee, Virgil D. Gligor
ECE Department and CyLab
Carnegie Mellon University
2013 IEEE Symposium on Security and Privacy
Outline
  INTRODUCTION
  THE CROSSFIRE ATTACK
  ATTACK PERSISTENCE AND COST
  EXPERIMENT SETUP AND RESULTS
  RELATED WORK
  CONCLUSION
INTRODUCTION – Old DDoS
Typical attack:
  floods server with HTTP, UDP, SYN, ICMP… packets
Persistence:
  Maximum: 2.5 days
  Average: 1.5 days
Adversary’s Challenge: DDoS attacks are either persistent or scalable to N servers
  N traffic to 1 server => high-intensity traffic triggers network detection
  Detection not triggered => low-intensity traffic is insufficient for N servers
INTRODUCTION – Crossfire Attack
Link flooding by botnets cannot be easily countered
  Spoofed IP addresses.
  Can flood links without using unwanted traffic.
Launch an attack with low-intensity traffic flows that cross a targeted link at roughly the same time and flood it.
A link-flooding attack that persistently degrades or cuts off the network connections of a scalable N-server area.
Scalable N-server areas:
  N = small (e.g., 1-1000 servers), medium (e.g., all servers in a US state), large (e.g., the West Coast of the US)
Persistent:
  Attack traffic is indistinguishable from legitimate
    Low-rate, changing sets of flows
  Attack is a “moving target” for the same N-server area
    Changing target links before triggering alarms
INTRODUCTION – Definitions
INTRODUCTION – 1 link crossfire
Attack flows => Indistinguishable from legitimate
Attack flows => Alarms not triggered
Link-failure detection latency:
  Interior Gateway Protocol (IGP) routers (OSPF)
    Default waiting time: 40 sec, Failure detection: 217 sec
  Exterior Gateway Protocol (EGP) routers (BGP)
    Default waiting time: 180 sec, Failure detection: 1,076 sec
THE CROSSFIRE ATTACK
Public servers: To construct an attack topology centered at target area
Decoy servers: To create attack flow
ATTACK - Step 1: Link Map Construction
(72%)
(1) Traceroute (B->S)
(2) Link-Persistence
ATTACK - Step 2: Attack Setup
(1) Flow-Density Computation
(2) Target-Link Selection
DR: Degradation Ratio
ATTACK - Step 3: Bot Coordination
(1) Attack-Flow Assignment
(2) Target-Link Flooding
ATTACK PERSISTENCE AND COST
Data-Plane-Only Attack: Indefinite Duration
  Link failure detection
  Traffic engineering
Proactive Attack Techniques: Rolling Attack
  Maintaining the same target links
    Changes bot and decoy servers
  Maintaining the same target area
    Changes target links
Attack bots available from Pay-per-Install (PPI) markets [2011]
In experiments: 49% in US or UK, 37% in Europe, 14% rest of the world
10 target links: can be as low as 107,200 bots. Cost approximately $9K
EXPERIMENT SETUP AND RESULTS
Bots:
  1,072 traceroute nodes: 620 PlanetLab nodes, 452 LG (Looking Glass) servers
Decoy servers:
  552 institutions (i.e., universities and colleges) on both the East Coast (10 states) and West Coast (7 states) of the US
  2737 public web servers within Univ1 in Pennsylvania
  7411 public web servers within Univ2 in Massachusetts
Target Areas:
Link map:
  Run a traceroute six times to diagnose link persistence
Average rate when flooding 10 target links against Pennsylvania
The Coremelt Attack
“Spamhaus” Attack
RELATED WORK
CONCLUSION
Attack Characteristics
  Undetectability at the Target Area
  Indistinguishability of Flows in Routers
  Persistence
  Flexibility
New DDoS Attack: The Crossfire Attack
  Scalable & Persistent
Internet-scale experiment
  Feasibility of the attack
  High impact with low cost
Q&A