Experiments with DDoS and Routing. Sonia Fahmy, Ness Shroff; Students: Roman Chertov, Rupak Sanjel. Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University, October 25th, 2004.


1

Sonia Fahmy, Ness Shroff

Students: Roman Chertov, Rupak Sanjel

Center for Education and Research in Information Assurance and Security (CERIAS)

Purdue University

October 25th, 2004

Experiments with DDoS and Routing

2

Objectives

• Design, integrate, and deploy a methodology and tools for performing realistic and reproducible DDoS experiments:
  • Tools to configure traffic and attacks
  • Tools for automation of experiments, measurements, and visualization of results
  • Integration of multiple third-party software components

• Understand the testing requirements of different types of third-party detection and defense mechanisms

• Gain insight into the phenomenology of attacks, including their first-order and second-order effects, and their impact on defenses

3

Accomplishments

• Designed and implemented experimental tools:
  • Scriptable event system to control and synchronize events at multiple nodes
  • Automated measurement tools, log processing tools, and plotting tools
  • Automated configuration of interactive and replayed background traffic, routing, attack parameters, and measurements

• Generated requirements for DETER to easily support the testing of third-party products (e.g., ManHunt, Sentivist)

4

Accomplishments (cont’d)

Analytical characterization, simulations, and experiments for low-rate TCP-targeted DDoS attacks

Preliminary analysis of BGP behavior during DDoS, and BGP impact on DDoS

5

TCP-Targeted Attacks

• Varied: attack burst length l and sleep period T-l

References:
A. Kuzmanovic and E. W. Knightly. Low-rate targeted denial of service attacks. SIGCOMM 2003.
M. Guirguis et al. Exploiting the transients of adaptation for RoQ attacks on Internet resources. ICNP 2004.
H. Sun et al. Defending against low-rate TCP attacks: Dynamic detection and protection. ICNP 2004.

• Objective: Understand attack effectiveness (damage versus effort) in terms of application-level, transport-level, and network-level metrics at multiple nodes

[Figure: attack rate versus time; the attacker sends at rate R for bursts of length l, separated by sleep periods of length T-l]
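An added example, not from the slides or the DETER tools, that reads this slide's attack model (rate R for l ms out of every T ms) from the defender's side: it builds a constructed per-bin byte-count series for such a burst train, computes the attacker's average rate R*l/T (the "effort" in damage versus effort), and estimates l and T back from the series by autocorrelation so that a low-duty-cycle periodic burst pattern can be flagged. The bin width, thresholds and background rate are assumptions.

```python
BIN_MS = 10  # width of each traffic bin in ms (assumption)

def square_wave_trace(total_ms, l_ms, T_ms, rate_mbps, background_mbps=0.05):
    """Constructed per-bin byte counts for the slides' attack model: rate R
    (rate_mbps) for l ms out of every T ms, on top of a small constant
    background. This is a synthetic series, not captured traffic."""
    bins = []
    for t in range(0, total_ms, BIN_MS):
        on = (t % T_ms) < l_ms
        mbps = (rate_mbps if on else 0.0) + background_mbps
        bins.append(int(mbps * 1e6 / 8 * BIN_MS / 1000))  # bytes in this bin
    return bins

def average_rate_mbps(rate_mbps, l_ms, T_ms):
    """Attacker effort: the mean sending rate of an R/l/T square wave."""
    return rate_mbps * l_ms / T_ms

def estimate_period_ms(bins, min_ms=200, max_ms=5000):
    """Lag (ms) at which the mean-removed bin counts correlate best with
    themselves; for a periodic burst train this is the period T."""
    n = len(bins)
    mean = sum(bins) / n
    x = [b - mean for b in bins]
    best_lag, best = None, float("-inf")
    for lag in range(min_ms // BIN_MS, max_ms // BIN_MS + 1):
        c = sum(x[i] * x[i + lag] for i in range(n - lag))
        if c > best:
            best, best_lag = c, lag
    return best_lag * BIN_MS

def estimate_burst_ms(bins):
    """Burst length l: the longest run of bins above twice the median count."""
    thresh = 2 * sorted(bins)[len(bins) // 2]
    run = longest = 0
    for b in bins:
        run = run + 1 if b > thresh else 0
        longest = max(longest, run)
    return longest * BIN_MS

def classify(bins, max_duty=0.25):
    """Flag a trace whose bursts recur with a fixed period and a low duty
    cycle l/T, the signature of a low-rate TCP-targeted attack. A trace with
    no bursts gets duty cycle 0 and is not flagged."""
    T = estimate_period_ms(bins)
    l = estimate_burst_ms(bins)
    duty = l / T
    return {"period_ms": T, "burst_ms": l, "duty_cycle": round(duty, 3),
            "low_rate_periodic": 0 < duty < max_duty}

if __name__ == "__main__":
    trace = square_wave_trace(10_000, l_ms=50, T_ms=1000, rate_mbps=10.0)
    print(classify(trace), "effort =", average_rate_mbps(10.0, 50, 1000), "Mbps")
```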

6

Topology

7

Throughput

8

Web Clients/Server

[Figure: Server Throughput (Mbit/sec, 0 to 90) vs. Burst Length (ms, 0 to 80)]

[Figure: Total Number of Pages Read (Number of Pages, 0 to 350000) vs. Burst Length (ms, 0 to 80)]

[Figure: Average Client Throughput (Mbit/sec, 0 to 2.5) vs. Burst Length (ms, 0 to 80)]

[Figure: Average Response Time (sec, 0 to 0.16) vs. Burst Length (ms, 0 to 80)]

9

Attack Parameters vs. RTT

[Two plots; baselines of 0.38 Mbps and 0.75 Mbps without an attack]

Client with 63 ms RTT to the server

10

Short RTT

[Two plots; baselines of 1.00 Mbps and 1.40 Mbps without an attack]

Client with 12.6 ms RTT to the server

11

ttcp Experiments

[Figure: Unacked data during 5MB file transfer (31.97 sec = 160.16 KB/sec); series: Attack 100-1000]

12

Emulation vs. Simulation

• Effects of attack sleep period on the average congestion window of a single TCP (SACK) flow from the TTCP tool

• The attack flow is multiplexed with the data flow

[Figure: Attack Sleep Period Effect on Average Congestion Window; Cwnd (packet #, 0 to 25) vs. Attack Sleep Period (ms, 500 to 4500); series: Deter, NS]

13

Routing

Need to understand magnitude of potential problems, causes, and defenses

14

Scenario

• At 222 sec, nodes 8, 11, and 14 attack node 9 (zebra router running BGP) for 400 seconds.

• No activity for 200 seconds. Allow all nodes to stabilize.

• Nodes 8, 11, and 14 attack node 9 for 400 seconds again. Node 36 attacks node 10 (neighbor of node 9) for 400 seconds.

15

Number of BGP update messages

16

Keep-alives at node 9
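A check of the kind the "Keep-alives at node 9" measurement invites, added here as example code that is not part of the slides or the DETER tools: given keep-alive arrival times at the attacked router, it reports keep-alives that arrive late (the early sign of a router falling behind under the flood) and gaps longer than the BGP hold time, at which the neighbor would drop the session. The log line format, node names and timer values are assumptions.

```python
HOLD_TIME_S = 90.0   # assumed hold time (the value RFC 4271 suggests)
KEEPALIVE_S = 30.0   # assumed keep-alive interval (the value RFC 4271 suggests)

# Constructed arrival times of keep-alives at the attacked router, in seconds
# since experiment start. The "<t> KEEPALIVE peer=<name>" format is an
# assumption, not zebra's log format. The flood begins at 222 s, as in the
# slides' scenario, and keep-alives from then on arrive late or not at all.
KEEPALIVE_LOG = """\
150.0 KEEPALIVE peer=node10
180.0 KEEPALIVE peer=node10
210.0 KEEPALIVE peer=node10
340.0 KEEPALIVE peer=node10
370.0 KEEPALIVE peer=node10
400.0 KEEPALIVE peer=node10
520.0 KEEPALIVE peer=node10
550.0 KEEPALIVE peer=node10
"""

def parse_keepalives(text):
    """Return a dict of peer -> sorted arrival times (s) from the log text."""
    times = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "KEEPALIVE":
            peer = parts[2].split("=", 1)[1]
            times.setdefault(peer, []).append(float(parts[0]))
    return {p: sorted(t) for p, t in times.items()}

def hold_timer_violations(times, hold_time=HOLD_TIME_S):
    """(start, end, gap) for each gap between consecutive keep-alives longer
    than the hold time; each one is a point where the peer would tear the
    session down."""
    return [(a, b, b - a) for a, b in zip(times, times[1:]) if b - a > hold_time]

def late_keepalives(times, interval=KEEPALIVE_S, slack=1.0):
    """Number of keep-alives arriving more than one interval plus slack after
    the previous one: a weaker signal than a session drop, visible earlier."""
    return sum(1 for a, b in zip(times, times[1:]) if b - a > interval + slack)

def report(text):
    """Per-peer summary of late keep-alives and hold-timer violations."""
    return {peer: {"late": late_keepalives(t),
                   "session_drops": hold_timer_violations(t)}
            for peer, t in parse_keepalives(text).items()}

if __name__ == "__main__":
    print(report(KEEPALIVE_LOG))
```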

17

18

Lessons Learned

• Insights into sensitivity to the emulation environment
  • Some effects we observe may not be observed on actual routers, and vice versa (architecture and buffer sizes)
  • Emulab and DETER results differ significantly for the same test scenario (CPU speed)
  • Priority for routing packets in Cisco routers
  • Limit on the degree of router nodes, delays, bandwidths

• Difficulties in testing third-party products
  • Products (hardware or software) connect to hubs, switches, or routers
  • Layer 2/layer 3 emulation and automatic discovery/allocation can simplify DETER use for testing third-party mechanisms
  • Due to licenses, we need to control machine selection in DETER
  • Windows XP is required to test some products, e.g., the Sentivist administration interface
  • Difficult to evaluate performance when the mechanism is a black box, e.g., cannot mark attack traffic and must rely solely on knowledge of the attack

19

Plans

• Continue development of experiment automation and instrumentation/plotting tools and documentation

• Design increasingly high-fidelity experimental suites

• Continue investigation of TCP-targeted DDoS attacks in more depth, and compare analytical and simulation results with DETER testbed results to identify artifacts

20

Plans (cont’d)

Investigate routing problems/attacks, and compare with DETER testbed results

Continue to collaborate with routing team and McAfee team to identify experimental scenarios and build tools for routing experiments