Author: Wan, Kwok-kin Kalman
Title: An infrastructure to defend against distributed denial of service attack
Degree: M.Sc.
Year: 2001
Subject: Hong Kong Polytechnic University -- Dissertations
Internet -- Security measures
Computer networks -- Security measures
Computer security
Computer hackers
Data protection
Department: Multi-disciplinary Studies
Department of Computing
Pages: xi, 168 leaves : ill. ; 30 cm
Language: English
Abstract: Distributed denial of service (DDoS) attacks were first seen in early 1998. This kind of attack overwhelms a target server with an immense volume of useless traffic from distributed and coordinated attack sources. In February 2000, a number of the world's largest e-commerce sites were brought offline for days by this kind of attack, even though they were designed to offer high availability. The outages caused a huge economic loss to both the victim sites and their users. The Internet industry widely agrees that there is essentially nothing a site can do with current technology to prevent itself from becoming a victim of DDoS attacks. In this dissertation, I propose an infrastructure to solve this problem, which involves cooperation of different parties of the Internet to detect DDoS attacks and block the attack traffic well before the attack packets reach the target site. As a result, service interruption to the target can be minimized. This dissertation is the first research work I am aware of which proposes such an infrastructure in detail. It serves as a starting point to develop a complete solution against DDoS attacks. I propose to install full-blown local detection systems (FLDS) at various strategic locations in the Internet. They communicate in peer-to-peer mode to detect and respond to DDoS attacks. Other nodes in the Internet can install minimal local detection systems (MLDS) to work with FLDSs to block attack traffic by hop-by-hop trace back of attack sources. Since an MLDS only responds to a confirmed attack, but does not continuously detect for suspicious attacks, it requires much less computing resource than an FLDS. An analysis of the Internet topology and traceroute results both show that backbone ISP gateway nodes, Internet Exchanges, and Network Access Points are suitable Internet nodes at which to install FLDSs because most cross-domain Internet traffic passes through these locations.
Since the number of these locations is relatively small, the proposed system should be a cost-effective solution to the DDoS problem. I propose a component approach to design an LDS based on the Common Intrusion Detection Framework (CIDF). CIDF identifies four components for a typical intrusion detection system. They are E-box, A-box, D-box, and R-box. I add four more components to fulfill the specific requirements for handling DDoS attacks. They are S-box, P-box, M-box, and C-box. S-box is a load-balancing component which distributes IP datagrams sniffed or mirrored from the network switch at an Internet node to E-boxes and P-boxes for attack detection. This load-balancing feature is very important because the traffic volume flowing through a strategic location is very high. Therefore an FLDS must be highly scalable. The proposed S-box fulfills this requirement. E-box detects control packets of DDoS attack tools by matching IP datagrams with DDoS attack signatures. These control packets can provide clues to trace back to the actual attacker and provide evidence for later law enforcement. I also propose a new approach to specify and store attack signatures based on XML. P-box detects suspicious DDoS attacks, and the suspicious interfaces where attack traffic comes from, based on traffic volume anomalies. Algorithms are designed to cater for the dynamic nature of traffic volume to different destinations and can adjust the threshold levels of traffic volume anomalies accordingly. A-box integrates information gathered by E-box, P-box, and remote LDSs to decide whether there is any DDoS attack in progress. The decision rules are designed to avoid false alarms but at the same time can detect DDoS attacks effectively. D-box is an XML server which stores alerts and component statuses in XML format. It supports an XML query language so that the stored information can be retrieved using a standard query language.
R-box uses three methods to block attack traffic, namely traffic rate limit filter, upstream LDS alert, and edge router ingress filter. It applies traffic rate limit filters to limit traffic destined for a confirmed victim at confirmed inbound interfaces of attack traffic. It also alerts an upstream LDS to detect and respond to the attack, such that a hop-by-hop trace back of attack sources can be achieved. For an LDS at a local ISP, its R-box can instruct the edge routers to install ingress filters to filter attack packets with spoofed source addresses received from the customer sites. M-box is the only component of an LDS with an Internet connection. It communicates alert and status information with other LDSs through the Internet. It maintains a list of immediate neighbor LDSs, such that alerts and heartbeats are sent to all immediate neighbors from time to time. Alerts received from a neighbor are forwarded to the A-box for analysis and to this LDS's immediate neighbor LDSs. This propagation mechanism ensures that all LDSs promptly receive the same information. The protocol also caters for failure of an individual LDS. C-box is the console for configuring various components and querying for alert and status information. I adopt and extend the Intrusion Detection Message Exchange Format (IDMEF) as the communication language among different components in an LDS and among different LDSs. Intrusion Alert Protocol (IAP) is used as the transport protocol which provides secure communication of IDMEF messages. I also integrate all components into an LDS network such that it can be treated as a single component to plug into the network of an Internet node. Finally, by running simulations, I find that the proposed system is very effective in detecting DDoS attacks. Moreover, the false alarm rate is very low (actually, there is no confirmed false alarm in 60 independent simulation runs).
The proposed system also increases the number of normal packets that the victim can receive and process when there is an ongoing DDoS attack. This effect is particularly significant when the daemon coverage (% of network nodes with daemon) is between 2.5% and 12%. It also avoids traffic congestion in the Internet as a whole when there is a large scale DDoS attack, as the proposed system can block over 85% of attack traffic early in the network.
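The abstract describes three of the LDS components by their roles: P-box raises a volume anomaly per destination and names the inbound interfaces carrying it, with thresholds that track the changing baseline; A-box applies decision rules that avoid false alarms; R-box rate-limits traffic to the confirmed victim on the confirmed interfaces. The following is an added illustration of that pipeline in one node, not code from the dissertation, and it uses algorithms of its own choosing where the abstract names none: an EWMA mean/variance baseline per (interface, destination) pair with a k-sigma threshold, a "two consecutive anomalous intervals" confirmation rule, and a cap of twice the learned baseline as the rate-limit filter. The interface names, addresses and per-interval packet counts are constructed for the example.

```python
"""Adaptive volume-anomaly detection (P-box), alert confirmation (A-box) and
rate-limit response (R-box) in one LDS node.

Added example, not code from the dissertation. The EWMA baseline, the
two-interval confirmation rule, the 2x headroom cap, the interface names
and the addresses are all assumptions for illustration."""
import math
from collections import defaultdict
from dataclasses import dataclass

VICTIM = "10.0.0.5"   # constructed victim address
OTHER = "10.0.0.9"    # constructed destination that is never attacked
ATTACK_START = 8      # interval at which the constructed flood begins


@dataclass
class Baseline:
    """EWMA estimate of mean and variance of per-interval packet counts."""
    alpha: float = 0.3
    mean: float = 0.0
    var: float = 0.0
    samples: int = 0

    def update(self, x: float) -> None:
        if self.samples == 0:
            self.mean = x
        else:
            diff = x - self.mean
            self.mean += self.alpha * diff
            self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
        self.samples += 1

    def threshold(self, k: float = 3.0, floor_frac: float = 0.5) -> float:
        # k sigma above the mean, but never tighter than floor_frac of the
        # mean, so near-constant traffic does not alarm on tiny jitter.
        return self.mean + max(k * math.sqrt(self.var), floor_frac * self.mean)


class PBox:
    """Flags destinations whose inbound volume exceeds the adaptive threshold
    and the inbound interfaces carrying the excess."""

    def __init__(self, warmup: int = 3):
        self.warmup = warmup
        self.by_dst = defaultdict(Baseline)
        self.by_iface_dst = defaultdict(Baseline)

    def observe(self, interval: int, volumes: dict) -> dict:
        """volumes: {(iface, dst): packets this interval}.
        Returns {dst: set of suspicious ifaces} for anomalous destinations."""
        per_dst = defaultdict(int)
        for (_, dst), n in volumes.items():
            per_dst[dst] += n
        suspicious = {}
        for dst, total in per_dst.items():
            b = self.by_dst[dst]
            anomalous = interval >= self.warmup and total > b.threshold()
            if not anomalous:
                b.update(total)  # learn only from traffic judged normal
            ifaces = set()
            for (iface, d), n in volumes.items():
                if d != dst:
                    continue
                ib = self.by_iface_dst[(iface, dst)]
                if interval >= self.warmup and n > ib.threshold():
                    if anomalous:
                        ifaces.add(iface)
                else:
                    ib.update(n)  # attack volume never poisons the baseline
            if anomalous:
                suspicious[dst] = ifaces
        return suspicious


class ABox:
    """Confirms an attack only after confirm_after consecutive anomalous intervals."""

    def __init__(self, confirm_after: int = 2):
        self.confirm_after = confirm_after
        self.streak = defaultdict(int)
        self.confirmed = {}  # dst -> set of confirmed inbound interfaces

    def decide(self, suspicious: dict) -> dict:
        for dst in list(self.streak):
            if dst not in suspicious:
                self.streak[dst] = 0
        for dst, ifaces in suspicious.items():
            self.streak[dst] += 1
            if self.streak[dst] >= self.confirm_after:
                self.confirmed.setdefault(dst, set()).update(ifaces)
        return self.confirmed


class RBox:
    """Rate-limit filter: traffic to a confirmed victim on a confirmed interface
    is capped at headroom x the learned baseline; other traffic is untouched."""

    def __init__(self, pbox: PBox, headroom: float = 2.0):
        self.pbox, self.headroom = pbox, headroom

    def filter(self, volumes: dict, confirmed: dict):
        passed = dropped = 0
        for (iface, dst), n in volumes.items():
            if dst in confirmed and iface in confirmed[dst]:
                cap = math.ceil(self.headroom * self.pbox.by_iface_dst[(iface, dst)].mean)
                allow = min(n, cap)
                passed, dropped = passed + allow, dropped + (n - allow)
            else:
                passed += n
        return passed, dropped


def constructed_traffic(interval: int) -> dict:
    """Constructed per-interval packet counts (not measured data): small
    deterministic jitter, then a flood toward VICTIM on if2 and if3."""
    j = (interval * 7) % 5
    vols = {("if1", VICTIM): 100 + j, ("if2", VICTIM): 110 + j, ("if3", VICTIM): 90 + j,
            ("if1", OTHER): 50 + j, ("if2", OTHER): 60 + j, ("if3", OTHER): 40 + j}
    if interval >= ATTACK_START:
        vols[("if2", VICTIM)] += 5000
        vols[("if3", VICTIM)] += 5000
    return vols


def run(intervals: int = 12) -> dict:
    pbox, abox = PBox(), ABox()
    rbox = RBox(pbox)
    report = {"confirmed_at": None, "victims": {}, "passed": 0, "dropped": 0, "false_alarms": set()}
    confirmed = {}
    for t in range(intervals):
        vols = constructed_traffic(t)
        suspicious = pbox.observe(t, vols)
        if t < ATTACK_START:
            report["false_alarms"].update(suspicious)
        confirmed = abox.decide(suspicious)
        if confirmed and report["confirmed_at"] is None:
            report["confirmed_at"] = t
        passed, dropped = rbox.filter(vols, confirmed)
        report["passed"] += passed
        report["dropped"] += dropped
    report["victims"] = {d: sorted(i) for d, i in confirmed.items()}
    return report


if __name__ == "__main__":
    print(run())
```

Two points the example makes that the abstract only states: the baseline is updated only from traffic the P-box judges normal, so a sustained flood cannot raise its own threshold and silently become the new normal; and the R-box acts only on the (interface, destination) pairs the A-box confirmed, so the unaffected destination and the clean interface if1 keep passing traffic at full rate while the flood on if2 and if3 is cut to roughly twice their pre-attack volume.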
Rights: All rights reserved
Access: restricted access

Files in This Item:
File: b16681472.pdf
Description: For All Users (off-campus access for PolyU Staff & Students only)
Size: 4.34 MB
Format: Adobe PDF




Please use this identifier to cite or link to this item: https://theses.lib.polyu.edu.hk/handle/200/566