2011 International Conference on Advanced Technologies for Communications (ATC 2011) Distributed defense of Distributed DoS using Pushback and Communicate mechanism Nguyen Trung Hai Doan Cao Thanh, Nguyen Van Quan, Nguyen Thi Huyen Trang, Doan Minh Phuong University of Engineering and Technology Vietnam National University Hanoi, Vietnam nguyen.hai@vnu.edu.vn University of Engineering and Technology Vietnam National University Hanoi, Vietnam {s0420305, s0420333, s0420407}@coltech.vnu.vn, phuongdm@vnu.edu.vn users’ requests by checking each packet is impractical Second, the overwhelming quantity of packets is contributed by many agents taking part in DDoS attacks Thus, agents may not be not too powerful machines Another result is the traffic from each agent is too small to detect near the source Third, attackers are carefully hidden by using IP spoofing or hiding mechanism (with some intermediate agents) By those reasons, DDoS attacks are very difficult to detect Even when victim find the attackers, it will not prevent all of them because of the large number of agent networks as well as its large coverage Also, since core routers just concern about the destination address rather than the source one, then if attacker spoof the IP address of agents, it is harder to figure out the source of attack [6] Moreover, in perspective of packet’s content, each comes to victim is clearly legitimate, just the massive of packets in short time has caused the victim overloaded We can classify DDoS defense mechanism by time or location By time, there are two types: prevention (before attack happens) and reaction (react to occurring attack) Based on the location of defenses’ system, they can be divided into types: near the victim, near the attacker, in the middle and the combination of all Abstract— DDoS is one of the most dangerous methods to attack victim network because it uses a vast quantity of distributed agents to make victim paralyze This paper gives a DDoS defense method which is based on “pushback and communicate” idea (PaC method) When the gateway of victim detects DDoS attack, it has to listen on interfaces to define the neighbors from which DDoS packets come Those neighbors will receive DDoS information and same things the victim’s gateway does By repeating that work, PaC can find the exact way DDoS packets had passed through All routers then continue creating their own filters before sending DDoS information to their next neighbors Keywords: Denial of Service (DoS), Distributed Denial of Service (DDoS), distributed defense, push back, packet filtering, traffic monitoring I INTRODUCTION Denial-of-service (DoS) may interrupt victims with serving legitimate clients; prevent these clients to from accessing legal services by sending a massive of packets according some term to make victim server overload to handle those kinds of packets Distributed denial-of-service (DDoS) attack is DoS attack from multiple sources of attackers (those attackers may be located in wide area) There are some key terms which need to understand clearly such as victim, agent, handler, stepping stone and attacker Victim is the destination of DDoS packets which is expected that will be interrupted or failed down Agents are machines which directly send attack requests to victims Each DDoS attack is the result of a vast number of agents Agents receive control command from machines called handlers which are controlled by attacker Attacker is the real instigator In some cases, attacker and handler communicate via stepping stone to hide his real footprint He often chooses the stepping stone at the different country to reduce the risk, in technical perspective, as well as in law perspective [1] In fact, stepping stone is a handler in higher level When victim traces back, it often find out the agents, but it’s very difficult to know who real attacker is behind Because of distributed feature, DDoS attack becomes much more difficult to detect and prevent First, DDoS attacks use legitimate packets Therefore, distinguishing between DDoS requests and real 978-1-4577-1207-4/11/$26.00 ©2011 IEEE A Prevention and Reaction Prevention makes it impossible to perform a DDoS attack by preventing attackers from launching an attack (for example, limit the number of packets from some sources or run) or improving system power and processing threshold such as system performance or bandwidth But that way is impractical because of distributed characteristic For example, if administrator doubles system performance, the number of agents will be increased more than twice The cost of this method is also need to be considered In fact, administrators often choose reaction methods which solve problems after DDoS attack happened First, they try to find out what agent is exactly joining the current attack Then, some forbidden policies will be applied to decrease or stop traffics from those sources Reaction method is positive, thus the victim had to suffer serious damage before the attack was blocked However, it is generally used because it is more practical than prevention mechanism 178 control the traffic for the large networks, with additional DDoS traffic controlling, using the push back mechanism with input parameters, although this mechanism is still bulky and it doesn’t have mechanism to avoid exploiting and cheating B Location of defenses’ system Putting the defenses’ system near the victim is very simple as it is not affected by other objects This method was used to perform reaction after victim was attacked It needs high system performance because it operates while suffering from attacking Near the attacker’s defense system is a good choice for DDoS defending DDoS attack flow can be detected as soon as it starts blowing It also can detect the IP spoofing if any However, it requires a powerful system for faster detection There are so far three methods implemented this approach [4] D-WARD is the most significant method follows this idea It solves problem independently and takes significant effects (preventing 70% TCP, ICMP attack and supporting UDP protocols in avoiding DDoS attack) [5] DDoS defense center also is put in the middle However, it is not good choice because changing Internet’s core requires much of cost and has to be agreed all over the world For this reason, it is theoretical and impractical Finally, the best choice is combination which means victims detect the attack and try to find help from far nodes in Internet, in some cases it is pushed to the location near the attacker That way decreases victim system’s duty, thus it is chosen by many DDoS defense researchers III A Key terms + Filter: Filter is a collection of rules which is installed for each router (it may be different between other routers) Those filters will determine whether a packet is transferred or stopped [2] In PaC, filters prevent DDoS packets which have source’s IP address is like agent’s IP address and destination’s IP address is victim’s IP address Each filter exists in constant and limited time The final filter (the filter which is located nearest the attacker) lives in a longer time than other ones + Router/Gateway: In this paper, “router” means a machine or device which can route and execute PaC protocol “Gateway” is used in its pure meaning In PaC protocol, there are two types of gateway: victim’s gateway and agent’s one As network has NAT mechanism, it is hard to trace directly to the computer inside the local network that joins the DDoS attack In term of that, we consider the source which forwards the IP packets to perform attacking as agent’s gateway In normal case, this kind of gateway transit packets between local network and the Internet using NAT mechanism, but when one machine joins attacking DDoS, this gateway will act as agent’s gateway In special case, the attacking machine has static IP or uses proxy server to perform attacking In that case, we call agent which has static IP or the proxy server agent’s gateway For Victim gateway, the concept is the same, except for no proxy server for Victim + Poisoned neighbors: One router R has many neighbors Some of R’s neighbors, for example A and B, accept DDoS packets go through them to R R does not receive any DDoS packets from others such as C and D In this paper, we call A and B poisoned neighbors C Introduction to PaC mechanism PaC is a new method to prevent DDoS attack which belongs to combination method It bases on principles: Using filters in routers to stop DDoS packets -Pushing back and communicating to require the help from routers near the attacker Because using not only IP address but interface to perform pushing back, PaC can prevent any IP spoofing attacks Moreover, supervisor and inspection mechanism before filtering help PaC detect cheating and exploiting II PAC MECHANISM RELATED WORKS AITF - Active Internet Traffic Filter [3] is a mechanism for blocking highly distributed denial-of-service attacks In order to prevent attacks, this method uses notion “Route Record” that allows to write router’s IP address on each packet it forwards As a result, each packet carries identity of a sub-list of the border routers that forwarded it When network administrator feels having DDOS attack, he send immediately signal to router that nearest (V_GW) for creating filter that blocks attacks Then AITF protocol will determine router that nearest attacker (A_GW) and connect to it for stopping attacks If A_GW cooperates then it will block attacks In contrast, this method will escalate One of most effective system to defend and react to DDoS attack is D-WARD [5] as it can self-regulate with received packets It includes three components: observation, rate-limiting and traffic- policing components and each component has private functional The traffic-policing component must be part of source router while the observation and rate-limiting components can be obtained traffic statistics by interacting with source router and then installing rate-limit rules In term of general control the network traffic, Aggregate-Based Congestion Control (ACC) and Pushback [7] is aimed to B PaC Mechanism PaC stands for “pushback and communicate”, and is used to call both method and protocol PaC method can spread filters through routers and push back to the source by communicating When an IP address is determined as attacker’s source, victim’s gateway will activate its own filter and listen to determine what interfaces DDoS packets go from Then, victim’s gateway sends requests through that interface to require its poisoned neighbors create filters Those poisoned neighbors create filters, listen and continuously send requests to their poisoned neighbors This recursive rule will be stop when we find the nearest router from the agent By this method, we can determine the root cause router which broadcast DDoS packets, whether this router is spoofed or not PaC protocol applies rules and messages for all routers on the network Other routers which don’t implement PaC protocol will be transparent This mechanism is implemented through six steps: 179 1) Step Victim detects DDoS packet from an agent with IP address a.b.c.d, send “start PaC protocol” request to its gateway (V_GW) with parameters are its own IP address and agent’s IP address Victim and V_GW use an asynchronous bi-directional authentication method to ensure that “start PaC protocols” request is not faked In case of Victim using static IP, it will take a role of V_GW 2) Step V_GW creates a filter to prevent packets from a.b.c.d in the time tstart 3) Step V_GW checks agent’s IP address to determine whether it is faked or not by pinging to a.b.c.d.: + If there is no response, agent often fakes IP, go to step The time for waiting response is called tno-response + If there is any response in tresponse, V_GW determines that is agent’s gateway (A_GW) V_GW will soon forward the filter role to A_GW 4) Step First, V_GW looks for two nearest routers from agent which were installed PaC protocol For example in Figure 1, Router Y is the nearest router from agent, then Router X) In best case, Router Y is agent’s gateway (A_GW) Router Y must stop DDoS traffic, and router X supervises router Y V_GW send request to A_GW to ask if A_GW has installed PaC protocol or not If yes, we look for the preceding router of A_GW to give it the role to supervise A_GW Time for looking those two routers is tsearch + Searching approach is following: V_GW traces the route to a.b.c.d by sending ICMP packets which have TTL increasing from Routers within the route to A_GW will response sequentially ICMP time exceeded packet V_GW then establish reliable connection to each of those routers to ask if it supports PaC protocol or not Two earliest routers response “Yes” will be RouterY and RouterX respectively If A_GW have already supported PaC then we need only one more + Next step, RouterX and RouterY perform reserve checking whether V_GW is gateway of victim or not If victim has the same IP address with V_GW, we skip this step In other cases, RouterX and RouterY check if V_GW proceeds of victim or not, by sending ping command with TTL h+1 and h to V_GW and victim, respectively, in which h is the hop number from V_GW to sending router If router doesn’t receive valid response, which is ICMP time exceeded from victim and V_GW, it will deny and disconnect V_GW Otherwise, we jump to step The total time for authenticating each other is tauthen 5) Step + V_GW requests RouterY setup FilterY in tY, and sends DDoS traffic R1 from a.b.c.d it received + V_GW establishes reliable connection to RouterX, and then requests it to build ShadowX to inspect DDoS flow from a.b.c.d in ∆t, and then terminate the connection + RouterY, after setting up FilterY in tY, it performs two actions: stop DDoS traffic forwarding to it, as well as count this traffic as R2: Figure 1: PaC model - If R1 >> R2, agent has spoofed IP a.b.c.d, RouterY eliminates FilterY, sends R2 to V_GW V_GW compares with R1, disconnects RouterY, and then performs step - If R1≈ R2, agent is attacking, RouterY responses back to V_GW, V_GW acknowledges then terminate connection RouterY now performs step as role of V_GW (called “relative pushing back”) - Time for checking R1, R2 is called tcheck + If RouterX monitors RouterY in time ∆t without finding the significant decrement of DDoS traffic, that means RouterY cannot stop the DDoS traffic Thus, RouterX will setup FilterFinal in time tlong Process finishes 6) Step V_GW executes “push back and communicate”: V_GW turns on the filter in tstart, sends requests to neighbor routers Each neighbor will setup the same filter, recursively forward the request to set up filter to their nearby neighbors The time to perform filtering in each router is ttmp, if one router receives more than one request to setup the filter; it just resets ttmp to zero + In ttmp, if router still receives DDoS traffic sent through its neighbor router, it should re-send the requests up to three times After that time without significant result in reducing DDoS traffic, it is clearly that neighbor routers had failed to finish the mission (they maybe didn’t installed PaC protocol) In this case, original router will setup the filter by itself in tlong Process finishes + Other routers wait for the time out of ttmp to stop filtering, build the shadow file to perform supervising nearby succeeding routers in tsupervise In this time, if DDoS traffic still is transferred, they turn on the filter in tlong Process finishes C Avoid cheating Attacker may take control of a router in the path where PaC is executing, forbid to setup the filter as neighbor’s router requests Moreover, he may control A_GW, when neighbor router requests, it pretends as already setup the filter tlong, but just in tcheat > 2* RtbTtb This waiting time was often set to constant as threshold in V_GW’s configuration + Time to push back the request message in the whole network tY = Rtb*Wtb*Ttb In which Wtb was average waiting time from router received request to setup filter until receiving the DDoS flow, then sending the request to its neighbor + The total time should be T2 = tno-response + Rtb*Wtb*Ttb 3) If all routers didn’t support PaC protocol, except for V_GW, all agents were spoofed V_GW checked for spoofing first, then sent request to its neighbor, after times failure, V_GW setup filter itself in the time: T3 = tno-response + 2*tstart 4) Review DDoS boosts it performance by distributing the agent further, it makes Gtb increase, and that means performance index of PaC increases This is one of advantages of PaC mechanism for defending DDoS Figure 2: Use Shadow to avoid cheating D Avoid exploiting One router G may pretend as victim of DDoS to stop the access from network H to network K G will broadcast that H is attacker to K, then send requests to execute PaC to stop all the traffics from H to K There are two ways for G to do: + G acts of gateway of K (V_GW), connects to gateway of H (acts as A_GW) to request setting up PaC filter to stop traffic to K + G acts of gateway in the middle between H and K, running PaC protocol and requesting G’s neighbor to setup filter to stop traffic from H to K To avoid this, in first case, when G connects to gateway of H network, it must be reliable connection without faking IP After that, H’s gateway still checks if G stays in front of H or not by double pinging If no, H declines to setup filter In second one, it is nearly impossible to stop traffic from H to K, by three reasons First, routers in the core of Internet were managed carefully by ISP, almost inaccessible Second, core routers are much simpler than machines, with fewer applications to be exploited Last, the Internet architecture is packet switching, the route from H to K is not static, but dynamic time by time The cost to trace all the routes from H to K will be much more than the final target IV ANALYSIS A Time and filtering effectiveness Let suppose Rtb is the average number of routers that one packet go through one host to another, Ttb is the average number of routers that one packet go through one node to another is Ttb Rtb*Ttb may be considered as constant for each host, called acceptable response time Suppose Ftb is the average number of filters setup in each interface of each router (according to [3], Ftb has approximately value of 10.000), Gtb is the number of agents attacking is A and the number of A_GW defending, in which the value of Atb=A/Gtb is called the average number of agents which A_GW must defend against If Atb is equal or less than Ftb then our defense system is effective Therefore, we consider 1/Atb as performance index of PaC protocol When this index is getting bigger, PaC protocol works more effective B Analysis of PaC mechanism 1) Advantages + PaC mechanism doesn’t consume Internet traffic too much in comparison of AITF [3], it is activated only when victim detects the attack AITF always insert Route Record to IP packet whether attack is happened or not, which makes overhead of IP packet increases significantly + V_GW tries to forward the role of filterer to router near agent, soon stops the DDoS traffic early, reduce the bottleneck for victim 181 ACKNOWLEDGMENT This work was supported by the Vietnam National Foundation for Science and Technology Development (NAFOSTED) for a Basic Research Project (No 102.01.25.09) + PaC can prevent IP faking, cheating and exploiting + It is effective to stop DDoS even there are many routes from attacker to victim with dynamic routes updated constantly + PaC is implemented in network layer; it is transparent for the routers in the middle which don’t have PaC installed + PaC works outperformed even when attacking network is highly distributed 2) Disadvantages + It is better to request core routers to setup the filter, but that may cause overhead in the whole network + If attacker rotates faking IP, A_GW must setup many filters for one IP respectively, which may make the performance slower V REFERENCES [1] [2] [3] CONCLUSION PaC is mechanism to prevent DDoS by setting up the “reaction” behavior, combine many kinds of location to perform distributed defending However, it is just model need to be verified in reality In the next time, we want to implement this mechanism in Cisco-based routers to evaluate the performance with the real and public DDoS data provided by ISP [4] [5] [6] 182 Jelena Mirkovic, Sven Dietrich, David Dittrich, Peter Reiher Internet Denial of Service: Attack and Defense Mechanisms Prentice Hall PTR 2004 Access list configuration in Cisco's Gigabit Ethernet Interface http://cisco.com/en/US/products/hw/switches/ps5304/prod_configurat ion_guides_list.html Katerina Argyraki, David R Cheriton Active Internet Traffic Filtering: Real-Time Response to Denial-of-Service Attacks Proceedings of the USENIX annual technical conference 2005 Vicky Laurens, Abdulmotaleb El Saddik, Pulak Dhar and Vineet Srivastava Detecting distributed denial of service attack traffic at the Agent machines IEEE CCECE 2006 J Mirkovic D-WARD: Source-End Defense Against Distributed Denial-of-Service Attacks Ph.D dissertation, University of California, Los Angeles 2003 J Postel RFC 791 - Internet Protocol  ... types of gateway: victim’s gateway and agent’s one As network has NAT mechanism, it is hard to trace directly to the computer inside the local network that joins the DDoS attack In term of that,... network traffic, Aggregate-Based Congestion Control (ACC) and Pushback [7] is aimed to B PaC Mechanism PaC stands for pushback and communicate , and is used to call both method and protocol PaC method... having DDOS attack, he send immediately signal to router that nearest (V_GW) for creating filter that blocks attacks Then AITF protocol will determine router that nearest attacker (A_GW) and connect