Baseline - A Passive Approach to Tolerate and Detect DoSDDoS Attacks

JIN Shu, Computer Science Department, Nanjing University of Sci & Tech, Nanjing, Jiangsu, P.R.China
LIU Fengyu, Computer Science Department, Nanjing University of Sci & Tech, Nanjing, Jiangsu, P.R.China
XU Manwu, State Key Software Tech Lab, Nanjing University, Nanjing, Jiangsu, P.R.China

Abstract - Many approaches have been suggested recently to address the problem of distributed denial-of-service (DDoS) attacks, yet few of them pay enough attention to the quality of service (QoS) requirements of the communication processes running on the victim-end systems, especially when those systems are under DDoS attack. By employing a novel communication service surveillance algorithm called "Shepherd", we present in this paper a DDoS detection architecture named Baseline, a passive approach in that it takes a different perspective from many other DDoS detection methods. Baseline can be installed on any host in the Internet communication environment with trivial effort, and the running system consists only of a lightweight daemon that efficiently performs the Shepherd algorithm on the registered communication processes. Through pluggable modules added to the actuator of the daemon, Baseline can be easily integrated with intrusion detection systems (IDS). Compared with previous work, our approach does not require traffic analysis or packet content filtering, which entails an always-running process with high CPU overhead; nor does it require any modification to existing router systems, which is simply considered impractical economically. Moreover, Baseline achieves zero false positives to some extent, as we show in the paper.

Keywords: Baseline Service, Availability Surveillance, DoS/DDoS Attacks Detection

1 Introduction

With the widespread use of email, web shopping, instant messaging, searching and many other daily services, the Internet is playing a more and more important role both socially and economically. Along with providing connectivity to anyone from any place at any time, the Internet has brought severe security problems as well, even back to the days of its birth, when the first connection between computers in the ARPAnet resulted in a crash of the receiving system due to bugs in the communication software [1]. Among all the security problems, the distributed denial of service (DDoS) attack is considered to be the most intractable one. Many security incidents have been reported to be caused by DDoS attacks. Some recent occurrences that attracted much attention are as follows: in the year 2000, a DDoS attack took Yahoo.com down for three hours and put eBay, Amazon and Buy.com out of service for a considerable period of time, which cost millions; in 2001, a worm called "Code Red" attacked www.whitehouse.gov, and only by being moved to a different host could the White House website get back into service. According to the press, it is estimated that corporations globally lost over $1.39 trillion in revenue due to security breaches in 2000, of which over 60% was due to viruses and DoS/DDoS attacks [2]. For various reasons, such as an unwillingness to admit incompetence in doing business, not every DDoS attack incident is revealed to the public; what we know from the media is just the tip of the iceberg. Given today's trend of initiating DDoS attacks with easy-to-get and user-friendly tools, we may conclude that DDoS attacks remain a great problem to solve and will still be on the rise in the foreseeable future.

To address the problem of DDoS attacks, of which several typical kinds such as Smurf, SYN flooding and TFN2k have been identified and investigated [3, 4, 5], we must first examine the underlying Internet infrastructure. The Internet was designed and implemented with only speed and functionality in mind, unfortunately not security. Such design decisions were reasonable in the early days of the Internet, when all of the users, most of them researchers, set out to share their knowledge on the basis of mutual trust. As the Internet came into wide use around the world, some vulnerabilities of its infrastructure were discovered by people and organizations with malicious intentions, namely attackers, and further abused to serve their selfish needs. Some of the vulnerabilities exploited by attackers are as follows. When a host is connected, it can generate and inject into the Internet almost any number and any kind of packets at will at any time, which gives rise to intrusions such as port scanning and protocol abuse. All protocols of the Internet protocol (IP) suite deliver their respective payloads in IP packets through the Internet routing infrastructure. When a packet is forwarded by a router, only the destination IP address is used, with the implication that any source address is acceptable; this directly results in the problem of IP spoofing (sending IP packets with arbitrarily forged source addresses) and thus makes it more difficult, if not impossible, to identify the source of a spoofed IP packet. Bearing in mind only speed and efficiency, routers in the Internet pay no attention to authorization and authentication, thus leaving the Internet open to any incoming IP packet flow, many of which are malicious. Routers almost never log, which makes the Internet stateless; querying routers for information about passing packets is extremely difficult.

Any hardware or software system may contain holes or bugs that an attacker may exploit to compromise the whole system; we ignore this problem in this paper by assuming that all the hardware and software systems we mention work properly. Although a perfect solution to defend against DDoS attacks can never be achieved in the current Internet infrastructure, given the nature and underlying routing mechanisms of the Internet discussed above, many solutions have been suggested to address the problem. For example: Ingress Filtering [6] and Egress Filtering [7] can sieve out spoofed packets even before they are injected into the Internet; IP traceback [1] and ICMP traceback [8] were introduced to find the sources of DDoS attacks; Aggregate-based congestion control (ACC) [9] was introduced to detect and thwart DDoS attack streams through the Pushback mechanism [10], which calls for the cooperation of the routers on the forwarding path from source to destination; overlay networks [11] are used by service providers to hide their Internet servers; and still other approaches try to detect DDoS attacks simply by measuring specific variables such as the network throughput or the packet loss rate of the supervised host. These solutions, if applied to the hosts and routers in the Internet, will greatly reduce the risk of being hit by DDoS attacks. A more detailed analysis of these approaches is given in Section 2. Baseline service, the approach presented in this paper, tries to address the problem of DDoS attacks from a different perspective, one often neglected by other approaches: what effect does the DDoS attack actually have on the network communication processes on the hosts?

As the problem of DDoS attacks cannot be easily and totally resolved, if an attack does not hinder the data communication of the running processes, or only degrades the service to an acceptable extent, why not just tolerate and monitor it instead of being over-alert? The philosophy at the heart of our solution is "If it ain't broken, don't fix it"; Baseline service thus takes a passive attitude toward possible DDoS attack traffic. The only thing the Baseline daemon deployed on the host cares about is the service availability status of the currently running communication processes: are they running properly with enough bandwidth to serve their clients or peers, or have they already been DDoSed to a halt? Baseline service takes care of this, as will be described in Section 3.

The rest of this paper is organized as follows. In Section 2, we give a brief introduction to related work on the same problem of DDoS attacks. After a thorough description of the Baseline service architecture in Section 3, the Shepherd algorithm for DDoS detection, which is our core contribution, is described in Section 4. Section 5 discusses in detail the implementation issues of Baseline service. Section 6 is an in-depth analysis of the whole approach. Finally, we conclude the paper and suggest future work in Section 7.

2 Related work

In the literature, many efforts have been dedicated to the detection, mitigation, defense and even prevention of distributed denial-of-service attacks. We classify them into four classes according to their specific perspective on the problem and give a brief introduction to each in the remainder of this section.

2.1 Identification/Detection (IDS)

Most DDoS detection methods fall into three categories: communication throughput measurement, packet loss ratio statistics, and attack pattern matching.

The first type of DDoS detection method monitors the traffic on networked devices (hosts and routers) and raises a DDoS attack alert when the throughput goes beyond a predefined threshold. Since the threshold is always chosen from experience acquired through a long period of network administration and maintenance in a specific network environment, the threshold value may be considered a mythical number, which makes these approaches hard to adapt elsewhere. Although deciding whether or not the host/router is under a DDoS attack from the packet loss ratio can be implemented efficiently and entails only trivial overhead, the fact is that packet loss may be caused by many reasons other than DoS/DDoS attacks, which results in a high false positive rate. Pattern matching may be the most popular technique used in IDS systems. Only known DDoS attacks will be detected through packet content filtering, not unknown types, which makes the approach susceptible to a high false negative rate. Baseline service, presented in this paper, is a DDoS detection mechanism that passively monitors the service availability of the running communication processes. By judging DDoS attacks through the health status of the processes that perform network communication, Baseline may identify any DDoS attack that really matters with no prior knowledge, and offers a zero false positive rate in the ideal situation while tolerating possible DDoS attacks that cause little or no damage.

2.2 Mitigation

Among all the approaches that set out to mitigate the damage caused by DDoS attacks, aggregate-based congestion control (ACC) [9] is a typical one; it tries to defend against DDoS attacks through the cooperation of routers in the Internet routing infrastructure.

When a flow of traffic with a high throughput is identified by the victim (or by some dedicated hosts that perform aggregate detection) as an aggregate, meaning streams of packets from different sources that share some identical traits (usually the same destination IP address and port number), the upstream routers are queried in turn about their share of the bandwidth contributing to the aggregate and then asked to drop a considerable percentage of these packets. With the Pushback [9, 10] mechanism introduced, routers may make the same request of their upstream counterparts iteratively in order to stop the aggregate traffic as near to its source as possible. To protect legitimate traffic that coincidentally bears the same identification as the aggregate, namely the packets sent by the "poor" hosts described in [9], the rate limiter of an ACC-enhanced router will not filter out all such packets. Given that an algorithm for discriminating these packets is yet to be devised, the ACC-Pushback approach can only mitigate the bandwidth abuse caused by DDoS attacks; it cannot stop the attacks without disturbing the communication of some legitimate users.

2.3 Counteraction

Beyond merely detecting or mitigating the damage of DDoS attacks, some projects such as ICMP Traceback [8] and IP Traceback [1] go even further. When forwarding a packet to a specific destination, an ICMP traceback-enhanced router will, with a low probability (1/20000 is chosen in [8]), send a packet called an ICMP traceback message along with it to the destination. Having collected enough such packets sent by the routers along the paths from different sources to the host, the victim may reconstruct the attack graph of the whole DDoS attack and thus trace the attackers to their respective networks or hosts.

IP traceback approaches use more advanced techniques [12, 13, 14] in order to reduce the number of traceback packets generated and to improve the reliability and efficiency of reconstructing the DDoS attack paths. Another way of DDoS counteraction, namely XenoService, is suggested in [15]. In this approach a DDoS attack is detected through a steep fall in service quality; as a countermeasure, the service provider instructs cache servers distributed throughout the Internet, which mirror the same content, to start offering the same service to the public, thereby dispersing the energy of the DDoS attack and making the attacked server(s) seem unblockable to the attackers. While flooding all these distributed servers to a halt at the same time may be far beyond the reach of a single DDoS attack, the remaining problem of the approach is the cost incurred to deploy and maintain multiple replication sites.

2.4 Prevention

IP spoofing makes it almost impossible to trace a specific packet to its source; without spoofed source IP addresses, any packet can be easily traced to its point of origin in the Internet. P. Ferguson and D. Senie address this problem by introducing enhanced routers at ISPs' access points [6]. In their approach, named "Ingress Filtering", the routers that bridge between users' hosts and the Internet (edge routers) perform source IP address checking, which allows only packets with a valid source IP address from the user's specific subnet (LAN) to pass through and thus be injected into the Internet. With all edge routers enhanced to perform Ingress Filtering, the Internet would never see a single spoofed packet again, except in the case of hardware failures.

The benefit is twofold. For attackers, afraid of being caught and subjected to possible litigation or other punishment, no one would take the risk of participating in a DDoS attack; for the administrators of all other networked hosts, it is also important to take good care of their systems so as not to be compromised by attackers and used as DDoS attack daemons. However, for economic reasons, such as the cost of upgrading the routers and the fact that Ingress Filtering brings little, if any, concrete benefit to the ISPs themselves, the approach is yet to be widely employed. The same is the fate of Egress Filtering [7], which performs IP source address checking at the point where packets leave a LAN (the egress point), allowing only packets with a valid IP address in the LAN to be forwarded to the Internet, and thus prevents all hosts in the LAN from initiating anonymous attacks. Ingress Filtering and Egress Filtering have proven effective in preventing IP spoofing, and both need to be deployed on a larger scale.

3 Baseline service

3.1 Overview

Compared with approaches such as [9] and [6], which are proactive in defending against DDoS attacks, and other solutions like [11] and [22], which are considered reactive, Baseline takes a somewhat passive attitude toward DDoS attacks. With the creed "if it ain't broken, don't fix it", Baseline service runs silently in the background and monitors the running communication processes; if the availability of any such process is degraded to a certain degree, which is defined in the configuration of the process, a possible DDoS attack is identified and further actions may be taken according to the decision made by the Baseline actuator.

Figure 1. Baseline service architecture

Running as a background daemon, the Baseline service architecture contains five building components, as shown in Figure 1, namely Configuration, Register, Table, Shepherd and Actuator.

Any process engaged in data communication (TCP/IP based here) within the Internet may set its respective service quality requirements in the Baseline Configuration. When started, the Shepherd of the Baseline daemon continuously monitors all the communication operations performed by such registered processes, and if the required service quality cannot be ensured, the Shepherd informs the Actuator of the situation, so that further actions may be taken according to the Actuator's decision-making procedure. Detailed descriptions of the components that constitute the Baseline service are given in the following sections.

3.2 Configuration

We base our approach on the observation that the processes themselves know best whether they are being denied service or not. Thus the communication processes may provide their own definitions of denial of service by setting them in the Baseline Configuration. This strategy distinguishes Baseline service from many other DDoS detection methods, which decide whether DDoS attacks are going on without even querying the status of the running network services. When a possible DDoS attack is identified through a noticeable degradation (defined in the Configuration) in the service quality of a supervised communication process, Baseline service decides on the proper reactions to be taken, a decision supported by the Baseline Configuration. Variables associated with the quality of service, for instance timeout, maximum number of timeouts, minimum bandwidth required, maximum bandwidth required and many others, may be specified in the Configuration and hence used to define the normal service status and to support the decision-making process of the Baseline Actuator. With no specific service quality requirements provided in the Configuration, a communication process is only monitored on its timeouts and timeout count, which is considered a universally applicable mechanism and can be efficiently implemented.

For more complex strategies to be applied by the Baseline service, they need to be specified by the owners of the processes in the Baseline Configuration. As shown in Figure 1, the current version of the Baseline service architecture uses timeouts and timeout counts to measure the availability of the communication processes. If flooded by a DDoS attack, the processes monitored by the Baseline daemon may be deprived of their legitimate share of bandwidth and their send/receive calls encounter timeouts; the Actuator then analyzes the situation reported by the Shepherd and takes further actions.

3.3 Table

The Baseline Table is the storage allocated by the Baseline daemon to record brief QoS information about every send/receive call invoked by the communication processes registered with Baseline service. It resides in memory and may be dynamically appended to by the Register and modified by the Shepherd. When a send/receive operation is invoked, the Register forges a new entry with the service quality requirements
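The timeout-count monitoring that Sections 3.1 to 3.3 describe (Configuration per process, Register appending to the Table, Shepherd judging availability, Actuator reacting) can be sketched as follows. This is an added example, not code from the paper; the class and method names (Config, Entry, Baseline, register, record, shepherd), the default thresholds and the call durations are our own assumptions and constructed sample data.

```python
"""Toy model of the Baseline pipeline (Configuration, Register, Table, Shepherd, Actuator)
using the timeout-count policy of Section 3. Added example, not the paper's code."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass
class Config:            # per-process QoS requirements (the paper's Configuration)
    timeout: float       # seconds a send/recv may take before it counts as a timeout
    max_timeouts: int    # consecutive timeouts tolerated before the Shepherd alerts

@dataclass
class Entry:             # one row of the Baseline Table: brief QoS record of a call
    pid: int
    op: str              # "send" or "recv"
    elapsed: float       # measured duration of the call in seconds
    timed_out: bool

class Baseline:
    def __init__(self, actuator: Callable[[int, str], None]) -> None:
        self.config: Dict[int, Config] = {}
        self.table: List[Entry] = []
        self.streak: Dict[int, int] = {}   # consecutive timeouts per registered process
        self.actuator = actuator           # pluggable reaction (log, notify an IDS, ...)

    def register(self, pid: int, cfg: Optional[Config] = None) -> None:
        """Without explicit requirements the paper's default applies: monitor
        only timeouts and their count (assumed default values)."""
        self.config[pid] = cfg or Config(timeout=5.0, max_timeouts=3)
        self.streak[pid] = 0

    def record(self, pid: int, op: str, elapsed: float) -> Optional[str]:
        """Register step: append a Table entry for a completed call, then let
        the Shepherd judge the process's availability."""
        cfg = self.config[pid]
        timed_out = elapsed > cfg.timeout
        self.table.append(Entry(pid, op, elapsed, timed_out))
        return self.shepherd(pid, timed_out)

    def shepherd(self, pid: int, timed_out: bool) -> Optional[str]:
        """Shepherd step: a successful call clears the streak (a weak attack is
        simply tolerated); reaching max_timeouts hands the case to the Actuator."""
        cfg = self.config[pid]
        self.streak[pid] = self.streak[pid] + 1 if timed_out else 0
        if self.streak[pid] < cfg.max_timeouts:
            return None
        reason = f"pid {pid}: {self.streak[pid]} consecutive timeouts (> {cfg.timeout}s)"
        self.actuator(pid, reason)
        self.streak[pid] = 0               # re-arm so continued degradation alerts again
        return reason

def run_demo() -> List[str]:
    """Replay constructed recv() durations per process: normal traffic, one slow
    call (tolerated), then a sustained flood that trips the threshold."""
    alerts: List[str] = []
    bl = Baseline(actuator=lambda pid, why: alerts.append(why))   # stand-in Actuator
    bl.register(1001)                                              # default policy
    bl.register(1002, Config(timeout=1.0, max_timeouts=2))         # stricter service
    trace = {                                                      # constructed sample data
        1001: [0.2, 0.3, 6.1, 0.4, 5.5, 5.8, 6.0, 0.3],
        1002: [0.1, 0.1, 1.5, 0.2, 1.2, 1.4, 1.3, 1.6],
    }
    for pid, durations in trace.items():
        for elapsed in durations:
            bl.record(pid, "recv", elapsed)
    return alerts
```

Because an isolated slow call resets nothing but the streak, the daemon tolerates short-lived degradation and only the sustained loss of service reaches the Actuator, which is the tolerate-then-detect behaviour the paper argues for.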