Thursday, September 16, 2010

DDoS tracking and mitigation: an introduction
Link testing

Most tracking techniques start from the router closest to the victim and then check the upstream links one by one until the origin of the attack traffic is found. Ideally this process is applied recursively until the attack source is reached. The technique assumes that the attack stays active until tracking is complete, so it is hard to track an attack after it has ended, an intermittent attack, or an attack that is adjusted in response to the tracking. Link testing includes the following two approaches:

1. Input debugging

Many routers offer an input debugging feature that lets the administrator filter particular packets on an egress port and determine which ingress port they arrived on. This feature is used for traceback as follows. First, the victim, on recognising that it is under attack, describes the attack packets (an attack signature). Using this signature, the operator of the upstream network configures a suitable input debugging filter on the egress port; the filter reveals the corresponding input port, and the process is repeated one hop further upstream until the originating source is reached. Much of this work is done by hand, although some foreign ISPs have developed tools that automate the follow-up within their own networks.

The biggest problem with this approach is the management overhead. Coordinating with the multiple ISPs along the path takes time, so the approach is slow and in practice almost infeasible.

2. Controlled flooding

A method proposed by Burch and Cheswick. It deliberately creates floods and observes the state of the routers to determine the attack path. First a map of the upstream topology is needed. When under attack, the victim starts from its upstream routers and, following the map, floods each upstream link in turn; because the flood packets share the router with the attack packets, the flooding raises the probability that the attack packets are dropped, and the resulting change in the attack traffic shows which link the attack traverses. Continuing in this way up the map, one approaches the source of the attack.

The idea is creative and fairly practical, but it has several drawbacks and limitations. The biggest drawback is that the approach is itself a DoS attack: it also denies service on some trusted paths, and this is hard to avoid. Moreover, controlled flooding requires a map covering almost the entire network topology. Burch and Cheswick also discussed applying the approach to tracking DDoS attacks. The method is only effective while the attack is ongoing.

Cisco's CEF (Cisco Express Forwarding) is in fact a form of link testing: using CEF to trace back to the final source requires that every router on the path be a Cisco router that supports CEF, which means a Cisco 12000 or 7500 series router (I do not know the current state and have not checked the latest Cisco documentation). Using this feature is also very resource-intensive.

On Cisco routers that support it (ip source-track), IP source tracking proceeds in the following steps:

1. When a destination is found to be under attack, enable tracking of that destination address on the router with the command ip source-track.

2. Each line card creates a dedicated CEF queue for tracking the destination address. On line cards or port adapters with a specific ASIC for packet switching, the CEF queue is used to push the packets to the line card's or port adapter's CPU.

3. Each line card CPU collects information about traffic to the tracked destination.

4. The collected data is periodically exported to the router. For a summary of the flow information, enter the command show ip source-track summary; for more detailed information per input interface, enter the command show ip source-track.

5. The statistics give a breakdown of the tracked IP addresses by input interface, which can be used to identify the upstream router. Disable source tracking on the current router with the command no ip source-track, then enable the feature on the upstream router.

6. Repeat steps 1 through 5 until the attack source is found.

This should roughly answer the point securitytest raised.

Logging

In this method the main routers log the packets they forward, and data-mining techniques are then used to determine the path the packets took. While this approach can be used to trace an attack after it has ended, it has obvious shortcomings: it may require a large amount of resources (or sampling), and sharing and processing such large volumes of data is a problem.

ICMP traceback

This approach relies on routers generating ICMP traceback messages themselves. With a very low probability (for example 1/200000), each router copies the contents of a packet into an ICMP message that also carries information about the adjacent routers (the router's source address). When a flood attack begins, the victim can use these ICMP messages to reconstruct the attacker's path. Compared with the methods described above it has many advantages, but also some disadvantages. For example, ICMP traffic is often filtered; ICMP traceback messages also depend on the same input debugging capability (associating a packet with its input port and/or MAC address) that some routers lack; and the scheme must have some way to deal with an attacker sending forged ICMP traceback messages. In other words, this approach is best used together with other tracking mechanisms to be more effective. (IETF iTrace)

This is what the IETF working group studied; at the time I sent some comments to Bellovin but did not get an answer. For example:

1. Although traceback packets are only sent at random with probability 1/20000, in the case of forged traceback packets the router's efficiency will still be affected to some extent.

2. Traceback packets cannot solve the authentication problem for forgeries. To determine whether a packet is forged, it has to be verified, which increases the workload.

3. Even with NULL authentication, the purpose can also be served (in the authenticated case), and it will not be much affected.

4. The purpose of iTrace is to deal with source spoofing in the original DoS problem, but the current design seems to make us focus more on the path than on the source. Is the path more useful than the source for solving our DoS problem?

So there are a bunch of issues which I think iTrace will find difficult.

Packet Marking

The idea of this technique (it has not been put into practice) is to make changes on the basis of existing protocols, and only very small changes, unlike the approach of iTrace; I think it is better than iTrace. There are many detailed studies of this kind of tracking, which have produced a variety of marking algorithms, but the best is the compressed edge sampling algorithm.

The principle of this technique is to change the IP header by overloading the identification field: when the identification field is not otherwise in use (i.e. the packet is not fragmented), the field is redefined as the mark.

The 16-bit identification field is divided into a 3-bit offset (allowing 8 fragments), a 5-bit distance, and an 8-bit edge fragment. The 5-bit distance allows 31 hops, which is already enough for the current network.

The marking and path reconstruction algorithms are:

Marking procedure at router R:
    let R' = BitInterleave(R, Hash(R))
    let k be the number of non-overlapping fragments in R'
    for each packet w
        let x be a random number from [0..1)
        if x < p then
            let o be a random integer from [0..k-1]
            let f be the fragment of R' at offset o
            write f into w.frag
            write 0 into w.distance
            write o into w.offset
        else
            if w.distance = 0 then
                let f be the fragment of R' at offset w.offset
                write f ⊕ w.frag into w.frag
            increment w.distance

Path reconstruction procedure at victim v:
    let FragTbl be a table of tuples (frag, offset, distance)
    let G be a tree with root v
    let edges in G be tuples (start, end, distance)
    let maxd := 0
    let last := v
    for each packet w from attacker
        FragTbl.Insert(w.frag, w.offset, w.distance)
        if w.distance > maxd then
            maxd := w.distance
    for d := 0 to maxd
        for all ordered combinations of fragments at distance d
            construct edge z
            if d != 0 then
                z := z ⊕ last
            if Hash(EvenBits(z)) = OddBits(z) then
                insert edge (z, EvenBits(z), d) into G
                last := EvenBits(z)
    remove any edge (x, y, d) with d != distance from x to v in G
    extract path (Ri..Rj) by enumerating acyclic paths in G
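The marking and reconstruction above, as an added simulation in Python (this is my own illustration, not code from the original post or from the paper it summarises). It uses the 16-bit field layout described above (8-bit fragment, 3-bit offset, 5-bit distance), assumes a single attack path, a marking probability p = 1/25, a SHA-256 prefix as Hash(R), and five constructed router addresses; the victim keeps the previous hop's full interleaved value as `last` so that the XOR cancels the edge exactly. The helper names (hash32, bit_interleave, split_bits, fragment, mark, reconstruct, simulate) are mine.

```python
import hashlib, itertools, random

FRAG_BITS, K = 8, 8   # 16-bit ident field: 8-bit fragment, 3-bit offset (8 fragments), 5-bit distance

def hash32(addr):  # Hash(R): 32-bit hash of a 32-bit router address (SHA-256 prefix, an assumption)
    return int.from_bytes(hashlib.sha256(addr.to_bytes(4, "big")).digest()[:4], "big")

def bit_interleave(addr, h):  # R' = BitInterleave(R, Hash(R)): address on even bits, hash on odd
    return sum((((addr >> i) & 1) << (2 * i)) | (((h >> i) & 1) << (2 * i + 1)) for i in range(32))

def split_bits(z):  # inverse of bit_interleave: (EvenBits(z), OddBits(z))
    return (sum(((z >> (2 * i)) & 1) << i for i in range(32)),
            sum(((z >> (2 * i + 1)) & 1) << i for i in range(32)))

def fragment(rprime, o):  # the 8-bit fragment of R' at offset o
    return (rprime >> (o * FRAG_BITS)) & 0xFF

def mark(w, router, p, rng):
    """Marking procedure at router R, applied to the mark w = (frag, offset, distance)."""
    rprime = bit_interleave(router, hash32(router))
    frag, offset, dist = w
    if rng.random() < p:                  # sample this router with probability p
        o = rng.randrange(K)
        return fragment(rprime, o), o, 0
    if dist == 0:                         # previous hop marked: XOR in our fragment to form the edge
        frag ^= fragment(rprime, offset)
    return frag, offset, dist + 1

def reconstruct(marks):
    """Path reconstruction at the victim; returns router addresses, nearest hop first."""
    table = {}
    for frag, offset, dist in marks:
        table.setdefault((dist, offset), set()).add(frag)
    path, last = [], 0
    for d in range(max(d for d, _ in table) + 1):
        cells = [sorted(table.get((d, o), ())) for o in range(K)]
        for combo in itertools.product(*cells):      # all ordered combinations at distance d
            z = sum(f << (o * FRAG_BITS) for o, f in enumerate(combo))
            if d != 0:
                z ^= last    # cancel the previous hop's full R', leaving this hop's R'
            even, odd = split_bits(z)
            if hash32(even) == odd:                  # the fragments reassemble a valid R'
                path.append(even)
                last = z
    return path

def simulate(routers, n_packets, p=1 / 25, seed=7):
    """Constructed scenario: attacker-side router first; returns the path the victim recovers."""
    rng, marks = random.Random(seed), []
    for _ in range(n_packets):
        w = (0, 0, 0)                     # the attacker's packet arrives unmarked
        for r in routers:
            w = mark(w, r, p, rng)
        marks.append(w)
    return reconstruct(marks)
```

Packets that no router sampled arrive with distance one greater than the path length and a fragment at offset 0 only, so no complete combination exists at that distance and they are ignored, which is why the forged-mark problem the text mentions does not show up in this single-path simulation.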
Under laboratory conditions the victim only needs to capture about 1000 to 2500 such marked packets to reconstruct the entire path, which should be called a good result, but it has not been put into practice, mainly because support from router vendors and ISPs is needed.

That is the main picture of IP traceback, both the near-practical techniques and the laboratory ones, although there are others.

I have not worked on DDoS defense for a long time. Domestic products of this kind include Black Hole, and I previously knew some foreign ones such as FloodGuard, TopLayer and Radware. Prompted by securitytest I also learned about Riverhead, and I immediately read their white paper.

Bigfoot's earlier post was mainly about IP traceback, and securitytest went on to defense. For the DDoS problem, IP traceback and mitigation are not the same thing. IP traceback is mainly about tracking: because DDoS uses spoofing it is hard to determine the real source of the attack, and if the real source can be found easily, that helps not only against DDoS but against other attacks too, for example with legal issues. Mitigation is from the victim's angle: the victim generally cannot investigate the whole network to identify the source, and even if the source can be found, stopping it requires legal means or communication with the source (the attack source, not the attacker), which means a great deal of communication, inter-ISP coordination and other such non-technical issues that are often difficult to handle. But from the victim's point of view there has to be a solution, so mitigation is needed.

This in turn happens to be my earlier research area, so I will say a lot about it. For mitigation, the fundamental technique is to separate the attack packets from the legitimate packets in a large traffic flow, discard the attack packets and pass the legitimate ones. This cannot be done perfectly, so the technique actually used is to identify as many attack packets as possible while affecting normal packets as little as possible. This again requires analysing the methods and principles of DDoS (or DoS). The basic forms are:

1. DoS caused by system vulnerabilities. The features are fixed, so detection and prevention are easy.

2. Protocol attacks (some related to the system implementation, some to the protocol itself), such as SYN flood, fragmentation attacks, etc. The features are fairly clear, so detection and prevention are relatively easy, e.g. SYN cookies, SYN cache, and fragments can simply be discarded. Examples: land, smurf, teardrop, etc.

3. Bandwidth flood. Junk traffic clogs the bandwidth; the features are poorly recognisable and defense is not easy.

4. Basically legitimate flood. Harder than 3, such as a distributed Slashdot effect.

A real DDoS usually combines several of these forms. For example a SYN flood may also be a bandwidth flood.

The main factor affecting defense is whether features are available: 1 and 2 are relatively easy to solve, and some floods that do not affect the basic use of the service can simply be dropped, such as ICMP flood. However, if the packet-crafting tool disguises the attack packets well as legitimate ones, they are hard to identify.

Mitigation methods in general are:

1. Filtering. For obvious features, such as some worms, the router can handle it. Of course filtering is the ultimate solution: as long as the attack packets are identified, they are filtered out.

2. Random packet loss. Tied to the random algorithm; a good algorithm can make legitimate packets less affected.

3. SYN cookie, SYN cache and other specific defensive measures. These filter some regular means of attack, for example ICMP flood and UDP flood. SYN cookies are all about avoiding spoofing: since there is at least the TCP three-way handshake, spoofing is easier to judge.

4. Passive neglect. This can be called a form of deception, and is also a way of confirmation. A normal connection that fails will retry, but attackers generally do not retry, so the first connection request can be temporarily dropped and the second or third connection request accepted.

5. Actively sending RST. Against SYN flood, as a number of IDSs do. Of course, it is not really effective.

6. Statistical analysis and fingerprinting. This was to have been the main content, but in the end the algorithm ran into a dead end, because the main problem is the algorithm. Obtaining a fingerprint from statistical analysis and then discarding the packets that match the attack fingerprint is also an anomaly detection technique. Very simple, but it is not easy to avoid affecting legitimate packets without degenerating into random packet loss. (In fact this was considered too complex: it requires a detailed analysis of attack packets and legitimate packets, whereas in practice it is enough to filter out the attack packets as far as needed; even if some attack packets get through, it is fine as long as they do not cause DoS.) This is also the main subject of many researchers, with the purpose of identifying attack packets.

Now back to the Riverhead that securitytest mentioned. I have only just learned about Riverhead's technology from their white paper, but by my analysis their methods do not go beyond the range described above.

Riverhead's core scheme is Detection, Diversion and Mitigation: detect the attack, divert the traffic to their Guard product, and let the Guard perform the mitigation.

Its implementation steps are as follows.

Since there is no diagram, first some definitions so that this can be stated clearly:

# remote router: the router close to the distributed attack sources

# proximal router: the router close to the victim

# Guard: Riverhead's Guard device, installed on an auxiliary router attached to the proximal router

Defense steps

1. First detect the DDoS and identify the victim.

2. The Guard sends a BGP announcement to the remote router (a BGP announcement covering the victim's prefix, with a higher priority than the original route), telling the remote router that there is a new route to the victim, pointing at the Guard's loopback interface, so that all traffic to the victim is diverted to the auxiliary router with the Guard.

3. The Guard inspects the traffic, removes the attack traffic, and forwards the clean traffic to the proximal router, which sends it back to the victim.

The core is the Guard; its technology is described in the MVP (Multi-Verification Process) architecture white paper, which has the following five levels:

Filtering: This module contains static and dynamic DDoS filtering. Static filtering blocks non-essential traffic, either user-defined or the defaults provided by Riverhead. Dynamic filtering is based on detailed behaviour analysis and flow analysis, updated in real time by raising the suspicion level of a flow or blocking traffic confirmed to be malicious.

Anti-Spoofing: This module verifies whether packets entering the system are spoofed. Guard uses a unique, patented source verification mechanism to prevent spoofing. It also uses a mechanism to confirm legitimate flows, so that legitimate packets are not discarded.

Anomaly Recognition: This module monitors all traffic that the anti-spoofing module has not filtered or discarded, compares the flow records with the normal baseline behaviour, and flags anomalies. The idea is to distinguish black-hat traffic from legitimate communication through pattern matching. The principle is used to identify the attack source and type and to propose guidelines for intercepting such traffic.

Anomaly detection covers: packet size, distribution of flow rate, packet arrival time, port distribution, number of concurrent flows, high-level protocol characteristics, and entry rate.
Traffic categories: source IP, source port, destination port, protocol type, and connection capacity (daily, weekly).

Protocol Analysis: This module handles the suspicious application-level attacks found by the anomaly recognition module, such as HTTP attacks. Protocol analysis also detects a number of protocol misbehaviours.

Rate Limiting: mainly deals with the sources whose traffic consumes too many resources.

So in fact the most important content is the statistical analysis in anomaly recognition, but nothing special can be seen from the above; there must be a good algorithm behind it. The filter actually deals with very familiar features of obvious attacks; anti-spoofing targets things like SYN flood, perhaps also with a SYN cookie module, though there may be more patented technology. Protocol analysis should actually be relatively weak: it can detect some specific attacks on common protocols and identify some protocol errors simply by checking against the protocol, which is very simple. Rate limiting is the random packet loss, the most helpless method, hence the final level.

Because this product is mainly for mitigation, not IP traceback, there are still important issues to be settled, such as:

1. How to handle a real bandwidth flood. If the router is gigabit but the attack takes up 90% of the traffic, leaving only 10% for legitimate use, the router will already have started dropping packets at random before the Guard sees them. (There is no way around it; this is the bottleneck of all defense technology.)

2. Real attacks. A real attack is hard or impossible to identify, for example when its basic form is the same as normal traffic and the statistics are very similar. Some attacks, such as reflected e-mail attacks, are perfectly legal but very hard to classify.
