This chapter, proposes Data Regulation Protocol (DRP), a hybrid (proactive as well as reactive) solution, to achieve packet filtering at the source end to mitigate distributed denial of service (DDoS). DRP is unique in a way, as it provides target controlled traffic regulation mechanism implemented at the source gateway. A capability based model using cryptographically secure hash functions is designed for the target to identify and filter malicious traffic. DRP provides the target the choice to opt out of communication with a non-adherent source network, any time it’s overloaded. The gateway of a source network is held accountable for all of the egress traffic leaving the network. This provides an incentive for a source network to ensure each of its users complies with DRP target’s requirements.
TopIntroduction
Despite a significant breadth of research, Distributed Denial of Service (DDoS) remains a huge problem even today. Highly sophisticated and automated tools such as TFN-2000, WinTrinoo, Mstream, Stacheldraht et. al. are freely available. These tools provide novice attackers the capability to perform a really sophisticated attack. There are two basic ways of carrying out a DDoS. A semantic attack involves a master node, which exploits system vulnerabilities in the operating system and the drivers, to recruit a large set of nodes (agent machines) over a wide periphery. Most of these machines have no knowledge of their role in the attack. The attacker then carries out a well co-ordinated assault in which each of the agent machines simultaneously overwhelm the victim’s (usually a server) resources. Another method involves source address spoofing wherein the attack is carried out by a single malicious node. It prepares a list of IP addresses belonging to nodes which may or may not exist and uses these as the source address for flooding the victim’s network. A more sophisticated attack will be to use a mixed strategy where in the master node configures each agent machine with a list of IP addresses to spoof the outgoing packets. This provides the actual attacker (master node) another layer of protection and hence making it really difficult to pin-point the real attacker.
Defense against such sophistication cannot solely depend on effective filtering around the target to ensure reliable operation of the services. Besides being a bottleneck scenario such a solution cannot identify malicious traffic only on the basis of known traffic patterns. Source address spoofing along with the use of innovative traffic patterns makes target filtering completely ineffective. IP traceback methods (Stone, 2000; Duanfeng, 2004) can be used to trace the actual IP address of the actual source of the received traffic without relying on the address mentioned in the header. Besides other issues, IP traceback is a reactive solution that requires identification of an attack to employ corrective measures. This is difficult as even simple attacks such as TCP syn flooding can easily be hidden from the victim (Savage, 2001).
Egress (filtering outgoing traffic at the source gateway) filtering based solutions have been suggested for more than a decade. Active filtering at the source can effectively mitigate a score of DDoS attacks. But due to a variety of reasons, egress solutions have found no practical implementation in real world routers. The main reason is being the source network has no incentive to invest in monitoring outgoing traffic. Also even though source filtering can be effective but the target still does not decide who it communicates with. In the absence of universal implementation target will still needs a mechanism to protect itself against malicious traffic.
Capability based marking schemes using core routers have been suggested to help filters at the receiver identify malicious traffic (Anderson, 2004; Yang, 2005; Yaar, 2004). Core routers operate on the Internet backbone and are used to mark transient traffic using a value called capability. The traffic reaching the target filters will be marked with a set of such capabilities, each uniquely belongs to the core router in the path. The knowledge that the source traffic was first marked by this core router can definitely provide a direction for investigation. But since each of these routers directly serves a number of ISPs it cannot pin point exactly the actual source or even the ISP to which a marked traffic belongs. Another problem is that the core routers have a huge amount of collated traffic passing through. Therefore, even a simple marking scheme can lead to severe performance degradations. As such again the Autonomous system governing these routers has no incentive to implement such a solution.
Mirkovic (2002) showed it is relatively much more efficient for a source based system to monitor local malicious traffic. But passive monitoring of traffic at the source, using a predefined statistical model cannot encompass the dynamic nature of these attacks. The target still needs to decide on an acceptable level of load that it can handle. Capabilities, if resistant to spoofing can be used by the target to regulate incoming traffic. Therefore, there must be an efficient marking algorithm at the source which undeniably indentifies source traffic. In addition any implementation at the source end will require additional investment by the source network. Thus an incentive for the source network must be clearly established. This can be done by assigning accountability to the source network for all the outgoing traffic.