
The Crossfire Attack

The Crossfire Attack. Min Suk Kang, Soo Bum Lee, Virgil D. Gligor ECE Department and CyLab Carnegie Mellon University. 2013 IEEE Symposium on Security and Privacy. Outline. INTRODUCTION THE CROSSFIRE ATTACK ATTACK PERSISTENCE AND COST EXPERIMENT SETUP AND RESULTS RELATED WORK


Presentation Transcript


  1. The Crossfire Attack Min Suk Kang, Soo Bum Lee, Virgil D. Gligor ECE Department and CyLab Carnegie Mellon University 2013 IEEE Symposium on Security and Privacy

  2. Outline • INTRODUCTION • THE CROSSFIRE ATTACK • ATTACK PERSISTENCE AND COST • EXPERIMENT SETUP AND RESULTS • RELATED WORK • CONCLUSION

  3. Outline • INTRODUCTION • THE CROSSFIRE ATTACK • ATTACK PERSISTENCE AND COST • EXPERIMENT SETUP AND RESULTS • RELATED WORK • CONCLUSION

  4. INTRODUCTION – Old DDoS • Typical attack: • Floods server with HTTP, UDP, SYN, ICMP… packets • Persistence: • Maximum: 2.5 days • Average: 1.5 days • Adversary’s Challenge: • DDoS attacks are either persistent or scalable to N servers • N traffic to 1 server => high-intensity traffic triggers network detection • Detection not triggered => low-intensity traffic is insufficient for N servers

  5. INTRODUCTION – Crossfire Attack • Link flooding by botnets cannot be easily countered • Spoofed IP addresses. • Can flood links without using unwanted traffic. • Launch an attack with low-intensity traffic flows that cross a targeted link at roughly the same time and flood it.

  6. INTRODUCTION – Crossfire Attack • A link-flooding attack that persistently degrades/cuts off network connections of a scalable N-server area. • Scalable N-server areas • N = small (e.g., 1-1000 servers), medium (e.g., all servers in a US state), large (e.g., the West Coast of the US) • Persistent: • Attack traffic is indistinguishable from legitimate • Low-rate, changing sets of flows • Attack is a “moving target” for the same N-server area • Changing target links before triggering alarms

  7. INTRODUCTION – Definitions

  8. INTRODUCTION – 1 link crossfire • Attack flows => Indistinguishable from legitimate

  9. INTRODUCTION – 1 link crossfire • Attack flows => Alarms not triggered • Link-failure detection latency: • Interior Gateway Protocol (IGP) routers (OSPF): default waiting time 40 sec, failure detection 217 sec • Exterior Gateway Protocol (EGP) routers (BGP): default waiting time 180 sec, failure detection 1,076 sec

  10. Outline • INTRODUCTION • THE CROSSFIRE ATTACK • ATTACK PERSISTENCE AND COST • EXPERIMENT SETUP AND RESULTS • RELATED WORK • CONCLUSION

  11. THE CROSSFIRE ATTACK

  12. THE CROSSFIRE ATTACK • Public servers: • To construct an attack topology centered at the target area • Decoy servers: • To create attack flows

  13. ATTACK - Step 1: Link Map Construction (72%) (1) Traceroute (B->S) (2) Link-Persistence

  14. ATTACK - Step 2: Attack Setup • DR: Degradation Ratio (1) Flow-Density Computation (2) Target-Link Selection

  15. ATTACK - Step 3: Bot Coordination (1) Attack-Flow Assignment (2) Target-Link Flooding

  16. Outline • INTRODUCTION • THE CROSSFIRE ATTACK • ATTACK PERSISTENCE AND COST • EXPERIMENT SETUP AND RESULTS • RELATED WORK • CONCLUSION

  17. ATTACK PERSISTENCE AND COST • Data-Plane-Only Attack: Indefinite Duration • Link failure detection • Traffic engineering • Proactive Attack Techniques: Rolling Attack • Maintaining the same target links • Changes bots and decoy servers • Maintaining the same target area • Changes target links

  18. ATTACK PERSISTENCE AND COST • Attack bots available from Pay-Per-Install (PPI) markets [2011] • In experiments: 49% in US or UK, 37% in Europe, 14% rest of the world • 10 target links: can be as low as 107,200 bots • Cost approximately $9K

  19. Outline • INTRODUCTION • THE CROSSFIRE ATTACK • ATTACK PERSISTENCE AND COST • EXPERIMENT SETUP AND RESULTS • RELATED WORK • CONCLUSION

  20. EXPERIMENT SETUP AND RESULTS • Bots: • 1,072 traceroute nodes: 620 PlanetLab nodes, 452 LG (Looking Glass) servers

  21. EXPERIMENT SETUP AND RESULTS • Decoy servers: • 552 institutions (i.e., universities and colleges) on both the East Coast (10 states) and West Coast (7 states) of the US • 2737 public web servers within Univ1 in Pennsylvania • 7411 public web servers within Univ2 in Massachusetts

  22. EXPERIMENT SETUP AND RESULTS • Target Areas:

  23. EXPERIMENT SETUP AND RESULTS

  24. EXPERIMENT SETUP AND RESULTS • Link map • Run a traceroute six times to diagnose link persistence

  25. EXPERIMENT SETUP AND RESULTS

  26. EXPERIMENT SETUP AND RESULTS • Average rate when flooding 10 Target Links against Pennsylvania

  27. Outline • INTRODUCTION • THE CROSSFIRE ATTACK • ATTACK PERSISTENCE AND COST • EXPERIMENT SETUP AND RESULTS • RELATED WORK • CONCLUSION

  28. The Coremelt Attack

  29. “Spamhaus” Attack

  30. RELATED WORK

  31. Outline • INTRODUCTION • THE CROSSFIRE ATTACK • ATTACK PERSISTENCE AND COST • EXPERIMENT SETUP AND RESULTS • CONCLUSION

  32. CONCLUSION • Attack Characteristics • Undetectability at the Target Area. • Indistinguishability of Flows in Routers • Persistence • Flexibility • New DDoS Attack: The Crossfire Attack • Scalable & Persistent • Internet-scale experiment • Feasibility of the attack • High impact with low cost

  33. Q&A
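
Slides 13 and 24 name link persistence and say a traceroute is run six times to diagnose it. The sketch below is an added example, not code from the presentation or its authors: it shows how an operator measuring paths toward their own servers could separate stable links from load-balanced ones. It assumes a link is persistent only when it appears in every run; the function names are hypothetical and the traceroute output is constructed, using documentation addresses.

```python
import re
from collections import Counter

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")  # "<ttl>  <address or *> ..."

def parse_hops(output):
    """Return {ttl: address or None} for one run; '*' means no reply."""
    hops = {}
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if m:  # the "traceroute to ..." header line does not match
            addr = m.group(2)
            hops[int(m.group(1))] = None if addr == "*" else addr
    return hops

def links(hops):
    """A link is a pair of responding routers at consecutive TTLs."""
    found = set()
    for ttl, addr in hops.items():
        nxt = hops.get(ttl + 1)
        if addr and nxt:  # skip pairs that include a silent hop
            found.add((addr, nxt))
    return found

def classify(runs):
    """Assumed rule: persistent = seen in every run, transient = the rest."""
    seen = Counter()
    for run in runs:
        seen.update(links(parse_hops(run)))
    persistent = {link for link, n in seen.items() if n == len(runs)}
    return persistent, set(seen) - persistent

def sample_run(second_hop):
    """Constructed traceroute output; only hop 2 varies between runs."""
    return ("traceroute to 203.0.113.10, 30 hops max\n"
            " 1  192.0.2.1  0.8 ms\n"
            f" 2  {second_hop}\n"
            " 3  198.51.100.9  5.1 ms\n"
            " 4  203.0.113.10  5.9 ms\n")

# Six constructed runs: hop 2 is load-balanced and silent once.
SAMPLE_RUNS = [sample_run(h) for h in (
    "198.51.100.1  2.1 ms", "198.51.100.2  2.2 ms", "198.51.100.1  2.0 ms",
    "* * *", "198.51.100.2  2.4 ms", "198.51.100.1  2.1 ms")]

if __name__ == "__main__":
    persistent, transient = classify(SAMPLE_RUNS)
    print("persistent:", sorted(persistent))
    print("transient:", sorted(transient))
```

A silent hop removes both links adjacent to it from that run, so under the every-run rule a router that drops probes intermittently makes its links look transient.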
