DDoS mitigation through a collaborative trust-based request prioritization

PhD interview at Ruhr-University Bochum for the Systems Security group chaired by Prof. Dr. Thorsten Holz

  1. PhD Interview – Ruhr-University Bochum. DDoS mitigation through a collaborative trust-based request prioritization. Master thesis defended at University of Rome ”La Sapienza” on January 26, 2011. Davide Paltrinieri, davide.paltrinieri@gmail.com, http://it.linkedin.com/in/davidepaltrinieri. June 22, 2012
  2. Layer 7 DDoS (slides 2 to 5: figures only). DDoS mitigation through a collaborative trust-based request prioritization, Davide Paltrinieri, Ruhr University of Bochum, 22/03/2012
  6. DDoS Trends: types of DDoS attacks (figure; source: Arbor Networks DDoS Summary H2 2011)
  7. CoMiFin: case study. Framework for critical data exchange between financial institutions.
     • Objective: business continuity; resilience to DDoS.
     • The challenge: drawing on the effort of ”the community” to reach those objectives → proactive defense.
  8. Existing solution approaches (slides 8 to 12 repeat this slide)
     • Detection
       • Anomaly: distribution/volume of the traffic; signatures
       • Statistical
     • Classification
       • Flash-crowd scenario
       • Solving a quiz (e.g. CAPTCHA)
     • Countermeasure
       • Drop
       • Redirection
  13. Victim model: typical web server / server-farm architecture (figure)
  14. Attacker Model
     • Request Flooding Attack: an increasing number of requests sent to the target server.
     • Asymmetric Workload Attack: sending random, well-chosen session requests to exhaust server resources.
     • Repeated One-Shot Attack: sending single, well-chosen requests to exhaust server resources.
  15. Building Requests
     • Frantic Crawler: a set of requests covering all links reachable from the given URL.
     • Cloned Legitimate Recorded Session: a pre-saved ”legitimate” browsing session replayed by each bot.
     • Randomized Legitimate Recorded Session: a pre-saved ”legitimate” browsing session replayed by each bot, poisoned with random actions.
  16. Proposed solution (figure)
  17. Request processing (flowchart; slides 17 to 27 repeat the same diagram). Decision nodes, in order:
     • Is there a session ID? If yes: is the ID valid? If not valid: reduce the trust level of the client.
     • Does the client have a fingerprint? If not: get data from the client to build its fingerprint. If so: fetch from the DB the trust level associated with the client.
     • Put the request in the appropriate queue.
     • Forward the request to the server if there are sufficient resources.
  28. Requests Prioritization (figure)
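The request-processing decisions and the trust-ordered queue of slides 17 and 28, exercised against the cloned-session attacker of slides 14 and 15, in working form. This is an added example, not the thesis prototype or any CoMiFin code: the fingerprint recipe (a hash of source IP and User-Agent), the numeric trust levels, the penalty for presenting an invalid session ID, the reward for a completed session, the rule used to merge trust shared by peer institutions, and the simulated scenario (five legitimate clients, a botnet replaying one recorded session ID, a server budget of 20 work units per tick) are all assumptions made here.

```python
# Added example, not the thesis prototype: trust values, penalties, the
# fingerprint recipe and the shared-trust merge rule are assumptions made here.
import hashlib
import heapq
import itertools
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_TRUST = 50            # assumed trust for a never-seen client
INVALID_ID_PENALTY = 20       # assumed penalty for an unknown or forged session ID
COMPLETED_SESSION_BONUS = 10  # assumed reward when a client completes a session


@dataclass
class Request:
    client_ip: str
    user_agent: str
    session_id: Optional[str]   # None on the client's first contact
    path: str
    cost: int = 1               # server work units the request consumes


class TrustGateway:
    """Proxy between clients and the web server, following the request-processing steps."""

    def __init__(self, capacity_per_tick: int):
        self.capacity = capacity_per_tick
        self.sessions: Dict[str, str] = {}   # session_id -> owner fingerprint
        self.trust: Dict[str, int] = {}      # fingerprint -> trust level
        self._seq = itertools.count()        # arrival order; breaks ties in the queue

    @staticmethod
    def fingerprint(req: Request) -> str:
        # Assumed recipe: hash of source IP and User-Agent (attribution is future work).
        return hashlib.sha256(f"{req.client_ip}|{req.user_agent}".encode()).hexdigest()[:16]

    def import_shared_trust(self, feed: Dict[str, int]) -> None:
        """Collaborative part: merge peer-reported trust, keeping the lower value (assumed rule)."""
        for fp, level in feed.items():
            self.trust[fp] = min(self.trust.get(fp, level), level)

    def _new_session(self, fp: str) -> str:
        sid = secrets.token_hex(8)
        self.sessions[sid] = fp
        return sid

    def classify(self, req: Request) -> int:
        """Session-ID check, fingerprint, trust lookup; returns the client's trust level."""
        fp = self.fingerprint(req)
        trust = self.trust.setdefault(fp, DEFAULT_TRUST)
        if req.session_id is None:
            req.session_id = self._new_session(fp)   # first contact: issue an ID
        elif self.sessions.get(req.session_id) != fp:
            # ID unknown, expired or copied from another client (cloned session)
            trust = max(0, trust - INVALID_ID_PENALTY)
            self.trust[fp] = trust
        return trust

    def session_completed(self, req: Request) -> None:
        """A client that finished a legitimate session earns trust."""
        self.trust[self.fingerprint(req)] += COMPLETED_SESSION_BONUS

    def process_tick(self, incoming: List[Request], prioritize: bool = True) -> List[Request]:
        """Queue one tick of requests (by trust, or FIFO as a baseline); forward what fits."""
        queue: list = []
        for req in incoming:
            trust = self.classify(req)
            heapq.heappush(queue, (-trust if prioritize else 0, next(self._seq), req))
        forwarded, budget = [], self.capacity
        while queue and budget > 0:
            _, _, req = heapq.heappop(queue)
            if req.cost <= budget:
                budget -= req.cost
                forwarded.append(req)
        return forwarded                         # requests still queued are shed


def simulate(bots: int, capacity: int = 20, prioritize: bool = True) -> float:
    """Share of legitimate requests forwarded during a cloned-session flood (constructed
    scenario: five clients with established sessions, `bots` bots replaying one recorded ID)."""
    gw = TrustGateway(capacity)
    legit = [(f"10.0.0.{i}", "Mozilla/5.0 (X11; Linux) Firefox/10.0") for i in range(1, 6)]
    session_ids = {}
    for ip, ua in legit:                         # quiet period: sessions get established
        first = Request(ip, ua, None, "/login")
        gw.process_tick([first])
        session_ids[ip] = first.session_id
        gw.session_completed(first)
    recorded = session_ids["10.0.0.1"]           # the session ID the botnet cloned
    seen = ok = 0
    for tick in range(3):
        flood = [Request(f"192.0.2.{b + 1}", f"bot/{b}", recorded, "/search?q=*", cost=2)
                 for b in range(bots)]
        genuine = [Request(ip, ua, session_ids[ip], f"/page/{tick}") for ip, ua in legit]
        out = gw.process_tick(flood + genuine, prioritize)   # the flood arrives first
        seen += len(genuine)
        ok += sum(1 for r in out if r in genuine)
    return ok / seen
```

In this constructed scenario `simulate(100)` forwards every legitimate request (1.0) because the bots, each presenting a session ID that belongs to another client's fingerprint, are pushed below the established clients in the queue, while the FIFO baseline `simulate(100, prioritize=False)` forwards none of them (0.0) since the flood fills the server's budget first. The same penalty path is what a fingerprint-less bot fleet hits on every request, and `import_shared_trust` is where a peer's report of known botnet fingerprints would drop them to the bottom of the queue before they send anything.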
  29. Prototype (figure)
  30. DETERlab (figure)
  31. SPOFF (figure)
  32. SPON (figure)
  33. Test results (figures for a small, mid and large botnet). (1) Percentage of completed sessions coming from legitimate clients.
  34. ADL - Auditing
     • Web analytics tools: Open Web Analytics (OWA)
     • Mouse tracking: Simple Mouse Tracking (SMT2)
     • Third-party database: WOMBAT API (WAPI)
  35. ADL - Auditing: SMT2 (figure)
  36. ADL - Auditing: OWA (figure)
  37. Conclusion
     • First steps integrating: fine-grained request priority; shared trust; tools for auditing cloned sessions.
     • Results:
       • Emulation beats simulation – thanks to DETERlab.
       • Business continuity against large botnet attacks (up to 150 physical PCs), both from known botnets and from a mix of known and unknown botnets.
       • Low latency measured for legitimate clients.
  38. Next steps
     • Automatically extract the attack sources of cloned sessions.
     • Differentiate tests with a high workload from those with a low one.
     • Implement and test client fingerprint attribution.
     • Test the prototype on a critical server to collect data on trusted clients.