Cyber-Security Product

CYBER-SECURITY PRODUCT
DRS-ADAM
Saurabh Verma, Ali Hamieh, Jun Huh Ho, Siva Raj Rajagopalan, Maciej Korczynski, Nina Fefferman.
Jun Ho Huh
Honeywell ACS Labs

© 2016 by Honeywell International Inc. All rights reserved.
1
Motivation
money talks!
8% 8%
26%
16%
42%
LESS THAN $1000 $1001-10,000 $10,000-50,000 $50,000-100,000 MORE THAN
$100,000
2013 COST PER HOUR FOR DDOS
ATTACKS

2
It’s becoming very serious!
(disrupting the internet)

3
What’s the problem?
Amplified DNS DDOS (ADD) Attack
Amplified using DNS resolvers
(could be a open DNS resolver,
open DNS proxies authorative
DNS servers , unknown)
1 Gbps connection
x10
10 compromised
trigger machines with
1Gbps
1 Mbps connection
Amplification factor of
50x
Attacker with 1Mbps
500 Gbps hits target machine from amplifiers

4
Let’s see the existing solutions first...
• Detect attack either by tracking count of DNS responses or keep a
map of DNS request to DNS response (sun et.al, kambourakiset.al).
• Drop packets.
• Won’t work in this age due to large attack size!
Solutions
deployed
on victim
server
• Create machine learning models to detect local patterns of ADD
attacks (rastegari et.al, deshpande et.al).
• Machine learning didn’t work because of lack of influential
features.
• Problem is legitimate request can have same patterns. High false
positive rate!
• Source IP validation which includes authentication-based methods,
trace-back methods or filtering-based methods.
• All these methods are practically limited due to requirement in
fundamental change of internet infrastructure.
• For example, Ingress filtering allows routers to drop packets with
source but adds a measurable delay in router’s which is
unacceptable at high-speed links. Deployment remains a major
issue as well.
Solutions
deployed
on DNS
server

5
Things to realize (design goals)…
There is little victim can do. Attack must be crushed at the source (DNS resolver).
This is really happening now and so solution must be as practical as
possible.
You can’t ask to change internet infrastructure. Wait you can! because it’s a
internet design flaw but you need to be smart about it.
Avoid expensive authentication techniques!
Should be a UDP based solution!
Should be scalable and deployable!
Should not demand a separate infrastructure!
Should be computationally less expensive!
Above all, it should mitigate ADD attacks before target goes down i.e. keep
the ADD attack below victim’s sustainable bandwidth.

6
Key Idea 1
What’s one thing we need to detect
ADD attacks at the source (dns
resolver) with high confidence?
Answer: Accumulated DNS query
rates hitting the target server from all
resolvers!

7
How to get accumulated DNS query
rates before target goes down?
Answer: Share DNS query rates of
target among resolvers involved in
attack.
Key Idea 2

8
Quick look at existing protocols for aggregate
computation
• Gossip protocols – Push-Pull sum protocol, A1/ A2
(Mehyar et.al. ). Converges to true aggregate value in
O(𝑁𝑙𝑜𝑔𝑁) messages in O(𝑙𝑜𝑔𝑁) rounds.
• Problem is most of them requires weak synchronous
communication and “N” should be known in advance,
which is not possible in our case.
• Nevertheless, these existing protocols supports the
theoretical motivation for our approach.

9
We present you DRS-ADAM
Two assumptions of
DRS-ADAM
• We assumed that DNS
resolvers and target hosts
are all discoverable and
connected to global
internet.
• Our second weak
assumption is that the
collected DNS query rates
do not change much
during ADD attack period.

10

11
Iterative Query Rate Sharing Algorithm
𝑆𝐷𝑅 𝑛
𝐷 𝑛+1
𝐷 𝑛 𝐷𝐼𝑃𝑛+1
𝐷𝑛𝑠𝐿𝑖𝑠𝑡𝐷 𝑛
𝐷 𝑛+1
𝐷𝐼𝑃𝑛+1
𝐷 𝑛
𝐷1
𝐷𝐼𝑃𝑛−1
𝐷 𝑛
𝐷 𝑛−1
𝐷𝐼𝑃𝑛+1
𝐷 𝑛
𝐷2

12
Complexity, LAD
• O(N) w.r.t each resolver.
• Overall complexity of our algorithm is
O(𝑁2
). Possible to reduce to O(N) but
have to sacrifice robustness.
• LAD performs threat assessment.
• LAD threat bandwidth= accumulated
DNS query rate × amplification factor ×
average query size. This is self
sufficient to detect attacks
• To save computation, we avoid creating
machine learning models, here.

Economic incentives for network operators
• With DRS-ADAM installed, all resolvers involved in an ADD attack
will consume bandwidth in KBps for a few seconds
- Bandwidth consumed is small compared to 10-300 Gbps consumed
during an ADD attack
- Such network bandwidth costs can be avoided with DRS-ADAM
• An ADD attack could incur network costs up to $1.8M per month
- Cost shared among network operators involved in the attack
- ADD attacks are rapidly growing in size and frequency
- Network operators will benefit from installing DRS-ADAM
13

14
Prototype Implementation
Type Reserved [0] Length
Target IP
Query Rate (IEEE 754 single/binary 32 float)
Resolver 1 IP
Resolver N IP
0 1 2 3
Target Agent
Resolver
Agent
Resolver
Detector
LAD
Resolver
Agent
Resolver
Detector
LAD
Query rate,
DNS IP
DNS
Resolver
DNS
Resolver
Target Host
DRS-ADAM Packet Structure

Security Product Deployment strategies
• DRS-ADAM security product is a pair of small software packages
• First victim package should be small
- Our prototype had just 250 lines of codes
- Should not require frequent updates
• Second package deployed on an existing DNS software
- BIND already provides real-time statistics about DNS queries
- Deploy DRS-ADAM through a single upgrade
- Same manner in which RRL was deployed on BIND
• Fewer challenges than DNSSEC that rely on digital signatures
- DRS-ADAM does not add any complex key management or hardware
upgrade
15

16
Experiment and Results
Emulated Topology

17

18

19

20
Discussion and Conclusion
Satisfying design goals.
Generalization: Can stop NTP
amplification attack.
Theoretical motivation: From Gossip-
based Push-Sum Protocol (GBPS).

Cyber-Security Product

Recommended

Recommended

More Related Content

What's hot

What's hot (7)

Similar to Cyber-Security Product

Similar to Cyber-Security Product (20)

Recently uploaded

Recently uploaded (20)

Cyber-Security Product