Vol.13, No.7 2002 Journal of Software 1000-9825/2002/13(07)1220-08

Using Adaptive Router Throttles Against Distributed Denial-of-Service Attacks

LIANG Feng 1, David Yau 2

1 (Zhejiang Provincial Key Laboratory of Fiber Optical Communication Technology, Zhejiang University of Technology, Hangzhou 310014, China); 2 (Department of Computer Science, Purdue University, IN 47907, USA)
E-mail: http:/
Received December 7, 2001; accepted April 29, 2002

Abstract: In this paper, an adaptive router throttle algorithm is presented to defend a server against distributed denial-of-service (DDoS) attacks.
The key point of the algorithm is that the server asks selected upstream routers k hops away to install throttles on traffic flows destined for it, so that the server's service capacity can be allocated among all flows with a max-min like fairness. The effectiveness of the algorithm is evaluated using a realistic Internet topology and various models for attacker and good user distributions and behaviors. The results indicate that this server-centric router throttling is a promising approach to countering DDoS attacks.

Key words: network security; DDoS; router; Internet; computer network

Supported by the Natural Science Foundation of Zhejiang Province of China under Grant No.697053; CERIAS; the National Science Foundation of the US under Grant No.CCR-9875742 (CAREER)
LIANG Feng was born in 1967. He is an associate professor and master supervisor of the Telecommunication Department, Zhejiang University of Technology. His research interests are network security and multimedia communication. David Yau was born in 1967. He is an assistant professor and doctoral supervisor of the Computer Science Department, Purdue University. His current research areas are networks, operating system architectures, algorithms for QoS provisioning, multimedia communication, software-programmable router technologies, databases and information systems.

In a distributed denial-of-service (DDoS) attack [1,2], thousands of malicious or compromised hosts coordinate to send a large volume of aggregate traffic to a victim. Network nodes near the victim progressively become more vulnerable to resource overruns, as a node that is closer to the server most likely has less service capacity while delivering a larger fraction of the attacking traffic. In particular, the victim itself is the most vulnerable. Previous work against DDoS attacks either drops or reroutes the attacking packets before they enter the victim [3,4,5]. For this kind of approach, the key problem is that DDoS attack packets can be indistinguishable from normal packets, and as the packets' source IP addresses are usually forged, it is also difficult to distinguish the attacking flows from normal ones by their traffic rates. Meanwhile, the protecting system itself and the routers on the transmission network can also be incapacitated. IP traceback [6,7] utilizes routers' spare resources to trace back the paths from attackers to the server. The algorithm itself does not provide anything to cease the attack directly. As a full deployment of IP traceback on every router of the Internet is difficult, the traceback paths most probably cannot reach the attackers themselves, but only routers several hops from the attackers, which leaves an open problem. To actively defend against attacks, analysis of routing information can enable a router to drop certain packets with spoofed source IP addresses [8,9]. This approach requires sophisticated and potentially expensive routing table analysis on a per-packet basis. Also, DDoS attackers can still launch an attack with real IP source addresses. Mahajan et al. [10] describe a general framework for identifying and controlling high bandwidth aggregates in a network. As an example solution against DDoS attacks, an aggregate can be defined based on destination IP address. To protect good user traffic from attacker traffic, they study recursive pushback of max-min fair rate limits starting from the victim server to upstream routers, and define a global, cross-router notion of max-min fairness. However, the pushback mechanism always starts the resource sharing decision at the server, where good user traffic may aggregate to a large volume and thus can be severely punished (see Section 5). Such aggregation of good user traffic has been observed to occur in practice [11]. The use of network authentication mechanisms also helps in defending against DDoS attacks, e.g. IPsec [12]. Gouda et al. [13] propose a framework for providing hop integrity in computer networks. Efficient and cheap algorithms for authentication and key exchange are important research questions in this class of solutions.

In this paper, we counter DDoS attacks by resource management: the server's service capacity is allocated among all incoming traffic flows (including the attackers') with a max-min like fairness, which ensures that attackers cannot gain more resource capacity than normal users by sending more traffic. To forestall the aggressive packets converging to overwhelm the victim and nearby intermediate routers, a proactive approach is adopted: the victim asks selected upstream routers k hops away to install throttles which limit the forwarding rate of packets destined for it. The throttle is implemented as a leaky bucket to absorb bursts of traffic; traffic that exceeds the rate limit is dropped. The appropriate throttle rate is negotiated dynamically between the victim and the throttle routers, such that all users share the service capacity of S with fairness and the throttle adapts to changes in the demand distribution.

1 Network Model of DDoS Attack

The entire network is represented as a connected graph G=(V,E), where V is the set of nodes and E is the set of links. We have V = H ∪ R, where H is the set of hosts (leaf nodes) and R the set of routers. The victim is a host S ∈ H with capacity U_S. The set of attackers is H_a ⊂ H, and the set of good users is H_g ⊂ H. Notice that H_a and H_g are dynamic, but they are relatively static over a short time period. Assume that during a certain short time period there are m good users, H_g = {g_1, g_2, ..., g_m}, and n attackers, H_a = {a_1, a_2, ..., a_n}. The traffic rate from g_i to S is r_{g_i}, and from a_i to S is r_{a_i}. Assume the traffic rate of each good user or attacker is relatively static during this period; then the aggregate traffic rates of good users and attackers are

T_g = \sum_{i=1}^{m} r_{g_i} = m \bar{r}_g \quad \text{and} \quad T_a = \sum_{i=1}^{n} r_{a_i} = n \bar{r}_a ,

where \bar{r}_g and \bar{r}_a are the average rates of traffic from one good user or one attacker to S, respectively. If the total arrival traffic rate of S, T_S = T_g + T_a ≤ U_S, the service for good users is not influenced. However, if T_S > U_S, then T_S − U_S of the traffic will be dropped*, and thus denial of service (DoS) occurs. We define the degree of the DoS state on S, h, as the percentage of good user traffic being dropped by S. If S uniformly drops the overload traffic, the traffic from each user (either a good user or an attacker) is dropped with the same percentage, and we have

h = \frac{T_S - U_S}{T_S} = 1 - \frac{U_S}{T_S} .

Assume S is designed to serve a maximum of M users, U_S = M \bar{r}_g; then

h = 1 - \frac{U_S}{T_S} = 1 - \frac{M \bar{r}_g}{m \bar{r}_g + n \bar{r}_a} = 1 - \frac{1}{\frac{m}{M} + \frac{n}{M} \cdot \frac{\bar{r}_a}{\bar{r}_g}} \qquad (1)

* Assume each link in E has infinite bandwidth. This assumption can actually be relaxed for our throttle algorithm, as the routers can also be protected from overload.

For a large-scale server, M is a significantly large number. Assume the attackers' capability of compromising a large number of hosts is limited, so that M ≫ n. With these assumptions, Fig.1 shows that to reach a significant degree of DoS, \bar{r}_a must be significantly higher than \bar{r}_g. This is the foundation of our throttle algorithm.

Fig.1 For m/M=0.5 (left) and m/M=0.75 (right), the ratio of \bar{r}_a to \bar{r}_g over h for M/n = 20, 10, 5, 1

2 Router Throttle Algorithm

2.1 Level-k max-min fairness

When S is under attack, it initiates a throttle defense mechanism on a subset of the victim's upstream routers, R(k), which contains all the routers k hops away from S, plus all the edge routers (routers directly connected to hosts) fewer than k hops away from S. For example, in the network topology of Fig.2, the R(3) routers are shaded. The throttle rate is determined by allocating S's capacity among the R(k) routers with max-min fairness, which is called level-k max-min fairness. In the example shown in Fig.2, the number above a node denotes the rate at which the node delivers traffic to S before throttling, and the numbers in parentheses below the R(3) routers indicate the throttled rates. As a result of the throttling, the load at S is limited to 20.53 (we assume U_S = 20), which is the sum of the throttled rates. Notice that the throttled rate at an R(3) router is that router's max-min fair share of the achieved server load of 20.53.

Fig.2 Network topology illustrating R(3) deployment points of router throttle, and offered and throttled rates

2.2 Throttle negotiation algorithm

Fig.3 specifies the throttle negotiation algorithm. When a DDoS attack on a server S begins, S's load a increases and finally exceeds the capacity U_S. At this moment, S begins negotiating the throttle rate r_S with the R(k) routers. At first, r_S is initialized to U_S/f(k), where f(k) is either some small constant, say 2, or an estimate of the number of throttle routers typically needed in R(k). After throttles of rate r_S are installed at the R(k) routers and take effect, if a is still bigger than U_S, then r_S is reduced to half of its current value. On the other hand, if a falls below a low-water mark L_S (L_S < U_S), the throttle is too strong and is relaxed as specified in Fig.3.

    ...                                  /* initialization of r_S and load monitoring (lost in extraction) */
    while
        if (a > U_S)                     /* throttle not strong enough */
            r_S := r_S / 2;              /* further restrict throttle rate */
        elif (a < L_S)                   /* throttle too strong */
            if (a - a_last < e)          /* no drop by throttle */
                remove rate throttle from R(k);
                break;
            else                         /* try relaxing throttle by additive step */
                a_last := a;
                r_S := r_S + d;
            fi;
        else
            break;
        fi;
    endwhile
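The following Python is an added worked example, not code from the paper or its authors. It implements the degree-of-DoS relation of eq. (1) from Section 1 and a simplified level-k throttle negotiation following the Fig.3 loop on a small constructed tree topology; the topology, host rates, U_S, L_S, f(k), d, e and the max_rounds cap are all assumptions. It also assumes that a throttled router drops uniformly across the flows it carries, which lets it report the remaining fraction of good and attacking traffic that the paper uses as its evaluation metric.

```python
"""Added worked example (not the paper's code): eq. (1) and a simplified
level-k throttle negotiation (Fig.3) on a small constructed tree topology."""
from typing import Dict, List, Optional, Tuple


def dos_degree(m: int, M: int, n: int, ra_over_rg: float) -> float:
    """Eq. (1): fraction h of good-user traffic dropped by S when the overload
    is dropped uniformly. m good users, n attackers, S sized for M users
    (U_S = M * r_g), ra_over_rg = r_a / r_g. Returns 0 when T_S <= U_S."""
    load_ratio = m / M + (n / M) * ra_over_rg      # equals T_S / U_S
    return max(0.0, 1.0 - 1.0 / load_ratio)


def attack_ratio_for_degree(h: float, m: int, M: int, n: int) -> float:
    """Inverse of eq. (1): the r_a / r_g that n attackers need in order to
    push S to DoS degree h (the quantity Fig.1 plots)."""
    return (1.0 / (1.0 - h) - m / M) * (M / n)


# Constructed tree (an assumption, not Fig.2): router -> parent router or "S".
ROUTERS: Dict[str, str] = {"r1": "S", "r11": "r1", "r12": "r1", "r2": "S"}
# Constructed hosts: host -> (edge router, offered rate towards S, is_attacker).
HOSTS: Dict[str, Tuple[str, float, bool]] = {
    "a1": ("r11", 20.0, True), "g1": ("r11", 1.0, False), "g2": ("r11", 1.0, False),
    "g3": ("r12", 1.0, False), "g4": ("r12", 1.0, False),
    "g5": ("r12", 1.0, False), "g6": ("r12", 1.0, False),
    "g7": ("r2", 1.0, False), "g8": ("r2", 1.0, False), "a2": ("r2", 25.0, True),
}


def hops_to_s(router: str, routers: Dict[str, str]) -> int:
    d, node = 0, router
    while node != "S":
        node, d = routers[node], d + 1
    return d


def level_k_routers(k: int, routers: Dict[str, str], hosts) -> List[str]:
    """R(k): routers exactly k hops from S, plus edge routers (routers with
    hosts attached) fewer than k hops from S (Section 2.1)."""
    edge = {er for er, _, _ in hosts.values()}
    return sorted(r for r in routers
                  if hops_to_s(r, routers) == k or (r in edge and hops_to_s(r, routers) < k))


def throttle_point(edge_router: str, rk: List[str], routers: Dict[str, str]) -> str:
    """First R(k) router on a host's path to S (every path crosses one when
    no host hangs directly off S)."""
    node = edge_router
    while node not in rk:
        if node == "S":
            raise ValueError("no R(k) router on the path from %s" % edge_router)
        node = routers[node]
    return node


def server_load(r_s: Optional[float], rk, routers, hosts) -> Tuple[float, Dict[str, float]]:
    """Install a throttle of rate r_s (None = no throttle) at every R(k) router.
    Assumption: a throttled router drops uniformly across the flows it carries.
    Returns (aggregate load a at S, rate delivered per host)."""
    offered = {r: 0.0 for r in rk}
    point = {h: throttle_point(er, rk, routers) for h, (er, _, _) in hosts.items()}
    for h, (_, rate, _) in hosts.items():
        offered[point[h]] += rate
    delivered = {h: rate * (1.0 if r_s is None else min(1.0, r_s / offered[point[h]]))
                 for h, (_, rate, _) in hosts.items()}
    return sum(delivered.values()), delivered


def negotiate(k, U_S, L_S, routers, hosts, f_k=2.0, d=1.0, e=0.1, max_rounds=50):
    """Throttle negotiation loop of Fig.3. Returns (r_S, or None when the throttle
    is removed; resulting load a; rounds used). max_rounds is an added safeguard
    against oscillation, not part of the paper's specification."""
    rk = level_k_routers(k, routers, hosts)
    a, _ = server_load(None, rk, routers, hosts)
    if a <= U_S:                                   # no overload: nothing to negotiate
        return None, a, 0
    r_s, a_last = U_S / f_k, 0.0
    for rounds in range(1, max_rounds + 1):
        a, _ = server_load(r_s, rk, routers, hosts)
        if a > U_S:                                # throttle not strong enough
            r_s /= 2
        elif a < L_S:                              # throttle too strong
            if a - a_last < e:                     # load did not move: not binding
                return None, server_load(None, rk, routers, hosts)[0], rounds
            a_last, r_s = a, r_s + d               # relax by additive step
        else:
            return r_s, a, rounds                  # L_S <= a <= U_S: converged
    return r_s, a, max_rounds


def remaining_fraction(delivered, hosts) -> Tuple[float, float]:
    """Evaluation metric: fraction of good and of attacker traffic reaching S."""
    tot = {True: 0.0, False: 0.0}
    out = {True: 0.0, False: 0.0}
    for h, (_, rate, atk) in hosts.items():
        tot[atk] += rate
        out[atk] += delivered[h]
    return out[False] / tot[False], out[True] / tot[True]


if __name__ == "__main__":
    print("r_a/r_g for h=0.5, m/M=0.5, M/n=20:", attack_ratio_for_degree(0.5, 50, 100, 5))
    r_s, a, rounds = negotiate(2, 20.0, 15.0, ROUTERS, HOSTS)
    rk = level_k_routers(2, ROUTERS, HOSTS)
    good, bad = remaining_fraction(server_load(r_s, rk, ROUTERS, HOSTS)[1], HOSTS)
    print(f"R(2)={rk} r_S={r_s} load={a:.2f} after {rounds} rounds; "
          f"good traffic kept {good:.0%}, attack traffic kept {bad:.0%}")
```

With the constructed numbers, the unthrottled load of 53 exceeds U_S = 20; the loop halves r_S from 10 to 5, then relaxes it to 6, where the load settles at 16 inside [L_S, U_S]. The router carrying only good users (offered 4) is never cut, so about 62% of good traffic still reaches S versus about 24% of the attack traffic. The eq. (1) inversion shows the other half of the argument: with m/M = 0.5 and M/n = 20, each attacker must send 30 times the average good-user rate to drop half of the good traffic.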
Fig.3 Throttle algorithm specification

The performance of the algorithms is shown by the remaining percentage of attacking and good user traffic over the throttling level k. We plot the average results over ten independent experimental runs (the attackers, good users and their rates are re-chosen for each run), and show the standard deviation as an error bar around the average. For comparison, in each simulation experiment we also provide results for fully pushback max-min fairness as described in Ref.[10], deployed to the same depth k. Figure 4 compares the performance of the two algorithms for evenly distributed attackers, where each host in the network is independently chosen to be an attacker with probability p, and a good user with probability 1−p. Figure 5 compares the performance of the two algorithms for unevenly distributed attackers. The attacker distributions have different concentration properties. Specifically, we pick five disjoint subtrees of G, whose properties are shown in Table 1. We then define four concentration configurations, 0-3, for the attackers (see Table 2). The intention is for attacker concentration to increase as we go from configuration 0 to 3. Should a malicious entity be able to recruit or compromise many hosts to launch an attack, then these hosts, each behaving like a normal user, can still together bring about denial of service. For example, we model evenly distributed attackers by \bar{r}_a = 2, p = 30%, and U_S = 2800. Results in Fig.6 show that both algorithms fail to distinguish between the good users and the attackers, and punish both classes of hosts equally. To compare the cost of the two algorithms, Fig.7 plots the percentage of routers involved in throttling over k. (For the level-k approach, we count both the throttling routers and the routers between S and the R(k) routers which deliver throttle messages.) Notice that the two approaches basically require a comparable number of deployment points. Figure 8 investigates the effects of user dynamics (for both good users and attackers) on the level-15 throttle algorithm. 20% of the hosts in G are chosen to be attackers, and the rest are good users. The attackers are evenly distributed over G. We measure time in units of the maximum round trip delay between S and a router in R(15). As attackers and good users vary their sending rates, we notice that good user traffic is still protected from attacker traffic. Fig.9 shows how the throttle rate r_S evolves over time.

Fig.4 Performance comparison for evenly distributed attackers: \bar{r}_a = 20 and p = 0.2 (left) and \bar{r}_a = 10 and p = 0.4 (right)
Fig.5 Performance comparison for unevenly distributed attackers: our algorithm (left) and pushback (right)
Fig.6 Performance comparison for evenly distributed attackers with \bar{r}_a = 2, p = 30%
Fig.7 Number of participating routers as a function of the deployment depth
Fig.8 Algorithm response to attacker and good user dynamics
Fig.9 Evolution of throttle rate r_S over time

Table 1 Properties of subtrees 1-5
    Subtree   No. of nodes   No. of hosts   Root's distance from S (hops)
    1         1712           459            4
    2         1126           476            6
    3         1455           448            7
    4         1723           490            8
    5         1533           422            8

Table 2 Configured concentrations of attackers
    Configuration   Attackers uniformly chosen from
    0               G
    1               all the five subtrees
    2               subtrees 1 & 3
    3               subtrees 4 & 5

To evaluate our scheme on protecting a web server under DDoS attack, we use the Network Simulator NS-2 developed at Lawrence Berkeley Laboratory (LBL) and UC Berkeley. The simulated network topology is also from the AT&T traceroute; however, because of limited computation ability, we only chose a small graph with 85 hosts, 17 of which are attackers. Every good user is simulated by an HTTP traffic generator (http://www.tomh.org/software/httptrafficgen.tar), which connects to S with HTTP 1.0 over TCP Reno/IP. The attackers generate UDP traffic at 6 kbps to S. We model U_S = 10 kBps and set L_S = 8 kBps. The throttles are set in level-10 routers. Figure 14 shows the experimental result. The attack starts at time t = 10 s. Notice that the throttle negotiation algorithm effectively keeps the actual server load between L_S and U_S, and the traffic dropping falls mostly on the attackers' traffic.

4 Discussions

Several observations are in order about the practical deployment of our defense mechanism. First, to ensure reliability in installing router throttles, throttle messages must be authenticated before an edge router (assumed to be trusted) admits them into the network, and must be efficiently and reliably delivered from source to destination. Second, to ensure that the throttle mechanism remains operational when the server transiently experiences resource overload, we can deploy a helper machine to monitor the traffic