Thursday, July 21, 2011

Deep Packet Inspection vs. Granular Packet Inspection for DDoS Mitigation

Introduction

Deep Packet Inspection (DPI) is the capability to look within the application payload of a packet or traffic stream and make decisions, in the network, based on the content of that data. This is achieved using signature-matching technology: known attack signatures are used to recognize future attacks.
Distributed Denial-of-Service attacks overwhelm critical resources with a flood of attack traffic. To accomplish this, an attacker must be able to generate high-rate packet floods; this is usually done by recruiting a large number of machines through remote compromise and instructing them to flood the target. Early DDoS attacks employed a small number of compromised machines that generated large UDP or ICMP packets at maximum rate, aiming to overwhelm a target's bandwidth. This limited number of sources used IP spoofing to appear as a larger number of addresses. Recent attacks are more sophisticated: the attack traffic today is usually legitimate service request traffic (such as HTTP requests), sent from tens of thousands of compromised BotNet machines.
Because the traffic appears legitimate and is critical to business operation, it is very difficult to detect and filter attack packets while allowing access to legitimate user traffic. Further, since each attack machine sends traffic at a low rate, its behavior is not suspicious and therefore it is difficult to identify and blacklist such machines. DDoS attacks are a realistic threat to businesses, regardless of their size.
It is therefore necessary to inspect the intent of the attack rather than the content.
While most IPS appliances rely on content inspection, i.e. deep packet inspection, content inspection is futile against DDoS.

Granular Packet Inspection (GPI) and Why Is It Important for DDoS Mitigation

If BotNets mimic legitimate users using scripts, and content inspection cannot discriminate between real traffic and attack traffic, then what can be used? The answer lies in the methods the attackers use to launch such attacks.
To understand intent under a flood, one has to understand behavioral anomalies at the micro and macro levels. A behavioral anomaly is a deviation from past behavior. It is therefore important to gather information about past behavior and store it, so that one can predict what future behavior should be. This requires understanding the average, trend and seasonality of the traffic in a very granular way.
To achieve attack mitigation using behavioral anomalies, you must first understand the attack types used by BotNets. They can be broadly categorized into two kinds:
    • Non-Service attacks:
These are attacks on ports, protocols or other network parameters not primarily used by the network. E.g. attacks such as SQL Slammer overloaded a rarely-used port.

    • Service attacks:
These are attacks that actually try to mimic legitimate users. E.g. if a website uses the HTTP protocol, the attacks would target the open TCP port 80 and valid URLs.

The first kind of attack can simply be blocked by behaviorally blocking non-service ports, protocols etc. E.g. if your network rarely sees fragmented traffic and you suddenly get an overload of fragments, you can rate limit fragmented packets to the rate you had seen in the past. The same can be done for non-service protocols such as ICMP, UDP etc. and for non-service ports. They may even be blocked at the perimeter for the duration of an attack to avoid collateral damage. Granular thresholds help here, and so does directionality. E.g. if you normally get x Mbps of inbound traffic and y Mbps outbound, the rate limiting can differ between the two directions. Partitioning the network also helps to isolate issues. E.g. if one of your subnets sees SSL traffic while another does not, you can have different thresholds for the rate of SSL traffic in each.
The second kind of attack is tricky to stop using simple granular thresholds on ports, protocols etc. You need more behavioral techniques.
BotNet attacks are primarily scripted attacks – that is, bot programs are launching them. The behavior of these scripts is very different from a human clicking links in a browser or typing URLs. The rates are unusual: the rate of connection establishment from a single IP address is much higher for a scripted attack. Similarly, one or more of the following behavioral rates are abnormal during such attacks:
    • Total number of concurrent connections per destination IP address
    • Total number of concurrent connections per source IP address
    • Total number of SYN packets/second per partitioned network
    • Rate of packets/second per source
    • Rate of packets/second per destination
    • Rate of TCP connection establishment

Such behavioral anomalies can be caught using granular inspection that monitors individual IP addresses, protocols, ports, etc. Baseline thresholds for these granular characteristics, adjusted over time for seasonality, can be used to block abnormal behavior.

Granular Inspection Technology

Custom hardware design can monitor thresholds for all traffic it sees on Layers 2, 3, 4 and 7 and measure packet rates, state transitions, fragments, checksum, flags, new connections, and address pairs, etc. Thresholds can be set on any of these network parameters to rate limit traffic for particular systems or applications.

First Level of Granularity: Compartmentalization of Business/Network

To partition networks logically, DDoS mitigation devices provide support for segmenting the network. Through the use of Virtual Identifiers (VIDs), the appliances can segment the traffic into up to eight zones. Each zone can be a server, subnet or network, whether on-site or remote. This allows one gateway to secure eight network segments and thus spread its cost over a large infrastructure. When the gateway is placed in front of a router and firewall, this can substantially reduce duplication of those other network elements. VLAN tags, IP addresses or MAC addresses identify zones.
The logical partitioning allows each VID zone to have its own set of parameters and policies. Each of the 200,000-plus parameters and their corresponding thresholds are automatically monitored to spot malicious traffic. As different zones should be expected to have unique traffic patterns, the use of VIDs improves accuracy and prevents false positives.

Second Level of Granularity: Directionality

Traffic in a network has directionality, and each direction has different behavior. DDoS mitigation appliances allow you to set independent parameters in the two directions. E.g. the incoming and outgoing packet rates on port 80 are usually different and should be controlled differently.

Third Level of Granularity: Time

Traffic in a network has seasonality and growth over time. DDoS mitigation appliances allow you to set thresholds once; they then adjust the thresholds adaptively and continuously based on the time of day and day of the week.

Fourth Level of Granularity: Granular Packet Rate Thresholds

DDoS mitigation appliances monitor network parameters to analyze subtle changes in the behavior of the traffic rate, so as to recognize and prevent attacks, differentiate attack traffic from legitimate traffic, maintain service during a denial-of-service attack, and respond like a circuit breaker within 2 seconds.
DDoS mitigation appliances build a baseline model of legitimate network traffic at layers 2, 3, 4 and 7, measuring byte and packet counts, state transitions, fragments, flag distribution, IP address distribution, new connection establishment rate, and numerous other parameters. Counters for each parameter are implemented on chip – thus the measurement occurs at the packet forwarding rate of 200Mbps/2Gbps. Such a design introduces no monitoring overhead and no filtering bottleneck, and supports high-granularity counters. For example, traffic to one million source IP and one million destination IP addresses can be traced, as well as traffic on any of the 65536 ports on source or destination hosts and on any of the 256 possible protocol numbers.
Layer 2 Granularity: ARP, RARP, Multicast, Broadcast, VLAN, Double Encapsulated VLAN floods
Layer 3 Granularity: Protocol Flood (all 256), Options Flood (32), Fragment Flood, Source Flood, Destination Flood, TOS (all 256), Network Scan, Dark Address Scan
Layer 4 Granularity: TCP Ports (all 64K), UDP Ports (all 64K), ICMP Type/Codes (all 64K), TCP Options (32), Port Scan, Connection Flood, SYN Flood, Excessive SYNs/Source/Second, Excessive Connection Establishments/second, Zombie Flood, Excessive Connections/Source flood, Excessive Connections/Destination flood, TCP state violation floods
Layer 7 Granularity: URLs, User-Agent, Host, Referer, Cookie etc. (translates into excessive URL accesses/second, URL accesses/source/second etc.)

This granularity is important because it supports building a complex and detailed model of legitimate traffic, which facilitates detection of sophisticated attacks that attempt to mimic legitimate traffic. Since the attacker cannot learn or infer the baseline model, the generated attack will inevitably breach some of the fine thresholds, regardless of its sophistication. At the same time, fine granularity supports precise traffic filtering, minimizing collateral damage to legitimate traffic during an attack.

A network administrator can set up thresholds on individual monitored parameters, or on combinations of them, to describe the allowed fluctuations in network traffic.
Attacks that generate traffic floods are detected by comparing the current traffic measurements with a predicted trend for each monitored parameter. The predicted trend is derived from the baseline, taking into account a historical weighted average of the packet and byte counts carrying a given parameter value (so that later measurements carry more weight), the traffic trend (the dynamics of the parameter's change) and the traffic seasonality. If a measured value exceeds the predicted value by more than the threshold set for this parameter, an attack is detected. When a traffic parameter exceeds its minimum threshold, the smaller of the estimated and maximum thresholds is used for filtering. An administrator can control the extent to which an estimated threshold may exceed the baseline by setting one of five threat levels – a higher threat level leads to a tighter threshold.
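As an added illustration (not the appliance vendor's code), the detection rule just described, and the granular per-source rates listed earlier, in Python: a weighted baseline per monitored key and hour-of-day slot, a trend term, a threat-level factor that tightens the estimated threshold, and the minimum/maximum threshold rule. The smoothing factor, the threat-level factors and the sample SYN rates are assumptions.

```python
# Added example (not vendor code): adaptive per-key baseline with threat-level
# thresholds as the post describes; constants and names are assumptions.
from collections import defaultdict

# Threat level 1..5 -> how far a measurement may exceed the predicted value
# before it counts as a flood; a higher level means a tighter threshold. Assumed.
THREAT_LEVEL_FACTOR = {1: 4.0, 2: 3.0, 3: 2.0, 4: 1.5, 5: 1.25}

class GranularBaseline:
    """One counter (e.g. SYN/s) tracked per key (VID, direction, source IP, ...)
    and per seasonal slot (hour of day) as an exponentially weighted average,
    so that later measurements carry more weight, plus the last trend step."""

    def __init__(self, alpha=0.3, threat_level=3, min_threshold=0, max_threshold=None):
        self.alpha, self.factor = alpha, THREAT_LEVEL_FACTOR[threat_level]
        self.min_threshold, self.max_threshold = min_threshold, max_threshold
        self.ewma = {}                    # (key, slot) -> weighted average
        self.trend = defaultdict(float)   # (key, slot) -> last change in average

    def filter_threshold(self, key, slot):
        """Predicted value (average + trend) scaled by the threat-level factor,
        capped at the administrator's maximum threshold when one is set."""
        if (key, slot) not in self.ewma:
            return None                   # nothing learned yet for this key/slot
        est = (self.ewma[(key, slot)] + self.trend[(key, slot)]) * self.factor
        return est if self.max_threshold is None else min(est, self.max_threshold)

    def observe(self, key, slot, value):
        """Feed one measurement; return True if it is an attack sample.
        Flagged samples are not learned, so a flood cannot become the baseline."""
        thr = self.filter_threshold(key, slot)
        if value > self.min_threshold and thr is not None and value > thr:
            return True
        prev = self.ewma.get((key, slot))
        if prev is None:
            self.ewma[(key, slot)] = float(value)
        else:
            new = self.alpha * value + (1 - self.alpha) * prev
            self.trend[(key, slot)] = new - prev
            self.ewma[(key, slot)] = new
        return False

def detect_floods(samples, **opts):
    """samples: (hour_slot, key, value) triples in time order; returns flagged ones."""
    model = GranularBaseline(**opts)
    return [s for s in samples if model.observe(s[1], s[0], s[2])]

# Constructed SYN/s readings for one source at the 09:00 slot over five "days":
# four quiet days that train the baseline, then a scripted burst on day five.
SAMPLES = [(9, "10.0.0.5", r) for r in (20, 22, 21, 23, 120)]
```

Running `detect_floods(SAMPLES)` flags only the final burst; passing `max_threshold=22.5` shows the administrator's cap taking over from the estimate, and `min_threshold=150` shows the floor below which nothing is ever flagged.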

Additional Prevention Mechanisms

In addition to the behavior modeling approach to attack detection, a DDoS mitigation appliance can detect anomalous traffic at the packet and connection level. These techniques include:
    • SYN Proxy
    • Connection Limiting
    • Aggressive Aging
    • Source Rate Limiting
    • Dynamic Filtering
    • Active Verification through Legitimate IP Address Matching
    • Anomaly Recognition
    • Protocol Analysis
    • Rate Limiting
    • White-list, Black-list, Non-tracked sources
    • State Anomaly Recognition
    • Stealth Attack filtering
    • Dark address scan prevention

Conclusion

While deep packet inspection (DPI) is useful for securing perimeters, it is not sufficient to handle DDoS attacks. Granular Packet Inspection (GPI) done in silicon, combined with behavioral modeling, can provide the network security administrator with the right tools to thwart the new generation of attacks.
http://knol.google.com/k/deep-packet-inspection-vs-granular-packet-inspection-for-ddos-mitigation