Abstract
A major disturbance for network providers in recent years have been Distributed Reflective Denial-of-Service (DRDoS) attacks. In such an attack, the adversary spoofs the IP address of a victim and sends a flood of tiny packets to vulnerable services. The services then respond to spoofed the IP, flooding the victim with large replies. Led by the idea that an attacker cannot fabricate the number of hops a packet travels between amplifier and victim, Hop Count Filtering (HCF) mechanisms that analyze the Time-to-Live (TTL) of incoming packets have been proposed as a solution.
In this paper, we evaluate the feasibility of using HCF to mitigate DRDoS attacks. To that end, we detail how a server can use active probing to learn TTLs of alleged packet senders. Based on data sets of benign and spoofed NTP requests, we find that a TTL-based defense could block over 75 % of spoofed traffic, while allowing 85 % of benign traffic to pass. To achieve this performance, however, such an approach must allow for a tolerance of ±2 hops.
Motivated by this, we investigate the tacit assumption that an attacker cannot learn the correct TTL value. By using a combination of tracerouting and BGP data, we build statistical models which allow to estimate the TTL within that tolerance level. We observe that by wisely choosing the used amplifiers, the attacker is able to circumvent such TTL-based defenses. Finally, we argue that any (current or future) defensive system based on TTL values can be bypassed in a similar fashion, and find that future research must be steered towards more fundamental solutions to thwart any kind of IP spoofing attacks.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
We assume that the amplifiers have deployed HCF to protect against amplification attacks, therefore “valid” protocol requests are those with matching TTL value.
- 2.
Exploratory Data Analysis is not a method or a technique, but rather a philosophy for data analysis that employs a variety of techniques.
- 3.
A neighbor (or peering) autonomous system is the one that the AS directly interconnect with in order to exchange traffic.
- 4.
Peering ASes are ASes which directly interconnect with each other. We obtain this information from the available BGP data.
- 5.
Statistics [3] show that average length of AS-level paths is 4, therefore we bound the subpath examination to 2 levels, i.e., we can examine paths of at least 6 hops.
References
Default TTL values in TCP/IP. http://www.map.meteoswiss.ch/map-doc/ftp-probleme.htm
Functional requirements for broadband residential gateway devices. https://www.broadband-forum.org/technical/download/TR-124.pdf
RIPE Atlas: Internet data collection system. https://atlas.ripe.net/
RIPE Atlas: Statistics and network coverage. https://atlas.ripe.net/results/maps/network-coverage/
Technical details behind a 400Gbps NTP amplification DDoS attack. https://goo.gl/j7zWEp
Augustin, B., Cuvellier, X., Orgogozo, B., Viger, F., Friedman, T., Latapy, M., Magnien, C., Teixeira, R.: Avoiding traceroute anomalies with Paris traceroute. In: Internet Measurement Conference (2006)
Beitollahi, H., Deconinck, G.: Analyzing well-known countermeasures against distributed denial of service attacks. Comput. Commun. 35, 1312–1332 (2012)
Durumeric, Z., Bailey, M., Halderman, J.A.: An internet-wide view of internet-wide scanning. In: USENIX Security Symposium (2014)
Gregori, E., Improta, A., Lenzini, L., Rossi, L., Sani, L.: On the incompleteness of the AS-level graph: a novel methodology for BGP route collector placement. In: Internet Measurement Conference (2012)
Jin, C., Wang, H., Shin, K.G.: Hop-count filtering: an effective defense against spoofed DDoS traffic. In: Proceedings of the 10th ACM Conference on Computer and Communications Security. ACM (2003)
Katz-Bassett, E., Madhyastha, H.V., Adhikari, V.K., Scott, C., Sherry, J., van Wesep, P., Anderson, T.E., Krishnamurthy, A.: Reverse traceroute. In: USENIX NSDI (2010)
Kührer, M., Hupperich, T., Rossow, C., Holz, T.: Exit from hell? Reducing the impact of amplification DDoS attacks. In: USENIX Security Symposium (2014)
Mao, Z.M., Rexford, J., Wang, J., Katz, R.H.: Towards an accurate AS-level traceroute tool. In: Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication (2003)
Mirkovic, J., Reiher, P.L.: A taxonomy of DDoS attack and DDoS defense mechanisms. Comput. Commun. Rev. 34, 39–53 (2004)
Mukaddam, A., Elhajj, I., Kayssi, A.I., Chehab, A.: IP spoofing detection using modified hop count. In: International Conference on Advanced Information Networking and Applications (2014)
Oliveira, R.V., Pei, D., Willinger, W., Zhang, B., Zhang, L.: The (in)completeness of the observed internet AS-level structure. IEEE/ACM Trans. Netw. 18(1), 109–122 (2010)
Paxson, V.: An analysis of using reflectors for distributed denial-of-service attacks. Comput. Commun. Rev. 31(3), 38–47 (2001)
Pepelnjak, I., Durand, J., Doering, G.: BGP operations and security. RFC 7454, RFC Editor (2015). https://tools.ietf.org/html/rfc7454
Postel, J.: Internet protocol specification. RFC 791, RFC Editor (1981). https://tools.ietf.org/html/rfc791
Postel, J.: Character generator protocol. RFC 864, RFC Editor (1983). https://tools.ietf.org/html/rfc864
Rosen, E.C., Viswanathan, A., Callon, R.: Multiprotocol label switching architecture. RFC 3031, RFC Editor, January 2001. http://tools.ietf.org/html/rfc3031
Rossow, C.: Amplification hell: revisiting network protocols for DDoS abuse. In: NDSS (2014)
Ryba, F.J., Orlinski, M., Wählisch, M., Rossow, C., Schmidt, T.C.: Amplification and DRDoS attack defense-a survey and new perspectives. arXiv preprint arXiv:1505.07892 (2015)
Specht, S.M., Lee, R.B.: Distributed denial of service: taxonomies of attacks, tools, and countermeasures. In: International Conference on Parallel and Distributed Computing Systems (2004)
Acknowledgments
This work was supported by the German Federal Ministry of Education and Research (BMBF) through funding for the Center for IT-Security, Privacy and Accountability (CISPA) as well as through the BMBF grant 01IS14009B (“BDSec”).
The authors would like to thank Sven Bugiel for his comments on an earlier version of the paper. Additionally, we are grateful for the feedback from our shepherd Roberto Perdisci as well as those of our anonymous reviewers.
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Backes, M., Holz, T., Rossow, C., Rytilahti, T., Simeonovski, M., Stock, B. (2016). On the Feasibility of TTL-Based Filtering for DRDoS Mitigation. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2016. Lecture Notes in Computer Science(), vol 9854. Springer, Cham. https://doi.org/10.1007/978-3-319-45719-2_14
Download citation
DOI: https://doi.org/10.1007/978-3-319-45719-2_14
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-45718-5
Online ISBN: 978-3-319-45719-2
eBook Packages: Computer ScienceComputer Science (R0)