The Crossfire Attack
Min Suk Kang Soo Bum Lee Virgil D. Gligor
ECE Department and CyLab,
Carnegie Mellon University
May 20 2013
Old: DDoS Attacks against Single Servers
Adversary’s Challenge: DDoS Attacks are either Persistent or Scalable to N Servers
N x traffic to 1 server => high-intensity traffic triggers network detection
detection not triggered => low-intensity traffic is insufficient for N servers
typical attack: floods server with HTTP, UDP, SYN, ICMP… packets
persistence
- maximum: 2.5 days (outlier: 81 days)
- average: 1.5 days
Example: “Spamhaus” Attack (2013)
Adversary
- 100K open DNS recursors
Attack traffic
• Adversary: DDoS -> 1 Spamhaus Server
  3/16 – 3/18: ~ 10 Gbps
  persistent: ~ 2.5 days
Anycast
• Spamhaus -> CloudFlare (3/19 – 3/22)
  – non-scalable: -> 90-120 Gbps traffic is diffused over N > 20 servers in 4 hours
IXP
• Adversary: DDoS -> 4 IXPs (3/23)
  – scalable: regionally degraded connectivity, some disconnection
  – non-persistent: attack detected, pushed back & legitimate traffic re-routed in ~ 1 - 1.5 hours
New: The Crossfire Attack
A link-flooding attack that degrades/cuts off network connections of scalable N-server area persistently
Persistent:
- attack traffic is indistinguishable from legitimate
- low-rate, changing sets of flows
- attack is “moving target” for same N-server area
- changes target links before triggering alarms
Scalable N-Server areas
- N = small (e.g., 1 - 1000 servers), medium (e.g., all servers in a US state), large (e.g., the West Coast of the US)
Definitions
• Target area: Area containing chosen target servers, e.g., an organization, a city, a state, or a country
• Target link: Network link selected for flooding
• Decoy server: Publicly accessible servers surrounding the target area
1-Link Crossfire
[Figure labels: Bots, Decoy Servers]
Attack Flows => Indistinguishable from Legitimate
low-rate flows
40 Gbps
(4 Kbps x 10K bots x 1K decoys)
changing sets of flows
Attack Flows => Alarms Not Triggered
suspend flows in t < Tdet sec & resume later
t = 40 – 180 sec => Alarms are Not Triggered
Link-failure detection latency, Tdet
- IGP routers: 217 sec/80 Gbps – 608 sec/60 Gbps
- BGP routers: 1,076 sec/80 Gbps – 11,119 sec/60 Gbps
n-Link Crossfire
• n links traversed by a large number of persistent paths to a target area.
  – small n; e.g., 5 - 15 “Narrow Path Waist” (observed power law for Internet route paths)
  – “moving targets,” same N servers = suspend-resume flooding of different link sets
[Figure labels: ≥ 3 hops, N servers; target link set shown in three builds: Good, Alternate, Relatively good]
Degraded Connectivity
[Figure: Degradation ratio vs. number of target links (n); series: Univ1, Univ2, New York, Pennsylvania, Massachusetts, Virginia, East Coast (US), West Coast (US); grouped as small, medium and large targets]
• Flooding a few target links causes high degradation (DR*)
  – 10 links => DR: 74 – 90% for Univ1 and Univ2
  – 15 links => DR: 53% (33%) for Virginia (West Coast)
* Degradation Ratio (target link set) = (# degraded bot-to-target area paths) / (# all bot-to-target area paths)
Attack Steps & Experiments
Attack Step 1: Link-Map Construction
Only persistent links are targeted
[Figure labels: traceroute, trace results, routers, servers, target area, Internet, transient links vs. persistent links]
Attack Step 2: Target-Link Selection
Goal: Find n links whose failure maximizes DR => maximum coverage problem
[Figure: Select n Target Links; labels: servers, Internet, target area]
Attack Step 3: Bot Coordination
Low send/receive rates ~ 1 Mbps
[Figure labels: Commands, Attack Flows, decoy server, Internet, servers, target area]
Experiments: Geographical Distribution of Traceroute Nodes
• 1,072 traceroute nodes
  – 620 PlanetLab nodes + 452 Looking Glass servers
[Figure: map legend: PlanetLab node, Looking Glass server]
Experiments: Target Areas
• Univ1
• Univ2
• New York
• Pennsylvania
• Massachusetts
• Virginia
• East Coast
• West Coast
[Figure labels: small, medium, large]
Effective Independence of Bot Distribution
Setting: Experiments using 6 different bot distributions
Result: No significant difference in attack performance
[Figure: < Bot distribution on the map >; degradation ratio vs. n target links for Baseline and Distr1 to Distr6; panels: Univ1, Pennsylvania, East Coast (US)]
More bots => Lower “Send” Flow Rate
Average rate when flooding 10 Target Links against Pennsylvania
[Figure: Average send/receive rate (Mbps); series: Per-Bot Send-Rate (100K bots), Per-Bot Send-Rate (200K bots), Per-Bot Send-Rate (500K bots), Per-Decoy Receive-Rate (350K decoys)]
Cost
• Attack bots available from Pay-Per Install (PPI) markets [2011]
  – 10 target link flooding
    » 500 K bots => $46K
    » 100 K bots => $9K
• State-/corporate-sponsored attacks use 10 – 100 x more bots
• Zero cost; e.g., harvest 100 – 500 K bots for 10 links

Region               Price per thousand bots
US / UK              $100 - $180
Continental Europe   $20 - $60
Rest of the world    < $10
Crossfire vs. Other Attacks
Design Goal | Old DDoS | Coremelt (2009) | “Spamhaus” Attack (2013) | Crossfire (2013)
Persistence
Scalable choice of N server targets
  Not a Goal
Indistinguishability from Legitimate flows
Bot distribution independence
  Not a Goal
Reliance on wanted flows only
Possible Countermeasures
• Any countermeasure must address (at least one of)
  i. the existence of the “narrow path waist”
  ii. slow network & ISP reaction
• Cooperation among multiple ISPs becomes necessary for detection
• Application-layer overlays can route around flooded links
• Additional measures
  – Preemptive or retaliatory disruption of bot markets
  – International agreements regarding prosecution of telecommunication-infrastructure attacks
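A detection sketch for the "slow network & ISP reaction" point, added here as an example and not taken from the slides: it flags links that saturate repeatedly in bursts that each end before the 217-sec IGP link-failure detection latency quoted above. The 10-sec polling interval, the 0.95 saturation threshold, the three-burst minimum, the link names and the sample feed are all assumptions.

```python
from dataclasses import dataclass

T_DET_IGP_S = 217   # lowest IGP link-failure detection latency quoted in the slides
SAMPLE_S = 10       # assumed polling interval of the utilisation feed
SATURATED = 0.95    # assumed utilisation fraction treated as "flooded"
MIN_BURSTS = 3      # assumed number of repeats before a link is flagged

@dataclass
class Burst:
    start_s: int
    duration_s: int

def saturation_bursts(samples):
    """Return contiguous runs of saturated samples as Burst objects."""
    bursts, run_start = [], None
    for i, util in enumerate(list(samples) + [0.0]):  # sentinel closes a final run
        if util >= SATURATED and run_start is None:
            run_start = i
        elif util < SATURATED and run_start is not None:
            bursts.append(Burst(run_start * SAMPLE_S, (i - run_start) * SAMPLE_S))
            run_start = None
    return bursts

def suspend_resume_suspects(link_samples):
    """Flag links with repeated saturation bursts that each end before T_det."""
    suspects = {}
    for link, samples in link_samples.items():
        short = [b for b in saturation_bursts(samples)
                 if b.duration_s < T_DET_IGP_S]
        if len(short) >= MIN_BURSTS:
            suspects[link] = short
    return suspects

def constructed_feed():
    """Constructed sample data: utilisation fractions per link, one per 10 s."""
    idle, flood = [0.40] * 6, [0.99] * 12            # 60 s quiet, 120 s saturated
    return {
        "core-a:core-b": (idle + flood) * 3 + idle,  # three 120 s bursts
        "core-a:core-c": [0.55] * 60,                # busy but never saturated
        "core-b:edge-1": idle + [0.99] * 30 + idle,  # one 300 s event, above T_det
    }

if __name__ == "__main__":
    for link, bursts in suspend_resume_suspects(constructed_feed()).items():
        print(link, [(b.start_s, b.duration_s) for b in bursts])
```

The single 300-sec event is left to the routing protocol's own failure detection; only the repeated sub-Tdet bursts, which the slides say trigger no alarms, are reported.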
Conclusion
• New DDoS attack: the Crossfire attack
  – Scalable & Persistent
• Internet-scale experiments
  – Feasibility of the attack
  – High impact with low cost
• Generic Countermeasures
  – Characterization of possible solutions