On the Feasibility of TTL-based Filtering for DRDoS Mitigation

Backes, Michael and Holz, Thorsten and Rossow, Christian and Rytilahti, Teemu and Simeonovski, Milivoj and Stock, Ben
(2016) On the Feasibility of TTL-based Filtering for DRDoS Mitigation.
In: RAID 2016, 19th International Symposium on Research in Attacks, Intrusions and Defenses.
Conference: RAID The International Symposium on Research in Attacks, Intrusions and Defenses (was International Symposium on Recent Advances in Intrusion Detection)

Full text not available from this repository.

Abstract

One of the major disturbances for network providers in recent years have been Distributed Reflective Denial-of-Service (DRDoS) attacks. In such an attack, the attacker spoofs the IP address of a victim and sent a flood of tiny packets to vulnerable services which then respond with much larger replies to the victim. Led by the idea that the attacker cannot fabricate the number of hops between the amplifier and the victim, Hop Count Filtering (HCF) mechanisms that analyze the Time to Live of incoming packets have been proposed as a solution. In this paper, we evaluate the feasibility of using Hop Count Filtering to mitigate DRDoS attacks. To that end, we detail how a server can use active probing to learn TTLs of alleged packet senders. Based on data sets of benign and spoofed NTP requests, we find that a TTL-based defense could block over 75% of spoofed traffic, while allowing 85% of benign traffic to pass. To achieve this performance, however, such an approach must allow for a tolerance of +/-2 hops. Motivated by this, we investigate the tacit assumption that an attacker cannot learn the correct TTL value. By using a combination of tracerouting and BGP data, we build statistical models which allow to estimate the TTL within that tolerance level. We observe that by wisely choosing the used amplifiers, the attacker is able to circumvent such TTL-based defenses. Finally, we argue that any (current or future) defensive system based on TTL values can be bypassed in a similar fashion, and find that future research must be steered towards more fundamental solutions to thwart any kind of IP spoofing attacks.

Item Type: Conference or Workshop Item (A Paper) (Paper)
Additional Information: pub_id: 1008 Bibtex: backes_ttl:16 URL date: None
Uncontrolled Keywords: networks,security
Divisions: Michael Backes (InfSec)
Christian Rossow (System Security Group, SysSec)
Ben Stock (Secure Web Applications Group, SWAG)
Conference: RAID The International Symposium on Research in Attacks, Intrusions and Defenses (was International Symposium on Recent Advances in Intrusion Detection)
Depositing User: Sebastian Weisgerber
Date Deposited: 26 Jul 2017 10:31
Last Modified: 18 Jul 2019 12:10
Primary Research Area: NRA3: Threat Detection and Defenses
URI: https://publications.cispa.saarland/id/eprint/674

Actions

Actions (login required)

View Item View Item
CISPA is powered by EPrints 3 which is developed by the School of Electronics and Computer Science at the University of Southampton. More information and software credits.