Scalable Networklayer Defense against Distributed Flooding Attacks - PowerPoint PPT Presentation

1 / 91

About This Presentation

Title:

Scalable Networklayer Defense against Distributed Flooding Attacks

Description:

Attacker compromises large number of hosts. Commands them to flood victim ... Betting sites. 100's attacked every day. 1 hour of downtime = $300,000 lost (eBay) ... – PowerPoint PPT presentation

Number of Views:62

Avg rating:3.0/5.0

Slides: 92

Provided by: ice82

Category:

more less

Transcript and Presenter's Notes

Title: Scalable Networklayer Defense against Distributed Flooding Attacks

1
Scalable Network-layer Defense against
Distributed Flooding Attacks

Katerina Argyraki
Stanford University

2
The DDoS problem
1
3
The DDoS problem
citi.com

Attacker compromises large number of hosts

1
4
The DDoS problem
citi.com

Attacker compromises large number of hosts
Commands them to flood victim with requests

1
5
The DDoS problem
citi.com

Attacker compromises large number of hosts
Commands them to flood victim with requests
Victim fails to respond to legitimate clients

1
6
Its a real problem

Akamai
flooded DNS servers
Yahoo, Google disrupted for hours
SCO
flooded web server, site down for weeks
changed domain name
Betting sites
100s attacked every day
1 hour of downtime 300,000 lost (eBay)

DDoS costs millions of dollars
2
7
The enemy

Groups of compromised hosts
typically DSL, dial-up hosts
Botnets 1,000 50,000 members
Worm-infected populations
Code Red 350,000
MyDoom 500,000
Near future millions of attack sources
Stanisford 03

Solution must scale to millions of sources
3
8
Outline

Problem statement
Prior work
Scalable distributed filtering
basic mechanism
analysis performance, resources, scalability
Internet deployment
compromised routers
abusive filtering requests
spoofed recorded routes
Evaluation
Future work

4
9
Outline

Problem statement
Prior work
Scalable distributed filtering
basic mechanism
analysis performance, resources, scalability
Internet deployment
compromised routers
abusive filtering requests
spoofed recorded routes
Evaluation
Future work

5
10
Easiest target tail-circuit bandwidth

Flood tail circuit with normal-looking traffic
Legitimate clients back off, goodput drops to 0

Must block attack traffic before tail-circuit
6
11
Filtering
V
A

Filter piece of state that stores an access rule
Example block all traffic with IP src A IP dst
V
Already widely deployed throughout Internet

7
12
Filtering flooding attack traffic

Ideally block traffic from each attack source
Without affecting legitimate traffic

Need millions of filters per attacked client
8
13
Filters are a scarce resource

We only have a few thousand per client
e.g., Cisco 16-port 100baseT module 4,000
filters per port
Expensive technology
typically stored in TCAM
high power consumption
1 chip per linecard
200 per chip

Filtering close to the victim is insufficient
9
14
Outline

Problem statement
Prior work
Scalable distributed filtering
basic mechanism
analysis performance, resources, scalability
Internet deployment
compromised routers
abusive filtering requests
spoofed recorded routes
Evaluation
Future work

10
15
Taxonomy of related work

White-listing solutions
allow legitimate clients deny all the rest
VPNs, secure overlays Keromytis 02, Andersen 03
capabilities Anderson 03, Yaar 04, Yang 05
Hop-by-hop filter propagation
push filtering into the Internet core
Pushback Mahajan 01
Path Identifier Yaar 03

11
16
White-listing solutions

Works when you talk to few hosts
And you know in advance which ones

Doesnt work for public-access sites
12
17
Hop-by-hop filter propagation
A
13
18
Hop-by-hop filter propagation
A
13
19
Hop-by-hop filter propagation
A
13
20
Hop-by-hop filter propagation
A
13
21
Hop-by-hop filter propagation
A

Requires Internet-wide deployment
including core routers
Introduces end-to-end filtering state into core
each filtering request blocks source A to dst V

13
22
End-to-end state into the core
14
23
End-to-end state into the core

filtering requests attack sources ? victims
Per-client resources grow at least quadratically
with Internet size

Hop-by-hop filter propagation does not scale
14
24
Active Internet Traffic Filtering

Thousands of routers billions of filters on
attack path
Located close to attack sources
Must get to them, bypassing the core

Manage the resources close to attack sources
15
25
Thesis

The IP layer of the Internet can provide
scalable,
deployable filtering, which enables edge-nodes to
preserve a significant percentage of their
tail-circuit
bandwidth in the face of distributed flooding
attacks.

16
26
Contributions

Scalable distributed filtering
bounded per-client resources
that grow linearly with Internet size
Deployable in the real Internet
requires modest per-client resources
secure, incrementally deployable
Cannot do significantly better with any reactive
filtering solution

17
27
Outline

Problem statement
Prior work
Scalable distributed filtering
basic mechanism
analysis performance, resources, scalability
Internet deployment
compromised routers
abusive filtering requests
spoofed recorded routes
Evaluation
Future work

18
28
Assumption
Agw
Vgw
A
V
V A

Record route Argyraki 04
subset of border routers record their address on
packets

19
29
Assumption
Agw
Vgw
A
V
V Agw A

Record route Argyraki 04
subset of border routers record their address on
packets

19
30
Assumption
Agw
Vgw
A
V
V Vgw Agw A

Record route Argyraki 04
subset of border routers record their address on
packets

Victim can identify distinct undesired flows
V Vgw Agw A or V Vgw Agw
Routers can filter packets by path

19
31
Assumption
Agw
Vgw
A
V
Victims gateway
Attack gateway

Record route Argyraki 04
subset of border routers record their address on
packets

Victim can identify distinct undesired flows
V Vgw Agw A or V Vgw Agw
Routers can filter packets by path

19
32
Basic mechanism (1)
Agw
Vgw
A
V
20
33
Basic mechanism (1)
Agw
Vgw
A
V
20
34
Basic mechanism (1)
block A?V for T
Agw
Vgw
A
V
20
35
Basic mechanism (1)
Agw
Vgw
A
V
20
36
Basic mechanism (1)
Agw
Vgw
A
V
20
37
Basic mechanism (1)
Agw
Vgw
A
V
20
38
Basic mechanism (1)
Agw
Vgw
A
V

No permanent filters in routers
temporary filters until next entity takes over
No hop-by-hop propagation
victims gateway talks directly to attack gateway

20
39
Basic mechanism (2)
Agw
Vgw
A
V
A to V

Attack gateway logs filtering request in DRAM for
T

21
40
Basic mechanism (2)
Agw
Vgw
A
V
A to V

Attack gateway logs filtering request in DRAM for
T

21
41
Basic mechanism (2)
Agw
Vgw
A
V
A to V

Attack gateway logs filtering request in DRAM for
T

If attack source does not comply,
it gets disconnected

log disconnection inexpensive filtering
21
42
Performance bandwidth loss
victims bandwidth
batt
time

batt attack flow bandwidth
Tblock round-trip time across the tail circuit

22
43
Performance bandwidth loss
victims bandwidth
batt
time
Tblock
Natt
blost batt
T

batt attack flow bandwidth
Tblock round-trip time across the tail circuit
Natt number of attack sources

22
44
Performance bandwidth loss

Bandwidth consumed by attack
Fraction of victims bandwidth consumed

Tblock
Natt
blost batt
T
Tblock
batt
Natt
loss
T
bv

batt attack flow bandwidth
Tblock round-trip time across the tail circuit
Natt number of attack sources
bv victims bandwidth

23
45
The filtering window T
block A?V for T
Vgw
Agw
V
A

T is the interval for which the attack gateway
remembers each undesired flow

Affects memory required on attack gateway
Agw needs more memory to remember flows longer

Larger T ? more bandwidth more memory
24
46
Resources attack gateway memory
Agw
A
f1 fi fi1 fM-1 fM

If A attacks more than M victims within T,
disconnect A
e.g., M 1,000 requires 10 KB per client
M R T
R max filtering request rate per client

Requires a few KB per attack source
25
47
Scalability
26
48
Scalability

Bandwidth loss

assume bv and batt grow at the same rate

26
49
Scalability

Bandwidth loss

assume bv and batt grow at the same rate

26
50
Scalability

Bandwidth loss

assume bv and batt grow at the same rate
T must grow at the same rate with Natt

Attack gateway memory per client M R T

M must grow at the same rate with T
to maintain same policy R

Per-client memory O(attack population size)
26
51
Evolution of memory cost
Memory cost halves every 18 months
27
52
Evolution of AITF cost

Depends on attack population growth relative to
Moores law
If botnets grow slower, cost decreases
Otherwise
attack gateways must employ stricter policy
to keep cost stable

28
53
Outline

Problem statement
Prior work
Scalable distributed filtering
basic mechanism
analysis performance, resources, scalability
Internet deployment
compromised routers
abusive filtering requests
spoofed recorded routes
Evaluation
Future work

29
54
Assumptions so far

Attack gateway cooperates
may be compromised
no incentive
Filtering requests are legitimate
may be malicious
seeking to disrupt communication between victims
The recorded route corresponds to the real route
may be spoofed
similar to source address spoofing

30
55
Problem non-cooperating Agw
block A-V
Agw
Vgw
A
V
31
56
Solution escalation
Agw
Vgw
V

Attack gateway becomes the attack source
Blocks all traffic from attack gateway to victim

32
57
Solution escalation
block Agw-V
Agw
Vgw
V

Attack gateway becomes the attack source
Blocks all traffic from attack gateway to victim
Escalates request to next border router on attack
path

Responds or risk connectivity to victim
32
58
Problem malicious filtering requests
Agw
Vgw
A
V

Edge-to-edge filter propagation prone to spoofing

33
59
Solution 3-way handshake
block F
block F
F, nonce
F, nonce
34
60
Solution 3-way handshake
block F
block F
F, nonce
F, nonce

Ensures requester is on path to alleged victim
No state at Agw nonce hash(F, local key)

Eliminates spoofing by off-the-path nodes
34
61
Cant a core router still spoof?

Sure

But then were in big trouble anyway

Trust only whats on the path
35
62
Problem path spoofing
Agw
Vgw
A
V
M
V AgwA
36
63
Problem path spoofing
Agw
Vgw
A
V
A Agw VgwV
M

Malicious node M spoofs path from Agw to V
Causes all traffic from Agw to V to be blocked
Vgw misclassifies Agw as compromised

Cannot trust recorded path
36
64
Solution unpredictable marking
Agw
Vgw
A
V
A AgwN V
M
A Agw? V

Agw records unpredictable number N on packet
No state at Agw N hash(destination, local key)

Can prevent path spoofing by off-the-path nodes
37
65
Solution unpredictable marking

Agw rejects requests with the wrong N
and communicates the correct N to V

Blocks flows with invalid path
38
66
Deployment summary

Escalation deals with non-cooperating gateways
cooperate or lose connectivity to victim
3-way handshake deals with malicious requests
by off-the-path nodes
trust what is on the path
Unpredictable marking deals with path spoofing
by off-the-path nodes

39
67
Outline

Problem statement
Prior work
Scalable distributed filtering
basic mechanism
analysis performance, resources, scalability
Internet deployment
compromised routers
abusive filtering requests
spoofed recorded routes
Evaluation
Future work

40
68
Simulation

Scalable Simulation Framework DaSSF 02
Real Internet domain topology
BGP tables from RouteViews
run Gaos algorithm for inferring domain
relations Gao 00
Uniformly distributed attack populations
Parameters
Tblock 10 msec
T 20 min

41
69
Scenario 1 MyDoom

Attack characteristics MyDoom 03
Natt 500,000 attack sources
batt 128 Kbps
5,000 attack sources at a time
maximum flooding of tail circuit

42
70
MyDoom
Victims bandwidth (Mbps)
Time (sec)
43
71
MyDoom with AITF
Victims bandwidth (Mbps)
Time (sec)
44
72
MyDoom with AITF
Victims bandwidth (Mbps)
Time (sec)
Victim preserves 94 of its bandwidth
45
73
Scenario 2 Shrew attack

Attack characteristics
Natt 100,000 attack sources
batt 128 Kbps
sources coordinate to induce spikes every 1 sec

46
74
Shrew
Victims bandwidth (Mbps)
Time (sec)
47
75
Shrew with AITF
Victims bandwidth (Mbps)
Time (sec)
Victim preserves 98 of its bandwidth
48
76
Escalation
Victims bandwidth (Mbps)
Time (sec)
Victim recovers goodput from coop. networks
49
77
Can we do better?

Block attack traffic faster?
AITF Tblock round-trip time across
tail-circuit
best any reactive solution can do
Block attack traffic longer?
view Internet as filtering server
requests in server arrival rate
? T
best solution accommodates the most cheapest
filtering state

50
78
Filtering state
51
79
Filtering state

Close to the victim
available resources victims ? wire-speed
filters per client

51
80
Filtering state

Close to the victim
available resources victims ? wire-speed
filters per client
At the core ?

51
81
Filtering state

Close to the victim
available resources victims ? wire-speed
filters per client
At the core ?
Close to the attack sources
attack sources ? DRAM slots per client
disconnection

51
82
Filtering state in AITF
Efficiently leverages all available filtering
resources
52
83
Outline

Problem statement
Prior work
Scalable distributed filtering
basic mechanism
analysis performance, resources, scalability
Internet deployment
compromised routers
abusive filtering requests
spoofed recorded routes
Evaluation
Future work

54
84
Future work

Maximize goodput
simplest policy block non-cooperating gateways
next compare benefit of blocking vs. benefit of
allowing
Maximize communication value
simplest policy disconnect persistent attack
source
what if attack source is an entire network?
next compare value of communication to victim
vs. value of communication to attack source

55
85
Conclusions