Transcript CNS Review
Proactive Surge Protection: A Defense Mechanism for Bandwidth-Based Attacks Jerry Chou, Bill Lin University of California, San Diego Subhabrata Sen, Oliver Spatscheck AT&T Labs-Research USENIX Security Symposium, San Jose, USA, July 30, 2008 Outline • Problem • Approach • Experimental Results • Summary USENIX Security Symposium, San Jose, USA, July 30, 2008 – Slide 2 Motivation Seattle Chicago Sunnyvale Los Angeles New York Denver Indianapolis Washington Kansas City Atlanta Houston • Large-scale bandwidth-based DDoS attacks can quickly knock out substantial parts of a network before reactive defenses can respond • All traffic that share common route links will suffer collateral damage even if it is not under direct attack USENIX Security Symposium, San Jose, USA, July 30, 2008 – Slide 3 Motivation • Potential for large-scale bandwidth-based DDoS attacks exist • e.g. large botnets with more than 100,000 bots exist today that, when combined with the prevalence of highspeed Internet access, can give attackers multiple tens of Gb/s of attack capacity • Moreover, core networks are oversubscribed (e.g. some core routers in Abilene have more than 30 Gb/s incoming traffic from access networks, but only 20 Gb/s of outgoing capacity to the core USENIX Security Symposium, San Jose, USA, July 30, 2008 – Slide 4 Example Scenario Seattle/NY: 3 Gb/s Seattle 10G 10G Kansas City 10G Sunnyvale Sunnyvale/NY: 3 Gb/s New York Indianapolis Houston Atlanta • Suppose under normal condition Traffic between Seattle/NY + Sunnyvale/NY under 10 Gb/s USENIX Security Symposium, San Jose, USA, July 30, 2008 – Slide 5 Example Scenario Seattle/NY: 3 Gb/s Seattle 10G 10G Kansas City 10G Sunnyvale Sunnyvale/NY: 3 Gb/s New York Indianapolis Houston Atlanta Houston/Atlanta: Attack 10 Gb/s • Suppose sudden attack between Houston/Atlanta Congested links suffer high rate of packet loss Serious collateral damage on crossfire OD pairs USENIX Security Symposium, San Jose, USA, July 30, 2008 – Slide 6 Impact on Collateral Damage US Europe • OD pairs are classified into 3 types with respect to the attack traffic Attacked: OD pairs with attack traffic Crossfire: OD pairs sharing route links with attack traffic Non-crossfire: OD pairs not sharing route links with attack traffic • Collateral damage occurs on crossfire OD pairs • Even a small percentage of attack flows can affect substantial parts of the network USENIX Security Symposium, San Jose, USA, July 30, 2008 – Slide 7 Related Works • Most existing DDoS defense solutions are reactive in nature • However, large-scale bandwidth-based DDoS attacks can quickly knock out substantial parts of a network before reactive defenses can respond • Therefore, we need a proactive defense mechanism that works immediately when an attack occurs USENIX Security Symposium, San Jose, USA, July 30, 2008 – Slide 8 Related Works (cont’d) • Router-based defenses like Random Early Drop (RED, RED-PD, etc) can prevent congestion by dropping packets early before congestion But may drop normal traffic indiscriminately, causing responsive TCP flows to severely degrade • Approximate fair dropping schemes aim to provide fair sharing between flows But attackers can launch many seemingly legitimate TCP connections with spoofed IP addresses and port numbers • Both aggregate-based and flow-based router defense mechanisms can be defeated USENIX Security Symposium, San Jose, USA, July 30, 2008 – Slide 9 Previous Solutions (cont’d) • Router-based defenses like Random Early Drop (RED, RED-PD, etc) can prevent congestion by dropping packets early before congestion But may drop normal traffic indiscriminately, causing responsive TCP flows to severely degrade In general, defenses based on • Approximate fair dropping schemes aim to provide fair unauthenticated header information such as sharing between flows and port numbers IP addresses But attackers can launch many seemingly legitimate may not be reliable TCP connections with spoofed IP addresses and port numbers • Both aggregate-based and flow-based router defense mechanisms can be defeated USENIX Security Symposium, San Jose, USA, July 30, 2008 – Slide 10 Outline • Problem • Approach • Experimental Results • Summary USENIX Security Symposium, San Jose, USA, July 30, 2008 – Slide 11 Our Solution • Provide bandwidth isolation between OD pairs, independent of IP spoofing or number of TCP/UDP connections • We call this method Proactive Surge Protection (PSP) as it aims to proactively limit the damage that can be caused by sudden demand surges, e.g. sudden bandwidth-based DDoS attacks USENIX Security Symposium, San Jose, USA, July 30, 2008 – Slide 12 Basic Idea: Bandwidth Isolation Seattle/NY: Limit: 3.5 Gb/s Actual: 3 Gb/s All admitted as High Traffic received in NY: Seattle: 3 Gb/s Sunnyvale: 3 Gb/s … Seattle 10G 10G Kansas City New York 10G Sunnyvale Indianapolis Proposed mechanism proactively drop attack Sunnyvale/NY: traffic immediately when attacks occur Houston Atlanta Houston/Atlanta: Limit: 3.5 Gb/s Actual: 3 Gb/s All admitted as High Houston/Atlanta: Limit: Limit: 3 3 Gb/s Gb/s Actual: 10 Gb/s Actual: 2 Gb/s High: 3 Gb/sas High All admitted Low: 7 Gb/s • Meter and tag packets on ingress as HIGH or LOW priority Based on historical traffic demands and network capacity • Drop LOW packets under congestion inside network USENIX Security Symposium, San Jose, USA, July 30, 2008 – Slide 13 Architecture Traffic Data Collector Traffic Measurement Bandwidth Allocator Bandwidth Allocation Matrix Policy Plane Proposed mechanism readily available in Data Plane Deployed at routers Network modern Routers forwarded packets dropped packets Preferential Dropping tagged packets Differential Tagging arriving packets Deployed at Network Perimeter High priority Low priority USENIX Security Symposium, San Jose, USA, July 30, 2008 – Slide 14 Allocation Algorithms • Aggregate traffic at the core is very smooth and variations are predictable • Compute a bandwidth allocation matrix for each hour based on historical traffic measurements e.g. allocation at 3pm is computed by traffic measurements during 3-4pm in the past 2 months Source: Roughan’03 on a Tier-1 US Backbone USENIX Security Symposium, San Jose, USA, July 30, 2008 – Slide 15 Allocation Algorithms • To account for measurement inaccuracies and provide headroom for traffic burstiness, we fully allocate the entire network capacity as an utility max-min fair allocation problem Mean-PSP: based on the mean of traffic demands CDF-PSP: based on the Cumulative Distribution Function (CDF) of traffic demands • Utility Max-min fair allocation Iteratively allocate bandwidth in “water-filling” manner Each iteration maximize the common utility of all flows Remove the flows without residual capacity after each iteration USENIX Security Symposium, San Jose, USA, July 30, 2008 – Slide 16 Utility Max-min Fair Bandwidth Allocation Utility functions AB BC 100 80 60 40 20 AC 100 80 60 40 20 Utility(%) Utility(%) Utility(%) 100 80 60 40 20 1 2 3 4 5 BW 1 2 3 4 5 BW Network 1 2 3 4 5 BW Allocation 5 A B 5 5 5 C BW 5 4 3 2 1 0 1st round AB BC Links BW 5 4 3 2 1 0 2nd round AB BC Links USENIX Security Symposium, San Jose, USA, July 30, 2008 – Slide 17 Mean-PSP (Mean-based Max-min) • Use mean traffic demand as the utility function fij ( Bij ) Bij dij /# m easurem ent • Iteratively allocate bandwidth in “waterfilling” manner 10G A 10G B 10G C 10G Mean Demand BW Allocation Bij A B C A - 1.5 1 B 0.5 - C 1.5 1 BW 10 8 6 4 2 0 A B C A - 6 4 0.5 B 4 - 6 - C 6 4 - 1st round AB BC CB BA Links BW 10 8 6 4 2 0 2nd round AB BC CB BA Links USENIX Security Symposium, San Jose, USA, July 30, 2008 – Slide 18 CDF-PSP (CDF-based Max-min) • Explicitly capture the traffic variance by using a Cumulative Distribution Function (CDF) model as utility functions fij ( Bij ) PROB[dij Bij ] • Maximize utility is equivalent to minimizing the drop probabilities for all flows in a max-min fair manner E.g : dij (1,1,1, 3, 5) Utility(%) 100 80 60 40 20 When allocated 3 unit bandwidth, drop probability is 20% 1 2 3 4 BW 5 USENIX Security Symposium, San Jose, USA, July 30, 2008 – Slide 19 Outline • Problem • Approach • Experimental Results • Summary USENIX Security Symposium, San Jose, USA, July 30, 2008 – Slide 20 Networks • US Backbone Large tier1 backbone network in US ~700 nodes, ~2000 links (1.5Mb/s – 10Gb/s) 1-minute traffic traces: 07/01/07-09/03/07 • Europe Backbone Large tier1 backbone network in Europe ~900 nodes, ~3000 links (1.5Mb/s – 10Gb/s) 1-minute traffic traces: 07/01/07-09/03/07 USENIX Security Symposium, San Jose, USA, July 30, 2008 – Slide 21 Evaluation Methodology • NS2 Simulation • Normal traffic: Based on actual traffic demands over 24 hour period for each backbone • Attack traffic: US Backbone: highly distributed attack scenario • Based on commercial anomaly detection systems • From 40% ingress routers to 25% egress routers Europe Backbone: targeted attack scenario • Created by synthetic attack flow generator • From 40% ingress routes to only 2% egress routers USENIX Security Symposium, San Jose, USA, July 30, 2008 – Slide 22 Packet Loss Rate Comparison US Europe • Both PSP schemes greatly reduced packet loss rates • Peak hours have higher packet loss rates USENIX Security Symposium, San Jose, USA, July 30, 2008 – Slide 23 Relative Loss Rate Comparison US Europe • PSP reduced packet loss rates by more than 75% USENIX Security Symposium, San Jose, USA, July 30, 2008 – Slide 24 Behavior Under Scaled Attacks • Packet drop rate under attack demand scaled by factor up to 3x US Europe • Under PSP, the loss remains small throughout the range ! USENIX Security Symposium, San Jose, USA, July 30, 2008 – Slide 25 Summary of Contributions • Proactive solution for protecting networks that provides a first line of defense when sudden DDoS attacks occur • Very effective in protecting network traffic from collateral damage • Not dependent on unauthenticated header information, thus robust to IP spoofing • Readily deployable using existing router mechanisms USENIX Security Symposium, San Jose, USA, July 30, 2008 – Slide 26 Questions? USENIX Security Symposium, San Jose, USA, July 30, 2008