Transcript CNS Review

Minimizing Collateral Damage by Proactive Surge Protection
Jerry Chou, Bill Lin
University of California, San Diego
Subhabrata Sen, Oliver Spatscheck
AT&T Labs-Research
ACM SIGCOMM LSAD Workshop, Kyoto, Japan, August 27, 2007
Problem
• Large-scale bandwidth-based DDoS attacks can
quickly knock out substantial parts of the network
before reactive defenses can respond
• All traffic that shares common route links will
suffer collateral damage even if the OD pair is not
under direct attack
Problem
• Potential for large-scale bandwidth-based DDoS
attacks exists
• e.g. large botnets with more than 100,000 bots
exist today that, when combined with the
prevalence of high-speed Internet access, can
give attackers multiple tens of Gb/s of attack
capacity
• Moreover, core networks are oversubscribed (e.g.
some core routers in Abilene have more than 30
Gb/s incoming traffic from access networks, but
only 20 Gb/s of outgoing capacity to the core)
Problem
• Router-based defenses like Random Early Drop
(RED, RED-PD, etc) can prevent congestion by
dropping packets early before congestion
  → But may drop normal traffic indiscriminately,
  causing responsive TCP flows to severely
  degrade
• Approximate fair dropping schemes aim to provide
fair sharing between flows
  → But attackers can launch many seemingly
  legitimate TCP connections with spoofed IP
  addresses and port numbers
• Both aggregate-based and flow-based router
defense mechanisms can be defeated
Problem
In general, defenses based on unauthenticated header
information such as IP addresses and port numbers
may not be reliable
Example Scenario
[Figure: backbone topology with nodes Seattle, Sunnyvale, Kansas City, Indianapolis, Houston, Atlanta and New York; links labelled 10G; Seattle/NY: 3 Gb/s, Sunnyvale/NY: 3 Gb/s]
• Suppose under normal condition
  - Traffic between Seattle/NY + Sunnyvale/NY under
  10 Gb/s
Example Scenario
[Figure: backbone topology with nodes Seattle, Sunnyvale, Kansas City, Indianapolis, Houston, Atlanta and New York; links labelled 10G; Seattle/NY: 3 Gb/s, Sunnyvale/NY: 3 Gb/s, Houston/Atlanta: Attack 10 Gb/s]
• Suppose sudden attack between Houston/Atlanta
  - Congested links suffer high rate of packet loss
  - Serious collateral damage on crossfire OD pairs
Impact on Collateral Damage
• OD pairs are classified into 3 types with respect to
the attack traffic
• Even a small percentage of attack flows can affect
substantial parts of the network
Our Solution
• Provide bandwidth isolation between OD pairs,
independent of IP spoofing or number of TCP/UDP
connections
• We call this method Proactive Surge Protection
(PSP) as it aims to proactively limit the damage
that can be caused by sudden demand surges,
e.g. sudden bandwidth-based DDoS attacks
Basic Idea: Bandwidth Isolation
[Figure: backbone topology (Seattle, Sunnyvale, Kansas City, Indianapolis, Houston, Atlanta, New York; links labelled 10G) annotated with per-OD-pair limits]
Seattle/NY: Limit: 3.5 Gb/s, Actual: 3 Gb/s, All admitted as High
Sunnyvale/NY: Limit: 3.5 Gb/s, Actual: 3 Gb/s, All admitted as High
Houston/Atlanta: Limit: 3 Gb/s, Actual: 10 Gb/s, High: 3 Gb/s, Low: 7 Gb/s
Traffic received in NY: Seattle: 3 Gb/s, Sunnyvale: 3 Gb/s, …
• Reserve bandwidth for expected OD pair demand
• Meter and tag packets on ingress as HIGH or LOW
• Drop LOW packets under congestion inside network
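The three steps above, worked through on the slide's numbers as an added example (not code from the talk): a fluid model of one congested link, with and without tagging. It assumes all three OD pairs cross a single shared 10 Gb/s link; the function names are illustrative.

```python
# Added illustration, not the authors' implementation.

def tag(demand, limit):
    """Ingress metering: traffic up to the OD pair's limit is HIGH, the rest LOW."""
    high = min(demand, limit)
    return high, demand - high

def untagged_link(demands, capacity):
    """Baseline without PSP: congestion drops every OD pair in proportion."""
    total = sum(demands.values())
    keep = min(1.0, capacity / total) if total else 1.0
    return {od: d * keep for od, d in demands.items()}

def psp_link(demands, limits, capacity):
    """Preferential dropping: HIGH is served first, LOW shares what is left."""
    tagged = {od: tag(d, limits[od]) for od, d in demands.items()}
    high_total = sum(h for h, _ in tagged.values())
    low_total = sum(l for _, l in tagged.values())
    high_keep = min(1.0, capacity / high_total) if high_total else 1.0
    spare = max(0.0, capacity - high_total)
    low_keep = min(1.0, spare / low_total) if low_total else 1.0
    return {od: h * high_keep + l * low_keep for od, (h, l) in tagged.items()}

def drop_rates(demands, delivered):
    """Fraction of each OD pair's offered traffic that was dropped."""
    return {od: 1 - delivered[od] / demands[od] for od in demands}

# Demands and limits in Gb/s, taken from the slide. That all three OD pairs
# share one 10 Gb/s link is an assumption made for this example.
DEMANDS = {"Seattle/NY": 3.0, "Sunnyvale/NY": 3.0, "Houston/Atlanta": 10.0}
LIMITS = {"Seattle/NY": 3.5, "Sunnyvale/NY": 3.5, "Houston/Atlanta": 3.0}
CAPACITY = 10.0

if __name__ == "__main__":
    base = drop_rates(DEMANDS, untagged_link(DEMANDS, CAPACITY))
    psp = drop_rates(DEMANDS, psp_link(DEMANDS, LIMITS, CAPACITY))
    for od in DEMANDS:
        print(f"{od:16s} no PSP: {base[od]:.1%}   PSP: {psp[od]:.1%}")
```

Under this model the two crossfire pairs lose 37.5% of their traffic without tagging and nothing with it, while the surge keeps its 3 Gb/s HIGH share plus the 1 Gb/s left over.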
Basic Idea: Bandwidth Isolation
Unlike conventional admission control, packets are
permitted into the network even when reserved
bandwidth has been exceeded
Proposed mechanism readily available in modern routers
Architecture
[Figure: PSP architecture. Policy Plane: Forecaster, Forecast Matrix, Bandwidth Allocator, Bandwidth Allocation Matrix. Data Plane: Differential Tagging (deployed at network perimeter) marks arriving packets as high priority or low priority; Preferential Dropping (deployed at network routers) turns tagged packets into forwarded packets and dropped packets.]
Forecasting and Allocation
• We use historical network measurements as a
forecast of expected normal traffic
  - e.g. average weekday traffic demand at 3pm
  EDT over past 2 months
  - More sophisticated forecasting methods (e.g.
  Bayesian schemes) possible, but already good
  results with simple forecasting
• To account for forecasting inaccuracies and to
provide headroom for traffic burstiness,
proportionally scale forecast matrix to fully
allocate available network capacity
Proportional Scaling
• Iteratively scale bandwidth allocation in
“water-filling” manner
[Figure: three nodes A, B, C connected by links labelled 10G]

Forecast Matrix
      A     B     C
A     1     1.5   1
B     0.5   2     0.5
C     1.5   1     1

Bandwidth Allocation
      A     B     C
A     ∞     6     4
B     4     ∞     6
C     6     4     ∞

[Figure: two bar charts, "1st round" and "2nd round", showing BW (0 to 10) per link for Links AB, BC, CB, BA]
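Added example, not the authors' implementation: one way to carry out the iterative proportional scaling, checked against the slide's forecast and allocation matrices. It assumes a line topology A-B-C with directed 10G links AB, BC, CB, BA; the function names are illustrative and its round bookkeeping may differ from the slide's.

```python
# Added illustration, not the authors' implementation.
INF = float("inf")

def water_fill(forecast, routes, capacity, eps=1e-9):
    """Proportionally scale forecast demands until links saturate.

    forecast: {od: demand}, routes: {od: [links on path]}, capacity: {link: bw}.
    Each round grows all unfrozen OD pairs by one common factor until the
    tightest link fills, then freezes the pairs that cross that link.
    """
    alloc, active = {}, set(forecast)
    while active:
        factors = {}
        for link, cap in capacity.items():
            growing = sum(forecast[od] for od in active if link in routes[od])
            if growing > 0:
                frozen = sum(bw for od, bw in alloc.items() if link in routes[od])
                factors[link] = (cap - frozen) / growing
        if not factors:
            # Leftover pairs cross no link (unbounded) or forecast zero demand.
            for od in active:
                alloc[od] = 0.0 if routes[od] else INF
            break
        scale = min(factors.values())
        tight = {link for link, f in factors.items() if f - scale <= eps}
        for od in [od for od in active if tight & set(routes[od])]:
            alloc[od] = forecast[od] * scale
            active.discard(od)
    return alloc

def link_load(alloc, routes, link):
    """Total bandwidth allocated across one link."""
    return sum(bw for od, bw in alloc.items() if link in routes[od])

# Forecast matrix from the slide (first letter = row, second = column). The
# A-B-C line topology and these routes are assumptions; intra-node traffic
# crosses no link.
FORECAST = {"AA": 1.0, "AB": 1.5, "AC": 1.0,
            "BA": 0.5, "BB": 2.0, "BC": 0.5,
            "CA": 1.5, "CB": 1.0, "CC": 1.0}
ROUTES = {"AA": [], "AB": ["AB"], "AC": ["AB", "BC"],
          "BA": ["BA"], "BB": [], "BC": ["BC"],
          "CA": ["CB", "BA"], "CB": ["CB"], "CC": []}
CAPACITY = {"AB": 10.0, "BC": 10.0, "CB": 10.0, "BA": 10.0}

if __name__ == "__main__":
    for od, bw in sorted(water_fill(FORECAST, ROUTES, CAPACITY).items()):
        print(od, bw)
```

The result reproduces the slide's Bandwidth Allocation matrix, and every link ends up carrying exactly its 10G capacity.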
Networks
• Abilene
  → US public academic network
  → 11 nodes, 14 links (10Gb/s)
  → Traffic data: 10/01/06-12/06/06
• US Backbone
  → US private ISP tier1 backbone network
  → 700 nodes, 2000 links (1.5Mb/s – 10Gb/s)
  → Traffic data: 09/01/06-11/17/06
• Europe Backbone
  → Europe private ISP tier1 backbone network
  → 900 nodes, 3000 links (1.5Mb/s – 10Gb/s)
  → Traffic data: 11/18/06-12/18/06
DDoS Attack Data
• Abilene
  - Bottleneck links
    • Denver, Kansas City, Indianapolis → Chicago (5G each)
  [Figure: Abilene map showing Seattle, Sunnyvale, Los Angeles, Denver, Kansas City, Indianapolis, Chicago, New York, Washington, Atlanta, Houston]
• US Backbone
  - Commercial anomaly detection alarm
    • Pick the alarm with most flows, and scale their demand by 1000x
• Europe Backbone
  - Synthetic attack flow generator
    • Randomly generate attack flows among 0.1% OD pairs.
Packet Drop Rate Comparison
[Figures: packet drop rate comparison for Abilene, US and Europe]
Behavior Under Scaled Attacks
• Packet drop rate under attack demand scaled by
factor 0 to 3x
[Figures: one plot each for Abilene, US and Europe]
• PSP provides greater improvement as attack
scale increases
Summary of Contributions
• Proposed proactive solution provides network
operators with first line of defense when sudden
DDoS attacks occur
• Solution not dependent on unauthenticated header
information, thus robust to IP and TCP spoofing
• Minimize collateral damage by providing bandwidth
isolation between traffic
• Solution readily deployable using existing router
mechanisms
• Simulation results show up to 95.5% of network
could suffer collateral damage
• Solution reduced collateral damage by 60.5-97.8%
Questions?