Transcript Lecture 5
Defending Against DDoS Attacks Using
Max-min Fair Server Centric Router
Throttles
David K.Y. Yau
CS Dept, Purdue University
Operating System Concepts
1.1
John C.S. Lu
CS&E Dept,CUHK
Motivations
Internet is an open and democratic environment
increasingly used for mission-critical work and
commercial applications.
Many security threats are present or appearing
Easy to launch, even for naïve users.
need effective and flexible defenses to
detect/trace/counter attacks
Goals:
protect innocent users;
prosecute criminals
Operating System Concepts
1.2
Ambitious goals
Network Denial-of-service Attacks
Some attacks quite subtle
securing protocols and intrusion detection
(e.g., BGP, TCP-syn attack)
at routing infrastructure, malicious dropping
of packets, etc (low-rate TCP)
Others by brute force:
- flooding (e.g., UDP, valid Web Request)
Cripples victim:
- precludes any sophisticated defense at
victim site
Philosophical question: what is an “attacker”?
Viewed as resource management problem
Operating System Concepts
1.3
Flooding Attack
Server
Operating System Concepts
1.4
Server-centric Router Throttle
Installed by server when under stress,
at a set deployment routers
can be sent by multicast
Specifies leaky bucket rate at which
router can forward traffic to the server
aggressive traffic for server dropped before
reaching server
rate determined by a feedbak control
algorithm
Issues: (1) Which set of routers?
(2) What is the “proper” dropping rate?
Operating System Concepts
1.5
Router Throttle
Securely
installed by S
Aggressive flow
Throttle
for S
To S
Throttle
for S’
To S’
Deployment router
C: Each victim has a leaky bucket for rate limit.
Small memory and computationoverhead!
Operating System Concepts
1.6
Key Design Problems
Resource allocation: who is entitled to
what?
need to keep server operating within load limits
notion of fairness, and how to achieve it?
Need global, rather than router-local,
fairness
How to respond to network and user
dynamics (e.g., fluctuation of traffic)?
Feedback control strategy is needed
Operating System Concepts
1.7
What is being fair?
Baseline approach of dropping a fraction
“f”, say ½, of traffic for each flow
won’t work well
a flow can cause more damage to other flows simply
by being more aggressive!
Rather, no flow should get a higher rate
than another flow that has unmet
demands
this way, we penalize “aggressive” flows only, but
protect the well-behaving ones
Operating System Concepts
1.8
Level-k Deployment Points
Deployment points parameterized by an
integer k
R(k) -- set of routers that are either k
hops away from server S, or less than k
hops away from S but are directly
connected to a host
Fairness across global routing points R(k)
Operating System Concepts
1.10
Level-3 Deployment
Server
Operating System Concepts
1.11
Feedback Control Strategy
Hysteresis control
high and low water marks for server load, to
strengthen or relax router throttle
Additive increase/multiplicative decrease
rate adjustment
increases when server load exceeds US, and
decreases when server load falls below LS
throttle removed when a relaxed rate does
not result in significant server load increase
Operating System Concepts
1.12
Fairness Definition
A resource control algorithm
achieves level-k max-min fairness
among the routers R(k) if the
allowed forwarding rate of traffic
for S at each router is the router’s
max-min fair share of some rate r
satisfying LS r US
Operating System Concepts
1.13
Fair Throttle Algorithm
Operating System Concepts
1.14
Example Max-min Rates (L=18, H=22)
18.23
6.65
24.88
6.25
0.22
0.22
14.1
15.51
59.9
0.01
6.25
17.73
Server
6.25
0.61
20.53
1.40
17.73
0.95
0.95
Operating System Concepts
1.15
0.61
Interesting Questions
Can we preferentially drop attacker
traffic over good user traffic?
Can we successfully keep server
operating within design limits, so that
good user traffic that makes it gets
acceptable service?
How stable is such a control algorithm?
How does it converge?
Operating System Concepts
1.16
Algorithm Evaluation
Control-theoretic analysis (fluid analysis)
algorithm stability and convergence under
different system parameters
Packet network simulations (packet level
analysis)
Test under UDP and TCP traffic. Also test
with Web traces
System implementation (the real thing,
baby !!!)
deployment costs
Operating System Concepts
1.17
Control-theoretic Model
Throttle signal from victim
Step size
Adjusted traffic from source i
When throttle signal is high, server is underloaded.
When throttle signal is low, server is overloaded.
ANALOGY!!!
Operating System Concepts
1.18
Feedback Control Model (Us=1750;Ls=1650)
Constant
Source of 20
Constant
Source of 30
Constant
Source of 25
Constant
Source of 4000
Constant
Source of 2800
Operating System Concepts
1.19
Output for good traffic (total from source 1)
Operating System Concepts
1.20
Output for attack traffic (total from source 5)
Operating System Concepts
1.21
Output for attack traffic (total from source 6)
Operating System Concepts
1.22
Total traffic to server (Us=1750;Ls=1650)
Operating System Concepts
1.23
Case 2: variable attack traffic
(Us=1750,Ls=1650)
Square Pulse
Operating System Concepts
1.24
Output of attack traffic 1
Operating System Concepts
1.25
Output of attack traffic 2
Operating System Concepts
1.26
Total traffic to server (Us=1750;Ls=1650)
Operating System Concepts
1.27
Feedback Control Model
(sources and server)
Operating System Concepts
1.28
Feedback Control Model
(server throttle signal)
Operating System Concepts
1.29
Feedback Control Model
(sources process throttle)
Operating System Concepts
1.30
Throttle Rate (L=900; U=1100)
Operating System Concepts
1.31
Server Load (L = 900; U = 1100)
Operating System Concepts
1.32
Throttle Rate (U = 1100)
Operating System Concepts
1.33
Server Load (U = 1100)
Operating System Concepts
1.34
Throttle Rate (L=1050;U=1100)
Operating System Concepts
1.35
Server Load (L=1050; U=1100)
Operating System Concepts
1.36
NS2: UDP Simulation Experiments
Global network topology reconstructed
from real traceroute data
AT&T Internet mapping project: 709,310 traceroute paths,
single source to 103,402 other destinations
randomly select 5,000 paths, with 135,821 nodes of which
3879 are hosts
Randomly select x% of hosts to be
attackers
good users send at rate [0,r], attackers at rate [0,R]
Operating System Concepts
1.37
20% Evenly Distributed Aggressive (10:1)
Attackers
Operating System Concepts
1.38
40% Evenly Distributed Aggressive (5:1)
Attackers
Operating System Concepts
1.39
Evenly
Operating System Concepts
Distributed “meek” Attackers
1.40
Deployment Extent
Operating System Concepts
1.41
NS2: TCP Simulation Experiment
Clients access web server via HTTP 1.0 over
TCP Reno
Simulated network subset of AT&T traceroute
topology
85 hosts, 20% attackers
Web clients make request probabilistically with
empirical document size and inter-request time
distributions
Operating System Concepts
1.42
Web Server Protection
Operating System Concepts
1.43
Web Server Traffic Control
Operating System Concepts
1.44
System Implementation
On Linux router
loadable kernel module
CPU resource reservation
Deployment platform
Pentium 4/2G Hz PC
multiple 10/100 Mb/s Ethernet
interfaces
Operating System Concepts
1.45
System Implementation: cont
OPERA: An Open-Source Extensible Router
Architecture
http://www.cse.cuhk.edu.hk/~cslui/ANSRlab/software/opera/
A Linux-based package for implementing a software
programmable router architecture with the aim to
facilitate networking experiments for the research
community. Using this architecture, one can dynamically
load new extension and services into the programmable
router. Some interesting extensions include QoS support
and traceback of DDoS attacks.)
Dynamic module loading
Resource reservation
General extension framework
Secured Communication
Operating System Concepts
1.46
Future Work
Offered load-aware control algorithm for
computing throttle rate
impact on convergence and stability
Policy-based notion of fairness
heterogeneous network regions, by size,
susceptibility to attacks, tariff payment
Selective deployment issues
Impact on real user applications
Defense for other forms of DDoS like the
reflector attack, BGP cascading
failure..etc.
Operating System Concepts
1.48
Conclusions
Extensible routers can help improve network
health
Presented a server-centric router throttle
mechanism for DDoS flooding attacks
can better protect good user traffic from aggressive
attacker traffic
can keep server operational under an ongoing attack
has efficient implementation
Operating System Concepts
1.49