Lecture 5

Download Report

Transcript Lecture 5 

Defending Against DDoS Attacks Using
Max-min Fair Server Centric Router
Throttles
David K.Y. Yau
CS Dept, Purdue University
Operating System Concepts
1.1
John C.S. Lu
CS&E Dept,CUHK
Motivations
 Internet is an open and democratic environment
 increasingly used for mission-critical work and
commercial applications.
 Many security threats are present or appearing
 Easy to launch, even for naïve users.
 need effective and flexible defenses to
detect/trace/counter attacks
 Goals:
protect innocent users;
 prosecute criminals
Operating System Concepts
1.2
Ambitious goals
Network Denial-of-service Attacks
 Some attacks quite subtle
 securing protocols and intrusion detection
(e.g., BGP, TCP-syn attack)
 at routing infrastructure, malicious dropping
of packets, etc (low-rate TCP)
 Others by brute force:
- flooding (e.g., UDP, valid Web Request)
 Cripples victim:
- precludes any sophisticated defense at
victim site
 Philosophical question: what is an “attacker”?
 Viewed as resource management problem
Operating System Concepts
1.3
Flooding Attack
Server
Operating System Concepts
1.4
Server-centric Router Throttle
 Installed by server when under stress,
at a set deployment routers
 can be sent by multicast
 Specifies leaky bucket rate at which
router can forward traffic to the server
 aggressive traffic for server dropped before
reaching server
 rate determined by a feedbak control
algorithm
Issues: (1) Which set of routers?
(2) What is the “proper” dropping rate?
Operating System Concepts
1.5
Router Throttle
Securely
installed by S
Aggressive flow
Throttle
for S
To S
Throttle
for S’
To S’
Deployment router
C: Each victim has a leaky bucket for rate limit.
Small memory and computationoverhead!
Operating System Concepts
1.6
Key Design Problems
 Resource allocation: who is entitled to
what?
 need to keep server operating within load limits
 notion of fairness, and how to achieve it?
Need global, rather than router-local,
fairness
 How to respond to network and user
dynamics (e.g., fluctuation of traffic)?
 Feedback control strategy is needed
Operating System Concepts
1.7
What is being fair?
 Baseline approach of dropping a fraction
“f”, say ½, of traffic for each flow
won’t work well
 a flow can cause more damage to other flows simply
by being more aggressive!
 Rather, no flow should get a higher rate
than another flow that has unmet
demands
 this way, we penalize “aggressive” flows only, but
protect the well-behaving ones
Operating System Concepts
1.8
Level-k Deployment Points
 Deployment points parameterized by an
integer k
 R(k) -- set of routers that are either k
hops away from server S, or less than k
hops away from S but are directly
connected to a host
 Fairness across global routing points R(k)
Operating System Concepts
1.10
Level-3 Deployment
Server
Operating System Concepts
1.11
Feedback Control Strategy
 Hysteresis control
 high and low water marks for server load, to
strengthen or relax router throttle
 Additive increase/multiplicative decrease
rate adjustment
 increases when server load exceeds US, and
decreases when server load falls below LS
 throttle removed when a relaxed rate does
not result in significant server load increase
Operating System Concepts
1.12
Fairness Definition
 A resource control algorithm
achieves level-k max-min fairness
among the routers R(k) if the
allowed forwarding rate of traffic
for S at each router is the router’s
max-min fair share of some rate r
satisfying LS  r  US
Operating System Concepts
1.13
Fair Throttle Algorithm
Operating System Concepts
1.14
Example Max-min Rates (L=18, H=22)
18.23
6.65
24.88
6.25
0.22
0.22
14.1
15.51
59.9
0.01
6.25
17.73
Server
6.25
0.61
20.53
1.40
17.73
0.95
0.95
Operating System Concepts
1.15
0.61
Interesting Questions
 Can we preferentially drop attacker
traffic over good user traffic?
 Can we successfully keep server
operating within design limits, so that
good user traffic that makes it gets
acceptable service?
 How stable is such a control algorithm?
How does it converge?
Operating System Concepts
1.16
Algorithm Evaluation
 Control-theoretic analysis (fluid analysis)
 algorithm stability and convergence under
different system parameters
 Packet network simulations (packet level
analysis)
 Test under UDP and TCP traffic. Also test
with Web traces
 System implementation (the real thing,
baby !!!)
 deployment costs
Operating System Concepts
1.17
Control-theoretic Model
Throttle signal from victim
Step size
Adjusted traffic from source i
When throttle signal is high, server is underloaded.
When throttle signal is low, server is overloaded.
ANALOGY!!!
Operating System Concepts
1.18
Feedback Control Model (Us=1750;Ls=1650)
Constant
Source of 20
Constant
Source of 30
Constant
Source of 25
Constant
Source of 4000
Constant
Source of 2800
Operating System Concepts
1.19
Output for good traffic (total from source 1)
Operating System Concepts
1.20
Output for attack traffic (total from source 5)
Operating System Concepts
1.21
Output for attack traffic (total from source 6)
Operating System Concepts
1.22
Total traffic to server (Us=1750;Ls=1650)
Operating System Concepts
1.23
Case 2: variable attack traffic
(Us=1750,Ls=1650)
Square Pulse
Operating System Concepts
1.24
Output of attack traffic 1
Operating System Concepts
1.25
Output of attack traffic 2
Operating System Concepts
1.26
Total traffic to server (Us=1750;Ls=1650)
Operating System Concepts
1.27
Feedback Control Model
(sources and server)
Operating System Concepts
1.28
Feedback Control Model
(server throttle signal)
Operating System Concepts
1.29
Feedback Control Model
(sources process throttle)
Operating System Concepts
1.30
Throttle Rate (L=900; U=1100)
Operating System Concepts
1.31
Server Load (L = 900; U = 1100)
Operating System Concepts
1.32
Throttle Rate (U = 1100)
Operating System Concepts
1.33
Server Load (U = 1100)
Operating System Concepts
1.34
Throttle Rate (L=1050;U=1100)
Operating System Concepts
1.35
Server Load (L=1050; U=1100)
Operating System Concepts
1.36
NS2: UDP Simulation Experiments
 Global network topology reconstructed
from real traceroute data
 AT&T Internet mapping project: 709,310 traceroute paths,
single source to 103,402 other destinations
 randomly select 5,000 paths, with 135,821 nodes of which
3879 are hosts
 Randomly select x% of hosts to be
attackers
 good users send at rate [0,r], attackers at rate [0,R]
Operating System Concepts
1.37
20% Evenly Distributed Aggressive (10:1)
Attackers
Operating System Concepts
1.38
40% Evenly Distributed Aggressive (5:1)
Attackers
Operating System Concepts
1.39
Evenly
Operating System Concepts
Distributed “meek” Attackers
1.40
Deployment Extent
Operating System Concepts
1.41
NS2: TCP Simulation Experiment
 Clients access web server via HTTP 1.0 over
TCP Reno
 Simulated network subset of AT&T traceroute
topology
 85 hosts, 20% attackers
 Web clients make request probabilistically with
empirical document size and inter-request time
distributions
Operating System Concepts
1.42
Web Server Protection
Operating System Concepts
1.43
Web Server Traffic Control
Operating System Concepts
1.44
System Implementation
 On Linux router
loadable kernel module
CPU resource reservation
 Deployment platform
Pentium 4/2G Hz PC
multiple 10/100 Mb/s Ethernet
interfaces
Operating System Concepts
1.45
System Implementation: cont
 OPERA: An Open-Source Extensible Router
Architecture
http://www.cse.cuhk.edu.hk/~cslui/ANSRlab/software/opera/
 A Linux-based package for implementing a software
programmable router architecture with the aim to
facilitate networking experiments for the research
community. Using this architecture, one can dynamically
load new extension and services into the programmable
router. Some interesting extensions include QoS support
and traceback of DDoS attacks.)
 Dynamic module loading
 Resource reservation
 General extension framework
 Secured Communication
Operating System Concepts
1.46
Future Work
 Offered load-aware control algorithm for
computing throttle rate
 impact on convergence and stability
 Policy-based notion of fairness
 heterogeneous network regions, by size,
susceptibility to attacks, tariff payment
 Selective deployment issues
 Impact on real user applications
 Defense for other forms of DDoS like the
reflector attack, BGP cascading
failure..etc.
Operating System Concepts
1.48
Conclusions
 Extensible routers can help improve network
health
 Presented a server-centric router throttle
mechanism for DDoS flooding attacks
 can better protect good user traffic from aggressive
attacker traffic
 can keep server operational under an ongoing attack
 has efficient implementation
Operating System Concepts
1.49