Minimizing Collateral Damage by Proactive Surge Protection

Transcription

1 Minimizing Collateral Damage by Proactive Surge Protection Jerry Chou, Bill Lin University of California, San Diego Subhabrata Sen, Oliver Spatscheck AT&T Labs-Research ACM SIGCOMM LSAD Workshop, Kyoto, Japan, August 27, 2007

2 Problem Large-scale bandwidth-based DDoS attacks can quickly knock out substantial parts of the network before reactive defenses can respond All traffic that share common route links will suffer collateral damage even if OD pair is not under direct attack ACM SIGCOMM LSAD Workshop, Kyoto, Japan, August 27, 2007 Slide 2

3 Problem Potential for large-scale bandwidth-based DDoS attacks exist e.g. large botnets with more than 100,000 bots exist today that, when combined with the prevalence of high-speed Internet access, can give attackers multiple tens of Gb/s of attack capacity Moreover, core networks are oversubscribed (e.g. some core routers in Abilene have more than 30 Gb/s incoming traffic from access networks, but only 20 Gb/s of outgoing capacity to the core ACM SIGCOMM LSAD Workshop, Kyoto, Japan, August 27, 2007 Slide 3

4 Problem Router-based defenses like Random Early Drop (RED, RED-PD, etc) can prevent congestion by dropping packets early before congestion But may drop normal traffic indiscriminately, causing responsive TCP flows to severely degrade Approximate fair dropping schemes aim to provide fair sharing between flows But attackers can launch many seemingly legitimate TCP connections with spoofed IP addresses and port numbers Both aggregate-based and flow-based router defense mechanisms can be defeated ACM SIGCOMM LSAD Workshop, Kyoto, Japan, August 27, 2007 Slide 4

5 Problem Router-based defenses like Random Early Drop (RED, RED-PD, etc) can prevent congestion by dropping packets early before congestion But may drop normal traffic indiscriminately, causing responsive TCP flows to severely degrade In general, defenses based on unauthenticated header information Approximate such fair dropping schemes aim to provide fair as sharing IP addresses between and flows port numbers may not be reliable But attackers can launch many seemingly legitimate TCP connections with spoofed IP addresses and port numbers Both aggregate-based and flow-based router defense mechanisms can be defeated ACM SIGCOMM LSAD Workshop, Kyoto, Japan, August 27, 2007 Slide 5

6 Example Scenario Seattle/NY: 3 Gb/s Seattle New York Sunnyvale Kansas City Indianapolis Sunnyvale/NY: 3 Gb/s Houston Atlanta Suppose under normal condition Traffic between Seattle/NY + Sunnyvale/NY under 10 Gb/s ACM SIGCOMM LSAD Workshop, Kyoto, Japan, August 27, 2007 Slide 6

7 Example Scenario Seattle/NY: 3 Gb/s Seattle New York Sunnyvale Kansas City Indianapolis Sunnyvale/NY: 3 Gb/s Houston Atlanta Houston/Atlanta: Attack 10 Gb/s Suppose sudden attack between Houston/Atlanta Congested links suffer high rate of packet loss Serious collateral damage on crossfire OD pairs ACM SIGCOMM LSAD Workshop, Kyoto, Japan, August 27, 2007 Slide 7

8 Impact on Collateral Damage OD pairs are classified into 3 types with respect to the attack traffic Even a small percentage of attack flows can affect substantial parts of the network ACM SIGCOMM LSAD Workshop, Kyoto, Japan, August 27, 2007 Slide 8

9 Our Solution Provide bandwidth isolation between OD pairs, independent of IP spoofing or number of TCP/UDP connections We call this method Proactive Surge Protection (PSP) as it aims to proactively limit the damage that can be caused by sudden demand surges, e.g. sudden bandwidth-based DDoS attacks ACM SIGCOMM LSAD Workshop, Kyoto, Japan, August 27, 2007 Slide 9

10 Basic Idea: Bandwidth Isolation Seattle/NY: Limit: 3.5 Gb/s Actual: 3 Gb/s All admitted as High Traffic received in NY: Seattle: 3 Gb/s Sunnyvale: 3 Gb/s Seattle New York Sunnyvale Kansas City Indianapolis Sunnyvale/NY: Limit: 3.5 Gb/s Actual: 3 Gb/s All admitted as High Houston Atlanta Houston/Atlanta: Limit: 3 Gb/s Actual: 10 Gb/s High: 3 Gb/s Low: 7 Gb/s Reserve bandwidth for expected OD pair demand Meter and tag packets on ingress as HIGH or LOW Drop LOW packets under congestion inside network ACM SIGCOMM LSAD Workshop, Kyoto, Japan, August 27, 2007 Slide 10

11 Basic Idea: Bandwidth Isolation Seattle/NY: Limit: 3.5 Gb/s Actual: 3 Gb/s All admitted as High Traffic received in NY: Seattle: 3 Gb/s Sunnyvale: 3 Gb/s Unlike conventional admission control, Seattle New York Unlike conventional admission control, Kansas packets are permitted into City the network even when Sunnyvale reserved bandwidth has Indianapolis been exceeded when reserved bandwidth has been exceeded Sunnyvale/NY: Limit: 3.5 Gb/s Actual: 3 Gb/s All admitted as High Houston Atlanta Houston/Atlanta: Limit: 3 Gb/s Actual: 10 Gb/s modern routers High: 3 Gb/s Low: 7 Gb/s Proposed mechanism readily available in Reserve bandwidth for expected OD pair demand Meter and tag packets on ingress as HIGH or LOW Drop LOW packets under congestion inside network ACM SIGCOMM LSAD Workshop, Kyoto, Japan, August 27, 2007 Slide 11

12 Architecture Forecaster Forecaster Forecast Matrix Bandwidth Bandwidth Allocator Allocator forwarded packets Bandwidth Allocation Matrix Deployed at Network Routers Preferential Preferential Dropping Dropping tagged packets Differential Differential Tagging Tagging Policy Plane Data Plane arriving packets dropped packets Deployed at Network Perimeter High priority Low priority ACM SIGCOMM LSAD Workshop, Kyoto, Japan, August 27, 2007 Slide 12

13 Forecasting and Allocation We use historical network measurements as a forecast of expected normal traffic e.g. average weekday traffic demand at 3pm EDT over past 2 months More sophisticated forecasting methods (e.g. Bayesian schemes) possible, but already good results with simple forecasting To account for forecasting inaccuracies and to provide headroom for traffic burstiness, proportionally scale forecast matrix to fully allocate available network capacity ACM SIGCOMM LSAD Workshop, Kyoto, Japan, August 27, 2007 Slide 13

14 Proportional Scaling Iteratively scale bandwidth allocation in water-filling manner A B C A B C BW Forecast Matrix AB A B C st round BC CB Links 1 1 BA Bandwidth Allocation A B C BW AB A B C nd round BC CB Links 4 BA ACM SIGCOMM LSAD Workshop, Kyoto, Japan, August 27, 2007 Slide 14

15 Networks Abilene US public academic network 11 nodes, 14 links (b/s) Traffic data: 10/01/06-12/06/06 US Backbone US Private ISP tier1 backbone network 700 nodes, 2000 links (1.5Mb/s b/s) Traffic data: 09/01/06-11/17/06 Europe Backbone Europe private ISP tier1 backbone network 900 nodes, 3000 links (1.5Mb/s b/s) Traffic data: 11/18/06-12/18/06 ACM SIGCOMM LSAD Workshop, Kyoto, Japan, August 27, 2007 Slide 15

16 DDoS Attack Data Abilene Bottleneck links Denver, Kansas City, Indianapolis Chicago (5G each) US Backbone Commercial anomaly detection alarm Pick the alarm with most flows, and scale their demand by 1000x Europe Backbone Seattle Synthetic attack flow generator Chicago New York Sunnyvale Denver Los Angeles Indianapolis Kansas City Washington Houston Atlanta Randomly generate attack flows among 0.1% OD pairs. ACM SIGCOMM LSAD Workshop, Kyoto, Japan, August 27, 2007 Slide 16

17 Packet Drop Rate Comparison Abilene ACM SIGCOMM LSAD Workshop, Kyoto, Japan, August 27, 2007 Slide 17

18 Packet Drop Rate Comparison US ACM SIGCOMM LSAD Workshop, Kyoto, Japan, August 27, 2007 Slide 18

19 Packet Drop Rate Comparison Europe ACM SIGCOMM LSAD Workshop, Kyoto, Japan, August 27, 2007 Slide 19

20 Behavior Under Scaled Attacks Packet drop rate under attack demand scaled by factor 0 to 3x Abilene PSP provides greater improvement as attack scale increases ACM SIGCOMM LSAD Workshop, Kyoto, Japan, August 27, 2007 Slide 20

21 Behavior Under Scaled Attacks Packet drop rate under attack demand scaled by factor 0 to 3x US PSP provides greater improvement as attack scale increases ACM SIGCOMM LSAD Workshop, Kyoto, Japan, August 27, 2007 Slide 21

22 Behavior Under Scaled Attacks Packet drop rate under attack demand scaled by factor 0 to 3x Europe PSP provides greater improvement as attack scale increases ACM SIGCOMM LSAD Workshop, Kyoto, Japan, August 27, 2007 Slide 22

23 Summary of Contributions Proposed proactive solution provides network operators with first line of defense when sudden DDoS attacks occur Solution not dependent on unauthenticated header information, thus robust to IP and TCP sproofing Minimize collateral damage by providing bandwidth isolation between traffic Solution readily deployable using existing router mechanism Simulation results show up to 95.5% of network could suffer collateral damage Solution reduced collateral damage by % ACM SIGCOMM LSAD Workshop, Kyoto, Japan, August 27, 2007 Slide 23

24 Questions? ACM SIGCOMM LSAD Workshop, Kyoto, Japan, August 27, 2007