A Blockchain-based Architecture for Collaborative DDoS Mitigation with Smart Contracts

Transcription

1 A Blockchain-based Architecture for Collaborative DDoS Mitigation with Smart Contracts Bruno Rodrigues 1, Thomas Bocek 1, David Hausheer 2, Andri Lareida 1, Sina Rafati 1, Burkhard Stiller 1 1 Communication Systems Group (CSG) Department of Informatics (IfI) University of Zurich (UZH) 2 P2P System Engineering Lab Department of Electrical Engineering and Information Technology TU Darmstadt

2 DDoS Recent s

3 s are getting bigger DDoS s (1) Akamai Q3/2016 Akamai reports a 138% yearly increase in total DDoS attacks larger than 100 Gbps; 71% in total DDoS attacks. IoT News Nov Bleeping Computer (Leet bootnet) Dec

4 DDoS s (2) s are becoming more sophisticated and more frequent Akamai Q3/2016 In a DNS amplification attack, an attacker can send 1 Gbps of initial traffic, and 100 Gbps is delivered to the target Incapsula Identifying layer 7 attacks requires an understanding of the underlying application. It also requires proper differentiation between malicious bot traffic, regular bot traffic (such as search engine bots), and human traffic Imperva 2016

5 DDoS Mitigation Traditional scenario of DDoS mitigation Defense in a single domain AS3 detect the attack but gets overloaded er AS1 AS2 AS3 Victim DDoS Defense mechanism AS1 and AS2 do not detect the attack er er s are getting bigger and more sophisticated Opportunity for collaborative-defense mechanisms

6 Collaborative DDoS Defense Gossip-based protocol AS1 AS2 AS3 Send/receive info Defense capabilities Benefits: Allows to combine defense capabilities of different ASes Reduce the burden of detection/mitigation in a single domain Allows to block malicious traffic near its source Can reduce response time

7 Collaborative DDoS Defense IETF (draft) DOTS (DDoS Open Threat Signaling): standardization of an architecture and protocol covering both intra-organization and inter-organization communications for advertising DDoS attacks. IETF 2016 Steinberger et al., proposes an advertising protocol based on FLEX (Flow-based Event exchange) to simplify the protocol integration and deployment into existing equipment. NOMS 2016 Sahay et al., SDN-based collaborative framework which allows the customers to request DDoS mitigation from ASes. Requires an SDN controller at customer side interfaced with the AS. NDSS (Network and Distributed System Security) 2015 CoFence, cooperation between domains that implements VNFs to alleviate DDoS attacks by redirecting and reshaping excessive traffic to other collaborating domains for filtering. CNSM

8 Collaborative DDoS Defense IETF DOTS: Architecture for inter-organization DDoS protection Complex architecture and deployment Main asset: standardization power Ongoing IETF DOTS drafts 1 - DOTS requirements 2 - DOTS proposal 3 - DOTS architecture

9 Blockchain and Smart Contracts Decentralized and immutable ledger; no central repository or single administrator. Full decentralization, enabling trust among non-trusted peers. Holds and reports numbers of every transaction ensuring transparency. Available to everybody, so transactions are public. Smart contracts are a piece of software made to facilitate the negotiation or performance a contract, being able to be executed, verified or enforced on its own. Self-executing and immutable code stored on the blockchain

10 Blockchain and Smart Contracts Block Block Block Header Header Header Hash previous block header Hash previous block header Hash previous block header 5. Broadcast data 4. solve PoW Miners 2. collect transactions Proof of Work (PoW) Miners Pool of Transactions 3. execute smart contract Miners Transactions Transactions Transactions Transactions 1. submit transactions Blockchain Users

11 Blockchain and Smart Contracts Applied To Collaborative DDoS Mitigation Blockchain users: Autonomous Systems (ASes or customers) Transaction: composed by a list of addresses either to be explicitly allowed (whitelist) or blocked (blacklist) d immutable code stored on the blockchain Smart contracts: comprises the logic to report IP addresses in the blockchain and proof the authenticity of the entity is reporting the IP list. For the customer the certificate can be created with an automated challengeresponse system. Transaction ASes Customers Report Header List of addresses Collect Miner Smart Contract Broadcast Blockchain Retrieve

12 Blockchain-based Collaborative Defense Block Block Block Block Block Block Block Block AS1 AS2 AS3 Send/receive attack info Customer Advantages: Public and already available technology Appliances to read/write in the blockchain are easy to integrate to existing solutions Can be used as an additional security mechanism without modifying existing ones Independent of security policies and mechanisms Customer can also report attacks

13 Blockchain-based Collaborative Defense Ethereum blockchain A new block is mined at every 14 seconds in Ethereum Either ASes and verified customers can report/retrieve IP addresses to the blockchain Ether black and whitelisted IP addresses are supported The gossip-logic is implemented in Smart Contracts

14 Blockchain-based Collaborative Defense Either the AS or customers can create contracts; customers need to be certified in order to report addresses. Smart contracts are linked using a registry-type entry so whenever a new list is reported, other contracts are updated. Smart contract data can use an URL to point to a list of addresses

15 Smart Contract code: Collaborative approach with a few lines of code

16 Summary and Future Work Summary Blockchains reduce the complexity of collaborative DDoS mitigation approaches by replacing existing gossip-based architectures/protocols by an already available infrastructure. Solution presents low development complexity (less than 100 lines of code). Easy to integrate, it can be deployed as an additional security mechanism. Existing security mechanisms and policies do not need to be modified in ASes. Future work Investigate detection and enforcement details based on the combination of SDN and NFV technologies. SDN enables the enforcement of customizable security policies and services. NFV-enabled blockchain appliance able to report and retrieve IP addresses and request traffic changes to an SDN controller

17 Discussion Reasonable approach? Could this be deployed at an ISP? Fed4Fire?

18 References K. Nishizuka, L. Xia, J. Xia, D. Zhang, L. Fang, and C. Gray Inter-organization cooperative DDoS protection mechanism. Draft. IETF Draft. Steinberger, J., Kuhnert, B., Sperotto, A., Baier, H., Pras, A. (2016, April). Collaborative DDoS defense using flow-based security event information. In Network Operations and Management Symposium (NOMS), 2016 IEEE/IFIP (pp ). Bahman Rashidi and Carol Fung CoFence: A Collaborative DDoS Defence Using Network Function Virtualization. In 12th International Conference on Network and Service Management (CNSM), IEEE. Sahay, R., Blanc, G., Zhang, Z., & Debar, H. (2015). Towards Autonomic DDoS Mitigation using Software Defined Networking. NDSS Workshop on Security of Emerging Networking Technologies, Feb 2015, San Diego, Ca, United States