To Filter or to Authorize: Network-Layer DoS Defense against Multimillion-node Botnets. Xiaowei Yang Duke Unversity

Similar documents
CPS Computer Security Lecture 11: IP Traceback and Source Address Authentication. Xiaowei Yang

TVA: A DoS-limiting Network Architecture L

NetFence: Preventing Internet Denial of Service from Inside Out

Various Anti IP Spoofing Techniques

Inter-domain routing validator based spoofing defence system

Your projected and optimistically projected grades should be in the grade center soon o Projected: Your current weighted score /30 * 100

dfence: Transparent Network- based Denial of Service Mitigation

SENSS Against Volumetric DDoS Attacks

Interdomain Routing Design for MobilityFirst

Rule-Based Forwarding

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

APT: A Practical Transit-Mapping Service Overview and Comparisons

Leveraging SDN for Collaborative DDoS Mitigation

arxiv: v2 [cs.ni] 30 Aug 2012

BGP. Daniel Zappala. CS 460 Computer Networking Brigham Young University

Initial motivation: 32-bit address space soon to be completely allocated. Additional motivation:

/15/$ IEEE

Analysis of Attacks and Defense Mechanisms for QoS Signaling Protocols in MANETs

Inter-Domain Routing: BGP

Software Systems for Surveying Spoofing Susceptibility

Illegitimate Source IP Addresses At Internet Exchange Points

Slide 1. Slide 2. Slide 3. Technological Advantages of Mobile IPv6. Outline of Presentation. Earth with 2 Billion Mobile devices

SENSS: Software-defined Security Service

Preventing IP Source Address Spoofing: A Two-Level, State Machine-Based Method *

Techological Advantages of Mobile IPv6

this security is provided by the administrative authority (AA) of a network, on behalf of itself, its customers, and its legal authorities

Securing BGP. Geoff Huston November 2007

CoDef: Collaborative Defense against Large-Scale Link-Flooding Attacks

Routing Security Security Solutions

Lecture 6: Overlay Networks. CS 598: Advanced Internetworking Matthew Caesar February 15, 2011

CSCE 715: Network Systems Security

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

CNT Computer and Network Security: BGP Security

A Survey of BGP Security Review

Routing Support for Wide Area Network Mobility. Z. Morley Mao Associate Professor Computer Science and Engineering University of Michigan

Wireless Network Security Spring 2015

CS 43: Computer Networks Internet Routing. Kevin Webb Swarthmore College November 16, 2017

SDN-based Network Obfuscation. Roland Meier PhD Student ETH Zürich

Combining Speak-up with DefCOM for Improved DDoS Defense

Routing Basics. ISP Workshops. Last updated 10 th December 2015

Routing in the Internet

Denial of Service prevention in the IoT

CompSci 356: Computer Network Architectures. Lecture 13: Dynamic routing protocols: Link State Chapter 3.3.3, Xiaowei Yang

Honeypot back-propagation for mitigating spoofing distributed Denial-of-Service attacks

NETLMM Security Threats on the MN-AR Interface draft-kempf-netlmm-threats-00.txt

Realizing a Source Authentic Internet

On the Effectiveness of Route-Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets

Overview. Problem: Find lowest cost path between two nodes Factors static: topology dynamic: load

The Interconnection Structure of. The Internet. EECC694 - Shaaban

Basic Idea. Routing. Example. Routing by the Network

A DoS-limiting Network Architecture

Introduction to IP Routing. Geoff Huston

J. A. Drew Hamilton, Jr., Ph.D. Director, Information Assurance Laboratory and Associate Professor Computer Science & Software Engineering

Wireless Network Security Spring 2016

Design and development of the reactive BGP peering in softwaredefined routing exchanges

Routing by the Network

Inter-AS routing. Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley

Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011

Routing Basics ISP/IXP Workshops

The Transition to BGP Security Is the Juice Worth the Squeeze?

Cloudflare Advanced DDoS Protection

Small additions by Dr. Enis Karaarslan, Purdue - Aaron Jarvis (Network Engineer)

Software Systems for Surveying Spoofing Susceptibility

Security in Mobile Ad-hoc Networks. Wormhole Attacks

Bootstrapping evolvability for inter-domain routing with D-BGP. Raja Sambasivan David Tran-Lam, Aditya Akella, Peter Steenkiste

CS 43: Computer Networks. 24: Internet Routing November 19, 2018

Link State Routing & Inter-Domain Routing

On the State of the Inter-domain and Intra-domain Routing Security

A Survey of BGP Security: Issues and Solutions

Deployable Filtering Architectures Against Large Denial-of-Service Attacks

Computer Science 461 Final Exam May 22, :30-3:30pm

Inter-networking. Problem. 3&4-Internetworking.key - September 20, LAN s are great but. We want to connect them together. ...

SECURE ROUTING PROTOCOLS IN AD HOC NETWORKS

Leveraging SDN for Collaborative DDoS Mitigation

An Incrementally Deployable Protocol for Learning the Valid Incoming Direction of IP Packets

CS BGP v4. Fall 2014

Routing Basics. Routing Concepts. IPv4. IPv4 address format. A day in a life of a router. What does a router do? IPv4 Routing

Lecture 19: Network Layer Routing in the Internet

Chapter IV: Network Layer

SDN Use-Cases. internet exchange, home networks. TELE4642: Week8. Materials from Prof. Nick Feamster is gratefully acknowledged

BTEC Level 3 Extended Diploma

Routing Basics. Campus Network Design & Operations Workshop

Routing Concepts. IPv4 Routing Forwarding Some definitions Policy options Routing Protocols

SCION: A Secure Multipath Interdomain Routing Architecture. Adrian Perrig Network Security Group, ETH Zürich

Network Policy Enforcement

REMINDER course evaluations are online

A PKI For IDR Public Key Infrastructure and Number Resource Certification

Routing Basics. ISP Workshops

IPv6: An Introduction

Introduction to Computer Networks

Top-Down Network Design

Understanding Layer 2 Encryption

Verified Secure Routing

CS244a: An Introduction to Computer Networks

Lecture 6: Securing Distributed and Networked Systems. CS 598: Network Security Matthew Caesar March 12, 2013

Reliable Broadcast Message Authentication in Wireless Sensor Networks

CSCI Computer Networks

On the State of IP Spoofing Defense

Routing Basics ISP/IXP Workshops


Transcription:

To Filter or to Authorize: Network-Layer DoS Defense against Multimillion-node Botnets Xiaowei Yang Duke Unversity

Denial of Service (DoS) flooding attacks Send packet floods to a targeted victim Exhaust shared resources Bandwidth, memory, or CPU time

Most newsworthy weakness of the Internet

Anyone can be a victim

Lucrative May 2005 Buyout is cheaper

No Consensus on How to Combat DoS Many proposals to mitigate DoS flooding attacks Mayday, AITF, Flow-Cookies, Phalanx, SOS, Pushback, dfence, Portcullis, OverDoSe, CenterTrack, Defense-by-Offense, FastPass, SIFF, TVA, Two intriguing schools of thought Filters Capabilities

Filter-based Approach 1. Anyone can send to anyone by default 2. A receiver requests the network to install filters A Filter (A,V) V

Capability-based Approach [TVA] 1. Source requests permission to send 2. Destination authorizes source for limited transfer 3. Source places capabilities on packets and sends them 4. Network filters packets based on capabilities U REQ CAP CAP Capabilities CAP V A

Goal of This Work capabilities are neither sufficient nor necessary to combat DoS. by K. Argyraki, et al. We strongly disagree: a simple and highly efficient network-based defense can prevent DoC attacks. by A. Perrig, et al. To design a DoS-resistant network architecture, should we use filters, capabilities, neither, or both?

Our Approach We believe in: rough consensus and running code. -- David Clark 1. Design an effective filter-based system Existing filter systems have several limitations Loss of control messages Filter exhaustion attacks Damage when filters fail to install 2. Compare the effectiveness of filter-based and capability-based systems under various attacks

Design Goals of StopIt Effective with little collateral damage Do not block legitimate communications Resilient to a wide range of strategic attacks E.g.: impersonation attacks, filter exhaustion attacks Fail-safe Limit the damage when filters fail to install Incentivizing deployment Early adopters should benefit immediately

Design Premises Similar to capability-based systems Simplifying assumptions End systems can distinguish attack traffic Both routers and hosts can be upgraded Securable intra-as communications Practical constraints No special hardware E.g.: no tamper-proof hardware, no line-speed per-packet public key operations Both hosts and routers may be compromised

Overview of an Ideal Filter System AS 1 AS 3 R s AS2 bottleneck Rd Block (A,V) A V Scalable: no per-flow state in the network core

Secure the Basic Design Problems Source address spoofing attacks Impersonation attacks Solutions Authenticate source addresses with Passport [NSDI 08] Authenticate filter requests with standard authentication techniques Filter exhaustion attacks Control channel DoS attacks Filters fail to install Incentives to deploy Confirm attacks before accepting filter requests; avoid filters against compliant sources; catch and punish misbehaving sources Source-based fair queuing Closed control channel

Main challenges of Passport Secure Lightweight Adoptable Ingress filtering Digital signature Passport Ingress filtering One weak link allows spoofing Spoofer shows ~20% of the Internet can spoof An early adopter can t protect its own address space Digital signature PKI, time-consuming to stamp and verify, large header overhead

Passport mechanisms Symmetric key cryptography Efficient, secure Use routing to distribute keys Bootstrap, efficient, simple AS-level (autonomous system) fate sharing Scalable, incentive compatible

AS-level fate sharing AS 1 AS 2 AS 3 Passport prevents AS-level spoofing One AS cannot spoof other ASes addresses An AS is responsible to prevent internal spoofing Ingress filters An irresponsible AS only harms its own hosts Scalable, incentive compatible

Efficient symmetric key cryptography (AS 1, AS 2 ) (AS 1, AS 3 ) (AS 1, AS 2 ) (AS 1, AS 3 ) AS 1 AS 2 AS 3 srcdst src Passport dst Passport Payload Payload MAC 1,2 MAC 1,3 MAC 1,3 Source border router stamps Message Authentication Codes (MACs) into a Passport header Obtain AS paths from BGP Other border routers verify corresponding MACs Demote or discard invalid Passports

How to obtain shared secret keys (AS 1, AS 2 ) (AS 1, AS 2 ) (AS 2, AS 3 ) (AS 1, AS 3 ) (AS 2, AS 3 ) (AS 1, AS 3 ) AS 1 AS 2 AS 3 Problems Bootstrap: chicken-and-egg Efficiency: must obtain shared keys with ~30K ASes

A Diffie-Hellman key exchange via routing 10.0.0.1/16 10.0.0.1/16 via AS 1 via d 1 AS 10.0.0.1/16 1 d 1 via AS via 1 AS d 12 AS 1 d 1 10.0.0.1/16 10.0.0.2/16 10.0.0.3/16 AS 1 AS 2 AS 3 (r 1, d 1 ) (r 2, d 2 ) (r 3, d 3 ) (AS 1, AS 2 ) (AS 1, AS 3 ) d i r i = g mod p g, p are system-wide parameters r2 r1 ( AS, AS ) = ( d1) mod p ( d ) 1 2 = r3 r1 ( AS, AS ) = ( d1) mod p ( d ) 1 3 = 2 3 mod p mod p

A Diffie-Hellman key exchange via routing 10.0.0.2/16 via AS 2 d 2 10.0.0.3/16 via AS 3 d 3 10.0.0.1/16 10.0.0.2/16 10.0.0.3/16 AS 1 AS 2 AS 3 (r 1, d 1 ) (r 2, d 2 ) (r 3, d 3 ) (AS 1, AS 2 ) (AS 1, AS 2 ) (AS 1, AS 3 ) (AS 1, AS 3 ) (AS 2, AS 3 ) (AS 2, AS 3 )

Secure key distribution via routing 10.0.0.2/16 d 2 10.0.0.2/16 d 2 10.0.0.2/16 AS 1 AS 2 Accept d received from the next hop AS Secure routing secure source authentication

Routing helps a lot Bootstrap and secure key exchange Efficient Send one announcement, establish all pair keys DoS-resistant High priority forwarding

Other design issues Incremental deployable 1. Transparent to hosts 2. Inter-operate with legacy ASes 3. Downstream legacy ASes can also benefit BGP optional and transitive attributes A shim layer Encapsulation Secure under host, monitor, and router attackers Seamless rekey Resistant to sniff-and-replay: bound to a path Handle path changes Demote at the intermediate ASes

Secure the Basic Design Problems Source address spoofing attacks Impersonation attacks Solutions Authenticate source addresses with Passport [NSDI 08] Authenticate filter requests with standard authentication techniques Filter exhaustion attacks Control channel DoS attacks Filters fail to install Incentives to deploy Confirm attacks before accepting filter requests; avoid filters against compliant sources; catch and punish misbehaving sources Source-based fair queuing Closed control channel

Closed Control Channel Filter requests StopIt Server are exchanged between known peers AS 1 AS2 bottleneck AS 3 StopIt Server addresses are published in BGP BGP Prefix Announcement 10.1.0.0/16 StopIt Server Address

Steps to Block Attack Traffic R s AS 1 AS2 bottleneck AS 3 Block (S,V) Rd V: Block S S V: Block S V ACK: Block (S,V) End-to-end requests before submitting filter requests Attack confirmation on R d to mitigate filter exhaustion attacks Use source address and IP-ASN mapping to locate source AS Request-ACK between S and R s to mitigate filter exhaustion attacks

Confirm that Attack Traffic Exists Goal: prevent attackers installing filters against non-existent traffic Confirm attack traffic with flow cache Access routers use flow cache to record recent src-dst pairs Filter requests against traffic not in the flow cache are discarded

Confirm Source is Non-compliant Goal: prevent malicious destinations installing filters against compliant sources on source access routers Mitigate filter exhaustion: secure filter swapping R d Confirmation Filter Table (A2,X,TTL,Hash kd (msg)) (A2,X,TTL) A1 (A3,Z,TTL) pkt R d X A2 Y (A1,Y,TTL)

Source-side Filter Exhaustion Attack R s Filter Table with F s Slots A,V A,X A,Y N a Attack-triggered filter requests A V Random filter replacement: P caught =(1-1/F s ) Na E.g.: if Fs=1k and Na=1k, Pcaught=36.8% Aggregate misbehaving sources filters Quota on filter requests to limit attacker capacity

Secure the Basic Design Problems Source address spoofing attacks Impersonation attacks Solutions Authenticate source addresses with Passport [NSDI 08] Authenticate filter requests with standard authentication techniques Filter exhaustion attacks Control channel DoS attacks Filters fail to install Incentives to deploy Confirm attacks before accepting filter requests; avoid filters against compliant sources; catch and punish misbehaving sources Source-based fair queuing Close the control channel

Two-level Hierarchical Fair Queuing First-level fair queuing: source AS Limit damage of attack traffic when filters fail to install Incentivize deployment Second-level fair queuing: source address Give inter-domain filter requests guaranteed bandwidth Filter Requests from StopIt Servers AS 1 Bottleneck Link AS 2

Evaluate StopIt Prototype implemented on Linux using Click Evaluated on Deterlab Block various number of attackers with destination-side filter exhaustion Source-side filter exhaustion attack Main Results Block 10M attackers in 1658 seconds With 10M filter slots and 10M daily quota on filter requests, on average an attacker can at most attack a victim 2.4 times per day

Compare Filters & Capabilities: Settings DoS Mitigation Systems Filter-based: StopIt, AITF, Pushback Capability-based: TVA, TVA+(Passport), Portcullis Topology a branch of AS-level topology from RouteViews Scale-down factor: 1/20 E.g., bottleneck bandwidth: 1Gbps(simulated) = 50Mbps(real) Metrics of effectiveness Ratio of successful file transfers Default file size: 20KB Average file transfer time Default simulated bottleneck bandwidth: 1Gbps

Compare Filters & Capabilities: Attacks Users Partial AS-level topology bottleneck Victim Non-responsive Host Attackers Colluders Destination flooding attacks One-way link flooding attacks Two-way link flooding attacks

Destination Flooding Attacks StopIt When filters can be installed: Filters > Capabilities TVA+ StopIt TVA+ Block attack traffic completely Not good with small bottlenecks

One-Way Link Flooding Attacks StopIt When filters fail to install: Filters < Capabilities TVA+ StopIt TVA+ No filters installed; fail-safe More effective when file size increases

Two-Way Link Flooding Attacks StopIt StopIt TVA+ Filters and capabilities may both fail in extreme cases TVA+ No filters installed; degraded to per-source FQ Attackers get capabilities; degraded to per-destination FQ Under the specific settings, per-src FQ > per-dst FQ

Compare Filters & Capabilities: Summary Low High Effectiveness Filters become ineffective when they cannot be installed Both work, but Filters > Capabilities Low Filters Capabilities Attack Power Capabilities become ineffective when attackers can get capabilities Both become ineffective, fail-safe mechanisms needed High

Conclusion It s feasible to design an effective filter system Resilient to various attacks Fail-safe Filters v.s. Capabilities Filters are more effective if they can be installed Capabilities are more robust against attacks Capability systems tend to be simpler Capabilities + Per-AS fairness: might be the most cost-effective solution

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback