CoDef: Collaborative Defense against Large-Scale Link-Flooding Attacks

Similar documents
CoDef: Collaborative Defense Against Large-Scale Link-Flooding Attacks

Routing Bottlenecks in the Internet: Causes, Exploits, and Countermeasures. ECE Department and CyLab, Carnegie Mellon University

Early detection of Crossfire attacks using deep learning

SENSS: Software-defined Security Service

To Filter or to Authorize: Network-Layer DoS Defense against Multimillion-node Botnets. Xiaowei Yang Duke Unversity

Introduction to IP Routing. Geoff Huston

Combining Speak-up with DefCOM for Improved DDoS Defense

Check Point DDoS Protector Simple and Easy Mitigation

Network Policy Enforcement

Sanctuary Trail: Refuge from Internet DDoS Entrapment

Chapter 10: Denial-of-Services

On the State of the Inter-domain and Intra-domain Routing Security

Data Plane Protection. The googles they do nothing.

SENSS Against Volumetric DDoS Attacks

Distributed Denial of Service

Routing Bottlenecks in the Internet: Causes, Exploits, and Countermeasures

Routing Security We can do better!

this security is provided by the administrative authority (AA) of a network, on behalf of itself, its customers, and its legal authorities

FortiDDoS Deployment Guide for Cloud Signaling with Verisign OpenHybrid

Distributed Denial-of-Service Attack Prevention using Route-Based Distributed Packet Filtering. Heejo Lee

DDoS Protection in Backbone Networks

Link State Routing & Inter-Domain Routing

August 14th, 2018 PRESENTED BY:

Unicast Reverse Path Forwarding Loose Mode

The Transition to BGP Security Is the Juice Worth the Squeeze?

BGP Routing and BGP Policy. BGP Routing. Agenda. BGP Routing Information Base. L47 - BGP Routing. L47 - BGP Routing

Inter-Domain Routing: BGP

Inter-Domain Routing: BGP

Comprehensive datacenter protection

On the Effectiveness of Route-Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets

Jumpstarting BGP Security. Yossi Gilad Joint work with: Avichai Cohen, Amir Herzberg, and Michael Schapira

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

Department of Computer and IT Engineering University of Kurdistan. Computer Networks II Border Gateway protocol (BGP) By: Dr. Alireza Abdollahpouri

XCA EDGE Use case MIXED IPSEC / MPLS-VPN NETWORK OPTIMIZATION

dfence: Transparent Network- based Denial of Service Mitigation

Security Baseline Data Model for Network Infrastructure Device draft-xia-sacm-nid-dp-security-baseline-00 draft-dong-sacm-nid-cp-security-baseline-00

DDoS Protector. Simon Yu Senior Security Consultant. Block Denial of Service attacks within seconds CISSP-ISSAP, MBCS, CEH

Internet services are vulnerable to denial-of-service

Your projected and optimistically projected grades should be in the grade center soon o Projected: Your current weighted score /30 * 100

STRIDE: Sanctuary Trail Refuge from Internet DDoS Entrapment

NISCC Technical Note 06/02: Response to Distributed Denial of Service (DDoS) Attacks

Routing Basics ISP/IXP Workshops

Securing Online Businesses Against SSL-based DDoS Attacks. Whitepaper

Mutually Agreed Norms for Routing Security NAME

Chapter 7. Denial of Service Attacks

Overview. Problem: Find lowest cost path between two nodes Factors static: topology dynamic: load

CS 640: Introduction to Computer Networks. Intra-domain routing. Inter-domain Routing: Hierarchy. Aditya Akella

A Survey of Defense Mechanisms Against DDoS Flooding A

Routing Concepts. IPv4 Routing Forwarding Some definitions Policy options Routing Protocols

OpenFlow DDoS Mitigation

Various Anti IP Spoofing Techniques

BGP. Daniel Zappala. CS 460 Computer Networking Brigham Young University

StackPi: New Packet Marking and Filtering Mechanisms for DDoS and IP Spoofing Defense

MANRS. Mutually Agreed Norms for Routing Security. Jan Žorž

Routing Basics. Routing Concepts. IPv4. IPv4 address format. A day in a life of a router. What does a router do? IPv4 Routing

FLoc: Dependable Link Access for Legitimate Traffic in Flooding Attacks

Network Security: Routing security. Aapo Kalliola T Network security Aalto University, Nov-Dec 2012

Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011

Preventing IP Source Address Spoofing: A Two-Level, State Machine-Based Method *

BTEC Level 3 Extended Diploma

DDoS Detection&Mitigation: Radware Solution

PROVIDING SECURE INTERNET SERVICES ARBOR TMS INTEGRATION

DDoS Defense Mechanisms for IXP Infrastructures

Collective responsibility for security and resilience of the global routing system

Overlay and P2P Networks. Introduction and unstructured networks. Prof. Sasu Tarkoma

Routing Basics ISP/IXP Workshops

Distributed Denial of Service (DDoS)

EFFECTIVE SERVICE PROVIDER DDOS PROTECTION THAT SAVES DOLLARS AND MAKES SENSE

Important Lessons From Last Lecture Computer Networking. Outline. Routing Review. Routing hierarchy. Internet structure. External BGP (E-BGP)

Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine

Security Issues In Mobile Ad hoc Network Routing Protocols

Interdomain Routing Design for MobilityFirst

Global DDoS Measurements. Jose Nazario, Ph.D. NSF CyberTrust Workshop

Carnegie Mellon Computer Science Department Spring 2015 Midterm Exam

Internet Architecture and Experimentation

Inter-AS routing. Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley

Neighbor-specific BGP: An algebraic exploration

Computer Science 461 Final Exam May 22, :30-3:30pm

CSE Computer Security (Fall 2006)

VFence: A Defense against Distributed Denial of Service Attacks using Network Function Virtualization

Bamboozling Certificate Authorities with BGP

Back to basics J. Addressing is the key! Application (HTTP, DNS, FTP) Application (HTTP, DNS, FTP) Transport. Transport (TCP/UDP) Internet (IPv4/IPv6)

Cisco DDoS Solution Clean Pipes Architecture

APT: A Practical Transit-Mapping Service Overview and Comparisons

Security for SIP-based VoIP Communications Solutions

Advanced Techniques for DDoS Mitigation and Web Application Defense

Communication Networks ( ) / Fall 2013 The Blavatnik School of Computer Science, Tel-Aviv University. Allon Wagner

Preventing Traffic with Spoofed Source IP Addresses in MikroTik

Why IPS Devices and Firewalls Fail to Stop DDoS Threats

SCION: Scalability, Control and Isolation On Next-Generation Networks

CMSC 417. Computer Networks Prof. Ashok K Agrawala Ashok Agrawala October 9, 2018 (a) October 18 October 9,

Collective responsibility for security and resilience of the global routing system

GARR customer triggered blackholing

Imperva Incapsula Product Overview

Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks

Advanced BGP using Route Reflectors

Mitigating Outgoing Spam, DoS/DDoS Attacks and Other Security Threats

Correlation Based Approach with a Sliding Window Model to Detect and Mitigate Ddos Attacks

Path Probing Relay Routing for Achieving High End-to-End Performance

SDN Use-Cases. internet exchange, home networks. TELE4642: Week8. Materials from Prof. Nick Feamster is gratefully acknowledged

Transcription:

CoDef: Collaborative Defense against Large-Scale Link-Flooding Attacks Soo Bum Lee *, Min Suk Kang, Virgil D. Gligor CyLab, Carnegie Mellon University * Qualcomm Dec. 12, 2013

Large Scale Link-Flooding Attacks Massive DDoS attacks against chosen targets in Internet Infrastructure GIG C2 ISR Logistics flooding scalable impact Smart Electric Grid dropped legitimate packets Financial Services 2

3 Real World Example: Spamhaus Attack (2013) flooding few links in 4 IXPs scalable impact: regionally degraded connectivity but easily mitigated: attack flows are distinguished from legitimate flows and filtered => lasted only ~ 1-1.5 hours Adversary Attack traffic IXP flooding

4 Typical Defenses against Link-Flooding Attacks Distinguish attack flows from legitimate ones e.g., flow filtering, pushback, anti-spoof filtering, capability-based solutions But, advanced link-flooding attacks can easily circumvent the typical defenses

5 Crossfire Attack (S&P 13) use bot to public server attack flows N bots flooding M public servers (e.g., HTTP web server) O(NM) flows indistinguishable attack flows from legitimate flows many, low-rate, diverse source/destination addresses, protocol conforming, destination-wanted

6 Coremelt Attack (ESORICS 09) use bot to bot colluding attack flows N bots Our adversary model: flooding indistinguishable link-flooding attacks O(N 2 ) flows

Problems I. Identify the indistinguishable attack flows? - force the adversary s untenable choice by conformance tests target I m gonnamake him an offer he can t refuse II. Avoid collateral damage to legitimate flows? - route separation (i.e., providing detours for legitimate flows) III. Prevent the attack from being dispersed and causing unanticipated damage to legitimate flows? - pin down potential attack flows 7

8 CoDef: Collaborative Defense 1. Collaborative Rerouting Target AS sends reroute requests to source ASes => provides detours around the flooded link Okay! Pls. avoid me! Source AS Link flooding Target AS

9 CoDef: Collaborative Defense 2. Collaborative Rate Control Target AS sends rate-control requests to source ASes => allows source AS to prioritize flows Okay! Pls. slow down! Source AS Link flooding Target AS

10 Motivations of Collaborative Defense Target AS Has no way to distinguish attack flows by itself Has limited control over the incoming traffic Source AS e.g., end-to-end AS-paths, traffic rate Has no idea about the flooding at the remote target Has good reason for collaboration to circumvent flooding Transit ASes Has no incentive/motivation for changing (optimized/complex) routing policies

11 CoDef Architecture CoDef adds complementary routing functions route controllers, secure route-control channels route-controller route-controller autonomous system router route-control channel

Collaborative Rerouting C is flooded and A s packets to G are dropped (1) C sends re-route message to A: Please avoid me (i.e., C) A R1 R2 D B A ABCG* ADEFG B D * : default route CG* BCG* CFG BFG CBFG DEFG* DABCG E EFG* EDABCG C F FG * FCG Flooding G G* 12

Collaborative Rerouting C is flooded and A s packets to G are dropped (1) C sends re-route message to A: Please avoid me (i.e., C) (2) A refers to its routing table and finds alternate route: ADEFG A R1 R2 D B A ABCG* ADEFG B D * : default route CG* BCG* CFG BFG CBFG DEFG* DABCG E EFG* EDABCG C F FG * FCG Flooding G G* 13

Collaborative Rerouting C is flooded and A s packets to G are dropped (1) C sends re-route message to A: Please avoid me (i.e., C) (2) A refers to its routing table and finds alternate route: ADEFG (3) A changes Import Policy of its BGP router (i.e., R2) A R1 R2 D B A ABCG* ADEFG B D * : default route CG* BCG* CFG BFG CBFG DEFG* DABCG E EFG* EDABCG C F FG * FCG Flooding G G* 14

Collaborative Rerouting C is flooded and A s packets to G are dropped (1) C sends re-route message to A: Please avoid me (i.e., C) (2) A refers to its routing table and finds alternate route: ADEFG (3) A changes Import Policy of its BGP router (i.e., R2) What if domain A is single-homed exclusively to B? => rerouting at B A ABCG* ADEFG B D * : default route CG* BCG* CFG BFG CBFG DEFG* DABCG reroutingrequest E EFG* EDABCG C F FG * FCG Flooding G G* 15

16 Rerouting Conformance Test Link Flooding

17 Rerouting Conformance Test Okay! Link Flooding Okay!

Rerouting Conformance Test 18

19 Rerouting Conformance Test oh wait flooding has stopped! let s create new attack flows! identify attack flows Link Flooding

20 Rerouting Conformance Test oh wait flooding has stopped! let s create new attack flows! identify attack flows Link Flooding Adversary s untenable choice: give up the attack (by conforming to the test) or be detected (by creating new attack flows)

21 Path Pinning identify attack flows! Link Flooding CoDef fixes attack paths to the target to prevent unanticipated damages

22 Evaluation of Collaborative Rerouting Internet AS topology 40K+ ASes and their business relationships from CAIDA (e.g., customer-provider, peer-peer) 538 attack ASes selected based on real spam bot distribution Forwarding path decision model preference: (i) cheaper paths; (ii) shorter paths

23 Evaluation of Collaborative Rerouting evaluate the availability of alternate paths from legitimate ASes to a destination conservative attack scenario all ASes on the attack paths (i.e., paths from attack ASes to destination) are the flooding targets Finding alternate paths: avoid target ASes three evaluation policies strict viable flexible S P 1 P 2 path exists? P 3 P 4 D

Connection Ratio (%) 24 Availability of Alternate Paths 100 80 60 40 20 Destination ASes AS Series1 20144 AS Series2 297 AS Series3 7500 AS Series4 27 AS Series5 2149 AS Series6 29216 0 1 2 3 strict viable flexible

25 Ease of Deployment No significant deployment cost no changes to existing systems (e.g., BGP and OSPF) honors routing policies of individual ASes requires no disclosure of internal topology/policies Significant deployment incentives technical advantage detects and mitigates large-scale link-flooding attacks economical advantages provides premium services

26 Conclusion CoDef: a practical mechanism for defending against large-scale link-flooding attacks Test to identify the attack flows exploiting adversary s untenable choices Significant deployment incentives

Thank You 27

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback