DDoS Defense by Offense

Similar documents
DDOS - Fighting Fire with Fire Michael Walfish, Hari Balakrishnan, David Karger, and Scott Shenker.

DDoS Defense by Offense

Combining Speak-up with DefCOM for Improved DDoS Defense

TCP and BBR. Geoff Huston APNIC. #apricot

CSE 123A Computer Networks

Congestion? What Congestion? Mark Handley

TCP so far Computer Networking Outline. How Was TCP Able to Evolve

CS268: Beyond TCP Congestion Control

TCP and BBR. Geoff Huston APNIC

Your projected and optimistically projected grades should be in the grade center soon o Projected: Your current weighted score /30 * 100

DENIAL OF SERVICE ATTACKS

Chapter 7. Denial of Service Attacks

The Case for Informed Transport Protocols

Congestion control in TCP

Congestion Control for High Bandwidth-delay Product Networks. Dina Katabi, Mark Handley, Charlie Rohrs

20: Networking (2) TCP Socket Buffers. Mark Handley. TCP Acks. TCP Data. Application. Application. Kernel. Kernel. Socket buffer.

An experimental study of the learnability of congestion control

Congestion Control In the Network

Distributed Quota Enforcement for Spam Control

CSE/EE 461 Lecture 16 TCP Congestion Control. TCP Congestion Control

Computer Networks. Sándor Laki ELTE-Ericsson Communication Networks Laboratory

Goals of Today s Lecture! Congestion Control! Course So Far.! Congestion Control Overview! It s Not Just The Sender & Receiver! Congestion is Natural!

CS519: Computer Networks. Lecture 5, Part 4: Mar 29, 2004 Transport: TCP congestion control

Congestion Control End Hosts. CSE 561 Lecture 7, Spring David Wetherall. How fast should the sender transmit data?

HighSpeed TCP for Large Congestion Windows draft-floyd-tcp-highspeed-00.txt

Confused, Timid, and Unstable: Picking a Video Streaming Rate is Hard

Distributed Denial of Service (DDoS)

COMPUTER NETWORK SECURITY

Congestion Control for High-Bandwidth-Delay-Product Networks: XCP vs. HighSpeed TCP and QuickStart

TCP and BBR. Geoff Huston APNIC

Outline 9.2. TCP for 2.5G/3G wireless

2020: Time to Shutdown DDoS?

6.033 Computer System Engineering

CS 43: Computer Networks. 19: TCP Flow and Congestion Control October 31, Nov 2, 2018

Performance Consequences of Partial RED Deployment

P2P Control for ISPs Dr. Lawrence G. Roberts Anagran Oct. 2008

Computer Networking

Lecture 21: Congestion Control" CSE 123: Computer Networks Alex C. Snoeren

Networking Past, Present and Future

Dan Boneh, John Mitchell, Dawn Song. Denial of Service

Computer Network Fundamentals Spring Week 10 Congestion Control Andreas Terzis

Computer Science 461 Final Exam May 22, :30-3:30pm

Computer Security: Principles and Practice

Flow and Congestion Control

Congestion Control in the Network

Definition. Quantifying Anonymity. Anonymous Communication. How can we calculate how anonymous we are? Who you are from the communicating party

Cloudflare Advanced DDoS Protection

CS 640 Lecture 4: 09/11/2014

Episode 4. Flow and Congestion Control. Baochun Li Department of Electrical and Computer Engineering University of Toronto

Page 1. Review: Internet Protocol Stack. Transport Layer Services. Design Issue EEC173B/ECS152C. Review: TCP

Transport Layer Congestion Control

TCP and BBR. Geoff Huston APNIC

Differential Congestion Notification: Taming the Elephants

Lecture 14: Congestion Control"

Denial of Service (DoS)

Multipath Transport, Resource Pooling, and implications for Routing

Lecture 14: Congestion Control"

Question. Reliable Transport: The Prequel. Don t parse my words too carefully. Don t be intimidated. Decisions and Their Principles.

Distributed Denial of Service

Outline Computer Networking. TCP slow start. TCP modeling. TCP details AIMD. Congestion Avoidance. Lecture 18 TCP Performance Peter Steenkiste

End-to-End Mechanisms for QoS Support in Wireless Networks

Overview. TCP & router queuing Computer Networking. TCP details. Workloads. TCP Performance. TCP Performance. Lecture 10 TCP & Routers

CSE 4215/5431: Mobile Communications Winter Suprakash Datta

6.033 Computer System Engineering

CSE 565 Computer Security Fall 2018

Exercises TCP/IP Networking With Solutions

Transmission Control Protocol. ITS 413 Internet Technologies and Applications

Fairness, Queue Management, and QoS

Congestion Control for High Bandwidth-delay Product Networks

NET ID. CS519, Prelim (March 17, 2004) NAME: You have 50 minutes to complete the test. 1/17

Congestion Control. Tom Anderson

Page 1. Review: Internet Protocol Stack. Transport Layer Services EEC173B/ECS152C. Review: TCP. Transport Layer: Connectionless Service

CS 268: Lecture 7 (Beyond TCP Congestion Control)

Mobile Communications Chapter 9: Mobile Transport Layer

Chapter 13 TRANSPORT. Mobile Computing Winter 2005 / Overview. TCP Overview. TCP slow-start. Motivation Simple analysis Various TCP mechanisms

Mobile Communications Chapter 9: Mobile Transport Layer

CS 138: Communication I. CS 138 V 1 Copyright 2012 Thomas W. Doeppner. All rights reserved.

Lecture 15: TCP over wireless networks. Mythili Vutukuru CS 653 Spring 2014 March 13, Thursday

CS644 Advanced Networks

Cloud e Datacenter Networking

TCP Tuning for the Web

Basic NAT Example Security Recitation. Network Address Translation. NAT with Port Translation. Basic NAT. NAT with Port Translation

Transport Layer TCP / UDP

CSE Computer Security (Fall 2006)

Resource Guide Implementing QoS for WX/WXC Application Acceleration Platforms

CSCI-1680 Transport Layer III Congestion Control Strikes Back Rodrigo Fonseca

Quick-Start for TCP and IP

Utilizing Datacenter Networks: Centralized or Distributed Solutions?

COSC 301 Network Management

Introduction to Security. Computer Networks Term A15

(DNS, and DNSSEC and DDOS) Geoff Huston APNIC

Appendix B. Standards-Track TCP Evaluation

Computer Networked games

Rob Sherwood Bobby Bhattacharjee Ryan Braud. University of Maryland. Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.

TCP Congestion Control

Sam Pickles, F5 Networks A DAY IN THE LIFE OF A WAF

ECE 610: Homework 4 Problems are taken from Kurose and Ross.

CS244 Advanced Topics in Computer Networks Midterm Exam Monday, May 2, 2016 OPEN BOOK, OPEN NOTES, INTERNET OFF

Layer 4 TCP Performance in carrier transport networks Throughput is not always equal to bandwidth

CSCD 433/533 Advanced Networks Spring Lecture 22 Quality of Service

Transcription:

DDoS Defense by Offense Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker, SIGCOMM 06 Presented by Nikki Benecke, Nov. 7 th, 2006, for CS577 DDoS: Defense by Offense 1

Outline Introduction Design Implementation Evaluation Concerns Conclusions DDoS: Defense by Offense 2

Introduction DDoS: Defense by Offense 3

Basic Idea Defense against application level DDoS attacks Way of dealing with attack as it occurs, not a prevention scheme DDoS: Defense by Offense 4

Application-level attacks Attacker sends proper looking requests to waste server s resources Overwhelms server, not access links Cheaper than link-level attacks (for the attacker) Attack traffic is harder to identify DDoS: Defense by Offense 5

Application-level attacks Current defenses focus on slowing down attackers/stopping the attack. But good clients are totally drowned out in these defense systems authors say it s time for them to speak-up. DDoS: Defense by Offense 6

3 Types of Defenses Overprovision computation resources massively Detect and block attackers Charge all clients a currency DDoS: Defense by Offense 7

Speak-up It s a currency-based defense that uses bandwidth as the currency Claim: attackers use most of their available bandwidth during attacks, victims don t Use encouragemen to make victims send more traffic so they are better represented at the server DDoS: Defense by Offense 8

Two conditions to make it work Adequate Link Bandwidth: there must be enough spare bandwidth to allow for speak-up inflated traffic Adequate Client Bandwidth: the aggregate bandwidth of all good clients must be on the same order as the attackers DDoS: Defense by Offense 9

Three conditions where it wins No predefined clientele: Makes filtering impossible, so use speak-up. Non-human clientele: Makes human tests (type in the word, etc) impossible, so use speak-up. Unequal requests or spoofing or smart bots: No method for dealing with the first, can t use methods for the second two use speak-up!!! DDoS: Defense by Offense 10

Design DDoS: Defense by Offense 11

Design Goal Allocate resources to competing clients in proportion to bandwidth [math] DDoS: Defense by Offense 12

3 Required Mechanisms 1. Way to limit the total requests to the server to its max, c 2. Mechanism to reveal available bandwidth/provide encouragement 3. Proportional allocation mechanism let clients in proportional to delivered bandwidth Hence, the thinner appears. DDoS: Defense by Offense 13

Explicit Payment Channel Thinner wants to pad client traffic with dummy bytes, but how many should we pad with? We don t want to need to know that information! DDoS: Defense by Offense 14

Explicit Payment Channel When server is overloaded, thinner asks clients to open separate payment channels Client sends bytes on this channel, becomes a contender Thinner tracks how much each contender sends When server is free, thinner admits the highest bidder and closes the channel DDoS: Defense by Offense 15

Heterogeneous requests Charging the same amount for unequal requests gives unfair advantage to attacker So charge per chunk instead of per request DDoS: Defense by Offense 16

Heterogeneous requests Instead of closing the bid channel after accepting a client, keep it open until request is served Every unit of service time, reopen the auction DDoS: Defense by Offense 17

Heterogeneous requests 1. At time t, v is active connection, u is the highest contender 2. u > v, SUSPEND v, ADMIT (RESUME) u 3. v > u, let v continue sending, but reset its payment counter for time t+1 4. ABORT requests that have been suspended too long DDoS: Defense by Offense 18

Implementation DDoS: Defense by Offense 19

Implementation Clients send by Poisson process, limited windows (open requests) Deterministic service time (all reqs equal) Bad clients send faster, and have bigger windows Good client: = 2, w = 1 Bad client: = 40, w = 20 DDoS: Defense by Offense 20

Implementation Max. number of clients limited to 50 by testbed Small scale for representing DDoS However, they think it ll still work on a larger scale DDoS: Defense by Offense 21

Evaluation DDoS: Defense by Offense 22

Evaluation Validating the thinner s allocation Latency and byte cost Adversarial advantage Heterogeneous network conditions Good and bad clients sharing bottlenecks Impact of speak-up on other traffic DDoS: Defense by Offense 23

Validating the thinner s allocation Question 1: Do groups get service in proportion to bandwidth? Setup: 50 clients over 100 Mb/s LAN Each gets 2Mb/s c = 100 req/s Vary f, the fraction of good clients DDoS: Defense by Offense 24

Validating the thinner s allocation DDoS: Defense by Offense 25

Validating the thinner s allocation Speak-up defended clients are always a little behind ideal Gaming Always fare better than undefended DDoS: Defense by Offense 26

Validating the thinner s allocation Question 2: What happens when we vary the capacity of the server? Setup: 25 good clients, 25 bad clients cid = 100 c = 50, 100, 200 DDoS: Defense by Offense 27

Validating the thinner s allocation DDoS: Defense by Offense 28

Validating the thinner s allocation DDoS: Defense by Offense 29

Validating the thinner s allocation Good clients do best when the server has ability to process all requests (i.e., large c) Service proportional to bandwidth even when server can t process all requests DDoS: Defense by Offense 30

Latency cost Same setup as last experiment Measures the length of time clients spend uploading dummy bytes DDoS: Defense by Offense 31

Latency cost DDoS: Defense by Offense 32

Latency cost With a large c, cost isn t very high Even with a small c, worst added delay is 1s. Pretty bad, but not as bad as getting no service during an attack, right? DDoS: Defense by Offense 33

Byte Cost Still the same setup Measure the average number of bytes uploaded for served requests DDoS: Defense by Offense 34

Byte Cost DDoS: Defense by Offense 35

Byte Cost Bad clients do end up paying more than good clients But do they pay significantly more? DDoS: Defense by Offense 36

Heterogeneous Network Conditions First, look at varied bandwidth 5 client categories, 10 clients in each category Bandwidth for category i = 0.5i Mbps (1 <= i <= 5) All clients are good clients c = 10 DDoS: Defense by Offense 37

Heterogeneous Network Conditions DDoS: Defense by Offense 38

Heterogeneous Network Conditions Roughly proportional to bandwidth of clients Close to ideal DDoS: Defense by Offense 39

Heterogeneous Network Conditions Now look at effect of varied RTT 5 client categories, with 10 clients in each RTT for category i = 100i ms (1 <= i <= 5) Bandwidth per client = 2 Mbps c = 10 Run with all good or all bad clients DDoS: Defense by Offense 40

Heterogeneous Network Conditions DDoS: Defense by Offense 41

Heterogeneous Network Conditions Good clients with long RTTs do worse than any bad clients Effect is limited No one gets > 2*ideal No one gets < 1/2*ideal DDoS: Defense by Offense 42

Good and Bad Sharing a Bottleneck 30 clients, each with 2 Mbps, connect to thinner through link l l s bandwidth = 40 Mbps 10 good, 10 bad clients, each with 2Mbps, connect directly to thinner C = 50 req/s Vary number of good/bad behind l DDoS: Defense by Offense 43

Good and Bad Sharing a Bottleneck DDoS: Defense by Offense 44

Good and Bad Sharing a Bottleneck Clients behind l capture half of the server s capacity Good behind l suffer some, especially with greater number of bad clients Effect on good clients greater when bottleneck is smaller DDoS: Defense by Offense 45

Impact of speak-up on other traffic Bottleneck, m, shared between speakup clients and TCP endpoint, H Run with H as a sender, m is shared fairly Run with H as a receiver, H s ACKs will get lost, H s requests will be delayed DDoS: Defense by Offense 46

Impact of speak-up on other traffic Experimented specifically with H as a receiver 10 good speak-up clients, 1 HTTP client downloading with wget m = 1Mbps, rest = 2Mbps c = 2 DDoS: Defense by Offense 47

Impact of speak-up on other traffic DDoS: Defense by Offense 48

Impact of speak-up on other traffic Huge impact on H Pessimistic result according to authors Only happens during attack, might be worth it to help defend the Internet DDoS: Defense by Offense 49

Concerns DDoS: Defense by Offense 50

Concerns/Cautions/Objections Does speak-up hurt small sites? Yes, for current sized botnets But this might get better with smaller botnets Does speak-up hurt the whole Internet? Not really Only for servers under attack Core overprovisioning dampens the effect Congestion control will keep speak-up under control DDoS: Defense by Offense 51

Concerns/Cautions/Objections Bandwidth envy Only more better off during attacks ISPs could offer high bw proxies to low bw clients Variable bandwidth costs Again, offer a high bw proxy Or let customers decide whether or not to bid DDoS: Defense by Offense 52

Concerns/Cautions/Objections Incentives for ISPs The basic goodness of society will protect us!!! Solving the wrong problem Cleaning up botnets is good, but we need to do something in the meantime Flash crowds Reasonable to treat them as attacks Wouldn t effect low bw sites in the first place DDoS: Defense by Offense 53

Conclusions DDoS: Defense by Offense 54

Conclusions Not sure who wants/needs speak-up Survey to find out Speak-up does what it proposes to do DDoS: Defense by Offense 55

Conclusions Main advantages Network elements don t need to change Only need to modify servers and add thinners Main disadvantages Everyone floods, so harder to detect bad clients Hurts edge networks Rendered useless if access links to thinner are saturated DDoS: Defense by Offense 56

My Questions Are speak-up s assumptions reasonable? DDoS: Defense by Offense 57

Questions? DDoS: Defense by Offense 58

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback