DaaS: DDoS Mitigation-as-a-Service 2011 IEEE/IPSJ International Symposium on Applications and the...

Post on 12-Jan-2016


DaaS: DDoS Mitigation-as-a-Service

2011 IEEE/IPSJ International Symposium on Applications and the Internet

Authors: Soon Hin Khor & Akihiro Nakao. Speaker: 101065511 沈祈恩


Outline

• INTRODUCTION
• DESIGN
• ARCHITECTURE
• EVALUATION
• CONCLUSION


INTRODUCTION

• DaaS is a service that protects a server against all three types of Distributed Denial-of-Service (DDoS):
– Arbitrary-packet attacks (network layer)
– Legit-user-mimicking attacks (application layer)
– Economic attacks (EDDoS)


• Most research concurs that having widely distributed Internet-edge or core intermediaries, which possess more resources than DDoS bots, receive traffic on behalf of a server is an effective technique for overcoming all three issues.


• For defense against application-layer DDoS, a Proof-of-Work (PoW) mechanism lets legitimate clients (legits, for short) obtain differentiated service based on the difficulty of the PoW "puzzles" they solve.


DESIGN

On-demand idle resource pool:
– DaaS's framework can recruit any existing or future system/service as an intermediary.
– Examples: IRC, Amazon's S3, forums


Ephemeral initial channels:
– Channel: a named entity on an intermediary, e.g. a channel name on IRC or a storage bucket in S3.
– I-channel: ephemeral initial channel.
– C-channel: communication channel.


Prioritize traffic:
– Prioritize existing-connection traffic over initial-connection-request traffic.
– Prioritize among the initial connection requests using sPoW (self-proof-of-work): requests are ranked by the difficulty of the puzzle solved.


ARCHITECTURE

• DaaS consists of a framework and sPoW.
• Implemented as DaaS name servers, client-side and server-side components.


Figure: DaaS utilizes highly scalable Cloud #1 as a metered intermediary to protect a metered server in Cloud #2.


Connection walkthrough:

1. A client that wants to contact the server performs a DNS resolution to obtain the location of the client-side component on the CDN.

2. It proceeds to download the component together with the server-side component's public key, embedded in its SSL certificate.

3. The client-side component then performs a DaaS name resolution, specifying the server host name and the puzzle difficulty k, to obtain a crypto-puzzle for the server.

4. The DaaS name server forwards the puzzle request to the server-side puzzle generator.

5. The server-side component randomly creates an ephemeral i-channel.

6. The server encrypts the channel details and sends back both the encrypted details and the encryption key with k bits undisclosed; this is the crypto-puzzle.

7. The client-side component brute-forces the k missing bits, recovers the i-channel details, and submits an initial connection request through the i-channel. The request includes a randomly generated secret key, encrypted with the server-side component's public key.

8. If the initial connection request is not handled within a timeout period, the client can request a more difficult crypto-puzzle and re-submit the connection request through the resulting higher-priority i-channel.

9. The server-side component receives the initial connection request.

10. The server creates a c-channel.

11. The server encrypts the c-channel details using the client-generated secret key and sends them back to the client-side component.

12. The server also informs the name server to invalidate the cached puzzle associated with the consumed i-channel.
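The walkthrough above, modelled end to end in Python as an added example (not the authors' code and not the DaaS implementation). A SHA-256 keystream with an HMAC tag stands in for the paper's symmetric cipher, channels are plain names rather than IRC rooms or S3 buckets, the client secret is handed to the server directly instead of under the server-side component's public key, and the class names, channel-name format and the k values used in `demo()` are all assumptions. The model also exercises the two behaviours the sPoW threat analysis depends on: the name server hands out one cached puzzle per difficulty until its i-channel is consumed, and only the first solver to use an i-channel receives a c-channel.

```python
"""sPoW i-channel handshake modelled end to end (added example, not the authors' code).
Assumptions not taken from the paper: a SHA-256 keystream plus HMAC tag stands in for
the symmetric cipher, channels are just names, and the client secret is handed over
directly rather than encrypted under the server-side component's public key."""
import hashlib, hmac, os, secrets

KEY_LEN, NONCE_LEN, TAG_LEN = 16, 8, 16

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # SHA-256 in counter mode: a stand-in for a real stream cipher (assumption)
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(key: bytes, pt: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]

def decrypt(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    want = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, want):
        return None  # wrong key guess: the tag fails, so a solver can tell a miss from the hit
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class ServerSide:
    # Server-side component: puzzle generator plus i-channel / c-channel handling.
    def __init__(self):
        self.open_ichannels = {}  # i-channel name -> difficulty k
        self.pending = []         # (k, i-channel, client secret) awaiting service
        self.name_server = None

    def make_puzzle(self, k: int):
        """Random ephemeral i-channel; release its encrypted name and the key minus k bits."""
        chan = "i-" + secrets.token_hex(6)
        self.open_ichannels[chan] = k
        key = os.urandom(KEY_LEN)
        partial = int.from_bytes(key, "big") & ~((1 << k) - 1)  # low k bits withheld
        puzzle = {"k": k, "blob": encrypt(key, chan.encode()),
                  "partial_key": partial.to_bytes(KEY_LEN, "big")}
        return puzzle, chan

    def submit(self, chan: str, client_secret: bytes) -> bool:
        """Initial connection request through an i-channel; unknown channels are dropped."""
        if chan not in self.open_ichannels:
            return False
        self.pending.append((self.open_ichannels[chan], chan, client_secret))
        return True

    def process_one(self):
        """Serve the highest-k request first; only the first user of an i-channel gets a c-channel."""
        if not self.pending:
            return None
        best = max(range(len(self.pending)), key=lambda i: self.pending[i][0])
        _, chan, secret = self.pending.pop(best)
        if self.open_ichannels.pop(chan, None) is None:
            return chan, b""  # i-channel already consumed by a quicker solver
        cchan = "c-" + secrets.token_hex(6)
        if self.name_server:
            self.name_server.invalidate(chan)  # cached puzzle for this i-channel is now stale
        return chan, encrypt(secret, cchan.encode())

class NameServer:
    # Caches one puzzle per difficulty (channel sharing) until its i-channel is consumed.
    def __init__(self, server: ServerSide):
        self.server, self.cache = server, {}  # cache: k -> (puzzle, i-channel)
        server.name_server = self

    def resolve(self, k: int) -> dict:
        if k not in self.cache:
            self.cache[k] = self.server.make_puzzle(k)
        return self.cache[k][0]

    def invalidate(self, chan: str):
        self.cache = {k: v for k, v in self.cache.items() if v[1] != chan}

def solve_puzzle(puzzle: dict):
    """Client side: brute-force the k withheld key bits (2**k trials worst case)."""
    base = int.from_bytes(puzzle["partial_key"], "big")
    for guess in range(1 << puzzle["k"]):
        pt = decrypt((base | guess).to_bytes(KEY_LEN, "big"), puzzle["blob"])
        if pt is not None:
            return pt.decode()
    return None

def demo() -> dict:
    """Clients a and b share one k=4 puzzle; client c solves k=8 and is served first."""
    server = ServerSide()
    ns = NameServer(server)
    shared = ns.resolve(4)
    shared_ok = ns.resolve(4) is shared  # second requester at k=4 gets the cached puzzle
    chan_low, chan_high = solve_puzzle(shared), solve_puzzle(ns.resolve(8))
    sec = {n: os.urandom(KEY_LEN) for n in "abc"}
    server.submit(chan_low, sec["a"])
    server.submit(chan_low, sec["b"])  # b reuses the i-channel a discovered
    server.submit(chan_high, sec["c"])
    (h, blob_c), (l1, blob_a), (l2, blob_b) = (server.process_one() for _ in range(3))
    return {"shared_ok": shared_ok, "high_first": h == chan_high,
            "c_chan_c": decrypt(sec["c"], blob_c).decode(),
            "c_chan_a": decrypt(sec["a"], blob_a).decode(),
            "b_rejected": l1 == l2 == chan_low and blob_b == b"", "cache_cleared": not ns.cache}
```

Running `demo()` shows the asymmetry sPoW relies on: generating a puzzle costs the server one encryption, while recovering the i-channel costs the client up to 2^k authenticated decryptions, and the MAC is what lets the solver recognise the single correct key among the guesses. With real cloud intermediaries the i-channel name would be an IRC channel or S3 bucket rather than a string looked up in a dictionary.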


ARCHITECTURE

Hide DaaS server details:
– Using the intermediary and a multipath stack of client/server-side components.


Enable any system/service to be used as an intermediary:
– Using a different intermediary plug-in for each intermediary type to enable communication between client and server.


sPoW threats:
– Puzzle generation resource exhaustion: bots request a lot of puzzles without solving them, leading to:
1. processing-power exhaustion
2. network-connectivity exhaustion
– Solution: channel sharing (a cached puzzle is served to many requesters instead of generating one per request).


sPoW threats:
– PoW violation with channel sharing: clients can obtain high-priority service by reusing high-priority channels discovered by others.
– Solution: only the quickest puzzle solver succeeds in submitting the connection request; the i-channel is consumed by its first use.


sPoW threats:
– Puzzle level inflation: attackers can inflate puzzle difficulty by repeatedly requesting the most difficult puzzles, which results in legits having to solve unnecessarily high-level puzzles to submit a connection request.
– Solution: the algorithm tracks the puzzle-resolution capacity of the user base (legits and bots) within a designated period.


Puzzle level inflation:
– Detection algorithm: if the sum of the capacity required to solve all open puzzles in the current period exceeds the user-base puzzle-resolution capacity estimated in the previous period, this is a possible attack indicator.


• C: server capacity for i-channel handling
• r_t: capacity required to solve all unique puzzles for open i-channels in the current period
• s_{t-1}: estimated user-base capacity in the previous period
• k_lowest: the lowest protection level of the channel
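The indicator described above, as a runnable Python sketch over constructed puzzle logs. This is an added example, not the paper's algorithm, which the slides do not give in full: it assumes that solving a puzzle with k undisclosed bits costs 2^k key trials, that s_{t-1} is estimated from the work of puzzles actually solved in the previous period, that open puzzles expire at period end, and that k_lowest acts as a floor on issued difficulty. The server capacity C is listed on the slide but not used here, and the class and method names are assumptions.

```python
"""Puzzle-level-inflation indicator (added example, not the authors' code).
Assumptions: work(k) = 2**k key trials; s_{t-1} = work of puzzles solved last period;
open puzzles expire at period end; k_lowest is a floor on issued difficulty;
the slide's C (server capacity) is not modelled."""


def work(k: int) -> int:
    """Key trials needed to solve a puzzle with k undisclosed bits (worst case)."""
    return 1 << k


class InflationDetector:
    def __init__(self, k_lowest: int):
        self.k_lowest = k_lowest
        self.open = {}    # open i-channel -> k; one entry per unique puzzle
        self.solved = 0   # work of puzzles solved in the current period
        self.s_prev = 0   # s_{t-1}: user-base capacity estimated in the previous period

    def issue(self, chan: str, k: int):
        """Record a puzzle handed out; a shared channel counts once however often it is served."""
        self.open.setdefault(chan, max(k, self.k_lowest))

    def consumed(self, chan: str):
        """A solver submitted through this i-channel, so its work was really spent."""
        self.solved += work(self.open.pop(chan))

    def required(self) -> int:
        """r_t: work to solve all unique open puzzles in the current period."""
        return sum(work(k) for k in self.open.values())

    def end_period(self) -> dict:
        """Compare r_t against s_{t-1}, then roll the estimate forward."""
        r_t = self.required()
        report = {"r_t": r_t, "s_prev": self.s_prev, "inflated": r_t > self.s_prev}
        self.s_prev, self.solved, self.open = self.solved, 0, {}
        return report


def scenario() -> list:
    """Constructed logs. Period 1: 50 legits solve k=8. Period 2: the same legits plus
    30 bots that request k=16 puzzles and never solve them."""
    det = InflationDetector(k_lowest=4)
    reports = []
    for i in range(50):
        det.issue(f"i-p1-{i}", 8)
        det.consumed(f"i-p1-{i}")
    reports.append(det.end_period())
    for i in range(50):
        det.issue(f"i-p2-{i}", 8)
        det.consumed(f"i-p2-{i}")
    for bot in range(30):                   # channel sharing: 30 requests, 3 unique puzzles
        det.issue(f"i-p2-bot-{bot % 3}", 16)
    det.issue("i-p2-floor", 2)              # a request below k_lowest is raised to k_lowest
    reports.append(det.end_period())
    return reports
```

In the second period r_t is 3 x 2^16 + 2^4 = 196624 against an s_{t-1} of 50 x 2^8 = 12800, so the indicator fires even though channel sharing has already collapsed the bots' 30 requests into three puzzles; the cost of the open high-k puzzles, not the number of requests, is what exceeds what the user base demonstrably solved last period.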


EVALUATION

Figure: Average transmission time of various file sizes through different intermediary types.


Figure: Average transmission time of various file sizes through I3 and IRC when different percentages of multipaths fail due to congestion.


Tardiness=


Tardiness=


CONCLUSION

• Contribution: employs sPoW, a unique scheme that lets legits compete against, and thereby reduce, otherwise indistinguishable DDoS traffic.

• Advantages:
1. Shields the location of the server.
2. sPoW frees the server from the traffic-verification burden.

• Disadvantages:
1. Does not give a clear explanation of how to utilize other systems as intermediaries.
2. Many kinds of intermediary plug-ins have to be implemented.
3. Clients have to install many intermediary plug-ins.
4. Cost burden on the other systems/services used as intermediaries.

Thank you. Q&A
