CompSci514 Computer Networks Lecture 20: Combating Denial ... · –Resilient to various attacks...

CompSci 514 Computer NetworksLecture 20: Combating Denial of

Service Attacks

Xiaowei Yang

How to Attack : Exhausting shared resources

• Flooding traffic to exhaust the bandwidth, memory, or CPU of a victim– Spoof addresses to hide

• Passport

– Distributed DoS (DDoS) to hide and to maximize damage• Multiple (weak) machines against (strong) victim

L

ISP network

Victim network

Bottleneck Link

Defending against bandwidth attacks is difficult

• Effective defense requires packets drop before the bottleneck– ISPs must drop flood packets before they reach the

victim networks – But only destinations know what packets are desired– Anti-distributed DoS services cost around $12,000

per month from carriers such as AT&T and MCI

L

Large Scale of Attacks

Arbor report, 2017

Frequency of attacks seen by ISPs

Defense paradigm• Capability-based approaches

– Ask before a sender can send• TVA

• Filter-based approaches– Block unwanted traffic

• Pushback, StopIt

• Overlay-based filtering– Protect specific servers

• Phalanx

TVA: A DoS-limiting Network Architecture

Capabilities are a promising approach

• Destination control– The destinations know better.

• Network filtering based on explicit and unforgeable packet state, i.e., capabilities– Only the network can shed load before the

damage has been made.

Sketch of the capability approach

1. Source requests permission to send.2. Destination authorizes source for limited transfer, e.g,

32KB in 10 secs• A capability is the proof of a destination’s authorization.

3. Source places capabilities on packets and sends them.4. Network filters packets based on capabilities.

Jcap

Capabilities alone do not effectively limit DoS

• Goal: minimize the damage of the arbitrary behavior of k attacking hosts.

– Non-goal: make DoS impossible• Problems

1. Request or authorized packet floods2. Added functionality in a router’s forwarding path 3. Authorization policies4. Deployment

• TVA addresses all of the above.

Challenges1.Counter a broad range of attacks, including

request and authorized packet floods

2.Router processing with bounded state and computation

3.Effective authorization policies

4. Incrementally deployable

Request packet floods

• Request packets do not carry capabilities.

Counter request packet floods (I)

• Rate-limit request packets

cap capcap

Counter request packet floods (II)

• Rate-limit request packets• Routers insert path identifier tags [Yarr03].• Hierarchically fair queue requests using the

most recent tags.

Per path-id queues1 2

1 1

Authorized packet floods

capcap cap

capcap

Counter authorized packet floods

• Per-destination queues• TVA bounds the number of queues.

cap

cap

cap cap

capcap

Challenges

1.Counter a broad range of attacks, including request packet floods and authorized packet floods



TVA’s implementation of capabilities

• Routers stamp pre-capabilities on request packets– (timestamp, hash(src, dst, key, timestamp))

• Destinations return fine-grained capabilities– (N, T, timestamp, hash(pre-cap, N, T))– send N bytes in the next T seconds, e.g. 32KB in 10

seconds

J

pre1 pre2

cap1 cap2

Validating fine-grained capabilities

1. A router verifies that the hash value is correct.2. Checks for expiration: timestamp + T · now3. Checks for byte bound: sent + pkt_len · N

J

cap1 cap2 data

N, T, timestamp, hash(pre-cap, N, T)

Bounded computation

• The main computation overhead is hash validation.

• On a Pentium Xeon 3.2GHz PC– Stamping pre-capabilities takes 460ns– Validating capabilities takes 1486ns

Bounded state

• Create a slot if a capability sends faster than N/T.• For a link with a fixed capacity C, there are at most

C/(N/T) flows• à Number of slots is bounded by C / (N/T)

J

cap1 cap2 data

N, T, timestamp, hash(pre-cap, N, T)

sent + pkt_len · N

Worst case byte bound is 2N in T seconds

Tt1 t2 t30

a slot is created a slot is expired

TTL average rate · N/T average rate · N/T

t · T

bytes · N

bytes · N

• When a packet with a valid capability arrives, a router will create a slot to track the number of bytes. The time-to-live value of the slot is set proportional to the packet length: TTL+ L/(N/T)

• If a slot expires, it indicates that a capability sends slower than N/T.

t4 t5

Bounded number of queues

• Tag space bounds the number of request queues.• Number of destination queues is bounded by C/R

path-identifier queue

Validate capability

requests

per-destination queueregular packets YN

low priority queuelegacy packets

Queue on most recent tags

Keeps a queue if a destination receives faster than a threshold rate R

Challenges

1.Counter a broad range of attacks, including request packet floods and authorized packet floods



Simple policies can be effective

• Fine-grained capabilities tolerate authorization mistakes.

• Client policy– Authorize requests that match outgoing ones

• Public server policy– Authorize all initial requests– Stop misbehaving senders– A server has control over its incoming traffic when

overload occurs.

Comments on TVA• Assume destinations can reliably

differentiate good and bad

• A lot of queues– Path identifier queues and per-destination

queues

• Denial of capability attacks– Unwanted requests can’t be blocked

Portcullis• A puzzle-based approach to protect the request

setup channel

• A global puzzle seed is distributed to all routers

• A sender solves different levels of puzzles to gain priority on the request channel– Solving a L+1 level puzzle requires twice as much

time than solving a L level puzzle– High priority requests sending rate exponentially

decreases à no congestion for high priority packets

To Filter or to Authorize:Network-Layer DoS Defense

against Multimillion-node Botnets

No Consensus on How to Combat DoS

• Capability-based approaches were criticized because of the setup channel vulnerability

• Two intriguing schools of thought– Filters– Capabilities

Filters or capabilities?

To design a DoS-resistant network architecture, should we use filters,

capabilities, neither, or both?“…capabilities are neither sufficient nor necessaryto combat DoS.”

by K. Argyraki, et al.

“We strongly disagree: … a simple and highly efficient network-based defense … can prevent DoC attacks.”

by A. Perrig, et al.

Filter-based Approach1. Anyone can send to anyone by default2. A receiver requests the network to install filters

A

V

Filter (A,V)

StopIt

1. Design an effective filter-based system– Existing filter systems have several limitations

• Loss of control messages• Filter exhaustion attacks• Damage when filters fail to install

2. Compare the effectiveness of filter-based and capability-based systems under various attacks

“We believe in: rough consensus and running code.”-- David Clark

Design Goals of StopIt• Effective with little collateral damage

– Do not block legitimate communications

• Resilient to a wide range of strategic attacks– E.g.: impersonation attacks, filter exhaustion attacks

• Fail-safe– Limit the damage when filters fail to install

• Incentivizing deployment– Early adopters should benefit immediately

Design Premises• Similar to capability-based systems

• Simplifying assumptions– End systems can distinguish attack traffic– Both routers and hosts can be upgraded– Securable intra-AS communications

• Practical constraints– No special hardware

• E.g.: no tamper-proof hardware, no line-speed per-packet public key operations

– Both hosts and routers may be compromised

Overview of an Ideal Filter System

Scalable: no per-flow state in the network core

bottleneckAS1

AS2

AS3

RdRs

A V

Block (A,V)

Filters fail to install

Secure the Basic DesignProblems Solutions

Source address spoofing attacks

Impersonation attacks

Filter exhaustion attacks

Control channel DoS attacks

Incentives to deploy

Authenticate source addresses with Passport [NSDI’08]

Authenticate filter requests with standard authentication techniques

Confirm attacks before accepting filter requests; avoid filters against

compliant sources; catch and punish misbehaving sources

Closed control channel

Source-based fair queuing

Closed Control Channel

bottleneckAS1

AS2

AS3

StopIt Server

StopIt Server addresses are published in BGP

10.1.0.0/16 StopIt Server AddressBGP Prefix Announcement

Filter requests are exchangedbetween known peers

Steps to Block Attack Traffic

V: Block S

bottleneckAS1

AS2

AS3

RdRs

S VV: Block S

Block (S,V)

ACK: Block (S,V)

End-to-end requests before submitting filter requestsAttack confirmation on Rd to mitigate filter exhaustion attacksUse source address and IP-ASN mapping to locate source ASRequest-ACK between S and Rs to mitigate filter exhaustion attacks

Confirm that Attack Traffic Exists

• Goal: prevent attackers installing filters against non-existent traffic

• Confirm attack traffic with flow cache– Access routers use flow cache to record

recent src-dst pairs– Filter requests against traffic not in the flow

cache are discarded

Confirm Source is Non-compliant

Rd

X

Y

Rd Confirmation Filter Table

A1

A2

(A2,X,TTL)

(A1,Y,TTL)

(A2,X,TTL,Hashkd(msg))(A3,Z,TTL)

• Goal: prevent malicious destinations installing filters against compliant sources on source access routers

• Mitigate filter exhaustion: secure filter swapping

Source-side Filter Exhaustion Attack

A

Rs Filter Tablewith Fs Slots

A,V

V

…Na Attack-triggered

filter requests

…A,XA,Y

• Random filter replacement: Pcaught=(1-1/Fs)Na

– E.g.: if Fs=1k and Na=1k, Pcaught=36.8%• Aggregate misbehaving sources’ filters• Quota on filter requests to limit attacker

capacity

Filters fail to install

Secure the Basic DesignProblems Solutions

Source address spoofing attacks

Impersonation attacks

Filter exhaustion attacks

Control channel DoS attacks

Incentives to deploy

Authenticate source addresses with Passport [NSDI’08]

Authenticate filter requests with standard authentication techniques

Confirm attacks before accepting filter requests; avoid filters against

compliant sources; catch and punish misbehaving sources

Close the control channel

Source-based fair queuing

Two-level Hierarchical Fair Queuing

• First-level fair queuing: source AS– Limit damage of attack traffic when filters fail to install– Incentivize deployment

• Second-level fair queuing: source address– Give inter-domain filter requests guaranteed bandwidth

Bottleneck Link

AS1

AS2

Filter Requestsfrom StopIt Servers

Evaluate StopIt

• Prototype implemented on Linux using Click

• Evaluated on Deterlab

– Block various number of attackers with destination-

side filter exhaustion

– Source-side filter exhaustion attack

• Main Results

– Block 10M attackers in 1658 seconds

– With 10M filter slots and 10M daily quota on filter

requests, on average an attacker can at most attack a

victim 2.4 times per day

Compare Filters & Capabilities: Settings

• DoS Mitigation Systems– Filter-based: StopIt, AITF, Pushback– Capability-based: TVA, TVA+(Passport), Portcullis

• Topology– a branch of AS-level topology from RouteViews

• Scale-down factor: 1/20– E.g., bottleneck bandwidth: 1Gbps(simulated) =

50Mbps(real)• Metrics of effectiveness

– Ratio of successful file transfers– Average file transfer time

• Default simulated bottleneck bandwidth: 1Gbps

Default file size: 20KB

Compare Filters & Capabilities: Attacks

• Destination flooding attacks• One-way link flooding attacks• Two-way link flooding attacks

Partial AS-leveltopology

…

Usersbottleneck

…

Colluders

Victim

Non-responsiveHost

Attackers

Destination Flooding AttacksStopIt

TVA+

• StopIt– Block attack traffic

completely• TVA+

– Not good with small bottlenecks

When filters can be installed:Filters > Capabilities

One-Way Link Flooding Attacks

TVA+• StopIt

– No filters installed; fail-safe• TVA+

– More effective when file size increases

StopIt

When filters fail to install:Filters < Capabilities

Two-Way Link Flooding AttacksStopIt

TVA+• StopIt

– No filters installed; degraded to per-source FQ• TVA+

– Attackers get capabilities; degraded to per-destination FQ

• Under the specific settings, per-src FQ > per-dst FQ

Filters and capabilitiesmay both fail in extreme cases

Compare Filters & Capabilities: Summary

Attack PowerLow High

Both work,but Filters > Capabilities

Filters become ineffectivewhen they cannot be installed

Capabilities become ineffectivewhen attackers can get capabilities

Both become ineffective,fail-safe mechanisms neededEf

fect

iven

ess

Low

Hig

h

FiltersCapabilities

Comments• It’s feasible to design an effective filter system

– Resilient to various attacks– Fail-safe

• Filters v.s. Capabilities– Filters are more effective if they can be installed– Capabilities are more robust against attacks– Capability systems tend to be simpler

• Capabilities + Per-AS fairness: might be the most cost-effective solution

Phalanx: WithstandingMultimillion-Node

BotnetsAn overlay-based approach

Motivation: deployability • Solved for static content

– Replicate everywhere– Large CDNs (Akamai, CoDeeN, Coral)

• Potentially solved if we can replace all routers– Promising “clean slate” academic research . . .– . . . but, pervasive bots require universal deployment

• Unsolved for dynamic content on the Internet today– VoIP, e-govt, e-commerce, AJAX web apps, etc.– Can we use a pervasive set of machines (i.e., a CDN) to solve the

problem? Without changing every router?

Key Ideas• Tie fate of a server to a large part of the Internet

• Goals– Deployable – without changing all ISPs or all routers– Scalable – to terabit attacks w/millions of attackers

• Mechanisms– Packet Mailboxes– Secure Random Multipathing– Filtering Ring

Simple Proxy• Use nodes as proxies• They can make

filtering decisions• Forward remaining

traffic to server• How do they make

filtering decisions?• Do we trust them?• How does the network

know we trust them?

Mailbox• Use nodes as mailboxes

• Hold each packet for an explicit request

– Nonce in a data packet must match that in a request

• Policy at destination

• Don’t trust mailboxes

• Explicitly express trust to the network

• Still, any single node is vulnerable to attack

Secure Random Multipathing• Send traffic

randomly among mailboxes

• According to shared secret sequence

• Botnet can take down one mailbox

• But communication continues

Secure Random Multipathing• Send traffic randomly

among mailboxes• According to shared

secret sequence• Botnetcan take down

one mailbox• But communication

continues• Diluted attacks against

all mailboxes fail

Secure Random Multipathing• Sequence of mailboxes

– Negotiate secret X at connection setup– Construct a secret sequence based on X

• x0 = h(X,X), xi = h(xi-1,X)– Use xi to name that packet and select mailbox

• Neat!– Also a lightweight authenticator

• Need a multipath congestion control algorithm

Filtering Ring• Attackers can ignore

the mailboxes and just attack the server

• Need to drop unrequested traffic in the network

• request/response framework signals the network

blacklist

whitelist

blacklist

whitelist

xi xi

blacklist whitelistxi

Filtering Ring

req: xi

data: xireq: xi

data: xi

data: xi

req: xi

Connection Setup

• So far, we protect established connections

• How do clients initiate connections?

• Server issues “first packet” requests– They are scarce resources

– Can’t be grabbed at will

• Mediate access to these requests– Computational puzzles (Portcullis-style)

• Per-computation fair queueing

– Authentication tokens• For small deployments w/known principals

• Pre-authenticated clients

Example

Example• Get static content and

applet from CDN (1)• Connection setup

– Get/solve puzzle (2)– Server issues first packet

request (3)– First packet & request

paired and sent (4,5)– Server returns mailbox

list and secret X (6)• Protected comm. (7)

Comments• Essentially a multi-path capability system

• Clients of an open server still needs to compete for the server’s first requests– When bots outnumber clients of a server, waiting time

may still be significant

• Availability of mailboxes, response latency, per-packet nonce blacklists are all questionable

Practical DDoS Mitigation Products

• Outpower botnets by raw bandwidth capacity– CloudFlare– Google Project Shield– AWS shield– Akamai

J

Summary

• Various DoS defense systems

• Capability-based• Filter-based• Overlay-based

CompSci514 Computer Networks Lecture 20: Combating Denial ... · –Resilient to various attacks...

Documents

Transcript of CompSci514 Computer Networks Lecture 20: Combating Denial ... · –Resilient to various attacks...