DDoS Defense Mechanisms for IXP Infrastructures
Tim Dijkhuizen, Lennart van Gijtenbeek
SNE: Research Project II 03-07-2018
Supervisor: Stavros Konstantaras (AMS-IX)
Introduction
● Distributed Denial of Service
● DDoS attacks on banks in NL [1]
● DDoS launched via botnets/booters
● Increase in size and complexity [2]
● IXP is a central entity
● Challenges:
○ High traffic loads
○ IXP neutrality
○ Complex infrastructure
Research Question
What (automated) solution can be developed to identify and mitigate DDoS attacks in an IXP network?
Internet eXchange Points (IXPs)
● Peering LAN (BGP)
● Exchange of traffic
● Wide range of networks connected
○ Such as banks, content providers, etc.
● Layer 2 forwarding (no routing)
● Route servers
Amsterdam Internet Exchange (AMS-IX)
● ~820 peers
● 5 Tbit/s peaks each day
● Traffic forwarding: MPLS/VPLS
● Statistics collector: sFlow
● Route server: BIRD
● Current DDoS solution
○ Disable port(s), NaWas
Types of DDoS Attacks
(Slide figure; image source: nbip.nl/nl/2018/05/16/nbip-ddos-data-report-2017-now-available/)
Types of DDoS Attacks cont'd
● Volumetric attacks
○ Amplification attacks
■ E.g. DNS amplification
■ Small request, large response
● Protocol attacks
○ E.g. TCP SYN flood
○ State exhaustion
● Application attacks
○ Layer 7
● No single detection method
● Distinct in: bandwidth and packets per second
Design Principles
1. Mitigate as close to the source as possible
2. No configuration required on the CEs
3. No congestion in the IXP core
4. Identification and mitigation on lower layers is preferred
5. Detect most common DDoS attacks
6. Intelligence resides in the IXP
7. Minimal impact on good traffic
8. IXP neutrality
9. Compatibility
Detection Methods
● Traffic monitoring needed
○ PE switches
○ Sample data: sFlow/Netflow
● L2 detection
○ L2 headers are too limited
■ Frame size, CRC
○ Other parameters
■ Send rate, arrival interval
● L3/L4 detection
Detection Methods cont'd
● Threshold-based detection
○ Calculate thresholds based on destination IP(s)
■ Scalability: thresholds on prefixes
■ IXP environment: per source AS
○ Metrics:
■ L2/L3: BPS, PPS
■ L4: TCP flags, source ports, destination ports
● Fingerprint-based detection
○ DDoSDB [3]
○ False negatives
Mitigation Methods
● Scrubbing
○ On-site
■ Proprietary box
○ Off-site
■ NaWas
● Access Control Lists
● Software Defined Networking (SDN)
● BGP Blackholing
Blackholing Techniques with BGP
● Source-based blackholing
○ IXP neutrality
○ IP spoofing / false positives
● Destination-based blackholing on the CE
1. Route withdrawal
2. Static routing entry for prefix to Null0 and announce next-hop
● Destination-based blackholing on the PE
○ Set CE next-hop to ARP-dummy
○ L2 ACL
Design Proposal
Added Components to IXP
DTM = DDoS Threat Mitigator
Component Interaction
DTM = DDoS Threat Mitigator
DTA = DDoS Threshold Adviser
CTA = Current Traffic Analyzer
Design Proposal
Threshold-based detection
Three-way mitigation
Identification Start Phase (1.1)
1. Peer starts the process
2. Identify PE port(s) of the victim
3. Get the CE IP, and announced prefixes (RS)
4. Start the DTA/CTA
○ Based on victim ports, and destination prefixes
5. Perform threshold comparisons
6. Present customer with exceeded prefixes
○ Customer decides which prefixes to mitigate
Mitigation Start Phase (1.2)
1. Determine the culprit AS(es)
○ Compare current to historical traffic
○ ASes to mitigation prefix
2. Determine mitigation workflow
○ Culprit AS is peered with RS:
■ Perform mitigation via BGP route withdrawal (phase 2.1)
○ Culprit AS is NOT peered with RS:
■ Perform mitigation via ACL on the ingress PE (phase 2.3)
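As an added illustration (not code from the presentation or the AMS-IX project), the threshold comparison of phase 1.1 and the culprit-AS step of phase 1.2 worked through in Python on constructed sFlow-style samples: traffic is scaled by the sampling rate, aggregated per announced destination prefix and per source AS, compared with the PoC's 150 Mbit threshold, and the source ASes whose current rate departs from a constructed historical baseline are flagged. The prefixes, AS numbers, sampling rate, baseline and the factor-of-two rule are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Added example (not from the presentation): threshold-based detection per
# destination prefix (phase 1.1) and culprit-AS identification against a
# historical baseline (phase 1.2). Every value below is constructed.
SAMPLING_RATE = 1000          # 1-in-1000 sFlow sampling (assumed)
WINDOW_S = 4                  # analysis window, as the PoC's 4 s analysis
THRESHOLD_BPS = 150_000_000   # PoC threshold: 150 Mbit/s

# Prefixes the victim CE announces via the route server (RFC 5737 ranges).
VICTIM_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("198.51.100.0/24")]

# Constructed samples: (source AS, destination IP, frame bytes).
CURRENT_SAMPLES = (
    [(64501, "203.0.113.10", 1400)] * 60     # burst from AS64501
    + [(64502, "203.0.113.10", 1400)] * 10   # AS64502 near its usual level
    + [(64503, "198.51.100.7", 800)] * 12    # traffic to the second prefix
    + [(64504, "192.0.2.5", 1400)] * 5       # not a victim prefix, ignored
)
# Constructed historical bps per source AS towards 203.0.113.0/24.
HISTORICAL_BPS = {"203.0.113.0/24": {64501: 20_000_000, 64502: 30_000_000}}

def match_prefix(dst_ip, prefixes):
    """Longest-prefix match of dst_ip against the announced prefixes, or None."""
    addr = ipaddress.ip_address(dst_ip)
    hits = [p for p in prefixes if addr in p]
    return max(hits, key=lambda p: p.prefixlen) if hits else None

def sample_bps(frame_bytes):
    """Bit rate one sample stands for: bytes * 8 * sampling rate over the window."""
    return frame_bytes * 8 * SAMPLING_RATE / WINDOW_S

def bps_per_prefix_and_as(samples, prefixes):
    """Aggregate estimated bps as {prefix: {source AS: bps}}."""
    agg = defaultdict(lambda: defaultdict(float))
    for src_as, dst_ip, frame_bytes in samples:
        prefix = match_prefix(dst_ip, prefixes)
        if prefix is not None:
            agg[str(prefix)][src_as] += sample_bps(frame_bytes)
    return agg

def exceeded_prefixes(agg, threshold=THRESHOLD_BPS):
    """Prefixes whose summed bps is above the threshold (step 5 of phase 1.1)."""
    return sorted(p for p, per_as in agg.items() if sum(per_as.values()) > threshold)

def culprit_ases(agg, prefix, historical, factor=2.0):
    """Source ASes sending more than `factor` times their historical rate to the
    prefix, plus ASes with no history for it (step 1 of phase 1.2)."""
    baseline = historical.get(prefix, {})
    return sorted(src_as for src_as, bps in agg[prefix].items()
                  if src_as not in baseline or bps > factor * baseline[src_as])

if __name__ == "__main__":
    agg = bps_per_prefix_and_as(CURRENT_SAMPLES, VICTIM_PREFIXES)
    for prefix in exceeded_prefixes(agg):
        print(prefix, "exceeded; culprit AS(es):", culprit_ases(agg, prefix, HISTORICAL_BPS))
```

With these constructed samples only 203.0.113.0/24 exceeds the threshold (196 Mbit/s estimated) and only AS64501 is flagged, which is the list the customer would be shown before choosing what to mitigate.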
CE Route Withdrawal Mitigation (2.1)
● Instruct the RS to withdraw the destination prefix to culprit
○ Wait for <BGP_convergence_timeout>
● Threshold is still exceeded:
○ Method unsuccessful, restore original BGP announcement
○ Perform mitigation via BGP blackhole next-hop (phase 2.2)
● Threshold is NOT exceeded:
○ Continue mitigation until DDoS no longer active
○ DDoS stopped or mitigation still working?
CE Blackhole Next-hop Mitigation (2.2)
● Instruct the RS to announce blackhole next-hop to culprit
○ Wait for <BGP_convergence_timeout>
● Threshold is still exceeded:
○ Method unsuccessful, restore original BGP announcement
○ Perform mitigation via L2 ACL (phase 2.3)
● Threshold is NOT exceeded:
○ Continue mitigation until DDoS no longer active
○ Monitor on ingress PE
PE L2 ACL Mitigation (2.3)
● Determine MAC addresses and DDoS ingress PE
● Instruct the PE to set up L2 ACL on the ingress PE
○ Based on source CE and destination CE
○ Wait for <ACL_timeout>
● Threshold is still exceeded:
○ Identification unsuccessful, remove ACL and go to phase 1.1
● Threshold is NOT exceeded:
○ Continue mitigation until DDoS no longer active
○ Monitor on ingress PE
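The three-way mitigation of phases 2.1, 2.2 and 2.3 as a small Python state machine, added here as an example and not part of the original presentation or its proof of concept. It uses the PoC's 10 s BGP convergence timeout and 4 s analysis window; the ACL timeout value, the action strings and the `still_exceeded` callback that stands in for the DTA/CTA re-measurement are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added example (not the project's code): the three-way mitigation workflow,
# phases 2.1 -> 2.2 -> 2.3, as a small state machine. Timeouts follow the PoC
# (10 s BGP convergence, 4 s analysis); the ACL timeout value is an assumption.
BGP_CONVERGENCE_TIMEOUT_S = 10
ACL_TIMEOUT_S = 10   # the slides only name <ACL_timeout>; value assumed here
ANALYSIS_S = 4

@dataclass
class Outcome:
    successful_phase: Optional[str] = None   # "2.1", "2.2", "2.3" or None
    elapsed_s: int = 0                       # time of the final decision
    actions: list = field(default_factory=list)

def _attempt(out, t, phase, apply, undo, timeout, still_exceeded):
    """Apply one method, wait its timeout plus analysis, then re-check the threshold."""
    out.actions.append(f"{t}s {apply}")
    t += timeout
    out.actions.append(f"{t}s {phase} timeout expired")
    t += ANALYSIS_S
    if still_exceeded(phase):
        out.actions.append(f"{t}s {phase} unsuccessful; {undo}")
        return t, False
    out.actions.append(f"{t}s {phase} successful, keep mitigating until the DDoS stops")
    return t, True

def run_mitigation(peered_with_rs, still_exceeded, t0=0):
    """Walk the phases until one clears the threshold or all of them fail.

    still_exceeded(phase) stands in for the DTA/CTA re-measurement after each
    timeout. BGP methods are only tried when the culprit AS peers with the route
    server (phase 1.2); a failed BGP method restores the original announcement,
    a failed ACL is removed and the flow returns to identification (1.1)."""
    out, t = Outcome(), t0
    methods = []
    if peered_with_rs:
        methods += [
            ("2.1", "RS: withdraw victim prefix towards culprit AS",
             "RS: re-announce victim prefix", BGP_CONVERGENCE_TIMEOUT_S),
            ("2.2", "RS: announce blackhole next-hop for victim prefix to culprit AS",
             "RS: restore original next-hop", BGP_CONVERGENCE_TIMEOUT_S),
        ]
    methods.append(("2.3", "PE: install L2 ACL (src CE MAC -> dst CE MAC) on ingress PE",
                    "PE: remove ACL, return to identification (1.1)", ACL_TIMEOUT_S))
    for phase, apply, undo, timeout in methods:
        t, ok = _attempt(out, t, phase, apply, undo, timeout, still_exceeded)
        if ok:
            out.successful_phase = phase
            break
    out.elapsed_s = t
    return out

def scripted(failing_phases):
    """Threshold check that stays exceeded only for the listed phases (a test stand-in)."""
    return lambda phase: phase in failing_phases
```

`run_mitigation(True, scripted(set()), t0=27)` reproduces scenario 1 of the PoC (2.1 timeout at 37 s, success at 41 s), and `run_mitigation(False, scripted(set()), t0=25)` the non-peered path that goes straight to the ACL.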
Proof of Concept
● Focused on mitigation phases
○ Prefix identification, DTA, culprit AS identification
● Four different scenarios
○ Peered with RS:
■ 2.1 ✔
■ 2.1 ✘, 2.2 ✔
■ 2.1 ✘, 2.2 ✘, 2.3 ✔
○ Not peered with RS:
■ 2.3 ✔
Mitigation   Scenario 1   Scenario 2   Scenario 3   Scenario 4
2.1          ✔
2.2          ✘            ✔
2.3          ✘            ✘            ✔
2.4          ✘            ✘            ✘            ✔
Proof of Concept cont'd
● The DTM here also functions as the statistics collector
● FastNetMon: DDoS detector that supports multiple packet capture engines
● iPerf to generate traffic
Proof of Concept cont'd
● Culprit AS is peered with RS
● BGP route withdrawal mitigation (2.1)
● Converge timeout: 10s, analysis: 4s
● 50Mbit normal traffic, 150Mbit threshold
Figure: Mitigation Scenario 1, BPS (Mbit) and threshold (Mbit) over time (s)
● Threshold detected and performing 2.1 mitigation at 27s
● 2.1 converge timeout at 37s
● 2.1 mitigation successful at 41s
Proof of Concept cont'd
● Culprit AS is peered with RS
● BGP route withdrawal mitigation unsuccessful (2.1)
● BGP blackhole next-hop mitigation (2.2)
Figure: Mitigation Scenario 2, BPS (Mbit) and threshold (Mbit) over time (s)
● Threshold detected and performing 2.1 mitigation at 26s
● 2.1 converge timeout at 36s
● 2.1 NOT successful and performing 2.2 mitigation at 40s
● 2.2 converge timeout at 44s
● 2.2 mitigation successful at 55s
Proof of Concept cont'd
● Culprit AS is peered with RS
● BGP route withdrawal mitigation unsuccessful (2.1)
● BGP blackhole next-hop mitigation unsuccessful (2.2)
● Ingress PE L2 ACL mitigation (2.3)
Figure: Mitigation Scenario 3, BPS (Mbit) and threshold (Mbit) over time (s)
● Threshold detected and performing 2.1 mitigation at 27s
● 2.1 converge timeout at 37s
● 2.1 mitigation NOT successful and performing 2.2 mitigation at 41s
● 2.2 converge timeout at 51s
● 2.2 mitigation NOT successful and performing 2.3 mitigation at 55s
Proof of Concept cont'd
● Culprit AS is NOT peered with RS
● Ingress PE L2 ACL mitigation (2.3)
Figure: Mitigation Scenario 4, BPS (Mbit) and threshold (Mbit) over time (s)
● Threshold detected and 2.3 mitigation at 25s
Discussion
● Usage of route server and statistics collector
● BGP convergence time (too long?)
● Layer 3 ACL
○ IXP environment: focus on layer 2 mitigation
● Fine-grained thresholds (time of day)
● Present more details to customer
Conclusion
● Thresholds and Three-way mitigation
● Identification requires layer 3 analysis (prefixes)
● Mitigation achieved on layer 2
○ BGP TE
○ IXP perspective
Future Work
● Different mitigations per type of attack
○ More advanced threshold metrics
● Testing with different sample rates
● Test scalability of the design
● Expand proof of concept
○ Identification phase
● Other methods of identification
○ Unsupervised/supervised learning
Questions
References
[1] ABN AMRO Group. Service temporarily disrupted by DDoS attacks (Jan 2018). Available at https://www.abnamro.com/en/newsroom/newsarticles/2018/service-temporarily-disrupted-by-ddos-attacks.html (Accessed on 01/06/2018)
[2] Cyberscoop. Arbor: DDoS attacks growing faster in size, complexity (Jan 2018). Available at https://www.cyberscoop.com/ddos-attacks-growing-arbor-networks/ (Accessed on 01/06/2018)
[3] DDoSDB. Collecting and Sharing the most important information of DDoS attacks. Available at https://ddosdb.org/ (Accessed on 14/06/2018)