Phalanx: Withstanding Multimillion-Node Botnets
description
Transcript of Phalanx: Withstanding Multimillion-Node Botnets
Phalanx: WithstandingMultimillion-Node
BotnetsColin Dixon Arvind Krishnamurthy Tom Anderson
University of WashingtonNSDI 2008
Why isn’t this a solved problem? Solved for static content
Replicate everywhere Large CDNs (Akamai, CoDeeN, Coral)
Potentially solved if we can replace all routers Promising “clean slate” academic research .
. . . . . but, pervasive bots require universal
deployment Unsolved for dynamic content on the
Internet today VoIP, e-govt, e-commerce, AJAX web apps,
etc. Can we use a pervasive set of machines
(i.e., a CDN) to solve the problem? Without changing every router?
Key Ideas Tie fate of a server to a large part of the
Internet Goals
Deployable – without changing all ISPs or all routers
Scalable – to terabit attacks w/millions of attackers
Mechanisms Packet Mailboxes Secure Random Multipathing Filtering Ring
Let’s go design it!
Simple Proxy Use nodes as
proxies They can make
filtering decisions Forward
remaining traffic to server
How do they make filtering decisions?
Do we trust them?
How does the network know we trust them?
Mailbox Use nodes as
mailboxes Hold each packet
for an explicit request
Policy at destination
Don’t trust mailboxes
Explicitly express trust to the network
Still, any single node is vulnerable to attack
Secure Random Multipathing
Send traffic randomly among mailboxes
According to shared secret sequence
Secure Random Multipathing
Send traffic randomly among mailboxes
According to shared secret sequence
Botnet can take down one mailbox
Secure Random Multipathing
Send traffic randomly among mailboxes
According to shared secret sequence
Botnet can take down one mailbox
But communication continues
Secure Random Multipathing
Send traffic randomly among mailboxes
According to shared secret sequence
Botnet can take down one mailbox
But communication continues
Diluted attacks against all mailboxes fail
Secure Random Multipathing Sequence of mailboxes
Negotiate secret X at connection setup Construct a secret sequence based on X
x0 = h(X,X), xi = h(xi-1,X) Use xi to name that packet and select
mailbox Also a lightweight authenticator
Need a multipath congestion control algorithm
Filtering Ring Attackers can
ignore the mailboxes and just attack the server
Need to drop unrequested traffic in the network
request/response framework signals the network
blacklist
whitelist
blacklist
whitelist
xi xi
blacklist
whitelistxi
Filtering Ring
req: xi
data: xi
req: xi
data: xi
data: xi
req: xi
Connection Setup So far, we protect established
connections How do clients initiate connections? Server issues “first packet” requests Mediate access to these requests
Computational puzzles (Portcullis-style) Per-computation fair queueing
Authentication tokens For small deployments w/known principals
Example
Example Get static content
and applet from CDN (1)
Connection setup Get/solve puzzle
(2) Server issues first
packet request (3) First packet &
request paired and sent (4,5)
Server returns mailbox list and secret X (6)
Protected comm. (7)
Example Get static content
and applet from CDN (1)
Connection setup Get/solve puzzle
(2) Server issues first
packet request (3) First packet &
request paired and sent (4,5)
Server returns mailbox list and secret X (6)
Protected comm. (7)
Example Get static content
and applet from CDN (1)
Connection setup Get/solve puzzle
(2) Server issues first
packet request (3) First packet &
request paired and sent (4,5)
Server returns mailbox list and secret X (6)
Protected comm. (7)
Example Get static content
and applet from CDN (1)
Connection setup Get/solve puzzle
(2) Server issues first
packet request (3) First packet &
request paired and sent (4,5)
Server returns mailbox list and secret X (6)
Protected comm. (7)
Example Get static content
and applet from CDN (1)
Connection setup Get/solve puzzle
(2) Server issues first
packet request (3) First packet &
request paired and sent (4,5)
Server returns mailbox list and secret X (6)
Protected comm. (7)
Example Get static content
and applet from CDN (1)
Connection setup Get/solve puzzle
(2) Server issues first
packet request (3) First packet &
request paired and sent (4,5)
Server returns mailbox list and secret X (6)
Protected comm. (7)
Evaluation Microbenchmarks on PlanetLab (see
paper) Simulation
Based on gathered topology data PlanetLab node serve as stand in for server 7200 Akamai nodes as mailboxes Attacker bandwidth from BT measurements
(avg 3Mb)
Protection vs. Deployment
All mailboxes see less than 30% “goodput”
60% of mailboxes see no loss
20% of mailboxes see high loss
Even a moderate deployment (7200 10 Mb mailboxes and only the victim AS filtering) has huge benefit against large botnets (100k nodes)
Scalability
Any fixed deployment will reach it’s limit at some point . . .
Scalability
40% of mailboxes see no loss even vs. 4 mil. attackers w/36k mbxes
. . . but, a more significant deployment can deal with botnets an order of magnitude larger than those of today. 36,000 100 Mbit mailboxes.
Related Work CDNs (Akamai, Coral, CoDeeN)
Capabilities (SIFF, TVA) Overlays (SOS, MayDay, Spread
Spectrum) Resource Proofs (Speak Up, Portcullis) Architecture (Secure-i3, Off By Default) Filtering (AITF, dFence, CenterTrack,
Pushback)
Wireless Frequency Hopping
Conclusions Ties one server’s fate to the fate of the
Internet Scales to deal with attacks of today and
tomorrow Deployable
Use CDN for mailboxes Use upstream ISP to install filtering ring
Server is in control Explicitly asks for each packet Implements it’s own policies locally Is not required to trust any given mailbox
Questions?