Practical Verifiable In-network Filtering for DDoS...
Transcript of Practical Verifiable In-network Filtering for DDoS...
![Page 1: Practical Verifiable In-network Filtering for DDoS Defensemuoitran/publications/vif-slides.pdfIn-network filtering: a promising DDoS mitigation •In-network filtering üallows the](https://reader033.fdocuments.us/reader033/viewer/2022060405/5f0f20697e708231d4429ed3/html5/thumbnails/1.jpg)
Practical Verifiable In-network Filtering for DDoS Defense
Deli Gong, Muoi Tran, Shweta Shinde, Hao Jin, Vyas Sekar, Prateek Saxena, Min Suk Kang
July 8, 2019 | Dallas, TX
![Page 2: Practical Verifiable In-network Filtering for DDoS Defensemuoitran/publications/vif-slides.pdfIn-network filtering: a promising DDoS mitigation •In-network filtering üallows the](https://reader033.fdocuments.us/reader033/viewer/2022060405/5f0f20697e708231d4429ed3/html5/thumbnails/2.jpg)
Large-scale volumetric DDoS attacks are common(distributed denial of service)
• Hundreds DDoS attacks occur daily*• Volume of DDoS traffic is escalating• New attack vectors (e.g., amplification)
and attack source (e.g., botnets)
(2013) (2018)* According to Kaspersky Lab’s report on DDoS attacks in Q1 2019
2
![Page 3: Practical Verifiable In-network Filtering for DDoS Defensemuoitran/publications/vif-slides.pdfIn-network filtering: a promising DDoS mitigation •In-network filtering üallows the](https://reader033.fdocuments.us/reader033/viewer/2022060405/5f0f20697e708231d4429ed3/html5/thumbnails/3.jpg)
In-network filtering: a promising DDoS mitigation
• In-network filtering ü allows the DDoS victim to install traffic filters nearer to attack sourceü not a new idea:
e.g., Pushback [SIGCOMM’02], D-WARD [ICNP’02], AITF [USENIX ATC’05], StopIt [SIGCOMM’08]ü installs at 1% of ISPs can mitigate 90% of DDoS attacks (SENSS [ACSAC’18])
AS* A
AS B
DDoS victimnetwork
filtering network transit networks
Filter rule: Drop 50% HTTPflows coming to my network
3
(* autonomous system)
![Page 4: Practical Verifiable In-network Filtering for DDoS Defensemuoitran/publications/vif-slides.pdfIn-network filtering: a promising DDoS mitigation •In-network filtering üallows the](https://reader033.fdocuments.us/reader033/viewer/2022060405/5f0f20697e708231d4429ed3/html5/thumbnails/4.jpg)
One ignored problem: In-network filtering creates ambiguity about packet drops
AS A
AS Btransit network
4
Without in-network filtering
AS A
AS B transit network within-network filtering
Packet dropsNetwork faults!
With in-network filteringNetwork faults or
legitimate filtering?Packet drops
What can go wrong because of this ambiguity?
![Page 5: Practical Verifiable In-network Filtering for DDoS Defensemuoitran/publications/vif-slides.pdfIn-network filtering: a promising DDoS mitigation •In-network filtering üallows the](https://reader033.fdocuments.us/reader033/viewer/2022060405/5f0f20697e708231d4429ed3/html5/thumbnails/5.jpg)
Filtering can be used as an excuse for discriminating neighboring ASes
5
AS A
AS B
DDoS victimnetwork
filtering network transit networks
Filter rule: Drop 50% HTTPflows coming to my networkDrop 0% traffic from A,
100% traffic from B
(e.g., AT&T)
(e.g., Comcast) (e.g., Level3)
![Page 6: Practical Verifiable In-network Filtering for DDoS Defensemuoitran/publications/vif-slides.pdfIn-network filtering: a promising DDoS mitigation •In-network filtering üallows the](https://reader033.fdocuments.us/reader033/viewer/2022060405/5f0f20697e708231d4429ed3/html5/thumbnails/6.jpg)
Filtering can be used as an excuse for discriminating neighboring ASes
6
AS A
AS B
DDoS victimnetwork
filtering network transit networks
Filter rule: Drop 50% HTTPflows coming to my networkDrop 0% traffic from A,
100% traffic from B
(e.g., AT&T)
(e.g., Comcast) (e.g., Level3)
(2014)
Several disputes already exist between transit networks
(2013)
![Page 7: Practical Verifiable In-network Filtering for DDoS Defensemuoitran/publications/vif-slides.pdfIn-network filtering: a promising DDoS mitigation •In-network filtering üallows the](https://reader033.fdocuments.us/reader033/viewer/2022060405/5f0f20697e708231d4429ed3/html5/thumbnails/7.jpg)
How to remove such an ambiguity?
77
AS A
AS B
DDoS victimnetwork
filtering network transit networks
Filter rule
Packets are beinglegitimately dropped! verify filteringpolicy & operation
Verifiability of filtering distinguishes legitimate DDoS mitigation from network faults
verify filteringoperation
![Page 8: Practical Verifiable In-network Filtering for DDoS Defensemuoitran/publications/vif-slides.pdfIn-network filtering: a promising DDoS mitigation •In-network filtering üallows the](https://reader033.fdocuments.us/reader033/viewer/2022060405/5f0f20697e708231d4429ed3/html5/thumbnails/8.jpg)
How to make the operations of in-network filtering verifiable?
8
![Page 9: Practical Verifiable In-network Filtering for DDoS Defensemuoitran/publications/vif-slides.pdfIn-network filtering: a promising DDoS mitigation •In-network filtering üallows the](https://reader033.fdocuments.us/reader033/viewer/2022060405/5f0f20697e708231d4429ed3/html5/thumbnails/9.jpg)
Our contributions
• We propose Verifiable In-network Filtering (VIF):ü Software networking functions with Trusted Execution
Environments (e.g., Intel SGX) as root of trust.
9
Scalable design Practical deploymentü multiple filters
run in parallelü at Internet Exchange
Points (IXPs)
Auditable filterü uses TEEsü is statelessü detects bypass
![Page 10: Practical Verifiable In-network Filtering for DDoS Defensemuoitran/publications/vif-slides.pdfIn-network filtering: a promising DDoS mitigation •In-network filtering üallows the](https://reader033.fdocuments.us/reader033/viewer/2022060405/5f0f20697e708231d4429ed3/html5/thumbnails/10.jpg)
VIF design: auditable filter with TEEs
• Filtering within Trusted Execution Environments (TEEs) (e.g., Intel SGX)ü Isolated executionü Remote attestation
10
enclavevictim
network
audit enclavedcode and state
protected memory
![Page 11: Practical Verifiable In-network Filtering for DDoS Defensemuoitran/publications/vif-slides.pdfIn-network filtering: a promising DDoS mitigation •In-network filtering üallows the](https://reader033.fdocuments.us/reader033/viewer/2022060405/5f0f20697e708231d4429ed3/html5/thumbnails/11.jpg)
TEEs alone is insufficient for auditable filter design!
11
![Page 12: Practical Verifiable In-network Filtering for DDoS Defensemuoitran/publications/vif-slides.pdfIn-network filtering: a promising DDoS mitigation •In-network filtering üallows the](https://reader033.fdocuments.us/reader033/viewer/2022060405/5f0f20697e708231d4429ed3/html5/thumbnails/12.jpg)
Challenge 1: Influence from malicious inputs
• Abstract model of the filtering function for packet 𝒑:𝐴𝐿𝐿𝑂𝑊,𝐷𝑅𝑂𝑃 ← 𝑓( 𝑝, 𝑡 , ( 𝑝/, 𝑡/ , 𝑝0, 𝑡0 , 𝑝1, 𝑡1 , … ))
12
…𝑝/, 𝑡/ 𝑝0, 𝑡0𝒑
ALLOW orDROP?
Arrival time Previous packets/packet order
Malicious packetsinserted
Trusted clockcan be tampered
![Page 13: Practical Verifiable In-network Filtering for DDoS Defensemuoitran/publications/vif-slides.pdfIn-network filtering: a promising DDoS mitigation •In-network filtering üallows the](https://reader033.fdocuments.us/reader033/viewer/2022060405/5f0f20697e708231d4429ed3/html5/thumbnails/13.jpg)
Solution: Stateless filter design
13
…𝑝/, 𝑡/ 𝑝0, 𝑡0𝒑
ALOW orDROP?
𝐴𝐿𝐿𝑂𝑊,𝐷𝑅𝑂𝑃 ← 𝑓( 𝑝 )
5-tuple (srcIP, srcPort, dstIP, dstPort, protocol)
• No reliance on packet arrival time and packet order
![Page 14: Practical Verifiable In-network Filtering for DDoS Defensemuoitran/publications/vif-slides.pdfIn-network filtering: a promising DDoS mitigation •In-network filtering üallows the](https://reader033.fdocuments.us/reader033/viewer/2022060405/5f0f20697e708231d4429ed3/html5/thumbnails/14.jpg)
Challenge 2: Traffic may be redirected to bypass filter
14
enclaveredirect
![Page 15: Practical Verifiable In-network Filtering for DDoS Defensemuoitran/publications/vif-slides.pdfIn-network filtering: a promising DDoS mitigation •In-network filtering üallows the](https://reader033.fdocuments.us/reader033/viewer/2022060405/5f0f20697e708231d4429ed3/html5/thumbnails/15.jpg)
Solution to filter bypass:Accountable logs for bypass detection
logs logs
packet logs
packet logs
filtering network
neighboring networks
• Accountable packet logging before and after filteringü Compare logs to detect bypass
𝒑 does not reach filter!Bypass detected!
𝒑
15
![Page 16: Practical Verifiable In-network Filtering for DDoS Defensemuoitran/publications/vif-slides.pdfIn-network filtering: a promising DDoS mitigation •In-network filtering üallows the](https://reader033.fdocuments.us/reader033/viewer/2022060405/5f0f20697e708231d4429ed3/html5/thumbnails/16.jpg)
victim network
packet logs
Solution to filter bypass:Accountable logs for bypass detection
logs logs
filtering network
• Accountable packet logging before and after filteringü Compare logs to detect bypass
drop
𝒑
𝒑 is droppedoutside TEEs!
transit networks
How to check if packets aredropped by a transit network?
16
![Page 17: Practical Verifiable In-network Filtering for DDoS Defensemuoitran/publications/vif-slides.pdfIn-network filtering: a promising DDoS mitigation •In-network filtering üallows the](https://reader033.fdocuments.us/reader033/viewer/2022060405/5f0f20697e708231d4429ed3/html5/thumbnails/17.jpg)
How does victim know who is dropping packets?
17
filtering network
• Victim network tests individual intermediate ASesü Rerouting inbound traffic using BGP poisoning (LIFEGUARD[SIGCOMM’12])ü Detour takes place in a few minutes and no collaboration needed (Nyx [S&P’18])
AS A
AS B
AS C
victim network
avoid AS BPackets are still dropped!à Filtering network
misbehaved!
logslogs
![Page 18: Practical Verifiable In-network Filtering for DDoS Defensemuoitran/publications/vif-slides.pdfIn-network filtering: a promising DDoS mitigation •In-network filtering üallows the](https://reader033.fdocuments.us/reader033/viewer/2022060405/5f0f20697e708231d4429ed3/html5/thumbnails/18.jpg)
Our contributions
18
Practical deploymentü at Internet Exchange
Points (IXPs)
Auditable filterü TEEsü statelessü bypass detection
Scalable designü multiple filters
run in parallel
![Page 19: Practical Verifiable In-network Filtering for DDoS Defensemuoitran/publications/vif-slides.pdfIn-network filtering: a promising DDoS mitigation •In-network filtering üallows the](https://reader033.fdocuments.us/reader033/viewer/2022060405/5f0f20697e708231d4429ed3/html5/thumbnails/19.jpg)
Deployment issue: Scalability
19
0
50
100
150
200
0
5
10
15
20
0 1,000 2,000 3,000 4,000 5,000 6,000 7,000 8,000 9,000 10,000
Memory footprint Throughput
MBMpps
• Performance issues when filtering within a single enclave:ü Memory footprint grows linearly with number of rulesü Throughput degrades when number of rules exceeds ~3,000
Number of rules
EPC limit (e.g., 92 MB)
![Page 20: Practical Verifiable In-network Filtering for DDoS Defensemuoitran/publications/vif-slides.pdfIn-network filtering: a promising DDoS mitigation •In-network filtering üallows the](https://reader033.fdocuments.us/reader033/viewer/2022060405/5f0f20697e708231d4429ed3/html5/thumbnails/20.jpg)
Solution to scalability issue: multiple SGX filters
• More in our paper:ü How trusted filters detect misbehaviors from untrusted componentsü A greedy solution to calculate filter rules among filtersü Filter rules redistribution 20
E0
filter
VIF Filtering Network
En-1
filter
…
per-enclave limitations:(1) # rules (3,000)(2) bandwidth (10 Gb/s)*
victim networkload balance
* Demonstrated by mbTLS (CoNEXT’17) on four SGX-core machines.
untrustedswitching fabric
untrustedcontroller
![Page 21: Practical Verifiable In-network Filtering for DDoS Defensemuoitran/publications/vif-slides.pdfIn-network filtering: a promising DDoS mitigation •In-network filtering üallows the](https://reader033.fdocuments.us/reader033/viewer/2022060405/5f0f20697e708231d4429ed3/html5/thumbnails/21.jpg)
Our contributions
21
Auditable filterü TEEsü statelessü bypass detection
Scalable designü multiple filters
run in parallel
Practical deploymentü at Internet Exchange
Points (IXPs)
![Page 22: Practical Verifiable In-network Filtering for DDoS Defensemuoitran/publications/vif-slides.pdfIn-network filtering: a promising DDoS mitigation •In-network filtering üallows the](https://reader033.fdocuments.us/reader033/viewer/2022060405/5f0f20697e708231d4429ed3/html5/thumbnails/22.jpg)
Deployment example
22
IXP
switch fabric
controller Enclave
filterrules
AS A
AS C
AS B
Enclave
filterrules
Enclave
filterrules
remote attestation
VIF filters
route control
• Internet Exchange Points (IXPs) :ü have peering relationship with hundreds ISPsü have flexible software-defined architecture
filter rule insertion victim network
SDX [SIGCOMM’15]iSDX [NSDI’16]FLANC [SOSR’16]
![Page 23: Practical Verifiable In-network Filtering for DDoS Defensemuoitran/publications/vif-slides.pdfIn-network filtering: a promising DDoS mitigation •In-network filtering üallows the](https://reader033.fdocuments.us/reader033/viewer/2022060405/5f0f20697e708231d4429ed3/html5/thumbnails/23.jpg)
Implementation• Overview
ü Intel SGX SDK for Linux 2.1ü Data Plane Development Kit (DPDK) 17.05.2
• Trusted computing base:ü modification of DPDK ip_pipeline (1,044 SLoC)ü packet logging and optimizations (162 SLoC)
• Two optimizations:ü Reducing context switches (more in our paper)ü Near-zero copy approach
23
1,206 SLoC
![Page 24: Practical Verifiable In-network Filtering for DDoS Defensemuoitran/publications/vif-slides.pdfIn-network filtering: a promising DDoS mitigation •In-network filtering üallows the](https://reader033.fdocuments.us/reader033/viewer/2022060405/5f0f20697e708231d4429ed3/html5/thumbnails/24.jpg)
Optimization: near-zero copy
24
Full packet copy
ü low memory usageü low packet-logging overhead
Enclave memory
Untrusted packet memory pool
NIC
filterpacketlogs
packetlogs
Rx Queues
Incoming packets
packet
packet
Tx Queues
Forwarded packets
allow!
drop!a/d?
allow or drop!
only when allowed
Enclave memory
Untrusted packet memory pool
NIC
filtersketch(srcIP)
sketch(5T)
Rx Queues
Incoming packets
Tx Queues
Forwarded packets
drop!
allow!
a/d?
allow or drop!
only when allowedpacket
5T sNear-zero copy
![Page 25: Practical Verifiable In-network Filtering for DDoS Defensemuoitran/publications/vif-slides.pdfIn-network filtering: a promising DDoS mitigation •In-network filtering üallows the](https://reader033.fdocuments.us/reader033/viewer/2022060405/5f0f20697e708231d4429ed3/html5/thumbnails/25.jpg)
Data-plane implementation
25
• Testbedü Packet generator ⟷ Filter machineü Measurement is done at packet generator
Packet Generatorü Intel E5-2630 v3 CPU
(2.40 GHz, 8 cores)ü 32 GB memoryü Ubuntu 16.04.3 LTSü Kernel version 4.10ü 10 GbE Intel X540-AT2
Filter Machineü Intel i7-6700 CPU
(3.40 GHz, 4 cores)ü 8 GB memoryü Ubuntu 16.04.3 LTSü Kernel version 4.10ü 10 GbE Intel X540-AT2
• Synthetic dataü 3,000 random filter rulesü 10 Gb/s traffic
Intel SGX
![Page 26: Practical Verifiable In-network Filtering for DDoS Defensemuoitran/publications/vif-slides.pdfIn-network filtering: a promising DDoS mitigation •In-network filtering üallows the](https://reader033.fdocuments.us/reader033/viewer/2022060405/5f0f20697e708231d4429ed3/html5/thumbnails/26.jpg)
Evaluation: Data-plane performance
26
• Throughput of near-zero copy:ü 8 Gb/s throughput even with smallest packet size (64 bytes)
0
2
4
6
8
10
64 128 256 512 1024 1500Packet size (bytes)
Native (no SGX) SGX with full packet copy SGX with near-zero copy
Throughput (Gb/s)
![Page 27: Practical Verifiable In-network Filtering for DDoS Defensemuoitran/publications/vif-slides.pdfIn-network filtering: a promising DDoS mitigation •In-network filtering üallows the](https://reader033.fdocuments.us/reader033/viewer/2022060405/5f0f20697e708231d4429ed3/html5/thumbnails/27.jpg)
Evaluation: VIF deployment at IXPs
• Simulation setup:ü Two real attack source data: 3 millions DNS resolvers and 250K Mirai botnetsü CAIDA AS relationship and IXP peering for building inter-domain topology
27
VIF at only top-5 IXPs per region mitigate up to 90% of attack
Ratio of attack source IPs handled by top-n IXPs per region
DNS resolvers Mirai botnets0
0.20.40.60.8
1
Top-1 Top-2 Top-3 Top-4 Top-5
![Page 28: Practical Verifiable In-network Filtering for DDoS Defensemuoitran/publications/vif-slides.pdfIn-network filtering: a promising DDoS mitigation •In-network filtering üallows the](https://reader033.fdocuments.us/reader033/viewer/2022060405/5f0f20697e708231d4429ed3/html5/thumbnails/28.jpg)
Conclusion
• VIF addresses the core issue of in-network filteringü Lack of filtering verifiability à ambiguity in handling
packet drops which can be exploited by malicious ISPs• VIF: the first auditable and scalable DDoS traffic filter• VIF takes advantages of:ü Trusted execution environments as the root of trustü Software-defined, line-rate packet processingü IXPs for practical deployment
28