Tiered Incentives for Integrity Based Queuing
Fariba Khan, Carl A. Gunter
University of Illinois at Urbana-Champaign

Outline
• Problem setting
• Challenges and existing work
• Infrastructures for IBQ
• Queuing
• Analytic and experimental results
Internet DDoS Attack
• Finding the source of an attack is difficult
• It is often difficult to detect an attack packet
• Legitimate clients still have to get through
• Could we make it so that the volume of attack packets matters less?
Fair-queuing
• Could we figure out that she is the good guy and let her skip the long line?
• No: a router cannot tell whether a packet is from an Alice or an Eve
• Maybe give everybody the opportunity to send one packet
• No one gets to send a million
Figure: head-of-line blocking in a single FIFO queue (Eve 1, Eve 2, Alice 1, Eve 3, Alice 2, Eve 4, Alice 3), contrasted with separate queues holding all Alice's packets and all Eve's packets.
Fair-queue: Head of Line Blocking
Figure: queues labelled Alice 1 through Alice 7 alongside Eve, illustrating head-of-line blocking under fair queuing.
Performance of Integrity Protection and Fairness
ns2 simulation setup: depth 10, 1024 clients/flows, 10 Mbps links, 102 attackers, 10 Mbps per attacker, client bandwidth 0.01 Mbps

Client packet success (%), read from the bar chart:

Scenario                       | Client packet success (%)
No attack, no defense          | 100
Attack, no defense             | 3.78
Attack, FQ, no spoofing        | 100
Attack, FQ, spoofing           | 4.34
Attack, FQ, spoofing (20%)     | 45
Source Address Validation
• Ingress filtering (RFC 2827) is neither complete (not universally deployed) nor verifiable (a receiver cannot tell whether a source's ISP filters)
• The IP of a filtered domain can still be spoofed
  – from within the same domain
  – from an unfiltered domain
Figure: a tree of routers leading to hosts 1 through 8, with each link labelled by the address range it accepts (1-8 at the top, 1-4 below it, then 1,2 and 3,4 at the leaves); a host can spoof any address in the range its upstream link accepts.
Motivation
• The effectiveness of fair-queuing depends on accurate flow classification.
• Even with partial authentication, legitimate flows can still be impersonated by flows with spoofed origin addresses.
• As legitimate flows are choked, an ISP cannot see the benefit of deploying filtering or an advanced protocol.
• Goal: a client's received level of service ∝ its ISP's participation
Concept: Integrity Based Queuing (IBQ)
• High integrity
  – Highly effective queuing
  – Each flow gets its own bucket
• Medium integrity
  – Less effective service
  – Rate-limited flows
  – Shared buckets
• Low integrity
  – Generic service
  – Rate limited
  – Least priority
Cycle of Network Assurance
Figure: a cycle Effort → Integrity → Defense → Service → Incentive → (back to) Effort.
Design
• Integrity levels
• MAC
• Queue
Integrity Levels: Spoofing Index Table
• Strict filtering vs regular filtering:
  – The address range is divided into smaller subdomains
  – Spoofing is restricted to within that subdomain only
• Example:
  – At the University of Illinois a host can spoof the 511 neighboring addresses within its /23 prefix
  – Spoofing index = 9 (a /23 block holds 2^9 = 512 addresses) for the University of Illinois, or AS3
• A spoofing index table for all autonomous systems is made available to routers [BB05]
MAC
RFC 4301, YPS03, YWA05, LLY08, GH09, YL09
Queue
Decision flow for an arriving packet:
• MAC verified? No → low integrity queue
• MAC verified? Yes → look up the spoofing index of the source
  – Spoofing index = 0 → per-source high integrity queues
  – Spoofing index > 0 → per-integrity-block queues
Analytic Results
• α ≫ s ≫ β
• Spoofing index i
• Probability that A and B are in the same domain: $p = 1/2^{32-i}$ (there are $2^{32-i}$ blocks of $2^i$ addresses)
• Loss rate,
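The classifier and scheduler from the Design, Queue and Analytic Results slides, as an added worked example in Python (not the authors' code or their ns2 implementation). Assumptions: the MAC of the design is modelled as HMAC-SHA256 under a key shared between the verifying router and the originating ISP; the spoofing-index table is a constructed two-entry table; the scheduler is a plain round-robin with a per-block rate limit; and the traffic (Alice in an index-0 domain, Eve spoofing inside her /23 block, Mallory with no valid MAC) is constructed. The demo also counts the per-source flows that plain fair queuing would see for the same traffic, to contrast with IBQ's three tiers.

```python
"""Toy Integrity Based Queuing (IBQ): classify packets by MAC and spoofing
index, then schedule per-source, per-integrity-block and low-integrity queues.
Added example; MAC scheme, table contents and traffic are assumptions."""
import hashlib
import hmac
import ipaddress
from collections import OrderedDict, deque

# Assumption: the design's MAC is modelled as HMAC-SHA256 under a key shared
# between the verifying router and the originating ISP.
KEY = b"assumed-isp-shared-key"

# Assumption: constructed spoofing-index table. A domain filtered at /23 lets a
# host spoof the 2^9 addresses of its block (index 9); strict per-host
# filtering gives index 0.
SI_TABLE = [
    (ipaddress.ip_network("10.0.0.0/24"), 0),
    (ipaddress.ip_network("10.1.0.0/23"), 9),
]


def spoofing_index(src):
    """Index of the filtered domain containing src; None if the address is in
    no filtered domain (no address assurance at all)."""
    addr = ipaddress.ip_address(src)
    for net, si in SI_TABLE:
        if addr in net:
            return si
    return None


def same_domain_probability(i):
    """p = 1 / 2^(32 - i): chance that two random IPv4 addresses fall into
    the same block of 2^i addresses (the slide's analytic model)."""
    return 1 / 2 ** (32 - i)


def integrity_block(src, i):
    """All 2^i addresses a host could spoof map to one block id."""
    return int(ipaddress.ip_address(src)) >> i


def make_mac(src, payload):
    return hmac.new(KEY, src.encode() + payload, hashlib.sha256).digest()[:8]


def mac_verified(pkt):
    return hmac.compare_digest(make_mac(pkt["src"], pkt["payload"]), pkt["mac"])


def classify(pkt):
    """Return (tier, queue_key) following the Queue slide's decision flow."""
    if not mac_verified(pkt):
        return ("low", None)                 # no ISP attestation
    si = spoofing_index(pkt["src"])
    if si == 0:
        return ("high", pkt["src"])          # trustworthy address: own queue
    if si is None:
        return ("low", None)                 # MAC ok but address unfiltered
    return ("mid", integrity_block(pkt["src"], si))  # shared block bucket


class IBQ:
    def __init__(self, mid_rate=1):
        self.high = OrderedDict()   # per-source high-integrity queues
        self.mid = OrderedDict()    # per-integrity-block queues
        self.low = deque()          # single low-integrity queue
        self.mid_rate = mid_rate    # packets per block per round

    def enqueue(self, pkt):
        tier, key = classify(pkt)
        if tier == "high":
            self.high.setdefault(key, deque()).append(pkt)
        elif tier == "mid":
            self.mid.setdefault(key, deque()).append(pkt)
        else:
            self.low.append(pkt)

    def queue_counts(self):
        return (len(self.high), len(self.mid), len(self.low))

    def schedule_round(self, budget):
        """One round: every high queue first, then each block up to its rate
        limit, then leftover budget to the low queue."""
        out = []
        for q in self.high.values():
            if q and len(out) < budget:
                out.append(q.popleft())
        for q in self.mid.values():
            for _ in range(self.mid_rate):
                if q and len(out) < budget:
                    out.append(q.popleft())
        while self.low and len(out) < budget:
            out.append(self.low.popleft())
        return out


def packet(src, payload, forged=False):
    return {"src": src, "payload": payload,
            "mac": bytes(8) if forged else make_mac(src, payload)}


def demo(budget=4):
    """Constructed traffic: 3 Alice packets (index-0 domain), 200 Eve packets
    spoofing addresses inside her /23 block with valid MACs, 50 Mallory
    packets with no valid MAC. Returns (FQ flow count, IBQ queue counts,
    sources served in the first round)."""
    q = IBQ()
    pkts = [packet("10.0.0.5", b"alice-%d" % n) for n in range(3)]
    pkts += [packet(str(ipaddress.ip_address("10.1.0.0") + k), b"eve")
             for k in range(200)]
    pkts += [packet("192.0.2.9", b"mallory", forged=True) for _ in range(50)]
    for p in pkts:
        q.enqueue(p)
    fq_flows = len({p["src"] for p in pkts})  # what per-source FQ would see
    return fq_flows, q.queue_counts(), [p["src"] for p in q.schedule_round(budget)]
```

Under per-source fair queuing Eve's 200 spoofed addresses become 200 flows competing with Alice's one; under IBQ they collapse into a single rate-limited block bucket, Alice keeps her own high-integrity queue, and Mallory's unauthenticated packets only get the budget nobody else claims.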
Experimental Results
• 2000 clients, 256 AS, 16-512 attackers
• Client rate 64 kbps, attacker 64 Mbps
• Effort = integrity level = success

Experimental Results – Example Traffic VoIP
• Same setup: 2000 clients, 256 AS, 16-512 attackers
• Client rate 64 kbps, attacker 64 Mbps
Experimental Results: Two Attack Styles
Figure: loss rate (0.0 to 1.0) versus attacker bandwidth (0 to 30 Gbps) for three curves: FQ, low integrity; IBQ, high integrity; IBQ, mid integrity (si = 8, number of attackers increased).
Conclusion
• Thesis
  – Using IBQ gives legitimate users an avenue to communicate with a server while the network is under attack. The service they get relates directly to the effort their ISP has spent on integrity protection and validation, thus incentivizing that investment.
• Future work
  – Experiment with real DDoS attack data
  – Overhead measurement
  – Use of IBQ for network assurance
Thank You
Questions?
Other Work
[0] S. Khanna, S. S. Venkatesh, O. Fatemieh, F. Khan, and C. A. Gunter. Adaptive Selective Verification: An Efficient Adaptive Countermeasure to Thwart DoS Attacks. Submitted to IEEE/ACM Transactions on Networking (ToN).
[1] R. Bobba, O. Fatemieh, F. Khan, A. Khan, C. A. Gunter, H. Khurana, and M. Prabhakaran. Attribute-Based Messaging: Access Control and Confidentiality. In ACM Transactions on Information and System Security (TISSEC). (First three authors in alphabetic order.)
[2] Sanjeev Khanna, Santosh S. Venkatesh, Omid Fatemieh, Fariba Khan, and Carl A. Gunter. Adaptive Selective Verification. IEEE Conference on Computer Communications (INFOCOM '08), Phoenix, AZ, April 2008.
[3] Rakesh Bobba, Omid Fatemieh, Fariba Khan, Carl A. Gunter, and Himanshu Khurana. Using Attribute-Based Access Control to Enable Attribute-Based Messaging. IEEE Annual Computer Security Applications Conference (ACSAC '06), Miami, FL, December 2006. (First three authors in alphabetic order.)
[4] Fariba Khan. Using Attribute-Based Access Control to Enable Attribute-Based Messaging. Master's Thesis, University of Illinois, October 2006.
Fairness
• 1974: The Internet was designed with openness in mind
• 1989: FQ → active research for congestion control → RED
• 1999: FQ → again for congestion control → 40 Gbps
• 2005: FQ → active research for DDoS defenses
Related Work Analysis
• 1024 hosts
• 33 routers
• 32 subdomains
• Spoofing index: 8 (scaled down for the small topology)
• Links
  – 200 Mbps links, 10 ms delay
  – 5% of channel for requests (10 Mbps)
  – Bottleneck 1 Gbps, comparable to 40-100 Gbps Internet links
• 10% of hosts are attackers
• Attack bandwidth 100-700 Mbps
• 50 B request from a client