Withstanding Multimillion-Node Botnets Colin Dixon Arvind Krishnamurthy, Tom Anderson Affiliates...
Withstanding Multimillion-Node Botnets
Colin Dixon, Arvind Krishnamurthy, Tom Anderson
Affiliates Day, 2007
Botnets
A botnet is a large group of infected computers controlled by a hacker.
Used to:
- Send spam
- Steal personal information
- Launch DDoS attacks
  - Extortion/protection rackets
  - Attack rivals
Botnets are Big
- Total bots: 6 million [Symantec]; 150 million [Vint Cerf]
- Single botnets have numbered 1.5 million
- Average upload bandwidth: 3 Mb/s
- Back of the envelope: 4.5-450 Tb/s of attack traffic (1.5 million to 150 million bots at 3 Mb/s each)
- Enough to flood many core links and small-to-medium ISPs
How DoS Works
(diagram)
Our ApproachOur Approach
Swarm of Swarm of machines machines forward trafficforward traffic
Explicitly Explicitly request each request each packetpacket
Attacks must Attacks must down all down all mailboxes and mailboxes and thus all pathsthus all paths
Mailboxes
- A large number of machines offer to carry traffic for certain destinations
- Rather than forwarding it immediately, they buffer traffic until a request is received
- This building block provides two key advantages:
  - Filtering logic is left at the destination
  - The system as a whole is fail-stop
The Mailbox
(diagram)
Many Mailboxes
- Send traffic randomly among mailboxes
- A botnet can take down one mailbox
- But communication continues
- Diluted attacks against all mailboxes fail
Remaining Details
- Attackers can ignore the mailboxes and just attack the server (Filtering Ring)
- Before a connection starts, the server has no way of knowing which packets to request (General Requests)
Filtering Ring
- Keeps a list of requested packets
- Drops all unrequested packets
- Protects thin access links
- Deployed in depth to counter “insider attacks”
General Requests
- First packets are unexpected => the server can't request them
- The filtering ring prevents unrequested packets from reaching the server
- Solution: issue some small number of general requests to the mailboxes
  - Allow “first packets” through the filtering ring
  - Provides admission control
  - Limit access by auth tokens & crypto-puzzles
Complete System
- Look up the mailboxes for a server from a distributed name service (CoDoNS)
- Contact one mailbox for a puzzle
- Present a solution and wait
- Mailbox forwards the solution to the server
- Server responds and begins to request packets
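The connection setup and per-packet request discipline on the Filtering Ring, General Requests and Complete System slides, as an added Python model. This is not the authors' code; the class and function names, the hashcash-style SHA-256 puzzle with a 10-bit difficulty, the idea of pre-issuing a fixed number of general requests per mailbox, and the server trusting the mailbox-issued nonce as fresh are all assumptions made for the example. The name-service lookup is replaced by a fixed list of four mailboxes.

```python
import hashlib
import random

PUZZLE_BITS = 10  # assumed difficulty: SHA-256(nonce || solution) must start with this many zero bits


def puzzle_ok(nonce, solution):
    """Verify a hashcash-style puzzle (the slides say only 'crypto-puzzles')."""
    digest = hashlib.sha256(nonce + solution.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - PUZZLE_BITS) == 0


def solve_puzzle(nonce):
    """Brute-force the puzzle: the work a client must spend before it is admitted."""
    x = 0
    while not puzzle_ok(nonce, x):
        x += 1
    return x


def non_solution(nonce):
    """Smallest value that fails the puzzle; models a client that skips the work."""
    x = 0
    while puzzle_ok(nonce, x):
        x += 1
    return x


class FilteringRing:
    """Filter on the server's access link: keeps the list of requested packet ids,
    lets each requested packet through exactly once and drops everything else."""

    def __init__(self):
        self.requested = set()
        self.dropped = 0

    def request(self, packet_id):
        self.requested.add(packet_id)

    def admit(self, packet_id):
        if packet_id in self.requested:
            self.requested.discard(packet_id)
            return True
        self.dropped += 1
        return False


class Mailbox:
    """Buffers packets for the server and forwards one only when the server asks for it."""

    def __init__(self, rng):
        self.rng = rng
        self.buffer = {}            # packet id -> payload, held until requested
        self.general_requests = []  # request ids the server pre-issued for unexpected first packets

    def new_puzzle(self):
        return self.rng.getrandbits(64).to_bytes(8, "big")

    def store(self, packet_id, payload):
        self.buffer[packet_id] = payload

    def forward(self, packet_id, ring):
        payload = self.buffer.pop(packet_id, None)
        return payload if payload is not None and ring.admit(packet_id) else None

    def forward_first_packet(self, payload, ring):
        """A first packet has no per-packet request, so it consumes one general request."""
        if not self.general_requests:
            return None  # admission control: no general request left, the client must wait
        return payload if ring.admit(self.general_requests.pop()) else None


def run(clients=("alice",), cheaters=(), general_per_mailbox=1, n_packets=3, n_junk=50, seed=1):
    """Connection setup for each client, then a direct flood of unrequested packets at the server."""
    rng = random.Random(seed)
    ring = FilteringRing()
    mailboxes = [Mailbox(rng) for _ in range(4)]
    for i, mb in enumerate(mailboxes):  # server pre-issues a few general requests per mailbox
        for j in range(general_per_mailbox):
            ring.request(("general", i, j))
            mb.general_requests.append(("general", i, j))
    admitted, delivered = {}, []
    for c in clients:
        mb = mailboxes[0]  # every client asks the same mailbox so the general-request limit is visible
        nonce = mb.new_puzzle()
        solution = non_solution(nonce) if c in cheaters else solve_puzzle(nonce)
        first = mb.forward_first_packet((c, nonce, solution), ring)
        # the server checks the forwarded solution (simplification: the mailbox nonce is trusted as fresh)
        admitted[c] = first is not None and puzzle_ok(first[1], first[2])
        for k in range(n_packets if admitted[c] else 0):
            rng.choice(mailboxes).store((c, k), f"{c}-{k}")  # client spreads packets over random mailboxes
            ring.request((c, k))                              # server explicitly asks for this packet
            delivered += [p for p in (m.forward((c, k), ring) for m in mailboxes) if p is not None]
    junk_dropped = sum(not ring.admit(("junk", j)) for j in range(n_junk))  # attacker bypasses mailboxes
    return {"admitted": admitted, "delivered": delivered, "junk_dropped": junk_dropped, "ring_dropped": ring.dropped}
```

Running `run()` shows the three properties the slides claim: a client that solves the puzzle is admitted and every packet it leaves in a mailbox arrives once the server asks for it; a second client is refused when the mailbox's general requests are exhausted (`run(clients=("alice", "bob"))`) or when its puzzle solution is wrong; and packets fired straight at the server without a matching request are all dropped by the ring, so the only filtering logic that runs is the server's own decision to request.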
Key Features
- Unilaterally deployable
  - Pay Akamai for mailboxes
  - Pay the upstream ISP to install the filtering ring
- Server is in complete control
  - Explicitly asks for each packet
  - Is not required to trust any given mailbox
  - System is fail-stop
Latency
(graph)
DoS Resilience
- Established connection
- Attack kills some mailboxes
- “Goodput” decreases
- Client sends faster (more redundantly) to compensate
(graph)
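The dilution argument on the Many Mailboxes slides and the redundancy reaction on the DoS Resilience slides, as one added Python model that is not the authors' code. The function names, the closed form `1 - f^k` for the delivery probability, the probe sizes, and the per-mailbox bandwidth parameter in `attacker_cost` are assumptions; the example goes slightly beyond the slides in also counting how many mailboxes an attacker must take down before goodput falls below a threshold.

```python
import random


def goodput(n_mailboxes, dead_fraction, redundancy, n_packets=10000, seed=7):
    """Fraction of packets that reach the server when a `dead_fraction` of the mailboxes has been
    taken down and the client sends each packet to `redundancy` distinct, randomly chosen mailboxes.
    A packet gets through if at least one copy sits in a live mailbox the server can request from."""
    rng = random.Random(seed)
    dead = set(rng.sample(range(n_mailboxes), int(dead_fraction * n_mailboxes)))
    got = sum(any(m not in dead for m in rng.sample(range(n_mailboxes), redundancy)) for _ in range(n_packets))
    return got / n_packets


def expected_goodput(dead_fraction, redundancy):
    """Closed form for many mailboxes: a packet is lost only if all its copies land on dead ones."""
    return 1 - dead_fraction ** redundancy


def adapt_redundancy(n_mailboxes, dead_fraction, target, max_redundancy=8, probe_packets=5000):
    """The client-side reaction on the slides: when goodput drops, send more copies of each
    packet until goodput is back above `target`. Returns the redundancy factor settled on,
    which is also the bandwidth multiplier the client now pays."""
    k = 1
    while k < max_redundancy and goodput(n_mailboxes, dead_fraction, k, probe_packets) < target:
        k += 1
    return k


def attacker_cost(n_mailboxes, per_mailbox_bandwidth, redundancy, target_goodput):
    """Mailboxes an attacker must take down before goodput falls below `target_goodput`, and the
    bandwidth that needs; the total grows with the number of mailboxes, not with the server's link."""
    for dead in range(n_mailboxes + 1):
        if expected_goodput(dead / n_mailboxes, redundancy) < target_goodput:
            return dead, dead * per_mailbox_bandwidth
    return n_mailboxes, n_mailboxes * per_mailbox_bandwidth
```

With 100 mailboxes and half of them killed, a client sending one copy per packet sees goodput near 0.5; `adapt_redundancy(100, 0.5, 0.9)` settles on four copies per packet, the "send faster to compensate" step. `attacker_cost` makes the dilution point from the other side: spreading the same attack over all mailboxes only helps the attacker if it can take enough of them down at once, and every extra unit of client redundancy raises that number.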
Conclusions
- We have presented a system to mitigate Denial of Service attacks that can be unilaterally deployed today
- Performance is reasonable with few optimizations; there is still room for improvement
- It can scale to deal with the massive botnets of today and tomorrow
Questions?