Traffic-Adaptive Packet Filtering of Denial of Service Attacks

Transcription

1 Traffic-Adaptive Packet Filtering of Denial of Service Attacks Lukas Kencl, Christian Schwarzer Intel Research JJ Thomson Avenue, Cambridge, CB FD, United Kingdom {lukas.kencl, Abstract Traffic-adaptive packet filtering is a mechanism to adjust packet classification methods at run-time to the particular traffic mix a network node is receiving. It has been conjectured previously that such techniques could perform positively when filtering out malicious attack traffic, due to their flow aggregation capabilities. In this work, we present two novel contributions - a first ever working implementation of a traffic adaptive firewall, based on insertion of shortcuts into a search tree, and both a simulated and a real-life performance study of adaptive packet filtering under denial-of-service attack traffic, the outcomes of which support the above conjecture.. Introduction Recent interest in packet filtering, or packet classification, stems from the growing size of filter rule databases (i.e. Access Control Lists (ACLs)), used to protect ISPs and enterprise networks as well as individual hosts against attacks on the increasingly hostile Internet. Packet classification methods are also used in implementing Virtual Private Networks (VPNs) and in performing Traffic Engineering (TE). By packet classification we understand a task where multiple fields in the packet header are compared against rules in a classification table, to determine the applying rule with the highest priority. The rules can be a combination of a fixed match, prefix match or range match over various fields of the packet header. Classification rule bases can be very large (e.g. k rules []) and the search speed is a major performance factor. Executed per every packet, the search must be carried out within a tight time budget. As it usually requires a number of memory accesses, and memory latency lags behind processor and link transmission speed growth, optimization of data structures is critical. Efficient rule-based classification [6, 8,, ] has been a subject of extensive research. Often, a search tree is built over a pre-processed rule-set (as in the Hi-Cuts [8] and HyperCuts [] methods, see Fig. ). The methods are typically optimized for the worst case scenario, minimizing the depth of the search tree. However, neither the packet flows (sequences of packets sharing the same -tuple flow ID ) are distributed uniformly over the address- or rule-space, nor the popularity of flows in terms of packet count is uniform [7, ]. Previous studies [7] confirmed that some of the flow parameters are correlated (e.g. rate and size) and that small flows (mice) represent the majority, yet most of the traffic (in bytes) is concentrated in few big flows (elephants) []. These were shown to be persistent at least on a small time scale (holds for flow volumes []). In search trees this traffic bias is reflected as imbalance in the tree traversal patterns, as a vast majority of searches typically end in a tiny subset of tree leaves [, ]. This phenomenon has led to recent designs of traffic-aware classification methods [, ], aiming to obtain much superior average case performance, while bounding the worst case. As often in TE [], flows that carry most of the traffic are identified and treated differently to optimize resources utilization. While performing well under the typical Zipf-like patterns of normal networking traffic, it remained an open question how would such methods fare in presence of malicious traffic, such as a denial-of-service attack [9]. In the following, we experimentally validate the performance of the shortcut method [] under such conditions, showing that it actually adapts gracefully to the attack traffic. The -tuple flow ID is defined as: IP source and destination addresses, IP protocol number and TCP/UDP source and destination port numbers. Packet IP Source: IP Dest.: IP Source 9.6/ 9.8/ IP Destination 8.6/ 8.7/ Rule IP Source: /6 IP Destination: /7... Figure. Example of tree-based packet classification, as in Hi-Cuts [8].

2 . Traffic-Adaptive Packet Filtering The adaptive packet filtering method periodically introduces shortcuts into the search tree along frequently travelled paths, to reduce the number of memory accesses. Statistics about how the tree is traversed are collected continuously and read periodically. Reading counters in all the tree leaves is sufficient to recreate the entire traversal pattern of the tree, as the statistics can be aggregated in parent nodes all the way up to the root. With large trees, this operation may be prohibitive (e.g. in a tree of depth l = and node degree d =, about million leaf counters would have to be read). Heuristics and optimizations have been proposed to streamline the counter management [, ]. Shortcuts are further edges inserted into the tree, bypassing several nodes and aggregating the tests along that path (see Fig. ). Shortcuts are placed only along such paths where beneficial for the number of memory accesses saved. In this work, we use the previously proposed sequential shortcut placement heuristic by Bergamini and Kencl []. This Network of Shortcuts (NoS) placement algorithm traverses the tree in a top-down, left-to-right fashion, and at each node attempts to place the best shortcut in the node subtree, based on Local Gain, i.e. how many memory accesses would placing such a shortcut save. The complexity is O(N log d N), wheren is the total number of nodes. Variables used for evaluating the shortcut method performance are Total Gain, e.g. the total number of memory accesses saved by using the method (equal to the sum of Local Gains), and, which determines what fraction of memory accesses have been eliminated. If BMA is the number of memory accesses needed if using the original tree and AMA if using the shortcuts, Total Gain is defined as TGAIN =(BMA AMA) and as RGAIN = TGAIN/BMA. The NoS method performs a control loop, where periodically the statistics are read and the shortcuts for the next time interval are placed. The duration of the adaptation interval is determined on a few profiling runs by trading off the gain obtained by the shortcuts against the cost of recomputing the shortcuts and running the control loop. The method of prediction of the frequently travelled paths is open for further research. In this work, we place shortcuts as they would perform best on traffic in the previous time interval. The NoS method has been shown in [] to compare favorably with a similar sized cache. This is due to high aggregation of different flows along a single path, easily covered with shortcuts. Similarly, we conjecture that a shortcut method actually benefits from an exhaustive Denial-of- Service (DoS) Attack on the firewall, as the many different flow identifiers used in the attack packets gather along few paths in the search tree. a Figure. Shortcut example: a shortcut from a is inserted to reach hotspot e faster.. Implementation The traffic-adaptive packet filtering is implemented, on one hand, in MATLAB for fast prototyping and simulation and, on the other hand, in Linux for real-life experiments. Our Linux implementation is based on PTree [], a treebased packet classification package for Linux. that is implemented in three parts: a Java GUI front-end, a user-space back-end with tree compiler and a kernel module that hooks itself into the Linux protocol stack by means of the netfilter architecture. We enhanced the PTree implementation with modules that perform the adaptation to the network traffic conditions. The resulting architecture is shown in Fig.. Kernel modules execute the actual per-packet classification and the hit statistics collection on all the tree nodes. The creation of the search tree and the periodic recomputation of the shortcuts is performed in the user-space. The NoS module periodically pulls the hit statistics from the User Space PTree Front End GUI Kernel Space Packets IN PTree Back End NoS Module Rule Base Statistics Gathering b Search Tree NoS Placement NoS on PTree Packet Classification Kernel module Memory Node Monitoring Counters Tree NoS Shortcuts Figure. NoS Linux implementation. c d e Packets OUT

3 kernel to the user-space in order to compute a new shortcut placement. The new shortcuts are then downloaded to the kernel and added to the decision tree without updating the original search tree itself. The actual shortcuts are represented as enhanced copies of original tree nodes and stored at a different memory location than the classification tree. Branch and shortcut traversal is done by memory indirection, which doesn t affect the memory layout of the initial classification tree.. Experimental Validation We use two approaches to validate the shortcut concept. Firstly, we simulate the classification based on packet headers from real traces against realistic trees in MATLAB software. Secondly, the Linux kernel implementation of the adaptive classification method is used as a firewall over which a client is streaming a video from a server. Both in the simulated as well as in the real-life experiments, we evaluate the behavior and performance of the adaptive system in presence of a denial of service (DoS) attack... Simulated Experiments In order to make the simulated MATLAB experiments as realistic as possible we are not only using real network traces to extract -tuple packet header information, but also realistic rule sets to generate the classification tree. Two different real network traces are replayed against the packet classification tree. The dump trace was collected by the network monitor described in [] at a Gigabit Ethernet connection. The distributions of flow sizes, durations and rates can be considered to be in stationary regime. The prefix-preserving anonymized DDoS_Attack trace (as used in [9]) contains a distributed denial of service attack. The attack is a reflector attack that sends echo reply packets to a target victim. Basic statistics for the two traces are shown in Table. Fig. shows the scatter plot of IP destination address (-bit) vs. IP source address (- bit) of all flow IDs for both traces. The IP tuples of the DDoS_Attack trace occupy a much larger area of the total tuple space ( ) than those of the dump trace. This is probably caused by the anonymization scheme. Table. Trace statistics DDos Attack dump Total packets Distinct flow IDs 99 Attack packets - Attack flow IDs - First attack packet 7 - Last attack packet 69 - We evaluate the shortcut method on two instances of search trees. Firstly, on an artificial balanced and complete tree of degree and depth 9, where at each node the search space is partitioned into neighboring chunks of equal size. Secondly, a HyperCuts [] packet classification tree on IP source and destination fields is derived from rules with the filter set generator of the ClassBench suite [6], with default parameters: smoothness =, address scope = and application scope = -.. HyperCuts parameters are: maximum rules in leaf = and maximum number of cuts =. The resulting tree has a total of nodes out of which 99 are leaves. Average tree depth is 7. (standard deviation of.7), whereas minimal and maximal depth are and 9. As performance metric of the shortcut placement we use RGAIN (fraction of memory accesses saved per adaptation interval). An adaptation interval of packets was used for both dump and DDoS_Attack traces. Results Discussion: The evolution of the relative gain vs. the number of the adaptation interval is shown in Fig. (top and middle). The adaptation intervals containing packets of the distributed denial of service attack can clearly be distinguished from intervals containing only non-malicious traffic. In fact, the attack has a beneficial impact on the performance of the adaptive method. On average, there are only around packets per non-malicious flow as opposed to 79 packets in a flow taking part in the DDoS attack. As many packets in few different flows can be much better captured by the shortcuts than few packets in many different flows, the adaptive method performs better during the attack. The shortcut placement algorithm achieves better performance on the dump trace. This is probably due to the fact that IP source and destination tuples (Fig. ) in the DDoS_Attack trace are spread more uniformly over the address space. Clustering in the dump trace leads to more packets being caught by the same branch in the classification tree, which makes a shortcut placement in such a branch more effective. Fig. also shows results for both trees. The higher relative gain on the balanced tree is due to its high depth that allows the placement of longer and, therefore, more effective shortcuts, as illustrated by average shortcut lengths in Fig. (bottom). IP destination address... x 9 9 IP source address x IP destination address... x 9 9 IP source address x Figure. IP source vs. dest. address for DDoS Attack (left) and dump (right) trace

4 "DDos_Attack" on artificial tree "DDos_Attack" on HyperCuts tree.6.6 Attack.... Attack "dump" on artificial tree "dump" on HyperCuts tree. Average Shortcut Length "dump" on artificial tree Average Shortcut Length "dump" on HyperCuts tree Figure. Time series of relative gain and average shortcut length for DDoS Attack and dump trace on artificial tree and HyperCuts tree. Adaptation interval is packets... Real-life Experiments The performance of the shortcut method in a real network configuration is demonstrated by using the Linux implementation of the adaptive packet filter as a firewall on a Linux machine. The firewall is placed as a router in a small network configuration using four Linux machines. The testbed is depicted in Fig. 6 and includes the router running a tree-based packet classifier, a video streaming server, a video client and a machine hosting an attacker. The client is playing a video stream provided by the video server directly over the network and over the cen- Video Server Video Stream Malicious Traffic Router with Firewall Attacker Video Stream Figure 6. Experimental testbed Video Client tral router. The firewall on the router is configured to allow through the video data packets from server to client and the corresponding acknowledgements from client to server. Packets not belonging to one of these flows are dropped at the router. We compare the performance of the shortcut placement in terms of throughput at the client with and without attacking traffic on the router by switching the adaptive shortcut placement module from off to on during the experiments. Results Discussion: In both experiments, the video is initially played at the client without loss or jitter at a rate of about. MBytes/sec (Fig. 7: NoS off). As the shortcuts accelerate the classification of a data flow, the activation of the adaptive method increases the throughput of the video stream as shown on the left of Fig. 7. If the attacker starts her denial of service attack by sending bogus packets at rate MBytes/sec against the router, the tree-based classification algorithm gets overwhelmed with malicious packets that also need to be matched against the firewall tree. For the purpose of this experiment, the firewall is configured as not to be able to handle the amount

5 Throughput [bytes/s] 7 x 7 6 NoS off NoS on 6 Time [s] Throughput [bytes/s]. x 7 NoS off NoS on Attacker Traffic Video Traffic Time [s] Figure 7. Throughput of video data at the client before/after (NoS off/on) the activation of the shortcut placement without (left) and with (right) attack on the firewall. Adaptation interval is seconds. of packets being sent by the attacker, which leads to a growing packet queue at the root of the classification tree. Video data packets are, therefore, experiencing large delays leading to very low or zero effective throughput at the client (region in the right of Fig. 7). As a consequence, the video software stops the playback or loops through the local buffer content. Switching on the adaptive control loop remedies the situation by adapting the classification tree to the current traffic situation. The placement of shortcuts in the three frequently traveled tree branches corresponding to server-to-client, client-to-server and attacker-to-firewall packet flows reduces significantly the number of memory accesses in the classification process and, consequently, increases the throughput at the firewall. The actual throughput of video data packets (Region in the right of Fig. 7) is now again high enough to guarantee lossless and jitter-free playback at the client.. Conclusion Two statements can be concluded based on this study: firstly, it is feasible to implement an adaptive extension to a tree-based filtering method and it can improve a networking device throughput significantly; secondly, the shortcut insertion (NoS) technique can be very effective in boosting a filter performance under the DoS attack traffic conditions. To reach a general conclusion about a traffic-adaptive method s performance under attack condition, much more thorough investigation is needed, with many other types of attacks; in particular an algorithmic attack on the adaptation method itself. For the moment, though, this paper justifies mild optimism about the applicability of such methods. References [] D. Becker, R. Todorovic, and Q. Wang. PTREE: A system for flexible, efficient packet classification. Technical Report CS Networking Project at Washington University in St. Louis, USA,. [] A. Bergamini and L. Kencl. Network of shortcuts: An adaptive data structure for tree-based search methods. In Proceedings of IFIP Networking, Waterloo, Canada, May. [] N. Brownlee and kc claffy. Understanding internet traffic streams: Dragonflies and tortoises. IEEE Communications Magazine,, October. [] E. Cohen and C. Lund. Packet classification in large ISPs: design and evaluation of decision tree classifiers. In Proceedings of SIGMETRICS, Banff, Canada,. [] H. Dreger, A. Feldmann, B. Krishnamurthy, J. Wallerich, and W. Willinger. A methodology for studying stability aspects of Internet flows. Computer Communication Review, May. [6] A. Feldmann and S. Muthukrishnan. Tradeoffs for packet classification. In Proceedings of IEEE Infocom,. [7] A. Feldmann and W. Whitt. Fittingmixtures of exponentials to long-tail distributions to analyze network performance models. In Proceedings of IEEE Infocom, 997. [8] P. Gupta and N. McKeown. Packet classification using hierarchical intelligent cuttings. In Proceedings of Hot Interconnects VII, 999. [9] A. Hussain, J. Heidemann, and C. Papadopoulos. A framework for classifying denial of service attacks. In Proceedings of SIGCOMM, Karlsruhe, Germany, August. [] N. Kammenhuber and L. Kencl. Efficient statistics gathering from tree-search methods in packet processing systems. In Proceedings of IEEE ICC, Seoul, Korea, May. [] M. Kounavis, A. Kumar, H. Vin, R. Yavatkar, and A. Campbell. Directions in packet classification for network processors. In Proceedings of the nd IEEE Workshop on Network Processors,. [] A. Moore, J.Hall, C.Kreibich, E.Harris, and I.Pratt. Architecture of a network monitor. In Passive and Active Measurement Workshop (PAM), La Jolla, CA, USA,. [] K. Papagiannaki, N. Taft, and C. Diot. Impact of flow dynamics on traffic engineering principles. In Proceedings of INFOCOM,. [] S. Ramabhadran and G. Varghese. Efficient implementation of a statistics counter architecture. In Proceedings of ACM SIGMETRICS, San Diego, CA, USA, June. [] S. Singh, F. Baboescu, G. Varghese, and J. Wang. Packet classification using multidimensional cutting. In Proceedings of SIGCOMM, Karlsruhe, Germany,. [6] D. Taylor and J. Turner. ClassBench: A packet classification benchmark. In Proceedings of INFOCOM, Miami, FL, USA,. [7] Y. Zhang, L.Breslau, V.Paxson, and S. Shenker. On the characteristics and origins of internet flow rates. In Proceedings of SIGCOMM,.