dfence: Transparent Network-based Denial of Service Mitigation

Transcription

1 dfence: Transparent Network-based Denial of Service Mitigation Ajay Mahimkar, Jasraj Dange, Vitaly Shmatikov, Harrick Vin, Yin Zhang Department of Computer Sciences, The University of Texas USENIX NSDI 2007 April Presented by Jiun Chao Chiou 2007/05/16

2 Outline Introduction Types of DoS attack dfence Middlebox Performance Conclusion

3 Introduction

4 Introduction : DoS (1/6) Denial of Service ( DoS ) are growing theat to Internet services. DoS attacks are malicious actions trying to disturb or stop web servers providing their services. DoS attack includes sending spoofed/unspoofed data or SYN packets to victim to affect its function.

5 Introduction : DoS (2/6) Method of DoS attacks SYN floods ICMP floods Teardrop attack Distributed attack DDoS

6 Introduction : DoS (3/6) SYN floods One malicious endpoint sends out a flood of SYN packets with spoofed sender address to target server. The victim will run out of resource because of creating too much halfopen connections. sender SYN SYN SYN SYN SYN SYN SYN SYN Victim

7 Introduction : DoS (4/6) ICMP floods It s also called Smurf attack. Sending ICMP echo request to broadcast address of one network with spoofed source address. Network A Echo ICMP request SrcAddr = Victim Victim

8 Introduction : DoS (5/6) Teardrop attack Malicious endpoint sends out abnormal IP fragments to target machine to crashing the operation system. Distributed DoS Many infected endpoints, called zombie, were controlled by malicious hacker and start DoS attack together. It s more powerful and untraceable.

9 Introduction : DoS (6/6) Reflected attack Sending requests with forged source address to a large number of computers that will reply to the request. ICMP echo request http request with forged source address

10 Introduction : dfence (1/2) Guiding design principles of dfence Dynamic introduction Stateful mitigation Features of dfence Transparency Compatibility with routing infrastructure On-demand invocation Scalability

11 Introduction : dfence (2/2)

12 Middlebox

13 Middlebox : traffic interception (1/5) Flow pinning Stateful mitigation requires both direction of traffic pass through the same middlebox. A hash h(f) of flow ID f determines the home middlebox of each connection

14 Middlebox : traffic interception (2/5) When middlebox is online, it using standard BGP/iBGP to deal with incoming packets of inbound traffic. Middlebox send updates advertising a route to S with the highest priority. IGP selects the closest middle box to the ingress router, and forward packets to home middlebox. Packets go to the real egress router.

15 Middlebox : traffic interception (3/5)

16 Middlebox : traffic interception (4/5) Outbound traffic interception dfence uses policy-based routing (PBR) to intercept outbound traffic originating from network S. The ingress router routes packets to home middlebox. Packets go to the real egress router.

17 Middlebox : traffic interception (5/5)

18 Middlebox : connections table (1/2) Middlebox maintains two tables for connection management : Src-Dest table A hash table indexed by SrcIP DestIP pair. It keeps counting currently open connections for each pair. Once the threshold exceeded, no new connections are established in each pair. For DoS attack protection.

19 Middlebox : connections table (2/2) Connection hash table Flow ID : Src (IP,port) Dest (IP,port) Offset : difference between Seq number. TimeStamp : time of last packet of this connection Service bits : Pre-existing, a pre-existing connection? Splice, a seq number translation required? Conformance, has the source complied with traffic management measures? InboundPacketRate : the rate of incoming packets during a specific interval.

20 Middlebox : Dynamic introduction (1/2) State : bootstrapping The middlebox establishs state for existing connections of protected target during interval Tb. One connection is considered legal if middlebox sees both directions traffic during Tb.

21 Middlebox : Dynamic introduction (2/2) State : removal Middlebox will continue to serve the ongoing connections if there exists some connections affected by mitigation policies. New connections pass through middlebox without applying any policies.

22 Middlebox : spoofed attacks mitigation SYN cookies Sequence number is specialized : 5 bits : t mod 32, t is 32-bit counter increases every 64 seconds 3 bits : 8 encoded unique MSS values 24 bits : server-selected secret function of the client IP, port, server IP, port and t 5 bits 3 bits 24 bits

23 Sender middlebox server a b a+1 Wnd=0 a+1 b+1 a Wnd=k b a+1 c a+1

24 Middlebox : Policy decision tree (1/2)

25 Middlebox : Policy decision tree (1/2)

26 Middlebox : Recovery & Load balance Home middlebox table HM[n] Each middlebox is responsible for a subset of entries in this table. All middleboxes are arranged to a logical ring R, each clock-wise neighbor in R is the designated backup. Recovery or load balancing can be handled in this ring

27 Performance (1/3)

28 Performance (2/3)

29 Performance (3/3) 94.3mb 87.3mb

30 Conclusion dfence works well Transparently Compatibility with existing Internet Support broad range of effective anti-dos techniques.