Bohatei: Flexible and Elas2c DDoS Defense

Size: px

Start display at page:

Download "Bohatei: Flexible and Elas2c DDoS Defense"

Isabella Wiggins
8 years ago
Views:

1 Bohatei: Flexible and Elas2c DDoS Defense Seyed K. Fayaz, Yoshiaki Tobioka, Vyas Sekar, Michael Bailey h5ps://github.com/ddos- defense/bohatei

2 DDoS a5acks are gecng worse High cost on vicims Increasing in number Increasing in volume Increasing in diversity Threatpost, 7/31/2015 Incapsula, 11/12/2014 Imperva, 2015 The New York Times, 3/30/2015 Cloudflare, 3/27/2013 Techworld, 7/16/2014 Arbor Networks, 2/14/2014 Radware, 10/7/2014 2

Incapsula, 11/12/2014 Imperva, 2015 The New York Times, 3/30/2015

3 DDoS Defense Today: Expensive Proprietary Hardware Assets Intranet 3

4 LimitaIon: Fixed funcionality What if new types of a5acks emerge? Assets Intranet 4

5 LimitaIon: Fixed capacity a5ack vol.(gbps) ﬁxed capacity waste t1 Assets waste t2 t3 t4 Ime Intranet 5

6 LimitaIon: Fixed locaion AddiIonal traffic latency due to waypoining RouIng hacks to enforce defense source desinaion shortest path 6

7 Need flexibility w.r.t. a5ack type Assets 7

8 Need Flexibility w.r.t A5ack LocaIons Assets B C A 8

9 Need ElasIcity w.r.t. A5ack Volume Assets 9

10 Bohatei in a nutshell.. A pracical ISP- scale system for Flexible and ElasIc DDoS Defense via Socware- Defined Networking (SDN) & Network FuncIons VirtualizaIon (NFV) à React to 500 Gbps scale a5acks in 1 min! 10

11 Outline MoIvaIon Background on SDN/NFV Bohatei overview and challenges System design ImplementaIon EvaluaIon Conclusions 11

12 Socware- Deﬁned Networking (SDN) Centralized management + Open conﬁg APIs Controller Flow FwdAc2on Flow FwdAc2on Flow FwdAc2on 12

13 Network FuncIons VirtualizaIon (NFV) Today: Standalone and Specialized Proxy Firewall IDS/IPS AppFilter Commodity hardware 13

14 Why are SDN/NFV useful for DDoS defense? NFV SDN Expensive Fixed funcionality Fixed capacity Fixed locaion Our Work: Bring these benefits to DDoS Defense 14

15 Outline MoIvaIon Background on SDN/NFV Bohatei overview and challenges System design ImplementaIon EvaluaIon Conclusions 15

16 Bohatei Vision: Flexible + ElasIc Defense via SDN/NFV SDN/NFV Controller defense policy ajack traffic VM DC 1 DC 2 customer intranet ISP 16

17 Bohatei Controller Workflow Strategy layer Predict a5ack pa5ern Resource management Decide how many VMs, what types, where Network orchestraion Configure network to route traffic 17

18 Threat model: general, dynamic adversaries Targets one or more customers A5acker has a fixed budget w.r.t. total a5ack volume do{ Pick_Target() Pick_Attack_Type() Pick_Attack_Volume() Pick_Attack_Ingress() Observe_and_Adapt() } 18

19 Bohatei Design Challenges Strategy layer Predict a5ack pa5ern Resilient to adaptaion? Resource management Decide how many VMs, what types, where Fast algorithms? Network orchestraion Configure network to route traffic Scalable SDN? 19

Resource management Decide how many VMs, what types, where

20 Outline MoIvaIon Background on SDN/NFV Bohatei overview and challenges System design ImplementaIon EvaluaIon Conclusions 20

21 Naïve resource management is too slow! Defense library Compute/network resources Suspicious traffic predicions Global opimizaion Types, numbers, and locaions of VMs? RouIng decisions? Takes hours to solve 21

22 Our Approach: Hierarchical + Greedy Defense library Compute/network resources Suspicious traffic predicions ISP- level Greedy How much traffic to DC 1 Per datacenter 1 How much traffic to DC N Per datacenter N Which VM slots in DC 1 Which VM slots in DC N 22

23 ReacIve, per- ﬂow isn t scalable Controller packet1 packet100 VM1 Port1 Port2 SW Port3 VM2 VM3 Switch Forwarding Table Flow outport Flow1 Port 2 Flow100 Port 3 A reacive, per- ﬂow controller will be a new vulnerability 23

24 24 Idea: ProacIve tag- based steering Controller ProacMve set up packet 1 packet 100 packet 1 VM 1 packet Port1 SW Port 2 Port 3 VM 2 VM 3 Context Tag Tag outport Benign 1 1 Port 2 Suspicious 2 2 Port 3 ProacIve per- VM tagging enables scaling

25 Dynamic adversaries can game the defense Adversary s goals: 1. Increase defense resource consumpion 2. Succeed in delivering a5ack traffic A5ack vol.(gbps) predicted ajack volume for t 4 SYN flood DNS amp. t 1 t 2 t 3 t 4 Ime Simple predicion (e.g., prev. epoch, avg) can be gamed 25

26 Our approach: Online adaptaion Metric of Success = Regret minimizaion à How worse than best staic strategy in hindsight? Borrow idea from online algorithms: Follow the perturbed leader (FPL) strategy IntuiIon: PredicIon = F (Obs. History + Random Noise) This provably minimizes the regret metric 26

27 PuCng it together suspicious traffic spec. PredicIon strategy OrchestraIon predicts volume of suspicious traffic of each a5ack type at each ingress launching VMs, traffic path set up quanity, type, locaion of VMs Resource management defense policy ajack traffic VM DC 1 DC 2 customer intranet ISP 27

28 Outline MoIvaIon Background on SDN/NFV Bohatei overview and challenges System design ImplementaIon EvaluaIon Conclusions 28

29 Defense policy library A defense graph per a5ack type Customized interconnecion of defense modules Open source defense VMs Example (SYN flood defense) OK Analyze Srces: count SYN SYN/ACK per source [LegiImate] [Unknown] [A5ack] [LegiImate] SYNPROXY [A5ack] LOG DROP 29

30 ImplementaIon Control Plane resource manager OpenFlow defense library OpenDaylight FlowTags (Fayaz et al., NSDI 14) Data Plane Switches (OVS) FlowTags- enabled defense VMs (e.g., Snort) KVM core Intel Xeon machines h5ps://github.com/ddos- defense/bohatei 30

31 Outline MoIvaIon Background on SDN/NFV Bohatei overview and challenges System design ImplementaIon EvaluaIon Conclusions 31

32 EvaluaIon quesions Does Bohatei respond to a5acks rapidly? Can Bohatei handle 500 Gbps a5acks? Can Bohatei successfully cope with dynamic adversaries? 32

33 Responsiveness Hierarchical resource management: A few milliseconds (vs. hours) OpImality gap < 1% Benign traffic throughput (Gbps) SYN flood DNS amp. attack starts Elephant flow UDP flood Time (s) Bohatei restores performance of benign traffic 1 min. 33

34 Scalability: Forwarding table size Max required number of rules on a switch 10e ,000 1, Bohatei per-flow rules Attack traffic volume (Gbps) Per- VM tagging cuts #rules by 3-4 orders of magnitude ProacIve setup reduces Ime by 3-4 orders of magnitude 34

35 Adversarial resilience Regret w.r.t. volume of successful attacks (%) Uniform PrevEpoch Bohatei RandIngress RandAttack RandHybrid Steady FlipPrevEpoch Bohatei online adaptaion strategy minimizes regret. 35

36 Conclusions DDoS defense today : Expensive, Inflexible, and InelasIc Bohatei: SDN/NFV for flexible and elasic DDoS defense Key Challenges: Responsiveness, scalability, resilience Main soluion ideas: Hierarchical resource management ProacIve, tag- based orchestraion Online adaptaion strategy Scalable + Can react to very large a5acks quickly! Ideas may be applicable to other security problems 36

Bohatei: Flexible and Elastic DDoS Defense

Bohatei: Flexible and Elastic DDoS Defense Seyed K. Fayaz, Yoshiaki Tobioka, and Vyas Sekar, Carnegie Mellon University; Michael Bailey, University of Illinois at Urbana-Champaign https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/fayaz