Optimal Allocation of Filters against DDoS Attacks

Transcription

1 Optimal Alloation of Filters against DDoS Attaks Karim El Defrawy ICS Dept. University of California, Irvine Athina Markopoulou EECS Dept. University of California, Irvine Katerina Argyraki I&C Shool EPFL, Lausanne, CH Abstrat Distributed Denial-of-Servie (DDoS) attaks are a major problem in the Internet today. During a DDoS attak, a large number of ompromised hosts send unwanted traffi to the vitim, thus exhausting the resoures of the vitim and preventing it from serving its legitimate lients. One of the main mehanisms against DDoS is filtering, whih allows routers to seletively blok unwanted traffi. Given the magnitude of DDoS attaks and the high ost of filters in the routers today, the suessful mitigation of a DDoS attak using filtering ruially depends on the effiient alloation of filtering resoures. In this paper, we onsider a single router with a limited number of available filters. We study how to optimally alloate filters to attak soures, or entire domains of attak soures, so as to maximize the amount of good traffi preserved, under a onstraint on the number of filters. First, we look at the single-tier problem, where the ollateral damage on legitimate traffi is high due to the filtering at the granularity of attak domains. Seond, we look at the two-tier problem, where we have an additional onstraint on the number of filters and filtering is performed at the granularity of attakers and/or domains. We formulate both problems as optimization problems, and we evaluate the optimal solution over a range of realisti attak-senarios. Our results demonstrate that effiient filter alloation signifiantly improves the tradeoff between the number of filters used and the amount of legitimate traffi preserved. I. INTRODUCTION Distributed Denial-of-Servie attaks (DoS) are one of the most severe and hard to solve problems on the Internet today. During a DDoS attak, a large number of ompromised hosts oordinate and send unwanted traffi to the vitim thus exhausting the vitim s resoures and preventing it from serving its legitimate lients. For example, vitims of DDoS attaks an be ompanies that rely on the Internet for their business, in whih ase DDoS attaks an result in severe finanial loss or even in the ompany quitting the business [1]. Government sites (e.g. www1.whitehouse.gov) and other organizations an also be vitims of DDoS attaks, in whih ase disruption of operation results in a politial or reputation ost. Several approahes and mehanisms have been proposed to deal with DDoS attaks. In this work, we fous on filtering mehanisms, whih are a neessary omponent in the anti- DDoS solution. We onsider the senario of a bandwidth flooding attak, during whih the bottlenek link to the vitim is flooded with undesired traffi. To defend against suh an attak, the vitim must identify undesired traffi (using some identifiation mehanism whih is not the fous of this work) and request from its ISP/gateway to blok it before it enters the vitim s aess link and auses damage to legitimate traffi. Even assuming a perfet mehanism for identifiation of attak traffi, filter alloation at the vitim s gateway is in itself a hard problem. The reason is that the number of attak soures in today s DDoS attaks is muh larger than the number of expensive filters (ACLs) at the routers. Therefore, the vitim annot afford to seletively blok traffi from eah individual attak soure, but instead may have to blok entire domains; in that ase legitimate traffi originating from that domain is also unneessarily filtered together with the attak soures. Clearly, the suessful mitigation of a DDoS attak using filtering, ruially depends on the effiient alloation of filtering resoures. In this paper, we study the optimal alloation of filters to individual attakers or entire domains of attakers. Filters an be plaed at a single gateways tier, so as to maximize the preserved good traffi; the ore insight in the single-tier problem is that the oarse filtering granularity makes o-loated attak and legitimate traffi to share fate. We also onsider filter plaements at two tiers (attakers and gateways); in this ase, the trade-off is between the preserved goodput and the number of filters used. We evaluate the optimal solution for three realisti attak senarios, based on data sets from the analysis of the Code Red [16] and Slammer [17] worms, the Prolexi Zombie Report [19], and statistis on Internet users [2]. The struture of the rest of the paper is as follows. In setion II, we give more bakground on the problem and we disuss related work. In setion III, we formulate the problem of optimal filter alloation on a single tier (i.e. gateways or attakers tier) and the more general problem of filtering at both the gateway and attaker tier. We solve the problem optimally using dynami programming. We study the properties of the optimal solution and evaluate it through simulation in setion IV. In setion V, we onlude the paper and disuss open issues and future work. II. BACKGROUND A. Flooding Attaks and Filtering In this paper, we are onerned with a DDoS attak on network bandwidth, also alled flooding attak. A flooding attak is very easy to launh as it only requires sending a ertain amount of traffi that overwhelms the link onneting the vitim to the Internet. An example of flooding attak is shown in Fig. 1. A vitim (V) is onneted to the Internet through ISP-V, using an aess link with bandwidth C. The vitim is under a DDoS attak from several attak soures

2 attakers ISP-A GW-B ISP-V GW-V V C attak gateways Fig. 1. The vitim (V) is onneted to its ISP (ISP-V) through an aess router (GW-V ) and an aess link (with bandwidth C). GW-B is a border router of ISP-V. Attakers are loated in various ASes behind the attak gateways; the total traffi exeeds the apaity C. hosted by other ISPs, suh as ISP-A. The total traffi oming from those soures exeeds the total apaity C. Filtering is one of the mehanisms that an help to mitigate DDoS attaks and stop the unwanted traffi from reahing the vitim and onsuming network bandwidth along the way. For example, in Fig.1, the vitim an send a filtering request to its own ISP-V to blok all traffi from ISP-A to the vitim. ISP-V responds by plaing filters at appropriately hosen gateway(s), e.g. GW-V or GW-B. In this paper, we are not onerned with hoosing the best gateway within an ISP for plaing the filters; instead we look at a single gateway, say GW-V, and how to alloate filters to attakers or attak domains. By filters, we refer to aess ontrol lists (ACLs), whih allow a router to math a paket header against rules. E.g. in the DDoS ase desribed above, the router heks if the paket is going to vitim V and oming from attaking host A; or the router might hek the soure IP address and filter out any paket oming from the entire ISP-A. Paket filters in routers are a sare, expensive resoure beause they are stored in the expensive TCAM (ternary ontent addressable memory). A router lineard or supervisor-engine ard typially supports a single TCAM hip with tens of thousands of entries. So, depending on how an ISP onnets its lients to its network, eah lient an typially laim from a few hundred to a few thousand filters not enough to blok the attaks observed today and not nearly enough to blok the attaks expeted in the near future. We formulate two filtering problems: the single-tier and the two-tier filtering, depending on the granularity of paket filtering (or equivalently, the levels of the attak graph onsidered). In the single-tier ase, we are interested in filtering entire attak gateways, a task for whih there are enough filters today; in this ontext, we seek to filter out traffi so that the total traffi arriving at the vitim is below the available bandwidth, while maximizing the preserved legitimate traffi. In the two-tier problem, we are interested in filtering not only attak gateways but also individual attakers, a task for whih there are not enough filters in a single router today; the number of filters beomes then an additional onstraint. B. Related Work A taxonomy of DDoS attaks and defense mehanisms an be found in [2]. Here we review only aspets related to our work. Our work relies on existing mehanisms to be able to identify the attak traffi, distinguish it from the legitimate traffi and trae its approximate path bak to the attak soure [3]. The main diffiulty in path identifiation lies in dealing with soure IP address spoofing. Other mehanisms for path identifiation and traebak inlude probabilistially sending ICMP messages [5]; mehanisms based on hashing [6] or paket marking [7]. Also, in this work, we fous on filtering at a single router, typially at the vitim s gateway. Looking at the bigger piture, several mehanisms have been proposed to enable filter propagation as lose to the attak soure a possible. For example, Pushbak [8] enables routers to propagate filtering upstream hop-by-hop, at the router-level. AITF [9] proposes to ommuniate filtering information from the vitim upstream towards the attak domain, but at the granularity of AS, as opposed to router. Filtering is not the only mehanism for mitigation of DDoS attaks. Some of the proposed approahes revisit the basi assumption of the Internet arhiteture, stating that every host an send to any other host, without requiring permission of the reeiving host. For example, apabilities whih propose that tokens are obtained before establishing a onnetion with a destination, and that these token are inluded in eah paket [1][11] [12] This proposal requires hanging the routers on the Internet and adding new servers and hanges the whole Internet arhiteture. Other proposals use overlay mehanisms to implement a similar onept whih is to restrit ommuniation to the vitim only through some known well provisioned overlay nodes whih an filter and detet attaks [13] [14]. Using filtering ould provide a quik solution or first line of defense to DoS attaks, until a permanent one is developed and is already used today in ommerially available systems and anti-dos servies [15]. The downside of filtering is that its performane heavily depends on being able to identify attak traffi and distinguish it from legitimate traffi, whih is not an easy task. However, it is an available, reative mehanism that an be used in onjuntion with other approahes. Finally, in this paper, we rely upon data from analysis of worms, to onstrut realisti attak senarios. Internet worms are older than DDoS attaks, but are relevant for studying suh attaks beause they are used as a tool to infet and ompromise hosts on the Internet with the attak lients. The Code Red [16] worm is one well-known worm from 21, whih ontained ode to launh a DoS attak on the website (www1.whitehouse.gov), whih did not sueed. Reently, several other worms have been aused huge finanial losses, suh as Slammer [17], MyDoom, Flash worms [18] and others and have attrated a lot of researher s attention. Prolexi [15] is also regularly publishing a very informative Zombie

3 Report, on the most infeted hosts per ountry, network servie-provider and other meaningful groupings [19]. III. FORMULATION OF OPTIMAL ALLOCATION OF FILTERS A. General Disussion In priniple, one might onsider alloating filters at any level of the attak graph, see Fig.1. There is learly a tradeoff between filtering granularity (to maximize goodput) and the number of filters. If there were no onstraints on the number of filters, the maximum throughput of good traffi (goodput) would be ahieved by alloating filters as lose to individual attakers as possible. The gateway in question (GW- V) faes the following tradeoff. Ideally, GW-V would like to filter out all attakers and allow all good traffi to reah the vitim. Unfortunately, in a typial DDoS attak, there are not enough filters to individually filter all IP addresses of attak hosts. A solution is to aggregate attak soures into a single filter; in pratie, there are enough filters available to filter at that granularity. E.g. GW-V ould summarize several attak soures oming from the same domain, e.g. behind GW-1, into a single rule and filter out the entire domains, as shown in Fig. 2. However, there is also legitimate traffi oming from eah domain. Therefore, filtering at the granularity of attak gateway-tier auses ollateral damage to legitimate traffi that falls into the range of the IP addresses desribed by the filter. This problem, referred to as the single-tier filtering, is studied in setion III-B so as to preserve the maximum amount of legitimate traffi while meeting the apaity onstraint. This turns out to be a knapsak problem that an be solved by a greedy algorithm (shown in Algorithm 1). In pratie, there are more filters (F ) than attak gateways (N < F ), but less filters than individual attakers (F < N M i) (see Fig. 3). Filtering at the gateway level is feasible but auses the ollateral damage disussed above, due to its oarse granularity. Filtering at the attaker s level would preserve the maximum possible throughput but it is not realisti (due to the high number of attakers as well as due to spoofing); we still onsider it as an upper bound for performane. A pratial and effetive ompromise between the two extremes an be the two-tier filtering, shown in Fig. 3. In the two-tier filtering, we an hoose to filter either at gateways granularity (e.g. filter 1 in Fig. 3) or at attakers granularity (e.g. filter 2 in Fig. 3). The optimal alloation of filters to individual attak soures, or to entire attak gateways, depends on the harateristis of the attak (distribution and intensity) as well as on the number of available filters. Furthermore, the suessful ontainment of the DDoS attak ruially depends on the optimization of the filter alloation. B. Single-Tier Filter Alloation The single-tier senario is shown in Fig.2. There are N attaking gateways, eah generating both good (G i ) and bad (B i ) traffi toward the vitim; the total traffi toward the vitim exeeds its apaity C. Gateway GW-V alloates filters to blok the attak traffi towards V. There are enough filters to alloate to the N gateways. The objetive is to alloate Algorithm 1 Greedy Algorithm for the Single-Tier. Order nodes in dereasing order largest to smallest effiieny. Find the ritial node s.t.: j= j=1 G j + B j > C Alloate filters to nodes i = 1, 2,...N as follows: x j = 1 for j = 1, 2,.. 1 (allow to pass) x = C j= 1 j=1 G j +B j (rate limiter) G +B x j = for j = + 1,..n (filters) G j G j +B j. W.l.o.g. j = 1, 2,..N from j= 1 j=1 G j + B j < C and filters to limit the total traffi below the available apaity, so as to maximize the amount of legitimate traffi that is getting through to the vitim (beause this is what the vitim ares about, e.g. revenue for a web server). Let us use x i = 1 and x i = to indiate whether we allow or blok all traffi from gateway i. The problem of optimal alloation of filters is to hoose {x i } N i : max G i x i i=n s.t. (G i + B i ) x i C x i {,1},i = 1,2,..N We notied that the filter alloation problem is essentially a - 1 knapsak problem [21]. Reall that in the knapsak problem, we hoose some among N objets, eah with profit v i and a weight w i, so as to maximize the total profit, subjet to a total weight onstraint. In our ase, the objets are the attaking nodes with profits and weights G i and G i + B i respetively; and there is a onstraint C on the vitim s bandwidth. This is well-known to be a omputationally hard problem. However, we need omputationally effiient solutions, beause the filter alloation should be deided in real-time during the attak. The ontinuous relaxation of the problem (where x is no longer binary, but instead x i 1) an be interpreted as plaing rate-limiters: we allow ratio x i of the traffi oming from node i to get to the vitim. This orresponds to the frational knapsak problem, whih an be solved optimally using a greedy algorithm [21]. The algorithm in Algorithm 1, shown below, sorts nodes in a dereasing order of effiieny G j G j+b j, 1 and greedily aepts (x i = 1) nodes with the maximum effiieny, until a ritial node, whih if allowed will exeed the apaity. Traffi from all remaining nodes is filtered out (x i = ) and installs a rate-limiter to the ritial element (x = C j= 1 j=1 G j+b j G +B ) to use the remaining apaity. This requires only O(nlogn) steps for sorting and O(n) for filer/rate-limiters alloation. Notie, that it is impratial to alloate rate-limiters to all attaking nodes, beause rate-limiters are expensive resoures and require keeping state. Fortunately, the optimal solution of the frational problem turned out to be 1 Tehnially, maximizing G i G i +B i is different from maximizing G i. However beause the optimal solution operates at G i + B i C, it is the same in pratie. (1)

4 G 1 B 1 G i B i G N B N GW N GW 1 GW i.... Gateways Tier b 11 b 1M1 b i1 b 1Mi G 1 G i filter 2 GW N GW 1 GW i.... Attakers Tier Gateways Tier filter C GW V filter 1 C GW V V V Fig. 2. Single-Tier Filtering Problem Fig. 3. Two-Tiers Filtering Problem (x 1,...x 1,x,x +1,...,x N ) = (1,...1,x 1,,...), thus using C 1 filters and exatly one rate-limiter, whih mathes well urrent router resoures. C. Two-Tier Filter Alloation The two-tier problem is the following. Consider N attak gateways and M i attak hosts behind attak gateway i, i.e. the last two tiers in Fig.1. Eah attaker ontributes both good (G ij ) and bad traffi (B ij ), i = 1,2..N,j = 1,2...M j. x ij,1 depending on whether we alloate a filter to attakhost j behind gateway i. x i,1 depending on whether we alloate a filter to attak-gateway i; if x i =, then all traffi originating behind GW-i is bloked, and there is no need to alloate additional filters to attakers (i,j),j = 1,2,...M i. The problem is how to hoose {x i } s, {x ij } s, given the onstraints C on the vitim s apaity and on the available number of filters F at the gateway: max i=n j=mi j=1 G ij x i x ij i=n j=mi s.t. (G ij + B ij ) x i x ij C j=1 i=n i=n j=mi (1 x i ) + (1 x ij ) F j=1 x i,x ij {,1},i = 1,...N, j = 1,...,M j The two-tier problem is harder than the single-tier one: it is a variation of the ardinality-onstrained knapsak [21], and the optimal solution annot be found effiiently. In this paper, we formulate the problem using dynami programming and ompute its optimal solution as a baseline for omparison. However, the dynami programming algorithm is omputationally expensive and annot be used in real time; we are urrently working on developing effiient heuristis. Definitions. Consider the two-tiers onfiguration, shown in Fig. 3. There are N gateways. A gateway n generates (2) legitimate traffi G n and also attak traffi from M n attak soures. Notie that for simpliity we depart from Eq.(2) and we onsider that attaker ij generates only bad traffi b ij and no goodput G ij ; instead we onsider that the total goodput G n omes from different hosts behind gateway n. W.l.o.g. onsider that the attak soures are ordered from worst to best: b(n,1) >... > b(n,m n ). Therefore, eah gateway generates total traffi C n = G n + M n b(n,i). Before filtering, the total traffi exeeds the vitim s aess bandwidth (apaity) C: N C n > C. We are interested in plaing F filters aross the N gateways, so as to bring the total traffi below C, while maximizing the total goodput after filtering T N (C,F). TN (C,F), an be omputed reursively as shown in Algorithm 2. The reursion proeeds onsidering one more gateway at a time; the order in whih gateways are onsidered is not important. Let Ti (,f), for i N, be the maximum goodput of the smaller problem, i.e. with optimal plaement of f F filters onsidering only gateways {1, 2,..i} and apaity up to C. Assume that, in previous steps, we have already obtained and stored the optimal solutions T i (,f) onsidering only gateways 1,2,...n 1, for all values of =,1,..C and f =,1,...F. Then Tn(,f) an be omputed from the Bellman reursive equation (line 23 of Alg.2): Tn(,f) = max T j=x n 1( (C n b(n,j)),f x)+g n x=,1,..f j= (3) Intuition. In step n, we onsider gateway n together with the previous gateways 1,2,...n 1. The f available filters are split among two groups of gateways: {1,2,..n 1} and {n}; x f filters are assigned to gateway n and the remaining f x filters are assigned to the previous gateways {1,2,..n 1}. The x filters assigned to GW n are used to blok the x worst attakers. Therefore, j=x j= b(n,j) bad traffi is bloked and the remaining C(n) j=x j= b(n,j) = G n + j=m n j=x+1 b(n,j) traffi goes through (gwn unfiltered in line 24), onsuming part of the total apaity. The remaining f x filters are

5 optimally assigned to gateways 1,2,...n 1. Reall that we have previously obtained and stored the optimal solutions Tn 1(,f) onsidering only gateways {1,2,...n 1}, for all and f; therefore, we already know the best alloation of f x filters aross gateways {1,2,...n 1} and we an get the maximum goodput Tn 1( (C(n) j=x j= b(n,j)),f x). We onsider all possible values of x and hoose the value among x f that maximizes goodput (line 33 in Alg.2). There are some values of x that deserve speial attention: x = means that we assign no filters to gateway n, in whih ase our best goodput is the same as before, enhaned by the goodput of the urrent gateway: T n 1( C n,f) + G n (max in line 12 of Alg. 2). x = 1 means that we assign exatly one filter to gateway n, either at attaker or at gateway level. If we assign this filter to an attaker, it should be the worst attaker b(n,1) (line 16 in Alg.2). If this one filter is assigned to the entire gateway, then the entire traffi C n from gateway n is filtered out and all goodput omes from the previous gateways T n 1(,f 1) (line 18 of Alg.2). We ompare the two options and hoose the one that maximizes the overall goodput (max1 in line 19 of Alg.2). We onsider inreasing values of x until we either run out of filters (x = f) or we filter out all attakers in this gateway (x = M n ). Therefore, x an inrease up to min{f,m n } (line 23 in Alg. 2). Other tehnialities in Algorithm 2 inlude the initializations (lines 1-3) and assigning T = to infeasible problems (line 3-2 nd ase and line 28). Optimal Substruture. We are able to ompute the optimal solution using dynami programming (DP) beause the problem exhibits the optimal substruture property. Proposition. If a is the optimal solution for problem (n,,f), then it ontains a part a {1,...n 1} a (orresponding to the filters assigned to the first n-1 gateways) whih must also be the optimal solution for the smaller problem (n 1,C (C n j=x j= b(n,j)),f x). Proof: a is the optimal solution for problem (n,,f), ahieving maximum goodput Tn(,f). 2 This solution (filter assignment) must have two parts a = (a {1,2..n 1},a {n}). The first part a {1,2..n 1} desribes how filters are plaed aross gateways {1,2,..n 1}. The seond part, a {n} desribes how filters are assigned to gateway {n} only. Let s look at the optimal solution a : it assigns some number of filters (x) to gateway n and the remaining (f x) to gateways {, 1,..n 1}. This means that j=x j= b(n,j) out of C n traffi is filtered out at gateway n and the remaining C n j=x j= b(n,j) is left unfiltered. The two parts ontribute to the maximum throughput as follows: Tn(,f) := T a = T + T a {1,2..n 1} a {n} 2 a will have the form of a vetor (1,,,...,, 1); /1 desribes whether an attaker or gateway has been filtered out or not; the attakers and gateways should be listed in the same order they are onsidered in the DP. Algorithm 2 Dynami Programming (DP) Formulation for the Two-Tiers Filtering Problem 1: for n = 1,2,..N do 2: Tn ( =,:) = { N 3: Tn (:, f = ) = n=1 Gn if N n=1 Gn < C otherwise 4: end for 5: 6: for n [1, N] do 7: for [1, C] do 8: for f [1, F] do 9: /* x out of f filters are assigned to GW n */ 1: 11: /* assign x = filters to GW n*/ 12: max = Tn 1 ( Cn, f) + Gn 13: 14: /*assign x = 1 filter to GW n*/ 15: /*...either at gateway level*/ 16: max1 gw = Tn 1 (, f 1) 17: /*...or at attaker level*/ 18: max1 att = Tn 1 ( (Cn b(n,1)), f 1) + Gn 19: max1 = max{max1 gw, max1 att} 2: max = max{max, max1} 21: 22: /* assign x 2 filters at attak level. */ 23: for x [2, min(f, M n)] do 24: gwn unfiltered := C n x j=1 b(n, j) 25: if > gwn unfiltered then 26: temp := T n 1 ( gwn unfiltered, f x) + G n 27: else 28: temp := 29: end if 3: if temp > max then 31: max := temp 32: end if 33: Tn(, f) := max 34: end for 35: end for 36: end for 37: end for Assume that b, and not a {1,2..n 1}, is the optimal filter assignment for the smaller problem (n 1,C (C n j=x b(n,j)),f x). Then, by definition of the optimal j= filtering, it ahieves larger goodput than the substruture a {1,2..n 1} : T n 1 := T b > T a. {1,2..n 1} We an now onstrut another solution d for the larger problem (n,,f) as follows. Replae the first part a {1,2..n 1} of a with b, for assigning f x filters up to gateway n 1, whih would fit within apaity C (C n j=x j= b(n,j)). Then, do exatly the same assignment as the DP would do, in Eq. 3, for assigning the x remaining filters to gateway n. This newly onstruted filter assignment d has two parts d = (b,d 2 ) that ontribute to the total goodput. The first part b is over gateways {1,2,..n 1}. We onstruted this part to be the same as the optimal assignment of f x filters over gateways {1,2,..n 1}, with available apaity C (C n j=x j= optimal goodput T b := T n 1 T a {1,2..n 1} b(n,j)). Therefore it ahieves. The seond part d 2 is an assignment over only gateway {n}. We onstruted it to do exatly what the DP would do at step n with x available filters: either filter out the worst x attakers of gateway n (i.e. attakers b(n, 1)...b(1, x)) or filter out the entire gateway

6 Differene in Perentage of Good Traffi Perentage of Nodes Attaking Bad/Overall Traffi of Attaking Nodes Fig. 4. Improvement from using optimal filtering for various attak intensities (% of attaking nodes, B/(G+B)). We onsider n = 1 attaking nodes, all sending at the same rate (1Mbps). (if x = 1 is assigned at gateway level). Therefore, d 2 is by onstrution the same assignment as the DP s: d 2 = a {n} and results in the same goodput: T d2 = T a. {n} Therefore, we onstruted a solution d = (b,d 2 ) whih performs better than the DP solution a. T = T + T d b d{n} > T + T a = T (4) {n} a a {1,2..n 1} This is a ontradition beause we assumed that a was an optimal solution for the bigger problem (n,, f). Therefore the substruture a {1,...n 1} of the optimal solution a has to be the optimal solution for the smaller problem. Cost of the Dynami Programming. Computing the optimal solution value T n(c,f) using dynami programming (DP) an be seen as filling up a table of size N C F. For realisti (large) values of N, C, F this an be prohibitively large, both from a run-time and from a memory point of view. While the number of gateways N an be moderate, C (normalized in units of the smallest attak rate) and F (in the order of thousands or tens of thousands) an be quite large in pratie. An idea might be to work with oarser inrements of C and F - whih brings us already in the realm of heuristis for the DP, not addressed in this paper. Nevertheless, omputing the optimal solution is still important as a benhmark for evaluation of any proposed heuristi. Properties of the Optimal Solution. From the simulations in setion IV-D, we made some preliminary observations. E.g., we ompared the two-tier with the attak-tier-only and the gateway-tier-only filtering. Let T N (C,f), G N (C,f), A N (C,f) be the maximum goodput ahieved by the optimal plaement of f filters aross N gateways, onsidering twotier plaement, single-tier plaement at gateways and single attakers respetively. For the same attak senario: T N (C,f) A N (C,f) and T N (C,f) G N (C,f). This is expeted, beause by definition, the optimal solution of the two-tier problem onsiders plaing all filters at gateway and attak level, as speial ases. G < T < A where: G is the optimal filtering Perentage of Good Traffi on Congested Link % High BW Links = 1% (Before Filteirng) 3 % High BW Links = 5% (Before Filteirng) % High BW Links = 9% (Before Filteirng) 2 % High BW Links = 1% (After Filteirng) 1 % High BW Links = 5% (After Filteirng) % High BW Links = 9% (After Filteirng) Perentage of Nodes whith High Bad Traffi Intensity Fig. 5. Improvement from using optimal filtering for various % of nodes with high intensity, and various % of nodes sending at higher rate (1Mbps). H =.9 is fixed for all attaking nodes. for (single) gateway tier and A is the optimal (single) attak tier filtering. Single-tier filtering does not have a onstraint on the number of filters and is only onstrained by the ollateral damage on legitimate traffi. As f, T onverges to A, the optimal solution for attaker s single tier, without a onstraint on f. IV. SIMULATIONS A. Single-Tier Artifiially Generated Senarios We onsidered a wide range of senarios and here we showase some representative results. Let us fix the number N of attak nodes; we onsidered N = 1,1,1. We ontrol the intensity of the attak through a simple model with three parameters. (i) the bandwidth at whih eah node sends is a onfigurable parameter. (ii) x% of the nodes that are attaking and the remaining (1-x)% send legitimate traffi (iii) attaking nodes have all the same bad-to-overall traffi B B+G ratio H = ; the legitimate nodes have ratio 1 H of bad to overall. Fig.4 shows the results for N = 1 nodes, whih all send at the same rate (1Mbps). We onsider all ombinations of x {,1}% and H (.5,.9) and we look at the differene in the % of good traffi on the ongested link, before and after optimal filtering. The figure shows that there is always improvement, with the best improvement (4%) ahieved when 5% of all nodes are attakers, sending at H = B B+G =.9. Then, we also vary the sending rate of eah node. We randomly pik 1%, 5% or 9% of the nodes to have 1 times more bandwidth than the rest (i.e. 1Mbps). The reason we look at heterogeneous bandwidths is that a node should be B B+G filtered based not only on the ratio, but also on its total ontribution B+G to the apaity of the ongested link. Fig.5, shows that optimal filtering signifiantly helps in this ase. 1) Varying the number of attaking nodes: In this setion, we inrease the number of nodes and we are interested not only in the % of good traffi preserved, but also in the number of filters required. We ompare optimal filtering to 3 benhmark poliies:

7 Fig. 6. Perentage of Preserved Good Traffi Number of Filters Uniform Rate Limiting Random Filtering Max min Rate Limiting Optimal Filtering Total Number of Nodes (a) % Good Traffi Preserved after Filtering 5.5 x 14 Optimal Filtering (32Kbps) Optimal Filtering (64Kbps) Optimal Filtering (128Kbps) Uniform & Max Min Rate Limiting ( Kbps) Total Number of Nodes (b) Number of filters used. Performane of Optimal Filtering for the attakers one tier. Uniform rate limiting: rate-limit all nodes by C total traffi, to make sure the total traffi does not exeed the apaity. Notie, that this poliy is equivalent to no filtering in terms of perentage of good to overall traffi on the ongested link. Random filtering: randomly plae the same number of filters as the optimal poliy. Max-min rate limiting: admit the low-rate nodes first while alloating the same bandwidth to the high rate ones; then distribute the exess apaity fairly among the unsatisfied remaining nodes. We vary the number of attakers (from 1 to 5) and we alloate filters to individual attakers (attakers onetier problem ) 3. In Fig6, optimal filtering learly outperforms the other poliies: it preserves more good traffi using less filters. However, the number of filters inreases linearly with the number of attakers, whih learly does not sale for a large number of attakers. To deal with this salability issue, we solve the one-tier problem at the gateway level. We onsider again an inreasing number of attakers (from 1 to 5), but this time 3 In this simulation senario, we vary N, but we make sure that the total good traffi is below the apaity (in partiular N 1 G i = C ), beause this is 2 the pratial ase of adequate provisioning. To onstrut suh an assignment, we assign C 2 over half of the nodes assigning C to every other node and we N randomly pik N/2 nodes and assign them bad traffi. We make sure that the total traffi emitted by eah node is no more than its maximum rate (32, 64, or 128 kbps) TABLE I CODE-RED SCENARIOS Code Red I Code Red II Country GW % of % of % of % of Good Bad Good Bad Traffi Traffi Traffi Traffi from [2] from [16] USA Korea China Taiwan Canada UK Germany Australia Japan Netherlands attakers are evenly spread behind n = 1 gateways (as in Fig. 1) and we alloate filters to gateways, not to individual attakers. The results are shown in Fig. 7. The optimal poliy again outperforms the others: it preserves signifiantly more good traffi while using muh less filters. However, there are several differenes from filtering at the attakers tier, all due to the oarser filtering granularity. First, we need less filters, but the % of preserved traffi drops below 5% in the ase of larger number of attakers. Seond, the number of filters used by the optimal poliy inreases fast up to around 9% and then saturates, beause otherwise all traffi would be bloked. Third, the max-min poliy performs muh worse now; also from a pratial point of view, the uniform and max-min poliies are less attrative, beause they use rate-limiters on all nodes, whih is unrealisti. B. Realisti Attak Senarios First, we used data from the analysis of two reent worms, Code-Red [16] and Slammer [17] to onstrut realisti attak distributions as in the single-tier setion. Another soure of data we used for the attak traffi distribution is Zombie Report [19] published by Prolexi [15]. This report ontains the perentage of bots, grouped per ountry, network, ISP and other meaningful groupings; we use the data referring to the number of infeted hosts per ountry. We assume that if a vitim is under attak that traffi would ome from ten ountries. We onsider the ten first ountries and assume that they are behind ten different gatewaysthe distribution of attak traffi for the Code-Red, Slammer Zombie senario is summarized in the last olumn of Tables I, II and III. We onsider a typial vitim a web-server with 1Mbps aess link. We also onsider that eah ountry is in a different AS, thus is behind a different gateway; we then use the number of attak soures per gateway, as reported in [16], [17], [19] 4 and shown in the 4 th olumn of Table I. For the legitimate traffi, we use the breakdown of Internet users per ountry reported in [2] and shown in the 3 rd olumn of Table I, II and III. We onsider that both attakers and 4 In [16] 8% of the total attak omes from 1 ountries; we distributed the rest 2% of the attak uniformly aross the lower 8 ountries.

8 TABLE II SLAMMER SCENARIO: ATTACK LAUNCHED BY A POPULATION OF HOSTS INFECTED BY A WORM SIMILAR TO SLAMMER. Country GW % Good Traffi % Bad Traffi USA % 44.6% South Korea 2 5.8% 13.6% China % 8% Taiwan 4 2.4% 5.7% Canada 5 3.6% 4.6% Australia 6 2.5% 4.2% UK 7 6.7% 3.8% Japan % 3.5% Netherlands % 3.3% Unknown 1 8.4% 8.7% Total 1% 1% TABLE III PROLEXIC SCENARIO: ATTACK LAUNCHED BY A BOTS POPULATION, SIMILAR TO THE ONE IN THE PROLEXIC ZOMBIE REPORT. Country GW % Good Traffi % Bad Traffi US % 21.5% China % 14.5% Germany % 13.5% UK % 8.5% Frane % 8.5% Brazil 6 4% 7.5% Japan % 7.5% Phillippines 8 1.4% 6.5% Russia % 6.5% Malaysia 1 1.8% 5.5% Total 1% 1% legitimate users send at the same rate (32kbps, 64kbps or 128kbps), orresponding to upstream dialup/dsl. Therefore, if the total number of legitimate users is N and that of attakers is M, then the amount of good and bad traffi oming from gateway i is G i = N (% users behind gateway i) (rate) and B i = M (% users behind gateway i) (rate). Our rationale is that the number of legitimate users is representative of the legitimate traffi oming from eah ountry. We use the number/perentage of legitimate users, to ompute the % of total good traffi generated by eah gateway. The result is summarized in the third olumn in eah attak senario. In summary, we onstrut three realisti attak senarios using data from [2] as well as from the analysis of ode-red worm, slammer worm and the zombie report. C. Results for Single-Tier We simulated the Code-Red senario, (CodeRed I olumns 3 and 4 of Table I) for a number of legitimate users N from 1 to 1 and attakers M from 1 to 1, and we ompared the amount of good traffi preserved without any filtering and with optimal filtering. The results are shown in Fig. 8 for 32Kbps sending rate. (The results for 64kbps and 128kbps show similar trends and are omitted here). Fig. 8(a) shows the % of good traffi preserved. When the total good traffi is less than the apaity of the ongested link, 5 and the number of attakers was between 1 and 2, 5 When the good traffi exeeds the apaity, we annot preserve 1% of it. This an be seen as a ombination of a flash-rowd and a DDoS attak. In the rest of the paper, we fous on ases where the good traffi does not exeed the apaity (whih is the ase with normal operation and good provisioning). Perenatge of Preserved Good Traffi Number of Filters Uniform Rate Limiting Random Filteirng Max min rate limiting Optimal Filtering Total Number of Nodes (a) % Good Traffi Preserved after Filtering Uniform & Max Min ( Kbps) Optimal (32Kbps) Optimal (64Kbps) Optimal (128Kbps) TotaL Number of Nodes (b) Number of filters used. Fig. 7. Performane of Optimal Filtering for the gateways one tier (1 gateways, same number of attakers behind eah gateway). optimal filtering preserves 1% of the good traffi. As the number of attakers inreases, the % of good traffi preserved drops; e.g. for 1 users and 1 attakers, optimal filtering preserves 55% of the good traffi. This is beause filtering at the gateway level is based on destination address and domain soure address; better results ould be ahieved if a finer granularity of filtering ould be applied (i.e. soure address of individual attakers), as in the multi-tier ase later. Fig. 8(b) shows the % of the apaity of the ongested link that onsists of good traffi. When the number of attakers is omparable to the number of legitimate users (e.g. 1 attakers and 1 users), we observe that the optimal filtering preserves 25% more good traffi, whih inreases the perentage of good traffi on the ongested link from 5% to 75%. However, at the extremes where the number of legitimate users is muh smaller (e.g. 1 users and 1 attakers) or muh larger (e.g. 1 users and 1 attakers) than the number of attakers then the optimal filtering inreases the preserved good traffi only marginally ( 1%). The improvement ahieved above was moderate, beause all gateways had both good and bad traffi. If there are gateways that arry only good or bad traffi, then filtering would be able to better separate good from bad traffi and further improve performane. To demonstrate this, we modify the distributions of good and bad traffi per gateway, as shown in senario Code Red II 5 th and 6 th olumn of Table I. This modifiation maps to real life senarios in whih a ertain website has only ustomers in some, but not all, ountries (ASes). Also it is reasonable to assume that the attaker will not be able to ompromise hosts in ASes that span all ountries, thus there are some gateways with only bad or good traffi.

9 Perentage of Preserved Good Traffi legitimate users 5 legitimate users 1 legitimate users (a) % Good Traffi Preserved after Optimal Filtering Perenatge of Good Traffi Preserved Legitimate Users 5 Legitimate Users 1 Legitimate Users Perenatge of Good Traffi on Gongested Link Legitimate Users 5 Legitimate Users 1 Legitimate Users (b) Good % Link BW before/after Optimal Filtering. Fig. 8. Performane of Optimal Filtering for senario Code Red I. We used the same simulation setup as for the Code-Red I senario and the results are shown in Fig. 9. The trends are similar but the improvement is more substantial: the apaity of the ongested link used by good traffi improves up to 5%. In the ase of 1 legitimate users, optimal filtering allows only good traffi through the ongested link until the apaity is used. The same behavior an be observed for 5 legitimate users with 64Kbps and 128Kbps rates. D. Results For Two-Tiers Figures 1, 11, and 12 show the performane of optimal two-tier filtering for the Code-Red senario, Slammer and Zombie senario respetively. In all three ases, we inrease the number of attakersand we look at how well filtering an handle the inreasing attak traffi. The performane metris of interest are (a) the % goodput preserved after filtering and (b) the number of filters used in the proess. As a baseline for omparison, we also show the performane of the optimal single-tier filtering at gateway and attak level. In all three figures, the optimal solution performs similarly, although they are based on different distributions of good and bad traffi. As expeted, filtering at attakers level (plain red line) gives the upper bound for the preserved goodput. Indeed, one an preserved 1 % of the good traffi by filtering out eah individual attaker (assuming there are no hosts that produe both good and bad traffi) but requires as many filters as the number of attakers, whih is impratial. Filtering at the gateway level (shown in dashed green line) provides a lower bound to the preserved goodput (beause it filters out together both good and bad traffi behind the same gateway) but uses a small number of filters. Two-tier filtering lies in the middle (blue urves): it provides a graeful degradation of Fig. 9. (a) % Good Traffi Preserved after Optimal Filtering Perentage of Good Traffi on Congested Link Legitimate Users 1 Legitimate Users 1 Legitimate Users (b) Good % Link BW before/after Optimal Filtering. Fration of Preserved Good Traffi Number of Used Filters Performane of Optimal Filtering for senario Code Red II Optimal Attak Single Tier Optimal Two Tiers, 5 Filters Optimal Two Tiers, 5 Filters Optimal Single Gateways Tier (a) % Good Traffi Preserved Optimal Attakers Tier Optimal DP (5 Filters) Optimal DP (7 Filters) Optimal GW Tier (b) Number of filters used. Fig. 1. Performane of Optimal Two-tier Filtering for the CodeRed senario.

10 Fration of Preserved Good Traffi Optimal Single Attak Tier Optimal Two Tiers, 5 Filters Optimal Two Tiers, 5 Filters Optimal Single Gateway Tier Fration of Preserved Good Traffi Optimal Single Attak Tier Optimal Two Tiers, 5 Filters Optimal Two Tiers, 5 Filters Optimal Single Gateways Tier (a) % Good Traffi Preserved (a) % Good Traffi Preserved Number of Used Filters Optimal Single Attak Tier Optimal Two Tiers, 5 Filters Optimal Two Tiers, 7 Filters Optimal Single Gateway Tier Number of Used Filters Optimal Single Attak Tier Optimal Two Tiers, 5 Filters Optimal Two Tiers, 7 Filters Optimal Single Gateway Tier (b) Number of filters used. (b) Number of filters used. Fig. 11. Performane of Optimal Two-tier Filtering for the Slammer senario. Fig. 12. Performane of Optimal Two-tier Filtering for the Zombie senario. preserved goodput using a small number of filters. The larger the number of filters available to multi-tier filtering, the loser the preserved goodput to the upper bound. V. CONCLUSION In this paper, we studied the optimal alloation of filters against DDoS attaks. We formulated the single-tier alloation as a knapsak problem and the two-tier problem using dynami programming. We simulated the optimal solution using realisti attak senarios and showed that optimal filtering an signifiantly improve the trade-off between preserved good traffi and number of filters. We are urrently working on several issues inluding effiient heuristis to ahieve nearoptimal performane at lower omplexity, filter alloation under unertainty in the identifiation of attakers, and alloation aross many routers and vitims. ACKNOWLEDGMENT We would like to thank the Center for Pervasive Communiations and Computing (CPCC) and the Emulex Fellowship from Calit2 for sponsoring K. El Defrawy at U.C. Irvine. REFERENCES [1] Blue Seurity folds under spammer s wrath, [2] J. Mirkovi and P.Reiher, A Taxonomy of DDoS Attaks and DDoS Defense Mehanisms, ACM CCR Vol.34(2), 24. [3] A.Yaar, A. Perrig and D.Song, A Path Identifiation Mehanism to Defend against DDoS Attaks, in Pro. of IEEE Symposium on Seurity and Privay, Oakland, CA, USA, May 23. [4] P. Furgeson and D. Denie, Network Ingress Filtering: Defeating DoS Attaks that Employ IP Soure address spooofing, RFC 2827, Jan [5] S. Savage, D. Wetherall, A. Karlin, T. Anderson, Pratial Network Support for IP Traebak, in ACM SIGCOMM Computer Communiation Review, Vol. 3(4), pp , Ot. 2. [6] A. Snoeren,, Hash-Based IP Traebak, in Pro. ACM SIGCOMM, Aug. 21, San Diego, CA. [7] Mihael T. Goodrih, Effiient Paket Marking for Large-Sale IP Traebak, in Pro. of CCS 2, pp [8] R. Mahajan, S. Bellovin, S. Floyd, J. Ioannidis, V. Paxson and S. Shenker, Controlling High Bandwidth Aggregates in the Network, in ACM Computer Comm. Review, Vol. 32(3), pp , July 22. [9] K. Argyraki and D.R.Cheriton, Ative Internet Traffi Filtering: Realtime Response to Denial-of-servie Attaks, in Pro. of USENIX Seurity 25. [1] T.Anderson, T.Rosoe, D.Wetherall, Preventing Internet Denial-of- Servie attaks with Capabilities, Internet Denial of Servie, 23. [11] X.Yang, D.Wetherall, T.Anderson, A DoS-limiting Arhiteture, in Pro. ACM SIGCOMM, Aug. 25, Philadelphia, PA, USA. [12] X. Liu, X. Yang, D. Wetherall, T. Anderson, Effiient and Seure Soure Authentiation with Paket Passports, in Pro. of USENIX SRUTI, San Jose, CA 26. [13] A. Keromytis, V. Misra, D. Rubenstein, SoS: Seure Overlay Servies, in Pro. of ACM SIGCOMM 2, pp , Aug. 22, Pittsburgh, PA. [14] D.Andersen, Mayday: Distributed Filtering for Internet Servies, in Pro. 4th USENIX Symposium (USITS), Seattle, WA, Mar. 23. [15] Prolexi Tehnologies, [16] D. Moore, C. Shannon, J. Brown, Code-Red: a ase study on the spread and vitims of an Internet worm, in Pro. ACM IMW 22. [17] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford and N. Weaver, Inside the Slammer Worm, in Pro. of IEEE Seurity and Privay, 1(4):33-39, July 23. [18] S. Staniford, D. Moore, V. Paxson and N. Weaver, The Top Speed of Flash Worms, in Pro. ACM CCS WORM, Ot. 24. [19] The Prolexi zombie report, Q1-Q2 25. [2] Internet World Stats, [21] H. Kellerer, U. Pfershy, D.Pisinger, Knapsak Problems, Springer 24.