Proactive Surge Protection: A Defense Mechanism for Bandwidth-Based Attacks

Transcription

1 Proactive Surge Protection: A Defense Mechanism for Bandwidth-Based Attacks Jerry Chou, Bill Lin University of California, San Diego Subhabrata Sen, Oliver Spatscheck AT&T Labs-Research USENIX Security Symposium, San Jose, USA, July 30, 2008

2 Outline Problem Approach Experimental Results Summary USENIX Security Symposium, San Jose, USA, July 30, 2008 Slide 2

3 Motivation Seattle Sunnyvale Los Angeles Chicago New York Denver Indianapolis Kansas City Washington Atlanta Houston Large-scale bandwidth-based DDoS attacks can quickly knock out substantial parts of a network before reactive defenses can respond All traffic that share common route links will suffer collateral damage even if it is not under direct attack USENIX Security Symposium, San Jose, USA, July 30, 2008 Slide 3

4 Motivation Potential for large-scale bandwidth-based DDoS attacks exist e.g. large botnets with more than 100,000 bots exist today that, when combined with the prevalence of highspeed Internet access, can give attackers multiple tens of Gb/s of attack capacity Moreover, core networks are oversubscribed (e.g. some core routers in Abilene have more than 30 Gb/s incoming traffic from access networks, but only 20 Gb/s of outgoing capacity to the core USENIX Security Symposium, San Jose, USA, July 30, 2008 Slide 4

5 Example Scenario Seattle/NY: 3 Gb/s Seattle 10G New York Sunnyvale 10G Kansas City 10G Indianapolis Sunnyvale/NY: 3 Gb/s Houston Atlanta Suppose under normal condition Traffic between Seattle/NY + Sunnyvale/NY under 10 Gb/s USENIX Security Symposium, San Jose, USA, July 30, 2008 Slide 5

6 Example Scenario Seattle/NY: 3 Gb/s Seattle 10G New York Sunnyvale 10G Kansas City 10G Indianapolis Sunnyvale/NY: 3 Gb/s Houston Atlanta Houston/Atlanta: Attack 10 Gb/s Suppose sudden attack between Houston/Atlanta Congested links suffer high rate of packet loss Serious collateral damage on crossfire OD pairs USENIX Security Symposium, San Jose, USA, July 30, 2008 Slide 6

7 Impact on Collateral Damage US Europe OD pairs are classified into 3 types with respect to the attack traffic Attacked: OD pairs with attack traffic Crossfire: OD pairs sharing route links with attack traffic Non-crossfire: OD pairs not sharing route links with attack traffic Collateral damage occurs on crossfire OD pairs Even a small percentage of attack flows can affect substantial parts of the network USENIX Security Symposium, San Jose, USA, July 30, 2008 Slide 7

8 Related Works Most existing DDoS defense solutions are reactive in nature However, large-scale bandwidth-based DDoS attacks can quickly knock out substantial parts of a network before reactive defenses can respond Therefore, we need a proactive defense mechanism that works immediately when an attack occurs USENIX Security Symposium, San Jose, USA, July 30, 2008 Slide 8

9 Related Works (cont d) Router-based defenses like Random Early Drop (RED, RED-PD, etc) can prevent congestion by dropping packets early before congestion But may drop normal traffic indiscriminately, causing responsive TCP flows to severely degrade Approximate fair dropping schemes aim to provide fair sharing between flows But attackers can launch many seemingly legitimate TCP connections with spoofed IP addresses and port numbers Both aggregate-based and flow-based router defense mechanisms can be defeated USENIX Security Symposium, San Jose, USA, July 30, 2008 Slide 9

10 Previous Solutions (cont d) Router-based defenses like Random Early Drop (RED, RED-PD, etc) can prevent congestion by dropping packets early before congestion But may drop normal traffic indiscriminately, causing responsive TCP flows to severely degrade In In general, defenses based on unauthenticated header information such as IP addresses and port numbers Approximate unauthenticated fair dropping header schemes information aim to provide such fair as sharing between flows But attackers can may launch many seemingly legitimate TCP connections not with be spoofed reliable IP addresses and port numbers Both aggregate-based and flow-based router defense mechanisms can be defeated USENIX Security Symposium, San Jose, USA, July 30, 2008 Slide 10

11 Outline Problem Approach Experimental Results Summary USENIX Security Symposium, San Jose, USA, July 30, 2008 Slide 11

12 Our Solution Provide bandwidth isolation between OD pairs, independent of IP spoofing or number of TCP/UDP connections We call this method Proactive Surge Protection (PSP) as it aims to proactively limit the damage that can be caused by sudden demand surges, e.g. sudden bandwidth-based DDoS attacks USENIX Security Symposium, San Jose, USA, July 30, 2008 Slide 12

13 Basic Idea: Bandwidth Isolation Seattle/NY: Limit: 3.5 Gb/s Actual: 3 Gb/s All admitted as High Traffic received in NY: Seattle: 3 Gb/s Sunnyvale: 3 Gb/s Seattle Meter and tag packets on ingress as HIGH or LOW priority Based on historical traffic demands and network capacity Drop LOW packets under congestion inside network New York Kansas City 10G 10G Sunnyvale Indianapolis Proposed mechanism proactively drop attack Proposed mechanism proactively drop attack traffic immediately when attacks occur Sunnyvale/NY: Limit: 3.5 Gb/s Actual: 3 Gb/s All admitted as High Houston Atlanta 10G Houston/Atlanta: Limit: 3 Gb/s Actual: 210 Gb/s Gb/s All High: admitted 3 Gb/sas High Low: 7 Gb/s USENIX Security Symposium, San Jose, USA, July 30, 2008 Slide 13

14 Architecture Traffic Traffic Data Data Collector Collector Traffic Measurement Bandwidth Bandwidth Allocator Allocator Bandwidth Allocation Matrix Policy Plane Proposed mechanism readily available Data Planein Deployed at Network modern Routers routers tagged arriving packets packets Proposed mechanism readily available in forwarded packets Preferential Preferential Dropping Dropping Differential Differential Tagging Tagging dropped packets Deployed at Network Perimeter High priority Low priority USENIX Security Symposium, San Jose, USA, July 30, 2008 Slide 14

15 Allocation Algorithms Aggregate traffic at the core is very smooth and variations are predictable Compute a bandwidth allocation matrix for each hour based on historical traffic measurements e.g. allocation at 3pm is computed by traffic measurements during 3-4pm in the past 2 months Source: Roughan 03 on a Tier-1 US Backbone USENIX Security Symposium, San Jose, USA, July 30, 2008 Slide 15

16 Allocation Algorithms To account for measurement inaccuracies and provide headroom for traffic burstiness, we fully allocate the entire network capacity as an utility max-min fair allocation problem Mean-PSP: based on the mean of traffic demands CDF-PSP: based on the Cumulative Distribution Function (CDF) of traffic demands Utility Max-min fair allocation Iteratively allocate bandwidth in water-filling manner Each iteration maximize the common utility of all flows Remove the flows without residual capacity after each iteration USENIX Security Symposium, San Jose, USA, July 30, 2008 Slide 16

17 Utility Max-min Fair Bandwidth Allocation Utility functions A B Utility(%) Network A BW B C 5 Utility(%) BW Allocation B C BW 1st round AB Links BC Utility(%) BW A C BW 2nd round AB Links BC USENIX Security Symposium, San Jose, USA, July 30, 2008 Slide 17

18 Mean-PSP (Mean-based Max-min) Use mean traffic demand as the utility function f ij ( B Iteratively allocate bandwidth in waterfilling manner A ij ) = 10G 10G d ij B B ij /# measurement 10G 10G C A B C BW Mean Demand AB A B C st round BC CB Links 1 - BA A B C BW BW Allocation B ij - AB A B C nd round BC CB Links 4 - BA USENIX Security Symposium, San Jose, USA, July 30, 2008 Slide 18

19 CDF-PSP (CDF-based Max-min) Explicitly capture the traffic variance by using a Cumulative Distribution Function (CDF) model as utility functions f ij ( Bij) = PROB[ dij Bij] Maximize utility is equivalent to minimizing the drop probabilities for all flows in a max-min fair manner E.g : = Utility(%) d ij (1,1,1, 3, 5) BW When allocated 3 unit bandwidth, drop probability is 20% USENIX Security Symposium, San Jose, USA, July 30, 2008 Slide 19

20 Outline Problem Approach Experimental Results Summary USENIX Security Symposium, San Jose, USA, July 30, 2008 Slide 20

21 Networks US Backbone Large tier1 backbone network in US ~700 nodes, ~2000 links (1.5Mb/s 10Gb/s) 1-minute traffic traces: 07/01/07-09/03/07 Europe Backbone Large tier1 backbone network in Europe ~900 nodes, ~3000 links (1.5Mb/s 10Gb/s) 1-minute traffic traces: 07/01/07-09/03/07 USENIX Security Symposium, San Jose, USA, July 30, 2008 Slide 21

22 Evaluation Methodology NS2 Simulation Normal traffic: Based on actual traffic demands over 24 hour period for each backbone Attack traffic: US Backbone: highly distributed attack scenario Based on commercial anomaly detection systems From 40% ingress routers to 25% egress routers Europe Backbone: targeted attack scenario Created by synthetic attack flow generator From 40% ingress routes to only 2% egress routers USENIX Security Symposium, San Jose, USA, July 30, 2008 Slide 22

23 Packet Loss Rate Comparison US Europe Both PSP schemes greatly reduced packet loss rates Peak hours have higher packet loss rates USENIX Security Symposium, San Jose, USA, July 30, 2008 Slide 23

24 Relative Loss Rate Comparison US Europe PSP reduced packet loss rates by more than 75% USENIX Security Symposium, San Jose, USA, July 30, 2008 Slide 24

25 Behavior Under Scaled Attacks Packet drop rate under attack demand scaled by factor up to 3x US Europe Under PSP, the loss remains small throughout the range! USENIX Security Symposium, San Jose, USA, July 30, 2008 Slide 25

26 Summary of Contributions Proactive solution for protecting networks that provides a first line of defense when sudden DDoS attacks occur Very effective in protecting network traffic from collateral damage Not dependent on unauthenticated header information, thus robust to IP spoofing Readily deployable using existing router mechanisms USENIX Security Symposium, San Jose, USA, July 30, 2008 Slide 26

27 Questions? USENIX Security Symposium, San Jose, USA, July 30, 2008