Post on 05-Feb-2018
SENSS Security Service for the Internet
Jelena Mirkovic (USC/ISI), Minlan Yu (USC), Ying Zhang (HP Labs), Sivaram Ramanathan (USC)
DDoS Attacks: Large and Powerful
• DDoS attacks are increasing in volume and frequency (new record 1.2 Tbps)
• Disproportionate power in hands of attacker
  – Attacks that bring down large, well provisioned victims often wielded by a single person or small group (Spamhaus, Dyn, OVH and Krebs)
  – No special experience or circumstance
  – Cheap for attacker, very expensive for the victim
• Enabled by large, distributed botnets
  – No single entity (centralized or distributed) can withstand this, distributed defenses a must
Our solution: SENSS
• Fully software solution – easy to deploy
• Enables any ISP to offer automated services for DDoS diagnosis and mitigation
  - Naturally distributed, secure, robust to misbehavior
  - Works with existing ISP infrastructure (SDN, Flowspec, Netflow)
• Victim queries its own ISP or remote ISPs
  - About its inbound traffic, routes to its prefixes
  - This helps detect best points for mitigation
• Victim asks select ISPs to:
  - Filter some of its inbound traffic (victim specifies header signature)
  - Demote a route that may contain a bottleneck
SENSS Modules
[Figure: topology diagram with nodes A through T, labeled with the SENSS modules: client, server, detector, proxy, blacklist aggregator]
SENSS APIs at ISPs
• Exposed as Web services
  – Leverage existing functionalities for robustness (replication), security (HTTPS), charging (e-commerce)
• Message authentication: Proof of authority for a prefix
  – E.g., RPKI, a DB of known customers, prefixes and public keys
• TLS for communication security
| Type | Fields | Action/Reply |
|---|---|---|
| Traffic query | Flow, dir, obs_time | List of <tag, dir, volume> |
| Traffic filter/allow | Flow, dir, tag, duration | Deploy filter/allow actions |
| Route query | Prefix | List of best paths to prefix |
| Route demote | Prefix, segment, duration | Demote routes with given segment |
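
Added example (not SENSS project code): the proof-of-authority step an ISP-side server could run once the sender is authenticated, so that a customer can only query, filter or demote for prefixes it holds. The message layout, the type names, the `dst` key inside `flow`, the customer names and the prefix DB are assumptions constructed for illustration; signature and TLS checks are assumed to have happened already.

```python
import ipaddress

# Required fields per message type, copied from the API table above.
# The snake_case type names are hypothetical.
REQUIRED = {
    "traffic_query": {"flow", "dir", "obs_time"},
    "traffic_filter": {"flow", "dir", "tag", "duration"},
    "route_query": {"prefix"},
    "route_demote": {"prefix", "segment", "duration"},
}

# Constructed sample of the "DB of known customers, prefixes" (documentation ranges).
CUSTOMER_PREFIXES = {
    "customer-a": ["192.0.2.0/24", "2001:db8:a::/48"],
    "customer-b": ["198.51.100.0/24"],
}

def covered(prefix_text, customer):
    """True if prefix_text lies entirely inside a prefix the customer holds."""
    try:
        net = ipaddress.ip_network(prefix_text, strict=True)
    except (ValueError, TypeError):
        return False
    for own_text in CUSTOMER_PREFIXES.get(customer, []):
        own = ipaddress.ip_network(own_text)
        # subnet_of() raises TypeError on mixed IPv4/IPv6, so compare versions first.
        if net.version == own.version and net.subnet_of(own):
            return True
    return False

def authorize(customer, msg):
    """Return (ok, reason) for a request whose sender is already authenticated."""
    required = REQUIRED.get(msg.get("type"))
    if required is None:
        return False, "unknown type"
    missing = required - msg.keys()
    if missing:
        return False, "missing fields: " + ",".join(sorted(missing))
    if "flow" in required:
        # Assumption: flow is a dict of header fields and "dst" names the protected prefix.
        flow = msg["flow"]
        target = flow.get("dst") if isinstance(flow, dict) else None
    else:
        target = msg["prefix"]
    if not covered(target, customer):
        return False, "no authority for prefix"
    return True, "ok"
```

A request for a covering prefix such as `192.0.0.0/16` is refused even though it contains the customer's /24, because the requested range must sit entirely inside what the customer holds.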
How Can You Help?
• Deploy a passive module:
  – Detector – learn how often you experience DDoS or participate in it
  – Blacklist aggregator – get our feed of suspicious prefixes
• Deploy an active module:
  – Server – automate filter rule deployment in multiple switches
  – Client + Detector – leverage your ISP’s DDoS solution and trigger it automatically
• Looking for:
  – Experiences from trenches, what do you do now for DoS?
  – One-time feedback on needs, deployability, concerns
  – 1h/month ongoing feedback from ops world
  – Sites to pilot our solutions
Contact us: sunshine@isi.edu
http://steel.isi.edu/Projects/SENSS/
Jelena Mirkovic, Minlan Yu, Ying Zhang, Sivaram Ramanathan