A Blockchain-based Architecture for Collaborative DDoS Mitigation … · 2017-02-01 · • Sahay...
© 2017 1
A Blockchain-based Architecture for Collaborative DDoS Mitigation with Smart Contracts
Bruno Rodrigues1, Thomas Bocek1, David Hausheer2, Andri Lareida1, Sina Rafati1, Burkhard Stiller1
1 Communication Systems Group (CSG), Department of Informatics (IfI), University of Zurich (UZH)
2 P2P System Engineering Lab, Department of Electrical Engineering and Information Technology, TU Darmstadt
DDoS Recent Attacks
[Figure: news headlines on recent DDoS attacks, dated 29.11.2016, 03.01.2017, 06.01.2017, 24.01.2017 and 31.01.2017]
DDoS Attacks (1)
• Attacks are getting bigger
• Akamai reports a 138% yearly increase in total DDoS attacks larger than 100 Gbps; 71% in total DDoS attacks.
Sources: Bleeping Computer (Leet botnet), Dec. 2016; IoT News, Nov. 2016; Akamai, Q3/2016
DDoS Attacks (2)
• Attacks are becoming more sophisticated and more frequent
“Identifying layer 7 attacks requires an understanding of the underlying application. It also requires proper differentiation between malicious bot traffic, regular bot traffic (such as search engine bots), and human traffic”
“In a DNS amplification attack, an attacker can send 1 Gbps of initial traffic, and 100 Gbps is delivered to the target” (Incapsula)
Sources: Imperva, 2016; Akamai, Q3/2016; Incapsula
DDoS Mitigation
• Traditional scenario of DDoS mitigation: defense in a single domain
• Attacks are getting bigger and more sophisticated: opportunity for collaborative-defense mechanisms
[Figure: attackers located in AS1 and AS2 send attack traffic towards the victim in AS3, which runs a DDoS defense mechanism. AS3 detects the attack but gets overloaded; AS1 and AS2 do not detect the attack.]
Collaborative DDoS Defense
Benefits:
• Allows combining the defense capabilities of different ASes
• Reduces the burden of detection/mitigation in a single domain
• Allows blocking malicious traffic near its source
• Can reduce response time
[Figure: AS1, AS2 and AS3 send/receive attack information over a gossip-based protocol and pool their defense capabilities against the attack traffic.]
Collaborative DDoS Defense
• IETF (draft) DOTS (DDoS Open Threat Signaling): standardization of an architecture and protocol covering both intra-organization and inter-organization communications for advertising DDoS attacks.
  • IETF 2016
• Steinberger et al. propose an advertising protocol based on FLEX (Flow-based Event eXchange) to simplify protocol integration and deployment into existing equipment.
  • NOMS 2016
• Sahay et al.: SDN-based collaborative framework which allows customers to request DDoS mitigation from ASes. Requires an SDN controller at the customer side interfaced with the AS.
  • NDSS (Network and Distributed System Security) 2015
• CoFence: cooperation between domains that implements VNFs to alleviate DDoS attacks by redirecting and reshaping excessive traffic to other collaborating domains for filtering.
  • CNSM 2016
Collaborative DDoS Defense
• IETF DOTS: architecture for inter-organization DDoS protection
• Complex architecture and deployment
• Main asset: standardization power
[Figure: ongoing IETF DOTS drafts: 1 - DOTS requirements, 2 - DOTS proposal, 3 - DOTS architecture]
Blockchain and Smart Contracts
• Decentralized and immutable ledger; no central repository or single administrator.
• Full decentralization, enabling trust among non-trusted peers.
• Holds and reports a record of every transaction, ensuring transparency.
• Available to everybody, so transactions are public.
Smart contracts are pieces of software made to facilitate the negotiation or performance of a contract, able to be executed, verified or enforced on their own.
• Self-executing and immutable code stored on the blockchain
Blockchain and Smart Contracts
[Figure: blockchain users (1) submit transactions to a pool of transactions; miners (2) collect transactions, (3) execute the smart contract, (4) solve the Proof of Work (PoW) and (5) broadcast the data. Each block consists of a header holding the hash of the previous block header, and data holding the transactions.]
Blockchain and Smart Contracts Applied To Collaborative DDoS Mitigation
• Blockchain users: Autonomous Systems (ASes) or customers
• Transaction: composed of a list of addresses either to be explicitly allowed (whitelist) or blocked (blacklist)
• Smart contracts: comprise the logic to report IP addresses in the blockchain and to prove the authenticity of the entity reporting the IP list.
• For the customer, the certificate can be created with an automated challenge-response system.
[Figure: ASes and customers report a list of addresses as a transaction; a miner collects it, executes the smart contract and broadcasts the block; ASes and customers retrieve the lists from the blockchain.]
Blockchain-based Collaborative Defense
Advantages:
• Public and already available technology
• Appliances to read/write in the blockchain are easy to integrate into existing solutions
• Can be used as an additional security mechanism without modifying existing ones
• Independent of security policies and mechanisms
• Customers can also report attacks
[Figure: AS1, AS2, AS3 and a customer send/receive attack info through the blocks of a shared blockchain instead of a dedicated gossip protocol.]
Blockchain-based Collaborative Defense
Ethereum blockchain
• A new block is mined every 14 seconds in Ethereum
• Both ASes and verified customers can report/retrieve IP addresses to/from the blockchain
• Both blacklisted and whitelisted IP addresses are supported
• The “gossip-logic” is implemented in Smart Contracts
Blockchain-based Collaborative Defense
• Either the AS or customers can create contracts; customers need to be certified in order to report addresses.
• Smart contracts are linked using a registry-type entry so that whenever a new list is reported, other contracts are updated.
• Smart contract data can use a URL to point to a list of addresses.
Smart Contract code: collaborative approach with a few lines of code
[Figure: smart contract source code listing]
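The contract listing on this slide did not survive extraction. The following Solidity sketch is an added example, not the authors' contract: it implements the behaviour the previous slides describe (an AS deploys the contract, certifies customers after its own challenge-response check, and both can report blacklisted or whitelisted addresses or a URL pointing to a longer list, which other ASes retrieve). The contract, function and event names are assumptions, and the registry linking between contracts is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical reporting contract (added example, not the authors' code).
// An AS deploys it, certifies its customers, and both can publish
// blacklist/whitelist reports that other ASes read from the chain.
contract DDoSReportList {
    enum ListType { Blacklist, Whitelist }
    struct Report {
        address reporter;   // AS (owner) or certified customer
        ListType kind;      // block (blacklist) or explicitly allow (whitelist)
        string[] addrs;     // IP addresses as plain strings, e.g. "203.0.113.7"
        string url;         // optional pointer to a longer list kept off-chain
        uint256 reportedAt; // block timestamp of the report
    }
    address public immutable owner;            // the AS operating this contract
    mapping(address => bool) public certified; // customers allowed to report
    Report[] private reports;
    // Other ASes subscribe to this event instead of running a gossip protocol.
    event Reported(address indexed reporter, ListType kind, uint256 count, string url);
    constructor() { owner = msg.sender; }
    // Called by the AS once its challenge-response check of the customer succeeded.
    function certify(address customer, bool allowed) external {
        require(msg.sender == owner, "only the AS certifies");
        certified[customer] = allowed;
    }
    // Store a report; uncertified senders are rejected, so the chain only
    // carries lists whose origin an AS has vouched for.
    function report(ListType kind, string[] calldata addrs, string calldata url) external {
        require(msg.sender == owner || certified[msg.sender], "not certified");
        require(addrs.length > 0 || bytes(url).length > 0, "empty report");
        Report storage r = reports.push();
        r.reporter = msg.sender;
        r.kind = kind;
        r.url = url;
        r.reportedAt = block.timestamp;
        for (uint256 i = 0; i < addrs.length; i++) r.addrs.push(addrs[i]);
        emit Reported(msg.sender, kind, addrs.length, url);
    }
    function reportCount() external view returns (uint256) { return reports.length; }
    // Retrieve one report; an AS feeds the addresses into its own filtering policy.
    function getReport(uint256 i) external view returns (address, ListType, string[] memory, string memory, uint256) {
        Report storage r = reports[i];
        return (r.reporter, r.kind, r.addrs, r.url, r.reportedAt);
    }
}
```

A reading AS would treat a retrieved list as advice from the reporting party, not as a command: the certification check above proves who reported, not that the addresses are actually hostile.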
Summary and Future Work
• Summary
  • Blockchains reduce the complexity of collaborative DDoS mitigation approaches by replacing existing gossip-based architectures/protocols with an already available infrastructure.
  • The solution has low development complexity (less than 100 lines of code).
  • Easy to integrate: it can be deployed as an additional security mechanism; existing security mechanisms and policies in ASes do not need to be modified.
• Future work
  • Investigate detection and enforcement details based on the combination of SDN and NFV technologies.
  • SDN enables the enforcement of customizable security policies and services.
  • NFV-enabled blockchain appliance able to report and retrieve IP addresses and request traffic changes to an SDN controller.
Discussion
• Reasonable approach?
• Could this be deployed at an ISP?
• Fed4Fire?
References
• K. Nishizuka, L. Xia, J. Xia, D. Zhang, L. Fang, and C. Gray. 2016. Inter-organization cooperative DDoS protection mechanism. IETF Draft. https://tools.ietf.org/html/draft-nishizuka-dots-inter-domain-mechanism-02
• J. Steinberger, B. Kuhnert, A. Sperotto, H. Baier, and A. Pras. 2016. Collaborative DDoS defense using flow-based security event information. In IEEE/IFIP Network Operations and Management Symposium (NOMS), 2016, pp. 516-522.
• B. Rashidi and C. Fung. 2016. CoFence: A Collaborative DDoS Defence Using Network Function Virtualization. In 12th International Conference on Network and Service Management (CNSM), 2016. IEEE.
• R. Sahay, G. Blanc, Z. Zhang, and H. Debar. 2015. Towards Autonomic DDoS Mitigation using Software Defined Networking. NDSS Workshop on Security of Emerging Networking Technologies, Feb 2015, San Diego, CA, United States.