Transcript of slides: Bohatei: Flexible and Elastic DDoS Defense
Slide 1: Bohatei: Flexible and Elastic DDoS Defense
Seyed K. Fayaz, Yoshiaki Tobioka, Vyas Sekar, Michael Bailey
https://github.com/ddos-defense/bohatei
Slide 2: DDoS attacks are getting worse
• Increasing in number
• Increasing in volume
• Increasing in diversity
• High cost on victims
(Headlines cited on the slide: Threatpost, 7/31/2015; The New York Times, 3/30/2015; Incapsula, 11/12/2014; Arbor Networks, 2/14/2014; Radware, 10/7/2014; Cloudflare, 3/27/2013; Imperva, 2015; Techworld, 7/16/2014)
Slide 3: DDoS Defense Today: Expensive Proprietary Hardware
(Figure labels: Intranet, Assets)
Slide 4: Limitation: Fixed functionality
What if new types of attacks emerge?
(Figure labels: Intranet, Assets)
Slide 5: Limitation: Fixed capacity
(Figure: attack volume (Gbps) over time t1..t4 plotted against a fixed-capacity line; the regions where capacity exceeds the attack are labelled "waste". Figure labels: Intranet, Assets)
Slide 6: Limitation: Fixed location
• Additional traffic latency due to waypointing
• Routing hacks to enforce defense
(Figure: source and destination, with the shortest path crossed out)
Slide 7: Need flexibility w.r.t. attack type
(Figure labels: Assets)
Slide 8: Need Flexibility w.r.t. Attack Locations
(Figure labels: Assets, A, B, C)
Slide 9: Need Elasticity w.r.t. Attack Volume
(Figure labels: Assets)
Slide 10: Bohatei in a nutshell
A practical ISP-scale system for Flexible and Elastic DDoS Defense via Software-Defined Networking (SDN) & Network Functions Virtualization (NFV)
React to 500 Gbps scale attacks in 1 min!
Slide 11: Outline
• Motivation
• Background on SDN/NFV
• Bohatei overview and challenges
• System design
• Implementation
• Evaluation
• Conclusions
Slide 12: Software-Defined Networking (SDN)
Centralized management + Open config APIs
(Figure: a controller programming several switches, each holding a forwarding table of “Flow” → FwdAction entries)
Slide 13: Network Functions Virtualization (NFV)
Today: Standalone and Specialized (Proxy, Firewall, IDS/IPS, AppFilter)
NFV: the same functions on commodity hardware
Slide 14: Why are SDN/NFV useful for DDoS defense?
Limitations of today's defense: Expensive, Fixed functionality, Fixed capacity, Fixed location
(Figure maps these limitations to what NFV and SDN provide)
Our Work: Bring these benefits to DDoS Defense
Slide 15: Outline (repeated section divider)
Slide 16: Bohatei Vision: Flexible + Elastic Defense via SDN/NFV
(Figure: an ISP running an SDN/NFV controller; attack traffic headed for a customer intranet is steered into defense VMs in datacenters DC1 and DC2 according to a defense policy)
Slide 17: Bohatei Controller Workflow
• Strategy layer: predict attack pattern
• Resource management: decide how many VMs, what types, where
• Network orchestration: configure network to route traffic
Slide 18: Threat model: general, dynamic adversaries
• Targets one or more customers
• Attacker has a fixed “budget” w.r.t. total attack volume
Adversary model as shown on the slide:
do {
  Pick_Target()
  Pick_Attack_Type()
  Pick_Attack_Volume()
  Pick_Attack_Ingress()
  Observe_and_Adapt()
}
Slide 19: Bohatei Design Challenges
• Strategy layer (predict attack pattern): resilient to adaptation?
• Resource management (decide how many VMs, what types, where): fast algorithms?
• Network orchestration (configure network to route traffic): scalable SDN?
Slide 20: Outline (repeated section divider)
Slide 21: Naïve resource management is too slow!
Inputs: suspicious traffic predictions, defense library, compute/network resources
A global optimization over the types, numbers, and locations of VMs and the routing decisions takes hours to solve…
Slide 22: Our Approach: Hierarchical + Greedy
Inputs: suspicious traffic predictions, defense library, compute/network resources
• ISP-level greedy: how much traffic to send to each datacenter (DC1 … DCN)
• Per-datacenter stage (one per datacenter, 1 … N): which VM slots to use in that datacenter
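The two-level decomposition on this slide, written out as an added illustration (this is not the paper's algorithm or the Bohatei repository's code): an ISP-level greedy pass assigns predicted suspicious traffic to the cheapest datacenter with free VM slots, then each datacenter independently maps its share onto servers. VM capacity, slot counts, ingress-to-DC costs and the predictions are all constructed values.

```python
from collections import defaultdict

VM_CAPACITY_GBPS = 10                      # constructed: one defense VM scrubs 10 Gbps
DC_SLOTS = {"DC1": 6, "DC2": 10}           # constructed: free VM slots per datacenter
# Constructed path cost (e.g. added latency) from each ISP ingress to each datacenter.
INGRESS_COST = {"ingressA": {"DC1": 1, "DC2": 5}, "ingressB": {"DC1": 4, "DC2": 2}}

def vms_needed(gbps):
    return -(-gbps // VM_CAPACITY_GBPS)    # ceiling division

def isp_level_greedy(predictions):
    """ISP-level stage. predictions: {(ingress, attack_type): suspicious Gbps}.
    Largest demands first; each is sent to the cheapest datacenter that still has
    slots, spilling over to the next cheapest when one DC cannot absorb it all.
    Returns ({dc: [(ingress, attack_type, vm_count)]}, {demand: unserved Gbps})."""
    slots = dict(DC_SLOTS)
    assignment, unserved = defaultdict(list), {}
    for (ingress, atype), gbps in sorted(predictions.items(), key=lambda kv: -kv[1]):
        need = vms_needed(gbps)
        for dc in sorted(INGRESS_COST[ingress], key=INGRESS_COST[ingress].get):
            take = min(need, slots[dc])
            if take:
                assignment[dc].append((ingress, atype, take))
                slots[dc] -= take
                need -= take
            if need == 0:
                break
        if need:
            unserved[(ingress, atype)] = need * VM_CAPACITY_GBPS
    return dict(assignment), unserved

def dc_level_placement(dc_assignment, servers):
    """Per-datacenter stage, run independently for each DC: map the VMs the ISP
    stage sent here onto physical servers, first fit. servers: {name: free slots}."""
    free, placement = dict(servers), []
    for ingress, atype, count in dc_assignment:
        for _ in range(count):
            server = next((s for s, n in free.items() if n > 0), None)
            if server is None:
                raise RuntimeError("ISP stage over-committed this datacenter")
            free[server] -= 1
            placement.append((server, atype, ingress))
    return placement

# Constructed prediction output of the strategy layer for one epoch.
PREDICTIONS = {("ingressA", "syn_flood"): 80, ("ingressB", "dns_amp"): 30}
```

With these inputs the 80 Gbps SYN flood from ingressA overflows DC1's six slots and spills two VMs into DC2; the returned `unserved` map is what a controller would watch to detect that the attack has outgrown the available slots.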
Slide 23: A reactive, per-flow controller will be a new vulnerability
(Figure: switch SW connected to VM1, VM2 and VM3 on ports 1–3; packet1 … packet100 are each sent up to the controller, which installs one forwarding-table entry per flow: Flow1 → Port 2, …, Flow100 → Port 3)
Reactive, per-flow isn’t scalable
Slide 24: Idea: Proactive tag-based steering
(Figure: the controller proactively installs two tables on switch SW, Context → Tag (Benign → 1, Suspicious → 2) and Tag → outPort (1 → Port 2, 2 → Port 3); VM1 tags packet1 with 1 and packet100 with 2, and the switch steers them to VM2 and VM3 without contacting the controller)
Proactive per-VM tagging enables scaling
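A small simulation of the contrast on slides 23 and 24, added here as an illustration (not code from the paper or the Bohatei repository): the same flows are pushed through a reactive per-flow switch and through a switch with proactively installed tag rules, and the rule counts and controller round trips are compared. The port numbers, tag values and the `classify` verdict are constructed stand-ins for VM1's analysis.

```python
from dataclasses import dataclass, field
@dataclass
class Packet:
    flow_id: str
    in_port: int
    tag: int = 0            # 0 = untagged; set by the defense VM that analysed the packet

@dataclass
class Switch:
    rules: dict = field(default_factory=dict)   # match key -> output port
    packet_ins: int = 0                         # packets punted to the controller

# Constructed topology after the slide: VM1 on port 1 analyses traffic, VM2 on port 2
# takes benign traffic, VM3 on port 3 takes suspicious traffic.
CONTEXT_TO_TAG = {"benign": 1, "suspicious": 2}
TAG_TO_PORT = {1: 2, 2: 3}

def classify(pkt):
    """Stand-in for VM1's verdict (constructed): even-numbered flows are benign."""
    return "benign" if int(pkt.flow_id[4:]) % 2 == 0 else "suspicious"

def reactive_forward(sw, pkt):
    """Reactive per-flow steering: the first packet of every flow misses in the table,
    is punted to the controller, and gets a flow-specific rule installed."""
    key = ("flow", pkt.in_port, pkt.flow_id)
    if key not in sw.rules:
        sw.packet_ins += 1
        sw.rules[key] = TAG_TO_PORT[CONTEXT_TO_TAG[classify(pkt)]]
    return sw.rules[key]

def proactive_setup(sw):
    """Controller installs one (in_port, tag) -> port rule per tag before any attack arrives."""
    for tag, port in TAG_TO_PORT.items():
        sw.rules[("tag", 1, tag)] = port

def tag_forward(sw, pkt):
    """Tag-based steering: VM1 writes its verdict into the tag; the switch matches only the tag."""
    pkt.tag = CONTEXT_TO_TAG[classify(pkt)]
    return sw.rules[("tag", pkt.in_port, pkt.tag)]

def compare(n_flows):
    """Same flows through both designs: rule counts, controller round trips, identical steering?"""
    reactive, proactive = Switch(), Switch()
    proactive_setup(proactive)
    same = all(reactive_forward(reactive, Packet(f"flow{i}", 1)) ==
               tag_forward(proactive, Packet(f"flow{i}", 1)) for i in range(n_flows))
    return {"reactive_rules": len(reactive.rules), "reactive_packet_ins": reactive.packet_ins,
            "proactive_rules": len(proactive.rules), "proactive_packet_ins": proactive.packet_ins,
            "same_steering": same}
```

For 100 flows both designs steer every packet to the same port, but the reactive switch ends up with 100 rules and 100 controller round trips while the tag-based switch needs two rules and none, which is the scaling argument the slide makes.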
Slide 25: Dynamic adversaries can game the defense
Adversary’s goals:
1. Increase defense resource consumption
2. Succeed in delivering attack traffic
Simple prediction (e.g., prev. epoch, avg) can be gamed
(Figure: attack volume (Gbps) over time t1..t4; the attacker alternates between SYN flood and DNS amp., and the predicted attack volume for t4 is marked)
Slide 26: Our approach: Online adaptation
• Metric of success = “regret minimization”: how much worse than the best static strategy in hindsight?
• Borrow an idea from online algorithms: the Follow the Perturbed Leader (FPL) strategy
• Intuition: Prediction = F(Obs. History + Random Noise)
• This provably minimizes the regret metric
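The FPL intuition on this slide, carried through as an added example (not the paper's prediction strategy or repository code): the defender picks, each epoch, the split of defense capacity across attack types that minimizes cumulative past cost plus fresh random noise, and the regret is measured against the best fixed split in hindsight. The attack types, the budget of four VM slots, the cost weights and the adversary trace are all constructed.

```python
import random
from itertools import product

ATTACK_TYPES = ("syn_flood", "dns_amp")   # constructed: the two attack types from the slide
BUDGET = 4                                # constructed: defense VM slots to split across types

# Every static strategy = one way to split BUDGET across the attack types.
STRATEGIES = [s for s in product(range(BUDGET + 1), repeat=len(ATTACK_TYPES)) if sum(s) == BUDGET]

def cost(alloc, observed):
    """One epoch's defender cost (constructed units): attack volume that exceeds the
    provisioned capacity (delivered attack traffic) plus a smaller charge for idle VMs."""
    leaked = sum(max(0, v - a) for a, v in zip(alloc, observed))
    waste = sum(max(0, a - v) for a, v in zip(alloc, observed))
    return leaked + 0.25 * waste

def fpl_predict(history, rng, noise_scale=1.0):
    """Follow the perturbed leader: choose the strategy whose cumulative cost on the
    observed history plus fresh random noise is smallest. The noise is what keeps an
    adaptive adversary from predicting (and gaming) the defender's next allocation."""
    best, best_score = None, float("inf")
    for strategy in STRATEGIES:
        score = sum(cost(strategy, obs) for obs in history) + rng.uniform(0, noise_scale)
        if score < best_score:
            best, best_score = strategy, score
    return best

def run(attack_trace, seed=1, noise_scale=1.0):
    """Play FPL against a trace of per-epoch observed volumes and return
    (online cost, best static cost in hindsight, regret)."""
    rng = random.Random(seed)
    history, online_cost = [], 0.0
    for observed in attack_trace:
        alloc = fpl_predict(history, rng, noise_scale)   # decide before seeing this epoch
        online_cost += cost(alloc, observed)
        history.append(observed)
    best_static = min(sum(cost(s, obs) for obs in attack_trace) for s in STRATEGIES)
    return online_cost, best_static, online_cost - best_static

# Constructed adversary: mostly SYN flood, then two epochs of DNS amplification.
TRACE = [(4, 0)] * 6 + [(0, 4)] * 2 + [(4, 0)] * 2

if __name__ == "__main__":
    online, static, regret = run(TRACE)
    print(f"online={online:.2f} best_static={static:.2f} regret={regret:.2f}")
```

The uniform noise here is a simplification of the perturbation distribution used in FPL proofs; the structure (cumulative cost plus noise, argmin over a finite strategy set) is what the slide's "Prediction = F(Obs. History + Random Noise)" refers to.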
Slide 27: Putting it together
• Prediction strategy: predicts the volume of suspicious traffic of each attack type at each ingress → suspicious traffic spec.
• Resource management: quantity, type, location of VMs
• Orchestration: launching VMs, traffic path set up
(Figure: ISP with datacenters DC1 and DC2, customer intranet, defense VMs, attack traffic, defense policy)
Slide 28: Outline (repeated section divider)
Slide 29: Defense policy library
• A defense graph per attack type
• Customized interconnection of defense modules
• Open source defense VMs
Example (SYN flood defense), the graph drawn on the slide:
Analyze (count SYN – SYN/ACK per source) → [Legitimate] → OK
Analyze → [Attack] → LOG → DROP
Analyze → [Unknown] → SYNPROXY → [Legitimate] → OK
SYNPROXY → [Attack] → LOG → DROP
Slide 30: Implementation
Control Plane: OpenDaylight, resource manager, defense library, FlowTags (Fayaz et al., NSDI’14)
OpenFlow between the control plane and the data plane
Data Plane: switches (OVS), FlowTags-enabled defense VMs (e.g., Snort) on KVM
Testbed: 13 20-core Intel Xeon machines
https://github.com/ddos-defense/bohatei
Slide 31: Outline (repeated section divider)
Slide 32: Evaluation questions
• Does Bohatei respond to attacks rapidly?
• Can Bohatei handle ≈500 Gbps attacks?
• Can Bohatei successfully cope with dynamic adversaries?
Slide 33: Responsiveness
Bohatei restores the performance of benign traffic in ≈ 1 min.
• Hierarchical resource management:
  – A few milliseconds (vs. hours)
  – Optimality gap < 1%
Slide 34: Scalability: Forwarding table size
Per-VM tagging cuts the number of rules by 3–4 orders of magnitude
Proactive setup reduces setup time by 3–4 orders of magnitude
Slide 35: Adversarial resilience
Bohatei's online adaptation strategy minimizes regret.
Slide 36: Conclusions
• DDoS defense today: Expensive, Inflexible, and Inelastic
• Bohatei: SDN/NFV for flexible and elastic DDoS defense
• Key Challenges: Responsiveness, scalability, resilience
• Main solution ideas:
  – Hierarchical resource management
  – Proactive, tag-based orchestration
  – Online adaptation strategy
• Ideas may be applicable to other security problems
• Scalable + Can react to very large attacks quickly!