Defending Against DDoS Attacks Using Max-min Fair Server Centric Router Throttles
1.1Operating System Concepts
David K.Y. Yau (CS Dept, Purdue University), John C.S. Lui (CS&E Dept, CUHK)

Motivations
- Internet is an open and democratic environment
  - increasingly used for mission-critical work and commercial applications
- Many security threats are present or appearing
  - easy to launch, even for naïve users
  - need effective and flexible defenses to detect/trace/counter attacks
- Goals: protect innocent users; prosecute criminals
- Ambitious goals

Network Denial-of-service Attacks
- Some attacks quite subtle
  - securing protocols and intrusion detection (e.g., BGP, TCP-syn attack)
  - at routing infrastructure, malicious dropping of packets, etc. (low-rate TCP)
- Others by brute force:
  - flooding (e.g., UDP, valid Web request)
- Cripples victim:
  - precludes any sophisticated defense at victim site
- Philosophical question: what is an “attacker”?
- Viewed as resource management problem

Flooding Attack
[Figure: Flooding Attack; labelled node: Server]

Server-centric Router Throttle
- Installed by server when under stress, at a set of deployment routers
  - can be sent by multicast
- Specifies leaky bucket rate at which router can forward traffic to the server
  - aggressive traffic for server dropped before reaching server
  - rate determined by a feedback control algorithm
- Issues: (1) Which set of routers? (2) What is the “proper” dropping rate?

Router Throttle
[Figure labels: Deployment router; Throttle for S; Throttle for S’; Securely installed by S; Aggressive flow; To S; To S’]
Each victim has a leaky bucket for rate limit. Small memory and computation overhead!

Key Design Problems
- Resource allocation: who is entitled to what?
  - need to keep server operating within load limits
  - notion of fairness, and how to achieve it?
- Need global, rather than router-local, fairness
- How to respond to network and user dynamics (e.g., fluctuation of traffic)?
  - Feedback control strategy is needed

What is being fair?
- Baseline approach of dropping a fraction “f”, say ½, of traffic for each flow won’t work well
  - a flow can cause more damage to other flows simply by being more aggressive!
- Rather, no flow should get a higher rate than another flow that has unmet demands
  - this way, we penalize “aggressive” flows only, but protect the well-behaving ones
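
The contrast drawn on this slide, as an added example (not code from the slides or the authors): proportional dropping versus a max-min fair split computed by water-filling. The demands and the capacity of 1700 are constructed sample values, and the function names are hypothetical.

```python
def proportional_drop(demands, capacity):
    """Baseline: every flow keeps the same fraction of its offered traffic."""
    total = sum(demands)
    keep = min(1.0, capacity / total) if total else 1.0
    return [d * keep for d in demands]


def max_min_share(demands, capacity):
    """Water-filling: grant the smallest demands in full, then split what is
    left equally among the flows whose demand is still unmet."""
    alloc = [0.0] * len(demands)
    remaining = float(capacity)
    pending = sorted(range(len(demands)), key=lambda i: demands[i])
    while pending:
        share = remaining / len(pending)
        smallest = pending[0]
        if demands[smallest] <= share:
            alloc[smallest] = float(demands[smallest])
            remaining -= demands[smallest]
            pending.pop(0)
        else:
            # Every remaining flow wants more than an equal share: cap them all.
            for i in pending:
                alloc[i] = share
            break
    return alloc


def good_traffic_delivered(policy, attack_rate, capacity=1700):
    """Traffic delivered for three well-behaved flows (constructed demands)
    when two aggressive flows each offer attack_rate."""
    demands = [20, 30, 25, attack_rate, attack_rate]
    return sum(policy(demands, capacity)[:3])


if __name__ == "__main__":
    # Raising the attack rate starves good flows only under the baseline.
    for rate in (1000, 4000, 16000):
        print(rate,
              round(good_traffic_delivered(proportional_drop, rate), 2),
              round(good_traffic_delivered(max_min_share, rate), 2))
```
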

Level-k Deployment Points
- Deployment points parameterized by an integer k
- R(k): set of routers that are either k hops away from server S, or less than k hops away from S but are directly connected to a host
- Fairness across global routing points R(k)

Level-3 Deployment
[Figure: Level-3 Deployment; labelled node: Server]

Feedback Control Strategy
- Hysteresis control
  - high and low water marks for server load, to strengthen or relax router throttle
- Additive increase/multiplicative decrease rate adjustment
  - increases when server load exceeds U_S, and decreases when server load falls below L_S
  - throttle removed when a relaxed rate does not result in significant server load increase

Fairness Definition
A resource control algorithm achieves level-k max-min fairness among the routers R(k) if the allowed forwarding rate of traffic for S at each router is the router’s max-min fair share of some rate r satisfying L_S ≤ r ≤ U_S
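
One way to simulate the water-mark loop from the Feedback Control Strategy slide and land on a rate inside the band this definition requires, as an added example (not the authors' algorithm, which this transcript does not carry). It assumes one uniform rate cap sent to every deployment router, halved when load exceeds the upper mark and raised by a fixed step when load falls below the lower mark; source rates and water marks are the ones on the deck's feedback control model slide, while the step of 50 and the starting caps are constructed.

```python
def forwarded(demands, cap):
    """Per-router traffic reaching the server under a uniform rate cap."""
    return [min(d, cap) for d in demands]


def settle_throttle(demands, lower, upper, step, cap, max_rounds=200):
    """Adjust the cap until server load sits between the water marks.

    Returns (cap, load); cap is None when the throttle is removed because
    relaxing it no longer raises the load (no overload to defend against).
    """
    prev_load, relaxed = None, False
    for _ in range(max_rounds):
        load = sum(forwarded(demands, cap))
        if load > upper:                      # overloaded: strengthen throttle
            cap, relaxed = cap / 2, False
        elif load < lower:                    # underloaded: relax throttle
            if relaxed and load <= prev_load:
                return None, load
            cap, relaxed = cap + step, True
        else:
            return cap, load                  # inside the hysteresis band
        prev_load = load
    raise RuntimeError("throttle did not settle; step too coarse for the band")


# Source rates and water marks as on the feedback control model slide.
SOURCES = [20, 30, 25, 4000, 2800]
L_S, U_S = 1650, 1750

if __name__ == "__main__":
    for start in (340, 4000):                 # constructed starting caps
        cap, load = settle_throttle(SOURCES, L_S, U_S, step=50, cap=start)
        print(start, cap, load, forwarded(SOURCES, cap))
    # Well-behaved sources alone never reach the lower mark: throttle removed.
    print(settle_throttle(SOURCES[:3], L_S, U_S, step=50, cap=340))
```

Both starting points settle with the three small sources unthrottled and the two large ones held to the same cap, which is the max-min split of the load the server ends up accepting.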

Fair Throttle Algorithm
[Figure]

Example Max-min Rates (L=18, H=22)
[Figure: numeric rates annotated around the Server node]

Interesting Questions
- Can we preferentially drop attacker traffic over good user traffic?
- Can we successfully keep server operating within design limits, so that good user traffic that makes it gets acceptable service?
- How stable is such a control algorithm? How does it converge?

Algorithm Evaluation
- Control-theoretic analysis (fluid analysis)
  - algorithm stability and convergence under different system parameters
- Packet network simulations (packet level analysis)
  - Test under UDP and TCP traffic. Also test with Web traces
- System implementation (the real thing, baby !!!)
  - deployment costs

Control-theoretic Model
[Figure: model equations; annotated terms: adjusted traffic from source i, throttle signal from victim, step size]
When throttle signal is high, server is underloaded. When throttle signal is low, server is overloaded.
ANALOGY!!!

Feedback Control Model (Us=1750;Ls=1650)
[Figure: model inputs: constant sources of 20, 30, 25, 4000 and 2800]

[Figure: Output for good traffic (total from source 1)]
[Figure: Output for attack traffic (total from source 5)]
[Figure: Output for attack traffic (total from source 6)]
[Figure: Total traffic to server (Us=1750;Ls=1650)]

Case 2: variable attack traffic (Us=1750,Ls=1650)
[Figure: Square Pulse]
[Figure: Output of attack traffic 1]
[Figure: Output of attack traffic 2]
[Figure: Total traffic to server (Us=1750;Ls=1650)]

[Figure: Feedback Control Model (sources and server)]
[Figure: Feedback Control Model (server throttle signal)]
[Figure: Feedback Control Model (sources process throttle)]

[Figure: Throttle Rate (L=900; U=1100)]
[Figure: Server Load (L=900; U=1100)]
[Figure: Throttle Rate (U=1100)]
[Figure: Server Load (U=1100)]
[Figure: Throttle Rate (L=1050; U=1100)]
[Figure: Server Load (L=1050; U=1100)]

NS2: UDP Simulation Experiments
- Global network topology reconstructed from real traceroute data
  - AT&T Internet mapping project: 709,310 traceroute paths, single source to 103,402 other destinations
  - randomly select 5,000 paths, with 135,821 nodes of which 3879 are hosts
- Randomly select x% of hosts to be attackers
  - good users send at rate [0,r], attackers at rate [0,R]

[Figure: 20% Evenly Distributed Aggressive (10:1) Attackers]
[Figure: 40% Evenly Distributed Aggressive (5:1) Attackers]
[Figure: Evenly Distributed “meek” Attackers]
[Figure: Deployment Extent]

NS2: TCP Simulation Experiment
- Clients access web server via HTTP 1.0 over TCP Reno
- Simulated network subset of AT&T traceroute topology
  - 85 hosts, 20% attackers
- Web clients make request probabilistically with empirical document size and inter-request time distributions

[Figure: Web Server Protection]
[Figure: Web Server Traffic Control]

System Implementation
- On Linux router
  - loadable kernel module
  - CPU resource reservation
- Deployment platform
  - Pentium 4/2 GHz PC
  - multiple 10/100 Mb/s Ethernet interfaces

System Implementation: cont
- OPERA: An Open-Source Extensible Router Architecture
  - http://www.cse.cuhk.edu.hk/~cslui/ANSRlab/software/opera/
  - A Linux-based package for implementing a software programmable router architecture with the aim to facilitate networking experiments for the research community. Using this architecture, one can dynamically load new extensions and services into the programmable router. Some interesting extensions include QoS support and traceback of DDoS attacks.
- Dynamic module loading
- Resource reservation
- General extension framework
- Secured communication

Future Work
- Offered load-aware control algorithm for computing throttle rate
  - impact on convergence and stability
- Policy-based notion of fairness
  - heterogeneous network regions, by size, susceptibility to attacks, tariff payment
- Selective deployment issues
- Impact on real user applications
- Defense for other forms of DDoS like the reflector attack, BGP cascading failure, etc.

Conclusions
- Extensible routers can help improve network health
- Presented a server-centric router throttle mechanism for DDoS flooding attacks
  - can better protect good user traffic from aggressive attacker traffic
  - can keep server operational under an ongoing attack
  - has efficient implementation