The Role of Indirection and Diffusion in DDoS Defense

Post on 01-Feb-2016


Description: PowerPoint presentation by Angelos D. Keromytis, Network Security Lab, Computer Science Department, Columbia University.

Transcript

The Role of Indirection and Diffusion in DDoS Defense

Angelos D. Keromytis, Network Security Lab (NSL)

Computer Science Department, Columbia University

Capacity and Path Diversity

[Figure: link capacity growth from POTS/ISDN, T1, 10M Ethernet, OC3, OC12 to OC192; arrows labelled "Increasing Traffic Aggregation", "Increasing SW Service Deployment Times", "Increasing Preference for SW Restriction to Control Plane", and "More Nodes"]

- DDoS seems to be largely a "last-3-hops" problem
- Informal survey of ISPs shows 20-40 Gbps per POP
- Many redundant paths (some are better than the route-converged path!)
- Similar characteristics likely to hold for any future "Internet", unless we abandon the statistical multiplexing model and adopt a single-authority/ISP model (think phone network)
- FiOS or similar network upgrades are unlikely to significantly change the situation (wireless may make things worse!)
- Must be intelligent about traffic monitoring/admission/handling
- Intelligence inside the network is hard to come by

[Figure label: Decreasing cycles/bps]

Indirection and Diffusion

- Send the traffic to the intelligence
- Put the intelligence where you can (technology, cost/benefit, deployment limitations)
- Intelligence can be pretty invasive, e.g., full-blown authentication, payment, CAPTCHA, attestation ...
- Intelligence must not be a point of vulnerability: scalable, distributed, restricted interface (attack surface)
- But: an easier proposition than doing the same at line speeds inside the network
- Diffusion helps to eliminate single points of failure
- Challenges: interference, sensing, knowledge, guarantees?
- Intelligence must be efficient: performance, reliability, low cost (shared & on-demand?)
- Transparent vs. explicit intelligence/indirection
- Complement intelligence with simple in-network mechanisms: routing, limited filtering abilities, deflections, ???
- Use what you can, where it makes sense (to paraphrase e2e)
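The diffusion idea on this slide (replicate each client packet across several overlay entry nodes so that no single node is a point of failure) can be made concrete with a small simulation. The following is an added example, not code from the talk or from the SOS/WebSOS systems it cites; the node count, the direct-path latency, the per-node overlay latency range, and the failure fractions are illustrative assumptions. It computes the analytic delivery probability for a replication factor r under a fraction f of failed nodes, then runs a Monte Carlo model that also reports the overlay/direct latency ratio, reproducing the shape of the "latency vs. node failure" trade-off: more replication means more packets survive and the best surviving path is usually faster, at the cost of r times the client's outbound bandwidth.

```python
"""
Added example (not from the slides): Monte Carlo model of diffusion by client
packet replication over an indirection overlay.  A client sends each packet via
r distinct, randomly chosen overlay entry nodes out of n; a fraction f of the
nodes is down (attacked or failed).  A packet is delivered if at least one of
its r entry nodes is alive, and its latency is that of the best surviving path.
All numbers below are assumptions chosen for illustration.
"""
import random
from statistics import mean

DIRECT_LATENCY_MS = 40.0        # assumed latency of the direct client->server path
OVERLAY_EXTRA_MS = (5.0, 40.0)  # assumed extra latency added by an overlay node


def delivery_probability(failed_fraction: float, replication: int) -> float:
    """Analytic delivery probability (independent node choices):
    a packet is lost only if all r chosen entry nodes are down."""
    return 1.0 - failed_fraction ** replication


def simulate(n_nodes: int = 100, failed_fraction: float = 0.3,
             replication: int = 2, packets: int = 20000, seed: int = 1):
    """Return (delivery_rate, overlay_over_direct_latency) for one scenario.

    replication=1 is plain indirection with no diffusion: one entry node per
    packet, so losing that node loses the packet."""
    rng = random.Random(seed)
    # Fixed extra latency per overlay node, and a fixed set of dead nodes.
    extra = [rng.uniform(*OVERLAY_EXTRA_MS) for _ in range(n_nodes)]
    dead = set(rng.sample(range(n_nodes), round(n_nodes * failed_fraction)))

    delivered = 0
    latencies = []
    for _ in range(packets):
        entries = rng.sample(range(n_nodes), replication)   # r distinct entry nodes
        alive = [e for e in entries if e not in dead]
        if alive:
            delivered += 1
            # The receiver keeps the first copy to arrive: best surviving path.
            latencies.append(DIRECT_LATENCY_MS + min(extra[e] for e in alive))

    rate = delivered / packets
    ratio = mean(latencies) / DIRECT_LATENCY_MS if latencies else float("inf")
    return rate, ratio


def sweep(failed_fractions=(0.1, 0.3, 0.5), replications=(1, 2, 3)):
    """Delivery rate and latency ratio for every (f, r) pair; r is also the
    bandwidth multiplier the client pays for diffusion."""
    return {(f, r): simulate(failed_fraction=f, replication=r)
            for f in failed_fractions for r in replications}


if __name__ == "__main__":
    print("f     r  analytic  simulated  overlay/direct  bw cost")
    for (f, r), (rate, ratio) in sweep().items():
        print(f"{f:<5} {r}  {delivery_probability(f, r):8.3f}  "
              f"{rate:9.3f}  {ratio:14.2f}  {r}x")
```

With a fixed seed the run is deterministic; the simulated rate sits slightly above the analytic value because the r entry nodes are drawn without replacement from a finite pool, which is what a real client choosing distinct overlay nodes would do.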

Simple Filtering

SOS/WebSOS [SIGCOMM2002, CCS2003]

Human-centric Authentication [CCS2003]

Diffusion [CCS2005]

Local Perimeter Establishment [IAMCOM2007]

- Limited-scope PushBack (inside home ISP only)
- Much simpler trust issues, pay-per-use possibility [ACNS2004]
- RSVP might do the trick, too...

Backup Slides

MOVE [NDSS2005]

[Diagram: attack scenario against MOVE]

Old-fashioned DoS Attack

New Attack: "Stalker" Attack

New Attack: Sweeping Attack

Latency with Diffusion

[Plot: End-to-End Latency with Client Packet Replication; x-axis: Client Packet Replication; y-axis: Overlay / Direct]

Resilience & Latency

[Plot: End-to-End Latency vs Node Failure; series: No Repl., 1.5x, 2x, 3x]

Resilience & Throughput

[Plot: Throughput vs Node Failure; y-axis: KB/Sec; x-axis: % Node Failure]
