The Role of Indirection and Diffusion in DDoS Defense
Post on 01-Feb-2016
The Role of Indirection and Diffusion in DDoS Defense
Angelos D. Keromytis, Network Security Lab
Computer Science Department, Columbia University
Capacity and Path Diversity
[Figure: link capacities from POTS/ISDN, T1 and 10M Ethernet through OC3 and OC12 to OC192; axes labelled "Increasing Traffic Aggregation", "Increasing SW Service Deployment Times", "Increasing Preference for SW Restriction to Control Plane" and "More Nodes"]
DDoS seems to be largely a "last-3-hops" problem
  Informal survey of ISPs shows 20-40Gbps per POP
  Many redundant paths (some are better than the route-converged path!)
Similar characteristics likely to hold for any future "Internet"
  Unless we abandon statistical mux model and adopt single-authority/ISP (think phone network)
FiOS or similar network upgrades unlikely to significantly change the situation (wireless may make things worse!)
Must be intelligent about traffic monitoring/admission/handling
Intelligence inside the network is hard to come by
  Decreasing cycles/bps
Indirection and Diffusion
Send the traffic to the intelligence
  Put the intelligence where you can (technology, cost/benefit, deployment limitations)
  Intelligence can be pretty invasive, e.g., full-blown authentication, payment, CAPTCHA, attestation ...
Intelligence must not be a point of vulnerability
  Scalable, distributed, restricted interface (attack surface)
  But: easier proposition than doing the same at line speeds inside the network
  Diffusion helps to eliminate single-failure points
  Challenges: interference, sensing, knowledge, guarantees?
Intelligence must be efficient
  Performance, reliability, low-cost (shared & on-demand?)
Transparent vs. explicit intelligence/indirection
Complement intelligence with simple in-network mechanisms
  Routing, limited filtering abilities, deflections, ???
  Use what you can, where it makes sense (to paraphrase e2e)
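The trade-off on this slide (diffusion removes single points of failure at the cost of extra traffic, while replicating client packets across overlay nodes keeps end-to-end latency down) can be modelled directly; the backup slides plot exactly these quantities against node failure and replication factor. The following is an added example, not code from the talk or the lab: the overlay node latencies, the direct-path latency and the set of failed nodes are constructed values.

```python
from itertools import combinations

# Constructed example (not measurements from the talk): one-way
# client->overlay node->server latency in ms for six overlay nodes,
# and a hypothetical direct client->server latency for comparison.
OVERLAY_LATENCY_MS = {"A": 40, "B": 55, "C": 70, "D": 90, "E": 120, "F": 150}
DIRECT_LATENCY_MS = 30


def replicated_delivery(latency_ms, failed, k):
    """Model client packet replication through a diffusion overlay.

    The client sends k copies of each packet via k distinct overlay nodes
    chosen uniformly at random.  A packet is delivered if at least one of
    those nodes is alive (not in `failed`); its end-to-end latency is that
    of the fastest surviving copy.  All k-subsets are enumerated exactly,
    which is cheap for a small overlay.  Returns
    (delivery_probability, mean latency in ms of delivered packets or None).
    """
    nodes = sorted(latency_ms)
    subsets = list(combinations(nodes, k))
    delivered = []
    for subset in subsets:
        alive = [latency_ms[n] for n in subset if n not in failed]
        if alive:
            delivered.append(min(alive))
    prob = len(delivered) / len(subsets)
    mean_ms = sum(delivered) / len(delivered) if delivered else None
    return prob, mean_ms


def resilience_table(latency_ms, failed, factors=(1, 2, 3)):
    """Per replication factor: (delivery probability, mean latency in ms,
    overlay/direct latency ratio), the quantities the backup slides plot."""
    table = {}
    for k in factors:
        prob, mean_ms = replicated_delivery(latency_ms, failed, k)
        ratio = mean_ms / DIRECT_LATENCY_MS if mean_ms is not None else None
        table[k] = (prob, mean_ms, ratio)
    return table


if __name__ == "__main__":
    # Attacker has taken down the two fastest of the six overlay nodes.
    for k, (prob, mean_ms, ratio) in resilience_table(OVERLAY_LATENCY_MS, {"A", "B"}).items():
        print(f"{k}x replication: delivered {prob:.1%}, "
              f"mean latency {mean_ms:.1f} ms ({ratio:.2f}x direct)")
```

With two of six nodes down, going from 1x to 3x replication raises delivery from 67% to 100% and lowers the mean latency of delivered packets (the fastest surviving copy wins), which is the resilience/latency behaviour the backup-slide plots show.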
Simple Filtering
SOS/WebSOS [SIGCOMM2002, CCS2003]
Human-centric Authentication [CCS2003]
Diffusion [CCS2005]
Local Perimeter Establishment [IAMCOM2007]
Limited-scope PushBack (inside home ISP only)
  Much simpler trust issues, pay-per-use possibility [ACNS2004]
  RSVP might do the trick, too...
Backup Slides
MOVE [NDSS2005]
Attack
Old fashioned DoS Attack
New Attack: "Stalker" Attack
New Attack: Sweeping Attack
Latency with Diffusion
[Figure: End-to-End Latency with Client Packet Replication; y-axis Overlay/Direct latency ratio, x-axis Client Packet Replication]
Resilience & Latency
[Figure: End-to-End Latency vs Node Failure; series: No Repl., 1.5x, 2x, 3x]
Resilience & Throughput
[Figure: Throughput vs Node Failure; y-axis KB/Sec, x-axis % Node Failure]