
Proactive Defenses Against DDoS and Worm Attacks

Feb 04, 2022


Proactive Defenses Against DDoS and Worm Attacks: Harnessing the Power of Power-Law Topology for Scalable Network Security

Kihong Park (PI), Hyojeong Kim, Ali Selcuk, Bhagya Bethala, Humayun Khan, Wonjun Lee
Network Systems Lab, Department of Computer Sciences, Purdue University

Internet Power-Law Topology

“A few are connected to many, many are connected to a few.”

→ facilitates strategic & economic filter deployment

Proactive protection: Prevent attacks from imparting harm in the first place

Reactive protection: Respond, attribute, and contain new and non-preventable attacks

Objective

→ new approach: distributed packet filtering (DPF)

→ proactive & reactive filtering

Worm Attack Protection

DDoS Attack Protection

→ DPF: route-based filtering “unde venis?”

→ NLANR (1997-2002), CAIDA, RIPE, USC/ISI, UMich Internet AS measurement data

[Figure: comparison with DPF and without DPF; labels: victim, attackers, filters; scale: low, med, high]

→ 4% deployment achieves significant protection: containment & traceback

[Figure panels: Infection Dynamics; Percolation Threshold]

→ DPF: content-based filtering

[Figure panel: Critical Filter Density]

Tools: Large-Scale Simulation & Prototype System Building

{attackers, traffic generators, fault generators, …} CBR, Poisson, self-similar, MMPP, file transfer

[Diagram labels: Link Layer, DPF Lookup, IP, TCP, UDP, Socket API, BGP, DPF Update, Applications, DaSSF Kernel, MPI, DML, Protocol Stack, Meta-DML, Topology, Attack Configuration, Network Partition]

Dynamic DPF Simulator: Parallel Network Simulation

Intel IXP1200 Network Processor

→ workstation cluster

Network Processor Prototyping

- 7-node IXP1200 NP testbed
- DPF implementation & evaluation
- Teja development environment

- 12,500+ node networks
- Failure model
- Power-law partitioning
- System measurement
- Meta-DML configuration
- Trace-driven visualization