Page 1: The Role of Indirection and Diffusion in DDoS Defense

Angelos D. Keromytis, Network Security Lab

Computer Science Department, Columbia University

Page 2: Capacity and Path Diversity

[Figure: link capacity and path diversity across access and core link types (POTS/ISDN, T1, 10M Ethernet, OC3, OC12, OC192); annotated trends: increasing traffic aggregation, increasing software service deployment times, increasing preference for restricting software to the control plane, more nodes]

- DDoS seems to be largely a "last-3-hops" problem
- Informal survey of ISPs shows 20-40 Gbps per POP
- Many redundant paths (some are better than the route-converged path!)
- Similar characteristics likely to hold for any future "Internet", unless we abandon the statistical mux model and adopt a single-authority/ISP model (think phone network)
- FiOS or similar network upgrades unlikely to significantly change the situation (wireless may make things worse!)
- Must be intelligent about traffic monitoring/admission/handling
- Intelligence inside the network is hard to come by
- Decreasing cycles/bps

Page 3: Indirection and Diffusion

- Send the traffic to the intelligence
- Put the intelligence where you can (technology, cost/benefit, deployment limitations)
- Intelligence can be pretty invasive, e.g., full-blown authentication, payment, CAPTCHA, attestation ...
- Intelligence must not be a point of vulnerability
  - Scalable, distributed, restricted interface (attack surface)
  - But: an easier proposition than doing the same at line speeds inside the network
  - Diffusion helps to eliminate single points of failure
  - Challenges: interference, sensing, knowledge, guarantees?
- Intelligence must be efficient: performance, reliability, low cost (shared & on-demand?)
- Transparent vs. explicit intelligence/indirection
- Complement intelligence with simple in-network mechanisms: routing, limited filtering abilities, deflections, ???
- Use what you can, where it makes sense (to paraphrase e2e)

Page 4: Simple Filtering

Page 5: SOS/WebSOS [SIGCOMM2002, CCS2003]

Page 6: Human-centric Authentication [CCS2003]

Page 7: Diffusion [CCS2005]

Page 8: Local Perimeter Establishment [IAMCOM2007]

- Limited-scope PushBack (inside home ISP only)
- Much simpler trust issues, pay-per-use possibility [ACNS2004]
- RSVP might do the trick, too...

Page 9: Backup Slides

Page 10: MOVE [NDSS2005]

Page 11: MOVE [NDSS2005]

[Figure: attack scenario]

Page 12: MOVE [NDSS2005]

[Figure: attack scenario]

Page 13: Old-fashioned DoS Attack

Page 14: New Attack: "Stalker" Attack

Page 15: New Attack: "Stalker" Attack

Page 16: New Attack: "Stalker" Attack

Page 17: New Attack: "Stalker" Attack

Page 18: New Attack: Sweeping Attack

Page 19: New Attack: Sweeping Attack

Page 20: New Attack: Sweeping Attack

Page 21: Latency with Diffusion

[Figure: End-to-End Latency with Client Packet Replication; x-axis: Client Packet Replication; series: Overlay / Direct]

Page 22: Resilience & Latency

[Figure: End-to-End Latency vs Node Failure; series: No Repl., 1.5x, 2x, 3x]

Page 23: Resilience & Throughput

[Figure: Throughput vs Node Failure; y-axis: KB/Sec; x-axis: % Node Failure]

