CoDef: Collaborative Defense against Large-Scale Link-Flooding - - PowerPoint PPT Presentation



SLIDE 1

CoDef: Collaborative Defense against Large-Scale Link-Flooding Attacks

Soo Bum Lee*, Min Suk Kang, Virgil D. Gligor
CyLab, Carnegie Mellon University
*Qualcomm

Dec. 12, 2013
SLIDE 2

Large Scale Link-Flooding Attacks

  • Massive DDoS attacks against chosen targets in Internet infrastructure

[Figure: attack traffic flooding a link; legitimate packets to targets such as C2/ISR/logistics (GIG), the smart electric grid and financial services are dropped, giving the attack scalable impact]

SLIDE 3

Real World Example: "Spamhaus" Attack (2013)

  • Adversary flooded a few links in 4 IXPs

– scalable impact: regionally degraded connectivity
– but easily mitigated: attack flows were distinguished from legitimate flows and filtered => the attack lasted only ~1-1.5 hours

[Figure: adversary's attack traffic flooding IXP links]

SLIDE 4

Typical Defenses against Link-Flooding Attacks

  • Distinguish attack flows from legitimate ones

 e.g., flow filtering, pushback, anti-spoof filtering, capability-based solutions

But advanced link-flooding attacks can easily circumvent the typical defenses

SLIDE 5

"Crossfire" Attack (S&P'13)

  • uses "bot to public server" attack flows (e.g., to HTTP web servers): N bots x M public servers => O(NM) flows flooding the target link
  • attack flows are "indistinguishable" from legitimate flows

 many, low-rate, diverse source/destination addresses, protocol conforming, destination-wanted

SLIDE 6

"Coremelt" Attack (ESORICS'09)

  • uses "bot to bot" colluding attack flows: N bots => O(N²) flows flooding the target link

Our adversary model: "indistinguishable link-flooding attacks"

SLIDE 7

Problems

  • I. Identify the indistinguishable attack flows?
    – force the adversary's untenable choice by conformance tests
  • II. Avoid collateral damage to legitimate flows?
    – route separation (i.e., providing detours for legitimate flows)
  • III. Prevent the attack from being dispersed and causing unanticipated damage to legitimate flows?
    – pin down potential attack flows

Target: "I'm gonna make him an offer he can't refuse…"

SLIDE 8

CoDef: Collaborative Defense

  • 1. Collaborative Rerouting

Target AS sends reroute requests to source ASes => provides detours around the flooded link

[Figure: link flooding at the target AS; target AS to source AS: "Pls. avoid me!"; source AS: "Okay!"]
SLIDE 9

CoDef: Collaborative Defense

  • 2. Collaborative Rate Control

Target AS sends rate-control requests to source ASes => allows the source AS to prioritize its flows

[Figure: link flooding at the target AS; target AS to source AS: "Pls. slow down!"; source AS: "Okay!"]
SLIDE 10

Motivations of Collaborative Defense

Target AS
– has no way to distinguish attack flows by itself
– has limited control over the incoming traffic (e.g., end-to-end AS paths, traffic rate)

Source AS
– has no idea about the flooding at the remote target
– has good reason to collaborate in circumventing the flooding

Transit ASes
– have no incentive/motivation for changing their (optimized/complex) routing policies

SLIDE 11

CoDef Architecture

  • CoDef adds complementary routing functions

– route controllers, secure route-control channels

[Figure: each autonomous system runs a route controller beside its routers; route controllers of different ASes talk over a route-control channel]

SLIDE 12

Collaborative Rerouting

C is flooded and A's packets to G are dropped
(1) C sends re-route message to A: "Please avoid me (i.e., C)"

[Figure: seven ASes A-G, routers R1 and R2, flooding at C. Routes to G per AS (* = default route):
A: ABCG*, ADEFG
B: BCG*, BFG
C: CG*, CFG, CBFG
D: DEFG*, DABCG
E: EFG*, EDABCG
F: FG*, FCG
G: G*]

SLIDE 13

Collaborative Rerouting

(2) A refers to its routing table and finds an alternate route: ADEFG

SLIDE 14

Collaborative Rerouting

(3) A changes the "import policy" of its BGP router (i.e., R2)

SLIDE 15

Collaborative Rerouting

"What if domain A is single-homed exclusively to B?" => rerouting at B: the rerouting request is handled by B, which detours on A's behalf

SLIDE 16

Rerouting Conformance Test

[Figure: link flooding at the target; reroute requests go out to the source ASes]

SLIDE 17

Rerouting Conformance Test

[Figure: link flooding; source ASes answer "Okay!" "Okay!"]

SLIDE 18

Rerouting Conformance Test

[Figure only]

SLIDE 19

Rerouting Conformance Test

[Figure: adversary: "let's create new attack flows!" … "h… wait… flooding has stopped!"; target: "identify attack flows"]

SLIDE 20

Rerouting Conformance Test

Adversary's untenable choice:
– give up the attack (by conforming to the test), or
– be detected (by creating new attack flows)
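The rerouting steps of slides 8 and 12-15 and the conformance test of slides 16-20, worked on the deck's own seven-AS topology as an added example (this is not CoDef's implementation; the shape of the reroute request, the flow records the target keeps, and the "next round" bookkeeping are assumptions made for the illustration):

```python
"""Collaborative rerouting and the rerouting conformance test, worked on
the seven-AS topology of slides 12-15 (destination G, AS C flooded).
Added illustration, not CoDef's own code; the shapes of the reroute
request and of the target's flow records are assumptions of the example."""

# Per-AS routes to G exactly as listed on slide 12; index 0 is the
# default route (the one marked '*' there).
ROUTES = {
    "A": ["ABCG", "ADEFG"], "B": ["BCG", "BFG"], "C": ["CG", "CFG", "CBFG"],
    "D": ["DEFG", "DABCG"], "E": ["EFG", "EDABCG"], "F": ["FG", "FCG"],
    "G": ["G"],
}


def reroute(routes, src, avoid):
    """Source AS `src` serves the request "please avoid `avoid`" from the
    flooded AS: it takes its most-preferred route that does not cross
    `avoid` and installs it as its new import policy (steps 2-3).
    Returns (route, rerouting_as).  A source that has no detour of its own
    hands the request to the next hop of its default route, which detours
    on its behalf (the single-homed case of slide 15)."""
    for route in routes[src]:
        if avoid not in route:
            return route, src
    next_hop = routes[src][0][1]
    if next_hop == avoid:
        return None, None                 # the flooded AS is the only exit
    upstream_route, who = reroute(routes, next_hop, avoid)
    if upstream_route is None:
        return None, None
    return src + upstream_route, who


def conformance_test(target, before, after, asked):
    """Target-AS side of slides 16-20.  `before` and `after` are the flows
    the target observed on the flooded link before it sent reroute
    requests and after the ASes in `asked` acknowledged them (records:
    id, src_as, observed AS path).  A conforming source has moved its
    traffic off the link, so a flow that still crosses `target` from an
    AS that agreed to detour, or a flow that only appears after the test,
    is the adversary's.  Returns (flagged flow ids, not-yet-asked source
    ASes seen on the link, to be asked in the next round)."""
    seen = {f["id"] for f in before}
    flagged, new_sources = set(), set()
    for f in after:
        if target not in f["path"]:
            continue
        if f["src_as"] in asked or f["id"] not in seen:
            flagged.add(f["id"])
        if f["src_as"] not in asked:
            new_sources.add(f["src_as"])
    return sorted(flagged), sorted(new_sources)


def run_example():
    """Replay the slides with constructed flow records."""
    target = "C"
    # Constructed: one legitimate and two bot flows from A, all on A's
    # default route ABCG and indistinguishable by inspection.
    before = [{"id": "l1", "src_as": "A", "path": "ABCG"},
              {"id": "x1", "src_as": "A", "path": "ABCG"},
              {"id": "x2", "src_as": "A", "path": "ABCG"}]
    asked = {f["src_as"] for f in before}            # (1) "please avoid C"
    detours = {s: reroute(ROUTES, s, target) for s in asked}
    # Constructed: after A detours via ADEFG, the only flows left on C's
    # link are x1, still arriving through C although A acknowledged, and a
    # new bot flow x3 from B (default route BCG, not asked yet).
    after = [{"id": "x1", "src_as": "A", "path": "ABCG"},
             {"id": "x3", "src_as": "B", "path": "BCG"}]
    flagged, next_round = conformance_test(target, before, after, asked)
    return detours, flagged, next_round


if __name__ == "__main__":
    print(run_example())
    print(reroute(dict(ROUTES, A=["ABCG"]), "A", "C"))   # single-homed A
```

With the slide's tables, A answers the request with ADEFG; with A single-homed to B, the request is resolved at B and A's traffic takes ABFG. In the replayed test, l1 and x2 leave the link with A's detour, while x1 (still crossing C from an AS that agreed) and x3 (a flow that did not exist before the test) are flagged, which is the "be detected" branch of the untenable choice.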

SLIDE 21

Path Pinning

CoDef fixes attack paths to the target to prevent unanticipated damage

[Figure: link flooding; target: "identify attack flows!"]

SLIDE 22

Evaluation of Collaborative Rerouting

  • Internet AS topology

 40K+ ASes and their business relationships from CAIDA
 538 attack ASes selected based on real spam bot distribution

  • Forwarding path decision model

 preference: (i) cheaper paths (e.g., customer-provider, peer-peer); (ii) shorter paths

SLIDE 23

Evaluation of Collaborative Rerouting

evaluate the "availability of alternate paths" from legitimate ASes to a destination

conservative attack scenario
  • all ASes on the attack paths (i.e., paths from attack ASes to the destination) are the flooding targets

Finding alternate paths: "avoid target ASes"
  • three evaluation policies
     strict  viable  flexible

[Figure: source S with candidate paths P1, P2, … and P3, P4, … towards destination D; "path exists?"]

SLIDE 24

Availability of Alternate Paths

[Chart: Connection Ratio (%), 0-100, for destination ASes AS 20144, AS 297, AS 7500, AS 27, AS 2149 and AS 29216 under the strict, viable and flexible policies]
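The connectivity check behind slides 22-24, as an added example on a small constructed AS graph (not the paper's evaluation code, which ran on CAIDA's 40K+ AS topology). Routing is valley-free with the deck's preference order, cheaper first (customer route over peer over provider) and then shorter; the three policies named on slide 23 (strict/viable/flexible) are not defined on the slides, so only the plain "avoid target ASes" rule is applied. The ASes T1, P1-P3, S1-S4, X and D, and their relationships, are constructed for the example:

```python
"""Alternate-path availability check behind the evaluation of slides
22-24, run on a small constructed AS graph.  Added example, not the
paper's evaluation code.  Relationships are modelled as provider-to-
customer and peer-to-peer edges; routing is valley-free with the
slides' preference order (cheaper first, then shorter).  The three
policies named on slide 23 (strict/viable/flexible) are not defined on
the slides, so only the plain 'avoid target ASes' rule is applied."""

# Constructed AS graph: destination D, providers P1-P3, a Tier-1 T1,
# stub ASes S1-S4 (legitimate) and X (attack AS hosting bots).
RELS = {
    "p2c": [("T1", "P1"), ("T1", "P2"), ("T1", "P3"),
            ("P1", "D"), ("P2", "D"), ("P3", "D"),
            ("P1", "S1"), ("P3", "S1"), ("P2", "S2"), ("P3", "S2"),
            ("P3", "S3"), ("P1", "S4"), ("P1", "X")],
    "p2p": [("P1", "P2")],
}

# After an edge of kind k, which kinds may follow (valley-free rule:
# climb to providers, cross at most one peer link, then only descend).
ALLOWED = {"up": {"up", "peer", "down"}, "peer": {"down"}, "down": {"down"}}
RANK = {"down": 0, "peer": 1, "up": 2}   # customer route cheapest, provider dearest


def neighbors(rels, node):
    """Yield (neighbour, kind): 'up' to a provider, 'down' to a customer,
    'peer' across a peering link."""
    for prov, cust in rels["p2c"]:
        if cust == node:
            yield prov, "up"
        if prov == node:
            yield cust, "down"
    for a, b in rels["p2p"]:
        if a == node:
            yield b, "peer"
        if b == node:
            yield a, "peer"


def valley_free_paths(rels, src, dst):
    """All loop-free, valley-free paths from src to dst."""
    paths, stack = [], [(src, [src], "up")]
    while stack:
        node, path, last = stack.pop()
        if node == dst:
            paths.append(path)
            continue
        for nxt, kind in neighbors(rels, node):
            if nxt not in path and kind in ALLOWED[last]:
                stack.append((nxt, path + [nxt], kind))
    return paths


def first_hop_kind(rels, path):
    # Relationship between the source and its next hop on `path`.
    return next(k for n, k in neighbors(rels, path[0]) if n == path[1])


def default_path(rels, src, dst):
    """Forwarding-path decision model of slide 22: cheapest first hop
    (customer > peer > provider), then shortest; name order breaks ties."""
    paths = valley_free_paths(rels, src, dst)
    if not paths:
        return None
    return min(paths, key=lambda p: (RANK[first_hop_kind(rels, p)], len(p), p))


def flooding_targets(rels, attack_ases, dst):
    """Conservative scenario of slide 23: every transit AS on any attack
    AS's path to dst is a potential flooding target."""
    targets = set()
    for a in attack_ases:
        path = default_path(rels, a, dst)
        if path:
            targets.update(path[1:-1])
    return targets


def has_alternate_path(rels, src, dst, targets):
    """'Avoid target ASes': does src keep any valley-free route to dst
    whose transit ASes are all outside the target set?"""
    return any(not (set(p[1:-1]) & targets) for p in valley_free_paths(rels, src, dst))


def connection_ratio(rels, legit_ases, attack_ases, dst):
    """Fraction of legitimate ASes that stay connected to dst (the
    'Connection Ratio' of slide 24), plus the targets and who survived."""
    targets = flooding_targets(rels, attack_ases, dst)
    connected = [s for s in legit_ases if has_alternate_path(rels, s, dst, targets)]
    return len(connected) / len(legit_ases), sorted(targets), connected


if __name__ == "__main__":
    print(connection_ratio(RELS, ["S1", "S2", "S3", "S4"], ["X"], "D"))
```

On this graph the attack AS X reaches D through P1, so P1 is the flooding target; S1, S2 and S3 keep a valley-free detour around it, while S4 is single-homed behind P1 and loses connectivity, a connection ratio of 75%. The valley-free constraint matters: S4-P1-S1-P3-D would avoid nothing and is also rejected because S1 would be transiting for free.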

SLIDE 25

Ease of Deployment

  • No significant deployment cost
    – no changes to existing systems (e.g., BGP and OSPF)
    – honors routing policies of individual ASes
    – requires no disclosure of internal topology/policies
  • Significant deployment incentives
    – technical advantage: detects and mitigates large-scale link-flooding attacks
    – economic advantages: provides premium services

SLIDE 26

Conclusion

  • CoDef: a practical mechanism for defending against large-scale link-flooding attacks
  • Test to identify the attack flows by exploiting the adversary's untenable choices
  • Significant deployment incentives

SLIDE 27

Thank You