ddos defense mechanisms for ixp infrastructures
play

DDoS Defense Mechanisms for IXP Infrastructures Tim Dijkhuizen - PowerPoint PPT Presentation

Apr 03, 2023 •387 likes •720 views

DDoS Defense Mechanisms for IXP Infrastructures Tim Dijkhuizen Lennart van Gijtenbeek Supervisor: Stavros Konstantaras (AMS-IX) SNE: Research Project II 03-07-2018 Introduction D istributed D enial o f S ervice DDoS attacks on banks in

  1. DDoS Defense Mechanisms for IXP Infrastructures Tim Dijkhuizen Lennart van Gijtenbeek Supervisor: Stavros Konstantaras (AMS-IX) SNE: Research Project II 03-07-2018

  2. Introduction D istributed D enial o f S ervice ● DDoS attacks on banks in NL [1] ● DDoS launched via botnets/booters ● Increase in size and complexity [2] ● IXP is a central entity ● Challenges: ● High traffic loads ○ IXP neutrality ○ Complex infrastructure ○ DDoS Defense Mechanisms for IXP Infrastructures 2

  3. Research Question What (automated) solution can be developed to identify and mitigate DDoS attacks in an IXP network? Image source - thenounproject.com DDoS Defense Mechanisms for IXP Infrastructures 3

  4. Internet eXchange Points (IXPs) ● Peering LAN (BGP) ● Exchange of traffic ● Wide range of networks connected ○ Such as banks, content providers, etc. ● Layer 2 forwarding (no routing) ● Route servers DDoS Defense Mechanisms for IXP Infrastructures 4

  5. Amsterdam Internet Exchange (AMS-IX) ~820 peers ● 5 Tbit/s peaks each day ● Traffic forwarding: MPLS/VPLS ● Statistics collector: sFlow ● Route server: BIRD ● Current DDoS solution ● ○ Disable port(s), NaWas DDoS Defense Mechanisms for IXP Infrastructures 5

  6. Types of DDoS Attacks Image source - nbip.nl/nl/2018/05/16/nbip-ddos-data-report-2017-now-available/ DDoS Defense Mechanisms for IXP Infrastructures 6

  7. Types of DDoS Attacks cont'd Volumetric attacks ● ○ Amplification attacks E.g. DNS amplification ■ ■ Small request, large response Protocol attacks ● ○ E.g. TCP SYN flood State exhaustion ○ ● Application attacks Layer 7 ○ No single detection method ● ● Distinct in: bandwidth and packets per second Image source - thenounproject.com DDoS Defense Mechanisms for IXP Infrastructures 7

  8. Design Principles 1. Mitigate as close to the source as possible 2. No configuration required on the CEs 3. No congestion in the IXP core 4. Identification and mitigation on lower layers is preferred 5. Detect most common DDoS attacks 6. Intelligence resides in the IXP 7. Minimal impact on good traffic 8. IXP neutrality 9. Compatibility DDoS Defense Mechanisms for IXP Infrastructures 8

  9. Detection Methods Traffic monitoring needed ● ○ PE switches Sample data: sFlow/Netflow ○ ● L2 detection L2 headers are too limited ○ ■ Frame size, CRC Other parameters ○ ■ Send rate, arrival interval L3/L4 detection ● DDoS Defense Mechanisms for IXP Infrastructures 9

  10. Detection Methods cont'd Threshold-based detection ● ○ Calculate thresholds based on destination IP(s) ■ Scalability: thresholds on prefixes ■ IXP environment: per source AS ○ Metrics: ■ L2/L3: BPS, PPS L4: TCP flags, source ports, destination ports ■ ● Fingerprint-based detection DDoSDB [3] ○ False negatives ○ DDoS Defense Mechanisms for IXP Infrastructures 10

  11. Mitigation Methods ● Scrubbing ○ On-site Proprietary box ■ ○ Off-site NaWas ■ ● Access Control Lists ● Software Defined Networking (SDN) ● BGP Blackholing DDoS Defense Mechanisms for IXP Infrastructures 11

  12. Blackholing Techniques with BGP Source-based blackholing ● IXP neutrality ○ IP spoofing / false positives ○ Destination-based blackholing on the CE ● 1. Route withdrawal 2. Static routing entry for prefix to Null0 and announce next-hop Destination-based blackholing on the PE ● Set CE next-hop to ARP-dummy ○ L2 ACL ○ DDoS Defense Mechanisms for IXP Infrastructures 12

  13. Design Proposal Image source - thenounproject.com DDoS Defense Mechanisms for IXP Infrastructures 13

  14. Added Components to IXP DTM = DDoS Threat Mitigator DDoS Defense Mechanisms for IXP Infrastructures 14

  15. Component Interaction DTM = DDoS Threat Mitigator DTA = DDoS Threshold Adviser CTA = Current Traffic Analyzer DDoS Defense Mechanisms for IXP Infrastructures 15

  16. Design Proposal Threshold-based detection Three-way mitigation DDoS Defense Mechanisms for IXP Infrastructures 16

  17. Design Workflow DDoS Defense Mechanisms for IXP Infrastructures 17

  18. Identification Start Phase (1.1) 1. Peer starts the process 2. Identify PE port(s) of the victim 3. Get the CE IP, and announced prefixes (RS) 4. Start the DTA/CTA ○ Based on victim ports, and destination prefixes 5. Perform threshold comparisons 6. Present customer with exceeded prefixes ○ Customer decides which prefixes to mitigate DDoS Defense Mechanisms for IXP Infrastructures 18

  19. Mitigation Start Phase (1.2) 1. Determine the culprit AS(es) Compare current to historical traffic ○ ASes to mitigation prefix ○ 2. Determine mitigation workflow Culprit AS is peered with RS: ○ ■ Perform mitigation via BGP route withdrawal (phase 2.1) ○ Culprit AS is NOT peered with RS: Perform mitigation via ACL on the ingress PE ■ (phase 2.3) DDoS Defense Mechanisms for IXP Infrastructures 19

  20. CE Route Withdrawal Mitigation (2.1) ● Instruct the RS to withdraw the destination prefix to culprit ○ Wait for <BGP_convergence_timeout> ● Threshold is still exceeded: ○ Method unsuccessful , restore original BGP announcement ○ Perform mitigation via BGP blackhole nexthop ( phase 2.2 ) ● Threshold is NOT exceeded: ○ Continue mitigation until DDoS no longer active ○ DDoS stopped or mitigation still working? DDoS Defense Mechanisms for IXP Infrastructures 20

  21. CE Blackhole Next-hop Mitigation (2.2) ● Instruct the RS to announce blackhole next-hop to culprit ○ Wait for <BGP_convergence_timeout> ● Threshold is still exceeded: ○ Method unsuccessful , restore original BGP announcement ○ Perform mitigation via L2 ACL (phase 2.3) ● Threshold is NOT exceeded: ○ Continue mitigation until DDoS no longer active ○ Monitor on ingress PE DDoS Defense Mechanisms for IXP Infrastructures 21

  22. PE L2 ACL Mitigation (2.3) ● Determine MAC addresses and DDoS ingress PE ● Instruct the PE to set up L2 ACL on the ingress PE Based on source CE and destination CE ○ ○ Wait for <ACL_timeout> ● Threshold is still exceeded: ○ Identification unsuccessful , remove ACL and go to phase 1.1 ● Threshold is NOT exceeded: ○ Continue mitigation until DDoS no longer active Monitor on ingress PE ○ DDoS Defense Mechanisms for IXP Infrastructures 22

  23. Proof of Concept ● Focused on mitigation phases Prefix identification, DTA, culprit AS identification ○ Mitigation Scenario 1 Scenario 2 Scenario 3 Scenario 4 2.1 ✔ ● Four different scenarios 2.2 ✘ ✔ Peered with RS: ○ 2.3 ✘ ✘ ✔ 2.1 ✔ ■ 2.4 ✘ ✘ ✘ ✔ 2.1 ✘ , 2.2 ✔ ■ 2.1 ✘ , 2.2 ✘ , 2.3 ✔ ■ Not peered with RS: ○ 2.3 ✔ ■ DDoS Defense Mechanisms for IXP Infrastructures 23

  24. Proof of Concept cont'd The DTM here also functions as the statistics collector FastNetMon : DDoS detector that supports multiple packet capture engines iPerf to generate traffic DDoS Defense Mechanisms for IXP Infrastructures 24

  25. Proof of Concept cont'd ● Culprit AS is peered with RS ● BGP route withdrawal mitigation (2.1) Converge timeout: 10s, analysis: 4s ● 2.1 converge timeout at 37s 2.1 mitigation successful at 41s 50Mbit normal traffic, 150Mbit threshold ● Threshold detected and performing 2.1 mitigation at 27s Mitigation Scenario 1 BPS (Mbit) Threshold (Mbit) BPS (Mbit) Time (s) DDoS Defense Mechanisms for IXP Infrastructures 25

  26. Proof of Concept cont'd ● Culprit AS is peered with RS ● BGP route withdrawal mitigation unsuccessful (2.1) BGP blackhole next-hop mitigation (2.2) ● Threshold detected 2.1 NOT successful and 2.2 converge timeout at 44s 2.1 converge timeout at 36s 2.2 mitigation successful at 55s and performing 2.1 mitigation at 26s performing 2.2 mitigation at 40s Mitigation Scenario 2 BPS (Mbit) Threshold (Mbit) BPS (Mbit) Time (s) DDoS Defense Mechanisms for IXP Infrastructures 26

  27. Proof of Concept cont'd ● Culprit AS is peered with RS ● BGP route withdrawal mitigation unsuccessful (2.1) BGP blackhole next-hop mitigation unsuccessful (2.2) ● Ingress PE L2 ACL mitigation (2.3) ● 2.2 mitigation NOT successful and 2.1 mitigation NOT successful and Threshold detected 2.1 converge timeout at 37s 2.2 converge timeout at 51s performing 2.3 mitigation at 55s performing 2.2 mitigation at 41s and performing 2.1 mitigation at 27s Mitigation Scenario 3 BPS (Mbit) Threshold (Mbit) BPS (Mbit) Time (s) DDoS Defense Mechanisms for IXP Infrastructures 27

  28. Proof of Concept cont'd ● Culprit AS is NOT peered with RS ● Ingress PE L2 ACL mitigation (2.3) Threshold detected and 2.3 mitigation at 25s Mitigation Scenario 4 BPS (Mbit) Threshold (Mbit) BPS (Mbit) Time (s) DDoS Defense Mechanisms for IXP Infrastructures 28

  29. Discussion ● Usage of route server and statistics collector ● BGP convergence time (too long?) ● Layer 3 ACL ○ IXP environment: focus on layer 2 mitigation ● Fine-grained thresholds (time of day) ● Present more details to customer DDoS Defense Mechanisms for IXP Infrastructures 29

  30. Conclusion ● Thresholds and Three-way mitigation ● Identification requires layer 3 analysis (prefixes) ● Mitigation achieved on layer 2 ○ BGP TE ○ IXP perspective DDoS Defense Mechanisms for IXP Infrastructures 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin &amp; Peter

A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin &amp; Peter

A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin &amp; Peter Reiher Manu Shantharam &amp; David Hadka What is DoS? DoS A type of attack wherein access to computer resource / service is denied or

380 views • 18 slides
Exploring DDoS Defense Mechanisms Patrick Holl Seminar Future Internet SS14-WS14/15 Lehrstuhl

Exploring DDoS Defense Mechanisms Patrick Holl Seminar Future Internet SS14-WS14/15 Lehrstuhl

Lehrstuhl Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen Exploring DDoS Defense Mechanisms Patrick Holl Seminar Future Internet SS14-WS14/15 Lehrstuhl Netzarchitekturen und Netzdienste Fakultt

622 views • 29 slides
Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent

Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent

Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent the access to a computer system to it's legitimate users. DDoS: DoS attack on the network using a lot of different source IP Why:

327 views • 16 slides
Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection &amp; Defense

Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection &amp; Defense

Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection &amp; Defense Prevention DOS/DDoS Types Vulnerability attack Flooding attack DoS vs DDoS DoS: Attack is launched from single host Less

614 views • 26 slides
DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks DDoS Prevention Improving Performance Questions Glossary DDoS - Attempt to make a server or network resource unavailable to Internet

549 views • 30 slides
DDoS Defense by Defense by DDoS Offense Offense Published in ACM SIGCOMM06 Presented By:

DDoS Defense by Defense by DDoS Offense Offense Published in ACM SIGCOMM06 Presented By:

DDoS Defense by Defense by DDoS Offense Offense Published in ACM SIGCOMM06 Presented By: Marwa K. Elteir Outline Outline Problem definition Problem definition Related Work Related Work Speak Speak- -up up Model Model

458 views • 9 slides
Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster

Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster

Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster synergy among stakeholders to promote advancement in DDoS defense knowledge. Independent academic R&amp;D division of Nexusguard building next

764 views • 44 slides
Practical Verifiable In-network Filtering for DDoS Defense Deli Gong, Muoi Tran , Shweta Shinde,

Practical Verifiable In-network Filtering for DDoS Defense Deli Gong, Muoi Tran , Shweta Shinde,

Practical Verifiable In-network Filtering for DDoS Defense Deli Gong, Muoi Tran , Shweta Shinde, Hao Jin, Vyas Sekar, Prateek Saxena, Min Suk Kang July 8, 2019 | Dallas, TX Large-scale volumetric DDoS attacks are common (distributed denial of

569 views • 29 slides
Optical-Aware DDoS Defense Matt Hall, Ramakrishnan Durairajan, Guyue (Grace) Liu, Vyas Sekar

Optical-Aware DDoS Defense Matt Hall, Ramakrishnan Durairajan, Guyue (Grace) Liu, Vyas Sekar

Optical-Aware DDoS Defense Matt Hall, Ramakrishnan Durairajan, Guyue (Grace) Liu, Vyas Sekar DDoS Attacks A persistent threat on the global Internet Working from home new online tools for collaboration New tools new attack

405 views • 9 slides
CDN on Demand Affordable DDoS Defense using Untrusted IaaS-Clouds Yossi Gilad, Michael Goberman,

CDN on Demand Affordable DDoS Defense using Untrusted IaaS-Clouds Yossi Gilad, Michael Goberman,

CDN on Demand Affordable DDoS Defense using Untrusted IaaS-Clouds Yossi Gilad, Michael Goberman, Amir Herzberg and Michael Sudkovitch Talk Outline Content Delivery Networks as DoS defense The CDN-on-Demand system Clientless

529 views • 22 slides
Modelling and simulation of a defense strategy to face indirect DDoS flooding attacks A. Furfaro,

Modelling and simulation of a defense strategy to face indirect DDoS flooding attacks A. Furfaro,

Modelling and simulation of a defense strategy to face indirect DDoS flooding attacks A. Furfaro, P. Pace, A. Parise, L. Molina Valdiviezo Universit` a della Calabria D.I.M.E.S 87036 Rende(CS) - Italy Email: a.furfaro@unical.it A. Furfaro

510 views • 18 slides
.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary

.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary

.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS A)ack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos A)acks Few Qmes

150 views • 13 slides
.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS Attack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos Attacks Few

606 views • 14 slides
Defense mechanisms How do we stop this from happening? sws1 1 Defenses Different strategies:

Defense mechanisms How do we stop this from happening? sws1 1 Defenses Different strategies:

Defense mechanisms How do we stop this from happening? sws1 1 Defenses Different strategies: Prevention Detection Reaction Ideally, youd like to prevent problems, but typically you cannot, so you have to make it

419 views • 17 slides
DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology

DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology

1 DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology of work DDoS tactics in-the-wild and how to improve Ready, set, FACEPALM! Q&amp;A ~$ whoami 3 Moshe Zioni, Head of Research,

656 views • 47 slides
Transport choice for Co-operative DDoS Mitigation 1 DDoS Transport Choice Message: DDoS victim

Transport choice for Co-operative DDoS Mitigation 1 DDoS Transport Choice Message: DDoS victim

Transport choice for Co-operative DDoS Mitigation 1 DDoS Transport Choice Message: DDoS victim to DDoS mitigation service SOS &quot;I am getting DoSd&quot; 2 DDoS Transport Choice SOS : Requirements Emergency signal.

247 views • 5 slides
Carryover Requests and No Cost Extensions December 5, 2017 1:00 2:00 pm ET Introductions P

Carryover Requests and No Cost Extensions December 5, 2017 1:00 2:00 pm ET Introductions P

UCEDD Grants Management Series: Carryover Requests and No Cost Extensions December 5, 2017 1:00 2:00 pm ET Introductions P RESENTERS Dorothy Garcia Program Manager, UCEDD TA AUCD LaDeva Harris Grants Management Specialist

510 views • 15 slides
Training Advisory Committee (TAC) for SB 19-238 Meeting November 7, 2019 2:00 4:00 PM

Training Advisory Committee (TAC) for SB 19-238 Meeting November 7, 2019 2:00 4:00 PM

Training Advisory Committee (TAC) for SB 19-238 Meeting November 7, 2019 2:00 4:00 PM Clayton Learning 1 st Floor Meera Mani Room Facilitator: Government Performance Solutions, Inc. 1 Welcome Roll call, obj ectives, and agenda 2 TAC

528 views • 23 slides
IEEE- SA (Standards Activity) FIPA ROFS-SG (Review of the FIPA Specifications - Study Group)

IEEE- SA (Standards Activity) FIPA ROFS-SG (Review of the FIPA Specifications - Study Group)

IEEE- SA (Standards Activity) FIPA ROFS-SG (Review of the FIPA Specifications - Study Group) Presentation Stefan Poslad, Queen Mary Uni. London Email: fipa-rofs-chair@ieee.org Edinburg, FIPA meeting cohosted 2006-09-13 with CIA 2006 1

171 views • 13 slides
Fiscal Management Part 1 Recipient Share and Match Part 2 Everything Counts William Kim,

Fiscal Management Part 1 Recipient Share and Match Part 2 Everything Counts William Kim,

Fiscal Management Part 1 Recipient Share and Match Part 2 Everything Counts William Kim, Grants Management Officer David Colangeli, Financial Management Specialist Administration for Community Living Office of Grants Management July

769 views • 39 slides
VA VA Medical Device Protection Program Medical Device Protection Program presented to

VA VA Medical Device Protection Program Medical Device Protection Program presented to

VA VA Medical Device Protection Program Medical Device Protection Program presented to presented to Information Security and Privacy Information Security and Privacy Advisory Board Advisory Board March 4, 2011 March 4, 2011 March 4, 2011

254 views • 21 slides
ANTERIOR CRUCIATE LIGAMENT RE- INJURY Sam Feldpausch, Jeff King, Seth Lashuay, McKenna Mathis

ANTERIOR CRUCIATE LIGAMENT RE- INJURY Sam Feldpausch, Jeff King, Seth Lashuay, McKenna Mathis

KNEE BRACE FOR PREVENTION OF ANTERIOR CRUCIATE LIGAMENT RE- INJURY Sam Feldpausch, Jeff King, Seth Lashuay, McKenna Mathis PROBLEM/PURPOSE Problem : Re-injury post ACL reconstruction when athletes return to sport Purpose : To evaluate the

522 views • 15 slides
Do Pa tie nts with De pre ssio n o r Anxie ty E xpe rie nc e Gre a te r L e ve ls o f Pa in

Do Pa tie nts with De pre ssio n o r Anxie ty E xpe rie nc e Gre a te r L e ve ls o f Pa in

Do Pa tie nts with De pre ssio n o r Anxie ty E xpe rie nc e Gre a te r L e ve ls o f Pa in Ca ta stro phizing ? Me g a n Simo n MA, L AT , AT C, OT C PI : Jo hn Xe ro g e a ne s, MD, Je nnife r Hunnic utt, PhD BACKGROUND Hig h c o

420 views • 14 slides
Nursing Grand Rounds Point of Care Scholars: Filling the Gaps in Evidence with Research

Nursing Grand Rounds Point of Care Scholars: Filling the Gaps in Evidence with Research

7/24/2014 Nursing Grand Rounds Point of Care Scholars: Filling the Gaps in Evidence with Research Christin Zwolski DPT, PT, OCS Deborah Williams RN, CNOR Jennifer Bekins MS, CCC-SLP Objective Discuss newly discovered gaps in nursing and

618 views • 23 slides

More recommend