Do Network-layer Connections Solve DoS ? Katerina Argyraki David - - PowerPoint PPT Presentation

do network layer connections solve dos
SMART_READER_LITE
LIVE PREVIEW

Do Network-layer Connections Solve DoS ? Katerina Argyraki David - - PowerPoint PPT Presentation

Nov 19, 2022 343 likes •1.06k views

Do Network-layer Connections Solve DoS ? Katerina Argyraki David R. Cheriton Datagrams vs. Connections Datagrams vs. Connections Connection-less network layer flexibility, simplicity best-effort service Datagrams vs. Connections

slide-1
SLIDE 1

Do Network-layer Connections Solve DoS ?

Katerina Argyraki David R. Cheriton

slide-2
SLIDE 2

Datagrams vs. Connections

slide-3
SLIDE 3

Datagrams vs. Connections

  • Connection-less network layer

– flexibility, simplicity – best-effort service

slide-4
SLIDE 4

Datagrams vs. Connections

  • Connection-less network layer

– flexibility, simplicity – best-effort service

  • Connection-oriented network layer

– end-to-end guarantees – more mechanism in routers, connection setup

slide-5
SLIDE 5

Bandwidth Flooding Attacks

slide-6
SLIDE 6

Bandwidth Flooding Attacks

srv G G

slide-7
SLIDE 7

Bandwidth Flooding Attacks

  • Victim's link flooded with malicious traffic

B B srv

slide-8
SLIDE 8

Bandwidth Flooding Attacks

  • Victim's link flooded with malicious traffic
  • Legitimate TCP clients back off

B B srv

slide-9
SLIDE 9

Datagrams vs. Connections

slide-10
SLIDE 10

Datagrams vs. Connections

  • Datagram approach

– allow all, explicitly deny bad traffic – use filtering to block bad traffic

slide-11
SLIDE 11

Datagrams vs. Connections

  • Datagram approach

– allow all, explicitly deny bad traffic – use filtering to block bad traffic

  • Connection-oriented (capability) approach

– deny (or limit) all, explicitly allow good traffic – use network-layer connections to shield good traffic

slide-12
SLIDE 12

What about Connection Setup?

slide-13
SLIDE 13

What about Connection Setup?

  • Must protect connection setup against DoS
slide-14
SLIDE 14

What about Connection Setup?

  • Must protect connection setup against DoS
  • Necessarily datagram traffic
slide-15
SLIDE 15

What about Connection Setup?

  • Must protect connection setup against DoS
  • Necessarily datagram traffic
  • Need datagram DoS solution
slide-16
SLIDE 16

What about Connection Setup?

  • Must protect connection setup against DoS
  • Necessarily datagram traffic
  • Need datagram DoS solution
  • Can use to protect all datagrams
slide-17
SLIDE 17

What about Connection Setup?

  • Must protect connection setup against DoS
  • Necessarily datagram traffic
  • Need datagram DoS solution
  • Can use to protect all datagrams

Once datagram DoS solution is deployed, connections become unnecessary

slide-18
SLIDE 18

The Datagram Approach

B B srv

slide-19
SLIDE 19

The Datagram Approach

  • Explicitly filter traffic from bad sources

B B srv

slide-20
SLIDE 20

The Datagram Approach

  • Explicitly filter traffic from bad sources
  • Securely move filtering state close to sources

– Active Internet Traffic Filtering (USENIX '05)

B B srv

slide-21
SLIDE 21

Capabilities: Stateless Connections

cli

srv

slide-22
SLIDE 22

Capabilities: Stateless Connections

cli marking/verification nodes srv

slide-23
SLIDE 23

Capabilities: Stateless Connections

cli capability request srv

slide-24
SLIDE 24

Capabilities: Stateless Connections

cli capability request capability srv

slide-25
SLIDE 25

Capabilities: Stateless Connections

  • Ticket to send n bytes within t seconds

cli capability request capability srv

slide-26
SLIDE 26

Capabilities: Stateless Connections

  • Ticket to send n bytes within t seconds
  • No filtering state, no special inter-ISP relationships

cli capability request capability srv

slide-27
SLIDE 27

Capabilities: Stateless Connections

  • Ticket to send n bytes within t seconds
  • No filtering state, no special inter-ISP relationships

Elegant and easy to deploy cli capability request capability srv

slide-28
SLIDE 28

DoS with Capability Requests

  • Can flood victim with capability requests

B B capability requests capability requests srv

slide-29
SLIDE 29

DoS with Capability Requests

  • Can flood victim with capability requests

B B capability requests capability requests srv

slide-30
SLIDE 30

DoS with Capability Requests

  • Can flood victim with capability requests
  • New client has trouble connecting to site

B B capability requests capability requests srv

slide-31
SLIDE 31

DoS with Capability Requests

  • Can flood victim with capability requests
  • New client has trouble connecting to site

Denial of Capability B B capability requests capability requests srv

slide-32
SLIDE 32

Setup vs. General Traffic

slide-33
SLIDE 33

Setup vs. General Traffic

  • Are setup requests easier to protect ?

– more resistant to loss – more predictable

slide-34
SLIDE 34

Setup vs. General Traffic

  • Are setup requests easier to protect ?

– more resistant to loss – more predictable

  • Our position: Setup traffic is not different

– with respect to vulnerability to DoS – and means required to protect it

slide-35
SLIDE 35

Is Connection Setup Resistant to Loss ?

slide-36
SLIDE 36

Is Connection Setup Resistant to Loss ?

  • Assume victim knows good clients
slide-37
SLIDE 37

Is Connection Setup Resistant to Loss ?

  • Assume victim knows good clients
  • A single setup request must get through
slide-38
SLIDE 38

Is Connection Setup Resistant to Loss ?

  • Assume victim knows good clients
  • A single setup request must get through
  • Can retransmit setup request until connected
slide-39
SLIDE 39

Is Connection Setup Resistant to Loss ?

  • Assume victim knows good clients
  • A single setup request must get through
  • Can retransmit setup request until connected
  • Probability of failure decreases exponentially
slide-40
SLIDE 40

Is Connection Setup Resistant to Loss ?

B B

2.5 Gbps attack traffic 100 Mbps

srv

slide-41
SLIDE 41

Is Connection Setup Resistant to Loss ?

  • Good client retransmits every second

B B

2.5 Gbps attack traffic 100 Mbps

srv

slide-42
SLIDE 42

Is Connection Setup Resistant to Loss ?

  • Good client retransmits every second
  • Expected time to connection is over 8 minutes

B B

2.5 Gbps attack traffic 100 Mbps

srv

slide-43
SLIDE 43

Is Connection Setup Resistant to Loss ?

  • Good client retransmits every second
  • Expected time to connection is over 8 minutes

B B

2.5 Gbps attack traffic 100 Mbps

srv Response time suffers

slide-44
SLIDE 44

Is Setup Traffic Policeable ?

slide-45
SLIDE 45

Is Setup Traffic Policeable ?

  • Attack sources send more than good sources
slide-46
SLIDE 46

Is Setup Traffic Policeable ?

  • Attack sources send more than good sources
  • Fair-queue setup requests
slide-47
SLIDE 47

Is Setup Traffic Policeable ?

  • Attack sources send more than good sources
  • Fair-queue setup requests
  • Each source gets same share of receiver's bwdth
slide-48
SLIDE 48

Is Setup Traffic Policeable ?

  • Fair-queuing per incoming interface

G B srv

slide-49
SLIDE 49

Is Setup Traffic Policeable ?

  • Fair-queuing per incoming interface
  • Ineffective during highly distributed attacks

B B srv

slide-50
SLIDE 50

Is Setup Traffic Policeable ?

  • Fair-queuing per source

B B srv

slide-51
SLIDE 51

Is Setup Traffic Policeable ?

  • Fair-queuing per source
  • Similar state with per-source filtering

B B srv

slide-52
SLIDE 52

Is Setup Traffic Policeable ?

  • Fair-queuing per source
  • Similar state with per-source filtering

B B srv At the cost of simplicity and deployability

slide-53
SLIDE 53

The Datagram Approach

  • Explicitly filter setup requests from bad sources

B B srv

slide-54
SLIDE 54

The Datagram Approach

  • Explicitly filter setup requests from bad sources
  • Explicitly filter all traffic from bad sources

B B srv

slide-55
SLIDE 55

The Datagram Approach

  • Explicitly filter setup requests from bad sources
  • Explicitly filter all traffic from bad sources

B B srv Connections become unnecessary

slide-56
SLIDE 56

Capabilities as an Optimization

slide-57
SLIDE 57

Capabilities as an Optimization

  • At least connected clients are unaffected by attack

B B srv

slide-58
SLIDE 58

Unless there Are Lots of Bad Guys

slide-59
SLIDE 59

Unless there Are Lots of Bad Guys

  • Undetected bad sources acquire capabilities
slide-60
SLIDE 60

Unless there Are Lots of Bad Guys

  • Undetected bad sources acquire capabilities
  • Victim must decide how to split bandwidth
slide-61
SLIDE 61

Unless there Are Lots of Bad Guys

  • Undetected bad sources acquire capabilities
  • Victim must decide how to split bandwidth
  • Randomly chooses which capabilities to renew
slide-62
SLIDE 62

Unless there Are Lots of Bad Guys

  • Undetected bad sources acquire capabilities
  • Victim must decide how to split bandwidth
  • Randomly chooses which capabilities to renew
  • Good clients lose to bad sources
slide-63
SLIDE 63

Unless there Are Lots of Bad Guys

  • Undetected bad sources acquire capabilities
  • Victim must decide how to split bandwidth
  • Randomly chooses which capabilities to renew
  • Good clients lose to bad sources

Undetected bad sources can always harm good traffic

slide-64
SLIDE 64

Capabilities = Reservations

slide-65
SLIDE 65

Capabilities = Reservations

  • Sender reserves receiver's bandwidth
slide-66
SLIDE 66

Capabilities = Reservations

  • Sender reserves receiver's bandwidth
  • Challenge: make the “right” reservation
slide-67
SLIDE 67

Capabilities = Reservations

  • Sender reserves receiver's bandwidth
  • Challenge: make the “right” reservation
  • Large botnets: each attack source sends low rate
slide-68
SLIDE 68

Capabilities = Reservations

  • Sender reserves receiver's bandwidth
  • Challenge: make the “right” reservation
  • Large botnets: each attack source sends low rate
  • Less relevant to restrict per-sender bandwidth
slide-69
SLIDE 69

Capabilities = Reservations

  • Sender reserves receiver's bandwidth
  • Challenge: make the “right” reservation
  • Large botnets: each attack source sends low rate
  • Less relevant to restrict per-sender bandwidth
  • More relevant to monitor traffic patterns
slide-70
SLIDE 70

Conclusions

  • Connections can protect good traffic against DoS
  • Connection-setup relies on datagrams

– must protect datagrams against DoS

  • Connections become unnecessary
slide-71
SLIDE 71

Conclusions

  • Connections can protect good traffic against DoS
  • Connection-setup relies on datagrams

– must protect datagrams against DoS

  • Connections become unnecessary
  • Capabilities may be useful optimization

– must compute the “right” capability for each source