in network filtering of distributed denial of service
play

In-Network Filtering of Distributed Denial-of-Service Traffic with - PowerPoint PPT Presentation

Jan 15, 2024 •248 likes •730 views

In-Network Filtering of Distributed Denial-of-Service Traffic with Near-Optimal Rule Selection Devkishen Sisodia, Jun Li, Lei Jiao {dsisodia, lijun, jiao}@cs.uoregon.edu C ENTER F OR C YBER S ECURITY & P RIVACY Outline Introduction

  1. In-Network Filtering of Distributed Denial-of-Service Traffic with Near-Optimal Rule Selection Devkishen Sisodia, Jun Li, Lei Jiao {dsisodia, lijun, jiao}@cs.uoregon.edu C ENTER F OR C YBER S ECURITY & P RIVACY

  2. Outline • Introduction • Offer-Based Model • Rule Selection Problem • ACO-Based Rule Selection Algorithm • Evaluation • Conclusion 2

  3. Introduction 3

  4. Large-Scale DDoS Attacks • Large scale distributed denial-of-service (DDoS) attacks are on the rise • Oct 2016: 1.2 Tbps (terabit per second) • Feb 2018: 1.3 Tbps • Mar 2018 : 1.7 Tbps • Jan 2019 : 500 Mpps (million packets per second) • Apr 2019: 580 Mpps • Feb 2020: 2.3 Tbps • Victim-end defense approaches: insufficient in mitigating large volume attacks • Alternative: in-network filtering approaches victim’s network Introduction In-Network Filtering of Distributed Denial-of-Service Traffic with Near-Optimal Rule Selection AsiaCCS 2020 4

  5. In-Network Filtering • Filter traffic at multiple locations on the Internet • General approach: • A DDoS defense agent generates DDoS-filtering rules • Places them at DDoS-filtering networks across the Internet • DDoS defense agent: victim • DDoS-filtering network: strategically located transit networks or scrubbing centers • Plethora of papers on in-network filtering approaches • All surveyed papers follow the directive-based model Introduction In-Network Filtering of Distributed Denial-of-Service Traffic with Near-Optimal Rule Selection AsiaCCS 2020 5

  6. Directive-Based Model for In-Network Filtering • Each DDoS-filtering network is obliged to deploy filtering rules • Two main optimization problems: • Rule generation: How to generate filtering rules given incoming traffic? • Rule placement: Which DDoS-filtering networks to select to deploy generated rules? • Assumptions: 1. DDoS-filtering networks are willing and able to deploy generated rules 2. Defense agent has complete knowledge of the filtering capabilities at the filtering networks • Advantage: simplifies the defense agent's decision process • Disadvantage: assumptions may not hold in the real-world Introduction In-Network Filtering of Distributed Denial-of-Service Traffic with Near-Optimal Rule Selection AsiaCCS 2020 6

  7. Questions • Is there a better operational model for in-network DDoS filtering? • Yes: offer-based model • If so, is there a new optimization problem associated with this model? • Yes: rule selection problem • If so, how can we solve this problem? • Ant Colony Optimization (ACO)-based rule selection algorithm Introduction In-Network Filtering of Distributed Denial-of-Service Traffic with Near-Optimal Rule Selection AsiaCCS 2020 7

  8. Offer-Based Model 8

  9. Overview • Allows the defense agent to express its filtering needs • Plethora of mechanisms for filtering DDoS traffic: • Access control lists (ACLs) • Berkeley Packet Filters (BPFs) • Remotely Triggered Black Hole (RTBH) signals • BGP FlowSpec rules • SDN rules • Focus of this paper: filtering rules based on source IP prefixes (e.g., 162.243.141.0/24) Offer-Based Model In-Network Filtering of Distributed Denial-of-Service Traffic with Near-Optimal Rule Selection AsiaCCS 2020 9

  10. Operational Model • Step 1: defense agent generates rules • Step 2: filtering networks create offers • Offer: a set of rules a filtering network is willing to deploy on behalf of the defense agent • Step 3: defense agent selects offers • Step 4: filtering networks deploy rules in selected offers Offer-Based Model In-Network Filtering of Distributed Denial-of-Service Traffic with Near-Optimal Rule Selection AsiaCCS 2020 10

  11. Offer-Based Model vs. Directive-Based Model • Both models allow a defense agent to express filtering rules to all participating filtering networks • However, only the offer-based model allows all participating DDoS filtering networks to decide which rules they deploy • Offer-based model advantages: • Removes assumptions made by the directive-based model • More suitable for the real-world • Offer-based model disadvantage: • A new optimization problem arises: rule selection Offer-Based Model In-Network Filtering of Distributed Denial-of-Service Traffic with Near-Optimal Rule Selection AsiaCCS 2020 11

  12. The Need for Rule Selection • Significant drawback to source IP-based filtering: limited number of rules can be deployed at defending networks • Scarcity of memory space on routers/switches • Most high-end routers today only have enough TCAM space to support a few thousand filtering rules • Case in point: Mirai • 50 million unique IP addresses spread all across the world • Infeasible to deploy a filtering rule for each /32 IP address -- very expensive! • Therefore, defense agent must aggregate rules • Ex: multiple /32 -> one /24; multiple /24 -> one /16 • Aggregation leads to collateral damage! Offer-Based Model In-Network Filtering of Distributed Denial-of-Service Traffic with Near-Optimal Rule Selection AsiaCCS 2020 12

  13. Rule Selection Optimization Problem Maximize the amount of DDoS traffic filtered, while limiting the amount of collateral damage incurred and money spent on deploying filtering rules. Offer-Based Model In-Network Filtering of Distributed Denial-of-Service Traffic with Near-Optimal Rule Selection AsiaCCS 2020 13

  14. Rule Selection Problem 14

  15. Overview • Three main factors a defense agent must consider when selecting an offer: • Efficacy of the offer • Collateral damage incurred by the offer • Price of the offer • In this paper, we focus on maximizing the defense efficacy, while keeping the maximum total collateral damage and the maximum amount of money spent on defense as constraints Rule Selection Problem In-Network Filtering of Distributed Denial-of-Service Traffic with Near-Optimal Rule Selection AsiaCCS 2020 15

  16. Formulation maximize the total amount of attack traffic filtered collateral damage constraint budget constraint limit to 1 selected offer per network offers are atomic Rule Selection Problem In-Network Filtering of Distributed Denial-of-Service Traffic with Near-Optimal Rule Selection AsiaCCS 2020 16

  17. Challenges • NP-hard 0-1 multidimensional knapsack problem with value-dependent items • Offers are value-dependent items • Unlikely to be solved in pseudo- polynomial time • Can use algorithms for the general 0-1 knapsack problem as bases • Greedy & Naïve • Dynamic Programming • Branch-and-Bound • Ant Colony Optimization Rule Selection Problem In-Network Filtering of Distributed Denial-of-Service Traffic with Near-Optimal Rule Selection AsiaCCS 2020 17

  18. ACO-Based Rule Selection Algorithm 18

  19. Analysis of Classical Algorithms branch-and-bound Optimal bound • Greedy & naive algorithms • Advantage: linear time complexity (short runtimes) • Disadvantage: perform relatively poorly in most cases ACO? • Branch-and-bound-based algorithm Optimality • Advantage: optimal • Disadvantage: exponential time complexity dynamic programming (extremely long runtime) • Dynamic programming-based algorithm • Advantage: outperforms greedy and naive, naive significantly better runtime than branch-and-bound Runtime • Disadvantage: suboptimal greedy ACO-Based Rule Selection Algorithm In-Network Filtering of Distributed Denial-of-Service Traffic with Near-Optimal Rule Selection AsiaCCS 2020 19

  20. Overview of the ACO Framework • Inspired by the foraging behavior of some ant species • Iterative algorithm • Each cycle, ants traverse a graph • Each ant builds a solution by walking from node to node • An ant chooses the next node partly based on the amount of pheromone laid on the path • At the end of a cycle, certain amount of pheromone is evaporated based on quality of the solution • Thus, ants in future cycles will be more attracted to solutions like the best ones previously constructed • Overall best solution is chosen at the end of last cycle • Challenge: Cannot be directly applied to the rule selection problem • Why?: correlated nature of offers and their potential for overlapping • Our contribution: develop an ACO-based algorithm for the rule selection problem • First time the classical ACO framework has been adapted and applied to the domain of in-network DDoS defense ACO-Based Rule Selection Algorithm In-Network Filtering of Distributed Denial-of-Service Traffic with Near-Optimal Rule Selection AsiaCCS 2020 20

  21. Example Attack: A4, A5 1 Legitimate: None Victim’s Budget: $6 Cost: $1 Victim’s Collateral Damage Threshold: 2 Attack: A1, A3, A4 Legitimate: G1 2 Cost: $2 Attack: A1, A2, A3, A4, A5 Legitimate: G1, G2, G3 3 Cost: $1 Attack: A2, A3, A4, A8 Legitimate: G2 4 Cost: $3 Attack: A1, A2, A6, A7 Legitimate: G1, G2 5 Cost: $2 Total of 5 offers, each containing rules that filter certain attack and legitimate flows, and the deployment cost. ACO-Based Rule Selection Algorithm In-Network Filtering of Distributed Denial-of-Service Traffic with Near-Optimal Rule Selection AsiaCCS 2020 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Detecting Distributed Denial of Service Attacks: A Neural Network Approach Gulay Oke

Detecting Distributed Denial of Service Attacks: A Neural Network Approach Gulay Oke

Detecting Distributed Denial of Service Attacks: A Neural Network Approach Gulay Oke (g.oke@imperial.ac.uk) Intelligent Systems and Networks Group Dept. of Electrical and Electronic Engineering Imperial College London Multi-Service

681 views • 21 slides
Terminus: Towards a Network-Level Deployable Architecture Against Distributed Denial-of- Service

Terminus: Towards a Network-Level Deployable Architecture Against Distributed Denial-of- Service

Terminus: Towards a Network-Level Deployable Architecture Against Distributed Denial-of- Service Attacks Felipe Huici and Mark Handley Networks Research Group Department of Computer Science Overview Terminus architecture Protecting

553 views • 27 slides
Denial of Service Denial of Service An attack designed to disrupt or completely deny

Denial of Service Denial of Service An attack designed to disrupt or completely deny

1 Denial of Service Denial of Service An attack designed to disrupt or completely deny legitimate users access to network, servers, services, or other resources Two basic favors: Target resource starvation Network

430 views • 19 slides
The Problem Distributed Denial of Service Attacks and Defenses CS 239 Advanced Topics in

The Problem Distributed Denial of Service Attacks and Defenses CS 239 Advanced Topics in

The Problem Distributed Denial of Service Attacks and Defenses CS 239 Advanced Topics in Network Security Peter Reiher May 3, 2006 Lecture 9 Lecture 9 Page 1 Page 2 CS 239, Spring 2006 CS 239, Spring 2006 Distributed Denial of Service

500 views • 4 slides
CyberWarfare Defense against Penetration T esting and distributed Denial-of-Service Attacks The

CyberWarfare Defense against Penetration T esting and distributed Denial-of-Service Attacks The

CyberWarfare Defense against Penetration T esting and distributed Denial-of-Service Attacks The Foundation of Network Security Stand-alone (ISP/Carrier Server Farm) modular TIPS for Perimeter Defense We brought a prototype for you!

263 views • 24 slides
Distributed Denial of Service Attacks & Defenses Guest Lecture by: Vamsi Kambhampati Fall

Distributed Denial of Service Attacks & Defenses Guest Lecture by: Vamsi Kambhampati Fall

Distributed Denial of Service Attacks & Defenses Guest Lecture by: Vamsi Kambhampati Fall 2011 Distributed Denial of Service (DDoS) Exhaust resources of a target, or the resources it depends on Resources: CPU, Memory, Bandwidth

427 views • 23 slides
Distributed Denial of Service Attacks and Coutntermeasures CSE598K/CSE545 - Advanced Network

Distributed Denial of Service Attacks and Coutntermeasures CSE598K/CSE545 - Advanced Network

740 views • 26 slides
Denial of Service Last Class Fault tolerance Concurrency Naming This Class

Denial of Service Last Class Fault tolerance Concurrency Naming This Class

Denial of Service Last Class Fault tolerance Concurrency Naming This Class Networking How DDoS works UDP Data Client Server Response TCP DDoS Distributed denial-of-service attack Attacker targets a victim from a

436 views • 28 slides
Outline Malware and the network, contd Denial of service and the network CSci 5271

Outline Malware and the network, contd Denial of service and the network CSci 5271

Outline Malware and the network, contd Denial of service and the network CSci 5271 Introduction to Computer Security Announcements intermission Malware and anonymity combined lecture Anonymous communications techniques Stephen McCamant

665 views • 10 slides
Practical Verifiable In-network Filtering for DDoS Defense Deli Gong, Muoi Tran , Shweta Shinde,

Practical Verifiable In-network Filtering for DDoS Defense Deli Gong, Muoi Tran , Shweta Shinde,

Practical Verifiable In-network Filtering for DDoS Defense Deli Gong, Muoi Tran , Shweta Shinde, Hao Jin, Vyas Sekar, Prateek Saxena, Min Suk Kang July 8, 2019 | Dallas, TX Large-scale volumetric DDoS attacks are common (distributed denial of

569 views • 29 slides
Resilient Networking 07: Denial of Service 1 Outline Classification DoS examples

Resilient Networking 07: Denial of Service 1 Outline Classification DoS examples

Resilient Networking 07: Denial of Service 1 Outline Classification DoS examples Countermeasures against DoS Crypto Puzzles Stateless Protocols Avoid IP address spoofing / identifying malicious nodes Ingress filtering

937 views • 72 slides
A Machine Learning Approach for Detecting Distributed Denial of Service Attacks Tanaphon Roempluk

A Machine Learning Approach for Detecting Distributed Denial of Service Attacks Tanaphon Roempluk

A Machine Learning Approach for Detecting Distributed Denial of Service Attacks Tanaphon Roempluk Master's degree studying Majoring in Information technology Faculty of informatics, Mahasarakham University The 4th International Conference on

207 views • 17 slides
IoDDoS The Internet of Distributed Denial of Service Attacks A Case Study of the Mirai

IoDDoS The Internet of Distributed Denial of Service Attacks A Case Study of the Mirai

SPAWAR S YSTEMS C ENTER P ACIFIC IoDDoS The Internet of Distributed Denial of Service Attacks A Case Study of the Mirai Malware and IoT-Based Botnets 24-26 April, 2017 Presented at the 2 nd International Conference Presented by Roger

654 views • 20 slides
Outline Distributed Denial of Service Introduction Attacks Characteristics of DDoS

Outline Distributed Denial of Service Introduction Attacks Characteristics of DDoS

Outline Distributed Denial of Service Introduction Attacks Characteristics of DDoS attacks CS 239 Some examples Security for Networks and Proposed prevention methods System Software May 15, 2002 Lecture 12 Lecture 12

421 views • 9 slides
1 Connect | Communicate | Collaborate Distributed Denial of Service (DDoS) Effects, Mitigations

1 Connect | Communicate | Collaborate Distributed Denial of Service (DDoS) Effects, Mitigations

1 Connect | Communicate | Collaborate Distributed Denial of Service (DDoS) Effects, Mitigations & Future Tony Barber Nov 2013 TF-NOC Wayne Routly, DANTE GEANT APM, Vienna 8 October, 2013 Agenda Effects Real World Examples Mitigations

237 views • 13 slides
Denial of Service Attacks that prevent legitimate users from doing their work By flooding

Denial of Service Attacks that prevent legitimate users from doing their work By flooding

Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing tables Or flooding routers Or destroying key packets Lecture 9 Page 1 CS 236 Online How Do Denial of

259 views • 15 slides
REALTIMECOMMUNICATIONINAN IP/ETHERNETBASED INCARNETWORK

REALTIMECOMMUNICATIONINAN IP/ETHERNETBASED INCARNETWORK

REALTIMECOMMUNICATIONINAN IP/ETHERNETBASED INCARNETWORK ForschungundTechnik. OUTLINE 1. IntroductionandScope Motivation

681 views • 15 slides
After 9/11 The terrorist network / 1 Those who were trained to fly didn t know the others.

After 9/11 The terrorist network / 1 Those who were trained to fly didn t know the others.

N ETWORK S CIENCE Prof. Marcello Pelillo Ca Foscari University of Venice a.y. 2016/17 After 9/11 The terrorist network / 1 Those who were trained to fly didn t know the others. One group of people did not know the other group. Osama

501 views • 23 slides
BENDAMUSTINE + RITUXIMAB IN CLL Barbara Eichhorst Bologna 13. November 2017 CONFLICT OF

BENDAMUSTINE + RITUXIMAB IN CLL Barbara Eichhorst Bologna 13. November 2017 CONFLICT OF

BENDAMUSTINE + RITUXIMAB IN CLL Barbara Eichhorst Bologna 13. November 2017 CONFLICT OF INTERESTS 1. Advisory Boards Janssen, Gilead, Roche, Abbvie, GSK 2. Honoraria Roche, GSK, Gilead, Janssen, Abbvie, Celgene 3. Resarch support Roche,

827 views • 30 slides
Macroeconomics and Household Inequality: Data, Models and an Application Dirk Krueger University

Macroeconomics and Household Inequality: Data, Models and an Application Dirk Krueger University

Macroeconomics and Household Inequality: Data, Models and an Application Dirk Krueger University of Pennsylvania, CEPR, CFS, NBER and Netspar W. Edmund Clark Lecture Queens University Based on work with Andrew Glover, Jonathan Heathcote, Kurt

884 views • 67 slides
th Nov. 2017 snapshot 28 th Record-breaking sea temps have cascading effects on food webs

th Nov. 2017 snapshot 28 th Record-breaking sea temps have cascading effects on food webs

Tasman Sea temperature th Nov. 2017 snapshot 28 th Record-breaking sea temps have cascading effects on food webs (eg . drastic reduction in krill biomass, Johnson et al. 2011) Storms Cyclone Fehi Jan-Feb 2018

178 views • 6 slides
INT INTO O PRA PRACTICE CTICE Act Actions ions for or a Health a Healthy y an and d

INT INTO O PRA PRACTICE CTICE Act Actions ions for or a Health a Healthy y an and d

PUT PUTTING TING SUST SUSTAIN AINABILITY ABILITY INT INTO O PRA PRACTICE CTICE Act Actions ions for or a Health a Healthy y an and d Sust Sustaina ainable ble Soc Society iety Joint Chairs: Caroline Jessel NHS England

730 views • 72 slides
INF3490 - Biologically inspired computing Swarm Intelligence, Fuzzy Logic Weria Khaksar

INF3490 - Biologically inspired computing Swarm Intelligence, Fuzzy Logic Weria Khaksar

11/5/2018 INF3490 - Biologically inspired computing Swarm Intelligence, Fuzzy Logic Weria Khaksar November, 06, 2018 1 11/5/2018 06.11.2018 2 2 11/5/2018 Swarm Intelligence: Concept Collective behavior emerged from social insects working

847 views • 65 slides
Cellbots CS 2951A Evan Stites-Clayton Allows a phone to be a robot, not just control one

Cellbots CS 2951A Evan Stites-Clayton Allows a phone to be a robot, not just control one

Cellbots CS 2951A Evan Stites-Clayton Allows a phone to be a robot, not just control one Streaming video from phone Text to speech Remote control Various techs developed by Supported Platforms Arduino based robots such as

365 views • 12 slides

More recommend