 
How does NetFence Work?
A shared time-varying secret key via distributed Diffie-Hellman via BGP [Passport]
• A router under attack replaces nop with L
  – All traffic
  – Signal congestion to access router
  – L  link,   act, mon  mode = MAC (src, dst, ts, L, mon,  , )
  – No downstream overwrite

How does NetFence Work?
• A receiver uses the feedback as capabilities
• Sender sends regular packets that carry the congestion policing feedback
  – Could be nop when there is no attack
  – Can't send if receiving no feedback from receiver

How does NetFence Work?
• Access router validates feedback
• Starts congestion policing
  – One leaky bucket per (src, L) limits sending rate
  – Does not distinguish legitimate/malicious senders
• Resets L
  – now  ts,   act = MAC (src, dst, ts, L, mon,  )

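The stamp-then-validate steps above, as an added sketch that is not code from the NetFence authors. It assumes a single shared key, HMAC-SHA256 truncated to 8 bytes, a 4-second freshness window, and the action names "incr"/"decr"; the sample addresses and key are constructed.

```python
import hashlib
import hmac
import struct

MAC_LEN = 8        # assumed truncated MAC length (bytes)
MAX_AGE = 4        # assumed freshness window for now - ts (seconds)

def feedback_mac(key, src, dst, ts, link, mode, act):
    """MAC over (src, dst, ts, L, mode, act); every field is length-prefixed."""
    fields = (src.encode(), dst.encode(), struct.pack("!I", ts),
              link.encode(), mode.encode(), act.encode())
    msg = b"".join(struct.pack("!H", len(f)) + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

def stamp(key, src, dst, ts, link, mode, act):
    """Router side: feedback bound to this flow and timestamp."""
    return {"ts": ts, "link": link, "mode": mode, "act": act,
            "mac": feedback_mac(key, src, dst, ts, link, mode, act)}

def validate(key, src, dst, fb, now):
    """Access-router side: reject stale, forged or transplanted feedback."""
    if not 0 <= now - fb["ts"] <= MAX_AGE:
        return "expired"
    want = feedback_mac(key, src, dst, fb["ts"], fb["link"], fb["mode"], fb["act"])
    if not hmac.compare_digest(want, fb["mac"]):
        return "bad-mac"
    return "ok"

def demo():
    key = b"constructed-demo-key"              # constructed sample key
    fb = stamp(key, "10.0.0.7", "192.0.2.9", 1000, "L", "mon", "decr")
    flipped = dict(fb, act="incr")             # sender rewrites the action
    return {
        "honest": validate(key, "10.0.0.7", "192.0.2.9", fb, 1002),
        "flipped": validate(key, "10.0.0.7", "192.0.2.9", flipped, 1002),
        "other_src": validate(key, "10.0.0.8", "192.0.2.9", fb, 1002),
        "replayed": validate(key, "10.0.0.7", "192.0.2.9", fb, 1060),
    }
```

Because src, dst and ts are inside the MAC, feedback cannot be moved to another flow or reused after the window closes.
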
How does NetFence Work?
• Establishes a congestion policing loop
  – Bottleneck router signals
    • If congested, L   L
    • Otherwise, L
  – Access router polices
    • Periodic Additive Increase Multiplicative Decrease (AIMD, TCP-like) for fairness and efficiency

How does NetFence Work?
• Bottleneck router
  1. Detect attack to start a policing cycle
     • Loss or load based
  2. Signal congestion within a cycle
     • Random Early Detection (RED)

Recap: Why It Works
1. Secret keys to secure congestion policing feedback
2. Periodic AIMD based on secure congestion policing feedback
3. Secure congestion feedback as network capabilities

Properties
• Provable fairness
  – Denial of Service  Predictable Delay of Service
Theorem: Given G good and B bad senders sharing a bottleneck link of capacity C, regardless of the attack strategies, any good sender g with sufficient demand eventually obtains a fair share  v g C  G B where and is a transport efficiency factor.   v 1 g

Now the Trickier Stuff
More Challenges
• A broad range of attacks
  – Flood request packets (with no feedback)
  – Hide L
  – Evade attack detection
  – On/Off
  – …
• Multiple bottlenecks
• Practical constraints
  – Low overhead
  – Gradual deployment
  – Incentive-compatible adoption

Limiting Request Packet Floods
1. Separate request packet channel
2. Per-sender request packet policing
3. Priority-based backoff
   • Emulate computational puzzles
     1. Eventual success
     2. Efficient: waiting replaces proof of work
[Figure labels: 2^(k-1), k, k-1, L]

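A toy model of priority-based backoff on the request channel, added here as an illustration and not taken from the NetFence implementation. It assumes a level-k request costs 2^(k-1) tokens, every sender earns one token per tick, and the bottleneck forwards a fixed number of requests per tick in strict priority order; all numbers are constructed.

```python
def cost(level):
    """Tokens a level-k request costs (assumed: 2**(k-1))."""
    return 2 ** (level - 1)

def ticks_until_admitted(n_attackers, attack_level, capacity, max_ticks=10_000):
    """Return (tick, level) at which one backing-off sender gets a request through.

    Model (assumed): every sender earns 1 token per tick from its access
    router; the bottleneck forwards `capacity` requests per tick, highest
    level first, and ties at equal level go to the attackers (worst case).
    """
    price = cost(attack_level)
    atk = [i % price for i in range(n_attackers)]   # staggered attackers
    tokens, level = 0, 1
    for tick in range(1, max_ticks + 1):
        queue = []                                  # (level, is_legit)
        for i in range(n_attackers):
            atk[i] += 1
            if atk[i] >= price:
                atk[i] -= price
                queue.append((attack_level, False))
        tokens += 1
        sent = tokens >= cost(level)
        if sent:
            tokens -= cost(level)
            queue.append((level, True))
        queue.sort(key=lambda p: (-p[0], p[1]))     # strict priority
        if sent and (level, True) in queue[:capacity]:
            return tick, level
        if sent:
            level += 1                              # back off one level up
    return None
```

Raising the flood's level halves its per-tick volume each time, so the level a backing-off sender must reach stays bounded and the only price it pays is waiting.
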
Making hiding L  ineffective
• Robust signaling rate increase with L
  1. Treating the absence of L  as L
  2. Stamping no L  for sufficiently long after congestion ends
[Figure: timelines. Bottleneck Router: t_1, t_2, t_2 + 2 I_ctrl. Access Router: t_e, t_e + I_ctrl]

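An added sketch (not the NetFence authors' code) of the access router's per-(src, L) leaky bucket with periodic AIMD, covering both the policing-loop slide and the rule above that a missing rate-increase signal is treated as a decrease. The action names "incr"/"decr", the 2-second control interval and the rate parameters are assumptions chosen for illustration.

```python
class SrcLinkLimiter:
    """Policing state an access router keeps for one (src, L) pair."""

    def __init__(self, rate_bps, delta_bps, beta, depth_bytes, now=0.0):
        self.rate_bps = rate_bps          # current rate limit
        self.delta_bps = delta_bps        # additive increase per interval
        self.beta = beta                  # multiplicative decrease fraction
        self.depth = depth_bytes          # leaky-bucket depth
        self.level = 0.0                  # bytes currently in the bucket
        self.last = now
        self.interval_start = now
        self.fresh_incr = False

    def admit(self, size, now):
        """Leaky bucket: drain at rate_bps, refuse what would overflow."""
        drained = (now - self.last) * self.rate_bps / 8
        self.level = max(0.0, self.level - drained)
        self.last = now
        if self.level + size > self.depth:
            return False
        self.level += size
        return True

    def on_feedback(self, act, ts):
        """Note MAC-validated feedback carried by one of src's packets."""
        if act == "incr" and ts >= self.interval_start:
            self.fresh_incr = True

    def end_interval(self, now):
        """Periodic AIMD: no fresh increase signal counts as a decrease."""
        if self.fresh_incr:
            self.rate_bps += self.delta_bps
        else:
            self.rate_bps *= 1.0 - self.beta
        self.interval_start, self.fresh_incr = now, False
        return self.rate_bps

def final_rate(feedback, intervals=5, i_ctrl=2.0):
    """Run `intervals` control intervals; feedback(t0) -> [(act, ts), ...]."""
    lim = SrcLinkLimiter(100_000.0, 12_000.0, 0.1, 3000)
    for k in range(intervals):
        t0 = k * i_ctrl
        for act, ts in feedback(t0):
            lim.on_feedback(act, ts)
        lim.end_interval(t0 + i_ctrl)
    return lim.rate_bps
```

A sender that withholds feedback or replays an old increase signal ends up with the same shrinking limit as one that presents the decrease signal.
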