Next Gen Blackholing to Counter DDoS
NANOG75, San Francisco
Christoph Dietzel*, Matthias Wichtlhuber*, Georgios Smaragdakis, Anja Feldmann
TU Berlin, *DE-CIX, MPI
www.de-cix.net

Volumetric DDoS Attacks
[Chart: volumetric DDoS attack sizes by year: '15: 200 Gbps, '16: 1 Tbps, '18: 1.7 Tbps, '19: ? Tbps]
ISP DDoS Defense Toolbox

ACL
- Filters at arbitrary granularity
- Vendor-specific
- Per-device config

TSS (Traffic Scrubbing Services)
- Carefree service
- Redirects traffic to scrubbing centers
- On-demand vs. always-on

Flowspec
- Configures rules at the neighbor network
- Filters at arbitrary granularity
- Cooperation required

RTBH
- Configures rules at the neighbor network
- Filters at IP granularity
- Cooperation required
DDoS Defense at IXPs
- Combine the good properties of existing solutions
- Eradicate current shortcomings
+ IXPs offer services to hundreds of ASes
+ IXPs have multiple Tbps of capacity
+ Trusted part of the Internet community
Blackholing at IXPs
[Diagram: AS1, AS2 and AS3 peer at the IXP; the control plane runs through the IXP route server, the data plane through the IXP switching fabric. AS1 holds 100.10.10.0/24; NTP traffic floods the host 100.10.10.10.]
[Diagram: AS1 announces 100.10.10.10/32 tagged with the blackholing community IXP_ASN:666 to the route server; the route server accepts the announcement, and the IXP denies (drops) the NTP traffic towards 100.10.10.10 in the data plane.]
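As an added illustration (not code from the presentation or from DE-CIX), the following Python models the route-server side of the blackholing mechanism shown on the slides: a member announces a host route tagged with the blackholing community IXP_ASN:666, the route server accepts it only if the prefix lies inside address space that member is registered to originate, and rewrites the next-hop to a sink address so that every peer importing the route discards traffic for that host. The community IXP_ASN:666 and the addresses 100.10.10.0/24 and 100.10.10.10 are from the slides; the IXP ASN 65000, the blackhole next-hop 192.0.2.1, the member prefix registry and the "no more-specifics beyond /24" policy are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List

IXP_ASN = 65000                           # assumed: the IXP's own ASN
BLACKHOLE_COMMUNITY = f"{IXP_ASN}:666"    # IXP_ASN:666, the community from the slides
BLACKHOLE_NEXT_HOP = "192.0.2.1"          # assumed: next-hop the IXP fabric discards

# Constructed registry of the prefixes each member ASN is allowed to originate
# (in practice derived from IRR/RPKI data). AS1 holds 100.10.10.0/24 as on the slides.
MEMBER_PREFIXES = {
    1: [ipaddress.ip_network("100.10.10.0/24")],
    2: [ipaddress.ip_network("203.0.113.0/24")],
}
MAX_REGULAR_PREFIXLEN = 24  # assumed policy: no IPv4 more-specifics beyond /24 unless blackholing


@dataclass
class Announcement:
    peer_asn: int
    prefix: str
    next_hop: str
    communities: List[str] = field(default_factory=list)


@dataclass
class Decision:
    action: str           # "accept", "blackhole" or "reject"
    reason: str
    next_hop: str = ""    # next-hop the route server re-advertises


def covered_by_registry(asn: int, net) -> bool:
    """True if `net` lies inside a prefix the member is registered for."""
    return any(p.version == net.version and net.subnet_of(p)
               for p in MEMBER_PREFIXES.get(asn, []))


def evaluate(a: Announcement) -> Decision:
    """Route-server import policy for one announcement from one member."""
    try:
        net = ipaddress.ip_network(a.prefix, strict=True)
    except ValueError as e:
        return Decision("reject", f"malformed prefix: {e}")
    if not covered_by_registry(a.peer_asn, net):
        # Prevents a member from blackholing (or hijacking) someone else's address space
        return Decision("reject", "prefix not registered for peer ASN")
    if BLACKHOLE_COMMUNITY not in a.communities:
        if net.version == 4 and net.prefixlen > MAX_REGULAR_PREFIXLEN:
            return Decision("reject", "more-specific than /24 without blackhole community")
        return Decision("accept", "regular route", a.next_hop)
    # Blackhole route: host routes only, and the next-hop is rewritten so that
    # every peer importing the route forwards traffic for that host into the sink
    if net.prefixlen != net.max_prefixlen:
        return Decision("reject", "blackhole route must be a host route")
    return Decision("blackhole", "blackhole community present", BLACKHOLE_NEXT_HOP)


if __name__ == "__main__":
    flooded_host = Announcement(1, "100.10.10.10/32", "10.0.0.1", [BLACKHOLE_COMMUNITY])
    print(evaluate(flooded_host))
```

The decision only governs routes learned through the route server, i.e. multilateral peerings; members exchanging routes bilaterally never see the blackhole route, which is the "no effect on a subset of peerings" limitation named on the next slide.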
Blackholing – Limitations
[Diagram: the same blackholing setup, 100.10.10.10/32 announced with IXP_ASN:666, NTP traffic towards 100.10.10.10 dropped]
- Blocks unwanted and wanted traffic
- Hard to predict behavior
- No effect on a subset of peerings
Blackholing – Limitations
- Relative traffic of a 40GE IXP port
- Mostly web traffic (80, 443, …)
- Attack: 70% memcached traffic
- Still a significant share of web traffic
→ Collateral damage!
Blackholing – Limitations
- All-or-nothing approach
- Prefix granularity
- Per-peer selection at IXPs
- Blackholed traffic:
  - 99.94% UDP
  - Expected L4 ports (NTP, LDAP, …)
→ More granularity needed!
Blackholing – Limitations
- How "ineffective" can it be?
- NTP DDoS attack
- AS at the IXP via ML (multilateral) peering
- Attacks for 10 min to a /32
- Drop all traffic to the /32
- Traffic: 800 to 600 Mbps
- Peers: 38 to 26
→ Signaling too complex!
Advanced Blackholing Requirements
- Granularity
  - Fine-grained filtering (src/dst header fields)
- Signaling complexity
  - Easy to use, short setup time
- Cooperation
  - Lower levels of cooperation among the involved parties
- Telemetry
  - Feedback on the state of the attack at any time
- Scalability
  - Scale in terms of performance, filters, reaction time, config complexity
- Cost
  - Meeting all requirements with minimal investment (CAPEX & OPEX)
Advanced Blackholing System
[Diagram: AS1 sends an ADV_BH signal for 100.10.10.10/32 through the route server (control plane); the blackholing controller accepts it and installs the filter towards 100.10.10.10 in the data plane.]
Advanced Blackholing System
[Architecture diagram: IXP members connect to the IXP interface; the Blackholing Manager covers signaling, management and filtering, and pushes filter updates from the control plane to the data plane.]
Advanced Blackholing Signaling (BGP part)
[Diagram: the Blackholing Controller holds an iBGP session to the IXP route server. BGP Parser → BGP Processor → Routing Information Base (decoded BGP) → Network Manager. Configuration changes pass through a Token Bucket Queue (maximum burst size / rate limiting). Network Manager options: Option 1: QoS Network Manager with a QoS Configuration Compiler; Option 2: SDN Network Manager with an SDN Configuration Compiler; each backed by a Hardware Information Base and emitting hardware-specific configuration changes.]
Building Blocks
- Granularity
  - UDP, TCP, ports, …
- Signaling complexity
  - BGP communities or API
- Cooperation
  - Enforced by the IXP
- Telemetry
  - Monitoring with statistics
- Scalability
  - Line-rate in hardware
- Cost
  - Implemented in existing hardware
Implementation Challenges
- BGP processing
- Configuration proxy
- Why not FlowSpec?
Does it Scale?
- Scalability w.r.t. the number of filters & IXP ports (of switches/routers)
  - TCAM to match header fields
  - Measuring the system's limits & a port's limits (max. number of filters)
  - Results on the next slide
- Scalability w.r.t. configuration update frequency limits (of the config proxy)
  - Allows 4.33 filter updates per second
  - 70% of BH updates complete in under 1 second
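As an added example (not the DE-CIX implementation and not code from the talk), the following Python models the controller pipeline sketched on the signaling slide together with the building blocks and the scaling limits above: a member signal arrives either as BGP communities on an announcement or as an API call, is compiled into a fine-grained filter rule (protocol, destination port, drop or shape), and every configuration push to the hardware passes through a token-bucket queue limited to the 4.33 filter updates per second quoted for the configuration proxy. Only the community IXP_ASN:666 and the 4.33/s figure are from the slides; the other community codes, the IXP ASN 65000, the rule format, the burst size and the telemetry counters are assumptions.

```python
from collections import deque
from dataclasses import dataclass
from typing import List, Optional

IXP_ASN = 65000  # assumed: the IXP's own ASN

# Constructed signaling scheme: community IXP_ASN:<code> maps to one filter.
# Only IXP_ASN:666 (classic blackholing) is on the slides; the other codes are made up.
COMMUNITY_CODES = {
    f"{IXP_ASN}:666":  (None, None, "drop"),    # drop all traffic to the prefix
    f"{IXP_ASN}:1123": ("udp", 123, "drop"),    # drop UDP/123 (NTP)
    f"{IXP_ASN}:1389": ("udp", 389, "drop"),    # drop UDP/389 (CLDAP)
    f"{IXP_ASN}:2123": ("udp", 123, "shape"),   # rate-limit UDP/123 instead of dropping
}


@dataclass(frozen=True)
class FilterRule:
    dst_prefix: str
    proto: Optional[str]     # None = any protocol
    dst_port: Optional[int]  # None = any port
    action: str              # "drop" or "shape"


def rules_from_communities(prefix: str, communities: List[str]) -> List[FilterRule]:
    """BGP signaling path: each known community on the announcement becomes one rule."""
    return [FilterRule(prefix, *COMMUNITY_CODES[c]) for c in communities if c in COMMUNITY_CODES]


def rule_from_api(prefix: str, proto: Optional[str], port: Optional[int], action: str) -> FilterRule:
    """API signaling path: arbitrary header fields, validated before use."""
    if proto not in (None, "udp", "tcp"):
        raise ValueError("unsupported protocol")
    if port is not None and not 0 <= port <= 65535:
        raise ValueError("port out of range")
    if action not in ("drop", "shape"):
        raise ValueError("unsupported action")
    return FilterRule(prefix, proto, port, action)


class TokenBucket:
    """Rate limiter for configuration pushes towards the hardware."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def consume(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class BlackholingController:
    def __init__(self, rate: float = 4.33, burst: int = 10):  # 4.33/s from the slides, burst assumed
        self.bucket = TokenBucket(rate, burst)
        self.pending = deque()   # (op, rule) waiting for a token
        self.active = set()      # rules currently installed in hardware
        self.pushed = []         # constructed telemetry: every config change applied

    def request(self, op: str, rule: FilterRule, now: float) -> str:
        """Queue an add/remove and push it immediately if the bucket allows."""
        if op == "add" and rule in self.active:
            return "already active"
        if op == "remove" and rule not in self.active:
            return "not active"
        self.pending.append((op, rule))
        # The queue is FIFO, so an empty queue after flushing means this change went through
        return "applied" if self.flush(now) and not self.pending else "queued"

    def flush(self, now: float) -> bool:
        """Push queued changes while tokens last; True if anything was pushed."""
        pushed = False
        while self.pending and self.bucket.consume(now):
            op, rule = self.pending.popleft()
            (self.active.add if op == "add" else self.active.discard)(rule)
            self.pushed.append((now, op, rule))
            pushed = True
        return pushed

    def stats(self) -> dict:
        return {"active": len(self.active), "pending": len(self.pending), "pushed": len(self.pushed)}


if __name__ == "__main__":
    ctl = BlackholingController()
    for rule in rules_from_communities("100.10.10.10/32", [f"{IXP_ASN}:1123"]):
        print(ctl.request("add", rule, now=0.0), rule)
    print(ctl.stats())
```

A `queued` result is the case the "70% of BH updates below 1 second" figure is about: changes beyond the proxy's update rate are not lost, they wait in the queue and are pushed on the next `flush` once tokens have refilled, so the time-to-effect of a blackhole request grows with the backlog rather than with the attack.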
Stress Test on the IXP's Hardware
[Chart: filter load with 20%, 60% and 100% of IXP member ASes participating]
Measurement Experiment
- How "effective" is it?
- NTP DDoS attack
- AS at the IXP via ML (multilateral) peering
- Attacks for 10 min to a /32
- Drop / shape UDP NTP
- Traffic: 1000 to 200 to 0 Mbps
- Peers: 60 to (almost) 0
Summary
- A number of DDoS mitigation solutions exist, but …
- We identify and measure blackholing limitations
- We propose Advanced Blackholing, combining the benefits of today's DDoS defenses and overcoming their problems
- We implement a new system with a BGP and API interface
- We evaluated it and showed that it scales well