On the Feasibility of Rerouting-based DDoS Defenses - PowerPoint PPT Presentation



SLIDE 1

On the Feasibility of Rerouting-based DDoS Defenses

Muoi Tran, Min Suk Kang, Hsu-Chun Hsiao, Wei-Hsuan Chiang, Shu-Po Tung, Yu-Su Wang

May 2019 | San Francisco, CA

SLIDE 2

Transit-link DDoS attack: a powerful type of volumetric DDoS (distributed denial of service) attack

Traditional: volumetric attack traffic targeting end servers

Non-traditional: volumetric attack traffic targeting transit links

[Figure: several ASes connected through a transit link]

Academic studies: Coremelt attack (ESORICS '09), Crossfire attack (S&P '13)

Real incidents: 2013, 2015

SLIDE 3

Handling transit-link DDoS attacks is challenging

[Figure: source ASes and destination ASes connected through a transit link]

Indistinguishable low-rate traffic

Victims are indirectly affected

SLIDE 4

Transit-link DDoS attacks still remain an open problem

[Timeline: 2009, 2013, 2014, 2016, 2018]

Attacks: Coremelt attack (Studer et al., 2009), Crossfire attack (Kang et al., 2013)

Partial solutions: SPIFFY (Kang et al.), CoDef defense (Lee et al.), LinkScope (Xue et al.)

Not available in the current Internet: RADAR (Zheng et al.), NetHide (Meier et al.), STRIDE (Hsiao et al.), SIBRA (Basescu et al.)

Routing Around Congestion (Smith et al., S&P '18): "Readily deployable solution"

SLIDE 5

Background: how does BGP routing work?

Border Gateway Protocol (BGP)

[Figure: AS D (destination) announces {D}; AS Z announces {Z, D}; AS Y announces {Y, Z, D}; AS X announces {X, Y, Z, D}; AS C (source) receives the announcement. BGP propagation runs from destination to source; traffic forwarding follows the traffic path from source back to destination.]

No control over traffic path by design

Loop-free AS-path

SLIDE 6

Routing Around Congestion (RAC): rerouting using BGP poisoning [Smith et al., S&P '18]

[Figure: AS D (victim destination), AS Z, AS W, AS X, AS C (critical source), AS Y; original path and detour path]

Goal: reroute to avoid AS W

BGP poisoning message: {D, W, D}

AS W: loop detected!

SLIDE 7

Routing Around Congestion (RAC): rerouting using BGP poisoning [Smith et al., S&P '18]

[Figure: AS D (victim destination), AS Z, AS W, AS X, AS C (critical source), AS Y; BGP poisoning message {D, W, D}; original path and detour path]

Switch to detour path

AS collaboration is not needed!
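The mechanism on slides 5-7 as an added, runnable toy model (not the authors' code or the RAC implementation): one announcement floods across a constructed AS topology, every AS applies BGP loop detection to its own ASN, and the poisoned AS_PATH {D, W, D} makes AS W drop the route so AS C's traffic lands on the detour. It assumes a shortest-AS_PATH preference in place of real BGP policy, the constructed link set below, and the per-message AS cap of 255 reported later in the talk.

```python
"""Added example, not the authors' code: toy BGP propagation with loop
detection, showing how a RAC poisoning announcement {D, W, D} moves AS C's
traffic off AS W without W's cooperation. Topology is constructed."""
from collections import deque

# Constructed topology: undirected AS-level links. D originates the prefix,
# C is the critical source, W is the AS to avoid (names as on slides 5-7).
LINKS = [("D", "Z"), ("D", "W"), ("Z", "Y"), ("W", "X"), ("Y", "X"), ("X", "C")]

def neighbours(links):
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def poisoned_announcement(origin, avoid):
    """RAC-style AS_PATH: origin, the ASes to poison, then origin again."""
    return [origin] + list(avoid) + [origin]

def propagate(links, origin, announced_path):
    """Flood one announcement; each AS keeps its shortest loop-free path.
    Simplification: shortest AS_PATH wins (real BGP applies policy first)."""
    adj = neighbours(links)
    rib = {origin: list(announced_path)}
    queue = deque([origin])
    while queue:
        sender = queue.popleft()
        for nb in adj[sender]:
            if nb in rib[sender]:   # loop detection: own ASN in AS_PATH -> drop
                continue
            cand = [nb] + rib[sender]
            if nb not in rib or len(cand) < len(rib[nb]):
                rib[nb] = cand
                queue.append(nb)
    return rib

def forwarding_path(rib, source, origin):
    """Data-plane path: follow each AS's next hop (2nd element of its AS_PATH)."""
    path, cur = [source], source
    while cur != origin:
        cur = rib[cur][1]
        path.append(cur)
    return path

def fits_implementation_limit(announcement, limit=255):
    """Can this AS_PATH be announced under the per-message AS cap (slide 18)?"""
    return len(announcement) <= limit
```

Calling `forwarding_path(propagate(LINKS, "D", ["D"]), "C", "D")` gives the original path through W, while the same call with `poisoned_announcement("D", ["W"])` gives the detour via Y and Z, and W installs no route at all.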

SLIDE 8

Will RAC defense still work against adaptive attackers?

SLIDE 9

Our contributions

1. Adaptive detour-learning attack against rerouting solutions (this part)
2. Practical challenge of mitigating adaptive detour-learning attack
3. Future directions for transit-link DDoS defenses

SLIDE 10

Adaptive detour-learning attack: threat model

Goals:
(1) To detect rerouting in real-time
(2) To learn new detour path accurately
(3) To congest new detour path (see the paper)

Capabilities:
  • Same botnets used in transit-link DDoS attack

SLIDE 11

Adaptive detour-learning attack: (1) how to detect rerouting in real-time

[Figure: AS D (victim destination), AS Z, AS W, AS X, AS C (critical source), AS Y on the original path; the adaptive adversary in AS I runs traceroute]

SLIDE 12

Adaptive detour-learning attack: (1) how to detect rerouting in real-time

[Figure: same topology, now with the detour path in place; the adaptive adversary in AS I runs traceroute]

Rerouting is detected!

SLIDE 13

Adaptive detour-learning attack: (2) how to learn detour path accurately

(3) congest detour path (see the paper)

[Figure: AS D (victim destination), AS Y, AS G, AS C (critical source), AS X, AS E, AS J, AS I, AS H; detour path]

Challenge: which route measurement is the more accurate one of the actual detour path?

Solution: prioritize measurement from the bot closer to the traffic source (closer AS, e.g., shorter AS-path)

SLIDE 14

Adaptive detour-learning attack: (2) how to learn detour path accurately

(3) congest detour path (see the paper)

[Figure: AS D (victim destination), AS Y, AS G, AS C (critical source), AS X, AS E, AS J, AS I, AS H; detour path]

Challenge: which route measurement is the more accurate one of the actual detour path?

Solution: prioritize measurement from the bot closer to the traffic source (closer AS, e.g., shorter AS-path)

Results: 94% of learned detour paths are correct

SLIDE 15

Our contributions

1. Adaptive detour-learning attack against rerouting solutions
2. Practical challenge of mitigating adaptive detour-learning attack (this part)
3. Future directions for transit-link DDoS defenses

SLIDE 16

How to defend against detour-learning attack?

[Figure: AS D (victim destination), AS Z, AS W, AS X, AS C (critical source), AS Y, plus AS I and AS J; detour path]

Detour learned!

Detour path must be isolated! (exclusively used for critical flows)

How to isolate? Poison all peers of ASes on detour path!

SLIDE 17

Detour path isolation => poisoning too many ASes

[CDF plot: number of ASes that should be poisoned, x-axis 100 to 10000 (log scale), y-axis 0 to 1]

Thousands of ASes should be poisoned

But why? Tier-1 or large Tier-2 ASes on the detour paths (more in the paper)

SLIDE 18

Can we poison that many ASes?

[CDF plot: number of ASes that should be poisoned, x-axis 100 to 10000 (log scale), y-axis 0 to 1; vertical markers at 255 (implementation) and 2034 (specification)]

Specification: up to 2034

Implementation: up to 255

Configuration: up to 30-50

SLIDE 19

Confirmed: ISPs do not support poisoning > 255 ASes

[Plot: number of observed BGP messages vs. number of ASes seen in a BGP message, x-axis 1 to 1000 (log scale); annotations: 99.99%, 30, 255; frequency decreases slowly, then drops 50x at 255]

SLIDE 20

Confirmed: ISPs do not support poisoning > 255 ASes

[Plot: same as slide 19]

Poisoning > 1,000 ASes is nearly impossible => Detour path isolation is infeasible => Detour-learning attack is almost always possible

SLIDE 21

Our contributions

1. Adaptive detour-learning attack against rerouting solutions
2. Practical challenge of mitigating adaptive detour-learning attack
3. Future directions for transit-link DDoS defenses (this part)

SLIDE 22

Desired defense property: destination-controlled routing

Clean-slate Internet architecture (e.g., STRIDE, SIBRA): ✕ Too costly to deploy

Hacking BGP (e.g., Routing Around Congestion): ✕ Does not work

? (e.g., explicit BGP rerouting for critical flows under emergency)

SLIDE 23

Two Lessons Learned

SLIDE 24

Lesson 1

Hacking the current Internet routing is a flawed idea!

SLIDE 25

✓ Adaptive attacks are possible

✓ Mitigation is hard

✓ Adaptive defense is slower than adaptive attacker (more in the paper)

SLIDE 26

Lesson 2

Analysis of protocol specifications alone is insufficient!

SLIDE 27

Specification, Implementation, Configuration

SLIDE 28

Conclusion

  • Detour-learning attacks are effective and hard to mitigate
    ✓ Transit-link DDoS attacks still remain an open problem

  • Suggestion on research direction
    ✓ Balance destination-controlled routing and deployability

  • 2 lessons learned:
    ✓ Hacking BGP for rerouting is a flawed idea
    ✓ Analysis with specification only can be dangerous

SLIDE 29

Questions?

Muoi Tran muoitran@comp.nus.edu.sg