practical verifiable in network filtering for ddos defense
play

Practical Verifiable In-network Filtering for DDoS Defense Deli - PowerPoint PPT Presentation

Mar 19, 2024 •260 likes •569 views

Practical Verifiable In-network Filtering for DDoS Defense Deli Gong, Muoi Tran , Shweta Shinde, Hao Jin, Vyas Sekar, Prateek Saxena, Min Suk Kang July 8, 2019 | Dallas, TX Large-scale volumetric DDoS attacks are common (distributed denial of

  1. Practical Verifiable In-network Filtering for DDoS Defense Deli Gong, Muoi Tran , Shweta Shinde, Hao Jin, Vyas Sekar, Prateek Saxena, Min Suk Kang July 8, 2019 | Dallas, TX

  2. Large-scale volumetric DDoS attacks are common (distributed denial of service) • Hundreds DDoS attacks occur daily * • Volume of DDoS traffic is escalating • New attack vectors (e.g., amplification) and attack source (e.g., botnets) * According to Kaspersky Lab’s report on DDoS attacks in Q1 2019 (2013) (2018) 2

  3. In-network filtering : a promising DDoS mitigation Filter rule: Drop 50% HTTP flows coming to my network AS* A DDoS victim network (* autonomous system) AS B filtering network transit networks • In-network filtering ü allows the DDoS victim to install traffic filters nearer to attack source ü not a new idea: e.g., Pushback [SIGCOMM’02], D-WARD [ICNP’02], AITF [USENIX ATC’05], StopIt [SIGCOMM’08] ü installs at 1% of ISPs can mitigate 90% of DDoS attacks ( SENSS [ACSAC’18]) 3

  4. One ignored problem: In-network filtering creates ambiguity about packet drops With in-network filtering Without in-network filtering Network faults or Network faults! legitimate filtering? Packet drops Packet drops AS A AS A AS B AS B transit network with transit network in-network filtering What can go wrong because of this ambiguity? 4

  5. Filtering can be used as an excuse for discriminating neighboring ASes Filter rule: Drop 50% HTTP Drop 0% traffic from A, flows coming to my network 100% traffic from B AS A DDoS victim network (e.g., AT&T) AS B filtering network transit networks (e.g., Level3) (e.g., Comcast) 5

  6. Filtering can be used as an excuse for discriminating neighboring ASes (2013) Filter rule: Drop 50% HTTP Drop 0% traffic from A, flows coming to my network 100% traffic from B AS A DDoS victim network (e.g., AT&T) (2014) AS B filtering network transit networks (e.g., Level3) (e.g., Comcast) Several disputes already exist between transit networks 6

  7. How to remove such an ambiguity? Verifiability of filtering distinguishes legitimate DDoS mitigation from network faults Packets are being legitimately dropped! verify filtering verify filtering Filter rule policy & operation operation AS A DDoS victim network AS B filtering network transit networks 7

  8. How to make the operations of in-network filtering verifiable ? 8

  9. Our contributions • We propose Verifiable In-network Filtering (VIF): ü Software networking functions with Trusted Execution Environments (e.g., Intel SGX) as root of trust. Scalable design Auditable filter Practical deployment ü multiple filters ü uses TEEs ü at Internet Exchange run in parallel ü is stateless Points (IXPs) ü detects bypass 9

  10. VIF design: auditable filter with TEEs audit enclaved protected memory code and state enclave victim network • Filtering within Trusted Execution Environments (TEEs) (e.g., Intel SGX) ü Isolated execution ü Remote attestation 10

  11. TEEs alone is insufficient for auditable filter design! 11

  12. Challenge 1 : Influence from malicious inputs Trusted clock can be tampered ALLOW or Malicious packets DROP ? inserted … 𝒒 𝑞 / , 𝑢 / 𝑞 0 , 𝑢 0 • Abstract model of the filtering function for packet 𝒒 : 𝐵𝑀𝑀𝑃𝑋, 𝐸𝑆𝑃𝑄 ← 𝑔( 𝑞, 𝑢 , ( 𝑞 / , 𝑢 / , 𝑞 0 , 𝑢 0 , 𝑞 1 , 𝑢 1 , … )) Previous packets/ Arrival time packet order 12

  13. Solution: Stateless filter design ALOW or DROP ? … 𝒒 𝑞 / , 𝑢 / 𝑞 0 , 𝑢 0 5-tuple ( srcIP, srcPort, dstIP, dstPort, protocol ) • No reliance on packet arrival time and packet order 𝐵𝑀𝑀𝑃𝑋, 𝐸𝑆𝑃𝑄 ← 𝑔( 𝑞 ) 13

  14. Challenge 2: Traffic may be redirected to bypass filter redirect enclave 14

  15. Solution to filter bypass: Accountable logs for bypass detection 𝒒 does not reach filter! Bypass detected! packet logs 𝒒 logs logs packet logs neighboring networks filtering network • Accountable packet logging before and after filtering ü Compare logs to detect bypass 15

  16. Solution to filter bypass: Accountable logs for bypass detection How to check if packets are 𝒒 is dropped dropped by a transit network? drop outside TEEs! packet logs logs logs 𝒒 transit networks victim network filtering network • Accountable packet logging before and after filtering ü Compare logs to detect bypass 16

  17. How does victim know who is dropping packets? Packets are still dropped! à Filtering network avoid AS B misbehaved! AS B victim network AS A logs logs AS C filtering network • Victim network tests individual intermediate ASes ü Rerouting inbound traffic using BGP poisoning (LIFEGUARD[SIGCOMM’12]) ü Detour takes place in a few minutes and no collaboration needed (Nyx [S&P’18]) 17

  18. Our contributions Scalable design Auditable filter Practical deployment ü multiple filters ü TEEs ü at Internet Exchange run in parallel ü stateless Points (IXPs) ü bypass detection 18

  19. Deployment issue: Scalability Memory footprint Throughput Mpps 20 200 MB 15 150 EPC limit (e.g., 92 MB) 10 100 5 50 0 0 0 1,000 2,000 3,000 4,000 5,000 6,000 7,000 8,000 9,000 10,000 Number of rules • Performance issues when filtering within a single enclave: ü Memory footprint grows linearly with number of rules ü Throughput degrades when number of rules exceeds ~ 3,000 19

  20. Solution to scalability issue: multiple SGX filters VIF Filtering Network untrusted per-enclave limitations: controller (1) # rules (3,000) E 0 (2) bandwidth (10 Gb/s)* filter … victim network load balance E n-1 untrusted filter switching fabric * Demonstrated by mbTLS (CoNEXT’17) on four SGX-core machines. • More in our paper: ü How trusted filters detect misbehaviors from untrusted components ü A greedy solution to calculate filter rules among filters ü Filter rules redistribution 20

  21. Our contributions Scalable design Auditable filter Practical deployment ü multiple filters ü TEEs ü at Internet Exchange run in parallel ü stateless Points (IXPs) ü bypass detection 21

  22. Deployment example remote attestation victim network filter rule insertion IXP SDX [SIGCOMM’15] controller Enclave Enclave Enclave route rules rules iSDX [NSDI’16] rules filter AS A filter control filter FLANC [SOSR’16] VIF filters AS C AS B switch fabric • Internet Exchange Points (IXPs) : ü have peering relationship with hundreds ISPs ü have flexible software-defined architecture 22

  23. Implementation • Overview ü Intel SGX SDK for Linux 2.1 ü Data Plane Development Kit (DPDK) 17.05.2 • Trusted computing base: ü modification of DPDK ip_pipeline (1,044 SLoC) 1,206 SLoC ü packet logging and optimizations (162 SLoC) • Two optimizations: ü Reducing context switches (more in our paper) ü Near-zero copy approach 23

  24. Optimization: near-zero copy Enclave memory Enclave memory allow! allow! packet packet sketch sketch filter filter logs logs (srcIP) (5T) drop! drop! Full a/d? a/d? 5T s Near- packet packet zero Untrusted packet memory pool Untrusted packet memory pool cop y cop y allow or drop! allow or drop! packet packet only when allowed only when allowed NIC NIC Rx Queues Tx Queues Rx Queues Tx Queues Incoming packets Forwarded packets Incoming packets Forwarded packets ü low memory usage ü low packet-logging overhead 24

  25. Data-plane implementation • Testbed • Synthetic data ü Packet generator ⟷ Filter machine ü 3,000 random filter rules ü Measurement is done at packet generator ü 10 Gb/s traffic Intel SGX Packet Generator Filter Machine ü Intel E5-2630 v3 CPU ü Intel i7-6700 CPU (2.40 GHz, 8 cores) (3.40 GHz, 4 cores) ü 32 GB memory ü 8 GB memory ü Ubuntu 16.04.3 LTS ü Ubuntu 16.04.3 LTS ü Kernel version 4.10 ü Kernel version 4.10 ü 10 GbE Intel X540-AT2 ü 10 GbE Intel X540-AT2 25

  26. Evaluation: Data-plane performance Throughput (Gb/s) 10 8 6 4 2 0 64 128 256 512 1024 1500 Packet size (bytes) Native (no SGX) SGX with full packet copy SGX with near-zero copy • Throughput of near-zero copy: ü 8 Gb/s throughput even with smallest packet size (64 bytes) 26

  27. Evaluation: VIF deployment at IXPs Ratio of attack source IPs handled by top- n IXPs per region 1 VIF at only top-5 IXPs 0.8 per region mitigate 0.6 up to 90% of attack 0.4 0.2 0 DNS resolvers Mirai botnets Top-1 Top-2 Top-3 Top-4 Top-5 • Simulation setup: ü Two real attack source data: 3 millions DNS resolvers and 250K Mirai botnets ü CAIDA AS relationship and IXP peering for building inter-domain topology 27

  28. Conclusion • VIF addresses the core issue of in-network filtering ü Lack of filtering verifiability à ambiguity in handling packet drops which can be exploited by malicious ISPs • VIF: the first auditable and scalable DDoS traffic filter • VIF takes advantages of: ü Trusted execution environments as the root of trust ü Software-defined, line-rate packet processing ü IXPs for practical deployment 28

  29. Question? Muoi Tran muoitran@comp.nus.edu.sg

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection & Defense

Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection & Defense

Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection & Defense Prevention DOS/DDoS Types Vulnerability attack Flooding attack DoS vs DDoS DoS: Attack is launched from single host Less

614 views • 26 slides
Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation

Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation

Introduction: Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation Attacker signals slaves to launch an attack on a specific target address (victim). Slaves then respond by Comp290: Network

275 views • 9 slides
Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent

Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent

Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent the access to a computer system to it's legitimate users. DDoS: DoS attack on the network using a lot of different source IP Why:

327 views • 16 slides
DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks DDoS Prevention Improving Performance Questions Glossary DDoS - Attempt to make a server or network resource unavailable to Internet

549 views • 30 slides
A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin & Peter

A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin & Peter

A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin & Peter Reiher Manu Shantharam & David Hadka What is DoS? DoS A type of attack wherein access to computer resource / service is denied or

380 views • 18 slides
DDoS Defense Mechanisms for IXP Infrastructures Tim Dijkhuizen Lennart van Gijtenbeek

DDoS Defense Mechanisms for IXP Infrastructures Tim Dijkhuizen Lennart van Gijtenbeek

DDoS Defense Mechanisms for IXP Infrastructures Tim Dijkhuizen Lennart van Gijtenbeek Supervisor: Stavros Konstantaras (AMS-IX) SNE: Research Project II 03-07-2018 Introduction D istributed D enial o f S ervice DDoS attacks on banks in

720 views • 33 slides
DDoS Defense by Defense by DDoS Offense Offense Published in ACM SIGCOMM06 Presented By:

DDoS Defense by Defense by DDoS Offense Offense Published in ACM SIGCOMM06 Presented By:

DDoS Defense by Defense by DDoS Offense Offense Published in ACM SIGCOMM06 Presented By: Marwa K. Elteir Outline Outline Problem definition Problem definition Related Work Related Work Speak Speak- -up up Model Model

458 views • 9 slides
Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster

Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster

Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster synergy among stakeholders to promote advancement in DDoS defense knowledge. Independent academic R&D division of Nexusguard building next

764 views • 44 slides
Verifiable Cloud Outsourcing for Network Func9ons (+

Verifiable Cloud Outsourcing for Network Func9ons (+

Verifiable Cloud Outsourcing for Network Func9ons (+ Verifiable Resource Accoun9ng for Cloud Services) Vyas Sekar vNFO joint with Seyed Fayazbakhsh,

434 views • 28 slides
Optical-Aware DDoS Defense Matt Hall, Ramakrishnan Durairajan, Guyue (Grace) Liu, Vyas Sekar

Optical-Aware DDoS Defense Matt Hall, Ramakrishnan Durairajan, Guyue (Grace) Liu, Vyas Sekar

Optical-Aware DDoS Defense Matt Hall, Ramakrishnan Durairajan, Guyue (Grace) Liu, Vyas Sekar DDoS Attacks A persistent threat on the global Internet Working from home new online tools for collaboration New tools new attack

405 views • 9 slides
CDN on Demand Affordable DDoS Defense using Untrusted IaaS-Clouds Yossi Gilad, Michael Goberman,

CDN on Demand Affordable DDoS Defense using Untrusted IaaS-Clouds Yossi Gilad, Michael Goberman,

CDN on Demand Affordable DDoS Defense using Untrusted IaaS-Clouds Yossi Gilad, Michael Goberman, Amir Herzberg and Michael Sudkovitch Talk Outline Content Delivery Networks as DoS defense The CDN-on-Demand system Clientless

529 views • 22 slides
Modelling and simulation of a defense strategy to face indirect DDoS flooding attacks A. Furfaro,

Modelling and simulation of a defense strategy to face indirect DDoS flooding attacks A. Furfaro,

Modelling and simulation of a defense strategy to face indirect DDoS flooding attacks A. Furfaro, P. Pace, A. Parise, L. Molina Valdiviezo Universit` a della Calabria D.I.M.E.S 87036 Rende(CS) - Italy Email: a.furfaro@unical.it A. Furfaro

510 views • 18 slides
.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary

.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary

.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS A)ack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos A)acks Few Qmes

150 views • 13 slides
.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS Attack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos Attacks Few

606 views • 14 slides
DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology

DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology

1 DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology of work DDoS tactics in-the-wild and how to improve Ready, set, FACEPALM! Q&A ~$ whoami 3 Moshe Zioni, Head of Research,

656 views • 47 slides
VERIFIABLE DELAY FUNCTIONS Benjamin Wesolowski VERIFIABLE DELAY FUNCTIONS How to slow things

VERIFIABLE DELAY FUNCTIONS Benjamin Wesolowski VERIFIABLE DELAY FUNCTIONS How to slow things

Confrence de lancement de l'ANR Ciao, Fvrier 2020, Bordeaux, France VERIFIABLE DELAY FUNCTIONS Benjamin Wesolowski VERIFIABLE DELAY FUNCTIONS How to slow things down VERIFIABLE DELAY FUNCTIONS [Boneh, Bonneau, Bnz, Fisch 2018] A VDF is

616 views • 32 slides
Computational Social Choice: Autumn 2012 Ulle Endriss Institute for Logic, Language and

Computational Social Choice: Autumn 2012 Ulle Endriss Institute for Logic, Language and

Judgement Aggregation COMSOC 2012 Computational Social Choice: Autumn 2012 Ulle Endriss Institute for Logic, Language and Computation University of Amsterdam Ulle Endriss 1 Judgement Aggregation COMSOC 2012 Plan for Today Preferences are

463 views • 21 slides
Universal SSL Nick Sullivan @grittygrease Real Real World Crypto: HTTPS 2 HTTPS Myths

Universal SSL Nick Sullivan @grittygrease Real Real World Crypto: HTTPS 2 HTTPS Myths

January 9th 2015 Universal SSL Nick Sullivan @grittygrease Real Real World Crypto: HTTPS 2 HTTPS Myths Only for banking Only for authentication Too hard 3 HTTPS is used for Visitor privacy Invasive

1.07k views • 81 slides
Independent Sets in Free Groups and Fields Rev. Charles McCoy & Russell Miller Univ. of

Independent Sets in Free Groups and Fields Rev. Charles McCoy & Russell Miller Univ. of

Independent Sets in Free Groups and Fields Rev. Charles McCoy & Russell Miller Univ. of Portland Queens College / CUNY Graduate Center Rutgers Logic Seminar 18 February 2013 McCoy & Miller (UP & CUNY) Free Groups and Fields

530 views • 25 slides
CS6220: DATA MINING TECHNIQUES Mining Sequential and Time Series Data Instructor: Yizhou Sun

CS6220: DATA MINING TECHNIQUES Mining Sequential and Time Series Data Instructor: Yizhou Sun

CS6220: DATA MINING TECHNIQUES Mining Sequential and Time Series Data Instructor: Yizhou Sun yzsun@ccs.neu.edu March 30, 2016 Announcement About course project You can gain bonus points Call for code contribution Sign-up one or

795 views • 68 slides
Improved Detection of LSB Steganography in Grayscale Images Andrew Ker adk@comlab.ox.ac.uk

Improved Detection of LSB Steganography in Grayscale Images Andrew Ker adk@comlab.ox.ac.uk

Improved Detection of LSB Steganography in Grayscale Images Andrew Ker adk@comlab.ox.ac.uk Royal Society University Research Fellow at Oxford University Computing Laboratory Information Hiding Workshop 2004 Summary This presentation will

560 views • 32 slides
Playing with AD Domains (not the Windows Way) - SambaXP 2017 Denis Cardon, Vincent Cardon

Playing with AD Domains (not the Windows Way) - SambaXP 2017 Denis Cardon, Vincent Cardon

Tranquil IT Systems Playing with AD Domains (not the Windows Way) - SambaXP 2017 Denis Cardon, Vincent Cardon Tranquil IT Systems Tranquil IT Systems IT support company since 2002, in Nantes, FRANCE 15 employees both small (outsourcing)

804 views • 25 slides
Migration v2 Andrew Cooper Citrix XenServer 17 th August 2015 17 th August 2015 Andrew Cooper

Migration v2 Andrew Cooper Citrix XenServer 17 th August 2015 17 th August 2015 Andrew Cooper

Migration v2 Andrew Cooper Citrix XenServer 17 th August 2015 17 th August 2015 Andrew Cooper (Citrix XenServer) Migration v2 1 / 12 Why Migration v2 XenServer 6.2 64bit Xen, 32bit Dom0 Inertia, More efficient to virtualise 17 th

644 views • 31 slides
Migration, Assignment, and Scheduling of Jobs in Virtualized Environment Seung-Hwan Lim Jae-Seok

Migration, Assignment, and Scheduling of Jobs in Virtualized Environment Seung-Hwan Lim Jae-Seok

Migration, Assignment, and Scheduling of Jobs in Virtualized Environment Seung-Hwan Lim Jae-Seok Huh Youngjae Kim Chita R. Das The Pennsylvania State University Oak Ridge National Laboratory Overview Challenges Migration Cost

441 views • 14 slides

More recommend