slide-1
SLIDE 1

SIBRA: Scalable Internet Bandwidth Reservation Architecture

Cristina Basescu, Raphael M. Reischuk, Pawel Szalachowski, Adrian Perrig, Yao Zhang, Hsu-Chun Hsiao, Ayumu Kubota, Jumpei Urakawa

NDSS 2016, San Diego, CA

picture: http://map.norsecorp.com/
slide-2
SLIDE 2

DDoS attack (2013):
  • 150 hours
  • 180,000 IP addresses
  • +690,000,000 hits per day
  • 861 user agents

source: http://www.securityweek.com/ddos-attacks-cost-40000-hour-incapsula
picture: https://www.incapsula.com/blog/headless-browser-ddos.html
slide-4
SLIDE 4

Why are current DDoS defenses inadequate?

slide-5
SLIDE 5

Defense Strategies

(figure: Target, its access link, Internet)

  • Traffic Scrubbing: clean incoming traffic from malicious flows
    Useless if a link upstream is flooded.
    The Coremelt attack [38] (ESORICS 2009) exploits a characteristic of today's Internet: (legitimate) end hosts cannot control the path to bypass congested links.
  • Network Capabilities: isolate attack traffic from benign traffic
    Useless if links are congested (DoC attacks [32]).
slide-6
SLIDE 6

Defense Strategies

  • Fair Resource Reservation: guarantee exclusive usage
    Useless in today's Internet since actual allocations would be too small.
    Per-flow fair sharing, and similar notions: the fair share on every link is too small to be useful.
    Everyone has the incentive to increase their "fair share": tragedy of the commons, Garrett Hardin (1968).

Current defenses lack a crucial property: "botnet-size independence".
Availability does not diminish, regardless of the botnet size.

slide-7
SLIDE 7

What ingredients do we need for DDoS defense?

slide-8
SLIDE 8

SIBRA: Key Ingredients

Internet Architecture (figure: source S, destination D, Autonomous Systems (ASes) and core ASes grouped into ISDs)

  • Group ASes into Isolation Domains (ISDs)
  • Distribute control for path construction & resource allocation between
    • source AS,
    • destination AS,
    • core ASes
slide-9
SLIDE 9

Which notion of fairness is required for botnet-size independence?

slide-10
SLIDE 10

SIBRA Paths

(figure: S in ISD Austria, D in ISD United States, ISDs Germany and Japan; core ASes ASA2, ASB1, ASB2, ASC1, ASD1; core paths of 2 Tbps and 1 Tbps)

Fairness between ISDs: CORE paths
  • between ISD core ASes
  • negotiated between direct neighbors
  • initiated from destination
  • according to previous traffic volumes
  • long-term (months)
  • optional guarantees, e.g., 99.99% availability
slide-11
SLIDE 11

SIBRA Paths

(figure: as on slide 10, plus inner ASes ASE, ASF, ASG, ASH; steady paths of 30 Mbps and 50 Mbps)

Fairness between ISDs: core paths
Fairness inside ISDs: STEADY paths
  • requested by inner ASes
  • low-bandwidth traffic (control traffic, DNS, ICMP)
  • intermediate-term (order of minutes)
  • periodically extendable
  • basis for launching high-bandwidth reservations
  • cryptographically protected (using local keys)
slide-12
SLIDE 12

SIBRA Paths

(figure: as on slide 11)

Fairness between ISDs: core paths
Fairness inside ISDs: steady paths
E2E reservations: EPHEMERAL paths
  fairness: per source and destination AS, bandwidth proportional to steady paths and core paths
  • requested by end hosts
  • high-bandwidth traffic (proportional to steady bw.)
  • short-term (tens of seconds)
  • periodically extendable
  • similar to leased lines (more flexible and cheaper)
  • similar to virtual paths (with security protection)
slide-13
SLIDE 13

How much bandwidth do ephemeral paths obtain?

slide-14
SLIDE 14

2-Dimensional Bandwidth Decomposition

(figure: S1 and S2 in ISD Austria, D in ISD United States, ISDs Germany and Japan; a steady path, an ephemeral path and a core path through ASH, ASK, ASB1, ASB2, ASD1 to D; steady paths of 30 Mbps and 90 Mbps)

  • 1. vertical (hierarchical, per-location)
    case 1) source ISD
    case 2) between ISDs
    case 3) destination ISD
  • 2. horizontal (per-link)
    each link is split into 80% ephemeral, 5% steady, 15% best-effort
    e.g., a 100 Gbps core link: 80 Gbps ephemeral, 5 Gbps steady, 15 Gbps best-effort
slide-19
SLIDE 19

2-Dimensional Bandwidth Decomposition

(figure: source ISD with steady paths of 30 Mbps (S1), 90 Mbps (S2) and 880 Mbps (other ASes) to the ISD core; a core path of 2 Gbps from the source ISD and 8 Gbps of core paths from other ISDs into the destination ISD; a steady path of 50 Mbps from the destination ISD core to D)

Ephemeral bandwidth that S1 can reserve towards D at each location. Every link splits ephemeral:steady as 80:5, so the ephemeral bandwidth is 80 / 5 = 16 times the steady bandwidth:

  case 1) source ISD, steady path of S1:
    30 Mbps * 80 / 5 = 480 Mbps
  case 2) between ISDs, core path (S1's share of the source ISD's steady bandwidth):
    30 / (30 + 90 + 880) * 2 Gbps * 80 / 5 = 960 Mbps
  case 3) destination ISD, steady path to D (additionally the core path's share of the core bandwidth entering the destination ISD):
    30 / (30 + 90 + 880) * 2 / (2 + 8) * 50 Mbps * 80 / 5 = 4.8 Mbps
slide-22
SLIDE 22

2-Dimensional Bandwidth Decomposition

(figure: S1's ephemeral bandwidth at each location: 480 Mbps in the source ISD, 960 Mbps on the core path, 4.8 Mbps on the steady path via ASK in the destination ISD)

  • 1. vertical (hierarchical, per-location)
  • 2. horizontal (per-link): 80% ephemeral, 5% steady, 15% best-effort

bottom line:
  • ephemeral BW is proportional to steady BW (source-ISD paths, core paths, dest-ISD paths)
  • unused st./eph. BW is loaned to best-effort BW (through statistical multiplexing)
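The per-location computation of slides 19 to 22, as an added example that is not part of the slides or of any SIBRA code. It generalises the three cases to a path with any number of locations (one per steady or core segment), uses the slides' 80/5/15 link split and the figure's numbers, and treats the minimum over the locations as the achievable end-to-end reservation; that bottleneck rule is this example's assumption, not a statement from the slides.

```python
# Added example; not code from the SIBRA slides or from any SIBRA implementation.
# It generalises the three-case computation of slides 19-21 to a path with any
# number of locations. The 80/5/15 link split and all bandwidth figures are the
# slides' own; the bottleneck rule (end-to-end reservation = minimum over the
# locations) is an assumption of this example.

from dataclasses import dataclass

EPHEMERAL_PCT = 80    # per-link split from the slides: 80% ephemeral
STEADY_PCT = 5        # 5% steady
BEST_EFFORT_PCT = 15  # 15% best-effort
RATIO = EPHEMERAL_PCT / STEADY_PCT   # ephemeral BW = 16 x steady BW


def split_link(capacity_mbps):
    """Horizontal decomposition: split one link's capacity by traffic type.
    Returns (ephemeral, steady, best_effort) in Mbps."""
    return (capacity_mbps * EPHEMERAL_PCT / 100,
            capacity_mbps * STEADY_PCT / 100,
            capacity_mbps * BEST_EFFORT_PCT / 100)


@dataclass(frozen=True)
class Location:
    """One location of the vertical decomposition, all values in Mbps.

    bw:        steady/core bandwidth of the path segment the requester's
               traffic uses at this location
    competing: total bandwidth of all segments that, together with this one,
               feed the next location (bw included); for the last location
               nothing follows, so competing == bw
    """
    name: str
    bw: float
    competing: float


def ephemeral_per_location(path):
    """Vertical decomposition: the requester's ephemeral bandwidth at each
    location. Its share of a location is the product of its fractional shares
    at all previous locations; ephemeral is RATIO times that steady share."""
    share = 1.0
    result = {}
    for loc in path:
        result[loc.name] = share * loc.bw * RATIO
        share *= loc.bw / loc.competing   # share carried on to the next location
    return result


def bottleneck(per_location):
    """Assumption of this example: an end-to-end reservation cannot exceed the
    smallest per-location amount."""
    return min(per_location.values())


def example_path():
    """The figure of slides 19-21: S1's steady path (30 Mbps, competing with
    90 + 880 Mbps of other steady paths in the source ISD), the 2 Gbps core
    path (competing with 8 Gbps of core paths into the destination ISD), and
    the 50 Mbps steady path to D."""
    return [
        Location("source ISD steady path (S1)", 30, 30 + 90 + 880),
        Location("core path", 2_000, 2_000 + 8_000),
        Location("destination ISD steady path (D)", 50, 50),
    ]


if __name__ == "__main__":
    print(split_link(100_000))          # 100 Gbps core link -> (80000, 5000, 15000)
    per_loc = ephemeral_per_location(example_path())
    for name, mbps in per_loc.items():
        print(f"{name}: {mbps:g} Mbps")  # 480, 960, 4.8
    print("end-to-end:", bottleneck(per_loc), "Mbps")
```

Adding a fourth location (for instance a second core path when source and destination ISD are not direct neighbours) only means appending another Location; the share carried forward keeps multiplying, which is why the destination-side amount shrinks so quickly compared to the 480 Mbps at the source.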
slide-24
SLIDE 24

SIBRA Guarantees

(figure: reservation from S in ISD Austria to D in ISD United States via ASH, ASE, ASF, ASG, ASB1, ASB2, ASC1, ASD1)

  • Source AS S initiates a reservation. Each AS on the path accepts or declines and provides a cryptographic token:
      RT_ASi = ingressASi ∥ egressASi ∥ MAC_Ki(ingressASi ∥ egressASi ∥ Request ∥ RT_ASi−1)
    MAC: CBC-MAC (AES), Intel's AES-NI [16]: 4.15 cycles/byte
  • Efficiency & Scalability: ASes verify these tokens, embedded in the forwarded packets, i.e., no per-flow state.
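The token chain of slide 24 and the stateless per-packet check it enables, as an added example that is not code from the slides or from any SIBRA implementation. The slide's MAC is an AES CBC-MAC; this example substitutes HMAC-SHA256 from the Python standard library, truncated to 16 bytes, so that it runs without third-party packages. The byte encodings of the fields, the contents of Request, the interface numbers and the per-AS demo keys are assumptions made for illustration.

```python
# Added example; not code from the SIBRA slides or from any SIBRA implementation.
# It builds the chained per-AS reservation tokens of slide 24 and shows the
# stateless per-packet check an AS performs with only its local key K_i.
# Substitution: the slide uses an AES CBC-MAC; this example uses HMAC-SHA256
# from the standard library, truncated to 16 bytes (the AES block size), so it
# runs without third-party packages. The byte encodings of the fields, the
# Request contents, the interface numbers and the demo keys are assumptions.

import hashlib
import hmac
import struct
from dataclasses import dataclass

MAC_LEN = 16   # truncated tag length; an AES CBC-MAC tag is also 16 bytes


@dataclass(frozen=True)
class Request:
    """Assumed reservation request: bandwidth and expiration time."""
    bandwidth_mbps: int
    expires: int          # Unix time in seconds

    def encode(self):
        return struct.pack(">IQ", self.bandwidth_mbps, self.expires)


def mac(key, data):
    """MAC_K(data), stand-in for the slide's CBC-MAC (AES)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


def issue_token(key_i, ingress, egress, request, prev_token):
    """RT_ASi = ingressASi || egressASi || MAC_Ki(ingressASi || egressASi || Request || RT_ASi-1).
    Interface identifiers are encoded as 16-bit integers (assumption)."""
    hop = struct.pack(">HH", ingress, egress)
    return hop + mac(key_i, hop + request.encode() + prev_token)


def build_reservation(path, request):
    """Reservation setup: each AS on the path, in order, accepts and appends its
    token. The source AS has no predecessor, so its RT_ASi-1 is empty."""
    tokens, prev = [], b""
    for _name, key, ingress, egress in path:
        prev = issue_token(key, ingress, egress, request, prev)
        tokens.append(prev)
    return tokens


def verify_at_as(index, key_i, request, tokens):
    """Per-packet check at AS_i: recompute the MAC over the fields carried in
    the packet (own token's ingress/egress, the Request, the predecessor's
    token) using the local key. Nothing about the flow is stored."""
    token = tokens[index]
    prev = tokens[index - 1] if index > 0 else b""
    hop, tag = token[:4], token[4:]
    return hmac.compare_digest(tag, mac(key_i, hop + request.encode() + prev))


def verify_path(path, request, tokens):
    """Every AS on the path accepts the packet."""
    return len(tokens) == len(path) and all(
        verify_at_as(i, key, request, tokens)
        for i, (_name, key, _in, _out) in enumerate(path))


def example_path():
    """The ASes of the slide's figure; keys are demo values derived from the
    AS name (constructed for this example, not real SIBRA keys)."""
    names = ["ASH", "ASE", "ASF", "ASG", "ASB1", "ASB2", "ASC1", "ASD1"]
    return [(n, hashlib.sha256(b"demo-key-" + n.encode()).digest(), i, i + 1)
            for i, n in enumerate(names)]


if __name__ == "__main__":
    path = example_path()
    request = Request(bandwidth_mbps=5, expires=1_700_000_000)
    tokens = build_reservation(path, request)
    print("valid packet accepted:", verify_path(path, request, tokens))
    # An end host claiming more bandwidth than was granted fails at every AS.
    print("inflated request accepted:",
          verify_path(path, Request(500, 1_700_000_000), tokens))
    # Altering one token also invalidates every downstream token (chain).
    forged = list(tokens)
    forged[2] = forged[2][:4] + bytes(MAC_LEN)
    print("forged RT_ASF accepted at ASF:", verify_at_as(2, path[2][1], request, forged))
    print("forged RT_ASF accepted at ASG:", verify_at_as(3, path[3][1], request, forged))
```

Two properties of the construction are visible in the demo: an AS needs nothing beyond its own key and the bytes in the packet, so a flood of packets creates no per-flow state at transit ASes, and because each token's MAC covers the predecessor's token, changing any hop's token breaks verification at every AS further along the path, not only at the hop that was altered.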
slide-25
SLIDE 25

SIBRA under Attack

(figure: botnets A, B, C and D spread over the ISDs, attacking the path from S to D)

  • Per-neighbor monitoring at transit ASes (fastpath)
  • Per-flow monitoring at the edge (slowpath, [37])
  • Probabilistic monitoring at transit ASes (fastpath, [43])
slide-26
SLIDE 26

Is there enough bandwidth in today’s Internet?

slide-27
SLIDE 27

Case study: core links to Australia

(figure: capacities in Gbps of the submarine cables to Australia: (1) SEA-ME-WE 3, (2) Australia - Papua New Guinea-2, (3) PIPE - Pacific Cable-1, (4) Australia - Japan Cable, (5) Gondwana-1, (6) Southern Cross Cable Network, (7) Telstra Endeavor, (8) Tasman-2; values shown: 1280, 960, 2560, 6000, 640, 3600, 1.12, 1.12)

  • The entire world connects to Australia (32 428 leaf ASes)
  • 463.9 Mbps for each AS (371.1 Mbps ephemeral bandwidth)
    (the listed capacities add up to about 15 042 Gbps; 15 042 Gbps / 32 428 ≈ 463.9 Mbps, of which 80% ≈ 371.1 Mbps is ephemeral)
  • 5.64 Gbps in 2018

slide-28
SLIDE 28

How effective is SIBRA?

slide-29
SLIDE 29

Evaluation: Defense against Coremelt

(figure: file transfer time (s) as a function of the number of attacker pairs, up to 2 × 10^5, for SIBRA, TVA, Portcullis and STRIDE)
slide-30
SLIDE 30

How efficient is SIBRA?

slide-31
SLIDE 31

Per-flow Stateless Operations

10 Gbps core link (load ~40%): 2.2 x 10^5 flows per second
1 Tbps core link (load ~40%): 2.2 x 10^7 flows per second
Storing per-flow state is prohibitively expensive, especially under attack.

Router Action                                                     Time (avg)   Per second
Processing 1 reservation request                                  9.10 µs      110 K
Processing 1 packet (1 500 bytes) using Intel's DPDK and AES-NI   0.04 µs      25 Mio (280 Gbps)
slide-32
SLIDE 32

Conclusions

(figure: the SIBRA Internet architecture with ISDs Austria, Germany, Japan and United States)

  • Botnet-size independence is the key property against DDoS attacks
  • SIBRA is the first bandwidth reservation architecture to achieve botnet-size independence at Internet scale
  • Two-dimensional bandwidth decomposition
  • Very fast operations, per-flow stateless forwarding

Related Work

[9] D. Barrera, R. M. Reischuk, P. Szalachowski, and A. Perrig. SCION five years later: Revisiting scalability, control, and isolation on next-generation networks. arXiv, 2015.
[16] S. Gueron. Intel Advanced Encryption Standard (AES) New Instructions Set. Intel white paper 323641-001, Revision 3, 2010.
[32] B. Parno, D. Wendlandt, E. Shi, A. Perrig, B. Maggs, and Y.-C. Hu. Portcullis: Protecting Connection Setup from Denial-of-Capability Attacks. In ACM SIGCOMM, 2007.
[37] I. Stoica, S. Shenker, and H. Zhang. Core-Stateless Fair Queueing: A Scalable Architecture to Approximate Fair Bandwidth Allocations in High-Speed Networks. IEEE/ACM Transactions on Networking, 2003.
[38] A. Studer and A. Perrig. The Coremelt attack. In ESORICS, 2009.
[43] H. Wu, H.-C. Hsiao, and Y.-C. Hu. Efficient large flow detection over arbitrary windows: An algorithm exact outside an ambiguity region. In ACM IMC, 2014.
slide-33
SLIDE 33

Backup

slide-34
SLIDE 34

Parameter Choice: Traffic Types

  • ephemeral (80%)
    • Netflix's video constitutes >50% of the entire Internet traffic
    • together with YT and FB, 70-90% are realistic for ephemeral traffic
  • steady (5%)
    • based on a 10-day measurement of a tier-1 ISP: connection establishment (TCP-SYN) uses 0.5% of the bandwidth
    • SIBRA allocates 10x that amount
  • best-effort (15%)
    • email, news, SSH, DNS (3.9%)
    • very short-lived flows, less than 256 ms (5.6%)