SIBRA Cristina Basescu, Raphael M. Reischuk , Pawel Szalachowski, - PowerPoint PPT Presentation

SIBRA : S calable I nternet B andwidth R eservation A rchitecture SIBRA Cristina Basescu, Raphael M. Reischuk , Pawel Szalachowski, Adrian Perrig, Yao Zhang, Hsu-Chun Hsiao, Ayumu Kubota, Jumpei Urakawa picture: http://map.norsecorp.com/ NDSS 2016, San Diego, CA

180,000 IP addresses +690,000,000 hits per day 150 hours 2013 861 user agents source: http://www.securityweek.com/ddos-attacks-cost-40000-hour-incapsula picture: https://www.incapsula.com/blog/headless-browser-ddos.html 2

180,000 IP addresses +690,000,000 hits per day 150 hours 2013 861 user agents source: http://www.securityweek.com/ddos-attacks-cost-40000-hour-incapsula picture: https://www.incapsula.com/blog/headless-browser-ddos.html 2

Why are current DDoS defenses inadequate?

Defense Strategies · Traffic Scrubbing: clean incoming traffic from malicious flows Useless if a link upstream is flooded Target link Internet Internet Internet Target The Coremelt attack [38] (ESORICS 2009) Exploits a characteristic of today’s Internet: (legitimate) end hosts cannot control the path 
 to bypass congested links · Network Capabilities: isolate attack traffic from benign traffic Useless if links are congested (DoC attacks [32]) 4

Defense Strategies · Fair Resource Reservation: guarantee exclusive usage Useless in today’s Internet since actual allocations would be too small Fair share on every link too small Everyone has the incentive to to be useful. increase their “fair share”. Per flow fair sharing, Tragedy of the commons, and similar notions Garrett Hardin (1968) Current defenses lack a crucial property: Availability does not diminish 
 — regardless of the botnet size "Botnet-size independence" 5

What ingredients do we need for DDoS defense?

SIBRA: Key Ingredients Group ASes into Isolation Domains (ISDs) Internet ISD ISD ISD S D ISD Autonomous System (AS) S D Core AS ISD Internet Architecture ISD Distribute control for path construction 
 & resource allocation between 
 - source AS, 
 - destination AS, ISD - core ASes S ISD D 7

Which notion of fairness is required for botnet-size independence ?

E R O C Fairness between ISDs: core paths SIBRA Paths • between ISD Core ASes • negotiated between direct neighbors D I S • initiated from destination a n y AS C1 G e r m AS D1 • according to previous traffic volumes • long-term (months) • optional guarantees 
 1 Tbps ISD United States 2 Tbps e.g., 99.99% availability AS B1 AS B2 AS A2 ISD Japan S ISD D Austria 9

STEADY Fairness between ISDs: core paths SIBRA Paths Fairness inside ISDs: steady paths • requested by inner ASes I S D • low-bandwidth traffic 
 AS C1 r m a n y G e (control traffic, DNS, ICMP) AS D1 • intermediate-term 
 (order of minutes) • periodically extendable • basis for launching high- ISD United States bandwidth reservations • cryptograph. protected 
 (using local keys) AS B1 AS B2 AS A2 50 Mbps AS G AS F 30 Mbps ISD Japan AS E S ISD AS H D Austria 10

L R A E M H E P E Fairness between ISDs: core paths SIBRA Paths Fairness inside ISDs: steady paths E2E reservations: ephemeral paths I S D fairness: per-source and dest. AS n y AS C1 G e r m a AS D1 bandwidth proportional to steady paths and core paths ISD United States AS B1 AS B2 AS A2 • requested by end hosts • high-bandwidth traffic 
 (proportional to steady bw.) AS G AS F • short-term 
 ISD (tens of seconds) Japan • periodically extendable AS E S • similar to leased lines 
 ISD AS H D Austria (more flexible and cheaper) • similar to virtual paths 
 (with security protection) 11

How much bandwidth do ephemeral paths obtain?

2-Dimensional Bandwidth Decomposition 1. vertical 2. horizontal (hierarchical, per-location) (per-link) 13

2-Dimensional Bandwidth Decomposition 1. vertical 2. horizontal case 2) 
 I S D between ISDs (hierarchical, per-location) (per-link) AS C1 G e r m a n y AS D1 ISD United States 
 ) 1 e s a c source ISD AS B1 AS B2 AS A2 case 3) 
 ISD destination ISD Japan D AS F AS E S1 S2 AS G ISD Austria 13

2-Dimensional Bandwidth Decomposition 1. vertical 2. horizontal case 2) 
 I S D between ISDs (hierarchical, per-location) (per-link) AS C1 G e r m a n y AS D1 80% ephemeral ISD United States 5% steady AS D1 
 ) 1 e s 15% best-effort a c source ISD AS B1 AS B2 core ephemeral path path AS A2 case 3) 
 ISD destination ISD Japan D AS B2 AS B1 AS F steady AS E path S1 S2 AS G ISD Austria D AS K AS H 13

2-Dimensional Bandwidth Decomposition 1. vertical 2. horizontal case 2) 
 I S D between ISDs (hierarchical, per-location) (per-link) AS C1 G e r m a n y AS D1 80% ephemeral 5% steady AS D1 ISD United States 15% best-effort 
 core ) 1 e ephemeral s path a c path source ISD AS B1 AS B2 AS B2 AS B1 AS A2 case 3) 
 ISD steady destination ISD path Japan D AS K D AS H AS F 100 Gbps 80 Gbps ephemeral 5 Gbps steady AS E S1 S2 AS G 15 Gbps best-effort ISD Austria 13

2-Dimensional Bandwidth Decomposition 1. vertical 2. horizontal case 2) 
 I I I S S S D D D between ISDs (hierarchical, per-location) (per-link) AS C1 AS C1 AS C1 G G G e e e r r r m m m a a a n n n y y y AS D1 AS D1 AS D1 80% ephemeral 5% steady AS D1 ISD United States ISD United States ISD United States 15% best-effort 
 core ) 1 e ephemeral s path a c path source ISD AS B1 AS B1 AS B1 AS B2 AS B2 AS B2 AS B2 AS B1 AS A2 AS A2 AS A2 case 3) 
 ISD ISD ISD steady destination ISD path Japan Japan Japan D AS K D D D AS H 30 Mbps AS F AS F AS F 90 Mbps 100 Gbps 80 Gbps ephemeral 5 Gbps steady AS E AS E AS E S1 S1 S1 S2 S2 S2 AS G AS G AS G 15 Gbps best-effort ISD ISD ISD Austria Austria Austria 13

2-Dimensional Bandwidth Decomposition case 1) 
 source ISD Destination Source Core Path ISD ISD 480 Mbps S 1 30 D core S 2 50 core 2 90 Gbps 880 Mbps Mbps steady path core path ephemeral path 30 Mbps * 80 / 5 = 480 Mbps 14

2-Dimensional Bandwidth Decomposition case 2) 
 Destination between ISDs Source Core Path ISD ISD 480 Mbps S 1 960 Mbps 30 D core S 2 50 core 2 90 Gbps 880 Mbps Mbps steady path core path ephemeral path 30 Mbps * 80 / 5 = 480 Mbps 30 / ( 30 + 90 + 880 ) * 2 Gbps * 80 / 5 = 960 Mbps 14

2-Dimensional Bandwidth Decomposition Destination Source Core Path ISD ISD 480 Mbps 4.8 Mbps S 1 960 Mbps 30 D core S 2 50 core 2 90 Gbps 8 880 Mbps Mbps steady path core path ephemeral path 30 Mbps * 80 / 5 = 480 Mbps 30 / ( 30 + 90 + 880 ) * 2 Gbps * 80 / 5 = 960 Mbps 30 / ( 30 + 90 + 880 ) * 2 / ( 2 + 8 ) * 50 Mbps * 80 / 5 = 4.8 Mbps 14

2-Dimensional Bandwidth Decomposition 1. vertical 2. horizontal I S D (hierarchical, per-location) (per-link) AS C1 G e r m a n y AS D1 80% ephemeral 960 Mbps 5% steady AS D1 ISD United States 15% best-effort 4.8 Mbps core ephemeral path path AS B1 AS B2 AS B2 AS B1 AS A2 480 Mbps ISD steady path Japan D AS K AS K D AS H AS F AS E S1 S2 AS G ISD Austria

2-Dimensional Bandwidth Decomposition 1. vertical 2. horizontal I S D (hierarchical, per-location) (per-link) AS C1 G e r m a n y AS D1 80% ephemeral 960 Mbps 5% steady AS D1 ISD United States 15% best-effort 4.8 Mbps core ephemeral path path AS B1 AS B2 bottom line: 
 AS B2 AS B1 ephemeral BW is proportional to steady BW AS A2 480 Mbps ISD steady (source-ISD paths, core paths, dest-ISD paths) path Japan D AS K AS K D AS H AS F unused st./eph. BW is loaned to best-effort BW (through statistical multiplexing) AS E S1 S2 AS G ISD Austria

CBC-MAC (AES) 
 SIBRA Guarantees Intel’s AESni [16] 4.15 cycles/byte • Source AS S initiates a reservation. 
 RT AS i = ingress AS i ∥ egress AS i ∥ Each AS on path accepts or declines 
 � � ingress AS i ∥ egress AS i ∥ Request ∥ RT AS i − 1 MAC K i and provides a cryptographic token: • Efficiency & Scalability : 
 ASes verify these tokens , embedded in the forwarded packets, i.e., no per-flow state. ISD Germany AS C1 AS D1 ISD United States AS B1 AS B2 AS A2 AS G AS F ISD Japan AS E S ISD AS H D Austria 16

SIBRA under Attack Probabilistic 
 monitoring at transit ASes Per-neighbor 
 (fastpath, [43]) monitoring ISD AS C1 Germany at transit ASes AS D1 (fastpath) Botnet B Botnet A ISD United States Per-flow 
 monitoring AS B1 AS B2 at the edge AS A2 (slowpath, [37]) AS G AS F ISD Japan AS E S ISD AS H D Austria Botnet C Botnet D 17

Is there enough bandwidth in today’s Internet?

Case study: core links to Australia • The entire world connects to Australia (32 428 leaf ASes) 2 Capacity (Gbps) 1.12 3 1.12 (1) SEA-ME-WE 3 (2) Australia - Papua 4 1280 960 New Guinea-2 (3) PIPE - Paci fj c Cable-1 2560 1 (4) Australia - Japan Cable 3600 (5) Gondwana-1 5 (6) Sothern Cross Cable Network (7) Telstra Endeavor 640 (8) Tasman-2 6 6000 7 6 463.9 Mbps 
 8 ( 371.1 Mbps ephemeral bandwidth) 5.64 Gbps 
 for each AS in 2018 19

How effective is SIBRA?

Evaluation: Defense against Coremelt 140 120 File Transfer Time(s) File Transfer Time(s) SIBRA 100 TVA Portcullis 80 STRIDE 60 40 20 0 0 0.5 1 1.5 2 5000 10000 15000 20000 # of Attacker Pairs 5 Number of Attacker Pairs x 10 21