SPIFFY: Inducing Cost-Detectability Tradeoffs for Persistent - - PowerPoint PPT Presentation



SLIDE 1

SPIFFY: Inducing Cost-Detectability Tradeoffs for Persistent Link-Flooding Attacks

Min Suk Kang Virgil D. Gligor Vyas Sekar

ECE Department and CyLab, Carnegie Mellon University

Feb 22, 2016

SLIDE 2

Large-scale link-flooding attacks

Massive DDoS attacks against chosen target links in Internet Infrastructure

[Figure labels: ISP, ISP; end-point target server(s); bots]

  • Real-world examples
    – Spamhaus (March 2013), ProtonMail (Nov 2015)

  • “Indistinguishability” of attack flows
    – Bot-to-bot or bot-to-server attack flows (e.g., Coremelt [ESORICS’09], Crossfire [S&P’13])

SLIDE 3

Fundamental defense approach requires inter-ISP coordination

  • “Routing Bottlenecks” [CCS’14] become the vulnerabilities exploitable by link-flooding attacks

  • Removing routing bottlenecks => inter-ISP coordination

  • Inter-ISP coordination requires global deployment of new protocols, bilateral agreement, and added infrastructure
    => Thus, we need a first-line of defense that can be offered by a single ISP and can be immediately deployed

[Figure label: end-point target server(s)]

SLIDE 4

First-line of defense without inter-ISP coordination

Goal: attack deterrence

  • Deter rational, indistinguishable link-flooding adversaries

  • rational: cost-sensitive and stealthy
    – Majority of DDoS adversaries are rational [Png et al. 2008]

Sketch of solution: cost-detectability tradeoff

    – Bot detection at local ISP exploiting adversary’s cost-sensitive behavior
    – Bot detection can be circumvented when adversary accepts significant cost increase

SLIDE 5

Problem statement and solutions

Problem:

  • First-line of defense for link-flooding attacks

Solutions:

  • Deterrence of rational link-flooding adversaries

  • Cost-detectability tradeoffs based on bot detection

  • SPIFFY: system design for ISP networks

SLIDE 6

SPIFFY’s bot detection mechanism

[Figure: a legitimate sender (degraded rate) and a bot (attack rate) send over targeted link L; the two are indistinguishable]

SLIDE 7

SPIFFY’s bot detection mechanism

Temporary Bandwidth Expansion (TBE)

  • legitimate sender: degraded rate => increased rate

  • bot: attack rate => not-increased rate (must have already saturated upstream bandwidth)

Distinguishable!

SLIDE 8

Why are bots supposed to be saturated?

[Figure: a cost-sensitive adversary with a Goal and a Budget: “Let’s plan an attack”, “Buy some bots”, “Launch!”]

  • Optimal operation strategy: saturate upstream bandwidth

SLIDE 9

Why would legitimate senders increase rates in response to TBE?

flow rate ≤ degraded rate

SLIDE 10

Why would legitimate senders increase rates in response to TBE?

BEFideal (Ideal Bandwidth Expansion Factor) = (guaranteed) normal rate / degraded rate

TBE => recovered normal flow rate

SLIDE 11

Bot detection circumvention => highly increased attack cost

[Figure: under Temporary Bandwidth Expansion (TBE) on targeted link L, the legitimate sender and the bot both go from degraded rate to increased rate; the two are indistinguishable]

SLIDE 12

Bot detection circumvention => highly increased attack cost

[Figure: under Temporary Bandwidth Expansion (TBE) on targeted link L, the legitimate sender and the bot both go from degraded rate to increased rate; the two are indistinguishable]

  • Strategy => massive reduction of bots’ bandwidth utilization => massive increase in the number of required bots (by a factor of BEFideal)

  • SPIFFY forces unpleasant tradeoff:
    (1) undetectability but at highly increased cost;
    (2) low cost but easily detectable

SLIDE 13

SPIFFY challenges and solutions

[Figure: under Temporary Bandwidth Expansion (TBE), the legitimate sender goes from degraded rate to increased rate; the bot goes from attack rate to not-increased rate]

  • Challenge: fast TBE in typical ISPs
    – Solution: coordinated route changes

  • Challenge: rate-change detection mechanism at scale
    – Solution: sketch-based rate-change detection [NSDI’13]

  • Challenge: false identification of low-rate users
    – Solution: exemption for low-rate users
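
The rate-increase test, the low-rate exemption, and the cost argument from the preceding slides, as an added Python sketch that is not code from the SPIFFY authors. The exemption threshold, the tolerance, and all sample rates are assumptions chosen for illustration; BEFideal = 10 matches the value the deck uses in its experiments.

```python
import math
from dataclasses import dataclass

BEF_IDEAL = 10  # ideal bandwidth expansion factor used in the deck's experiments

@dataclass
class Sender:
    name: str
    rate_before: float  # Mbps on the targeted link before TBE (degraded/attack rate)
    rate_during: float  # Mbps measured while TBE is active

def classify(s, bef_ideal=BEF_IDEAL, exempt_below=0.05, tolerance=0.5):
    """Label a sender 'exempt', 'legitimate' or 'bot' from its rate-increase ratio.
    exempt_below (Mbps) and tolerance are assumed values, not from the slides."""
    if s.rate_before < exempt_below:
        return "exempt"  # low-rate users are not tested, to avoid false identification
    ratio = s.rate_during / s.rate_before
    # A flow throttled by the congested link recovers by roughly BEFideal under TBE;
    # a bot that already saturates its upstream bandwidth cannot increase its rate.
    return "legitimate" if ratio >= tolerance * bef_ideal else "bot"

def bots_required(link_mbps, upstream_mbps, bef_ideal=BEF_IDEAL, evade=False):
    """Bots needed to fill the target link. To pass the TBE test a bot must keep
    headroom to scale up by BEFideal, so it may use only 1/BEFideal of its upstream."""
    factor = bef_ideal if evade else 1
    return math.ceil(link_mbps * factor / upstream_mbps)

# Constructed sample measurements (Mbps), not data from the presentation.
SAMPLE = [
    Sender("web-client", 0.2, 1.9),     # recovers close to 10x
    Sender("saturated-bot", 1.0, 1.0),  # upstream already full, no increase
    Sender("idle-user", 0.01, 0.01),    # below the exemption threshold
    Sender("throttled-bot", 0.1, 1.0),  # passes, but sends at 1/10 of its capacity
]

def run():
    """Classify every constructed sample sender."""
    return {s.name: classify(s) for s in SAMPLE}

if __name__ == "__main__":
    for name, label in run().items():
        print(f"{name:14s} {label}")
    print("bots, low cost but detectable:", bots_required(10_000, 1.0))
    print("bots, undetectable but costly:", bots_required(10_000, 1.0, evade=True))
```

The throttled sender passes the test only because it sends at one tenth of its upstream capacity, which is why the required bot count for the same link grows by a factor of BEFideal.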

SLIDE 14

Design of temporary bandwidth expansion

[Figure: targeted link L; sudden bandwidth expansion!]

Solution: coordinated, sudden route changes that handle large bandwidth expansion

  • SDN controller
    – Software-defined networking (SDN) provides centralized control and traffic visibility

  • Linear programming formulation: we find the maximum available bandwidth expansion factor (BEFavail) and new routes for a target link and a given network topology

SLIDE 15

Maximum available bandwidth expansion factor (BEFavail) for 5 ISP networks

[Figure: BEFavail with uniform link bandwidth and with non-uniform link bandwidth (1:2:8)]

How to implement TBE with large BEFideal when BEFavail < BEFideal?

    – randomized sequential TBE: we sequentially test only a random subset of senders at each TBE, providing them the ideal bandwidth expansion factor BEFideal

SLIDE 16

Simulation for rate change behaviors

  • ns2 simulator with HTTP traffic generator (PackMime)

[Figure: Topology (BEFideal = 10)]

SLIDE 17

Simulation for rate change behaviors

[Figure: per-sender rate changes, showing individual per-sender rate, mean and stdev; TBE starts at 10.0 sec]

    – Large rate-change ratio can be quickly measured (e.g., < 5 sec)
    – Robust rate change behavior of legitimate senders in various environments (e.g., TCP variants, RTT changes, short flows)

SLIDE 18

Rate-increase ratios of bot and legitimate sender in SDN testbed

[Figure: rate increase ratio with TBE operation vs. time (sec) for the bot and the legitimate sender; normal rate / degraded rate = 10; TBE starts at t = 10 and ends at t = 15; annotations: bot identified, bot blocked]

SLIDE 19

Conclusion

  • First-line of defense for indistinguishable link-flooding attacks
    – Attack deterrence of rational adversaries
    – Cheaper/easier than inter-ISP coordination based defenses

  • SPIFFY: system design for cost-detectability tradeoffs
    – Practical bot detection mechanism for large ISPs
    – SDN-based design for temporary bandwidth expansion

SLIDE 20

Thank you

minsukkang@cmu.edu