Defending Against DDoS Attacks Using Max-min Fair Server Centric Router Throttles
1.1Operating System Concepts
David K.Y. Yau, CS Dept, Purdue University
John C.S. Lui, CS&E Dept, CUHK
Motivations
- Internet is an open and democratic environment
  - increasingly used for mission-critical work and commercial applications
- Many security threats are present or appearing
  - easy to launch, even for naïve users
  - need effective and flexible defenses to detect/trace/counter attacks
- Goals: protect innocent users; prosecute criminals
- Ambitious goals
Network Denial-of-service Attacks
- Some attacks quite subtle
  - securing protocols and intrusion detection (e.g., BGP, TCP SYN attack)
  - at routing infrastructure, malicious dropping of packets, etc. (low-rate TCP)
- Others by brute force:
  - flooding (e.g., UDP, valid Web Request)
- Cripples victim:
  - precludes any sophisticated defense at victim site
- Philosophical question: what is an “attacker”?
- Viewed as resource management problem
Flooding Attack
[Figure: flooding attack diagram; label: Server]
Server-centric Router Throttle
- Installed by server when under stress, at a set of deployment routers
  - can be sent by multicast
- Specifies leaky bucket rate at which router can forward traffic to the server
  - aggressive traffic for server dropped before reaching server
  - rate determined by a feedback control algorithm
- Issues: (1) Which set of routers? (2) What is the “proper” dropping rate?
Router Throttle
[Figure: deployment router holding a throttle for S (securely installed by S) and a throttle for S’; labels: aggressive flow, To S, To S’]
C: Each victim has a leaky bucket for rate limit. Small memory and computation overhead!
Key Design Problems
- Resource allocation: who is entitled to what?
  - need to keep server operating within load limits
  - notion of fairness, and how to achieve it?
- Need global, rather than router-local, fairness
- How to respond to network and user dynamics (e.g., fluctuation of traffic)?
  - Feedback control strategy is needed
What is being fair?
- Baseline approach of dropping a fraction “f”, say ½, of traffic for each flow won’t work well
  - a flow can cause more damage to other flows simply by being more aggressive!
- Rather, no flow should get a higher rate than another flow that has unmet demands
  - this way, we penalize “aggressive” flows only, but protect the well-behaving ones
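The two policies on this slide, side by side, as an added example that is not part of the original slides. The flow rates reuse the constant sources quoted later on the feedback-control slide; CAPACITY and the function names are assumptions made for the illustration.

```python
# Added example. GOOD and ATTACK reuse the constant sources from the
# feedback-control slide; CAPACITY is an assumed server limit.
GOOD = [20, 30, 25]
ATTACK = [4000, 2800]
CAPACITY = 1700

def drop_fraction(demands, capacity):
    """Baseline: drop the same fraction of every flow so the total fits."""
    total = sum(demands)
    if total <= capacity:
        return [float(d) for d in demands]
    keep = capacity / total
    return [d * keep for d in demands]

def max_min_fair(demands, capacity):
    """Water-filling: satisfy small demands fully, split the rest equally."""
    alloc = [0.0] * len(demands)
    remaining = float(capacity)
    unmet = sorted(range(len(demands)), key=lambda i: demands[i])
    while unmet:
        share = remaining / len(unmet)
        i = unmet[0]
        if demands[i] <= share:      # smallest unmet demand fits under the share
            alloc[i] = float(demands[i])
            remaining -= demands[i]
            unmet.pop(0)
        else:                        # every flow left wants more than the share
            for j in unmet:
                alloc[j] = share
            break
    return alloc

def good_throughput(policy, attack_scale=1):
    """Total rate the good flows keep when attackers send attack_scale times more."""
    demands = GOOD + [a * attack_scale for a in ATTACK]
    return sum(policy(demands, CAPACITY)[:len(GOOD)])

if __name__ == "__main__":
    for scale in (1, 2):
        print(scale, round(good_throughput(drop_fraction, scale), 2),
              good_throughput(max_min_fair, scale))
```

Doubling the attack rate roughly halves what the good flows keep under fraction dropping, while the max-min allocation leaves them untouched.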
Level-k Deployment Points
Deployment points parameterized by an integer k
R(k) -- set of routers that are either k hops away from server S, or less than k hops away from S but are directly connected to a host
Fairness across global routing points R(k)
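Computing R(k) from the definition above, as an added example that is not part of the original slides. The topology, node names and the function deployment_points are constructed for the illustration, and "host" is assumed to mean a traffic-sourcing end host other than S.

```python
from collections import deque

# Constructed topology (not from the slides): undirected links, S is the server.
LINKS = [("S", "r1"), ("r1", "r2"), ("r1", "r3"), ("r2", "r4"), ("r2", "r5"),
         ("r4", "r6"), ("r3", "h1"), ("r4", "h2"), ("r5", "h3"), ("r6", "h4")]
HOSTS = {"h1", "h2", "h3", "h4"}

def deployment_points(links, hosts, server, k):
    """Return R(k): routers exactly k hops from the server, plus routers
    fewer than k hops away that are directly connected to a host."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    # Breadth-first search from the server gives each node's hop count.
    dist = {server: 0}
    queue = deque([server])
    while queue:
        node = queue.popleft()
        if node in hosts:            # hosts do not forward traffic
            continue
        for nxt in adj[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    routers = [n for n in dist if n != server and n not in hosts]
    return {r for r in routers
            if dist[r] == k or (dist[r] < k and adj[r] & hosts)}

if __name__ == "__main__":
    for k in (1, 2, 3, 4):
        print(k, sorted(deployment_points(LINKS, HOSTS, "S", k)))
```

With k=3 the result includes r3, which is only two hops from S but has a host attached, so traffic from h1 is still throttled even though it never reaches a 3-hop router.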
Level-3 Deployment
[Figure: level-3 deployment diagram; label: Server]
Feedback Control Strategy
- Hysteresis control
  - high and low water marks for server load, to strengthen or relax router throttle
- Additive increase/multiplicative decrease rate adjustment
  - increases when server load exceeds US, and decreases when server load falls below LS
  - throttle removed when a relaxed rate does not result in significant server load increase
Fairness Definition
A resource control algorithm achieves level-k max-min fairness among the routers R(k) if the allowed forwarding rate of traffic for S at each router is the router’s max-min fair share of some rate r satisfying LS ≤ r ≤ US
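A simulation of the hysteresis loop and the fairness property it is meant to reach, as an added example that is not the authors' algorithm listing (which this transcript does not contain). It assumes the throttle is strengthened by halving the allowed rate when load exceeds US and relaxed by a fixed step when load falls below LS; START_RATE, STEP, eps and the function names are assumptions, while the source rates and water marks are those quoted on the feedback-control slide.

```python
import math

# Source rates and water marks as quoted on the feedback-control slide;
# START_RATE and STEP are assumed values for this illustration.
OFFERED = [20, 30, 25, 4000, 2800]   # offered load toward S at each router
LS, US = 1650, 1750                  # low / high water marks for server load
START_RATE, STEP = 1750.0, 40.0

def forwarded(offered, rate):
    """Leaky-bucket throttle at one router: pass at most `rate` toward S."""
    return min(offered, rate)

def run_throttle(offered, low, high, rate, step, eps=1.0, max_rounds=100):
    """Return (final rate, history); the rate is None if the throttle is removed."""
    history, last_load = [], -math.inf
    for _ in range(max_rounds):
        load = sum(forwarded(o, rate) for o in offered)
        history.append((rate, load))
        if load > high:                  # overloaded: multiplicative decrease
            rate /= 2
            last_load = -math.inf
        elif load < low:                 # underloaded: additive increase
            if load - last_load < eps:   # relaxing no longer adds load
                return None, history
            last_load = load
            rate += step
        else:                            # inside [low, high]: hold this rate
            return rate, history
    return rate, history

if __name__ == "__main__":
    rate, history = run_throttle(OFFERED, LS, US, START_RATE, STEP)
    print(rate, history[-1][1], [forwarded(o, rate) for o in OFFERED])
    print(run_throttle([20, 30, 25, 10, 10], LS, US, START_RATE, STEP)[0])
```

Applying one uniform rate at every router gives each router min(offered, rate), which is its max-min fair share of the final server load; the second call shows the throttle being removed once the attack sources fall silent.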
Fair Throttle Algorithm
Example Max-min Rates (L=18, H=22)
[Figure: example max-min rates annotated on a diagram with node label "Server"; per-node rate values not reproduced]
Interesting Questions
Can we preferentially drop attacker traffic over good user traffic?
Can we successfully keep server operating within design limits, so that good user traffic that makes it gets acceptable service?
How stable is such a control algorithm? How does it converge?
Algorithm Evaluation
- Control-theoretic analysis (fluid analysis)
  - algorithm stability and convergence under different system parameters
- Packet network simulations (packet level analysis)
  - Test under UDP and TCP traffic. Also test with Web traces
- System implementation (the real thing, baby !!!)
  - deployment costs
Control-theoretic Model
[Equation not reproduced in this transcript; its annotations: adjusted traffic from source i, throttle signal from victim, step size]
When throttle signal is high, server is underloaded. When throttle signal is low, server is overloaded.
ANALOGY!!!
Feedback Control Model (Us=1750;Ls=1650)
Constant Source of 20
Constant Source of 30
Constant Source of 25
Constant Source of 4000
Constant Source of 2800
Output for good traffic (total from source 1)
Output for attack traffic (total from source 5)
Output for attack traffic (total from source 6)
Total traffic to server (Us=1750;Ls=1650)
Case 2: variable attack traffic (Us=1750,Ls=1650)
Square Pulse
Output of attack traffic 1
Output of attack traffic 2
Total traffic to server (Us=1750;Ls=1650)
Feedback Control Model (sources and server)
Feedback Control Model (server throttle signal)
Feedback Control Model (sources process throttle)
Throttle Rate (L=900; U=1100)
Server Load (L = 900; U = 1100)
Throttle Rate (U = 1100)
Server Load (U = 1100)
Throttle Rate (L=1050;U=1100)
Server Load (L=1050; U=1100)
NS2: UDP Simulation Experiments
- Global network topology reconstructed from real traceroute data
  - AT&T Internet mapping project: 709,310 traceroute paths, single source to 103,402 other destinations
  - randomly select 5,000 paths, with 135,821 nodes of which 3879 are hosts
- Randomly select x% of hosts to be attackers
  - good users send at rate [0,r], attackers at rate [0,R]
20% Evenly Distributed Aggressive (10:1) Attackers
40% Evenly Distributed Aggressive (5:1) Attackers
Evenly Distributed “meek” Attackers
Deployment Extent
NS2: TCP Simulation Experiment
- Clients access web server via HTTP 1.0 over TCP Reno
- Simulated network subset of AT&T traceroute topology
  - 85 hosts, 20% attackers
- Web clients make request probabilistically with empirical document size and inter-request time distributions
Web Server Protection
Web Server Traffic Control
System Implementation
- On Linux router
  - loadable kernel module
  - CPU resource reservation
- Deployment platform
  - Pentium 4/2 GHz PC
  - multiple 10/100 Mb/s Ethernet interfaces
System Implementation: cont
- OPERA: An Open-Source Extensible Router Architecture
  - http://www.cse.cuhk.edu.hk/~cslui/ANSRlab/software/opera/
  - (A Linux-based package for implementing a software programmable router architecture with the aim to facilitate networking experiments for the research community. Using this architecture, one can dynamically load new extensions and services into the programmable router. Some interesting extensions include QoS support and traceback of DDoS attacks.)
- Dynamic module loading
- Resource reservation
- General extension framework
- Secured Communication
Future Work
- Offered load-aware control algorithm for computing throttle rate
  - impact on convergence and stability
- Policy-based notion of fairness
  - heterogeneous network regions, by size, susceptibility to attacks, tariff payment
- Selective deployment issues
- Impact on real user applications
- Defense for other forms of DDoS like the reflector attack, BGP cascading failure, etc.
Conclusions
- Extensible routers can help improve network health
- Presented a server-centric router throttle mechanism for DDoS flooding attacks
  - can better protect good user traffic from aggressive attacker traffic
  - can keep server operational under an ongoing attack
  - has efficient implementation