michael walfish, mythili vutukuru, hari balakrishnan, david karger, and scott shenker presented by...
TRANSCRIPT
![Page 1: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/1.jpg)
DDoS Defense by Offense 1
DDoS Defense By Of-fense
Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker
Presented by Sunjun Kim, Donyoung Koo
![Page 2: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/2.jpg)
DDoS Defense by Offense 2
• Introduction– Application-level DDoS Attack– Applicability of Speak-up
• Design of Speak-up– Design approaches– Two approaches
• Implementation
• Experimental Evaluation
• Objections
• Conclusion
Outline
![Page 3: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/3.jpg)
DDoS Defense by Offense 3
INTRODUCTION
![Page 4: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/4.jpg)
DDoS Defense by Offense 4
• Defense against application-level DDoS– After occurrence– No prevention– Slow down attacks
• For savvy attacker– Requirement of far less bandwidth– “in-band”, harder to identify & more potent
• Example– Bots attacking Web sites
Requests for large files Requests issuing computationally expensive cost
Overview
![Page 5: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/5.jpg)
DDoS Defense by Offense 5
• Purpose– For exhaustion of server’s resources– No access, just for overwhelming
• Characteristics– Cheaper– Proper-looking– Hard to identify
Application-level DDoS
![Page 6: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/6.jpg)
DDoS Defense by Offense 6
Example Of Application-level DDoS
Good
Good
Bad
B
server
c
g
![Page 7: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/7.jpg)
DDoS Defense by Offense 7
• Over-provision– Additional resource purchase
• Detect and Block– Profiling by IP address– CAPTCHA-based– Capabilities
• Charge in a currency– No need for discremination
Defenses of DDoS
![Page 8: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/8.jpg)
DDoS Defense by Offense 8
• Bad Clients are already exhausted– Already Full-bandwidth usage– Cannot respond to encouragement by Speak-up
• Application-level DDoS attacks server resources– Not attacking network linkage– Total bandwidth may sufficient even with DDoS attack
Speak-up : Intuition
![Page 9: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/9.jpg)
DDoS Defense by Offense 9
• Currency-based approach– Bandwidth for Currency
• Central mechanism– Thinner, Server front-end
• Thinner– Front-end to server– Protection of server from overload– Encouragement of clients
In the form of “Virtual auction”
Speak-up
![Page 10: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/10.jpg)
DDoS Defense by Offense 10
Speak-up
Good
Good
Bad
B
server
c
thinner
![Page 11: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/11.jpg)
DDoS Defense by Offense 11
• How much aggregate Bandwidth by legitimate clientele?– If 90% spare capability : 1/9th than attacker– If 50% spare capability : same as attacker
• For small site? (when legitimate clientele are small)– With combination of other defense mechanisms– Smaller botnets(but smarter) in the future
• Possibility of damage to communal resources– Inflation only to servers under attack, very small fraction– “core”, absorption through over-provision
Applicability of Speak-up
![Page 12: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/12.jpg)
DDoS Defense by Offense 12
• Adequate Link Bandwidth for Server– To handle inflated speak-up traffic– Common deployment to be ISPs
• Adequate Client Bandwidth– To be unharmed during an attack– In total, the same or more order of magnitude bandwidth
• No pre-defined clientele• Non-human clientele• Unequal request, spoofing, or smart bots
Conditions for Speak-up
![Page 13: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/13.jpg)
DDoS Defense by Offense
DESIGN OF SPEAK-UP
13
![Page 14: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/14.jpg)
DDoS Defense by Offense 14
g B
c
• In a request-response server– Cheap for clients to issue– Expensive for server to provide
• Variables for Modeling– Server capacity : c requests/sec
– Demands from good clients : g requests/sec
– (Max.) demands from bad clients : B requests/sec
– Max. demands of good clients : G requests/sec
– g << B
– Server process
min( g, )
Design Model
cBG
G
)(
gG B
thinner
c
g
g B
c
![Page 15: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/15.jpg)
DDoS Defense by Offense 15
• Modest over-provisioning is enough for good clients– Good client demand is satisfied when
– From the equation above,
– If B=G, c = 2g 50% spare capability required
– If B=9*G, c=10g 90% spare capability require
Design Goal
gcBG
G
idcGBgc )/1(
![Page 16: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/16.jpg)
DDoS Defense by Offense 16
• Encouragement– Cause client to send more traffic
• Proportional Reduction– Rate limiting
Way to limit requests to server c requests/sec
– Proportional Allocation Admission of clients At rates proportional to incoming bandwidth
Required Mechanisms
![Page 17: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/17.jpg)
DDoS Defense by Offense 17
• Random dropping of requests to the rate to c
• Encouragement for dropped request– Immediate request for client to retry
“please-retry” signal Taxing easier than identifying
– Modification of scheme Request pipelining Pipe to the thinner full
• Price r = 1/p– Client with affordable price, rate g as required– Client without affordable price,
Thinner Approach I
Random Drops And Aggressive Retries
pc
B G
r
B G
c
![Page 18: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/18.jpg)
DDoS Defense by Offense 18
• Choosing client– Paying more price in “Payment auction”
• Separate “Payment” channel– Thinner requests client to open Payment channel– Clients send congestion-controlled byte sequence to
Thinner
– Tracking # bytes by thinner In virtual auction, # bytes = price
– When server is available, thinner admits the winner, and terminates the payment channel.
• Average price =
Thinner Approach II
Explicit Payment Channel
rB G
c
![Page 19: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/19.jpg)
DDoS Defense by Offense 19
Comparison
• Approach I
Thinner should determine
(which means, expect B,G)
Pays in-band
• Approach II
Simply select winning bid-der
Pays on a separate channel- depends on application
pc
B G
![Page 20: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/20.jpg)
DDoS Defense by Offense 20
• Approach II cannot claim that good clients get
• Theorem – If any client transmit ε fraction of average band-
widthit can get at least ε/2 fraction of service
– Key idea : one client should spend their bandwidth to de-feat other clients, so it’s hard to win forever.
• Over-provision by factor of 2– 100% more provision than
※ 15% in evaluation
Robustness To Cheating
cBG
G
Still propor-tional!
idc
![Page 21: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/21.jpg)
DDoS Defense by Offense 21
• Generalization of design– More realistic case with unequal requests
• Attacker may request only “Hardest” requests
• Assumptions– “hardness” is counted by how long it takes to compute– Server provides an interface to Thinner
SUSPEND, RESUME, and ABORT requests
Heterogeneous Requests
![Page 22: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/22.jpg)
DDoS Defense by Offense 22
Time-sharing Mechanism
Request 1
Request 2
Request 3
Server
Thinner
Request 1
Request 1
Request 1
Request 1
Request 1
Request 1
Request 1
Request 2
Request 2
Request 2
Request 2
Request 2
Request 2
Request 3
Request 3
Request 3
Request 3
Request 3
Request 3
Request 3
RESUME request 1SUSPEND request 1 RESUME request 2SUSPEND request 2 RESUME request 1RESUME request 3SUSPEND request 1 ABORT request 3SUSPENT request 3 RESUME request 1
Time-outDone
![Page 23: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/23.jpg)
DDoS Defense by Offense 23
IMPLEMENTATIONExplicit Payment Channel
![Page 24: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/24.jpg)
DDoS Defense by Offense 24
• Running on– Linux 2.6 kernel– Exporting well-known URL
• Thinner– Prototype implemented in C++– Requested from clients– Decide when to send requests to the server– Received responses from the server, and forward to
clients– Classify each client by “id” field in HTTP request
Specifications
![Page 25: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/25.jpg)
DDoS Defense by Offense 25
• Thinner’s Decision– When to send request to server– Using “Explicit Payment Channel”
• Server “processes”– With “Service Time” selected randomly
between 0.9/c and 1.1/c– Respond to requests
• Thinner’s Return– HTML to client with server’s response
Sequence
![Page 26: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/26.jpg)
DDoS Defense by Offense 26
• JavaScript sent from thinner (Encouragement)– Automatically issuing two requests– One for actual request– One for 1MB HTTP POSTs
Dynamic construction by browser Dummy data inclusion Payment channel
• Client’s win– Termination of HTTP POST request– Submission of actual request to server
• Client’s lose– JavaScript from thinner– Trigger process continuation
In Case Of Busy Server
![Page 27: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/27.jpg)
DDoS Defense by Offense 27
EXPERIMENTAL EVALUATIONExplicit Payment Channel
![Page 28: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/28.jpg)
DDoS Defense by Offense 28
• On Emulab testbed– Python Web clients connected to Python Thinner in various topology
• Requests by Poisson process– Rate λ requests/sec
• Server– Processing at rate c request/sec
• 50 clients– With 2 Mbits/sec each– B + G = 100 Mbits/sec– Good client : λ = 2 w = 1– Bad client : λ = 40 w = 20
• 600-second experiments– 1451 Mbps (stdev 38Mbps) for payment bytes– 379 Mbps (stdev 24Mbps) for regular requests(both from good and bad)
Environment
![Page 29: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/29.jpg)
DDoS Defense by Offense 29
Validation of Thinner’s Allocation
• Server allocation with c = 100 requests/sec
![Page 30: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/30.jpg)
DDoS Defense by Offense 30
• In different “provisioning” regimes
Validation of Thinner’s Allocation
![Page 31: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/31.jpg)
DDoS Defense by Offense 31
• Mean time to upload dummy bytes for good re-quests
Latency cost
![Page 32: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/32.jpg)
DDoS Defense by Offense 32
• Average number of bytes sent on the payment channel
Byte cost
![Page 33: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/33.jpg)
DDoS Defense by Offense 33
• Heterogeneous client bandwidth with 50 all good clients
Heterogeneous client network
![Page 34: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/34.jpg)
DDoS Defense by Offense 34
• Two sets of heterogeneous clients RTT
Heterogeneous client network
![Page 35: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/35.jpg)
DDoS Defense by Offense 35
• 50 Clients– 30 Clients behind bottleneck– 10 Good Clients connected to Thinner directly– 10 Bad Clients connected to Thinner directly
Experimental Topology
60Mbps
20Mbps
20Mbps
40Mbps
clientMbpsMbps
MbpsMbps /
3
4
60
402
2Mbps/client
2Mbps/client
![Page 36: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/36.jpg)
DDoS Defense by Offense 36
Good & Bad clients sharing bottleneck
![Page 37: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/37.jpg)
DDoS Defense by Offense 37
Impact of Speak-up on other traffic
![Page 38: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/38.jpg)
DDoS Defense by Offense 38
OBJECTIONS
![Page 39: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/39.jpg)
DDoS Defense by Offense 39
• Under speak-up– More good clients “better off”– High-bandwidth good clients “more better off”
• Unfairness with speak-up– Only under attack– Unfortunate, but not fatal
• Possible solution for ISPs– Offering low-bandwidth customer to
high-bandwidth proxy that “Pay bandwidth” to thinner
Bandwidth envy
![Page 40: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/40.jpg)
DDoS Defense by Offense 40
• In some countries– Payment for “per-bit”– Under speak-up, more actual payment
• Possible solutions– Proxies provided by ISPs– Exposition of “going rate” in bytes by thinner
Translation of rate to money and report Up to customer whether to pay
Variable bandwidth costs
![Page 41: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/41.jpg)
DDoS Defense by Offense 41
• Incentive to encourage botnets– In many commercial relationships
• Trust in– Regulation– Professional norms– Reputation to limit harmful conduct
Incentives for ISPs
![Page 42: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/42.jpg)
DDoS Defense by Offense 42
• Problem caused by bots– Isn’t this approach too mess?– Encouraging more traffic ?!
• Cannot clean up whole– Even if bots are reduced by order of magnitude– Bots can still do effective attack (smart bots)
Speak-up is still useful
Sloving the wrong problem
![Page 43: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/43.jpg)
DDoS Defense by Offense 43
• Overload from good clients alone– Treat like application-level DDoS
• Not applicable case for low bandwidth service– Find another solution, please
Flash crowds
![Page 44: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/44.jpg)
DDoS Defense by Offense 44
CONCLUSION
![Page 45: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/45.jpg)
DDoS Defense by Offense 45
• Who needs speak-up?– Survey to find out
• But we can say that, it works.
• Main advantages– No need to change network elements– Only need for server modification & Thinner addition– Client also should be modified little bit
• Main disadvantages– Possibility of edge network hurt– Assumptions may not hold in many cases
Speak-up summary
![Page 46: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/46.jpg)
DDoS Defense by Offense 46
• Distributed Thinner– Problem : Thinner should aggregate all “encouraged”
traffic,may results in congestion
– Solution : Distribute Thinner to regulate traffic step-by-step
• One approach– Paper in ICC 2008
[ Combining Speak-up with DefCOM for Improved DDoS De-fense ]
– DefCOM : Distributed DDoS Defense System Combine speak-up as its rate-limiter As a result, thinner is distributed
Future Working
![Page 47: Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense](https://reader030.vdocuments.mx/reader030/viewer/2022032723/56649d005503460f949d28a0/html5/thumbnails/47.jpg)
DDoS Defense by Offense 47
THANK YOUAny question?