On the Feasibility of Rerouting-based DDoS Defenses
Muoi Tran, Min Suk Kang, Hsu-Chun Hsiao, Wei-Hsuan Chiang, Shu-Po Tung, Yu-Su Wang
May 2019 | San Francisco, CA

Transit-link DDoS attack: a powerful type of volumetric DDoS (distributed denial of service) attack
Traditional: volumetric attack traffic targeting end servers
Non-traditional: volumetric attack traffic targeting transit links
Real incidents: 2013, 2015
Academic studies: Coremelt attack (ESORICS ’09), Crossfire attack (S&P ’13)

Handling transit-link DDoS attack is challenging
Indistinguishable low-rate traffic
Victims are indirectly affected
[Diagram labels: Source, Destination, AS]

Transit-link DDoS attacks still remain an open problem
Coremelt attack (Studer et al.)
Crossfire attack (Kang et al.)
Partial solutions: SPIFFY (Kang et al.), CoDef defense (Lee et al.), LinkScope (Xue et al.), RADAR (Zheng et al.), NetHide (Meier et al.)
Not available in the current Internet: STRIDE (Hsiao et al.), SIBRA (Basescu et al.)
Routing Around Congestion (Smith et al., S&P ’18): "Readily deployable solution"
[Timeline years: 2009, 2013, 2014, 2016, 2018]
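
Background: How BGP routing works?
Border Gateway Protocol (BGP)
[Diagram: AS D (destination), AS Z, AS Y, AS X, AS C (source). BGP propagation carries the AS-path {D}, {Z,D}, {Y,Z,D}, {X,Y,Z,D} away from the destination; traffic forwarding follows the traffic path from source to destination.]
Loop-free AS-path
No control over traffic path by design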

Routing Around Congestion (RAC): Rerouting using BGP poisoning [Smith et al., S&P ’18]
Goal: reroute to avoid AS W
[Diagram: victim destination AS D, critical source AS C, and AS Z, AS W, AS X, AS Y. The BGP poisoning message carries the AS-path {D,W,D}; at AS W: ✕ Loop detected! Traffic switches from the original path to the detour path.]
AS collaboration is not needed!

Will RAC defense still work against adaptive attackers?

Our contributions
Adaptive detour-learning attack against rerouting solutions
Practical challenge of mitigating adaptive detour-learning attack
Future directions for transit-link DDoS defenses

Adaptive detour-learning attack: Threat model
Goals:
(1) To detect rerouting in real-time
(2) To learn new detour path accurately
(3) To congest new detour path (see the paper)
Capabilities:
- Same botnets used in transit-link DDoS attack

Adaptive detour-learning attack: (1) how to detect rerouting in real-time
[Diagram labels: AS D, AS Z, AS W, AS X, AS C, AS Y, AS I; victim destination, critical source, original path, detour path, adaptive adversary, traceroute]
Rerouting is detected!

Adaptive detour-learning attack: (2) how to learn detour path accurately
[Diagram labels: AS D, AS Y, AS G, AS C, AS X, AS E, AS J, AS I, AS H; victim destination, critical source, detour path]
Challenge: Which is more accurate route measurement of actual detour path?
Solution: Prioritize measurement from bot closer to traffic source: closer AS (e.g., shorter AS-path)
Results: 94% of learned detour paths are correct
(3) congest detour path (see the paper)

Our contributions
Adaptive detour-learning attack against rerouting solutions
Practical challenge of mitigating adaptive detour-learning attack
Future directions for transit-link DDoS defenses

How to defend against detour-learning attack?
Detour learned!
Detour path must be isolated!
Exclusively used for critical flows
How to isolate?
Poison all peers of ASes on detour path!
[Diagram labels: AS D, AS Z, AS W, AS X, AS C, AS Y, AS I, AS J; critical source, victim destination]

Detour path isolation => poisoning too many ASes
[Figure: CDF (0 to 1) of the number of ASes that should be poisoned; log-scale x-axis from 100 to 10000]
Thousands of ASes should be poisoned. But why?
Tier-1 or large Tier-2 on the detour paths (more in the paper)

Can we poison that many ASes?
[Figure: CDF (0 to 1) of the number of ASes that should be poisoned; log-scale x-axis from 100 to 10000, with marks at 255 (Implementation) and 2034 (Specification)]
Specification: up to 2034
Implementation: up to 255
Configuration: up to 30-50

Confirmed: ISPs do not support poisoning > 255 ASes
[Figure: number of observed BGP messages vs. number of ASes seen in a BGP message; log-scale x-axis from 1 to 1000 with marks at 30 and 255; annotations: 99.99%, slowly decrease in frequency, 50x drop in frequency]
Poisoning > 1,000 ASes is nearly impossible
=> Detour path isolation is infeasible
=> Detour-learning attack is almost always possible
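
The poisoning mechanism from the RAC slide and the AS-count limits quoted above, as an added sketch that is not from the talk or the paper. The topology, the shortest-path-only route selection, and the function names are assumptions made for illustration; the configuration limit uses the top of the quoted 30-50 range.

```python
# Added illustration, not from the talk: constructed topology, shortest-path
# route selection only (no routing policies). AS names follow the slides.
LINKS = {
    "D": {"W", "Z"}, "W": {"D", "X"}, "Z": {"D", "Y"},
    "Y": {"Z", "X"}, "X": {"W", "Y", "C"}, "C": {"X"},
}
# Upper bounds on poisoned ASes as quoted on the slides; "configuration"
# takes the top of the quoted 30-50 range.
LIMITS = {"specification": 2034, "implementation": 255, "configuration": 50}


def propagate(origin, poisoned, links=LINKS):
    """Flood origin's announcement; return {AS: AS-path it received}."""
    # A poisoned announcement is origin, poisoned ASes, origin: e.g. {D, W, D}.
    announced = [origin, *poisoned, origin] if poisoned else [origin]
    routes, frontier = {}, [(origin, announced)]
    while frontier:
        nxt = []
        for sender, path in frontier:
            for nbr in sorted(links[sender]):
                # BGP loop prevention: an AS drops a route whose AS-path
                # already contains its own AS number (this is what poisoning uses).
                if nbr in path or nbr in routes:
                    continue
                routes[nbr] = path
                nxt.append((nbr, [nbr, *path]))  # prepend own AS, re-advertise
        frontier = nxt
    return routes


def forwarding_path(routes, src, origin):
    """AS-level path traffic takes from src to origin (poison suffix cut off)."""
    path = routes[src]
    return [src, *path[: path.index(origin) + 1]]


def layers_allowing(n_poisoned, limits=LIMITS):
    """Which of specification / implementation / configuration admit n poisoned ASes."""
    return [layer for layer, cap in limits.items() if n_poisoned <= cap]


if __name__ == "__main__":
    print(forwarding_path(propagate("D", []), "C", "D"))     # original path via W
    print(forwarding_path(propagate("D", ["W"]), "C", "D"))  # detour avoiding W
    print("W" in propagate("D", ["W"]))                      # W rejected the route
    print(layers_allowing(1000))                             # isolation-scale poisoning
```
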

Our contributions
Adaptive detour-learning attack against rerouting solutions
Practical challenge of mitigating adaptive detour-learning attack
Future directions for transit-link DDoS defenses

Desired defense property: destination-controlled routing
Clean-slate Internet architecture (e.g., STRIDE, SIBRA): ✕ Too costly to deploy
Hacking BGP (e.g., Routing Around Congestion): ✕ Does not work
? (e.g., explicit BGP rerouting for critical flows under emergency)

Two Lessons Learned

Lesson 1
Hacking the current Internet routing is a flawed idea!
✓ Adaptive attacks are possible
✓ Mitigation is hard
✓ Adaptive defense is slower than adaptive attacker (more in the paper)

Lesson 2
Analysis of protocol specifications alone is insufficient!
Specification Implementation Configuration

Conclusion
• Detour-learning attacks are effective and hard to mitigate
  ✓ Transit-link DDoS attacks still remain an open problem
• Suggestion on research direction
  ✓ Balance destination-controlled routing and deployability
• 2 lessons learned:
  ✓ Hacking BGP for rerouting is a flawed idea
  ✓ Analysis with specification only can be dangerous