USENIX Security Symposium, San Jose, USA, July 30, 2008 Proactive Surge Protection: A Defense Mechanism for Bandwidth-Based Attacks Jerry Chou, Bill Lin University of California, San Diego Subhabrata Sen, Oliver Spatscheck AT&T Labs-Research

Slide 1

Proactive Surge Protection: A Defense Mechanism for Bandwidth-Based Attacks

Jerry Chou, Bill Lin, University of California, San Diego

Subhabrata Sen, Oliver Spatscheck, AT&T Labs-Research

Slide 2

Outline

• Problem

• Approach

• Experimental Results

• Summary

Slide 3

Motivation

• Large-scale bandwidth-based DDoS attacks can quickly knock out substantial parts of a network before reactive defenses can respond

• All traffic that shares route links with the attack traffic suffers collateral damage, even though it is not under direct attack

[Figure: US backbone map with nodes Seattle, Sunnyvale, Denver, Los Angeles, Chicago, New York, Washington, Atlanta, Houston, Kansas City and Indianapolis]

Slide 4

Motivation

• The potential for large-scale bandwidth-based DDoS attacks exists

• e.g. large botnets with more than 100,000 bots exist today that, when combined with the prevalence of high-speed Internet access, can give attackers multiple tens of Gb/s of attack capacity

• Moreover, core networks are oversubscribed (e.g. some core routers in Abilene have more than 30 Gb/s of incoming traffic from access networks, but only 20 Gb/s of outgoing capacity to the core)

Slide 5

Example Scenario

• Suppose that under normal conditions the combined traffic of the Seattle/NY and Sunnyvale/NY OD pairs is under 10 Gb/s: Seattle/NY at 3 Gb/s and Sunnyvale/NY at 3 Gb/s

[Figure: Seattle, Sunnyvale, Kansas City, Indianapolis, Houston, Atlanta and New York connected by 10G links; Seattle/NY: 3 Gb/s, Sunnyvale/NY: 3 Gb/s]

Slide 6

Example Scenario

• Suppose a sudden attack between Houston/Atlanta: the congested links suffer a high rate of packet loss, causing serious collateral damage on the crossfire OD pairs

[Figure: same topology with 10G links; Houston/Atlanta: attack at 10 Gb/s, Seattle/NY: 3 Gb/s, Sunnyvale/NY: 3 Gb/s]

Slide 7

Impact on Collateral Damage

• OD pairs are classified into 3 types with respect to the attack traffic

  • Attacked: OD pairs with attack traffic

  • Crossfire: OD pairs sharing route links with attack traffic

  • Non-crossfire: OD pairs not sharing route links with attack traffic

• Collateral damage occurs on crossfire OD pairs

• Even a small percentage of attack flows can affect substantial parts of the network

[Figure: two panels, US and Europe]

Slide 8

Related Works

• Most existing DDoS defense solutions are reactive in nature

• However, large-scale bandwidth-based DDoS attacks can quickly knock out substantial parts of a network before reactive defenses can respond

• Therefore, we need a proactive defense mechanism that works immediately when an attack occurs

Slide 9

Related Works (cont’d)

• Router-based defenses like Random Early Drop (RED, RED-PD, etc.) can prevent congestion by dropping packets early, before congestion sets in

  • But they may drop normal traffic indiscriminately, causing responsive TCP flows to degrade severely

• Approximate fair dropping schemes aim to provide fair sharing between flows

  • But attackers can launch many seemingly legitimate TCP connections with spoofed IP addresses and port numbers

• Both aggregate-based and flow-based router defense mechanisms can be defeated

Slide 10

Previous Solutions (cont’d)

• Same three points as on the previous slide, with the conclusion:

In general, defenses based on unauthenticated header information such as IP addresses and port numbers may not be reliable

Slide 11

Outline

• Problem

• Approach

• Experimental Results

• Summary

Slide 12

Our Solution

• Provide bandwidth isolation between OD pairs, independent of IP spoofing or number of TCP/UDP connections

• We call this method Proactive Surge Protection (PSP) as it aims to proactively limit the damage that can be caused by sudden demand surges, e.g. sudden bandwidth-based DDoS attacks

Slide 13

Basic Idea: Bandwidth Isolation

• Meter and tag packets on ingress as HIGH or LOW priority, based on historical traffic demands and network capacity

• Drop LOW packets under congestion inside the network

[Figure: same topology with 10G links. Seattle/NY: limit 3.5 Gb/s, actual 3 Gb/s, all admitted as High. Sunnyvale/NY: limit 3.5 Gb/s, actual 3 Gb/s, all admitted as High. Houston/Atlanta under normal conditions: limit 3 Gb/s, actual 2 Gb/s, all admitted as High. Houston/Atlanta under attack: limit 3 Gb/s, actual 10 Gb/s, High 3 Gb/s, Low 7 Gb/s. Traffic received in NY: Seattle 3 Gb/s, Sunnyvale 3 Gb/s, …]

The proposed mechanism proactively drops attack traffic immediately when an attack occurs

Slide 14

Architecture

[Figure: PSP architecture. Policy plane: a Traffic Data Collector feeds traffic measurements to a Bandwidth Allocator, which produces the Bandwidth Allocation Matrix. Data plane: Differential Tagging, deployed at the network perimeter, marks arriving packets as High priority or Low priority according to that matrix; Preferential Dropping, deployed at network routers, takes the tagged packets and separates forwarded packets from dropped packets.]

The proposed mechanism is readily available in modern routers

Slide 15

Allocation Algorithms

• Aggregate traffic at the core is very smooth and its variations are predictable

• Compute a bandwidth allocation matrix for each hour based on historical traffic measurements, e.g. the allocation for 3pm is computed from the traffic measurements taken during 3-4pm over the past 2 months

[Figure: Source: Roughan’03 on a Tier-1 US Backbone]

Slide 16

Allocation Algorithms

• To account for measurement inaccuracies and provide headroom for traffic burstiness, we fully allocate the entire network capacity by solving a utility max-min fair allocation problem

  • Mean-PSP: based on the mean of the traffic demands

  • CDF-PSP: based on the Cumulative Distribution Function (CDF) of the traffic demands

• Utility max-min fair allocation

  • Iteratively allocate bandwidth in a “water-filling” manner

  • Each iteration maximizes the common utility of all flows

  • Remove the flows without residual capacity after each iteration

Slide 17

Utility Max-min Fair Bandwidth Allocation

[Figure: three-node example A - B - C with links of 5 units of capacity. Left: utility functions of flows AC, AB and BC, Utility (%) vs. BW (1-5). Right: network allocation, BW (0-5) on links AB and BC, after the 1st round and after the 2nd round]

Slide 18

Mean-PSP (Mean-based Max-min)

• Use the mean traffic demand as the utility function: $f_{ij}(B_{ij}) = B_{ij} / d^{\mathrm{measurement}}_{ij}$, where $d^{\mathrm{measurement}}_{ij}$ is the mean measured demand of OD pair $ij$

• Iteratively allocate bandwidth in a “water-filling” manner

[Figure: three-node example A - B - C with 10G links in each direction. Tables: Mean Demand between A, B and C, and the resulting BW Allocation $B_{ij}$. Bar charts of BW (0-10) on links BA, CB, BC and AB after the 1st round and after the 2nd round]
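An added example, not code from the paper or its authors: the water-filling allocator of slides 16-18 with the Mean-PSP utility $B_{ij}/d_{ij}$, plus the ingress HIGH/LOW tagging of slide 13 that consumes the allocation matrix. The 3-node topology, demands, link names and the function names `mean_psp_allocate`/`tag_ingress` are my assumptions; CDF-PSP (slide 19) would replace the utility with $\mathrm{PROB}[d_{ij} \le B_{ij}]$ and is not implemented here.

```python
# Mean-PSP water-filling allocator + ingress tagging (added example, constructed data).

def mean_psp_allocate(links, flows, demand):
    """Utility max-min fair allocation with f_ij(B_ij) = B_ij / d_ij.
    links:  {link: capacity}          flows: {od_pair: [links on its route]}
    demand: {od_pair: mean measured demand d_ij}
    Returns {od_pair: B_ij}; every link ends up fully allocated."""
    residual = dict(links)        # capacity still unassigned on each link
    active = set(flows)           # OD pairs whose allocation is not yet fixed
    alloc = {}
    while active:
        # A link saturates when sum(u * d_ij) over its active flows reaches its
        # residual capacity; the smallest such u is this round's common utility.
        bottleneck, u = None, float("inf")
        for link, cap in residual.items():
            total = sum(demand[f] for f in active if link in flows[f])
            if total > 0 and cap / total < u:
                bottleneck, u = link, cap / total
        if bottleneck is None:    # no active flow uses any remaining link
            break
        # Flows crossing the bottleneck are frozen at utility u (B_ij = u * d_ij)
        # and their bandwidth is subtracted from every link on their route.
        for f in [f for f in active if bottleneck in flows[f]]:
            alloc[f] = u * demand[f]
            active.remove(f)
            for link in flows[f]:
                residual[link] -= alloc[f]
        del residual[bottleneck]  # fully allocated: drop from further rounds
    return alloc


def tag_ingress(rates, alloc):
    """Differential tagging at the perimeter: traffic up to the OD pair's
    allocation B_ij is HIGH priority, the excess is LOW (dropped first under
    congestion inside the network). Returns {od_pair: (high_rate, low_rate)}."""
    return {f: (min(r, alloc[f]), max(0.0, r - alloc[f])) for f, r in rates.items()}


# Constructed 3-node example: A - B - C, 10G links in each direction.
LINKS = {"A>B": 10.0, "B>A": 10.0, "B>C": 10.0, "C>B": 10.0}
FLOWS = {"AB": ["A>B"], "AC": ["A>B", "B>C"], "BA": ["B>A"],
         "BC": ["B>C"], "CA": ["C>B", "B>A"], "CB": ["C>B"]}
DEMAND = {"AB": 1.5, "AC": 1.0, "BA": 1.0, "BC": 0.5, "CA": 1.5, "CB": 1.0}

if __name__ == "__main__":
    print(mean_psp_allocate(LINKS, FLOWS, DEMAND))
    # A slide-13 style surge: an OD pair limited to 3 Gb/s suddenly sends 10 Gb/s.
    print(tag_ingress({"Houston/Atlanta": 10.0}, {"Houston/Atlanta": 3.0}))
```

With these demands the first round saturates A>B, B>A and C>B at a common utility of 4, and the second round gives the remaining flow BC all of the 6 units left on B>C.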

Slide 19

CDF-PSP (CDF-based Max-min)

• Explicitly capture the traffic variance by using a Cumulative Distribution Function (CDF) model as the utility function: $f_{ij}(B_{ij}) = \mathrm{PROB}[d_{ij} \le B_{ij}]$

• Maximizing utility is equivalent to minimizing the drop probabilities of all flows in a max-min fair manner

• E.g. $d_{ij} = (1, 1, 1, 3, 5)$: when allocated 3 units of bandwidth, the drop probability is 20%

[Figure: Utility (%) vs. BW (1-5) for this example]

Slide 20

Outline

• Problem

• Approach

• Experimental Results

• Summary

Slide 21

Networks

• US Backbone: large tier-1 backbone network in the US, ~700 nodes, ~2000 links (1.5 Mb/s – 10 Gb/s), 1-minute traffic traces: 07/01/07-09/03/07

• Europe Backbone: large tier-1 backbone network in Europe, ~900 nodes, ~3000 links (1.5 Mb/s – 10 Gb/s), 1-minute traffic traces: 07/01/07-09/03/07

Slide 22

Evaluation Methodology

• NS2 simulation

• Normal traffic: based on the actual traffic demands over a 24-hour period for each backbone

• Attack traffic

  • US Backbone: highly distributed attack scenario, based on commercial anomaly detection systems, from 40% of ingress routers to 25% of egress routers

  • Europe Backbone: targeted attack scenario, created by a synthetic attack flow generator, from 40% of ingress routers to only 2% of egress routers

Slide 23

Packet Loss Rate Comparison

[Figure: packet loss rate over the 24-hour period; panels US and Europe]

• Both PSP schemes greatly reduced packet loss rates

• Peak hours have higher packet loss rates

Slide 24

Relative Loss Rate Comparison

[Figure: relative loss rate; panels US and Europe]

• PSP reduced packet loss rates by more than 75%

Slide 25

Behavior Under Scaled Attacks

• Packet drop rate with the attack demand scaled by a factor of up to 3x

• Under PSP, the loss remains small throughout the range

[Figure: packet drop rate vs. attack scaling factor; panels US and Europe]

Slide 26

Summary of Contributions

• Proactive solution for protecting networks that provides a first line of defense when sudden DDoS attacks occur

• Very effective in protecting network traffic from collateral damage

• Not dependent on unauthenticated header information, thus robust to IP spoofing

• Readily deployable using existing router mechanisms

Slide 27

Questions?