
Introduction Assumptions and Goals Architecture Design Details Analysis Implementation and Evaluation Discussion 2 A Presentation at Advanced Defence.


2 Outline: Introduction; Assumptions and Goals; Architecture; Design Details; Analysis; Implementation and Evaluation; Discussion. A Presentation at Advanced Defence Lab

3 A survey from Arbor Networks (2009) shows that DoS attacks continue to grow in both scale and sophistication.

5 There have been several proposals addressing this challenge, but the best defense mechanism these systems can offer is per-host queuing at the flooded link to separate legitimate traffic from attack traffic.

6 Threat Model: flood-based network attacks; strong adversary. (Figure: attack topology with the victim.)

7 Assumptions. Trust: we assume that routers managed by the network are much less likely to be compromised than end systems. Line-speed lightweight cryptography: some current hardware can support AES operations at 40Gbps (Intel AES instruction set).

8 Goals: guaranteed network resource fair share; open network; scalable and lightweight (low communication, computation, and memory overhead); incrementally adoptable; network self-reliant defense. Our hypothesis is that extra dependencies increase security risk and may create deployment deadlocks.

10 NetFence has three types of packets: request packets, regular packets, and legacy packets. The first two have a shim NetFence header between their IP and upper-layer protocol headers.

11 Congestion policing feedback: nop, indicating no policing action is needed; mon, indicating the connection must be monitored; an overloaded or underloaded feedback for L, indicating that link L is overloaded or underloaded.

12 It limits the request channel on any link to a small fraction (5%) of the link's capacity. It combines packet prioritization and priority-based rate limiting: the sender is limited to send level-k packets at half of the rate of level-(k-1) packets.
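The following is an added toy model of the request channel described on this slide; it is not NetFence's code. It assumes that higher-level request packets are served first at the congested link (the reason a sender would pay the halved rate for a higher level), a level-0 allowance R0 of 64 packets per accounting interval per sender, a link budget expressed in packets per interval, and a proportional split of a short budget within one level. Those are this example's assumptions; the 5% request-channel fraction and the halving per level come from the slide.

```python
REQ_FRACTION = 0.05     # request channel gets 5% of link capacity (slide 12)
LINK_CAPACITY = 10_000  # packets per accounting interval (constructed value)
R0 = 64                 # level-0 request allowance per sender per interval (assumption)


def level_allowance(k, r0=R0):
    """Level-k packets are allowed at half the rate of level-(k-1): r0 / 2^k."""
    return r0 / 2 ** k


def police_sender(demand, r0=R0):
    """Access-router side: clamp each level's demand to that level's allowance.

    demand: {level: packets the sender wants to emit this interval}
    """
    return {k: min(n, level_allowance(k, r0)) for k, n in demand.items()}


def schedule_request_channel(policed, capacity=LINK_CAPACITY, frac=REQ_FRACTION):
    """Congested-link side: spend the request budget on higher levels first.

    policed: list of {level: packets} dicts, one per sender (after policing).
    Returns a list of {level: packets served} dicts in the same order.
    Within one level a short budget is split in proportion to demand (assumption).
    """
    budget = capacity * frac
    served = [dict() for _ in policed]
    levels = sorted({k for d in policed for k in d}, reverse=True)
    for k in levels:
        total = sum(d.get(k, 0) for d in policed)
        if total == 0:
            continue
        grant = min(total, budget)
        for i, d in enumerate(policed):
            if k in d:
                served[i][k] = d[k] * grant / total
        budget -= grant
    return served


def scenario(attacker_level, legit_level, n_attackers=99):
    """99 attackers flood one level; one legitimate sender uses another level.

    Returns (packets served for the legitimate sender, packets served per attacker).
    Every sender offers far more than its allowance (constructed demand of 1000).
    """
    senders = [police_sender({attacker_level: 1000}) for _ in range(n_attackers)]
    senders.append(police_sender({legit_level: 1000}))
    served = schedule_request_channel(senders)
    return served[-1][legit_level], served[0][attacker_level]


if __name__ == "__main__":
    # Attackers stay at level 0; the legitimate sender escalates to level 3 and
    # gets all of its (smaller) allowance through while level-0 traffic is squeezed.
    print("attackers L0, legit L3:", scenario(0, 3))
    # If attackers escalate too, their aggregate halves with every level, and the
    # legitimate sender regains a guaranteed share by going one level higher.
    print("attackers L3, legit L3:", scenario(3, 3))
    print("attackers L3, legit L4:", scenario(3, 4))
```

Each level of escalation halves the attackers' aggregate request rate, so the cost of keeping the legitimate sender starved grows while the legitimate sender's guaranteed share at the next level shrinks only geometrically; this is the trade-off the slide's "half of the rate of level-(k-1)" rule buys.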

13 Monitoring cycle. When a router suspects that its outgoing link L is under attack, it starts a monitoring cycle for L. Its inputs are the router's average utilization and the average loss rate p (computed with an EWMA) compared against the threshold p_th. It marks L as in the mon state.
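As an added example (not NetFence's implementation) of the trigger on this slide, the code below keeps an EWMA of link L's loss rate and moves the link into the mon state once the smoothed loss exceeds p_th. The 2% threshold is the value the slides give later; the EWMA weight ALPHA, the minimum sample size, the hysteresis rule for leaving mon, and the per-interval samples are this example's own assumptions.

```python
P_TH = 0.02      # attack detection threshold from the slides (2% loss)
ALPHA = 0.25     # EWMA weight given to the newest sample (assumption)
MIN_PKTS = 100   # intervals with fewer packets give a noisy loss estimate (assumption)


class LinkMonitor:
    """Per-outgoing-link state a router keeps to decide when to start monitoring."""

    def __init__(self, name, p_th=P_TH, alpha=ALPHA):
        self.name = name
        self.p_th = p_th
        self.alpha = alpha
        self.p = 0.0          # EWMA of the loss rate
        self.state = "idle"   # "idle" or "mon"
        self.cycles = 0       # number of monitoring cycles started

    def observe(self, sent, dropped):
        """Feed one measurement interval: packets offered to L and packets dropped."""
        if sent < MIN_PKTS:
            return self.state            # too few packets to update the estimate
        sample = dropped / sent
        self.p = (1 - self.alpha) * self.p + self.alpha * sample
        if self.state == "idle" and self.p > self.p_th:
            self.state = "mon"           # start a monitoring cycle for L
            self.cycles += 1
        elif self.state == "mon" and self.p < self.p_th / 2:
            self.state = "idle"          # leave mon only after loss clearly subsides (assumption)
        return self.state


def run(samples, **kw):
    """Replay (sent, dropped) samples through a monitor; returns (states, monitor)."""
    mon = LinkMonitor("L", **kw)
    return [mon.observe(s, d) for s, d in samples], mon


# Constructed per-interval samples: a quiet link, a tiny interval that is
# ignored, three intervals of 5% loss, then loss stops.
SAMPLES = [
    (1000, 0), (1000, 0), (50, 25),
    (1000, 50), (1000, 50), (1000, 50),
    (1000, 0), (1000, 0), (1000, 0), (1000, 0),
]

if __name__ == "__main__":
    states, mon = run(SAMPLES)
    print(states)              # second 5% interval pushes the EWMA over 2% -> mon
    print(mon.cycles, mon.p)   # one cycle; smoothed loss decays back below p_th/2
```

The smoothing matters for the on-off attack mentioned on a later slide: a single lossy interval does not start a cycle, and once started the cycle outlasts the burst that triggered it.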

14 If the packet carries nop, stamp L's feedback. Otherwise, if the packet already carries feedback stamped by an upstream link, do nothing. Otherwise, if L is overloaded, stamp L's overloaded feedback.

15 We implement a rate limiter as a queue whose de-queuing rate is the rate limit, similar to a leaky bucket, and use the queue to absorb traffic bursts.

16 The overloaded and underloaded feedback for L enables an access router to adjust the rate limit r_lim of the rate limiter (src, L) with an AIMD algorithm.

17 However, a malicious sender can manipulate this design by hiding the overloaded feedback for L to prevent its rate limit from decreasing. So…

18 For each rate limiter (src, L), the access router R_a keeps two state variables: t_s and hasIncr. If hasIncr is true, R_a compares the throughput of the rate limiter with ½ r_lim. Otherwise, R_a decreases r_lim to (1 − δ) r_lim.
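The following is an added simulation (not NetFence's code) of the access-router control loop from slides 16 to 18, written to show why the t_s / hasIncr rule defeats a sender that hides overload feedback. It assumes a 1-second control interval, an additive step INC, a decrease factor δ = 0.1, feedback written as "up" (L overloaded) and "down" (L underloaded), and that when hasIncr is true the rate limit is raised only if measured throughput is at least ½ r_lim (so an idle sender cannot bank unused rate); the slide gives the comparison but not the outcome, so that last rule is this example's reading. The naive AIMD variant is included only as the baseline the slide's "However…" refers to.

```python
INTERVAL = 1.0   # control interval in seconds (assumption)
INC = 0.1        # additive increase step in Mbps (assumption)
DELTA = 0.1      # multiplicative decrease: r_lim -> (1 - DELTA) * r_lim (assumption)


class RateLimiter:
    """State the access router R_a keeps for one (src, L) rate limiter."""

    def __init__(self, r_init, now, robust=True):
        self.r_lim = r_init
        self.robust = robust
        self.t_s = now            # start of the current control interval
        self.has_incr = False     # valid "down" feedback seen in this interval?
        self.bits = 0.0           # traffic forwarded in this interval (Mbit)

    def forward(self, bits):
        self.bits += bits

    def on_feedback(self, fb, fb_ts):
        if self.robust:
            if fb_ts < self.t_s:
                return            # stamped before this interval: replayed or stale, ignore
            if fb == "down":
                self.has_incr = True
            # an "up" is accepted but nothing depends on it: absence of "down"
            # already forces the decrease, so hiding "up" gains the sender nothing
        else:
            # naive AIMD: acts on whatever feedback the sender chooses to return
            if fb == "down":
                self.r_lim += INC
            elif fb == "up":
                self.r_lim *= 1 - DELTA

    def end_interval(self, now):
        if self.robust:
            throughput = self.bits / max(now - self.t_s, 1e-9)
            if self.has_incr:
                if throughput >= self.r_lim / 2:   # only raise a limit that is being used
                    self.r_lim += INC
            else:
                self.r_lim *= 1 - DELTA            # default when no valid "down" arrived
        self.t_s = now
        self.has_incr = False
        self.bits = 0.0
        return self.r_lim


def simulate(link_feedback, hide_up, robust):
    """One sender with unlimited demand; the congested link stamps one feedback per interval."""
    lim = RateLimiter(1.0, 0.0, robust)
    now = 0.0
    for fb in link_feedback:
        lim.forward(lim.r_lim * INTERVAL)          # sender fills its whole allowance
        if not (hide_up and fb == "up"):            # a cheating sender drops "up"
            lim.on_feedback(fb, now + INTERVAL / 2)
        now += INTERVAL
        lim.end_interval(now)
    return lim.r_lim


# Constructed sequence of what link L stamps over six intervals.
LINK = ["down", "down", "up", "down", "up", "up"]

if __name__ == "__main__":
    print("robust, honest :", simulate(LINK, hide_up=False, robust=True))
    print("robust, hiding :", simulate(LINK, hide_up=True, robust=True))   # same value
    print("naive,  honest :", simulate(LINK, hide_up=False, robust=False))
    print("naive,  hiding :", simulate(LINK, hide_up=True, robust=False))  # keeps growing
```

With the naive loop the cheating sender ends the run at a higher limit than an honest one; with the t_s / hasIncr rule both end at the same limit, because the only way to earn an increase is to return a "down" feedback stamped inside the current interval.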

19 Feedback format. Stamping nop feedback.

20 Stamping the underloaded feedback for L also inserts a token_nop into the token_nop field. When stamping the overloaded feedback for L, the router R_b erases the token_nop field afterwards to prevent malicious downstream routers from overwriting its feedback.

21 Validating feedback. A feedback is considered invalid if its ts field is more than w seconds older than the access router's local time t_now, i.e. |t_now − ts| > w, or if the MAC field has an invalid signature.
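An added illustration of this validation rule, not the project's code: a router stamps feedback with a timestamp and a MAC, and the access router accepts it only if the timestamp is within w seconds and the MAC verifies. It assumes the MAC covers (ts, src, dst, link, feedback type), uses a truncated HMAC-SHA256 under a key shared between the stamping and access routers in place of the AES-based MAC the slides allude to, and picks w = 5 seconds and an 8-byte tag; all of those are this example's choices. Binding the feedback type into the MAC is what makes flipping an overloaded feedback into an underloaded one detectable.

```python
import hashlib
import hmac
import struct

W = 5         # acceptance window w in seconds (assumption)
MAC_LEN = 8   # truncated tag length in bytes (assumption)


def _mac(key, ts, src, dst, link, fb):
    """MAC over every field the access router relies on; ts as a 32-bit counter."""
    msg = struct.pack("!I", ts) + b"|".join(s.encode() for s in (src, dst, link, fb))
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


def stamp(key, ts, src, dst, link, fb):
    """Router side: produce the feedback fields carried in the NetFence header."""
    if fb not in ("nop", "up", "down"):
        raise ValueError("unknown feedback type")
    return {"ts": ts, "src": src, "dst": dst, "link": link, "fb": fb,
            "mac": _mac(key, ts, src, dst, link, fb)}


def validate(key, pkt, t_now, w=W):
    """Access-router side: reject stale or unauthenticated feedback.

    Returns (accepted, reason). The timestamp check runs first so a flood of
    replayed packets is discarded before any MAC work is spent on it.
    """
    if abs(t_now - pkt["ts"]) > w:
        return False, "stale timestamp"
    expected = _mac(key, pkt["ts"], pkt["src"], pkt["dst"], pkt["link"], pkt["fb"])
    if not hmac.compare_digest(pkt["mac"], expected):
        return False, "bad MAC"
    return True, "ok"


if __name__ == "__main__":
    KEY = b"constructed-shared-router-key"       # constructed, not a real key
    pkt = stamp(KEY, 1000, "10.0.0.1", "10.0.0.2", "L", "up")
    print(validate(KEY, pkt, 1003))                          # fresh, authentic
    print(validate(KEY, pkt, 1006))                          # 6 s old with w = 5
    print(validate(KEY, dict(pkt, fb="down"), 1003))         # feedback type altered
    print(validate(KEY, dict(pkt, mac=b"\0" * MAC_LEN), 1003))  # MAC stripped
```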

22 A NetFence router can take several approaches to localize the damage of compromised ASes if its congestion persists after it has started a monitoring cycle, which is a signal of malfunctioning access routers.

23 All approaches require a router to correctly identify a packet's source AS, which can be achieved using an IP-to-AS mapping tool if the packet's source IP address is not spoofed. NetFence uses Passport to prevent source address spoofing. (Figure: packet layout IP Header | Passport | Payload.)

25 A request packet's size is estimated as 92 bytes, which includes a 40-byte TCP/IP header, a 28-byte NetFence header and a 24-byte Passport header. We set the attack detection threshold p_th to 2%, since at this packet loss rate a TCP flow with 200ms RTT and 1500B packets can obtain about 500Kbps throughput.
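As an added check of the p_th justification (not part of the slides), the TCP throughput approximation of Mathis et al., $T \approx 1.22\,\mathrm{MSS}/(\mathrm{RTT}\sqrt{p})$, evaluated with the slide's numbers gives

$$T \approx \frac{1.22 \times 1500 \times 8\ \text{bit}}{0.2\ \text{s} \times \sqrt{0.02}} = \frac{14640\ \text{bit}}{0.2 \times 0.1414\ \text{s}} \approx 5.2 \times 10^{5}\ \text{bit/s} \approx 518\ \text{Kbps},$$

which is the "about 500Kbps" quoted, so a legitimate TCP flow still makes progress at the loss rate chosen as the attack threshold.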

26 As a closed-loop design, NetFence can place different functions at different locations to provide per-sender fairness. We think 100 links per legitimate sender is a reasonable upper bound; if an access router serves 10K end hosts, the total memory requirement is less than 2GB. The per-packet processing time on our benchmarking PC is less than 1.3μs during attack times, which translates into a throughput of more than 9Gbps.

27 Malicious End Systems. Forgery or tampering: MAC and robust AIMD. Evading attack detection: packet loss rate p. On-off attacks: prolonged monitor cycle.

28 Malicious On-path Routers. A malicious router downstream of a congested link may attempt to remove or modify the overloaded feedback for L: MAC. A malicious on-path router may discard packets to completely disrupt end-to-end communications, duplicate packets, or increase packet sizes to congest downstream links: Passport.

29 Routers at congested links and access routers need to be upgraded, but well-provisioned routers that can withstand tens of Gbps attack traffic may not need to upgrade.

31 We have implemented NetFence in Linux using XORP and Click. We benchmark the Linux implementation on Deterlab with a three-node testbed: A---B--{5Mbps}--C. Traffic: 100Kbps UDP request and 1Mbps UDP regular; for the DoS case, 1Mbps UDP request and 10Mbps UDP regular.

33 Using ns-2 simulations, compare with other solutions: TVA+ uses network capabilities and per-host fair queuing to defend against DoS flooding attacks; StopIt is a filter and fair queuing based DoS defense system; Fair Queuing.

34 Unwanted Traffic Flooding Attacks. (Figure: topology with the victim behind routers R_bl and R_br; 1 legitimate sender and 99 attackers.)

36 Colluding Attacks, Single Bottleneck. (Figure: topology with routers R_bl and R_br, 10 ASes, 25% legitimate senders, and the victim.)

37 Two metrics. Throughput ratio: the ratio between the average throughput of a legitimate user and that of an attacker. Fairness index among legitimate users: let x_i denote legitimate sender i's throughput; the fairness index is defined as $(\sum_i x_i)^2 / (n \sum_i x_i^2)$.

39 (Figure: multi-bottleneck topology with nodes A, B, C and link capacities C_L1 and C_L2.)

41 Multi-bottleneck feedback in a NetFence header.

43 Fair Share Bound: O(C/(G+B)). Congestion Quota: if we assume legitimate users have limited traffic demand while attackers aim to persistently congest a bottleneck link, we can further weaken a DoS flooding attack by imposing a congestion quota.

44 Convergence Speed: it may take a relatively long time (e.g., 100s-200s) for NetFence to converge to fairness. Equal Cost Multiple Path: NetFence assumes that a flow's path is relatively stable and the bottleneck links on the path do not change rapidly.

