Presentation is loading. Please wait.

Presentation is loading. Please wait.

DDoS: Defense by Offense 1 DDoS Defense by Offense Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker, SIGCOMM ‘06 Presented.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "DDoS: Defense by Offense 1 DDoS Defense by Offense Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker, SIGCOMM ‘06 Presented."— Presentation transcript:

1 DDoS: Defense by Offense 1 DDoS Defense by Offense Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker, SIGCOMM ‘06 Presented by Karl Deng, Zhaosheng Zhu

2 DDoS: Defense by Offense 2 Outline Introduction Design Implementation Evaluation Concerns Conclusions

3 DDoS: Defense by Offense 3 Introduction

4 DDoS: Defense by Offense 4 Basic Idea Defense against application level DDoS attacks –Way of dealing with attack as it occurs, not a prevention scheme

5 DDoS: Defense by Offense 5 Application-level attacks Attacker sends legitimate-looking requests to waste server ’ s resources Overwhelms server, not access links Cheaper than link-level attacks (for the attacker) Attack traffic is harder to identify

6 DDoS: Defense by Offense 6 Application-level attacks Current defenses focus on slowing down attackers/stopping the attack. But good clients are totally drowned out in these defense systems – it ’ s time for them to speak-up.

7 DDoS: Defense by Offense 7 3 Types of Defenses 1.Overprovision computation resources massively 2.Detect and block attackers Rate-limit, filter, capability 3.Charge all clients a currency (scare resource) Such resources can be: –Digital payment (micro-payment) –Computational work (proof of work) e.g, solving a puzzle –Human attention (proof of humanity) e.g., CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart)

8 DDoS: Defense by Offense 8 Speak-up It ’ s a currency-based defense that uses bandwidth as the currency –Claim: attackers use most of their available bandwidth during attacks, victims don ’ t –Use encouragement to make victims send more traffic so they are better represented at the server

9 DDoS: Defense by Offense 9 Two conditions to make it work … Adequate Link Bandwidth: there must be enough spare bandwidth to allow for speak-up inflated traffic Adequate Client Bandwidth: the aggregate bandwidth of all good clients must be on the same order as the attackers ’

10 DDoS: Defense by Offense 10 Three conditions where it wins … No predefined clientele: Makes filtering impossible, so use speak-up. Non-human clientele: Makes “ human ” tests (type in the word, etc) impossible, so use speak-up. Unequal requests or spoofing or smart bots: No method for dealing with the first, can ’ t use methods for the second two … use speak-up!!!

11 DDoS: Defense by Offense 11 Design

12 DDoS: Defense by Offense 12 Design Goal Allocate resources to competing clients in proportion to bandwidth [math]

13 DDoS: Defense by Offense 13 3 Required Mechanisms 1. Way to limit the total requests to the server to its max, c 2. Mechanism to reveal available bandwidth/provide encouragement 3. Proportional allocation mechanism – let clients in proportional to delivered bandwidth Hence, the thinner appears.

14 DDoS: Defense by Offense 14 Explicit Payment Channel Thinner pads client traffic with dummy bytes, but how many should we pad with? We don ’ t need to know that information!

15 DDoS: Defense by Offense 15 Explicit Payment Channel When server is overloaded, thinner asks clients to open separate payment channels (virtual auction) Client sends bytes on this channel, becomes a contender Thinner tracks how much each contender sends When server is free, thinner admits the highest bidder and closes the channel

16 DDoS: Defense by Offense 16 Heterogeneous requests Charging the same amount for unequal requests gives unfair advantage to attacker So charge per time chunk instead of per request

17 DDoS: Defense by Offense 17 Heterogeneous requests Charge ongoing request Instead of closing the bid channel after accepting a client, keep it open until request is served Every unit of service time, reopen the auction

18 DDoS: Defense by Offense 18 Heterogeneous requests 1.At time t, v is active connection, u is the highest contender 2.u > v, SUSPEND v, ADMIT (RESUME) u 3.v > u, let v continue sending, but reset its payment counter for time t+1 4.ABORT requests that have been suspended too long

19 DDoS: Defense by Offense 19 Implementation

20 DDoS: Defense by Offense 20 Implementation

21 DDoS: Defense by Offense 21 Evaluation

22 DDoS: Defense by Offense 22 Evaluation Validating the thinner ’ s allocation Latency and byte cost Adversarial advantage Heterogeneous network conditions Good and bad clients sharing bottlenecks Impact of speak-up on other traffic

23 DDoS: Defense by Offense 23 Validating the thinner ’ s allocation Question 1: Do groups get service in proportion to bandwidth? Setup: 50 clients over 100 Mb/s LAN Each gets 2Mb/s c = 100 req/s Vary f, the fraction of good clients

24 DDoS: Defense by Offense 24 Validating the thinner ’ s allocation

25 DDoS: Defense by Offense 25 Validating the thinner ’ s allocation Speak-up defended clients are always a little behind ideal Always fare better than undefended

26 DDoS: Defense by Offense 26 Validating the thinner ’ s allocation Question 2: What happens when we vary the capacity of the server? Setup: 25 good clients, 25 bad clients cid = 100 c = 50, 100, 200

27 DDoS: Defense by Offense 27 Validating the thinner ’ s allocation

28 DDoS: Defense by Offense 28 Validating the thinner ’ s allocation

29 DDoS: Defense by Offense 29 Validating the thinner ’ s allocation Good clients do best when the server has ability to process all requests (i.e., large c) Service proportional to bandwidth even when server can ’ t process all requests

30 DDoS: Defense by Offense 30 Latency cost Same setup as last experiment Measures the length of time clients spend uploading dummy bytes

31 DDoS: Defense by Offense 31 Latency cost

32 DDoS: Defense by Offense 32 Latency cost With a large c, cost isn ’ t very high Even with a small c, worst added delay is 1s. –Pretty bad, but not as bad as getting no service during an attack, right?

33 DDoS: Defense by Offense 33 Byte Cost Still the same setup Measure the average number of bytes uploaded for served requests

34 DDoS: Defense by Offense 34 Byte Cost

35 DDoS: Defense by Offense 35 Byte Cost Bad clients do end up paying more than good clients

36 DDoS: Defense by Offense 36 Heterogeneous Network Conditions First, look at varied bandwidth 5 client categories, 10 clients in each category Bandwidth for category i = 0.5i Mbps (1 <= i <= 5) All clients are good clients c = 10

37 DDoS: Defense by Offense 37 Heterogeneous Network Conditions

38 DDoS: Defense by Offense 38 Heterogeneous Network Conditions Roughly proportional to bandwidth of clients Close to ideal

39 DDoS: Defense by Offense 39 Heterogeneous Network Conditions Now look at effect of varied RTT 5 client categories, with 10 clients in each RTT for category i = 100i ms (1 <= i <= 5) Bandwidth per client = 2 Mbps c = 10 Run with all good or all bad clients

40 DDoS: Defense by Offense 40 Heterogeneous Network Conditions

41 DDoS: Defense by Offense 41 Heterogeneous Network Conditions Good clients with long RTTs do worse than any bad clients

42 DDoS: Defense by Offense 42 Good and Bad Sharing a Bottleneck 30 clients, each with 2 Mbps, connect to thinner through link l l ‘ s bandwidth = 40 Mbps 10 good, 10 bad clients, each with 2Mbps, connect directly to thinner C = 50 req/s Vary number of good/bad behind l

43 DDoS: Defense by Offense 43 Good and Bad Sharing a Bottleneck

44 DDoS: Defense by Offense 44 Good and Bad Sharing a Bottleneck Clients behind l capture half of the server ’ s capacity Good behind l suffer some, especially with greater number of bad clients Effect on good clients greater when bottleneck is smaller

45 DDoS: Defense by Offense 45 Impact of speak-up on other traffic Bottleneck, m, shared between speak- up clients and TCP endpoint, H Run with H as a sender, m is shared fairly Run with H as a receiver, H ’ s ACKs will get lost, H ’ s requests will be delayed

46 DDoS: Defense by Offense 46 Impact of speak-up on other traffic Experimented specifically with H as a receiver 10 good speak-up clients, 1 HTTP client downloading with wget m = 1Mbps, rest = 2Mbps c = 2

47 DDoS: Defense by Offense 47 Impact of speak-up on other traffic

48 DDoS: Defense by Offense 48 Impact of speak-up on other traffic Huge impact on H “ Pessimistic ” result according to authors Only happens during attack, might be worth it to help “ defend the Internet ”

49 DDoS: Defense by Offense 49 Concerns

50 DDoS: Defense by Offense 50 Concerns/Cautions/Objections Does speak-up hurt small sites? –Yes, for current sized botnets –But this might get better with smaller botnets Does speak-up hurt the whole Internet? –Not really –Only for servers under attack –Core over-provisioning dampens the effect –Congestion control will keep speak-up under control

51 DDoS: Defense by Offense 51 Concerns/Cautions/Objections Bandwidth envy –Only “ more better off ” during attacks –ISPs could offer high bw proxies to low bw clients Variable bandwidth costs –Again, offer a high bw proxy –Or let customers decide whether or not to bid

52 DDoS: Defense by Offense 52 Concerns/Cautions/Objections Incentives for ISPs –The basic goodness of society will protect us!!! Solving the wrong problem –Cleaning up botnets is good, but we need to do something in the meantime Flash crowds –Reasonable to treat them as attacks

53 DDoS: Defense by Offense 53 Conclusions

54 DDoS: Defense by Offense 54 Conclusions Not sure who wants/needs speak-up –Survey to find out Speak-up does what it proposes to do

55 DDoS: Defense by Offense 55 Conclusions Main advantages –Network elements don ’ t need to change –Only need to modify servers and add thinners Main disadvantages –Everyone floods, so harder to detect bad clients –Hurts edge networks –Rendered useless if access links to thinner are saturated

Download ppt "DDoS: Defense by Offense 1 DDoS Defense by Offense Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker, SIGCOMM ‘06 Presented."

Similar presentations

Why Is DDoS Hard to Solve? 1.A simple form of attack 2.Designed to prey on the Internet’s strengths 3.Easy availability of attack machines 4.Attack can.

Why Is DDoS Hard to Solve? 1.A simple form of attack 2.Designed to prey on the Internet’s strengths 3.Easy availability of attack machines 4.Attack can.
Using Capability to prevent Internet Denial-of-Service attacks  Tom Anderson  Timothy Roscoe  David Wetherall  Offense Team –Khoa To –Amit Saha.

Using Capability to prevent Internet Denial-of-Service attacks  Tom Anderson  Timothy Roscoe  David Wetherall  Offense Team –Khoa To –Amit Saha.
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
Phalanx: Withstanding Multimillion-Node Botnets Colin Dixon Arvind Krishnamurthy Tom Anderson University of Washington NSDI 2008.

Phalanx: Withstanding Multimillion-Node Botnets Colin Dixon Arvind Krishnamurthy Tom Anderson University of Washington NSDI 2008.
10/10/14 INASP: Effective Network Management Workshops Unit 6: Solving Network Problems.

10/10/14 INASP: Effective Network Management Workshops Unit 6: Solving Network Problems.
DDOS Defense by Offense OFFENSE Presented by: Anup Goyal Aojan Su.

DDOS Defense by Offense OFFENSE Presented by: Anup Goyal Aojan Su.
DDoS Defense by Offense Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by: Boris Kurktchiev and Kimberly.

DDoS Defense by Offense Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by: Boris Kurktchiev and Kimberly.
5/18/2015 Samarpita Hurkute DDoS Defense By Offense 1 DDoS Defense by Offense Michael Walfish,Mythili Vutukuru,Hari Balakrishnan,David Karger,Scott Shenker.

5/18/2015 Samarpita Hurkute DDoS Defense By Offense 1 DDoS Defense by Offense Michael Walfish,Mythili Vutukuru,Hari Balakrishnan,David Karger,Scott Shenker.
DDoS: Defense by Offense 1 DDoS Defense by Offense Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker, SIGCOMM ‘06 Presented.

DDoS: Defense by Offense 1 DDoS Defense by Offense Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker, SIGCOMM ‘06 Presented.
1 DDoS Defense by Offense Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, Scott Shenker, SIGCOMM ‘06 Presented by Lianmu Chen DDoS:

1 DDoS Defense by Offense Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, Scott Shenker, SIGCOMM ‘06 Presented by Lianmu Chen DDoS:
Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense.

Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
Confused, Timid and Unstable: Picking a Video Rate is Hard Te-Yuan (TY) Huang Stanford University Nov 15 th, 2012 Joint work with Nikhil Handigol, Brandon.

Confused, Timid and Unstable: Picking a Video Rate is Hard Te-Yuan (TY) Huang Stanford University Nov 15 th, 2012 Joint work with Nikhil Handigol, Brandon.
The Tension Between High Video Rate and No Rebuffering Te-Yuan (TY) Huang Stanford University IRTF Open 87 July 30th, 2013 Joint work Prof.

The Tension Between High Video Rate and No Rebuffering Te-Yuan (TY) Huang Stanford University IRTF Open 87 July 30th, 2013 Joint work Prof.
XCP: Congestion Control for High Bandwidth-Delay Product Network Dina Katabi, Mark Handley and Charlie Rohrs Presented by Ao-Jan Su.

XCP: Congestion Control for High Bandwidth-Delay Product Network Dina Katabi, Mark Handley and Charlie Rohrs Presented by Ao-Jan Su.
Receiver-driven Layered Multicast S. McCanne, V. Jacobsen and M. Vetterli SIGCOMM 1996.

Receiver-driven Layered Multicast S. McCanne, V. Jacobsen and M. Vetterli SIGCOMM 1996.
The War Between Mice and Elephants Presented By Eric Wang Liang Guo and Ibrahim Matta Boston University ICNP 2001 1.

The War Between Mice and Elephants Presented By Eric Wang Liang Guo and Ibrahim Matta Boston University ICNP
Michael Walfish, Mythili Vutukuru, Hari Balakrishanan, David Karger, Scott Shankar DDos Defense by Offense.

Michael Walfish, Mythili Vutukuru, Hari Balakrishanan, David Karger, Scott Shankar DDos Defense by Offense.
2005 Stanford Computer Systems Lab Flow Cookies Bandwidth Amplification as Flooding Defense Martin Casado, Pei Cao Niels Provos.

2005 Stanford Computer Systems Lab Flow Cookies Bandwidth Amplification as Flooding Defense Martin Casado, Pei Cao Niels Provos.
DDoS Defense by Offense Presented by: Matthew C.H. Ma Damon Chan.

DDoS Defense by Offense Presented by: Matthew C.H. Ma Damon Chan.

Similar presentations

Ads by Google