The Role of Indirection and Diffusion in DDoS Defense
Angelos D. Keromytis, Network Security Lab, Computer Science Department, Columbia University

Capacity and Path Diversity

[Figure: link types POTS/ISDN, T1, 10M Ethernet, OC3, OC192, OC12; labels: Increasing Traffic Aggregation; Increasing SW Service Deployment Times; Increasing Preference for SW Restriction to Control Plane; More Nodes; Decreasing cycles/bps]

- DDoS seems to be largely a last-3-hops problem
  - Informal survey of ISPs shows 20-40Gbps per POP
  - Many redundant paths (some are better than the route-converged path!)
- Similar characteristics likely to hold for any future Internet
  - Unless we abandon statistical mux model and adopt single-authority/ISP (think phone network)
  - FiOS or similar network upgrades unlikely to significantly change the situation (wireless may make things worse!)
- Must be intelligent about traffic monitoring/admission/handling
  - Intelligence inside the network is hard to come by

Indirection and Diffusion

- Send the traffic to the intelligence
  - Put the intelligence where you can (technology, cost/benefit, deployment limitations)
  - Intelligence can be pretty invasive, e.g., full-blown authentication, payment, CAPTCHA, attestation...
- Intelligence must not be a point of vulnerability
  - Scalable, distributed, restricted interface (attack surface)
  - But: an easier proposition than doing the same at line speeds inside the network
- Diffusion helps to eliminate single-failure points
  - Challenges: interference, sensing, knowledge, guarantees?
- Intelligence must be efficient
  - Performance, reliability, low-cost (shared & on-demand?)
- Transparent vs. explicit intelligence/indirection
- Complement intelligence with simple in-network mechanisms
  - Routing, limited filtering abilities, deflections, ???
  - Use what you can, where it makes sense (to paraphrase e2e)