
ACM SIGCOMM LSAD Workshop, Kyoto, Japan, August 27, 2007
Minimizing Collateral Damage by Proactive Surge Protection
Jerry Chou, Bill Lin (University of California, San Diego); Subhabrata Sen, Oliver Spatscheck (AT&T Labs-Research)

Slide 2: Problem
- Large-scale bandwidth-based DDoS attacks can quickly knock out substantial parts of the network before reactive defenses can respond
- All traffic that shares common route links will suffer collateral damage, even if the OD pair is not under direct attack

Slide 3: Problem
- The potential for large-scale bandwidth-based DDoS attacks exists: e.g. large botnets with more than 100,000 bots exist today that, combined with the prevalence of high-speed Internet access, can give attackers multiple tens of Gb/s of attack capacity
- Moreover, core networks are oversubscribed (e.g. some core routers in Abilene have more than 30 Gb/s of incoming traffic from access networks, but only 20 Gb/s of outgoing capacity to the core)

Slides 4-5: Problem
- Router-based defenses like Random Early Drop (RED, RED-PD, etc.) can prevent congestion by dropping packets early, before congestion sets in
  → But they may drop normal traffic indiscriminately, causing responsive TCP flows to severely degrade
- Approximate fair dropping schemes aim to provide fair sharing between flows
  → But attackers can launch many seemingly legitimate TCP connections with spoofed IP addresses and port numbers
- Both aggregate-based and flow-based router defense mechanisms can be defeated
- In general, defenses based on unauthenticated header information such as IP addresses and port numbers may not be reliable

Slide 6: Example Scenario
- Suppose that under normal conditions the traffic between Seattle/NY and Sunnyvale/NY is under 10 Gb/s
(Figure: Abilene map with New York, Seattle, Sunnyvale, Houston, Atlanta, Indianapolis and Kansas City; 10G links; Seattle/NY: 3 Gb/s; Sunnyvale/NY: 3 Gb/s)

Slide 7: Example Scenario
- Suppose a sudden attack between Houston/Atlanta
  → Congested links suffer a high rate of packet loss
  → Serious collateral damage on crossfire OD pairs
(Figure: same map; Seattle/NY: 3 Gb/s; Sunnyvale/NY: 3 Gb/s; Houston/Atlanta: attack at 10 Gb/s)

Slide 8: Impact on Collateral Damage
- OD pairs are classified into 3 types with respect to the attack traffic
- Even a small percentage of attack flows can affect substantial parts of the network

Slide 9: Our Solution
- Provide bandwidth isolation between OD pairs, independent of IP spoofing or the number of TCP/UDP connections
- We call this method Proactive Surge Protection (PSP), as it aims to proactively limit the damage that can be caused by sudden demand surges, e.g. sudden bandwidth-based DDoS attacks

Slides 10-11: Basic Idea: Bandwidth Isolation
- Reserve bandwidth for the expected OD pair demand
- Meter and tag packets on ingress as HIGH or LOW
- Drop LOW packets under congestion inside the network
(Figure: Seattle/NY: limit 3.5 Gb/s, actual 3 Gb/s, all admitted as HIGH; Sunnyvale/NY: limit 3.5 Gb/s, actual 3 Gb/s, all admitted as HIGH; Houston/Atlanta: limit 3 Gb/s, actual 10 Gb/s, HIGH 3 Gb/s, LOW 7 Gb/s; traffic received in NY: Seattle 3 Gb/s, Sunnyvale 3 Gb/s, ...)
- Unlike conventional admission control, packets are permitted into the network even when the reserved bandwidth has been exceeded
- The proposed mechanism is readily available in modern routers
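The metering, tagging and preferential-dropping steps above can be checked against the slides' own numbers with a small fluid model. The following Python is an added illustration written for this page, not code from the talk or its authors. It assumes the three OD pairs of the figure all cross one shared 10 Gb/s link (labelled "Kansas City" to "Indianapolis" here, an assumption) and compares an indiscriminate drop policy with PSP's two-colour tagging.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, Tuple

# Constructed scenario (assumption, not the talk's measured data): the three
# OD pairs from the slides' figure, all crossing one shared 10 Gb/s link.
SHARED_LINK = ("Kansas City", "Indianapolis")


@dataclass(frozen=True)
class OdPair:
    name: str
    path: Tuple[Tuple[str, str], ...]  # links traversed
    limit: Fraction                    # reserved bandwidth from the allocation matrix, Gb/s
    demand: Fraction                   # offered load in this interval, Gb/s


SCENARIO = (
    OdPair("Seattle/NY", (SHARED_LINK,), Fraction(7, 2), Fraction(3)),
    OdPair("Sunnyvale/NY", (SHARED_LINK,), Fraction(7, 2), Fraction(3)),
    OdPair("Houston/Atlanta", (SHARED_LINK,), Fraction(3), Fraction(10)),  # sudden surge
)


def ingress_meter(pair: OdPair) -> Tuple[Fraction, Fraction]:
    """Two-colour metering at the network perimeter: traffic up to the OD pair's
    reserved limit is tagged HIGH, the excess LOW. Nothing is refused at the
    edge; LOW traffic is admitted and only at risk if a core link congests."""
    high = min(pair.demand, pair.limit)
    return high, pair.demand - high


def link_drops(pairs, link, capacity: Fraction, psp: bool) -> Dict[str, Fraction]:
    """Gb/s dropped per OD pair on one link.

    psp=False: indiscriminate dropping, every pair loses the same share.
    psp=True:  preferential dropping, HIGH is served first and LOW only gets
               whatever capacity is left over."""
    crossing = [p for p in pairs if link in p.path]
    if not psp:
        total = sum((p.demand for p in crossing), Fraction(0))
        keep = min(Fraction(1), capacity / total) if total else Fraction(1)
        return {p.name: p.demand * (1 - keep) for p in crossing}

    tagged = {p.name: ingress_meter(p) for p in crossing}
    total_high = sum((h for h, _ in tagged.values()), Fraction(0))
    total_low = sum((l for _, l in tagged.values()), Fraction(0))
    # HIGH is within the allocation, so it normally fits; if the forecast was
    # wrong and HIGH alone exceeds the link, HIGH shares the link proportionally.
    keep_high = min(Fraction(1), capacity / total_high) if total_high else Fraction(1)
    spare = max(Fraction(0), capacity - total_high)
    keep_low = min(Fraction(1), spare / total_low) if total_low else Fraction(1)
    return {name: h * (1 - keep_high) + l * (1 - keep_low)
            for name, (h, l) in tagged.items()}


def drop_rates(pairs, link, capacity) -> Dict[str, Dict[str, Fraction]]:
    """Fraction of each OD pair's offered load lost, with and without PSP."""
    out = {}
    for mode, psp in (("baseline", False), ("psp", True)):
        drops = link_drops(pairs, link, capacity, psp)
        out[mode] = {p.name: drops[p.name] / p.demand for p in pairs if p.name in drops}
    return out


if __name__ == "__main__":
    for mode, rates in drop_rates(SCENARIO, SHARED_LINK, Fraction(10)).items():
        print(mode, {n: f"{float(r):.1%}" for n, r in rates.items()})
```

With the link at 10 Gb/s and 16 Gb/s offered, the indiscriminate policy drops 37.5% of every pair, attack and legitimate alike; under PSP the two legitimate pairs lose nothing and only the surging pair's LOW excess is cut. Raising the link capacity to 20 Gb/s makes the LOW traffic go through untouched, which is the difference from admission control the slide points out.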

Slide 12: Architecture
- Policy plane: Forecaster → Forecast Matrix → Bandwidth Allocator → Bandwidth Allocation Matrix
- Data plane, deployed at the network perimeter: Differential Tagging (arriving packets → tagged packets, high priority or low priority)
- Data plane, deployed at network routers: Preferential Dropping (tagged packets → forwarded packets / dropped packets)

Slide 13: Forecasting and Allocation
- We use historical network measurements as a forecast of expected normal traffic
  → e.g. average weekday traffic demand at 3pm EDT over the past 2 months
  → More sophisticated forecasting methods (e.g. Bayesian schemes) are possible, but simple forecasting already gives good results
- To account for forecasting inaccuracies and to provide headroom for traffic burstiness, proportionally scale the forecast matrix to fully allocate the available network capacity

Slide 14: Proportional Scaling
- Iteratively scale the bandwidth allocation in a "water-filling" manner
(Figure: a 3-node example with nodes A, B, C and 10G links between them; a forecast matrix with ∞ on the diagonal; bar charts of per-link bandwidth after the 1st and 2nd rounds; the resulting bandwidth allocation matrix)
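The forecasting step of slide 13 and the water-filling scaling of slide 14 together produce the bandwidth allocation matrix. The Python below is an added worked example, not the talk's code: it builds a forecast as the per-OD-pair mean of constructed historical samples, then scales all OD pairs by a common factor until a link saturates, freezes the pairs on that link, and keeps scaling the rest. The topology (PoPs A, B, C with two 10 Gb/s links and A→C riding both) and the history values are assumptions made up for the illustration; it differs from the slide's 3-node figure in having only two links.

```python
from collections import defaultdict
from fractions import Fraction
from typing import Dict, List, Tuple

Link = Tuple[str, str]
Od = Tuple[str, str]

# Constructed toy topology (assumption): two 10 Gb/s links, A->C uses both.
LINK_CAPACITY: Dict[Link, int] = {("A", "B"): 10, ("B", "C"): 10}
PATHS: Dict[Od, List[Link]] = {
    ("A", "B"): [("A", "B")],
    ("B", "C"): [("B", "C")],
    ("A", "C"): [("A", "B"), ("B", "C")],
}
# Constructed history (assumption): per-OD demand in Gb/s sampled on past
# weekdays at the same hour, the kind of input slide 13 averages.
HISTORY = [
    {("A", "B"): 1.5, ("B", "C"): 1.0, ("A", "C"): 2.5},
    {("A", "B"): 2.5, ("B", "C"): 1.0, ("A", "C"): 1.5},
]


def forecast_from_history(samples) -> Dict[Od, Fraction]:
    """Forecast matrix = per-OD-pair mean of the historical samples."""
    totals = defaultdict(Fraction)
    for sample in samples:
        for od, demand in sample.items():
            totals[od] += Fraction(demand)  # exact for these dyadic values
    return {od: total / len(samples) for od, total in totals.items()}


def water_fill(forecast: Dict[Od, Fraction], paths: Dict[Od, List[Link]],
               capacity: Dict[Link, int]):
    """Proportionally scale the forecast until every used link is fully allocated.

    Each round raises every still-active OD pair by the same multiple of its
    forecast until some link saturates; pairs crossing a saturated link are
    frozen and the remaining pairs keep growing into the leftover capacity."""
    residual = {link: Fraction(cap) for link, cap in capacity.items()}
    alloc = {od: Fraction(0) for od in forecast}
    active = {od for od, demand in forecast.items() if demand > 0}
    rounds = []  # (scale step, links saturated so far) per round, for inspection
    while active:
        load = defaultdict(Fraction)  # forecast load of active pairs per link
        for od in active:
            for link in paths[od]:
                load[link] += forecast[od]
        # the smallest common scaling step that saturates some link
        step = min(residual[link] / load[link] for link in load)
        for od in active:
            grant = step * forecast[od]
            alloc[od] += grant
            for link in paths[od]:
                residual[link] -= grant
        saturated = {link for link, left in residual.items() if left == 0}
        rounds.append((step, sorted(saturated)))
        active = {od for od in active if not any(l in saturated for l in paths[od])}
    return alloc, residual, rounds


if __name__ == "__main__":
    forecast = forecast_from_history(HISTORY)
    alloc, residual, rounds = water_fill(forecast, PATHS, LINK_CAPACITY)
    for od in forecast:
        print(od, "forecast", forecast[od], "allocated", alloc[od],
              "scale", alloc[od] / forecast[od])
    print("rounds:", rounds, "unallocated:", residual)
```

Round one scales everyone by 2.5x and saturates link A-B; round two scales the surviving pair B→C by a further 2.5x until B-C fills. B→C therefore ends at 5x its forecast while A→B and A→C end at 2.5x, which is the headroom-where-capacity-exists behaviour slide 13 asks for. Exact fractions are used so the "residual == 0" saturation test is reliable; with floats a tolerance would be needed.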

Slide 15: Networks
- Abilene: US public academic network; 11 nodes, 14 links (10 Gb/s); traffic data 10/01/06 to 12/06/06
- US Backbone: US private ISP tier-1 backbone network; 700 nodes, 2000 links (1.5 Mb/s to 10 Gb/s); traffic data 09/01/06 to 11/17/06
- Europe Backbone: European private ISP tier-1 backbone network; 900 nodes, 3000 links (1.5 Mb/s to 10 Gb/s); traffic data 11/18/06 to 12/18/06

Slide 16: DDoS Attack Data
- Abilene: bottleneck links Denver, Kansas City, Indianapolis → Chicago (5G each)
- US Backbone: commercial anomaly detection alarm; pick the alarm with the most flows and scale their demand by 1000x
- Europe Backbone: synthetic attack flow generator; randomly generate attack flows among 0.1% of OD pairs
(Figure: Abilene map with Seattle, Sunnyvale, Los Angeles, Denver, Kansas City, Houston, Indianapolis, Chicago, Atlanta, Washington and New York)

Slides 17-19: Packet Drop Rate Comparison
(Charts for Abilene, US and Europe; the plots are not in the transcript)

Slides 20-22: Behavior Under Scaled Attacks (Abilene, US, Europe)
- Packet drop rate under attack demand scaled by a factor of 0 to 3x
- PSP provides greater improvement as the attack scale increases

Slide 23: Summary of Contributions
- The proposed proactive solution provides network operators with a first line of defense when sudden DDoS attacks occur
- The solution does not depend on unauthenticated header information, and is thus robust to IP and TCP spoofing
- Minimizes collateral damage by providing bandwidth isolation between traffic
- The solution is readily deployable using existing router mechanisms
- Simulation results show that up to 95.5% of the network could suffer collateral damage
- The solution reduced collateral damage by %

Slide 24: Questions?