Outline
- Introduction
- Analytical Modeling of Crossfire Attacks
- Simulations
- Concluding remarks

A Novel Framework for Modeling and Mitigating Distributed Link Flooding Attacks
Christos Liaskos (1), V. Kotronis (2), X. Dimitropoulos (1)
(1) Foundation of Research and Technology - Hellas (FORTH), Greece
(2) ETH Zurich, Switzerland
Emails: liaskos@ics.forth.gr, vkotroni@tik.ee.ethz.ch, fontas@ics.forth.gr
Funding source: European Research Council, Grant Agreement no. 338402, project "NetVolution"
Christos Liaskos, V. Kotronis, X. Dimitropoulos: Modeling and Exposing Crossfire Attacks
Scope & Motivation
- DDoS link-flooding attacks have great potential:
  - Deplete the bandwidth of certain network links, disconnecting entire domains (even countries) from the Internet.
- DDoS attacks are a reality:
  - Spamhaus (2013): 300 Gbit/s of malicious traffic upon the intended target [1].
- DDoS attacks are evolving in stealth:
  - Crossfire, Coremelt [2, 3]: Flood links indirectly, with seemingly legit traffic.
Scope: Define a framework to Model, Understand, and Expose evolved DDoS attacks.
Key Requirements for Defense
M. Nikkhah, C. Dovrolis and R. Guerin, "Why didn't my (great!) protocol get adopted?", Proceedings of ACM HOTNETS, November 2015.
1. Deliver as promised:
   - Expose Crossfire attacks. (Mitigation is context-specific.)
2. Be thin & non-disruptive:
   - Do not upset the network's operation.
3. Add value to existing network mechanisms!
   - Don't start your own, independent path!
Relevant Existing Network Mechanisms
Traffic Engineering (TE):
- Existing & critical network mechanism.
- Natural reaction to link-flooding events, regardless of cause.
- Accomplished in two phases:
  - Calculate the optimal load per network path (load balancing).
  - Map traffic flows to paths, upholding the optimal loads.
- Note: The mapping is done randomly!
Key idea: Optimize flow mapping for attack exposure.
Our Contributions
- An analytical framework to understand Crossfire attacks.
  - Wide applicability (multigraphs, multipath routing, generic bot behavior).
- A thin and scalable way to implement the framework in practice.
  - All done in an SQL DB, standard SQL queries only.
  - SDN- and NFV-compliant design.
- An open-source simulator to experiment with Crossfire attacks.
Modeling the Crossfire Attack
Figure: Crossfire attack model. Bots send traffic to random destinations; the flows converge on the flooded link between the origin and the target. (Figure labels: BOTS, RANDOM DESTINATIONS, Flooded Link, Origin, Target.)
Modeling the Attack Cycle: Reactive Crossfire
Figure: the attack/defense cycle between origin O and target T, with per-path traffic quotas (%) and the "Flooded Links Detected!!!" event triggering the defender's TE reaction.
- Attacker: Discover path(s)
  - Using distributed tracert.
- Attacker: Execute link(s) flooding
  - Using indirect traffic.
- Defender: (TE) Load Balancing
  - Use alternative paths.
  - Define optimal traffic quotas per path (%), e.g., using Linear Programming.
- Defender: (TE) Flow mapping
  - Source-based routing.
  - Uphold optimal quotas.
Modeling the Attack Exposure with Associative Relations
Figure: relation at time t between E(t), the traffic sources (IPs) over congested links, and N(t), the nodes affected by flood events; each arrow carries a strength S.
- An attack at cycle t floods a set of links, affecting nodes N(t).
- E(t): Traffic sources (IPs) over congested links.
Modeling the Attack Exposure with Associative Relations
For all cycles 0...t, form the relation:
R(t) : ∪_{∀t} E(t) → ∪_{∀t} N(t).
- e -(s)-> n: "entity e attacks node n".
- * -(s)-> n: "node n is an attack target".
- e -(s)-> *: "entity e is a bot".
Strength s: number of observations for a relation (running count).
Effects of Attacker's Actions on the Detection Process
- The attacker seeks to remain hidden.
  - Hide the identity of bots and targets.
  - Ensure E → N contains many false bots e and targets n.
- Terminology:
  - Increase ‖E‖ (Left-specificity).
  - Increase ‖N‖ (Right-specificity).
Effects of Load Balancing on the Detection Process
Figure: TE reclaims/adds capacity around congested areas. The attacker responds to keep affecting the target. (Figure labels: TARGET AREA; Distance from target (hops); presently flooded link; additional links deployed by TE; "Vertical" attack (V); "Horizontal - Afferent" attack (H_a); "Horizontal - Efferent" attack (H_e).)
Table: Effects on the L / R specificity of observed relations.
Attacker's response type   L-specificity   R-specificity
Vertical                   +               ±
Horizontal-efferent        +               −
Horizontal-afferent        −               +
Optimizing TE Flow Mapping for Attack Exposure
Defender's goal: At t, reroute traffic flows such that, at t+1: min{s} for e -(s)-> n, ∀ r ⊂ R(t).
Figure: two mappings of a flow f from bot e to flow destination d, relative to the origin and the target node n; one of them is the shortest path. (Figure labels: BOT (e), FLOW DESTINATION (d), FLOW (f), Origin, Target (n), Shortest Path.)
Qualitative meaning:
i) If the flow retains its destination at t+1 → No attack (RED is disjoint).
ii) If it changes at t+1 → Minimal probability of accidental attack (GREEN).
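A worked illustration of the detection-aware flow mapping, added here as an example and not taken from the authors' simulator or their LP formulation: a greedy heuristic that maps each flow to one of the candidate paths fixed by TE load balancing (phase 1 quotas are respected), while flows from sources with a high e -(s)-> * strength are steered onto the candidate path that traverses the least * -(s)-> n target strength. All names, strengths, paths and quotas are constructed assumptions.

```python
"""Greedy, detection-aware flow-to-path mapping in the spirit of the slide:
flows from probable bots are kept off paths through probable targets, within
the per-path quotas that TE load balancing already fixed.  Added example
code; a hypothetical heuristic, not the authors' method.  All data below is
constructed."""

def path_cost(path, src, bot_strength, target_strength):
    """Penalty of carrying src's flow over path: the source's bot strength
    (e -> *) times the summed target strength (* -> n) of the nodes traversed.
    A benign source (strength 0) or a path disjoint from every suspected
    target costs 0, so such flows fall back to the shortest admissible path."""
    return bot_strength.get(src, 0) * sum(target_strength.get(n, 0) for n in path)

def map_flows(flows, candidates, quota, bot_strength, target_strength):
    """flows: list of (src, dst).  candidates[(src, dst)]: tuple-of-nodes paths.
    quota[path]: remaining flows the path may carry (phase-1 TE output).
    Suspected bots are mapped first so they get the cleanest paths; every flow
    then takes the cheapest admissible path, shortest path on ties."""
    remaining = dict(quota)
    mapping = {}
    order = sorted(flows, key=lambda f: -bot_strength.get(f[0], 0))
    for src, dst in order:
        best = None
        for path in candidates[(src, dst)]:
            if remaining[path] <= 0:
                continue  # TE quota exhausted on this path: not admissible
            key = (path_cost(path, src, bot_strength, target_strength), len(path))
            if best is None or key < best[0]:
                best = (key, path)
        if best is None:
            raise ValueError(f"no admissible path for flow {src}->{dst}")
        remaining[best[1]] -= 1
        mapping[(src, dst)] = best[1]
    return mapping

# Constructed scenario: origin O, suspected target T (strength 3 from earlier
# cycles), destination D reachable over the shortest path through T or over a
# longer path disjoint from T.  10.0.0.1 has accumulated bot strength 3;
# 203.0.113.5 has never been seen over a flooded link.
SHORT_PATH = ("O", "T", "D")
DISJOINT_PATH = ("O", "X", "Y", "D")
FLOWS = [("203.0.113.5", "D"), ("10.0.0.1", "D")]
CANDIDATES = {f: [SHORT_PATH, DISJOINT_PATH] for f in FLOWS}
QUOTA = {SHORT_PATH: 1, DISJOINT_PATH: 1}
BOT_STRENGTH = {"10.0.0.1": 3}
TARGET_STRENGTH = {"T": 3, "A": 1}

def demo():
    """Map the constructed flows; the probable bot lands on the disjoint path,
    the benign source keeps the shortest path, and both quotas are honored."""
    return map_flows(FLOWS, CANDIDATES, QUOTA, BOT_STRENGTH, TARGET_STRENGTH)

if __name__ == "__main__":
    for flow, path in demo().items():
        print(flow, "->", " - ".join(path))
```

Because every path still carries exactly the number of flows its quota allows, the load-balancing objective computed in phase 1 is untouched; only the random assignment of phase 2 is replaced. If the suspected bot keeps its destination, its flow no longer crosses T (the "RED is disjoint" case); if it switches destination to reach T again, it will be observed over the next flooded link and its e -(s)-> * strength keeps growing.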
Practical Implementation of the Exposure Process
- Intuitive implementation via SQL.
- Maintain two simple tables, updated on link congestion events.
- Relation exposure:
  - e→* : SELECT Src_IP, count(PK) AS strength FROM PROBABLE_BOTS GROUP BY Src_IP
  - *→n : SELECT NodeID, count(PK) AS strength FROM PROBABLE_TARGETS GROUP BY NodeID
  - e→n : ... INNER JOIN on FLOODED_LINK ...
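The relation model of the two preceding "Associative Relations" slides and the SQL sketch above, run end to end as an added example (not the authors' simulator or schema): an in-memory SQLite database holds the two tables keyed to a FLOODED_LINK table, constructed congestion events from three TE cycles are loaded, and the three relation strengths are produced with the slide's queries. The table layout, the FloodID/Cycle/Link columns, the join used for e→n and the exposure_gap helper (the Δs = E[s_bots] − E[s_benign] measure, computed from the simulator-side ground truth of which sources are bots) are assumptions.

```python
"""Relation exposure over congestion events, built with SQLite so that the
slide's SQL can be run as-is.  Added example, not the authors' code; schema
and events are constructed assumptions (only Src_IP, NodeID, PK and the table
names come from the slide)."""
import sqlite3

# Constructed flood events: one congested link per TE cycle, the traffic
# sources (IPs) observed over it (E(t)) and the nodes it cut off (N(t)).
# 10.0.0.1 / 10.0.0.2 are the bots; 198.51.100.x are benign sources, one of
# which happens to sit over the congested link twice (natural re-homing).
FLOOD_EVENTS = [
    # (cycle, link, sources over the link, nodes affected)
    (1, "L1", ["10.0.0.1", "10.0.0.2", "198.51.100.7"], ["T", "A"]),
    (2, "L2", ["10.0.0.1", "10.0.0.2", "198.51.100.7"], ["T", "B"]),
    (3, "L3", ["10.0.0.1", "10.0.0.2", "198.51.100.9"], ["T", "C"]),
]

SCHEMA = """
CREATE TABLE FLOODED_LINK (PK INTEGER PRIMARY KEY, Cycle INTEGER, Link TEXT);
CREATE TABLE PROBABLE_BOTS (PK INTEGER PRIMARY KEY,
    FloodID INTEGER REFERENCES FLOODED_LINK(PK), Src_IP TEXT);
CREATE TABLE PROBABLE_TARGETS (PK INTEGER PRIMARY KEY,
    FloodID INTEGER REFERENCES FLOODED_LINK(PK), NodeID TEXT);
"""

def build_db(events=FLOOD_EVENTS):
    """Load the congestion events into the tables; one row per observed
    source and per affected node, each pointing at its flood event."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for cycle, link, sources, nodes in events:
        flood_id = db.execute(
            "INSERT INTO FLOODED_LINK (Cycle, Link) VALUES (?, ?)",
            (cycle, link)).lastrowid
        db.executemany("INSERT INTO PROBABLE_BOTS (FloodID, Src_IP) VALUES (?, ?)",
                       [(flood_id, s) for s in sources])
        db.executemany("INSERT INTO PROBABLE_TARGETS (FloodID, NodeID) VALUES (?, ?)",
                       [(flood_id, n) for n in nodes])
    return db

def bot_relations(db):
    """e -> * : strength = number of flood events in which source e appeared."""
    rows = db.execute("SELECT Src_IP, count(PK) AS strength "
                      "FROM PROBABLE_BOTS GROUP BY Src_IP")
    return dict(rows.fetchall())

def target_relations(db):
    """* -> n : strength = number of flood events that affected node n."""
    rows = db.execute("SELECT NodeID, count(PK) AS strength "
                      "FROM PROBABLE_TARGETS GROUP BY NodeID")
    return dict(rows.fetchall())

def attack_relations(db):
    """e -> n : join the two tables through the flood event they share."""
    rows = db.execute(
        "SELECT b.Src_IP, t.NodeID, count(b.PK) AS strength "
        "FROM PROBABLE_BOTS b "
        "INNER JOIN FLOODED_LINK f ON b.FloodID = f.PK "
        "INNER JOIN PROBABLE_TARGETS t ON t.FloodID = f.PK "
        "GROUP BY b.Src_IP, t.NodeID")
    return {(e, n): s for e, n, s in rows.fetchall()}

def exposure_gap(strengths, true_bots):
    """Delta_s = E[s_bots] - E[s_benign] over e -> * relations, using the
    simulator's ground truth of which sources are bots (evaluation only)."""
    bots = [s for e, s in strengths.items() if e in true_bots]
    benign = [s for e, s in strengths.items() if e not in true_bots]
    return sum(bots) / len(bots) - sum(benign) / len(benign)

if __name__ == "__main__":
    db = build_db()
    print("e->*", bot_relations(db))
    print("*->n", target_relations(db))
    print("e->n", attack_relations(db))
    print("delta_s", exposure_gap(bot_relations(db), {"10.0.0.1", "10.0.0.2"}))
```

Strength accumulates across cycles: the two bots reach strength 3 after three floods while the benign source that re-homed twice reaches 2, so the gap between the two populations grows with every cycle in which the bots persist. Because each query is a plain GROUP BY over rows appended on congestion events, the exposure process adds no state beyond the tables themselves.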
Simulations / Setup
We evaluate:
1. Effectiveness of the attacker's bot/target obfuscation attempts (L/R specificity):
   1. Attack using some of the bots only.
   2. Attack more than one target.
   3. Also: natural re-homing of legit flows.
2. The role of the topology:
   - 50 real ISP topologies (Internet Topology Zoo).
   - Scenario: cut off an ISP PoP from the Internet.
Results I: Obfuscation Effects
Easier to obfuscate the target than the bots.
Figure (a): L-specificity (ε → ⋆ relations): probabilistic bot participation in an attack; % is the allowed bot re-use. Axes: time step t (0 to 20) vs. bot exposure Δs = E[s_bots] − E[s_benign] for ε -(s)-> ⋆ relations (0 to 15); curves for 20%, 60%, 80%, 100%.
Figure (b): R-specificity (⋆ → n relations): effects of attacking random nodes; % is the flow rehome_ratio. Axes: time step t (0 to 20) vs. target exposure Δs = E[s_target node] − E[s_benign] for ⋆ -(s)-> n relations (0 to 25); curves for 20%, 60%, 80%, 100%.
Results II: Topological Effects
Decentralized topologies (i.e., not star-like): easier to attack, easier to detect.
Figure: Effect of topology on the specificity of the ε → ⋆ relations. Strong correlation to the average-shortest-path-length (avg. SPL) topology metric. Bar chart per Topology Zoo network; left axis: bot exposure Δs after 20 cycles (0 to 50); right axis: avg. shortest path length (1 to 6); legend: Δs, Avg. SPL. Topologies shown: Abilene, Abvt, Aconet, Agis, Ai3, Amres, Ans, Arn, Arnes, Arpanet19719, Arpanet19723, Arpanet19728, Atmnet, AttMpls, Bbnplanet, Belnet2007, Belnet2008, Belnet2009, Belnet2010, Biznet, Bren, BsonetEurope, BtNorthAmerica, Canerie, Cernet, Cesnet1997, Cesnet2001, Cesnet200304, Cesnet200511, Claranet, Compuserve, CrlNetworkServices, Cwix, Cynet, Darkstrand, Digex, Eenet, EliBackbone, Epoch, Ernet, Funet, Gambia, Garr199901, Garr199904, Garr199905, Garr200109, Garr200112, Garr200212, Garr200404, Gblnet.
Summary
- Introduced a novel framework for studying stealthy DDoS link-flooding attacks.
  - Goal: facilitate detection of susceptible bots and targets.
  - Use relational algebra to formulate bot → target relations.
  - Benefit: ease & scalability of implementation (SQL).
- Entry point: the TE process.
  - Use the same inputs, leave the TE load-balancing objective untouched.
  - Detection-optimal mapping of flows to paths.
  - Key idea: keep probable bots and targets on separate paths, punish persistence.
Outlook
Build upon the analytical framework:
- Express attack/defense strategies (game theory).
- Quantify the vulnerability of a given topology as a metric.
- Distribute the defense scheme as an SDN security app.
  - FRESCO framework: Shin, Seungwon, et al., "FRESCO: Modular Composable Security Services for Software-Defined Networks", NDSS 2013.
Thank you!
JAVA simulator available at: http://users.ics.forth.gr/~liaskos/#PUBLICATIONS

References
[1] The DDoS That Almost Broke The Internet (2014). http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet
[2] Kang M. et al., The Crossfire Attack, Proc. of Security & Privacy (SP'13).
[3] Studer A. et al., The Coremelt Attack, Proc. of ESORICS'09.