The Role of Indirection and Diffusion in DDoS Defense. Angelos D. Keromytis Network Security Lab Computer Science Department, Columbia University. Capacity and Path Diversity. DDoS seems to be largely a “last-3-hops” problem Informal survey of ISPs shows 20-40Gbps per POP - PowerPoint PPT Presentation
The Role of Indirection and Diffusion in DDoS Defense
Angelos D. Keromytis
Network Security Lab
Computer Science Department, Columbia University
Capacity and Path Diversity

[Figure: link capacity progression from POTS/ISDN, T1, 10M Ethernet, OC3, OC12 to OC192; labels: Increasing Traffic Aggregation, Increasing SW Service Deployment Times, Increasing Preference for SW Restriction to Control Plane, More Nodes]

- DDoS seems to be largely a “last-3-hops” problem
- Informal survey of ISPs shows 20-40Gbps per POP
- Many redundant paths (some are better than the route-converged path!)
- Similar characteristics likely to hold for any future “Internet”
  - Unless we abandon statistical mux model and adopt single-authority/ISP (think phone network)
- FiOS or similar network upgrades unlikely to significantly change the situation (wireless may make things worse!)
- Must be intelligent about traffic monitoring/admission/handling
- Intelligence inside the network is hard to come by
  - Decreasing cycles/bps
Indirection and Diffusion

- Send the traffic to the intelligence
  - Put the intelligence where you can (technology, cost/benefit, deployment limitations)
  - Intelligence can be pretty invasive, e.g., full-blown authentication, payment, CAPTCHA, attestation ...
- Intelligence must not be a point of vulnerability
  - Scalable, distributed, restricted interface (attack surface)
  - But: easier proposition than doing the same at line speeds inside the network
  - Diffusion helps to eliminate single-failure points
  - Challenges: interference, sensing, knowledge, guarantees?
- Intelligence must be efficient
  - Performance, reliability, low-cost (shared & on-demand?)
- Transparent vs. explicit intelligence/indirection
- Complement intelligence with simple in-network mechanisms
  - Routing, limited filtering abilities, deflections, ???
  - Use what you can, where it makes sense (to paraphrase e2e)
Simple Filtering

SOS/WebSOS [SIGCOMM2002, CCS2003]

Human-centric Authentication [CCS2003]

Diffusion [CCS2005]

Local Perimeter Establishment [IAMCOM2007]

- Limited-scope PushBack (inside home ISP only)
  - Much simpler trust issues, pay-per-use possibility
- [ACNS2004] RSVP might do the trick, too...
Backup Slides

MOVE [NDSS2005]

MOVE [NDSS2005]
Attack

Old fashioned DoS Attack

New Attack: “Stalker” Attack

New Attack: Sweeping Attack
Latency with Diffusion

[Figure: End-to-End Latency with Client Packet Replication; x-axis: Client Packet Replication; y-axis: Overlay / Direct]

Resilience & Latency

[Figure: End-to-End Latency vs Node Failure; series: No Repl., 1.5x, 2x, 3x]

Resilience & Throughput

[Figure: Throughput vs Node Failure; y-axis: KB/Sec; x-axis: % Node Failure]