Next Gen Blackholing to Counter DDoS
NANOG75, San Francisco
Christoph Dietzel (TU Berlin, DE-CIX), Matthias Wichtlhuber (DE-CIX), Georgios Smaragdakis (TU Berlin), Anja Feldmann (MPI, TU Berlin)
Slide 2: Volumetric DDoS Attacks
(chart of peak attack sizes over the years '15, '16, '18 and '19: 200 Gbps, 1 Tbps, 1.7 Tbps, and an open "? Tbps" for the latest year)
www.de-cix.net
Slide 3: ISP DDoS Defense Toolbox

TSS (Traffic Scrubbing Services):
- Filters at arbitrary granularity
- Redirects traffic to scrubbing centers
- On-demand vs. always on

ACL:
- Carefree service
- Vendor-specific
- Per device config

Flowspec:
- Configures rules at neighbor network
- Filters at arbitrary granularity
- Cooperation required

RTBH:
- Configures rules at neighbor network
- Filters at IP granularity
- Cooperation required
Slide 4: DDoS Defense at IXPs
- Combine good properties of existing solutions
- Eradicate current shortcomings
+ IXPs offer services to hundreds of ASes
+ IXPs have multiple Tbps capacity
+ Trusted part of the Internet community
Slide 5: Blackholing at IXPs
(diagram, control plane and data plane: AS1, AS2 and AS3 connect via the IXP route server; AS1 announces 100.10.10.0/24; NTP traffic from AS2 and AS3 reaches host 100.10.10.10 in AS1)
Slide 6: Blackholing at IXPs
(diagram, control plane and data plane: AS1 announces 100.10.10.10/32 tagged with the blackholing community IXP_ASN:666 to the route server; the IXP installs a deny rule for traffic to 100.10.10.10 while 100.10.10.0/24 remains accepted, so NTP traffic from AS2 and AS3 towards the host is dropped at the IXP)
Slide 7: Blackholing – Limitations
- Blocks unwanted and wanted traffic
- Hard to predict behavior
- No effect on a subset of peerings
(diagram as on slide 6: 100.10.10.10/32 announced with IXP_ASN:666, deny rule at the IXP)
Slide 8: Blackholing – Limitations
- Relative traffic of a 40GE IXP port
- Mostly web traffic (80, 443, …)
- Attack: 70% memcached traffic
- Still a significant share of web traffic
→ Collateral damage!
Slide 9: Blackholing – Limitations
- All-or-nothing approach
- Prefix granularity
- Per-peer selection at IXPs
- Blackholed traffic:
  - 99.94% UDP
  - Expected L4 ports (NTP, LDAP, …)
→ More granularity needed!
Slide 10: Blackholing – Limitations
- How "ineffective" can it be?
- NTP DDoS attack
- AS at IXP via ML (multilateral) peering
- Attacks for 10 min to a /32
- Drop all traffic to the /32
- Traffic: 800 to 600 Mbps
- Peers: 38 to 26
→ Signaling too complex!
Slide 11: Advanced Blackholing Requirements
- Granularity: fine-grained filtering (src/dst header fields)
- Telemetry: feedback on the state of the attack at any time
- Scalability: scale in terms of performance, filters, reaction time
- Signaling complexity: easy to use, short setup time, low config complexity
- Cost: meeting all requirements with minimal investment (CAPEX & OPEX)
- Cooperation: lower levels of cooperation among the involved parties
Slide 12: Advanced Blackholing System
(diagram, control plane and data plane: AS1 sends an ADV_BH signal for 100.10.10.10/32 to a blackholing controller that sits beside the IXP route server; the route server still accepts the prefix, and the controller installs the fine-grained filter in the IXP data plane towards AS2 and AS3)
Slide 13: Advanced Blackholing System
(architecture diagram: IXP members talk to a Signaling Interface in the control plane; the Blackholing Manager and IXP Management sit behind it; the control plane pushes filter updates to the Filtering function in the data plane)
Slide 16: Advanced Blackholing Signaling (BGP part)
- iBGP session to the IXP route server → BGP Parser → Decoded BGP Information → BGP Processor → Routing Information Base → Blackholing Controller → Network Manager
- Network Manager options:
  - Option 1: QoS Network Manager (Hardware QoS Configuration Compiler, Configuration Information Base) → token bucket queue configuration, maximum burst size / rate limiting
  - Option 2: SDN Network Manager (Hardware SDN Configuration Compiler, Configuration Information Base) → hardware-specific configuration changes
Slide 17: Building Blocks
- Granularity: UDP, TCP, ports, …
- Telemetry: monitoring with statistics
- Signaling complexity: BGP communities or API
- Scalability: line-rate in hardware
- Cost: implemented in existing hardware
- Cooperation: enforced by the IXP
Slide 18: Implementation Challenges
- BGP processing
- Configuration proxy
- Why not FlowSpec?
Slide 19: Does it Scale?
- Scalability wrt. number of filters & IXP ports (of switches/routers)
  - TCAM to match header fields
  - Measuring the system's limits & a port's limits (max. no. of filters)
  - Results on next slide
- Scalability wrt. configuration update frequency limits (of the config proxy)
  - Allows 4.33 filter updates per second
  - 70% of BH updates below 1 second
Slide 20: Stress Test on the IXP's Hardware
(chart with three series: 20%, 60% and 100% of IXP member ASes)
Slide 21: Measurement Experiment
- How "effective" is it?
- NTP DDoS attack
- AS at IXP via ML (multilateral) peering
- Attacks for 10 min to a /32
- Drop / shape UDP NTP
- Traffic: 1000 to 200 to 0 Mbps
- Peers: 60 to (almost) 0
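To make the difference between slides 7-9 (prefix-granular blackholing drops web traffic along with the flood) and slides 17/21 (drop or shape only UDP NTP towards the /32) concrete, here is an added Python example. It is not DE-CIX code and not the deck's system: the IXP ASN, the three-part "IXP_ASN:proto:port" community used as the fine-grained signal, the flow records and all function names are assumptions made for the illustration.

```python
"""Classic vs. advanced blackholing over constructed flow records (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IXP_ASN = 65000                    # placeholder; the real IXP ASN is not on the slides
BH_COMMUNITY = f"{IXP_ASN}:666"    # classic blackholing community shown on the slides
PROTO_NUMBERS = {"17": "udp", "6": "tcp"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str     # "udp" or "tcp"
    dport: int
    mbps: float


@dataclass(frozen=True)
class Filter:
    dst_prefix: ipaddress.IPv4Network
    proto: Optional[str]    # None = any protocol
    dport: Optional[int]    # None = any destination port
    action: str             # "drop" or "shape"
    rate_mbps: float = 0.0  # aggregate limit, only used by "shape"

    def matches(self, f: Flow) -> bool:
        return (ipaddress.ip_address(f.dst) in self.dst_prefix
                and self.proto in (None, f.proto)
                and self.dport in (None, f.dport))


def filter_from_announcement(prefix: str, communities: list[str],
                             action: str = "drop", rate_mbps: float = 0.0) -> Optional[Filter]:
    """Translate a member's BGP announcement into one data-plane filter.

    IXP_ASN:666 alone is classic blackholing (drop everything to the prefix).
    An additional hypothetical community IXP_ASN:<proto>:<port> narrows the
    filter to one L4 protocol and destination port (advanced blackholing).
    """
    if BH_COMMUNITY not in communities:
        return None
    proto = dport = None
    for c in communities:
        parts = c.split(":")
        if len(parts) == 3 and parts[0] == str(IXP_ASN):
            proto, dport = PROTO_NUMBERS[parts[1]], int(parts[2])
    return Filter(ipaddress.ip_network(prefix), proto, dport, action, rate_mbps)


def apply_filters(flows: list[Flow], filters: list[Filter]) -> dict:
    """Run flows through the filter list (first match wins) and report Mbps
    forwarded and dropped per traffic class ("ntp" = UDP/123, "web" = the rest)."""
    forwarded = {"web": 0.0, "ntp": 0.0}
    dropped = {"web": 0.0, "ntp": 0.0}
    shaped_so_far = [0.0] * len(filters)   # aggregate load already admitted per shaper
    for f in flows:
        cls = "ntp" if (f.proto, f.dport) == ("udp", 123) else "web"
        fwd = f.mbps                        # default: no filter matches, forward everything
        for i, flt in enumerate(filters):
            if not flt.matches(f):
                continue
            if flt.action == "drop":
                fwd = 0.0
            else:                           # shape: admit until the configured rate is used up
                fwd = min(f.mbps, max(0.0, flt.rate_mbps - shaped_so_far[i]))
                shaped_so_far[i] += fwd
            break
        forwarded[cls] += fwd
        dropped[cls] += f.mbps - fwd
    return {"forwarded": forwarded, "dropped": dropped}


# Constructed traffic towards the victim host used on the slides (100.10.10.10):
# legitimate web traffic plus a reflected NTP flood from four sources.
VICTIM = "100.10.10.10"
FLOWS = [
    Flow("198.51.100.7", VICTIM, "tcp", 443, 250.0),
    Flow("198.51.100.9", VICTIM, "tcp", 80, 50.0),
] + [Flow(f"203.0.113.{i}", VICTIM, "udp", 123, 175.0) for i in range(1, 5)]


def classic_blackholing() -> dict:
    """/32 tagged with IXP_ASN:666 only: the IXP drops all traffic to the host."""
    flt = filter_from_announcement(f"{VICTIM}/32", [BH_COMMUNITY])
    return apply_filters(FLOWS, [flt])


def advanced_blackholing(action: str = "drop", rate_mbps: float = 0.0) -> dict:
    """/32 plus the (hypothetical) UDP/123 community: only NTP is dropped or shaped."""
    flt = filter_from_announcement(f"{VICTIM}/32", [BH_COMMUNITY, f"{IXP_ASN}:17:123"],
                                   action, rate_mbps)
    return apply_filters(FLOWS, [flt])


if __name__ == "__main__":
    print("classic :", classic_blackholing())
    print("advanced:", advanced_blackholing())
    print("shaped  :", advanced_blackholing("shape", 200.0))
```

Running the block shows the collateral damage of slide 8 in numbers: the classic /32 blackhole drops the 300 Mbps of web traffic together with the 700 Mbps flood, whereas the protocol/port filter forwards the web traffic untouched and either drops the NTP flood or, with "shape" and a 200 Mbps rate, admits only 200 Mbps of it, mirroring the 1000 to 200 to 0 Mbps progression on slide 21.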
Slide 22: Summary
- A number of DDoS mitigation solutions exist, but …
- We identify and measure the limitations of blackholing
- We propose Advanced Blackholing, combining the benefits of today's DDoS defenses and overcoming their problems
- We implement a new system with a BGP and an API interface
- We evaluated the system and showed that it scales well