On the Feasibility of Rerouting-based DDoS Defenses - PowerPoint PPT Presentation

  1. On the Feasibility of Rerouting-based DDoS Defenses. Muoi Tran, Min Suk Kang, Hsu-Chun Hsiao, Wei-Hsuan Chiang, Shu-Po Tung, Yu-Su Wang. May 2019 | San Francisco, CA

  2. Transit-link DDoS attack: a powerful type of volumetric DDoS (distributed denial of service) attack. Traditional: volumetric attack traffic targeting end servers. Non-traditional: volumetric attack traffic targeting transit links between ASes. Academic studies: Coremelt attack (ESORICS '09), Crossfire attack (S&P '13). Real incidents: 2013, 2015.

  3. Handling transit-link DDoS attack is challenging: the attack traffic is low-rate and indistinguishable from legitimate traffic, and the victims are indirectly affected (the congested transit link lies between the source and destination ASes, not at either end).

  4. Transit-link DDoS attacks still remain an open problem. Partial solutions (timeline 2009-2018): Coremelt attack (Studer et al.), Crossfire attack (Kang et al.), CoDef defense (Lee et al.), LinkScope (Xue et al.), SPIFFY (Kang et al.), NetHide (Meier et al.), RADAR (Zheng et al.). Not available in the current Internet: STRIDE (Hsiao et al.), SIBRA (Basescu et al.). "Readily deployable solution": Routing Around Congestion (Smith et al., S&P '18).

  5. Background: how does BGP routing work? Border Gateway Protocol (BGP): no control over the traffic path by design. Example with source, AS X, AS Y, AS Z and destination AS D: D originates the loop-free AS-path {D}; Z advertises {Z, D}; Y advertises {Y, Z, D}; X advertises {X, Y, Z, D}. BGP propagation flows from the destination toward the source; traffic forwarding flows the opposite way along the advertised path.

  6. Routing Around Congestion (RAC): rerouting using BGP poisoning [Smith et al., S&P '18]. Goal: reroute to avoid AS W on the original path between the critical source AS C and the victim destination AS D. D sends a BGP poisoning message with AS-path {D, W, D}; AS W sees its own ASN in the path ("Loop detected!") and drops the announcement, so the original path through W disappears and a detour path that avoids W is established.

  7. Routing Around Congestion (RAC): rerouting using BGP poisoning [Smith et al., S&P '18]. AS collaboration is not needed! After the {D, W, D} poisoning message, the critical source AS C switches from the original path to the detour path.

  8. Will the RAC defense still work against adaptive attackers?

  9. Our contributions: (a) adaptive detour-learning attack against rerouting solutions; (b) practical challenge of mitigating the adaptive detour-learning attack; (c) future directions for transit-link DDoS defenses.

  10. Adaptive detour-learning attack: threat model. Goals: (1) detect rerouting in real time; (2) learn the new detour path accurately; (3) congest the new detour path (see the paper). Capabilities: the same botnets used in the transit-link DDoS attack.

  11. Adaptive detour-learning attack: (1) how to detect rerouting in real time. The adaptive adversary (AS I) runs traceroute toward the victim destination AS D and observes the original path from the critical source AS C through AS W.

  12. Adaptive detour-learning attack: (1) how to detect rerouting in real time. Rerouting is detected! The adversary's traceroute now shows the detour path instead of the original path.

  13. Adaptive detour-learning attack: (2) how to learn the detour path accurately. Challenge: which route measurement (from bots in AS E, G, H, I, J) is the more accurate view of the actual detour path? Solution: prioritize measurements from bots closer to the traffic source (e.g., shorter AS-path to the critical source). (3) congest the detour path (see the paper).

  14. Adaptive detour-learning attack: (2) how to learn the detour path accurately. Challenge: which route measurement is the more accurate view of the actual detour path? Solution: prioritize measurements from bots closer to the traffic source (e.g., shorter AS-path). Results: 94% of learned detour paths are correct. (3) congest the detour path (see the paper).

  15. Our contributions: (a) adaptive detour-learning attack against rerouting solutions; (b) practical challenge of mitigating the adaptive detour-learning attack; (c) future directions for transit-link DDoS defenses.

  16. How to defend against the detour-learning attack? The detour path must be isolated, i.e. used exclusively for critical flows; otherwise it is learned by adversary ASes (AS I, AS J) that share it. How to isolate? Poison all peers of the ASes on the detour path!
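To make the loop-detection mechanism behind RAC (slides 6-7) and the isolation rule of slide 16 concrete, here is an added Python simulation; it is not code from the paper or its authors. The topology, the AS names and the avoided AS W are constructed to resemble the slide figure, and path selection is simplified to shortest AS-path with no routing policy.

```python
from collections import deque

# Constructed AS-level topology (adjacency sets), loosely following the slide
# figure: critical source C, victim destination D, AS W is the AS to avoid,
# AS I and AS J stand in for adversary-controlled ASes.
TOPOLOGY = {
    "C": {"X"}, "X": {"C", "W", "Y"}, "W": {"X", "D", "I"},
    "Y": {"X", "Z", "J"}, "Z": {"Y", "D"}, "D": {"W", "Z"},
    "I": {"W"}, "J": {"Y"},
}

def propagate(topology, origin, poison=()):
    """Simulate BGP propagation of a prefix originated by `origin`.

    `poison` lists the ASNs the origin inserts into its own AS_PATH (the
    {D, W, D} message on the slide). Every AS prepends itself when it
    forwards; an AS that finds its own ASN in a received AS_PATH treats the
    announcement as a loop and drops it, which is what RAC relies on.
    Returns {asn: best AS_PATH} for every AS that installed a route.
    """
    rib = {origin: [origin, *poison, origin] if poison else [origin]}
    queue = deque([origin])
    while queue:
        asn = queue.popleft()
        advertised = rib[asn]
        for nbr in sorted(topology[asn]):
            if nbr in advertised:          # BGP loop detection: drop
                continue
            candidate = [nbr, *advertised]
            best = rib.get(nbr)
            # shortest AS_PATH wins; lexical tie-break keeps runs deterministic
            if best is None or (len(candidate), candidate) < (len(best), best):
                rib[nbr] = candidate
                queue.append(nbr)
    return rib

def detour_path(topology, source, destination, avoid):
    """AS-level path from `source` to `destination` after `destination`
    poisons the ASes in `avoid`; None if the poison cut `source` off."""
    path = propagate(topology, destination, avoid).get(source)
    return None if path is None else path[:path.index(destination) + 1]

def isolation_set(topology, detour):
    """ASes that must additionally be poisoned to isolate the detour path
    (slide 16: every peer of every AS on the detour, off the detour itself)."""
    on_path = set(detour)
    return {peer for asn in detour for peer in topology[asn]} - on_path

if __name__ == "__main__":
    print("original path:", detour_path(TOPOLOGY, "C", "D", ()))
    detour = detour_path(TOPOLOGY, "C", "D", ["W"])
    print("detour path:  ", detour)
    print("ASes to poison for isolation:", sorted(isolation_set(TOPOLOGY, detour)))
```

On a real detour path the isolation set grows to the full peer set of every transit AS on it, which is the "thousands of ASes" problem the next slide measures.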

  17. Detour path isolation => poisoning too many ASes. (Figure: CDF of the number of ASes that should be poisoned, x-axis from 100 to 10000.) Thousands of ASes should be poisoned (more in the paper). But why? Because Tier-1 or large Tier-2 ASes sit on the detour paths.

  18. Can we poison that many ASes? (Figure: the same CDF with the limits marked at 2034 and 255.) Maximum number of ASes in a BGP poisoning message: Specification, up to 2034; Implementation, up to 255; Configuration, up to 30-50.

  19. Confirmed: ISPs do not support poisoning > 255 ASes. (Figure: number of observed BGP messages vs. number of ASes seen in a BGP message, log scale from 1 to 1000, markers at 30 and 255; annotations: "slowly decrease in frequency", "50x drop observed in frequency", "99.99%".)

  20. Confirmed: ISPs do not support poisoning > 255 ASes. (Same figure as slide 19.) Poisoning > 1,000 ASes is nearly impossible => detour path isolation is infeasible => the detour-learning attack is almost always possible.

  21. Our contributions: (a) adaptive detour-learning attack against rerouting solutions; (b) practical challenge of mitigating the adaptive detour-learning attack; (c) future directions for transit-link DDoS defenses.

  22. Desired defense property: destination-controlled routing. Clean-slate Internet architecture (e.g., STRIDE, SIBRA): ✕ too costly to deploy. Hacking BGP (e.g., Routing Around Congestion; explicit BGP rerouting for critical flows under emergency): ✕ does not work.

  23. Two lessons learned.

  24. Lesson 1: Hacking the current Internet routing is a flawed idea!

  25. ✓ Adaptive attacks are possible. ✓ Mitigation is hard. ✓ Adaptive defense is slower than the adaptive attacker (more in the paper).

  26. Lesson 2: Analysis of protocol specifications alone is insufficient!

  27. Specification vs. Implementation vs. Configuration.

  28. Conclusion. • Detour-learning attacks are effective and hard to mitigate: ✓ transit-link DDoS attacks still remain an open problem. • Suggestion on research direction: ✓ balance destination-controlled routing and deployability. • Two lessons learned: ✓ hacking BGP for rerouting is a flawed idea; ✓ analysis with the specification only can be dangerous.

  29. Questions? Muoi Tran muoitran@comp.nus.edu.sg
