on the feasibility of rerouting based ddos defenses
play

On the Feasibility of Rerouting-based DDoS Defenses Muoi Tran , Min - PowerPoint PPT Presentation

Aug 28, 2022 •179 likes •438 views

On the Feasibility of Rerouting-based DDoS Defenses Muoi Tran , Min Suk Kang, Hsu-Chun Hsiao, Wei-Hsuan Chiang, Shu-Po Tung, Yu-Su Wang May 2019 | San Francisco, CA Transit-link DDoS attack: a powerful type of volumetric DDoS attack

  1. On the Feasibility of Rerouting-based DDoS Defenses Muoi Tran , Min Suk Kang, Hsu-Chun Hsiao, Wei-Hsuan Chiang, Shu-Po Tung, Yu-Su Wang May 2019 | San Francisco, CA

  2. Transit-link DDoS attack: a powerful type of volumetric DDoS attack (distributed denial of service) Traditional: volumetric attack traffic targeting end servers Non-traditional: volumetric attack traffic targeting transit links Academic studies : AS Coremelt attack (ESORICS ‘09) AS AS Crossfire attack AS (S&P ‘13) Real incidents : 2015 2013 2

  3. Handling transit-link DDoS attack is challenging Indistinguishable low-rate traffic AS AS AS AS AS Victims are AS indirectly affected AS AS Destination Source 3

  4. Transit-link DDoS attacks still remain an open problem Partial solutions RADAR CoDef defense (Zheng et al. ) (Lee et al. ) SPIFFY NetHide Crossfire attack LinkScope (Kang et al. ) (Meier et al .) (Kang et al. ) (Xue et al. ) 2016 2009 2018 2013 2014 Routing Around Congestion Not available in the Coremelt attack (Studer et al. ) current Internet (Smith et al. S&P’18) “Readily deployable solution" SIBRA STRIDE (Basescu et al. ) (Hsiao et al. ) 4

  5. Background: How BGP routing works? Border Gateway Protocol (BGP) No control over traffic path by design Traffic path AS Z AS Y AS C AS D AS X Destination Source Loop-free AS-path {D} { Z, D} { Y, Z, D} { X, Y, Z, D} BGP propagation Traffic forwarding 5

  6. Routing Around Congestion (RAC) : Rerouting using BGP poisoning [Smith et al ., S&P ’18] Loop detected! x AS collaboration Goal : reroute to avoid AS W is not needed! AS W Original path AS C AS X AS Z AS D AS Y Critical source Victim destination Switch to Detour path {D, W , D} detour path BGP poisoning message 6

  7. Will RAC defense still work against adaptive attackers ? 7

  8. Our contributions Adaptive detour-learning attack against rerouting solutions Practical challenge of mitigating adaptive detour-learning attack Future directions for transit-link DDoS defenses 8

  9. Adaptive detour-learning attack: Threat model Goals: (1) To detect rerouting in real-time (2) To learn new detour path accurately (3) To congest new detour path (see the paper) Capabilities: - Same botnets used in transit-link DDoS attack 9

  10. Adaptive detour-learning attack: (1) how to detect rerouting in real-time Rerouting is detected ! AS I traceroute AS W Original path Adaptive adversary AS C AS X AS Z AS D AS Y Critical source Victim destination Detour path 10

  11. Adaptive detour-learning attack: (2) how to learn detour path accurately Challenge : Which is more AS H accurate route measurement (3) congest detour path of actual detour path? (see the paper) AS G AS I Results: 94% of learned detour paths are correct closer AS Detour path (e.g., shorter AS-path) AS D AS Y AS X AS C Solution : Prioritize Critical source Victim destination measurement from bot closer AS E AS J to traffic source 11

  12. Our contributions Adaptive detour-learning attack against rerouting solutions Practical challenge of mitigating adaptive detour-learning attack Future directions for transit-link DDoS defenses 12

  13. How to defend against detour-learning attack? Detour AS I Detour path must be learned! isolated! AS W AS C AS X AS Z AS D AS Y Critical source Victim destination Exclusively used AS J for critical flows How to isolate? Poison all peers of ASes on detour path! 13

  14. Detour path isolation => poisoning too many ASes 1 1 Tier-1 or large Tier-2 Thousands 0.8 0.8 on the detour paths ASes should 0.6 0.6 (more in the paper) be poisoned CDF 0.4 But why ? 0.4 0.2 0.2 0 0 2 3 4 100 1000 10000 Number of ASes that should be poisoned 14

  15. Can we poison that many ASes? 1 1 Specification 0.8 0.8 0.6 0.6 0.4 CDF 0.4 0.2 0.2 Implementation 0 0 2034 2 3 4 100 1000 10000 255 Number of ASes that should be poisoned Specification Implementation Configuration up to 2034 up to 255 up to 30-50 15

  16. Confirmed : ISPs do not support poisoning > 255 ASes slowly decrease Number of in frequency Poisoning > 1,000 ASes is nearly impossible 50x drop observed 99.99% BGP in frequency => Detour path isolation is infeasible messages => Detour-learning attack is almost always possible 1 10 100 1000 30 255 Number of ASes seen in a BGP message 16 16

  17. Our contributions Adaptive detour-learning attack against rerouting solutions Practical challenge of mitigating adaptive detour-learning attack Future directions for transit-link DDoS defenses 17

  18. Desired defense property: destination-controlled routing Clean-slate Internet ? Hacking BGP architecture e.g., Routing Around e.g., explicit BGP rerouting e.g., STRIDE, SIBRA Congestion for critical flows under emergency ✕ Too costly to deploy ✕ Does not work 18

  19. Two Lessons Learned 19

  20. Lesson 1 Hacking the current Internet routing is a flawed idea! 20

  21. ü Adaptive attacks are possible ü Mitigation is hard ü Adaptive defense is slower than adaptive attacker (more in the paper) 21

  22. Lesson 2 Analysis of protocol specifications alone is insufficient ! 22

  23. Specification Implementation Configuration 23

  24. Conclusion • Detour-learning attacks are effective and hard to mitigate ü Transit-link DDoS attacks still remain an open problem • Suggestion on research direction ü Balance destination-controlled routing and deployability • 2 lessons learned: ü Hacking BGP for rerouting is a flawed idea ü Analysis with specification only can be dangerous 24

  25. Question? Muoi Tran muoitran@comp.nus.edu.sg

Recommend

On t On the F he Feas easibilit ibility o y of Re Rerouting-bas based D d DDoS D S Defens

On t On the F he Feas easibilit ibility o y of Re Rerouting-bas based D d DDoS D S Defens

On t On the F he Feas easibilit ibility o y of Re Rerouting-bas based D d DDoS D S Defens nses Mu Muoi Tran , Min Suk Kang, Hsu-Chun Hsiao, Wei-Hsuan Chiang, Shu-Po Tung, Yu-Su Wang May 2019 | San Francisco, CA Transit-link DDoS

548 views • 29 slides
When the Dike Breaks: Dissecting DNS Defenses During DDoS Giovane C. M. Moura 1 , 2 , John

When the Dike Breaks: Dissecting DNS Defenses During DDoS Giovane C. M. Moura 1 , 2 , John

When the Dike Breaks: Dissecting DNS Defenses During DDoS Giovane C. M. Moura 1 , 2 , John Heidemann 3 , Moritz Mller 1 , 4 , Ricardo de O. Schmidt 5 , Marco Davids 1 RIPE 77, Amsterdam, The Netherlands 2018-10-15 1 SIDN Labs, 2 TU Delft, 3

648 views • 38 slides
DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks DDoS Prevention Improving Performance Questions Glossary DDoS - Attempt to make a server or network resource unavailable to Internet

549 views • 30 slides
DDoS: Barbarians At The Gate(way) Examination of actors, tools and defenses #whoami Dave Lewis

DDoS: Barbarians At The Gate(way) Examination of actors, tools and defenses #whoami Dave Lewis

Text DDoS: Barbarians At The Gate(way) Examination of actors, tools and defenses #whoami Dave Lewis @gattaca dave@akamai.com It left me wanting Game Plan Actors Attacks Tools Trends Data Now what? Actors: For Hire Current(ish)

1.03k views • 77 slides
Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent

Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent

Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent the access to a computer system to it's legitimate users. DDoS: DoS attack on the network using a lot of different source IP Why:

327 views • 16 slides
Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation

Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation

Introduction: Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation Attacker signals slaves to launch an attack on a specific target address (victim). Slaves then respond by Comp290: Network

275 views • 9 slides
.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary

.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary

.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS A)ack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos A)acks Few Qmes

150 views • 13 slides
.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS Attack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos Attacks Few

606 views • 14 slides
DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology

DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology

1 DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology of work DDoS tactics in-the-wild and how to improve Ready, set, FACEPALM! Q&A ~$ whoami 3 Moshe Zioni, Head of Research,

656 views • 47 slides
Transport choice for Co-operative DDoS Mitigation 1 DDoS Transport Choice Message: DDoS victim

Transport choice for Co-operative DDoS Mitigation 1 DDoS Transport Choice Message: DDoS victim

Transport choice for Co-operative DDoS Mitigation 1 DDoS Transport Choice Message: DDoS victim to DDoS mitigation service SOS "I am getting DoSd" 2 DDoS Transport Choice SOS : Requirements Emergency signal.

247 views • 5 slides
Ca Catch ch M Me If Ca e If Can: A Cl A Clou oud-En -Enabled ed DDoS DDoS De Defen ense

Ca Catch ch M Me If Ca e If Can: A Cl A Clou oud-En -Enabled ed DDoS DDoS De Defen ense

Ca Catch ch M Me If Ca e If Can: A Cl A Clou oud-En -Enabled ed DDoS DDoS De Defen ense e Quan Jia, Huangxin Wang, Dan Fleck, Fei Li, Angelos Stavrou, Walter Powell Presented by Surya Mani Content u Motivation u Related Work u

262 views • 23 slides
Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster

Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster

Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster synergy among stakeholders to promote advancement in DDoS defense knowledge. Independent academic R&D division of Nexusguard building next

764 views • 44 slides
Preference Defenses: New Value Ordinary Preference Defenses: New Value, Ordinary Course and

Preference Defenses: New Value Ordinary Preference Defenses: New Value, Ordinary Course and

Presenting a live 90 minute webinar with interactive Q&A Preference Defenses: New Value Ordinary Preference Defenses: New Value, Ordinary Course and Contemporaneous Exchange Managing the Audit Process, Mitigating Regulatory Sanctions, and

893 views • 52 slides
Bypassing ISP and Enterprise Anti- DDoS with 90s technology Dennis Rand

Bypassing ISP and Enterprise Anti- DDoS with 90s technology Dennis Rand

So you think IoT DDoS botnets are dangerous Bypassing ISP and Enterprise Anti- DDoS with 90s technology Dennis Rand https://www.ecrimelabs.com @DennisRand About me Im a security researcher and founder of eCrimeLabs, based out of Denmark.

674 views • 48 slides
DDoS Last Class Fault tolerance Concurrency Naming This Class Networking How

DDoS Last Class Fault tolerance Concurrency Naming This Class Networking How

DDoS Last Class Fault tolerance Concurrency Naming This Class Networking How DDoS works UDP Data Client Server Response TCP DDoS Distributed denial-of-service attack Attacker targets a victim from a number of

356 views • 22 slides
A Guide About DDoS Attacks Understanding and anticipating DDoS Guillaume Valadon

A Guide About DDoS Attacks Understanding and anticipating DDoS Guillaume Valadon

A Guide About DDoS Attacks Understanding and anticipating DDoS Guillaume Valadon guillaume.valadon@ssi.gouv.fr RIPE 70 - May, 11 2015 ANSSI - http://www.ssi.gouv.fr/guide-ddos & https://goo.gl/UL8M1 1/12 ANSSI Created on July 7th 2009,

142 views • 12 slides
CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks https://www.reveelium.com/en/ddos-attacks-the-cyber-boogeyman-part-i/ DDoS Attacks 1,700 Gbps!! 2015 :-/

748 views • 20 slides
Cashing out the Great Cannon? On Browser-based DDoS Attacks and Economics G. Pellegrino (1) , C.

Cashing out the Great Cannon? On Browser-based DDoS Attacks and Economics G. Pellegrino (1) , C.

Cashing out the Great Cannon? On Browser-based DDoS Attacks and Economics G. Pellegrino (1) , C. Rossow (1) , F. J. Ryba (2) , T. C. Schmidt (3) , M. Whlisch (2) (1) CISPA / MMCI, Saarland University (2) Freie Universitt Berlin (3) HAW Hamburg

520 views • 36 slides
Distributed Denial of Service Attacks & Defenses Guest Lecture by: Vamsi Kambhampati Fall

Distributed Denial of Service Attacks & Defenses Guest Lecture by: Vamsi Kambhampati Fall

Distributed Denial of Service Attacks & Defenses Guest Lecture by: Vamsi Kambhampati Fall 2011 Distributed Denial of Service (DDoS) Exhaust resources of a target, or the resources it depends on Resources: CPU, Memory, Bandwidth

427 views • 23 slides
Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim

Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim

Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim fons.mijnen@os3.nl max.grim@os3.nl 2 DDoS attacks DDoS attacks are a problem internet users have faced for many years, and is still relevant today. 3 DDoS

531 views • 52 slides
A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin & Peter

A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin & Peter

A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin & Peter Reiher Manu Shantharam & David Hadka What is DoS? DoS A type of attack wherein access to computer resource / service is denied or

380 views • 18 slides
National Cybersecurity Center of Excellence Mitigating IoT-Based DDoS Build 1 Demonstration

National Cybersecurity Center of Excellence Mitigating IoT-Based DDoS Build 1 Demonstration

National Cybersecurity Center of Excellence Mitigating IoT-Based DDoS Build 1 Demonstration Presentation April 10, 2019 Challenge There will be 20.4 billion connected IoT devices by 2020 (per Gartner) As IoT devices become more common

671 views • 41 slides
DDoS Attack Landscapes Introduction General opinion AKA DDoS skeptics Denial of Service

DDoS Attack Landscapes Introduction General opinion AKA DDoS skeptics Denial of Service

DDoS Attack Landscapes Introduction General opinion AKA DDoS skeptics Denial of Service attacks are a fact of life on the Internet Service disruption Sometimes employed as a smoke screen What this talk is and

799 views • 23 slides
RSVP-TE Extensions for LSP Rerouting in NS2 D. Adami, C. Callegari, S. Giordano, M. Pagano

RSVP-TE Extensions for LSP Rerouting in NS2 D. Adami, C. Callegari, S. Giordano, M. Pagano

Workshop on IP QoS and Traffic Control RSVP-TE Extensions for LSP Rerouting in NS2 D. Adami, C. Callegari, S. Giordano, M. Pagano Department of Information Engineering - University of Pisa 6-7 December 2007 IST Congress Center, Lisbon,

590 views • 20 slides

More recommend