Optical-Aware DDoS Defense
Matt Hall, Ramakrishnan Durairajan, Guyue (Grace) Liu, Vyas Sekar

DDoS Attacks
• A persistent threat on the global Internet
• Working from home → new online tools for collaboration
• New tools → new attack vectors
• 2019 Q4 largest attack was 200 Gbps (https://www.nexusguard.com/threat-report-q4-2019)
• Attacks are numerous in variety:
  • Direct, Transit-Link, DNS-Amplification, SYN-Flooding, etc.

DDoS Defenses
• Defense has been an infrastructure problem
• Add packet filters, cloud scrubbing facilities, middle-boxes, etc.
• Infrastructure solutions lead to attacker/defender arms races
• Stronger attacks → more scrubbers → stronger attacks …

Routing Around Congestion (RAC)
• Smith et al. proposed routing around congestion at S&P 2018.
• Relies on BGP route poisoning to recover traffic from a critical AS
• Tran et al. show this defense is infeasible at S&P 2019.
• Trade-off between path availability and isolation
• New detour-learning attacks

My Research: Optical-Aware RAC
• Deploy RAC defense at the optical layer
• Physically separate suspicious/trusted traffic
• Remove the trade-off from BGP-poisoning RAC defense.

Benefits of Optical-Aware RAC
• Better performance for trusted traffic
• Scrubbers can handle larger attacks

System Architecture
• Integrating optical systems with other network control and automation systems is complex but not infeasible
• In fact, it is necessary for defending against future attacks of growing scale
• Open Network Operating System (ONOS) is a system that can be used to achieve this goal
• Optical-Aware DDoS defense can be implemented as an ONOS application

Lab Evaluation (Work in progress)
• Two servers host a set of VMs
• VMs use the optical network with four links
• ONSET dynamically switches trusted traffic to an isolated link during an attack.

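An added example, not from the slides or the authors' ONSET system: a toy model of the four-link lab setup that compares trusted throughput when trusted flows share links with attack traffic against the case where they are switched to an isolated link. The link capacity, flow demands, per-flow max-min fair sharing, the assumption that flows are already labelled trusted or suspicious, and all function names are assumptions made for illustration.

```python
# Toy model (added illustration): four links, as on the lab slide.
# Capacities, demands and per-flow max-min fair sharing are assumptions.
LINK_GBPS = 10.0  # assumed per-link capacity
NUM_LINKS = 4

def max_min_share(demands, capacity):
    """Water-filling: max-min fair rates for flows sharing one link."""
    rates = [0.0] * len(demands)
    pending = sorted(range(len(demands)), key=lambda i: demands[i])
    remaining = capacity
    while pending:
        fair = remaining / len(pending)
        i = pending[0]
        if demands[i] > fair:  # every remaining flow is capped at the fair share
            for j in pending:
                rates[j] = fair
            break
        rates[i] = demands[i]  # smallest demand fits; hand its leftover to the rest
        remaining -= demands[i]
        pending.pop(0)
    return rates

def trusted_throughput(flows, placement):
    """flows: list of (demand_gbps, is_trusted); placement: link index per flow."""
    total = 0.0
    for link in range(NUM_LINKS):
        on_link = [i for i, l in enumerate(placement) if l == link]
        rates = max_min_share([flows[i][0] for i in on_link], LINK_GBPS)
        total += sum(r for i, r in zip(on_link, rates) if flows[i][1])
    return total

def shared_placement(flows):
    """Before switching: all flows spread round-robin over every link."""
    return [i % NUM_LINKS for i in range(len(flows))]

def isolated_placement(flows, trusted_link=0):
    """After switching: trusted flows alone on one link, the rest on the others."""
    others = [l for l in range(NUM_LINKS) if l != trusted_link]
    placement, k = [], 0
    for _, trusted in flows:
        placement.append(trusted_link if trusted else others[k % len(others)])
        k += 0 if trusted else 1
    return placement

# Constructed sample: 4 trusted flows of 2 Gbps, 36 attack flows of 5 Gbps.
SAMPLE = [(2.0, True)] * 4 + [(5.0, False)] * 36

if __name__ == "__main__":
    print("shared  :", trusted_throughput(SAMPLE, shared_placement(SAMPLE)), "Gbps")
    print("isolated:", trusted_throughput(SAMPLE, isolated_placement(SAMPLE)), "Gbps")
```

In this constructed scenario the trusted flows receive half of their 8 Gbps demand while sharing links with attack flows and the full demand once isolated.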
Future work
• Collect data from lab evaluation
  1) Throughput for trusted traffic
  2) Switching time
• Simulate optical-aware RAC for larger topologies
  1) Possibly use CAIDA’s AS graph
  2) Internet Topology Zoo, or Internet Atlas graphs.