SPIFFY: Inducing Cost-Detectability Tradeoffs for Persistent Link-Flooding Attacks
Min Suk Kang, Virgil D. Gligor, Vyas Sekar
ECE Department and CyLab, Carnegie Mellon University
Feb 22, 2016
Large-scale link-flooding attacks
• Massive DDoS attacks against chosen target links in Internet infrastructure
[Figure labels: bots, ISP, end-point, target server(s)]
• Real-world examples: Spamhaus (March 2013), ProtonMail (Nov 2015)
• “Indistinguishability” of attack flows: bot-to-bot or bot-to-server attack flows (e.g., Coremelt [ESORICS’09], Crossfire [S&P’13])
Fundamental defense approach requires inter-ISP coordination
• “Routing Bottlenecks” [CCS’14] become the vulnerabilities exploitable by link-flooding attacks
[Figure labels: end-point, target server(s)]
• Removing routing bottlenecks => inter-ISP coordination
• Inter-ISP coordination requires global deployment of new protocols, bilateral agreement, and added infrastructure
=> Thus, we need a first line of defense that can be offered by a single ISP and can be immediately deployed
First line of defense without inter-ISP coordination
• Goal: attack deterrence
  – Deter rational, indistinguishable link-flooding adversaries
  – Rational: cost-sensitive and stealthy
  – Majority of DDoS adversaries are rational [Png et al. 2008]
• Sketch of solution
  – Bot detection at local ISP exploiting adversary’s cost-sensitive behavior
  – Bot detection can be circumvented when adversary accepts significant cost increase
  – Bot detection => cost-detectability tradeoff
Problem statement and solutions
• Problem: first line of defense for link-flooding attacks
• Solutions:
  – Deterrence of rational link-flooding adversaries
  – Cost-detectability tradeoffs based on bot detection
  – SPIFFY: system design for ISP networks
SPIFFY’s bot detection mechanism
[Figure labels: legitimate sender (degraded rate), attack bot (bot rate), targeted link L; the two flows are indistinguishable]
SPIFFY’s bot detection mechanism
[Figure labels: Temporary Bandwidth Expansion (TBE); legitimate sender: degraded rate, then increased rate; attack bot: bot rate, then not-increased rate; Distinguishable!]
• Attack bot must have already saturated upstream bandwidth
Why are bots supposed to be saturated?
[Figure labels: cost-sensitive adversary with a goal and a budget: “Let’s plan an attack”, “Buy some bots”, “Launch!”]
• Optimal operation strategy: … saturate upstream bandwidth
Why would legitimate senders increase rates in response to TBE?
• flow rate ≤ degraded rate
Why would legitimate senders increase rates in response to TBE?
• TBE: recovered normal flow rate (guaranteed)
• BEF_ideal = normal rate / degraded rate (Ideal Bandwidth Expansion Factor)
Bot detection circumvention => highly increased attack cost
[Figure labels: Temporary Bandwidth Expansion (TBE); legitimate sender: degraded rate, then increased rate; bot: degraded bot rate, then increased rate; targeted link L; indistinguishable]
Bot detection circumvention => highly increased attack cost
[Figure labels: Temporary Bandwidth Expansion (TBE); legitimate sender: degraded rate, then increased rate; bot: degraded bot rate, then increased rate; targeted link L; indistinguishable]
• Strategy => massive reduction of bots’ bandwidth utilization => massive increase in the number of required bots (by a factor of BEF_ideal)
• SPIFFY forces an unpleasant tradeoff:
  (1) undetectability but at highly increased cost;
  (2) low cost but easily detectable
SPIFFY challenges and solutions
• Challenge: fast TBE in typical ISPs
  – Solution: coordinated route changes
• Challenge: false identification of low-rate users
  – Solution: exemption for low-rate users
• Challenge: rate-change detection mechanism at scale
  – Solution: sketch-based rate-change detection [NSDI’13]
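The rate-change test and the tradeoff it forces can be worked through in a few lines. This is an added example, not code from the talk or from SPIFFY itself: the 50% decision threshold, the low-rate floor, the sender names and all sample rates are constructed assumptions, and only BEF_ideal = 10 is taken from the slides.

```python
import math

BEF_IDEAL = 10  # normal rate / degraded rate; the value used in the slides' simulation

def classify_senders(pre, during, bef_ideal, low_rate_floor, min_fraction=0.5):
    """Label each sender from its rate before and during a TBE.

    Assumptions (not from the slides): a sender counts as responsive when its
    rate-increase ratio reaches min_fraction * bef_ideal, and senders whose
    pre-TBE rate is below low_rate_floor are exempted from the test.
    """
    verdicts = {}
    for sender, before in pre.items():
        if before < low_rate_floor:
            verdicts[sender] = "exempt"  # low-rate user: no verdict either way
            continue
        ratio = during[sender] / before
        responsive = ratio >= min_fraction * bef_ideal
        verdicts[sender] = "legitimate" if responsive else "bot"
    return verdicts

def bots_required(link_capacity, bot_upstream, throttle=1):
    """Bots needed to fill link_capacity when each one sends bot_upstream / throttle."""
    return math.ceil(link_capacity * throttle / bot_upstream)

# Constructed sample rates in Mbps, measured before and during the TBE.
PRE = {"web-client": 0.5, "video-client": 0.8, "saturated-bot": 2.0,
       "throttled-bot": 0.2, "sensor": 0.01}
DURING = {"web-client": 4.8, "video-client": 7.5, "saturated-bot": 2.1,
          "throttled-bot": 2.0, "sensor": 0.01}

def demo():
    verdicts = classify_senders(PRE, DURING, BEF_IDEAL, low_rate_floor=0.05)
    cheap = bots_required(10_000, 2)                         # saturated, detectable
    stealthy = bots_required(10_000, 2, throttle=BEF_IDEAL)  # mimics a legitimate sender
    return verdicts, cheap, stealthy

if __name__ == "__main__":
    print(demo())
```

The throttled bot passes the test only because it used a tenth of its upstream bandwidth beforehand, so flooding the same link takes BEF_ideal times as many bots.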
Design of temporary bandwidth expansion
• Solution: coordinated, sudden route changes that handle large bandwidth expansion
• Software-defined networking (SDN) provides centralized control and traffic visibility
[Figure labels: SDN controller; sudden bandwidth expansion!; targeted link L]
• Linear programming formulation: we find the maximum available bandwidth expansion factor (BEF_avail) and new routes for a target link and a given network topology
Maximum available bandwidth expansion factor (BEF_avail) for 5 ISP networks
[Figure: BEF_avail with uniform link bandwidth and with non-uniform link bandwidth (1:2:8)]
• How to implement TBE with large BEF_ideal when BEF_avail < BEF_ideal?
• Randomized sequential TBE: we sequentially test only a random subset of senders at each TBE, providing them the ideal bandwidth expansion factor BEF_ideal
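A sketch of how randomized sequential TBE could be scheduled, as an added example that is not from the talk or the SPIFFY implementation. The subset-size rule is an assumed capacity model: all senders share one degraded rate, tested senders grow by BEF_ideal, untested senders stay put, so a fraction f fits when f·BEF_ideal + (1 − f) ≤ BEF_avail. The function names and sender labels are hypothetical.

```python
import random

def tbe_rounds(senders, bef_ideal, bef_avail, seed=None):
    """Split senders into random rounds so each round's subset can receive bef_ideal.

    Assumed model (not from the slides): equal degraded rates, so at most
    n * (bef_avail - 1) / (bef_ideal - 1) senders are tested per round.
    """
    senders = list(senders)
    n = len(senders)
    if bef_avail <= 1:
        raise ValueError("no spare bandwidth to expand into")
    if bef_avail >= bef_ideal:
        per_round = max(1, n)  # enough headroom to test everyone at once
    else:
        per_round = max(1, int(n * (bef_avail - 1) // (bef_ideal - 1)))
    random.Random(seed).shuffle(senders)  # random subsets, as the slide describes
    return [senders[i:i + per_round] for i in range(0, n, per_round)]

def relative_load(round_size, n, bef_ideal):
    """Offered load on the expanded paths, relative to the degraded load."""
    return (round_size * bef_ideal + (n - round_size)) / n

def demo():
    senders = [f"sender-{i}" for i in range(90)]  # constructed sender ids
    rounds = tbe_rounds(senders, bef_ideal=10, bef_avail=3, seed=7)
    worst = max(relative_load(len(r), len(senders), 10) for r in rounds)
    return rounds, worst

if __name__ == "__main__":
    rounds, worst = demo()
    print(len(rounds), "rounds; worst-case relative load", worst)
```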
Simulation for rate change behaviors
• Topology (BEF_ideal = 10)
• ns2 simulator with HTTP traffic generator (PackMime)
Simulation for rate change behaviors
[Figure: per-sender rate changes (individual per-sender rate, mean and stdev); TBE starts at 10.0 sec]
• Large rate-change ratio can be quickly measured (e.g., < 5 sec)
• Robust rate change behavior of legitimate senders in various environments (e.g., TCP variants, RTT changes, short flows)
Rate-increase ratios of bot and legitimate sender in SDN testbed
[Figure: rate increase ratio vs. time (sec) for a bot and a legitimate sender with TBE operation; TBE starts at t = 10 and ends at t = 15; normal rate / degraded rate = 10; annotations: bot identified, bot blocked]
Conclusion
• First line of defense for indistinguishable link-flooding attacks
  – Attack deterrence of rational adversaries
  – Cheaper/easier than inter-ISP coordination based defenses
• SPIFFY: system design for cost-detectability tradeoffs
  – Practical bot detection mechanism for large ISPs
  – SDN-based design for temporary bandwidth expansion
Thank you
minsukkang@cmu.edu