Terminus: Towards a Network-Level Deployable Architecture Against Distributed Denial-of-Service Attacks (slide deck)

  1. Terminus: Towards a Network-Level Deployable Architecture Against Distributed Denial-of-Service Attacks
     Felipe Huici and Mark Handley, Networks Research Group, Department of Computer Science, University College London

  2. Overview
     • Terminus architecture
     • Protecting the architecture
     • Performance results

  3. Terminus Architecture

  4. No Magic Bullet
     • Need minimal IP-level changes that raise the bar for the attacker
     • Difficult deployment issues:
       – Can't change the hosts
       – Too expensive to change the network core
     • These constraints point towards reactive solutions at edge ISPs

  5. Architecture Introduction
     [Diagram: attacker A at a source ISP and server S at a destination ISP, connected across the Internet; "detect" happens at S's ISP, "filter" at A's ISP]
     • General idea
       – Identify attack traffic at the destination
       – Request that the traffic be filtered
       – Block attack traffic at the source ISP's filtering box
     • Pretty obvious...
       – The architecture's novelty lies in meeting these criteria robustly and with minimum mechanism.

  6. Terminus Architecture
     [Diagram: ISPs A and B each with a border patrol (BP) and a border manager (BM); ISP C hosts the victim S, an IDS and a filter manager (FM); a "Block A" request travels from ISP C's FM over the Internet to the BM of the ISP hosting A]
     Legend: IDS = intrusion detection, BP = border patrol, BM = border manager, FM = filter manager

  7. Traffic Marking
     • Problem
       – Need to know the origin of attack packets
         • Must send the filter request to the right place
       – The IP source address cannot be trusted
         • It can be spoofed
     • Solve by adding a "true-source" (TS) bit to packets
       – Only Terminus ISPs that perform ingress filtering can set the bit

  8. Preventing True-Source Bit Spoofing
     • The edge router of a Terminus ISP on a link to a legacy ISP clears this bit (TS = 0) on every packet arriving over that link
     [Diagram: a mix of Terminus and legacy ISPs (A to G); routers E1, E2, F1, F2, G1 and G2 sit on the links to legacy ISPs E, F and G and set TS = 0]

  9. Protecting the Architecture
     1. Attackers in legacy ISPs
     2. Malicious filtering requests
     3. Spoofed traffic triggering filtering requests
     4. Reflection attacks

  10. Problem 1: Defending Against Attackers at Legacy ISPs
     • During the initial deployment stages, legacy ISPs will be the norm
     • Use the true-source bit to prioritize traffic at the destination ISP's peering routers
       – Implement the true-source bit as a diffserv code point
     [Diagram: attacker A in legacy ISP A sends TS = 0 traffic and client C in Terminus ISP B sends TS = 1 traffic towards server S; router D1 at ISP D's edge prioritizes the TS = 1 packets]

  11. Problem 2: Filtering Requests
     [Diagram: attacker A, victim S, the FM at S's ISP and the BM and BP at A's ISP]
     • Where to send the request?
       – A digitally signed p2p mechanism distributes source-to-BM mappings
     • Where can a request come from?
       – The same mechanism distributes signed destination-to-FM mappings
       – The BM checks whether that FM is allowed to request a filter for the destination
     • The BM must validate the source of a filtering request
       – It cannot rely on TS = 1, since the path may be asymmetric
       – A simple nonce exchange validates the FM
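The border-manager checks on this slide, as an added example that is not code from the Terminus authors or their paper. The signed destination-to-FM mappings are modelled with an HMAC under a shared key standing in for the p2p signature scheme (an assumption made for the example), and the nonce exchange runs in-process over a simulated network so it works offline. Every prefix, address and key below is constructed for the example.

```python
"""Added example (not the Terminus authors' code): a border manager (BM)
validating a filtering request. It (1) accepts only destination-to-FM
mappings whose signature verifies, (2) checks that the claimed FM is the one
authorised for the destination, and (3) challenges that FM with a nonce sent
to the address taken from the mapping, not to the request's source address.
Assumptions: HMAC stands in for the signed p2p distribution; addresses,
prefixes and the key are constructed."""
import hashlib
import hmac
import secrets
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

MAPPING_KEY = b"example-mapping-signing-key"  # stand-in for the real signing key


def sign_mapping(prefix: str, fm_addr: str) -> bytes:
    """Stand-in 'signature' over a destination-prefix -> FM-address mapping."""
    return hmac.new(MAPPING_KEY, f"{prefix}|{fm_addr}".encode(), hashlib.sha256).digest()


class FilterManager:
    """Victim-side FM: issues requests and answers nonces only for its own requests."""

    def __init__(self, addr: str) -> None:
        self.addr = addr
        self.pending: Dict[str, Tuple[str, str]] = {}

    def request(self, bm: "BorderManager", dst: str, src_to_block: str) -> str:
        req_id = secrets.token_hex(8)
        self.pending[req_id] = (dst, src_to_block)
        return bm.handle_request(self.addr, req_id, dst, src_to_block)

    def answer_nonce(self, req_id: str, nonce: bytes) -> Optional[bytes]:
        # A forged request carries an id this FM never issued, so no echo.
        return nonce if req_id in self.pending else None


class BorderManager:
    """Source-side BM: the slide's three checks, then a filter push to the BP."""

    def __init__(self, mappings: List[Tuple[str, str, bytes]],
                 network: Dict[str, FilterManager]) -> None:
        self.fm_for = {}
        for prefix, fm_addr, sig in mappings:
            # Only mappings distributed with a valid signature are trusted.
            if hmac.compare_digest(sig, sign_mapping(prefix, fm_addr)):
                self.fm_for[ip_network(prefix)] = fm_addr
        self.network = network          # simulated reachability: addr -> FM
        self.installed: List[Tuple[str, str]] = []   # (src, dst) filters handed to the BP

    def authorized_fm(self, dst: str) -> Optional[str]:
        for net, fm_addr in self.fm_for.items():
            if ip_address(dst) in net:
                return fm_addr
        return None

    def handle_request(self, claimed_fm: str, req_id: str, dst: str, src_to_block: str) -> str:
        fm_addr = self.authorized_fm(dst)
        if fm_addr is None or fm_addr != claimed_fm:
            return "rejected: FM not authorized for destination"
        # TS = 1 on the request is not enough (paths may be asymmetric), so
        # challenge the FM at the address from the signed mapping.
        nonce = secrets.token_bytes(16)
        fm = self.network.get(fm_addr)
        reply = fm.answer_nonce(req_id, nonce) if fm else None
        if reply is None or not hmac.compare_digest(reply, nonce):
            return "rejected: nonce exchange failed"
        self.installed.append((src_to_block, dst))
        return "installed"


def scenario() -> Tuple[str, str, str, List[Tuple[str, str]]]:
    """Constructed scenario: one honest request, one for a destination the FM
    does not own (its mapping has a bad signature), and one forged request."""
    fm_c = FilterManager("198.51.100.1")
    mappings = [
        ("198.51.100.0/24", "198.51.100.1", sign_mapping("198.51.100.0/24", "198.51.100.1")),
        ("203.0.113.0/24", "203.0.113.1", b"bogus-signature"),   # rejected at load time
    ]
    bm = BorderManager(mappings, {"198.51.100.1": fm_c})
    legit = fm_c.request(bm, "198.51.100.5", "192.0.2.10")
    wrong_dst = fm_c.request(bm, "203.0.113.9", "192.0.2.10")
    forged = bm.handle_request("198.51.100.1", "deadbeef", "198.51.100.5", "192.0.2.20")
    return legit, wrong_dst, forged, bm.installed


if __name__ == "__main__":
    print(scenario())
```

The forged request is the interesting case: the attacker can name the right FM address, but the BM sends the nonce to that FM's real address, and the FM refuses to echo a nonce for a request id it never issued, so no filter is installed.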

  12. Problem 3: Triggering Requests Through Spoofing
     [Diagram: attacker A in legacy ISP B sends packets with TS = 0 and src = C (a host in ISP A) to S in ISP C; the erroneous request would be "Block C", sent to ISP A's BM]
     • Scenario: the attacker is in a legacy ISP that allows spoofing
     • Solution: do not issue a filtering request if TS = 0
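The data-plane side of slides 7, 8, 10 and 12 as one added example (not code from the Terminus slides, paper or authors): an edge router that sets the TS bit only for packets passing ingress filtering on a customer link and clears it on links to legacy ISPs, a peering router that serves TS = 1 packets first, and the IDS/FM rule of never requesting a filter for a TS = 0 source. Which DSCP bit carries TS, the packet model and all prefixes and addresses are assumptions made for the example.

```python
"""Added example (not the authors' code): a toy model of the true-source (TS)
bit carried as a diffserv code point. Assumptions: TS is the top bit of the
6-bit DSCP field, links are 'customer', 'terminus' or 'legacy', and all
prefixes and addresses are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

TS_BIT = 0x20  # assumption: TS = most significant bit of the DSCP field


@dataclass
class Packet:
    src: str
    dst: str
    dscp: int = 0   # 6-bit diffserv code point

    def ts(self) -> bool:
        return bool(self.dscp & TS_BIT)


@dataclass
class Link:
    """An interface and the ingress policy the slides describe for it."""
    kind: str                                           # "customer", "terminus" or "legacy"
    prefixes: List[str] = field(default_factory=list)   # prefixes allowed to send on a customer link


def ingress(pkt: Packet, link: Link) -> Optional[Packet]:
    """Edge-router rules. Returns the re-marked packet, or None if dropped."""
    if link.kind == "customer":
        # Slide 7: only a source that passes ingress filtering may be marked TS = 1.
        if any(ip_address(pkt.src) in ip_network(pfx) for pfx in link.prefixes):
            return Packet(pkt.src, pkt.dst, pkt.dscp | TS_BIT)
        return None   # spoofed source address: dropped at ingress
    if link.kind == "legacy":
        # Slide 8: nothing arriving from a legacy ISP may keep TS = 1.
        return Packet(pkt.src, pkt.dst, pkt.dscp & ~TS_BIT)
    # Terminus peer: its own edge already applied the rules above.
    return pkt


def schedule(queue: List[Packet]) -> List[Packet]:
    """Slide 10: the peering router serves TS = 1 packets before TS = 0 ones.
    sorted() is stable, so arrival order is kept within each class."""
    return sorted(queue, key=lambda p: 0 if p.ts() else 1)


def filter_requests(attack_pkts: List[Packet]) -> List[str]:
    """Slide 12: the IDS/FM asks to block a source only when the packets that
    implicate it carry TS = 1; a TS = 0 source address may be spoofed."""
    return sorted({p.src for p in attack_pkts if p.ts()})


if __name__ == "__main__":
    customer = Link("customer", ["192.0.2.0/24"])
    legacy = Link("legacy")
    honest = ingress(Packet("192.0.2.10", "198.51.100.5"), customer)
    spoofed = ingress(Packet("192.0.2.10", "198.51.100.5", TS_BIT), legacy)
    print([(p.src, p.ts()) for p in schedule([spoofed, honest])])
    print("requests:", filter_requests([spoofed]), filter_requests([honest]))
```

In the script's own scenario the attacker in the legacy ISP sets the DSCP bit himself and spoofs C's address; the legacy-facing edge clears the bit, the victim's peering router queues the packet behind TS = 1 traffic, and the FM issues no "Block C" request for it.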

  13. Problem 4: Reflection Attacks
     • In a reflection attack
       – The attacker spoofs requests using the victim's address
       – The requests are sent to third-party servers (reflectors)
       – The response flood overwhelms the victim
     • For the most part, Terminus is unaffected, except when:
       – The reflector is in a Terminus ISP
       – There is a Terminus path between the reflector and the victim

  14. Reflection Attacks
     [Diagram: attacker A in legacy ISP A sends spoofed requests (SRC: S, TS: 0) to reflector R in Terminus ISP B; R's responses to S in Terminus ISP C pass the egress patrol (EP) and border patrol (BP) with TS: 1; Terminus ISPs D and E also shown]

  15. Performance Results

  16. Border Patrol Parallelism
     [Diagram: 64-byte packets; uniprocessor (UP) border patrol with all interfaces' filters on one CPU versus SMP border patrol with the interfaces' filters split across cpu0 and cpu1]

  17. Summary
     • Presented Terminus, a deployable architecture against large DDoS attacks that uses minimum mechanism
     • Robust against attack
     • Performs well even on cheap hardware
     Terminus: god of boundaries
     Paper under submission, URL: http://www.cs.ucl.ac.uk/staff/F.Huici/publications/terminus-lsad.pdf

  18. Additional Slides

  19. Motivation
     • The majority of operators spend more resources on DDoS than on any other security threat
     • Attack firepower is increasing
     • The majority of ISPs mitigate attacks by filtering all traffic to the victim
     • Attacks happen in the thousands per day
     Sources: Symantec Internet Security Threat Report XI and Arbor Worldwide Infrastructure Security Report 2006

  20. Triggering Requests Through Spoofing
     [Diagram: Terminus ISP B with border patrols BP1 and BP2; attacker A sends packets with src = C towards victim S]
     • Scenario 2: the attacker is in the same Terminus ISP as the victim, but behind a different BP

  21. Triggering Requests Through Spoofing
     [Diagram: attacker A and victim S behind the same border patrol BP in Terminus ISP B; A sends packets with src = C]
     • Scenario 3: the attacker is behind the same BP as the victim

  22. Control Plane Performance
     • Filter manager
       – 75,000 requests/sec
       – The biggest botnets have about 1,500,000 hosts: all filtered in 20 seconds
     • Border manager
       – 87,000 requests/sec
     • Border patrol
       – 354,000 requests/sec (in batches of 100 filters)

  23. Setup
     • Testbed
       – Non-blocking Force10 E1200 switch
     • Computers
       – Inexpensive 1U servers
       – Two dual-core processors at 2.66 GHz
       – Two dual-port Gigabit Ethernet cards
     • Software
       – Linux 2.6
       – Click modular router for the forwarding plane
       – C++ for the control plane

  24. Protecting Terminus' Components
     • Border and egress patrols
       – Not externally visible
     • Border manager
       – Off the fast path
       – Low return on investment for an attacker
     • Filter manager
       – Off the fast path
       – Only has to handle incoming nonces, which have priority at the edge

  25. BP Forwarding Plane – HashFilter
     [Diagram: UP border patrol with a chain of IngressFilter (IF) and HashFilter (HF) elements per interface on one CPU, versus SMP border patrol with the chains split across cpu0 and cpu1]
     Legend: IF = IngressFilter, HF = HashFilter

  26. BP Forwarding Plane – HashFilter
     Worst-case conditions used for the measurements:
     • All filters hash to the same chain
     • All packets fully traverse the chain before being forwarded

  27. BP Forwarding Plane – IngressFilter
     • Packets are forced to be looked up against all prefixes before being forwarded
