1 / 109

Defending Against Distributed Denial-of-Service Attack with Max-Min Fair Server-Centric Router Throttles Networking

This research paper discusses the deployment issues, system model, throttle algorithms, and simulation results for defending against distributed denial-of-service (DDoS) attacks. The goal is to protect servers from excessive service request arrivals over a global network.

hlyles
Download Presentation

Defending Against Distributed Denial-of-Service Attack with Max-Min Fair Server-Centric Router Throttles Networking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Defending Against Distributed Denial-of-Service Attack With Max-Min Fair Server-Centric Router Throttles Networking, IEEE/ACM Transactions Feb. 2005 Volume: 13,  Issue: 1 On page(s): 29- 42 Dept. of Comput. Sci., Purdue Univ., West Lafayette, IN, USA Presented by: Henrry, C.Y. Chiang (江政祐) OPLAB, Dep. of Information Management, NTU

  2. (1/11) About Authors • David K. Y. Yau (尤) • John C.S. Lui (呂) • Feng Liang (梁馮) • Yeung Yam (任楊) OPLAB, Dep. of Information Management, NTU

  3. (2/11) About Authors - David K. Y. Yau (尤) • David K. Y. Yau received the B.Sc. (first class honors) degree from the Chinese University of Hong Kong, and the M.S. and Ph.D. degrees from the University of Texas at Austin, all in computer science. OPLAB, Dep. of Information Management, NTU

  4. (3/11) About Authors - David K. Y. Yau (尤) • He was the recipient of an IBM graduate fellowship, and is currently an Associate Professor of Computer Science at Purdue University, West Lafayette, IN. • His other research interests are in network security, value-added services routers, and mobile wireless networking. OPLAB, Dep. of Information Management, NTU

  5. (4/11) About Authors - John C.S. Lui (呂) • John C.S. Lui received the Ph.D. degree in computer science from the University of California at Los Angeles. OPLAB, Dep. of Information Management, NTU

  6. (5/11) About Authors - John C.S. Lui (呂) (His current research interests) • Theoretical/applied topics in data networks • Distributed multimedia systems • Networks Security • OS design • Mathematical optimization • Performance evaluation OPLAB, Dep. of Information Management, NTU

  7. (6/11) About Authors - Feng Liang (梁馮) • Feng Liang received the B.S. and M.S. degrees in optical instruments from Zhejiang(浙江) University, P.R. China, in 1989 and 1992. OPLAB, Dep. of Information Management, NTU

  8. (7/11) About Authors - Feng Liang (梁馮) • He received the Ph.D. degree in optical instruments from the Shanghai Institute of Optics and Fine Mechanics, Chinese Academy of Sciences, Beijing, in 1995. • He is currently a Professor of telecommunications at Zhejiang(浙江) University of Technology. OPLAB, Dep. of Information Management, NTU

  9. (8/11) About Authors - Feng Liang (梁馮)(His current research interests) • Network Security • QoS in WLAN • Network management systems • Multimedia communications OPLAB, Dep. of Information Management, NTU

  10. (9/11) About Authors - Yeung Yam (任楊) • Yeung Yam received the B.S. and M.S. degrees in physics from the Chinese University of Hong Kong. OPLAB, Dep. of Information Management, NTU

  11. (10/11) About Authors - Yeung Yam (任楊) • He received the M.S. and Sc.D. degrees in aeronautics(航空學) and astronautics(太空航行學/航天學) from the Massachusetts Institute of Technology, Cambridge, MA, IN 1979 and 1983, respectively. • He joined the Chinese University of Hong Kong in 1992 and is currently a Professor in the Department of Automation and Computer-Aided Engineering. OPLAB, Dep. of Information Management, NTU

  12. (11/11) About Authors - Yeung Yam (任楊) (His current research interests) • Analysis • Design • Identification of control systems OPLAB, Dep. of Information Management, NTU

  13. Today’s Agenda • Introduction • Deployment Issues • System Model • Throttle Algorithms • General Mathematical Model • Packet Network Simulation Results • System Implementation • Related Work • Conclusion OPLAB, Dep. of Information Management, NTU

  14. Today’s Agenda • Introduction • Deployment Issues • System Model • Throttle Algorithms • General Mathematical Model • Packet Network Simulation Results • System Implementation • Related Work • Conclusion OPLAB, Dep. of Information Management, NTU

  15. (1/15) ①Introduction • In A DISTRIBUTED denial-of-service (DDoS) attack, a cohort of malicious or compromised hosts (the “zombies”) coordinate to send a large volume of aggregate traffic to a victim server. • In such an episode, server resources are usually under much more stress than resources of the connecting network. OPLAB, Dep. of Information Management, NTU

  16. (2/15) ①IntroductionThere are two reasons • First, commercial servers are typically hosted by ISP’s at web centers quite close to the backbone network with high capacity pipes. • Second, the server will generally see the full force of the attack traffic, which has gone through aggregation inside the network. OPLAB, Dep. of Information Management, NTU

  17. (3/15) ①Introduction • Hence, the server system can become totally incapacitated under extreme overload conditions. • We view DDoS attacks as a resource management problem. • Our goal in this paper is to protect a server from having to deal with excessive service request arrivals over a global network OPLAB, Dep. of Information Management, NTU

  18. (4/15) ①IntroductionTo do so, we adopt a proactive approach • Before aggressive packets can converge to overwhelm a server, we ask routers along forwarding paths to regulate the contributing packet rates to more moderate levels, thus forestalling an impending attack. • The basic mechanism is for a server under stress, say S, to install a router throttle at an upstream router several hops away. OPLAB, Dep. of Information Management, NTU

  19. (5/15) ①IntroductionTo do so, we adopt a proactive approach • The throttle limits the rate at which packets destined for S will be forwarded by the router. • Traffic that exceeds the rate limit can either be dropped or rerouted to an alternate server. • We will focus exclusively on the dropping solution in this paper OPLAB, Dep. of Information Management, NTU

  20. (6/15) ①IntroductionOur negotiation approach is server-initiated • The appropriate throttles should depend on the current demand distributions, and so must be negotiated dynamically between server and network. • A server operating below the designed load limit needs no protection, and need notinstall any router throttles OPLAB, Dep. of Information Management, NTU

  21. (7/15) ①Introduction • As server load increases and crosses the designed load limit Us, however, the server may start to protect itself by installing and activating a rate throttle at a subset of its upstream routers. • On the other hand, if the server load falls below a low-water mark Ls ( where Ls < Us ), then the throttle rate is increased (i.e., relaxed). OPLAB, Dep. of Information Management, NTU

  22. (8/15) ①Introduction • The goal of the control algorithm is to keep the server load within [Ls, Us] whenever a throttle is in effect. OPLAB, Dep. of Information Management, NTU

  23. (9/15) ①IntroductionOur implementation results indicate (i) • Throttling requires only looking up the IP destination address of a packet • It has essentially the same processing complexity as standard IP forwarding • Adds little computational overhead at deployment router. OPLAB, Dep. of Information Management, NTU

  24. (10/15) ①IntroductionOur implementation results indicate (ii) • The amount of state information needed at a router is nevertheless linear in the number of installed throttles. • Hence, it may not be possible for the routers to maintain state about every Internet server. OPLAB, Dep. of Information Management, NTU

  25. (11/15) ①Introduction • The approach can be feasible as an on-demand and selective protection mechanism. • The premise is that DDoS attacks are the exception rather than the norm. • At any given time, we expect at most only a minor portion of the network to be under attack. OPLAB, Dep. of Information Management, NTU

  26. (13/15) ①IntroductionOur Contributions: • We contribute to the fundamental understanding of router throttling as mechanism against DDoS attacks. • We present an adaptive throttle algorithm that can effectively protect a server from resource overload. OPLAB, Dep. of Information Management, NTU

  27. (14/15) ①IntroductionOur Contributions: • And increase the ability of good user traffic to arrive at the intended server. • We show how max-min fairness can be achieved across a potentially large number of flows. • And the implication of a notion of level-k max-min fairness on DDoS attacks. OPLAB, Dep. of Information Management, NTU

  28. (15/15) ①IntroductionOur Contributions: • We study how throttling may impact real application performance.(HTTP web server) • We present system implementation results to quantify the deployment overhead of router throttling. OPLAB, Dep. of Information Management, NTU

  29. Today’s Agenda • Introduction • Deployment Issues • System Model • Throttle Algorithms • General Mathematical Model • Packet Network Simulation Results • System Implementation • Related Work • Conclusion OPLAB, Dep. of Information Management, NTU

  30. (1/7) ②Deployment Issues • First, our trust model is that routers in the defense network trust each other, but they do not necessarily trust the network users. • Establishing trust relationships between the different domains, such that requests domains, is challenging and not addressed in the present work. OPLAB, Dep. of Information Management, NTU

  31. (2/7) ②Deployment Issues • Second, our approach is most useful under the assumption that attackers are significantly more aggressive than regular users. • However, it does require more effort on the part of a malicious entity to assemble a large number of attack machines each behaving as a regular machine. OPLAB, Dep. of Information Management, NTU

  32. (3/7) ②Deployment Issues • Third, since attackers can be highly unpredictable, it is inherently difficult to exhaustively model attacker behavior using only simulation experiments. • Currently, these parameters must be chosen based on estimates of the operating conditions and user policies to balance system stability versus responsiveness. OPLAB, Dep. of Information Management, NTU

  33. (4/7) ②Deployment Issues • Adaptively and automatically learning the best control parameters in a general setting is interesting and requires future research. OPLAB, Dep. of Information Management, NTU

  34. (5/7) ②Deployment Issues(we do not need full IP multicast support between routers) • Fourth, we assume that a protected server will send throttle requests to deployment routers by multicast because it is the most natural communication paradigm for our purpose. • Using topology information known to routers in an ISP, routers can simply forward a throttle request to upstream routers. OPLAB, Dep. of Information Management, NTU

  35. (6/7) ②Deployment Issues • Fifth, our study assumes that router throttling is supported in a specified set of deployment routers. • If the assumption is not true, then we must be able to identify at least one alternative supporting router on each network path. • This will then add the overhead of control message exchanges between routers to identify supporting routers OPLAB, Dep. of Information Management, NTU

  36. (7/7) ②Deployment Issues • Lastly, priority transmission techniques should be investigated to ensure the reliable and timely delivery of throttle messages from source to destination. OPLAB, Dep. of Information Management, NTU

  37. Today’s Agenda • Introduction • Deployment Issues • System Model • Throttle Algorithms • General Mathematical Model • Packet Network Simulation Results • System Implementation • Related Work • Conclusion OPLAB, Dep. of Information Management, NTU

  38. (1/9) ③System Model • We model a network as a connected graph G = (V,E), where V is the set of nodes and E is the set of edges. • All leaf nodes are hosts and thus can be a traffic source. Hosts are not trusted. • An internal node is a router; a router cannot generate traffic, but can forward traffic received from its connected hosts or peer routers. OPLAB, Dep. of Information Management, NTU

  39. (2/9) ③System Model • We denote by R the set of internal routing nodes (routers). All routers are assumed to be trusted. • The set of hosts, H = V – R, is partitioned into the set of ordinary “good” users, Hg, and the set of attackersHa. • E models the network links, which are assumed to be bi-directional. OPLAB, Dep. of Information Management, NTU

  40. (3/9) ③System Model • Router do not exchange control information between each other beyond passing on throttle requests. • The target server makes all control decisions and then instructs the deployment routers to implement the decisions accordingly. OPLAB, Dep. of Information Management, NTU

  41. (4/9) ③System Model • A good user sends packets to S at some rate chosen from the range [0,rg]. • An attacker sends packets to S at some rate chosen from the range [0, ra]. • rgcan usually be set to a reasonable level according to how users normally access the service at S (we assume rg << Us). • We target the kind of attack in which ra is significantly higher than rg. OPLAB, Dep. of Information Management, NTU

  42. (5/9) ③System Model • This is because if every attacker sends at a rate comparable to a good user, then an attacker must recruit or compromisea large number of hosts to launch an attack with sufficient traffic volume. OPLAB, Dep. of Information Management, NTU

  43. (6/9) ③System Model • The throttle does not have to be deployed at every router. • The deployment points are parameterized by a positive integer k and are given by R(k)⊆ R. • Specifically, R(k) contains all the routers that are either k hops away from S or less than k hops away from S but are directly connected to a host. OPLAB, Dep. of Information Management, NTU

  44. (7/9) ③System Model(Square:Host Round:Router) OPLAB, Dep. of Information Management, NTU

  45. (8/9) ③System Model • Given our system model, an important research problem is how to achieve fair rate allocation of the server capacity among the routers in R(k). • To that end, we define the following notion of level-k max-min fairness: OPLAB, Dep. of Information Management, NTU

  46. (9/9) ③System Model OPLAB, Dep. of Information Management, NTU

  47. Today’s Agenda • Introduction • Deployment Issues • System Model • Throttle Algorithms • General Mathematical Model • Packet Network Simulation Results • System Implementation • Related Work • Conclusion OPLAB, Dep. of Information Management, NTU

  48. (1/15) ④Throttle Algorithms(A. Baseline Algorithm) • We first present a baseline algorithm in which each router throttles traffic for S by forwarding only a fraction f (0 ≤ f ≤ 1) of the traffic. • In adjusting f according to current server congestion, the algorithm mimics TCP congestion control. OPLAB, Dep. of Information Management, NTU

  49. (2/15) ④Throttle Algorithms(A. Baseline Algorithm) • Specifically, f is reduced by a multiplicative factor αwhen S is congested and sends the router a rate reduction signal. • It is increased by an additive constant β- subject to the condition that f ≤ 1 – when S has extra capacity and sends the router a rate increase signal. OPLAB, Dep. of Information Management, NTU

  50. (3/15) ④Throttle Algorithms(A. Baseline Algorithm) • The baseline algorithm that S runs is specified in Fig. 2. • It is to be invoked when either : • the current server load (measured as traffic arrival rate to S) crosses Us, or • a throttle is in effect and the current server load drops below Ls. OPLAB, Dep. of Information Management, NTU

More Related