1 / 36

Bohatei: Flexible and Elastic DDoS Defense

Bohatei is a practical ISP-scale system that provides flexible and elastic DDoS defense through Software-Defined Networking (SDN) and Network Functions Virtualization (NFV). It allows for effective defense against DDoS attacks, even up to 500 Gbps in scale, in just one minute.

barbaran
Download Presentation

Bohatei: Flexible and Elastic DDoS Defense

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Bohatei: Flexible and Elastic DDoS Defense Seyed K. Fayaz, Yoshiaki Tobioka, Vyas Sekar, Michael Bailey https://github.com/ddos-defense/bohatei

  2. DDoS attacks are getting worse High cost on victims Increasing in number Increasing in volume Increasing in diversity Incapsula, 11/12/2014 Threatpost, 7/31/2015 The New York Times, 3/30/2015 Imperva, 2015 Cloudflare, 3/27/2013 Techworld, 7/16/2014 Arbor Networks, 2/14/2014 Radware, 10/7/2014

  3. DDoS Defense Today: Expensive Proprietary Hardware Assets Intranet

  4. Limitation: Fixed functionality What if new types of attacks emerge? Assets Intranet

  5. Limitation: Fixed capacity attack vol.(Gbps) fixed capacity waste waste t1 t2 t4 t3 time Intranet Assets

  6. Limitation: Fixed location • Additional traffic latency due to waypointing • Routing hacks to enforce defense destination ✗ shortest path source

  7. Need flexibility w.r.t. attack type Assets Today: Hardware appliance res. footprint=240Gbps Today: Hardware appliance res. footprint=240Gbps

  8. Need Flexibility w.r.t Attack Locations B A Assets C Today: Hardware appliance res. footprint=240Gbps Today: Hardware appliance res. footprint=240Gbps

  9. Need Elasticity w.r.t. Attack Volume Assets Today: Hardware appliance res. footprint=240Gbps Today: Hardware appliance res. footprint=240Gbps

  10. Bohatei in a nutshell.. A practical ISP-scale system for Flexible and Elastic DDoS Defense via Software-Defined Networking (SDN) &Network Functions Virtualization (NFV)  React to 500 Gbps scale attacks in 1 min!

  11. Outline Motivation Background on SDN/NFV Bohatei overview and challenges System design Implementation Evaluation Conclusions

  12. Software-Defined Networking (SDN) Centralized management + Open configAPIs Controller

  13. Network Functions Virtualization (NFV) Today: Standalone and Specialized Proxy Firewall IDS/IPS AppFilter Commodity hardware

  14. Why are SDN/NFV useful for DDoS defense? Expensive Fixed functionality Fixed capacity Fixed location NFV SDN Our Work: Bring these benefits to DDoS Defense

  15. Outline Motivation Background on SDN/NFV Bohatei overview and challenges System design Implementation Evaluation Conclusions

  16. Bohatei Vision: Flexible + Elastic Defense via SDN/NFV defense policy SDN/NFV Controller attack traffic VM DC2 customer intranet DC1 ISP

  17. Bohatei Controller Workflow Strategy layer Predict attack pattern Resource management Decide how many VMs, what types, where Network orchestration Configure network to route traffic

  18. Threat model: general, dynamic adversaries • Targets one or more customers • Attacker has a fixed “budget” w.r.t. total attack volume do{ Pick_Target() Pick_Attack_Type() Pick_Attack_Volume() Pick_Attack_Ingress() Observe_and_Adapt() }

  19. Bohatei Design Challenges Resilient to adaptation? Strategy layer Predict attack pattern Resource management Fast algorithms? Decide how many VMs, what types, where Network orchestration Scalable SDN? Configure network to route traffic

  20. Outline Motivation Background on SDN/NFV Bohatei overview and challenges System design Implementation Evaluation Conclusions

  21. Naïve resource management is too slow! Compute/network resources Suspicious traffic predictions Defense library Global optimization Types, numbers, and locations of VMs? Routing decisions? Takes hours to solve…

  22. Our Approach: Hierarchical + Greedy Compute/network resources Suspicious traffic predictions Defense library ISP-level Greedy How much traffic to DCN How much traffic to DC1 … Per datacenter 1 … Per datacenter N Which VM slots in DC1 Which VM slots in DCN

  23. Reactive, per-flow isn’t scalable Controller VM2 Port2 packet1 Port1 VM1 Port3 SW packet100 VM3 Switch Forwarding Table Flow1 Port 2 … … Flow100 Port 3 A reactive, per-flow controller will be a new vulnerability

  24. Idea: Proactive tag-based steering Proactive set up Controller VM2 packet1 Port 2 Port1 VM1 VM3 Port 3 SW packet100 Port 2 Benign 1 1 packet100 2 Port 3 Suspicious 2 2 packet1 1 Proactive per-VM tagging enables scaling

  25. Dynamic adversaries can game the defense Attack vol.(Gbps) SYN flood predicted attack volumefor t4 DNS amp. t1 t2 t4 t3 time Simple prediction (e.g., prev. epoch, avg) can be gamed Adversary’s goals: 1. Increase defense resource consumption 2. Succeed in delivering attack traffic

  26. Our approach: Online adaptation Metric of Success = “Regretminimization” How worse than best static strategy in hindsight? Borrow idea from online algorithms:Follow the perturbed leader (FPL) strategy Intuition: Prediction = F (Obs. History + Random Noise) This provably minimizes the regretmetric

  27. Putting it together predicts volume of suspicious traffic of each attack type at each ingress Prediction strategy Resource management quantity, type, location of VMs Orchestration suspicious trafficspec. defense policy launching VMs, traffic path set up attack traffic VM DC2 customer intranet DC1 ISP

  28. Outline Motivation Background on SDN/NFV Bohatei overview and challenges System design Implementation Evaluation Conclusions

  29. Defense policy library Example (SYN flood defense) OK [Legitimate] [Legitimate] Analyze Srces:count SYN – SYN/ACK per source [Unknown] SYNPROXY [Attack] [Attack] DROP LOG A defense graph per attack type Customized interconnection of defense modules Open source defense VMs

  30. Implementation resource manager defense library … Control Plane OpenDaylight FlowTags (Fayaz et al., NSDI’14) OpenFlow Data Plane Switches (OVS) FlowTags-enabled defense VMs (e.g., Snort) KVM 13 20-core Intel Xeon machines https://github.com/ddos-defense/bohatei

  31. Outline Motivation Background on SDN/NFV Bohatei overview and challenges System design Implementation Evaluation Conclusions

  32. Evaluation questions Does Bohatei respond to attacks rapidly? Can Bohatei handle ≈500 Gbps attacks? Can Bohatei successfully cope with dynamic adversaries?

  33. Responsiveness Bohatei restores performance of benign traffic ≈ 1 min. • Hierarchicalresource management: • A few milliseconds (vs. hours) • Optimality gap < 1%

  34. Scalability: Forwarding table size Per-VM tagging cuts #rules by 3-4 orders of magnitude Proactive setup reduces time by 3-4 orders of magnitude

  35. Adversarial resilience Bohatei online adaptation strategy minimizes regret.

  36. Conclusions • DDoS defense today : Expensive, Inflexible, and Inelastic • Bohatei: SDN/NFV for flexible and elastic DDoS defense • Key Challenges: Responsiveness, scalability, resilience • Main solution ideas: • Hierarchical resource management • Proactive, tag-based orchestration • Online adaptation strategy • Scalable + Can react to very large attacks quickly! • Ideas may be applicable to other security problems

More Related