DaaS: DDoS Mitigation-as-a-Service
2011 IEEE/IPSJ International Symposium on Applications and the Internet
Authors: Soon Hin Khor & Akihiro Nakao
Speaker: 101065511 沈祈恩
Outline INTRODUCTION DESIGN ARCHITECTURE EVALUATION CONCLUSION
INTRODUCTION • DaaS is a service that protects a server against all 3 types of Distributed Denial-of-Service (DDoS) attacks: • Arbitrary packet (Network Layer) • Legit user-mimicking (Application Layer) • Economic attacks (EDDoS).
INTRODUCTION Most research concurs that using widely distributed Internet-edge or core intermediaries, which possess more resources than DDoS bots, to receive traffic on behalf of a server is an effective technique to overcome the three issues.
INTRODUCTION For defense against application-layer DDoS, a Proof-of-Work (PoW) mechanism empowers legit clients (legits, for short) to attain differentiated service based on the difficulty of the PoW "puzzles" they solve.
Outline INTRODUCTION DESIGN ARCHITECTURE EVALUATION CONCLUSION
DESIGN • On-Demand Idle Resource Pool: • DaaS's framework can recruit any existing or future system/service as an intermediary. • Ex: IRC, Amazon's S3, forums
DESIGN • Ephemeral Initial Channels: • Channel: a named entity on an intermediary, e.g. a channel name on IRC or a storage bucket in S3. • I-Channel: ephemeral initial channel. • C-Channel: communication channel.
DESIGN • Prioritize traffic: • Prioritize existing connection traffic over initial connection request traffic. • Prioritize among the initial connection requests using sPoW (self-proof-of-work), i.e. prioritize by puzzle difficulty.
Outline INTRODUCTION DESIGN ARCHITECTURE EVALUATION CONCLUSION
ARCHITECTURE DaaS consists of a framework and sPoW, implemented as DaaS name servers plus client-side and server-side components.
DaaS utilizes highly scalable Cloud #1 as a metered intermediary to protect a metered server in Cloud #2.
A client that wants to contact the server performs a DNS resolution to obtain the location of the client-side component on the CDN.
It proceeds to download it together with the server-side component's public key embedded in its SSL certificate.
The client-side component then performs a DaaS name resolution, specifying the server hostname and the puzzle difficulty, k, to obtain a crypto-puzzle for the server.
The DaaS name server forwards the puzzle request to the server-side puzzle generator
The server side component randomly creates an ephemeral i-channel
The server encrypts the channel details and sends back both the encrypted details and the encryption key with k bits undisclosed as the crypto-puzzle.
The client-side component brute-forces the undisclosed bits, recovers the i-channel details, and submits through the i-channel an initial connection request that includes a randomly generated secret key, encrypted using the server-side component's public key.
If the initial connection request is not handled within a timeout period, the client can request a more difficult crypto-puzzle and re-submit the connection request through the higher-priority i-channel.
The server-side component receives the initial connection request
The server encrypts the c-channel details using the client-generated secret key and sends the information back to the client-side component.
The server also informs the name server to invalidate the cached puzzle associated with that consumed i-channel.
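The crypto-puzzle step above (i-channel details encrypted under a fresh key, key published with its low k bits withheld, client brute-forces the k bits) as an added example; this is not the paper's code. The SHA-256 keystream and the 8-byte HMAC tag that lets the client recognise the correct key are assumptions made for this example, and the channel string is constructed.

```python
import hashlib
import hmac
import secrets


def keystream(key: bytes, n: int) -> bytes:
    # Expand the puzzle key into n bytes with SHA-256 in counter mode (assumed construction).
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def make_puzzle(channel_details: bytes, k: int) -> dict:
    """Server-side puzzle generator: encrypt the i-channel details with a fresh
    128-bit key and disclose all but the low k bits of that key."""
    key = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(channel_details, keystream(key, len(channel_details))))
    # Short MAC so the client can tell a correct key guess from a wrong one (assumption).
    tag = hmac.new(key, ct, hashlib.sha256).digest()[:8]
    partial_key = int.from_bytes(key, "big") >> k   # k low bits undisclosed
    return {"k": k, "partial_key": partial_key, "ciphertext": ct, "tag": tag}


def solve_puzzle(puzzle: dict) -> tuple:
    """Client-side solver: brute-force the 2^k candidates for the missing bits.
    Returns (recovered i-channel details, number of trials used)."""
    k, ct = puzzle["k"], puzzle["ciphertext"]
    for guess in range(1 << k):
        cand = ((puzzle["partial_key"] << k) | guess).to_bytes(16, "big")
        cand_tag = hmac.new(cand, ct, hashlib.sha256).digest()[:8]
        if hmac.compare_digest(cand_tag, puzzle["tag"]):
            return bytes(a ^ b for a, b in zip(ct, keystream(cand, len(ct)))), guess + 1
    raise ValueError("no candidate key matched the puzzle tag")


if __name__ == "__main__":
    details = b"irc://irc.example.net/#ich-7f3a"     # constructed i-channel details
    puzzle = make_puzzle(details, k=12)
    recovered, trials = solve_puzzle(puzzle)
    print(recovered, "after", trials, "of", 1 << 12, "trials")
```

Raising k by one doubles the client's expected work (about 2^(k-1) trials), which is the lever the client pulls when it re-requests a harder puzzle after a timeout.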
ARCHITECTURE • Hide DaaS server details: • Using the intermediary and the multipath stack of the client/server-side components.
ARCHITECTURE • Enable any system/service to be used as an intermediary: • Using a different intermediary plug-in for each system to enable communication between client and server.
ARCHITECTURE • sPoW Threats: • Puzzle Generation Resource Exhaustion: bots request a lot of puzzles without solving them, which leads to: 1. processing power exhaustion 2. network connectivity exhaustion • Solution: Channel Sharing.
ARCHITECTURE • sPoW Threats: • PoW Violation with Channel Sharing: clients can obtain high-priority service by reusing high-priority channels discovered by others. • Solution: only the quickest puzzle solver succeeds in submitting the connection request.
ARCHITECTURE • sPoW Threats: • Puzzle Level Inflation: attackers can inflate puzzle difficulty by repeatedly requesting the most difficult puzzles, which results in clients having to solve unnecessarily high-level puzzles to submit a connection. • Solution: the algorithm must track the puzzle resolution capacity of the user base (legits and bots) within a designated period.
ARCHITECTURE • Puzzle Level Inflation: • Detection algorithm: if the sum of the capacity required to solve all open puzzles in the current period exceeds the user-base puzzle resolution capability estimated in the last period, treat it as a possible attack indicator.
• C: server capacity for i-channel handling • r_t: capacity required to solve all unique puzzles for open i-channels in the current period • s_{t-1}: estimated user-base capacity in the previous period • k_lowest: the lowest protection level of the channel
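The inflation indicator r_t > s_{t-1} from the slide above as an added example, not the paper's implementation. Estimating s_{t-1} as the work actually demonstrated by solved puzzles in the previous period, scoring a puzzle of level k as 2^k trials, and expiring unsolved puzzles at the end of a period are assumptions made here; the slides do not give the paper's estimator.

```python
class InflationDetector:
    """Per-period tracker of open-puzzle work (r_t) versus the capacity the
    user base showed in the previous period (s_{t-1})."""

    def __init__(self, k_lowest: int):
        self.k_lowest = k_lowest   # lowest protection level the server will issue
        self.open_k = {}           # i-channel id -> difficulty k of its open puzzle
        self.solved_work = 0       # work demonstrated by solved puzzles this period
        self.s_prev = None         # s_{t-1}; unknown until the first period closes

    @staticmethod
    def work(k: int) -> int:
        # Expected brute-force effort for a level-k puzzle (assumed: 2^k trials).
        return 1 << max(k, 0)

    def issue(self, chan: str, k: int) -> None:
        """Puzzle generator hands out a puzzle for i-channel chan at level k."""
        self.open_k[chan] = max(k, self.k_lowest)

    def consume(self, chan: str) -> None:
        """A connection request arrived through chan, so its puzzle was solved."""
        self.solved_work += self.work(self.open_k.pop(chan))

    def r_t(self) -> int:
        """Capacity required to solve every puzzle still open this period."""
        return sum(self.work(k) for k in self.open_k.values())

    def inflation_suspected(self) -> bool:
        """Possible attack indicator: r_t exceeds the previous period's estimate."""
        return self.s_prev is not None and self.r_t() > self.s_prev

    def close_period(self) -> int:
        """End the period: demonstrated work becomes s_{t-1}, unsolved puzzles expire."""
        self.s_prev = self.solved_work
        self.solved_work = 0
        self.open_k.clear()
        return self.s_prev
```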
Outline INTRODUCTION DESIGN ARCHITECTURE EVALUATION CONCLUSION
Average transmission time of various file sizes through different intermediary types
Average transmission time of various file sizes through I3 and IRC when different percentages of multipaths fail due to congestion.
Outline INTRODUCTION DESIGN ARCHITECTURE EVALUATION CONCLUSION
CONCLUSION Contribution: employs sPoW, a unique scheme that lets legits compete and reduces indistinguishable DDoS. Advantages: 1. Shields the location of the server. 2. sPoW frees the server from the traffic verification burden. Disadvantages: 1. No clear explanation of how to utilize existing systems as intermediaries. 2. Many kinds of intermediary plug-ins have to be implemented. 3. Clients have to install many intermediary plug-ins. 4. Cost burden on other systems/services.