The Role of Indirection and Diffusion in DDoS Defense
Angelos D. Keromytis, Network Security Lab, Computer Science Department, Columbia University
Capacity and Path Diversity
• DDoS seems to be largely a “last-3-hops” problem
• Informal survey of ISPs shows 20-40Gbps per POP
• Many redundant paths (some are better than the route-converged path!)
• Similar characteristics likely to hold for any future “Internet”
  • Unless we abandon statistical mux model and adopt single-authority/ISP (think phone network)
• FiOS or similar network upgrades unlikely to significantly change the situation (wireless may make things worse!)
• Must be intelligent about traffic monitoring/admission/handling
  • Intelligence inside the network is hard to come by
[Figure: link technologies POTS/ISDN, T1, 10M Ethernet, OC3, OC12, OC192 plotted against increasing SW service deployment times, increasing traffic aggregation / decreasing cycles/bps, and increasing preference for SW restriction to the control plane (more nodes)]
Indirection and Diffusion
• Send the traffic to the intelligence
• Put the intelligence where you can (technology, cost/benefit, deployment limitations)
• Intelligence can be pretty invasive, e.g., full-blown authentication, payment, CAPTCHA, attestation ...
• Intelligence must not be a point of vulnerability
  • Scalable, distributed, restricted interface (attack surface)
  • But: easier proposition than doing the same at line speeds inside the network
  • Diffusion helps to eliminate single points of failure
  • Challenges: interference, sensing, knowledge, guarantees?
• Intelligence must be efficient
  • Performance, reliability, low cost (shared & on-demand?)
• Transparent vs. explicit intelligence/indirection
• Complement intelligence with simple in-network mechanisms
  • Routing, limited filtering abilities, deflections, ???
  • Use what you can, where it makes sense (to paraphrase e2e)
Local Perimeter Establishment [IAMCOM2007]
• Limited-scope PushBack (inside home ISP only)
  • Much simpler trust issues, pay-per-use possibility [ACNS2004]
• RSVP might do the trick, too...
MOVE [NDSS2005] Attack
Latency with Diffusion [Figure: End-to-End Latency with Client Packet Replication; series: Overlay, Direct]
Resilience & Latency [Figure: End-to-End Latency vs Node Failure; series: No Repl., 1.5x, 2x, 3x]
Resilience & Throughput [Figure: Throughput vs Node Failure; y-axis KB/Sec, x-axis % Node Failure]
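The three plots above are measurements from the overlay work; the following is a constructed simulation added here (not the talk's or MOVE's own code) of the mechanism they illustrate: a client replicates each packet across r overlay nodes, so a packet is lost only when every copy lands on a failed node, and the first surviving copy sets the latency. Node count, per-node latencies and the failure fraction are assumed values, not figures from the slides.

```python
import random

def simulate_diffusion(num_nodes=64, failure_fraction=0.25, replication=2.0,
                       packets=2000, seed=1):
    """Return (delivery_rate, mean_latency_ms) for a client that sends each
    packet through `replication` randomly chosen overlay nodes while
    `failure_fraction` of the nodes are down.
    Constructed model: per-node latencies are random, not measured values."""
    rng = random.Random(seed)
    nodes = list(range(num_nodes))
    failed = set(rng.sample(nodes, int(round(failure_fraction * num_nodes))))
    # Assumed one-hop latency through each overlay node, in milliseconds.
    latency_ms = {n: rng.uniform(20.0, 120.0) for n in nodes}
    base, frac = int(replication), replication - int(replication)
    delivered, latency_sum = 0, 0.0
    for _ in range(packets):
        # A fractional factor such as 1.5x means one extra copy half of the time.
        copies = base + (1 if rng.random() < frac else 0)
        chosen = rng.sample(nodes, min(copies, num_nodes))
        alive = [latency_ms[n] for n in chosen if n not in failed]
        if alive:
            delivered += 1
            latency_sum += min(alive)  # the first surviving copy to arrive wins
    rate = delivered / packets
    return rate, (latency_sum / delivered if delivered else None)

def expected_delivery(failure_fraction, copies):
    """Closed form for independent node choices: a packet is lost only when
    every one of its `copies` is routed through a failed node."""
    return 1.0 - failure_fraction ** copies

if __name__ == "__main__":
    for r in (1.0, 1.5, 2.0, 3.0):
        rate, lat = simulate_diffusion(replication=r)
        print(f"{r:.1f}x replication: delivery {rate:.3f}, mean latency {lat:.1f} ms")
```

Raising the replication factor buys resilience and lower end-to-end latency at the cost of proportionally more overlay bandwidth, which is the trade-off the throughput plot shows.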