
The Role of Indirection and Diffusion in DDoS Defense


Presentation Transcript


  1. The Role of Indirection and Diffusion in DDoS Defense
  Angelos D. Keromytis, Network Security Lab, Computer Science Department, Columbia University

  2. Capacity and Path Diversity
  • DDoS seems to be largely a “last-3-hops” problem
  • Informal survey of ISPs shows 20-40Gbps per POP
  • Many redundant paths (some are better than the route-converged path!)
  • Similar characteristics likely to hold for any future “Internet”
    • Unless we abandon the statistical mux model and adopt a single-authority/ISP (think phone network)
  • FiOS or similar network upgrades unlikely to significantly change the situation (wireless may make things worse!)
  • Must be intelligent about traffic monitoring/admission/handling
  • Intelligence inside the network is hard to come by
  [Figure: link technologies from POTS/ISDN and T1 through 10M Ethernet, OC3, OC12 and OC192; as traffic aggregation increases, cycles/bps decrease, SW service deployment times increase, more nodes are involved, and software is increasingly restricted to the control plane]

  3. Indirection and Diffusion
  • Send the traffic to the intelligence
  • Put the intelligence where you can (technology, cost/benefit, deployment limitations)
  • Intelligence can be pretty invasive, e.g., full-blown authentication, payment, CAPTCHA, attestation ...
  • Intelligence must not be a point of vulnerability
    • Scalable, distributed, restricted interface (attack surface)
    • But: an easier proposition than doing the same at line speed inside the network
    • Diffusion helps eliminate single points of failure
    • Challenges: interference, sensing, knowledge, guarantees?
  • Intelligence must be efficient
    • Performance, reliability, low cost (shared & on-demand?)
  • Transparent vs. explicit intelligence/indirection
  • Complement intelligence with simple in-network mechanisms
    • Routing, limited filtering abilities, deflections, ???
  • Use what you can, where it makes sense (to paraphrase e2e)

  4. Simple Filtering

  5. SOS/WebSOS [SIGCOMM2002, CCS2003]

  6. Human-centric Authentication [CCS2003]

  7. Diffusion [CCS2005]

  8. Local Perimeter Establishment [IAMCOM2007]
  • Limited-scope PushBack (inside home ISP only)
  • Much simpler trust issues, pay-per-use possibility [ACNS2004]
  • RSVP might do the trick, too...

  9. Backup Slides

  10. MOVE [NDSS2005]

  11. MOVE [NDSS2005] Attack

  12. MOVE [NDSS2005] Attack

  13. Old fashioned DoS Attack

  14. New Attack: “Stalker” Attack

  15. New Attack: “Stalker” Attack

  16. New Attack: “Stalker” Attack

  17. New Attack: “Stalker” Attack

  18. New Attack: Sweeping Attack

  19. New Attack: Sweeping Attack

  20. New Attack: Sweeping Attack

  21. Latency with Diffusion
  [Figure: End-to-End Latency with Client Packet Replication; overlay path vs direct path, plotted against the client packet replication factor]

  22. Resilience & Latency
  [Figure: End-to-End Latency vs Node Failure; series: No Repl., 1.5x, 2x, 3x replication]

  23. Resilience & Throughput
  [Figure: Throughput (KB/sec) vs % Node Failure]
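The diffusion idea from slide 3 (replicate each client packet over several overlay nodes so no single node is a point of failure) and the trade-off plotted on slides 21-23 (delivery and latency vs. node failure for no replication, 1.5x, 2x and 3x) can be reproduced with a small model. The following is an added example written for this page; it is not the SOS/WebSOS or MOVE code, and the overlay size, per-node latencies and the way fractional replication factors are handled are assumptions chosen for illustration.

```python
"""Toy model of diffusion as a DDoS defense: a client sends each packet through
k randomly chosen overlay nodes, so the attacker must silence every chosen node
to cause loss. Added example, not the talk's implementation."""
import random
from math import comb

# Constructed overlay: one-way latency (ms) client -> overlay node -> target.
# Hypothetical values, not measurements from the talk.
OVERLAY_LATENCY_MS = {f"node{i:02d}": 20 + 5 * i for i in range(20)}


def fail_nodes(latency, failure_fraction, rng):
    """Pick the set of overlay nodes the attacker has taken out."""
    k = round(failure_fraction * len(latency))
    return set(rng.sample(sorted(latency), k))


def copies_for(factor, rng):
    """Fractional replication (the talk's 1.5x): always send floor(factor)
    copies, plus one extra copy with probability frac(factor)."""
    base = int(factor)
    extra = 1 if rng.random() < factor - base else 0
    return base + extra


def send_diffused(latency, failed, copies, rng):
    """Send one packet as `copies` replicas through distinct random overlay
    nodes; return the latency of the first replica to arrive, or None if every
    replica went through a failed node."""
    chosen = rng.sample(sorted(latency), copies)
    alive = [latency[n] for n in chosen if n not in failed]
    return min(alive) if alive else None


def simulate(factor, failure_fraction, packets=2000, seed=7):
    """Delivery rate and mean end-to-end latency for one (factor, failure) point."""
    rng = random.Random(seed)
    failed = fail_nodes(OVERLAY_LATENCY_MS, failure_fraction, rng)
    lats = []
    for _ in range(packets):
        lat = send_diffused(OVERLAY_LATENCY_MS, failed, copies_for(factor, rng), rng)
        if lat is not None:
            lats.append(lat)
    return {
        "delivery_rate": len(lats) / packets,
        "mean_latency_ms": sum(lats) / len(lats) if lats else None,
    }


def loss_probability(total, failed, copies):
    """Exact loss probability when the copies go to distinct nodes: all
    `copies` chosen nodes must lie inside the `failed` set."""
    return comb(failed, copies) / comb(total, copies)


def expected_loss(total, failed, factor):
    """Loss probability for a fractional replication factor (mix of floor and
    floor+1 copies, weighted as in copies_for)."""
    base, frac = int(factor), factor - int(factor)
    return ((1 - frac) * loss_probability(total, failed, base)
            + frac * loss_probability(total, failed, base + 1))


if __name__ == "__main__":
    n = len(OVERLAY_LATENCY_MS)
    print("factor  fail%  delivered  mean_ms  exact_loss")
    for factor in (1, 1.5, 2, 3):
        for f in (0.0, 0.1, 0.3, 0.5):
            r = simulate(factor, f)
            ms = f"{r['mean_latency_ms']:.1f}" if r["mean_latency_ms"] else "n/a"
            print(f"{factor:<7}{f*100:<7.0f}{r['delivery_rate']:<11.3f}{ms:<9}"
                  f"{expected_loss(n, round(n * f), factor):.4f}")
```

Running it shows the two effects the slides plot: the delivery rate rises quickly with the replication factor (loss falls roughly as the failure fraction raised to the number of copies), and mean latency falls as well, because the first replica to arrive wins. The cost, not modelled here, is the extra upstream bandwidth (factor times the original traffic), which is exactly the throughput trade-off of slide 23.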
