SENSS: Software-defined Security Service
Minlan Yu, Ying Zhang*, Jelena Mirkovic, Abdulla Alwabel
USC, Ericsson Research*
Motivation
• Network attacks are becoming more frequent and more damaging
  • DDoS attacks targeting both the end hosts and the network infrastructure
  • Prefix hijacking to blackhole and eavesdrop on traffic
• Victim-based or local-ISP-based detection and mitigation is not sufficient
• Inter-ISP solutions are not adopted
  • Focused on detection or mitigation for individual attacks
  • Complex changes on the router
  • Lack of incentives for ISPs to deploy
• SENSS: a wide-scale, general service for automated inter-ISP collaboration on security problems
  • The victim network can request help from remote networks to observe and control its own traffic and routes
SENSS Architecture
• Victim-oriented programming for diverse attacks
  • The victim has the incentives and the knowledge of its own network, business and priorities
  • The victim requests data and control actions from local and remote ISPs
  • It can only query or manipulate traffic that goes to or from its own prefixes
• Simple and expressive interfaces at ISPs
SENSS interfaces and use cases
• Simple and expressive interfaces at ISPs
• SENSS uses
Example: DDoS without signature
• The victim periodically queries ISPs about its incoming traffic distribution.
[Figure: AS topology around the victim V (upstream ASes H, L, E, C, J, F, M, I, D, K, B, G, N); each link is labelled with the fraction of V's inbound traffic it carries under normal conditions]
Example: DDoS without signature
• Compares the traffic distributions before and during the attack
• Identifies upstream ASes that have previously routed little traffic but now route significantly more during the attack
[Figure: the same topology, with each link labelled by its traffic fraction before and during the attack]
Example: DDoS mitigation
• Install traffic filters on these ASes:
  • E: filter, dst = V, ingress = I
  • L: filter, dst = V
  • N: filter, dst = V
[Figure: the same topology with the filters placed at E, L and N]
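The three slides above describe one victim-side procedure: query the per-upstream-AS traffic distribution periodically, compare it with the distribution during an attack, flag the upstream ASes whose share jumped, and ask those ASes for filters, scoped to an ingress link where a finer breakdown justifies it. The following is an added example that carries that procedure through in code; it is not code from the SENSS paper or slides. The traffic fractions, the thresholds, the per-ingress breakdown for E, the victim prefix `192.0.2.0/24` and the request dictionary format are all constructed assumptions, chosen so that the result mirrors the slide's filters at E (ingress I), L and N.

```python
"""Victim-side DDoS detection and filter-request generation in the style of
the SENSS 'DDoS without signature' example. Added illustration; all sample
values, thresholds and the request format are constructed."""

from typing import Dict, List, Optional

# Constructed: fraction of the victim's normal inbound volume carried by each
# directly upstream AS, as returned by a periodic traffic-distribution query.
BASELINE: Dict[str, float] = {"H": 0.4, "L": 0.3, "E": 0.3, "N": 0.1, "C": 0.1}
# Constructed: the same query answered during the attack, still normalised to
# the pre-attack total, so a value above 1.0 exceeds the victim's usual volume.
DURING: Dict[str, float] = {"H": 0.4, "L": 1.6, "E": 1.6, "N": 0.8, "C": 0.1}
# Constructed: optional finer answer from E, splitting its V-bound traffic by
# the neighbour it enters E from (ingress link).
BASELINE_INGRESS: Dict[str, Dict[str, float]] = {"E": {"I": 0.05, "D": 0.25}}
DURING_INGRESS: Dict[str, Dict[str, float]] = {"E": {"I": 1.4, "D": 0.2}}

VICTIM_PREFIX = "192.0.2.0/24"  # constructed placeholder for V's prefix


def suspicious_upstreams(baseline: Dict[str, float], during: Dict[str, float],
                         ratio: float = 3.0, min_increase: float = 0.3) -> List[str]:
    """ASes whose share of the victim's traffic grew by a large factor (ratio)
    and by a non-trivial absolute amount (min_increase). An AS absent from the
    baseline is treated as having carried nothing before the attack."""
    flagged = []
    for asn, now in during.items():
        before = baseline.get(asn, 0.0)
        grew_abs = now - before >= min_increase
        grew_rel = now >= ratio * max(before, 1e-9)
        if grew_abs and grew_rel:
            flagged.append(asn)
    return sorted(flagged)


def surging_ingress(asn: str, baseline_ingress: Dict[str, Dict[str, float]],
                    during_ingress: Dict[str, Dict[str, float]],
                    ratio: float = 3.0) -> Optional[List[str]]:
    """If asn gave a per-ingress breakdown, return the ingress links whose
    V-bound traffic grew by `ratio`, so the filter can be scoped to them and
    traffic on the other links keeps flowing. Returns None when there is no
    breakdown (filter everything to the victim at that AS)."""
    before = baseline_ingress.get(asn)
    now = during_ingress.get(asn)
    if not before or not now:
        return None
    hits = [link for link, v in now.items()
            if v >= ratio * max(before.get(link, 0.0), 1e-9)]
    return sorted(hits) or None


def build_filter_requests(victim_prefix: str, flagged: List[str],
                          baseline_ingress: Dict[str, Dict[str, float]],
                          during_ingress: Dict[str, Dict[str, float]]) -> List[dict]:
    """One filter request per flagged AS, in a constructed request format."""
    requests = []
    for asn in flagged:
        req = {"as": asn, "action": "filter", "dst": victim_prefix}
        links = surging_ingress(asn, baseline_ingress, during_ingress)
        if links:
            req["ingress"] = links
        requests.append(req)
    return requests


def excess_removed(baseline: Dict[str, float], during: Dict[str, float],
                   flagged: List[str]) -> float:
    """Share of the attack-time excess volume that the chosen filters would
    stop, a quick check of whether the flagged set is worth acting on."""
    excess = {a: max(during[a] - baseline.get(a, 0.0), 0.0) for a in during}
    total = sum(excess.values())
    if total == 0.0:
        return 0.0
    return sum(excess[a] for a in flagged) / total


if __name__ == "__main__":
    flagged = suspicious_upstreams(BASELINE, DURING)
    for req in build_filter_requests(VICTIM_PREFIX, flagged,
                                     BASELINE_INGRESS, DURING_INGRESS):
        print(req)
    print(f"excess removed: {excess_removed(BASELINE, DURING, flagged):.2f}")
```

Running the block flags E, L and N and emits an ingress-scoped filter for E only, because E is the only AS for which a per-ingress breakdown was available; the relative-plus-absolute threshold avoids flagging an AS that merely doubled a tiny share.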
Discussion
• High incentives for SENSS adoption
  • The victim has strong incentives
  • ISPs can charge the victims for new services
  • Aligned with ISPs' interests and capabilities
• Securing SENSS communications
  • Secure key exchange and authentication via RPKI
  • Encrypt, authenticate and timestamp messages
  • Protect against message flooding and resource exhaustion
• Incremental deployment
  • DDoS attack: 94% of attack traffic eliminated with 30 SENSS ASes
  • Prefix hijacking: 82% of polluted ASes corrected with 18 SENSS ASes
Use case II: Interception attack
• Detect the traffic distribution changes before and after the attack
• Identify upstream ASes that have previously routed a lot of traffic but now route little
[Figure: AS topology (S, M, C, B, A, V, E, D, G, F, H) with link traffic fractions before and after the attack; new route: S M A V; old route: F H G D V]
Use case II: Interception attack
• Query these ASes for the routes they use to reach the victim
• Perform hop-by-hop traceback to detect the inconsistency between the routing (control) plane and the data plane
• Ask SENSS ISPs to modify the bogus route
[Figure: per-AS answers to the upstream-AS query for traffic from S to V; data plane path from S to V: S M C B A V; route to V: S M A V]
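The two interception-attack slides describe a second victim-side procedure: notice upstream ASes whose share of the victim's traffic collapsed, query the SENSS ASes along the path for the route they report toward the victim, follow the data plane hop by hop, and locate the AS whose advertised next hop differs from where it actually forwards. The following is an added example that implements that traceback; it is not the SENSS project's code. The two query answer formats (a reported AS path per AS, and a reported forwarding next hop per AS), the sample values and the `modify_route` request format are constructed; the values are chosen to reproduce the slide's picture of a control-plane route S M A V against a data-plane path S M C B A V.

```python
"""Victim-side traceback for an interception attack, in the spirit of the
SENSS use case: compare the route each AS reports toward the victim (control
plane) with the next hop it actually forwards to (data plane) and locate the
AS where the two disagree. Added illustration; all formats and values are
constructed."""

from typing import Dict, List, Optional, Tuple

# Constructed: fraction of V's inbound traffic per upstream AS before and
# after the attack; a collapse at D is the first hint that traffic moved.
BEFORE: Dict[str, float] = {"D": 0.5, "E": 0.1, "A": 0.4}
AFTER: Dict[str, float] = {"D": 0.1, "E": 0.1, "A": 0.8}

# Constructed: the AS path each SENSS AS reports for reaching V (control plane).
ROUTE_TO_V: Dict[str, List[str]] = {
    "S": ["S", "M", "A", "V"],
    "M": ["M", "A", "V"],
    "C": ["C", "B", "A", "V"],
    "B": ["B", "A", "V"],
    "A": ["A", "V"],
}
# Constructed: the neighbour each AS actually hands V-bound traffic to, as
# learned from a per-AS traffic query that reports the egress link.
FORWARDS_TO: Dict[str, str] = {"S": "M", "M": "C", "C": "B", "B": "A", "A": "V"}

VICTIM_PREFIX = "192.0.2.0/24"  # constructed placeholder for V's prefix


def shrinking_upstreams(before: Dict[str, float], after: Dict[str, float],
                        min_drop: float = 0.3) -> List[str]:
    """ASes that used to carry a lot of the victim's traffic and now carry
    much less; the victim then asks these (and their neighbours) for routes."""
    return sorted(asn for asn, b in before.items()
                  if b - after.get(asn, 0.0) >= min_drop)


def trace_data_path(src: str, victim: str, forwards_to: Dict[str, str],
                    max_hops: int = 32) -> Optional[List[str]]:
    """Hop-by-hop traceback: follow the data-plane next hop from src until the
    victim is reached. Returns None on a forwarding loop, an AS that gave no
    answer, or a path longer than max_hops."""
    path = [src]
    while path[-1] != victim:
        nxt = forwards_to.get(path[-1])
        if nxt is None or nxt in path or len(path) >= max_hops:
            return None
        path.append(nxt)
    return path


def find_inconsistency(data_path: List[str],
                       route_to_v: Dict[str, List[str]]
                       ) -> Optional[Tuple[str, str, str]]:
    """Return (as, claimed_next_hop, actual_next_hop) for the first AS on the
    data-plane path whose advertised route disagrees with where it really
    forwards, or None if every answering AS is consistent."""
    for here, actual in zip(data_path, data_path[1:]):
        route = route_to_v.get(here)
        if route is None or len(route) < 2:
            continue  # no control-plane answer from this AS; nothing to compare
        claimed = route[1]
        if claimed != actual:
            return here, claimed, actual
    return None


def route_fix_request(victim_prefix: str,
                      inconsistency: Tuple[str, str, str]) -> dict:
    """Constructed request asking the inconsistent AS's SENSS ISP to modify
    the bogus route for the victim prefix."""
    asn, claimed, actual = inconsistency
    return {"as": asn, "action": "modify_route", "dst": victim_prefix,
            "reason": f"advertises next hop {claimed} but forwards to {actual}"}


if __name__ == "__main__":
    print("upstreams that lost traffic:", shrinking_upstreams(BEFORE, AFTER))
    path = trace_data_path("S", "V", FORWARDS_TO)
    print("data-plane path:", path)
    bad = find_inconsistency(path or [], ROUTE_TO_V)
    print("inconsistency:", bad)
    if bad:
        print(route_fix_request(VICTIM_PREFIX, bad))
```

The traceback terminates on loops and on silent ASes rather than looping forever, and the comparison skips an AS that answered the traffic query but not the route query, so a partial SENSS deployment yields "no inconsistency found among answering ASes" rather than a false accusation.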