
SENSS: Software-defined Security Service

SENSS: Software-defined Security Service. Minlan Yu, Ying Zhang*, Jelena Mirkovic , Abdulla Alwabel USC, Ericsson Research*. Motivation. Network attacks are becoming more frequent and more damaging DDoS attacks targeting both the end hosts and the network infrastructure


Presentation Transcript


  1. SENSS: Software-defined Security Service. Minlan Yu, Ying Zhang*, Jelena Mirkovic, Abdulla Alwabel. USC, Ericsson Research*

  2. Motivation
  • Network attacks are becoming more frequent and more damaging
    • DDoS attacks targeting both the end hosts and the network infrastructure
    • Prefix hijacking to blackhole and eavesdrop on traffic
  • Victim-based or local-ISP-based detection and mitigation is not sufficient
  • Inter-ISP solutions are not adopted
    • Focused on detection or mitigation for individual attacks
    • Complex changes on the router
    • Lack of incentives for ISPs to deploy
  • SENSS: a wide-scale, general service for automated inter-ISP collaboration on security problems
    • The victim network can request help from remote networks to observe and control its own traffic and routes

  3. SENSS Architecture
  • Victim-oriented programming for diverse attacks
    • The victim has the incentives and the knowledge of its own network, business and priorities
    • The victim requests data and control actions from local and remote ISPs
    • It can only query/manipulate traffic that goes to/from its own prefixes
  • Simple and expressive interfaces at ISPs

  4. SENSS interfaces and use cases
  • Simple and expressive interfaces at ISPs
  • SENSS uses
  [Table of interfaces and use cases: not recoverable from the transcript]

  5. Example: DDoS without signature
  • The victim periodically queries ISPs about its incoming traffic distribution.
  [Figure: AS topology around victim V (ASes B through N) with the traffic volume on each upstream link, 0.1 to 0.4]

  6. Example: DDoS without signature
  • Compare the traffic distributions before and during the attack
  • Identify upstream ASes that previously routed little traffic but now route significantly more during the attack
  [Figure: the same topology with before → during volumes; several upstream links jump from 0.1-0.4 to 0.8-1.6]

  7. Example: DDoS mitigation
  • Install traffic filters on these ASes:
    • E: filter, dst = V, ingress = I
    • L: filter, dst = V
    • N: filter, dst = V
  [Figure: the same topology with the filters installed and the attack-time volumes reduced]
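The three slides above describe one procedure: query each ISP's traffic report, diff it against a baseline, and turn the ASes that suddenly carry much more traffic into filter requests. The following is an added example of that victim-side logic, not code from the SENSS authors. The per-ingress report layout, the thresholds (`low`, `ratio`), and the sample volumes are assumptions made for the example; the page does not specify the query or request format beyond the `filter, dst = V[, ingress = I]` notation of slide 7, which the `FilterRequest` string form reproduces.

```python
"""Victim-side logic for the "DDoS without signature" use case (slides 5-7).

Added illustration, not the SENSS authors' code. The victim keeps a baseline of
the traffic each SENSS ISP forwards to it, broken down by the ingress neighbour
the traffic arrived from, re-queries during an attack, flags the (ISP, ingress)
pairs that used to carry little and now carry a lot, and emits slide-7 style
requests. Report layout, thresholds and numbers are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

VICTIM = "V"  # the slides' name for the victim's prefix

# Per-ISP report: {isp: {ingress_neighbour: traffic_volume}}.  Volumes are in
# the arbitrary units the slides use (0.1, 0.4, 0.8, ...).
Report = dict[str, dict[str, float]]


@dataclass(frozen=True)
class FilterRequest:
    """One control-action request to a SENSS ISP, printed in slide-7 notation."""
    isp: str
    dst: str
    ingress: Optional[str] = None  # None: drop traffic to dst from every ingress

    def __str__(self) -> str:
        text = f"{self.isp}: filter, dst = {self.dst}"
        return text + (f", ingress = {self.ingress}" if self.ingress else "")


def suspicious_ingresses(baseline: Report, during: Report,
                         low: float = 0.2, ratio: float = 3.0) -> dict[str, set[str]]:
    """Slide-6 heuristic: ingresses that carried at most `low` before the attack
    and at least `ratio` times that now.  A link absent from the baseline counts
    as 0, so a brand-new source is flagged as soon as it exceeds `low`."""
    hits: dict[str, set[str]] = {}
    for isp, links in during.items():
        for ingress, now in links.items():
            before = baseline.get(isp, {}).get(ingress, 0.0)
            if before <= low < now and now >= ratio * before:
                hits.setdefault(isp, set()).add(ingress)
    return hits


def plan_filters(baseline: Report, during: Report, victim: str = VICTIM,
                 **thresholds) -> list[FilterRequest]:
    """Turn flagged ingresses into requests.  If every ingress an ISP reports is
    flagged, one ISP-wide filter replaces the per-ingress ones (as for L and N
    on slide 7); otherwise only the offending ingress is filtered (as for E)."""
    requests: list[FilterRequest] = []
    flagged = suspicious_ingresses(baseline, during, **thresholds)
    for isp in sorted(flagged):
        if flagged[isp] == set(during[isp]):
            requests.append(FilterRequest(isp, victim))
        else:
            requests.extend(FilterRequest(isp, victim, i) for i in sorted(flagged[isp]))
    return requests


# Constructed sample: a baseline and an attack-time report from four ISPs.
BASELINE: Report = {"E": {"H": 0.4, "I": 0.1}, "L": {"C": 0.1, "M": 0.1},
                    "N": {"K": 0.1}, "F": {"J": 0.2}}
DURING: Report = {"E": {"H": 0.4, "I": 0.8}, "L": {"C": 0.8, "M": 0.8},
                  "N": {"K": 0.8}, "F": {"J": 0.2}}

if __name__ == "__main__":
    for req in plan_filters(BASELINE, DURING):
        print(req)
```

Running it on the constructed sample yields exactly the three requests on slide 7: `E` gets an ingress-specific filter because its other link (`H`) is unchanged, while `L` and `N` get ISP-wide filters because every link they report is flagged. The `low` threshold matters: an upstream that always carried a lot (`E`'s `H` link) is never flagged, which is the point of the "previously routed little" criterion.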

  8. Discussion
  • High incentives for SENSS adoption
    • The victim has strong incentives
    • ISPs can charge the victims for new services
    • Aligned with ISPs' interests and capabilities
  • Securing SENSS communications
    • Secure key exchange and authentication via RPKI
    • Encrypt, authenticate and timestamp messages
    • Protect against message flooding and resource exhaustion
  • Incremental deployment
    • DDoS attack: 94% of attack traffic eliminated with 30 SENSS ASes
    • Prefix hijacking: 82% of polluted ASes corrected with 18 SENSS ASes
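The "Securing SENSS communications" bullets list properties without showing how an ISP would enforce them on a request. The following added example (not code from the SENSS paper) is one ISP-side verifier that checks authenticity, timestamp freshness, replay, and per-sender flooding, and also enforces the slide-3 rule that a victim may only act on its own prefixes. Assumptions: a per-sender shared key already established (the page uses RPKI for key exchange; an HMAC stands in for the resulting authentication), prefix ownership supplied as a table (what an RPKI ROA would attest), and a JSON message with `sender`, `ts`, `nonce`, `action`, `dst` and `mac` fields. Encryption is left to the transport.

```python
"""ISP-side validation of an incoming SENSS request (slides 3 and 8).

Added example, not the SENSS authors' code.  Shared keys, prefix table and
message layout are assumptions; HMAC-SHA256 stands in for the RPKI-based
authentication the slides mention.
"""
import hashlib
import hmac
import json
import time
from collections import deque

MAX_SKEW = 30.0     # seconds: accept a timestamp this far from local time
RATE_LIMIT = 3      # authenticated requests per sender per RATE_WINDOW
RATE_WINDOW = 60.0  # seconds


def canonical(body: dict) -> bytes:
    """Deterministic encoding so both sides MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_request(key: bytes, fields: dict) -> dict:
    """Victim side: attach an HMAC-SHA256 tag over every field except `mac`."""
    body = {k: v for k, v in fields.items() if k != "mac"}
    return {**body, "mac": hmac.new(key, canonical(body), hashlib.sha256).hexdigest()}


class RequestVerifier:
    def __init__(self, keys: dict, prefixes: dict, now=time.time):
        self.keys = keys            # sender AS -> shared key (assumed pre-established)
        self.prefixes = prefixes    # sender AS -> set of prefixes it may act on
        self.now = now              # injectable clock
        self.seen: dict = {}        # (sender, nonce) -> ts, for replay detection
        self.accepted: dict = {}    # sender -> deque of accept times

    def check(self, msg: dict) -> str:
        """Return "ok" or "reject: <reason>".  The MAC is checked first so that
        nothing below is driven by unauthenticated fields."""
        sender = msg.get("sender")
        key = self.keys.get(sender)
        if key is None:
            return "reject: unknown sender"
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return "reject: bad mac"
        now = self.now()
        try:
            ts = float(body["ts"])
        except (KeyError, TypeError, ValueError):
            return "reject: missing timestamp"
        if abs(now - ts) > MAX_SKEW:
            return "reject: stale"
        # Replay: forget nonces whose message would be stale anyway, then
        # refuse one already processed inside the freshness window.
        self.seen = {k: t for k, t in self.seen.items() if abs(now - t) <= MAX_SKEW}
        nonce_key = (sender, body.get("nonce"))
        if nonce_key in self.seen:
            return "reject: replay"
        self.seen[nonce_key] = ts
        # Slide 3: a victim may only query/manipulate traffic to its own prefixes.
        if body.get("dst") not in self.prefixes.get(sender, ()):
            return "reject: not the sender's prefix"
        # Flooding: at most RATE_LIMIT accepted requests per sender per window.
        q = self.accepted.setdefault(sender, deque())
        while q and now - q[0] > RATE_WINDOW:
            q.popleft()
        if len(q) >= RATE_LIMIT:
            return "reject: rate limited"
        q.append(now)
        return "ok"
```

Two design points worth noting. The replay cache only needs to remember nonces for `MAX_SKEW` seconds, because anything older is rejected by the timestamp check regardless, so the cache is bounded by the sender's request rate rather than growing forever. And the rate limit is applied after authentication, so a third party cannot exhaust a legitimate victim's quota with forged messages; the cost of the MAC check itself is what a transport-level limit in front of this code would have to bound.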

  9. Backup

  10. Use case II: Interception attack
  • Detect the traffic distribution changes before and after the attack
  • Identify upstream ASes that previously routed a lot of traffic but now route little
  [Figure: traffic distribution before and after the attack; old route: FHGDV, new route: SMAV]

  11. Use case II: Interception attack
  • Query these ASes for the routes to reach the victim
  • Perform a hop-by-hop traceback to detect the inconsistency between the routing and data plane
  • Ask SENSS ISPs to modify the bogus route
  [Figure: route to V: SMAV; data plane path from S to V: SMCBAV]
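Slides 10 and 11 form one procedure: spot the upstream ASes whose share of the victim's traffic collapsed, query the SENSS ASes for their route to V, and walk a traceback of real traffic hop by hop until the data plane leaves the advertised route. The following added example (not the SENSS authors' code) implements both steps on the slide-11 scenario, where S's route reads `S M A V` but packets follow `S M C B A V`. The AS names are the ones on the slides; the data layouts, the thresholds in `share_drops`, and the shape of the "modify route" request are assumptions.

```python
"""Victim-side checks for the interception use case (slides 10-11).

Added example, not the SENSS authors' code.  Step 1 is the mirror image of the
DDoS heuristic (a share that collapses instead of surging).  Step 2 compares
the route each queried SENSS AS reports against the AS path a hop-by-hop
traceback actually follows.  Layouts and thresholds are assumptions.
"""
from typing import Optional

VICTIM = "V"


def share_drops(baseline: dict, during: dict,
                high: float = 0.4, ratio: float = 3.0) -> list:
    """Slide 10: ASes that carried at least `high` before and now carry at most
    a `ratio`-th of that (an AS missing from `during` counts as 0)."""
    return sorted(asn for asn, before in baseline.items()
                  if before >= high and during.get(asn, 0.0) * ratio <= before)


def advertised_next_hop(asn: str, route: list) -> Optional[str]:
    """The hop after `asn` on the route it reported; accepts the slides'
    notation with (`S M A V`) or without the reporting AS at the front."""
    path = route[1:] if route and route[0] == asn else route
    return path[0] if path else None


def find_route_inconsistency(routes: dict, data_path: list) -> Optional[tuple]:
    """Slide 11: walk the data-plane path and return (as, advertised, actual)
    at the first hop where control plane and data plane disagree, or None.
    ASes that answered no route query (non-SENSS members) are skipped."""
    for here, actual in zip(data_path, data_path[1:]):
        if here not in routes:
            continue
        advertised = advertised_next_hop(here, routes[here])
        if advertised != actual:
            return (here, advertised, actual)
    return None


def fix_request(inconsistency: tuple, victim: str = VICTIM) -> str:
    """Slide 11, 'ask SENSS ISPs to modify the bogus route', rendered as a
    request to the AS where the planes diverge, naming the next hop it itself
    advertises.  The request wording is an assumption."""
    here, advertised, actual = inconsistency
    return (f"{here}: modify route, dst = {victim}, next_hop = {advertised}"
            f" (data plane currently forwards to {actual})")


# Constructed sample matching slide 11.  C is not a SENSS member and reports
# no route; B and A are, and their routes are consistent with the data plane.
ROUTES = {"S": ["S", "M", "A", "V"], "M": ["M", "A", "V"],
          "B": ["B", "A", "V"], "A": ["A", "V"]}
DATA_PATH = ["S", "M", "C", "B", "A", "V"]
# Constructed per-AS traffic shares for step 1: D (on the old route) collapses.
TRAFFIC_BEFORE = {"D": 0.5, "M": 0.2, "B": 0.5}
TRAFFIC_AFTER = {"D": 0.1, "M": 0.7, "B": 0.9}

if __name__ == "__main__":
    print("share dropped at:", share_drops(TRAFFIC_BEFORE, TRAFFIC_AFTER))
    bad = find_route_inconsistency(ROUTES, DATA_PATH)
    print(fix_request(bad) if bad else "control and data plane agree")
```

On the sample the divergence is found at M, which advertises A as its next hop while the traceback shows packets going to C. One caveat a deployment has to keep in mind: if every AS on the path honestly advertises the hijacked route (M reports `M C B A V`), the hop-by-hop comparison returns nothing, because control and data plane agree; in that case it is the step-1 share collapse at D that flags the problem, and the route query has to be compared against the expected route rather than against the traceback.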
