1 / 27

Practical Verifiable In-network Filtering for DDoS Defense

This paper discusses verifiable in-network filtering as a practical and scalable solution for mitigating large-scale volumetric DDoS attacks. It explores the challenges and proposes a design using Trusted Execution Environments (TEEs) for auditable filters and bypass detection at Internet Exchange Points (IXPs).

ryanr
Download Presentation

Practical Verifiable In-network Filtering for DDoS Defense

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Practical Verifiable In-network Filtering for DDoS Defense Deli Gong, Muoi Tran, Shweta Shinde, Hao Jin, Vyas Sekar, Prateek Saxena, Min Suk Kang July 8, 2019 | Dallas, TX

  2. Large-scale volumetric DDoS attacks are common (distributed denial of service) • Hundreds DDoS attacks occur daily* • Volume of DDoS traffic is escalating • New attack vectors (e.g., amplification) and attack source (e.g., botnets) * According to Kaspersky Lab’s report on DDoS attacks in Q1 2019 (2013) (2018)

  3. In-network filtering: a promising DDoS mitigation Filter rule: Drop 50% HTTPflows coming to my network • In-network filtering • allows the DDoS victim to install traffic filters nearer to attack source • not a new idea: e.g., Pushback [SIGCOMM’02], D-WARD [ICNP’02], AITF [USENIX ATC’05], StopIt [SIGCOMM’08] • installs at 1% of ISPs can mitigate 90% of DDoS attacks (SENSS [ACSAC’18]) AS* A DDoS victim network (* autonomous system) AS B filtering network transit networks

  4. One ignored problem: In-network filtering creates ambiguity about packet drops Within-network filtering Withoutin-network filtering Network faults or legitimate filtering? Network faults! Packet drops Packet drops AS A AS A AS B AS B transit network with in-network filtering transit network • What can go wrong because of this ambiguity?

  5. Filtering can be used as an excuse for discriminating neighboring ASes (2013) Filter rule: Drop 50% HTTPflows coming to my network Drop 0% traffic from A, 100% traffic from B AS A DDoS victim network (e.g., AT&T) (2014) AS B filtering network transit networks (e.g., Level3) (e.g., Comcast) Several disputes alreadyexist between transit networks

  6. How to remove such an ambiguity? Verifiability of filtering distinguishes legitimate DDoS mitigation from network faults Packets are being legitimately dropped! verify filtering policy & operation verify filtering operation Filter rule AS A DDoS victim network AS B filtering network transit networks 6

  7. How to make the operations of in-network filtering verifiable?

  8. Our contributions • We propose Verifiable In-network Filtering (VIF): • Software networking functions with Trusted Execution Environments (e.g., Intel SGX) as root of trust. Scalable design Auditable filter Practical deployment • multiple filters run in parallel • uses TEEs • is stateless • detects bypass • at Internet Exchange Points (IXPs)

  9. VIF design: auditable filter with TEEs protected memory audit enclaved code and state • Filtering within Trusted Execution Environments (TEEs) (e.g., Intel SGX) • Isolated execution • Remote attestation enclave victim network

  10. TEEs alone is insufficient for auditable filter design!

  11. Challenge 1: Influence from malicious inputs Trusted clock can be tampered • Abstract model of the filtering function for packet : ALLOW or DROP? Malicious packets inserted … Previous packets/ packet order Arrival time

  12. Solution: Stateless filter design ALOW or DROP? • No reliance on packet arrival time and packet order … • 5-tuple(srcIP, srcPort, dstIP, dstPort, protocol)

  13. Challenge 2: Traffic may be redirected to bypass filter redirect enclave

  14. Solution to filter bypass:Accountable logs for bypass detection does not reach filter! Bypass detected! How to check if packets are dropped by a transit network? is droppedoutside TEEs! • Accountable packet logging before and after filtering • Compare logs to detect bypass drop packet logs packet logs logs logs packet logs victim network transit networks neighboring networks filtering network

  15. How does victim know who is dropping packets? Packets are still dropped!  Filtering network misbehaved! avoid AS B • Victim network tests individual intermediate ASes • Rerouting inbound traffic using BGP poisoning (LIFEGUARD[SIGCOMM’12]) • Detour takes place in a few minutes and no collaboration needed (Nyx [S&P’18]) logs logs AS B victim network AS A AS C filtering network

  16. Our contributions Scalable design Auditable filter Practical deployment • multiple filters run in parallel • TEEs • stateless • bypass detection • at Internet Exchange Points (IXPs)

  17. Deployment issue: Scalability Mpps MB • Performance issues when filtering within a single enclave: • Memory footprint grows linearly with number of rules • Throughput degrades when number of rules exceeds ~3,000 EPC limit (e.g., 92 MB) Number of rules

  18. Solution to scalability issue: multiple SGX filters VIF Filtering Network • E0 • En-1 • More in our paper: • How trusted filters detect misbehaviors from untrusted components • A greedy solution to calculate filter rules among filters • Filter rules redistribution untrusted controller per-enclave limitations: (1) # rules (3,000) (2) bandwidth (10 Gb/s)* filter filter … victim network load balance untrusted switching fabric * Demonstrated by mbTLS (CoNEXT’17) on four SGX-core machines.

  19. Our contributions Scalable design Auditable filter Practical deployment • multiple filters run in parallel • TEEs • stateless • bypass detection • at Internet Exchange Points (IXPs)

  20. Deployment example remote attestation victim network rules rules rules filter filter filter filter rule insertion • Internet Exchange Points (IXPs) : • have peering relationship with hundreds ISPs • have flexible software-defined architecture IXP SDX [SIGCOMM’15] iSDX [NSDI’16] FLANC [SOSR’16] controller route control AS A • Enclave • Enclave • Enclave VIF filters AS C AS B switch fabric

  21. Implementation • Overview • Intel SGX SDK for Linux 2.1 • Data Plane Development Kit (DPDK) 17.05.2 • Trusted computing base: • modification of DPDK ip_pipeline(1,044 SLoC) • packet logging and optimizations (162 SLoC) • Two optimizations: • Reducing context switches (more in our paper) • Near-zero copy approach 1,206SLoC

  22. Optimization: near-zero copy NIC NIC sketch (srcIP) packet logs packet logs sketch (5T) filter filter Enclave memory Enclave memory allow! allow! drop! Full packet copy a/d? Near- zero copy packet drop! a/d? Untrusted packet memory pool Untrusted packet memorypool allow or drop! allow or drop! packet packet only when allowed only when allowed Tx Queues Rx Queues Tx Queues Rx Queues Forwarded packets Incomingpackets Incomingpackets Forwarded packets • low memory usage • low packet-logging overhead

  23. Testbed PacketgeneratorFiltermachine Measurementisdoneatpacketgenerator Data-plane implementation • Synthetic data • 3,000 random filter rules • 10 Gb/s traffic Intel SGX PacketGenerator • Intel E5-2630 v3 CPU • (2.40 GHz, 8 cores) • 32 GB memory • Ubuntu 16.04.3 LTS • Kernelversion4.10 • 10 GbE Intel X540-AT2 FilterMachine • Intel i7-6700 CPU (3.40 GHz, 4 cores) • 8 GB memory • Ubuntu 16.04.3 LTS • Kernelversion4.10 • 10 GbE Intel X540-AT2

  24. Evaluation: Data-plane performance Throughput (Gb/s) • Throughput of near-zero copy: • 8 Gb/s throughput even with smallest packet size (64 bytes) Native (no SGX) SGX with full packet copy SGX with near-zero copy

  25. Evaluation: VIF deployment at IXPs Ratio of attack source IPs handled by top-n IXPs per region • Simulation setup: • Two real attack source data: 3 millions DNS resolvers and 250KMirai botnets • CAIDA AS relationship and IXP peering for building inter-domain topology VIF at only top-5 IXPs per region mitigate up to 90% of attack

  26. Conclusion • VIF addresses the core issue of in-network filtering • Lack of filtering verifiability  ambiguity in handling packet drops which can be exploited by malicious ISPs • VIF: the first auditable and scalable DDoS traffic filter • VIF takes advantages of: • Trusted execution environments as the root of trust • Software-defined, line-rate packet processing • IXPs for practical deployment

  27. Question? Muoi Tran muoitran@comp.nus.edu.sg

More Related