
Page 1: Bohatei: Flexible and Elastic DDoS Defense Seyed K. Fayaz, Yoshiaki Tobioka, Vyas Sekar, Michael Bailey

Bohatei: Flexible and Elastic DDoS Defense

Seyed K. Fayaz, Yoshiaki Tobioka, Vyas Sekar, Michael Bailey

https://github.com/ddos-defense/bohatei

Page 2: DDoS attacks are getting worse

• Increasing in number
• Increasing in volume
• Increasing in diversity
• High cost on victims

[Figure: collage of news headlines on recent DDoS attacks. Sources: Threatpost, 7/31/2015; The New York Times, 3/30/2015; Incapsula, 11/12/2014; Arbor Networks, 2/14/2014; Radware, 10/7/2014; Cloudflare, 3/27/2013; Imperva, 2015; Techworld, 7/16/2014]

Page 3: DDoS Defense Today: Expensive Proprietary Hardware

[Figure: an intranet and its assets protected by a proprietary DDoS-defense hardware appliance at the edge]

Page 4: Limitation: Fixed functionality

What if new types of attacks emerge?

[Figure: the same intranet and assets behind the fixed-function appliance]

Page 5: Limitation: Fixed capacity

Capacity is provisioned once for a fixed volume while the attack volume varies over time, so the capacity not in use during quieter periods is wasted.

[Figure: attack volume (Gbps) over time t1..t4 plotted against a horizontal "fixed capacity" line; the gaps below the line are marked "waste"]

Page 6: Limitation: Fixed location

• Additional traffic latency due to waypointing
• Routing hacks to enforce defense

[Figure: traffic from source to destination is diverted through the appliance instead of taking the shortest path (marked ✗)]

Page 7: Need flexibility w.r.t. attack type

[Figure: assets facing different attack types]

Page 8: Need flexibility w.r.t. attack locations

[Figure: assets with attack traffic arriving at ingress points A, B and C]

Page 9: Need elasticity w.r.t. attack volume

[Figure: assets facing attack volumes that change over time]

Page 10: Bohatei in a nutshell

A practical ISP-scale system for flexible and elastic DDoS defense via Software-Defined Networking (SDN) and Network Functions Virtualization (NFV)

React to 500 Gbps-scale attacks in 1 min!

Page 11: Outline

• Motivation
• Background on SDN/NFV
• Bohatei overview and challenges
• System design
• Implementation
• Evaluation
• Conclusions

Page 12: Software-Defined Networking (SDN)

Centralized management + open configuration APIs: a controller installs forwarding rules ("flow" → forwarding action) into the table of every switch.

[Figure: a controller above three switches, each holding a "Flow → FwdAction" table]

Page 13: Network Functions Virtualization (NFV)

Today: standalone and specialized boxes (proxy, firewall, IDS/IPS, AppFilter)

NFV: run the same functions as software on commodity hardware

Page 14: Why are SDN/NFV useful for DDoS defense?

Each limitation of today's hardware defense maps onto one of the two technologies:
• Expensive → NFV (software defenses on commodity hardware)
• Fixed functionality → NFV (a new attack type needs a new VM image, not a new box)
• Fixed capacity → NFV (instances are launched and torn down on demand)
• Fixed location → SDN (traffic is steered to wherever the defense instances run)

Our work: bring these benefits to DDoS defense


Page 16: Bohatei Vision: Flexible + Elastic Defense via SDN/NFV

An SDN/NFV controller inside the ISP takes the customer's defense policy, launches defense VMs in the ISP's datacenters (DC1, DC2, ...) and steers the attack traffic through those VMs before it reaches the customer intranet.

[Figure: ISP with datacenters DC1 and DC2 hosting defense VMs, the SDN/NFV controller, the customer intranet, attack traffic, and the defense policy handed to the controller]

Page 17: Bohatei Controller Workflow

• Strategy layer: predict the attack pattern
• Resource management: decide how many VMs, of what types, and where
• Network orchestration: configure the network to route traffic through those VMs

Page 18: Threat model: general, dynamic adversaries

• Targets one or more customers
• Attacker has a fixed "budget" w.r.t. total attack volume
• Adapts over time:

  do {
    Pick_Target()
    Pick_Attack_Type()
    Pick_Attack_Volume()
    Pick_Attack_Ingress()
    Observe_and_Adapt()
  }

Page 19: Bohatei Design Challenges

• Strategy layer (predict attack pattern): resilient to adversary adaptation?
• Resource management (decide how many VMs, what types, where): fast algorithms?
• Network orchestration (configure network to route traffic): scalable SDN?


Page 21: Naïve resource management is too slow!

Inputs: suspicious traffic predictions, defense library, compute/network resources
Outputs: types, numbers, and locations of VMs; routing decisions

One global optimization over all of this takes hours to solve...

Page 22: Our Approach: Hierarchical + Greedy

Same inputs (suspicious traffic predictions, defense library, compute/network resources), solved at two levels:
• ISP-level greedy: how much traffic to send to each datacenter DC1 ... DCN
• Per datacenter 1 ... N: which VM slots in that datacenter handle it
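The two-level decomposition above, written out as a runnable Python model. This is an added example, not Bohatei's resource manager (the paper and repository have their own heuristics): the defense library, the two-datacenter topology, the per-ingress link costs and the predicted volumes are all constructed; the ISP level is a plain greedy that serves the largest predicted demand first from the cheapest datacenter that still has free VM slots, splitting a demand across datacenters when needed; the per-datacenter level converts assigned Gbps into VMs and places them first-fit on servers.

```python
"""Two-level (hierarchical) greedy resource management, as an illustration.

Level 1, ISP-wide: take each (ingress, attack type) volume predicted by the
strategy layer, largest first, and send it to the datacenters that are cheapest
from that ingress and still have free VM slots, splitting it when one
datacenter cannot absorb it all.
Level 2, per datacenter: turn the Gbps assigned to that datacenter into
defense VMs and place them on servers first-fit.
Every number below (library, topology, prediction) is constructed.
"""
from math import ceil

# Constructed defense library: Gbps that one VM of each attack type's defense handles.
GBPS_PER_VM = {"syn_flood": 10, "dns_amp": 20}

# Constructed ISP: datacenters with servers x VM slots, and a routing cost from
# each ingress point A/B (lower is cheaper / closer).
DATACENTERS = {
    "DC1": {"servers": 2, "slots_per_server": 3, "cost": {"A": 1, "B": 3}},
    "DC2": {"servers": 2, "slots_per_server": 4, "cost": {"A": 3, "B": 1}},
}

# Constructed prediction from the strategy layer: suspicious Gbps per ingress and type.
PREDICTION = {
    "A": {"syn_flood": 50, "dns_amp": 40},
    "B": {"syn_flood": 30, "dns_amp": 100},
}


def isp_level_greedy(prediction, datacenters, gbps_per_vm):
    """Decide how much of each (ingress, type) demand goes to which datacenter.

    Returns (assignment, leftover): assignment maps (ingress, type) to a list
    of (datacenter, gbps); leftover holds demand no datacenter had slots for,
    which a real controller must surface rather than drop silently.
    """
    free_slots = {dc: d["servers"] * d["slots_per_server"] for dc, d in datacenters.items()}
    demands = sorted(
        ((gbps, ingress, atype)
         for ingress, per_type in prediction.items()
         for atype, gbps in per_type.items()),
        reverse=True)  # largest demand first, so it gets the cheapest slots
    assignment, leftover = {}, {}
    for gbps, ingress, atype in demands:
        remaining = gbps
        for dc in sorted(datacenters, key=lambda d: datacenters[d]["cost"][ingress]):
            if remaining <= 0:
                break
            vms = min(free_slots[dc], ceil(remaining / gbps_per_vm[atype]))
            if vms == 0:
                continue
            take = min(remaining, vms * gbps_per_vm[atype])
            assignment.setdefault((ingress, atype), []).append((dc, take))
            free_slots[dc] -= vms
            remaining -= take
        if remaining > 0:
            leftover[(ingress, atype)] = remaining
    return assignment, leftover


def dc_level_placement(dc, dc_spec, assignment, gbps_per_vm):
    """Decide which VM slots in one datacenter run which defense VMs (first-fit)."""
    load = {}  # Gbps of each attack type this datacenter was given
    for (_, atype), parts in assignment.items():
        for target, gbps in parts:
            if target == dc:
                load[atype] = load.get(atype, 0) + gbps
    servers = [[] for _ in range(dc_spec["servers"])]
    for atype in sorted(load):
        for _ in range(ceil(load[atype] / gbps_per_vm[atype])):
            server = next((s for s in servers if len(s) < dc_spec["slots_per_server"]), None)
            if server is None:
                raise RuntimeError(f"{dc}: out of VM slots while placing {atype}")
            server.append(atype)
    return servers


def plan(prediction=PREDICTION, datacenters=DATACENTERS, gbps_per_vm=GBPS_PER_VM):
    """Run both levels; returns (ISP assignment, leftover, per-datacenter placement)."""
    assignment, leftover = isp_level_greedy(prediction, datacenters, gbps_per_vm)
    placement = {dc: dc_level_placement(dc, spec, assignment, gbps_per_vm)
                 for dc, spec in datacenters.items()}
    return assignment, leftover, placement


if __name__ == "__main__":
    for part in plan():
        print(part)
```

With the constructed numbers, the 40 Gbps DNS-amplification demand from ingress A is split (20 Gbps in DC1, 20 Gbps in DC2) because DC1 runs out of slots, and 10 Gbps of SYN flood from ingress B cannot be placed anywhere and comes back as leftover. Surfacing that leftover matters: an adversary whose first goal is to exhaust defense resources will aim exactly for it.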

Page 23: A reactive, per-flow controller will be a new vulnerability

With reactive, per-flow control, the first packet of every new flow (packet1, ..., packet100, ...) is punted to the controller, which then installs one entry per flow in the switch forwarding table (Flow1 → Port 2, ..., Flow100 → Port 3, ...). The number of new flows is exactly what the attacker controls, so the controller and the forwarding table themselves become a target.

Reactive, per-flow isn't scalable.

[Figure: switch SW with Port1-Port3 leading to VM1-VM3, the controller above it, and the per-flow "Flow → outPort" forwarding table]

Page 24: Idea: Proactive tag-based steering

• Proactive set up: the controller installs the forwarding rules before any attack traffic arrives, keyed on a tag rather than on a flow
• Each defense VM tags the packets it has processed with its context: Benign → tag 1, Suspicious → tag 2
• The switch matches on the tag (e.g., tag 1 → Port 2, tag 2 → Port 3), so packet1 and packet100 are steered by the same two rules

Proactive per-VM tagging enables scaling.

[Figure: the same switch and VMs, with two tables: "Context → Tag" (Benign: 1, Suspicious: 2) held by the VM and "Tag → outPort" held by the switch]
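The contrast between the two slides above, as an added Python model that is not part of the slides or of the Bohatei code. The tag values and port numbers follow the slide; the controller's capacity of 100 new-flow requests per epoch and the traffic mix are constructed; and the FlowTags detail of carrying the tag in packet header fields is abstracted to a field on the packet.

```python
"""Reactive per-flow steering vs. proactive tag-based steering, as an illustration.

Not Bohatei code.  One switch sits between the defense VMs and the customer;
each VM stamps a context ("benign"/"suspicious") on the packets it has
inspected.  The reactive design punts every unseen flow to the controller and
installs one rule per flow; the proactive design installs one rule per tag up
front.  Tags, ports, controller capacity and traffic are constructed.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "flow_id context")

CONTEXT_TO_TAG = {"benign": 1, "suspicious": 2}   # applied by the defense VM
TAG_TO_PORT = {1: 2, 2: 3}                        # tag 1 -> Port 2, tag 2 -> Port 3


class Switch:
    def __init__(self):
        self.table = {}             # match key -> output port
        self.controller_hits = 0    # packets punted to the controller


def reactive_per_flow(switch, packets, controller_capacity):
    """Each new flow costs a controller round trip and a per-flow rule; once
    the controller's capacity for this epoch is spent, new flows stall."""
    out = []
    for p in packets:
        key = ("flow", p.flow_id)
        if key not in switch.table:
            if switch.controller_hits >= controller_capacity:
                out.append(None)    # controller saturated: flow is not forwarded
                continue
            switch.controller_hits += 1
            switch.table[key] = TAG_TO_PORT[CONTEXT_TO_TAG[p.context]]
        out.append(switch.table[key])
    return out


def proactive_tag_based(switch, packets):
    """Rules keyed on the tag are installed before any traffic arrives, so
    forwarding never involves the controller, whatever the number of flows."""
    for tag, port in TAG_TO_PORT.items():
        switch.table[("tag", tag)] = port
    return [switch.table[("tag", CONTEXT_TO_TAG[p.context])] for p in packets]


def compare(controller_capacity=100):
    """Constructed traffic: 200 attack flows arrive, then 20 benign flows."""
    packets = ([Packet(i, "suspicious") for i in range(200)]
               + [Packet(1000 + i, "benign") for i in range(20)])
    reactive, proactive = Switch(), Switch()
    r_ports = reactive_per_flow(reactive, packets, controller_capacity)
    p_ports = proactive_tag_based(proactive, packets)

    def benign_dropped(ports):
        return sum(1 for p, port in zip(packets, ports)
                   if p.context == "benign" and port is None)

    # Wherever the reactive switch did forward, both designs chose the same port.
    assert all(r == p for r, p in zip(r_ports, p_ports) if r is not None)
    return {
        "reactive": {"rules": len(reactive.table),
                     "controller_hits": reactive.controller_hits,
                     "benign_dropped": benign_dropped(r_ports)},
        "proactive": {"rules": len(proactive.table),
                      "controller_hits": proactive.controller_hits,
                      "benign_dropped": benign_dropped(p_ports)},
    }


if __name__ == "__main__":
    print(compare())
```

The attack flows that arrive first use up the controller's budget, so in the reactive design every benign flow behind them stalls even though the switch has plenty of table space left; the proactive design needs two rules and zero controller round trips regardless of how many flows the attacker generates.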

Page 25: Dynamic adversaries can game the defense

Adversary's goals:
1. Increase defense resource consumption
2. Succeed in delivering attack traffic

Simple prediction (e.g., previous epoch, average) can be gamed.

[Figure: attack volume (Gbps) per epoch t1..t4; the attacker switches between SYN flood and DNS amplification from epoch to epoch, so the attack volume predicted for t4 from the earlier epochs misses the switch]

Page 26: Our approach: Online adaptation

• Metric of success = "regret minimization": how much worse than the best static strategy in hindsight?
• Borrow an idea from online algorithms: the Follow the Perturbed Leader (FPL) strategy
• Intuition: prediction = F(observation history + random noise)
• FPL provably minimizes the regret metric: its regret grows sublinearly in the number of epochs, so the per-epoch regret vanishes
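The attacker loop of slide 18 and the prediction strategies of slides 25 and 26, as an added Python simulation that is not the paper's code. It simplifies the setting to one customer, one ingress and two attack types, models "defense" as splitting a fixed capacity between the two types, and lets the attacker spend its whole budget on one type per epoch. The alternating attacker is the slide-25 pattern; the biased attacker is a constructed 80/20 mix; the attackers commit to their pattern before the defender's random draw in the same epoch, which is the setting FPL's regret bound covers. The noise mean of 500 is a constructed constant; the FPL analysis prescribes a value that grows with the square root of the number of epochs.

```python
"""Dynamic adversary vs. prediction strategies, as an illustration (not Bohatei code).

One customer, one ingress, two attack types.  Each epoch the attacker spends its
whole budget on one type; the defender first splits a fixed defense capacity
between the two types based on its prediction, then observes the attack.
Attack traffic above the capacity allocated to its type leaks through, and the
leaked Gbps is the defender's loss.  Regret is the defender's total loss minus
the loss of the best fixed split chosen in hindsight.  All numbers are constructed.
"""
import random

TYPES = ("syn_flood", "dns_amp")
BUDGET = 100.0     # attacker's budget per epoch (Gbps), spent on one type
CAPACITY = 100.0   # defender's total defense capacity per epoch (Gbps)
# Defender's decision set: fraction of CAPACITY given to SYN-flood defense.
SPLITS = (0.0, 0.25, 0.5, 0.75, 1.0)


def leak(split, attack_type, volume=BUDGET):
    """Gbps of attack traffic exceeding the capacity allocated to its type."""
    allocated = CAPACITY * (split if attack_type == "syn_flood" else 1.0 - split)
    return max(0.0, volume - allocated)


def prev_epoch_split(history, eta, rng):
    """'Previous epoch' prediction: assume the next epoch repeats the last one."""
    if not history:
        return 0.5
    return 1.0 if history[-1] == "syn_flood" else 0.0


def perturbed_leader_split(history, eta, rng):
    """Follow the Perturbed Leader: the split with the lowest cumulative leak on
    the observed history after subtracting exponential noise with mean eta.
    eta == 0 is plain Follow the Leader (history only, no noise)."""
    def score(split):
        past = sum(leak(split, t) for t in history)
        noise = rng.expovariate(1.0 / eta) if eta > 0 else 0.0
        return past - noise
    return min(SPLITS, key=score)   # ties go to the first split in SPLITS


def alternating_adversary(epoch, rng):
    """The slide-25 pattern: SYN flood one epoch, DNS amplification the next."""
    return TYPES[epoch % 2]


def biased_adversary(epoch, rng):
    """Mostly SYN floods with occasional DNS amplification (constructed 80/20)."""
    return "syn_flood" if rng.random() < 0.8 else "dns_amp"


def run(defender, adversary, epochs=1000, eta=500.0, seed=7):
    """Play `epochs` rounds; return (defender loss, best static loss, regret)."""
    atk_rng, def_rng = random.Random(seed), random.Random(seed + 1)
    history, total = [], 0.0
    for epoch in range(epochs):
        split = defender(history, eta, def_rng)   # commit before seeing the attack
        attack = adversary(epoch, atk_rng)        # Pick_Attack_Type with full budget
        total += leak(split, attack)
        history.append(attack)                    # Observe; the defender adapts next epoch
    best_static = min(sum(leak(s, t) for t in history) for s in SPLITS)
    return total, best_static, total - best_static


if __name__ == "__main__":
    for name, adversary in (("alternating", alternating_adversary),
                            ("biased", biased_adversary)):
        for label, defender, eta in (("prev-epoch", prev_epoch_split, 0.0),
                                     ("follow-the-leader", perturbed_leader_split, 0.0),
                                     ("FPL", perturbed_leader_split, 500.0)):
            print(name, label, run(defender, adversary, eta=eta))
```

Against the alternating attacker both history-only predictors are gamed completely: "previous epoch" and noise-free Follow the Leader each leak the full budget in every epoch after the first, so their regret is about half the total loss (the best fixed split in hindsight leaks 50 Gbps per epoch). Adding noise to the same history makes the defender's choice unpredictable, and its loss drops to roughly that of the best fixed split. Against the biased attacker FPL also locks onto the right split within a few dozen epochs, while "previous epoch" keeps paying for every switch.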

Page 27: Putting it together

• Prediction strategy: predicts the volume of suspicious traffic of each attack type at each ingress → suspicious traffic spec.
• Resource management: takes the suspicious traffic spec. and the defense policy → quantity, type, location of VMs
• Orchestration: launching VMs, traffic path set up

[Figure: the ISP picture from the vision slide (DC1, DC2, customer intranet, defense VMs, attack traffic, defense policy) annotated with these three stages]


Page 29: Defense policy library

• A defense graph per attack type
• Customized interconnection of defense modules
• Open source defense VMs

Example (SYN flood defense):

  Analyze (per source: count SYN − SYN/ACK)
    [Legitimate] → OK
    [Attack]     → LOG, DROP
    [Unknown]    → SYNPROXY
                     [Legitimate] → OK
                     [Attack]     → LOG, DROP
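The SYN-flood defense graph above as an executable model, added here and not taken from Bohatei's defense VMs. Modules are functions returning a verdict label; the graph maps (module, verdict) to the next module or to a terminal action, so the same walker runs any defense graph built the same way. The per-source counters, the SYNPROXY observation, the thresholds and the reading of "SYN − SYN/ACK per source" as SYNs seen minus handshakes completed are all assumptions of this example.

```python
"""The SYN-flood defense graph from slide 29 as an executable model.

Illustrative code, not Bohatei's defense VMs.  Modules are functions that
return a verdict label; the graph maps (module, verdict) to the next module
or to a terminal action.  Counters, thresholds and the SYNPROXY observation
are constructed.  "SYN - SYN/ACK per source" is read here as SYNs seen from
a source minus the handshakes that source completed.
"""

# Constructed counters one analysis window could collect per source.
SOURCES = {
    "10.0.0.1": {"syn": 3,   "handshakes": 3},   # ordinary client
    "10.0.0.2": {"syn": 12,  "handshakes": 4},   # lossy client, or a slow bot
    "10.0.0.3": {"syn": 500, "handshakes": 0},   # obvious flood
    "10.0.0.4": {"syn": 10,  "handshakes": 0},   # spoofed source, never answers
}
# Constructed SYNPROXY observation: did the source complete the handshake when
# the proxy answered its SYN on the server's behalf?
PROXY_COMPLETES = {"10.0.0.2": True, "10.0.0.4": False}

LEGIT_MAX_HALF_OPEN = 2      # constructed thresholds
ATTACK_MIN_HALF_OPEN = 100


def analyze(src, counters, proxy_obs):
    """Count SYN minus completed handshakes per source and classify."""
    half_open = counters["syn"] - counters["handshakes"]
    if half_open <= LEGIT_MAX_HALF_OPEN:
        return "Legitimate"
    if half_open >= ATTACK_MIN_HALF_OPEN:
        return "Attack"
    return "Unknown"


def synproxy(src, counters, proxy_obs):
    """Sources that complete the proxied handshake are real; the rest are not."""
    return "Legitimate" if proxy_obs.get(src, False) else "Attack"


MODULES = {"Analyze": analyze, "SYNPROXY": synproxy}
TERMINALS = ("OK", "LOG DROP")
# Defense graph: (module, verdict) -> next module or terminal action.
SYN_FLOOD_GRAPH = {
    ("Analyze", "Legitimate"): "OK",
    ("Analyze", "Attack"): "LOG DROP",
    ("Analyze", "Unknown"): "SYNPROXY",
    ("SYNPROXY", "Legitimate"): "OK",
    ("SYNPROXY", "Attack"): "LOG DROP",
}


def validate_graph(graph, modules):
    """Return problems: edges into unknown nodes, or modules with no outgoing edges."""
    problems = []
    for (module, verdict), target in graph.items():
        if module not in modules:
            problems.append(f"edge from unknown module {module}")
        if target not in modules and target not in TERMINALS:
            problems.append(f"({module}, {verdict}) leads to unknown node {target}")
    for module in modules:
        if not any(m == module for m, _ in graph):
            problems.append(f"module {module} has no outgoing edges")
    return problems


def run_graph(graph, modules, src, counters, proxy_obs, start="Analyze"):
    """Walk one source through the graph; return (terminal action, path taken)."""
    node, path = start, []
    while node not in TERMINALS:
        verdict = modules[node](src, counters, proxy_obs)
        path.append((node, verdict))
        node = graph[(node, verdict)]   # KeyError here means an unhandled verdict
    return node, path


def apply_policy(sources=SOURCES, proxy_obs=PROXY_COMPLETES, graph=SYN_FLOOD_GRAPH):
    """Return the action per source and the lines the LOG module would emit."""
    problems = validate_graph(graph, MODULES)
    if problems:
        raise ValueError("; ".join(problems))
    decisions, log = {}, []
    for src, counters in sources.items():
        action, path = run_graph(graph, MODULES, src, counters, proxy_obs)
        decisions[src] = action
        if action == "LOG DROP":
            log.append(f"drop {src} after " + " -> ".join(f"{m}:{v}" for m, v in path))
    return decisions, log


if __name__ == "__main__":
    decisions, log = apply_policy()
    print(decisions)
    print("\n".join(log))
```

The log line records the path through the graph, not just the verdict, so an operator can tell a source dropped outright by Analyze from one that was given the benefit of the doubt and then failed the SYNPROXY handshake. validate_graph is the check to run when a customer supplies a customized interconnection of modules: a verdict with no outgoing edge is a policy bug that would otherwise surface only under attack.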

Page 30: Implementation

Control plane:
• OpenDaylight controller hosting the Bohatei resource manager and the defense library
• FlowTags (Fayaz et al., NSDI'14) for tag-based steering
• OpenFlow to the switches

Data plane:
• Switches: Open vSwitch (OVS)
• FlowTags-enabled defense VMs (e.g., Snort) on KVM

Testbed: 13 20-core Intel Xeon machines

https://github.com/ddos-defense/bohatei


Page 32: Evaluation questions

• Does Bohatei respond to attacks rapidly?

• Can Bohatei handle ≈500 Gbps attacks?

• Can Bohatei successfully cope with dynamic adversaries?

Page 33: Responsiveness

Bohatei restores the performance of benign traffic within ≈ 1 min.

• Hierarchical resource management:
  – A few milliseconds (vs. hours for the global optimization)
  – Optimality gap < 1%

Page 34: Scalability: Forwarding table size

• Per-VM tagging cuts the number of rules by 3-4 orders of magnitude
• Proactive setup reduces setup time by 3-4 orders of magnitude

Page 35: Adversarial resilience

Bohatei's online adaptation strategy minimizes regret.

Page 36: Conclusions

• DDoS defense today: expensive, inflexible, and inelastic
• Bohatei: SDN/NFV for flexible and elastic DDoS defense
• Key challenges: responsiveness, scalability, resilience
• Main solution ideas:
  – Hierarchical resource management
  – Proactive, tag-based orchestration
  – Online adaptation strategy
• Ideas may be applicable to other security problems
• Scalable + can react to very large attacks quickly!