Bohatei: Flexible and Elastic DDoS Defense
Seyed K. Fayaz, Yoshiaki Tobioka, Vyas Sekar, Michael Bailey
https://github.com/ddos-defense/bohatei
DDoS attacks are getting worse
• Increasing in number
• Increasing in volume
• Increasing in diversity
Sources cited: Threatpost, 7/31/2015; The New York Times, 3/30/2015; Incapsula, 11/12/2014; Arbor Networks, 2/14/2014; Radware, 10/7/2014; Cloudflare, 3/27/2013; Imperva, 2015; Techworld, 7/16/2014
High cost on victims

DDoS Defense Today: Expensive Proprietary Hardware
[Figure: a proprietary DDoS appliance sits between the intranet and the assets it protects]

Limitation: Fixed functionality
What if new types of attacks emerge?

Limitation: Fixed capacity
[Figure: attack volume (Gbps) over time t1, t2, t3, t4 plotted against a fixed-capacity line; the gap below the line in low-attack periods is marked as waste]

Limitation: Fixed location
• Additional traffic latency due to waypointing
• Routing hacks to enforce defense
[Figure: source to destination; the shortest path is crossed out because traffic must be waypointed through the appliance]
Need flexibility w.r.t. attack type
Need flexibility w.r.t. attack locations
[Figure: attacks against the assets arriving at ingress points A, B, and C]
Need elasticity w.r.t. attack volume
Bohatei in a nutshell
A practical ISP-scale system for Flexible and Elastic DDoS Defense via Software-Defined Networking (SDN) & Network Functions Virtualization (NFV)
React to 500 Gbps scale attacks in 1 min!
Outline
• Motivation
• Background on SDN/NFV
• Bohatei overview and challenges
• System design
• Implementation
• Evaluation
• Conclusions
Software-Defined Networking (SDN)
Centralized management + open config APIs
[Figure: a controller installs “Flow → FwdAction” rules into the forwarding tables of several switches]

Network Functions Virtualization (NFV)
Today: standalone and specialized boxes (proxy, firewall, IDS/IPS, AppFilter); with NFV these run as software on commodity hardware

Why are SDN/NFV useful for DDoS defense?
[Figure: the four limitations of today's defense (expensive, fixed functionality, fixed capacity, fixed location) set against what NFV and SDN provide]

Our Work: Bring these benefits to DDoS Defense
Bohatei Vision: Flexible + Elastic Defense via SDN/NFV
[Figure: an ISP with datacenters DC1 and DC2 and a customer intranet; an SDN/NFV controller takes the defense policy and launches defense VMs in the datacenters to absorb the attack traffic]
Bohatei Controller Workflow
• Strategy layer: predict attack pattern
• Resource management: decide how many VMs, what types, where
• Network orchestration: configure network to route traffic

Threat model: general, dynamic adversaries
• Targets one or more customers
• Attacker has a fixed “budget” w.r.t. total attack volume
• Adversary loop:
  do {
    Pick_Target()
    Pick_Attack_Type()
    Pick_Attack_Volume()
    Pick_Attack_Ingress()
    Observe_and_Adapt()
  }
Bohatei Design Challenges
• Strategy layer (predict attack pattern): resilient to adaptation?
• Resource management (decide how many VMs, what types, where): fast algorithms?
• Network orchestration (configure network to route traffic): scalable SDN?
Naïve resource management is too slow!
Global optimization takes hours to solve…
• Inputs: suspicious traffic predictions, defense library, compute/network resources
• Outputs: types, numbers, and locations of VMs? Routing decisions?

Our Approach: Hierarchical + Greedy
• ISP-level greedy: given the suspicious traffic predictions, defense library, and compute/network resources, decide how much traffic goes to each datacenter (DC1 … DCN)
• Per datacenter (1 … N): decide which VM slots in that datacenter to use
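The two-level decomposition above, as an added worked example (this is illustration code written for this page, not the Bohatei project's own resource manager). The defense library, datacenter slot counts, ingress-to-datacenter costs, and traffic predictions are all constructed values; the greedy rule (largest demand first, cheapest datacenter with room, split only when nothing fits) is one simple instance of the "hierarchical + greedy" idea, not the paper's exact algorithm.

```python
"""Hierarchical greedy resource management (added illustration, not Bohatei's code).

Inputs are the three on the slide: suspicious-traffic predictions per
(ingress, attack type), a defense library (which VM types an attack type needs
and how many Gbps one VM of each type handles), and compute resources (free VM
slots per datacenter, plus a per-ingress cost of steering traffic to each
datacenter). Every number below is constructed for the example.
"""
import math

# Defense library: attack type -> [(VM type, Gbps one such VM can process)].
DEFENSE_LIBRARY = {
    "syn_flood": [("syn_analyzer", 10.0), ("synproxy", 5.0)],
    "dns_amp":   [("dns_filter", 20.0)],
}

# Compute resources: free VM slots per datacenter (constructed).
DC_SLOTS = {"DC1": 20, "DC2": 10}

# Network cost of steering traffic from an ingress to a datacenter (constructed;
# think extra path length). Lower is better.
INGRESS_COST = {
    "A": {"DC1": 1, "DC2": 3},
    "B": {"DC1": 2, "DC2": 1},
}

# Strategy-layer output: predicted suspicious volume (Gbps) per (ingress, attack type).
PREDICTIONS = {("A", "syn_flood"): 30.0, ("B", "dns_amp"): 40.0, ("B", "syn_flood"): 10.0}


def vms_needed(attack_type, volume_gbps):
    """VM count per VM type for `volume_gbps` of this attack: every module of
    the attack's defense graph is scaled independently."""
    return {vm_type: math.ceil(volume_gbps / per_vm)
            for vm_type, per_vm in DEFENSE_LIBRARY[attack_type]}


def slots_needed(attack_type, volume_gbps):
    return sum(vms_needed(attack_type, volume_gbps).values())


def isp_level_greedy(predictions, dc_slots, ingress_cost):
    """ISP-level step: how much of each demand goes to which datacenter.
    Largest demands first; each goes to the cheapest datacenter with enough free
    slots and is split across datacenters (in cost order) only when no single
    one can absorb it. Returns {(ingress, attack type, dc): volume_gbps}."""
    free = dict(dc_slots)
    plan = {}
    for (ingress, atype), volume in sorted(predictions.items(), key=lambda kv: -kv[1]):
        remaining = volume
        for dc in sorted(free, key=lambda d: ingress_cost[ingress][d]):
            if remaining <= 0:
                break
            # Largest whole-Gbps chunk of the remaining demand this DC can absorb.
            chunk = remaining
            while chunk > 0 and slots_needed(atype, chunk) > free[dc]:
                chunk = math.ceil(chunk) - 1
            if chunk <= 0:
                continue
            plan[(ingress, atype, dc)] = plan.get((ingress, atype, dc), 0.0) + chunk
            free[dc] -= slots_needed(atype, chunk)
            remaining -= chunk
        if remaining > 0:
            plan[(ingress, atype, "UNSERVED")] = remaining  # all slots exhausted
    return plan


def dc_level_placement(plan, dc_slots):
    """Per-datacenter step: turn each DC's share into concrete VM slot
    assignments. Returns {dc: [(slot, vm_type, ingress, attack_type), ...]}."""
    placement = {dc: [] for dc in dc_slots}
    for (ingress, atype, dc), volume in plan.items():
        if dc == "UNSERVED":
            continue
        for vm_type, count in vms_needed(atype, volume).items():
            for _ in range(count):
                slot = len(placement[dc])
                assert slot < dc_slots[dc], "ISP-level step never over-commits a DC"
                placement[dc].append((slot, vm_type, ingress, atype))
    return placement


if __name__ == "__main__":
    plan = isp_level_greedy(PREDICTIONS, DC_SLOTS, INGRESS_COST)
    for key, gbps in plan.items():
        print(key, gbps, "Gbps")
    for dc, slots in dc_level_placement(plan, DC_SLOTS).items():
        print(dc, len(slots), "VMs:", slots)
```

Each level only looks at its own inputs: the ISP level never reasons about individual slots, and a datacenter never reasons about other datacenters, which is what keeps the per-epoch decision to a few cheap passes instead of one global optimization.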
A reactive, per-flow controller will be a new vulnerability
[Figure: a switch SW with VM1, VM2, VM3 on ports 1, 2, 3; every new packet (packet1 … packet100) is punted to the controller, which installs one forwarding-table entry per flow (Flow1 → Port 2, …, Flow100 → Port 3)]
Reactive, per-flow isn’t scalable

Idea: Proactive tag-based steering
[Figure: the controller proactively installs a Context → Tag table (Benign = 1, Suspicious = 2) and a Tag → outPort table; packets carry their tag, so packet1 (tag 1) and packet100 (tag 2) are steered to the right VM port without contacting the controller]
Proactive per-VM tagging enables scaling
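To make the rule-count argument concrete, here is an added model of one switch under both controller styles (illustration code written for this page, not the Bohatei or FlowTags code). The `Switch` class, the traffic generator, and the tag numbers (1 = benign, 2 = suspicious) are constructed; the point it shows is that the reactive design pays one controller round trip and one table entry per flow, while the proactive design installs one entry per tag before any traffic arrives.

```python
"""Reactive per-flow vs. proactive tag-based steering (added illustration, not
Bohatei's code). A tiny model of one switch: the controller either installs a
rule per flow on each table miss, or proactively installs one rule per context
tag (1 = benign, 2 = suspicious) and a classifier VM marks packets with a tag.
The flow records and tags below are constructed."""
from collections import Counter


class Switch:
    def __init__(self):
        self.table = {}        # match key -> output port
        self.packet_ins = 0    # packets punted to the controller on a table miss

    def forward(self, key, miss_handler):
        if key not in self.table:
            self.packet_ins += 1                 # round trip to the controller
            self.table[key] = miss_handler(key)  # one new rule per miss
        return self.table[key]


def reactive_per_flow(switch, packets, vm_ports):
    """Per-flow controller: every new 5-tuple costs a round trip and a rule."""
    def on_miss(five_tuple):
        # Spread flows over the defense VMs by source port; the rule is keyed
        # by the whole 5-tuple, so it serves exactly one flow.
        return vm_ports[five_tuple[3] % len(vm_ports)]
    return Counter(switch.forward(p["five_tuple"], on_miss) for p in packets)


def proactive_tag_based(switch, packets, tag_ports):
    """Tag-based steering: rules keyed on the tag are installed before traffic."""
    for tag, port in tag_ports.items():
        switch.table[("tag", tag)] = port

    def on_miss(key):
        raise AssertionError(f"unexpected table miss for {key}")
    return Counter(switch.forward(("tag", p["tag"]), on_miss) for p in packets)


def make_packets(n_flows):
    """Constructed traffic: n_flows distinct TCP flows, odd ones tagged suspicious."""
    return [{"five_tuple": ("10.0.0.%d" % (i % 250), "192.0.2.1", 6, 40000 + i, 80),
             "tag": 2 if i % 2 else 1} for i in range(n_flows)]


def compare(n_flows):
    """Rules installed and controller round trips under each design."""
    packets = make_packets(n_flows)
    reactive, proactive = Switch(), Switch()
    reactive_per_flow(reactive, packets, vm_ports=[2, 3])
    proactive_tag_based(proactive, packets, tag_ports={1: 2, 2: 3})
    return {"reactive_rules": len(reactive.table),
            "reactive_packet_ins": reactive.packet_ins,
            "proactive_rules": len(proactive.table),
            "proactive_packet_ins": proactive.packet_ins}


if __name__ == "__main__":
    print(compare(100))
```

The rule count in the reactive design grows with the number of flows, which an attacker controls, while in the proactive design it grows with the number of tags (contexts times VMs), which the defender controls; the same holds for controller load, since the proactive table never misses.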
Dynamic adversaries can game the defense
Adversary’s goals:
1. Increase defense resource consumption
2. Succeed in delivering attack traffic
Simple prediction (e.g., prev. epoch, avg) can be gamed
[Figure: attack volume (Gbps) over time t1, t2, t3, t4; the attacker switches between SYN flood and DNS amplification, shown against the attack volume predicted for t4 from the earlier epochs]
Our approach: Online adaptation
• Metric of success = “regret minimization”: how much worse than the best static strategy in hindsight?
• Borrow idea from online algorithms: Follow the Perturbed Leader (FPL) strategy
• Intuition: Prediction = F (Obs. History + Random Noise)
• This provably minimizes the regret metric
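An added simulation of the regret argument (illustration code for this page, not Bohatei's strategy layer). The setting is deliberately minimal: two constructed attack types, an adversary with a fixed per-epoch budget that knows the public history and the defender's algorithm but not its random coins, and a defender that pre-provisions one defense graph per epoch. It compares a plain follow-the-leader predictor against FPL, and reports each one's regret against the best static choice in hindsight; the noise scale and the adversary's rule are assumptions made for the example.

```python
"""Online adaptation with Follow the Perturbed Leader (added illustration, not
Bohatei's code). Each epoch the defender pre-provisions a defense graph for one
attack type; the adversary has a fixed budget BUDGET_GBPS per epoch, sees the
public history, and pours the whole budget into one attack type. Loss is the
attack volume that arrives for a type the defender did not provision.
Attack types, budget, and epoch count are constructed for the example."""
import math
import random

ATTACK_TYPES = ["syn_flood", "dns_amp"]
BUDGET_GBPS = 100.0


def follow_the_leader(history, rng):
    """Naive prediction: the type with the largest cumulative observed volume
    (ties go to the first type in the list). Deterministic, so predictable."""
    return max(ATTACK_TYPES, key=lambda t: history[t])


def follow_the_perturbed_leader(history, rng, scale):
    """FPL: Prediction = F(observed history + random noise). Here the noise is
    exponential with mean `scale`; the caller grows `scale` with sqrt(epochs)."""
    return max(ATTACK_TYPES, key=lambda t: history[t] + rng.expovariate(1.0 / scale))


def adaptive_adversary(history):
    """Knows the history and the defender's algorithm but not its coins: attacks
    the type a follow-the-leader defender would leave unprovisioned."""
    return min(ATTACK_TYPES, key=lambda t: (history[t], -ATTACK_TYPES.index(t)))


def simulate(strategy, epochs, seed=7):
    """Run `epochs` rounds; return total loss, the loss of the best single
    fixed choice in hindsight, and the regret (the difference)."""
    rng = random.Random(seed)
    history = {t: 0.0 for t in ATTACK_TYPES}
    attacks = []
    loss = 0.0
    for _ in range(epochs):
        provisioned = strategy(history, rng)      # defender commits first
        attacked = adaptive_adversary(history)    # then the adversary picks
        if attacked != provisioned:
            loss += BUDGET_GBPS                   # undefended volume delivered
        history[attacked] += BUDGET_GBPS          # observation for next epoch
        attacks.append(attacked)
    best_static = min(sum(BUDGET_GBPS for a in attacks if a != t) for t in ATTACK_TYPES)
    return {"loss": loss, "best_static_loss": best_static, "regret": loss - best_static}


def compare(epochs=1000):
    scale = BUDGET_GBPS * math.sqrt(epochs)       # assumed FPL noise scale
    ftl = simulate(follow_the_leader, epochs)
    fpl = simulate(lambda h, r: follow_the_perturbed_leader(h, r, scale), epochs)
    return {"ftl": ftl, "fpl": fpl}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

Against this adversary the deterministic predictor is wrong every epoch, so its regret grows linearly with the number of epochs, while the perturbed predictor is right about half the time, which is all the best fixed choice achieves in hindsight; its regret stays small, which is the property the slide calls regret minimization.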
Putting it together
• Prediction strategy: predicts volume of suspicious traffic of each attack type at each ingress (output: suspicious traffic spec.)
• Resource management: quantity, type, location of VMs
• Orchestration: launching VMs, traffic path set up
[Figure: the ISP with DC1, DC2 and the customer intranet; the defense policy feeds the controller, which launches defense VMs to absorb the attack traffic]
Defense policy library
• A defense graph per attack type
• Customized interconnection of defense modules
• Open source defense VMs
Example (SYN flood defense):
[Figure: defense graph. An Analyze module counts SYN minus SYN/ACK per source; sources classified [Legitimate] are passed (OK), [Attack] sources are logged and dropped (LOG, DROP), and [Unknown] sources go to a SYNPROXY module, which again passes [Legitimate] sources and logs and drops [Attack] sources]
Implementation
• Control plane: resource manager, defense library, OpenDaylight controller, FlowTags (Fayaz et al., NSDI’14)
• Data plane: FlowTags-enabled defense VMs (e.g., Snort) on KVM, OpenFlow switches (OVS)
• Testbed: 13 20-core Intel Xeon machines
• Code: https://github.com/ddos-defense/bohatei
Evaluation questions
• Does Bohatei respond to attacks rapidly?
• Can Bohatei handle ≈500 Gbps attacks?
• Can Bohatei successfully cope with dynamic adversaries?
Responsiveness
Bohatei restores performance of benign traffic in ≈ 1 min.
• Hierarchical resource management:
  – A few milliseconds (vs. hours)
  – Optimality gap < 1%

Scalability: Forwarding table size
Per-VM tagging cuts #rules by 3-4 orders of magnitude
Proactive setup reduces time by 3-4 orders of magnitude

Adversarial resilience
Bohatei online adaptation strategy minimizes regret.
Conclusions
• DDoS defense today: expensive, inflexible, and inelastic
• Bohatei: SDN/NFV for flexible and elastic DDoS defense
• Key challenges: responsiveness, scalability, resilience
• Main solution ideas:
  – Hierarchical resource management
  – Proactive, tag-based orchestration
  – Online adaptation strategy
• Ideas may be applicable to other security problems
• Scalable + can react to very large attacks quickly!