Introduction

Analytical Modeling of Crossfire Attacks

Simulations

Concluding remarks

A Novel Framework for Modeling and Mitigating Distributed Link Flooding Attacks

Christos Liaskos (1), V. Kotronis (2), X. Dimitropoulos (1)

(1) Foundation of Research and Technology - Hellas (FORTH), Greece
(2) ETH Zurich, Switzerland

Emails: liaskos@ics.forth.gr, vkotroni@tik.ee.ethz.ch, fontas@ics.forth.gr

Funding source: European Research Council, Grant Agreement no. 338402, project "NetVolution"

Christos Liaskos, V. Kotronis, X. Dimitropoulos: Modeling and Exposing Crossfire Attacks

Scope & Motivation

DDoS link-flooding attacks have great potential:
- Deplete the bandwidth of certain network links, disconnecting entire domains, even countries, from the Internet.

DDoS attacks are a reality:
- Spamhaus (2013): 300 Gbit/s of malicious traffic upon the intended target [1].

DDoS attacks are evolving in stealth:
- Crossfire, Coremelt [2, 3]: Flood links indirectly, with seemingly legit traffic.

Scope: Define a framework to Model, Understand, and Expose evolved DDoS attacks.

Key-requirements for Defense

M. Nikkhah, C. Dovrolis and R. Guerin, "Why didn't my (great!) protocol get adopted?", Proceedings of ACM HOTNETS, November 2015.

1. Deliver as promised:
   1. Expose Crossfire attacks. (Mitigation is context-specific).
2. Be thin & non-disruptive:
   1. Do not upset the network's operation.
3. Add value to existing network mechanisms!
   1. Don't start your own, independent path!

Relevant Existing Network Mechanisms

Traffic Engineering (TE):
- Existing & critical network mechanism.
- Natural reaction to link-flooding events, regardless of cause.
- Accomplished in two phases:
  - Calculate optimal load per network path (load-balancing).
  - Map traffic flows to paths, upholding the optimal loads.
  - Note: The mapping is done randomly!

Key-idea: Optimize flow mapping for attack exposure.

Our Contributions

- An analytical framework to understand Crossfire attacks.
  - Wide applicability (multigraphs, multipath routing, generic bot behavior).
- A thin and scalable way to implement the framework in practice.
  - All done in an SQL DB, standard SQL queries only.
  - SDN and NFV-compliant design.
- An open-source simulator to experiment with Crossfire attacks.

Modeling the Crossfire Attack

[Figure labels: Bots; Random destinations; Flooded link; Origin; Target.]

Modeling the Attack Cycle: Reactive Crossfire

[Figure: cycle of four steps, each drawn between origin (O) and target (T); the load-balancing step shows quotas (%) on alternative paths. Figure labels: Flooded links; Detected!!!]

Attacker: Discover path(s)
- Using distributed tracert

Attacker: Execute link(s) flooding
- Using indirect traffic

Defender: (TE) Flow mapping
- Source-based routing.
- Uphold optimal quotas.

Defender: (TE) Load Balancing
- Use alternative paths.
- Define optimal traffic quotas per path (%),
- E.g., using Linear Programming.

Modeling the Attack Exposure with Associative Relations

[Figure: relation at time t, with strength S, from traffic sources (IPs) over congested links to the nodes affected by flood events, drawn between origin (O) and target (T).]

An attack at cycle t floods a set of links, affecting nodes N(t).

E(t): Traffic sources (IPs) over congested links.

Modeling the Attack Exposure with Associative Relations

For all cycles 0...t, form the relation:

$R(t) : \bigcup_{\forall t} E(t) \longrightarrow \bigcup_{\forall t} N(t)$.

- $e \xrightarrow{s} n$: "entity e attacks node n".
- $* \xrightarrow{s} n$: "node n is an attack target".
- $e \xrightarrow{s} *$: "entity e is a bot".

Strength s: # of observations for a relation (running).

Effects of Attacker's Actions on the Detection Process

The attacker seeks to remain hidden.
- Hide the identity of bots and targets.
- Ensures $E \longrightarrow N$ contains many false bots e and targets n.

Terminology:
- Increase ‖E‖ (Left-specificity).
- Increase ‖N‖ (Right-specificity).

Effects of Load Balancing on the Detection Process

[Figure labels: Target area; Distance from target (hops); Presently flooded link; Additional links deployed by TE; "Vertical" attack (V); "Horizontal - Afferent" attack (H_a); "Horizontal - Efferent" attack (H_e).]

Figure: TE reclaims/adds capacity around congested areas. The attacker responds to keep affecting the target.

Table: Effects on the L / R specificity of observed relations.

Attacker's response types:

Vertical | Horizontal-efferent | Horizontal-afferent
+, ±     | +, −                | −, +

Optimizing TE Flow Mapping for Attack Exposure

Defender's goal: At t, reroute traffic flows such that, at t+1: $\min\{s\},\; e \xrightarrow{s} n,\; \forall r \subset R(t)$.

[Figure: two panels, each showing a bot (e), a flow (f), the flow destination (d), Origin and Target (n); one panel is labelled "Shortest Path".]

Qualitative meaning:
i) If flow retains destination $\xrightarrow{t+1}$ No attack (RED is disjoint).
ii) If it changes $\xrightarrow{t+1}$ Minimal probability of accidental attack (GREEN).
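
An added illustration of the defender's goal above (not the authors' algorithm): a greedy heuristic that fills the per-path quotas set by load balancing while steering each source away from the nodes it already has a strong e→n relation with. The function names, the flow/path/quota data layout and all sample values are assumptions constructed for this example.

```python
def path_cost(src, path_nodes, strength):
    """Sum of recorded e->n strengths this source would touch on the path."""
    return sum(strength.get((src, n), 0) for n in path_nodes)

def map_flows(flows, paths, quotas, strength):
    """Greedy flow-to-path mapping (illustrative heuristic, not optimal in general).
    flows:    {flow_id: source IP}
    paths:    {path_id: set of nodes served through that path}
    quotas:   {path_id: number of flows the load balancer allots to it}
    strength: {(source IP, node): s}, the running e->n relation strengths
    """
    if sum(quotas.values()) < len(flows):
        raise ValueError("quotas do not cover all flows")
    left = dict(quotas)  # the load-balancing result itself is left untouched
    costs = {f: {p: path_cost(src, nodes, strength) for p, nodes in paths.items()}
             for f, src in flows.items()}
    # Place first the flows with the largest gap between worst and best path.
    order = sorted(flows, key=lambda f: (-(max(costs[f].values())
                                           - min(costs[f].values())), f))
    mapping = {}
    for f in order:
        free = [p for p in sorted(paths) if left[p] > 0]
        best = min(free, key=lambda p: costs[f][p])
        mapping[f] = best
        left[best] -= 1
    return mapping

def total_strength(mapping, flows, paths, strength):
    """Total e->n strength that a given mapping would reinforce."""
    return sum(path_cost(flows[f], paths[p], strength) for f, p in mapping.items())

# Constructed sample: two paths, two flows each, three sources with history.
FLOWS = {"f1": "10.0.0.1", "f2": "10.0.0.2", "f3": "10.0.0.3", "f4": "10.0.0.4"}
PATHS = {"P1": {"n1", "n2"}, "P2": {"n3", "n4"}}
QUOTAS = {"P1": 2, "P2": 2}
STRENGTH = {("10.0.0.1", "n1"): 5, ("10.0.0.2", "n3"): 4, ("10.0.0.4", "n1"): 1}

if __name__ == "__main__":
    m = map_flows(FLOWS, PATHS, QUOTAS, STRENGTH)
    print(m, total_strength(m, FLOWS, PATHS, STRENGTH))
```

A source that still ends up congesting the links towards its previously related node after such a mapping had to change its flow destinations to do so, which is the persistence the relation strengths are meant to expose.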

Practical Implementation of the Exposure Process

Intuitive implementation via SQL.
- Maintain two simple tables, updated on link congestion events.
- Relation exposure:
  - e→* : SELECT Src_IP, count(PK) AS strength FROM PROBABLE_BOTS GROUP BY Src_IP
  - *→n : SELECT NodeID, count(PK) AS strength FROM PROBABLE_TARGETS GROUP BY NodeID
  - e→n : ... INNER JOIN on FLOODED_LINK ...
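
An added example (not the authors' code) that runs the two queries above in an in-memory SQLite database over constructed congestion events, so the running strengths can be inspected. The table layout, the Cycle column and the full e→n join condition are assumptions, since the slide elides the join.

```python
import sqlite3

def build_db(events):
    """events: (cycle, flooded_link, [source IPs on the link], [nodes affected])."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE PROBABLE_BOTS    (PK INTEGER PRIMARY KEY, Cycle INT, FLOODED_LINK TEXT, Src_IP TEXT);
        CREATE TABLE PROBABLE_TARGETS (PK INTEGER PRIMARY KEY, Cycle INT, FLOODED_LINK TEXT, NodeID TEXT);
    """)
    for cycle, link, sources, nodes in events:  # one insert batch per congestion event
        db.executemany(
            "INSERT INTO PROBABLE_BOTS (Cycle, FLOODED_LINK, Src_IP) VALUES (?,?,?)",
            [(cycle, link, ip) for ip in sources])
        db.executemany(
            "INSERT INTO PROBABLE_TARGETS (Cycle, FLOODED_LINK, NodeID) VALUES (?,?,?)",
            [(cycle, link, n) for n in nodes])
    return db

def bot_strengths(db):
    """e -> * : the query from the slide."""
    return dict(db.execute(
        "SELECT Src_IP, count(PK) AS strength FROM PROBABLE_BOTS GROUP BY Src_IP"))

def target_strengths(db):
    """* -> n : the query from the slide."""
    return dict(db.execute(
        "SELECT NodeID, count(PK) AS strength FROM PROBABLE_TARGETS GROUP BY NodeID"))

def pair_strengths(db):
    """e -> n : assumed form of the elided join (same flooded link, same cycle)."""
    rows = db.execute("""
        SELECT b.Src_IP, t.NodeID, count(*) AS strength
        FROM PROBABLE_BOTS b
        INNER JOIN PROBABLE_TARGETS t
                ON b.FLOODED_LINK = t.FLOODED_LINK AND b.Cycle = t.Cycle
        GROUP BY b.Src_IP, t.NodeID""")
    return {(ip, node): s for ip, node, s in rows}

# Constructed sample: two persistent sources keep hitting n5 over three cycles,
# while benign sources and collateral nodes each appear once.
EVENTS = [
    (0, "L1", ["10.0.0.1", "10.0.0.2", "192.0.2.7"], ["n5", "n6"]),
    (1, "L2", ["10.0.0.1", "10.0.0.2", "198.51.100.9"], ["n5", "n7"]),
    (2, "L3", ["10.0.0.1", "10.0.0.2"], ["n5"]),
]

if __name__ == "__main__":
    db = build_db(EVENTS)
    for name, s in sorted(bot_strengths(db).items(), key=lambda kv: -kv[1]):
        print(name, s)
```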

Simulations / Setup

We evaluate:
1. Effectiveness of attacker's bot/target obfuscation attempts (L/R specificity)
   1. Attack using some of the bots only.
   2. Attack more than one target.
   3. Also: Natural re-homing of legit flows.
2. The role of the topology.
   - 50 real ISP topologies (Internet Topology-Zoo).
   - Scenario: cut off an ISP POP from the Internet.

Results I: Obfuscation Effects

Easier to obfuscate the target than the bots

[Figure (a): bot exposure, $\Delta s = E[s_{bots}] - E[s_{benign}]$ for $\epsilon \xrightarrow{s} \star$ relations, versus time step t; curves for 20%, 60%, 80%, 100%.]

(a) L-specificity (ε → ⋆ relations): Probabilistic bot participation to an attack. % → allowed bot re-use.

[Figure (b): target exposure, $\Delta s = E[s_{target\ node}] - E[s_{benign}]$ for $\star \xrightarrow{s} n$ relations, versus time step t; curves for 20%, 60%, 80%, 100%.]

(b) R-specificity (⋆ → n relations): Effects of attacking random nodes. % is the flow rehome_ratio.

Results II: Topological Effects

Decentralized topologies (i.e., not star-like): easier to attack, easier to detect.

[Figure: bot exposure after 20 cycles (Δs) and average shortest path length (Avg. SPL), plotted per topology.]

Figure: Effect of topology on the specificity of the ε → ⋆ relations. Strong correlation to the average-shortest-path-length (avg. SPL) topology metric.

Summary

- Introduced a novel framework for studying stealthy DDoS link-flooding attacks.
  - Goal: Facilitate detection of susceptible bots and targets.
- Use relational algebra to formulate bots → target relations.
  - Benefit: Ease & scalability of implementation (SQL).
- Entry point: the TE process.
  - Use same inputs, leave TE load-balancing objective untouched.
- Detection-optimal mapping of flows-to-paths.
  - Key-idea: keep probable bots and targets on separate paths, punish persistence.

Outlook

Build upon the analytical framework:
- Express Attack/Defense strategies (Game-theory).
- Quantify the vulnerability of a given topology as a metric.

Distribute the defense scheme as an SDN security app.
- FRESCO framework.
  Shin, Seungwon, et al. FRESCO: Modular Composable Security Services for Software-Defined Networks. NDSS. 2013.

Thank you!

JAVA Simulator available at:
http://users.ics.forth.gr/~liaskos/#PUBLICATIONS

References

[1] The DDoS That Almost Broke The Internet, (2014), http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet.
[2] Kang M. et al., The Crossfire Attack, Proc. of Security & Privacy (SP'13).
[3] Studer A. et al., The Coremelt Attack, Proc. of ESORICS'09.
