The Role of Indirection and Diffusion in DDoS Defense
Presentation Transcript
The Role of Indirection and Diffusion in DDoS Defense

Angelos D. Keromytis

Network Security Lab

Computer Science Department, Columbia University


Capacity and Path Diversity

  • DDoS seems to be largely a “last-3-hops” problem

    • Informal survey of ISPs shows 20-40Gbps per POP

    • Many redundant paths (some are better than the route-converged path!)

  • Similar characteristics likely to hold for any future “Internet”

    • Unless we abandon statistical mux model and adopt single-authority/ISP (think phone network)

    • FiOS or similar network upgrades unlikely to significantly change the situation (wireless may make things worse!)

  • Must be intelligent about traffic monitoring/admission/handling

  • Intelligence inside the network is hard to come by

[Figure: technology trend chart. Axes: increasing preference for SW restriction to control plane; increasing SW service deployment times; more nodes; increasing traffic aggregation; decreasing cycles/bps. Data points: POTS/ISDN, T1, 10M Ethernet, OC3, OC12, OC192.]


Indirection and Diffusion

  • Send the traffic to the intelligence

    • Put the intelligence where you can (technology, cost/benefit, deployment limitations)

    • Intelligence can be pretty invasive, e.g., full-blown authentication, payment, CAPTCHA, attestation ...

  • Intelligence must not be point of vulnerability

    • Scalable, distributed, restricted interface (attack surface)

    • But: an easier proposition than doing the same at line speeds inside the network

    • Diffusion helps to eliminate single-failure points

      • Challenges: interference, sensing, knowledge, guarantees?

  • Intelligence must be efficient

    • Performance, reliability, low-cost (shared & on-demand?)

  • Transparent vs. explicit intelligence/indirection

  • Complement intelligence with simple in-network mechanisms

    • Routing, limited filtering abilities, deflections, ???

    • Use what you can, where it makes sense (to paraphrase e2e)



SOS/WebSOS [SIGCOMM2002, CCS2003]



Diffusion [CCS2005]


Local Perimeter Establishment [IAMCOM2007]

  • Limited-scope PushBack (inside home ISP only)

    • Much simpler trust issues, pay-per-use possibility [ACNS2004]

  • RSVP might do the trick, too...



MOVE [NDSS2005]





New Attack: “Stalker” Attack



New Attack: Sweeping Attack


Latency with Diffusion

[Figure: End-to-End Latency with Client Packet Replication. Series: Overlay / Direct; x-axis: Client Packet Replication.]


Resilience & Latency

[Figure: End-to-End Latency vs Node Failure. Series: No Repl., 1.5x, 2x, 3x replication.]


Resilience & Throughput

[Figure: Throughput vs Node Failure. y-axis: KB/Sec; x-axis: % Node Failure.]
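The diffusion idea from the "Indirection and Diffusion" slide, and the replication-vs-node-failure trade-off behind the latency and throughput plots, as an added toy model that is not code from the talk or from the SOS/WebSOS projects. It assumes a constructed four-node overlay, that the client spreads each packet's copies over distinct overlay nodes round-robin, that a packet is delivered if any chosen node is alive, and that its latency is that of the fastest surviving copy.

```python
"""Toy model of a diffusion overlay with client packet replication."""
from math import floor

# Constructed overlay: (node name, one-way latency in ms through that node)
OVERLAY = [("a", 20), ("b", 35), ("c", 50), ("d", 65)]


def copies_for(packet_idx: int, repl: float) -> int:
    """Fractional factors alternate: 1.5x sends 1 copy, then 2, then 1 ..."""
    base = floor(repl)
    extra = 1 if (repl > base and packet_idx % 2 == 1) else 0
    return base + extra


def choose_nodes(packet_idx: int, copies: int, n_nodes: int) -> list[int]:
    """Round-robin spread of copies over the overlay (copies <= n_nodes)."""
    start = (packet_idx * copies) % n_nodes
    return [(start + j) % n_nodes for j in range(copies)]


def simulate(overlay, failed: set[int], repl: float, n_packets: int) -> dict:
    """Return delivery rate, mean latency of delivered packets (fastest
    surviving copy), and bandwidth cost (copies sent per packet)."""
    delivered, total_latency, sent = 0, 0, 0
    for i in range(n_packets):
        chosen = choose_nodes(i, copies_for(i, repl), len(overlay))
        sent += len(chosen)
        alive = [overlay[n][1] for n in chosen if n not in failed]
        if alive:  # diffusion: one surviving copy is enough
            delivered += 1
            total_latency += min(alive)
    return {
        "delivery_rate": delivered / n_packets,
        "mean_latency_ms": total_latency / delivered if delivered else None,
        "bandwidth_cost": sent / n_packets,
    }


if __name__ == "__main__":
    # Two of four overlay nodes knocked out (constructed failure scenario).
    for repl in (1, 1.5, 2, 3):
        print(f"{repl}x:", simulate(OVERLAY, {0, 2}, repl, 4))
```

Raising the replication factor pushes delivery back toward 100% and lowers latency (the fastest copy wins) at the cost of proportionally more client bandwidth, which is the trade-off the plots above measure.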

