The Role of Indirection and Diffusion in DDoS Defense

Angelos D. Keromytis

Network Security Lab

Computer Science Department, Columbia University

Capacity and Path Diversity
  • DDoS seems to be largely a “last-3-hops” problem
    • Informal survey of ISPs shows 20-40Gbps per POP
    • Many redundant paths (some are better than the route-converged path!)
  • Similar characteristics likely to hold for any future “Internet”
    • Unless we abandon statistical mux model and adopt single-authority/ISP (think phone network)
    • FiOS or similar network upgrades unlikely to significantly change the situation (wireless may make things worse!)
  • Must be intelligent about traffic monitoring/admission/handling
  • Intelligence inside the network is hard to come by

[Figure: network technology trend chart. Vertical axis: increasing preference for SW restriction to the control plane; horizontal axis: increasing SW service deployment times. Points plotted along link generations POTS/ISDN, T1, 10M Ethernet, OC3, OC12, OC192. Annotations along the trend: more nodes, increasing traffic aggregation, decreasing cycles/bps.]

Indirection and Diffusion
  • Send the traffic to the intelligence
    • Put the intelligence where you can (technology, cost/benefit, deployment limitations)
    • Intelligence can be pretty invasive, e.g., full-blown authentication, payment, CAPTCHA, attestation ...
  • Intelligence must not be a point of vulnerability
    • Scalable, distributed, restricted interface (attack surface)
    • But: an easier proposition than doing the same at line speed inside the network
    • Diffusion helps to eliminate single points of failure
      • Challenges: interference, sensing, knowledge, guarantees?
  • Intelligence must be efficient
    • Performance, reliability, low cost (shared & on-demand?)
  • Transparent vs. explicit intelligence/indirection
  • Complement intelligence with simple in-network mechanisms
    • Routing, limited filtering abilities, deflections, ???
    • Use what you can, where it makes sense (to paraphrase e2e)
Local Perimeter Establishment [IAMCOM2007]
  • Limited-scope PushBack (inside home ISP only)
    • Much simpler trust issues, pay-per-use possibility [ACNS2004]
  • RSVP might do the trick, too...
Latency with Diffusion
[Figure: End-to-End Latency with Client Packet Replication. Axes: Overlay / Direct (latency), Client Packet Replication (factor).]
Resilience & Latency
[Figure: End-to-End Latency vs Node Failure, one series per replication level: No Repl., 1.5x, 2x, 3x.]

Resilience & Throughput
[Figure: Throughput vs Node Failure. Y-axis: KB/Sec; x-axis: % Node Failure.]
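Client packet replication across a diffusion overlay, as an added simulation (not code from the slides, and not the measurement setup behind the latency and throughput plots above): the client sends each packet to k distinct overlay nodes and the packet is delivered if any one of them is still alive. It illustrates the "diffusion helps to eliminate single points of failure" point from the Indirection and Diffusion slide and the replication levels (No Repl., 1.5x, 2x, 3x) used in the resilience slides. The overlay size, the failure model (a fixed fraction of nodes dead, chosen at random) and the reading of 1.5x as alternating 1 and 2 copies per packet are assumptions made for the example.

```python
"""Client packet replication over a diffusion overlay: a small simulation.

Added illustrative example, not code from the slides. One packet stream is
sent through an overlay of indirection nodes; each packet goes to k distinct
nodes chosen at random ("k x replication") and is delivered if any chosen
node is alive. Assumption: a fractional factor such as 1.5x alternates
between 1 and 2 copies per packet.
"""
from math import comb
import random


def copies_for_packet(seq: int, factor: float) -> int:
    """Number of copies of packet `seq` under a (possibly fractional) factor.

    Fractional factors are spread evenly over sequence numbers, so 1.5x sends
    1, 2, 1, 2, ... copies and averages 1.5 copies per packet.
    """
    if factor < 1:
        raise ValueError("replication factor must be >= 1")
    base = int(factor)
    frac = factor - base
    extra = int((seq + 1) * frac) - int(seq * frac)
    return base + extra


def delivery_probability(n_nodes: int, n_failed: int, k: int) -> float:
    """Exact probability that at least one of k distinct random nodes is alive."""
    k = min(k, n_nodes)
    if k > n_failed:
        return 1.0  # more copies than dead nodes: one must land on a live node
    return 1.0 - comb(n_failed, k) / comb(n_nodes, k)


def simulate(n_packets: int, n_nodes: int, failure_fraction: float,
             factor: float, seed: int = 1) -> dict:
    """Send n_packets through an overlay with a fixed fraction of dead nodes.

    Returns the observed delivery rate, the exact expected rate for
    comparison, and the average copies per packet (the bandwidth cost that
    diffusion trades for resilience).
    """
    rng = random.Random(seed)
    n_failed = round(n_nodes * failure_fraction)
    failed = set(rng.sample(range(n_nodes), n_failed))  # constructed failure set

    delivered = 0
    copies_sent = 0
    expected = 0.0
    for seq in range(n_packets):
        k = min(copies_for_packet(seq, factor), n_nodes)
        targets = rng.sample(range(n_nodes), k)  # k distinct overlay nodes
        copies_sent += k
        expected += delivery_probability(n_nodes, n_failed, k)
        if any(t not in failed for t in targets):
            delivered += 1
    return {
        "delivery_rate": delivered / n_packets,
        "expected_rate": expected / n_packets,
        "copies_per_packet": copies_sent / n_packets,
    }


if __name__ == "__main__":
    # Sweep the replication levels from the slides against node failure rates.
    for factor in (1.0, 1.5, 2.0, 3.0):
        for f in (0.0, 0.1, 0.3, 0.5):
            r = simulate(20000, 100, f, factor)
            print(f"{factor:>3}x  fail={f:.1f}  delivered={r['delivery_rate']:.3f} "
                  f"(expected {r['expected_rate']:.3f})  "
                  f"copies/pkt={r['copies_per_packet']:.2f}")
```

Running the module prints, for each replication level, the delivered fraction at 0%, 10%, 30% and 50% node failure next to the exact value from `delivery_probability`, and the copies sent per packet. The bandwidth column is the cost side of the trade-off: 3x replication keeps delivery near 97% with 30% of the overlay dead, but triples the client's upstream traffic, which is the effect the latency and throughput plots measure.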
