1 / 42

Extensible Security Services on the CROSS/Linux Programmable Router

Extensible Security Services on the CROSS/Linux Programmable Router. David K. Y. Yau Department of Computer Sciences Purdue University yau@cs.purdue.edu. Motivations. Internet is an open and democratic environment increasingly used for mission-critical work

walter
Download Presentation

Extensible Security Services on the CROSS/Linux Programmable Router

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Extensible Security Services on the CROSS/Linux Programmable Router David K. Y. Yau Department of Computer Sciences Purdue University yau@cs.purdue.edu

  2. Motivations • Internet is an open and democratic environment • increasingly used for mission-critical work • Many security threats are present or appearing • need effective and flexible defenses to detect/trace/counter attacks • protect innocent users, prosecute criminals

  3. Routing Infrastructure • Router software critical to network health • patches for security bugs • new defenses against new attacks • Scalable distribution of router software to many routing points • minimal disruptions to existing services • little human intervention • Exploit software-programmable router technology (CROSS platform)

  4. Existing Networks ISP server router: simple forwarding client

  5. Denial-of-service defense router: processing + forwarding Intelligent congestion control CROSS Network Architecture Web code server ISP client

  6. dispatch send subscribe Cut- through Per-flow processing Active packet Cross Forwarding Paths Function dispatcher Input queues Resource allocation manager Output network queues Packet classifier

  7. Example Security Problem: Network Denial-of-service Attacks • Some attacks quite subtle • at routing infrastructure, malicious dropping of packets, etc • securing protocols and intrusion detection • Others by brute force: flooding attacks • cripples victim; precludes any sophisticated defense at point under attack • viewed as resource management problem

  8. Flooding Attack Server

  9. Server-centric Router Throttle • Installed by server when under stress, at a set deployment routers • can be sent by multicast • Specifies leaky bucket rate at which router can forward traffic to the server • aggressive traffic for server dropped before reaching server • rate determined by a control algorithm

  10. Securely installed by S Throttle for S Throttle for S’ To S’ Router Throttle Aggressive flow To S Deployment router

  11. Key Design Problems • Resource allocation: who is entitled to what? • need to keep server operating within load limits • notion of fairness, and how to achieve it? • Need global, rather than router-local, fairness • How to respond to network and user dynamics? • Feedback control strategy needed

  12. What is being fair? • Baseline approach of dropping a fraction f of traffic for each flow won’t work well • a flow can cause more damage to other flows simply by being more aggressive! • Rather, no flow should get a higher rate than another flow that has unmet demands • this way, we penalize aggressive flows only, but protect the well-behaving ones

  13. Level-k Deployment Points • Deployment points parameterized by an integer k • R(k) -- set of routers that are either k hops away from server S or less than k hops away from S but are directly connected to a host • Fairness across global routing points R(k)

  14. Level-3 Deployment Server

  15. Feedback Control Strategy • Hysteresis control • high and low water marks for server load, to strengthen or relax router throttle • Additive increase/multiplicative decrease rate adjustment • increases when server load exceeds US, and decreases when server load falls below LS • throttle removed when a relaxed rate does not result in significant server load increase

  16. Fairness Definition • A resource control algorithm achieves level-k max-min fairness among the routers R(k) if the allowed forwarding rate of traffic for S at each router is the router’s max-min fair share of some rate r satisfying LS r US

  17. Fair Throttle Algorithm

  18. 18.23 6.65 24.88 6.25 0.22 0.22 14.1 15.51 0.01 59.9 6.25 17.73 6.25 1.40 17.73 20.53 0.61 0.95 0.61 0.95 Example Max-min Rates (L=18, H=22) Server

  19. Interesting Questions • Can we preferentially drop attacker traffic over good user traffic? • Can we successfully keep server operating within design limits, so that good user traffic that makes it gets acceptable service? • How stable is such a control algorithm? How does it converge?

  20. Algorithm Evaluation • Control-theoretic analysis • algorithm stability and convergence under different system parameters • Packet network simulations • good user protection under both UDP and TCP traffic • System implementation • deployment costs

  21. Control-theoretic Model

  22. Throttle Rate (L=900; U=1100)

  23. Server Load (L = 900; U = 1100)

  24. Throttle Rate (U = 1100)

  25. Server Load (U = 1100)

  26. Throttle Rate (L=1050;U=1100)

  27. Server Load (L=1050; U=1100)

  28. UDP Simulation Experiments • Global network topology reconstructed from real traceroute data • AT&T Internet mapping project: 709,310 traceroute paths, single source to 103,402 other destinations • randomly select 5,000 paths, with 135,821 nodes of which 3879 are hosts • Randomly select x% of hosts to be attackers • good users send at rate [0,r], attackers at rate [0,R]

  29. 20% Evenly Distributed Aggressive (10:1) Attackers

  30. 40% Evenly Distributed Aggressive (5:1) Attackers

  31. Evenly Distributed “meek” Attackers

  32. Deployment Extent

  33. TCP Simulation Experiment • Clients access web server via HTTP 1.0 over TCP Reno • Simulated network subset of AT&T traceroute topology • 85 hosts, 20% attackers • Web clients make request probabilistically with empirical document size and inter-request time distributions

  34. Web Server Protection

  35. Web Server Traffic Control

  36. System Implementation • On CROSS/Linux router • as Click element kernel service (loadable kernel module) • code can be remotely downloaded through anetd daemon • Deployment platform • Pentium III/864 MHz PC • multiple 10/100 Mb/s ethernet interfaces

  37. Module Load Overhead

  38. Memory and Delay Results • Memory overhead • 7.5 bytes of memory per throttle • Delay through throttle element about 200 ns • independent of number of throttles installed

  39. Throughput Result

  40. Future Work • Offered load-aware control algorithm for computing throttle rate • impact on convergence and stability • Policy-based notion of fairness • heterogeneous network regions, by size, susceptibility to attacks, tariff payment • Selective deployment issues • Impact on real user applications

  41. Conclusions • Extensible routers can help improve network health • Presented a server-centric router throttle mechanism for DDoS flooding attacks • can better protect good user traffic from aggressive attacker traffic • can keep server operational under an ongoing attack • has efficient implementation

  42. Acknowledgements • CROSS Implementation • Prem Gopalan, Seung Chul Han, Xuxian Jiang, Puneet Zaroo • Funding has been provided by • NSF, CERIAS, Purdue Research Foundation

More Related