DDoS: Defense by Offense 1
DDoS Defense by Offense
Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker, SIGCOMM ‘06
Presented by Nikki Benecke, Nov. 7th, 2006, for CS577
Outline
• Introduction
• Design
• Implementation
• Evaluation
• Concerns
• Conclusions
Introduction
Basic Idea
• Defense against application-level DDoS attacks
– A way of dealing with the attack as it occurs, not a prevention scheme
Application-level attacks
• Attacker sends proper-looking requests to waste the server’s resources
• Overwhelms the server, not the access links
• Cheaper than link-level attacks (for the attacker)
• Attack traffic is harder to identify
Application-level attacks
Current defenses focus on slowing down attackers/stopping the attack.
But good clients are totally drowned out in these defense systems – the authors say it’s time for them to speak up.
3 Types of Defenses
• Overprovision computation resources massively
• Detect and block attackers
• Charge all clients a currency
Speak-up
• It’s a currency-based defense that uses bandwidth as the currency
– Claim: attackers use most of their available bandwidth during attacks, victims don’t
– Use encouragement to make victims send more traffic so they are better represented at the server
Two conditions to make it work…
• Adequate Link Bandwidth: there must be enough spare bandwidth to allow for speak-up inflated traffic
• Adequate Client Bandwidth: the aggregate bandwidth of all good clients must be on the same order as the attackers’
Three conditions where it wins…
• No predefined clientele: Makes filtering impossible, so use speak-up.
• Non-human clientele: Makes “human” tests (type in the word, etc) impossible, so use speak-up.
• Unequal requests, spoofing, or smart bots: there is no method for dealing with the first, and the usual methods can’t handle the other two… so use speak-up!!!
Design
Design Goal
Allocate resources to competing clients in proportion to bandwidth
[math]
3 Required Mechanisms
1. A way to limit the total requests reaching the server to its maximum capacity, c
2. A mechanism to reveal available bandwidth / provide encouragement
3. A proportional allocation mechanism – admit clients in proportion to delivered bandwidth
Hence the thinner: a front end placed in front of the server that implements these three mechanisms.
Explicit Payment Channel
Thinner wants to pad client traffic with dummy bytes, but how many should we pad with?
We don’t want to need to know that information!
Explicit Payment Channel
• When server is overloaded, thinner asks clients to open separate payment channels
• Client sends bytes on this channel, becomes a contender
• Thinner tracks how much each contender sends
• When server is free, thinner admits the highest bidder and closes the channel
Heterogeneous requests
Charging the same amount for unequal requests gives an unfair advantage to the attacker
So charge per “chunk” instead of per request
Heterogeneous requests
Instead of closing the bid channel after accepting a client, keep it open until the request is served
Every unit of service time, reopen the auction
Heterogeneous requests
1. At time t, v is the active connection and u is the highest contender
2. If u > v: SUSPEND v, ADMIT (RESUME) u
3. If v > u: let v continue sending, but reset its payment counter for time t+1
4. ABORT requests that have been suspended too long
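As an added example (not code from the paper or these slides), a toy Python simulation of the thinner’s auction described above: every client keeps paying bytes into its payment channel, the highest contender is admitted, an active request is suspended when it is outbid, and a request suspended too long is aborted. It also reproduces the shape of the varied-bandwidth experiment from the evaluation (five categories of ten clients, bandwidth proportional to the category index) to check that service comes out roughly in proportion to bandwidth; the discrete ticks, the byte amounts and the one-service-unit-per-tick server are assumptions of the model.

```python
import random
from collections import defaultdict

def speakup_auction(clients, ticks, units_per_request=1, max_suspend=10, seed=7):
    """Toy model of the thinner's payment-channel auction (constructed example).
    clients maps a client name to the bytes per tick it pushes onto its payment
    channel (its bandwidth); the server serves one service unit per tick.
    Returns (units_served, requests_done, requests_aborted) dicts by client."""
    rng = random.Random(seed)
    paid = {c: 0 for c in clients}                        # payment counters
    remaining = {c: units_per_request for c in clients}   # units left on current request
    suspended_at = {}                                     # client -> tick it was SUSPENDED
    units, done, aborted = defaultdict(int), defaultdict(int), defaultdict(int)
    active = None                                         # v: the connection being served
    for t in range(ticks):
        for c, bw in clients.items():                     # every contender keeps paying
            paid[c] += bw
        # u: highest contender other than v; ties are broken at random
        u = max((c for c in clients if c != active),
                key=lambda c: (paid[c], rng.random()), default=None)
        if u is not None and (active is None or paid[u] > paid[active]):
            if active is not None:                        # u outbid v: SUSPEND v but
                suspended_at[active] = t                  # keep v's partial progress
            active = u                                    # ADMIT (or RESUME) u
            suspended_at.pop(u, None)
        paid[active] = 0          # the winner's bytes bought this unit; counter reset for t+1
        units[active] += 1
        remaining[active] -= 1
        if remaining[active] == 0:                        # request fully served
            done[active] += 1
            remaining[active] = units_per_request
            active = None
        for c, since in list(suspended_at.items()):       # ABORT if suspended too long
            if t - since >= max_suspend:
                aborted[c] += 1
                remaining[c] = units_per_request          # partial progress is lost
                del suspended_at[c]
    return ({c: units[c] for c in clients}, {c: done[c] for c in clients},
            {c: aborted[c] for c in clients})

def heterogeneous_bandwidth_demo(ticks=15000):
    """Mirror the slides' varied-bandwidth setup: 5 categories of 10 clients,
    category i having bandwidth proportional to i. Returns units served per category."""
    clients = {f"cat{i}_{k}": i for i in range(1, 6) for k in range(10)}
    units, _, _ = speakup_auction(clients, ticks)
    totals = defaultdict(int)
    for name, n in units.items():
        totals[int(name[3])] += n
    return dict(totals)

if __name__ == "__main__":
    for cat, n in sorted(heterogeneous_bandwidth_demo().items()):
        print(f"category {cat}: {n} units, ideal {cat * 1000}")  # ideal share is i/15 of 15000
```

With a short suspension limit the low-bandwidth client in a two-client run never completes a multi-unit request (it is suspended after every unit and then aborted), which is the ABORT path in step 4; with a generous limit it finishes.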
Implementation
Implementation
• Clients send requests as a Poisson process, with a limited window w of open requests
• Deterministic service time (all requests equal)
• Bad clients send faster and have bigger windows
• Good client: request rate = 2, w = 1
• Bad client: request rate = 40, w = 20
Implementation
• Max. number of clients limited to 50 by the testbed
• Small scale for representing a DDoS
• However, they think it’ll still work on a larger scale
Evaluation
Evaluation
• Validating the thinner’s allocation
• Latency and byte cost
• Adversarial advantage
• Heterogeneous network conditions
• Good and bad clients sharing bottlenecks
• Impact of speak-up on other traffic
Validating the thinner’s allocation
Question 1: Do groups get service in proportion to bandwidth?
Setup: 50 clients over a 100 Mb/s LAN
Each gets 2 Mb/s
c = 100 req/s
Vary f, the fraction of good clients
(Figure slide: Validating the thinner’s allocation)
Validating the thinner’s allocation
• Speak-up defended clients are always a little behind ideal
– Gaming
• Always fare better than undefended
Validating the thinner’s allocation
Question 2: What happens when we vary the capacity of the server?
Setup: 25 good clients, 25 bad clients
c_id = 100
c = 50, 100, 200
(Two figure slides: Validating the thinner’s allocation)
Validating the thinner’s allocation
• Good clients do best when the server has ability to process all requests (i.e., large c)
• Service proportional to bandwidth even when server can’t process all requests
Latency cost
• Same setup as the last experiment
• Measures the length of time clients spend uploading dummy bytes
(Figure slide: Latency cost)
Latency cost
• With a large c, the cost isn’t very high
• Even with a small c, the worst added delay is 1 s
– Pretty bad, but not as bad as getting no service during an attack, right?
Byte Cost
• Still the same setup
• Measure the average number of bytes uploaded for served requests
(Figure slide: Byte Cost)
Byte Cost
• Bad clients do end up paying more than good clients
– But do they pay significantly more?
Heterogeneous Network Conditions
• First, look at varied bandwidth
• 5 client categories, 10 clients in each category
• Bandwidth for category i = 0.5i Mbps (1 <= i <= 5)
• All clients are good clients
• c = 10
(Figure slide: Heterogeneous Network Conditions, varied bandwidth)
Heterogeneous Network Conditions
• Roughly proportional to bandwidth of clients
• Close to ideal
Heterogeneous Network Conditions
• Now look at the effect of varied RTT
• 5 client categories, with 10 clients in each
• RTT for category i = 100i ms (1 <= i <= 5)
• Bandwidth per client = 2 Mbps
• c = 10
• Run with all good or all bad clients
(Figure slide: Heterogeneous Network Conditions, varied RTT)
Heterogeneous Network Conditions
• Good clients with long RTTs do worse than any bad clients
• “Effect is limited”
– No one gets > 2 × ideal
– No one gets < 1/2 × ideal
Good and Bad Sharing a Bottleneck
• 30 clients, each with 2 Mbps, connect to the thinner through link l
• l’s bandwidth = 40 Mbps
• 10 good, 10 bad clients, each with 2 Mbps, connect directly to the thinner
• c = 50 req/s
• Vary the number of good/bad clients behind l
(Figure slide: Good and Bad Sharing a Bottleneck)
Good and Bad Sharing a Bottleneck
• Clients behind l capture half of the server’s capacity
• Good clients behind l suffer somewhat, especially with a greater number of bad clients
• The effect on good clients is greater when the bottleneck is smaller
Impact of speak-up on other traffic
• Bottleneck, m, shared between speak-up clients and a TCP endpoint, H
• Run with H as a sender: m is shared fairly
• Run with H as a receiver: H’s ACKs will get lost and H’s requests will be delayed
Impact of speak-up on other traffic
• Experimented specifically with H as a receiver
• 10 good speak-up clients, 1 HTTP client downloading with wget
• m = 1 Mbps, rest = 2 Mbps
• c = 2
(Figure slide: Impact of speak-up on other traffic)
Impact of speak-up on other traffic
• Huge impact on H
• “Pessimistic” result according to the authors
• Only happens during an attack, might be worth it to help “defend the Internet”
Concerns
Concerns/Cautions/Objections
• Does speak-up hurt small sites?
– Yes, for current-sized botnets
– But this might get better with smaller botnets
• Does speak-up hurt the whole Internet?
– Not really
– Only for servers under attack
– Core overprovisioning dampens the effect
– Congestion control will keep speak-up under control
Concerns/Cautions/Objections
• Bandwidth envy
– Only “more better off” during attacks
– ISPs could offer high-bandwidth proxies to low-bandwidth clients
• Variable bandwidth costs
– Again, offer a high-bandwidth proxy
– Or let customers decide whether or not to bid
Concerns/Cautions/Objections
• Incentives for ISPs
– The basic goodness of society will protect us!!!
• Solving the wrong problem
– Cleaning up botnets is good, but we need to do something in the meantime
• Flash crowds
– Reasonable to treat them as attacks
– Wouldn’t affect low-bandwidth sites in the first place
Conclusions
Conclusions
• Not sure who wants/needs speak-up
– Survey to find out
• Speak-up does what it proposes to do
Conclusions
• Main advantages
– Network elements don’t need to change
– Only need to modify servers and add thinners
• Main disadvantages
– Everyone floods, so it is harder to detect bad clients
– Hurts edge networks
– Rendered useless if access links to the thinner are saturated
My Questions
• Are speak-up’s assumptions reasonable?
Questions?