Post on 26-Sep-2020

0 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: DDoS Defense for a Community of Peers...All trademarks, service marks, trade names, trade dress, product names, and logos appearing in these slides are the property of their respective

Jem Berkes (Project PI) and Adam Wick (Transition Lead)

DDoS Defense for a Community of Peers

Page 2

About DDoS

Page 3

© 2016 Galois, Inc.

A DDoS Attack

Page 4

[Chart: Peak Attack Size in Gbps per year, 2004 through 2016; y-axis 0 to 1200 Gbps]

Source data: Arbor Networks Worldwide Infrastructure Security Report, and recent media reports

Page 5

When DDoS Becomes a Problem ...

[Chart: Network Capacities (Gbps), x-axis 250 to 1000 Gbps; bars for Med. Organization, ISP, Internet Exchange, Internet Backbone and DDoS Attack; one bar marked "Critical bottleneck"]

Presenter notes: The Internet has bottlenecks: internet exchanges, regional routing. The aggregate or world-wide capacity is NOT the issue!
Page 6

Current Attacks Now Exceed Bottlenecks
• Mirai / IoT botnets
• Enormous increase from 500 Gbps to 1,200+ Gbps
• Can’t stop this alone
  • Tier 1 ISPs
  • Cloud providers – not immune
• Aggregate, world-wide capacity is not the issue

Page 7

Networks Must Collaborate
• Effective defense requires collaboration between networks
• Must stop traffic closer to sources
• Automate response/coordination under attack stress

We’re creating a tool to do this – 3DCoP

Page 8

Handling DDoS with 3DCoP

Page 9

Flow representation of traffic

[Diagram: a stream of IP packets on the left, a flow table on the right]

Packets:
• Big
• Packet bodies

Flows:
• Compact summary
• NetFlow, IPFIX

SRCIP  SPORT  DSTIP  DPORT  PROTO  COUNT
…      …      …      …      …      …
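As an added illustration of the packet-to-flow compaction this slide describes (example code written for this transcript, not Galois' 3DCoP code): the packet stream, the RFC 5737 documentation addresses and the `amplification` helper are all constructed here. The amplification-ratio check goes one step beyond the slide by showing that the byte counters in a flow record are already enough to recognise a reflector, without ever looking at a packet body.

```python
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "src sport dst dport proto length")
# Column order follows the slide: SRCIP SPORT DSTIP DPORT PROTO
FlowKey = namedtuple("FlowKey", "src sport dst dport proto")


def aggregate(packets):
    """Collapse a packet stream into NetFlow-style unidirectional records
    keyed by the 5-tuple. Returns {FlowKey: (packet_count, byte_count)};
    the packet bodies are discarded, which is why flow data is the compact form."""
    pkts, octets = Counter(), Counter()
    for p in packets:
        key = FlowKey(p.src, p.sport, p.dst, p.dport, p.proto)
        pkts[key] += 1
        octets[key] += p.length
    return {k: (pkts[k], octets[k]) for k in pkts}


def amplification(flows, server_ip, service_port, proto=17):
    """Bytes a UDP service sent from service_port divided by bytes it received
    on that port. A large ratio is the signature of a reflection amplifier and
    can be computed from flow records alone."""
    sent = sum(b for k, (_, b) in flows.items()
               if k.src == server_ip and k.sport == service_port and k.proto == proto)
    recv = sum(b for k, (_, b) in flows.items()
               if k.dst == server_ip and k.dport == service_port and k.proto == proto)
    return sent / recv if recv else float("inf")


def render(flows):
    """Table rows in the slide's column order, largest byte count first."""
    rows = sorted(flows.items(), key=lambda kv: kv[1][1], reverse=True)
    return [f"{k.src:15} {k.sport:5} {k.dst:15} {k.dport:5} {k.proto:3} {c:6} {b:8}"
            for k, (c, b) in rows]


def sample_packets():
    """Constructed traffic (not a real capture): four small DNS queries arriving
    at server 203.0.113.53 with a source address claiming to be 198.51.100.7,
    the matching large responses, and one unrelated HTTPS exchange."""
    pkts = []
    for _ in range(4):
        pkts.append(Packet("198.51.100.7", 40001, "203.0.113.53", 53, 17, 64))
        pkts.append(Packet("203.0.113.53", 53, "198.51.100.7", 40001, 17, 3000))
    pkts.append(Packet("192.0.2.10", 51234, "203.0.113.80", 443, 6, 517))
    pkts.append(Packet("203.0.113.80", 443, "192.0.2.10", 51234, 6, 1400))
    return pkts


if __name__ == "__main__":
    flows = aggregate(sample_packets())
    print(f"{len(sample_packets())} packets -> {len(flows)} flow records")
    print("\n".join(render(flows)))
    print("DNS amplification factor:", amplification(flows, "203.0.113.53", 53))
```

Ten packets become four records, and the 3000-byte responses against 64-byte queries give an amplification factor near 47 for the DNS server, visible from the COUNT and byte columns alone.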

Page 10

Our approach
• Decentralized collaboration between networks
• Share flow information (clues) from distributed sensors via P2P
• Use clues to compute
  • Sources of attacks
  • Spoofed traffic
  • Optimal blocking

Page 11

Decentralized P2P Network
• Out-of-band P2P
  • Can operate using cell phone tethering – during attack
• IPFS: Kademlia-based DHT swarm
  • Every node has public key

Page 12

What is shared?
• Subset of flow data, classified as
  • Anomalies
  • Undesirable traffic (attacks)
  • Assertions: present or not present
• Each node pushes data
• Decide what you want to share

Page 13

Who is it shared with?
• Strict/private mode
  • Flow data only shared with owner of flow endpoint
  • Enforced with public key cryptography
• Global announcements
  • For very anomalous traffic, or attacks
• Groups/associations

Each site always controls what they share, and with whom

Page 14

Data Processing

[Diagram: Router -> Traffic -> NetFlow -> SiLK -> Analysis Pipeline -> 3DCoP Engine]

Page 15

[Diagram: 3DCoP Engine with inputs "Site policy and configuration", "P2P Network" and "SiLK flow data"]

Page 16

[Diagram: 3DCoP Engine with inputs "Site policy and configuration", "P2P Network" and "SiLK flow data"]

Callout: “I see anomalies”

Page 17

[Diagram: 3DCoP Engine with inputs "Site policy and configuration", "P2P Network" and "SiLK flow data"]

Callouts: “I see anomalies”, “You’re sending an attack”

Page 18

Engine
• State tables
  • Local anomalies, peer-reported anomalies, etc.
• Rules-based algorithm
• State iterations with real-time updates
• Automatic traffic analysis leading to actions

Page 19

Rules in the Engine

if I see anomalous outbound flows
   and others report anomalies from me
then
   increase oddness score for flows

foreach anomalous flow
   if oddness score > THRESHOLD
      and network utilization is high
      and many src_ip are sending to few dst_ip
   then
      promote anomaly to attack

Page 20

More Rules…

foreach peer-reported anomaly
   if local anomaly matches port number
   then
      // might be related attack
      if port is a known amplifier service
      then
         increase oddness score
         // we might all be part of
         // the same DDoS attack
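The rules on the two slides above, turned into one runnable state iteration. This is an added example written for this transcript, not the 3DCoP engine: the slides name THRESHOLD but give no values, so the threshold, the utilization cut-off, the "many sources" count, the amplifier-port list and the sample flows are all assumptions made here. The three rule blocks map one-to-one onto the pseudocode; the fan-in test ("many src_ip sending to few dst_ip") is computed per destination over the current set of anomalous flows.

```python
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network

Flow = namedtuple("Flow", "src sport dst dport proto count")

# Tunables. The slides name THRESHOLD but give no numbers; these are assumptions.
THRESHOLD = 2            # oddness score a flow must exceed before promotion
HIGH_UTILIZATION = 0.8   # fraction of link capacity that counts as "high"
MANY_SOURCES = 3         # distinct src_ip hitting one dst_ip counts as "many -> few"
# UDP services commonly abused for reflection/amplification (well known; not from the slides).
AMPLIFIER_PORTS = {19: "chargen", 53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP", 11211: "memcached"}


class RulesEngine:
    """Rules-based state iteration over local and peer-reported anomalies."""

    def __init__(self, my_prefix):
        self.me = ip_network(my_prefix)
        self.oddness = defaultdict(int)   # state table: Flow -> score
        self.attacks = set()              # anomalies promoted to attacks so far

    def _mine(self, ip):
        return ip_address(ip) in self.me

    def iterate(self, local_anomalies, peer_reports, utilization):
        """One pass of the slides' rules. Returns the flows promoted in this pass."""
        outbound = [f for f in local_anomalies if self._mine(f.src)]
        reported_from_me = [r for r in peer_reports if self._mine(r.src)]

        # Rule 1: my own outbound anomalies that peers also complain about get odder.
        if outbound and reported_from_me:
            for f in outbound:
                self.oddness[f] += 1

        # Rule 3 ("More Rules"): a peer-reported anomaly sharing a port with a local
        # anomaly, on a known amplifier service, suggests one shared reflection attack.
        for r in peer_reports:
            for f in local_anomalies:
                shared_ports = {f.sport, f.dport} & {r.sport, r.dport}
                if shared_ports & set(AMPLIFIER_PORTS):
                    self.oddness[f] += 1

        # Rule 2: promote only when score, link load and fan-in all say "attack".
        sources_per_dst = defaultdict(set)
        for f in local_anomalies:
            sources_per_dst[f.dst].add(f.src)
        promoted = set()
        for f in local_anomalies:
            if (self.oddness[f] > THRESHOLD
                    and utilization >= HIGH_UTILIZATION
                    and len(sources_per_dst[f.dst]) >= MANY_SOURCES):
                promoted.add(f)
        self.attacks |= promoted
        return promoted


# Constructed input (not real data): three DNS servers in 203.0.113.0/24 all
# answering toward one host, plus one unrelated outbound HTTPS anomaly.
LOCAL = [
    Flow("203.0.113.10", 53, "198.51.100.7", 40001, 17, 900000),
    Flow("203.0.113.11", 53, "198.51.100.7", 40002, 17, 870000),
    Flow("203.0.113.12", 53, "198.51.100.7", 40003, 17, 910000),
    Flow("203.0.113.20", 443, "192.0.2.5", 51000, 6, 1200),
]
# Constructed: what the network holding 198.51.100.7 reports seeing from us.
PEER_REPORTS = [
    Flow("203.0.113.10", 53, "198.51.100.7", 40001, 17, 880000),
    Flow("203.0.113.11", 53, "198.51.100.7", 40002, 17, 850000),
]


def demo(utilization=0.9):
    """Run one iteration for the network 203.0.113.0/24; returns (engine, promoted)."""
    engine = RulesEngine("203.0.113.0/24")
    return engine, engine.iterate(LOCAL, PEER_REPORTS, utilization)


if __name__ == "__main__":
    engine, promoted = demo()
    for f in LOCAL:
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport} oddness={engine.oddness[f]}"
              f" {'ATTACK' if f in promoted else 'anomaly'}")
```

With the sample input the three DNS flows reach an oddness score of 3 (one from rule 1, one per matching peer report from rule 3) and are promoted; the HTTPS flow scores 1 and stays an anomaly. Lowering utilization below the cut-off leaves the scores untouched but promotes nothing, which is the point of requiring all three conditions.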

Page 21

Example

Page 22

Demo scenario

[Diagram: networks A, B and C; links labelled 700 Mbps and 30 Mbps; one source marked "Spoofing as C"]

Page 23

Demo scenario

[Diagram: networks A, B and C; links labelled 700 Mbps and 30 Mbps; one source marked "Spoofing as C"]

Callout: “Seeing attacks from A”

Page 24

Demo scenario

[Diagram: networks A, B and C; links labelled 700 Mbps and 30 Mbps; one source marked "Spoofing as C"]

Callout: “Seeing heavy traffic from C”

Page 25

Demo scenario

[Diagram: networks A, B and C; links labelled 700 Mbps and 30 Mbps; one source marked "Spoofing as C"]

Callouts: “We didn’t send that traffic”, “Seeing heavy traffic from C”, “We didn’t send that”

Page 26

Demo scenario

[Diagram: networks A, B and C; links labelled 700 Mbps and 30 Mbps; one source marked "Spoofing as C"]

Callout: “Aha! That’s spoofed traffic”

Page 27

Demo scenario

[Diagram: networks A, B and C; one source marked "Spoofing as C"]

Block inbound

Page 28

Demo scenario

[Diagram: networks A, B and C; one source marked "Spoofing as C"]

Optimal mitigation

Page 29

Demo scenario

[Diagram: networks A, B and C; one source marked "Spoofing as C"]

Page 30

State Iterations

Network containing C (victim)

Network containing A (amplifier)

Page 31

State Iterations

Network containing C (victim)
  Inbound Attacks: A --> C

Network containing A (amplifier)
  Inbound Anomalies: C --> A
  Outbound Anomalies: A --> C

Page 32

State Iterations (same state tables as Page 31)

Page 33

State Iterations

Network containing A (amplifier)
  Inbound Anomalies: C --> A
  Outbound Attacks, Must Stop: A --> C

Network containing C (victim)
  Inbound Attacks: A --> C

Page 34

State Iterations

Network containing C (victim)
  Inbound Attacks: A --> C
  Check flow repository…

Network containing A (amplifier)
  Inbound Anomalies: C --> A
  Outbound Attacks, Must Stop: A --> C

Page 35

State Iterations

Network containing C (victim)
  Inbound Attacks: A --> C
  Someone is spoofing my IP: C --> A

Network containing A (amplifier)
  Inbound Anomalies: C --> A
  Outbound Attacks, Must Stop: A --> C
  Assertions that Peers Did Not Send: C --> A

Page 36

State Iterations

Network containing C (victim)
  Inbound Attacks: A --> C
  Someone is spoofing my IP: C --> A

Network containing A (amplifier)
  Inbound Spoofed Attacks: C --> A
  Outbound Attacks, Must Stop: A --> C
  Assertions that Peers Did Not Send: C --> A

Page 37

We’ve learned a lot!

Network containing A (amplifier)
  Inbound Spoofed Attacks: C --> A
  Outbound Attacks, Must Stop: A --> C
  Assertions that Peers Did Not Send: C --> A

Network containing C (victim)
  Inbound Attacks: A --> C
  Someone is spoofing my IP: C --> A

Page 38

We’ve learned a lot!

Vital information learned through collaboration

Network containing A (amplifier)
  Inbound Spoofed Attacks: C --> A
  Outbound Attacks, Must Stop: A --> C
  Assertions that Peers Did Not Send: C --> A

Page 39

What About Mischief and Lies?
• We have considered this
• Peers make statements about their own traffic
  • “I don’t want this traffic”
• Public key crypto ties ownership/responsibility
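The state iterations of Pages 30 to 38, the strict/private sharing mode of Page 13 and the "statements about their own traffic" rule on this page, as one added example written for this transcript (not 3DCoP code). It assumes a static prefix-ownership table standing in for the per-node public keys the slides describe, two sites named net-a and net-c, RFC 5737 documentation addresses for amplifier A and victim C, and a 100 Mbps cut-off for calling a local anomaly an attack. Each `deliver` call is one P2P round, so the state tables after each round can be compared with the slides; an assertion about traffic the sender does not own is rejected rather than acted on.

```python
from ipaddress import ip_address, ip_network

# Which peer is responsible for which addresses. 3DCoP ties this to each node's
# public key; here it is a static table (an assumption) so the example runs offline.
OWNERS = {
    "net-a": ip_network("203.0.113.0/24"),   # hosts the amplifier A
    "net-c": ip_network("198.51.100.0/24"),  # hosts the victim C
}
AMPLIFIER_A = "203.0.113.53"
VICTIM_C = "198.51.100.7"
ATTACK_MBPS = 100   # rate above which a local anomaly is already an attack (assumption)


def owner_of(ip):
    """Peer that speaks for an address, or None if nobody in the registry does."""
    for peer, prefix in OWNERS.items():
        if ip_address(ip) in prefix:
            return peer
    return None


class Node:
    """One site's engine: state tables, a flow repository and a P2P outbox.
    Flows are (src, dst, dport) tuples."""

    def __init__(self, name):
        self.name = name
        self.repo = set()     # flows this site actually emitted (stand-in for SiLK)
        self.inbound = {}     # state table: flow -> classification
        self.outbound = {}
        self.outbox = []      # (recipient, message) waiting for the P2P network

    def _share(self, flow, kind):
        # Strict/private mode: a clue about a flow goes only to the owners of its
        # endpoints, never to the swarm at large.
        src, dst, _ = flow
        for peer in {owner_of(src), owner_of(dst)} - {self.name, None}:
            self.outbox.append((peer, {"from": self.name, "type": kind, "flow": flow}))

    def observe(self, flow, direction, mbps):
        """Record a locally observed anomalous flow and share it with endpoint owners."""
        table = self.inbound if direction == "in" else self.outbound
        table[flow] = "attack" if mbps >= ATTACK_MBPS else "anomaly"
        if direction == "out":
            self.repo.add(flow)
        self._share(flow, f"{direction}bound-{table[flow]}")

    def receive(self, msg):
        """Fold a peer's clue into local state. Returns False if the message is rejected."""
        flow = msg["flow"]
        src, dst, _ = flow
        if msg["type"] == "inbound-anomaly" and owner_of(src) == self.name:
            # A peer sees traffic "from me". Check the repository; if I never sent
            # it, publish a 'not present' assertion: someone is spoofing my IP.
            if flow not in self.repo:
                self.outbound[flow] = "spoofed-as-me"
                self.outbox.append((msg["from"], {"from": self.name, "type": "did-not-send", "flow": flow}))
        elif msg["type"] == "did-not-send":
            # Peers may only make statements about their own traffic: an assertion
            # about a source address the sender does not own is dropped as mischief.
            if owner_of(src) != msg["from"]:
                return False
            if flow in self.inbound:
                self.inbound[flow] = "spoofed-attack"
            # Whatever I send back to the spoofed address is the amplified attack.
            for f in self.outbound:
                if f[0] == dst and f[1] == src:
                    self.outbound[f] = "attack-must-stop"
        elif msg["type"] == "inbound-attack" and owner_of(src) == self.name:
            self.outbound[flow] = "attack-must-stop"
        elif msg["type"] == "outbound-attack" and owner_of(dst) == self.name:
            self.inbound.setdefault(flow, "peer-reported-attack")
        return True


def deliver(nodes):
    """One P2P round: every queued message reaches its recipient."""
    pending = [m for n in nodes.values() for m in n.outbox]
    for n in nodes.values():
        n.outbox = []
    for peer, msg in pending:
        nodes[peer].receive(msg)


def mitigation(node):
    """Block-inbound actions a site can apply once spoofing is established."""
    return [f"drop inbound src {s} dst {d} dport {p}"
            for (s, d, p), cls in node.inbound.items() if cls == "spoofed-attack"]


def run_scenario():
    """The slides' demo: 30 Mbps of queries spoofed as C reach A, A reflects 700 Mbps at C."""
    nodes = {"net-a": Node("net-a"), "net-c": Node("net-c")}
    query = (VICTIM_C, AMPLIFIER_A, 53)     # spoofed requests, apparently from C
    reply = (AMPLIFIER_A, VICTIM_C, 53)     # amplified responses, A -> C
    nodes["net-a"].observe(query, "in", 30)
    nodes["net-a"].observe(reply, "out", 700)
    nodes["net-c"].observe(reply, "in", 700)
    deliver(nodes)   # round 1: anomalies cross the P2P network; C checks its repository
    deliver(nodes)   # round 2: C's assertion reaches A, which marks the inbound flow spoofed
    return nodes


if __name__ == "__main__":
    nodes = run_scenario()
    for name, node in nodes.items():
        print(name, "inbound:", node.inbound, "outbound:", node.outbound)
    print("mitigation at net-a:", mitigation(nodes["net-a"]))
```

After round 1 net-a already knows its A --> C flow must stop (C reported it as an inbound attack) and net-c has recorded that someone is spoofing its address; after round 2 net-a holds C's assertion, relabels the inbound C --> A flow as a spoofed attack and can derive the block-inbound rule, which is what the slides call optimal mitigation: drop the spoofed requests at the amplifier rather than the 700 Mbps of replies at the victim.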

Page 40

Status

Page 41

Status
• Have an early prototype
  • We are seeking pilot and evaluation partners.
• Correctly computes results with a simple attack
  • Identifies attack sources
  • Identifies spoofed traffic

Next steps
• Construct larger, more complex attack scenarios
• Develop the engine further
  • Accuracy
  • Better reasoning

Page 42

Contact Us!

Jem Berkes: [email protected]

Galois 3DCoP Team: [email protected]

We are actively seeking evaluation partners for 3DCoP. Please contact us if you’d be interested in trying 3DCoP out in your organization.

All trademarks, service marks, trade names, trade dress, product names, and logos appearing in these slides are the property of their respective owners, including in some instances Galois, Inc.

This project is the result of funding provided by the Science and Technology Directorate of the United States Department of Homeland Security under contract number D15PC00185. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Department of Homeland Security, or the U.S. Government.