on the feasibility of rerouting-based ddos defenses · nethide (meier et al.) stride (hsiao et al.)...
TRANSCRIPT
On the Feasibility of Rerouting-based DDoS
Defenses Muoi Tran, Min Suk Kang, Hsu-Chun Hsiao,
Wei-Hsuan Chiang, Shu-Po Tung, Yu-Su Wang May 2019 | San Francisco, CA
Transit-linkDDoSattack:apowerfultypeofvolumetricDDoSattack
2
Coremeltattack(ESORICS‘09)
Crossfireattack(S&P‘13)
(distributeddenialofservice)
Traditional:volumetricattacktraffictargetingendservers
Non-traditional:volumetricattacktraffictargetingtransitlinks
AS
AS
AS AS
Realincidents:
Academicstudies:
2013 2015
Handlingtransit-linkDDoSattackischallenging
AS
AS
AS
AS
AS
Indistinguishablelow-ratetraffic
Victimsareindirectlyaffected
3
Destination Source
AS
AS
AS
Transit-linkDDoSattacksstillremainanopenproblem
Coremeltattack(Studeretal.)
Crossfireattack(Kangetal.)
2009
2013
2016
2014
4
2018
RoutingAroundCongestion(Smithetal.S&P’18)
“Readilydeployablesolution"
SPIFFY(Kangetal.)
CoDefdefense(Leeetal.)
LinkScope(Xueetal.)
Partialsolutions RADAR(Zhengetal.)
NetHide(Meieretal.)
STRIDE(Hsiaoetal.)
SIBRA(Basescuetal.)
NotavailableinthecurrentInternet
Background:HowBGProutingworks?
5
{D}
BorderGatewayProtocol(BGP)
ASD ASZ ASX ASC ASY
{Z,D} {Y,Z,D} {X,Y,Z,D}
Trafficpath
BGPpropagationTrafficforwarding
SourceDestination
Nocontrolovertrafficpathbydesign
Loop-freeAS-path
RoutingAroundCongestion(RAC):ReroutingusingBGPpoisoning[Smithetal.,S&P’18]
6
ASD ASZ
ASW
ASX ASC
ASY
Goal:reroutetoavoidASW
{D,W,D}
xLoopdetected!
Criticalsource
Detourpath
BGPpoisoningmessage
Originalpath
Victimdestination
Switchtodetourpath
AScollaborationisnotneeded!
7
WillRACdefensestillworkagainstadaptiveattackers?
Futuredirectionsfortransit-linkDDoSdefenses
Practicalchallengeofmitigatingadaptivedetour-learningattack
Ourcontributions
8
Adaptivedetour-learningattackagainstreroutingsolutions
Adaptivedetour-learningattack:Threatmodel
9
Goals:(1)Todetectreroutinginreal-time(2)Tolearnnewdetourpathaccurately(3)Tocongestnewdetourpath(seethepaper)
Capabilities:-Samebotnetsusedintransit-linkDDoSattack
Victimdestination
Adaptivedetour-learningattack:(1)howtodetectreroutinginreal-time
10
ASD ASZ
ASW
ASX ASC
ASY Criticalsource
Detourpath
Originalpath
ASI traceroute
Reroutingisdetected!
Adaptiveadversary
Adaptivedetour-learningattack:(2)howtolearndetourpathaccurately
11
ASD ASY
ASG
ASC ASX
ASE ASJ
ASI
ASH
(3)congestdetourpath(seethepaper)
Challenge:Whichismoreaccurateroutemeasurementofactualdetourpath?
Victimdestination Criticalsource Solution:Prioritizemeasurementfrombotclosertotrafficsource
Detourpath closerAS(e.g.,shorterAS-path)
Results:94%oflearneddetourpathsarecorrect
Futuredirectionsfortransit-linkDDoSdefenses
Adaptivedetour-learningattackagainstreroutingsolutions
Ourcontributions
12
Practicalchallengeofmitigatingadaptivedetour-learningattack
ASI
ASJ
Howtodefendagainstdetour-learningattack?
13
Exclusivelyusedforcriticalflows
PoisonallpeersofASesondetourpath!
ASD ASZ
ASW
ASX ASC
ASY CriticalsourceVictimdestination
Detourpathmustbeisolated!
Detourlearned!
Howtoisolate?
0.8
102 103 1040
0.2
0.4
0.6
0.8
1
Detourpathisolation=>poisoningtoomanyASes
14
CDF
100100010000
NumberofASesthatshouldbepoisoned
ThousandsASesshouldbepoisoned Butwhy?
Tier-1orlargeTier-2onthedetourpaths(moreinthepaper)
0
0.2
0.4
0.6
1
0.8
102 103 1040
0.2
0.4
0.6
0.8
1
CanwepoisonthatmanyASes?
15
CDF
100100010000
NumberofASesthatshouldbepoisoned255 2034
Specificationupto2034
Implementationupto255
Configurationupto30-50
0
0.2
0.4
0.6
1
Specification
Implementation
Confirmed:ISPsdonotsupportpoisoning>255ASes
16
Numberofobserved
BGPmessages
99.99%
1 10100100030
slowlydecreaseinfrequency
50xdropinfrequency
255
NumberofASesseeninaBGPmessage16
Poisoning>1,000ASesisnearlyimpossible
=>Detourpathisolationisinfeasible=>Detour-learningattackisalmostalwayspossible
Practicalchallengeofmitigatingadaptivedetour-learningattack
Adaptivedetour-learningattackagainstreroutingsolutions
Ourcontributions
17
Futuredirectionsfortransit-linkDDoSdefenses
Desireddefenseproperty:destination-controlledrouting
18
Clean-slateInternetarchitecture
HackingBGP
e.g.,STRIDE,SIBRAe.g.,RoutingAroundCongestion
?
e.g.,explicitBGPreroutingforcriticalflowsunderemergency ✕Toocostlytodeploy✕Doesnotwork
TwoLessonsLearned
19
Lesson1
HackingthecurrentInternetroutingisaflawedidea!
20
ü Adaptiveattacksarepossible
ü Mitigationishard
ü Adaptivedefenseisslowerthanadaptiveattacker(moreinthepaper)
21
Lesson2
Analysisofprotocolspecificationsaloneisinsufficient!
22
23
Specification Implementation Configuration
Conclusion• Detour-learningattacksareeffectiveandhardtomitigate
ü Transit-linkDDoSattacksstillremainanopenproblem
• Suggestiononresearchdirectionü Balancedestination-controlledroutinganddeployability
• 2lessonslearned:ü HackingBGPforreroutingisaflawedideaü Analysiswithspecificationonlycanbedangerous
24
Question?