On the Feasibility of Rerouting-based DDoS

Defenses Muoi Tran, Min Suk Kang, Hsu-Chun Hsiao,

Wei-Hsuan Chiang, Shu-Po Tung, Yu-Su Wang May 2019 | San Francisco, CA

Transit-linkDDoSattack:apowerfultypeofvolumetricDDoSattack

2

Coremeltattack(ESORICS‘09)

Crossfireattack(S&P‘13)

(distributeddenialofservice)

Traditional:volumetricattacktraffictargetingendservers

Non-traditional:volumetricattacktraffictargetingtransitlinks

AS

AS

AS AS

Realincidents:

Academicstudies:

2013 2015

Handlingtransit-linkDDoSattackischallenging

AS

AS

AS

AS

AS

Indistinguishablelow-ratetraffic

Victimsareindirectlyaffected

3

Destination Source

AS

AS

AS

Transit-linkDDoSattacksstillremainanopenproblem

Coremeltattack(Studeretal.)

Crossfireattack(Kangetal.)

2009

2013

2016

2014

4

2018

RoutingAroundCongestion(Smithetal.S&P’18)

“Readilydeployablesolution"

SPIFFY(Kangetal.)

CoDefdefense(Leeetal.)

LinkScope(Xueetal.)

Partialsolutions RADAR(Zhengetal.)

NetHide(Meieretal.)

STRIDE(Hsiaoetal.)

SIBRA(Basescuetal.)

NotavailableinthecurrentInternet

Background:HowBGProutingworks?

5

{D}

BorderGatewayProtocol(BGP)

ASD ASZ ASX ASC ASY

{Z,D} {Y,Z,D} {X,Y,Z,D}

Trafficpath

BGPpropagationTrafficforwarding

SourceDestination

Nocontrolovertrafficpathbydesign

Loop-freeAS-path

RoutingAroundCongestion(RAC):ReroutingusingBGPpoisoning[Smithetal.,S&P’18]

6

ASD ASZ

ASW

ASX ASC

ASY

Goal:reroutetoavoidASW

{D,W,D}

xLoopdetected!

Criticalsource

Detourpath

BGPpoisoningmessage

Originalpath

Victimdestination

Switchtodetourpath

AScollaborationisnotneeded!

7

WillRACdefensestillworkagainstadaptiveattackers?

Futuredirectionsfortransit-linkDDoSdefenses

Practicalchallengeofmitigatingadaptivedetour-learningattack

Ourcontributions

8

Adaptivedetour-learningattackagainstreroutingsolutions

Adaptivedetour-learningattack:Threatmodel

9

Goals:(1)Todetectreroutinginreal-time(2)Tolearnnewdetourpathaccurately(3)Tocongestnewdetourpath(seethepaper)

Capabilities:-Samebotnetsusedintransit-linkDDoSattack

Victimdestination

Adaptivedetour-learningattack:(1)howtodetectreroutinginreal-time

10

ASD ASZ

ASW

ASX ASC

ASY Criticalsource

Detourpath

Originalpath

ASI traceroute

Reroutingisdetected!

Adaptiveadversary

Adaptivedetour-learningattack:(2)howtolearndetourpathaccurately

11

ASD ASY

ASG

ASC ASX

ASE ASJ

ASI

ASH

(3)congestdetourpath(seethepaper)

Challenge:Whichismoreaccurateroutemeasurementofactualdetourpath?

Victimdestination Criticalsource Solution:Prioritizemeasurementfrombotclosertotrafficsource

Detourpath closerAS(e.g.,shorterAS-path)

Results:94%oflearneddetourpathsarecorrect

Futuredirectionsfortransit-linkDDoSdefenses

Adaptivedetour-learningattackagainstreroutingsolutions

Ourcontributions

12

Practicalchallengeofmitigatingadaptivedetour-learningattack

ASI

ASJ

Howtodefendagainstdetour-learningattack?

13

Exclusivelyusedforcriticalflows

PoisonallpeersofASesondetourpath!

ASD ASZ

ASW

ASX ASC

ASY CriticalsourceVictimdestination

Detourpathmustbeisolated!

Detourlearned!

Howtoisolate?

0.8

102 103 1040

0.2

0.4

0.6

0.8

1

Detourpathisolation=>poisoningtoomanyASes

14

CDF

100100010000

NumberofASesthatshouldbepoisoned

ThousandsASesshouldbepoisoned Butwhy?

Tier-1orlargeTier-2onthedetourpaths(moreinthepaper)

0

0.2

0.4

0.6

1

0.8

102 103 1040

0.2

0.4

0.6

0.8

1

CanwepoisonthatmanyASes?

15

CDF

100100010000

NumberofASesthatshouldbepoisoned255 2034

Specificationupto2034

Implementationupto255

Configurationupto30-50

0

0.2

0.4

0.6

1

Specification

Implementation

Confirmed:ISPsdonotsupportpoisoning>255ASes

16

Numberofobserved

BGPmessages

99.99%

1 10100100030

slowlydecreaseinfrequency

50xdropinfrequency

255

NumberofASesseeninaBGPmessage16

Poisoning>1,000ASesisnearlyimpossible

=>Detourpathisolationisinfeasible=>Detour-learningattackisalmostalwayspossible

Practicalchallengeofmitigatingadaptivedetour-learningattack

Adaptivedetour-learningattackagainstreroutingsolutions

Ourcontributions

17

Futuredirectionsfortransit-linkDDoSdefenses

Desireddefenseproperty:destination-controlledrouting

18

Clean-slateInternetarchitecture

HackingBGP

e.g.,STRIDE,SIBRAe.g.,RoutingAroundCongestion

?

e.g.,explicitBGPreroutingforcriticalflowsunderemergency ✕Toocostlytodeploy✕Doesnotwork

TwoLessonsLearned

19

Lesson1

HackingthecurrentInternetroutingisaflawedidea!

20

ü Adaptiveattacksarepossible

ü Mitigationishard

ü Adaptivedefenseisslowerthanadaptiveattacker(moreinthepaper)

21

Lesson2

Analysisofprotocolspecificationsaloneisinsufficient!

22

23

Specification Implementation Configuration

Conclusion• Detour-learningattacksareeffectiveandhardtomitigate

ü Transit-linkDDoSattacksstillremainanopenproblem

• Suggestiononresearchdirectionü Balancedestination-controlledroutinganddeployability

• 2lessonslearned:ü HackingBGPforreroutingisaflawedideaü Analysiswithspecificationonlycanbedangerous

24

Question?

MuoiTranmuoitran@comp.nus.edu.sg