The Role of Indirection and Diffusion in DDoS Defense
Angelos D. Keromytis
Network Security Lab
Computer Science Department, Columbia University
Slide 2: Capacity and Path Diversity

[Figure: link capacities from POTS/ISDN and T1 through 10M Ethernet, OC3, OC12 and OC192, with trend arrows for increasing traffic aggregation, increasing SW service deployment times, increasing preference for SW restriction to the control plane, more nodes, and decreasing cycles/bps]

- DDoS seems to be largely a "last-3-hops" problem
- Informal survey of ISPs shows 20-40 Gbps per POP
- Many redundant paths (some are better than the route-converged path!)
- Similar characteristics likely to hold for any future "Internet", unless we abandon the statistical mux model and adopt a single-authority/ISP (think phone network)
- FiOS or similar network upgrades unlikely to significantly change the situation (wireless may make things worse!)
- Must be intelligent about traffic monitoring/admission/handling
- Intelligence inside the network is hard to come by
Slide 3: Indirection and Diffusion

- Send the traffic to the intelligence
- Put the intelligence where you can (technology, cost/benefit, deployment limitations)
- Intelligence can be pretty invasive, e.g., full-blown authentication, payment, CAPTCHA, attestation ...
- Intelligence must not be a point of vulnerability
  - Scalable, distributed, restricted interface (attack surface)
  - But: still an easier proposition than doing the same at line speeds inside the network
  - Diffusion helps to eliminate single points of failure
  - Challenges: interference, sensing, knowledge, guarantees?
- Intelligence must be efficient
  - Performance, reliability, low cost (shared & on-demand?)
- Transparent vs. explicit intelligence/indirection
- Complement intelligence with simple in-network mechanisms
  - Routing, limited filtering abilities, deflections, ???
  - Use what you can, where it makes sense (to paraphrase e2e)
Slide 4: Simple Filtering

[Figure only]

Slide 5: SOS/WebSOS [SIGCOMM2002, CCS2003]

[Figure only]

Slide 6: Human-centric Authentication [CCS2003]

[Figure only]

Slide 7: Diffusion [CCS2005]

[Figure only]
Slide 8: Local Perimeter Establishment [IAMCOM2007]

- Limited-scope PushBack (inside home ISP only)
- Much simpler trust issues, pay-per-use possibility [ACNS2004]
- RSVP might do the trick, too...

Slide 9: Backup Slides
Slide 10: MOVE [NDSS2005]

[Figure only]

Slide 11: MOVE [NDSS2005]: Attack

[Figure only]

Slide 12: MOVE [NDSS2005]: Attack

[Figure only]

Slide 13: Old-fashioned DoS Attack

[Figure only]

Slides 14-17: New Attack: "Stalker" Attack

[Figures only]

Slides 18-20: New Attack: Sweeping Attack

[Figures only]
Slide 21: Latency with Diffusion

[Figure: end-to-end latency with client packet replication, overlay vs. direct]

Slide 22: Resilience & Latency

[Figure: end-to-end latency vs. node failure; series: no replication, 1.5x, 2x, 3x replication]

Slide 23: Resilience & Throughput

[Figure: throughput (KB/sec) vs. % node failure]