senss: software-defined security service · pdf filesenss: software-defined security service...

38
SENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang, Jelena Mirkovic

Upload: duongkhanh

Post on 05-Feb-2018

225 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

SENSS: Software-defined Security Service

Minlan Yu University of Southern California

1

Joint work with Abdulla Alwabel, Ying Zhang, Jelena Mirkovic

Page 2: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

Growing DDoS Attacks

2

Average monthly size of DDoS attacks (Gbps)

Page 3: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

Growing DDoS Attacks

At March 2013, DDoS flooded Spamhaus at 300Gbps, 200 times faster than average

3

Arbor: Peak DDoS Attack Size (Jan 2010-Mar. 2013)

Page 4: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

Growing Prefix Hijacking In 2013, prefix hijacking affects 1,500 prefixes, 150 cities Live interception attacks are on for more than 60 days Traffic from major financial companies, govs, ISPs diverted

4

A map of 150 cities with at least one victim of interception attacks

Page 5: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

Motivation •  Network attacks are more frequent and

powerful –  In Q1 2014: 47% increase in total DDoS attacks. – Attack size more than 300Gbps.

•  Network attacks are more damaging – 71% of data center operators report DDoS

attacks – DDoS on Bitcoin Exchanges lowered bitcoin

price from 700$ to 540$ •  Diverse attacks

– Data plane: Direct flooding, reflector attacks – Control plane: Prefix hijacking, interception

5

Page 6: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

Traditional Solutions

•  Victim-based solutions are not sufficient – Leverage IDS boxes, or outsource to security

services – Hard to diagnose remote root causes or trace

sources – Have to manually call ISPs on the phone

•  Research inter-ISP solutions are not adopted – Focus on individual attacks – Require complex changes on routers – No economic incentive for ISPs 6

Need a flexible, deployable solution for diverse attacks

Page 7: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

Software-defined Security Service (SENSS)

•  Victim-oriented programming for diverse attacks – Victims have the incentives – Victims have knowledge of their traffic and

priorities •  Victims request help from remote networks

– To observe and control their own traffic and routes

– Using simple and expressive interfaces at ISPs, easily implemented in today’s ISPs

•  Difficult trade-offs: all the intelligence implemented at the victim

7

Page 8: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

SENSS Design

8

1) Initiate

2) Query

3) Reply

4) Control

Page 9: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

SENSS is Practical

•  ISPs – SENSS-needed interfaces already exist in their

infrastructure –  ISPs already provide manual support for victims –  ISPs can charge victims for the security services

•  Victims – Strong incentives to fix their own problems – Effective solutions even with partial deployment

9

Page 10: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

Challenges

•  What’s the right interface at ISPs? – Easy to implement at today’s ISPs – Useful for a wide variety of attack defenses

•  How can victims program the defenses? – With SENSS deployment on a few ASes – Without missing information (spoofing, privacy, etc)

•  Security and Privacy

10

Page 11: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

Simple, Flexible Interfaces at ISPs

11

Page 12: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

SENSS Interfaces: Traffic •  Traffic query

– Query flows using TCP/IP header fields – Answer #bytes/pkts from/to each neighbor

•  Traffic control – Filter, rate limit traffic matching a traffic flow

•  Similar to OpenFlow rules – Only allow victims to query/control traffic to/from

them

12

1.  src=1.2.*.*, dest=3.4.5.* ! query 2.  src port=80, dest=3.4.*.* ! filter

Page 13: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

SENSS Interfaces: Routes

•  Route query – Query the best route to the victim prefix – Similar to BGP route queries to neighbors – But we extend to remote ASes

•  Route control – Modify the route from the AS to the victim – Demote all the routes with given AS segments – To get around the malicious/polluted ASes

13

Page 14: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

Automated Detection/Mitigation at Victims

14

Page 15: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

DDoS w/ Signature – The victim identifies the attack and header

signature – The victim installs filtering rules at deployed AS

100 100 100 100

100

10 10

10

8 8 8 8 209

3 3 3 3 3

201

TrafficFilter (<header_signatur

e>

200 201 201

1

Page 16: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

DDoS w/ Signature – The victim identifies the attack and header

signature – The victim installs filtering rules at deployed AS

100 100 100 100

100

10 10

8 8

3 3 3 3 3

1 200

Page 17: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

DDoS Without Signature •  Victims may not find a signature

– Spoofing; randomize packet header and contents •  Cannot simply block high traffic aggregates

– May lead to high collateral damage •  SENSS: Compare traffic distribution across

ASes before and after the attack – Track normal traffic distribution periodically – Compare with traffic distribution during attack – Filter on those AS links with big traffic growth – Only victim can decide which collateral damage is

OK 17

Page 18: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

DDoS Without Signature

18

100 100 100 100

100

3 3 3 3 3

Traffic Query, Periodically

Page 19: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

DDoS Without Signature

19

100 100 100 100

100

3 3 3 3 3

Knowledge Base A:<B,100> D: <S4,100> G: <> J: <K,3> L: <S3,3>

<B,100>

<S5,100>

< >

<K,3>

<S3,3>

Page 20: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

DDoS Without Signature

20

100 100 100 100

100

10 10

10

8 8 8 8 209

3 3 3 3 3

201

200 201 201

1

Traffic Query(<dst=V>,

1s,IN)

Knowledge Base A:<B,100> D: <S4,100> G: <> J: <K,3> L: <S3,3>

Page 21: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

DDoS Without Signature

21

100 100 100 100

100

10 10

10

8 8 8 8 209

3 3 3 3 3

201

200 201 201

1

<B,110>

<S5,100>

<H,8 >

<K,205>

<S3,3>,<S2,200>

Knowledge Base A:<B,100> D: <S4,100> G: <> J: <K,3> L: <S3,3> A:<B,100> D: <S4,100> G: <H, 8> J: <K,205> L: <S3,3> <S2, 200>

Page 22: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

DDoS Without Signature

22

100 100 100 100

100

10 10

10

8 8 8 8 209

3 3 3 3 3

201

200 201 201

1

TrafficFilter(<dst=V, tag=K>}

Knowledge Base A:<B,100> D: <S4,100> G: <> J: <K,3> L: <S3,3> A:<B,100> D: <S4,100> G: <H, 8> J: <K,205> L: <S3,3> <S2, 200>

Page 23: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

DDoS Without Signature

23

100 100 100 100

100

10 10

10

8 8 8 8 8

3 3 3 3 3

200 201 201

1

Knowledge Base A:<B,100> D: <S4,100> G: <> J: <K,3> L: <S3,3> A:<B,100> D: <S4,100> G: <H, 8> J: <K,205> L: <S3,3> <S2, 200>

Page 24: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

Interception Attacks

24

•  Interception attacks –  Introduce false information into the routing system – Claim shorter AS-PATH, hijack victim prefix – Traffic still reaches the victim

•  Detection and mitigation – Data plane alone cannot reveal the root causes – Control plane info may be inaccurate or outdated

•  SENSS: Check inconsistency between control and data planes via route and traffic query

Page 25: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

Interception

25 5/20/14 Copyright USC/ISI. All rights reserved. 25

RouteQuery(V)

Page 26: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

Interception

26 5/20/14 Copyright USC/ISI. All rights reserved. 26

<FMAV>

<MAV>

Knowledge Base Control Plane S to V: <FMAV> F to V: <MAV>

Page 27: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

Interception

27 5/20/14 Copyright USC/ISI. All rights reserved. 27

TrafficQuery(<src=S, dst=V>, 1s, INOUT)

Knowledge Base Control Plane S to V: <FMAV> F to V: <MAV>

Page 28: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

Interception

28 5/20/14 Copyright USC/ISI. All rights reserved. 28

<B, 10, IN> <V, 10, OUT>

Knowledge Base Control Plane S to V: <FMAV> F to V: <MAV>

<M, 10, IN> <B, 10, OUT>

Data Plane Traffic from S to V passes through B and C!!

Page 29: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

Interception

29 5/20/14 Copyright USC/ISI. All rights reserved. 29

RouteDemote (<dst=V, segment=M>)

Knowledge Base Control Plane S to V: <FMAV> F to V: <MAV>

Data Plane Traffic from S to V passes through B and C!!

Page 30: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

Interception

30 5/20/14 Copyright USC/ISI. All rights reserved. 30

Knowledge Base Control Plane S to V: <FMAV> F to V: <MAV>

Data Plane Traffic from S to V passes through B and C!!

Page 31: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

SENSS Use Cases

31

Attacks Query Control DDoS w/ signature Traffic queries Traffic filter

DDoS w/o signature

Traffic queries Traffic filter

DDoS reflection Reduces to DDoS w/ or w/o signature Crossfire Traffic queries Bandwidth

guarantees Blackholing Route queries Route demotion

Interception Route and Traffic queries

Route modification

Page 32: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

Simulation Setup

•  AS-Level Internet topology from RouteViews/RIPE – 41K ASes with 92K links, including 11 Tier-1 ASes

•  Simulate DDoS – Real traffic from CDN traces and DDoS attack

traces – Simulated traffic with different distributions

•  Simulate Prefix-Hijacking – Select victims and attackers from different tiers in

the AS hierarchy 32

Page 33: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

DDoS Results

•  Eliminate attack traffic – To eliminate 95% attack traffic – Need only 10-30 SENSS ASes – Less than 36 messages are needed – Hold for a wide range of traffic distributions

•  Small collateral damage – Outperforms traceback solutions with the same # of

deployed ASes

33

Page 34: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

Prefix Hijacking Results

•  Detection – With 30 ASes deployed, the detection accuracy can

reach 90% for blackholing and 70% for interception – The median number of queries is 3-10 for

blackholing and 6-15 for interception •  Mitigation

– Correct > 80% of polluted Ases with 18 SENSS ASes

34

Page 35: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

SENSS Implementation

•  ISPs – Openvswitch as data plane, Quagga as control

plane – Floodlight as controller for Openvswitch – Apache SENSS server

•  Victim – Sends HTTPs

requests to SENSS server

•  Response time – 600 ms

35

Page 36: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

Security and Privacy

•  Security – Operations allowed on traffic from/to own prefixes

and routes to own prefixes – Ownership verification via RPKI, communication

via SSL – Outsource to cloud if victim has no path to SENSS

server •  Privacy

–  ISPs only need to share traffic information for peer indexes, without revealing the actual peer

– Routing information is already publicly available 36

Page 37: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

Conclusion

•  Software-defined security service – Simple, flexible interfaces at ISP – Victim-oriented programming for diverse attacks

•  Practical security detection/mitigation services – Effective to mitigate large-scale attacks –  Incentive for adoption from ISP and victims – Flexible for supporting new defenses for new

attacks

37

Page 38: SENSS: Software-defined Security Service · PDF fileSENSS: Software-defined Security Service Minlan Yu University of Southern California 1 Joint work with Abdulla Alwabel, Ying Zhang,

Adopting SENSS

•  We will release SENSS for deployment – Contact Minlan Yu ([email protected])

•  We want to hear from operators – What are your concerns in deploying SENSS? – Economics? Privacy? Effectiveness? Deployment?

http://www-bcf.usc.edu/~minlanyu/writeup/ons14-senss.pdf

38