![Page 1: The Role of Indirection and Diffusion in DDoS Defense](https://reader035.vdocuments.us/reader035/viewer/2022062315/5681592c550346895dc657d6/html5/thumbnails/1.jpg)
The Role of Indirection and Diffusion in DDoS Defense
Angelos D. Keromytis, Network Security Lab
Computer Science Department, Columbia University
![Page 2: The Role of Indirection and Diffusion in DDoS Defense](https://reader035.vdocuments.us/reader035/viewer/2022062315/5681592c550346895dc657d6/html5/thumbnails/2.jpg)
Capacity and Path Diversity
[Figure: link technologies from POTS/ISDN, T1, 10M Ethernet, OC3, OC12 to OC192; trends marked as increasing traffic aggregation, increasing SW service deployment times, increasing preference for SW restriction to the control plane, more nodes]
- DDoS seems to be largely a "last-3-hops" problem
- Informal survey of ISPs shows 20-40Gbps per POP
- Many redundant paths (some are better than the route-converged path!)
- Similar characteristics likely to hold for any future "Internet", unless we abandon the statistical mux model and adopt single-authority/ISP (think phone network)
- FiOS or similar network upgrades unlikely to significantly change the situation (wireless may make things worse!)
- Must be intelligent about traffic monitoring/admission/handling
- Intelligence inside the network is hard to come by
[Figure label: decreasing cycles/bps]
![Page 3: The Role of Indirection and Diffusion in DDoS Defense](https://reader035.vdocuments.us/reader035/viewer/2022062315/5681592c550346895dc657d6/html5/thumbnails/3.jpg)
Indirection and Diffusion
- Send the traffic to the intelligence
- Put the intelligence where you can (technology, cost/benefit, deployment limitations)
- Intelligence can be pretty invasive, e.g., full-blown authentication, payment, CAPTCHA, attestation ...
- Intelligence must not be a point of vulnerability: scalable, distributed, restricted interface (attack surface)
- But: an easier proposition than doing the same at line speeds inside the network
- Diffusion helps to eliminate single points of failure
- Challenges: interference, sensing, knowledge, guarantees?
- Intelligence must be efficient: performance, reliability, low cost (shared & on-demand?)
- Transparent vs. explicit intelligence/indirection
- Complement intelligence with simple in-network mechanisms: routing, limited filtering abilities, deflections, ???
- Use what you can, where it makes sense (to paraphrase e2e)
![Page 4: The Role of Indirection and Diffusion in DDoS Defense](https://reader035.vdocuments.us/reader035/viewer/2022062315/5681592c550346895dc657d6/html5/thumbnails/4.jpg)
Simple Filtering
![Page 5: The Role of Indirection and Diffusion in DDoS Defense](https://reader035.vdocuments.us/reader035/viewer/2022062315/5681592c550346895dc657d6/html5/thumbnails/5.jpg)
SOS/WebSOS [SIGCOMM2002, CCS2003]
![Page 6: The Role of Indirection and Diffusion in DDoS Defense](https://reader035.vdocuments.us/reader035/viewer/2022062315/5681592c550346895dc657d6/html5/thumbnails/6.jpg)
Human-centric Authentication [CCS2003]
![Page 7: The Role of Indirection and Diffusion in DDoS Defense](https://reader035.vdocuments.us/reader035/viewer/2022062315/5681592c550346895dc657d6/html5/thumbnails/7.jpg)
Diffusion [CCS2005]
![Page 8: The Role of Indirection and Diffusion in DDoS Defense](https://reader035.vdocuments.us/reader035/viewer/2022062315/5681592c550346895dc657d6/html5/thumbnails/8.jpg)
Local Perimeter Establishment [IAMCOM2007]
- Limited-scope PushBack (inside home ISP only)
- Much simpler trust issues, pay-per-use possibility [ACNS2004]
- RSVP might do the trick, too...
![Page 9: The Role of Indirection and Diffusion in DDoS Defense](https://reader035.vdocuments.us/reader035/viewer/2022062315/5681592c550346895dc657d6/html5/thumbnails/9.jpg)
Backup Slides
![Page 10: The Role of Indirection and Diffusion in DDoS Defense](https://reader035.vdocuments.us/reader035/viewer/2022062315/5681592c550346895dc657d6/html5/thumbnails/10.jpg)
MOVE [NDSS2005]
![Page 11: The Role of Indirection and Diffusion in DDoS Defense](https://reader035.vdocuments.us/reader035/viewer/2022062315/5681592c550346895dc657d6/html5/thumbnails/11.jpg)
MOVE [NDSS2005]
Attack
![Page 12: The Role of Indirection and Diffusion in DDoS Defense](https://reader035.vdocuments.us/reader035/viewer/2022062315/5681592c550346895dc657d6/html5/thumbnails/12.jpg)
MOVE [NDSS2005]
Attack
![Page 13: The Role of Indirection and Diffusion in DDoS Defense](https://reader035.vdocuments.us/reader035/viewer/2022062315/5681592c550346895dc657d6/html5/thumbnails/13.jpg)
Old fashioned DoS Attack
![Page 14: The Role of Indirection and Diffusion in DDoS Defense](https://reader035.vdocuments.us/reader035/viewer/2022062315/5681592c550346895dc657d6/html5/thumbnails/14.jpg)
New Attack: "Stalker" Attack
![Page 15: The Role of Indirection and Diffusion in DDoS Defense](https://reader035.vdocuments.us/reader035/viewer/2022062315/5681592c550346895dc657d6/html5/thumbnails/15.jpg)
New Attack: "Stalker" Attack
![Page 16: The Role of Indirection and Diffusion in DDoS Defense](https://reader035.vdocuments.us/reader035/viewer/2022062315/5681592c550346895dc657d6/html5/thumbnails/16.jpg)
New Attack: "Stalker" Attack
![Page 17: The Role of Indirection and Diffusion in DDoS Defense](https://reader035.vdocuments.us/reader035/viewer/2022062315/5681592c550346895dc657d6/html5/thumbnails/17.jpg)
New Attack: "Stalker" Attack
![Page 18: The Role of Indirection and Diffusion in DDoS Defense](https://reader035.vdocuments.us/reader035/viewer/2022062315/5681592c550346895dc657d6/html5/thumbnails/18.jpg)
New Attack: Sweeping Attack
![Page 19: The Role of Indirection and Diffusion in DDoS Defense](https://reader035.vdocuments.us/reader035/viewer/2022062315/5681592c550346895dc657d6/html5/thumbnails/19.jpg)
New Attack: Sweeping Attack
![Page 20: The Role of Indirection and Diffusion in DDoS Defense](https://reader035.vdocuments.us/reader035/viewer/2022062315/5681592c550346895dc657d6/html5/thumbnails/20.jpg)
New Attack: Sweeping Attack
![Page 21: The Role of Indirection and Diffusion in DDoS Defense](https://reader035.vdocuments.us/reader035/viewer/2022062315/5681592c550346895dc657d6/html5/thumbnails/21.jpg)
Latency with Diffusion
[Figure: End-to-End Latency with Client Packet Replication; series: Overlay / Direct]
![Page 22: The Role of Indirection and Diffusion in DDoS Defense](https://reader035.vdocuments.us/reader035/viewer/2022062315/5681592c550346895dc657d6/html5/thumbnails/22.jpg)
Resilience & Latency
[Figure: End-to-End Latency vs Node Failure; series: No Repl., 1.5x, 2x, 3x]
![Page 23: The Role of Indirection and Diffusion in DDoS Defense](https://reader035.vdocuments.us/reader035/viewer/2022062315/5681592c550346895dc657d6/html5/thumbnails/23.jpg)
Resilience & Throughput
[Figure: Throughput vs Node Failure; y-axis KB/Sec, x-axis % Node Failure]
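The resilience trade-off sketched on the Diffusion slide and measured in the "Latency vs Node Failure" figure, as an added, constructed model that is not part of the original slides or of the CCS2005 system: a client replicates each packet across several overlay entry nodes (no replication, 1.5x, 2x, 3x), nodes fail independently, and the first surviving copy sets the end-to-end latency. The per-node overlay latencies and the independent-failure model are assumptions for illustration, not measurements from the paper.

```python
import math
import random
from statistics import mean


def delivery_probability(node_failure: float, replication: float) -> float:
    """Closed-form delivery probability under independent node failures.

    A fractional replication factor r (e.g. 1.5x) means floor(r) copies of
    every packet plus one extra copy for a fraction frac(r) of the packets.
    A packet is lost only if the entry node of every copy is down.
    """
    k = math.floor(replication)
    extra = replication - k
    lost = (1 - extra) * node_failure ** k + extra * node_failure ** (k + 1)
    return 1.0 - lost


def simulate(node_failure: float, replication: float, n_nodes: int = 40,
             packets: int = 20000, seed: int = 7):
    """Monte Carlo of client packet replication over an overlay.

    Returns (fraction of packets delivered, mean latency in ms of the
    delivered packets). Assumed model: each copy goes through a distinct
    overlay entry node; each such node is independently down with
    probability node_failure; the earliest surviving copy wins.
    """
    rng = random.Random(seed)
    # Constructed overlay latencies (ms): a ~50 ms base plus each node's own detour.
    latency = [50.0 + rng.uniform(10.0, 60.0) for _ in range(n_nodes)]
    k_base = math.floor(replication)
    extra = replication - k_base
    delivered, latencies = 0, []
    for _ in range(packets):
        copies = k_base + (1 if rng.random() < extra else 0)
        chosen = rng.sample(range(n_nodes), copies)   # distinct entry nodes
        alive = [latency[i] for i in chosen if rng.random() >= node_failure]
        if alive:
            delivered += 1
            latencies.append(min(alive))               # first copy to arrive
    return delivered / packets, (mean(latencies) if latencies else float("inf"))


def sweep(node_failure: float):
    """Same four series as the slide's figure: no replication, 1.5x, 2x, 3x."""
    return {r: simulate(node_failure, r) for r in (1.0, 1.5, 2.0, 3.0)}


if __name__ == "__main__":
    for p in (0.0, 0.1, 0.3, 0.5):
        for r, (rate, lat) in sweep(p).items():
            print(f"failure={p:.0%} repl={r}x delivered={rate:.3f} "
                  f"(analytic {delivery_probability(p, r):.3f}) latency={lat:.1f} ms")
```

More copies raise delivery probability and lower the observed latency (the minimum over more surviving paths), at the cost of proportionally more client-side bandwidth, which is the throughput side of the same trade-off.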