Dispersing Asymmetric DDoS Attacks with SplitStack

Presentation transcript:

Dispersing Asymmetric DDoS Attacks with SplitStack
Ang Chen, Akshay Sriraman, Tavish Vaidya+, Yuankai Zhang+, Andreas Haeberlen, Boon Thau Loo, Linh Thi Xuan Phan, Micah Sherr+, Clay Shields+, and Wenchao Zhou+
University of Pennsylvania; Georgetown University (+)

Motivation: Defending against DDoS attacks
- Distributed Denial-of-Service (DDoS) attacks happen almost on a daily basis
- They cause serious damage
- We need effective defenses!

Challenge: Asymmetric attacks
- Brute-force attacks: overwhelm the network link with UDP packets
  - Defense → match the resources on the attacker's side
- Asymmetric attacks: small attack resource, larger attack scale ("David vs. Goliath")
  - Trickier to defend against!

Example: SSL renegotiation
[Figure: SSL renegotiation attack; client-hello, server-hello, then repeated renegotiate requests]
- Server does 10x more computation than the client!
- SSL renegotiation attack: overwhelms the server's CPU resources by continuously asking for new cryptographic keys

Attack-specific defenses are not enough!
- Attacks → Defenses: SYN flood → SYN cookie; SSL renegotiation → SSL accelerator
- Approach: develop a different defense for each attack
  - Limitation 1: cannot defend against attacks with unknown vectors
  - Limitation 2: need a new defense for each attack
- Can we build a better software architecture to defend against DDoS attacks in general?

Limitation of today's software architecture
[Figure: a monolithic server needs memory, CPU and disk together; spare resources cannot host another copy]
- Today's software stacks are monolithic
- Not flexible: either replicate the entire server, or nothing
- Cannot use available resources effectively!

What can we do?
- Key observation: if we can replicate smaller components (e.g., SSL) instead of the entire service, we can use available resources more effectively
- But the current software architecture doesn't permit this!

Approach: SplitStack
[Figure: replication with SplitStack; only the SSL component is replicated three times]
- Approach: re-design the architecture of software stacks
- SplitStack: partition the software stack into small components that can be replicated separately
- Benefit: fine-grained replication can use available resources better
- Analogous to microservices, but with much finer granularity

The vision of SplitStack
[Figure: performance vs. strength of the DoS attack for no defense, naïve replication and SplitStack; naïve replication runs out of resources well before SplitStack does]
- Vision: use fine-grained replication, so that the amount of available resources is the only limit (not the software architecture)!

Outline
- Motivation: mitigating asymmetric DDoS attacks
  - Existing defenses
- Approach: SplitStack
- SplitStack architecture
  - What should the partitions look like?
  - How should the MSUs interact?
  - Dataflow transformation
  - Routing tables
  - The SplitStack controller
  - MSU scheduling
- Case study: mitigating SSL renegotiation attacks
- Ongoing work
- Conclusion

What should the partitions look like?
[Figure: a web stack partitioned into units such as buffering, HTTP layer, I/O, SSL, cache, buffer management, TCP layer, parsing, checksum, assembly and handshaking]
- Minimal Splittable Units (MSUs)
  - Small, self-contained, with narrow interfaces to other MSUs
  - Can be replicated independently from other MSUs
  - Example: SSL handling, TCP handshaking, …

How would the MSUs interact?
[Figure: dataflow graph from BEGIN through buffering, I/O, SSL and cache MSUs to END]
- MSUs form dataflow graphs
- Nodes → MSUs, edges → communication
- Requests are routed through the stack (network-in-a-SW-stack!)

Dataflow transformation
[Figure: the same dataflow graph with the SSL MSU replicated three times]
- MSUs are monitored to detect attacks
- MSUs can be replicated to disperse attacks (add, clone)
- Dataflow graph can be reconfigured (reassign)
- MSUs can be torn down (remove)

Routing tables
[Figure: each MSU in the partitioned stack carries a routing table with columns "routing keys", "routing dest." and "incoming queue"; an example key is the five-tuple]
- Each MSU has a set of reconfigurable routing tables (SDN-in-a-SW-stack!)
- Routing entries:
  - Routing keys → five-tuple, key-value hash, …
  - Routing dest. → routes requests through the stack
  - Incoming queue → stores incoming requests

The SplitStack controller
- Analogous to SDN controllers
- Has a global view of available resources
- Monitors the MSUs
- Invokes the graph transformation primitives
- Updates the routing tables
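The three preceding slides (transformation primitives, per-MSU routing tables, and the controller loop) as one small simulation. This is an added illustration, not code from the SplitStack/DEDOS project: the MSU names, per-request costs, capacities and the integer routing keys (standing in for five-tuple hashes) are constructed assumptions.

```python
class MSU:  # Minimal Splittable Unit: one stage of the stack plus its routing table
    def __init__(self, name, cost, capacity):
        self.name, self.cost, self.capacity = name, cost, capacity
        self.routes = []  # routing dest.: replicas of the next MSU in the graph
        self.load = 0     # CPU units consumed in the current round
    def route(self, key):
        # The routing key (e.g. a five-tuple hash) selects one replica of the next stage
        return self.routes[key % len(self.routes)]

class SplitStack:
    def __init__(self):
        self.msus = {}
    def add(self, name, cost=0, capacity=10**9):  # graph primitive: add
        return self.msus.setdefault(name, MSU(name, cost, capacity))
    def reassign(self, src, dests):  # graph primitive: reassign routing destinations
        self.msus[src].routes = [self.msus[d] for d in dests]
    def clone(self, name):  # graph primitive: clone an MSU and wire it in
        orig = self.msus[name]
        rep = self.add(f"{name.split('#')[0]}#{len(self.msus)}", orig.cost, orig.capacity)
        rep.routes = list(orig.routes)  # same successors as the original
        for m in self.msus.values():    # every predecessor now spreads load over both
            if orig in m.routes: m.routes.append(rep)
        return rep
    def run_round(self, keys):  # push one request per key BEGIN -> ... -> END
        for m in self.msus.values(): m.load = 0
        served = 0
        for key in keys:
            cur = self.msus["BEGIN"]
            while cur.name != "END":
                if cur.load + cur.cost > cur.capacity: break  # saturated: request dropped
                cur.load += cur.cost; cur = cur.route(key)
            else:
                served += 1
        return served
    def controller_step(self):  # monitor all MSUs, clone those that saturated last round
        return [self.clone(m.name).name for m in list(self.msus.values())
                if m.capacity - m.load < m.cost]

def demo(n_flows=40, rounds=3):  # asymmetric load: SSL costs 10x the I/O stage per request
    s = SplitStack()
    s.add("BEGIN"); s.add("END"); s.add("IO", cost=1, capacity=100)
    s.add("SSL", cost=10, capacity=100); s.add("CACHE", cost=1, capacity=100)
    for src, dst in (("BEGIN", "IO"), ("IO", "SSL"), ("SSL", "CACHE"), ("CACHE", "END")):
        s.reassign(src, [dst])
    keys = range(n_flows)  # constructed: stands in for the per-flow five-tuple hashes
    history = [s.run_round(keys)]
    for _ in range(rounds):
        s.controller_step(); history.append(s.run_round(keys))
    return history
```

`demo()` returns the requests served per round: only the expensive SSL MSU is cloned, so throughput rises from 10 to 40 while the cheap I/O and cache stages keep a single copy.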

MSU scheduling
[Figure: the controller placing the MSUs of the dataflow graph onto machines]
- The controller schedules dataflow graphs
- Makes optimized, global decisions
- Meets real-time guarantees
- Schedules should be resilient to attacks

Outline (continued)
- Motivation: mitigating asymmetric DDoS attacks
  - Existing defenses
- Approach: SplitStack
- SplitStack architecture
  - What should the partitions look like?
  - How should the MSUs interact?
  - Dataflow transformation
  - Routing tables
  - The SplitStack controller
  - MSU scheduling
- Case study: dispersing SSL renegotiation attacks
- Ongoing work
- Conclusion

Experimental setup
[Figure: naïve replication (whole server replicated) vs. SplitStack (only the SSL MSU replicated)]
- Platform: DETERLab
- Server-side: Apache web server, MySQL, PHP; SSL MSU approximated by stunnel
- Attacker-side: thc-ssl-dos tool (SSL renegotiation)
- Baseline: no defense at all

Results
- Normalized throughput: no defense 1, naïve replication 1.98, SplitStack 3.77
- SplitStack can use available resources better when mitigating DDoS attacks

Ongoing work
- How should we partition the software stack?
  - Currently manual partitions (SSL, TCP handshaking, …)
  - Long term: program slicing [ICSE'81], control-flow graph analysis [PLDI'88], …
- How should we keep the overheads low?
  - Normal mode → shim layers to keep overheads at a minimum
  - Under attack → should deliver much bigger benefits; needs to identify good partitions!
- Are there consistency requirements to be considered?
  - Stateless MSUs → easier
  - Stateful MSUs, coordinating MSUs → need to provide consistency guarantees

Conclusion
- Motivation: mitigating asymmetric DDoS attacks
- Existing approaches: attack-specific defenses; all-or-nothing replication
- Problem: existing software stacks are monolithic; they cannot use all the available resources!
- New software architecture: SplitStack
  - Key approach: split a monolithic software stack into MSUs to enable fine-grained replication
  - Preliminary result: SplitStack can mitigate higher-volume attacks
- Project website: http://dedos-project.net
- Questions?