Memento: Making Sliding Windows Efficient for Heavy Hitters

Slides:



Advertisements
Similar presentations
Data Streaming Algorithms for Accurate and Efficient Measurement of Traffic and Flow Matrices Qi Zhao*, Abhishek Kumar*, Jia Wang + and Jun (Jim) Xu* *College.
Advertisements

Measurement in Networks & SDN Applications. Interesting Questions Who is sending a lot to a subnet? – Heavy Hitters Is someone doing a port Scan? Is someone.
MULTOPS A data-structure for bandwidth attack detection Thomer M. Gil Vrije Universiteit, Amsterdam, Netherlands MIT, Cambridge, MA, USA
Measuring Large Traffic Aggregates on Commodity Switches Lavanya Jose, Minlan Yu, Jennifer Rexford Princeton University, NJ 1.
Extensible Scalable Monitoring for Clusters of Computers Eric Anderson U.C. Berkeley Summer 1997 NOW Retreat.
DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric ( )
SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.
1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)
Hash, Don’t Cache: Fast Packet Forwarding for Enterprise Edge Routers Minlan Yu Princeton University Joint work with Jennifer.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.
SIGCOMM 2002 New Directions in Traffic Measurement and Accounting Focusing on the Elephants, Ignoring the Mice Cristian Estan and George Varghese University.
New Streaming Algorithms for Fast Detection of Superspreaders Shobha Venkataraman* Joint work with: Dawn Song*, Phillip Gibbons ¶,
CEDAR Counter-Estimation Decoupling for Approximate Rates Erez Tsidon (Technion, Israel) Joint work with Iddo Hanniel and Isaac Keslassy ( Technion ) 1.
INTERNATIONAL NETWORKS At Indiana University Hans Addleman TransPAC Engineer, International Networks University Information Technology Services Indiana.
CEDAR Counter-Estimation Decoupling for Approximate Rates Erez Tsidon Joint work with Iddo Hanniel and Isaac Keslassy Technion, Israel 1.
1 The Internet and Networked Multimedia. 2 Layering  Internet protocols are designed to work in layers, with each layer building on the facilities provided.
CS1001 Lecture 7. Overview Computer Networks Computer Networks The Internet The Internet Internet Services Internet Services Markup Languages Markup Languages.
Selective Packet Inspection to Detect DoS Flooding Using Software Defined Networking Author : Tommy Chin Jr., Xenia Mountrouidou, Xiangyang Li and Kaiqi.
SEMINAR ON IP SPOOFING. IP spoofing is the creation of IP packets using forged (spoofed) source IP address. In the April 1989, AT & T Bell a lab was among.
RIP Routing Protocol. 2 Routing Recall: There are two parts to routing IP packets: 1. How to pass a packet from an input interface to the output interface.
2009/6/221 BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure- Independent Botnet Detection Reporter : Fong-Ruei, Li Machine.
SCREAM: Sketch Resource Allocation for Software-defined Measurement Masoud Moshref, Minlan Yu, Ramesh Govindan, Amin Vahdat (CoNEXT’15)
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 OSI network layer CCNA Exploration Semester 1 – Chapter 5.
1 Computer Networks Chapter 5. Network layer The network layer is concerned with getting packets from the source all the way to the destination. Getting.
SketchVisor: Robust Network Measurement for Software Packet Processing
Stepping Stone Detection at The Server Side
Denial of Service Mitigation with OpenFlow using SciPass
MAC Protocols for Sensor Networks
An Introduction To ARP Spoofing & Other Attacks
SDN and Security Security as a service in the cloud
Kapitel 19: Routing. Kapitel 21: Routing Protocols
Constant Time Updates in Hierarchical Heavy Hitters
DDoS Attacks on Financial Institutions Presentation
Dynamic Routing Protocols part2
Jennifer Rexford Princeton University
Architecture and Algorithms for an IEEE 802
Network Anti-Spoofing with SDN Data plane Authors:Yehuda Afek et al.
Network Address Translation (NAT)
Riptide: Jump-Starting Back-Office Connections in Cloud Systems
Revisiting Ethernet: Plug-and-play made scalable and efficient
Routing Information Protocol (RIP)
Data Streaming in Computer Networking
NOX: Towards an Operating System for Networks
What Are Routers? Routers are an intermediate system at the network layer that is used to connect networks together based on a common network layer protocol.
Network Address Translation (NAT)
TCP Transport layer Er. Vikram Dhiman LPU.
Virtual LANs.
SWITCHING Switched Network Circuit-Switched Network Datagram Networks
Aled Edwards, Anna Fischer, Antonio Lain HP Labs
Transport Layer Unit 5.
Defending Against DDoS
HWP2 – Distributed search
DDoS Attack Detection under SDN Context
AKAMAI INTELLIGENT PLATFORM™
Optimal Elephant Flow Detection Presented by: Gil Einziger,
Qun Huang, Patrick P. C. Lee, Yungang Bao
SCREAM: Sketch Resource Allocation for Software-defined Measurement
IP Traceback Problem: How do we determine where malicious packet came from ? It’s a problem because attacker can spoof source IP address If we know where.
Constant Time Updates in Hierarchical Heavy Hitters
By: Ran Ben Basat, Technion, Israel
Network-Wide Routing Oblivious Heavy Hitters
Heavy Hitters in Streams and Sliding Windows
By: Ran Ben Basat, Technion, Israel
Ran Ben Basat, Xiaoqi Chen, Gil Einziger, Ori Rottenstreich
Chapter 5 Transport Layer Introduction
IPv6 Addressing By Aman Agrawal Archisman Bhattacharya
Network Address Translation (NAT)
Outline The spoofing problem Approaches to handle spoofing
Lu Tang , Qun Huang, Patrick P. C. Lee
NitroSketch: Robust and General Sketch-based Monitoring in Software Switches Alan (Zaoxing) Liu Joint work with Ran Ben-Basat, Gil Einziger, Yaron Kassner,
Presentation transcript:

Memento: Making Sliding Windows Efficient for Heavy Hitters Ran Ben Basat (Harvard University), Gil Einziger (Ben Gurion University), Isaac Keslassy (VMWare and Technion), Ariel Orda and Shay Vargaftik (Technion), and Erez Waisbard (Nokia Bell Labs)

Distributed Denial of Service

Heavy Hitters How many packets has sent? Which flows are larger than 𝑇? Traditionally – must fit in the SRAM 1 5 3 7 8 4 2 Year 2012 2014 2016 SRAM (MB) 10-20 30-60 50-100 (SilkRoad, SIGCOMM 2017) Can’t allocate a counter for each flow!

Hierarchical Heavy Hitters (HHH) identify traffic clusters. If we find the attacking networks we can stop the attack! DDoS attack (Aug. 2014) DREAM: dynamic resource allocation for software-defined Counting. ACM SIGCOMM 2014 LADS: Large-scale Automated DDoS Detection System. USENIX ATC 2006 Automatically Inferring Patterns of Resource Consumption in Network Traffic. ACM SIGCOMM 2003

Deterministic HHH “Count each prefix independently.” Level0 Counting Level0 Counting Level1 Counting Level1 Counting Compute all prefixes 181.7.20.6 181.7.20.* Level2 Counting Level2 Counting 181.7.20.6 181.7.*.* 181.*.*.* Level3 Counting Level3 Counting *.*.*.* Level4 Counting Level4 Counting Mitzenmacher et al., Hierarchical Heavy Hitters with the Space Saving Algorithm, ALENEX 2012

Compute a random prefix Randomized HHH “Select a prefix at random and count it” Level0 Counting Level1 Counting Level1 Counting Compute a random prefix Level2 Counting 181.7.20.6 181.7.20.* Level3 Counting Level4 Counting Ben Basat et al., Constant Time Updates in Hierarchical Heavy Hitters, ACM SIGCOMM 2017

Why Sliding Windows? They were considered in the past Often, we only care about the recent data. Sliding windows detect new heavy hitters quicker. They were considered in the past “it may be desirable to compute HHHs over only a sliding window of the last n items” (Mitzenmacher et al., 2012) And were dismissed as “markedly slower and less space-efficient in practice”

Sliding Windows Algorithms have Improved – the WCSS algorithm 𝑶 𝟏 𝝐 𝑶 𝟏 Ben Basat et al., Heavy Hitters in Streams and Sliding Windows, IEEE INFOCOM 2016

Markedly slower and less space-efficient in practice? “Count each prefix independently.” WCSS Almost as fast as the (non-window) MST algorithm. But far slower than RHHH. WCSS Compute all prefixes 181.7.20.6 181.7.20.6 181.7.20.* WCSS 181.7.*.* 181.*.*.* WCSS *.*.*.* WCSS Mitzenmacher et al., Hierarchical Heavy Hitters with the Space Saving Algorithm, ALENEX 2012

Strawman #1 “Select a prefix at random and count it” Problem: WCSS (W/5) WCSS (W/5) Problem: The WCSS instances go out of sync Compute a random prefix WCSS (W/5) 181.7.20.6 181.7.20.* WCSS (W/5) WCSS (W/5)

Instead of looking at W packets this reflects 𝑊±Θ 𝑊 Strawman #2 “Flip a coin to choose if to update” Add with probability 𝝉 Problem: Instead of looking at W packets this reflects 𝑊±Θ 𝑊 181.7.20.6 Otherwise discard

Challenges How to apply sampling for accelerating sliding window algorithms? How to keep synchronization and reflect exactly 𝑊 packets? In addition, we want extend the single- switch solution to network-wide monitoring.

Memento – Efficient HH on Sliding Windows Key idea: decouple the (lightweight) sliding operation from the (computationally expensive) counting step.

Performance Evaluation on Internet Traces Ben Basat et al., Heavy Hitters in Streams and Sliding Windows, IEEE INFOCOM 2016

En route to HHH - Strawman #3 “Count each prefix efficiently .” (but independently) Memento Still requires 𝑂(𝐻) update time Memento Compute all prefixes 181.7.20.6 181.7.20.* Memento 181.7.20.6 181.7.*.* 181.*.*.* Memento *.*.*.* Memento

H-Memento – HHH on Sliding Windows “One prefix, one data structure.” Random prefix 181.7.20.* 181.7.20.13 ¥ Memento H-Memento ¥ Same space as previous works, different structure

D-Memento – From single node to network wide Operators care about the entire network and require network-wide view. port scans and superspreaders are not identifiable from a single node. “Distributed Sliding Window”: reflect the last W packets that were measured anywhere in the network No (direct) communication between measurement nodes Minimal control bandwidth (configurable) Different nodes may have different traffic rates

D-Memento – From single switch to network wide

D-Memento – From single switch to network wide Aggregation: run a local algorithm at each point and sync with the controller as frequently as possible. Sample: each measurement point samples each packet with probability 𝜏 and sends samples to the controller that runs H-Memento. Batch: collect samples before sending the report. Increases the effective sampling rate. Introduces reporting delay.

Evaluation: Distributed HTTP Flood attack using limited resources How can we simulate O(10K) stateful connections from “distinct” IP addresses using a single attacking device? 𝑠𝑟𝑐𝑖 𝑝 𝟏 𝑠𝑟𝑐𝑖 𝑝 𝟐 𝑠𝑟𝑐𝑖 𝑝 𝟑 𝑠𝑟𝑐𝑖 𝑝 𝟒 𝑠𝑟𝑐𝑖 𝑝 𝟓 𝑠𝑟𝑐𝑖 𝑝 𝟔 𝑠𝑟𝑐𝑖 𝑝 𝟕 …

Evaluation: Distributed HTTP Flood attack using limited resources How can we simulate O(10K) stateful connections from “distinct” IP addresses using a single attacking device? Attacker side: Server side: Create a mapping between port numbers and source IPs Change IP tables to redirect all packets back to the attacker’s interface. In egress, translate from port number to determine “source” IP Make sure to compute checksum, etc. At ingress, translate from destination IP to port number

Evaluation: Distributed HTTP Flood attack using limited resources We use legitimate data and inject malicious traffic from 50 random 16-bit subnets which make up for 70% of the traffic. We deployed 10 HAProxy load balancer instances that report to a centralized controller using 1 byte/request control bandwidth. The attackers perform a TCP handshake and send an HTTP POST request.

Evaluation: Distributed HTTP Flood attack using limited resources

Conclusions Sliding window solutions can be (nearly) as efficient as interval ones. We extended HAProxy to network rate-limiting. Open source: https://github.com/DHMementoz/Memento Memento provides a measurement infrastructure for DDoS identification, mitigation, and evaluation.

Any Questions

Any Questions

Any Questions

Any Questions

Any Questions

Any Questions

Any Questions