Bohatei: Flexible and Elastic DDoS Defense

Slides:



Advertisements
Similar presentations
Seyed K. Fayazbakhsh Vyas Sekar Minlan Yu Jeff Mogul
Advertisements

Software-defined networking: Change is hard Ratul Mahajan with Chi-Yao Hong, Rohan Gandhi, Xin Jin, Harry Liu, Vijay Gill, Srikanth Kandula, Mohan Nanduri,
Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi, Cheng-Chun Tu, Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
SIMPLE-fying Middlebox Policy Enforcement Using SDN
VCRIB: Virtual Cloud Rule Information Base Masoud Moshref, Minlan Yu, Abhishek Sharma, Ramesh Govindan HotCloud 2012.
CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.
Nanxi Kang Princeton University
Slick: A control plane for middleboxes Bilal Anwer, Theophilus Benson, Dave Levin, Nick Feamster, Jennifer Rexford Supported by DARPA through the U.S.
OpenSketch Slides courtesy of Minlan Yu 1. Management = Measurement + Control Traffic engineering – Identify large traffic aggregates, traffic changes.
Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Software Defined Networking.
SDN and Openflow.
Towards Virtual Routers as a Service 6th GI/ITG KuVS Workshop on “Future Internet” November 22, 2010 Hannover Zdravko Bozakov.
Scalable Flow-Based Networking with DIFANE 1 Minlan Yu Princeton University Joint work with Mike Freedman, Jennifer Rexford and Jia Wang.
Reconfigurable Network Topologies at Rack Scale
Keith Wiles DPACC vNF Overview and Proposed methods Keith Wiles – v0.5.
An Overview of Software-Defined Network
ProActive Routing In Scalable Data Centers with PARIS Joint work with Dushyant Arora + and Jennifer Rexford* + Arista Networks *Princeton University Theophilus.
FireFly: A Reconfigurable Wireless Datacenter Fabric using Free-Space Optics Navid Hamedazimi, Zafar Qazi, Himanshu Gupta, Vyas Sekar, Samir Das, Jon.
1© Copyright 2015 EMC Corporation. All rights reserved. SDN INTELLIGENT NETWORKING IMPLICATIONS FOR END-TO-END INTERNETWORKING Simone Mangiante Senior.
1 Indirect Adaptive Routing on Large Scale Interconnection Networks Nan Jiang, William J. Dally Computer System Laboratory Stanford University John Kim.
A Scalable, Commodity Data Center Network Architecture Mohammad Al-Fares, Alexander Loukissas, Amin Vahdat Presented by Gregory Peaker and Tyler Maclean.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Class 3: SDN Stack Theophilus Benson. Outline Background – Routing in ISP – Cloud Computing SDN application stack revisited Evolution of SDN – The end.
Layer-3 Routing Natawut Nupairoj, Ph.D. Department of Computer Engineering Chulalongkorn University.
Jennifer Rexford Princeton University MW 11:00am-12:20pm SDN Software Stack COS 597E: Software Defined Networking.
An Overview of Software-Defined Network Presenter: Xitao Wen.
SIMPLE-fying Middlebox Policy Enforcement Using SDN Zafar Ayyub Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
Cellular Core Network Architecture
Enabling Innovation Inside the Network Jennifer Rexford Princeton University
Extreme Networks Confidential and Proprietary. © 2010 Extreme Networks Inc. All rights reserved.
Networking Virtualization Using FPGAs Russell Tessier, Deepak Unnikrishnan, Dong Yin, and Lixin Gao Reconfigurable Computing Group Department of Electrical.
INTERNATIONAL NETWORKS At Indiana University Hans Addleman TransPAC Engineer, International Networks University Information Technology Services Indiana.
Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions using FlowTags Seyed K. Fayazbakhsh *, Luis Chiang ¶, Vyas Sekar *, Minlan.
Extending SDN to Handle Dynamic Middlebox Actions via FlowTags (Full version to appear in NSDI’14) Seyed K. Fayazbakhsh, Luis Chiang, Vyas Sekar, Minlan.
1 COPYRIGHT © 2015 ALCATEL-LUCENT. ALL RIGHTS RESERVED. Cognitive Security: Security Analytics and Autonomics for Virtualized Networks Lalita Jagadeesan.
Architectures and Algorithms for Future Wireless Local Area Networks  1 Chapter Architectures and Algorithms for Future Wireless Local Area.
SDN AND OPENFLOW SPECIFICATION SPEAKER: HSUAN-LING WENG DATE: 2014/11/18.
Extending OVN Forwarding Pipeline Topology-based Service Injection
CellSDN: Software-Defined Cellular Core networks Xin Jin Princeton University Joint work with Li Erran Li, Laurent Vanbever, and Jennifer Rexford.
SOFTWARE DEFINED NETWORKING/OPENFLOW: A PATH TO PROGRAMMABLE NETWORKS April 23, 2012 © Brocade Communications Systems, Inc.
SIMPLE-fying Middlebox Policy Enforcement Using SDN
Shadow MACs: Scalable Label- switching for Commodity Ethernet Author: Kanak Agarwal, John Carter, Eric Rozner and Colin Dixon Publisher: HotSDN 2014 Presenter:
Presented By: Mohammed Al-Mehdhar Presentation Outline Introduction Approaches Implementation Evaluation Conclusion Q & A.
SIMPLE-fying Middlebox Policy Enforcement Using SDN Zafar Ayyub Qazi, Cheng-Chun Tu, Luis Chiang Vyas Sekar, Rui Miao, Minlan Yu Presenter : ChoongHee.
NEWS: Network Function Virtualization Enablement within SDN Data Plane.
BUZZ: Testing Context-Dependent Policies in Stateful Networks Seyed K. Fayaz, Tianlong Yu, Yoshiaki Tobioka, Sagar Chaki, Vyas Sekar.
sRoute: Treating the Storage Stack Like a Network
Preliminaries: EE807 Software-defined Networked Computing KyoungSoo Park Department of Electrical Engineering KAIST.
Software Defined Networking BY RAVI NAMBOORI. Overview  Origins of SDN.  What is SDN ?  Original Definition of SDN.  What = Why We need SDN ?  Conclusion.
Network Virtualization Ben Pfaff Nicira Networks, Inc.
NFP: Enabling Network Function Parallelism in NFV
SDN and Security Security as a service in the cloud
Xin Li, Chen Qian University of Kentucky
SDN challenges Deployment challenges
Yotam Harchol The Hebrew University of Jerusalem
Software defined networking: Experimental research on QoS
HybNET: Network Manager for a Hybrid Network Infrastructure
University of Maryland College Park
Network Anti-Spoofing with SDN Data plane Authors:Yehuda Afek et al.
Praveen Tammana† Rachit Agarwal‡ Myungjin Lee†
15-744: Computer Networking
Next Generation Network Security using Software-Defined Networking
SoftMoW: Recursive and Reconfigurable Cellular WAN Architecture
of Dynamic NFV-Policies
Sana Tariq Sr. Architect Service Orchestration March 26th, 2018
NFP: Enabling Network Function Parallelism in NFV
NFP: Enabling Network Function Parallelism in NFV
Autonomous Network Alerting Systems and Programmable Networks
Towards Predictable Datacenter Networks
Presentation transcript:

Bohatei: Flexible and Elastic DDoS Defense Seyed K. Fayaz, Yoshiaki Tobioka, Vyas Sekar, Michael Bailey https://github.com/ddos-defense/bohatei

DDoS attacks are getting worse High cost on victims Increasing in number Increasing in volume Increasing in diversity Incapsula, 11/12/2014 Threatpost, 7/31/2015 The New York Times, 3/30/2015 Imperva, 2015 Cloudflare, 3/27/2013 Techworld, 7/16/2014 Arbor Networks, 2/14/2014 Radware, 10/7/2014

DDoS Defense Today: Expensive Proprietary Hardware Intranet Assets

Limitation: Fixed functionality What if new types of attacks emerge? Intranet Assets

Limitation: Fixed capacity attack vol.(Gbps) fixed capacity waste waste t1 t2 t3 t4 time Intranet Assets

Limitation: Fixed location Additional traffic latency due to waypointing Routing hacks to enforce defense destination ✗ shortest path source

Need flexibility w.r.t. attack type Assets Today: Hardware appliance res. footprint=240Gbps Today: Hardware appliance res. footprint=240Gbps

Need Flexibility w.r.t Attack Locations Assets C Today: Hardware appliance res. footprint=240Gbps Today: Hardware appliance res. footprint=240Gbps

Need Elasticity w.r.t. Attack Volume Assets Today: Hardware appliance res. footprint=240Gbps Today: Hardware appliance res. footprint=240Gbps

Bohatei in a nutshell.. A practical ISP-scale system for Flexible and Elastic DDoS Defense via Software-Defined Networking (SDN) & Network Functions Virtualization (NFV)  React to 500 Gbps scale attacks in 1 min!

Outline Motivation Background on SDN/NFV Bohatei overview and challenges System design Implementation Evaluation Conclusions

Software-Defined Networking (SDN) Centralized management + Open config APIs Controller “Flow” FwdAction … “Flow” FwdAction … “Flow” FwdAction …

Network Functions Virtualization (NFV) Today: Standalone and Specialized Proxy Firewall IDS/IPS AppFilter Commodity hardware

Why are SDN/NFV useful for DDoS defense? Expensive Fixed functionality Fixed capacity Fixed location NFV SDN Our Work: Bring these benefits to DDoS Defense

Outline Motivation Background on SDN/NFV Bohatei overview and challenges System design Implementation Evaluation Conclusions

Bohatei Vision: Flexible + Elastic Defense via SDN/NFV defense policy SDN/NFV Controller attack traffic VM DC2 DC1 customer intranet ISP

Bohatei Controller Workflow Strategy layer Predict attack pattern Resource management Decide how many VMs, what types, where Network orchestration Configure network to route traffic

Threat model: general, dynamic adversaries Targets one or more customers Attacker has a fixed “budget” w.r.t. total attack volume do{ Pick_Target() Pick_Attack_Type() Pick_Attack_Volume() Pick_Attack_Ingress() Observe_and_Adapt() }

Bohatei Design Challenges Resilient to adaptation? Strategy layer Predict attack pattern Resource management Decide how many VMs, what types, where Fast algorithms? Network orchestration Scalable SDN? Configure network to route traffic

Outline Motivation Background on SDN/NFV Bohatei overview and challenges System design Implementation Evaluation Conclusions

Naïve resource management is too slow! Compute/network resources Suspicious traffic predictions Defense library Global optimization Types, numbers, and locations of VMs? Routing decisions? Takes hours to solve…

Our Approach: Hierarchical + Greedy Compute/network resources Suspicious traffic predictions Defense library ISP-level Greedy How much traffic to DC1 How much traffic to DCN … Per datacenter 1 … Per datacenter N Which VM slots in DC1 Which VM slots in DCN

Reactive, per-flow isn’t scalable Controller VM2 Port2 packet1 Port1 VM1 packet100 SW Port3 VM3 Switch Forwarding Table Flow outPort Flow1 Port 2 … … Flow100 Port 3 A reactive, per-flow controller will be a new vulnerability

Idea: Proactive tag-based steering Proactive set up Controller VM2 packet1 1 packet1 Port 2 Port1 VM1 VM3 SW Port 3 packet100 2 packet100 Context Tag Tag outPort Benign 1 1 Port 2 Suspicious 2 2 Port 3 Proactive per-VM tagging enables scaling

Dynamic adversaries can game the defense Adversary’s goals: 1. Increase defense resource consumption 2. Succeed in delivering attack traffic Attack vol.(Gbps) SYN flood predicted attack volume for t4 DNS amp. t1 t2 t3 t4 time Simple prediction (e.g., prev. epoch, avg) can be gamed

Our approach: Online adaptation Metric of Success = “Regret minimization”  How worse than best static strategy in hindsight? Borrow idea from online algorithms: Follow the perturbed leader (FPL) strategy Intuition: Prediction = F (Obs. History + Random Noise) This provably minimizes the regret metric

quantity, type, location of VMs Putting it together predicts volume of suspicious traffic of each attack type at each ingress Prediction strategy Resource management quantity, type, location of VMs Orchestration suspicious traffic spec. defense policy launching VMs, traffic path set up attack traffic VM DC2 DC1 customer intranet ISP

Outline Motivation Background on SDN/NFV Bohatei overview and challenges System design Implementation Evaluation Conclusions

Defense policy library A defense graph per attack type Customized interconnection of defense modules Open source defense VMs Example (SYN flood defense) OK [Legitimate] [Legitimate] Analyze Srces: count SYN – SYN/ACK per source [Unknown] SYNPROXY [Attack] [Attack] LOG DROP

Implementation Control Plane Data Plane resource manager defense library … Control Plane OpenDaylight OpenFlow FlowTags (Fayaz et al., NSDI’14) Data Plane Switches (OVS) FlowTags-enabled defense VMs (e.g., Snort) KVM 13 20-core Intel Xeon machines https://github.com/ddos-defense/bohatei

Outline Motivation Background on SDN/NFV Bohatei overview and challenges System design Implementation Evaluation Conclusions

Evaluation questions Does Bohatei respond to attacks rapidly? Can Bohatei handle ≈500 Gbps attacks? Can Bohatei successfully cope with dynamic adversaries?

Bohatei restores performance of benign traffic ≈ 1 min. Responsiveness Hierarchical resource management: A few milliseconds (vs. hours) Optimality gap < 1% Bohatei restores performance of benign traffic ≈ 1 min.

Scalability: Forwarding table size Per-VM tagging cuts #rules by 3-4 orders of magnitude Proactive setup reduces time by 3-4 orders of magnitude

Adversarial resilience Bohatei online adaptation strategy minimizes regret.

Conclusions DDoS defense today : Expensive, Inflexible, and Inelastic Bohatei: SDN/NFV for flexible and elastic DDoS defense Key Challenges: Responsiveness, scalability, resilience Main solution ideas: Hierarchical resource management Proactive, tag-based orchestration Online adaptation strategy Scalable + Can react to very large attacks quickly! Ideas may be applicable to other security problems

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.