Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dispersing Asymmetric DDoS Attacks with SplitStack

Published byFelix Douglas Modified over 6 years ago

Similar presentations

Presentation on theme: "Dispersing Asymmetric DDoS Attacks with SplitStack"— Presentation transcript:

1 Dispersing Asymmetric DDoS Attacks with SplitStack
Ang Chen, Akshay Sriraman, Tavish Vaidya+, Yuankai Zhang+ Andreas Haeberlen, Boon Thau Loo, Linh Thi Xuan Phan, Micah Sherr+ Clay Shields+, and Wenchao Zhou+ University of Pennsylvania Georgetown University+

2 Motivation: Defending against DDoS attacks
Distributed Denial-of-Service (DDoS) attacks happen almost on a daily basis They cause serious damage We need effective defenses!

3 Challenge: Asymmetric attacks
Brute-force attacks Asymmetric attacks Brute-force attacks: Overwhelm the network link with UDP packets Defense  Match the resource on the attacker’s side Asymmetric attacks: Small attack resource, larger attack scale David vs. Goliath  Trickier to defend against!

4 ... Example: SSL regenotiation SSL renegotiation attack
client--hello server--hello renegotiate Server does 10x more computation than the client! renegotiate ... SSL renegotiation attack Overwhelms the server’s CPU resources by continuously asking for new cryptographic keys

5 Attack-specific defenses are not enough!
SYN flood SYN cookie SSL renegotiation SSL accelerator Attacks Defenses Approach: Develop a different defense for each attack Limitation 1: Cannot defend against attacks with unknown vectors Limitation 2: Need a new defense for each attack Can we build a better software architecture to defend against DDoS attacks in general?

6 Limitation of today’s software architecture
Memory + > CPU Disk Today’s software stacks are monolithic Not flexible: either replicate the entire server, or nothing Cannot use available resources effectively!

7 What can we do? + = SSL Key observation: If we can replicate smaller components (e.g., SSL) instead of the entire service, we can use available resources more effectively But the current software architecture doesn’t permit this!

8 Approach: SplitStack SSL SSL SSL Replication with SplitStack Approach: Re-design the architecture of software stacks SplitStack: Partition the software stack into small components that can be replicated separately Benefit: Fine-grained replication can use available resources better Analogous to microservices, but with much finer granularity

9 The vision of SplitStack
Naïve replication runs out of resources SplitStack runs out of resources Performance SplitStack Naïve replication No defense Strength of the DoS attack Vision: Use fine-grained replication, so that the amount of available resources is the only limit (not the software architecture)!

10 Outline Motivation: Mitigating asymmetric DDoS attacks
Existing defenses Approach: SplitStack SplitStack architecture How should the partitions look like? How should the MSUs interact? Dataflow transformation Routing tables The SplitStack controller MSU scheduling Case study: Mitigating SSL renegotiation attacks Ongoing work Conclusion

11 What should the partitions look like?
Buffering HTTP layer I/O SSL Cache Buffer management TCP layer Parsing Checksum Assembly Handshaking Minimal Splittable Units (MSUs) Small, self-contained, with narrow interfaces to other MSUs Can be replicated independently from other MSUs Example: SSL handling, TCP handshaking, …

12 How would the MSUs interact?
END Buffering I/O SSL Cache BEGIN MSUs form dataflow graphs Nodes  MSUs, edges  communication Requests are routed through the stack (network-in-a-SW-stack!)

13 Dataflow transformation
END Buffering I/O SSL SSL SSL Cache BEGIN MSUs are monitored to detect attacks MSUs can be replicated to disperse attacks (add, clone) Dataflow graph can be reconfigured (reassign) MSUs can be torn down (remove)

14 Routing tables Each MSU has a set of reconfigurable routing tables
Buffering HTTP layer Routing keys I/O SSL Routing dest. Cache Incoming queue Incoming queue Buffer management TCP layer Parsing Five-tuple Checksum Assembly Handshaking Each MSU has a set of reconfigurable routing tables SDN-in-a-SW-stack! Routing entries: Routing keys  five-tuple, key-value hash, … Routing dest.  routes requests to through the stack Incoming queue  stores incoming requests

15 The SplitStack controller
SSL SSL SSL Analogous to SDN controllers Has a global view of available resources Monitors the MSUs Invokes the graph transformation primitives Updates the routing tables

16 MSU scheduling The controller schedules dataflow graphs Controller
END Buffering Controller I/O SSL Cache BEGIN The controller schedules dataflow graphs Makes optimized, global decisions Meets real-time guarantees Schedules should be resilient to attacks

17 Outline Motivation: Mitigating asymmetric DDoS attacks
Existing defenses Approach: SplitStack SplitStack architecture How should the partitions look like? How should the MSUs interact? Dataflow transformation Routing tables The SplitStack controller MSU scheduling Case study: Dispersing SSL renegotiation attacks Ongoing work Conclusion

18 Experimental setup SSL Platform: DETERLab
Naïve replication SplitStack Platform: DETERLab Server-side: Apache web server, MySQL, PHP SSL MSU approximated by stunnel Attacker-side: thc-ssl-dos tool (SSL renegotiation) Baseline: No defense at all

19 Results 3.77 1.98 1 No-defense Naïve-repl. SplitStack
Normalized throughput 3.77 4 3 2 1 1.98 1 No-defense Naïve-repl SplitStack SplitStack can use available resources better when mitigating DDoS attacks

20 Ongoing work How should we partition the software stack?
Currently manual partitions (SSL, TCP handshaking, …) Long term program slicing [ICSE’81], control-flow graph analysis [PLDI’88], … How should we keep the overheads low? Normal modes  Shim layers to keep overheads at a minimum Under attack  Should deliver much bigger benefits! Needs to identify good partitions! Are there consistency requirements to be considered? Stateless MSUs  Easier Stateful MSUs, coordinating MSUs  Need to provide consistency guarantees

21 Conclusion Motivation: Mitigating asymmetric DDoS attacks
Existing approaches Attack-specific defenses All-or-nothing replication Problem: Existing software stacks are monolithic; they cannot use all the available resources! New software architecture: SplitStack Key approach: Split a monolithic software stack into MSUs to enable fine-grained replication Preliminary result: SplitStack can mitigate higher volume attacks (Project website: Questions?

Download ppt "Dispersing Asymmetric DDoS Attacks with SplitStack"

Similar presentations

SDN Controller Challenges

SDN Controller Challenges
Detecting Covert Timing Channels with Time-deterministic Replay Ang Chen * W. Brad Moore + Hanjun Xiao * Andreas Haeberlen * Linh Thi Xuan Phan * Micah.

Detecting Covert Timing Channels with Time-deterministic Replay Ang Chen * W. Brad Moore + Hanjun Xiao * Andreas Haeberlen * Linh Thi Xuan Phan * Micah.
CS162 Section Lecture 9. KeyValue Server Project 3 KVClient (Library) Client Side Program KVClient (Library) Client Side Program KVClient (Library) Client.

CS162 Section Lecture 9. KeyValue Server Project 3 KVClient (Library) Client Side Program KVClient (Library) Client Side Program KVClient (Library) Client.
SDN and Openflow.

SDN and Openflow.
Towards High-Availability for IP Telephony using Virtual Machines Devdutt Patnaik, Ashish Bijlani and Vishal K Singh.

Towards High-Availability for IP Telephony using Virtual Machines Devdutt Patnaik, Ashish Bijlani and Vishal K Singh.
Contiki A Lightweight and Flexible Operating System for Tiny Networked Sensors Presented by: Jeremy Schiff.

Contiki A Lightweight and Flexible Operating System for Tiny Networked Sensors Presented by: Jeremy Schiff.
Multiprocessing Memory Management

Multiprocessing Memory Management
DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric (07016080)

DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric ( )
SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.

SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.
Database System Architectures  Client-server Database System  Parallel Database System  Distributed Database System Wei Jiang.

Database System Architectures  Client-server Database System  Parallel Database System  Distributed Database System Wei Jiang.
Dynamic and Decentralized Approaches for Optimal Allocation of Multiple Resources in Virtualized Data Centers Wei Chen, Samuel Hargrove, Heh Miao, Liang.

Dynamic and Decentralized Approaches for Optimal Allocation of Multiple Resources in Virtualized Data Centers Wei Chen, Samuel Hargrove, Heh Miao, Liang.
1 Moshe Shadmon ScaleDB Scaling MySQL in the Cloud.

1 Moshe Shadmon ScaleDB Scaling MySQL in the Cloud.
Scalable Web Server on Heterogeneous Cluster CHEN Ge.

Scalable Web Server on Heterogeneous Cluster CHEN Ge.
Denial of Service Sharmistha Roy Adversarial challenges in Web Based Services.

Denial of Service Sharmistha Roy Adversarial challenges in Web Based Services.
11 CLUSTERING AND AVAILABILITY Chapter 11. Chapter 11: CLUSTERING AND AVAILABILITY2 OVERVIEW  Describe the clustering capabilities of Microsoft Windows.

11 CLUSTERING AND AVAILABILITY Chapter 11. Chapter 11: CLUSTERING AND AVAILABILITY2 OVERVIEW  Describe the clustering capabilities of Microsoft Windows.
PHP Performance w/APC + thaicyberpoint.com thaithinkpad.com thaihi5.com.

PHP Performance w/APC + thaicyberpoint.com thaithinkpad.com thaihi5.com.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 DISTRIBUTED SYSTEMS.

Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
CS 6401 Overlay Networks Outline Overlay networks overview Routing overlays Resilient Overlay Networks Content Distribution Networks.

CS 6401 Overlay Networks Outline Overlay networks overview Routing overlays Resilient Overlay Networks Content Distribution Networks.
Motivation: Finding the root cause of a symptom

Motivation: Finding the root cause of a symptom
Autonomic Response to Distributed Denial of Service Attacks Paper by: Dan Sterne, Kelly Djahandari, Brett Wilson, Bill Babson, Dan Schnackenberg, Harley.

Autonomic Response to Distributed Denial of Service Attacks Paper by: Dan Sterne, Kelly Djahandari, Brett Wilson, Bill Babson, Dan Schnackenberg, Harley.

Similar presentations

Ads by Google