Presentation is loading. Please wait.

Presentation is loading. Please wait.

1.1 Operating System Concepts Defending Against DDoS Attacks Using Max-min Fair Server Centric Router Throttles David K.Y. Yau John C.S. Lu CS Dept, Purdue.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1.1 Operating System Concepts Defending Against DDoS Attacks Using Max-min Fair Server Centric Router Throttles David K.Y. Yau John C.S. Lu CS Dept, Purdue."— Presentation transcript:

1 1.1 Operating System Concepts Defending Against DDoS Attacks Using Max-min Fair Server Centric Router Throttles David K.Y. Yau John C.S. Lu CS Dept, Purdue University CS&E Dept,CUHK

2 1.2 Operating System Concepts Motivations n Internet is an open and democratic environment F increasingly used for mission-critical work and commercial applications. n Many security threats are present or appearing F Easy to launch, even for naïve users. F need effective and flexible defenses to detect/trace/counter attacks F Goals: 4 protect innocent users; 4 prosecute criminals Ambitious goals

3 1.3 Operating System Concepts Network Denial-of-service Attacks n Some attacks quite subtle F securing protocols and intrusion detection (e.g., BGP, TCP-syn attack) F at routing infrastructure, malicious dropping of packets, etc (low-rate TCP) n Others by brute force: - flooding (e.g., UDP, valid Web Request) n Cripples victim: - precludes any sophisticated defense at victim site F Philosophical question: what is an “attacker”? F Viewed as resource management problem

4 1.4 Operating System Concepts Flooding Attack Server

5 1.5 Operating System Concepts Server-centric Router Throttle n Installed by server when under stress, at a set deployment routers F can be sent by multicast n Specifies leaky bucket rate at which router can forward traffic to the server F aggressive traffic for server dropped before reaching server F rate determined by a feedbak control algorithm Issues: (1) Which set of routers? (2) What is the “proper” dropping rate?

6 1.6 Operating System Concepts To S Router Throttle Aggressive flow Throttle for S’ To S’ Throttle for S Securely installed by S Deployment router C: Each victim has a leaky bucket for rate limit. Small memory and computationoverhead!

7 1.7 Operating System Concepts Key Design Problems n Resource allocation: who is entitled to what? F need to keep server operating within load limits F notion of fairness, and how to achieve it? 4 Need global, rather than router-local, fairness n How to respond to network and user dynamics (e.g., fluctuation of traffic)? F Feedback control strategy is needed

8 1.8 Operating System Concepts What is being fair? n Baseline approach of dropping a fraction “f”, say ½, of traffic for each flow won’t work well F a flow can cause more damage to other flows simply by being more aggressive! n Rather, no flow should get a higher rate than another flow that has unmet demands F this way, we penalize “aggressive” flows only, but protect the well-behaving ones

9 1.9 Operating System Concepts Fairness Notion n Since we “proactively” drop packets ahead of congestion point, we need a global fairness notion F max-min fairness among level-k routing points, R(k), i.e., routers about k hops away from destination Standard knowledge we learn Deployment points

10 1.10 Operating System Concepts Level-k Deployment Points n Deployment points parameterized by an integer k n R(k) -- set of routers that are either k hops away from server S, or less than k hops away from S but are directly connected to a host n Fairness across global routing points R(k)

11 1.11 Operating System Concepts Level-3 Deployment Server

12 1.12 Operating System Concepts Feedback Control Strategy n Hysteresis control F high and low water marks for server load, to strengthen or relax router throttle n Additive increase/multiplicative decrease rate adjustment F increases when server load exceeds U S, and decreases when server load falls below L S F throttle removed when a relaxed rate does not result in significant server load increase

13 1.13 Operating System Concepts Fairness Definition n A resource control algorithm achieves level-k max-min fairness among the routers R(k) if the allowed forwarding rate of traffic for S at each router is the router’s max-min fair share of some rate r satisfying L S r U S

14 1.14 Operating System Concepts Fair Throttle Algorithm

15 1.15 Operating System Concepts Example Max-min Rates (L=18, H=22) Server 18.23 6.65 14.1 0.01 1.40 0.22 17.73 0.61 0.95 6.25 20.53 24.88 15.51 17.73 0.22 0.61 0.95 59.9

16 1.16 Operating System Concepts Interesting Questions n Can we preferentially drop attacker traffic over good user traffic? n Can we successfully keep server operating within design limits, so that good user traffic that makes it gets acceptable service? n How stable is such a control algorithm? How does it converge?

17 1.17 Operating System Concepts Algorithm Evaluation n Control-theoretic analysis (fluid analysis) F algorithm stability and convergence under different system parameters n Packet network simulations (packet level analysis) F Test under UDP and TCP traffic. Also test with Web traces n System implementation (the real thing, baby !!!) F deployment costs

18 1.18 Operating System Concepts Control-theoretic Model Adjusted traffic from source i Throttle signal from victim Step size When throttle signal is high, server is underloaded. When throttle signal is low, server is overloaded. ANALOGY!!!

19 1.19 Operating System Concepts Feedback Control Model (Us=1750;Ls=1650) Constant Source of 20 Constant Source of 30 Constant Source of 25 Constant Source of 4000 Constant Source of 2800

20 1.20 Operating System Concepts Output for good traffic (total from source 1)

21 1.21 Operating System Concepts Output for attack traffic (total from source 5)

22 1.22 Operating System Concepts Output for attack traffic (total from source 6)

23 1.23 Operating System Concepts Total traffic to server (Us=1750;Ls=1650)

24 1.24 Operating System Concepts Case 2: variable attack traffic (Us=1750,Ls=1650) Square Pulse

25 1.25 Operating System Concepts Output of attack traffic 1

26 1.26 Operating System Concepts Output of attack traffic 2

27 1.27 Operating System Concepts Total traffic to server (Us=1750;Ls=1650)

28 1.28 Operating System Concepts Feedback Control Model (sources and server)

29 1.29 Operating System Concepts Feedback Control Model (server throttle signal)

30 1.30 Operating System Concepts Feedback Control Model (sources process throttle)

31 1.31 Operating System Concepts Throttle Rate (L=900; U=1100)

32 1.32 Operating System Concepts Server Load (L = 900; U = 1100)

33 1.33 Operating System Concepts Throttle Rate (U = 1100)

34 1.34 Operating System Concepts Server Load (U = 1100)

35 1.35 Operating System Concepts Throttle Rate (L=1050;U=1100)

36 1.36 Operating System Concepts Server Load (L=1050; U=1100)

37 1.37 Operating System Concepts NS2: UDP Simulation Experiments n Global network topology reconstructed from real traceroute data F AT&T Internet mapping project: 709,310 traceroute paths, single source to 103,402 other destinations F randomly select 5,000 paths, with 135,821 nodes of which 3879 are hosts n Randomly select x% of hosts to be attackers F good users send at rate [0,r], attackers at rate [0,R]

38 1.38 Operating System Concepts 20% Evenly Distributed Aggressive (10:1) Attackers

39 1.39 Operating System Concepts 40% Evenly Distributed Aggressive (5:1) Attackers

40 1.40 Operating System Concepts Evenly Distributed “meek” Attackers

41 1.41 Operating System Concepts Deployment Extent

42 1.42 Operating System Concepts NS2: TCP Simulation Experiment n Clients access web server via HTTP 1.0 over TCP Reno n Simulated network subset of AT&T traceroute topology F 85 hosts, 20% attackers n Web clients make request probabilistically with empirical document size and inter-request time distributions

43 1.43 Operating System Concepts Web Server Protection

44 1.44 Operating System Concepts Web Server Traffic Control

45 1.45 Operating System Concepts System Implementation n On Linux router F loadable kernel module F CPU resource reservation n Deployment platform F Pentium 4/2G Hz PC F multiple 10/100 Mb/s Ethernet interfaces

46 1.46 Operating System Concepts System Implementation: cont n OPERA: An Open-Source Extensible Router Architecture http://www.cse.cuhk.edu.hk/~cslui/ANSRlab/software/opera/ n A Linux-based package for implementing a software programmable router architecture with the aim to facilitate networking experiments for the research community. Using this architecture, one can dynamically load new extension and services into the programmable router. Some interesting extensions include QoS support and traceback of DDoS attacks.) n Dynamic module loading n Resource reservation n General extension framework n Secured Communication

47 1.47 Operating System Concepts Network Architecture client router: processing + forwarding Web code server Denial-of- service defense Intelligent congestion control ISP

48 1.48 Operating System Concepts Future Work n Offered load-aware control algorithm for computing throttle rate F impact on convergence and stability n Policy-based notion of fairness F heterogeneous network regions, by size, susceptibility to attacks, tariff payment n Selective deployment issues n Impact on real user applications n Defense for other forms of DDoS like the reflector attack, BGP cascading failure..etc.

49 1.49 Operating System Concepts Conclusions n Extensible routers can help improve network health n Presented a server-centric router throttle mechanism for DDoS flooding attacks F can better protect good user traffic from aggressive attacker traffic F can keep server operational under an ongoing attack F has efficient implementation

50 1.50 Operating System Concepts Existing Networks client router: simple forwarding ISP server

51 1.51 Operating System Concepts Level-3 Deployment Server

52 1.52 Operating System Concepts Router’s Forwarding Paths Resource allocation manager Function dispatcher Cut- through subscribe dispatch Active packet send Per-flow processing Output network queues Input queues Packet classifier

53 1.53 Operating System Concepts Level-3 Deployment

54 1.54 Operating System Concepts Example Level-k Max-min Fair Rates (L=18, H=22)

55 1.55 Operating System Concepts Routing Infrastructure n Router software critical to network health F patches for security bugs F new defenses against new attacks n Scalable distribution of router software to many routing points F minimal disruptions to existing services F little human intervention n Exploit software-programmable router technology

Download ppt "1.1 Operating System Concepts Defending Against DDoS Attacks Using Max-min Fair Server Centric Router Throttles David K.Y. Yau John C.S. Lu CS Dept, Purdue."

Similar presentations

Scheduling in Web Server Clusters CS 260 LECTURE 3 From: IBM Technical Report.

Scheduling in Web Server Clusters CS 260 LECTURE 3 From: IBM Technical Report.
Project by: Palak Baid (pb2358) Gaurav Pandey (gip2103) Guided by: Jong Yul Kim.

Project by: Palak Baid (pb2358) Gaurav Pandey (gip2103) Guided by: Jong Yul Kim.
COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.

COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
1 CONGESTION CONTROL. 2 Congestion Control When one part of the subnet (e.g. one or more routers in an area) becomes overloaded, congestion results. Because.

1 CONGESTION CONTROL. 2 Congestion Control When one part of the subnet (e.g. one or more routers in an area) becomes overloaded, congestion results. Because.
TELE202 Lecture 8 Congestion control 1 Lecturer Dr Z. Huang Overview ¥Last Lecture »X.25 »Source: chapter 10 ¥This Lecture »Congestion control »Source:

TELE202 Lecture 8 Congestion control 1 Lecturer Dr Z. Huang Overview ¥Last Lecture »X.25 »Source: chapter 10 ¥This Lecture »Congestion control »Source:
William Stallings Data and Computer Communications 7 th Edition Chapter 13 Congestion in Data Networks.

William Stallings Data and Computer Communications 7 th Edition Chapter 13 Congestion in Data Networks.
 Liang Guo  Ibrahim Matta  Computer Science Department  Boston University  Presented by:  Chris Gianfrancesco and Rick Skowyra.

 Liang Guo  Ibrahim Matta  Computer Science Department  Boston University  Presented by:  Chris Gianfrancesco and Rick Skowyra.
Cloud Control with Distributed Rate Limiting Raghaven et all Presented by: Brian Card CS 577 - Fall 2014 - Kinicki 1.

Cloud Control with Distributed Rate Limiting Raghaven et all Presented by: Brian Card CS Fall Kinicki 1.
Phalanx: Withstanding Multimillion-Node Botnets Colin Dixon Arvind Krishnamurthy Tom Anderson University of Washington NSDI 2008.

Phalanx: Withstanding Multimillion-Node Botnets Colin Dixon Arvind Krishnamurthy Tom Anderson University of Washington NSDI 2008.
CSE 30264 Computer Networks Prof. Aaron Striegel Department of Computer Science & Engineering University of Notre Dame Lecture 20 – March 25, 2010.

CSE Computer Networks Prof. Aaron Striegel Department of Computer Science & Engineering University of Notre Dame Lecture 20 – March 25, 2010.
MULTOPS A data-structure for bandwidth attack detection Thomer M. Gil Vrije Universiteit, Amsterdam, Netherlands MIT, Cambridge, MA, USA

MULTOPS A data-structure for bandwidth attack detection Thomer M. Gil Vrije Universiteit, Amsterdam, Netherlands MIT, Cambridge, MA, USA
The War Between Mice and Elephants LIANG GUO, IBRAHIM MATTA Computer Science Department Boston University ICNP (International Conference on Network Protocols)

The War Between Mice and Elephants LIANG GUO, IBRAHIM MATTA Computer Science Department Boston University ICNP (International Conference on Network Protocols)
Congestion Control An Overview -Jyothi Guntaka. Congestion  What is congestion ?  The aggregate demand for network resources exceeds the available capacity.

Congestion Control An Overview -Jyothi Guntaka. Congestion  What is congestion ?  The aggregate demand for network resources exceeds the available capacity.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) Sriram Gopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) Sriram Gopinath( )
1 In VINI Veritas: Realistic and Controlled Network Experimentation Jennifer Rexford with Andy Bavier, Nick Feamster, Mark Huang, and Larry Peterson

1 In VINI Veritas: Realistic and Controlled Network Experimentation Jennifer Rexford with Andy Bavier, Nick Feamster, Mark Huang, and Larry Peterson
Traffic Engineering With Traditional IP Routing Protocols

Traffic Engineering With Traditional IP Routing Protocols
Criticisms of I3 Jack Lange. General Issues ► Design ► Performance ► Practicality.

Criticisms of I3 Jack Lange. General Issues ► Design ► Performance ► Practicality.
Multiple constraints QoS Routing Given: - a (real time) connection request with specified QoS requirements (e.g., Bdw, Delay, Jitter, packet loss, path.

Multiple constraints QoS Routing Given: - a (real time) connection request with specified QoS requirements (e.g., Bdw, Delay, Jitter, packet loss, path.

Similar presentations

Ads by Google