Presentation is loading. Please wait.

Presentation is loading. Please wait.

Bohatei: Flexible and Elastic DDoS Defense

Published byEzra Mills Modified over 9 years ago

Similar presentations

Presentation on theme: "Bohatei: Flexible and Elastic DDoS Defense"— Presentation transcript:

1 Bohatei: Flexible and Elastic DDoS Defense
Seyed K. Fayaz, Yoshiaki Tobioka, Vyas Sekar, Michael Bailey

2 DDoS attacks are getting worse
High cost on victims Increasing in number Increasing in volume Increasing in diversity Incapsula, 11/12/2014 Threatpost, 7/31/2015 The New York Times, 3/30/2015 Imperva, 2015 Cloudflare, 3/27/2013 Techworld, 7/16/2014 Arbor Networks, 2/14/2014 Radware, 10/7/2014

3 DDoS Defense Today: Expensive Proprietary Hardware
Intranet Assets

4 Limitation: Fixed functionality
What if new types of attacks emerge? Intranet Assets

5 Limitation: Fixed capacity
attack vol.(Gbps) fixed capacity waste waste t1 t2 t3 t4 time Intranet Assets

6 Limitation: Fixed location
Additional traffic latency due to waypointing Routing hacks to enforce defense destination shortest path source

7 Need flexibility w.r.t. attack type
Assets Today: Hardware appliance res. footprint=240Gbps Today: Hardware appliance res. footprint=240Gbps

8 Need Flexibility w.r.t Attack Locations
Assets C Today: Hardware appliance res. footprint=240Gbps Today: Hardware appliance res. footprint=240Gbps

9 Need Elasticity w.r.t. Attack Volume
Assets Today: Hardware appliance res. footprint=240Gbps Today: Hardware appliance res. footprint=240Gbps

10 Bohatei in a nutshell.. A practical ISP-scale system for Flexible and Elastic DDoS Defense via Software-Defined Networking (SDN) & Network Functions Virtualization (NFV)  React to 500 Gbps scale attacks in 1 min!

11 Outline Motivation Background on SDN/NFV
Bohatei overview and challenges System design Implementation Evaluation Conclusions

12 Software-Defined Networking (SDN)
Centralized management + Open config APIs Controller “Flow” FwdAction “Flow” FwdAction “Flow” FwdAction

13 Network Functions Virtualization (NFV)
Today: Standalone and Specialized Proxy Firewall IDS/IPS AppFilter Commodity hardware

14 Why are SDN/NFV useful for DDoS defense?
Expensive Fixed functionality Fixed capacity Fixed location NFV SDN Our Work: Bring these benefits to DDoS Defense

15 Outline Motivation Background on SDN/NFV
Bohatei overview and challenges System design Implementation Evaluation Conclusions

16 Bohatei Vision: Flexible + Elastic Defense via SDN/NFV
defense policy SDN/NFV Controller attack traffic VM DC2 DC1 customer intranet ISP

17 Bohatei Controller Workflow
Strategy layer Predict attack pattern Resource management Decide how many VMs, what types, where Network orchestration Configure network to route traffic

18 Threat model: general, dynamic adversaries
Targets one or more customers Attacker has a fixed “budget” w.r.t. total attack volume do{ Pick_Target() Pick_Attack_Type() Pick_Attack_Volume() Pick_Attack_Ingress() Observe_and_Adapt() }

19 Bohatei Design Challenges
Resilient to adaptation? Strategy layer Predict attack pattern Resource management Decide how many VMs, what types, where Fast algorithms? Network orchestration Scalable SDN? Configure network to route traffic

20 Outline Motivation Background on SDN/NFV
Bohatei overview and challenges System design Implementation Evaluation Conclusions

21 Naïve resource management is too slow!
Compute/network resources Suspicious traffic predictions Defense library Global optimization Types, numbers, and locations of VMs? Routing decisions? Takes hours to solve…

22 Our Approach: Hierarchical + Greedy
Compute/network resources Suspicious traffic predictions Defense library ISP-level Greedy How much traffic to DC1 How much traffic to DCN Per datacenter 1 Per datacenter N Which VM slots in DC1 Which VM slots in DCN

23 Reactive, per-flow isn’t scalable
Controller VM2 Port2 packet1 Port1 VM1 packet100 SW Port3 VM3 Switch Forwarding Table Flow outPort Flow1 Port 2 Flow100 Port 3 A reactive, per-flow controller will be a new vulnerability

24 Idea: Proactive tag-based steering
Proactive set up Controller VM2 packet1 1 packet1 Port 2 Port1 VM1 VM3 SW Port 3 packet100 2 packet100 Context Tag Tag outPort Benign 1 1 Port 2 Suspicious 2 2 Port 3 Proactive per-VM tagging enables scaling

25 Dynamic adversaries can game the defense
Adversary’s goals: 1. Increase defense resource consumption 2. Succeed in delivering attack traffic Attack vol.(Gbps) SYN flood predicted attack volume for t4 DNS amp. t1 t2 t3 t4 time Simple prediction (e.g., prev. epoch, avg) can be gamed

26 Our approach: Online adaptation
Metric of Success = “Regret minimization”  How worse than best static strategy in hindsight? Borrow idea from online algorithms: Follow the perturbed leader (FPL) strategy Intuition: Prediction = F (Obs. History + Random Noise) This provably minimizes the regret metric

27 quantity, type, location of VMs
Putting it together predicts volume of suspicious traffic of each attack type at each ingress Prediction strategy Resource management quantity, type, location of VMs Orchestration suspicious traffic spec. defense policy launching VMs, traffic path set up attack traffic VM DC2 DC1 customer intranet ISP

28 Outline Motivation Background on SDN/NFV
Bohatei overview and challenges System design Implementation Evaluation Conclusions

29 Defense policy library
A defense graph per attack type Customized interconnection of defense modules Open source defense VMs Example (SYN flood defense) OK [Legitimate] [Legitimate] Analyze Srces: count SYN – SYN/ACK per source [Unknown] SYNPROXY [Attack] [Attack] LOG DROP

30 Implementation Control Plane Data Plane
resource manager defense library Control Plane OpenDaylight OpenFlow FlowTags (Fayaz et al., NSDI’14) Data Plane Switches (OVS) FlowTags-enabled defense VMs (e.g., Snort) KVM 13 20-core Intel Xeon machines

31 Outline Motivation Background on SDN/NFV
Bohatei overview and challenges System design Implementation Evaluation Conclusions

32 Evaluation questions Does Bohatei respond to attacks rapidly?
Can Bohatei handle ≈500 Gbps attacks? Can Bohatei successfully cope with dynamic adversaries?

33 Bohatei restores performance of benign traffic ≈ 1 min.
Responsiveness Hierarchical resource management: A few milliseconds (vs. hours) Optimality gap < 1% Bohatei restores performance of benign traffic ≈ 1 min.

34 Scalability: Forwarding table size
Per-VM tagging cuts #rules by 3-4 orders of magnitude Proactive setup reduces time by 3-4 orders of magnitude

35 Adversarial resilience
Bohatei online adaptation strategy minimizes regret.

36 Conclusions DDoS defense today : Expensive, Inflexible, and Inelastic
Bohatei: SDN/NFV for flexible and elastic DDoS defense Key Challenges: Responsiveness, scalability, resilience Main solution ideas: Hierarchical resource management Proactive, tag-based orchestration Online adaptation strategy Scalable + Can react to very large attacks quickly! Ideas may be applicable to other security problems

Download ppt "Bohatei: Flexible and Elastic DDoS Defense"

Similar presentations

Seyed K. Fayazbakhsh Vyas Sekar Minlan Yu Jeff Mogul

Seyed K. Fayazbakhsh Vyas Sekar Minlan Yu Jeff Mogul
Software-defined networking: Change is hard Ratul Mahajan with Chi-Yao Hong, Rohan Gandhi, Xin Jin, Harry Liu, Vijay Gill, Srikanth Kandula, Mohan Nanduri,

Software-defined networking: Change is hard Ratul Mahajan with Chi-Yao Hong, Rohan Gandhi, Xin Jin, Harry Liu, Vijay Gill, Srikanth Kandula, Mohan Nanduri,
Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi, Cheng-Chun Tu, Luis Chiang Vyas Sekar Rui Miao Minlan Yu.

Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi, Cheng-Chun Tu, Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
SIMPLE-fying Middlebox Policy Enforcement Using SDN

SIMPLE-fying Middlebox Policy Enforcement Using SDN
VCRIB: Virtual Cloud Rule Information Base Masoud Moshref, Minlan Yu, Abhishek Sharma, Ramesh Govindan HotCloud 2012.

VCRIB: Virtual Cloud Rule Information Base Masoud Moshref, Minlan Yu, Abhishek Sharma, Ramesh Govindan HotCloud 2012.
CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.

CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.
Nanxi Kang Princeton University

Nanxi Kang Princeton University
Slick: A control plane for middleboxes Bilal Anwer, Theophilus Benson, Dave Levin, Nick Feamster, Jennifer Rexford Supported by DARPA through the U.S.

Slick: A control plane for middleboxes Bilal Anwer, Theophilus Benson, Dave Levin, Nick Feamster, Jennifer Rexford Supported by DARPA through the U.S.
OpenSketch Slides courtesy of Minlan Yu 1. Management = Measurement + Control Traffic engineering – Identify large traffic aggregates, traffic changes.

OpenSketch Slides courtesy of Minlan Yu 1. Management = Measurement + Control Traffic engineering – Identify large traffic aggregates, traffic changes.
Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.

Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Software Defined Networking.

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Software Defined Networking.
SDN and Openflow.

SDN and Openflow.
Towards Virtual Routers as a Service 6th GI/ITG KuVS Workshop on “Future Internet” November 22, 2010 Hannover Zdravko Bozakov.

Towards Virtual Routers as a Service 6th GI/ITG KuVS Workshop on “Future Internet” November 22, 2010 Hannover Zdravko Bozakov.
Scalable Flow-Based Networking with DIFANE 1 Minlan Yu Princeton University Joint work with Mike Freedman, Jennifer Rexford and Jia Wang.

Scalable Flow-Based Networking with DIFANE 1 Minlan Yu Princeton University Joint work with Mike Freedman, Jennifer Rexford and Jia Wang.
Reconfigurable Network Topologies at Rack Scale

Reconfigurable Network Topologies at Rack Scale
Keith Wiles Keith.Wiles@Intel.com DPACC vNF Overview and Proposed methods Keith Wiles Keith.Wiles@Intel.com 2015.04.03 – v0.5.

Keith Wiles DPACC vNF Overview and Proposed methods Keith Wiles – v0.5.
An Overview of Software-Defined Network

An Overview of Software-Defined Network
ProActive Routing In Scalable Data Centers with PARIS Joint work with Dushyant Arora + and Jennifer Rexford* + Arista Networks *Princeton University Theophilus.

ProActive Routing In Scalable Data Centers with PARIS Joint work with Dushyant Arora + and Jennifer Rexford* + Arista Networks *Princeton University Theophilus.
FireFly: A Reconfigurable Wireless Datacenter Fabric using Free-Space Optics Navid Hamedazimi, Zafar Qazi, Himanshu Gupta, Vyas Sekar, Samir Das, Jon.

FireFly: A Reconfigurable Wireless Datacenter Fabric using Free-Space Optics Navid Hamedazimi, Zafar Qazi, Himanshu Gupta, Vyas Sekar, Samir Das, Jon.
1© Copyright 2015 EMC Corporation. All rights reserved. SDN INTELLIGENT NETWORKING IMPLICATIONS FOR END-TO-END INTERNETWORKING Simone Mangiante Senior.

1© Copyright 2015 EMC Corporation. All rights reserved. SDN INTELLIGENT NETWORKING IMPLICATIONS FOR END-TO-END INTERNETWORKING Simone Mangiante Senior.

Similar presentations

Ads by Google