Bohatei: Flexible and Elastic DDoS Defense - USENIX

Bohatei: Flexible and Elastic DDoS Defense

Seyed K. Fayaz, Yoshiaki Tobioka, Vyas Sekar, Michael Bailey

https://github.com/ddos-defense/bohatei

DDoS attacks are getting worse

2

Increasing in number (Threatpost, 7/31/2015; The New York Times, 3/30/2015)

Increasing in volume; increasing in diversity (Incapsula, 11/12/2014; Arbor Networks, 2/14/2014; Radware, 10/7/2014; Cloudflare, 3/27/2013; Imperva, 2015; Techworld, 7/16/2014)

High cost on victims

DDoS Defense Today: Expensive Proprietary Hardware

3

(Diagram: Intranet, Assets.)

Limitation: Fixed functionality

4

(Diagram: Intranet, Assets.)

What if new types of attacks emerge?

Limitation: Fixed capacity

5

(Chart: attack vol. (Gbps) over time t1, t2, t3, t4 against a fixed-capacity line; capacity left above the attack volume is marked "waste". Diagram: Intranet, Assets.)

Limitation: Fixed location

6

• Additional traffic latency due to waypointing
• Routing hacks to enforce defense

(Diagram: source, destination, ✗ shortest path.)

Need flexibility w.r.t. attack type

7

Today: Hardware appliance res. footprint=240Gbps

(Diagram: Assets.)

Need Flexibility w.r.t. Attack Locations

8

Today: Hardware appliance res. footprint=240Gbps

(Diagram: Assets A, B, C.)

Need Elasticity w.r.t. Attack Volume

9

Today: Hardware appliance res. footprint=240Gbps

(Diagram: Assets.)

Bohatei in a nutshell...

10

A practical ISP-scale system for Flexible and Elastic DDoS Defense via Software-Defined Networking (SDN) & Network Functions Virtualization (NFV) → React to 500 Gbps scale attacks in 1 min!

Outline

11

• Motivation
• Background on SDN/NFV
• Bohatei overview and challenges
• System design
• Implementation
• Evaluation
• Conclusions

Software-Defined Networking (SDN)

12

Centralized management + Open config APIs

(Diagram: a Controller programming the forwarding tables of several switches, each a list of "Flow" → FwdAction entries.)

Network Functions Virtualization (NFV)

13

Today: Standalone and Specialized: Proxy, Firewall, IDS/IPS, AppFilter

Commodity hardware

Why are SDN/NFV useful for DDoS defense?

14

Expensive → NFV
Fixed functionality → NFV
Fixed capacity → NFV
Fixed location → SDN

Our Work: Bring these benefits to DDoS Defense

Outline

15

• Motivation
• Background on SDN/NFV
• Bohatei overview and challenges
• System design
• Implementation
• Evaluation
• Conclusions

Bohatei Vision: Flexible + Elastic Defense via SDN/NFV

16

(Diagram: an SDN/NFV Controller receives the customer's defense policy; attack traffic entering the ISP is steered through defense VMs launched in datacenters DC1 and DC2 before it reaches the customer intranet.)

Bohatei Controller Workflow

17

Strategy layer: Predict attack pattern
Resource management: Decide how many VMs, what types, where
Network orchestration: Configure network to route traffic

Threat model: general, dynamic adversaries

18

• Targets one or more customers
• Attacker has a fixed "budget" w.r.t. total attack volume

do {
    Pick_Target()
    Pick_Attack_Type()
    Pick_Attack_Volume()
    Pick_Attack_Ingress()
    Observe_and_Adapt()
}

Bohatei Design Challenges

19

Strategy layer (Predict attack pattern): Resilient to adaptation?
Resource management (Decide how many VMs, what types, where): Fast algorithms?
Network orchestration (Configure network to route traffic): Scalable SDN?

Outline

20

• Motivation
• Background on SDN/NFV
• Bohatei overview and challenges
• System design
• Implementation
• Evaluation
• Conclusions

Naïve resource management is too slow!

21

Global optimization over suspicious traffic predictions, the defense library, and compute/network resources: types, numbers, and locations of VMs? Routing decisions?

Takes hours to solve...

Our Approach: Hierarchical + Greedy

22

Inputs: suspicious traffic predictions, defense library, compute/network resources

ISP-level greedy: How much traffic to DC1 ... How much traffic to DCN

Per datacenter 1 ... Per datacenter N: Which VM slots in DC1 ... Which VM slots in DCN
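As an added illustration of this two-level scheme (not code from the Bohatei project), the following Python sketch assumes a constructed ISP with two ingress points and three datacenters: the ISP-level step greedily sends each ingress's predicted suspicious volume to its cheapest datacenter with spare capacity, and the per-datacenter step then greedily turns the assigned volume into VMs and packs VMs of one attack type onto the same servers. Capacities, costs and per-VM throughput are assumed values.

```python
from collections import defaultdict

# Constructed inputs (assumed, not the paper's data): predicted suspicious traffic
# per (ingress, attack type) in Gbps, per-DC capacity in Gbps, and the cost
# (e.g. path length) of steering traffic from each ingress to each DC.
PREDICTIONS = {("ingress_A", "syn_flood"): 120, ("ingress_A", "dns_amp"): 80,
               ("ingress_B", "syn_flood"): 200}
DC_CAPACITY = {"DC1": 150, "DC2": 250, "DC3": 100}
COST = {"ingress_A": {"DC1": 1, "DC2": 3, "DC3": 5},
        "ingress_B": {"DC1": 4, "DC2": 1, "DC3": 2}}
VM_GBPS = {"syn_flood": 10, "dns_amp": 20}   # assumed throughput of one defense VM

def isp_level_greedy(predictions, capacity, cost):
    """ISP level: send each ingress's predicted volume to its cheapest DC,
    spilling over to the next-cheapest DC once capacity is exhausted.
    Returns ({(ingress, attack, dc): gbps}, {(ingress, attack): unassigned gbps})."""
    spare, assignment, unassigned = dict(capacity), {}, {}
    # Largest demands first, so the biggest attacks get the closest DCs.
    for (ingress, attack), remaining in sorted(predictions.items(), key=lambda kv: -kv[1]):
        for dc in sorted(cost[ingress], key=cost[ingress].get):
            take = min(remaining, spare[dc])
            if take <= 0:
                continue
            assignment[(ingress, attack, dc)] = take
            spare[dc] -= take
            remaining -= take
            if remaining == 0:
                break
        if remaining > 0:
            unassigned[(ingress, attack)] = remaining   # capacity exhausted everywhere
    return assignment, unassigned

def dc_level_greedy(assignment, vm_gbps, slots_per_server=4):
    """Datacenter level: turn assigned Gbps into VM counts and pack VMs of the
    same attack type onto the same servers. Returns {(dc, attack, i): server}."""
    vms_needed = defaultdict(lambda: defaultdict(int))
    for (_, attack, dc), gbps in assignment.items():
        vms_needed[dc][attack] += -(-gbps // vm_gbps[attack])   # ceiling division
    placement = {}
    for dc, per_type in vms_needed.items():
        next_server = 0
        for attack, n in sorted(per_type.items()):
            for i in range(n):
                placement[(dc, attack, i)] = f"{dc}-srv{next_server + i // slots_per_server}"
            next_server += -(-n // slots_per_server)
    return placement
```

Calling `dc_level_greedy(*isp_level_greedy(PREDICTIONS, DC_CAPACITY, COST)[:1], VM_GBPS)` yields the per-server VM placement; the second return value of the ISP step reports volume no datacenter could absorb.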

A reactive, per-flow controller will be a new vulnerability

23

(Diagram: a switch SW with Port1, Port 2, Port 3 connected to VM1, VM2, VM3; every new packet (packet1 ... packet100) is sent to the Controller, which installs one entry per flow in the Switch Forwarding Table: Flow1 → Port 2, ..., Flow100 → Port 3.)

Reactive, per-flow isn't scalable

Idea: Proactive tag-based steering

24

(Diagram: the Controller proactively sets up a table keyed by Context Tag instead of by flow: tag 1 (Benign) → Port 2, tag 2 (Suspicious) → Port 3. VM1 tags packet1 with 1 and packet100 with 2, and the switch SW forwards on the tag without contacting the Controller.)

Proactive per-VM tagging enables scaling
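An added Python model of the two switches on slides 23 and 24, and of the rule-count claim on the scalability slide later in the talk (not Bohatei code): a reactive switch installs one rule per flow after a controller round trip, while the tag-based switch is pre-populated with one rule per (VM, tag) pair. The VM names, tag values and port mapping are taken from the slide; the traffic is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    flow_id: str   # stands in for the 5-tuple
    src_vm: str    # defense VM that last processed the packet
    tag: int       # context tag written by that VM: 1 = benign, 2 = suspicious

# Steering policy as on the slide: benign (tag 1) to Port 2, suspicious (tag 2) to Port 3.
def policy(pkt):
    return "Port 2" if pkt.tag == 1 else "Port 3"

class ReactivePerFlowSwitch:
    """Baseline: an unseen flow is punted to the controller, which installs one rule per flow."""
    def __init__(self):
        self.rules, self.controller_events = {}, 0
    def forward(self, pkt):
        if pkt.flow_id not in self.rules:
            self.controller_events += 1        # one packet-in round trip per new flow
            self.rules[pkt.flow_id] = policy(pkt)
        return self.rules[pkt.flow_id]

class ProactiveTagSwitch:
    """Tag-based: rules keyed by (VM, tag) are installed once, before any traffic."""
    def __init__(self, vms, tags=(1, 2)):
        self.rules = {(vm, t): policy(Packet("", vm, t)) for vm in vms for t in tags}
        self.controller_events = 0
    def forward(self, pkt):
        return self.rules[(pkt.src_vm, pkt.tag)]   # never consults the controller

def simulate(n_flows, vms=("VM1", "VM2", "VM3")):
    """Constructed traffic: n_flows distinct flows spread over the VMs, half tagged
    benign and half suspicious. Returns rule counts and controller round trips."""
    pkts = [Packet(f"flow{i}", vms[i % len(vms)], 1 + i % 2) for i in range(n_flows)]
    reactive, tagged = ReactivePerFlowSwitch(), ProactiveTagSwitch(vms)
    decisions = [(reactive.forward(p), tagged.forward(p)) for p in pkts]
    same = all(r == t for r, t in decisions)     # both switches steer identically
    return {"same_decisions": same,
            "per_flow_rules": len(reactive.rules), "tag_rules": len(tagged.rules),
            "per_flow_controller_events": reactive.controller_events,
            "tag_controller_events": tagged.controller_events}

if __name__ == "__main__":
    print(simulate(100))
```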

Dynamic adversaries can game the defense

25

Adversary's goals:
1. Increase defense resource consumption
2. Succeed in delivering attack traffic

Simple prediction (e.g., prev. epoch, avg) can be gamed

(Chart: attack vol. (Gbps) over time t1, t2, t3, t4 for SYN flood and DNS amp., with the predicted attack volume for t4 marked.)

Our approach: Online adaptation

26

• Metric of Success = "Regret minimization" → How much worse than the best static strategy in hindsight?
• Borrow idea from online algorithms: Follow the perturbed leader (FPL) strategy
• Intuition: Prediction = F(Obs. History + Random Noise)
• This provably minimizes the regret metric
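An added toy of the FPL idea on this slide and the gaming problem on the previous one (not the paper's code): it assumes a single ingress, a 100 Gbps defense budget that must be committed to one attack type per epoch, and measures regret as unhandled attack volume relative to the best single static choice in hindsight. The flipping adversary, the budget and the noise scale are constructed values.

```python
import random

ATTACK_TYPES = ("syn_flood", "dns_amp", "udp_flood")

def one_hot(leader, budget):
    return {t: (budget if t == leader else 0) for t in ATTACK_TYPES}

def fpl_predict(history, budget, noise_scale, rng):
    """Follow the Perturbed Leader: provision the whole budget for the attack
    type whose cumulative observed volume plus random noise is largest."""
    totals = {t: sum(epoch[t] for epoch in history) for t in ATTACK_TYPES}
    perturbed = {t: totals[t] + rng.uniform(0, noise_scale) for t in ATTACK_TYPES}
    return one_hot(max(perturbed, key=perturbed.get), budget)

def prev_epoch_predict(history, budget, noise_scale, rng):
    """Gameable baseline from the slide: repeat whatever dominated last epoch."""
    return one_hot(max(history[-1], key=history[-1].get), budget)

def unhandled(observed, allocation):
    """Attack volume delivered despite the defense (Gbps above what was provisioned)."""
    return sum(max(0, observed[t] - allocation[t]) for t in ATTACK_TYPES)

def run(predictor, epochs, budget, noise_scale=0.0, seed=0):
    """Regret = predictor's total unhandled volume minus that of the best
    single static allocation chosen with full hindsight."""
    rng = random.Random(seed)
    history, loss = [epochs[0]], 0          # epoch 0 is observed before any prediction
    for observed in epochs[1:]:
        loss += unhandled(observed, predictor(history, budget, noise_scale, rng))
        history.append(observed)
    best_static = min(sum(unhandled(e, one_hot(s, budget)) for e in epochs[1:])
                      for s in ATTACK_TYPES)
    return loss - best_static

def average_regret(predictor, epochs, budget, noise_scale, seeds=200):
    return sum(run(predictor, epochs, budget, noise_scale, s) for s in range(seeds)) / seeds

# Constructed adversary (assumed 100 Gbps budget): flips between DNS
# amplification and SYN flood every epoch, the pattern that defeats
# previous-epoch prediction.
FLIP = [{"syn_flood": 0, "dns_amp": 100, "udp_flood": 0} if i % 2 == 0
        else {"syn_flood": 100, "dns_amp": 0, "udp_flood": 0} for i in range(10)]

if __name__ == "__main__":
    print("prev-epoch regret:", run(prev_epoch_predict, FLIP, 100))
    print("follow-the-leader (no noise) regret:", run(fpl_predict, FLIP, 100, 0.0))
    print("FPL (noise 200) mean regret:", average_regret(fpl_predict, FLIP, 100, 200.0))
```

With no noise FPL degenerates to follow-the-leader, which the flipping adversary also games; the randomized version is what keeps the averaged regret well below both baselines.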

Putting it together

27

Prediction strategy: predicts volume of suspicious traffic of each attack type at each ingress → suspicious traffic spec.
Resource management: quantity, type, location of VMs
Orchestration: launching VMs, traffic path set up

(Diagram: ISP with DC1, DC2, defense VMs, attack traffic, customer intranet, defense policy.)

Outline

28

• Motivation
• Background on SDN/NFV
• Bohatei overview and challenges
• System design
• Implementation
• Evaluation
• Conclusions

Defense policy library

29

• A defense graph per attack type
• Customized interconnection of defense modules
• Open source defense VMs

Example (SYN flood defense):

Analyze Srces: count SYN - SYN/ACK per source
    [Legitimate] → OK
    [Unknown] → SYNPROXY → [Legitimate] → OK
                         → [Attack] → LOG → DROP
    [Attack] → LOG → DROP
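The SYN flood defense graph above, executed as an added Python example (not Bohatei's own module code) over a constructed per-source packet log: the thresholds, the handshake oracle used by the SYNPROXY module, and the (module, verdict) → next-module encoding of the graph are assumptions.

```python
from collections import Counter

# Constructed packet log, attributed per source as (src, flag); a SYN/ACK is
# counted against the source whose SYN it answers. Not real traffic.
PACKETS = ([("10.0.0.1", "SYN"), ("10.0.0.1", "SYN/ACK")] * 2 + [("10.0.0.2", "SYN")]
           + [("10.0.0.3", "SYN")] * 50 + [("10.0.0.3", "SYN/ACK")] * 2)
REAL_CLIENTS = {"10.0.0.1", "10.0.0.2"}   # assumed: sources that finish a proxied handshake
ATTACK_THRESHOLD = 20                      # assumed: more half-open handshakes than this is an attack

def analyze(packets):
    """'Analyze Srces' module: label each source by SYN minus SYN/ACK count."""
    syn, synack = Counter(), Counter()
    for src, flag in packets:
        if flag == "SYN":
            syn[src] += 1
        else:
            synack[src] += 1
    verdict = {}
    for src in syn:
        half_open = syn[src] - synack[src]
        verdict[src] = ("Attack" if half_open > ATTACK_THRESHOLD
                        else "Legitimate" if half_open <= 0 else "Unknown")
    return verdict

def syn_proxy(src):
    """SYNPROXY module: only a source that completes the proxied handshake is Legitimate."""
    return "Legitimate" if src in REAL_CLIENTS else "Attack"

# Defense graph edges: (module, verdict) -> next module; OK and DROP are terminal.
GRAPH = {("Analyze", "Legitimate"): "OK", ("Analyze", "Unknown"): "SYNPROXY",
         ("Analyze", "Attack"): "LOG", ("SYNPROXY", "Legitimate"): "OK",
         ("SYNPROXY", "Attack"): "LOG", ("LOG", None): "DROP"}

def walk(src, verdict, log):
    """Route one source through the graph; returns the list of modules visited."""
    module, path = "Analyze", ["Analyze"]
    while module not in ("OK", "DROP"):
        if module == "SYNPROXY":
            verdict = syn_proxy(src)
        elif module == "LOG":
            log.append(src)
            verdict = None
        module = GRAPH[(module, verdict)]
        path.append(module)
    return path

def apply_defense(packets):
    log = []
    paths = {src: walk(src, v, log) for src, v in analyze(packets).items()}
    return paths, log
```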

Implementation

30

Control Plane: OpenDaylight, resource manager, defense library; FlowTags (Fayaz et al., NSDI'14); OpenFlow

Data Plane: FlowTags-enabled defense VMs (e.g., Snort) on KVM, switches (OVS), ...

13 20-core Intel Xeon machines

https://github.com/ddos-defense/bohatei

Outline

31

• Motivation
• Background on SDN/NFV
• Bohatei overview and challenges
• System design
• Implementation
• Evaluation
• Conclusions

Evaluation questions

32

• Does Bohatei respond to attacks rapidly?
• Can Bohatei handle ≈500 Gbps attacks?
• Can Bohatei successfully cope with dynamic adversaries?

Responsiveness

33

Bohatei restores performance of benign traffic in ≈ 1 min.

• Hierarchical resource management:
  – A few milliseconds (vs. hours)
  – Optimality gap < 1%

(Figure: benign traffic throughput (Gbps) vs. time (s) over 0-140 s, with the attack start marked, one curve per attack type: SYN flood, DNS amp., elephant flow, UDP flood.)

Scalability: Forwarding table size

34

Per-VM tagging cuts #rules by 3-4 orders of magnitude
Proactive setup reduces time by 3-4 orders of magnitude

(Figure: max required number of rules on a switch, log scale from 10 to 10e+06, vs. attack traffic volume (Gbps) from 100 to 500, Bohatei vs. per-flow rules.)

Adversarial resilience

35

Bohatei online adaptation strategy minimizes regret.

(Figure: regret w.r.t. volume of successful attacks (%), 0-60, under adversary strategies RandIngress, RandAttack, RandHybrid and SteadyFlip, for PrevEpoch, UniformPrevEpoch and Bohatei.)

Conclusions

36

• DDoS defense today: Expensive, Inflexible, and Inelastic
• Bohatei: SDN/NFV for flexible and elastic DDoS defense
• Key Challenges: Responsiveness, scalability, resilience
• Main solution ideas:
  – Hierarchical resource management
  – Proactive, tag-based orchestration
  – Online adaptation strategy
• Ideas may be applicable to other security problems
• Scalable + Can react to very large attacks quickly!