Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.
-
Upload
caroline-marsh -
Category
Documents
-
view
217 -
download
2
Transcript of Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.
![Page 1: Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.](https://reader036.fdocuments.in/reader036/viewer/2022062511/5514f836550346a80c8b5015/html5/thumbnails/1.jpg)
Shutup
An E2E Approach to DoS Defense
Paul FrancisSaikat Guha
Cornell
![Page 2: Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.](https://reader036.fdocuments.in/reader036/viewer/2022062511/5514f836550346a80c8b5015/html5/thumbnails/2.jpg)
Most approaches to DoS prevention involve the middle
Is a pure E2E approach possible?
A packet recipient can tell a packet sender to stop sending or slow down
Partially or exclusively
![Page 3: Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.](https://reader036.fdocuments.in/reader036/viewer/2022062511/5514f836550346a80c8b5015/html5/thumbnails/3.jpg)
Yes!
Requires that the majority of end hosts don’t opt out.
Only applies to botnet-based attacks
With some caveats....
We call it the Shutup Protocol
![Page 4: Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.](https://reader036.fdocuments.in/reader036/viewer/2022062511/5514f836550346a80c8b5015/html5/thumbnails/4.jpg)
This is not just an interesting academic exercise
Although we don’t see a good business model for them
A small number of OS vendors could achieve broad deployment quickly
Unlike ISPs.....
![Page 5: Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.](https://reader036.fdocuments.in/reader036/viewer/2022062511/5514f836550346a80c8b5015/html5/thumbnails/5.jpg)
We’re not the first.....
Marianne Shaw suggested the basic idea of pure E2E DoS prevention on the basis of cooperative hosts (SRUTI’06)
Katarina Argyraki and Cheriton suggest a “trust but verify” approach, where the middle can punish the end host (Usenix 2005)
Dave Andersen et.tus. propose AIP, E2E DoS control, but which is clean slate and requires address spoofing enforcement in the network
![Page 6: Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.](https://reader036.fdocuments.in/reader036/viewer/2022062511/5514f836550346a80c8b5015/html5/thumbnails/6.jpg)
![Page 7: Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.](https://reader036.fdocuments.in/reader036/viewer/2022062511/5514f836550346a80c8b5015/html5/thumbnails/7.jpg)
![Page 8: Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.](https://reader036.fdocuments.in/reader036/viewer/2022062511/5514f836550346a80c8b5015/html5/thumbnails/8.jpg)
This works as long as....
All these messages are received, and
Third parties don’t insert additional messages
![Page 9: Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.](https://reader036.fdocuments.in/reader036/viewer/2022062511/5514f836550346a80c8b5015/html5/thumbnails/9.jpg)
Spoofed source addresses
Initiator spoofs source address
Shutup request goes somewhere else
![Page 10: Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.](https://reader036.fdocuments.in/reader036/viewer/2022062511/5514f836550346a80c8b5015/html5/thumbnails/10.jpg)
Solution exploits notion of “return reachability”
Its hard to authenticate the address assignment process
A host can always assign its own address
SM interprets existence of received packet as evidence that the address is legit
Need to protect against collaborator on same LAN sending packets with bogus destination address
![Page 11: Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.](https://reader036.fdocuments.in/reader036/viewer/2022062511/5514f836550346a80c8b5015/html5/thumbnails/11.jpg)
Packets are rate-limited until address is validated
Normally that is the MAC of the router
Packets are validated by one received packet, but only for MAC address of sender
SM prevents MAC address spoofing
![Page 12: Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.](https://reader036.fdocuments.in/reader036/viewer/2022062511/5514f836550346a80c8b5015/html5/thumbnails/12.jpg)
![Page 13: Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.](https://reader036.fdocuments.in/reader036/viewer/2022062511/5514f836550346a80c8b5015/html5/thumbnails/13.jpg)
![Page 14: Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.](https://reader036.fdocuments.in/reader036/viewer/2022062511/5514f836550346a80c8b5015/html5/thumbnails/14.jpg)
![Page 15: Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.](https://reader036.fdocuments.in/reader036/viewer/2022062511/5514f836550346a80c8b5015/html5/thumbnails/15.jpg)
![Page 16: Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.](https://reader036.fdocuments.in/reader036/viewer/2022062511/5514f836550346a80c8b5015/html5/thumbnails/16.jpg)
![Page 17: Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.](https://reader036.fdocuments.in/reader036/viewer/2022062511/5514f836550346a80c8b5015/html5/thumbnails/17.jpg)
![Page 18: Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.](https://reader036.fdocuments.in/reader036/viewer/2022062511/5514f836550346a80c8b5015/html5/thumbnails/18.jpg)
Our assumption is that such colluding opportunities are rare
Local colluder with disabled SM allows spoofed source addresses
By spoofing MAC of router
Hard to build a big botnet this way
![Page 19: Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.](https://reader036.fdocuments.in/reader036/viewer/2022062511/5514f836550346a80c8b5015/html5/thumbnails/19.jpg)
Shutup request blocked by firewall
Initially thought we’d have to transmit shutup request inline with 5-tuple flow
But using ICMP with associated 5-tuple in payload works well
Firewall interprets as a legitimate ICMP message (which it is!)
![Page 20: Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.](https://reader036.fdocuments.in/reader036/viewer/2022062511/5514f836550346a80c8b5015/html5/thumbnails/20.jpg)
3rd party inserts bogus shutup
Initiator SM only accepts Shutup message for recently sent flow packet
If 3rd party not on path, hard to guess response Nonce_I
Eavesdropping 3rd party can disrupt flow anyway (TCP RST, etc.)
![Page 21: Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.](https://reader036.fdocuments.in/reader036/viewer/2022062511/5514f836550346a80c8b5015/html5/thumbnails/21.jpg)
Heavy forward volume prevents challenge from getting through
Initially SM allows a heavy flow, but later slows down flow if recipient doesn’t explicitly authorize higher rate
Authorized with “throttle” request handshake
“Later” = 5 to 10 seconds
This is effectively a capability
![Page 22: Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.](https://reader036.fdocuments.in/reader036/viewer/2022062511/5514f836550346a80c8b5015/html5/thumbnails/22.jpg)
Actually, we allow full rate for a while as long as any packet received from recipient...
What about legacy recipients?They cannot send an explicit throttle
But use random-ish port numbers, TCP seq numbers, etc. to try to “authenticate” received packets
Yeah, this is a bit lame....recipients that want protection should deploy shutup
![Page 23: Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.](https://reader036.fdocuments.in/reader036/viewer/2022062511/5514f836550346a80c8b5015/html5/thumbnails/23.jpg)
ns2 simulated attack, attack BW = 240X of bottleneck, 2500 attackers, throttle time = 10s, throttle aggregate BW > bottleneck
Attack starts
Most challenges are dropped
Attackers start to self-throttle. Bottleneck still saturated, but more challenges get through Number of shutup’d
attackers drops quickly
![Page 24: Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.](https://reader036.fdocuments.in/reader036/viewer/2022062511/5514f836550346a80c8b5015/html5/thumbnails/24.jpg)
![Page 25: Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.](https://reader036.fdocuments.in/reader036/viewer/2022062511/5514f836550346a80c8b5015/html5/thumbnails/25.jpg)
We experimented with having the SM try to detect scanning attacks
What about other unwanted traffic?
Characterized as a large proportion of shutups from many recipients
Tricky part is applications that expect a number of failures, as well as black-holed spam error messages
Some promising results, but. . . .
![Page 26: Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.](https://reader036.fdocuments.in/reader036/viewer/2022062511/5514f836550346a80c8b5015/html5/thumbnails/26.jpg)
The case for network witnesses, feng schluessler