Page 1: Tiered Incentives for Integrity Based Queuing Fariba Khan, Carl A. Gunter University of Illinois at Urbana-Champaign.

Tiered Incentives for Integrity Based Queuing

Fariba Khan, Carl A. Gunter, University of Illinois at Urbana-Champaign

Page 2: Outline

• Problem setting
• Challenges and existing work
• Infrastructures for IBQ
• Queuing
• Analytic and experimental results

Page 4: Internet DDoS Attack

• Finding the source of an attack is difficult.
• It is often difficult to detect an attack packet.
• Legitimate clients still have to get through.
• Could we make it so that the magnitude of the attack (the number of attack packets) is less important?

Page 5: Fair-queuing and head-of-line blocking

• Can we figure out that she is the good guy and let her skip the long line?
• No: a router cannot tell whether a packet is from an Alice or from Eve.
• Maybe give everybody the opportunity to send one packet, so that no one gets to send a million.

Figure: one queue with Eve 1, Eve 2, Alice 1, Eve 3, Alice 2, Eve 4, Alice 3 in line (head of line blocking), beside separate queues holding all Alice's and all Eve's.

Page 6: Fair-queue: Head of Line Blocking

Figure: per-source queues for Alice 1 through Alice 7 alongside a queue for Eve.

Page 7: Performance of Integrity Protection and Fairness

ns2 simulation setup: depth 10, 1024 clients/flows, 10 Mbps links, 102 attackers, 10 Mbps per attacker, client bandwidth 0.01 Mbps.

Client packet success (%), read from the bar chart:

No attack, no defense          100
Attack, no defense             3.78
Attack, FQ, no spoofing        100
Attack, FQ, spoofing           4.34
Attack, FQ, spoofing (20%)     45
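The qualitative pattern on this slide and the two before it (a shared FIFO is blocked by the flood; per-source fair queuing restores client service as long as sources are genuine; spoofing turns every attack packet into a fresh "flow" and defeats it) can be reproduced with a small slot-based simulation. This is an added example, not the authors' ns2 setup: the packet rates, buffer sizes, link capacity and spoofed-address pool are constructed for illustration.

```python
"""Toy slot-based simulation: FIFO vs per-source fair queuing under a flooding
attacker, with and without source-address spoofing.

Added example, not the slides' ns2 experiment.  Rates, buffers and the
spoofed-address pool are constructed values.
"""
import random
from collections import deque


class Fifo:
    """One shared drop-tail queue: whoever fills it first wins (head-of-line blocking)."""

    def __init__(self, buffer=100):
        self.buffer = buffer
        self.q = deque()

    def enqueue(self, kind, src):
        if len(self.q) < self.buffer:
            self.q.append((kind, src))      # otherwise drop-tail

    def drain(self, n):
        out = []
        while self.q and len(out) < n:
            out.append(self.q.popleft())
        return out


class FairQueue:
    """Per-source queues served one packet per turn in round-robin
    (a simplified deficit round-robin with unit quantum)."""

    def __init__(self, per_flow_buffer=10):
        self.per_flow_buffer = per_flow_buffer
        self.flows = {}           # src -> deque of packets
        self.active = deque()     # backlogged sources, in activation order

    def enqueue(self, kind, src):
        q = self.flows.setdefault(src, deque())
        if len(q) >= self.per_flow_buffer:
            return                # per-flow drop-tail: one flow cannot crowd out others
        if not q:
            self.active.append(src)
        q.append((kind, src))

    def drain(self, n):
        out = []
        while self.active and len(out) < n:
            src = self.active.popleft()
            q = self.flows[src]
            out.append(q.popleft())
            if q:
                self.active.append(src)
        return out


def client_success(sched, clients=10, attack_rate=200, link_capacity=20,
                   slots=50, spoof_fraction=0.0, spoof_pool=10_000, seed=1):
    """Fraction of legitimate client packets that get through the link.

    Per slot every client sends one packet and the attacker sends attack_rate
    packets, each carrying a random spoofed source with probability
    spoof_fraction (otherwise its own address "eve").
    """
    rng = random.Random(seed)
    sent = served = 0
    for _ in range(slots):
        arrivals = [("client", f"alice{c}") for c in range(clients)]
        for _ in range(attack_rate):
            if rng.random() < spoof_fraction:
                src = f"spoof{rng.randrange(spoof_pool)}"
            else:
                src = "eve"
            arrivals.append(("attack", src))
        rng.shuffle(arrivals)                 # interleave attack and client packets
        for kind, src in arrivals:
            if kind == "client":
                sent += 1
            sched.enqueue(kind, src)
        for kind, _ in sched.drain(link_capacity):
            if kind == "client":
                served += 1
    return served / sent


def scenarios():
    """Counterparts of the bars on the slide (constructed parameters)."""
    return {
        "fifo, attack":            client_success(Fifo()),
        "fq, attack, no spoofing": client_success(FairQueue()),
        "fq, attack, 20% spoofed": client_success(FairQueue(), spoof_fraction=0.2),
        "fq, attack, all spoofed": client_success(FairQueue(), spoof_fraction=1.0),
    }


if __name__ == "__main__":
    for name, rate in scenarios().items():
        print(f"{name:26s} client packet success = {rate:.0%}")
```

With genuine sources the fair queue serves every client packet in every slot, because each client needs only one turn per round while Eve's queue is capped; once Eve spoofs a new address per packet she owns most of the round-robin turns and the clients starve, which is the reason the rest of the talk ties queue placement to how much the source address can be trusted.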

Page 8: Source Address Validation

• Ingress filtering (RFC 2827) is neither complete nor verifiable.
• The IP address of a host in a filtered domain can still be spoofed:
  – by another host in the same domain
  – from an unfiltered domain

Figure: an address hierarchy of hosts 1-8 showing the source ranges a packet can claim at each level of filtering (1,2 / 3,4 / 1-4 / 1-8).

Page 9: Motivation

• The effectiveness of fair-queuing depends on accurate flow classification.
• Even with partial authentication, legitimate flows can still be impersonated by flows with spoofed origins.
• As legitimate flows are choked, an ISP sees no benefit from deploying filtering or an advanced protocol.

Client: received level of service ∝ participation

Page 10: Concept: Integrity Based Queuing (IBQ)

High integrity
• Highly effective queuing
• Each flow gets its own bucket

Medium integrity
• Less effective service
• Rate-limited flows
• Shared buckets

Low integrity
• Generic service
• Rate limited
• Least priority

Page 11: Cycle of Network Assurance

Effort -> Integrity -> Defense -> Service -> Incentive -> Effort (and around again)

Page 12: Design

• Integrity levels
• MAC
• Queue

Page 13: Integrity Levels: Spoofing Index Table

• Strict filtering vs regular filtering:
  – the address range is divided into smaller subdomains
  – spoofing is restricted to within that subdomain only
• Example: at the University of Illinois a host can spoof the 511 neighbouring addresses within its /23 prefix, so the spoofing index is 9 for the University of Illinois (AS3).
• A spoofing index table covering all autonomous systems is made available to routers. [BB05]

Page 14: MAC

RFC 4301, YPS03, YWA05, LLY08, GH09, YL09

Page 15: Queue

Decision diagram for an arriving packet:

MAC verified?
  N -> low integrity queue
  Y -> spoofing index?
        = 0 -> per-source high integrity queues
        > 0 -> per integrity-block queues
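The decision diagram above, together with the ingress-filtering limits of Page 8 and the spoofing index of Page 13, can be written down as one classifier that a router would run per packet. This is an added example in Python, not the authors' implementation. It assumes a per-origin-domain MAC (a truncated HMAC-SHA256 over source, destination and payload under a key shared between the origin's marking router and this verifier; the cited schemes differ in detail), a constructed spoofing index table with documentation-range prefixes, longest-prefix matching for the lookup, and the rule that a source with no table entry cannot be verified and goes to the low integrity queue.

```python
"""IBQ queue assignment for one router: MAC check, spoofing index lookup,
then a queue key in one of three tiers.

Added example, not the authors' code.  The HMAC scheme, the table contents
and the 'unknown origin goes to the low queue' rule are assumptions.
"""
import hashlib
import hmac
import ipaddress

# Constructed per-domain keys (in a real deployment they come from the
# marking protocol; here they are fixed so the example runs offline).
KEY_STRICT  = b"k-strict-per-host"
KEY_SLASH23 = b"k-filtered-at-slash23"
KEY_BORDER  = b"k-filtered-at-border"
KEY_OPEN    = b"k-no-ingress-filtering"

# Constructed spoofing-index table: origin prefix -> (ASN, spoofing index i, key).
# i = 32 - (prefix length at which the origin validates source addresses), so
# a domain filtering only at /23 granularity (the University of Illinois
# example on Page 13) has i = 9 and a host there can claim 2^9 - 1 = 511
# neighbouring addresses.
SPOOFING_INDEX_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"):    (64496, 0,  KEY_STRICT),
    ipaddress.ip_network("10.0.0.0/16"):     (64500, 9,  KEY_SLASH23),
    ipaddress.ip_network("198.51.100.0/24"): (64501, 8,  KEY_BORDER),
    ipaddress.ip_network("203.0.113.0/24"):  (64502, 32, KEY_OPEN),
}


def spoofing_index(filter_prefix_len):
    """Spoofing index of a domain that validates sources at /filter_prefix_len."""
    return 32 - filter_prefix_len


def spoofable_neighbours(i):
    """Other addresses a host can claim inside its own 2^i filtering block."""
    return 2 ** i - 1


def same_block_probability(i):
    """p = 1 / 2^(32 - i): chance a random address lands in a given 2^i block (Page 16)."""
    return 2.0 ** -(32 - i)


def ingress_allowed(iface_prefix, src):
    """RFC 2827 check at a customer-facing interface: the source must lie in the
    prefix assigned to that interface.  Anything inside the prefix remains
    spoofable, which is what the spoofing index measures."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(iface_prefix)


def lookup_origin(src):
    """Longest-prefix match of src against the table; None if unknown."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, entry in SPOOFING_INDEX_TABLE.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return best[1] if best else None


def compute_mac(key, pkt):
    """MAC the origin's marking router stamps on a packet (assumed scheme)."""
    msg = f"{pkt['src']}|{pkt['dst']}|".encode() + pkt["payload"]
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def make_packet(src, dst, payload, key=None):
    """Build a packet; stamp a MAC with key if the origin domain marks packets."""
    pkt = {"src": src, "dst": dst, "payload": payload}
    if key is not None:
        pkt["mac"] = compute_mac(key, pkt)
    return pkt


def classify(pkt):
    """Queue key for an arriving packet, following the Page 15 diagram:
       MAC not verifiable -> ("low",)         shared, rate limited, least priority
       MAC ok, i == 0     -> ("high", src)    the source's own queue
       MAC ok, i > 0      -> ("mid", block)   one queue per 2^i spoofable block
    """
    origin = lookup_origin(pkt["src"])
    if origin is None:
        return ("low",)               # assumption: no key on file, nothing to verify
    _asn, i, key = origin
    if not hmac.compare_digest(compute_mac(key, pkt), pkt.get("mac", b"")):
        return ("low",)
    if i == 0:
        return ("high", pkt["src"])
    block = ipaddress.ip_network(f"{pkt['src']}/{32 - i}", strict=False)
    return ("mid", str(block))
```

The medium tier is where the incentive bites: a domain that filters at /23 shares one bucket among 512 addresses, so an attacker in that block can still degrade its neighbours but nobody outside the block, and tightening the filter to per-host validation (i = 0) moves its customers into per-source queues.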

Page 16: Analytic Results

• $\alpha \gg s \gg \beta$
• Spoofing index $i$
• Probability that A and B are in the same domain: $p = 2^{-(32 - i)}$
• Loss rate

Page 17: Experimental Results

• 2000 clients, 256 ASes, 16-512 attackers
• Client rate 64 kbps, attacker rate 64 Mbps

Effort = integrity level = success

Page 18: Experimental Results: Example Traffic, VoIP

• 2000 clients, 256 ASes, 16-512 attackers
• Client rate 64 kbps, attacker rate 64 Mbps

Page 19: Experimental Results: Two Attack Styles

Figure: loss rate (0.0 to 1.0) versus attacker bandwidth (0 to 30 Gbps) for three curves: FQ, lo integrity; IBQ, hi integrity; IBQ, mid integrity, si = 8, with the number of attackers increased.

Page 20: Conclusion

• Thesis
  – Using IBQ gives legitimate users an avenue to communicate with a server while the network is under attack. The service they get relates directly to the effort their ISP has spent on integrity protection and validation, which gives the ISP an incentive to invest.
• Future work
  – Experiment with real DDoS attack data
  – Overhead measurement
  – Use of IBQ for network assurance

Page 21: Thank You

Questions?


Page 23: Other Work

[0] S. Khanna, S. S. Venkatesh, O. Fatemieh, F. Khan, and C. A. Gunter. Adaptive Selective Verification: An Efficient Adaptive Countermeasure to Thwart DoS Attacks. Submitted to IEEE Transactions on Networking (ToN).

[1] R. Bobba, O. Fatemieh, F. Khan, A. Khan, C. A. Gunter, H. Khurana, and M. Prabhakaran (first three authors in alphabetical order). Attribute-Based Messaging: Access Control and Confidentiality. ACM Transactions on Information and System Security (TISSEC).

[2] S. Khanna, S. S. Venkatesh, O. Fatemieh, F. Khan, and C. A. Gunter. Adaptive Selective Verification. IEEE Conference on Computer Communications (INFOCOM '08), Phoenix, AZ, April 2008.

[3] R. Bobba, O. Fatemieh, F. Khan, C. A. Gunter, and H. Khurana (first three authors in alphabetical order). Using Attribute-Based Access Control to Enable Attribute-Based Messaging. IEEE Annual Computer Security Applications Conference (ACSAC '06), Miami, FL, December 2006.

[4] F. Khan. Using Attribute-Based Access Control to Enable Attribute-Based Messaging. Master's thesis, University of Illinois, October 2006.

Page 24: Fairness

• 1974: the Internet was designed around openness
• 1989: FQ -> active research for congestion control -> RED
• 1999: FQ -> again for congestion control -> 40 Gbps
• 2005: FQ -> active research for DDoS defenses

Page 25: Related Work Analysis

• 1024 hosts
• 33 routers
• 32 subdomains
• Spoofing index 8 (scaled down for the small topology)
• Links
  – 200 Mbps links, 10 ms delay
  – 5% of the channel for requests (10 Mbps)
  – Bottleneck 1 Gbps, comparable to 40-100 Gbps Internet links
• 10% of hosts are attackers
• Attack bandwidth 100-700 Mbps
• 50 B request from a client