Withstanding Multimillion-Node Botnets
Colin Dixon, Arvind Krishnamurthy, Tom Anderson
Affiliates Day, 2007
Botnets
A botnet is a large group of infected computers controlled by a hacker
Used to:
  Send spam
  Steal personal information
  Launch DDoS attacks
    Extortion/protection rackets
    Attack rivals
Botnets are Big
Total bots: 6 million [Symantec], 150 million [Vint Cerf]
Single botnets have numbered 1.5 million
Average upload bandwidth: 3 Mb/s
Back of the envelope: 4.5-450 Tb/s
Flood many core links, small-medium ISPs
How DoS Works
Our Approach
Swarm of machines forward traffic
Explicitly request each packet
Attacks must down all mailboxes and thus all paths
Mailboxes
A large number of machines offer to carry traffic for certain destinations
Rather than immediately forward it, they buffer traffic until a request is received
This building block provides two key advantages:
  Filtering logic is left at the destination
  The system as a whole is fail-stop
The Mailbox
Many Mailboxes
Send traffic randomly among mailboxes
Botnet can take down one mailbox
But communication continues
Diluted attacks against all mailboxes fail
Remaining Details
Attackers can ignore the mailboxes and just attack the server (Filtering Ring)
Before a connection starts, the server does not yet know to request packets (General Requests)
Filtering Ring
Keeps a list of requested packets
Drops all unrequested packets
Protects thin access links
Deployed in depth to counter "insider attacks"
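A small simulation of the mailbox and filtering-ring data path described on the preceding slides. This is an added example, not code from the talk or from the authors' system: a deterministic spread function stands in for the random choice of mailboxes so the goodput numbers are reproducible, and the class and function names (Mailbox, FilteringRing, run) are my own.

```python
from collections import defaultdict

class Mailbox:
    """Offers to carry traffic for a destination but holds it until the server asks."""
    def __init__(self, alive=True):
        self.alive, self.buf = alive, defaultdict(dict)   # dst -> {seq: payload}
    def deliver(self, dst, seq, payload):
        if self.alive:                                    # a downed mailbox simply loses traffic
            self.buf[dst][seq] = payload
    def fetch(self, dst, seq, nonce):
        """Answer one explicit request; the nonce lets the filtering ring match the reply."""
        if self.alive and seq in self.buf[dst]:
            return nonce, self.buf[dst].pop(seq)
        return None

class FilteringRing:
    """Upstream filter: forwards only frames carrying a nonce the server requested."""
    def __init__(self):
        self.outstanding = set()
    def expect(self, nonce):
        self.outstanding.add(nonce)
    def admit(self, frame):
        if frame is None or frame[0] not in self.outstanding:
            return None                                   # unrequested traffic is dropped here
        self.outstanding.discard(frame[0])
        return frame[1]

def spread(seq, n, redundancy):
    """Mailboxes carrying packet `seq`; deterministic stand-in for the shared pseudorandom sequence."""
    return [(seq + i) % n for i in range(redundancy)]

def run(n=8, dead=(0, 1, 2), n_packets=64, redundancy=1):
    """Goodput of one established connection while the `dead` mailboxes are knocked out."""
    boxes = [Mailbox(alive=i not in dead) for i in range(n)]
    ring, got, nonce = FilteringRing(), 0, 0
    for seq in range(n_packets):
        for m in spread(seq, n, redundancy):              # client: send redundant copies
            boxes[m].deliver("srv", seq, b"data%d" % seq)
        for m in spread(seq, n, redundancy):              # server: request until one copy arrives
            nonce += 1
            ring.expect(nonce)
            if ring.admit(boxes[m].fetch("srv", seq, nonce)) is not None:
                got += 1
                break
    return got / n_packets

def forged_packet_is_dropped():
    """Traffic that skips the mailboxes and hits the server directly is filtered out."""
    return FilteringRing().admit(("never-requested", b"flood")) is None
```

With three of eight mailboxes down, goodput is 0.625 at redundancy 1 and climbs to 0.75, 0.875 and 1.0 as the client sends each packet to 2, 3 and 4 mailboxes, which is the "send faster to compensate" behaviour from the DoS Resilience slides.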
General Requests
First packets unexpected => can't request
Filtering ring prevents unrequested packets from reaching the server
Solution: Issue some small number of general requests to the mailboxes
  Allow "first packets" through the filtering ring
  Provides admission control
  Limit access by auth tokens & crypto-puzzles
Complete System
Lookup mailboxes for a server from a distributed name service (CoDoNs)
Contact one mailbox for a puzzle
Present a solution and wait
Mailbox forwards solution to the server
Server responds and begins to request packets
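The puzzle handshake from the General Requests and Complete System slides, modelled as an added example rather than the authors' implementation: the mailbox hands out a single-use hashcash-style SHA-256 puzzle, verifies the solution with one hash, and the server spends one of its small budget of general requests per admitted first packet. DIFFICULTY, the 8-byte counter encoding and all class names are assumptions of this model.

```python
import hashlib
import secrets

DIFFICULTY = 12  # leading zero bits required; assumed value, tuned per load in practice

def check(nonce, solution, bits):
    """One hash to verify: the mailbox does cheap work, the client did ~2^bits hashes."""
    h = int.from_bytes(hashlib.sha256(nonce + solution).digest(), "big")
    return h >> (256 - bits) == 0

def solve(nonce, bits):
    """Client brute force over a counter until the hash has `bits` leading zeros."""
    x = 0
    while not check(nonce, x.to_bytes(8, "big"), bits):
        x += 1
    return x.to_bytes(8, "big")

class PuzzleMailbox:
    """Hands out single-use puzzles; only a solved one is forwarded toward the server."""
    def __init__(self):
        self.issued = {}                       # nonce -> difficulty, consumed on use
    def puzzle(self):
        nonce = secrets.token_bytes(8)
        self.issued[nonce] = DIFFICULTY
        return nonce, DIFFICULTY
    def submit(self, nonce, solution):
        bits = self.issued.pop(nonce, None)    # pop: a replayed or unknown nonce is rejected
        return bits is not None and check(nonce, solution, bits)

class Server:
    """Keeps a small budget of general requests so unexpected first packets can get in."""
    def __init__(self, general_requests):
        self.general = general_requests
        self.admitted = []
    def first_packet(self, client):
        if self.general == 0:
            return False                       # budget spent: newcomer must retry later
        self.general -= 1
        self.admitted.append(client)
        return True                            # from here on the server requests packets explicitly

def connect(client, mailbox, server):
    """Full handshake: get puzzle, solve, submit; mailbox forwards only valid solutions."""
    nonce, bits = mailbox.puzzle()
    if not mailbox.submit(nonce, solve(nonce, bits)):
        return False
    return server.first_packet(client)
```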
Key Features
Unilaterally deployable
  Pay Akamai for mailboxes
  Pay upstream ISP to install filtering ring
Server is in complete control
  Explicitly asks for each packet
  Is not required to trust any given mailbox
  System is fail-stop
Latency
DoS Resilience
Established connection
Attack kills some mailboxes
"Goodput" decreases
Client sends faster (more redundantly) to compensate
Conclusions
We have presented a system to mitigate Denial of Service attacks which can be unilaterally deployed today
Performance is reasonable with few optimizations; still room for improvement
Can scale to deal with the massive botnets of today and tomorrow
Questions?