lsad07 psp
Added: October 09, 2007

Presentation Transcript

Minimizing Collateral Damage by Proactive Surge Protection
Jerry Chou, Bill Lin (University of California, San Diego)
Subhabrata Sen, Oliver Spatscheck (AT&T Labs-Research)

Problem
- Large-scale bandwidth-based DDoS attacks can quickly knock out substantial parts of the network before reactive defenses can respond.
- All traffic that shares common route links will suffer collateral damage, even if the origin-destination (OD) pair is not under direct attack.

Problem
- The potential for large-scale bandwidth-based DDoS attacks exists: large botnets with more than 100,000 bots exist today and, combined with the prevalence of high-speed Internet access, can give attackers multiple tens of Gb/s of attack capacity.
- Moreover, core networks are oversubscribed (e.g. some core routers in Abilene have more than 30 Gb/s of incoming traffic from access networks but only 20 Gb/s of outgoing capacity to the core).

Problem
- Router-based defenses like Random Early Drop (RED, RED-PD, etc.) can prevent congestion by dropping packets early, before congestion sets in, but they may drop normal traffic indiscriminately, causing responsive TCP flows to degrade severely.
- Approximate fair dropping schemes aim to provide fair sharing between flows, but attackers can launch many seemingly legitimate TCP connections with spoofed IP addresses and port numbers.
- Both aggregate-based and flow-based router defense mechanisms can therefore be defeated.

Example Scenario
- Suppose that under normal conditions the traffic Seattle->New York plus Sunnyvale->New York is under 10 Gb/s.
[Figure: Abilene topology map (New York, Seattle, Sunnyvale, Houston, Atlanta, Indianapolis, Kansas City) with the 10G links on these paths marked]

Example Scenario
- Suppose a sudden attack between Houston and Atlanta.
- Congested links suffer a high rate of packet loss.
- Serious collateral damage on crossfire OD pairs, i.e. pairs that are not under attack but whose route shares a link with the attack traffic.
[Figure: the same map with the congested 10G links marked]

Impact on Collateral Damage
- OD pairs are classified into 3 types with respect to the attack traffic.
- Even a small percentage of attack flows can affect substantial parts of the network.

Our Solution
- Provide bandwidth isolation between OD pairs, independent of IP spoofing or the number of TCP/UDP connections.
- We call this method Proactive Surge Protection (PSP) because it aims to proactively limit the damage that can be caused by sudden demand surges, e.g. sudden bandwidth-based DDoS attacks.

Basic Idea: Bandwidth Isolation
- Reserve bandwidth for the expected demand of each OD pair.
- Meter and tag packets on ingress as HIGH or LOW.
- Drop LOW packets under congestion inside the network.
[Figure: the same map; traffic received in New York: Seattle 3 Gb/s, Sunnyvale 3 Gb/s, ...]

Architecture
- Policy plane: Forecaster -> Forecast Matrix -> Bandwidth Allocator -> Bandwidth Allocation Matrix.
- Data plane, deployed at the network perimeter: arriving packets are metered against the allocation and tagged High priority or Low priority.
- Data plane, deployed at network routers: tagged packets are forwarded, or dropped (Low priority first) under congestion.

Forecasting and Allocation
- We use historical network measurements as a forecast of expected normal traffic, e.g. the average weekday traffic demand at 3pm EDT over the past 2 months.
- More sophisticated forecasting methods (e.g.
Bayesian schemes) are possible, but simple forecasting already gives good results.
- To account for forecasting inaccuracies and to provide headroom for traffic burstiness, proportionally scale the forecast matrix so that the available network capacity is fully allocated.

Proportional Scaling
- Iteratively scale the bandwidth allocation in a "water-filling" manner.
Forecast Matrix (rows and columns labelled A, B, C, in the slide's reading order):
      A    B    C
  A   1    1.5  1
  B   0.5  2    0.5
  C   1    1.5  1
[Figure: bar chart of bandwidth (0 to 10) on links AB, BC, CB, BA after the 1st round]

Networks
- Abilene: US public academic network; 11 nodes, 14 links (10 Gb/s); traffic data 10/01/06-12/06/06.
- US Backbone: US private tier-1 ISP backbone network; 700 nodes, 2000 links (1.5 Mb/s to 10 Gb/s); traffic data 09/01/06-11/17/06.
- Europe Backbone: European private tier-1 ISP backbone network; 900 nodes, 3000 links (1.5 Mb/s to 10 Gb/s); traffic data 11/18/06-12/18/06.

DDoS Attack Data
- Abilene: bottleneck links Denver-Kansas City and Indianapolis-Chicago (5G each).
- US Backbone: commercial anomaly detection alarms; pick the alarm with the most flows and scale their demand by 1000x.
- Europe Backbone: synthetic attack flow generator; randomly generate attack flows among 0.1% of the OD pairs.
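The water-filling step on the Proportional Scaling slide, written out as an added example. This is my code, not the authors' implementation: it assumes every OD pair has one fixed route given as a list of directed links, and it scales all unfrozen OD pairs by a common factor until some link saturates, then freezes the pairs crossing that link and repeats. The three-node network, its four 10G links and the demands (the off-diagonal entries of the slide's forecast matrix, read row = origin) are constructed for the example.

```python
from collections import defaultdict


def link_loads(demand, routes):
    """Sum the rate of every OD pair over each directed link on its route."""
    load = defaultdict(float)
    for od, bw in demand.items():
        for link in routes[od]:
            load[link] += bw
    return load


def proportional_scale(forecast, routes, capacity, eps=1e-9):
    """Water-filling proportional scaling of an OD forecast matrix.

    Each round scales every still-unfrozen OD pair by the largest common
    factor that keeps all links within capacity, then freezes the OD pairs
    that cross the link that just saturated. Stops when no unfrozen demand
    remains. Returns (allocation, number of rounds). A forecast that already
    exceeds capacity is scaled down (factor < 1) in the same way.
    """
    alloc = dict(forecast)            # {(origin, dest): allocated rate}
    frozen = set()
    rounds = 0
    while True:
        fixed = link_loads({od: bw for od, bw in alloc.items() if od in frozen}, routes)
        free = link_loads({od: bw for od, bw in alloc.items() if od not in frozen}, routes)
        factor, bottleneck = None, None
        for link, cap in capacity.items():
            if free[link] <= eps:
                continue                # no scalable demand on this link
            f = (cap - fixed[link]) / free[link]
            if factor is None or f < factor:
                factor, bottleneck = f, link
        if factor is None:              # everything is frozen
            break
        rounds += 1
        for od in alloc:
            if od not in frozen:
                alloc[od] *= factor
        newly = [od for od in alloc if od not in frozen and bottleneck in routes[od]]
        frozen.update(newly)
    return alloc, rounds


# Constructed toy network: nodes A - B - C in a line, four directed 10G links.
CAPACITY = {"AB": 10.0, "BA": 10.0, "BC": 10.0, "CB": 10.0}
ROUTES = {
    ("A", "B"): ["AB"], ("A", "C"): ["AB", "BC"],
    ("B", "A"): ["BA"], ("B", "C"): ["BC"],
    ("C", "A"): ["CB", "BA"], ("C", "B"): ["CB"],
}
# Off-diagonal entries of the slide's forecast matrix, row = origin (assumed).
FORECAST = {
    ("A", "B"): 1.5, ("A", "C"): 1.0,
    ("B", "A"): 0.5, ("B", "C"): 0.5,
    ("C", "A"): 1.0, ("C", "B"): 1.5,
}


def demo():
    """Run the scaling on the toy network; returns (allocation, rounds, link loads)."""
    alloc, rounds = proportional_scale(FORECAST, ROUTES, CAPACITY)
    return alloc, rounds, link_loads(alloc, ROUTES)


if __name__ == "__main__":
    alloc, rounds, loads = demo()
    print(f"{rounds} rounds")
    for od, bw in sorted(alloc.items()):
        print(f"{od[0]}->{od[1]}: {bw:.2f} Gb/s")
    for link, load in sorted(loads.items()):
        print(f"link {link}: {load:.2f} / {CAPACITY[link]:.0f} Gb/s")
```

On the toy network the first round saturates AB (factor 4) and freezes A->B and A->C; later rounds fill CB, BA and BC until every link carries exactly its capacity, which is the "fully allocate available network capacity" property the slide asks for. The allocation depends only on the ratios in the forecast, so a forecast that is uniformly too high or too low yields the same matrix.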
[Figure: Abilene map with nodes Seattle, Sunnyvale, Los Angeles, Denver, Kansas City, Houston, Indianapolis, Chicago, Atlanta, Washington, New York]

Packet Drop Rate Comparison
[Figures: packet drop rate comparison for Abilene, US Backbone and Europe Backbone; chart values are not in the transcript]

Behavior Under Scaled Attacks
- Packet drop rate under attack demand scaled by a factor of 0 to 3x.
- PSP provides greater improvement as the attack scale increases.
[Figures: Abilene, US Backbone, Europe Backbone]

Summary of Contributions
- The proposed proactive solution provides network operators with a first line of defense when sudden DDoS attacks occur.
- The solution does not depend on unauthenticated header information and is thus robust to IP and TCP spoofing.
- It minimizes collateral damage by providing bandwidth isolation between traffic of different OD pairs.
- The solution is readily deployable using existing router mechanisms.
- Simulation results show that up to 95.5% of the network could suffer collateral damage; the solution reduced collateral damage by 60.5-97.8%.

Questions?
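The data plane from the Basic Idea and Architecture slides (meter and tag at ingress against the allocation matrix, serve HIGH first and drop LOW under congestion), run against a constructed version of the Example Scenario, as an added example. This is my code, not the authors' implementation or simulator: it is a fluid (rate-based, packet-free) model of one congested 10G core link, and the three OD pairs, their allocations and the 20 Gb/s attack rate are made up for illustration. The FIFO baseline models a drop-tail link where every pair loses the same fraction.

```python
def meter_and_tag(offered, allocation):
    """Ingress meter: traffic up to the OD pair's allocated rate is tagged HIGH,
    anything above it is tagged LOW. Rates are in Gb/s. An OD pair absent from
    the allocation matrix gets no HIGH share at all."""
    tagged = {}
    for od, rate in offered.items():
        reserved = allocation.get(od, 0.0)
        high = min(rate, reserved)
        tagged[od] = (high, rate - high)
    return tagged


def forward_psp(tagged, capacity):
    """Core link under PSP: HIGH traffic is served first; LOW traffic shares
    whatever capacity is left, proportionally, and the rest is dropped."""
    high_total = sum(h for h, _ in tagged.values())
    low_total = sum(l for _, l in tagged.values())
    # Water-filling keeps HIGH within capacity; guard anyway so an
    # over-allocated link degrades gracefully instead of dividing by zero.
    high_share = min(1.0, capacity / high_total) if high_total > 0 else 1.0
    residual = max(0.0, capacity - high_total * high_share)
    low_share = min(1.0, residual / low_total) if low_total > 0 else 1.0
    return {od: h * high_share + l * low_share for od, (h, l) in tagged.items()}


def forward_fifo(offered, capacity):
    """Baseline without PSP: a drop-tail FIFO link drops every OD pair's traffic
    in the same proportion, so the attacker's overload lands on everyone."""
    total = sum(offered.values())
    share = min(1.0, capacity / total) if total > 0 else 1.0
    return {od: rate * share for od, rate in offered.items()}


def drop_rates(offered, forwarded):
    """Fraction of each OD pair's offered traffic that was dropped."""
    return {od: (offered[od] - forwarded[od]) / offered[od] if offered[od] else 0.0
            for od in offered}


def collateral_damage(drops, attack_pairs, threshold=1e-9):
    """Fraction of non-attack (crossfire) OD pairs that lose any traffic."""
    victims = [od for od in drops if od not in attack_pairs]
    hit = [od for od in victims if drops[od] > threshold]
    return len(hit) / len(victims) if victims else 0.0


# Constructed scenario: three OD pairs share one 10G core link. Houston->Atlanta
# was forecast at 2 Gb/s but is the attack pair and suddenly offers 20 Gb/s.
LINK_CAPACITY = 10.0
ALLOCATION = {("Seattle", "NY"): 3.0, ("Sunnyvale", "NY"): 3.0, ("Houston", "Atlanta"): 2.0}
OFFERED = {("Seattle", "NY"): 3.0, ("Sunnyvale", "NY"): 3.0, ("Houston", "Atlanta"): 20.0}
ATTACK = {("Houston", "Atlanta")}


def compare():
    """Drop rate per OD pair without PSP (FIFO) and with PSP."""
    fifo = drop_rates(OFFERED, forward_fifo(OFFERED, LINK_CAPACITY))
    psp = drop_rates(OFFERED, forward_psp(meter_and_tag(OFFERED, ALLOCATION), LINK_CAPACITY))
    return fifo, psp


if __name__ == "__main__":
    fifo, psp = compare()
    for od in OFFERED:
        print(f"{od[0]}->{od[1]}: FIFO drop {fifo[od]:.1%}, PSP drop {psp[od]:.1%}")
    print(f"collateral damage: FIFO {collateral_damage(fifo, ATTACK):.0%}, "
          f"PSP {collateral_damage(psp, ATTACK):.0%}")
```

Under FIFO the 26 Gb/s offered load is cut to 10 Gb/s for everyone, so the two crossfire pairs lose about 62% of their traffic although neither is under attack; under PSP their 3 Gb/s each is tagged HIGH and passes untouched, and only the attack pair's LOW excess is dropped. Isolation is per OD pair, not per flow, so it holds no matter how many spoofed connections the attacker opens; the price is that a legitimate pair bursting above its own allocation has the excess tagged LOW and exposed to the same drops.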