Proactive Surge Protection:
A Defense Mechanism
for Bandwidth-Based Attacks
Jerry Chou, Bill Lin
University of California, San Diego
Subhabrata Sen, Oliver Spatscheck
Outline
• Problem
• Approach
• Experimental Results
Motivation
• Large-scale bandwidth-based DDoS attacks can quickly knock out substantial parts of a network before reactive defenses can respond
• All traffic that share common route links will suffer collateral damage even if it is not under direct attack
Seattle
Sunnyvale Denver
Los Angeles
Chicago New York
Washington
Atlanta
Houston Kansas City
Motivation
• Potential for large-scale bandwidth-based DDoS attacks exist
• e.g. large botnets with more than 100,000 bots exist today that, when combined with the prevalence of high-speed Internet access, can give attackers multiple tens of Gb/s of attack capacity
• Moreover, core networks are oversubscribed (e.g. some core routers in Abilene have more than 30 Gb/s incoming traffic from access networks, but only 20 Gb/s of outgoing capacity to the core
Example Scenario
• Suppose under normal condition
¾ Traffic between Seattle/NY + Sunnyvale/NY under 10
Gb/s New York Seattle 10G 10G 10G Seattle/NY: 3 Gb/s Houston Atlanta Indianapolis Kansas City Sunnyvale Sunnyvale/NY: 3 Gb/s
Example Scenario
• Suppose sudden attack between Houston/Atlanta
¾ Congested links suffer high rate of packet loss ¾ Serious collateral damage on crossfire OD pairs
New York Sunnyvale Seattle 10G 10G 10G Sunnyvale/NY: 3 Gb/s Seattle/NY: 3 Gb/s
Houston Atlanta Houston/Atlanta: Attack 10 Gb/s Indianapolis Kansas
Impact on Collateral Damage
• OD pairs are classified into 3 types with respect to the attack traffic
¾ Attacked: OD pairs with attack traffic
¾ Crossfire: OD pairs sharing route links with attack traffic
¾ Non-crossfire: OD pairs not sharing route links with attack traffic
• Collateral damage occurs on crossfire OD pairs
• Even a small percentage of attack flows can affect substantial parts of the network
Related Works
• Most existing DDoS defense solutions are reactive in nature
• However, large-scale bandwidth-based DDoS attacks can quickly knock out substantial parts of a network before reactive defenses can respond
• Therefore, we need a proactive defense mechanism that works immediately when an attack occurs
Related Works (cont’d)
• Router-based defenses like Random Early Drop (RED,
RED-PD, etc) can prevent congestion by dropping packets early before congestion
¾ But may drop normal traffic indiscriminately, causing
responsive TCP flows to severely degrade
• Approximate fair dropping schemes aim to provide fair sharing between flows
¾ But attackers can launch many seemingly legitimate
TCP connections with spoofed IP addresses and port numbers
• Both aggregate-based and flow-based router defense mechanisms can be defeated
Previous Solutions (cont’d)
• Router-based defenses like Random Early Drop (RED,
RED-PD, etc) can prevent congestion by dropping packets early before congestion
¾ But may drop normal traffic indiscriminately, causing
responsive TCP flows to severely degrade
• Approximate fair dropping schemes aim to provide fair sharing between flows
¾ But attackers can launch many seemingly legitimate
TCP connections with spoofed IP addresses and port numbers
• Both aggregate-based and flow-based router defense mechanisms can be defeated
In general, defenses based on
unauthenticated header information such as
IP addresses and port numbers
may not be reliable
In general, defenses based on
unauthenticated header information such as
IP addresses and port numbers
Outline
• Problem • Approach
• Experimental Results • Summary
Our Solution
• Provide bandwidth isolation between OD pairs, independent of IP spoofing or number of TCP/UDP connections
• We call this method Proactive Surge Protection (PSP) as it aims to proactively limit the damage that can be caused by sudden demand surges, e.g. sudden
Traffic received in NY:
Seattle: 3 Gb/s Sunnyvale: 3 Gb/s …
Basic Idea: Bandwidth Isolation
• Meter and tag packets on ingress as HIGH or LOW priority
¾ Based on historical traffic demands and network capacity
• Drop LOW packets under congestion inside network
New York Sunnyvale Seattle 10G 10G 10G Seattle/NY: Limit: 3.5 Gb/s Actual: 3 Gb/s
All admitted as High
Houston Atlanta Indianapolis Kansas City Sunnyvale/NY: Limit: 3.5 Gb/s Actual: 3 Gb/s
All admitted as High
Houston/Atlanta:
Limit: 3 Gb/s
Actual: 2 Gb/s
All admitted as High Houston/Atlanta:
Limit: 3 Gb/s
Actual: 10 Gb/s High: 3 Gb/s Low: 7 Gb/s
Proposed mechanism proactively drop attack
traffic immediately when attacks occur
Proposed mechanism proactively drop attack
traffic immediately when attacks occur
Traffic Data Collector Traffic Data
Collector BandwidthBandwidthAllocatorAllocator
Preferential Dropping Preferential
Dropping DifferentialDifferentialTaggingTagging
Architecture
Traffic Measurement
Bandwidth Allocation Matrix
tagged packets forwarded packets dropped packets Data Plane Policy Plane Deployed at Network Routers Deployed at Network Perimeter arriving packets High priority Low priority
Proposed mechanism readily available in
modern routers
Proposed mechanism readily available in
modern routers
Allocation Algorithms
• Aggregate traffic at the core is very smooth and variations are predictable
• Compute a bandwidth allocation matrix for each hour based on historical traffic measurements
¾ e.g. allocation at 3pm is computed by traffic
measurements during 3-4pm in the past 2 months
Allocation Algorithms
• To account for measurement inaccuracies and provide headroom for traffic burstiness, we fully allocate the entire network capacity as an utility max-min fair allocation problem
¾ Mean-PSP: based on the mean of traffic demands ¾ CDF-PSP: based on the Cumulative Distribution
Function (CDF) of traffic demands • Utility Max-min fair allocation
¾ Iteratively allocate bandwidth in “water-filling” manner ¾ Each iteration maximize the common utility of all flows ¾ Remove the flows without residual capacity after each
Utility Max-min Fair Bandwidth Allocation
5 A 5 5 B 5 C 0 1 2 3 4 5 BW BC AB 1st round AÆC 20 2 1 3 4 5 40 60 80 100 BW Utility(%) AÆB 20 40 60 80 100 Utility(%) 2 1 3 4 5 BW BÆC 20 40 60 80 100 Utility(%) 2 1 3 4 5 BW 0 1 2 3 4 5 BW BC AB 2nd round Utility functions Network AllocationMean-PSP
(Mean-based Max-min)
• Use mean traffic
demand as the utility function • Iteratively allocate bandwidth in “water-filling” manner 0 2 4 6 8 10 BW BA CB BC AB Links 1st round 0 2 4 6 8 10 BW BA CB BC AB Links 2nd round A B C - 1.5 1 0.5 - 0.5 -1.5 1 Mean Demand -A B C A B C 6 4 4 6 6 4 BW Allocation Bij 10G A 10G 10G B 10G C A B C t measuremen d B B f ij ij ij ij /# ) (
∑
=CDF-PSP
(CDF-based Max-min)
• Explicitly capture the traffic variance by using a
Cumulative Distribution Function (CDF) model as utility functions
• Maximize utility is equivalent to minimizing the drop probabilities for all flows in a max-min fair manner
]
[
)
(
ij ij ij ijB
PROB
d
B
f
=
≤
)
5
3,
1,
1,
1,
(
:
E.g
d
ij=
20 2 1 3 4 5 40 60 80 100 Utility(%)When allocated 3 unit bandwidth, drop probability is 20%
Outline
• Problem • Approach
• Experimental Results
Networks
• US Backbone
¾ Large tier1 backbone network in US
¾ ~700 nodes, ~2000 links (1.5Mb/s – 10Gb/s) ¾ 1-minute traffic traces: 07/01/07-09/03/07
• Europe Backbone
¾ Large tier1 backbone network in Europe
¾ ~900 nodes, ~3000 links (1.5Mb/s – 10Gb/s) ¾ 1-minute traffic traces: 07/01/07-09/03/07
Evaluation Methodology
• NS2 Simulation
• Normal traffic: Based on actual traffic demands over 24 hour period for each backbone
• Attack traffic:
¾ US Backbone: highly distributed attack scenario
• Based on commercial anomaly detection systems • From 40% ingress routers to 25% egress routers
¾ Europe Backbone: targeted attack scenario
• Created by synthetic attack flow generator
Packet Loss Rate Comparison
US Europe
• Both PSP schemes greatly reduced packet loss rates
Relative Loss Rate Comparison
US Europe
Behavior Under Scaled Attacks
• Packet drop rate under attack demand scaled by factor up to 3x
• Under PSP, the loss remains small throughout the range !
Summary of Contributions
• Proactive solution for protecting networks that provides a first line of defense when sudden DDoS attacks occur
• Very effective in protecting network traffic from collateral damage
• Not dependent on unauthenticated header information, thus robust to IP spoofing