Ripple: A Programmable, Decentralized Link-Flooding Defense Against Adaptive Adversaries

Link-flooding attacks (LFAs) aim to cut off an edge network from the Internet by congesting core network links. Such an adversary can further change the attack strategy dynamically (e.g., target links, traffic types) to evade mitigation and launch persistent attacks. We develop Ripple, a programmable, decentralized link-flooding defense against dynamic adversaries. Ripple can be programmed using a declarative policy language to emulate a range of state-of-the-art SDN defenses, but it enables the defenses to shapeshift on their own without a central controller. To achieve this, Ripple develops new defense primitives in programmable switches, which are configured by the policy language to implement a desired defense. The Ripple compiler generates a distributed set of switch programs to extract a panoramic view of attack signals and act against them in a fully decentralized manner, enabling successive waves of defenses against fast-changing attacks. We show that Ripple has low overheads, and that it can effectively recover traffic throughput where SDN-based defenses fail.
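The abstract describes the shape of the defense but not its mechanics. The following toy simulation is an added illustration by the editor, not Ripple's code, policy language or switch primitives: each switch measures load only on the links it owns, the per-switch reports are merged into one network-wide view, and every switch then throttles only the flows entering at its own ingress. Because all switches act on the same merged view they reach consistent decisions with no controller, and when the constructed adversary re-aims its bots at a different link the next round detects and throttles the new target. The topology, capacities, 90% detection threshold, 80% mitigation target and the uniform rate scaling are all assumptions of this example.

```python
# Added illustration: a toy, decentralized link-flooding defense loop.
# Constructed example, not Ripple's code, policy language or switch primitives.
from collections import defaultdict
from dataclasses import dataclass, field

CONGEST_AT = 0.9   # a link counts as flooded above 90% utilization (assumed threshold)
TARGET = 0.8       # mitigation drives a flooded link back to 80% (assumed target)


@dataclass
class Flow:
    src: str
    path: list        # ordered link ids the flow traverses
    rate: float       # current sending rate, Mb/s (constructed units)


@dataclass
class Switch:
    name: str
    links: dict                                   # link id -> capacity, for links this switch owns
    ingress: list = field(default_factory=list)   # flows that enter the network at this switch

    def local_report(self, flows):
        """Attack signal measured locally: load on each link this switch owns."""
        load = defaultdict(float)
        for f in flows:
            for link in f.path:
                if link in self.links:
                    load[link] += f.rate
        return {link: (load[link], cap) for link, cap in self.links.items()}

    def enforce(self, congested):
        """Decentralized action: throttle only flows entering here, using the shared view."""
        for f in self.ingress:
            hit = [l for l in f.path if l in congested]
            if hit:
                # Same view on every switch -> same scale factor, no controller needed.
                # Uniform scaling also hits the legitimate flow; a real defense would
                # separate attack sources from legitimate ones before throttling.
                f.rate *= min(TARGET * congested[l][1] / congested[l][0] for l in hit)


def panoramic_view(reports):
    """Merge per-switch reports into one network-wide view (the gossip step)."""
    view = {}
    for r in reports:
        view.update(r)
    return view


def defense_round(switches, flows):
    """One detect-then-act round. Returns the set of links judged congested."""
    view = panoramic_view(sw.local_report(flows) for sw in switches)
    congested = {l: v for l, v in view.items() if v[0] > CONGEST_AT * v[1]}
    for sw in switches:
        sw.enforce(congested)
    return set(congested)


def build_scenario():
    """Constructed topology: three core links, one legitimate flow, eight bots."""
    s1 = Switch("S1", {"A": 100.0})
    s2 = Switch("S2", {"B": 100.0})
    s3 = Switch("S3", {"C": 100.0})
    good = Flow("good", ["A", "B"], 20.0)
    bots = [Flow(f"bot{i}", ["A", "C"], 10.0) for i in range(8)]   # 80 Mb/s aimed at link A
    s1.ingress = [good] + bots
    return [s1, s2, s3], [good] + bots


def shift_target(flows, bots_from, new_ingress, new_path):
    """Adaptive adversary: re-aim the bots at a different link, at full rate again."""
    bots = [f for f in flows if f.src.startswith("bot")]
    for f in bots:
        f.path, f.rate = list(new_path), 10.0
    bots_from.ingress = [f for f in bots_from.ingress if f not in bots]
    new_ingress.ingress.extend(bots)


def run_demo():
    """Returns the congested-link set seen in each of four rounds."""
    switches, flows = build_scenario()
    s1, s2, _ = switches
    seen = [defense_round(switches, flows), defense_round(switches, flows)]
    shift_target(flows, s1, s2, ["B"])     # attacker moves from link A to link B
    seen += [defense_round(switches, flows), defense_round(switches, flows)]
    return seen


if __name__ == "__main__":
    print(run_demo())   # [{'A'}, set(), {'B'}, set()]
```

Round one flags link A (100 Mb/s on a 100 Mb/s link) and S1 alone throttles its ingress flows to bring A to 80 Mb/s; round two sees nothing. After the bots move to link B at full rate, round three flags B and S2 throttles them, with S1 scaling the legitimate flow by the same factor because it also crosses B; round four is again quiet. The point the abstract makes is visible here: detection signals are gathered where they occur, and each switch acts on its own traffic from a shared view, so the defense follows the attacker's shift without a central controller issuing rules.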
