Mitigating denial-of-service flooding attacks with source authentication

Denial-of-Service (DoS) flooding attacks have become a serious threat to the reliability of the Internet. For instance, a report published by Arbor Networks reveals that the largest DoS flooding attack observed in 2010 reached 100 Gbps in attack traffic volume. Defending against DoS flooding attacks is significantly complicated by the fact that the Internet lacks accountability at the network layer: it is very difficult, if not impossible, for the receiver of an IP packet to associate the packet with its real sender, because the sender is free to craft any part of the packet. This dissertation proposes to mitigate DoS flooding attacks with a two-step process: first, establish accountability at the network layer; second, use that accountability to mitigate the attacks efficiently and scalably. It proposes Passport, a source authentication system that enables any router forwarding a packet to cryptographically verify the packet's source Autonomous System (AS). Passport uses symmetric-key cryptography to enable high-speed verification and piggybacks its key exchange on the inter-domain routing system, for efficiency and for independence from non-routing infrastructure. On top of Passport, this dissertation proposes NetFence, a DoS flooding attack mitigation system that provides two levels of protection: if a victim can receive and identify the attack traffic, it can throttle that traffic close to the attack sources; otherwise, the attack traffic cannot be eliminated, but it cannot consume more than the attack sources' fair shares of the capacity of any bottleneck link. NetFence achieves these goals by placing unforgeable congestion policing feedback in each packet. The feedback lets bottleneck routers convey congestion information back to the access routers, which police the traffic accordingly. A destination host can throttle unwanted traffic by not returning the feedback to the source host.
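The Passport idea in the abstract, that a forwarding router can verify a packet's source AS with symmetric-key cryptography, is illustrated by the following model. It is an added example, not code from the dissertation or the Passport prototype: the four-AS path, the pairwise keys generated at setup (Passport derives its keys through the routing system; this example skips that and simply generates them), the choice of fields covered by the MAC, and the 8-byte truncated tag are all assumptions of the example. The verifier at each transit AS recomputes the tag with the key it shares with the claimed source AS, so a packet that claims another AS as its source, or that was altered after stamping, is dropped at the first router that checks it.

```python
import hashlib
import hmac
import secrets

# Constructed topology (assumed for this example): a packet from AS 1 crosses
# AS 2 and AS 3 to reach AS 4. Every pair of ASes shares a symmetric key.
# Passport obtains such keys via values piggybacked on inter-domain routing;
# generating them directly at setup is a simplification of this example.
PATH = [1, 2, 3, 4]
MAC_LEN = 8  # truncated tag, sized like a per-hop header field (assumption)


def setup_pairwise_keys(ases):
    """Return {as_number: {peer_as: key}}; each AS sees only its own key ring."""
    shared = {}
    for a in ases:
        for b in ases:
            if a < b:
                shared[(a, b)] = secrets.token_bytes(16)
    return {a: {b: shared[(min(a, b), max(a, b))] for b in ases if b != a}
            for a in ases}


def invariant_fields(pkt):
    """Bytes covered by the MAC: only fields that do not change in transit
    (mutable fields such as TTL are deliberately left out)."""
    return b"|".join([
        pkt["src_ip"].encode(), pkt["dst_ip"].encode(),
        hashlib.sha256(pkt["payload"]).digest(),
    ])


def stamp(my_keys, claimed_src_as, pkt, path):
    """Border router of the sending AS attaches one tag per downstream AS,
    keyed with the secret *it* shares with that AS. A host in some other AS
    can run this too, but only with that other AS's key ring."""
    fields = invariant_fields(pkt)
    macs = {}
    for transit_as in path[1:]:
        macs[transit_as] = hmac.new(my_keys[transit_as], fields,
                                    "sha256").digest()[:MAC_LEN]
    return {**pkt, "src_as": claimed_src_as, "macs": macs}


def verify_at(my_as, my_keys, pkt):
    """A transit router recomputes its tag with the key it shares with the
    *claimed* source AS. A spoofed source AS or an altered covered field
    makes the tag mismatch."""
    key = my_keys.get(pkt["src_as"])
    if key is None or my_as not in pkt["macs"]:
        return False
    expected = hmac.new(key, invariant_fields(pkt), "sha256").digest()[:MAC_LEN]
    return hmac.compare_digest(expected, pkt["macs"][my_as])


def forward(keyrings, pkt, path):
    """Walk the path; return the AS that dropped the packet, or None if it
    reached the destination AS."""
    for hop in path[1:]:
        if not verify_at(hop, keyrings[hop], pkt):
            return hop
    return None


def passport_demo():
    keyrings = setup_pairwise_keys(PATH)
    pkt = {"src_ip": "10.1.0.5", "dst_ip": "10.4.0.9", "payload": b"hello"}

    # Legitimate: AS 1 stamps its own packet along the full path.
    good = stamp(keyrings[1], 1, pkt, PATH)
    # Spoofed: a host behind AS 3 claims AS 1 as source, but AS 3's border
    # only holds AS 3's keys; its packet reaches AS 4 directly.
    forged = stamp(keyrings[3], 1, pkt, [3, 4])
    # Tampered: a valid stamp, but the payload was modified after stamping.
    tampered = {**good, "payload": b"hellp"}
    return (forward(keyrings, good, PATH),      # None: accepted everywhere
            forward(keyrings, forged, [3, 4]),  # 4: dropped at AS 4
            forward(keyrings, tampered, PATH))  # 2: dropped at first check
```

Verification here costs one HMAC per packet per router, which is the property the abstract attributes to symmetric-key cryptography; a router never needs the per-packet state or public-key operations that traceback or signature schemes would require.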
We implemented prototypes of Passport and NetFence in both the ns-2 simulator and Linux, and a prototype of Passport on a NetFPGA board. Our evaluation of the prototypes, together with our security and theoretical analysis, demonstrates that both Passport and NetFence are practical for high-speed router implementation and can mitigate a wider range of attacks more scalably than previous work.
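The NetFence mechanism the abstract describes, unforgeable congestion policing feedback that bottleneck routers write into packets, access routers act on, and destinations can withhold, is modelled below. This is an added example and not the dissertation's or the NetFence prototype's code: the two feedback states "nop" and "mon", the single key shared between the access router and the bottleneck router (NetFence could obtain one through Passport; here it is generated directly), the feedback fields, and the rate-halving response are assumptions of the example. The point it makes is that a sender cannot launder a "mon" mark back into "nop", because the tag no longer verifies, and that a destination throttles a sender simply by not echoing the feedback.

```python
import hmac
import secrets
import time

# Constructed setup (assumed): the sender's access router and the bottleneck
# router share one symmetric key. Feedback carried in each packet is either
# "nop" (no congestion observed) or "mon" (a congested link was crossed).
SHARED_KEY = secrets.token_bytes(16)
TAG_LEN = 8


def tag(key, *parts):
    """Truncated HMAC over the feedback fields; all parts are bytes."""
    return hmac.new(key, b"|".join(parts), "sha256").digest()[:TAG_LEN]


def access_issue(flow_id, key=SHARED_KEY):
    """Access router stamps fresh 'nop' feedback into an outgoing packet."""
    ts = str(int(time.time())).encode()
    fb = {"flow": flow_id, "state": "nop", "link": b"", "ts": ts}
    fb["tag"] = tag(key, flow_id, b"nop", b"", ts)
    return fb


def bottleneck_mark(fb, link_id, congested, key=SHARED_KEY):
    """A bottleneck router overwrites the feedback when its link is congested.
    The tag is recomputed under the shared key, so no host on the return
    path can undo the mark without being detected."""
    if not congested:
        return fb
    marked = {**fb, "state": "mon", "link": link_id}
    marked["tag"] = tag(key, fb["flow"], b"mon", link_id, fb["ts"])
    return marked


def feedback_valid(fb, key=SHARED_KEY):
    expected = tag(key, fb["flow"], fb["state"].encode(), fb["link"], fb["ts"])
    return hmac.compare_digest(expected, fb["tag"])


def access_police(returned_fb, allowed_rate, key=SHARED_KEY):
    """Access router decides how to treat the sender's next packets from the
    feedback the destination echoed back (or did not). Returns (action, rate)."""
    if returned_fb is None:
        # Destination withheld the feedback: the traffic is unwanted; drop it.
        return ("drop", 0)
    if not feedback_valid(returned_fb, key):
        # Altered or forged feedback: treat it as missing.
        return ("drop", 0)
    if returned_fb["state"] == "mon":
        # Congestion reported on returned_fb["link"]: enforce a fair-share
        # limit. Halving the rate is this example's assumption, not NetFence's
        # exact policy.
        return ("limit", allowed_rate / 2)
    return ("allow", allowed_rate)


def netfence_demo():
    flow = b"10.1.0.5->10.4.0.9"  # constructed flow identifier
    issued = access_issue(flow)
    marked = bottleneck_mark(issued, b"link-3-4", congested=True)
    # A sender rewrites the echoed 'mon' feedback back to 'nop'.
    laundered = {**marked, "state": "nop", "link": b""}
    return (
        access_police(issued, 100.0),     # ("allow", 100.0)
        access_police(marked, 100.0),     # ("limit", 50.0)
        access_police(laundered, 100.0),  # ("drop", 0): tag mismatch
        access_police(None, 100.0),       # ("drop", 0): feedback withheld
    )
```

The policing decision lives at the access router, close to the source, which is what lets a victim that can identify attack traffic throttle it near its origin rather than at the already-saturated bottleneck; a victim that cannot identify it still benefits, since the "mon" feedback caps every source at its share of the congested link.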
