Me Love (SYN-)Cookies: SYN Flood Mitigation in Programmable Data Planes

The SYN flood attack is a common attack strategy on the Internet that tries to overload services with connection requests, leading to a Denial-of-Service (DoS). Highly asymmetric costs for connection setup, which put the main burden on the attacked host, make SYN flooding an efficient and popular DoS attack strategy. Abusing the widely used TCP as an attack vector complicates the detection of malicious traffic and its prevention by naive connection-blocking strategies. Modern programmable data plane devices are capable of handling traffic in the 10 Gbit/s range without overloading. We discuss how we can harness their performance to defend entire networks against SYN flood attacks. To that end, we analyze two defense strategies, SYN authentication and SYN cookies, and discuss implementation difficulties when porting them to different target data planes: software, network processors, and FPGAs. We provide prototype implementations and performance figures for all three platforms. Further, we fully disclose the artifacts leading to the experiments described in this work.
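As an added illustration (not code from the paper or its published artifacts), a minimal stateless SYN cookie in Python: the server's ISN carries a coarse timestamp, a truncated MAC over the connection tuple, and an MSS index, so the defender keeps no per-connection state until the client's ACK proves the handshake is genuine. The field layout, the constants and the use of HMAC-SHA-256 are assumptions chosen for illustration.

```python
import hmac
import hashlib
import struct

# Constructed example values; a real deployment derives the secret at boot.
SECRET = b"demo-secret-replace-in-production"
MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values encodable in the low 2 bits
COOKIE_WINDOW = 2                     # accepted cookie age, in 64-second slots


def _mac(saddr, daddr, sport, dport, client_isn, slot):
    """Keyed hash over the 4-tuple, client ISN and time slot (22-bit truncation)."""
    msg = struct.pack("!4s4sHHII", saddr, daddr, sport, dport, client_isn, slot)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x3FFFFF


def mss_index(mss):
    """Largest table entry not exceeding the client's advertised MSS."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i
    return idx


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, now):
    """Server ISN for the SYN-ACK: [slot:8][mac:22][mss_idx:2]."""
    slot = (now // 64) & 0xFF
    mac = _mac(saddr, daddr, sport, dport, client_isn, slot)
    return (slot << 24) | (mac << 2) | mss_index(mss)


def check_cookie(saddr, daddr, sport, dport, seq, ack, now):
    """Validate the third-handshake ACK; return the negotiated MSS or None."""
    cookie = (ack - 1) & 0xFFFFFFFF      # client acknowledges our ISN + 1
    client_isn = (seq - 1) & 0xFFFFFFFF  # client's seq is its ISN + 1
    slot = cookie >> 24
    cur = (now // 64) & 0xFF
    if ((cur - slot) & 0xFF) > COOKIE_WINDOW:
        return None  # stale cookie or forged time slot
    if (cookie >> 2) & 0x3FFFFF != _mac(saddr, daddr, sport, dport, client_isn, slot):
        return None  # MAC mismatch: not an ACK for a SYN-ACK we sent
    return MSS_TABLE[cookie & 3]
```

Only connections whose ACK passes `check_cookie` are forwarded to the protected server, so spoofed SYNs that never complete the handshake consume no server-side state.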
