SENSS Security Service for the Internet Jelena Mirkovic (USC/ISI), Minlan Yu (USC), Ying Zhang (HP Labs), Sivaram Ramanathan (USC) 1 Motivation and Insights 2 Growing DDoS Attacks* Frequent and large *source Arbor Networks 2/3rd of respondents have experienced at least one DDoS attack 400, 602, 750 Gbps attacks 3 Growing BGP Prefix Hijacking* • • • In 2013, hijacking affected 1,500 prefixes, in 150 cities Live interception attacks are on for more than 60 days Traffic from major companies, govs, ISPs diverted *source Renesys 4 Attack Variants • DDoS Direct flood Reflector Crossfire • BGP prefix hijacking – Attacker announces victim’s prefix (origin) or short AS path to the victim (closeness) – Blackholing (drop traffic) or interception (sniff or modify then forward to victim) 5 Attack Mitigation Today • DDoS – Local device does traffic analysis, sometimes DPI (lowvolume and application attacks; cannot handle highvolume or reflected traffic) – Cloud-based defense, traffic goes to cloud for scrubbing (high-volume attacks; takes time to set up, expensive, redirects traffic, special handling for encrypted traffic) • BGP prefix hijacking – BGP anycast (distributes prefix presence; takes time to set up, expensive, needs content replication too) • Most solutions focus on resource replication and withstand attacks 6 SENSS Enables the Victim to • … observe own traffic – Going to the victim’ prefixes – Carrying sources from the victim’s prefixes • … observe own routes – For the victim’s prefixes • … control own traffic – Filter, allow, request bw guarantee • … control own routes – Demote a route that may contain a hijacker or correct it In any willing ISP (even non-neighbor)! Aligns control with ownership of traffic/routes Remote ISP must be able to verify the requestor’s authority for a prefix 7 SENSS 8 Operation • ISPs run SENSS servers • Victim identifies ISPs to interact with using public SENSS directory 1. Lookup SENSS ISPs 2. Query and reply 3. Control SENSS servers Customized SENSS program SENSS directory Attacker SENSS ISP ISP ISP Victim Network 2. Query & reply ISP SENSS servers 3. ControlISP SENSS ISP – Sends to each a query – ISPs authenticate prefix ownership, process query, charge the victim and return replies • Victim decides which control actions to apply and where – Sends messages about this to chosen ISPs – ISPs authenticate prefix ownership, charge the victim, implement requested actions 9 SENSS APIs at ISPs neighbor’s AS number (+ geolocation) • • • • Exposed as Web services – Leverage existing functionalities for robustness (replication), security (HTTPS), charging (e-commerce) Type Fields Action/Reply Traffic query Flow, dir, obs_time List of <tag, dir, volume> Traffic filter/allow Flow, dir, tag, duration Deploy filter/allow actions Route query Prefix List of best paths to prefix Route demote Prefix, segment, duration Demote routes with given segment Message authentication: Proof of authority for a prefix – – – Signed proof that owner of a given public key is authorized to speak for a set of prefixes in the SENSS messages RPKI, extension of SSL certs, … … or manually populate a DB of known customers and prefixes TLS for communication security Victim can delegate a proxy if it cannot communicate itself 10 Example: Isolated Deployment Direct flood V A: traffic_query A V: 1 (D-A), 0.5 (E-A), 5 (F-A), 0.5 (C-A) V A: traffic_filter(tag=F-A, dest=V) Reflector V NATs all DNS traffic through VN, ports 1000-2000 V A: traffic_allow(dest=VN, sport=53, dport=(1000,2000)) 11 V A: traffic_filter(dest=V, sport=53) Example: ISP-Only Deployment S periodically collects traffic reports from A,B,C,D,E,F,G,H Analyzes traffic Detects attack on V Identifies E as ingress router, which sends most of the attack to V Deploys blackholing at E for destination V 12 Example: Sparse Deployment V A, D, G, J, L: traffic_query Assemble the traffic tree from replies V L: traffic_filter(tag=S2-L, dest=V) 13 Deploying SENSS in an ISP 14 What SENSS Can Do For You? • • • Help you defend your customers from DDoS with existing infrastructure Automate DDoS handling within your ISP Help detect and diagnose attacks (separate module) 15 Integrating SENSS With Your ISP • SENSS is a Web application, which can be ran on any Web server within your ISP: – – – • Admin account requires 2-factor authentication Use RPKI or set up DB for proof of authority for a prefix Supply IP addresses of switches SENSS needs traffic/route observation and filtering: – – – For traffic observation: SDN or SNMP For traffic filtering: SDN or Flowspec or ACLs For route observation/filtering: interact with router software (Quagga) 16 Deploying SENSS at a customer 17 What SENSS Can Do For You? • • Help you engage your ISP in attack mitigation in an automated fashion Help detect and diagnose attacks (separate module) 18 Integrating SENSS With Your Network • SENSS client is a stand-alone Python program, which can be ran on any node within your ISP – – – Admin account requires 2-factor authentication The node which runs SENSS must have adequate proof of authority for your prefixes Supply IP address of your ISP’s SENSS server (in isolated deployment) 19 Performance 20 Simulation • On AS topology: – • Legitimate traffic patterns from Edgecast and random attacker distributions Findings: – – – – Early adopters can mitigate 100% of direct floods and reflector attacks for their customers As adoption grows, protection grows for everyone. Higher range of attacks mitigated and higher effectiveness Deployment at any tier helps. But deployment at Tier 1 and Tier 2 is especially effective Most attacks can be mitigated with deployment at just 1–2% of all ISPs, with under 10 sec delay 21 Emulation • On Deterlab testbed (www.deterlab.net) with topologies from Topology Zoo – – – – • 186 switches (OpenVSwitch+Quagga) 1 SDN controller (RYU) 1 SENSS server 1-100 concurrent SENSS clients Response time (including RPKI validation): – – – Up to 4.32 sec for 100 concurrent SENSS queries Up to 24.95 sec for 100 concurrent SENSS control msgs Most attacks are handled within 10 seconds 22 Conclusions 23 Conclusions • Distributed attacks not handled well today – Redundancy to sustain attacks. Cost is still high and attack traffic still clogs the Internet – Smaller businesses can be affected for days • SENSS enables inter-ISP collaboration to detect and mitigate distributed attacks – Useful in a variety of settings – Complements other solutions • Test-drive it on Deterlab or in your network – http://steel.isi.edu/Projects/SENSS/ 24 Thanks for coming! Reach out if interested [email protected] http://steel.isi.edu/Projects/SENSS/ Jelena Mirkovic Minlan Yu Ying Zhang Sivaram Ramanathan
© Copyright 2026 Paperzz