Tiered Incentives for Integrity Based
Queuing
Fariba Khan, Carl A. Gunter
University of Illinois at Urbana-Champaign
Outline
•
•
•
•
•
Problem setting
Challenges and existing work
Infrastructures for IBQ
Queuing
Analytic and experimental results
2
Internet DDoS Attack
• Finding the source of an attack is
difficult
• It is often difficult to detect an
attack packet
3
Internet DDoS Attack
• Finding the source of an attack is
difficult
• It is often difficult to detect an attack
packet
• Legitimate client has to get through
• Could we make it so that the
magnitude of the attack packet is less
important
4
Head of line blocking
All Eve’s
All Alice’s
•
•
•
•
Fair-queuing
Figure she is the good guy and
skip the long line?
No? Cannot tell if a packet is
from an Alice or Eve
May be give everybody
opportunity to send one
packet
No one gets to send a million
Eve 1
Eve 2
Alice 1
Eve 3
Alice 2
Eve 4
Alice 3
5
Fair-queue: Head of Line Blocking
Eve
Alice 1
Alice 2
Alice 3
Alice 4
Alice 5
Alice 6
Alice 7
6
Performance of Integrity Protection and
Fairness
ns2 Simulation Setup: Depth 10, 1024 clients/flows, 10Mbps links, 102 attackers, 10
Mbps/attacker, Client bandwidth 0.01 Mbps
100
100
Client Packet Success (%)
100
80
60
45
40
20
4.34
3.78
0
No attack,
no defense
Attack,
no defense
Attack,
FQ,
no spoofing
Attack,
FQ,
spoofing
Attack,
FQ,
spoofing (20%)
7
Source Address Validation
• Ingress Filtering: Neither a complete nor verifiable
• IP of a filtered domain can be spoofed
– In the same domain
– From an unfiltered domain
1-4
1,2
1
1
RFC 2827
2
2
1-8
1-8
3,4
3,4
3
3,4
4
1-8
5
1-8
6
1-8
1-8
7
1-8
8
8
Motivation
• Effectiveness of fair-queuing is dependent on accurate
flow classification.
• Even with partial authentication legitimate flows can be
spoofed by the spoofed origin flows.
• As the legitimate flows are choked, an ISP cannot see
the benefit of deploying filtering or an advanced
protocol.
Client: received level of service ∝ participation
9
Concept: Integrity Based Queuing (IBQ)
High
Integrity
• Highly effective queuing
• Each flow gets its own bucket
• Less effective service
Medium • Rate-limited flows
Integrity • Shared buckets
• Generic service
• Rate limited
Low
Integrity • Least priority
10
Cycle of Network Assurance
11
Design
• Integrity Levels
• MAC
• Queue
12
Integrity Levels: Spoofing Index Table
• Strict filtering vs Regular filtering:
– The address range is divided in smaller subdomains
– Spoofing is restricted within that subdomain only
• Example
– In University of Illinois a host can spoof 511 neighboring
addresses within its /23 prefix
– Spoofing index = 9 for University of Illinois or AS3
• Spoofing index table for all autonomous systems available for
routers
BB05
13
MAC
RFC4301, YPS03, YWA05, LLY08, GH09, YL09
14
Queue
Per source high integrity queues
=0
Spoofing
Index ?
>0
Per integrity-block queues
Y
MAC
verified?
N
Low integrity queue
15
Analytic Results
• α >> s >> β
• Spoofing index, i
• Probability that A and B
are in the same domain,
p = 1/232 – i
• Loss rate,
16
Experimental Results
• 2000 clients, 256 AS, 16-512 attackers
• Client rate 64kbps, attacker 64 Mbps
Effort = Integrity level = Success
17
Experimental Results – Example
Traffic VoIP
• 2000 clients, 256
AS, 16-512
attackers
• Client rate 64kbps,
attacker 64 Mbps
18
Experimental Results: Two Attack Styles
FQ, lo integrity
IBQ, hi integrity
IBQ, mid integrity, si = 8, no of attacker increased
IBQ, mid, integrity, only bandwidth increased
Loss Rate
1.0
0.5
0.0
0
10
20
30
Attacker BW (Gbps)
19
Conclusion
• Thesis
– Using IBQ gives legitimate users an avenue to
communicate with a server while the network is under
attack. The service they get directly relates to the effort
their ISP spent for integrity protection and validation thus
incentivizing its investment.
• Future Work
– Experiment with real DDoS attack data
– Overhead Measurement
– Use of IBQ for network assurance
20
Thank You
Questions?
21
22
Other Work
[0] Adaptive Selective Verification: An Efficient Adaptive Countermeasure to Thwart DoS Attacks.
S. Khanna, S. S. Venkatesh, O. Fatemieh, F. Khan, and C. A. Gunter.
(Submission) IEEE Transactions on Network (ToN).
[1] Attribute-Based Messaging: Access Control and Confidentiality.
R. Bobba, O. Fatemieh, F. Khan, A. Khan, C. A. Gunter, H. Khurana, and M. Prabhakaran.
(First three authors in alphabetic order)
IN ACM Transactions on Information and System Security (TISSEC).
[2] Adaptive Selective Verification,
Sanjeev Khanna, Santosh S. Venkatesh, Omid Fatemieh, Fariba Khan, and Carl A. Gunter,
IEEE Conference on Computer Communications (INFOCOM '08), Phoenix, AZ, April 2008.
[3] Using Attribute-Based Access Control to Enable Attribute-Based Messaging,
Rakesh Bobba, Omid Fatemieh, Fariba Khan, Carl A. Gunter, and Himanshu Khurana.
(First three authors in alphabetic order)
IEEE Annual Computer Security Applications Conference (ACSAC '06) , Miami, FL, December 2006.
[4] Using Attribute-Based Access Control to Enable Attribute-Based Messaging.
Fariba Khan
Master's Thesis, University of Illinois, October 2006.
23
Fairness
•1974: The Internet was designed with an
openness
•1989: FQ->active research for congestion control >RED
•1999: FQ-> again for congestion control -> 40Gbps
•2005: FQ-> active research for DDoS defenses
24
Related Work Analysis
•
•
•
•
1024 hosts
33 routers
32 subdomains
Spoofing index: 8 (scaled
down for small topology)
• Links
– 200 Mbps links, 10 ms
delay
– 5% of channel for request
(10 Mbps)
– Bottleneck 1Gbps
– Comparative to 40-100
Gbps Internet links.
• 10% hosts are attackers
• Attack bandwidth 100-700
Mbps
• 50B request from a client
25