daas : ddos mitigation-as-a-service

DaaS: DDoS Mitigation-as-a-Service

2011 IEEE/IPSJ International Symposium on Applications and the Internet

Author: Soon Hin Khor & Akihiro NakaoSpeaker: 101065511 沈祈恩

1

2

Outline

• INTRODUCTION • DESIGN• ARCHITECTURE• EVALUATION• CONCLUSION

3

Outline


4

INTRODUCTION

• DaaS is a service that protects a server against all 3 types of Distributed Denial-of-Service (DDoS)– Arbitrary packet (Network Layer)– Legit user-mimicking (Application Layer)– Economic attacks (EDDoS).

5

INTRODUCTION

• Most research concur that using widely distributed Internet-edge or core intermediaries that possess more resource than DDoS bots, receive traffic on behalf of a server is an effective technique to overcome the three issues.

6

INTRODUCTION

• For defense against application-layer DDoS, a Proof-of Work (PoW) mechanism empowers legit clients (legits, forshort) to attain differentiated service based on the difficulty of PoW "puzzles" solved.

7

Outline


8

DESIGN

On-Demand Idle Resource Pool :– DaaS’s framework can recruit any existing or

future system/service as an intermediary.– Ex: IRC, Amazon’s S3, forums

9

DESIGN

Ephemeral Initial Channels :– Channels:

a named entity on an intermediary. EX: a channel name on IRC, a storage bucket in S3.

– I-Channel: Ephemeral initial channels.

– C-Channel:Communication channels.

10

DESIGN

Prioritize traffic:– Prioritize existing connection traffic over initial

connection request traffic. – Prioritize among the initial connection requests

using sPoW(self-proof-of-work). Prioritizing by puzzle difficulty.

11

Outline


12

ARCHITECTURE

• DaaS consists of a framework and sPoW.• Implemented as DaaS name servers, client-

side and server-side components

13

ARCHITECTURE

14DaaS utilizes highly scalable Cloud #1 as a metered intermediary to protect a metered-server in Cloud #2.

15

A client that wants to contact the server performs a DNS resolution to obtain the location of the client-side component on the CDN

16

Proceeds to download it together with the server-side component’s public key embedded in its SSL certificate

17

The client-side component then performs a DaaS name resolution, specifying the server host name and the puzzle difficulty, k, to obtain a crypto-puzzle for the server.

18

The DaaS name server forwards the puzzle request to the server-side puzzle generator

19

The server side component randomly creates an ephemeral i-channel

20

Server encrypts the channel details and sends back both the encrypted details and the encryption key with k bits undisclosed as the crypto-puzzle.

21

The client-side component brute-forces and recovers the i-channel details, submits an initial connection request includes a randomly generated secret key, encrypted using the server-side component’s public key through i-channel.

22

If the initial connection request is not handled within a timeout period, it can request for a more difficult crypto-puzzle and re-submit the connection request through the higher priority i-channel.

23

The server-side component receives the initial connection request

24

Server creates a c-channel

25

Server encrypts the channel details using the client generated secret key and sends the information back to the client-side component

26

Server also informs the name server to invalidate the cached puzzle associated with that consumed i-channel.

27

ARCHITECTURE

Hide DaaS server detail:– Using intermediary and multipath stack of

client/server side component.

28

ARCHITECTURE

Enable any system/service to be used as an intermediary:– Using different intermediary plug-in to enable

communication between client and server.

29

ARCHITECTURE

sPoW Threats :– Puzzle Generation Resource Exhaustion:

Bots request a lot of puzzles without solving them. leads to:1. processing power exhaustion2. network connectivity exhaustion

– Solution:Channel Sharing.

30

ARCHITECTURE

sPoW Threats :– PoW Violation with Channel Sharing:

Clients can obtain high priority service by reusing high priority channels discovered by others.

– Solution:Only the quickest puzzle solver being successful in connection request submission.

31

ARCHITECTURE

sPoW Threats :– Puzzle Level Inflation:

attckers can inflate puzzle difficulty by repeatedly requesting for the most difficult puzzles results in clients having to solve unnecessarily high-level puzzles to submit connection

– Solution:requires the algorithm to track puzzle resolution capacity of the user-base (legits and bots) within a designated period.

32

ARCHITECTURE

Puzzle Level Inflation:– Detecting algorithm:

if the sum of required capacity to solve all open puzzles in the current period exceeds the user-base puzzle resolution capability estimated in the last period—a possible attack indicator.

33

• C: Server capacity for i-channle handling• rt: capacity required to solve all unique puzzles for open i-

channels in the current period.• st-1: estimated user-base capacity in the previous period.• k_lowest: the lowest protection level of the channel

34

Outline


35

Average transmission time of various file sizes through different intermediary types

36

Average transmission time of various file sizes through I3 and IRC when different percentages of multipaths fail due to congestion.

37

Tardiness=

38

Tardiness=

39

Outline


40

CONCLUSION

• Contribution:Employs sPoW, a unique scheme to enable legits to compete and reduce indistinguishable DDoS.

• Advantage:1. Shield the location of server2. sPoW frees a server from traffic verification burden.

• Disadvantage:1. Didn’t give a clear explanation of how to utilize systems as intermediaries.2. Have to implements many kinds of intermediaries plug-in.3. Clients have to install many plug-in of intermediaries.4. Cost burden to other system/service.

Thank youQ&A

41

daas : ddos mitigation-as-a-service

Documents

server host

puzzle request

ephemeral ichannel20

initial connection requests

ichannel details

puzzle difficulty

existing connection

puzzle generator19