Withstanding Multimillion-Node Botnets

Colin Dixon
Arvind Krishnamurthy, Tom Anderson

Affiliates Day, 2007

Botnets

A botnet is a large group of infected computers controlled by a hacker

Used to:
- Send spam
- Steal personal information
- Launch DDoS attacks
  - Extortion/protection rackets
  - Attack rivals

Botnets are Big

Total bots:
- 6 million [Symantec]
- 150 million [Vint Cerf]

Single botnets have numbered 1.5 million

Average upload bandwidth: 3 Mb/s
Back of the envelope: 4.5-450 Tb/s (1.5 million to 150 million bots at 3 Mb/s each)

Enough to flood many core links and small-to-medium ISPs

How DoS Works

(animated diagram slides; no text in the transcript)

Our Approach

- A swarm of machines forwards traffic
- The destination explicitly requests each packet
- An attack must take down all mailboxes, and thus all paths

Mailboxes

A large number of machines offer to carry traffic for certain destinations

Rather than immediately forward it, they buffer traffic until a request is received

This building block provides two key advantages:
- Filtering logic is left at the destination
- The system as a whole is fail-stop

The Mailbox

(diagram slide; no text in the transcript)

Many Mailboxes

- Send traffic randomly among mailboxes
- A botnet can take down one mailbox
- But communication continues
- Diluted attacks against all mailboxes fail
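The mailbox building block and the "many mailboxes" argument above, as an added toy model that is not code from the talk or its authors. Mailboxes buffer per destination and only release packets when the destination pulls them; the client sprays packets uniformly across mailboxes without knowing which are down; an attacker with a fixed bandwidth budget can either concentrate it (taking down a few boxes) or dilute it (taking down none). The capacity numbers, the "a box dies when load meets capacity" rule and the names are assumptions for illustration.

```python
"""Toy model of mailbox-based forwarding: mailboxes buffer packets until the
destination explicitly requests them, the client sprays packets randomly
across mailboxes, and an attacker can only take a mailbox down by exceeding
its capacity. All numbers are constructed for illustration."""
import random
from collections import defaultdict, deque


class Mailbox:
    """A forwarding node that buffers traffic per destination and only
    releases it when the destination asks (no push forwarding)."""

    def __init__(self, name, capacity):
        self.name = name
        self.capacity = capacity          # attack load at which the box falls over (assumed)
        self.alive = True
        self.buffer = defaultdict(deque)  # destination -> queued packets

    def deposit(self, dest, packet):
        """Client side: hand a packet to the mailbox; lost if the box is down."""
        if not self.alive:
            return False
        self.buffer[dest].append(packet)
        return True

    def request(self, dest, count):
        """Destination side: explicitly pull up to `count` buffered packets."""
        if not self.alive:
            return []
        queue = self.buffer[dest]
        return [queue.popleft() for _ in range(min(count, len(queue)))]

    def flood(self, load):
        """Attacker side: the box dies only if the load aimed at it meets capacity."""
        if load >= self.capacity:
            self.alive = False


def attack(mailboxes, total_bandwidth, concentrate):
    """Spend `total_bandwidth` of attack traffic either concentrated on as few
    mailboxes as possible or diluted evenly across all of them.
    Returns the number of mailboxes taken down."""
    if concentrate:
        remaining = total_bandwidth
        for box in mailboxes:
            if remaining < box.capacity:
                break
            box.flood(box.capacity)
            remaining -= box.capacity
    else:
        share = total_bandwidth / len(mailboxes)
        for box in mailboxes:
            box.flood(share)
    return sum(1 for box in mailboxes if not box.alive)


def deliver(mailboxes, dest, n_packets, seed=0):
    """Client sprays n_packets uniformly over all mailboxes (it cannot tell
    which are down); the destination then requests from every mailbox.
    Returns the fraction of packets that reached the destination."""
    rng = random.Random(seed)
    for seq in range(n_packets):
        rng.choice(mailboxes).deposit(dest, seq)
    received = []
    for box in mailboxes:
        received.extend(box.request(dest, n_packets))
    return len(set(received)) / n_packets


def scenario(n_mailboxes=10, capacity=100, attack_bandwidth=250, concentrate=True):
    """Run one attack, then measure delivery. Returns (boxes_killed, delivered_fraction)."""
    boxes = [Mailbox(f"mbox{i}", capacity) for i in range(n_mailboxes)]
    killed = attack(boxes, attack_bandwidth, concentrate)
    return killed, deliver(boxes, "server", 1000)


if __name__ == "__main__":
    print("concentrated attack:", scenario(concentrate=True))
    print("diluted attack:     ", scenario(concentrate=False))
```

With ten boxes of capacity 100 and an attacker worth 250, concentrating kills two boxes and delivery drops to roughly 80%, while diluting kills none and delivery stays at 100%; only an attacker worth the whole set's capacity (2000 here) silences the destination, which is the "must down all mailboxes" property.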

Remaining Details

- Attackers can ignore the mailboxes and just attack the server (Filtering Ring)
- Before a connection starts, the server has no idea which packets to request (General Requests)

Filtering Ring

- Keeps a list of requested packets
- Drops all unrequested packets
- Protects thin access links
- Deployed in depth to counter "insider attacks"

General Requests

First packets are unexpected => the server can't request them

The filtering ring prevents unrequested packets from reaching the server

Solution: issue some small number of general requests to the mailboxes
- Allow "first packets" through the filtering ring
- Provides admission control
- Limit access by auth tokens and crypto-puzzles

Complete System

1. Look up the mailboxes for a server in a distributed name service (CoDoNS)
2. Contact one mailbox for a puzzle
3. Present a solution and wait
4. The mailbox forwards the solution to the server
5. The server responds and begins to request packets
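The connection setup above (general requests, crypto-puzzle admission control, and the filtering ring that passes only requested packets), as an added toy model that is not code from the talk or its authors. The puzzle is a SHA-256 leading-zero-bits proof of work, the filtering ring is a set of requested (flow, seq) ids plus a small budget of "first packets", and the server verifies the forwarded solution itself, so it never has to trust a mailbox. The hash-puzzle construction, the message shapes, the window size and the budget of one general request are assumptions for illustration.

```python
"""Toy model of connection setup: a mailbox hands out a hash puzzle, the client
solves it, the solution travels as a "first packet" through the filtering
ring's small general-request budget, and the server then requests every
further packet explicitly. Puzzle and message formats are assumptions."""
import hashlib
import secrets


def issue_puzzle(difficulty_bits, nonce=None):
    """Mailbox side: a fresh random nonce plus the required leading-zero bits."""
    return {"nonce": nonce or secrets.token_hex(8), "bits": difficulty_bits}


def verify_solution(puzzle, solution):
    """SHA-256(nonce ':' solution) must start with `bits` zero bits."""
    digest = hashlib.sha256(f"{puzzle['nonce']}:{solution}".encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - puzzle["bits"]) == 0


def solve_puzzle(puzzle):
    """Client side: brute-force the smallest counter that satisfies the puzzle."""
    solution = 0
    while not verify_solution(puzzle, solution):
        solution += 1
    return solution


class FilteringRing:
    """Upstream filter: passes a packet only if the server requested its id, or
    if it is a first packet and a general request is still outstanding."""

    def __init__(self, general_requests):
        self.general_budget = general_requests  # "first packets" still allowed
        self.requested = set()                  # (flow, seq) ids the server asked for

    def add_request(self, flow, seq):
        self.requested.add((flow, seq))

    def admit(self, packet):
        if packet["kind"] == "first":
            if self.general_budget <= 0:
                return False
            self.general_budget -= 1
            return True
        key = (packet["flow"], packet["seq"])
        if key in self.requested:
            self.requested.discard(key)  # one request covers exactly one packet
            return True
        return False


class Server:
    """Verifies the forwarded puzzle solution, then asks for a window of packets."""

    def __init__(self, ring, window=4):
        self.ring = ring
        self.window = window
        self.flows = {}
        self.received = []

    def on_first_packet(self, packet, puzzle):
        if not verify_solution(puzzle, packet["solution"]):
            return None
        flow = len(self.flows) + 1
        self.flows[flow] = 0
        for seq in range(self.window):          # explicit requests, installed in the ring
            self.ring.add_request(flow, seq)
        return flow

    def on_data(self, packet):
        self.received.append((packet["flow"], packet["seq"]))


def run_handshake(difficulty_bits=12, flood_packets=50, nonce=None):
    """Full exchange, then an attacker who bypasses the mailboxes. Returns counters."""
    ring = FilteringRing(general_requests=1)
    server = Server(ring, window=4)
    puzzle = issue_puzzle(difficulty_bits, nonce)                # client <- mailbox
    first = {"kind": "first", "solution": solve_puzzle(puzzle)}  # client -> mailbox -> ring
    flow = server.on_first_packet(first, puzzle) if ring.admit(first) else None

    # The client sends 8 packets, but the server only asked for the first 4.
    accepted = 0
    for seq in range(8):
        pkt = {"kind": "data", "flow": flow, "seq": seq}
        if ring.admit(pkt):
            server.on_data(pkt)
            accepted += 1

    # Attacker ignores the mailboxes: unrequested data and bogus first packets.
    dropped = 0
    for i in range(flood_packets):
        kind = "first" if i % 2 else "data"
        pkt = {"kind": kind, "flow": flow, "seq": 1000 + i, "solution": 0}
        if not ring.admit(pkt):
            dropped += 1
    return {"flow": flow, "accepted": accepted,
            "flood_sent": flood_packets, "flood_dropped": dropped}
```

The single general request is consumed by the legitimate first packet, so every later bogus "first" packet and every unrequested data packet is dropped at the ring before it touches the server's access link; raising the general-request budget trades admission latency under load against how many unverified first packets the ring lets through.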

Key Features

Unilaterally deployable
- Pay Akamai for mailboxes
- Pay the upstream ISP to install the filtering ring

Server is in complete control
- Explicitly asks for each packet
- Is not required to trust any given mailbox

System is fail-stop

Latency

(results graph; not reproduced in the transcript)

DoS Resilience

- Established connection
- Attack kills some mailboxes
- "Goodput" decreases
- Client sends faster (more redundantly) to compensate

(results graph; not reproduced in the transcript)
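The compensation step above, as an added worked model that is not code from the talk or its authors. It assumes the client sends each packet to r distinct, uniformly chosen mailboxes and that a packet is lost only when every copy lands on a dead mailbox, so the loss probability is C(dead, r) / C(n, r); the first function works that out, the second finds the smallest r for a target goodput, and the third is a simple feedback sender that, seeing only acks, raises r after every window whose goodput falls short. The loss model, the window size and the controller are assumptions for illustration.

```python
"""Redundant sending over a partly dead mailbox set: the client sends each
packet to r distinct mailboxes and raises r until measured goodput recovers.
Loss model (lost only if every copy hit a dead box) and controller are
assumptions for illustration."""
import math
import random


def loss_probability(n_mailboxes, n_dead, redundancy):
    """P(all r copies hit dead mailboxes) when r distinct boxes are chosen uniformly."""
    r = min(redundancy, n_mailboxes)
    if r > n_dead:
        return 0.0          # more copies than dead boxes: one copy always survives
    return math.comb(n_dead, r) / math.comb(n_mailboxes, r)


def redundancy_needed(n_mailboxes, n_dead, target_goodput):
    """Smallest r whose expected goodput (1 - loss) meets the target."""
    for r in range(1, n_mailboxes + 1):
        if 1.0 - loss_probability(n_mailboxes, n_dead, r) >= target_goodput:
            return r
    return n_mailboxes


def adaptive_sender(n_mailboxes, n_dead, target_goodput=0.99, window=500, seed=0):
    """Send windows of packets; the client sees only acks, so it bumps r whenever
    a window's goodput falls short. Returns one (redundancy, goodput) pair per window."""
    rng = random.Random(seed)
    dead = set(rng.sample(range(n_mailboxes), n_dead))   # killed by the attack
    r = 1
    trace = []
    while True:
        delivered = 0
        for _ in range(window):
            copies = rng.sample(range(n_mailboxes), min(r, n_mailboxes))
            if any(box not in dead for box in copies):
                delivered += 1       # at least one copy reached a live box
        goodput = delivered / window
        trace.append((r, goodput))
        if goodput >= target_goodput or r >= n_mailboxes:
            return trace
        r += 1


if __name__ == "__main__":
    for n_dead in (0, 3, 6):
        print(f"{n_dead} dead of 10 -> r needed = {redundancy_needed(10, n_dead, 0.99)},",
              "final window:", adaptive_sender(10, n_dead)[-1])
```

With 3 of 10 mailboxes dead, a single copy yields about 70% goodput, two copies about 93%, and three copies pass 99%; the adaptive sender reaches the same region from acks alone, at the cost of r times the client's upload bandwidth, which is the "send faster" trade-off the graph shows.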

Conclusions

We have presented a system to mitigate Denial of Service attacks which can be unilaterally deployed today

Performance is reasonable with few optimizations; there is still room for improvement

Can scale to deal with the massive botnets of today and tomorrow

Questions?