SciSpace
Open Access, Posted Content

Practical Verifiable In-network Filtering for DDoS defense

TLDR
This paper proposes a verifiable in-network filtering system, called VIF, that exploits emerging hardware-based trusted execution environments (TEEs) and offers filtering verifiability to DDoS victims and neighboring networks; it suggests that Internet exchange points are good candidates to be early adopters of the authors' verifiable filters.
Abstract
In light of the ever-increasing scale and sophistication of modern DDoS attacks, it is time to revisit in-network filtering, i.e., the idea of empowering DDoS victims to install in-network traffic filters in the upstream transit networks. Recent proposals show that filtering DDoS traffic at a handful of large transit networks can handle volumetric DDoS attacks effectively. However, the in-network filtering primitive can also be misused. Transit networks can use the in-network filtering service as an excuse for arbitrary packet drops made for their own benefit. For example, transit networks may intentionally execute filtering services poorly or unfairly to discriminate against competing neighbor ASes while claiming that they drop packets for the sake of DDoS defense. We argue that this is due to the lack of verifiable filtering: no one can check whether a transit network executes the filter rules correctly as requested by the DDoS victims. To make in-network filtering a more robust defense primitive, in this paper we propose a verifiable in-network filtering system, called VIF, that exploits emerging hardware-based trusted execution environments (TEEs) and offers filtering verifiability to DDoS victims and neighbor ASes. Our proof of concept demonstrates that a VIF filter implementation on commodity servers with TEE support can handle traffic at line rate (e.g., 10 Gb/s) and execute up to 3,000 filter rules. We show that VIF can easily scale to handle larger traffic volumes (e.g., 500 Gb/s) and more complex filtering operations (e.g., 150,000 filter rules) by parallelizing the TEE-based filters. As a practical deployment model, we suggest that Internet exchange points (IXPs) are the ideal candidates to be early adopters of our verifiable filters due to their central locations and flexible software-defined architecture.


Citations
Posted Content

Keystone: An Open Framework for Architecting TEEs

TL;DR: Keystone as mentioned in this paper is an open-source framework for building customized Trusted Execution Environments (TEEs) using simple abstractions provided by the hardware such as memory isolation and a programmable layer underneath untrusted components (e.g., OS).
Posted Content

Elasticlave: An Efficient Memory Model for Enclaves.

TL;DR: This work presents Elasticlave---a new TEE memory model that allows enclaves to selectively and temporarily share memory with other enclaves and the OS, and finds that its performance characteristics and hardware area footprint scale well with the number of shared memory regions it is configured to support.
Proceedings Article

In-Network Filtering of Distributed Denial-of-Service Traffic with Near-Optimal Rule Selection

TL;DR: This paper introduces a new, offer-based operational model for in-network DDoS defense and formulates the NP-hard rule selection problem for this model; it designs an algorithm that overcomes the fundamental limitations of the classical ACO framework and transforms it with several key changes to make it applicable to the domain of in-network DDoS defense.
Journal Article

On Capturing DDoS Traffic Footprints on the Internet

TL;DR: The evaluation shows that PathFinder can significantly improve the efficacy of a DDoS defense system, its PFTrie data structure is fast and has a manageable overhead, and its streaming and zooming mechanisms significantly reduce the delay and overhead in transmitting DDoS footprints.
Proceedings Article

DDOS Defense Strategy in Software Definition Networks

Wenliang Luo, +1 more
TL;DR: The principle of DDOS attack is summarized from the defensive purpose, the attack prevention in software definition network is analyzed, and the source, intermediate network, victim and distributed defense strategies are elaborated.
References
Journal Article

An improved data stream summary: the count-min sketch and its applications

TL;DR: In this paper, the authors introduce a sublinear-space data structure called the count-min sketch for summarizing data streams, which allows fundamental queries in data stream summarization such as point, range, and inner product queries to be answered approximately and very quickly; in addition, it can be applied to solve several important problems in data streams such as finding quantiles, frequent items, etc.
Journal Article

A taxonomy of DDoS attack and DDoS defense mechanisms

TL;DR: This paper presents two taxonomies for classifying attacks and defenses in distributed denial-of-service (DDoS) and provides researchers with a better understanding of the problem and the current solution space.
Journal Article

On inferring autonomous system relationships in the internet

TL;DR: An augmented AS graph representation is proposed that classifies AS relationships into customer-provider, peering, and sibling relationships, and presents heuristic algorithms that infer AS relationships from BGP routing tables.
Proceedings Article

Last-Level Cache Side-Channel Attacks are Practical

TL;DR: This work presents an effective implementation of the Prime+Probe side-channel attack against the last-level cache of GnuPG, and achieves a high attack resolution without relying on weaknesses in the OS or virtual machine monitor or on sharing memory between attacker and victim.
Posted Content

Intel SGX Explained.

TL;DR: In this article, the authors present a detailed and structured presentation of the publicly available information on SGX, along with a series of intelligent guesses about some important but undocumented aspects of SGX.