SENSS: Security Service for the Internet


Members and Collaborators

Motivation


Arbor Networks

Growing DDoS Attacks and BGP attacks

  • Arbor Networks reported that DDoS attacks in 2014 were 8 times those of 2012
  • It has been reported that 71% of data centers have experienced a DDoS attack
  • In 2013, BGP prefix hijacking affected 1,500 prefixes in 150 cities
  • Some cases involved live interception attacks lasting more than 60 days
  • In this time period, traffic from major companies, governments and ISPs was diverted

  • The best locations for diagnosis and mitigation are often far from the victim, but the victim can neither observe nor control traffic and routes at these locations. For example, in a reflector attack the public servers see the spoofed requests but do not know (or care) that they are spoofed, while the victim struggles to separate legitimate from attack traffic.






    SENSS


    SENSS - software-defined security service - is a framework that enables a victim network to request services from remote ISPs for traffic that carries source IPs or destination IPs from this network's address space. These services range from statistics gathering, to filtering or quality-of-service guarantees, to route reports or modifications. The SENSS service has very simple, yet powerful, interfaces. This enables it to handle a variety of data-plane and control-plane attacks, while being easily implementable in today's ISPs. Through extensive evaluations on realistic traffic traces and Internet topology, we show how SENSS can be used to quickly, safely and effectively mitigate a variety of large-scale attacks that are largely unhandled today.


    What does SENSS offer to the Victim?

    How does SENSS work?

    Demo


    We demonstrate SENSS detecting a direct flood with signature attack under two scenarios.


    SENSS Proxy

    This demo consists of a 120-node AS-level topology emulated on DeterLab. The SENSS client at LBMC constantly fingerprints its traffic using traffic_query commands. In this demo we use 880 attack and 240 legitimate traffic sources. There are two rounds of attack: during the first, the SENSS client at LBMC is able to send an add_filter message to the SENSS server at ARPNET; during the second round of larger attacks, the SENSS client delegates its control to the SENSS proxy at ICN, as it is no longer able to communicate with any of the SENSS servers. The proxy at ICN then sends add_filter messages to the SENSS servers at ARPNET and EQUINIX.


    0.8 Tbps attack

    This demo consists of 13 servers with Netronome Agilio NICs, each generating 40 Gbps to 80 Gbps of attack traffic (a cumulative attack of 0.8 Tbps) towards the SENSS client. Four of these servers send a mix of both legitimate and attack traffic. The SENSS client constantly fingerprints its traffic by issuing traffic_query requests to all 13 SENSS servers. Using the derived fingerprint of its own legitimate traffic, the SENSS client can recognise when it is under a large attack and issue add_filter messages to the SENSS servers.

    Evaluation


    We evaluated the performance of SENSS using realistic legitimate and attack traffic mined from a month's worth of RouteViews data. From this we concluded that:
  • Adopters have higher benefits: early adopters can mitigate 100% of DDoS with signature and reflector attacks
  • As adoption grows, the protection grows for everyone, both in effectiveness and in the range of attacks that are mitigated
  • Deployment at any tier helps
  • Most attacks can be mitigated with deployment at just 1-2% of all ASes, with under ten seconds of delay

    Evaluation figures: DDoS with Signature, DDoS without Signature, Blackholing Attack




    Software


    Source Code can be downloaded here.

    Publications

    SENSS Against Volumetric DDoS Attacks, Sivaramakrishnan Ramanathan, Jelena Mirkovic, Minlan Yu and Ying Zhang, In Proceedings of the Annual Computer Security Applications Conference (ACSAC), 2018 [PDF]

    API


    Traffic Query


    traffic_query(OFPMatch,Certificate,ASN,otime)
  • OFPMatch - OFPMatch Object used for querying the ISP about the flow volume generated. More information on OFPMatch here
  • Certificate - RPKI ROA Certificate used to validate that client is authorised to originate the IP Prefixes
  • ASN - Autonomous System Number under the ISP where the traffic_query command needs to be executed
  • otime - Duration to observe the flow volume generated for the particular OFPMatch and for the given ASN

  • The sample response shows that the AS receives 6 packets (204 bytes) from AS2, that 10 packets (340 bytes) pass through the AS to AS2, and finally that the AS originated 5 packets (170 bytes).



    Traffic Control


    Add Flow

    add_flow(OFPMatch,Certificate,ASN,Duration)
  • OFPMatch - Used to add a flow matching the specification in the OFPMatch object. More information on OFPMatch here
  • Certificate - RPKI ROA Certificate used to validate that client is authorised to originate the IP Prefixes
  • ASN - Autonomous System Number under the ISP where the add_flow command needs to be executed
  • Duration - Time duration for the flow to be active



    Filter Flow

    filter_flow(OFPMatch,Certificate,ASN,Duration)
  • OFPMatch - Used to filter a flow matching the specification in the OFPMatch object. More information on OFPMatch here
  • Certificate - RPKI ROA Certificate used to validate that client is authorised to originate the IP Prefixes
  • ASN - Autonomous System Number under the ISP where the filter_flow command needs to be executed
  • Duration - Time duration for which the flow is filtered (kept inactive)



    Route Query


    route_query(Destination_IP,Certificate,ASN)
  • Destination_IP - Query for the route to this destination IP from the ASN
  • Certificate - RPKI ROA Certificate used to validate that client is authorised to originate the IP Prefixes
  • ASN - Autonomous System Number under the ISP where the route_query command needs to be executed

  • The sample response shows that there are two paths available, where path 1 is preferred over path 2.


    Route Control


    route_control(Destination_IP,Certificate,ASN,Path_Number_to_Change,Promote)
  • Destination_IP - Destination IP whose route from the ASN is to be changed
  • Certificate - RPKI ROA Certificate used to validate that client is authorised to originate the IP Prefixes
  • ASN - Autonomous System Number under the ISP where the route_control command needs to be executed
  • Path_Number_to_Change - path number obtained from route_query to promote or demote the path
  • Promote - boolean value to decide to promote or demote the path





    OFPMatch


    You can define the flow match by the keyword arguments.

    Argument         Value           Description
    in_port          Integer 32bit   Switch input port
    in_phy_port      Integer 32bit   Switch physical input port
    metadata         Integer 64bit   Metadata passed between tables
    eth_dst          MAC address     Ethernet destination address
    eth_src          MAC address     Ethernet source address
    eth_type         Integer 16bit   Ethernet frame type
    vlan_vid         Integer 16bit   VLAN id
    vlan_pcp         Integer 8bit    VLAN priority
    ip_dscp          Integer 8bit    IP DSCP (6 bits in ToS field)
    ip_ecn           Integer 8bit    IP ECN (2 bits in ToS field)
    ip_proto         Integer 8bit    IP protocol
    ipv4_src         IPv4 address    IPv4 source address
    ipv4_dst         IPv4 address    IPv4 destination address
    tcp_src          Integer 16bit   TCP source port
    tcp_dst          Integer 16bit   TCP destination port
    udp_src          Integer 16bit   UDP source port
    udp_dst          Integer 16bit   UDP destination port
    sctp_src         Integer 16bit   SCTP source port
    sctp_dst         Integer 16bit   SCTP destination port
    icmpv4_type      Integer 8bit    ICMP type
    icmpv4_code      Integer 8bit    ICMP code
    arp_op           Integer 16bit   ARP opcode
    arp_spa          IPv4 address    ARP source IPv4 address
    arp_tpa          IPv4 address    ARP target IPv4 address
    arp_sha          MAC address     ARP source hardware address
    arp_tha          MAC address     ARP target hardware address
    ipv6_src         IPv6 address    IPv6 source address
    ipv6_dst         IPv6 address    IPv6 destination address
    ipv6_flabel      Integer 32bit   IPv6 Flow Label
    icmpv6_type      Integer 8bit    ICMPv6 type
    icmpv6_code      Integer 8bit    ICMPv6 code
    ipv6_nd_target   IPv6 address    Target address for ND
    ipv6_nd_sll      MAC address     Source link-layer for ND
    ipv6_nd_tll      MAC address     Target link-layer for ND
    mpls_label       Integer 32bit   MPLS label
    mpls_tc          Integer 8bit    MPLS TC
    mpls_bos         Integer 8bit    MPLS BoS bit
    pbb_isid         Integer 24bit   PBB I-SID
    tunnel_id        Integer 64bit   Logical Port Metadata
    ipv6_exthdr      Integer 16bit   IPv6 Extension Header pseudo-field
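    The following is an added example, not SENSS project code, modelling the client-side loop the demos describe with the Traffic Query, Filter Flow and OFPMatch APIs above: fingerprint legitimate traffic from traffic_query responses in peacetime, then emit filter_flow arguments for every match whose rate now far exceeds that fingerprint. The traffic_query response layout (packets and bytes received from, transited to and originated by the queried AS), the detection factor and the AS numbers are constructed assumptions; the real wire format is not shown on this page.

```python
# Added example (not SENSS code). Assumed traffic_query response layout:
#   {"received": {"AS2": (pkts, bytes)}, "transit": {...}, "originated": {...}}
# mirroring the three quantities the sample response above reports.
from typing import Dict, List, Tuple

# Subset of the OFPMatch keyword arguments from the table above.
OFPMATCH_FIELDS = {"in_port", "eth_type", "ip_proto", "ipv4_src", "ipv4_dst",
                   "tcp_src", "tcp_dst", "udp_src", "udp_dst", "icmpv4_type"}
MatchKey = Tuple[Tuple[str, object], ...]

def ofp_match(**fields) -> MatchKey:
    """Build a hashable match, rejecting names OFPMatch does not define."""
    unknown = set(fields) - OFPMATCH_FIELDS
    if unknown:
        raise ValueError(f"unknown OFPMatch field(s): {sorted(unknown)}")
    return tuple(sorted(fields.items()))

def rate_bps(response: Dict[str, Dict[str, Tuple[int, int]]], otime: int) -> float:
    """Bytes per second seen at the queried AS over an otime-second window,
    summing all three directions of the (assumed) response layout."""
    total = 0
    for direction in ("received", "transit", "originated"):
        for _neighbour, (_pkts, nbytes) in response.get(direction, {}).items():
            total += nbytes
    return total / otime

def choose_filters(baseline: Dict[MatchKey, float], current: Dict[MatchKey, float],
                   asn: int, factor: float = 3.0, duration: int = 60
                   ) -> List[Tuple[MatchKey, int, int]]:
    """filter_flow(OFPMatch, Certificate, ASN, Duration) arguments, minus the
    RPKI certificate, for each match whose rate exceeds factor x its peacetime
    fingerprint. A match never seen in peacetime has a baseline of zero."""
    return [(m, asn, duration) for m, rate in current.items()
            if rate > factor * baseline.get(m, 0.0)]

# Constructed sample: 10-second traffic_query results at AS 3 for two matches.
OTIME = 10
DNS = ofp_match(ip_proto=17, udp_dst=53)
HTTPS = ofp_match(ip_proto=6, tcp_dst=443)
PEACETIME = {DNS: rate_bps({"received": {"AS2": (6, 204)}, "transit": {"AS2": (10, 340)},
                            "originated": {"AS3": (5, 170)}}, OTIME),
             HTTPS: rate_bps({"received": {"AS2": (200, 120000)}}, OTIME)}
ATTACK = {DNS: rate_bps({"received": {"AS2": (900000, 30600000)}}, OTIME),
          HTTPS: rate_bps({"received": {"AS2": (250, 150000)}}, OTIME)}

def demo() -> List[Tuple[MatchKey, int, int]]:
    """Only the DNS match is flooded, so only it gets a filter_flow request."""
    return choose_filters(PEACETIME, ATTACK, asn=3)
```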