Network Security: P4-Enabled Anti-DDoS
Who are we?
We are an Internet company. We do more than datacenters.
北京互联港湾 (Beijing Internet Harbor)
Network security: we care about it.
In computing, a denial-of-service attack (DoS attack) is a cyber-attack where the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.
Let’s start with DDoS
43%
The DDoS is simple, and old-fashioned.
BUT it is an everyday headache:
• It burns money and kills business
• It consumes valuable bandwidth
• When a DDoS kills your uplink, it is a nightmare for an IDC, because every customer behind that uplink goes down with it
• Blocking/unblocking IPs also takes money and time
It takes a lot to detect and mitigate:
• Attacking cost is low (even lower with cloud)
• Nowhere to be traced (IP spoofing)
• Random victims
• We need to find the attack/attackers without hurting good ones, and that is expensive
Traditional approaches
Problems?
• Delay
• Price
• Performance
• Prediction
Anything new? Not so good, but are there any better options?
Big bang theory
P4-enabled in-network DDoS detection
What’s changed?
• No mirroring/bypassing of traffic is needed, so no delay is expected
• Simple P4 (less than 100 lines for SYN-flood)
• Detect and drop/mitigate: quick response
• With INT/big data, many things can happen at the same time
• Great performance (6.4 Tbps line rate)
Example: SYN cookie
Detect normal vs. suspicious traffic inside the network at 6.4 Tbps, instead of statically mirroring lots of traffic to DDoS mitigation boxes.
Non-attack scenario (sequence diagram; participants: Initiator, Tofino switch, Listener)
1. Initiator → switch: SYN. The source IP is not on the whitelist.
2. Switch → initiator: SYN+ACK with cookie.
3. Initiator → switch: ACK with cookie + 1.
4. Switch: add the source IP to the whitelist, send RST to the initiator.
5. Initiator → switch: SYN (retry). The source is now whitelisted, so the switch forwards the SYN to the listener.
6. Listener → initiator: SYN+ACK.
7. Initiator → listener: ACK. The handshake completes end to end.
Attack scenario (same participants)
1. Initiator → switch: SYN. Not on whitelist.
2. Switch → initiator: SYN+ACK with cookie. No ACK ever comes back.
3. Initiator → switch: SYN. Not on whitelist.
4. Switch → initiator: SYN+ACK with cookie.
5. Initiator → switch: SYN. Not on whitelist.
6. Switch → initiator: SYN+ACK with cookie.
... and so on for every further SYN.
The listener is shielded from the attack: no SYN from a source that never answers the cookie reaches it.
Control flow (reconstructed from the flowchart)
On receiving a SYN:
• SIP in whitelist? Yes → forward packet.
• No → compute the SYN cookie; send SYN+ACK with the cookie in the seq# and timestamp fields.
On receiving an ACK:
• Compute the SYN cookie. ACK#-1 == cookie? Yes → add SIP to the whitelist, send RST.
• No → ACK#-1 == timestamp? (the second place the cookie was sent). Yes → add SIP to the whitelist, send RST.
• Otherwise → forward packet.
Sample P4 code

```p4
// Turns an incoming SYN into a SYN+ACK that carries the cookie (P4_14 syntax).
table generate_syn_cookie_table {
    actions { generate_syn_cookie; }
    size: 1;
}
action generate_syn_cookie() {
    add(tcp.ackNo, tcp.seqNo, 1);   // ackNo = initiator's seqNo + 1
    // cookie = crc32(sa, da, sport, dport, nonce) mod 2^31; parked in temp32b_3
    // until swap_addresses writes it into tcp.seqNo
    modify_field_with_hash_based_offset( sa_metadata.temp32b_3, 0, syn_cookie_hash_flc1, 2147483648 );
    modify_field( tcp.flags, 18 ); // SYN-ACK
    // copy tcp port numbers
    modify_field( sa_metadata.temp16b_1, l3_metadata.lkp_l4_sport );
    modify_field( sa_metadata.temp16b_2, l3_metadata.lkp_l4_dport );
    // copy IP addresses
    modify_field( sa_metadata.temp32b_1, ipv4_metadata.lkp_ipv4_sa );
    modify_field( sa_metadata.temp32b_2, ipv4_metadata.lkp_ipv4_da );
}
```
Sample P4 code

```p4
// Cookie seed: the connection 4-tuple plus a switch-local nonce, so a cookie
// cannot be predicted without the nonce and is bound to one connection.
field_list syn_cookie_seed_fl1 {
    ipv4_metadata.lkp_ipv4_sa;
    ipv4_metadata.lkp_ipv4_da;
    l3_metadata.lkp_l4_sport;
    l3_metadata.lkp_l4_dport;
    sa_metadata.nonce1;
}
field_list_calculation syn_cookie_hash_flc1 {
    input {
        syn_cookie_seed_fl1;
    }
    algorithm : crc32;
    output_width : TCP_SEQNUM_WIDTH;
}
// Recomputes the expected cookie when the ACK arrives, for the ACK#-1 == cookie check.
action compute_syn_cookie1() {
    modify_field_with_hash_based_offset( sa_metadata.cookie1, 0, syn_cookie_hash_flc1, 2147483648 );
}
table compute_syn_cookie_table1 {
    actions { compute_syn_cookie1; }
    size: 1;
}
```
Sample P4 code

```p4
// Whitelist: a 1-bit-wide register array indexed by a hash of the source
// address (a single-hash Bloom filter, so collisions are possible).
register sa_bloom_filter_whitelist_reg1 {
    width : 1;
    static : sa_bloom_filter_whitelist_1;
    instance_count : SA_WHITE_LIST_SIZE;
}
field_list sa_hash_fields {
    ipv4_metadata.lkp_ipv4_sa;
}
field_list_calculation sa_hash_1 {
    input { sa_hash_fields; }
    algorithm : crc16_extend;
    output_width : SA_WHITELIST_HASH_WIDTH;
}
// The stateful ALU reads (or sets) the bit selected by the hash in one pass.
action check_sa_bloom_filter_1() {
    sa_bloom_filter_alu_1.execute_stateful_alu_from_hash(sa_hash_1);
}
table sa_bloom_filter_whitelist_1 {
    actions { check_sa_bloom_filter_1; }
    size: 1;
}
```
Sample P4 code

```p4
// Builds the SYN+ACK reply in place: addresses and ports are reversed and the
// cookie computed by generate_syn_cookie becomes the sequence number.
table swap_address_syn_ack_table {
    actions { swap_addresses; }
    size: 1;
}
action swap_addresses() {
    modify_field( tcp.seqNo, sa_metadata.temp32b_3 );           // seqNo = cookie
    modify_field( l3_metadata.lkp_l4_sport, sa_metadata.temp16b_2 );
    modify_field( l3_metadata.lkp_l4_dport, sa_metadata.temp16b_1 );
    modify_field( tcp.dstPort, sa_metadata.temp16b_1 );          // dst port = original src port
    modify_field( tcp.srcPort, sa_metadata.temp16b_2 );          // src port = original dst port
    modify_field( ipv4_metadata.lkp_ipv4_sa, sa_metadata.temp32b_2 );
    modify_field( ipv4_metadata.lkp_ipv4_da, sa_metadata.temp32b_1 );
    modify_field( ipv4.srcAddr, sa_metadata.temp32b_2 );         // reply appears to come from the listener
    modify_field( ipv4.dstAddr, sa_metadata.temp32b_1 );
}
```
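The following is an added example, not code from the deck or from Beijing Internet Harbor. It simulates in Python the switch-side logic the sequence diagrams, control flow and P4 fragments above describe: a crc32 cookie over (sa, da, sport, dport, nonce) reduced to 2^31, a 1-bit whitelist indexed by a hash of the source address, SYN+ACK generation on the listener's behalf, and the ACK#-1 == cookie check followed by RST. The segment layout, the nonce value, the whitelist size and the choice to drop anything else from an unknown source are assumptions; the timestamp-field check is left out.

```python
import socket
import struct
import zlib
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10
SYN_ACK = SYN | ACK                # 18, the value generate_syn_cookie writes into tcp.flags
COOKIE_SPACE = 2_147_483_648       # 2^31, the modulus in modify_field_with_hash_based_offset
WHITELIST_SIZE = 1 << 20           # stands in for SA_WHITE_LIST_SIZE (assumed value)
NONCE = 0x5EED1234                 # stands in for sa_metadata.nonce1 (assumed value)


@dataclass(frozen=True)
class Segment:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int


def syn_cookie(seg, nonce=NONCE):
    """syn_cookie_hash_flc1: crc32 over (sa, da, sport, dport, nonce), reduced to 31 bits."""
    seed = (socket.inet_aton(seg.src_ip) + socket.inet_aton(seg.dst_ip)
            + struct.pack("!HHI", seg.sport, seg.dport, nonce))
    return zlib.crc32(seed) % COOKIE_SPACE


class SynCookieSwitch:
    """Models the pipeline: whitelist lookup, cookie generation, cookie check."""

    def __init__(self):
        self.whitelist = bytearray(WHITELIST_SIZE)  # 1-bit-wide register, one byte per cell here
        self.forwarded = []   # segments handed on to the listener
        self.replies = []     # segments the switch sends back toward the initiator

    def _slot(self, ip):
        # sa_hash_1: a hash of the source address alone selects the whitelist cell
        return zlib.crc32(socket.inet_aton(ip)) % WHITELIST_SIZE

    def whitelisted(self, ip):
        return self.whitelist[self._slot(ip)] == 1

    def _reply(self, seg, seq, ack, flags):
        # swap_addresses: answer on the listener's behalf with addresses and ports reversed
        self.replies.append(Segment(seg.dst_ip, seg.src_ip, seg.dport, seg.sport, seq, ack, flags))

    def receive(self, seg):
        if self.whitelisted(seg.src_ip):
            self.forwarded.append(seg)           # known-good source: forward packet
            return "forward"
        if seg.flags == SYN:
            # SYN from an unknown source: SYN+ACK whose seq# is the cookie and ack# = seq + 1
            self._reply(seg, syn_cookie(seg), (seg.seq + 1) & 0xFFFFFFFF, SYN_ACK)
            return "syn_ack_cookie"
        if seg.flags == ACK and (seg.ack - 1) & 0xFFFFFFFF == syn_cookie(seg):
            # ACK#-1 == cookie: a real host answered. Whitelist it and RST so it reconnects end to end.
            self.whitelist[self._slot(seg.src_ip)] = 1
            self._reply(seg, seg.ack, 0, RST)
            return "whitelisted_rst"
        return "drop"   # assumption: anything else from an unknown source is dropped


def legitimate_client(switch, client_ip, server_ip, sport=40000, dport=80):
    """Non-attack scenario: a real host answers the cookie, is RST'd, then retries its SYN."""
    syn = Segment(client_ip, server_ip, sport, dport, seq=1000, ack=0, flags=SYN)
    first = switch.receive(syn)
    synack = switch.replies[-1]
    ack = Segment(client_ip, server_ip, sport, dport, seq=1001,
                  ack=(synack.seq + 1) & 0xFFFFFFFF, flags=ACK)
    second = switch.receive(ack)
    third = switch.receive(syn)          # the retried SYN is now forwarded to the listener
    return first, second, third


def spoofed_syn_flood(switch, server_ip, count, dport=80):
    """Attack scenario: constructed SYNs from sources that never see the SYN+ACK, so no ACK arrives."""
    outcomes = set()
    for i in range(count):
        fake_src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        outcomes.add(switch.receive(Segment(fake_src, server_ip, 1024 + i, dport, seq=i, ack=0, flags=SYN)))
    return outcomes


if __name__ == "__main__":
    sw = SynCookieSwitch()
    print(legitimate_client(sw, "192.0.2.10", "198.51.100.5"))
    print(spoofed_syn_flood(sw, "198.51.100.5", 500), len(sw.forwarded), "segment(s) reached the listener")
```

Two properties of the design are visible in the simulation: the flood costs the switch one stateless reply per SYN and no listener state, and the single-hash whitelist means a colliding source address would be admitted without proof of work, which is the trade-off behind the "negligible probability for false positives" claim later in the deck.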
DDoS Detection
• Challenges:
  1. Large traffic → detection must be in the data plane
  2. Many connections from many sources with low traffic each → heavy-hitter detection
• Solution steps:
  1. Count the number of sources per service/destination in the data plane
     • Limited memory in the data plane → use an approximation data structure with guaranteed accuracy (HyperLogLog sketch)
  2. Estimate the number of flows and compare against a threshold
     • Periodically in the control plane
     • Or per packet in the data plane
  3. Possible reactions
     • Mark packets
     • Forward to DDoS mitigation
     • Zoom in on the destination IP range to find which server is under attack
     • Zoom in on the source IP range to find the attacker
HyperLogLog Sketch
• Motivation: estimate the number of source IPs in many packets
• Intuition: to see a rare pattern in random numbers, we need to see many values
  1. If I say I got 100 straight heads in coin tossing, I was either lucky or tossed the coin many times
• Algorithm:
  1. Hash source IPs to a uniformly random number
  2. Count the number of consecutive 0s at the beginning of the hash
  3. Keep track of the maximum number of zeros seen so far
     • More zeros indicate we saw more source IPs
     • 10 zeros → 2^11 IPs on average
  4. Do this 1000s of times per packet and track separate numbers to get an accurate estimate (avoid lucky cases)
     • Updating only 1 of the 1000s, chosen randomly, has the same accuracy
  5. Read the 1000s of counters and use the average
Implementation: count in the data plane, compare in the control plane
Data plane (per packet): Hash → Count # zeros → Track max zeros
Control plane (periodically):
1. fetch counters from the data plane
2. estimate and compare against the threshold
3. reset counters
Output: watchlist
```p4
// Leading-zero count as a ternary lookup: each of the 64 entries matches a
// prefix of k zeros followed by a 1 (mask on the top k+1 bits) and carries
// k as action data, so the count takes one table access per packet.
table count_zeros {
    reads {
        hll_md.hash : ternary;
    }
    actions {
        count_zeros_do;
    }
    size : 64;
}
action count_zeros_do(zeros) {
    modify_field(hll_md.zeros, zeros);   // result feeds the "track max zeros" register
}
```
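An added example of the whole sketch end to end, written for this page and not taken from the deck. It follows the algorithm slide and the data-plane/control-plane split above: hashing, the leading-zero count the count_zeros table performs, a register array that keeps the per-counter maximum, and a periodic poll that estimates, compares against a threshold and resets. The combine step is standard HyperLogLog (harmonic mean with the alpha_m constant, and linear counting for small estimates), which is the precise form of the deck's "use the average". The register count, hash function, threshold and the source addresses are constructed assumptions.

```python
import hashlib
import math
import socket

REGISTER_BITS = 12
M = 1 << REGISTER_BITS              # 4096 counters, standing in for the deck's "1000s" (assumed size)
HASH_BITS = 64
ALPHA_M = 0.7213 / (1 + 1.079 / M)  # HyperLogLog bias constant for m >= 128


def hash_ip(src_ip):
    """Map a source IP to a uniformly distributed 64-bit value (sha256 stands in for the switch hash)."""
    return int.from_bytes(hashlib.sha256(socket.inet_aton(src_ip)).digest()[:8], "big")


def leading_zero_rank(value, width):
    """1 + number of consecutive 0 bits at the top of a width-bit value.
    This is what the count_zeros ternary table looks up: 10 leading zeros -> rank 11 -> ~2^11 IPs."""
    return width - value.bit_length() + 1


class HllDataPlane:
    """Per-packet part: hash, count zeros, keep the maximum in one of M counters."""

    def __init__(self):
        self.registers = [0] * M

    def update(self, src_ip):
        h = hash_ip(src_ip)
        idx = h >> (HASH_BITS - REGISTER_BITS)               # top bits pick which counter is updated
        rest = h & ((1 << (HASH_BITS - REGISTER_BITS)) - 1)  # remaining bits are ranked
        rank = leading_zero_rank(rest, HASH_BITS - REGISTER_BITS)
        if rank > self.registers[idx]:                      # "track max zeros"
            self.registers[idx] = rank


def estimate_sources(registers):
    """Control-plane part: combine the counters into a cardinality estimate."""
    m = len(registers)
    raw = ALPHA_M * m * m / sum(2.0 ** -r for r in registers)   # harmonic mean of 2^rank
    if raw <= 2.5 * m:
        empty = registers.count(0)
        if empty:
            return m * math.log(m / empty)   # linear counting is more accurate when few IPs were seen
    return raw


def control_plane_poll(dp, threshold):
    """Periodic step: fetch counters, estimate and compare, reset counters."""
    est = estimate_sources(list(dp.registers))
    dp.registers = [0] * M
    return est, est > threshold


def synthetic_sources(n, prefix="10"):
    """Constructed sample input: n distinct source addresses (not captured traffic)."""
    return [f"{prefix}.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}" for i in range(n)]


def run_interval(src_ips, threshold):
    """Feed one measurement interval of packets (one entry per packet) and poll once."""
    dp = HllDataPlane()
    for ip in src_ips:
        dp.update(ip)
    return control_plane_poll(dp, threshold)


if __name__ == "__main__":
    # 50 000 distinct sources, each sending twice: repeats must not inflate the count
    print(run_interval(synthetic_sources(50_000) * 2, threshold=30_000))
    # 100 sources sending 500 packets each: heavy traffic, few sources, no alarm
    print(run_interval(synthetic_sources(100) * 500, threshold=30_000))
```

With 4096 counters the standard error of the estimate is about 1.04/sqrt(4096), roughly 1.6%, which is the kind of margin the Results slide expresses as a band around the threshold; the memory cost is one small integer per counter, independent of how many packets or sources were seen.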
Results
(Chart: SRAM bytes for the "track max zeros" table vs. number of counters.)
● Detection latency:
  ○ Control plane: ~5 ms to fetch counters and estimate
  ○ Data plane: 0 (it is per packet)
● Estimation error: if the threshold is 1B source IPs, we may report a destination with >0.985B or ignore one with <1.15B source IPs.
Summary
Benefits of in-network DDoS detection
• A Tofino implementation guarantees high scalability and line-rate performance under any type of attack with minimal consumption of on-chip memory and resources.
• In-network DDoS detection can be implemented in Tofino with high accuracy and negligible probability of false positives.
• P4 programmability allows customers flexibility and customization of the DDoS detection methods and mitigation actions.
• Granular statistics allow customers to quickly identify which applications and services are under attack.
• When compared with a DDoS solution using NetFlow, a Tofino-based approach is multiple orders of magnitude faster in detecting a DDoS attack (tens of milliseconds vs. tens of seconds).
Summary
In-network DDoS detection with a programmable chipset like Tofino:
• High scalability and line rate with minimal memory consumption
• High accuracy with negligible probability of false positives
• P4 programmability: flexible customization of detection methods and mitigation actions
• Granular statistics: quickly identify apps and services under attack
• Multiple orders of magnitude faster than NetFlow-based solutions (tens of milliseconds vs. tens of seconds)
Q&A
THANKS

Deck title as published: anti-ddos GNTC based on P4 /BIH
