Top

Journal of Network and Systems Management

Published in:

08-09-2017

Towards Deployable, Distributed ISP Traffic Filtering for the Cloud-Era

Author: Ramesh Subbaraman

Published in: Journal of Network and Systems Management | Issue 3/2018

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Traditionally Internet Service Providers (ISPs) have used a centralized traffic filtering architecture, wherein unwanted traffic heading towards a customer who subscribes to their filtering service is diverted to a security data center (SDC); from where only traffic deemed wanted is re-routed back to the customer using an overlay network of tunnels. Given the huge volumes of traffic that are being seen today, this centralized architecture’s scalability is already being stretched from a network capacity point of view. Moreover, the traffic diversion mechanism used necessitates configuring and maintaining tunnels, which is a network management overhead. We argue that this centralized architecture and tunnel necessitating traffic diversion mechanism will not scale as we move further along into the era where ISPs are becoming or providing connectivity to cloud providers. We propose a distributed architecture with multiple SDCs that scales from a capacity perspective, and describe how a standardized router capability, Border Gateway Protocol—Flow Specifications, can be used to selectively propagate traffic diversion routes which eliminates the need for tunnels. Furthermore, we show how the assigning of arriving traffic to specific SDCs can be modeled and solved as a mathematical optimization problem, which enables automated instantiation of the filtering service and also helps quantify the benefits of the distributed architecture from a capacity utilization perspective.

next article Early Detection of DDoS Attacks Against Software Defined Network Controllers

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

While the roles of these protocols and elements in the traffic filtering context are outlined as needed, a full description of each of them is beyond the scope of this paper.

In the context of this paper, back bone complexes refer to larger facilities usually exclusive to the ISP that house routing and compute equipment; and are typically located in more sparsely populated areas where space, power, land and other costs are lower.

The same practical considerations as in Sect. 5.1 apply—here we still aggregrate by the customer’s prefixes, but they are now source prefixes rather than destination prefixes.

The model is not specific to OSPF—in general the shortest paths could be instead computed in a manner consistent with another IGP such as IS–IS.

One can also vary the demands (\({\hbox {d}}_{\mathrm{pq}}\)) when launching parallel instances of the problem as a means to do some what-if analysis before picking a solution to instantiate.

Juniper Networks. Understanding teardrop attacks, JUNOS software security configuration guide. https://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swconfig-security/understanding-teardrop-attacks.html

Cisco Systems Inc.: Configuring Port Security, Catalyst 6500 Release 12.2SX Software Configuration Guide, pp. 62–67. https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/port_sec.html#wp1055296%0A (2013)

Wen, S., Jia, W., Zhou, W., Zhou, W., Xu, C.: CALD: surviving various application-layer DDoS attacks that mimic flash crowd. In: 4th International Conference on Network and System Security (NSS) (2010)

AT&T. Denial of Service—DDoS Protection. http://www.business.att.com/enterprise/Service/network-security/threat-vulnerability-management/ddos-protection/

Verizon. Cloud security: move to the cloud with confidence. http://www.verizonenterprise.com/products/security/managed/?utm_source=pdf&utm_medium=infographic&utm_content=ddos&utm_campaign=Security2013

Peng, T., Leckie, C., Ramamohanarao, K.: Protection from distributed denial of service attack using history-based IP filtering, networking. In: IEEE International Conference on Communications (ICC), pp. 482–486 (2003)

Yoon, M.: Using whitelsting to mitigate DDoS attacks on critical internet sites. IEEE Commun. Mag. 48(7), 110–115 (2010)CrossRef

Chen, S., Chow, R.: A new perspective in defending against DDoS. In: Proceedings of the 10th IEEE Workshop on Future Trends of Distributed Computing Systems (FTDS) (2004)

Liu, X., Yang, X., Lu, Y.: To filter or to authorize: network-layer DoS defense against multimillion-node botnets. In: Proceedings of the ACM SIGCOMM 2008 conference on Data communication, pp. 195–206 (2008)

10.

Bates, T., Chen, E., Chandra, R.: BGP Route Reflection: An Alternative to Full Mesh Internal BGP (IBGP), RFC 4456. RFC Editor. http://www.rfc-editor.org/rfc/rfc4456.txt (2006)

11.

Gottlieb, J.: Understanding Large Internet Provider Backbone Networks. Lecture slides for CS E6998-02: internet routing, Columbia University. http://www1.cs.columbia.edu/~ji/F02/ir21/index.html (2002)

12.

Rosen, E., Rekhter, Y.: BGP/MPLS IP Virtual Private Networks (VPNs), RFC 4364. RFC Editor (2006)

13.

SMBWorld Asia Editors. Largest packet-per-second DDoS attack ever documented. SMBWorld Asia. http://www.smbworldasia.com/en/content/largest-packet-second-ddos-attack-ever-documented (2011)

14.

Constantin, L.: Largest DDoS attack so far this year peaked at 45Gbps, says company, computer world news. http://www.computerworld.com/s/article/9222156/Largest_DDoS_attack_so_far_this_year_peaked_at_45Gbps_says_company (2011)

15.

Net Security. DDoS attack size accelerating rapidly, net security news article. http://www.net-security.org/secworld.php?id=15783 (2013)

16.

Seals, T.: Q3 DDoS Attack Volumes are the Largest Ever Seen. InfoSecurity magazine. http://www.infosecurity-magazine.com/news/q3-ddos-attack-volumes-are-the/ (2014)

17.

Akamai’s State of the Internet/Security Team. akamai’s [state of the internet]/secuity Q1 2016 report. 3(1) (2016). https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/akamai-q1-2016-state-of-the-internet-security-report.pdf

18.

Paganini, P.: Anonymous Hackers Launch #OpUSA against US Banking and Goverment Agencies, the hacker news. http://thehackernews.com/2013/05/anonymous-hackers-launch-opusa-against.html (2013)

19.

Yuksel, M., Ramakrishnan, K., Kalyanaraman, S., Houle, J., Sadhvani, R.: Required extra capacity: estimating over-provisioning in a single class of service IP backbone. IEEE Trans. Netw. Serv. Manag. 56(17), 3723–3743 (2011)

20.

Banerjee, A.: Is your head in the cloud? The cloud services opportunity. Heavy Reading. http://www.oracle.com/us/industries/communications/oracle-telco-cloud-wp-1538974.pdf (2011)

21.

Metzler, J.: The 2012 Cloud Networking Report, Part 4: The Wide Area Network (WAN), A 10 Networks. http://www.a10networks.com.cn/resources/cloud_networking/A10-Cloud_Networking_Report-pt.4.pdf (2012)

22.

Rashid, F.: Recent bank cyber attacks originated from hacked data centers, not large botnet, security week—in-formation security news. http://www.securityweek.com/recent-bank-cyber-attacks-originated-hacked-data-centers-not-large-botnet (2012)

23.

Whitney, L.: Amazon EC2 cloud service hit by botnet, outage, CNet News. http://news.cnet.com/8301-1009_3-10413951-83.html (2009)

24.

Ollman, G.: The Day Before Zero: An Ongoing Conversation About Advanced Threats, Damballa blogpost. https://blog.damballa.com/archives/330dd

25.

Kassner, M.: What’s better than creating your own DDoS? Renting one, tech republic IT security article. http://www.techrepublic.com/blog/it-security/whats-better-than-creating-your-own-ddos-renting-one/ (2013)

26.

Glenn, M.: A Summary of DoS/DDoS Prevention, Monitoring and Mitigation Techniques in a Service Provider Environment. SANS Institute InfoSec Reading Room. https://www.sans.org/reading-room/whitepapers/intrusion/summary-dos-ddos-prevention-monitoringmitigation-techniques-service-provider-enviro-1212 (2003)

27.

Handley, M., Greenhalg, A.: Steps Towards a DoS-Resistant Internet Architecture, SIGCOMM04 workshops (2004)

28.

Huici, F., Handley, M.: An edge to edge filtering archi-tecture against DoS. ACM SIGCOMM Comput. Commun. Rev. 37(2), 39–50 (2007)CrossRef

29.

Greenhalg, A., Mark, H., Huici, F.: Using routing and tunneling to combat DoS attacks. In: Proceedings of the USENIX Steps to Reducing Unwanted Traffic on the Internet (SRUTI) (2005)

30.

Ramachandran, V., Nandi, S.: Bleeding edge distributed denial of service (DDoS) attack mitigation techniques for ISPs. In: Proceedings of 8th International Conference on Information Technology (2005)

31.

Lim, S., Ha, J., Kim, H., Kim, Y., Yang, S.: A SDN-oriented DDoS blocking scheme for botnet-based attacks. In: Sixth International Conference on Ubiquitous and Future Networks (ICUFN) (2014)

32.

Moon, Y., Choi, S., Kim, H., Yoo, C.: A hybrid defense technique for ISP against the distributed denial of service attacks. Appl. Math. Inf. Sci. 8(5), 2347–2359 (2014)CrossRef

33.

Sahay, R., Blanc, G., Zhang, Z., Debar, H: Towards Autonomic DDoS Mitigation using Software Defined Networking, NDSS workshop on security of emerging networking technologies (SENT) (2015)

34.

Bouet, M., Leguay, J., Conan, V.: Cost-based placement of vDPI functions in NFV infrastructures. Int. J. Netw. Manag. 25, 490–506 (2015)CrossRef

35.

Wang, B., Zheng, Y., Lou, W., Hou, Y.: DDoS attack protection in the era of cloud computing and software-defined networking. Comput. Netw. 81, 308319 (2015)CrossRef

36.

Bawany, N., Shamsi, J., Salah, K.: DDoS attack detection and mitigation using SDN: methods, practices, and solutions. Arab. J. Sci. Eng. 42(2), 425441 (2017)CrossRef

37.

Addis, B., Belabed, D., Bouet, M., Secci, S.: Virtual network functions placement and routing optimization. In: IEEE 4th International Conference on Cloud Networking (CloudNet) (2015)

38.

Mahajan, R., Bellovin, S., Floyd, S., Ioannidis, J., Paxson, V., Shenker, S.: Controlling high bandwidth aggregates in the network. ACM Comput. Commun. Rev. (CCR) 32, 62–73 (2002)CrossRef

39.

Zargar, S., Joshi, J., Tipper, D.: A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks. IEEE Commun. Surv. Tutor. 15(4), 2046–2069 (2013)CrossRef

40.

Huston, G., Michaelson, G.: Validation of Route Origination Using the Resource Certificate Public Key Infrastructure (PKI) and Route Origin Authorizations (ROAs), RFC 6483. RFC Editor (2012)

41.

Kent, S., Lynn, C., Seo, K.: Secure Border Gateway Protocol (S-BGP). IEEE J. Sel. Areas Commun. 18(4), 582–592 (2000)CrossRef

42.

Kent, S., Lynn, C., Mikkelson, J., Seo, K.: Secure border gateway protocol (S-BGP)—real world performance and deployment issues. In: Proceedings of Symposium on Network and Distributed Systems Security (NDSS) (2000)

43.

Quagga Routing Software Suite. http://www.nongnu.org/quagga/index.html

44.

Sekar, V., Duffield, N., Spatscheck, O., Van der Merwe, J., Zhang, H.: LADS: Large-scale Automated DDoS Detection System. In: Proc. of USENIX ATC, pp. 171–184 (2006)

45.

Verkaik, P., Spatscheck, O., Van der Merwe, J., Snoeren, A.: Primed: community-of-interest-based DDoS mitigation, ACM SIGCOMM’06 Workshops (2006)

46.

Arbor Networks. Peakflow. http://www.arbornetworks.com/products/peakflow

47.

F5. Security for Service Providers. https://www.f5.com/it-management/solutions/service-provider-security/related/

48.

Jung, J., Krishnamurthy, B., Rabinovich, M.: Flash crowds and denial of service attacks: characterizations and implications for CDNs and web sites. In: Proceedings of the 11th International Conference on World Wide Web. pp. 293–304

49.

Le, Q., Zhanikeev, M., Tanaka, Y.: Methods for distinguishing flash crowds from spoofed DoS attacks. In: 3rd EuroNGI Conference on Next Generation Internet Networks (2007)

50.

Wilson, C.: Cloudshield, IBM put DPI on Blade Center, Connected Planet Online. http://connectedplanetonline.com/software/news/ibm-blade-center-dpi-0902/ (2008)

51.

Hyun, S., Jeong, J., Woo, S., Yeo, Y., Park, J-S.: NSF-Triggered Traffic Steering Framework (draft-hyun-i2nsf-nsf-triggered-steering-02). IETF Secretariat. http://www.ietf.org/internet-drafts/draft-hyun-i2nsf-nsf-triggered-steering-02.txt (2017)

52.

Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J., McPherson, D.: Dissemination of Flow Specification Rules, RFC 5575. RFC Editor. http://www.rfc-editor.org/rfc/rfc5575.txt (2009)

53.

Serodio, L.: Traffic diversion techniques for DDoS mitigation using BGP flowspec, slides presented at North American Network Operators Group (NANOG) 58. http://www.nanog.org/sites/default/files/wed.general.trafficdiversion.serodio.10.pdf (2013)

54.

Gassen, D., Lozno, R., McPherson, D.: BGP flow specification deployment experience. Slides presented at North American Network Operators Group (NANOG) 38. https://www.nanog.org/meetings/nanog38/presentations/labovitz-bgp-flowspec.pdf (2006)

55.

Uttaro, J., Filsfils, C., Smith, D., Alcaide, J., Mohapatra, P.: Revised Validation Procedure for BGP Flow Specifications (draft-ietf-idr-bgp-flowspec-oid-02). IETF Secretariat. http://www.ietf.org/internet-drafts/draft-ietf-idr-bgp-flowspec-oid-02.txt (2014)

56.

Juniper Networks, Example: Enabling BGP to Carry Flow-Specification Routes, Juniper Network Tech Library. http://www.juniper.net/techpubs/en_US/junos13.3/topics/example/routing-bgp-flow-specification-routes.html (2013)

57.

Chee, W., Brennan, T.: H..t..t.p.p.o.s.t, slides presented at OWASP Foundation AppSec DC. https://www.owasp.org/images/4/43/Layer_7_DDOS.pdf (2010)

58.

IBM. CPLEX Optimizer. http://www-01.ibm.com/software/commerce/optimization/cplex-optimizer/

59.

National Science Foundation, Federally Funded R&D Cen-ters Master Government List, National Center for Science and Engineering Statistics (2010)

Title: Towards Deployable, Distributed ISP Traffic Filtering for the Cloud-Era
Author: Ramesh Subbaraman
Publication date: 08-09-2017
Publisher: Springer US
Published in: Journal of Network and Systems Management / Issue 3/2018
Print ISSN: 1064-7570
Electronic ISSN: 1573-7705
DOI: https://doi.org/10.1007/s10922-017-9424-1

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Other articles of this Issue 3/2018

A Novel Approach for Information Discovery in Wireless Sensor Grids

HE-MAN: Hierarchical Management for Vehicular Delay-Tolerant Networks

Network Selection Decisions for Multiple Calls Based on Consensus Level

Green Approach for Joint Management of Geo-Distributed Data Centers and Interconnection Networks

Updated Taxonomy for the Network and Service Management Research Field

Early Detection of DDoS Attacks Against Software Defined Network Controllers

Premium Partner