SAV-based Anti-DDoS Architecture

SAV-based Anti-DDoS Architecture Tsinghua University

Beijing 100084 China cuiyong@tsinghua.edu.cn http://www.cuiyong.net/

Tsinghua University

Beijing 100084 China jianping@cernet.edu.cn

Zhongguancun Laboratory

Beijing 100094 China zhanglei@zgclab.edu.cn

Zhongguancun Laboratory

Beijing 100094 China lilz@zgclab.edu.cn

Routing SAVNET Working Group Source Address Validation DDoS Detection and Mitigation Existing SAV schemes can not effectively defend against IP Spoofing DDoS under incremental deployment. This document proposes SAV-D, a savnet based distributed defense architecture to enhance SAV's defense. The main idea of SAV-D is to collect and aggregate more threat data from existing SAV devices and then distribute crucial knowledge to widespread devices, thus significantly expanding defense across the entire network.

Introduction Distributed Denial-of-Service (DDoS) attacks have been a persistent cyber threat, where IP spoofing DDoS is one of the major contributors. Amplification DDoS typically exploit IP spoofing to generate large volumes of traffic with small requests, allowing attackers to overwhelm the target's resources while evading detection. Some other DDoS attacks (e.g., TCP SYN Flooding ) also forge source IP addresses in order to drain the target's resources. To eliminate IP spoofing, several Source Address Validation (SAV) schemes have been proposed, such as SAVI, uRPF and EFP-uRPF. However, the defense effectiveness of current SAV schemes highly depends on the SAV devices' deployment ratio. A large number of spoofed packets can only be prevented with a significantly high deployment ratio, but the incremental deployment process is often slow. According to CAIDA's Spoofer Project, 24.9% of IPv4 autonomous systems (excluding NAT), and 33.3% of IPv6 autonomous systems are still spoofable by March 2023. This indicates a limited SAV deployment, thus the defense effectiveness. In the above context, this document offers an SAV-based anti-DDoS architecture (SAV-D) that incorporates the following advances.

SAV-honeynet based threat data collection. Each SAV device functions as a honeypot that does not directly drop spoofed packets but instead records the spoofing characteristics and sends them to a centralized control plane.
Collaborative defense with both SAV and non-SAV devices. The control plane detects ongoing attacks and generates filtering rules. These rules are then distributed to both SAV and non-SAV devices along the attack paths to manipulate malicious traffic.
Threat information sharing with the victim-end. The control plane shares attack detection information and IP blocklists with victim-end defense systems to assist their mitigations.

Through the mechanisms of honeynet, data aggregation and distribution, SV-D can fully leverage the value of SAV devices and threat data, resulting in a significant defense improvement.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Problem Statement The effectiveness of existing SAV schemes highly relies on the deployment ratio of devices, which is currently limited. Adversaries often actively test their bots for plausibility, packet loss, and amplification benefits. This testing can force the bots to migrate from SAV domains to non-SAV domains, resulting in fewer spoofed packets being blocked by SAV devices. Additionally, uRPF and EFP-uRPF have issues with filtering accuracy in certain scenarios. Some managers may hesitate to enable SAV due to the probability of filtering errors. Moreover, SAV can prevent spoofed packets from being sent out, but it cannot provide protection for the deployers. The lack of direct benefits may also impede the deployment process. In this context, there is a strong need to improve the defense capabilities of current SAV practices. To achieve the goal, it is essential to consider the following limitations. Firstly, due to the attack testing, directly dropping spoofed packets can reduce the possibility of capturing threat data. Secondly, in amplification DDoS, the reflected packets sent to victims have the authentic src-IP, making them unfilterable by SAV devices. Lastly, although today's SAV mechanism can filter spoofed packets at local devices, the important threat information they provide has yet to be fully utilized. If victims were made aware of the type of spoofing traffic targeting them, they could execute faster and more accurate countermeasures.

SAV-D Architecture The proposed SAV-D is shown in Figure 1, whitch can be deployed on both intra-domain and inter-domain savnet. It introduces a centralized control plane (i.e., the controller) that connects SAV devices, legacy devices, and victims' defense systems. The functions of the controller can be divided into three parts: attack detection, analysis and defense execution. The controllers can collect spoofing characteristics from widespread SAV devices (as honeypots) and aggregate them for further analysis. From a whole viewpoint, the controller can detect ongoing attacks and generate filtering rules for both SAV and non-SAV devices. In addition, the controller can maintain IP blocklists based on the information reported by SAV devices, whitch can assist in detectiong DDoS attacks and generating filtering rules. And then the rules will be distributed to corresponding devices to perform filtering. Moreover, the controller will share the attack information with the victims' defense system to assist in their defense operations.

SAV Controller The controller is a logical entity that can be implemented as a distributed or centralized cluster system. The placement of controllers may take several factors into consideration, including latency, resiliency, and load balancing to connected devices.

To collect spoofing information, the controller will passively receive the data sent from the certified SAV devices. The collected spoofing information should include but not limited to timestamp, 5-tuple (i.e., src-IP, dst-IP, src-port, dst-port, and protocol), TCP flag, packet size, and amounts. This information will be readily stored in a database for further analysis.
To analyze the aggregated statistics, the controller retrieves the spoofing information periodically (e.g., every 10 seconds). The spoofed packets are analyzed based on their src-IP to detect reflection attacks or flooding attacks with certain algorithms. A large volume of spoofed packets using a specific protocol (e.g., NTP, DNS) is a clear indication that the src-IP is being targeted by reflection attacks. For flooding attacks, the posssible evidence is a large number of spoofed packets with same target IP and different source IP. The detection results include the attack target, type, duration, malicious IP lists, etc.
Generating filtering rules based on detection results is a straightforward process. Before the reflection, the filtering rules are based on src-IP and ports. After reflection, the src-IP is the server's address, and the dst-IP is the victim's address. Considering the reflected packets are often much larger than legitimate packets, filtering rules could be generated based on dst-IP, ports, and packet size.
Communicating with relevant devices consists of two folds. One fold is distributing filtering rules to SAV and legacy devices and receiving feedback from SAV devices. The other fold is to provide the victim's defense system with attack detection information, which is essential to efficiently stop the attack traffic.

SAV Device The SAV devices refer to routers or switches that are capable of validating the source IP address, including SAVI, uRPF, etc. Compared to simply dropping spoofed packets, SAV devices are required to selectively allow spoofed packets through if they do not match the filtering rules. This mechanism can be considered as a SAV-honeynet that records threat data related to spoofing.

The SAV device must register it to the controller when being installed, in which a unique identification number and other information (e.g., location, management IP address) may needed. Whenever a spoofed packet is detected, the SAV device will record its timestamp, 5-tuple, TCP flag, packet size, and so on. However, only if the spoofed packet matches existing filtering rules, will the packet be dropped. After a certain interval, the recorded data will be compressed and sent to the controller.
Modern devices are generally capable of filtering based on packet length and counting the number of filtered packets. Upon receiving filtering rules from the controller, the SAV device must install them into its data plane. The SAV device also needs to record the number of packets filtered by each rule. If a rule filters no packet during some periods, the rule will be automatically removed to save the rule's space.

Legacy Device The commercial routers that are widely deployed in production are considered to be legacy devices. Access Control List (ACL) is universally supported in today's routers for packet filtering. Legacy devices can achieve extensive filtering by simply connecting their management interface to the controller and receiving the rules. Since ACLs may vary across legacy devices, filtering rules must be adapted to meet the specific requirements of each device. The legacy routers can join the SAV-D system by registering it to the controller with information similar to the SAV router. Once registered, the legacy routers can receive the filtering rules from the controller in a safe and trusted channel. These rules will be installed into the data plane. Similar to SAV devices, if a rule filters no packet during some period, the rule will be automatically removed.

Victims' Defense The SAV deployers can request access to the attack detection information related to themselves. The information includes various details such as the attack target, type, duration, and malicious IP lists. These details can serve as auxiliary signals to boost the detection time. In addition, SAV-D can provide real-time updated IP blocklists, which can be efficiently used for blocking malicious traffic. In an ideal situation, the defense system could provide an interface to directly receive the information and automatically perform corresponding filtering policies. This mechanism could improve the effectiveness of DDoS defense and incentivize more SAV deployment.

Connection Example Figure 2 depicts a connection example of SAV-D system. There are SAV routers distributed throughout the network, and they MUST communicate with the SAV controller in order to collaborate. This document suggests that each SAV router stores several records of the SAV controller for backup. Each SAV router MUST try to connect to its nearest SAV controller at all times. If the SAV router loses contact with the present controller, it MUST seek the next closest controller. Such a mechanism can assist SAV routers in maintaining connections to the best of their abilities. The SAV controller appears as a single entity to the external. Realizing the full functionality of the SAV controller MAY require many computing and storage resources. As a result, the SAV controller can be built as clustered or distributed servers, where consistency and scalability are the primary concerns. Each SAV controller can communicate with many SAV routers and perform the corresponding functions.

Data transmission Data transmission includes bidirectional data transmission of control plane and data plane. The monitoring information of the spoofed src-IP packets is transmitted from the data plane to the control plane. Following the existing definition of savnet, the monitoring information transmission protocol should follow YANG Data Model for Intra-domain and Inter-domain Source Address Validation. In the opposite direction, the filtering rules and threat information are transmitted. The transmission of filtering instructions can be referred to DOTS Telemetry, whitch describes the transmission requirements of collaborative filtering instructions. The threat information includes the attack detection resultant, victim IP ddress segmant and etc. and describe the transmission requirements for threat information, whitch can be the candidate protocol.

Workflow The proposed SAV-D architecture can collaboratively defend the IP spoofing DDoS in a distributed pattern. The typical procedures are described as follows. (i). The SAV routers validate and record the characteristics of spoofed packets, and periodically send this data to the logically centralized controller, where the global spoofing information is aggregated. (ii). Based on the aggregated statistics, the controller can accurately detect whether there are ongoing IP spoofing attacks with the help of predefined algorithms. (iii). Based on the detection results, the controller can generate defense policies for both SAV and non-SAV devices. The policies mainly involve filtering rules on 5-tuple and packet size. (iv). For detected attacks, the defense policies will be distributed to all SAV and legacy devices. Moreover, the detection results will also be sent to the victim's defense system. (v). The filtering rules will be installed on relevant devices to block the malicious packets. If a rule filters no packet during some period, the rule will be automatically removed.

Scalability When there are large amounts of devices introduced into the SAV-D, the control plane could be implemented with hierarchical structure, where multiple sub-level controllers are in charge of the devices inside AS domains. The single top-level controller can exchange information (i.e., IP spoofing statistics and filtering rules) with these sub-level controllers. Additionally, a large number of attacks and filtering rules could introduce another scalability problem. One possible solution is to prioritize the mitigations of these attacks, where severe attacks will be tackled first so that the number of filtering rules will be limited to moderate scope.

IANA Considerations This document includes no request to IANA.

Security Considerations Adversaries may send forged IP spoofing statistics to the control plane or send forged filtering rules to SAV and legacy devices, which could cause severe harm to legitimate traffic. To avoid this situation, the information transmissions of SAV-D could be encrypted with certification. There could also be attacks directly on the SAV-D controllers. As common systems, security systems (e.g., firewalls) are essential to protect the controllers. In addition, hot-standby controllers can also significantly improve security and availability.

References Normative References Ingress Filtering for Multihomed Networks BCP 38, RFC 2827, is designed to limit the impact of distributed denial of service attacks, by denying traffic with spoofed addresses access to the network, and to help ensure that traffic is traceable to its correct source network. As a side effect of protecting the Internet against such attacks, the network implementing the solution also protects itself from this and other attacks, such as spoofed management access to networking equipment. There are cases when this may create problems, e.g., with multihoming. This document describes the current ingress filtering operational mechanisms, examines generic issues related to ingress filtering, and delves into the effects on multihoming in particular. This memo updates RFC 2827. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Enhanced Feasible-Path Unicast Reverse Path Forwarding This document identifies a need for and proposes improvement of the unicast Reverse Path Forwarding (uRPF) techniques (see RFC 3704) for detection and mitigation of source address spoofing (see BCP 38). Strict uRPF is inflexible about directionality, the loose uRPF is oblivious to directionality, and the current feasible-path uRPF attempts to strike a balance between the two (see RFC 3704). However, as shown in this document, the existing feasible-path uRPF still has shortcomings. This document describes enhanced feasible-path uRPF (EFP-uRPF) techniques that are more flexible (in a meaningful way) about directionality than the feasible-path uRPF (RFC 3704). The proposed EFP-uRPF methods aim to significantly reduce false positives regarding invalid detection in source address validation (SAV). Hence, they can potentially alleviate ISPs' concerns about the possibility of disrupting service for their customers and encourage greater deployment of uRPF techniques. This document updates RFC 3704. TCP SYN Flooding Attacks and Common Mitigations This document describes TCP SYN flooding attacks, which have been well-known to the community for several years. Various countermeasures against these attacks, and the trade-offs of each, are described. This document archives explanations of the attack and common defense techniques for the benefit of TCP implementers and administrators of TCP servers or networks, but does not make any standards-level recommendations. This memo provides information for the Internet community. Source Address Validation Improvement (SAVI) Framework Source Address Validation Improvement (SAVI) methods were developed to prevent nodes attached to the same IP link from spoofing each other's IP addresses, so as to complement ingress filtering with finer-grained, standardized IP source address validation. This document is a framework document that describes and motivates the design of the SAVI methods. Particular SAVI methods are described in other documents. Distributed Denial-of-Service Open Threat Signaling (DOTS) Data Channel Specification The document specifies a Distributed Denial-of-Service Open Threat Signaling (DOTS) data channel used for bulk exchange of data that cannot easily or appropriately communicated through the DOTS signal channel under attack conditions. This is a companion document to "Distributed Denial-of-Service Open Threat Signaling (DOTS) Signal Channel Specification" (RFC 8782). Distributed Denial-of-Service Open Threat Signaling (DOTS) Telemetry This document aims to enrich the Distributed Denial-of-Service Open Threat Signaling (DOTS) signal channel protocol with various telemetry attributes, allowing for optimal Distributed Denial-of-Service (DDoS) attack mitigation. It specifies the normal traffic baseline and attack traffic telemetry attributes a DOTS client can convey to its DOTS server in the mitigation request, the mitigation status telemetry attributes a DOTS server can communicate to a DOTS client, and the mitigation efficacy telemetry attributes a DOTS client can communicate to a DOTS server. The telemetry attributes can assist the mitigator in choosing the DDoS mitigation techniques and performing optimal DDoS attack mitigation. This document specifies two YANG modules: one for representing DOTS telemetry message types and one for sharing the attack mapping details over the DOTS data channel. Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References State of IP Spoofing

Acknowledgements Thanks to Linbo Hui, Yannan Hu, Wenyong Wang for their contribution to this draft.