Flexible DDoS Defense: Bohatei

ID N0WHERE:75947
Type n0where
Reporter N0where
Modified 2015-12-11T00:12:44


DDoS defense today relies on expensive and proprietary hardware appliances deployed at fixed locations. This introduces key limitations with respect to flexibility (e.g., complex routing to get traffic to these “chokepoints”) and elasticity in handling changing attack patterns. We observe an opportunity to address these limitations using new networking paradigms such as software defined networking (SDN) and network functions virtualization (NFV). Based on this observation, we design and implement Bohatei, a flexible and elastic DDoS defense system.

In spite of extensive industrial and academic effort, distributed denial-of-service (DDoS) attacks continue to plague the Internet. Over the last few years, we have observed a dramatic escalation in the number, scale, and diversity of DDoS attacks. At the same time, new vectors and variations of known attacks are constantly emerging. The damage that these DDoS attacks cause to organizations is well known and includes both monetary losses and loss of customer trust.

DDoS defense today is implemented using expensive and proprietary hardware appliances (deployed in-house or in the cloud) that are fixed in terms of placement, functionality, and capacity. First, they are typically deployed at fixed network aggregation points (e.g., a peering edge link of an ISP). Second, they provide fixed functionality with respect to the types of DDoS attacks they can handle. Third, they have a fixed capacity with respect to the maximum volume of traffic they can process. This fixed nature of today’s approach leaves network operators with two unpleasant options:

  1. to overprovision by deploying defense appliances that can handle a high (but pre-defined) volume of every known attack type at each of the aggregation points, or
  2. to deploy a smaller number of defense appliances at a central location (e.g., a scrubbing center) and reroute traffic to this location.

While option (2) might be more cost-effective, it raises two other challenges. First, operators run the risk of under-provisioning. Second, traffic needs to be explicitly routed through a fixed central location, which introduces additional traffic latency and requires complex routing hacks. Either way, handling larger volumes or new types of attacks typically mandates purchasing and deploying new hardware appliances.

Ideally, a DDoS defense architecture should provide the flexibility to seamlessly place defense mechanisms where they are needed and the elasticity to launch defenses as needed depending on the type and scale of the attack. We observe that similar problems in other areas of network management have been tackled by taking advantage of two new paradigms: software-defined networking (SDN) and network functions virtualization (NFV). SDN simplifies routing by decoupling the control plane (i.e., routing policy) from the data plane (i.e., switches). In parallel, the use of virtualized network functions via NFV reduces cost and enables elastic scaling and reduced time-to-deploy akin to cloud computing. These potential benefits have led major industry players (e.g., Verizon, AT&T) to embrace SDN and NFV.

Bohatei is a flexible and elastic DDoS defense system that demonstrates the benefits of these new network management paradigms in the context of DDoS defense. Bohatei leverages NFV capabilities to elastically vary the required scale (e.g., 10 Gbps vs. 100 Gbps attacks) and type (e.g., SYN proxy vs. DNS reflector defense) of DDoS defense realized by defense virtual machines (VMs). Using the flexibility of SDN, Bohatei steers suspicious traffic through the defense VMs while minimizing user-perceived latency and network congestion.

In designing Bohatei, we address three key algorithmic and system design challenges. First, the resource management problem of determining the number and location of defense VMs is NP-hard and takes hours to solve exactly. Second, existing SDN solutions are fundamentally unsuitable for DDoS defense (and even introduce new attack avenues) because they rely on a per-flow orchestration paradigm, in which switches must contact a network controller each time they receive a new flow. Finally, an intelligent DDoS adversary can attempt to evade an elastic defense, or alternatively induce provisioning inefficiencies, by dynamically changing attack patterns.

We have implemented a Bohatei controller using OpenDaylight, an industry-grade SDN platform. We have used a combination of open source tools (e.g., Open vSwitch, Snort, Bro, iptables) as defense modules. We have developed a scalable resource management algorithm. Our evaluation, performed on a real testbed as well as using simulations, shows that Bohatei effectively defends against several different DDoS attack types, scales to scenarios involving 500 Gbps attacks and ISPs with about 200 backbone routers, and can effectively cope with dynamic adversaries.
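To make the resource management problem concrete, here is an added example (not Bohatei's own algorithm or code) of a simple greedy heuristic that places defense VMs for an attack estimate: each (ingress, attack type, volume) demand is served from the lowest-latency datacenter with free VM slots, spilling over to farther ones, and any volume that cannot be covered is reported as a shortfall so the operator sees under-provisioning rather than silently dropping it. The topology, latencies, and per-VM throughput figures are constructed for illustration.

```python
"""Greedy defense-VM placement heuristic (hypothetical; constructed inputs)."""
from collections import defaultdict

# Constructed sample topology: datacenter -> free defense-VM slots
DC_CAPACITY = {"dc_east": 6, "dc_west": 4}
# Constructed latency (ms) from each ingress (e.g., a peering edge link) to each datacenter
LATENCY = {
    "peer_ny": {"dc_east": 5, "dc_west": 40},
    "peer_sf": {"dc_east": 45, "dc_west": 6},
}
# Assumed per-VM throughput (Gbps) for each defense module type
VM_CAPACITY_GBPS = {"syn_proxy": 10, "dns_reflector": 20}


def place_defense_vms(attack_estimate, dc_capacity=DC_CAPACITY, latency=LATENCY):
    """attack_estimate: list of (ingress, attack_type, volume_gbps).

    Returns (plan, shortfall):
      plan      maps (datacenter, attack_type) -> number of VMs to launch
      shortfall maps (ingress, attack_type) -> Gbps left undefended
    """
    free = dict(dc_capacity)          # copy so repeated calls start fresh
    plan = defaultdict(int)
    shortfall = {}
    # Serve the largest volumes first so big attacks get the nearest capacity
    for ingress, atype, volume in sorted(attack_estimate, key=lambda a: -a[2]):
        per_vm = VM_CAPACITY_GBPS[atype]
        needed = -(-volume // per_vm)  # ceiling division: VMs required
        allocated = 0
        # Nearest datacenter first keeps user-perceived latency low
        for dc in sorted(latency[ingress], key=latency[ingress].get):
            if needed == 0:
                break
            take = min(needed, free[dc])
            if take:
                plan[(dc, atype)] += take
                free[dc] -= take
                needed -= take
                allocated += take
        uncovered = volume - allocated * per_vm
        if uncovered > 0:
            shortfall[(ingress, atype)] = uncovered
    return dict(plan), shortfall


if __name__ == "__main__":
    demand = [("peer_ny", "syn_proxy", 50), ("peer_sf", "dns_reflector", 100),
              ("peer_ny", "dns_reflector", 30)]
    print(place_defense_vms(demand))
```

The exact formulation is NP-hard, as the text notes; a heuristic like this trades optimality for a decision that can be made in milliseconds as attack patterns change.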
