
Towards Deployable, Distributed ISP Traffic Filtering for the Cloud-Era

  • Published in: Journal of Network and Systems Management

Abstract

Traditionally, Internet Service Providers (ISPs) have used a centralized traffic filtering architecture, wherein unwanted traffic heading towards a customer who subscribes to their filtering service is diverted to a security data center (SDC), from where only traffic deemed wanted is re-routed back to the customer over an overlay network of tunnels. Given the huge volumes of traffic being seen today, this centralized architecture's scalability is already being stretched from a network capacity point of view. Moreover, the traffic diversion mechanism used necessitates configuring and maintaining tunnels, which is a network management overhead. We argue that this centralized architecture and its tunnel-based traffic diversion mechanism will not scale as we move further into the era where ISPs are becoming, or providing connectivity to, cloud providers. We propose a distributed architecture with multiple SDCs that scales from a capacity perspective, and describe how a standardized router capability, Border Gateway Protocol (BGP) Flow Specifications, can be used to selectively propagate traffic diversion routes, which eliminates the need for tunnels. Furthermore, we show how the assignment of arriving traffic to specific SDCs can be modeled and solved as a mathematical optimization problem, which enables automated instantiation of the filtering service and also helps quantify the benefits of the distributed architecture from a capacity utilization perspective.


Notes

  1. While the roles of these protocols and elements in the traffic filtering context are outlined as needed, a full description of each of them is beyond the scope of this paper.

  2. In the context of this paper, backbone complexes refer to larger facilities usually exclusive to the ISP that house routing and compute equipment; they are typically located in more sparsely populated areas where space, power, land and other costs are lower.

  3. The same practical considerations as in Sect. 5.1 apply—here we still aggregate by the customer’s prefixes, but they are now source prefixes rather than destination prefixes.

  4. The model is not specific to OSPF—in general the shortest paths could be instead computed in a manner consistent with another IGP such as IS–IS.

  5. One can also vary the demands (\(d_{pq}\)) when launching parallel instances of the problem as a means to do some what-if analysis before picking a solution to instantiate.
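The SDC assignment problem the abstract describes, with the IGP shortest paths of note 4 and the demands \(d_{pq}\) of note 5, as an added example that is not the paper's own model or code: a constructed five-node backbone, two candidate SDCs with capacities, and an exhaustive search for the assignment that minimizes traffic-weighted path length, plus a single-SDC run of the same instance for comparison. All topology, demand, site and capacity values are invented, and the cost model (all diverted traffic is carried on to the customer) is an assumption.

```python
import heapq
import itertools

# Constructed backbone topology: undirected links with IGP (e.g. OSPF) costs.
LINKS = {("A", "B"): 1, ("A", "C"): 2, ("B", "C"): 1, ("B", "D"): 3,
         ("C", "D"): 1, ("C", "E"): 2, ("D", "E"): 1}
# Constructed demands d_pq: traffic entering at ingress router p for customer q.
DEMANDS = {("A", "cust1"): 10, ("B", "cust1"): 5, ("A", "cust2"): 8, ("D", "cust2"): 4}
SITES = {"cust1": "D", "cust2": "E"}       # node where each customer attaches
CAPACITY = {"C": 20, "E": 15}              # SDC location -> filtering capacity

def shortest_paths(src, links):
    """Dijkstra over the link costs, standing in for the IGP's shortest paths."""
    adj = {}
    for (u, v), w in links.items():
        adj.setdefault(u, []).append((v, w))
        adj.setdefault(v, []).append((u, w))
    dist, heap = {src: 0}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, w in adj[u]:
            if d + w < dist.get(v, float("inf")):
                dist[v] = d + w
                heapq.heappush(heap, (d + w, v))
    return dist

def assign_to_sdcs(demands, sites, capacity, links):
    """Pick one SDC per (ingress, customer) demand so that no SDC exceeds its
    capacity and the traffic-weighted path length (ingress -> SDC -> customer,
    assuming all diverted traffic is returned) is minimal. Small instances only:
    the search is exhaustive, |SDCs| ** |demands| candidate assignments."""
    nodes = {n for link in links for n in link}
    dist = {n: shortest_paths(n, links) for n in nodes}
    keys, sdcs = list(demands), list(capacity)
    best = None
    for choice in itertools.product(sdcs, repeat=len(keys)):
        load = dict.fromkeys(sdcs, 0)
        cost = 0
        for (p, q), s in zip(keys, choice):
            load[s] += demands[(p, q)]
            cost += demands[(p, q)] * (dist[p][s] + dist[s][sites[q]])
        if all(load[s] <= capacity[s] for s in sdcs) and (best is None or cost < best[0]):
            best = (cost, dict(zip(keys, choice)))
    return best   # (total cost, {(ingress, customer): sdc}) or None if infeasible

if __name__ == "__main__":
    print("two SDCs:", assign_to_sdcs(DEMANDS, SITES, CAPACITY, LINKS))
    print("single SDC at C:", assign_to_sdcs(DEMANDS, SITES, {"C": 40}, LINKS))
```

On this instance the capacity constraint forces one demand off the nearest SDC, and the two-SDC layout still beats a single large SDC at C on traffic-weighted path length, which is the capacity-utilization comparison the abstract refers to; a production solver (an LP/ILP formulation) replaces the exhaustive search for realistic sizes.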



Correspondence to Ramesh Subbaraman.


Cite this article

Subbaraman, R. Towards Deployable, Distributed ISP Traffic Filtering for the Cloud-Era. J Netw Syst Manage 26, 547–572 (2018). https://doi.org/10.1007/s10922-017-9424-1
