Traffic-Adaptive Packet Filtering of Denial of Service Attacks

Lukas Kencl, Christian Schwarzer
Intel Research, 15 JJ Thomson Avenue, Cambridge, CB3 0FD, United Kingdom
{lukas.kencl, christian.schwarzer}@intel.com

Abstract

Traffic-adaptive packet filtering is a mechanism that adjusts a packet classification method at run-time to the particular traffic mix a network node is receiving. It has been conjectured previously that such techniques could perform well when filtering out malicious attack traffic, due to their flow aggregation capabilities. In this work, we present two novel contributions: the first working implementation of a traffic-adaptive firewall, based on the insertion of shortcuts into a search tree, and both a simulated and a real-life performance study of adaptive packet filtering under denial-of-service attack traffic, the outcomes of which support the above conjecture.

1. Introduction

Recent interest in packet filtering, or packet classification, stems from the growing size of the filter rule databases (i.e. Access Control Lists (ACLs)) used to protect ISPs, enterprise networks and individual hosts against attacks on the increasingly hostile Internet. Packet classification methods are also used in implementing Virtual Private Networks (VPNs) and in performing Traffic Engineering (TE). By packet classification we understand the task of comparing multiple fields of the packet header against the rules in a classification table, to determine the matching rule with the highest priority. A rule can combine exact, prefix and range matches over various fields of the packet header. Classification rule bases can be very large (e.g. 32k rules [15]) and search speed is a major performance factor. Executed for every packet, the search must be carried out within a tight time budget. As it usually requires a number of memory accesses, and memory latency lags behind the growth of processor and link transmission speeds, optimization of the data structures is critical.

Efficient rule-based classification [6, 8, 15, 11] has been the subject of extensive research. Often, a search tree is built over a pre-processed rule set (as in the Hi-Cuts [8] and HyperCuts [15] methods, see Fig. 1). The methods are typically optimized for the worst case, minimizing the depth of the search tree. However, neither are packet flows (sequences of packets sharing the same 5-tuple flow ID, i.e. IP source and destination addresses, IP protocol number and TCP/UDP source and destination port numbers) distributed uniformly over the address or rule space, nor is the popularity of flows in terms of packet count uniform [7, 5]. Previous studies [17] confirmed that some flow parameters are correlated (e.g. rate and size) and that small flows (mice) represent the majority, yet most of the traffic (in bytes) is concentrated in a few big flows (elephants) [3]. These were shown to be persistent at least on a small time scale (this holds for flow volumes [13]). In search trees this traffic bias shows up as an imbalance in the tree traversal patterns, as the vast majority of searches typically end in a tiny subset of the tree leaves [2, 4]. This phenomenon has led to recent designs of traffic-aware classification methods [2, 4], which aim for a much better average case while bounding the worst case. As is common in TE [13], the flows that carry most of the traffic are identified and treated differently to optimize resource utilization. While these methods perform well under the Zipf-like patterns of normal network traffic, it remained an open question how they would fare in the presence of malicious traffic, such as a denial-of-service attack [9]. In the following, we experimentally validate the performance of the shortcut method [2] under such conditions, showing that it actually adapts gracefully to the attack traffic.
[Figure 1 (not reproduced): a packet with IP source 192.54.36.193 and IP destination 80.72.16.167 traverses a decision tree that first cuts on the IP source prefix (192.48/13, 192.56/13) and then on the IP destination prefix (80.64/13, 80.72/13), reaching a leaf holding the rule IP source 192.54.36.192/26, IP destination 80.72.16.160/27, ...]
Figure 1. Example of tree-based packet classification, as in Hi-Cuts [8].
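To make the tree-based classification of Fig. 1 concrete, here is an added example written for this page; it is not code from the paper, from Hi-Cuts or from HyperCuts. It builds a simplified cut tree over the IP source and destination fields from a constructed five-rule set, classifies the packet of Fig. 1, and reports the number of nodes visited, i.e. the memory accesses the search costs. The simplifications are mine: one equal cut into two halves per node, the cut field alternating with depth, and a leaf threshold BINTH; real Hi-Cuts chooses the cut dimension and the number of cuts per node heuristically.

```python
"""Simplified Hi-Cuts-style decision tree over (IP source, IP destination).

Own simplifications: each internal node makes one equal cut (two halves) on
one field, the field alternates with depth, and a region becomes a leaf once it
holds at most BINTH rules or no further cut separates the remaining rules.
Leaf rule lists are scanned in priority order (first listed = highest)."""
import ipaddress

BINTH = 2                      # maximum rules per leaf (the Hi-Cuts/HyperCuts leaf-size knob)
FULL = (0, 2**32 - 1)          # whole 32-bit address range


def prefix_range(prefix):
    net = ipaddress.ip_network(prefix)
    return int(net.network_address), int(net.broadcast_address)


class Rule:
    def __init__(self, rid, src, dst, action):
        self.rid, self.action = rid, action
        self.box = (prefix_range(src), prefix_range(dst))       # (src range, dst range)

    def overlaps(self, region):
        return all(lo <= rhi and rlo <= hi
                   for (lo, hi), (rlo, rhi) in zip(self.box, region))

    def matches(self, src, dst):
        (slo, shi), (dlo, dhi) = self.box
        return slo <= src <= shi and dlo <= dst <= dhi


class TreeNode:
    def __init__(self, region, rules, dim=None, children=()):
        self.region, self.rules, self.dim, self.children = region, rules, dim, children


def halves(region, dim):
    """Two equal, neighboring chunks of the region along one field ([] if it cannot be cut)."""
    lo, hi = region[dim]
    if lo == hi:
        return []
    mid = (lo + hi) // 2
    return [region[:dim] + (part,) + region[dim + 1:] for part in ((lo, mid), (mid + 1, hi))]


def build(rules, region=(FULL, FULL), depth=0):
    """Rules stay in priority order (first listed = highest priority)."""
    live = [r for r in rules if r.overlaps(region)]          # rules touching this region
    if len(live) <= BINTH:
        return TreeNode(region, live)
    dim = depth % 2                                          # alternate source / destination
    if region[dim][0] == region[dim][1]:
        dim = 1 - dim
    subs = halves(region, dim)
    sub_rules = [[r for r in live if r.overlaps(s)] for s in subs]
    if not subs or all(len(sr) == len(live) for sr in sub_rules):
        return TreeNode(region, live)                        # no cut separates rules: stop
    return TreeNode(region, live, dim,
                    [build(sr, s, depth + 1) for s, sr in zip(subs, sub_rules)])


def classify(node, src, dst):
    """Walk root to leaf (one memory access per node), then scan the leaf's rules
    by priority. Returns (rule id, action, nodes visited)."""
    visited = 1
    while node.children:
        lo, hi = node.region[node.dim]
        key = (src, dst)[node.dim]
        node = node.children[0] if key <= (lo + hi) // 2 else node.children[1]
        visited += 1
    for r in node.rules:
        if r.matches(src, dst):
            return r.rid, r.action, visited
    return None, "no-match", visited


def stats(node, depth=0):
    """(total nodes, leaves, maximum depth) of a built tree."""
    if not node.children:
        return 1, 1, depth
    nodes, leaves, deepest = 1, 0, depth
    for kid in node.children:
        n, lv, d = stats(kid, depth + 1)
        nodes, leaves, deepest = nodes + n, leaves + lv, max(deepest, d)
    return nodes, leaves, deepest


def lookup(tree, src, dst):
    return classify(tree, int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst)))


# Constructed rule set; R1 is the rule reached in Fig. 1, R5 the default rule.
RULES = [
    Rule("R1", "192.54.36.192/26", "80.72.16.160/27", "accept"),
    Rule("R2", "192.48.0.0/13", "80.72.0.0/13", "accept"),
    Rule("R3", "192.0.0.0/8", "0.0.0.0/0", "drop"),
    Rule("R4", "10.0.0.0/8", "80.72.16.0/24", "accept"),
    Rule("R5", "0.0.0.0/0", "0.0.0.0/0", "drop"),
]
TREE = build(RULES)
```

lookup(TREE, "192.54.36.193", "80.72.16.167") returns ("R1", "accept", n) with n the nodes visited; R2, R3 and R5 also match that packet, and it is the priority-ordered scan of the leaf that makes the more specific rule R1 win. stats(TREE) gives node count, leaf count and depth, the same figures the paper reports for its HyperCuts tree in Section 4.1.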
2. Traffic-Adaptive Packet Filtering
The adaptive packet filtering method periodically introduces shortcuts into the search tree along frequently travelled paths, to reduce the number of memory accesses. Statistics about how the tree is traversed are collected continuously and read periodically. Reading the counters in all tree leaves is sufficient to recreate the entire traversal pattern of the tree, as the statistics can be aggregated in the parent nodes all the way up to the root. With large trees this operation may be prohibitive (e.g. in a tree of depth l = 10 and node degree d = 4, about 1 million leaf counters would have to be read). Heuristics and optimizations have been proposed to streamline the counter management [14, 10]. Shortcuts are additional edges inserted into the tree, bypassing several nodes and aggregating the tests along that path (see Fig. 2). Shortcuts are placed only along paths where they pay off in memory accesses saved. In this work, we use the sequential shortcut placement heuristic previously proposed by Bergamini and Kencl [2]. This Network of Shortcuts (NoS) placement algorithm traverses the tree top-down and left-to-right, and at each node attempts to place the "best" shortcut into the node's subtree, based on the Local Gain, i.e. how many memory accesses placing that shortcut would save. The complexity is O(N log_d N), where N is the total number of nodes. The variables used for evaluating the performance of the shortcut method are the Total Gain, i.e. the total number of memory accesses saved by using the method (equal to the sum of the Local Gains), and the Relative Gain, i.e. the fraction of memory accesses that have been eliminated. If BMA is the number of memory accesses needed when using the original tree and AMA the number when using the shortcuts, the Total Gain is defined as TGAIN = BMA - AMA and the Relative Gain as RGAIN = TGAIN / BMA.
The NoS method runs a control loop: periodically the statistics are read and the shortcuts for the next time interval are placed. The duration of the adaptation interval is determined in a few profiling runs by trading off the gain obtained by the shortcuts against the cost of recomputing the shortcuts and running the control loop. How best to predict the frequently travelled paths is open for further research; in this work, we place the shortcuts where they would have performed best on the traffic of the previous time interval. The NoS method has been shown in [2] to compare favorably with a cache of similar size. This is due to the high aggregation of different flows along a single path, which is easily covered by shortcuts. Similarly, we conjecture that a shortcut method actually benefits from an exhaustive Denial-of-Service (DoS) attack on the firewall, as the many different flow identifiers used in the attack packets gather along a few paths in the search tree.
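An added worked example of this section, covering counter aggregation, the sequential placement by Local Gain, the TGAIN/RGAIN metrics and the control loop just described. It is my own toy model, not the NoS code of [2] nor the MATLAB or Linux implementation of Section 3. Assumptions beyond the text: one memory access per node visited, at most one shortcut per node, a shortcut adds no access beyond the node it starts from, and the Local Gain of a candidate is measured against the shortcuts already placed higher in the tree. The tree (CHILDREN) and the traffic (NORMAL, ATTACK) are constructed; the last interval imitates the attack case by adding 1000 packets to the path of one leaf.

```python
"""Toy Network-of-Shortcuts (NoS) model (own illustration, not the paper's code):
one memory access per node visited, at most one shortcut per node, a shortcut
costs nothing beyond its start node, interval t uses shortcuts placed from t-1."""


class Node:
    def __init__(self, name):
        self.name, self.children, self.parent = name, [], None
        self.depth, self.hits, self.shortcut = 0, 0, None

def preorder(node):                     # subtree nodes, top-down and left-to-right
    out = [node]
    for c in node.children:
        out.extend(preorder(c))
    return out

def build_tree(children, root_name):   # children: {parent: [child, ...]} (constructed)
    nodes = {n: Node(n) for n in set(children) | {c for cs in children.values() for c in cs}}
    for parent, kids in children.items():
        for kid in kids:
            nodes[kid].parent = nodes[parent]
            nodes[parent].children.append(nodes[kid])
    for n in preorder(nodes[root_name]):
        for c in n.children:
            c.depth = n.depth + 1
    return nodes[root_name]

def leaves_of(node):
    return [n for n in preorder(node) if not n.children]

def load_counters(root, leaf_hits):
    """Only leaf counters are read; every parent gets the sum of its children."""
    def agg(n):
        n.hits = leaf_hits.get(n.name, 0) if not n.children else sum(agg(c) for c in n.children)
        return n.hits
    agg(root)

def root_path(node):
    return [] if node is None else root_path(node.parent) + [node]

def memory_accesses(leaf):
    """Nodes visited from the root to `leaf`, taking any shortcut whose target lies further down the path."""
    path = root_path(leaf)
    index = {n.name: i for i, n in enumerate(path)}
    i, visited = 0, 1
    while path[i] is not leaf:
        sc = path[i].shortcut
        i = index[sc.name] if sc is not None and index.get(sc.name, -1) > i else i + 1
        visited += 1
    return visited

def local_gain(u, v):
    """Accesses saved by a shortcut u -> v, given the shortcuts already placed."""
    affected = leaves_of(v)
    cost = lambda: sum(lf.hits * memory_accesses(lf) for lf in affected)
    before, old = cost(), u.shortcut
    u.shortcut = v
    after = cost()
    u.shortcut = old
    return before - after

def place_shortcuts(root):
    """Sequential placement: top-down, left-to-right; keep at each node the best shortcut into its subtree."""
    for n in preorder(root):
        n.shortcut = None                           # drop the previous interval's shortcuts
    placed = []
    for u in preorder(root):
        best, best_gain = None, 0
        for v in preorder(u)[1:]:
            if v.depth - u.depth >= 2:              # at least one node to bypass
                g = local_gain(u, v)
                if g > best_gain:
                    best, best_gain = v, g
        if best is not None:
            u.shortcut = best
            placed.append((u.name, best.name, best_gain))
    return placed

def gains(root):
    """(BMA, AMA, TGAIN, RGAIN) as defined in Section 2."""
    leaves = leaves_of(root)
    bma = sum(lf.hits * (lf.depth + 1) for lf in leaves)    # original tree: whole path
    ama = sum(lf.hits * memory_accesses(lf) for lf in leaves)
    return bma, ama, bma - ama, (bma - ama) / bma

def control_loop(root, intervals):
    """RGAIN per interval, each measured with the shortcuts placed from the previous interval."""
    rgains = []
    for leaf_hits in intervals:
        load_counters(root, leaf_hits)
        rgains.append(gains(root)[3])
        place_shortcuts(root)                       # serves the next interval
    return rgains

# Constructed traffic on a complete binary tree of depth 3: two "normal" intervals,
# then one where 1000 attack packets pile onto the path to leaf h.
CHILDREN = {"a": ["b", "c"], "b": ["d", "e"], "c": ["f", "g"],
            "d": ["h", "i"], "e": ["j", "k"], "f": ["l", "m"], "g": ["n", "o"]}
NORMAL = {"h": 20, "i": 15, "j": 15, "k": 10, "l": 10, "m": 10, "n": 10, "o": 10}
ATTACK = dict(NORMAL, h=NORMAL["h"] + 1000)

def demo():
    return control_loop(build_tree(CHILDREN, "a"), [NORMAL, NORMAL, ATTACK])
```

demo() returns the relative gain per interval, about [0.0, 0.16, 0.47]: nothing is saved in the first interval (no statistics yet), a modest gain on the normal traffic, and a much larger one once the attack concentrates hits on a single path, which is the mechanism behind the conjecture at the end of this section. Measuring each candidate's gain against the shortcuts already placed keeps the greedy pass from placing a shortcut at b towards a leaf that the shortcut from a already bypasses.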
[Figure 2 (not reproduced): tree with nodes a (root), b, c, d, e.]
Figure 2. Shortcut example: a shortcut from a is inserted to reach hotspot e faster.
3. Implementation

The traffic-adaptive packet filtering is implemented, on the one hand, in MATLAB for fast prototyping and simulation and, on the other hand, in Linux for real-life experiments. Our Linux implementation is based on PTree [1], a tree-based packet classification package for Linux 2.4 that is implemented in three parts: a Java GUI front-end, a user-space back-end with the tree compiler, and a kernel module that hooks itself into the Linux protocol stack by means of the netfilter architecture. We enhanced the PTree implementation with modules that perform the adaptation to the network traffic conditions. The resulting architecture is shown in Fig. 3. The kernel module executes the actual per-packet classification and collects hit statistics on all the tree nodes. The creation of the search tree and the periodic recomputation of the shortcuts are performed in user space. The NoS module periodically pulls the hit statistics from the kernel to user space in order to compute a new shortcut placement. The new shortcuts are then downloaded to the kernel and added to the decision tree without updating the original search tree itself. The shortcuts are represented as enhanced copies of the original tree nodes and stored at a different memory location than the classification tree. Branch and shortcut traversal is done by memory indirection, which does not affect the memory layout of the initial classification tree.

[Figure 3 (block diagram, not reproduced). User space: PTree front end (GUI), PTree back end (rule base, search tree), NoS module (statistics gathering, NoS placement). Kernel space: "NoS on PTree" packet classification kernel module with node monitoring; memory holding the counters, the tree and the shortcuts; packets in, packets out.]
Figure 3. NoS Linux implementation.
4. Experimental Validation

We use two approaches to validate the shortcut concept. Firstly, we simulate the classification of packet headers from real traces against realistic trees in MATLAB. Secondly, the Linux kernel implementation of the adaptive classification method is used as a firewall over which a client streams a video from a server. Both in the simulated and in the real-life experiments, we evaluate the behavior and performance of the adaptive system in the presence of a denial of service (DoS) attack.

4.1. Simulated Experiments

In order to make the simulated MATLAB experiments as realistic as possible, we not only use real network traces to extract the 5-tuple packet header information, but also realistic rule sets to generate the classification tree. Two different real network traces are replayed against the packet classification tree. The dump trace was collected by the network monitor described in [12] on a Gigabit Ethernet connection; the distributions of flow sizes, durations and rates can be considered to be in a stationary regime. The prefix-preserving anonymized DDoS_Attack trace (as used in [9]) contains a distributed denial of service attack. The attack is a reflector attack that sends echo reply packets to a target victim. Basic statistics for the two traces are shown in Table 1. Fig. 4 shows the scatter plot of IP destination address (32-bit) vs. IP source address (32-bit) of all flow IDs for both traces. The IP tuples of the DDoS_Attack trace occupy a much larger area of the total tuple space (2^32 * 2^32) than those of the dump trace. This is probably caused by the anonymization scheme.

Table 1. Trace statistics

                         DDoS_Attack      dump
    Total packets            6889982   4754524
    Distinct flow IDs         131032     52959
    Attack packets           1043223         -
    Attack flow IDs              145         -
    First attack packet      1344047         -
    Last attack packet       6190054         -

[Figure 4 (scatter plots, not reproduced): IP destination address vs. IP source address, both axes 0 to 4 x 10^9, for the DDoS_Attack trace (left) and the dump trace (right).]
Figure 4. IP source vs. dest. address for "DDoS_Attack" (left) and "dump" (right) trace

We evaluate the shortcut method on two instances of search trees. Firstly, on an artificial balanced and complete tree of degree 4 and depth 9, where at each node the search space is partitioned into neighboring chunks of equal size. Secondly, on a HyperCuts [15] packet classification tree over the IP source and destination fields, derived from 1000 rules generated with the filter set generator of the ClassBench suite [16] with default parameters: smoothness = 2, address scope = 0.5 and application scope = -0.1. The HyperCuts parameters are: maximum rules in leaf = 4 and maximum number of cuts = 1. The resulting tree has a total of 1325 nodes, of which 994 are leaves. The average tree depth is 7.3 (standard deviation 0.74), whereas the minimal and maximal depths are 4 and 9. As performance metric of the shortcut placement we use RGAIN (the fraction of memory accesses saved per adaptation interval). An adaptation interval of 10000 packets was used for both the dump and the DDoS_Attack traces.

Results Discussion: The evolution of the relative gain vs. the number of the adaptation interval is shown in Fig. 5 (top and middle). The adaptation intervals containing packets of the distributed denial of service attack can clearly be distinguished from the intervals containing only non-malicious traffic. In fact, the attack has a beneficial impact on the performance of the adaptive method. In the DDoS_Attack trace there are on average only around 45 packets per non-malicious flow, as opposed to 7195 packets per flow taking part in the DDoS attack (Table 1). As many packets in few flows can be captured by the shortcuts much better than few packets in many different flows, the adaptive method performs better during the attack. The shortcut placement algorithm achieves better performance on the dump trace. This is probably due to the fact that the IP source and destination tuples (Fig. 4) of the DDoS_Attack trace are spread more uniformly over the address space. Clustering in the dump trace leads to more packets being caught by the same branch of the classification tree, which makes a shortcut placement in such a branch more effective. Fig. 5 also shows results for both trees. The higher relative gain on the balanced tree is due to its greater depth, which allows the placement of longer and, therefore, more effective shortcuts, as illustrated by the average shortcut lengths in Fig. 5 (bottom).

[Figure 5 (time series, not reproduced). Top row: relative gain (0 to 0.6) vs. adaptation iteration (0 to 700) for "DDoS_Attack" on the artificial tree and on the HyperCuts tree, with the attack intervals marked. Middle row: relative gain (0 to 0.6) vs. adaptation iteration (0 to 500) for "dump" on the artificial tree and on the HyperCuts tree. Bottom row: average shortcut length (0 to 5) vs. adaptation iteration for "dump" on the artificial tree and on the HyperCuts tree.]
Figure 5. Time series of relative gain and average shortcut length for "DDoS_Attack" and "dump" trace on artificial tree and HyperCuts tree. Adaptation interval is 10000 packets.
4.2. Real-life Experiments

The performance of the shortcut method in a real network configuration is demonstrated by using the Linux implementation of the adaptive packet filter as a firewall on a Linux machine. The firewall is placed as a router in a small network of four Linux machines. The testbed is depicted in Fig. 6 and includes the router running the tree-based packet classifier, a video streaming server, a video client and a machine hosting an attacker. The client plays a video stream provided by the video server directly over the network and over the central router. The firewall on the router is configured to let through the video data packets from server to client and the corresponding acknowledgements from client to server. Packets not belonging to one of these flows are dropped at the router. We compare the performance of the shortcut placement in terms of throughput at the client, with and without attack traffic at the router, by switching the adaptive shortcut placement module from off to on during the experiments.

[Figure 6 (not reproduced): video server -> router with firewall -> video client (video stream); attacker -> router (malicious traffic).]
Figure 6. Experimental testbed

Results Discussion: In both experiments, the video is initially played at the client without loss or jitter at a rate of about 4.5 MBytes/sec (Fig. 7: NoS off). As the shortcuts accelerate the classification of a data flow, the activation of the adaptive method increases the throughput of the video stream, as shown on the left of Fig. 7.

If the attacker starts her denial of service attack by sending bogus packets at a rate of 10 MBytes/sec against the router, the tree-based classification algorithm gets overwhelmed with malicious packets that also need to be matched against the firewall tree. For the purpose of this experiment, the firewall is configured such that it cannot handle the amount of packets sent by the attacker, which leads to a growing packet queue at the root of the classification tree. Video data packets therefore experience large delays, leading to very low or zero effective throughput at the client (region 2 on the right of Fig. 7). As a consequence, the video software stops the playback or loops through the local buffer content. Switching on the adaptive control loop remedies the situation by adapting the classification tree to the current traffic situation. The placement of shortcuts in the three frequently travelled tree branches, corresponding to the server-to-client, client-to-server and attacker-to-firewall packet flows, significantly reduces the number of memory accesses in the classification process and, consequently, increases the throughput of the firewall. The actual throughput of video data packets (region 3 on the right of Fig. 7) is again high enough to guarantee lossless and jitter-free playback at the client.

[Figure 7 (not reproduced). Left: throughput [bytes/s] of the video data at the client (0 to 7 x 10^6) vs. time (0 to 60 s), NoS off then NoS on. Right: video traffic and attacker traffic [bytes/s] (0 to 2 x 10^7) vs. time (0 to 200 s), with regions labelled 1, 2 (NoS off) and 3 (NoS on).]
Figure 7. Throughput of video data at the client before/after (NoS off/on) the activation of the shortcut placement without (left) and with (right) attack on the firewall. Adaptation interval is 10 seconds.
5. Conclusion

Two statements can be concluded from this study: firstly, it is feasible to implement an adaptive extension to a tree-based filtering method, and it can improve the throughput of a networking device significantly; secondly, the shortcut insertion (NoS) technique can be very effective in boosting filter performance under DoS attack traffic. To reach a general conclusion about the performance of a traffic-adaptive method under attack conditions, a much more thorough investigation is needed, with many other types of attacks; in particular an algorithmic attack on the adaptation method itself (the lower gain observed on the more uniformly spread flow IDs of the DDoS_Attack trace in Section 4.1 suggests that attack traffic deliberately spread over many tree paths would be the obvious candidate). For the moment, though, this paper justifies mild optimism about the applicability of such methods.

References

[1] D. Becker, R. Todorovic, and Q. Wang. PTREE: A system for flexible, efficient packet classification. Technical Report, CS524 Networking Project, Washington University in St. Louis, USA, 2001.
[2] A. Bergamini and L. Kencl. Network of shortcuts: An adaptive data structure for tree-based search methods. In Proceedings of IFIP Networking, Waterloo, Canada, May 2005.
[3] N. Brownlee and kc claffy. Understanding Internet traffic streams: Dragonflies and tortoises. IEEE Communications Magazine, October 2002.
[4] E. Cohen and C. Lund. Packet classification in large ISPs: design and evaluation of decision tree classifiers. In Proceedings of ACM SIGMETRICS, Banff, Canada, 2005.
[5] H. Dreger, A. Feldmann, B. Krishnamurthy, J. Wallerich, and W. Willinger. A methodology for studying stability aspects of Internet flows. Computer Communication Review, May 2005.
[6] A. Feldmann and S. Muthukrishnan. Tradeoffs for packet classification. In Proceedings of IEEE INFOCOM, 2000.
[7] A. Feldmann and W. Whitt. Fitting mixtures of exponentials to long-tail distributions to analyze network performance models. In Proceedings of IEEE INFOCOM, 1997.
[8] P. Gupta and N. McKeown. Packet classification using hierarchical intelligent cuttings. In Proceedings of Hot Interconnects VII, 1999.
[9] A. Hussain, J. Heidemann, and C. Papadopoulos. A framework for classifying denial of service attacks. In Proceedings of ACM SIGCOMM, Karlsruhe, Germany, August 2003.
[10] N. Kammenhuber and L. Kencl. Efficient statistics gathering from tree-search methods in packet processing systems. In Proceedings of IEEE ICC, Seoul, Korea, May 2005.
[11] M. Kounavis, A. Kumar, H. Vin, R. Yavatkar, and A. Campbell. Directions in packet classification for network processors. In Proceedings of the 2nd IEEE Workshop on Network Processors, 2003.
[12] A. Moore, J. Hall, C. Kreibich, E. Harris, and I. Pratt. Architecture of a network monitor. In Passive and Active Measurement Workshop (PAM), La Jolla, CA, USA, 2003.
[13] K. Papagiannaki, N. Taft, and C. Diot. Impact of flow dynamics on traffic engineering principles. In Proceedings of IEEE INFOCOM, 2004.
[14] S. Ramabhadran and G. Varghese. Efficient implementation of a statistics counter architecture. In Proceedings of ACM SIGMETRICS, San Diego, CA, USA, June 2003.
[15] S. Singh, F. Baboescu, G. Varghese, and J. Wang. Packet classification using multidimensional cutting. In Proceedings of ACM SIGCOMM, Karlsruhe, Germany, 2003.
[16] D. Taylor and J. Turner. ClassBench: A packet classification benchmark. In Proceedings of IEEE INFOCOM, Miami, FL, USA, 2005.
[17] Y. Zhang, L. Breslau, V. Paxson, and S. Shenker. On the characteristics and origins of Internet flow rates. In Proceedings of ACM SIGCOMM, 2002.