DOI: 10.5555/3698900.3698913

SMARTCOOKIE: blocking large-scale SYN floods with a split-proxy defense on programmable data planes

Published: 12 August 2024

Abstract

Despite decades of mitigation efforts, SYN flooding attacks continue to increase in frequency and scale, and adaptive adversaries continue to evolve. Meanwhile, volumes of benign traffic in modern networks are also growing rampantly. As a result, network providers, which run thousands of servers and process hundreds of Gbps of traffic, find themselves urgently requiring defenses that are secure against adaptive adversaries, scalable against large volumes of traffic, and highly performant for benign applications. Unfortunately, existing defenses local to a single device (e.g., purely software-based or hardware-based) are failing to keep up with growing attacks and struggle to provide performance, security, or both. In this paper, we present SMARTCOOKIE, the first system to run cryptographically secure SYN cookie checks on high-speed programmable switches, for both security and performance. Our novel split-proxy defense leverages emerging programmable switches to block 100% of SYN floods in the switch data plane and also uses state-of-the-art kernel technologies such as eBPF to enable scalability for serving benign traffic. SMARTCOOKIE defends against adaptive adversaries at two orders of magnitude greater attack traffic than traditional CPU-based software defenses, blocking attacks of 136.9 Mpps without packet loss. We also achieve 2x-6.5x lower end-to-end latency for benign traffic compared to existing switch-based hardware defenses.
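The abstract's central mechanism is a stateless, keyed SYN cookie: the defender answers every SYN with a SYN-ACK whose initial sequence number is a keyed hash over the connection tuple and a coarse timestamp, keeps no per-connection state, and only admits a connection when the client's final ACK echoes a cookie that verifies. The following is an added illustration written for this page, not SMARTCOOKIE's code or its P4 program. The cookie layout (5-bit epoch, 3-bit MSS class, 24-bit tag), the MSS table, the key, the epoch granularity and the two-epoch validity window are all constructed assumptions modelled on the classic Linux layout, and keyed BLAKE2b from the standard library stands in for whatever keyed PRF a switch would compute.

```python
"""Stateless SYN-cookie mint/verify with a keyed PRF (constructed example).

Cookie layout (assumption, modelled on the classic Linux scheme):
    bits 31..27  epoch counter mod 32 (coarse timestamp)
    bits 26..24  index into MSS_TABLE (client MSS, rounded down)
    bits 23..0   keyed-hash tag over (src, dst, sport, dport, client ISN, epoch)
"""
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key; a deployment would use a random secret rotated with the epoch.
COOKIE_KEY = hashlib.sha256(b"constructed demo key, not a real secret").digest()
MSS_TABLE = (536, 1220, 1440, 1460)        # assumed MSS classes (3-bit index)
EPOCH_BITS, MSS_BITS, TAG_BITS = 5, 3, 24
EPOCH_MASK = (1 << EPOCH_BITS) - 1
MSS_MASK = (1 << MSS_BITS) - 1
TAG_MASK = (1 << TAG_BITS) - 1
MAX_AGE_EPOCHS = 2                         # assumed validity window


def _tag(src_ip, dst_ip, src_port, dst_port, client_isn, epoch):
    """24-bit keyed tag binding the cookie to the 4-tuple, client ISN and epoch."""
    msg = (ipaddress.ip_address(src_ip).packed
           + ipaddress.ip_address(dst_ip).packed
           + struct.pack("!HHIQ", src_port, dst_port, client_isn, epoch))
    # Keyed BLAKE2b stands in for the switch's keyed PRF; digest_size=3 gives 24 bits.
    return int.from_bytes(hashlib.blake2b(msg, digest_size=3, key=COOKIE_KEY).digest(), "big")


def mint_cookie(src_ip, dst_ip, src_port, dst_port, client_isn, client_mss, epoch):
    """ISN to place in the SYN-ACK. No state is stored for the half-open connection."""
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):    # largest class not exceeding the client's MSS
        if mss <= client_mss:
            mss_idx = i
    tag = _tag(src_ip, dst_ip, src_port, dst_port, client_isn, epoch)
    return ((epoch & EPOCH_MASK) << (MSS_BITS + TAG_BITS)) | (mss_idx << TAG_BITS) | tag


def verify_cookie(src_ip, dst_ip, src_port, dst_port, ack_seq, ack_ack, now_epoch):
    """Check the handshake's final ACK. Returns the encoded MSS, or None if it fails.

    ack_seq is the client's sequence number (client ISN + 1); ack_ack acknowledges
    our SYN-ACK, so it equals cookie + 1.
    """
    client_isn = (ack_seq - 1) & 0xFFFFFFFF
    cookie = (ack_ack - 1) & 0xFFFFFFFF
    epoch5 = cookie >> (MSS_BITS + TAG_BITS)
    mss_idx = (cookie >> TAG_BITS) & MSS_MASK
    tag = cookie & TAG_MASK
    # Recover the full epoch from its low 5 bits and reject stale cookies (replay window).
    age = (now_epoch - epoch5) & EPOCH_MASK
    if age > MAX_AGE_EPOCHS:
        return None
    epoch = now_epoch - age
    if epoch < 0:
        return None
    expected = _tag(src_ip, dst_ip, src_port, dst_port, client_isn, epoch)
    # Constant-time comparison so tag mismatches do not leak timing.
    if not hmac.compare_digest(tag.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


def filter_acks(acks, now_epoch):
    """Switch-side decision for a batch of constructed ACK packets (dicts).

    Returns a list of 'forward' / 'drop' so only verified handshakes reach the server.
    """
    decisions = []
    for pkt in acks:
        mss = verify_cookie(pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"],
                            pkt["seq"], pkt["ack"], now_epoch)
        decisions.append("forward" if mss is not None else "drop")
    return decisions


if __name__ == "__main__":
    # Constructed handshake: honest client at epoch 100, then a burst of forged ACKs.
    server = ("203.0.113.10", 443)
    cookie = mint_cookie("198.51.100.7", server[0], 40000, server[1], 12345, 1460, 100)
    honest = {"src": "198.51.100.7", "dst": server[0], "sport": 40000, "dport": server[1],
              "seq": 12346, "ack": (cookie + 1) & 0xFFFFFFFF}
    forged = [{"src": f"198.51.100.{i}", "dst": server[0], "sport": 50000 + i,
               "dport": server[1], "seq": 1, "ack": (i * 7919) & 0xFFFFFFFF}
              for i in range(1, 6)]
    print(filter_acks([honest] + forged, 100))   # honest forwarded, forgeries dropped
```

Because verification depends only on the packet contents, a secret key and a clock, the check can run where the packet first arrives, with no per-flow table to exhaust; an ACK that does not carry a valid cookie is dropped before any server state is created, which is the property the split-proxy design described above relies on when the switch absorbs the flood and hands only verified handshakes to the eBPF-assisted server.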


Published In

SEC '24: Proceedings of the 33rd USENIX Conference on Security Symposium
August 2024
7480 pages
ISBN: 978-1-939133-44-1

Sponsors

• Bloomberg Engineering
• Google Inc.
• NSF
• Futurewei Technologies
• IBM

Publisher

USENIX Association, United States

Qualifiers

• Research-article
• Research
• Refereed limited

Acceptance Rates

Overall acceptance rate: 40 of 100 submissions, 40%