@@ -12,6 +12,21 @@ systems routinely come under attack. There are efforts underway to
1212make them more resistant to attacks, as we discuss in the following
1313sections.
1414
15+ This following discussion builds on some of the concepts introduced in previous
16+ chapters. Notably, the concept of public key infrastructure (PKI),
17+ which we introduced in Chapter 4 and which underpins the operation of TLS,
18+ plays an important role in securing infrastructure as well. While the
19+ principles of certificates and chains of trust apply in any PKI, the
20+ specifics of how certificates are distributed and what they refer to
21+ are different in each application. We describe the different
22+ approaches to PKI for infrastructure services in the following sections.
23+
24+ Availability of infrastructure, including resistance to
25+ denial-of-service (DoS) attacks, is clearly important to the operation
26+ of the Internet. Mitigation of such attacks is increasingly handled by
27+ distributed infrastructure like content distribution networks (CDNs),
28+ as we discuss in the final section of this chapter.
29+
1530
16318.1 BGP and Routing Security
1732----------------------------
@@ -841,8 +856,8 @@ the key used to verify the signature. That's a significant increase in
841856the number of bytes returned for a single query. The mitigation
842857techniques outlined above—source address filtering and DoS
843858prevention—can still be applied. Additionally, there is an advantage
844- to using crytographic algorithms that use relatively short keys. For
845- this reason the EDCSA algorithm may be preferred to RSA, since EDCSA
859+ to using cryptographic algorithms that use relatively short keys. For
860+ this reason the ECDSA algorithm may be preferred to RSA, since ECDSA
846861keys are considerably shorter than RSA keys for comparable levels of
847862security.
848863
@@ -949,10 +964,114 @@ for the target function.
949964 <https://doi.org/10.1145/3340301.3341128> `__. Proc. 2019 Applied
950965 Networking Research Workshop, 2019.
951966
952- .. notes
953967
968+ 8.3 DoS Mitigation
969+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
970+
971+ In much of this book we have focused on attacks against the
972+ confidentiality or integrity of information, but we also need to
973+ concern ourselves with availability of both the end systems (such as
974+ web sites) and the infrastructure of the network itself. Commonly
975+ known as *Denial of Service (DoS) * attacks, such attacks typically
976+ involve an adversary trying to overwhelm "good" resources (link
977+ bandwidth, packet forwarding rates, server response throughput) with
978+ traffic generated by "bad" resources (such as botnets constructed from
979+ a distributed collection of compromised devices). Patching of
980+ vulnerabilities and the deployment of security appliances such as
981+ firewalls can help protect devices from being compromised in the first
982+ place, but they are not perfect—new vulnerabilities appear constantly
983+ and a human is often the weakest link. Hence we also need ways to
984+ mitigate the impact of *Distributed DoS (DDoS) * attacks. This is
985+ another example of defense in depth: protect devices against being
986+ compromised, and also protect against the attacks launched by
987+ compromised devices.
988+
989+ Keeping in mind that DDoS traffic typically looks legitimate (there's
990+ just too much of it), the DDoS challenge is addressed by two general
991+ countermeasures. Note that the best we can hope for is to mitigate the
992+ impact of such attacks; there is no cure-all. This is easy to
993+ understand at an intuitive level: any systems that we deploy to defend against DoS
994+ attacks represent a kind of resource that can itself be DoSed. Thus DoS
995+ mitigation solutions tend to be distributed themselves.
996+
997+ The first countermeasure is to absorb potential attacks with even
998+ greater resources than the adversary is able to muster. For web
999+ content, this is done using the same mechanism as is used to absorb
1000+ flash crowds of legitimate traffic: a *Content Distribution Network
1001+ (CDN). * The idea is to replicate content (whether it's a movie or a
1002+ critical piece of infrastructure metadata) across many
1003+ widely-distributed servers. As long as the aggregate capacity of these
1004+ servers is greater than the aggregate capacity of the botnet—and the
1005+ CDN does a good job spreading requests across the available
1006+ servers—content remains available. This notion of *aggregate * capacity
1007+ generalizes beyond web servers responding to HTTP GET requests. A
1008+ network is itself a distributed collection of forwarding and
1009+ transmission resources, engineered to distribute those resources in a
1010+ way that avoids vulnerable bottlenecks. The DNS, for example, is
1011+ itself a highly distributed system designed to avoid single points of
1012+ failure with redundancy at all levels of the hierarchy.
1013+
1014+ The second countermeasure is to filter malicious traffic as early
1015+ (close to the source) as possible. If a DoS attack comes from a single
1016+ source, then it is easy to "block" traffic from that source at an
1017+ ingress to a network you control. This is why DoS attacks are
1018+ typically distributed. Dropping (or rate limiting) attack packets at
1019+ the boundary router (or firewall) for an enterprise or service
1020+ provider is better than allowing those packets to flood the core of
1021+ the network and reach a victim server(s), but the more widely
1022+ distributed the periphery of your network, the earlier you can filter
1023+ malicious packets. And drawing on the first countermeasure, the more
1024+ widely distributed your network resources are, the greater your
1025+ aggregate filtering capacity. Global overlay networks, as provided by
1026+ companies like Cloudflare and Fastly, offer a combination of content
1027+ distribution and distributed packet filtering. These are commercial
1028+ products, with many proprietary details, but the general principles
1029+ outlined here explain their underlying strategy.
1030+
1031+ Finally, note that DoS attacks highlight the never-ending nature of
1032+ tackling security. Almost any protocol or system can by a target of a
1033+ DoS attack. We discussed the role of DNS in amplification of DoS attacks in the
1034+ preceding section. When attacks are launched against web sites,
1035+ attackers are often taking advantage of the HTTP protocol—significant server
1036+ resources are consumed responding to bogus GET requests. As a very
1037+ different example, the forwarding of IP packets can be attacked with a
1038+ "Christmas Tree" packet, one that has multiple options turned on
1039+ (i.e., is "lit up like a Christmas tree"), where each option requires
1040+ IP to execute instructions it would not normally execute to forward a
1041+ typical packet. A router with a naive implementation of IP would be at
1042+ risk of not being able to forward packets at line speed if it's busy
1043+ processing the options. For this reason, routers typically implement a
1044+ "fast path" that is able to keep pace with line speeds and a "slow
1045+ path" that processes exceptional packets, and most importantly, they
1046+ quickly determine which path each packet should be assigned to. This
1047+ is a variant of the second countermeasure—decide early to protect
1048+ resources.
1049+
1050+ Another well-known example is a "SYN Flood" targeting TCP, whereby an
1051+ attacker floods a server with SYN requests without any intent to
1052+ complete the TCP handshake and actually establish a connection. This
1053+ overloads TCP's connection table, potentially denying connections to
1054+ legitimate clients. An IDS/IPS can help protect servers since a flood
1055+ of SYN packets is anomalous behavior, but individual servers can also
1056+ limit the impact by encoding connection state in the sequence number
1057+ included in the SYN+ACK they send back to the client—a "SYN cookie" of
1058+ sorts—and then allocate connection state locally only after the client
1059+ goes to the trouble of correctly ACK'ing that packet. This is a
1060+ variant of the first countermeasure in that it forces the attacker to
1061+ use additional resources.
1062+
1063+ These examples are just a few of many illustrating the need to program
1064+ defensively. This is especially true for protocols since they are
1065+ purposely designed to process messages from remote sources, exposing
1066+ them to attempts to crash, hack, or as in the case of DoS attacks,
1067+ simply consume the system. This topic ventures outside the scope of
1068+ the book, but the following reference explores one approach to
1069+ addressing the challenge.
9541070
955- adoption of RPKI vs DNSSEC - the difference between detecting
956- corrupt info vs. preventing spread of corrupt info
1071+ .. admonition :: Further Reading
9571072
958- compare infra mechanisms vs e2e, notably TLS
1073+ X. Qie, R. Pang, and L. Peterson. `Defensive Programming: Using an Annotation Toolkit to Build
1074+ DoS-Resistant Software
1075+ <https://www.usenix.org/conference/osdi-02/defensive-programming-using-annotation-toolkit-build-dos-resistant-software> `__.
1076+ Proceedings of the Fifth Symposium on Operating System Design and Implementation
1077+ (OSDI). Usenix. December 2002.
0 commit comments