Fighting Fire with Light: A Case for Defending DDoS Attacks Using the Optical Layer
Matthew Hall†, Ramakrishnan Durairajan†, Vyas Sekar‡. †University of Oregon, ‡Carnegie Mellon University
ABSTRACT
The DDoS attack landscape is growing at an unprecedented pace. Inspired by the recent advances in optical networking, we make a case for optical layer-aware DDoS defense (O-LAD) in this paper. Our approach leverages the optical layer to isolate attack traffic rapidly via dynamic reconfiguration of (backup) wavelengths using ROADMs—bridging the gap between (a) the evolution of the DDoS attack landscape and (b) innovations in the optical layer (e.g., reconfigurable optics). We show that the physical separation of traffic profiles allows finer-grained handling of suspicious flows and offers better performance for benign traffic in the face of an attack. We present preliminary results modeling throughput and latency for legitimate flows while scaling the strength of attacks. We also identify a number of open problems for the security, optical, and systems communities: modeling diverse DDoS attacks (e.g., fixed vs. variable rate, detectable vs. undetectable), building a full-fledged defense system with optical advancements (e.g., OpenConfig), and optical layer-aware defenses for a broader class of attacks (e.g., network reconnaissance).
1. INTRODUCTION
Distributed denial-of-service (DDoS) attacks are on the rise [1, 9, 17, 39]. The immense attack volumes that saturate the infrastructure (e.g., transit link flooding), the attack heterogeneity (e.g., distinguishable vs. indistinguishable, direct vs. indirect, etc.), and the low costs to facilitate large-scale attacks (e.g., attacker-defender cost asymmetry) make DDoS the most important cybersecurity issue faced by today's enterprises.

Great progress has been made in devising DDoS mitigation strategies. Advances on this front range from well-known techniques such as scrubbing [5, 7, 10, 11, 32] and filtering [8, 15, 26, 48] to the recent routing around congestion (RAC) technique [42]. Despite these advances, the attack landscape is continuously evolving and, as a result, creating a "silver bullet" solution to tackle DDoS has remained beyond our grasp. For example, Tran et al. [44] recently showed that RAC-based DDoS defense is infeasible and unusable in an inter-domain setting. This mandates a rethinking of the nature of DDoS attacks and calls for new defense strategies.

Meanwhile, the optical community has advanced to the point where scaling from 100G to 400G—programmatically and on demand—is possible today [2]. As another example, the improvements in amplifier modeling [22] and tuning [46] point towards a rapidly reconfigurable long-haul backbone in the near future. Lastly, wavelength-selective switches [43] and reconfigurable add-drop multiplexers (ROADMs) allow wavelengths to change and enable traffic re-routing on the order of microseconds [38]. While optical technologies have proven to be of great utility within networking efforts [38, 41, 14], to the best of our knowledge they have not received enough attention for cybersecurity issues in general, and DDoS defenses in particular.

We, therefore, believe it is time to introduce "optical layer-awareness" to effectively combat DDoS attacks. In this paper, we make a case for an optical layer-aware DDoS defense (O-LAD). The core of O-LAD is based on two key properties of reconfigurable optics: P1, physical separation of traffic within a shared or congested link [6, 33, 49], and P2, opportunistic reconfigurability of wavelengths [38, 43]. By leveraging these two properties—contrary to Tran et al. [44]—we posit that RAC-style DDoS defense, while infeasible in an inter-domain setting, is indeed feasible in an intra-domain, enterprise setting.

In our preliminary evaluation, we present models for throughput and latency with O-LAD. Our models separate traffic into two groups, suspicious and trusted (utilizing P1), and reconfigure the network topology (with P2). We demonstrate the efficacy of the models on two types of DDoS attacks: direct and indirect. For direct attacks, we reroute the suspicious traffic to a scrubber and send trusted traffic directly to the destination—improving throughput by 25 to 51%, while reducing latency by 33 to 65%. Similarly, we show how to apply the two properties to reduce attacker detection time by 5 to 10× for indirect (link-flooding) attacks.

While our preliminary results demonstrate the feasibility of O-LAD, a number of grand challenges remain at the intersection of the networking, security and optical communities. First, apart from direct vs. indirect DDoS, challenges lie ahead in modeling and evaluating O-LAD gains for other types of DDoS attacks including (in)distinguishable, volume-based, and protocol-conforming attacks. Second, in addition to DDoS attacks, we posit that O-LAD is applicable for a broader class of cybersecurity issues such as network reconnaissance.
2. WHY CONSIDER OPTICS?
Introducing optical layer awareness to the higher layers of the protocol stack has a number of key benefits for DDoS defenses, in particular, and networked systems, in general.
Optical layer can enable new, more powerful DDoS defenses.
There are two fundamental properties of optics that we can leverage to defend against DDoS attacks effectively. First, we can physically separate traffic (P1), e.g., on different colored lambdas of a shared or congested link. This separation enables us to use optical circuit switches to re-route suspicious traffic to edge-defense appliances such as scrubbers. Subsequently, we can scrub the suspicious traffic while routing the trusted traffic directly to the intended destination, similar to RAC [42]. This way, the trusted traffic benefits from lower latency. Suspicious traffic, if it is determined to be benign, benefits from less congestion (as less traffic is moving through the scrubber). A detailed analysis of this scenario is presented in § 4.1.

Second is the opportunistic reconfigurability of the optical layer using the available backup wavelengths in a network (P2). Wavelength-selective switches (WSS) or reconfigurable add-drop multiplexers (ROADMs) allow wavelengths to change and re-route traffic on the order of microseconds [38]. We envision this capability enabling the next generation of highly dynamic networks. In these future-generation networks, when attackers target a link with a link-flooding attack (e.g., [30]), a network controller can quickly identify underutilized, backup, or low-priority wavelengths adjacent to the flooded link to allocate new capacity for trusted traffic on the targeted link. This strategy has the potential to increase the attack cost radically and protect the link (and thus the legitimate flows using it) from congestion.
Optical layer awareness can make networked systems more efficient.
First, exposing the optical layer to networked systems has been shown to help operators prevent link failures in backbones [40] and design better traffic engineering solutions [18]. Second, free-space optics solutions have been shown to reduce latency for intra-datacenter transfers [19, 20]. Finally, recent dynamic capacity planning efforts demonstrate the benefits of reconfigurable optical networks vs. traditional, statically-provisioned networks [14].
Optical and networking layers are disconnected and their co-optimization is largely unexplored.
Networked systems depend on the optical layer to support bandwidth-intensive applications and scenarios (e.g., machine learning, volumetric DDoS attacks). These systems generally perform critical functions only at the network layer, e.g., to minimize latency across the network [25, 34] or to reduce the impact of severe attacks and outages [29]. While recent studies have looked into joint optimization between the optical and network layers [14, 27, 40], the area is still largely unexplored and, in turn, calls for cross-layer solutions. Industry trends indicate a growing interest in optics in network management [16, 31]. We suspect that optical layer management via higher-level control is inevitable, and we look towards innovation on this front as an enabler for O-LAD.
Despite these benefits, leveraging the optical layer to defend against DDoS has its own challenges, which we outline below.
Optical layer lacks robust APIs.
Networked systems will require a new interface, and modes of cross-layer communication, to enable the next generation of networked services. Industry efforts such as OpenConfig [37] are working to bridge this gap by providing vendor-neutral APIs for network management. However, without sufficient attention from the networked systems and optical communities, these efforts could potentially stagnate. The lack of APIs in the optical layer is a significant open problem which we do not look into in this paper. In this work, we assume that programmable topologies with vendor-neutral APIs exist and explore ways to leverage that ability to fight DDoS attacks.
3. A CASE FOR OPTICAL LAYER-AWARE DDOS DEFENSE (O-LAD)
Overview.
In this work, we present a case for Optical Layer-Aware DDoS Defense (O-LAD). The key insight in O-LAD is to transmit the trusted traffic over a physically distinct wavelength from suspicious and malicious traffic by opportunistically reconfiguring low-priority wavelengths or backup wavelengths, leading to performance benefits for a victim (i.e., higher throughput and lower latency).
Feasibility.
O-LAD is feasible in today's enterprise networks. In what follows, we identify two sources of wavelengths that can be leveraged to implement O-LAD but leave implementation details to future work. First, enterprise networks commonly deploy backup wavelengths, e.g., for fault tolerance and fast fail-over capabilities [35, 45]. Since these wavelengths are already designated to mitigate link outages, we see them as suitable sources for additional capacity during an attack. Second, wavelengths carrying low-priority traffic can be re-allocated dynamically, away from their path and onto the attack path. Sacrificing low-priority traffic during outages is a common theme in traffic engineering (TE) [21, 24, 28] that we appropriate at the optical layer, thus allowing more capacity for trusted traffic during an attack.
Definitions.
To quantify the benefits of O-LAD we model the enterprise, where O-LAD will be deployed, as a multigraph G = (V, E). In G, V is a set of routers and switches. E is a multi-set of ordered pairs, i.e., E = {(e, c)}. Let e be an unordered pair of switches, e = {x, y} : x, y ∈ V, which represents a link (wavelength) between switches, and c ∈ C be the capacity of the wavelength. C = { , , , , , } is the set of capacities available for wavelengths with today's commodity transceivers [3].

Figure 1: Classes of traffic flows (F) considered by O-LAD. Attack traffic is shaded in red with diagonal hatches (A). Benign traffic is shaded in solid blue ((S − A) ∪ ¬S).

In our model, flows (F) are denoted by a source and a destination address (src, dst). We assume that the flows originate and terminate outside of G, and categorize them into four subsets. Flows can be Attack (A), Suspicious (S), Not Suspicious (also known as Trusted) (¬S), and Benign (B). We use the terms good, benign, and legitimate interchangeably when referring to non-attack traffic. However, B traffic is not necessarily trusted traffic, ¬S. The four classes are related as follows (see Figure 1). All flows are either Suspicious or Trusted: S ∪ ¬S = F and S ∩ ¬S = ∅. Attack traffic is a subset of Suspicious traffic: A ⊆ S. Trusted traffic is a subset of Benign traffic: ¬S ⊆ B. Benign traffic is (S − A) ∪ ¬S.

In a direct attack, a large number of attackers flood a victim with traffic such that the victim cannot respond to legitimate users. From an attacker's standpoint, simple techniques (e.g., reflection and amplification [12, 13]) can increase the strength of direct attacks without requiring additional resources.
Scrubbing-based defense.
In a traditional, scrubbing-based solution, anomalies in traffic patterns trigger an alarm when voluminous traffic that is bound for a targeted client enters the network. After the presence of the attack is known, the network reroutes all traffic bound for the target through a fixed set of hardware scrubbing appliances. This rerouting introduces additional latency, and the bandwidth of the devices themselves adds a fixed limit to the throughput of traffic for legitimate senders exiting the scrubber.
O-LAD.
With O-LAD, we can achieve physical isolation of traffic, diverting suspicious traffic S through the scrubber and forwarding ¬S directly to the client, as shown in Figure 2. We can achieve this by switching ¬S traffic to an alternate lambda before it can enter the datacenter. Then, a ROADM can be triggered to route the ¬S wavelength directly to the destination. Now the datacenter only scrubs suspicious traffic.

In an indirect attack (e.g., the Crossfire attack [30]), a coordinated group of attackers sends traffic to each other such that their communications over the Internet target a specific backbone link. Such attacks also minimize the throughput for traffic to the intended target by choosing a critical link and creating an abnormally high demand for that link.
Spiffy-based defense.
Spiffy [29] identifies indirect attackers by a bandwidth scaling operation on congested links. It utilizes an SDN controller and an optimization framework to maximize the bandwidth scaling ratio for all links in an ISP network. The particular topology of the network limits this ratio. With capacity reserved, Spiffy reroutes a fraction of traffic from the link under attack via an alternate path. Then, it monitors the rate-change behavior of flows on the alternate path to detect malicious senders.
O-LAD.
In O-LAD, we propose leveraging idle and reconfigurable (low-priority) wavelengths. This additional capacity can increase throughput for legitimate senders, and enable us to identify malicious flows more quickly. Furthermore, O-LAD can decrease latency for trusted flows traversing the link under attack. The latency decreases because we establish the backup wavelength point-to-point for the link, rather than rerouting the suspicious flows through the network. When the enterprise detects a link-flooding attack (e.g., by [47]) it should allocate all suspicious traffic (S) to one wavelength, and the trusted traffic (¬S) to a dynamically provisioned backup wavelength. Then, the enterprise can apply the rate-increase monitoring from [29] on the affected traffic to black-hole traffic from malicious senders while increasing capacity for trusted senders. In § 4.2, we analyze the throughput for legitimate senders over time with O-LAD and with Spiffy, and in § 4.3 we model the expected latency with Spiffy and compare it with an O-LAD solution.

Figure 2: O-LAD identifies suspicious (solid) and non-suspicious (dashed) traffic, then physically separates both traffic types on distinct optical channels. It forwards trusted traffic directly to the destination, and suspicious traffic to the scrubbing datacenter.
4. EARLY PROMISE OF O-LAD
In this section, we present the throughput and latency gains for legitimate senders under a variety of attack scenarios and with different mitigation strategies.

Figure 3: (A) Baseline throughput for legitimate senders and malicious attackers when no defense is deployed. (B) Throughput for legitimate senders when using a 40 Gbps scrubber, with the baseline for reference. (C) Throughput for legitimate senders when 40% of good traffic is trusted. The O-LAD line is the sum of the trusted line and the scrubber line below it. (D) O-LAD's throughput when 80% of traffic is trusted.

We model the throughput for a voluminous direct attack under (i) a baseline scenario where no defense mechanism is implemented, (ii) when scrubbing is used, and (iii) when scrubbing is used with O-LAD, as described in § 3.2. We show that O-LAD increases throughput for legitimate flows vs. (i) and (ii) during DDoS attacks of varying strength.
Baseline.
We analyze the throughput for benign and malicious traffic during a DDoS attack on an enterprise network. We assume that the victim has a 10 Gbps bandwidth connection. Furthermore, we suppose that when traffic demand to the target network meets or exceeds the allowed capacity, all traffic is prioritized equally (the target is incapable of distinguishing benign from malicious traffic). Finally, we assume that traffic to the victim has a historical trend of 70% utilization. Thus 7 Gbps of traffic is from legitimate senders. Figure 3 (A) shows that as the volume of the attack increases, the throughput for real users (goodput) quickly decreases. The goodput begins to fall as soon as the attacker sends enough traffic to saturate the network's bandwidth.
Scrubbing.
The state-of-the-art solution for defending against direct attacks is to forward all flows to the victim through scrubbing appliances, either on-site at the victim's location, or within a carrier network. We model the target's traffic as it is re-routed through a scrubbing service (e.g., [10]). Recall, the victim has 10 Gbps bandwidth and 7 Gbps of traffic is from legitimate users. Suppose the scrubbing service has a fixed capacity of 40 Gbps. We assume that the scrubber is 100% effective in removing malicious traffic. However, after the attack volume exceeds the scrubber's bandwidth, the total throughput for the victim decreases, just as it did in the baseline scenario. Figure 3 (B) illustrates the limitation of the scrubbing defense mechanism. After the attack strength reaches 40 Gbps, service for the legitimate senders degrades. Note that the attack strength required to degrade service increases over the baseline scenario. If the attacker's goal were to reduce the rate for legitimate senders to 3 Gbps, then the attacker would need to scale the attack from 20 Gbps to 80 Gbps—a 4x increase in cost for the attacker.
Scrubbing + O-LAD.
Now, consider the throughput that the network can forward to the client with O-LAD. We assume that a fixed proportion of legitimate traffic can be trusted, regardless of the attack strength. For example, if the historical utilization of the service under attack is 7 Gbps, then a fraction of the senders who make up the 7 Gbps of demand are labeled as trusted. With trusted traffic prioritized, we can forward it to the victim without involving a scrubber. Simultaneously, we deliver all other, suspicious traffic to the scrubber.

Figures 3 (C) and (D) illustrate the throughput for different classes of traffic (trusted, suspicious, malicious, and total) when 40% or 80% of benign traffic is from trusted sources. We can see from the figure that the goodput of the network asymptotically approaches the volume of trusted traffic as the strength of the attack grows. We also notice that the throughput for data leaving the scrubber approaches zero as the strength of the attack increases. The goodput of the network is the sum of the trusted traffic and the scrubber's throughput. We argue that physically separating traffic on distinct wavelengths, and only sending suspicious traffic to the scrubber, increases the quality of service for the victim's network during a DDoS attack.
Improvements via O-LAD.
Considering the three mitigation strategies, we see that O-LAD pushes the boundary further for the strength of DDoS attacks that a network can tolerate. In Figure 3 we see that when we trust 40% and 80% of the legitimate traffic, the impact of an attack is reduced significantly against scrubbing and the baseline. Specifically, consider a 40 Gbps DDoS attack. In the baseline scenario, throughput for legitimate traffic fell from 7 to ∼ ∼ ∼ ∼ 37% of the full strength. If we forward 40% of the legitimate traffic as trusted, the aggregate throughput increases from 2.6 Gbps to 4.4 Gbps, or 62% of 7 Gbps—an improvement of 25 percent. Finally, if the network can identify 80% of traffic as trusted, then throughput for legitimate senders is ∼

Next, we consider the throughput of our network under attack from an indirect, link-flooding attack. Suppose that the target link capacity is 10 Gbps and senders on this link are guaranteed a 100 Mbps data rate. Further, suppose the attacker wants to reduce the rate for legitimate senders ten-fold. Thus the attacker needs to generate 100 Gbps of attack traffic. According to the optimal attack strategy in [29], this attacker requires 10 thousand attack flows, sending data at 10 Mbps each, to reduce the capacity of the link to the intended level.

The response time for a network to mitigate the link-flooding attack with Spiffy is a factor of how much extra capacity can be reserved for fighting link-flooding attacks in the layer-3 topology, M_network [29]. Kang et al. show that 5 to 10 operations of temporary bandwidth expansion (TBE) are required to identify 90% of attack flows (based on experiments with ISP topologies; see Figure 15 in [29] for more details). Also, each of these operations takes ∼25 to 50 seconds.

Using O-LAD, the introduction of backup wavelengths to the network or the acquisition of low-priority wavelengths for defenses could potentially increase M_network to M_ideal, which is the volume of backup capacity required to identify all bots with one operation of TBE. If these backup wavelengths are added in the same order of time as a TBE operation, it is possible to mitigate the attack in ∼

Here, we describe the latency improvements with O-LAD, first describing the baseline latency expectations formally for (i) no defense, (ii) scrubber-based defense for direct attacks, and (iii) Spiffy-based defense for indirect attacks. Then we describe a solution using O-LAD. To start, we consider three classes of traffic and reason about the expected latency for each of them with O-LAD for direct DDoS attacks: trusted traffic (¬S), suspicious traffic from legitimate senders (S − A), and their union, all good traffic ((S − A) ∪ ¬S).

Baseline.
For our baseline analysis of latency, we consider the metric as the product of the ratio of demand to capacity and the expected delay when there is no congestion.

$$L_{\text{Baseline}} = \begin{cases} \delta & \text{if } T \le T_c \\ \delta \cdot T/T_c & \text{if } T > T_c \end{cases} \qquad (1)$$

In Equation 1, $\delta$ is the baseline (propagation) delay through the network from ingress to the victim, $T$ is the aggregate demand for all flows $F$, and $T_c$ is the physical capacity of the congested path or victim. We show the baseline model, with the fixed capacity $T_c$ of 10 Gbps, in Figure 4 (A).

Scrubber.
To model latency for a scrubber, we introduce a new additive term, $\epsilon$, representing the additional latency incurred by traffic through the scrubber, in Equation 2. We also replace the capacity of the client, $T_c$, with the capacity of the datacenter housing the scrubber, $T_D$. Figure 4 (A) shows the expected latency when a scrubber is used, assuming that the baseline latency ($\delta$) is 100 ms, the scrubber-induced delay ($\epsilon$) is 100 ms, and the capacity of the datacenter ($T_D$) is 40 Gbps. The slope of the latency curve is determined by the capacity of the network and the baseline latency ($\delta$). Precisely, it is the derivative of $L$ with respect to $T$, or $(\delta + \epsilon)/T_D$. Thus, a higher capacity implies a lower impact on latency. In this model, the scrubber can withstand up to $T_D$ Gbps of throughput before performance degrades. This protection comes at the cost of additional latency for re-routing all flows to the scrubber. Hence, the scrubber solution's latency starts at 200 ms instead of the baseline 100 ms.

$$L_{\text{Scrubber}} = \begin{cases} \delta + \epsilon & \text{if } T \le T_D \\ (\delta + \epsilon)\,(T/T_D) & \text{if } T > T_D \end{cases} \qquad (2)$$

Spiffy.
To model latency for Spiffy, we recognize two critical factors described in [29]. (1) Recall that Spiffy reduces congestion by expanding bandwidth with reserved supplies in the network. This factor, $M_{\text{Network}}$, is topology dependent. When evaluated on several real-world topologies, the potential bandwidth scaling factor $M_{\text{Network}}$ (or $M_N$) was approximately two times the initial capacity (see Figure 14 in [29]). Therefore, after twice the initial capacity is exceeded, latency increases. (2) Spiffy uses alternate paths to forward traffic and identify attackers. We will refer to this factor as $AP_L$, the percentage increase in the alternate path over the normal path. By [29], $AP_L$ is expected to be 4 to 24% longer, so we say $AP_L$ is 0.04 to 0.24.

Figure 4: (A) Latency for legitimate traffic for baseline and scrubbing. (B) Latency for legitimate senders with Spiffy, where alternate paths have an upper-bound additional latency of 24%, and lower-bound paths have 4% additional latency. (C) O-LAD, where 40% and 80% of legitimate users can be identified and routed around congestion.

We augment the scrubber's latency model for Spiffy by substituting $\epsilon$ with $\delta \cdot AP_L$ as shown below.

$$\epsilon = \delta \cdot AP_L \implies \delta + \epsilon = \delta + \delta \cdot AP_L = \delta\,(1 + AP_L) \qquad (3)$$

We then substitute $T_D$ with $M_{\text{Network}}$ to obtain

$$L_{\text{Spiffy}} = \begin{cases} \delta\,(1 + AP_L) & \text{if } T \le M_N \\ \delta\,(1 + AP_L)\,(T/M_N) & \text{if } T > M_N \end{cases} \qquad (4)$$

Figure 4 (B) shows the expected latency for Spiffy [29] during a link-flooding attack. Latency during low-strength attacks (0 to 14 Gbps) is 104 ms to 124 ms, which is relatively close to the baseline (100 ms). This initial latency is better than the scrubber's, which started at 200 ms. After the attack traffic exceeds the reserved bandwidth, $M_N$, latency increases.

O-LAD.
The benefit of O-LAD is its ability to separate $\neg S$ and $S$ flows, and use the physical separation to route $\neg S$ around congestion points (scrubbers or flooded links). To model the latency improvement with O-LAD, we measure the weighted average of latency for all good traffic ($\neg S$ and $S - A$). Equation 5 models this latency, using constructions from § 4.3. We present O-LAD's latency as $L^{*}_{\text{O-LAD}}$, where $*$ is either $D$ for direct attacks or $I$ for indirect attacks. In the case of $L^{I}_{\text{O-LAD}}$ we replace $L_{\text{Scrubber}}$ with the relevant latency measure, $L_{\text{Spiffy}}$.

$$L^{D}_{\text{O-LAD}} = \frac{L_{\text{Baseline}}\, T_{\neg S} + L_{\text{Scrubber}}\, T_{S-A}}{T_{\neg S} + T_{S-A}} \qquad (5)$$

The intuition is that trusted flows ($\neg S$) will have the baseline latency, and non-attack suspicious flows ($S - A$) will have the latency of the defense mechanism, either Spiffy or scrubbing. The aggregate measure of latency for O-LAD is the average of these two values, weighted by the proportion of traffic in each category.

Figure 4 (C) shows the latency values for varying attack strengths when 40% and 80% of good traffic can be identified as trusted. We see that for a 100 Gbps attack, if 40% of the good traffic is trusted, then latency drops from 535 ms to 361 ms against the scrubber—a 33% decrease. If 80% of the good traffic can be trusted, then it falls to 187 ms—a 65% decrease. These early results show promise for an optics-based solution for RAC in the face of DDoS attacks.
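The latency models of Equations 1, 2 and 4 and the weighted average of Equation 5, carried through in code as an added example (not the paper's own code) with the paper's constants (δ = ε = 100 ms, T_c = 10 Gbps, T_D = 40 Gbps, 7 Gbps of legitimate demand). It assumes that the defense latency is evaluated at the full aggregate demand T while trusted flows see an uncongested path, which reproduces the 535/361/187 ms figures above, and that M_N ≈ 2·T_c for Spiffy; it also evaluates the indirect case L^I, which the paper defines but does not tabulate.

```python
"""Latency models from the O-LAD paper (Eqs. 1, 2, 4 and 5), re-implemented as an
added, stand-alone example.  Constants follow the paper's running scenario; the
evaluation conventions (aggregate demand T, M_N) are assumptions noted below."""

GBPS_LEGIT = 7.0     # historical legitimate demand to the victim (paper: 7 Gbps)
T_C = 10.0           # victim link capacity T_c (paper: 10 Gbps)
T_D = 40.0           # scrubbing datacenter capacity T_D (paper: 40 Gbps)
DELTA_MS = 100.0     # baseline propagation delay delta (paper: 100 ms)
EPSILON_MS = 100.0   # scrubber-induced delay epsilon (paper: 100 ms)
M_N = 2.0 * T_C      # Spiffy scaling factor M_N; assumed ~2x initial capacity per the text


def latency_baseline(demand, delta=DELTA_MS, capacity=T_C):
    """Eq. 1: delta until the path saturates, then delta scaled by demand/capacity."""
    return delta if demand <= capacity else delta * demand / capacity


def latency_scrubber(demand, delta=DELTA_MS, eps=EPSILON_MS, capacity=T_D):
    """Eq. 2: every rerouted flow pays delta + epsilon, scaled once demand exceeds T_D."""
    floor = delta + eps
    return floor if demand <= capacity else floor * demand / capacity


def latency_spiffy(demand, ap_l, delta=DELTA_MS, capacity=M_N):
    """Eq. 4: Eq. 2 with epsilon := delta * AP_L (Eq. 3) and T_D := M_N."""
    floor = delta * (1.0 + ap_l)
    return floor if demand <= capacity else floor * demand / capacity


def latency_olad(attack_gbps, trusted_fraction, attack="direct", ap_l=0.24):
    """Eq. 5: latency of all good traffic, averaged by volume.

    Trusted flows (not S) ride their own wavelength and see baseline latency on an
    uncongested path; suspicious-but-legitimate flows (S - A) see the defense
    mechanism's latency.  Assumption (it reproduces the paper's 535/361/187 ms
    figures): the defense latency is evaluated at the full aggregate demand
    T = legitimate + attack, i.e. the scrubber or Spiffy path is not relieved by
    the trusted traffic that O-LAD pulled off it.
    """
    t_trusted = trusted_fraction * GBPS_LEGIT      # T_{not S}
    t_susp_good = GBPS_LEGIT - t_trusted           # T_{S - A}
    total_demand = GBPS_LEGIT + attack_gbps        # aggregate demand T
    if attack == "direct":                         # L^D: scrubber-based defense
        l_defense = latency_scrubber(total_demand)
    elif attack == "indirect":                     # L^I: Spiffy-based defense
        l_defense = latency_spiffy(total_demand, ap_l)
    else:
        raise ValueError(f"unknown attack class: {attack}")
    l_trusted = latency_baseline(t_trusted)        # 2.8 or 5.6 Gbps never exceeds T_c
    return (l_trusted * t_trusted + l_defense * t_susp_good) / (t_trusted + t_susp_good)


def reduction_pct(before_ms, after_ms):
    """Percentage decrease in latency, as quoted in the paper's comparisons."""
    return 100.0 * (before_ms - after_ms) / before_ms


if __name__ == "__main__":
    for attack_gbps in (10, 40, 100):
        demand = GBPS_LEGIT + attack_gbps
        print(f"attack {attack_gbps:>3} Gbps: baseline {latency_baseline(demand):6.1f} ms, "
              f"scrubber {latency_scrubber(demand):6.1f} ms, "
              f"O-LAD 40% {latency_olad(attack_gbps, 0.4):6.1f} ms, "
              f"O-LAD 80% {latency_olad(attack_gbps, 0.8):6.1f} ms")
```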
5. FUTURE OUTLOOK
An approach like O-LAD opens up a number of interesting problems at the intersection of the optical, security, and networking communities, which we outline below.
On the Feasibility of O-LAD for Diverse DDoS Attacks.
Apart from direct vs. indirect DDoS, grand challenges lie ahead in modeling and evaluating the gains of O-LAD for combating other types of DDoS attacks. In particular, the feasibility of O-LAD in defending against (in)distinguishable, fixed vs. variable rate, volume-based, and protocol-conforming attacks calls for further research involving the optical and security communities.
Towards a Commercial, Industry-grade O-LAD System.
In addition to understanding and evaluating the efficacy of O-LAD via models, the lack of vendor-agnostic APIs (as discussed in § 2.1) might impede the further development of O-LAD into a full-fledged DDoS defense system. This calls for collaborations among optical, networking and security researchers, and for new partnerships, e.g., between OpenConfig [37], enterprises, and security experts, to solve the grand challenges on this front. Furthermore, the heterogeneity, scale, and dynamism of modern DDoS attacks require new testing frameworks and capabilities for O-LAD to operate effectively against the growing DDoS landscape.
O-LAD for a Broader Class of Cyber Attacks.
While the goal of this paper is to make a case for optical layer-aware DDoS defense, we believe that the notion of optical layer awareness is beneficial for a broader class of cyber attacks. First, insider reconnaissance is an ongoing problem since the topology can be mapped as shown by Achleitner et al. [4]. By keeping the performance and network objectives in mind, we believe O-LAD can arbitrarily change wavelengths to effectively combat reconnaissance by providing cyber deception. In addition, complementary to NetHide [36], we believe that O-LAD can be used to combat targeted attacks by dynamically altering the underlying wavelengths and, hence, topologies.

6. REFERENCES

[1] DDoS Attacks Up By 84% in Q1. cybersecurityintelligence.com/blog/ddos-attacks-up-by-84-in-q1-4346.html.
[2] The history of Optical and Ethernet. ciena.com/insights/infographics/Packet-Optical-Convergence-Infographic-prx.html.
[3] DWDM SFP+. fs.com/c/dwdm-sfp-plus-66?dwdm-tunable=20807, 2019.
[4] S. Achleitner, T. La Porta, P. McDaniel, S. Sugrim, S. V. Krishnamurthy, and R. Chadha. Cyber deception: Virtual networks to defend insider reconnaissance. In Proceedings of the 8th ACM CCS International Workshop on Managing Insider Security Threats, pages 57–68. ACM, 2016.
[5] Akamai. Akamai security solutions. akamai.com/us/en/products/security/, 2019.
[6] D. Awduche and Y. Rekhter. Multiprotocol lambda switching: Combining MPLS traffic engineering control with optical crossconnects. IEEE Communications Magazine, 39(3):111–116, 2001.
[7] AWS. AWS Shield: Managed DDoS protection. https://aws.amazon.com/shield/, 2019.
[8] F. Baker and P. Savola. Ingress filtering for multihomed networks. Technical report, BCP 84, RFC 3704, March 2004.
[9] E. Bursztein. Inside Mirai the infamous IoT botnet: A retrospective analysis. https://elie.net/blog/security/inside-mirai-the-infamous-iot-botnet-a-retrospective-analysis/, Dec 2018.
[10] CenturyLink. CenturyLink DDoS mitigation. centurylink.com/asset/business/enterprise/brochure/ddos-mitigation.pdf, 2019.
[11] Cloudflare. Advanced DDoS attack protection. cloudflare.com/ddos/, 2019.
[12] A. Correa. DDoS reflection and amplification attacks. malwarepatrol.net/ddos-reflection-and-amplification-attacks/. Accessed 2019.
[13] J. Czyz, M. Kallitsis, M. Gharaibeh, C. Papadopoulos, M. Bailey, and M. Karir. Taming the 800 pound gorilla: The rise and decline of NTP DDoS attacks. In Proceedings of the 2014 Conference on Internet Measurement Conference, pages 435–448. ACM, 2014.
[14] R. Durairajan, P. Barford, J. Sommers, and W. Willinger. GreyFiber: A system for providing flexible access to wide-area connectivity. arXiv preprint arXiv:1807.05242, 2018.
[15] P. Ferguson and D. Senie. Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing. RFC 2827, RFC Editor, May 2000.
[16] M. Filer, J. Gaudette, M. Ghobadi, R. Mahajan, T. Issenhuth, B. Klinkers, and J. Cox. Elastic optical networking in the Microsoft cloud. IEEE/OSA Journal of Optical Communications and Networking, 8(7):A45–A54, 2016.
[17] M. Gaiser. How much monetary damage was done during the Oct 21, 2016 DDoS of DynDNS? quora.com/How-much-monetary-damage-was-done-during-the-Oct-21-2016-DDOS-of-DynDNS, Oct 2016.
[18] M. Ghobadi and R. Mahajan. Optical layer failures in a large backbone. In Proceedings of the 2016 Internet Measurement Conference, pages 461–467. ACM, 2016.
[19] M. Ghobadi, R. Mahajan, A. Phanishayee, N. Devanur, J. Kulkarni, G. Ranade, P.-A. Blanche, H. Rastegarfar, M. Glick, and D. Kilper. ProjecToR: Agile reconfigurable data center interconnect. In Proceedings of the 2016 ACM SIGCOMM Conference, pages 216–229. ACM, 2016.
[20] N. Hamedazimi, H. Gupta, V. Sekar, and S. R. Das. Patch panels in the sky: A case for free-space optics in data centers. In Proceedings of the Twelfth ACM Workshop on Hot Topics in Networks, page 23. ACM, 2013.
[21] C.-Y. Hong, S. Kandula, R. Mahajan, M. Zhang, V. Gill, M. Nanduri, and R. Wattenhofer. Achieving high utilization with software-driven WAN. In ACM SIGCOMM Computer Communication Review, volume 43, pages 15–26. ACM, 2013.
[22] R. Ikhsan, R. F. Syahputra, et al. Performance control of semiconductor optical amplifier and fiber Raman amplifier in communication system. In , pages 32–36. IEEE, 2018.
[23] D. J. Ives, A. Alvarado, and S. J. Savory. Throughput gains from adaptive transceivers in nonlinear elastic optical networks. Journal of Lightwave Technology, 35(6):1280–1289, 2017.
[24] S. Jain, A. Kumar, S. Mandal, J. Ong, L. Poutievski, A. Singh, S. Venkata, J. Wanderer, J. Zhou, M. Zhu, et al. B4: Experience with a globally-deployed software defined WAN. In ACM SIGCOMM Computer Communication Review, volume 43, pages 3–14. ACM, 2013.
[25] V. Jalaparti, I. Bliznets, S. Kandula, B. Lucier, and I. Menache. Dynamic pricing and traffic engineering for timely inter-datacenter transfers. In Proceedings of the 2016 ACM SIGCOMM Conference, pages 73–86. ACM, 2016.
[26] C. Jin, H. Wang, and K. G. Shin. Hop-count filtering: An effective defense against spoofed DDoS traffic. In Proceedings of the 10th ACM Conference on Computer and Communications Security, pages 30–41. ACM, 2003.
[27] X. Jin, Y. Li, D. Wei, S. Li, J. Gao, L. Xu, G. Li, W. Xu, and J. Rexford. Optimizing bulk transfers with software-defined optical WAN. In Proceedings of the 2016 ACM SIGCOMM Conference, pages 87–100. ACM, 2016.
[28] S. Kandula, I. Menache, R. Schwartz, and S. R. Babbula. Calendaring for wide area networks. In ACM SIGCOMM Computer Communication Review, volume 44, pages 515–526. ACM, 2014.
[29] M. S. Kang, V. D. Gligor, and V. Sekar. Spiffy: Inducing cost-detectability tradeoffs for persistent link-flooding attacks. In NDSS, 2016.
[30] M. S. Kang, S. B. Lee, and V. D. Gligor. The Crossfire attack. In , pages 127–141. IEEE, 2013.
[31] D. Klonidis, F. Cugini, O. Gerstel, M. Jinno, V. Lopez, E. Palkopoulou, M. Sekiya, D. Siracusa, G. Thouénon, and C. Betoule. Spectrally and spatially flexible optical network planning and operations.
IEEE Communications Magazine , 53(2):69–78, 2015.[32] M. N. Kumar, P. Sujatha, V. Kalva, R. Nagori, A. K. Katukojwala,and M. Kumar. Mitigating economic denial of sustainability (edos) incloud computing using in-cloud scrubber service. In , pages 535–539. IEEE, 2012.[33] Y. Lee, G. Bernstein, D. Li, and W. Imajuku. Routing and wavelengthassignment information model for wavelength switched opticalnetworks. Technical report, 2015.[34] H. H. Liu, S. Kandula, R. Mahajan, M. Zhang, and D. Gelernter.Traffic engineering with forward fault correction. In
ACM SIGCOMMComputer Communication Review , volume 44, pages 527–538.ACM, 2014.[35] A. Mahimkar, A. Chiu, R. Doverspike, M. D. Feuer, P. Magill,E. Mavrogiorgis, J. Pastor, S. L. Woodward, and J. Yates. Bandwidthon demand for inter-data center communication. In
Proceedings ofthe 10th ACM Workshop on Hot Topics in Networks , page 24. ACM,2011.[36] R. Meier, P. Tsankov, V. Lenders, L. Vanbever, and M. Vechev.Nethide: secure and practical network topology obfuscation. In , pages 693–709, 2018.[37] OpenConfig. Vendor-neutral, model-driven network managementdesigned by users. . openconfig . net/ , 2016.[38] G. Porter, R. Strong, N. Farrington, A. Forencich, P. Chen-Sun,T. Rosing, Y. Fainman, G. Papen, and A. Vahdat. Integratingmicrosecond circuit switching into the data center , volume 43. ACM,2013.[39] J. Russell. The worldâ ˘A ´Zs largest ddos attack took github offline forfewer than 10 minutes. https://techcrunch . com/2018/03/02/the-worlds-largest-ddos-attack-took-github-offline-for-less-than-tens-minutes/ ,2018.
40] R. Singh, M. Ghobadi, K.-T. Foerster, M. Filer, and P. Gill. Radwan:rate adaptive wide area network. In
Proceedings of the 2018Conference of the ACM Special Interest Group on DataCommunication , pages 547–560. ACM, 2018.[41] A. Singla, A. Singh, K. Ramachandran, L. Xu, and Y. Zhang.Proteus: a topology malleable data center network. In
Proceedings ofthe 9th ACM SIGCOMM Workshop on Hot Topics in Networks ,page 8. ACM, 2010.[42] J. M. Smith and M. Schuchard. Routing around congestion:Defeating ddos attacks and adverse network conditions via reactivebgp routing. In ,pages 599–617. IEEE, 2018.[43] T. A. Strasser and J. L. Wagener. Wavelength-selective switches forroadm applications.
IEEE Journal of selected topics in QuantumElectronics , 16(5):1150–1157, 2010.[44] M. Tran, M. S. Kang, H.-C. Hsiao, W.-H. Chiang, S.-P. Tung, andY.-S. Wang. On the feasibility of rerouting-based ddos defenses. In
InProceedings of IEEE Symposium on Security and Privacy (IEEES&P) , 2019.[45] A. Von Lehmen, R. Doverspike, G. Clapp, D. M. Freimuth,J. Gannett, A. Kolarov, H. Kobrinski, C. Makaya, E. Mavrogiorgis, J. Pastor, et al. Coronet: Testbeds, demonstration, and lessonslearned.
IEEE/OSA Journal of Optical Communications andNetworking , 7(3):A447–A458, 2015.[46] Y. Xiang, M. Tang, Q. Wu, H. Zhou, B. Yong, S. Fu, and D. Liu. Ajoint osnr and nonlinear distortions estimation method for opticalfiber transmission system.
IEEE Photonics Journal , 10(5):1–11,2018.[47] L. Xue, X. Luo, E. W. Chan, and X. Zhan. Towards detecting targetlink flooding attack. In , pages 90–105, 2014.[48] A. Yaar, A. Perrig, and D. Song. Stackpi: New packet marking andfiltering mechanisms for ddos and ip spoofing defense.
IEEE Journalon Selected Areas in Communications , 24(10):1853–1863, 2006.[49] C. Zervos, M. Spyropoulou, I. Kanakis, I. Lazarou, K.-O. Velthaus,E. Rouvalis, G. Torfs, E. Goobar, R. Santos, N. Tessema, et al. A newgeneration of high-speed electro-optical transceivers and flexiblebandwidth wavelength selective switches for coherent dci: theqameleon project approach. In
Optical Interconnects XIX , volume10924, page 109240E. International Society for Optics andPhotonics, 2019., volume10924, page 109240E. International Society for Optics andPhotonics, 2019.