IP Anycast is used for services such as DNS and Content Delivery Networks to provide the capacity to handle Distributed Denial-of-Service (DDoS) attacks. During a DDoS attack service operators may wish to redistribute traffic between anycast sites to take advantage of sites with unused or greater capacity. Depending on site traffic and attack size, operators may instead choose to concentrate attackers in a few sites to preserve operation in others. Previously service operators have taken these actions during attacks, but how to do so has not been described publicly. This paper meets that need, describing methods to use BGP to shift traffic when under DDoS that can build a response playbook. Operators can use this playbook, with our new method to estimate attack size, to respond to attacks. We also explore constraints on responses seen in an anycast deployment.
Distributed Denial-of-Service (DDoS) attacks are a major problem in the Internet today. In one form of a DDoS attack, a large number of compromised hosts send unwanted traffic to the victim, thus exhausting the resources of the victim and preventing it from serving its legitimate clients. One of the main mechanisms that has been proposed to deal with DDoS is filtering, which allows routers to selectively block unwanted traffic. Given the magnitude of DDoS attacks and the high cost of filters in today's routers, the successful mitigation of a DDoS attack using filtering crucially depends on the efficient allocation of filtering resources. In this paper, we consider a single router, typically the gateway of the victim, with a limited number of available filters. We study how to optimally allocate filters to attack sources, or to entire domains of attack sources, so as to maximize the amount of good traffic preserved under a constraint on the number of filters. We formulate the problem as an optimization problem and solve it optimally using dynamic programming, study the properties of the optimal allocation, experiment with a simple heuristic, and evaluate our solutions for a range of realistic attack scenarios. First, we look at the single-tier problem, where the collateral damage is high because filtering is performed at the granularity of domains. Second, we look at the two-tier problem, where we have an additional constraint on the number of filters and filtering is performed at the granularity of both attackers and domains.
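The filter-allocation problem in this abstract can be made concrete as a knapsack-style dynamic program. The following example is added here for illustration and is not the paper's own code or its exact formulation; it assumes a model in which a single gateway router holds at most `max_filters` entries, every attacker must be blocked, and each domain is handled either by one domain-wide filter (losing all of the domain's good traffic) or by one filter per attacker (keeping the domain's good traffic). The `domain_only` flag models the single-tier case in which filters can only match whole domains. The domain names, traffic volumes and attacker counts are constructed sample data.

```python
"""Optimal DDoS filter allocation as a dynamic program (constructed example).

Assumed model (not the paper's exact formulation): a gateway router has at
most `max_filters` filter entries; all attackers must be blocked; for each
domain the operator either installs one domain-wide filter (collateral
damage: all of the domain's good traffic is dropped) or one filter per
attacker (the domain's good traffic survives). Objective: maximise the good
traffic preserved.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Domain:
    name: str
    good_traffic: float  # legitimate traffic volume from this domain (any unit)
    attackers: int       # number of attacking sources inside this domain


# Constructed sample input: four source domains seen at the victim's gateway.
SAMPLE_DOMAINS: List[Domain] = [
    Domain("A", good_traffic=10.0, attackers=3),
    Domain("B", good_traffic=50.0, attackers=1),
    Domain("C", good_traffic=2.0, attackers=4),
    Domain("D", good_traffic=30.0, attackers=0),  # clean domain, needs no filter
]


def allocate_filters(domains: List[Domain], max_filters: int,
                     domain_only: bool = False
                     ) -> Optional[Tuple[float, Dict[str, str]]]:
    """Return (good traffic preserved, decision per domain), or None when the
    attackers cannot all be blocked within `max_filters`.

    domain_only=True is the single-tier case: filters only match whole domains,
    so every attacked domain must be blocked outright.
    """
    neg = float("-inf")
    n = len(domains)
    # best[i][f]: max good traffic preserved over domains[:i] with at most f filters
    best = [[neg] * (max_filters + 1) for _ in range(n + 1)]
    choice: List[List[Optional[str]]] = [[None] * (max_filters + 1) for _ in range(n + 1)]
    for f in range(max_filters + 1):
        best[0][f] = 0.0

    for i, d in enumerate(domains, start=1):
        for f in range(max_filters + 1):
            if d.attackers == 0:
                # Nothing to block: the domain's good traffic is kept for free.
                best[i][f] = best[i - 1][f] + d.good_traffic
                choice[i][f] = "none"
                continue
            # Option 1: one domain-wide filter; all of d.good_traffic is collateral damage.
            if f >= 1 and best[i - 1][f - 1] > best[i][f]:
                best[i][f] = best[i - 1][f - 1]
                choice[i][f] = "domain"
            # Option 2: one filter per attacker; d.good_traffic is preserved.
            if not domain_only and f >= d.attackers:
                cand = best[i - 1][f - d.attackers] + d.good_traffic
                if cand > best[i][f]:
                    best[i][f] = cand
                    choice[i][f] = "per-attacker"

    if best[n][max_filters] == neg:
        return None  # infeasible: not enough filters to cover every attacker

    # Walk the choice table backwards to recover the per-domain decisions.
    decisions: Dict[str, str] = {}
    f = max_filters
    for i in range(n, 0, -1):
        c = choice[i][f]
        decisions[domains[i - 1].name] = c
        if c == "domain":
            f -= 1
        elif c == "per-attacker":
            f -= domains[i - 1].attackers
    return best[n][max_filters], decisions


if __name__ == "__main__":
    for budget in (2, 3, 5):
        print("two-tier, filters =", budget, "->", allocate_filters(SAMPLE_DOMAINS, budget))
        print("single-tier, filters =", budget, "->",
              allocate_filters(SAMPLE_DOMAINS, budget, domain_only=True))
```

With the sample data, three filters are the minimum that blocks every attacker; at that budget the two-tier allocation keeps 80 units of good traffic (B's single attacker gets its own filter) while the single-tier allocation keeps only 30, which is the collateral-damage effect the abstract describes. Two extra filters let the allocator protect A's good traffic by filtering its three attackers individually while still blocking C wholesale, where the per-attacker option would cost four filters to save two units.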
A quantum network promises to enable long-distance quantum communication and to assemble small quantum devices into a large quantum computing cluster. Each network node can thereby be seen as a small few-qubit quantum computer. Qubits can be sent over direct physical links connecting nearby quantum nodes, or by means of teleportation over pre-established entanglement between distant network nodes. Such pre-shared entanglement effectively forms a shortcut, a virtual quantum link, which can be used exactly once. Here, we present an abstraction of a quantum network that allows ideas from computer science to be applied to the problem of routing qubits and managing entanglement in the network. Specifically, we consider a scenario in which each quantum network node can create EPR pairs with its immediate neighbours over a physical connection, and perform entanglement swapping operations in order to create long-distance virtual quantum links. We proceed to discuss the features unique to quantum networks, which call for the development of new routing techniques. As an example, we present two simple hierarchical routing schemes for a quantum network of N nodes in a ring and a sphere topology. For these topologies we present efficient routing algorithms requiring O(log N) qubits to be stored at each network node, O(polylog N) time and space to perform routing decisions, and O(log N) timesteps to replenish the virtual quantum links in a model of entanglement generation.
Opportunistic Routing (OR) is a novel routing technique for wireless mesh networks that exploits the broadcast nature of the wireless medium. OR combines frames from multiple receivers and therefore creates a form of spatial diversity called MAC diversity. The gain from OR is especially high in networks where the majority of links have a high packet loss probability. The updated IEEE 802.11n standard improves the physical layer with the ability to use multiple transmit and receive antennas, i.e. Multiple-Input and Multiple-Output (MIMO), and therefore already offers spatial diversity on the physical layer, called PHY diversity, which improves the reliability of a wireless link by reducing its error rate. In this paper we quantify the gain from MAC diversity as utilized by OR in the presence of PHY diversity as provided by a MIMO system such as 802.11n. We experimented with an IEEE 802.11n indoor testbed and analyzed the nature of packet losses. Our experimental results show negligible MAC diversity gains for both interference-prone 2.4 GHz and interference-free 5 GHz channels when using 802.11n. This differs from the observations made with single-antenna systems based on 802.11b/g, as well as in initial studies with 802.11n.
Multicasting is effective when its group members are sparse and the speed is low. On the other hand, broadcasting is effective when the group members are dense and the speed is high. Since mobile ad hoc networks are highly dynamic in nature, either of the above two strategies can be adopted in different scenarios. In this paper, we propose an ant-agent-based adaptive multicast protocol that exploits the group members' desire to simplify multicast routing and invokes broadcast operations in appropriate localized regimes. By reducing the number of group members that participate in the construction of the multicast structure, and by providing robustness to mobility through broadcasts in densely clustered local regions, the proposed protocol achieves packet delivery statistics comparable to those of a pure multicast protocol but with significantly lower overheads. Our simulation results show that the proposed protocol achieves an increased Packet Delivery Fraction (PDF) with reduced overhead and routing load.
Machine-learning-based anomaly detection (ML-based AD) has been successful at detecting DDoS events in the lab. However, published evaluations of ML-based AD have used only limited data and provided minimal insight into why it works. To address the limited evaluation against real-world data, we apply an autoencoder, an existing ML-AD model, to 57 DDoS attack events captured at 5 cloud IPs of a major cloud provider. We show that our models detect nearly all malicious flows for 2 of the 4 cloud IPs under attack (at least 99.99%) and detect most malicious flows (94.75% and 91.37%) for the remaining 2 IPs. Our models also maintain near-zero false positives on benign flows to all 5 IPs. Our primary contribution is to improve our understanding of why ML-based AD works on some malicious flows but not others. We interpret our detection results with feature attribution and counterfactual explanation. We show that our models are better at detecting malicious flows with anomalies on allow-listed features (those with only a few benign values) than flows with anomalies on deny-listed features (those with mostly benign values), because our models are more likely to learn correct normality for allow-listed features. We then show that our models are better at detecting malicious flows with anomalies on unordered features (those with no ordering among their values) than flows with anomalies on ordered features, because even with incomplete normality our models can still detect anomalies on unordered features with high recall. Lastly, we summarize the implications of what we learn for applying autoencoder-based AD in production: training with noisy real-world data is possible, an autoencoder can reliably detect real-world anomalies on well-represented unordered features, and combinations of autoencoder-based AD and heuristic-based filters can help both.