# ROTOROUTER: Router Support for Endpoint-Authorized Decentralized Traffic Filtering to Prevent DoS Attacks

**Albert Kwon** <sup>1 2</sup> Kaiyu Zhang <sup>2</sup> Perk Lun Lim <sup>2</sup> Yu Pan <sup>2</sup> Jonathan Smith <sup>2</sup> André DeHon <sup>2</sup>

<sup>1</sup>MIT

<sup>2</sup>University of Pennsylvania

December 12, 2014

# Denial-of-Service (DoS) Attacks

- Denial-of-service (DoS) is an attack that makes a network or server unavailable
- The attacker overloads the network with junk messages so that valid traffic can't get through



- Bank of America, JP Morgan, and Citi (2012)
- Bitcoin (Dwolla, Mt. Gox) (2013)
- Reddit (2013)
- Sony's PlayStation Network (2014)
- DoS costs \$240k-\$1.2 million in lost revenue/day

## Existing Solutions for DoS

- Software firewalls
  - Non-solution
- Hardware firewalls
  - Inflexible
- Replication
  - Expensive

#### Routers cooperate to only route desired traffic

- End points add metadata to packets
- Routers validate all traffic going through
- Enable the end points to "program" the routers
  - Similar to OpenFlow, but decentralized
- Both protocol change and hardware support

#### Outline

1. Motivation
2. ROTOROUTER Network Protocol
3. ROTOROUTER Architecture
4. ROTOROUTER Evaluation
5. Conclusion

## ROTOROUTER Network Protocol

- Extend TCP/IP
- Connection ID identifies the flow
  - IPv4 source + destination, and a random number
- Hash
  - Prevents tampering
- Public key signature
  - Prevents spoofing
  - Assumes that the public keys of end points are distributed





- Receiving end point sends:
  - Connection ID corresponding to the flow
  - Boolean indicating whether the flow is desired or not
  - Source node's public key



(Figure: flow setup exchange between Alice and Bob)



- Router performs:
  - Look up the connection ID in the flow table
  - Verify the hash of the packet
  - Verify the signature with the source's public key
  - Drop or relay the packet
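The packet metadata, the receiver's flow-setup message and the router's four-step check above, as an added software model that is not code from the ROTOROUTER paper or its prototype. Assumptions made for illustration: a 12-byte ConnectionID (source IPv4 || destination IPv4 || 4-byte nonce), a SHA-1 hash over ConnectionID || payload, and a textbook (unpadded) 512-bit RSA signature over that hash. A real deployment would need a padded signature scheme such as RSA-PSS and a hash that is still collision resistant (SHA-1 no longer is); the slides name SHA-1 and RSA, so the model uses them. Note that the hash alone only detects accidental corruption: an on-path attacker can recompute it, so tamper resistance actually comes from the signature binding the hash to the source's key.

```python
"""Added example, not code from the ROTOROUTER paper: a software model of the
protocol.  Field layout, 512-bit textbook RSA and the fixed nonce are assumptions."""
import hashlib
import random


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin; adequate for an illustrative key generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512, e=65537):
    """Return ((n, e), (n, d)).  The small public exponent e is why verifying
    (one modexp with e) is far cheaper than signing (modexp with the large d)."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def connection_id(src_ip, dst_ip, nonce):
    """ConnectionID = IPv4 source + destination + random number (slide definition)."""
    return src_ip + dst_ip + nonce


def build_packet(conn_id, payload, priv):
    """Sending endpoint: attach the hash and the signature over the hash."""
    digest = hashlib.sha1(conn_id + payload).digest()
    n, d = priv
    return {"conn_id": conn_id, "payload": payload, "hash": digest,
            "sig": pow(int.from_bytes(digest, "big"), d, n)}


class RotoRouter:
    def __init__(self):
        self.flow_table = {}  # conn_id -> (source public key, desired?)

    def setup_flow(self, conn_id, desired, src_pubkey):
        """Control message from the receiving endpoint: ConnectionID, a boolean
        saying whether the flow is wanted, and the source's public key."""
        self.flow_table[conn_id] = (src_pubkey, desired)

    def forward(self, pkt):
        """Data path in the slides' order: look up, hash, signature, drop/relay."""
        entry = self.flow_table.get(pkt["conn_id"])
        if entry is None:
            return "drop: unknown flow"
        (n, e), desired = entry
        if not desired:
            return "drop: flow not desired"
        if hashlib.sha1(pkt["conn_id"] + pkt["payload"]).digest() != pkt["hash"]:
            return "drop: bad hash"
        if pow(pkt["sig"], e, n) != int.from_bytes(pkt["hash"], "big"):
            return "drop: bad signature"
        return "relay"


def demo():
    """Alice -> Bob through one router, plus the attacks the design targets."""
    random.seed(7)  # deterministic toy keys for the example; never do this for real keys
    alice_pub, alice_priv = rsa_keygen()
    _, mallory_priv = rsa_keygen()
    alice, bob, mallory = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", b"\x0a\x00\x00\x03"
    cid = connection_id(alice, bob, b"\x13\x37\x42\x99")  # nonce fixed for the example
    router = RotoRouter()
    router.setup_flow(cid, True, alice_pub)  # Bob authorises Alice's flow
    results = {"good": router.forward(build_packet(cid, b"hello bob", alice_priv))}
    # Spoofing: Mallory reuses Alice's ConnectionID but cannot sign as Alice
    results["spoofed"] = router.forward(build_packet(cid, b"junk", mallory_priv))
    # Tampering: payload modified in transit after Alice signed it
    pkt = build_packet(cid, b"hello bob", alice_priv)
    pkt["payload"] = b"hello bot"
    results["tampered"] = router.forward(pkt)
    # Flooding: packets on a flow Bob never set up
    flood = connection_id(mallory, bob, b"\x00\x00\x00\x01")
    results["unknown"] = router.forward(build_packet(flood, b"flood", mallory_priv))
    # Revocation: Bob flips the boolean and the router stops relaying
    router.setup_flow(cid, False, alice_pub)
    results["revoked"] = router.forward(build_packet(cid, b"hello bob", alice_priv))
    return results
```

`demo()` returns one verdict per scenario: the authorised packet is relayed, the spoofed and tampered packets fail the signature and hash checks respectively, the flood packet is dropped on the flow-table miss before any crypto runs, and the revoked flow is dropped by the boolean alone. That ordering is deliberate: the cheap table lookup filters unwanted traffic first, so the expensive modexp only runs on flows the receiver asked for.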




## ROTOROUTER Architecture



#### Flow Table

- Dictionary mapping connection ID to source public key, and a valid flow boolean
- Small cache (on BRAM) backed by larger memory
  - Negative flows are cached as well
- Crucial for router performance
  - (Near) Associative memory <sup>1</sup>



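Why the flow table caches negative flows as well, as an added software model that is not the paper's hardware. The two-level structure (a small associative cache in front of a large backing memory) is from the slides; the cache size, the LRU replacement policy, the constructed traffic mix and the names are assumptions for illustration.

```python
"""Added example, not the ROTOROUTER prototype: a two-level flow table with and
without negative caching under a flood.  Sizes and traffic mix are constructed."""
from collections import OrderedDict


class FlowTable:
    def __init__(self, cache_entries, cache_negative):
        self.backing = {}            # large memory: conn_id -> (pubkey, desired)
        self.cache = OrderedDict()   # models the small BRAM cache, kept in LRU order
        self.cache_entries = cache_entries
        self.cache_negative = cache_negative
        self.backing_reads = 0       # the slow path we want off the per-packet path

    def insert(self, conn_id, pubkey, desired):
        """Flow setup from the on-chip processor; invalidate any stale cached copy."""
        self.backing[conn_id] = (pubkey, desired)
        self.cache.pop(conn_id, None)

    def lookup(self, conn_id):
        """Return (pubkey, desired), or None for a flow nobody has set up."""
        if conn_id in self.cache:
            self.cache.move_to_end(conn_id)
            return self.cache[conn_id]
        self.backing_reads += 1
        entry = self.backing.get(conn_id)
        positive = entry is not None and entry[1]
        if positive or self.cache_negative:   # negative = rejected or unknown flow
            self.cache[conn_id] = entry
            if len(self.cache) > self.cache_entries:
                self.cache.popitem(last=False)   # evict least recently used
        return entry


def simulate(cache_negative, cache_entries=64, attacker_flows=16, packets=10_000):
    """Four legitimate flows plus a flood spread over a few attacker ConnectionIDs,
    half explicitly rejected by the receiver and half never set up at all.
    Roughly one packet in five is legitimate (constructed traffic mix)."""
    table = FlowTable(cache_entries, cache_negative)
    good = [f"good-{i}" for i in range(4)]
    for cid in good:
        table.insert(cid, "alice-pubkey", True)
    bad = [f"bad-{i}" for i in range(attacker_flows)]
    for i in range(0, attacker_flows, 2):
        table.insert(bad[i], "mallory-pubkey", False)  # receiver said "not desired"
    relayed = dropped = 0
    for i in range(packets):
        cid = good[i % 4] if i % 5 == 0 else bad[i % attacker_flows]
        entry = table.lookup(cid)
        if entry is not None and entry[1]:
            relayed += 1
        else:
            dropped += 1
    return {"relayed": relayed, "dropped": dropped,
            "backing_reads": table.backing_reads}
```

Both configurations drop the same flood packets, but only the one with negative caching does so from the fast cache: with it, the backing memory sees one read per distinct ConnectionID; without it, every flood packet becomes a slow-path read, and the attacker has simply moved the bottleneck from the link to the flow table. The cache invalidation in `insert` matters for the same reason in reverse: when the receiver flips a flow from desired to not desired, the router must not keep relaying from a stale positive entry.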

#### Cryptographic Hash and Signature Verification

- Currently: SHA-1 for hash, and RSA for signature
- Crucial for router performance
  - Large exponentiation ⇒ no line-rate public key signing
  - Verification only needs the small public exponent, so it is cheap enough to run at line rate



### On-chip Processor

- Communicates with the end points to set up new flows
  - Only impacts initial latency
- Manages the flow table entries



## ROTOROUTER Evaluation

- Hardware prototype on NetFPGA-10G platform
  - Xilinx Virtex 5 (xc5vtx240tffg1759-2) using 65nm technology
- Supports four 1 Gbps ports
- Implemented using Bluespec System Verilog, and open source libraries
  - Bluespec: Processor, flow table, crossbar, mod-exp
  - OpenCores: SHA-1
  - NetFPGA-10G library: Gigabit Ethernet, PCIe, etc.



Area (LUTs, BRAMs) and clock frequency of each module on the Virtex 5:

| Module              | LUTs   | BRAMs | Clock (MHz) |
|---------------------|--------|-------|-------------|
| Crossbar w/ Buffers | 8249   | 16    | 300         |
| Flow Table          | 38     | 74    | 350         |
| Processor           | 26985  | 52    | 200         |
| SHA-1 Module        | 4×1005 | 0     | 125         |
| Mod-Exp             | 73591  | 0     | 200         |
| RotoRouter          | 112883 | 142   | 125         |
| IPv4 Router         | 22523  | 35    | 150         |
| Total available     | 149760 | 324   | -           |

- 3 machines with 1 Gbps Ethernet
- One attacker flooding the network, while the other two saturate the network bandwidth



- Want to support 10, or even 100, Gbps ports
- Newer FPGAs support high-speed switching (> 160 Gbps)<sup>2</sup>
- Crypto could be replicated
  - Hash and signature primitives could be switched to faster primitives (e.g., elliptic curve)

|                                       | Crossbar | Flow Table | SHA-1 | Mod-Exp |
|---------------------------------------|----------|------------|-------|---------|
| Clock speed (MHz)                     | 300      | 350        | 125   | 200     |
| Individual throughput (Gbps)          | 19.2     | 515        | 4×0.8 | 4×1.2   |
| Effective throughput @ 125 MHz (Gbps) | 8        | 184        | 3.2   | 4.8     |

<sup>2</sup> Z. Dai and J. Zhu. Saturating the transceiver bandwidth: Switch fabric design on FPGAs. FPGA 2012.




#### Conclusion

- Router-assisted DoS protection shows great promise
  - Line-rate public key verification is possible!
- Proof-of-concept router demonstrates low overhead
- Software and hardware co-design leads to better solutions





# Thanks!

#### Future Work

- Characterizing dynamic behaviors
  - Flow setup, router setup, etc
- Throughput impact on larger scale systems
- Incremental deployment