QUIC-Tr4ck: Mitigating QUIC-Flood Attacks Using Programmable Data Planes
Abstract
The QUIC protocol aims to improve the performance of Web applications by allowing multiplexed connections to be established over UDP. However, as QUIC-based services have become popular, they have also become the target of malicious attacks, especially denial-of-service (DoS) attacks. Although solutions for mitigating attacks against QUIC already exist at the endpoints, solutions based on programmable data planes (PDP) for detecting and mitigating attacks on the QUIC protocol remain little explored. This paper presents QUIC-Tr4ck, a system for tracking QUIC packets that combines, in a hybrid fashion, strategies running in the programmable data plane (using the P4 language and sketches) with strategies running on an SDN controller (consolidating snapshots for a holistic analysis of the network state). QUIC-Tr4ck allows switches to intercept QUIC connections and identify malicious clients proactively and preventively, that is, before they exhaust a server's resources.
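The hybrid design described above, as an added illustration that is not the paper's code: each switch keeps a count-min sketch of QUIC v1 Initial packets per source, and a controller merges the switches' snapshots before deciding, so a source that spreads its handshakes across switches is only visible in the consolidated view. The sketch size, the threshold, the packet bytes and the addresses are constructed for the example.

```python
import hashlib

ROWS, COLS = 3, 64        # constructed sketch size; real deployments use far more columns
INITIAL_THRESHOLD = 5     # constructed limit on Initial packets per source per window

def is_quic_initial(payload: bytes) -> bool:
    """QUIC v1 long header (bit 7) with fixed bit (bit 6) and type bits == 0 (RFC 9000, Initial)."""
    if len(payload) < 5:
        return False
    first, version = payload[0], int.from_bytes(payload[1:5], "big")
    return (first & 0xC0) == 0xC0 and (first >> 4) & 0x03 == 0 and version == 1

def _col(row: int, key: str) -> int:
    # one hash per row; a P4 switch would use distinct CRC polynomials instead
    return int.from_bytes(hashlib.sha256(f"{row}:{key}".encode()).digest()[:4], "big") % COLS

def new_sketch():
    return [[0] * COLS for _ in range(ROWS)]

def sketch_update(sketch, src_ip: str, payload: bytes) -> None:
    """Data-plane step: count only QUIC Initial packets, keyed by source address."""
    if is_quic_initial(payload):
        for r in range(ROWS):
            sketch[r][_col(r, src_ip)] += 1

def sketch_query(sketch, src_ip: str) -> int:
    """Count-min estimate: never below the true count, possibly above on collisions."""
    return min(sketch[r][_col(r, src_ip)] for r in range(ROWS))

def merge_snapshots(snapshots):
    """Controller step: element-wise sum of the switches' snapshots gives a network-wide view."""
    return [[sum(col) for col in zip(*rows)] for rows in zip(*snapshots)]

def suspicious_sources(merged, candidates):
    return [ip for ip in candidates if sketch_query(merged, ip) > INITIAL_THRESHOLD]

def demo():
    """Constructed traffic: one source spreads its Initials across two switches."""
    initial = b"\xc3\x00\x00\x00\x01" + b"\x00" * 16   # constructed v1 Initial header + padding
    short = b"\x40" + b"\x00" * 20                      # constructed 1-RTT short-header packet
    switch_a, switch_b = new_sketch(), new_sketch()
    for _ in range(4):
        sketch_update(switch_a, "203.0.113.7", initial)   # below threshold at switch A alone
    for _ in range(3):
        sketch_update(switch_b, "203.0.113.7", initial)   # below threshold at switch B alone
    sketch_update(switch_a, "198.51.100.2", initial)      # benign client: one handshake
    for _ in range(10):
        sketch_update(switch_a, "198.51.100.2", short)    # data packets are not counted
    merged = merge_snapshots([switch_a, switch_b])
    return suspicious_sources(merged, ["203.0.113.7", "198.51.100.2"])
```

Because count-min never under-counts, the merged estimate for the spread-out source is at least 7, above the threshold that neither per-switch snapshot reached on its own.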