Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Streaming Algorithms
Search
majek04
March 15, 2016
Technology
600
1
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Streaming Algorithms
majek04
March 15, 2016
More Decks by majek04
See All by majek04
Keeloq_AD_2025__1_.pdf
majek04
0
44
BPF programmable socket lookup
majek04
0
680
Linux at Cloudflare
majek04
3
8.9k
DDoS Landscape
majek04
0
450
Inside Cloudbleed
majek04
3
3k
Golang sucks
majek04
21
53k
Gatelogic - Somewhat functional reactive framework in Python
majek04
1
5.3k
How Cloudflare deals with largest DDoS attacks?
majek04
2
3.6k
Why we chose Service Worker API
majek04
0
2.9k
Other Decks in Technology
See All in Technology
Oracle Exadata Database Service on Cloud@Customer X11M (ExaDB-C@C) サービス概要
oracle4engineer
PRO
2
8.4k
知らん間に、回ってる
ming_ayami
0
380
Keeping applications secure by evolving OAuth 2.0 and OpenID Connect
ahus1
PRO
1
160
Amazon EVS で VCF 9.0 / 9.1 のサポート開始まとめ
mtoyoda
0
290
SRE依存からの脱却 運用を開 発チームへ移す、 フルサイ クル開 発体制の実践
joooee0000
0
2.5k
AWS Summit の片隅で、体育座りしながらコミュニティがにぎわう理由を考えた
k_adachi_01
2
370
DMM.com 購入改善推進チーム におけるCodeRabbitを用いた レビューフロー改善の一例
ysknsid25
2
580
美しいコードを書くためにF#を学んでみた話
yud0uhu
1
400
AIと共生する開発者プラットフォーム:バクラクのモノレポ×マイクロサービス基盤
sakajunquality
2
3.2k
SRE本の知られざる名シーン / The Hidden Gems of Google SRE Book
nari_ex
1
330
「最後に責任を取るのはチーム」— 人間のPRレビューを最小化してアップデートしたメンタルモデル
jnishime_dresscode
0
170
Empower GenAI with Agile - あなたのアジャイルが生成AIのバフになる仕組み
hageyahhoo
1
160
Featured
See All Featured
Efficient Content Optimization with Google Search Console & Apps Script
katarinadahlin
PRO
1
670
Gemini Prompt Engineering: Practical Techniques for Tangible AI Outcomes
mfonobong
2
460
Why Your Marketing Sucks and What You Can Do About It - Sophie Logan
marketingsoph
0
210
How To Speak Unicorn (iThemes Webinar)
marktimemedia
1
500
sira's awesome portfolio website redesign presentation
elsirapls
0
300
エンジニアに許された特別な時間の終わり
watany
107
250k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
Keith and Marios Guide to Fast Websites
keithpitt
413
23k
Redefining SEO in the New Era of Traffic Generation
szymonslowik
1
360
AI Search: Where Are We & What Can We Do About It?
aleyda
0
7.7k
Testing 201, or: Great Expectations
jmmastey
46
8.2k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
27k
Transcript
Automatic DoS mitigation (streaming algorithms) Marek Majkowski marek@cloudflare.com @majek04
2 Who we are
3 Large network
4 Content neutral
5 DoS is a problem DoS events per day
6 X example.com Defending from DoS is hard
• L3 - spoofed IP packets • source IP addresses
are fake • very large • this is what you hear in news • L7 - fully established TCP connections • IP reputation is effective 7 Two DoS types
8 L3 Volume per server Packets per second
9 Automatic attack handling Attack Detection Mitigation database Reactive Automation
sflow iptables
10 Automatic attack detection Attack Detection sflow
• infinite data stream on input • approximate 11 Streaming
algorithms Streaming algorithm Data stream Results
• sflow packets samples as input • detected attacks on
output 12 Attack detection is streaming! Streaming algorithms Packet samples Attacks
• EWMA - Exponentially weighted moving average • Counting rates
of packets • Space saving • Known as Top-N or Heavy Hitters • Simplified hierarchical heavy hitters • Hyper log log • Cardinality estimation - Counting unique things 13 Streaming algorithms
14 The problem: PPS ! Mpps Descr! 3.878 --ip=141.245.59.191/32! 2.878
--ip=141.245.59.192/32! 1.878 --ip=141.245.59.193/32! 1.878 --ip=141.245.59.194/32! 1.878 --ip=141.245.59.195/32! 1.878 --ip=141.245.59.196/32! 1.878 --ip=141.245.59.197/32! 1.878 --ip=141.245.59.198/32! 1.878 --ip=141.245.59.199/32! ...!
15 Naive approach pps IP 12.2M 1.2.3.4 2.4M 42.1.2.4 0.01M
2.4.3.1 0.01M 192.168.1.1
16 There is no such thing as pps
17 Naive: Moving average 1.0s 1.1s 1.3s 1.8s 1.99s 2.1s
2.4s 2.41s t=2.50s Precisely 5 samples
18 Not-smoothed values 1.0s 1.1s 1.3s 1.8s 1.99s 2.1s 2.4s
2.41s 100 3 50 5 2 5 10 raw pps=
19 Not-smoothed values
20 Linux load average - charge
21 Linux load average - discharge
22 Better: EWMA old load difference dampening factor measurement frequency
half-life time
23
24
• Smoothed average • The same maths as Linux "load
average" • Charges slow (half-life) • Discharges quickly • Can be also used to count rates of packets 25 EWMA - summary
26 The problem: PPS ! Mpps Descr! 3.878 --ip=141.245.59.191/32! 2.878
--ip=141.245.59.192/32! 1.878 --ip=141.245.59.193/32! 1.878 --ip=141.245.59.194/32! 1.878 --ip=141.245.59.195/32! 1.878 --ip=141.245.59.196/32! 1.878 --ip=141.245.59.197/32! 1.878 --ip=141.245.59.198/32! 1.878 --ip=141.245.59.199/32! ...!
27 The problem: Memory pps IP 12.2M 1.2.3.4 2.4M 42.1.2.4
0.01M 2.4.3.1 0.01M 192.168.1.1 ...
• aka: heavy hitters • A fixed-memory data structure •
That can "count" top-N items • think: top url's, top customer IP's, etc • Count-Min sketch, Space Saving 28 Top-N problem
29 Space saving error count key
30 Space saving error count key 0 1 Alice Alice
31 Space saving error count key 0 2 Alice Alice
32 Space saving error count key 0 2 Alice 0
1 Ben Ben
33 Space saving error count key 0 2 Alice 0
1 Ben 0 1 Charlie Charlie
34 Space saving error count key 0 2 Alice 0
1 Ben 0 1 Charlie Eric?
35 Space saving error count key 0 2 Alice 0
1 Ben 0 1 Charlie Eric?
36 Space saving error count key 0 2 Alice 1
0 Eric 0 1 Charlie + Eric
37 Space saving error count key 0 2 Alice 1
1 Eric 0 1 Charlie Eric
38 Space saving error count key 0 2 Alice 1
1 Eric 0 1 Charlie 2 Counter? 1 .. 2 1
39
What about rates? 40 • It's hard • was: GetAll()
• now: GetAll(time.Time) • No longer O(1) • Instead O(log n)
41
• Top-N / Heavy-hitter algorithm • Fixed memory size •
Strong error guarantees 42 Summary - Space saving
43 Aggregating attacks ! Mpps Descr! 3.878 --ip=141.245.59.191/32! 2.878 --ip=141.245.59.192/32!
1.878 --ip=141.245.59.193/32! 1.878 --ip=141.245.59.194/32! 1.878 --ip=141.245.59.195/32! 1.878 --ip=141.245.59.196/32! 1.878 --ip=141.245.59.197/32! 1.878 --ip=141.245.59.198/32! 1.878 --ip=141.245.59.199/32! ...! ! Mpps Descr! 35.878 --ip=141.245.59.0/24! vs
44 Hierarchical Heavy Hitters
45 Simplified HHH
46 Multiple dimensions pps IP:port 12.2M 1.2.3.4:53 2.4M 42.1.2.4:80 0.01M
2.4.3.1:80 0.01M 192.168.1.1:443 pps IP 12.2M 1.2.3.4 2.4M 42.1.2.4 0.01M 2.4.3.1 0.01M 192.168.1.1 pps subnet 12.2M 1.2.3.0/24 2.4M 42.1.2.0/24 0.01M 2.4.3.0/24 0.01M 192.168.1.0/24
47 Multiple dimensions pps IP:port 12.2M 1.2.3.4:53 2.4M 42.1.2.4:80 0.01M
2.4.3.1:80 0.01M 192.168.1.1:443 pps IP 12.2M 1.2.3.4 2.4M 42.1.2.4 0.01M 2.4.3.1 0.01M 192.168.1.1 pps subnet 12.2M 1.2.3.0/24 2.4M 42.1.2.0/24 0.01M 2.4.3.0/24 0.01M 192.168.1.0/24 incoming sample: 42.1.2.4:80
48 Multiple dimensions pps IP:port 12.2M 1.2.3.4:53 2.4M 42.1.2.4:80 0.01M
2.4.3.1:80 0.01M 192.168.1.1:443 pps IP 12.2M 1.2.3.4 2.4M 42.1.2.4 0.01M 2.4.3.1 0.01M 192.168.1.1 pps subnet 12.2M 1.2.3.0/24 2.4M 42.1.2.0/24 0.01M 2.4.3.0/24 0.01M 192.168.1.0/24 reporting threshold: 1M
49 Attack report ! Mpps Descr! 12.2 --ip=1.2.3.4 --port=53! 2.4
--ip=42.1.2.4 --port=80! 12.2 --ip=1.2.3.4! 2.4 --ip=42.1.2.4! 12.2 --ip=1.2.3.0/24! 2.4 --ip=42.1.2.0/24!
50 Multiple dimensions pps IP:port 12.2M 1.2.3.4:53 2.4M 42.1.2.4:80 0.01M
2.4.3.1:80 0.01M 192.168.1.1:443 pps IP 0.1M 1.2.3.4 0M 42.1.2.4 0.01M 2.4.3.1 0.01M 192.168.1.1 pps subnet 0.1M 1.2.3.0/24 0M 42.1.2.0/24 0.01M 2.4.3.0/24 0.01M 192.168.1.0/24 incoming sample: 42.1.2.4:80
51 Attack report ! Mpps Descr! 12.2 --ip=1.2.3.4 --port=53! 2.4
--ip=42.1.2.4 --port=80!
52 Scales well
• Approximate • High error in pps • Works well
in practice • Scales well • Fast and simple to implement 53 Summary - SHHH
54 Spoofed Source IP? ! Mpps Description! 23.833 --target=173.245.59.2 --agent=WAW
--iface=659 Est= 57364! 23.067 --target=173.245.58.1 --agent=WAW --iface=659 Est= 56995! 7.139 --target=173.245.58.1 --agent=DUS --iface=893 Est= 11493! 6.366 --target=173.245.59.2 --agent=DUS --iface=893 Est= 11240! 2.590 --target=173.245.58.1 --agent=SIN --iface=657 Est=219987! 2.557 --target=173.245.59.2 --agent=SIN --iface=657 Est=220380! 1.045 --target=173.245.58.1 --agent=MAN --iface=756 Est= 207! 1.039 --target=173.245.59.2 --agent=MAN --iface=756 Est= 200!
55 Hyper log log "Alice" 22 unique items! HLL
56 Hyper log log OR 44 unique items ( )
= HLL#1 HLL#2
57
58 What about rates? HLL #1 HLL #2 HLL #3
HLL #4
59 Hard drives
• Attack detection is a streaming problem • Streaming algorithms
are awesome • Applicable to many more problems 60 Summary Thanks! marek@cloudflare.com