A Policy Modeling System for Large-Scale Network Attacks
2018
This report is an introduction to, and overview of, the ASGARD policy modeling system. ASGARD enables analysts, researchers and network defenders to evaluate the impact of policy decisions on an attacker’s ability to successfully execute an attack. In this context, we define policy as decisions that affect the behavior of large segments of the Internet, such as ASNs, ISPs or countries.
ASGARD is designed to explore the impact of policy decisions and inform the development of effective network defenses at the start point, that is, where the bots used for DDoS, spam and other attacks reside. Historically, security research has focused on defenses at the end point, that is, the target of an attack. For many attacks, such as DDoS, end point defenses have limited impact because attackers have an overwhelming supply of resources. Conversely, start point defenses are often technically simpler to implement, but they require convincing a skeptical audience that they will be effective.
We, the ASGARD designers, believe that this resistance is due to a lack of understanding of the impact of policy decisions. Network providers make security decisions rationally, and given the constant slate of current threats, there is minimal benefit in taking on the burden of enforcing a globally responsible policy that provides them no local benefit. The net result of this is well understood: reflection attacks have been a threat for over a decade, despite the fact that the reconfiguration required to reduce this threat is minimal. ASGARD provides the capacity to model the impact of global policy decisions, such as host reconfiguration, inventory management and egress control.
ASGARD evaluates impact via game-based Monte Carlo simulations conducted at two levels. The first (low-level) simulation represents a DDoS attack conducted by a botnet. The low-level simulation uses a game-based model to evaluate attacker success or failure: the attacker succeeds when they overwhelm the defender’s capacity to absorb the traffic that the attacker sends. The second (high-level) simulation runs multiple low-level simulations using randomly selected botnets; in this way, the high-level simulation can evaluate the potential impact of policy decisions. Low-level simulations provide technical fidelity by modeling attacks using realistic numbers; high-level simulations evaluate the impact of policy responses.
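The two-level structure described above can be illustrated with a small Monte Carlo model. This is an added example, not ASGARD's code: the ASN names, bot counts, per-bot rates, defender capacity and the representation of a policy as a per-ASN fraction of traffic dropped by egress control are all constructed assumptions.

```python
import random
from collections import Counter

# Constructed population (assumption, not ASGARD data): bots hosted per ASN and
# the upstream rate in Mbps that a single bot in that ASN can contribute.
ASNS = {
    "AS-A": {"bots": 40000, "mbps": 2.0},
    "AS-B": {"bots": 25000, "mbps": 5.0},
    "AS-C": {"bots": 60000, "mbps": 1.0},
    "AS-D": {"bots": 10000, "mbps": 10.0},
}

def sample_botnet(rng, size):
    """Randomly select a botnet: bots are drawn from ASNs in proportion to population."""
    names = list(ASNS)
    weights = [ASNS[n]["bots"] for n in names]
    return Counter(rng.choices(names, weights=weights, k=size))

def low_level(rng, botnet, capacity_mbps, policy):
    """One attack game. The attacker wins when the traffic that reaches the
    defender exceeds the defender's capacity to absorb it.
    policy: ASN -> fraction of attack traffic dropped at the start point."""
    delivered = 0.0
    for asn, count in botnet.items():
        achieved = rng.uniform(0.5, 1.0)      # bots rarely reach full line rate
        passed = 1.0 - policy.get(asn, 0.0)   # share surviving egress control
        delivered += count * ASNS[asn]["mbps"] * achieved * passed
    return delivered > capacity_mbps

def high_level(policy, trials=1000, botnet_size=1000, capacity_mbps=2000.0, seed=7):
    """Run many low-level games over random botnets; return attacker success rate."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        botnet = sample_botnet(rng, botnet_size)
        wins += low_level(rng, botnet, capacity_mbps, policy)
    return wins / trials

def compare_policies():
    """Attacker success rate under each candidate policy (same seed for each)."""
    return {
        "no policy": high_level({}),
        "egress control in AS-D": high_level({"AS-D": 0.9}),
        "egress control in AS-C": high_level({"AS-C": 0.9}),
    }

if __name__ == "__main__":
    for name, rate in compare_policies().items():
        print(f"{name:26s} attacker success rate = {rate:.3f}")
```

Because every policy is evaluated with the same seed, each run sees the same botnets, so differences in success rate come from the policy alone. In this constructed population, filtering the ASN with the fewest but fastest bots reduces attacker success more than filtering the ASN with the most bots.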