Strayer University at Arlington, VA Exposing and Eliminating Vulnerabilities to Denial of Service Attacks in Secure Gossip-Based Multicast Prof. Mort Anvari Strayer University at Arlington, VA
Strayer University at Arlington, VA Agenda Overview of gossip-based multicast The problem Proposed solution Analysis and simulations Implementation and measurements Conclusions Prof. Mort Anvari Strayer University at Arlington, VA
Strayer University at Arlington, VA Multicast A group of members At least one member is a source – generates messages Messages should arrive to all of the group members in a timely fashion Network level vs. application level (ALM) Prof. Mort Anvari Strayer University at Arlington, VA
Strayer University at Arlington, VA Tree-Based Multicast Use a spanning tree – most common solution No duplicates (optimal BW when network-level) Single points of failure Source Prof. Mort Anvari Strayer University at Arlington, VA
Gossip-Based Multicast Progresses in rounds Every round Choose random partners (view ) Send or receive messages Discard old msgs from buffer Probabilistic reliability Trades latency and BW for redundancy Two methods Push Pull Prof. Mort Anvari Strayer University at Arlington, VA
Strayer University at Arlington, VA Push Source Prof. Mort Anvari Strayer University at Arlington, VA
Strayer University at Arlington, VA Pull Source Prof. Mort Anvari Strayer University at Arlington, VA
Hostility over the Internet Forgery/spoofing Penetration Denial of Service (DoS) Prof. Mort Anvari Strayer University at Arlington, VA
Strayer University at Arlington, VA Denial of Service Unavailability of service Methods Exploiting bugs Exhausting resources Remote attacks Network level Application level Got little attention No quantitative analysis of impact on application Prof. Mort Anvari Strayer University at Arlington, VA
Dollar Amount of Losses by Type Prof. Mort Anvari Strayer University at Arlington, VA
Remote Application-Level DoS No Attack DoS Attack Valid Request Bogus Request Prof. Mort Anvari Strayer University at Arlington, VA
Effects of DoS on Gossip Reasonable to assume that source is attacked Surprisingly, we show that naïve gossip is vulnerable to DoS attacks Attacking a process in pull-based gossip may prevent it from sending messages Attacking a process in push-based gossip may prevent it from receiving messages Prof. Mort Anvari Strayer University at Arlington, VA
Strayer University at Arlington, VA Our Solution Drum – a new gossip-based ALM protocol Utilizes DoS-mitigation techniques Separating and bounding resources Combining both push and pull Using random one-time ports to communicate Proven robust using formal analysis and quantitative evaluation Provides general methods for analyzing and quantitatively evaluating resistance to DoS-attacks Prof. Mort Anvari Strayer University at Arlington, VA
Strayer University at Arlington, VA Bounding Resources Motivation: prevent resource exhaustion Each round process a random subset of the arriving messages and discard the rest Round Duration Valid Request Bogus Request Prof. Mort Anvari Strayer University at Arlington, VA
Combining Push and Pull Attacking push cannot prevent receiving messages via pull (random ports) Attacking pull cannot prevent sending via push Prof. Mort Anvari Strayer University at Arlington, VA
Strayer University at Arlington, VA Random Ports Any request necessitating a reply contains a random port number “Invisible” to the attacker (e.g., encrypted) The reply is sent to that random port Assumption: attacking other ports does not affect the random port’s queue (i.e., there is no BW exhaustion) Prof. Mort Anvari Strayer University at Arlington, VA
Strayer University at Arlington, VA Drum’s Push Mechanism Alice sends Bob a push-offer Bob replies with a digest of messages he has already received Alice only sends Bob messages missing from his digest Random ports Prof. Mort Anvari Strayer University at Arlington, VA
Evaluation Methodology Compare 3 protocols Push (push-based with bounded resources) Pull (pull-based with bounded resources) Drum Under various DoS attacks Fixed strength Increasing strength Source is always attacked Evaluates combination of Push and Pull Prof. Mort Anvari Strayer University at Arlington, VA
Evaluation Methodology (cont.) Measure propagation time – expected number of rounds it takes a message to reach all of the correct processes 99% in the simulations and actual measurements Use real implementation to measure actual latency and throughput Prof. Mort Anvari Strayer University at Arlington, VA
Analysis/Simulation Assumptions Static group with complete connectivity Processes have complete group knowledge Propagation of a single message M But simulate situation where all procs have msgs to send M is never purged from local buffers Rounds are synchronized All round operations complete within the same round All processes are correct (analysis) or 10% of them perform a DoS attack (simulation) Prof. Mort Anvari Strayer University at Arlington, VA
Validating Known Results The propagation time of gossip-based multicast protocols is O(log n) [P87, KSSV00] Prof. Mort Anvari Strayer University at Arlington, VA
Strayer University at Arlington, VA Prof. Mort Anvari Strayer University at Arlington, VA
Validating Known Results (cont.) The performance of gossip-based multicast protocols degrades gracefully as failures amount [LMM00, GvRB01] Prof. Mort Anvari Strayer University at Arlington, VA
Strayer University at Arlington, VA Prof. Mort Anvari Strayer University at Arlington, VA
Strayer University at Arlington, VA Definitions n – number of processes in the group F – size of view, and max # of requests to process in a round (F = 4 ) – percentage of attacked processes x – number of bogus messages an attacked process receives in a round B – total attack strength (B = nx ) Prof. Mort Anvari Strayer University at Arlington, VA
Analysis – Increasing Strength Lemma 1: Fix and n. Drum’s propagation time is bounded from above by a constant independent of x Proof idea Define effective fan-in and effective fan-out Both have an element independent of x When x this element is dominant The effective fans are bounded from below Prof. Mort Anvari Strayer University at Arlington, VA
Analysis – Increasing Strength Lemma 2: Fix and n. The propagation time of Push grows at least linearly with x Proof idea Assume all non-attacked processes already have the message (and so does the source) Bound the expected number of processes having M at round k from above Find the minimal k in which all processes have M Reaching all attacked processes takes at least a time linear in x Prof. Mort Anvari Strayer University at Arlington, VA
Analysis – Increasing Strength Lemma 3: Fix and n. The propagation time of Pull grows at least linearly with x Proof idea Denote by p the probability that the source reads a valid pull request in a round # of rounds for M to leave the source is geometrically distributed with p The expectation is 1/p 1/p is at least linear in x Prof. Mort Anvari Strayer University at Arlington, VA
Strayer University at Arlington, VA Prof. Mort Anvari Strayer University at Arlington, VA
Strayer University at Arlington, VA Prof. Mort Anvari Strayer University at Arlington, VA
Analysis – Fixed Strength Define c = B/nF (total attack strength divided by total system capacity) Lemma 4: For c > 5, Drum’s expected propagation time is monotonically increasing with Proof idea Effective fan-in and effective fan-out are monotonically decreasing with Prof. Mort Anvari Strayer University at Arlington, VA
Strayer University at Arlington, VA Prof. Mort Anvari Strayer University at Arlington, VA
Implementation and Measurements Uses the Java programming language Multithreaded processes Operations are not synchronized Rounds are not synchronized among processes 50 machines on a 100Mbit LAN (Emulab) One process per machine 5 processes (10%) perform a DoS attack Prof. Mort Anvari Strayer University at Arlington, VA
Validating the Simulations Evaluate the protocols in the same scenarios tested by simulation High correlation shows that the simplifying assumptions have little effect on the results Prof. Mort Anvari Strayer University at Arlington, VA
Strayer University at Arlington, VA Prof. Mort Anvari Strayer University at Arlington, VA
Strayer University at Arlington, VA Prof. Mort Anvari Strayer University at Arlington, VA
High-Throughput Experiments Single source Creates 40 messages (50 bytes long) per second Total of 10,000 messages Round duration = 1 second Messages are purged after 10 rounds Each process sends at most 80 data messages to another process in a round Throughput and latency are measured at the 44 correct receiving processes Prof. Mort Anvari Strayer University at Arlington, VA
Strayer University at Arlington, VA Prof. Mort Anvari Strayer University at Arlington, VA
Strayer University at Arlington, VA Prof. Mort Anvari Strayer University at Arlington, VA
Strayer University at Arlington, VA Prof. Mort Anvari Strayer University at Arlington, VA
Strayer University at Arlington, VA Conclusions DoS attacks are a real problem Gossip-based protocols have no single points of failure However, naïve gossip-based protocols are vulnerable to targeted DoS attacks Drum uses simple techniques to mitigate the effects of DoS attacks Evaluations show Drum’s resistance to DoS The most effective attack against Drum is a broad one General DoS-mitigation techniques: random ports and neighbor-selection Analysis and quantitative evaluation techniques may be applicable to other systems as well Prof. Mort Anvari Strayer University at Arlington, VA
Strayer University at Arlington, VA The End Prof. Mort Anvari Strayer University at Arlington, VA