MIDDLEWARE SYSTEMS RESEARCH GROUP
A Taxonomy for Denial of Service Attacks in Content-based Publish/Subscribe Systems
Alex Wun, Alex Cheung, Hans-Arno Jacobsen
Department of Electrical and Computer Engineering and Department of Computer Science, University of Toronto

Current State of Denial of Service
Prominent DoS news in 2007:
- 6 of 13 root DNS servers attacked [ICANN2007]
- DC++ P2P networks used in attacks [DCPP2007]
- Estonian sites: government, bank, police [Yahoo2007]
- Plenty more …
DoS problems are not going away.

Research Goals
Stimulate discussion about DoS in CPS:
- Avoid repeating old DoS weaknesses (e.g., IPv6 source routing)
Identify new DoS concerns:
- Will DoS attacks in CPS systems be any different?
- What are the prominent issues?
- How can potential DoS attacks be classified?

Our Contributions
Study the impact of CPS features on DoS effects:
- Distributed event delivery
- Content-based processing overhead
- State maintenance
Classify potential DoS attack characteristics.
Identify CPS concepts with DoS implications.

Content-based Publish/Subscribe
[Figure: messaging middleware with brokers A, B, C connecting publishers (P) and subscribers (S): enterprise servers, embedded devices, sensor networks]

DoS Taxonomy

Message Propagation Effects
Multi-hop routing:
- Localization
- Transmission

Propagation: Localized (Single-Hop, Multi-Hop) vs. Global
- Single-Hop: Non-matching message injection; Malicious unsubscribe; Edge broker access control; Local clients; Co-operative detection not helpful; Effects may still be distributed
- Multi-Hop: Broker multicast; Per-hop security schemes; Client location; Matching message injection; Rendezvous routing; Remote clients; Transmitting DoS effects remotely
- Global: Flooding; Global client interest; May span organizations

State Management Effects
- Assumptions on message type distribution
- Cumulative effects

Statefulness: Stateless vs. Stateful (Soft-state, Persistent)
- Stateless: Recovery through normal processing; Unretained publication injections; Connection attempts
- Stateful: Effects continue due to state change; Malicious unsubscriptions; Subscription injections; Publications retained for CEP
- Soft-state: Recovery through normal maintenance; Expiry mechanisms; Periodic optimizations
- Persistent: Recovered state causes DoS; DB-based fault-tolerance; Historic data; Configuration corruptions
[Figures: attack effects vs. time for each category; labels "Attack stops" (three panels), "Periodic cleanup" (soft-state), "Load from persistent storage" (persistent)]

Content-based Processing Effects
[Figure: low content complexity vs. high content complexity]

Content-based Processing Effects
Performance variability is highly dependent on workload complexity:
- Response times
- System recovery

Content-dependence: Independent, Proportional, Inversely proportional
- Independent: Severity of DoS effects is the same regardless of content complexity (e.g., ID-based filter removal)
- Proportional: Higher complexity content produces more severe DoS effects (e.g., inducing matching load)
- Inversely proportional: Lower complexity content produces more severe DoS effects (e.g., filter-based filter removal)
[Figure axes: Content complexity vs. Load, # of Victims, # of Targets, Downtime]

Techniques - Thrashing
DoS from processing repeated state changes.
Subscription cover thrashing example:
- Many non-covering subscriptions exist from other client(s)
- Adversary issues covering subscription (triggers removal)
- Adversary removes covering subscription (triggers restoration)
- Repeat …
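As an added example (not from the slides or the authors' system), the toy broker below models subscription covering on a single numeric attribute, where subscriptions are ranges [lo, hi], and counts the upstream routing-state changes that each client's operations cause; a client whose alternating subscribe/unsubscribe calls cause far more changes than it holds subscriptions is flagged. The `churn_ratio` heuristic and the constructed workload in `run_scenario` are the example's own assumptions, not a mechanism from the talk.

```python
from collections import defaultdict

def covers(outer, inner):
    return outer[1] <= inner[1] and inner[2] <= outer[2]

class Broker:
    def __init__(self, churn_ratio=4):
        self.active = {}    # sub_id -> (client, lo, hi), forwarded upstream
        self.covered = {}   # sub_id -> (client, lo, hi), suppressed by a cover
        self.state_changes = defaultdict(int)  # upstream changes per client
        self.churn_ratio = churn_ratio

    def subscribe(self, client, sub_id, lo, hi):
        new = (client, lo, hi)
        if any(covers(o, new) for o in self.active.values()):
            self.covered[sub_id] = new  # already covered: nothing forwarded
            return
        # Every active subscription the new one covers is withdrawn upstream.
        for sid, sub in list(self.active.items()):
            if covers(new, sub):
                self.covered[sid] = self.active.pop(sid)
                self.state_changes[client] += 1
        self.active[sub_id] = new
        self.state_changes[client] += 1

    def unsubscribe(self, client, sub_id):
        if self.covered.pop(sub_id, None) is not None:
            return  # never forwarded, so no upstream change
        del self.active[sub_id]
        self.state_changes[client] += 1
        # Restore covered subscriptions that no remaining active one covers.
        for sid, sub in list(self.covered.items()):
            if not any(covers(o, sub) for o in self.active.values()):
                self.active[sid] = self.covered.pop(sid)
                self.state_changes[client] += 1

    def suspicious_clients(self):
        # Clients causing far more state changes than subscriptions they hold.
        owned = defaultdict(int)
        for client, _, _ in [*self.active.values(), *self.covered.values()]:
            owned[client] += 1
        return sorted(c for c, n in self.state_changes.items()
                      if n > self.churn_ratio * max(owned[c], 1))

def run_scenario(rounds=5):
    # Constructed workload: ten narrow subscriptions, then one client that
    # repeatedly adds and withdraws a subscription covering all of them.
    b = Broker()
    for i in range(10):
        b.subscribe(f"client{i}", f"s{i}", i * 10, i * 10 + 1)
    for _ in range(rounds):
        b.subscribe("churner", "wide", 0, 100)
        b.unsubscribe("churner", "wide")
    return b
```

Each round costs the broker 22 routing-state changes (10 removals plus the cover on subscribe, the cover's removal plus 10 restorations on unsubscribe) while the churning client ends up holding no subscription at all, which is the asymmetry the churn ratio detects.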

Techniques - Stockpiling
Store malicious state for use in future attack(s); can be low rate to avoid detection.
Subscription flood example:
- Stockpile subscription state
- Issue advertisement to attract subscriptions

Techniques - Traffic Amplification
Malicious traffic of the adversary is multiplied.
Known to be a problem in the traditional Internet:
- Smurf attack
- Source routing
- Reflection (connection retries)
Fundamental to many CPS features?
- Highly generic subscriptions and advertisements
- Uncovering and unmerging
- Historic data

Filter versus ID State Removal

Related Work
- Mirkovic and Reiher [Mirkovic2004]: DDoS taxonomy in the traditional Internet domain
- Srivatsa and Liu [Srivatsa2005]: Authentication to limit flooding-based DoS
- Wang et al. [Wang2002]: Discussed DoS briefly along with other security concerns

Conclusion
CPS characteristics with DoS implications:
- Message propagation (remote attacks)
- Content complexity (highly variable performance)
- State maintenance (assumptions on message type distribution)
Abusing features for DoS:
- Stockpiling
- Traffic amplification
- Filter removal (thrashing, victims)

References
- [ICANN2007]
- [DCPP2007]
- [Yahoo2007]
- [Mirkovic2004] A Taxonomy of DDoS Attack and DDoS Defense Mechanisms, ACM SIGCOMM
- [Srivatsa2005] Securing Publish-Subscribe Overlay Services with EventGuard, ACM Conference on Computer and Communications Security
- [Wang2002] Security Issues and Requirements for Internet-Scale Publish-Subscribe Systems, Hawaii International Conference on System Sciences

MIDDLEWARE SYSTEMS RESEARCH GROUP Extra Slides

[Figure: messaging middleware connecting publishers and subscribers: enterprise servers, embedded devices, sensor networks]
CPS features highlighted:
- Distributed broker federations
- Subscription state management
- Content-based processing

Content-based Publish/Subscribe
[Figure: publishers (P) and subscribers (S) attached to the broker network]