Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks Udi Ben-Porat Tel-Aviv University, Israel Anat Bremler-Barr IDC Herzliya,

Slides:



Advertisements
Similar presentations
Preliminaries Advantages –Hash tables can insert(), remove(), and find() with complexity close to O(1). –Relatively easy to program Disadvantages –There.
Advertisements

Hash Tables.
EISCambridge 2009MoN8 Exploring Markov models for gate-limited service and their application to network-based services Glenford Mapp and Dhawal Thakker.
Lecture 6 Hashing. Motivating Example Want to store a list whose elements are integers between 1 and 5 Will define an array of size 5, and if the list.
Data Structures Using C++ 2E
Stability of computer network for the set delay Jolanta Tańcula.
Software Diversity for Information Security Gaurav Kataria Carnegie Mellon University.
Udi Ben-Porat ETH Zurich Switzerland
Silberschatz, Galvin and Gagne  2002 Modified for CSCI 399, Royden, Operating System Concepts Operating Systems Lecture 19 Scheduling IV.
Hashing21 Hashing II: The leftovers. hashing22 Hash functions Choice of hash function can be important factor in reducing the likelihood of collisions.
Latency-sensitive hashing for collaborative Web caching Presented by: Xin Qi Yong Yang 09/04/2002.
On the Exploitation of CDF based Wireless Scheduling Udi Ben-Porat Tel-Aviv University, Israel Anat Bremler-Barr IDC Herzliya, Israel Hanoch Levy ETH Zurich,
Small-world Overlay P2P Network
Tirgul 10 Rehearsal about Universal Hashing Solving two problems from theoretical exercises: –T2 q. 1 –T3 q. 2.
#11 QUEUEING THEORY Systems Fall 2000 Instructor: Peter M. Hahn
11.Hash Tables Hsu, Lih-Hsing. Computer Theory Lab. Chapter 11P Directed-address tables Direct addressing is a simple technique that works well.
Evaluating Window Joins Over Unbounded Streams By Nishant Mehta and Abhishek Kumar.
Sets and Maps Chapter 9. Chapter 9: Sets and Maps2 Chapter Objectives To understand the Java Map and Set interfaces and how to use them To learn about.
1 CSE 326: Data Structures Hash Tables Autumn 2007 Lecture 14.
Hash Tables1 Part E Hash Tables  
1 Introduction to Load Balancing: l Definition of Distributed systems. Collection of independent loosely coupled computing resources. l Load Balancing.
Design and Analysis of Algorithms - Chapter 71 Hashing b A very efficient method for implementing a dictionary, i.e., a set with the operations: – insert.
Tirgul 9 Hash Tables (continued) Reminder Examples.
Introduction to Hashing CS 311 Winter, Dictionary Structure A dictionary structure has the form: (Key, Data) Dictionary structures are organized.
Little’s Theorem Examples Courtesy of: Dr. Abdul Waheed (previous instructor at COE)
Data Structures Using C++ 2E Chapter 9 Searching and Hashing Algorithms.
Hash Tables. Container of elements where each element has an associated key Each key is mapped to a value that determines the table cell where element.
Lecture 6 Hashing. Motivating Example Want to store a list whose elements are integers between 1 and 5 Will define an array of size 5, and if the list.
Queuing Networks. Input source Queue Service mechanism arriving customers exiting customers Structure of Single Queuing Systems Note: 1.Customers need.
1 The Good, The Bad and the Ugly: Network Performance in Malicious Environment Udi Ben-Porat ETH Zurich, Switzerland Anat Bremler-Barr IDC Herzliya, Israel.
Self-Organizing Agents for Grid Load Balancing Junwei Cao Fifth IEEE/ACM International Workshop on Grid Computing (GRID'04)
1 Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks Udi Ben-Porat Tel-Aviv University, Israel Anat Bremler-Barr IDC Herzliya,
Hashing Chapter 20. Hash Table A hash table is a data structure that allows fast find, insert, and delete operations (most of the time). The simplest.
Peacock Hash: Deterministic and Updatable Hashing for High Performance Networking Sailesh Kumar Jonathan Turner Patrick Crowley.
1 Hash table. 2 Objective To learn: Hash function Linear probing Quadratic probing Chained hash table.
1 Chapters 8 Overview of Queuing Analysis. Chapter 8 Overview of Queuing Analysis 2 Projected vs. Actual Response Time.
1 CSE 326: Data Structures: Hash Tables Lecture 12: Monday, Feb 3, 2003.
PODC Distributed Computation of the Mode Fabian Kuhn Thomas Locher ETH Zurich, Switzerland Stefan Schmid TU Munich, Germany TexPoint fonts used in.
05/2007ORNL Presentation Distributed Denial of Service Games by Chinar Dingankar, Student Dr. R. R. Brooks, Associate Professor Holcombe Department of.
Can’t provide fast insertion/removal and fast lookup at the same time Vectors, Linked Lists, Stack, Queues, Deques 4 Data Structures - CSCI 102 Copyright.
CSE373: Data Structures & Algorithms Lecture 17: Hash Collisions Kevin Quinn Fall 2015.
Segmented Hash: An Efficient Hash Table Implementation for High Performance Networking Subsystems Sailesh Kumar Patrick Crowley.
Hashing - 2 Designing Hash Tables Sections 5.3, 5.4, 5.4, 5.6.
Chapter 12 Hash Table. ● So far, the best worst-case time for searching is O(log n). ● Hash tables  average search time of O(1).  worst case search.
March 23 & 28, Csci 2111: Data and File Structures Week 10, Lectures 1 & 2 Hashing.
March 23 & 28, Hashing. 2 What is Hashing? A Hash function is a function h(K) which transforms a key K into an address. Hashing is like indexing.
Chapter 11 Hash Tables © John Urrutia 2014, All Rights Reserved1.
Hashing Chapter 7 Section 3. What is hashing? Hashing is using a 1-D array to implement a dictionary o This implementation is called a "hash table" Items.
COSC 2007 Data Structures II Chapter 13 Advanced Implementation of Tables IV.
CS261 Data Structures Hash Tables Open Address Hashing.
Hashtables. An Abstract data type that supports the following operations: –Insert –Find –Remove Search trees can be used for the same operations but require.
OPERATING SYSTEMS CS 3530 Summer 2014 Systems and Models Chapter 03.
ISOM MIS 215 Module 5 – Binary Trees. ISOM Where are we? 2 Intro to Java, Course Java lang. basics Arrays Introduction NewbieProgrammersDevelopersProfessionalsDesigners.
CS6045: Advanced Algorithms Data Structures. Hashing Tables Motivation: symbol tables –A compiler uses a symbol table to relate symbols to associated.
1 Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks Dr. Anat Bremler-Barr Efi Arazi School of Computer Science Interdisciplinary.
Hash Tables Ellen Walker CPSC 201 Data Structures Hiram College.
Sets and Maps Chapter 9. Chapter Objectives  To understand the Java Map and Set interfaces and how to use them  To learn about hash coding and its use.
Prof. Amr Goneid, AUC1 CSCI 210 Data Structures and Algorithms Prof. Amr Goneid AUC Part 5. Dictionaries(2): Hash Tables.
DS.H.1 Hashing Chapter 5 Overview The General Idea Hash Functions Separate Chaining Open Addressing Rehashing Extendible Hashing Application Example: Geometric.
Yo-Yo Attack : DDoS Attack on Cloud Auto-scaling Mechanisms
Hash table CSC317 We have elements with key and satellite data
Hash tables Hash table: a list of some fixed size, that positions elements according to an algorithm called a hash function … hash function h(element)
Hash Table.
Instructor: Lilian de Greef Quarter: Summer 2017
CSE373: Data Structures & Algorithms Lecture 14: Hash Collisions
CSE373: Data Structures & Algorithms Lecture 14: Hash Collisions
CH 9.2 : Hash Tables Acknowledgement: These slides are adapted from slides provided with Data Structures and Algorithms in C++, Goodrich, Tamassia and.
CH 9.2 : Hash Tables Acknowledgement: These slides are adapted from slides provided with Data Structures and Algorithms in C++, Goodrich, Tamassia and.
Udi Ben-Porat ETH Zurich Switzerland
CSE 373: Data Structures and Algorithms
Presentation transcript:

Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks Udi Ben-Porat Tel-Aviv University, Israel Anat Bremler-Barr IDC Herzliya, Israel Hanoch Levy ETH Zurich, Switzerland

Why are the systems so vulnerable? Computer and network systems have been designed under the assumption that each user aims at maximizing his own performance But in "DDoS environment" - some users aim to degrade the performance of other users. Current Status: Protocols and systems are quite vulnerable in DDOS environment  In Crypto terminology we count "Alice" and "Bob“ and forgot “Eve” the evil adversary U. Ben-Porat / A. Bremler / H. Levy Infocom

Distributed Denial of Service (DDoS): Consume the servers/network resources Zombies DDoS: Attacker adds users/queries zombies to flood a server Attacker 3 U. Ben-Porat / A. Bremler / H. Levy Infocom 2008

Sophisticated DDoS Attack Sophisticated DDoS : Goal: Create maximal damage with limited budget  Damage – Performance degradation Increase errors rate, average delay etc.  Budget – Amount of operations/access allowed Motivation:  Reduce the (efforts and) cost of the attack  Make the attack hard to detect  Allow attacks on limited access servers U. Ben-Porat / A. Bremler / H. Levy Infocom

Sophisticated Attacks Examples  Simple example: Database server Make hard queries, avoid cache Goal: consume CPU time  Sophisticated attacks in the research: TCP  [TCP] Low-Rate TCP-Targeted Denial of Service Attacks A. Kuzmanovic and E.W.Knightly Sigcomm 2003 Opeh Hash  [OH] Denial of Service via Algorithmic Complexity Attacks Scott A. Crosby and Dan S. Wallach Usenix 2003 Admission Control  [RoQ] Reduction of Quality (RoQ) Attacks on Internet End- Systems Mina Guirguis, Azer Bestavros, Ibrahim Matta and Yuting Zhang Infocom 2005 U. Ben-Porat / A. Bremler / H. Levy Infocom

6 Study Objective Propose a DDoS Vulnerability performance metric  Vulnerability Measure  To be used in addition to traditional system performance metrics Understanding the vulnerability of different systems to sophisticated attacks This Talk Describe DDoS Vulnerability performance metric Demonstrate metric impact  Hash Table: Very Common in networking  Performance (traditional) : OPEN equivalent CLOSED  Vulnerability analysis: OPEN is better than CLOSED!! U. Ben-Porat / A. Bremler / H. Levy Infocom

Distributed Denial of Service ( DDoS ) Attacker adds more regular users Loading the server - degrading server performance Server Performance Server Attacker Normal DDoS S. DDoS U. Ben-Porat / A. Bremler / H. Levy Infocom

Sophisticated DDoS Normal DDoS S. DDoS Server Performance Server Attacker Attacker adds sophisticated malicious users Each user creates maximal damage (per attack budget) U. Ben-Porat / A. Bremler / H. Levy Infocom

Vulnerability Factor Definition Vulnerability= v means: In terms of performance degradation 1 malicious user equals v regular users Performance Degradation Scales (st = Malicious Strategy) 9 U. Ben-Porat / A. Bremler / H. Levy Infocom 2008

Vulnerability Factor Definition Performance After adding (budget =c) After adding (budget=c) Normal DDoS S. DDoS 10 U. Ben-Porat / A. Bremler / H. Levy Infocom 2008

Vulnerability Factor – example Example: vulnerability of server serving N users: Vulnerability(k): = 20% / 5% = 4 When allowing k additional users to this system (in an hostile environment), we should be prepared for performance degradation 4 times worse than the expected Add k malicious usersAdd k regular users Attack Type: 20%5% Performance Degradation: U. Ben-Porat / A. Bremler / H. Levy Infocom

Demonstration of Vulnerability metric: Attack on Hash Tables Hash table is a data structure based on Hash function and an array of buckets. Central component in networks Operations: Insert, Search and Delete of elements according to their keys. key Insert (element) Buckets Hash(key) User Server U. Ben-Porat / A. Bremler / H. Levy Infocom

13 Hash Tables Bucket = one element Collision-> the array is repeatedly probed until an empty bucket is found Bucket = list of elements that were hashed to that bucket Open Hash Closed Hash Insertion verifies the element does not already exists U. Ben-Porat / A. Bremler / H. Levy Infocom

Open vs. Closed In Attack vulnerability:  While attack is on: Attacker’s operations are CPU intensive  CPU loaded Post Attack vulnerability :  Loaded Table  insert/delete/search op’s suffer Vulnerability: OPEN vs. CLOSED Performance metrics: OPEN = CLOSED* What about Vulnerability? OPEN = CLOSED ? ( * when the buckets array of closed hash is twice bigger) U. Ben-Porat / A. Bremler / H. Levy Infocom

Attacker strategy (InsStrategy) Strategy:  Insert k elements (cost=budget=k) where all elements hash into the same bucket ( )  Theorem: InsStrategy is Optimal For both In Attack and Post Attack Closed Hash: Cluster Open Hash: One long list of elements Attack Results U. Ben-Porat / A. Bremler / H. Levy Infocom

Attack effects: Open vs Closed Open Hash – One long list of elements Closed Hash- Cluster U. Ben-Porat / A. Bremler / H. Levy Infocom

Analytic Results We compare the vulnerability of the Open and Closed Hash using analysis of the Vulnerability (probability + combinatory analysis) Common approach: Open Hash table with M buckets is performance-wise equivalent to a Closed Hash table with 2M buckets. We present graph: M = 500 and k = N, i.e.,  The additional users (k) double the number of values in the table. U. Ben-Porat / A. Bremler / H. Levy Infocom

In Attack: CPU Consumption In every malicious insertion, the server has to traverse all previous inserted elements (+ some existing elements) Open Hash Closed Hash Analytic results: Open Hash: Closed Hash: V = Elements (k) V ~ K/2 Malicious insertion ~ K/2 Regular insertion ~ O(1) Vulnerability ~ K/2 U. Ben-Porat / A. Bremler / H. Levy Infocom

Post Attack: Operation Complexity Open Hash Closed Hash Elements Open Hash: Vulnerability =1 No Post Attack degradation in Open Hash (Only small chance to traverse the malicious list) Closed Hash: Big chance the operation has to traverse part of the big cluster U. Ben-Porat / A. Bremler / H. Levy Infocom

Post Attack Operation Complexity Open Hash Open Hash This performance parameter is not vulnerable to sophisticated attacks: The complexity is always the average list length (L+k/M+1) regardless of the positions of the k elements Closed Hash- Cluster Closed Hash- Cluster Regular: Malicious: ~ k*k/2M Every insert element which is mapped into a bucket in the Cluster (not just specifically the bucket the attackers used) will need to search from its position to the end of the cluster. U. Ben-Porat / A. Bremler / H. Levy Infocom

Regular Users  Regular Users: Rate, job size distributed like X Attackers:  Attackers: Send jobs of size at rate whereK parameter of the attack (this increases the second moment of X) Budget:  Budget: Both users use the same budget =  Vulnerability: Unbounded ~k (The  Vulnerability: Unbounded ~k (The second moment of X plays an important role). Consider M/G/1 model with arrival rate and service times distributed as a random variable X. The expected waiting time of an arbitrary arrival: Queueing - FCFS Average Waiting Time = The second moment of X plays an important role U. Ben-Porat / A. Bremler / H. Levy Infocom

Post Attack: account for queuing Queue holds the requests for the server Waiting Time = (X= service time) Vulnerability of the (post attack) Waiting Time? Hash Table Server Request U. Ben-Porat / A. Bremler / H. Levy Infocom

Post Attack Waiting Time Open Hash: Vulnerable !! While in the model of Post Attack Operation Complexity the Open Hash is not Vulnerable ! Closed Hash: Drastically more vulnerable: Clusters increase the second moment of the service time Queue becomes unstable Stability Point Elements U. Ben-Porat / A. Bremler / H. Levy Infocom

Stability Point For N above this stability point, the arrival rate of regular user operations is greater than the expected service rate. For specific Hash state we can calculate the maximum magnitude of an attack so that the Hash remains stable after the attack has ended. U. Ben-Porat / A. Bremler / H. Levy Infocom

Practical Considerations In hostile environments one can no longer follow the simple approach of relying only on complexity based rules of operations in order to comply with the performance requirements of a system. For example, based on traditional performance  double the size of the Closed Hash table (rehashing) when the table reaches 70¡80% load. In a hostile environment the rehashing must be done much earlier (in the previous example at 48% load the Closed Hash is no longer stable). U. Ben-Porat / A. Bremler / H. Levy Infocom

Conclusions Closed Hash is much more vulnerable to sophisticated DDoS than Open Hash  In contrast: the two systems are considered equivalent via traditional performance evaluation. After attack ends, regular users still suffer from performance degradation Application using Hash in the Internet, where there is a queue before the hash, has high vulnerability. U. Ben-Porat / A. Bremler / H. Levy Infocom

Related Work [RoQ] Attack measurement: Potency  Potency measure specific attack  Vulnerability measures the system  Meaningless without additional numbers  Vulnerability is meaningful comparable information based on this number alone [OH] Studies attack only on Open Hash.  Our work is comparing Closed to Open Hash, also analyzing the post attack performance degradation U. Ben-Porat / A. Bremler / H. Levy Infocom

Questions ? U. Ben-Porat / A. Bremler / H. Levy Infocom

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.