Mitigating DoS Attack Through Selective Bin Verification Micah Sherr a, Michael Greenwald b, Carl A. Gunter c, Sanjeev Khanna a, and Santosh S. Venkatesh a NPSec 2005 November 6 th, 2005 a University of Pennsylvania b Bell Labs c University of Illinois at Urbana-Champaign

Distributed Denial of Service (DDoS) Request Response

Existing Countermeasures ● Increase capacity – Augment networks with additional equipment – Costly $$$ ● Filter out DoS traffic – Focus of academic literature – Discriminate between normal and malicious traffic – Assumes such disambiguation is possible – Rely on traffic profiles or assistance from routers

Selective Bin Verification ● First proposed in “DoS Protection for Reliably Authenticated Broadcast” [Gunter et al (NDSS '04)] ● Contributions of this work: – Bin verification applied to client-server model – Introduction of multiple simultaneous senders ● Mitigates DoS attack even when – Attack packets permeate network – No network disambiguation possible ● Does not hinder (even improves!) reliability ● Assumes sparse resource is computation, not network bandwidth

Sequential Selective Verification ● Broadcaster transmits authenticated broadcast stream – expensive for receiver to validate (signature check) ● Observation: disparity between bandwidth used by legitimate sender (broadcaster) and attacker (assume multicast communication) n

Sequential Selective Verification Algorithm ● Assume DoS attack at maximum strength ● Assume sender uses small portion of available bandwidth ● Legitimate sender transmits c copies of each message ● Receivers selectively verify packet with probability p ● Probability that a legitimate packet will be discarded is (1-p) c ● Linear reduction in required number of inspections

Can we apply the same principal for client-server architectures? Selective Bin Verification Yes! Selective Bin Verification ● Server has n “bins” ● Each well-formed message has identifier b – Honest client starts at some int r, increments identifier with each message copy ● Server places incoming message into bin (b mod n) ● After collection interval, receiver processes smallest k bins, discards the rest

Server (Bob) Sender/Client (Alice) Zombies Cop y 1 Cop y 2 Cop y 3 Cop y 4 Cop y 5 Cop y 1 Cop y 2 Cop y 3 Cop y 4 Cop y 5 Cop y 1 Cop y 2 Cop y 3 Cop y 4 Cop y 5 Cop y 4 Cop y 5 Cop y 1 Cop y 2 Cop y 3 Cop y 4 Cop y 5 Cop y 1 Cop y 2 Cop y 3 Cop y 4 Cop y 5 Cop y 1 Cop y 2 Cop y 3 Cop y 4 Cop y 5 Cop y 6

Experimental Setup ● Goal: Determine how well binning technique protects expensive, real-world protocol. ● Multiple clients (threads) connected to single server ● X.509 Two-Pass: securely transmit key k to receiver (1) A → B : cert, D, S A (D) where (2) B → A : OK D = {r,B,P B (k)} ● Emulated loss rate (L) Clients Server Attacker

DoS Resilience ● How well does selective bin verification perform compared to straightforward implementation? ● 50 senders/clients ● 1 server ● 20 bins ● 3 selected bins ● Attack diminished approximately by factor of # bins inspected / # of bins

Reliability of Binning Technique ● Message may not be processed (failure) due to loss rate – w/o binning, fixed at 1-L ● Does binning impair reliability? – Can derive expected failure rate – Can adjust number of copies to compensate ● Experimental results confirms our analysis ● 100 senders ● 20 bins ● 20% loss rate

Subset Attack ● What if attacker doesn't stripe his attack? – Remember: sender (good or evil) controls message placement ● Theorem: The contribution of inspections due to DoS is maximized when the attack is evenly distributed across all n bins. Pf: see paper. ● Optimal strategy is therefore to use equal distribution policy.

Conclusions ● Under certain protocol and topology assumptions, selective bin verification is effective even when flood reaches receiver ● Tunable parameters make it a promising technique for large attacks ● Future enhancements: – Activating binning during attack, deactivated in steady state (reduces overhead) – Formal analysis of which protocols may benefit best – Combining with network-based defenses – Formulate and prove optimality theorem

Questions?

Extra Slides (not part of presentation)

Theorem: The contribution of inspections due to DoS is maximized when the attack is evenly distributed across all n bins. Proof: Let L(σ)=total number of adversary packets in S smallest bins, where σ is attacker's distribution function (σ(i) = # of packets sent to bin i). Let σ' be the equal distribution (for simplicity, for all i,j, σ'(i)=σ'(j)). Since the k-smallest bins can never contain more messages than k times the average bin load, then for all σ, L(σ) ≤ L(σ').

Sequential vs. Bin Verification ● Bin verification: – Suppose we have n bins and m senders and each sender sends n copies – In absence of network loss, satisfy all m senders by choosing single bin. Server's load is therefore 1 packet/sender ● Sequential verification: – To get load of 1 packet/sender, server needs to discard with probability (1-1/n) – Probability that none of a sender's packets are received is roughly 1/e (m/e senders will have no packets received) ● With binning, 100% success rate, w/o binning only 63.21%

In n rounds of the protocol: Without selective verification:With selective verification: inspections = n(1+A)E[inspections] = n(p(c + A)) failures = 0E[failures] = n*((1-p) c ) E.g., n=1000, A = 1000; set c = 25, p=0.12 Without selective verification:With selective verification: inspections = 1,001,000E[inspections] = 123,000 failures = 0E[failures] = 40.9 A = attack messages/round, p = insp. probability, c = sender copies