DDoS Defense by Offense
Walfish, M., Vutukuru, M., Balakrishnan, H., Karger, D. (MIT) and Shenker, S. (UC Berkeley), SIGCOMM ’06
Presented by Ivanka Todorova for CSCE 715

Slide 2: Outline
- Introduction
- Applicability
- Design
- Implementation
- Evaluation
- Concerns
- Conclusions
- Questions

Slide 3: Introduction

Slide 4: Overview
- Defense against application-level distributed denial-of-service (DDoS) attacks
- A way of dealing with the attack as it occurs, not a prevention mechanism

Slide 5: Overview (figure: the system without Speak-up and with Speak-up)

Slide 6: Application-level DDoS?
- Many Internet servers have “open clientele”
- Appeal over a classic ICMP link flood:
  - Requires far less bandwidth
  - The attack is “in-band”
- Bots attack web sites by using computationally expensive requests

Slide 7: Application-level DDoS
- Current defenses focus on slowing down or stopping the attack
- Good clients are crowded out in these defense systems
- They need a mechanism to speak up while the server is under attack

Slide 8: Taxonomy of Defenses
- Over-provision massively
- Detect and block (and their disadvantages):
  - Profiling
  - CAPTCHA-based defenses
  - Capabilities
- Charge all clients in a currency

Slide 9: Speak-up
- Currency-based defense with bandwidth as the currency
- The central mechanism is the server front-end, the thinner
- The thinner protects the server from overload and performs encouragement in the form of a virtual auction

Slide 10: Applicability

Slide 11: Questions
- How much aggregate bandwidth does the legitimate clientele need for speak-up to be effective?
- How much aggregate bandwidth does the legitimate clientele need for speak-up to leave them unharmed by an attack?
- Couldn’t small Web sites, even if defended by speak-up, still be harmed?
- Because bandwidth is a communal resource, doesn’t the encouragement to send more traffic damage the network?

Slide 12: Conditions to Make it Work
- Adequate link bandwidth
- Adequate client bandwidth

Slide 13: Conditions to Win over Other Defenses
- No pre-defined clientele
- Non-human clientele
- Unequal requests, or spoofing, or smart bots

Slide 14: Design

Slide 15: Design Goal
- Allocate resources to competing clients in proportion to their bandwidths
- If this goal is met, modest over-provisioning is enough to satisfy good clients
- Idealized server provisioning requirement

Slide 16: Required Mechanisms
- Limiting requests to the server to c per second
- Revealing the available bandwidth
- Proportional allocation

Slide 17: Variations of Speak-up: Random Drops and Aggressive Retries
- Dropping requests at random to reduce the rate to c
- Clients send repeated retries
- The thinner admits incoming requests with some probability p
- The price for access, r, is the number of retries

Slide 18: Variations of Speak-up
- Why not enforce one outstanding retry per client? Because of spoofing and NAT
- Two cases to consider:
  - Good clients can afford the price
  - Good clients cannot afford the price: they do not get service at rate g

Slide 19: Variations of Speak-up: Explicit Payment Channel
- When the server is overloaded, a requesting client opens a separate payment channel
- A contending client sends a stream of bytes on this channel
- The thinner tracks how many bytes each contending client sends

Slide 20: Variations of Speak-up
- The server notifies the thinner when it is ready for a new request
- The thinner holds a virtual auction
- Two main differences with the previous scheme
- The choice of scheme depends on the application

Slide 21: Robustness to Cheating
- Theorem: In a system with regular service intervals, any client that continuously transmits an ε fraction of the average bandwidth received by the thinner gets at least an ε/2 fraction of the service, regardless of how the bad clients time or divide up their bandwidth
- Assumption: requests are served with perfect regularity, i.e. every 1/c seconds
- True regardless of the service rate c
- Theory vs. practice

Slide 22: Heterogeneous Requests
- If all requests are treated equally, an attacker can get a disproportionate share of the server by sending only the hardest requests
- “Hardness” of a computation
- The thinner breaks time into quanta
- Each request is seen as comprising equal-sized chunks

Slide 23: Heterogeneous Requests
- If a client’s request is made of x chunks, the client must win x auctions for one request
- The thinner extracts an on-going payment until the request completes
- The thinner can SUSPEND, RESUME, and ABORT requests

Slide 24: Heterogeneous Requests
- The thinner holds a virtual auction for every quantum
- v is the currently active request and u is the contending request that has paid the most
- If u has paid more than v
- If v has paid more than u
- Time out and ABORT any request that has been SUSPENDED for some period
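The payment-channel thinner of slides 19–20 and the per-quantum auction with SUSPEND/RESUME/ABORT of slides 22–24, as an added Python model that is not the paper's implementation. It assumes the slide's elided branches resolve as follows: the request that wins a quantum is served one chunk and its accumulated payment is consumed, a SUSPENDED request keeps paying and accumulating, and one left SUSPENDED for `abort_after` quanta is ABORTED; client names, byte counts and the 6-quantum workload are constructed.

```python
# Added toy model of the Speak-up thinner's per-quantum virtual auction (not the paper's code).
# Assumed rules: the served request's accumulated payment is consumed each quantum; a SUSPENDED
# request keeps paying; a request SUSPENDED for abort_after consecutive quanta is ABORTED.
from dataclasses import dataclass

@dataclass
class Request:
    client: str
    chunks_left: int
    paid: int = 0           # bytes sent on the payment channel since last debit
    state: str = "WAITING"  # WAITING | ACTIVE | SUSPENDED | DONE | ABORTED
    suspended_for: int = 0  # consecutive quanta spent SUSPENDED

class Thinner:
    def __init__(self, abort_after=2):
        self.abort_after, self.requests, self.active, self.log = abort_after, {}, None, []
    def submit(self, client, chunks):
        self.requests[client] = Request(client, chunks)
    def pay(self, client, nbytes):
        r = self.requests.get(client)
        if r is not None and r.state not in ("DONE", "ABORTED"): r.paid += nbytes
    def tick(self):
        """One quantum: auction between the active request v and the top contender u."""
        v = self.requests.get(self.active)
        contenders = [r for r in self.requests.values() if r.state in ("WAITING", "SUSPENDED")]
        u = max(contenders, key=lambda r: r.paid, default=None)  # ties: earliest submitted
        if u is not None and (v is None or u.paid > v.paid):     # u has outbid v
            if v is not None:
                v.state = "SUSPENDED"; self.log.append(("SUSPEND", v.client))
            if u.state == "SUSPENDED":
                self.log.append(("RESUME", u.client))
            u.state, self.active, v = "ACTIVE", u.client, u
        if v is not None:  # serve one chunk of v and consume its payment
            v.paid, v.suspended_for, v.chunks_left = 0, 0, v.chunks_left - 1
            self.log.append(("SERVE", v.client))
            if v.chunks_left == 0:
                v.state, self.active = "DONE", None
        for r in self.requests.values():  # time out requests left SUSPENDED too long
            if r.state == "SUSPENDED":
                r.suspended_for += 1
                if r.suspended_for >= self.abort_after:
                    r.state = "ABORTED"; self.log.append(("ABORT", r.client))

def run(submissions, pays, quanta, resubmit=False):
    """submissions: [(client, chunks)]; pays: client -> f(q) = bytes sent in quantum q. With resubmit,
    a finished request is replaced by a fresh 1-chunk one (steady demand). Returns (event log, states)."""
    t = Thinner()
    for c, n in submissions: t.submit(c, n)
    for q in range(quanta):
        for c, f in pays.items(): t.pay(c, f(q))
        t.tick()
        for c, r in t.requests.items():
            if resubmit and r.state == "DONE":
                t.submit(c, 1)
    return t.log, {c: r.state for c, r in t.requests.items()}

def demo():
    """Constructed: A 3 chunks at 1 byte/quantum; B 2 chunks at 2; C 2 chunks, pays 5 once then nothing."""
    return run([("A", 3), ("B", 2), ("C", 2)],
               {"A": lambda q: 1, "B": lambda q: 2, "C": lambda q: 5 if q == 0 else 0}, 6)
```

Running `run()` with `resubmit=True` and 1-chunk requests shows the theorem of slide 21 in miniature: a client paying 1 byte/quantum against one paying 3 is served in 4 of 12 quanta, while against one that bursts 12 bytes every fourth quantum (same average) it is served in 9 of 12, so timing its bandwidth gains the bursting client nothing and the steady client stays well above ε/2 = 1/8 of the service.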

Slide 25: Implementation

Slide 26: How it Works
- Any JavaScript-capable Web browser can use the system
- The thinner returns HTML to the client with the server’s response
- When the server is not free, the thinner returns JavaScript to the Web client that causes it to automatically issue two HTTP requests

Slide 27: Evaluation

Slide 28: Setup and Method
- Each client’s requests are driven by a Poisson process of rate λ requests/s
- A client never allows more than a configurable number w (the window) of outstanding requests
- If more than w requests are outstanding, the client puts the new request in a backlog queue
- If a request is in this queue for more than 10 seconds, it times out

Slide 29: Setup and Method
- This model describes the behavior of both good and bad clients
- Bad clients send requests faster and have concurrent requests
- Good client: λ = 2, w = 1
- Bad client: λ = 40, w = 20
- Experiments run with 50 clients, each with 2 Mbits/s of access bandwidth (B + G = 100 Mbits/s)

Slide 30: Experiments
- Validating the Thinner’s Allocation
- Speak-up’s Latency and Byte Cost
- Adversarial Advantage
- Heterogeneous Network Conditions
- Good and Bad Clients Sharing a Bottleneck
- Impact of Speak-up on Other Traffic

Slide 31: Validating the Thinner’s Allocation
- Question 1: Do clients get service in proportion to bandwidth?
- 50 clients connect to the thinner over a 100 Mbits/s LAN; each has 2 Mbits/s of bandwidth
- The fraction of good clients varies, and the server’s capacity is c = 100 requests/s

Slide 32: Validating the Thinner’s Allocation (figure)

Slide 33: Validating the Thinner’s Allocation
- Question 2: What happens when we vary the capacity of the server?
- Definition: the minimum value of c at which all good clients get service, if speak-up is deployed and if speak-up allocates the server in proportion to bandwidth
- 25 good and 25 bad clients, each with a bandwidth of 2 Mbits/s
- c = 50, 100, 200

Slide 34: Validating the Thinner’s Allocation (figure)

Slide 35: Latency Cost
- Same setup as the last experiment: c varies, 50 clients, G = B = 50 Mbits/s

Slide 36: Latency Cost (figure)

Slide 37: Byte Cost
- Byte cost: “Upper Bound” plots the theoretical average price, (G + B)/c

Slide 38: Byte Cost (figure)

Slide 39: Adversarial Advantage
- Question: What is the minimum value of c at which all of the good demand is satisfied?
- Experiment with the same conditions as above (G = B = 50 Mbits/s; 50 clients) but for more values of c
- All of the good demand is satisfied at c = 115, only 15% more than the idealized minimum c defined earlier
- Conclusion

Slide 40: Heterogeneous Network Conditions
- Investigate the server’s allocation for clients with different bandwidths
- Assign 50 clients to 5 categories
- The 10 clients in category i (1 ≤ i ≤ 5) have bandwidth 0.5i Mbits/s and connect to the thinner over a LAN
- All clients are good
- Server’s capacity c = 10 requests/s

Slide 41: Heterogeneous Network Conditions (figure)

Slide 42: Heterogeneous Network Conditions
- Now look at the effect of varied RTT
- Each request has at least one quiescent period, the length of which depends on the RTT
- Assign 50 clients to 5 categories
- The 10 clients in category i (1 ≤ i ≤ 5) have RTT = 100i ms
- Each has bandwidth 2 Mbits/s, and c = 10 requests/s
- Two cases: all clients good and all clients bad

Slide 43: Heterogeneous Network Conditions (figure)

Slide 44: Good and Bad Clients Sharing a Bottleneck
- 30 clients, each with a bandwidth of 2 Mbits/s, connect to the thinner through a common link l
- The bandwidth of l is 40 Mbits/s; the clients behind it generate 60 Mbits/s
- 10 good and 10 bad clients, each with bandwidth 2 Mbits/s, connect to the thinner directly through a LAN
- Server’s capacity c = 50 requests/s
- Vary the number of good and bad clients behind l

Slide 45: Good and Bad Clients Sharing a Bottleneck (figure)

Slide 46: Good and Bad Clients Sharing a Bottleneck
- The clients behind l together capture half of the server’s capacity
- “Bottleneck service” is the portion of the server captured by all clients behind l
- Good clients get less than the bandwidth-proportional allocation because bad clients “hog” l
- The effect on good clients is more pronounced when the bottleneck’s bandwidth is a smaller fraction of the clients’ combined bandwidth

Slide 47: Impact of Speak-up on Other Traffic
- What happens when a TCP endpoint, H, shares a bottleneck link, m, with clients that are currently uploading dummy bytes?
- When H is a TCP sender
- When H is a receiver
- For request-response protocols like HTTP

Slide 48: Impact of Speak-up on Other Traffic
- Experiment with H as a receiver and investigate the effects on an HTTP download
- 10 good speak-up clients share a bottleneck link, m, with H, a host that runs the HTTP client wget
- m has a bandwidth of 1 Mbit/s and a one-way delay of 100 ms
- Each of the 11 clients has a bandwidth of 2 Mbits/s
- The thinner fronts a server with c = 2 requests/s; there is also a separate Web server, S

Slide 49: Impact of Speak-up on Other Traffic (figure)

Slide 50: Impact of Speak-up on Other Traffic
- Download times inflate considerably
- However, this experiment is very pessimistic: large RTTs, a highly restrictive bottleneck bandwidth (20x smaller than demand), and low server capacity
- Obviously, speak-up is the exacerbating factor, but it will not have the same effect on every link

Slide 51: Concerns

Slide 52: Concerns
- Bandwidth envy
- Variable bandwidth costs
- Incentives for ISPs
- Solving the wrong problem
- Flash crowds

Slide 53: Conclusions

Slide 54: Conclusions
- Main Advantages
- Main Disadvantages

Slide 55: Questions?