Presented by Oleg Rekutin
Presentation transcript:

1 Title
Sustaining Availability of Web Services under Distributed Denial of Service Attacks. Jun Xu, Member, IEEE, and Wooyong Lee (Georgia Institute of Technology, Atlanta, GA). Presented by Oleg Rekutin.

2 Overview
Web defense focus; two stages of defense; game theory proof; measurements.
Outline: Overview, 2-Step Protection, Game Theory, Simulation, Conclusion.
Notes: I will skip implementation details, because they are integrated here and there; there is no code on the slides. I will not review existing DDoS defense techniques.
Sustaining Availability of Web Services under DDoS, November 29, 2018

3 System Model
Notes: The system consists not only of a special firewall, but also of the routers of the local ISP. These are perimeter routers, and they perform filtering: they filter spoofed IPs and blacklisted IPs. The firewall contains the logic that enables spoofed-IP detection and figures out which IPs to blacklist. The capacity of the perimeter routers (of the local network) is much greater than the capacity of the firewall.

4 Normal Flow
1. Connect to victim.com:80. Under attack, SYN packets to this public address are randomly dropped.
2. Receive an HTTP redirect to an IP:port pair, [MAC]:[MAC], where the MAC is based on the source IP.
3. Connect to 123.34.56.[MAC]:[MAC]. From the correct source IP, normal HTTP browsing occurs; from an incorrect source IP, the packets are dropped.

5 System Model: Public IP and Pseudo-IP Set
Notes: Hand-wave the flow. A normal HTTP session is protected from flooding by spoofed-IP requests. But what about the HTTP redirect portion? That whole handshake takes a few packets back and forth, but it is not covered by the pseudo-IP MAC.

6 First Redirect Protection
Use a SYN cookie in the TCP sequence number, and extend the cookie to all redirect packets. Sequence-number layout: 22 bits and 10 bits, with the MAC XORed with the source port. This fits the first redirect packets.

7 Spoofed IP Protection (client to server exchange)
SYN: src srcIP:port, dst victim:80.
SYN-ACK: dst srcIP, with MAC:0000 in the seqno. A spoofed source IP can't get the SYN-ACK (spoofed-IP protection point).
ACK: src srcIP:port, dst victim:80, ackno MAC:0001. In a flood situation, an ACK with a valid MAC is allowed to get through (legitimate-client relief point); ACKs without a valid MAC are dropped.
HTTP redirect uses the MAC numbers: src srcIP:port, dst victim:80.

8 Pseudo-IP MAC
IP address: 28 bits of subnet belonging to the web site, 4 bits of MAC. Port: 1 bit "Is MAC?", 1 bit "Is SSL?", 14 bits of MAC. MAC = MAC(srcIP, key). Replay attack: change the key based on a timestamp in the header.
Notes: Composition of the MAC. The MAC is based on a shared key; the key is shared between all perimeter routers. What if the attacker snoops on the network for outgoing connections from a legitimate client? He can tell the destination IP and hostname, and can then send SYN packets to that IP address by spoofing the source IP address and using the snooped MAC. Solution: change the key with time, for example based on a timestamp in the header. If the key lifetime is 30 seconds or so, then there is not enough time to snoop effectively, the authors assert.
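The pseudo-IP layout from slides 5 to 8, as an added example that is not code from the presentation or from the paper: the perimeter router derives the 18-bit MAC (4 bits in the address, 14 bits in the port) from the client's source IP and a key that rotates every 30 seconds, and drops packets to the pseudo-IP block whose destination does not match. The master key, the /28 block, HMAC-SHA256 as the MAC function, the bit positions of the "Is MAC?" and "Is SSL?" flags, and the acceptance of the previous key window are all assumptions of this example.

```python
import hmac
import hashlib
import ipaddress
import struct

# Constructed values: a master key shared by all perimeter routers and an
# example /28 pseudo-IP block (28-bit prefix, 4 bits left for the MAC).
MASTER_KEY = b"constructed-shared-key-for-perimeter-routers"
PSEUDO_NET = ipaddress.ip_network("203.0.113.16/28")
KEY_LIFETIME = 30          # seconds; the key lifetime the notes mention
IS_MAC_BIT = 1 << 15       # assumed port layout: "Is MAC?" | "Is SSL?" | 14-bit MAC
IS_SSL_BIT = 1 << 14
MAC14_MASK = 0x3FFF
MAC18_MASK = 0x3FFFF       # 4 bits in the address + 14 bits in the port


def window_key(now: float) -> bytes:
    """Derive the per-window key from the master key and the time window index."""
    index = int(now) // KEY_LIFETIME
    return hmac.new(MASTER_KEY, struct.pack(">Q", index), hashlib.sha256).digest()


def mac18(src_ip: str, key: bytes) -> int:
    """MAC(srcIP, key), truncated to the 18 bits the address and port can carry."""
    digest = hmac.new(key, ipaddress.ip_address(src_ip).packed, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & MAC18_MASK


def pseudo_endpoint(src_ip: str, now: float, ssl: bool = False) -> tuple[str, int]:
    """The IP:port pair the HTTP redirect hands to a client with this source IP."""
    mac = mac18(src_ip, window_key(now))
    ip = PSEUDO_NET.network_address + (mac >> 14)          # top 4 bits -> host part
    port = IS_MAC_BIT | (IS_SSL_BIT if ssl else 0) | (mac & MAC14_MASK)
    return str(ip), port


def verify_endpoint(src_ip: str, dst_ip: str, dst_port: int, now: float) -> bool:
    """Perimeter-router check: does (dst_ip, dst_port) carry a valid MAC for src_ip?
    The previous key window is also accepted (assumption) so that a session
    that straddles a key change is not dropped."""
    if not dst_port & IS_MAC_BIT:
        return False
    dst = ipaddress.ip_address(dst_ip)
    if dst not in PSEUDO_NET:
        return False
    claimed = ((int(dst) - int(PSEUDO_NET.network_address)) << 14) | (dst_port & MAC14_MASK)
    for t in (now, now - KEY_LIFETIME):
        if mac18(src_ip, window_key(t)) == claimed:
            return True
    return False


def filter_packet(src_ip: str, dst_ip: str, dst_port: int, now: float) -> str:
    """Router decision for one packet addressed to the pseudo-IP block."""
    return "forward" if verify_endpoint(src_ip, dst_ip, dst_port, now) else "drop"
```

A MAC snooped from a legitimate client's redirect only verifies for that client's source IP and only during the current and previous key windows, which is the replay argument the notes make; after two window changes the same endpoint is dropped.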

9 Rate Limiting
Fair bandwidth for all legitimate IP users; detect attackers. Uses Deficit Round Robin (DRR): O(1) complexity, tight fairness. Regular users class: fair share. Attacking users class: much smaller share (1/10th).
Notes: Fair bandwidth sharing prevents a flood from a single attacker. The number of attackers may outnumber the number of regular clients.

10 Detecting Attackers: Flooding
DRR drops packets; count them per flow. If the number of dropped packets exceeds a threshold H, the flow is an attacker that does not obey TCP congestion control. What if many attackers each use their fair share?
Notes: The first defense is against flooding clients that do not obey TCP congestion control. If a client has an excessively large number of packets dropped in order to maintain fairness, it's an attacker. The authors mention that the attacker has two counter-strategies: flood with traffic (not going to work, due to the above), or many attackers each using their fair share.

11 Detecting Attackers: Loitering
Regular transactions take hundreds to thousands of packets. Q is the maximum legitimate packet quota. There is a low probability of a legitimate transaction using more than Q packets; if a client uses more than Q, it is an attacker.
Site | Action | Packets sent
cnn.com | read 3 pieces of headline news | 1387
delta.com | search, reserve & purchase a ticket | 513
etrade.com | look up 5 stock quotes & account balance | 523

12 Game Theory
Model effectiveness; guide design. Minmax utility: the performance of the system under all possible attacks. A minmax-sound defense maximizes the minmax utility.
Notes: The authors use game theory to model the system's effectiveness and to guide its design.

13 Guide Design
Most effective strategies for the adversary: a TCP SYN flood using spoofed IPs (unprivileged traffic); many attackers consuming their fair share with legitimate IPs (privileged traffic). Not effective: framing innocent IPs; flooding with a legitimate IP.

14 Predict Performance
System utility function: (# of new clients per second) * (average satisfaction of each client). X: number of attackers in unprivileged traffic. Z: number of attackers in privileged traffic. Y: bandwidth allocated to unprivileged traffic. Minmax utility:
Notes: New clients are the ones that make it to the site. The attacker aims to minimize the function; the defense aims to maximize it. Y is under the control of the proposed system. Neither party has an incentive to deviate from the minmax solution.

15 System Utility Function
g(X, Y, Z) = f(p) * A * U(r), where f(p) is the percentage of new clients that get service, A is the arrival rate of new clients, and U(r) is the user-perceived utility for an average download rate r. p is the percentage of unprivileged traffic. f(p) tolerates 4 consecutive packet losses, because the delay is then less than 8 seconds.
Notes: 8 seconds is the maximum human-tolerable delay. d(p) is the delay until the first SYN packet gets through and the service is established. T is the average time it takes for the transaction to complete. W is the average amount of traffic a client sends during a transaction.

16 Choosing Utility Function
Naive/folklore: U1(r) = c * r, with c > 0. Alternative: empirical study-based.

17 Empirical Utility Curve
Notes: Users were asked to rate their satisfaction on a scale of 1-5. The function fits well when the rate is from 10 to 150 kbps. The U(r) shown on the slide is used in the study, since the two are so close.

18 Numerical Simulation
g(X, Y, Z). Constraints: X <= N, Z <= N/10. Adversary's optimal strategy: X = N and Z = N/10. Defense: maximize g(N, Y, N/10). Example numerical simulation: B = 400,000 pps; W = 1,000 packets; average effective bandwidth = 40 pps; attacker sending rate = 1,000 pps.
Notes: The attacker has constraints of the form X <= N, Z < N/10, where N/10 comes from the "no loitering law". Since any reduction in X or Z leads to higher utility, the attacker chooses X = N, Z = N/10. This leaves a one-variable optimization problem in Y. So let's now perform a simulation using a specific bandwidth of the firewall, a specific web transaction size (1000 packets), and a specific average web bandwidth.
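The reduction on slides 14, 15 and 18, carried through as an added example that is not the paper's model or numbers beyond those on slide 18: with the adversary fixed at the corner X = N, Z = N/10, the defense's only lever is Y, and g(N, Y, N/10) is maximised by a one-dimensional search. B, W, the 40 pps effective bandwidth and the 1,000 pps attacker rate are from slide 18. Everything else is an assumption of this example: the attacker population N and the arrival rate A, the model in which unprivileged capacity Y is shared by spoofed-SYN attackers and new clients' handshake packets (f is the chance of success within 5 attempts, i.e. tolerating 4 consecutive losses), the privileged capacity B - Y shared by legitimate clients and attackers at 1/10th share, and the placeholder U(r), which stands in for the empirical curve the slides do not reproduce.

```python
import math

# Slide 18's numbers
B = 400_000            # firewall link capacity, pps
W = 1_000              # packets per web transaction
R_AVG = 40             # average effective bandwidth of a client, pps
ATTACK_RATE = 1_000    # attacker sending rate, pps
# Assumed for this example
N = 100                # attacker population
A = 100                # arrival rate of new clients, per second
HANDSHAKE_PKTS = 3     # unprivileged packets a new client needs (SYN, ACK, redirect)
RETRIES = 5            # 4 consecutive losses tolerated => 5 attempts
ATTACKER_DIVISOR = 10  # attacking class share relative to a regular client


def f_service(q):
    """Share of new clients whose handshake gets through within RETRIES attempts,
    given per-packet pass probability q on the unprivileged channel (assumed form)."""
    return 1.0 - (1.0 - q) ** RETRIES


def U(r):
    """Placeholder diminishing-returns utility in [0, 1); not the authors' empirical curve."""
    return 1.0 - math.exp(-r / R_AVG)


def g(X, Y, Z):
    """g(X, Y, Z) = f * A * U(r) under the assumed traffic model."""
    demand_unpriv = X * ATTACK_RATE + A * HANDSHAKE_PKTS
    q = min(1.0, Y / demand_unpriv) if demand_unpriv else 1.0
    f = f_service(q)
    legit_concurrent = f * A * W / R_AVG                     # Little's law at the target rate
    competitors = legit_concurrent + Z / ATTACKER_DIVISOR    # attackers count as 1/10th each
    r = min(R_AVG, (B - Y) / competitors) if competitors > 0 else R_AVG
    return f * A * U(r)


def adversary_best_response():
    """Constraints X <= N, Z <= N/10; g is non-increasing in X and Z, so the corner wins."""
    return N, N // ATTACKER_DIVISOR


def defense_optimum(step=1_000):
    """Maximise g(N, Y, N/10) over a grid of Y in [0, B]; returns (Y*, g*)."""
    X, Z = adversary_best_response()
    best_Y, best_g = 0, g(X, 0, Z)
    for Y in range(0, B + 1, step):
        val = g(X, Y, Z)
        if val > best_g:
            best_Y, best_g = Y, val
    return best_Y, best_g
```

Both extremes of Y score zero: Y = 0 lets no handshake through (f = 0), and Y = B leaves nothing for the privileged traffic (r = 0). The search therefore lands on the smallest Y at which the unprivileged channel is no longer the bottleneck, which is the shape of the trade-off the presenter describes; with the real f, U and parameters from the paper the location of the optimum changes, not the method.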

19 Numerical Results
Notes: The load is the arrival rate of the new clients. For example, under medium load, when the incoming traffic is 5 times the link bandwidth (80% packet loss), the system serves 55% of legitimate clients with a 27.5% longer end-to-end page download time.

20 Simulation
Simulate using ns-2. Goals: verify that fair scheduling (DRR) works (privileged traffic limitation); study the dynamics (change over time) of client bandwidth, page retrieval time and packet drop probability. Non-goals: the simulation does not verify the unprivileged vs. privileged dynamics.
Notes: The simulation is 100% legitimate traffic, with attacking clients stealing a fair share of bandwidth. There is NO unprivileged traffic in the simulation.

21 Simulation Setup
Topology: DRR applied to the outgoing bandwidth. Use HTTP/1.0. Clients: web-like behavior, 1000 packets. Loitering threshold Q is 3000 packets.
Notes: Web-like behavior, where each request fetches a main HTML page and then the embedded objects. There is a think time of about 15 seconds. Transactions are about 1000 packets. Propagation delay is 20 ms. The authors provide the other parameters in the paper.

22 Simulation Scenarios
Severe attack, light load; moderate attack, heavy load; severe attack, heavy load. Severe attack = 300 attackers; moderate attack = 100 attackers. Light load = 25%; heavy load = 75%.
Notes: 30-minute simulation. Attackers start about 5 minutes into the simulation. Attackers have NO THINK TIME, continue to attack until the end, and do conform to TCP congestion control.

23 Severe Attack, Light Load
Notes: The total throughput of the attackers jumps to 750 kbps when the attack starts. Then, 5 minutes later, it goes down to 600 kbps; this is when the attackers have used up the quota and are now getting 1/10. Page retrieval time is relieved significantly, but stays longer than originally because some bandwidth is still going to the attackers. This proves that DRR indeed guarantees approximately fair or weighted-fair bandwidth allocation. It takes 6 minutes for the attack to die down.

24 Moderate Attack, Heavy Load
Notes: Attackers go from 250 kbps to 200 kbps. About 7 minutes to die down.

25 Severe Attack, Heavy Load
Notes: Attacker bandwidth stays at around 300 kbps. Note the change in scale and how adversely the page retrieval times are affected. It takes 17 minutes for the number of attackers to go from 300 to about 30; it takes much longer to use up the quota under heavy load. The number of legitimate concurrent clients also goes up, because each client now stays longer.

26 Conclusion
Simulation results show that DRR works and show the dynamics. The system sustains web services under severe attacks and is practically deployable. The game theory framework models the performance of the system.

27 Acknowledgements
Charts used from the original article.

