
1 Drum: Exposing and Eliminating Vulnerabilities to Denial of Service Attacks in Secure Gossip-Based Multicast
Gal Badishi, Idit Keidar, Amir Sasson
Faculty of Electrical Engineering, Technion

2 Agenda
The problem
Overview of gossip-based multicast
Proposed solution - Drum
Analysis and simulations
Implementation and measurements
More DoS-mitigation techniques
Conclusions

3 Denial of Service (DoS)
Unavailability of service
–Exhausting resources
Remote attacks
–Network level: existing solutions do not solve all application problems
–Application level: has received little attention
Quantitative analysis of the impact on the application, and identification of vulnerabilities, are needed

4 Dollar Amount of Losses by Type (chart)

5 Remote Application-Level DoS (figure: valid requests vs. bogus requests, no attack vs. DoS attack)

6 Challenges
Quantify the effect of DoS at the application level
Expose vulnerabilities
Find effective DoS-mitigation techniques
–Prove their usefulness using the found metric

7 Multicast
A group of members
At least one member is a source – generates messages
Messages should arrive at all of the group members in a timely fashion
Network level vs. application level (ALM)

8 Tree-Based Multicast
Use a spanning tree – most common solution
No duplicates (optimal BW when network-level)
Single points of failure
(figure: spanning tree rooted at the Source)

9 Gossip-Based Multicast
Progresses in rounds
Every round:
–Choose random partners (view)
–Send or receive messages
–Discard old msgs from buffer
Probabilistic reliability
Uses redundancy to achieve robustness
Two methods
–Push
–Pull

10 Push (figure)

11 Pull (figure)

12 Effects of DoS on Gossip
Reasonable to assume that the source is attacked
Surprisingly, we show that naïve gossip is vulnerable to DoS attacks
Attacking a process in pull-based gossip may prevent it from sending messages (its request queue is flooded, so the valid pull-requests it would answer are discarded unread)
Attacking a process in push-based gossip may prevent it from receiving messages (its inbound queue is flooded, so valid pushed data is discarded unread)

13 Drum
A new gossip-based ALM protocol
Utilizes DoS-mitigation techniques
–Using random one-time ports to communicate
–Combining both push and pull
–Separating and bounding resources
Eliminates vulnerabilities to DoS
Proven robust using formal analysis and quantitative evaluation

14 Random Ports
Any request necessitating a reply contains a random port number
–“Invisible” to the attacker (e.g., encrypted)
The reply is sent to that random port
Assumption: attacking other ports does not affect the random port’s queue (i.e., the attack exhausts per-port processing, not link bandwidth; if the link itself is saturated, random ports do not help)

15 Combining Push and Pull
Attacking push cannot prevent receiving messages via pull (random ports)
Attacking pull cannot prevent sending via push
Each process has some control over the processes it communicates with

16 Bounding Resources
Motivation: prevent resource exhaustion
Each round, process a random subset of the arriving messages and discard the rest
Separate resources for orthogonal operations
(figure: valid and bogus requests arriving during one round duration)

17 Drum’s Push Mechanism
Alice sends Bob a push-offer
Bob replies with a digest of messages he has already received
Alice only sends Bob messages missing from his digest
Random ports
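The following is an added, in-memory model of the three-step push exchange above together with the random one-time reply ports of slide 14 and the bounded well-known port of slide 16. It is not the authors' implementation. The port numbers, message field names, the encoding of a digest as the set of message ids, the one-reply-then-close semantics of a random port, and the sample messages are all my assumptions; the paper does not specify them.

```python
"""Drum-style push: offer -> digest -> missing messages, with random one-time
reply ports and a bounded, flooded well-known offer port.  Added example."""
import random

WELL_KNOWN_OFFER_PORT = 5000           # assumption: fixed port the attacker knows
EPHEMERAL_RANGE = (10_000, 60_000)     # assumption: random reply ports come from here


class Network:
    """Loss-free in-memory datagram network (constructed for the example)."""
    def __init__(self):
        self.hosts = {}

    def add(self, proc):
        self.hosts[proc.name] = proc

    def send(self, dst, port, msg):
        self.hosts[dst].deliver(port, msg)


class Process:
    def __init__(self, name, rng, bound):
        self.name, self.rng, self.bound = name, rng, bound   # bound = F/2 offers per round
        self.store = {}                                       # msg_id -> payload
        self.queues = {WELL_KNOWN_OFFER_PORT: []}             # port -> arrived datagrams
        self.handlers = {}                                    # random port -> one-shot handler
        self.discarded = 0
        self.sent_data = 0

    def open_random_port(self, handler):
        """Allocate an unused random port that will accept exactly one reply."""
        while True:
            port = self.rng.randrange(*EPHEMERAL_RANGE)
            if port not in self.queues:
                break
        self.queues[port] = []
        self.handlers[port] = handler
        return port

    def deliver(self, port, msg):
        """Datagram arrives; anything aimed at a closed port is dropped."""
        if port in self.queues:
            self.queues[port].append(msg)
        else:
            self.discarded += 1

    def process_round(self, net):
        # Well-known port: read a random subset of at most `bound`, drop the rest
        # (slide 16).  A flood here competes with real offers for these slots.
        q = self.queues[WELL_KNOWN_OFFER_PORT]
        keep = self.rng.sample(q, min(self.bound, len(q)))
        self.discarded += len(q) - len(keep)
        q.clear()
        for offer in keep:
            if offer.get("type") == "push-offer":
                self.on_push_offer(net, offer)
        # Random ports: separate queues the attacker cannot name (slide 14);
        # each delivers its first reply and then closes (one-time use).
        for port in list(self.handlers):
            if self.queues[port]:
                handler = self.handlers.pop(port)
                handler(net, self.queues.pop(port)[0])

    # --- the three-step push exchange (slide 17) ---
    def send_push_offer(self, net, peer):
        reply_port = self.open_random_port(self.on_digest)
        net.send(peer, WELL_KNOWN_OFFER_PORT,
                 {"type": "push-offer", "from": self.name, "reply_port": reply_port})

    def on_push_offer(self, net, offer):
        data_port = self.open_random_port(self.on_data)
        net.send(offer["from"], offer["reply_port"],
                 {"type": "digest", "from": self.name,
                  "have": set(self.store), "data_port": data_port})

    def on_digest(self, net, digest):
        missing = {k: v for k, v in self.store.items() if k not in digest["have"]}
        self.sent_data += len(missing)
        net.send(digest["from"], digest["data_port"], {"type": "data", "msgs": missing})

    def on_data(self, net, data):
        self.store.update(data["msgs"])


def flood(net, victim, count):
    """Attacker: `count` bogus datagrams at the only port it can see."""
    for _ in range(count):
        net.send(victim, WELL_KNOWN_OFFER_PORT, {"type": "bogus"})


def run_exchange(seed, flood_alice=0, flood_bob=0, bound=2):
    """One Alice->Bob push under an optional flood of either side's offer port."""
    rng = random.Random(seed)
    net = Network()
    alice, bob = Process("alice", rng, bound), Process("bob", rng, bound)
    net.add(alice), net.add(bob)
    alice.store = {f"m{i}": f"payload-{i}" for i in range(1, 5)}   # constructed sample data
    bob.store = {"m1": "payload-1", "m2": "payload-2"}              # Bob already holds two
    alice.send_push_offer(net, "bob")
    flood(net, "bob", flood_bob)
    flood(net, "alice", flood_alice)
    bob.process_round(net)     # reads <= bound offers, answers with digest
    alice.process_round(net)   # digest lands on the random port, sends only what is missing
    bob.process_round(net)     # data lands on Bob's random port
    return {"bob_has": set(bob.store), "alice_sent": alice.sent_data,
            "alice_discarded": alice.discarded, "bob_discarded": bob.discarded}
```

Flooding Alice's well-known port after her offer has left does not stop the exchange: Bob's digest arrives on a port the attacker never saw, and Alice sends exactly the two messages Bob lacks. Flooding Bob's offer port with 99 bogus datagrams leaves Alice's offer a 2-in-100 chance of being among the offers Bob reads, which is the push-side weakness the pull channel is there to cover.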

18 Evaluation Methodology
Compare 3 protocols
–Push (push-based with bounded resources)
–Pull (pull-based with bounded resources)
–Drum
Under various DoS attacks
–Increasing strength (shows trend under DoS)
–Fixed strength (exposes vulnerabilities)
Source is always attacked
Evaluates the combination of Push and Pull
Separately evaluate the other two techniques

19 Evaluation Methodology (cont.)
Measure propagation time – expected number of rounds it takes a message to reach all of the correct processes
–99% in the simulations and actual measurements
Use real implementation to measure actual latency and throughput

20 Analysis/Simulation Assumptions
Static group with complete connectivity
Processes have complete group knowledge
Propagation of a single message M
–But simulate situation where all procs have msgs to send
M is never purged from local buffers
Rounds are synchronized
All round operations complete within the same round
All processes are correct (analysis) or 10% of them perform a DoS attack (simulation)

21 Validating Known Results
The propagation time of gossip-based multicast protocols is O(log n) [P87, KSSV00]


23 Validating Known Results (cont.)
The performance of gossip-based multicast protocols degrades gracefully as the number of failures grows [LMM00, GvRB01]


25 Definitions
n – number of processes in the group
F – size of view, and max # of requests to process in a round (F = 4)
α – percentage of attacked processes
x – number of bogus messages an attacked process receives in a round
B – total attack strength (B = αnx)
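To make the evaluation of slides 18 to 25 concrete, here is an added round-based simulator for the three compared protocols under the definitions above (n, F, α, x). It is my code, not the authors' simulator, and its modelling choices are assumptions: the attacker is external and always includes the source among the round(αn) attacked processes; bogus and valid messages are indistinguishable until processed; pull replies travel to random ports and are never attacked; Drum splits the view and the processing bound evenly between its push and pull channels (F/2 each) so that all three protocols pay the same per-round cost, and the attacker splits x evenly between those two channels. Propagation time is the number of rounds until 99% of the processes hold M, as on slide 19.

```python
"""Push vs. Pull vs. Drum gossip under application-level DoS (added example)."""
import math
import random


def bounded_read(rng, valid_msgs, bogus, bound):
    """Process a random subset of at most `bound` arriving messages and discard
    the rest (slide 16).  Bogus messages are represented only by their count."""
    total = len(valid_msgs) + bogus
    picked = rng.sample(range(total), min(bound, total))
    return [valid_msgs[i] for i in picked if i < len(valid_msgs)]


def random_partners(rng, n, me, fan):
    """A fresh random view of `fan` distinct partners other than `me`."""
    return [q for q in rng.sample(range(n), fan + 1) if q != me][:fan]


def push_round(rng, n, has_m, attacked, fan, bound, bogus):
    """Holders of M push it to `fan` partners; receivers read at most `bound`
    inbound messages, so an attacked receiver mostly reads junk (slide 12)."""
    inbox = [[] for _ in range(n)]
    for p in list(has_m):
        for q in random_partners(rng, n, p, fan):
            inbox[q].append(p)
    for q in range(n):
        junk = bogus if q in attacked else 0
        if q not in has_m and bounded_read(rng, inbox[q], junk, bound):
            has_m.add(q)


def pull_round(rng, n, has_m, attacked, fan, bound, bogus):
    """Everyone sends pull-requests to `fan` partners; a holder answers the
    requests it manages to read, so an attacked holder barely answers (slide 12)."""
    requests = [[] for _ in range(n)]
    for q in range(n):
        for p in random_partners(rng, n, q, fan):
            requests[p].append(q)
    for p in list(has_m):
        junk = bogus if p in attacked else 0
        for q in bounded_read(rng, requests[p], junk, bound):
            has_m.add(q)


def propagation_rounds(protocol, n, F, alpha, x, seed=0, target=0.99, max_rounds=100_000):
    """Rounds until `target` of the n processes hold M.  Process 0 is the source
    and is always attacked; the other attacked processes are chosen at random."""
    rng = random.Random(seed)
    k = max(1, round(alpha * n))
    attacked = {0} | set(rng.sample(range(1, n), k - 1))
    has_m = {0}
    goal = math.ceil(target * n - 1e-9)
    rounds = 0
    while len(has_m) < goal:
        rounds += 1
        if rounds > max_rounds:
            raise RuntimeError("did not converge")
        if protocol == "push":
            push_round(rng, n, has_m, attacked, F, F, x)
        elif protocol == "pull":
            pull_round(rng, n, has_m, attacked, F, F, x)
        elif protocol == "drum":   # assumption: F and x split evenly across channels
            push_round(rng, n, has_m, attacked, F // 2, F // 2, x // 2)
            pull_round(rng, n, has_m, attacked, F // 2, F // 2, x - x // 2)
        else:
            raise ValueError(protocol)
    return rounds


def mean_rounds(protocol, n, F, alpha, x, seeds=range(5)):
    """Average propagation time over several seeds (attack strength x per process)."""
    return sum(propagation_rounds(protocol, n, F, alpha, x, seed=s) for s in seeds) / len(seeds)


if __name__ == "__main__":
    for proto in ("push", "pull", "drum"):
        print(proto, [mean_rounds(proto, 100, 4, 0.1, x) for x in (0, 100, 1000)])
```

With no attack all three finish in a handful of rounds (the O(log n) behaviour of slide 21). Raising x makes Push and Pull slow down roughly in proportion to x, while Drum stays within a small constant: attacked processes still receive M through pull-replies on random ports, and the attacked source still gets M out through push.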

26 Analysis – Increasing Strength
Lemma 1: Fix α < 1 and n. Drum’s propagation time is bounded from above by a constant independent of x
Proof idea
–Define effective fan-in and effective fan-out
–Both have an element independent of x
–When x → ∞ this element is dominant
–The effective fans are bounded from below

27 Analysis – Increasing Strength
Lemma 2: Fix α and n. The propagation time of Push grows at least linearly with x
Proof idea
–Assume all non-attacked processes already have the message (and so does the source)
–Bound the expected number of processes having M at round k from above
–Find the minimal k in which all processes have M
–Reaching all attacked processes takes at least a time linear in x

28 Analysis – Increasing Strength
Lemma 3: Fix α and n. The propagation time of Pull grows at least linearly with x
Proof idea
–Denote by p the probability that the source reads a valid pull request in a round
–# of rounds for M to leave the source is geometrically distributed with p
–The expectation is 1/p
–1/p is at least linear in x
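The Lemma 3 argument worked through in code (added here, not from the paper). If v valid pull-requests are queued at the attacked source alongside x bogus ones and the source reads a uniformly random subset of at most F of them, the probability that all F reads land on junk is C(x, F)/C(x + v, F), so p = 1 − C(x, F)/C(x + v, F). For x ≫ F this is about Fv/x, hence 1/p grows linearly in x. Treating v as a fixed parameter is my simplification; the paper argues in expectation over the random view choices, where v is about F.

```python
"""Lemma 3: rounds for M to leave an attacked source in pull-based gossip."""
from math import comb
import random


def p_valid_read(v, x, F):
    """Probability that at least one of the F reads is a valid request when
    v valid and x bogus requests are queued (hypergeometric complement)."""
    reads = min(F, v + x)
    if reads == 0:
        return 0.0
    return 1.0 - comb(x, reads) / comb(v + x, reads)


def expected_rounds_to_leave_source(v, x, F):
    """Geometric(p) expectation: 1/p rounds until the first valid read."""
    return 1.0 / p_valid_read(v, x, F)


def simulate_rounds_to_leave_source(v, x, F, trials=2000, seed=1):
    """Monte Carlo check of the closed form: sample the bounded read directly.
    Indices < v stand for valid requests, the rest for bogus ones."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        rounds = 0
        while True:
            rounds += 1
            picked = rng.sample(range(v + x), min(F, v + x))
            if any(i < v for i in picked):
                break
        total += rounds
    return total / trials


def growth_ratio(v, x, F):
    """Expected rounds at 2x divided by expected rounds at x; tends to 2."""
    return expected_rounds_to_leave_source(v, 2 * x, F) / expected_rounds_to_leave_source(v, x, F)


if __name__ == "__main__":
    for x in (0, 4, 36, 400, 4000):
        print(x, round(expected_rounds_to_leave_source(4, x, 4), 2))
```

Doubling x from 2000 to 4000 doubles the expected delay at the source (ratio ≈ 1.99 for v = F = 4), which is the "at least linear in x" step of the proof; the Monte Carlo with 2000 trials lands within a few hundredths of the closed form.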


31 Analysis – Fixed Strength
Define c = B/nF (total attack strength divided by total system capacity)
Lemma 4: For c > 5, Drum’s expected propagation time is monotonically increasing with α
Proof idea
–Effective fan-in and effective fan-out are monotonically decreasing with α


33 Implementation and Measurements
Multithreaded processes in Java
Operations are not synchronized
Rounds are not synchronized among processes
50 machines on a 100Mbit LAN (Emulab)
One process per machine
5 processes (10%) perform a DoS attack

34 Validating the Simulations
Evaluate the protocols in the same scenarios tested by simulation
High correlation shows that the simplifying assumptions have little effect on the results


37 High-Throughput Experiments
Single source
Creates 40 messages per second
Round duration = 1 second
Messages are purged after 10 rounds
Each process sends at most 80 data messages to another process in a round
Throughput and latency are measured at the 44 correct receiving processes


41 Evaluating Random Ports
Analyze Drum using simulations
Assume pull-replies are returned to a well-known port
–Different from the port for pull-requests
–Both ports are now being attacked
–Original attack on pull channels is equally divided between these ports


43 Evaluating Resource Separation
Analyze Drum using actual measurements
Merge all bounds on reception of control messages
–Push-offers, push-replies, pull-requests
–Originally, allow reception of F/2 (= 2) messages/round on each listening control msgs port
–Now, allow reception of 3F/2 (= 6) messages/round in total, for all control messages


45 Summary
Gossip-based protocols are very robust, but…
–naïve gossip-based protocols are vulnerable to targeted DoS attacks
Drum uses simple techniques to mitigate the effects of DoS attacks
Evaluations show Drum’s resistance to DoS
The most effective attack against Drum is a broad one

46 General Principles
DoS-mitigation techniques:
–random ports
–neighbor-selection by local choices
–separate resource bounds
Design goal: eliminate vulnerabilities
–The most effective attack is a broad one
Analysis and quantitative evaluation of the impact of DoS
