Presentation is loading. Please wait.

Presentation is loading. Please wait.

Kill-Bots: Surviving DDoS Attacks That Mimic Legitimate Browsing Srikanth Kandula Dina Katabi, Matthias Jacob, and Arthur Berger.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Kill-Bots: Surviving DDoS Attacks That Mimic Legitimate Browsing Srikanth Kandula Dina Katabi, Matthias Jacob, and Arthur Berger."— Presentation transcript:

1 Kill-Bots: Surviving DDoS Attacks That Mimic Legitimate Browsing Srikanth Kandula Dina Katabi, Matthias Jacob, and Arthur Berger

2 CyberSlam = DDoS that Mimics Legitimate Browsing

3 www.foo.com GET File.zip DO DBQuery 20,000+ zombies issue requests that mimic legitimate browsing Requests Look Legitimate  Standard filters don’t help CyberSlam

4 CyberSlam Attacks Happen! Instances of CyberSlam o First FBI DDoS Case – Hired professionals hit competitor o Mafia extorts online gaming sites … o Code RED Worm Why CyberSlam? o Avoid detection by NIDS & firewalls o High pay-off by targeting expensive resources E.g., CPU, DB, Disk, processes, sockets o Large botnets are available

5 Threat Model In scope o Attacks on higher layer bottlenecks, e.g., CPU, Memory, Database, Disk, processes, … o Attacks that fool the server to congest its uplink bandwidth o Mutating attacks Outside the scope o Flooding server’s downlink (prior work) o Live-lock in the device driver

6 Tentative Solutions Filter big resource consumers? Passwords? Computational puzzles? ????  No big consumers; Commodity OS do not support fine-grained resource accounting  Might not exist, expensive to check  Computation is abundant in a botnet

7 Reverse Turing Test (e.g., CAPTCHAs) to distinguish humans from zombies But… Partial Solution:

8 3 Problems with CAPTCHA Authentication (2) Bias against users who can’t or won’t answer CAPTCHAs Can’t see it (1) DDoS the authentication mechanism (connect to server, force context-switches, hog sockets etc.) (3) How to divide resources between service and authentication as to maximize system goodput? NONO

9 Kill-Bots’ Contributions First to protect against CyberSlam Solves problems with CAPTCHAs: o Cheap stateless authentication o Serves legit. users who don’t answer CAPTCHAs o Optimal balance between authentication & service Improves performance during Flash Crowds Order of magnitude improvement in goodput & response time

10 Kill-Bots is a kernel extension for web servers No Overhead Normal SuspectedAttack LOAD > L 1 LOAD < L 2 < L 1 New Clients are authenticated once and given HTTP Cookie

11 Authentication vulnerable to DDoS Problem 1:

12 Authentication vulnerable to DDoS Check cookie, socket, reserve buffers Causes context switch, buffer copies SYN HTTP Request SYNACKACK SYNACK TCP FIN Send CAPTCHA ServerClient Problem 1: SYN Cookie Standard Network Stack Resources are reserved till client sends a FIN but zombies don’t FIN

13 Authentication vulnerable to DDoS Problem 1: Modify network stack to issue CAPTCHAs without state Solution:

14 Authentication vulnerable to DDoS SYN Cookie Drop; SYN SYNACK TCP FIN Send CAPTCHA Kill-Bots Server Client Problem 1: Check cookie, send CAPTCHA without a socket! Solution: Modified Network Stack SYNACKACK HTTP Request Modify network stack to issue CAPTCHAs without state Stateless & Cheap Keep congestion control semantics No browser mods. Stateless & Cheap Keep congestion control semantics No browser mods.

15 Legit. Users who don’t answer CAPTCHA Use reaction to CAPTCHA Humans (1)Answer CAPTCHA (2) Reload; if doesn’t work, give up Zombies Can’t answer CAPTCHA, but have to bombard the server with requests Solution: Count the unanswered CAPTCHAs per IP, and drop if more than T; Problem 2: COUNTER Bloom Filter increase give captcha decrease correct ans. Cheap with a Bloom Filter

16 Stage 1: CAPTCHA Authentication Learn IP addresses of zombies using Bloom filter Stage 2: Use only Bloom filter for Authentication No CAPTCHAs Users who don’t answer CAPTCHAs can access the server despite the attack in Stage 2 Bloom Learns All Zombie IPs

17 To Authenticate or To Serve? Problem 3:

18 Authenticate all new arrivals  can’t serve all authenticated clients Authenticate very few arrivals  too few legitimate users are authenticated Authenticate new clients with prob.  (drop others)  A form of admission control with 2 arrival types But what  maximizes goodput? Solution: Problem 3: To Authenticate or To Serve?

19 Analysis Modeled system using Queuing Theory Found Optimal  * (proof in paper) But  * depends on many unknown parameters attack rate mean service time mean session size legitimate request rate, etc…

20 Kill-Bots adapts the authentication prob. by measuring fraction of time CPU is idle Solution to Problem 3:

21 Analysis says: if idle > 0,  is prop. to (1- idle) Say you want to keep server busy 90% of time: Kill-Bots adapts the authentication prob. by measuring fraction of time CPU is idle

22 Solution to Problem 3: Analysis says: if idle > 0,  is prop. to (1- idle) Say you want to keep server busy 90% of time: Kill-Bots adapts in real time Kill-Bots adapts the authentication prob. by measuring fraction of time CPU is idle

23 Solution to Problem 3: Analysis says: if idle > 0,  is prop. to (1- idle) Say you want to keep server busy 90% of time: Kill-Bots adapts in real time Kill-Bots adapts the authentication prob. by measuring fraction of time CPU is idle

24 Tying it Together

25

26

27

28

29 Recap: Kill-Bots addresses CyberSlam DDoS the authentication Serve legitimate users who don’t answer CAPTCHAs Divide resources between authentication & service Problem Solution Send CAPTCHAs cheaply without sockets Use reaction to CAPTCHA to identify zombies Adaptive authentication as admission control

30 Attacks & Defenses Replay Attacks? o Don’t work. Limit #connections per cookie Spoof IP, cause Bloom filter to block o Doesn’t happen. SYN cookie before updating Bloom Breaking the CAPTCHA? o Kill-bots can use any Reverse Turing Test

31 Performance

32 Wide-area Evaluation Using PlanetLab Legit. users are driven from CSAIL Web traces >25,000 attackers on PlanetLab request random pages 60% of legitimate users answer CAPTCHAs

33 Metrics Goodput (of Legitimate Users) Response time (of Legitimate Users) Maximum survivable attack rate

34 Kill-Bots under DDoS Goodput of Legit. (Mb/s) Attack Rate (Request/sec)

35 Kill-Bots under DDoS Goodput of Legit. (Mb/s) Attack Rate (Request/sec) Response Time (sec) Attack Rate (Request/sec)

36 Kill-Bots under DDoS Goodput of Legit. (Mb/s) Attack Rate (Request/sec) Response Time (sec) Attack Rate (Request/sec) 5-10 times better Goodput and Response Time

37 Why Adapt the Authentication Probability? Goodput of Legit. (Mb/s) Attack Rate (Request/sec) Server with adaptive authentication Server with authentication Base server Adaptive  is much better than authenticating every new user

38 Kill-Bots under Flash Crowd Goodput of legit. (Mb/s) Response Time (sec) Time (sec) Flash Crowd

39 Goodput of legit. (Mb/s) Response Time (sec) Time (sec) Flash Crowd Orders of magnitude better Response Time

40 Response Time (sec) Time (sec) Authentication Prob.  Time (sec) Flash Crowd Kill-Bots under Flash Crowd Adaptive  provides admission control

41 Response Time (sec) Time (sec) Kill-Bots under Flash Crowd Kill-Bots authenticates new clients only if it can serve them… 80,000360,000Number of dropped legitimate requests Kill-BotsBase Server

42 Kill-Bots’ Contributions First to protect Web servers from DDoS attacks that mimic legitimate browsing First to deal with CAPTCHA’s bias against legitimates users who don’t solve them Sends CAPTCHA and checks answer without any server state Addresses both DDoS attacks and Flash Crowds Orders of magnitude better response time, goodput, and survivable attack rate

Download ppt "Kill-Bots: Surviving DDoS Attacks That Mimic Legitimate Browsing Srikanth Kandula Dina Katabi, Matthias Jacob, and Arthur Berger."

Similar presentations

Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Most of slides come from Ari Juels and John Brainard RSA Laboratories.

Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Most of slides come from Ari Juels and John Brainard RSA Laboratories.
CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Resource Containers: A new Facility for Resource Management in Server Systems G. Banga, P. Druschel,

CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Resource Containers: A new Facility for Resource Management in Server Systems G. Banga, P. Druschel,
Slides mostly by Sherif Khattab 1 Denial-of-Service [Gligor, 84] ``A group of otherwise-authorized users of a specific service is said to deny service.

Slides mostly by Sherif Khattab 1 Denial-of-Service [Gligor, 84] ``A group of otherwise-authorized users of a specific service is said to deny service.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
5/18/2015 Samarpita Hurkute DDoS Defense By Offense 1 DDoS Defense by Offense Michael Walfish,Mythili Vutukuru,Hari Balakrishnan,David Karger,Scott Shenker.

5/18/2015 Samarpita Hurkute DDoS Defense By Offense 1 DDoS Defense by Offense Michael Walfish,Mythili Vutukuru,Hari Balakrishnan,David Karger,Scott Shenker.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
PERSISTENT DROPPING: An Efficient Control of Traffic Aggregates Hani JamjoomKang G. Shin Electrical Engineering & Computer Science UNIVERSITY OF MICHIGAN,

PERSISTENT DROPPING: An Efficient Control of Traffic Aggregates Hani JamjoomKang G. Shin Electrical Engineering & Computer Science UNIVERSITY OF MICHIGAN,
CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:

CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:
Distributed Denial of Service Attacks CMPT 471 1 Distributed Denial of Service Attacks Darius Law.

Distributed Denial of Service Attacks CMPT Distributed Denial of Service Attacks Darius Law.
2005 Stanford Computer Systems Lab Flow Cookies Bandwidth Amplification as Flooding Defense Martin Casado, Pei Cao Niels Provos.

2005 Stanford Computer Systems Lab Flow Cookies Bandwidth Amplification as Flooding Defense Martin Casado, Pei Cao Niels Provos.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.

Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.
Mitigating Bandwidth- Exhaustion Attacks using Congestion Puzzles XiaoFeng Wang Michael K. Reiter.

Mitigating Bandwidth- Exhaustion Attacks using Congestion Puzzles XiaoFeng Wang Michael K. Reiter.
Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA © Abdou Illia.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
1 CCNA 2 v3.1 Module 10. 2 Intermediate TCP/IP CCNA 2 Module 10.

1 CCNA 2 v3.1 Module Intermediate TCP/IP CCNA 2 Module 10.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 7: Denial-of-Service Attacks.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 7: Denial-of-Service Attacks.
Network Attacks. Network Trust Issues – TCP Congestion control – IP Src Spoofing – Wireless transmission Denial of Service Attacks – TCP-SYN – Name Servers.

Network Attacks. Network Trust Issues – TCP Congestion control – IP Src Spoofing – Wireless transmission Denial of Service Attacks – TCP-SYN – Name Servers.

Similar presentations

Ads by Google