Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 The Good, The Bad and the Ugly: Network Performance in Malicious Environment Udi Ben-Porat ETH Zurich, Switzerland Anat Bremler-Barr IDC Herzliya, Israel.

Published byRoland Marsh Modified over 9 years ago

Similar presentations

Presentation on theme: "1 The Good, The Bad and the Ugly: Network Performance in Malicious Environment Udi Ben-Porat ETH Zurich, Switzerland Anat Bremler-Barr IDC Herzliya, Israel."— Presentation transcript:

1 1 The Good, The Bad and the Ugly: Network Performance in Malicious Environment Udi Ben-Porat ETH Zurich, Switzerland Anat Bremler-Barr IDC Herzliya, Israel Hanoch Levy Tel-Aviv University, Israel First steps in Research CS – TAU – 1/2012 11/1/2012FirstStepsInResearch - H. Levy - CS TAU

2 2 T raditional Network Analysis / Design Expected Value Analysis  Average over a variety of cases  Traditional “performance people” Worst Case Analysis  Take the worst case scenario  Traditionally CS people BASIC ASSUMPTION:  USERS WANT THE BEST FOR THEM “The Good” “The Bad” 11/1/20122 FirstStepsInResearch - H. Levy - CS TAU

3 3 Today’s Networks Can we still assume: “ Users Want the Best for THEM”? Mostly yes… … BUT Not ALL! “The UGLY” MALICIOUS USERS: WANT TO HARM OTHERS’ PERFORMANCE 11/1/20123 FirstStepsInResearch - H. Levy - CS TAU

4 4 “Malicious” Network performance and Design “Expected” and “Worst” may not be enough Need to account for the malicious Need a “Malicious” performance methodology WE WANT to Combine “Performance” with “security” This talk:  How to evaluate effect on Performance  How to evaluate SYSTEM VULNERABILITY 11/1/20124 FirstStepsInResearch - H. Levy - CS TAU

5 5 Distributed Denial of Service ( DDoS ) Attacker adds more regular users Loading the server - degrades the performance Server Performance Server Attacker Normal DDoS S. DDoS 11/1/2012 FirstStepsInResearch - H. Levy - CS TAU

6 6 Sophisticated DDoS Normal DDoS S. DDoS Server Performance Server Attacker Attacker adds sophisticated malicious users Each user creates maximal damage (per attack budget) 11/1/2012 FirstStepsInResearch - H. Levy - CS TAU

7 7 Study Objective Propose a DDoS Vulnerability performance metric  Vulnerability Measure  To be used in addition to traditional system performance metrics Understand the vulnerability of various systems to attacks This Talk Examples Describe DDoS Vulnerability performance metric Demonstrate Metric impact  Hash Table: Very Common in networking  Performance (traditional) : OPEN equivalent CLOSED  Vulnerability analysis: OPEN << CLOSED!! 11/1/20127 FirstStepsInResearch - H. Levy - CS TAU

8 8 This Talk (cont) Demonstrate Vulnerability in a distributed environment  Attacking the CDF Scheduling by collaboration 11/1/20128 FirstStepsInResearch - H. Levy - CS TAU

9 9 Example 1: Data Structures (( Worst Case Exploit Denial of Service via Algorithmic Complexity Attacks, Scott A. Crosby and Dan S. Wallach, Usenix 2003 Attacker induces the worst-case behavior on real software. Average case: O(1) Worst case: O(n) 11/1/2012 FirstStepsInResearch - H. Levy - CS TAU

10 10 Example 1: Bro Performance under Hash Attack Bro intrusion detection system [Paxson ‘98]  High performance, open source IDS Hash used by the port scanning detector Attack: Carefully chosen source IPs and dest port numbers to achieve the worst case of the Hash Slides from the complexity attack paper presentation 11/1/2012 FirstStepsInResearch - H. Levy - CS TAU

11 11 Example 2: Attack on Admission Control Mechanism ( Traffic Pattern Exploit ) Reduction of Quality (RoQ) Attacks on Internet End- Systems, Mina Guirguis, Azer Bestavros, Ibrahim Matta and Yuting Zhang, INFOCOM 2005 Reduction of Quality attack - targets the adaptation mechanisms  prevent convergrnce to steady-state. 11/1/2012 FirstStepsInResearch - H. Levy - CS TAU

12 12 Example 2: cont’ A simple admission control sets its admission rate as a function of the utilization of its back-end system. Web-Server Admission Controller Admission Rejections Feedback Client 11/1/2012 FirstStepsInResearch - H. Levy - CS TAU

13 13 Example 2: cont’ Attacker sends a surge demand, from time to time, for a very short period and pushes the system into overload. Result: False rejection of traffic. Web-Server Admission Controller Rejections Overload Attacker Zombies Client 11/1/2012 FirstStepsInResearch - H. Levy - CS TAU

14 14 Example 3: Attack on TCP Retransmission ( Traffic Pattern Exploit ) Shrews: Low-Rate TCP-Targeted Denial of Service Attacks, A. Kuzmanovic and E.W.Knightly, Sigcomm 2003 Attacks exploit the timeout mechanism of TCP resulting in a complete denial of service. Shrew 11/1/2012 FirstStepsInResearch - H. Levy - CS TAU

15 15 Multiple Access Protocols ( Protocol Deviation Exploit ) Ethernet like protocol  Shared channel, a set of nodes send and receive frames over the same channel, only one node can transmit at a time  Each node runs a collision avoiding algorithm.  Attackers disobey collision avoidance  disturb the transmission over the channel 11/1/2012 FirstStepsInResearch - H. Levy - CS TAU

16 16 Our goal Proposing a Vulnerability measurement for all sophisticated DDoS attacks  Vulnerability Measurement  How easy it is to degrade your users performance Understanding the vulnerability of different systems to sophisticated attacks 11/1/2012 FirstStepsInResearch - H. Levy - CS TAU

17 17 Vulnerability Factor Definition Vulnerability= v means: A malicious user degrades the server performance v -times more than a regular user Performance Degradation Scales (st = Malicious Strategy) 11/1/2012 FirstStepsInResearch - H. Levy - CS TAU

18 18 Vulnerability Interpretation Vulnerability= v means: How many “innocent” users (operations) are denied service per one malicious user (operation) Performance Degradation Scales (st = Malicious Strategy) 11/1/2012 FirstStepsInResearch - H. Levy - CS TAU

19 19 Vulnerability Factor Definition Performance After adding (budget =c) After adding (budget=c) Normal DDoS S. DDoS 11/1/2012 FirstStepsInResearch - H. Levy - CS TAU

20 20 Demonstration of Vulnerability metric: Attack on Hash Tables Central component in networks Hash table is a data structure based on Hash function and an array of buckets. Operations: Insert, Search and Delete of elements according to their keys. key Insert (element) Buckets Hash(key) User Server 11/1/2012 FirstStepsInResearch - H. Levy - CS TAU

21 21 Hash Tables Bucket = one element Collision-> the array is repeatedly probed until an empty bucket is found Bucket = list of elements that were hashed to that bucket Open Hash Closed Hash 11/1/2012 FirstStepsInResearch - H. Levy - CS TAU

22 22 Performance Factors In Attack  While attack is on: Attacker’s operations are CPU intensive  CPU loaded Post Attack:  Loaded Table  insert/delete/search op’s suffer Vulnerability: OPEN vs. CLOSED Traditional Performance: OPEN = CLOSED* What about Vulnerability? OPEN = CLOSED ? ( * when the buckets array of closed hash is twice bigger) 11/1/2012 FirstStepsInResearch - H. Levy - CS TAU

23 23 Attacker strategy (InsStrategy) Strategy:  Insert k elements (cost=budget=k) where all elements hash into the same bucket ( )  Theorem: InsStrategy is Optimal For both performance factors Closed Hash: Cluster Open Hash: One long list of elements Attack Results 11/1/2012 FirstStepsInResearch - H. Levy - CS TAU

24 24 In Attack: Resource Consumption V = Analytic results: Open Hash: Closed Hash: In every malicious insertion, the server has to traverse all previous inserted elements (+ some existing elements) Open Hash Closed Hash V = 11/1/2012 FirstStepsInResearch - H. Levy - CS TAU

25 25 Post Attack: Operation Complexity Open Hash Closed Hash Open Hash: Vulnerability =1 No Post Attack degradation in Open Hash Closed Hash: 11/1/2012 FirstStepsInResearch - H. Levy - CS TAU

26 26 Why Open So Good, Closed So Bad Open Hash Access cost = approximately mean of chain E[C] Closed Hash Access cost = approximately residual life of chain E[C^2]/2E[C] Like in M/G/1 ! 11/1/2012 FirstStepsInResearch - H. Levy - CS TAU

27 27 Post Attack: account for queuing Requests for the server are queued up Vulnerability of the (post attack) Waiting Time? Hash Table Server 11/1/2012 FirstStepsInResearch - H. Levy - CS TAU

28 28 Queue Analysis (M/G/1) Waiting time is proportional to E[S^2] / E[s] S = service time (Random variable) Hash Table Server 11/1/2012 FirstStepsInResearch - H. Levy - CS TAU

29 29 Post Attack Waiting Time Open Hash: Stability Point Service times proportional to chain length E[S] = 1 E[S^2] > 1 Now is VULNERABLE !! OPEN 11/1/2012 FirstStepsInResearch - H. Levy - CS TAU

30 30 Post Attack Waiting Time Drastically more vulnerable No longer stable for Load>48% Stability Point Closed Hash: Closed Hash Service times proportional to chain 2 nd moment: E[S] ~ E[C^2] E[S^2] ~E[C^3] 11/1/2012 FirstStepsInResearch - H. Levy - CS TAU

31 31 Conclusions HASH:  Normal performance: Closed hash = Open Hash  Under attack Closed hash >> Open Hash Malicious Performance:  Need Performance evaluation to account for attacks  Can use the vulnerability metric 11/1/2012 FirstStepsInResearch - H. Levy - CS TAU

32 32 Questions? 11/1/2012 FirstStepsInResearch - H. Levy - CS TAU

Download ppt "1 The Good, The Bad and the Ugly: Network Performance in Malicious Environment Udi Ben-Porat ETH Zurich, Switzerland Anat Bremler-Barr IDC Herzliya, Israel."

Similar presentations

Mitigating Routing Misbehavior in Mobile Ad-Hoc Networks Reference: Mitigating Routing Misbehavior in Mobile Ad Hoc Networks, Sergio Marti, T.J. Giuli,

Mitigating Routing Misbehavior in Mobile Ad-Hoc Networks Reference: Mitigating Routing Misbehavior in Mobile Ad Hoc Networks, Sergio Marti, T.J. Giuli,
Doc.: IEEE 802.11-14/0604r1 Submission May 2014 Slide 1 Modeling and Evaluating Variable Bit rate Video Steaming for 802.11ax Date: 2014-05-12 Authors:

Doc.: IEEE /0604r1 Submission May 2014 Slide 1 Modeling and Evaluating Variable Bit rate Video Steaming for ax Date: Authors:
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
Improving TCP Performance over Mobile Ad Hoc Networks by Exploiting Cross- Layer Information Awareness Xin Yu Department Of Computer Science New York University,

Improving TCP Performance over Mobile Ad Hoc Networks by Exploiting Cross- Layer Information Awareness Xin Yu Department Of Computer Science New York University,
Stability of computer network for the set delay Jolanta Tańcula.

Stability of computer network for the set delay Jolanta Tańcula.
Udi Ben-Porat ETH Zurich Switzerland

Udi Ben-Porat ETH Zurich Switzerland
Hashing21 Hashing II: The leftovers. hashing22 Hash functions Choice of hash function can be important factor in reducing the likelihood of collisions.

Hashing21 Hashing II: The leftovers. hashing22 Hash functions Choice of hash function can be important factor in reducing the likelihood of collisions.
© 2007 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. The Taming of The Shrew: Mitigating.

© 2007 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. The Taming of The Shrew: Mitigating.
On the Exploitation of CDF based Wireless Scheduling Udi Ben-Porat Tel-Aviv University, Israel Anat Bremler-Barr IDC Herzliya, Israel Hanoch Levy ETH Zurich,

On the Exploitation of CDF based Wireless Scheduling Udi Ben-Porat Tel-Aviv University, Israel Anat Bremler-Barr IDC Herzliya, Israel Hanoch Levy ETH Zurich,
Cuckoo Hashing : Hardware Implementations Adam Kirsch Michael Mitzenmacher.

Cuckoo Hashing : Hardware Implementations Adam Kirsch Michael Mitzenmacher.
1 Foundations of Software Design Fall 2002 Marti Hearst Lecture 18: Hash Tables.

1 Foundations of Software Design Fall 2002 Marti Hearst Lecture 18: Hash Tables.
Michael Walfish, Mythili Vutukuru, Hari Balakrishanan, David Karger, Scott Shankar DDos Defense by Offense.

Michael Walfish, Mythili Vutukuru, Hari Balakrishanan, David Karger, Scott Shankar DDos Defense by Offense.
Student : Wilson Hidalgo Ramirez Supervisor: Udaya Tupakula Filtering Techniques for Counteracting DDoS Attacks.

Student : Wilson Hidalgo Ramirez Supervisor: Udaya Tupakula Filtering Techniques for Counteracting DDoS Attacks.
Dynamic Internet Congestion with Bursts Stefan Schmid Roger Wattenhofer Distributed Computing Group, ETH Zurich 13th International Conference On High Performance.

Dynamic Internet Congestion with Bursts Stefan Schmid Roger Wattenhofer Distributed Computing Group, ETH Zurich 13th International Conference On High Performance.
1 Data Persistence in Large-scale Sensor Networks with Decentralized Fountain Codes Yunfeng Lin, Ben Liang, Baochun Li INFOCOM 2007.

1 Data Persistence in Large-scale Sensor Networks with Decentralized Fountain Codes Yunfeng Lin, Ben Liang, Baochun Li INFOCOM 2007.
Dynamic Tuning of the IEEE 802.11 Protocol to Achieve a Theoretical Throughput Limit Frederico Calì, Marco Conti, and Enrico Gregori IEEE/ACM TRANSACTIONS.

Dynamic Tuning of the IEEE Protocol to Achieve a Theoretical Throughput Limit Frederico Calì, Marco Conti, and Enrico Gregori IEEE/ACM TRANSACTIONS.
Hash Tables With Finite Buckets Are Less Resistant to Deletions Yossi Kanizo (Technion, Israel) Joint work with David Hay (Columbia U. and Hebrew U.) and.

Hash Tables With Finite Buckets Are Less Resistant to Deletions Yossi Kanizo (Technion, Israel) Joint work with David Hay (Columbia U. and Hebrew U.) and.
Presented by Prasanth Kalakota & Ravi Katpelly

Presented by Prasanth Kalakota & Ravi Katpelly
Dept. of Computer Science & Engineering, CUHK1 Trust- and Clustering-Based Authentication Services in Mobile Ad Hoc Networks Edith Ngai and Michael R.

Dept. of Computer Science & Engineering, CUHK1 Trust- and Clustering-Based Authentication Services in Mobile Ad Hoc Networks Edith Ngai and Michael R.
Defending Against Low-rate TCP Attack: Dynamic Detection and Protection Haibin Sun John C.S.Lui CSE Dept. CUHK David K.Y.Yau CS Dept. Purdue U.

Defending Against Low-rate TCP Attack: Dynamic Detection and Protection Haibin Sun John C.S.Lui CSE Dept. CUHK David K.Y.Yau CS Dept. Purdue U.

Similar presentations

Ads by Google