Presentation is loading. Please wait.

Presentation is loading. Please wait.

Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks Udi Ben-Porat Tel-Aviv University, Israel Anat Bremler-Barr IDC Herzliya,

Published byJennifer Hood Modified over 9 years ago

Similar presentations

Presentation on theme: "Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks Udi Ben-Porat Tel-Aviv University, Israel Anat Bremler-Barr IDC Herzliya,"— Presentation transcript:

1 Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks Udi Ben-Porat Tel-Aviv University, Israel Anat Bremler-Barr IDC Herzliya, Israel Hanoch Levy ETH Zurich, Switzerland

2 Why are the systems so vulnerable? Computer and network systems have been designed under the assumption that each user aims at maximizing his own performance But in "DDoS environment" - some users aim to degrade the performance of other users. Current Status: Protocols and systems are quite vulnerable in DDOS environment  In Crypto terminology we count "Alice" and "Bob“ and forgot “Eve” the evil adversary U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 2

3 Distributed Denial of Service (DDoS): Consume the servers/network resources Zombies DDoS: Attacker adds users/queries zombies to flood a server Attacker 3 U. Ben-Porat / A. Bremler / H. Levy Infocom 2008

4 Sophisticated DDoS Attack Sophisticated DDoS : Goal: Create maximal damage with limited budget  Damage – Performance degradation Increase errors rate, average delay etc.  Budget – Amount of operations/access allowed Motivation:  Reduce the (efforts and) cost of the attack  Make the attack hard to detect  Allow attacks on limited access servers U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 4

5 Sophisticated Attacks Examples  Simple example: Database server Make hard queries, avoid cache Goal: consume CPU time  Sophisticated attacks in the research: TCP  [TCP] Low-Rate TCP-Targeted Denial of Service Attacks A. Kuzmanovic and E.W.Knightly Sigcomm 2003 Opeh Hash  [OH] Denial of Service via Algorithmic Complexity Attacks Scott A. Crosby and Dan S. Wallach Usenix 2003 Admission Control  [RoQ] Reduction of Quality (RoQ) Attacks on Internet End- Systems Mina Guirguis, Azer Bestavros, Ibrahim Matta and Yuting Zhang Infocom 2005 U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 5

6 6 Study Objective Propose a DDoS Vulnerability performance metric  Vulnerability Measure  To be used in addition to traditional system performance metrics Understanding the vulnerability of different systems to sophisticated attacks This Talk Describe DDoS Vulnerability performance metric Demonstrate metric impact  Hash Table: Very Common in networking  Performance (traditional) : OPEN equivalent CLOSED  Vulnerability analysis: OPEN is better than CLOSED!! U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 6

7 Distributed Denial of Service ( DDoS ) Attacker adds more regular users Loading the server - degrading server performance Server Performance Server Attacker Normal DDoS S. DDoS U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 7

8 Sophisticated DDoS Normal DDoS S. DDoS Server Performance Server Attacker Attacker adds sophisticated malicious users Each user creates maximal damage (per attack budget) U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 8

9 Vulnerability Factor Definition Vulnerability= v means: In terms of performance degradation 1 malicious user equals v regular users Performance Degradation Scales (st = Malicious Strategy) 9 U. Ben-Porat / A. Bremler / H. Levy Infocom 2008

10 Vulnerability Factor Definition Performance After adding (budget =c) After adding (budget=c) Normal DDoS S. DDoS 10 U. Ben-Porat / A. Bremler / H. Levy Infocom 2008

11 Vulnerability Factor – example Example: vulnerability of server serving N users: Vulnerability(k): = 20% / 5% = 4 When allowing k additional users to this system (in an hostile environment), we should be prepared for performance degradation 4 times worse than the expected Add k malicious usersAdd k regular users Attack Type: 20%5% Performance Degradation: U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 11

12 Demonstration of Vulnerability metric: Attack on Hash Tables Hash table is a data structure based on Hash function and an array of buckets. Central component in networks Operations: Insert, Search and Delete of elements according to their keys. key Insert (element) Buckets Hash(key) User Server U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 12

13 13 Hash Tables Bucket = one element Collision-> the array is repeatedly probed until an empty bucket is found Bucket = list of elements that were hashed to that bucket Open Hash Closed Hash Insertion verifies the element does not already exists U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 13

14 Open vs. Closed In Attack vulnerability:  While attack is on: Attacker’s operations are CPU intensive  CPU loaded Post Attack vulnerability :  Loaded Table  insert/delete/search op’s suffer Vulnerability: OPEN vs. CLOSED Performance metrics: OPEN = CLOSED* What about Vulnerability? OPEN = CLOSED ? ( * when the buckets array of closed hash is twice bigger) U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 14

15 Attacker strategy (InsStrategy) Strategy:  Insert k elements (cost=budget=k) where all elements hash into the same bucket ( )  Theorem: InsStrategy is Optimal For both In Attack and Post Attack Closed Hash: Cluster Open Hash: One long list of elements Attack Results U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 15

16 Attack effects: Open vs Closed Open Hash – One long list of elements Closed Hash- Cluster U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 16

17 Analytic Results We compare the vulnerability of the Open and Closed Hash using analysis of the Vulnerability (probability + combinatory analysis) Common approach: Open Hash table with M buckets is performance-wise equivalent to a Closed Hash table with 2M buckets. We present graph: M = 500 and k = N, i.e.,  The additional users (k) double the number of values in the table. U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 17

18 In Attack: CPU Consumption In every malicious insertion, the server has to traverse all previous inserted elements (+ some existing elements) Open Hash Closed Hash Analytic results: Open Hash: Closed Hash: V = Elements (k) V ~ K/2 Malicious insertion ~ K/2 Regular insertion ~ O(1) Vulnerability ~ K/2 U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 18

19 Post Attack: Operation Complexity Open Hash Closed Hash Elements Open Hash: Vulnerability =1 No Post Attack degradation in Open Hash (Only small chance to traverse the malicious list) Closed Hash: Big chance the operation has to traverse part of the big cluster U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 19

20 Post Attack Operation Complexity Open Hash Open Hash This performance parameter is not vulnerable to sophisticated attacks: The complexity is always the average list length (L+k/M+1) regardless of the positions of the k elements Closed Hash- Cluster Closed Hash- Cluster Regular: Malicious: ~ k*k/2M Every insert element which is mapped into a bucket in the Cluster (not just specifically the bucket the attackers used) will need to search from its position to the end of the cluster. U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 20

21 Regular Users  Regular Users: Rate, job size distributed like X Attackers:  Attackers: Send jobs of size at rate whereK parameter of the attack (this increases the second moment of X) Budget:  Budget: Both users use the same budget =  Vulnerability: Unbounded ~k (The  Vulnerability: Unbounded ~k (The second moment of X plays an important role). Consider M/G/1 model with arrival rate and service times distributed as a random variable X. The expected waiting time of an arbitrary arrival: Queueing - FCFS Average Waiting Time = The second moment of X plays an important role U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 21

22 Post Attack: account for queuing Queue holds the requests for the server Waiting Time = (X= service time) Vulnerability of the (post attack) Waiting Time? Hash Table Server Request U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 22

23 Post Attack Waiting Time Open Hash: Vulnerable !! While in the model of Post Attack Operation Complexity the Open Hash is not Vulnerable ! Closed Hash: Drastically more vulnerable: Clusters increase the second moment of the service time Queue becomes unstable Stability Point Elements U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 23

24 Stability Point For N above this stability point, the arrival rate of regular user operations is greater than the expected service rate. For specific Hash state we can calculate the maximum magnitude of an attack so that the Hash remains stable after the attack has ended. U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 24

25 Practical Considerations In hostile environments one can no longer follow the simple approach of relying only on complexity based rules of operations in order to comply with the performance requirements of a system. For example, based on traditional performance  double the size of the Closed Hash table (rehashing) when the table reaches 70¡80% load. In a hostile environment the rehashing must be done much earlier (in the previous example at 48% load the Closed Hash is no longer stable). U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 25

26 Conclusions Closed Hash is much more vulnerable to sophisticated DDoS than Open Hash  In contrast: the two systems are considered equivalent via traditional performance evaluation. After attack ends, regular users still suffer from performance degradation Application using Hash in the Internet, where there is a queue before the hash, has high vulnerability. U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 26

27 Related Work [RoQ] Attack measurement: Potency  Potency measure specific attack  Vulnerability measures the system  Meaningless without additional numbers  Vulnerability is meaningful comparable information based on this number alone [OH] Studies attack only on Open Hash.  Our work is comparing Closed to Open Hash, also analyzing the post attack performance degradation U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 27

28 Questions ? U. Ben-Porat / A. Bremler / H. Levy Infocom 2008 28

Download ppt "Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks Udi Ben-Porat Tel-Aviv University, Israel Anat Bremler-Barr IDC Herzliya,"

Similar presentations

Preliminaries Advantages –Hash tables can insert(), remove(), and find() with complexity close to O(1). –Relatively easy to program Disadvantages –There.

Preliminaries Advantages –Hash tables can insert(), remove(), and find() with complexity close to O(1). –Relatively easy to program Disadvantages –There.
Hash Tables.

Hash Tables.
EISCambridge 2009MoN8 Exploring Markov models for gate-limited service and their application to network-based services Glenford Mapp and Dhawal Thakker.

EISCambridge 2009MoN8 Exploring Markov models for gate-limited service and their application to network-based services Glenford Mapp and Dhawal Thakker.
Lecture 6 Hashing. Motivating Example Want to store a list whose elements are integers between 1 and 5 Will define an array of size 5, and if the list.

Lecture 6 Hashing. Motivating Example Want to store a list whose elements are integers between 1 and 5 Will define an array of size 5, and if the list.
Data Structures Using C++ 2E

Data Structures Using C++ 2E
Stability of computer network for the set delay Jolanta Tańcula.

Stability of computer network for the set delay Jolanta Tańcula.
Software Diversity for Information Security Gaurav Kataria Carnegie Mellon University.

Software Diversity for Information Security Gaurav Kataria Carnegie Mellon University.
Udi Ben-Porat ETH Zurich Switzerland

Udi Ben-Porat ETH Zurich Switzerland
Silberschatz, Galvin and Gagne  2002 Modified for CSCI 399, Royden, 2005 6.1 Operating System Concepts Operating Systems Lecture 19 Scheduling IV.

Silberschatz, Galvin and Gagne  2002 Modified for CSCI 399, Royden, Operating System Concepts Operating Systems Lecture 19 Scheduling IV.
Hashing21 Hashing II: The leftovers. hashing22 Hash functions Choice of hash function can be important factor in reducing the likelihood of collisions.

Hashing21 Hashing II: The leftovers. hashing22 Hash functions Choice of hash function can be important factor in reducing the likelihood of collisions.
Latency-sensitive hashing for collaborative Web caching Presented by: Xin Qi Yong Yang 09/04/2002.

Latency-sensitive hashing for collaborative Web caching Presented by: Xin Qi Yong Yang 09/04/2002.
On the Exploitation of CDF based Wireless Scheduling Udi Ben-Porat Tel-Aviv University, Israel Anat Bremler-Barr IDC Herzliya, Israel Hanoch Levy ETH Zurich,

On the Exploitation of CDF based Wireless Scheduling Udi Ben-Porat Tel-Aviv University, Israel Anat Bremler-Barr IDC Herzliya, Israel Hanoch Levy ETH Zurich,
Small-world Overlay P2P Network

Small-world Overlay P2P Network
Tirgul 10 Rehearsal about Universal Hashing Solving two problems from theoretical exercises: –T2 q. 1 –T3 q. 2.

Tirgul 10 Rehearsal about Universal Hashing Solving two problems from theoretical exercises: –T2 q. 1 –T3 q. 2.
#11 QUEUEING THEORY Systems 303 - Fall 2000 Instructor: Peter M. Hahn

#11 QUEUEING THEORY Systems Fall 2000 Instructor: Peter M. Hahn
11.Hash Tables Hsu, Lih-Hsing. Computer Theory Lab. Chapter 11P.2 11.1 Directed-address tables Direct addressing is a simple technique that works well.

11.Hash Tables Hsu, Lih-Hsing. Computer Theory Lab. Chapter 11P Directed-address tables Direct addressing is a simple technique that works well.
Evaluating Window Joins Over Unbounded Streams By Nishant Mehta and Abhishek Kumar.

Evaluating Window Joins Over Unbounded Streams By Nishant Mehta and Abhishek Kumar.
Sets and Maps Chapter 9. Chapter 9: Sets and Maps2 Chapter Objectives To understand the Java Map and Set interfaces and how to use them To learn about.

Sets and Maps Chapter 9. Chapter 9: Sets and Maps2 Chapter Objectives To understand the Java Map and Set interfaces and how to use them To learn about.
1 CSE 326: Data Structures Hash Tables Autumn 2007 Lecture 14.

1 CSE 326: Data Structures Hash Tables Autumn 2007 Lecture 14.
Hash Tables1 Part E Hash Tables   0 1 2 3 4 451-229-0004 981-101-0002 025-612-0001.

Hash Tables1 Part E Hash Tables  

Similar presentations

Ads by Google