Presentation is loading. Please wait.

Presentation is loading. Please wait.

Protecting Web Servers from Content Request Floods Srikanth Kandula ▪ Shantanu Sinha ▪ Dina Katabi ▪ Matthias Jacob CSAIL –MIT.

Published byMaurice Banks Modified over 9 years ago

Similar presentations

Presentation on theme: "Protecting Web Servers from Content Request Floods Srikanth Kandula ▪ Shantanu Sinha ▪ Dina Katabi ▪ Matthias Jacob CSAIL –MIT."— Presentation transcript:

1 Protecting Web Servers from Content Request Floods Srikanth Kandula ▪ Shantanu Sinha ▪ Dina Katabi ▪ Matthias Jacob CSAIL –MIT

2 The Attack GET LargeFile.zip DO LongDBQuery www.foo.com Hard to detect or counter because malicious requests look normal! Want to protect DB and disk bandwidth, socket buffers, processes, …

3 User Filter A Fairness Problem – Filters Humans Machines Server Resources Solution – Ensure that each human gets equal share Problem – Each machine gets equal share ●●●

4 Establishing Fairness Use Reverse Turing Test Suspected attack! To access www.foo.com enter the above letters:

5 Under attack. Come back later. Give Me www.foo.com Establishing Fairness Use Reverse Turing Test Suspected attack! To access www.foo.com enter the above letters: Under attack. Come back later. BTW, can solve test to access now. Existing SolsOur Solution

6 2 Modes Common case: Server behavior unchanged Normal UnderAttack

7 Solution Overview Verify SYN Cookie SYN Cookie Ignore! SYN HTTP Request SYNACKACK SYN Cookie TCP RST Send Test Server Unchanged Client Other Characteristics:   One test per session   Tests generated offline   Test expires   Replay attacks are harmless   Each answer grants up to 4 TCPs   Can’t attack by duplicating answers No connection until test answered

8 Solution Overview SYN RECV State Establish Connection SYNACKACK HTTP Request HTTP Response SYNACK SYN Client Server N/W StackApp Server Vulnerable to SYN Floods

9 Solution Overview Create Cookie Establish Connection SYNACKACK HTTP Request HTTP Response SYN Cookie SYN Client Server N/W StackApp Server Common Case Verify Cookie RST SYNACKACK HTTP Request Send Test SYN Cookie SYN Create Cookie Ignore Server N/W StackApp Server Client Send out a test from memory

10 Solution Overview Create Cookie Establish Connection SYNACKACK HTTP Request HTTP Response SYN Cookie SYN Client Server N/W StackApp Server Verify Cookie & Answer SYNACKACK Test Answer SYN Cookie SYN Create Cookie Ignore Client Server N/W StackApp Server HTTP Response Common CaseGrant access if answer is correct Tests are generated offline

11 Verify Cookie RST SYNACKACK HTTP Request Send Test SYN Cookie SYN Solution Overview Server behavior unchanged (Common case)   Create session after a correct answer   Up to 4 TCP connections per answer   One test per browsing session   Tests generated offline Create Cookie Ignore Client Server N/W StackApp Server

12 Solution Overview Server behavior unchanged (Common case)   Create session after a correct answer   Up to 4 TCP connections per answer   One test per browsing session   Tests generated offline Verify Cookie & Answer SYNACKACK Test Answer SYN Cookie SYN Create Cookie Ignore Client Server N/W StackApp Server HTTP Response

13 Extra – What If? User doesn’t want to solve the test? Attacker distributes a few answers to all worms? Each test allows access to limited resources Give Me www.foo.com Under attack. Come back later. BTW, solve the test to access now. Under attack. Come back later.

14  None when there is no attack  Under attack, per new-client overhead Two hashes In-kernel HTTP header parse Fetch two data packets from memory and transmit Extra System Overhead

15  Time constraints  Harder resource constraints Even a TCP connection cannot be established before test is answered  Other Preserve TCP / HTTP semantics Maintain HTTP sessions Support caches and web farms Yahoo/Hotmail method is not sufficient! Extra – Requirements

16 Extra Fairness  Problem – A single human attacker uses more server resources than a human user  Insight – Each machine gets equal share  Solution – Each human user gets a fair share DB Query Large File

17 Extra - Our Approach Reverse Turing Test to distinguish humans from machines Limits an attack to the number of human attackers [screenshot of yahoo image test] used by yahoo to prevent hard disk space utilization

18  Attacker spreads a worm  Worm floods server with requests for large files or database queries worker processes/threads, socket buffers database and disk bandwidth Hard to detect or counter because malicious requests look normal! Extra - The Attack

19  Cryptographic Client puzzles Computation power is cheap in DDoS attacks  IP source filtering AOL clients use same IP address pool Extra - Better than

20 Extra - Our Objective  Build a practical system to mitigate these attacks Unmodified clients Unmodified server software Deployable today

21 Establishing Fairness Use Reverse Turing Test Suspected attack! To access www.foo.com enter the above letters: Different from Prior Work   Crypto puzzles are easy since computation power is cheap   Yahoo! only protects disk space during account creation   We want to receive requests, deliver puzzles, validate answers before establishing a TCP connection

22 Establishing Fairness Use Reverse Turing Test Suspected attack! To access www.foo.com enter the above letters: Give Me www.foo.com BTW, solve the test to access now. Under attack. Come back later. BTW, solve the test to access now. Users who Solve a Test can access the server Under attack. Come back later. Yahoo uses RTT to protect disk space We receive requests, serve tests, validate answers before establishing a TCP connection

Download ppt "Protecting Web Servers from Content Request Floods Srikanth Kandula ▪ Shantanu Sinha ▪ Dina Katabi ▪ Matthias Jacob CSAIL –MIT."

Similar presentations

Securing Passwords against Dictionary Attacks

Securing Passwords against Dictionary Attacks
SPATor: Improving Tor Bridges with Single Packet Authorization Paper Presentation by Carlos Salazar.

SPATor: Improving Tor Bridges with Single Packet Authorization Paper Presentation by Carlos Salazar.
Chapter 17: WEB COMPONENTS

Chapter 17: WEB COMPONENTS
CSC 774 Advanced Network Security

CSC 774 Advanced Network Security
TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.

TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
Chapter 2: Application Layer

Chapter 2: Application Layer
SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.

SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
1 CCNA 2 v3.1 Module 10. 2 Intermediate TCP/IP CCNA 2 Module 10.

1 CCNA 2 v3.1 Module Intermediate TCP/IP CCNA 2 Module 10.
Kill-Bots: Surviving DDoS Attacks That Mimic Legitimate Browsing Srikanth Kandula Dina Katabi, Matthias Jacob, and Arthur Berger.

Kill-Bots: Surviving DDoS Attacks That Mimic Legitimate Browsing Srikanth Kandula Dina Katabi, Matthias Jacob, and Arthur Berger.
1 Securing Passwords Against Dictionary Attacks Base on an article by Benny Pinkas & Tomas Sander 2002 Presented by Tomer Conforti.

1 Securing Passwords Against Dictionary Attacks Base on an article by Benny Pinkas & Tomas Sander 2002 Presented by Tomer Conforti.
Detecting SYN Flooding Attacks Haining Wang, Dandle Zhang, Kang G. Shin Presented By Hareesh Pattipati.

Detecting SYN Flooding Attacks Haining Wang, Dandle Zhang, Kang G. Shin Presented By Hareesh Pattipati.
Application Layer  We will learn about protocols by examining popular application-level protocols  HTTP  FTP  SMTP / POP3 / IMAP  Focus on client-server.

Application Layer  We will learn about protocols by examining popular application-level protocols  HTTP  FTP  SMTP / POP3 / IMAP  Focus on client-server.
Network Attacks. Network Trust Issues – TCP Congestion control – IP Src Spoofing – Wireless transmission Denial of Service Attacks – TCP-SYN – Name Servers.

Network Attacks. Network Trust Issues – TCP Congestion control – IP Src Spoofing – Wireless transmission Denial of Service Attacks – TCP-SYN – Name Servers.
Lecture 15 Denial of Service Attacks

Lecture 15 Denial of Service Attacks

Similar presentations

Ads by Google