Download presentation
Presentation is loading. Please wait.
Published byOswald Jefferson Modified over 9 years ago
1
SOS: An Architecture For Mitigating DDoS Attacks Angelos D. Keromytis, Vishal Misra, Dan Rubenstein ACM SIGCOMM 2002 Presented By : Tracy Wagner CDA 6938 April 12, 2007
2
Outline Introduction SOS Architecture Defense Against Attacks Performance Strength Weaknesses Future Work
3
Introduction SOS – Secure Overlay Services Proactively secure communications between known entities against Denial of Service (DoS) Attacks Assumes a pre-determined set of approved clients communicating with a target Focus efforts on a site that stores information that is difficult to replace
4
SOS Architecture Diagram
5
SOS Architecture Target Selects some subset of nodes to act as Secret Servlets Accepts traffic only from Secret Servlet IPs Secret Servlets Verifies authenticity of request to act as Secret Servlet Identifies Beacon Nodes
6
SOS Architecture Beacon Nodes Notified by either Secret Servlets or Target of their role (“Hey, you’re a Beacon!”) Verify validity of information received Forwards traffic received to particular Secret Servlet associated with Target
7
SOS Architecture Secure Overlay Access Point (SOAP) Nodes Authenticates and authorizes request from client to communicate with Target Securely routes all traffic to Target via Beacon nodes
8
Protection Against DoS If an SOAP node is attacked, source point can enter through an alternate SOAP node If a node within the overlay is attacked, the node “exits” and the overlay provides new paths to Beacons No node is more important or sensitive than any other If Secret Servlet is compromised, new subset of Secret Servlets can be chosen
9
Defending Against Attack Security Analysis Assumptions: An attacker knows and can attack overlay nodes Attacker does not know functionality of any given node, and cannot determine it Bandwidth available to launch an attack is limited Attack packets can always be identified as illegitimate traffic Different users access overlay via different SOAPs A node can simultaneously act as a SOAP, Beacon and/or Secret Servlet
10
Defending Against Static Attacks ~40% of nodes must be attacked simultaneously for attack to succeed once out of 10,000 attempts Increasing number of Beacons and Secret Servlets quickly drops probability of successful attack
11
Defending Against Dynamic Attacks Dynamic Attack allows for SOS to self-heal; Attacker can then alter attack in response Centralized vs. Distributed Repair Process Centralized vs. Distributed Attack Process
12
Defending Against Network Attacks Several zombies launch attack on Target Triggered immediately or at some specified time Anonymizing the Attacked Node When Secret Servlet Identity is unknown, attacks randomly launched into overlay Only a fraction of attack traffic will reach appropriate servlet Placing targeted servlet in an overlay of size 30 reduces probability of attack by 4 orders of magnitude
13
Performance Measurement of time-to-completion of https requests Depending upon the number of nodes in the overlay, the time-to-completion increases by a factor of 2-10
14
Performance Shortcut Implementation SOAPs contact Beacon nodes to determine Secret Servlet; cache information and route future traffic from source directly to Servlet Latency increases by as little as a factor of 2
15
Strengths Proactive approach to fighting Denial of Service (DoS) attacks Overlay can self-heal when a participant node is attacked Scalable access control
16
Weaknesses Assumes, for security analysis, that no attack can come from inside the overlay Assumes that an attacker cannot mask illegitimate traffic to appear legitimate To improve scalability, the number of SOAPs, Beacons, and Secret Servlets are limited – which lessens protection from DoS attacks Shortcut implementation does not protect secret information
17
Future Work More details about how repair and attack processes will function Evaluation of damage and attack that can come from inside the overlay Consideration of attack traffic that may be able to pass through overlay Exploration of overlays shared by multiple organizations in a secure manner Investigation of possible shortcuts through the overlay that do not compromise security
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.