Published by Alban Logan. Modified over 9 years ago.
1 Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks
Dr. Anat Bremler-Barr, Efi Arazi School of Computer Science, Interdisciplinary Center, Herzliya
Joint work with Prof. Hanoch Levy (TAU) and Udi Ben-Porat (TAU)
2 Bio: Anat Bremler-Barr
Dr. Anat Bremler-Barr holds a Ph.D. degree (with distinction) in computer science from Tel Aviv University. In 2001 she co-founded Riverhead Networks Inc., a company that provides systems to protect against Denial of Service attacks, and served as its chief scientist. The company was acquired by Cisco Systems in 2004. In 2004 she joined the School of Computer Science at the Interdisciplinary Center Herzliya. Her research interests are in computer networks and distributed computing. Her current work focuses on designing routers and protocols that support efficient and reliable communication.
3 The Interdisciplinary Center
Goal: Israel's first private university
Foundation: 11 years ago
UG and graduate programs, fully accredited, recognized internationally
3,700 students now; the goal is at most 5,000
Located in Herzliya
Non-profit institution; no tax-payer money.
4 Efi Arazi School of Computer Science
5 Agenda
Definition: Sophisticated DDoS Attacks
Classification of Sophisticated Attacks
Why are the systems so vulnerable?
Vulnerability Factor
Sophisticated attacks on Hash
Sophisticated attacks on the Queueing Mechanism
Future Work
6 Distributed Denial of Service
Zombies on innocent computers consume the servers' and the network's resources
Server-level DDoS attacks
Infrastructure-level DDoS attacks
Bandwidth-level DDoS attacks
7 Sophisticated DDoS Attack
Sophisticated DDoS: the attacker sends traffic that hurts a weak point of the system
Goal: sending less traffic while achieving maximum effect
Application oriented vs. network oriented
8 Motivation
1. Reduce the cost of attacks: reduce the number of required zombies; reduce the sophistication needed to coordinate the attack
2. Reduce the amount of traffic, increasing the likelihood that the attack will succeed: going "under the radar" of the DDoS mitigation mechanisms
9 Sophisticated Attacks: Examples
Real-life attacks (commonly used):
SYN attack. Goal: fill the buffer
HTTP server: requesting non-existent pages. Goal: avoid the cache, consume CPU
DB server: requesting hard queries. Goal: avoid the cache, go to disk, consume CPU
10 Classification of Sophisticated Attacks
Based on the weak design point exploited by the attacker:
Worst-Case Exploit: the attacker exploits the worst-case performance of the system, which differs from the average case.
Traffic Pattern Exploit: the attacker exploits the stochastic worst-case traffic pattern to the system.
Protocol Deviation Exploit: the attacker forms his own protocol rules, exploiting the fact that the protocol was designed under the assumption that all users obey its rules.
11 Sophisticated Attacks in the Literature
Worst-Case Exploit: Hash, QuickSort, Regular Expression Parser, Linux Cache
Traffic Pattern Exploit: Reduction of Quality (Admission Control and Load Balancer), TCP Retransmission Mechanism, WFQ
Protocol Deviation Exploit: in our future work
12 Example 1: Data Structures (Worst-Case Exploit)
Denial of Service via Algorithmic Complexity Attacks, Scott A. Crosby and Dan S. Wallach, USENIX 2003
The attacker induces the worst-case behavior on real software.
Pre-condition of the attack: the hash function is publicly known (common).
Hash tables: average case O(1) vs. worst case O(n)
13 Example 1: Solution
Pre-condition of the attack: the hash function is publicly known.
Countermeasures, two options:
1. Keyed hash function
2. Universal hashing
Not commonly used: programmers are reluctant to use them.
Some new papers: still vulnerable.
14 Example 1: Bro Performance under Hash Attack
Bro intrusion detection system [Paxson '98]: a high-performance, open-source IDS. A hash is used by the port-scanning detector.
Attack: carefully chosen source IPs and destination port numbers achieve the worst case of the hash.
A 16 Kbit/second attack slams the CPU in 7 minutes: 60+ seconds of processing latency, 31% drop rate.
(Slides from the complexity attack paper presentation.)
15 Example 2: Attack on Admission Control Mechanism (Traffic Pattern Exploit)
Reduction of Quality (RoQ) Attacks on Internet End-Systems, Mina Guirguis, Azer Bestavros, Ibrahim Matta and Yuting Zhang, INFOCOM 2005
Reduction of Quality attack: the attack targets the adaptation mechanisms by hindering the adaptive component from converging to steady state.
16 Example 2: cont'
A simple admission control sets its admission rate as a function of the utilization of its back-end system.
[figure: Client -> Admission Controller -> Web Server, with admissions, rejections and feedback]
17 Example 2: cont'
The attacker sends a surge of demand, from time to time, for a very short period and pushes the system into overload.
Result: false rejection of traffic.
[figure: Attacker zombies and Client -> Admission Controller -> Web Server, showing overload and rejections]
18 Example 3: Attack on TCP Retransmission (Traffic Pattern Exploit)
Shrews: Low-Rate TCP-Targeted Denial of Service Attacks, A. Kuzmanovic and E. W. Knightly, SIGCOMM 2003
The attacks exploit the timeout mechanism of TCP, resulting in a complete denial of service.
[figure: Shrew]
19 Example 3: cont'
The attacker sends a pulse of traffic.
Multiple losses force TCP to enter the RTO (Retransmission Time Out) mechanism (part of TCP's congestion control).
The attacker periodically repeats the pulse.
When flows attempt to simultaneously exit timeout and enter slow start, the attacker pulses again and forces the flows synchronously back into the timeout state.
[figure: attack traffic vs. time, pulse period minRTO]
20 Multiple Access Protocols (Protocol Deviation Exploit)
Ethernet-like protocol: a shared channel; a set of nodes send and receive frames over the same channel, and only one node can transmit at a time.
Each node runs some type of collision-avoidance algorithm.
Attackers aim to disturb the transmission over the channel as much as possible: they run their own protocol (not obeying the collision-avoidance algorithm).
21 Why are the systems so vulnerable?
Computer and network systems have been designed under the principle that each user aims at maximizing his own performance.
Network operational strategies: optimize operation to the benefit of the overall population.
"DDoS environment": some users aim to degrade the performance of other users.
22 Why are the systems so vulnerable? (cont')
Current status: protocols and systems are quite vulnerable in a DDoS environment.
In crypto terminology, we count "Alice" and "Bob" and forget "Eve", the evil adversary.
We need to make the systems more resilient to attacks (at the expense of efficiency?!)
23 Practical Lessons
While designing new systems, we need to take the sophisticated DDoS attack into consideration:
Attackers may go after your worst-case performance.
Attackers may go after the stochastic worst-case traffic pattern.
Attackers may form their own protocol rules.
24 Our Goal
Understanding the vulnerability of different systems to sophisticated DDoS attacks.
25 The Vulnerability Metric
We need a new metric! Complexity (worst case vs. average) is not enough:
Worst case does not take the cost of the attack into consideration.
Worst-case analysis deals with the most difficult input into the system per user, not the "stochastic worst" case.
Worst-case analysis assumes that all participants follow the protocol rules.
26 Definition of Vulnerability Factor
Vulnerability Factor: the maximal performance degradation (damage) that sophisticated malicious users can inflict using a specific amount of resources (cost), normalized by the performance degradation attributed to regular users using the same resources.
27 Evaluation of DDoS attacks
Attack type | Amount of traffic required to overload the server | Vulnerability factor
DoS (not DDoS): application bug | 1 | Infinity
Basic DDoS: brute force, flooding | A lot | 1
Sophisticated DDoS: hurting the weak point of the system design | | K
28 Sophisticated Attack on Hash Tables
Operations: insert, search and delete of elements according to their keys.
Insert (including search): O(1) on average, O(N) worst case (N elements).
A hash is based on an array of size M, where an entry in the array is called a bucket. The hash function h transforms the key k into an integer that is used as an index to locate a bucket. A collision occurs when two keys are mapped to the same bucket.
Two hash strategies to handle collisions: Closed and Open Hash.
29 Open Hash
Each bucket in the array points to a linked list of the records that were hashed to that bucket.
Load: L = N/M
Insert operation of a new element: L+1 (unsuccessful search)
30 Closed Hash
In a Closed Hash all elements are stored in the array itself.
In the insert operation the array is repeatedly probed until an empty bucket is found.
Load: ...
Insert of a new element: approximately ...
31 Models
The measured performance:
In-Attack Resource Consumption
Post-Attack Operation Complexity
Post-Attack Waiting Time
32 Insert Strategy
The optimal malicious user's strategy (under the various models): performing k insert operations (cost = budget = k) of new elements, where all the inserted elements hash into the same bucket.
33 Insert Strategy Outcome
Open Hash: one long linked list
Closed Hash: a cluster
34 Analytic Results
We compare the vulnerability of the Open and Closed Hash.
Common approach: an Open Hash table with M buckets is performance-wise equivalent to a Closed Hash table with 2M buckets.
We derive the results using analysis of the vulnerability (probabilistic + combinatorial analysis).
We present graphs for M = 500 and k = N, i.e., the additional users double the number of values (k = N).
35 In-Attack Resource Consumption
Open Hash:
Malicious: (L+1) + (L+2) + ... + (L+1+k)
Regular: (L+1) + (L+1+1/M) + ... + (L+1+k/M)
Vulnerability ~ k/2
Closed Hash: same idea + clustering effect
36 Post-Attack Operation Complexity
Open Hash: Vulnerability = 1
Closed Hash: ...
Conclusions: in post-attack degradation, the Closed Hash is much more vulnerable than an Open Hash.
37 Post-Attack Operation Complexity
Open Hash: Malicious = Regular. The insert time = expected length of an arbitrary linked list in the hash + 1 = L + k/M + 1
Closed Hash (cluster):
Regular: ...
Malicious: ~ k*k/2M
Every inserted element that is mapped into a bucket in the cluster (not just specifically the bucket the attackers used) will need to search from its position to the end of the cluster.
38 Post-Attack Operation Complexity
[figures: Closed Hash after regular users; Closed Hash after attackers]
Attackers create the worst state of the Closed Hash.
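To make the hash analysis of slides 32 to 38 concrete, and to show what the keyed-hash countermeasure of slide 13 changes, here is an added simulation; it is not code from the talk or the paper. It assumes M = 500 buckets, N = k = 100 as on slide 34, a constructed public hash (key mod M), and a constructed blake2b keyed hash as the countermeasure; it counts bucket probes as the cost of each insert.

```python
import hashlib, random

M = 500  # number of buckets, as in the slides' graphs
SECRET = b"constructed-secret-key"  # known to the server only

def public_hash(key):
    return key % M  # constructed, publicly known hash: colliding keys are easy to pick

def keyed_hash(key):
    # Keyed hash (slide 13 countermeasure): the bucket depends on a secret the attacker lacks
    d = hashlib.blake2b(key.to_bytes(8, "big"), key=SECRET, digest_size=8).digest()
    return int.from_bytes(d, "big") % M

class OpenHash:  # chaining: each bucket holds a linked list (a Python list here)
    def __init__(self, h):
        self.h, self.b = h, [[] for _ in range(M)]
    def insert(self, key):  # cost = unsuccessful search of the chain + append = L + 1
        chain = self.b[self.h(key)]
        chain.append(key)
        return len(chain)
    def expected_insert_cost(self):  # a fresh regular key hits a uniformly random bucket
        return sum(len(c) + 1 for c in self.b) / M

class ClosedHash:  # linear probing: elements are stored in the array itself
    def __init__(self, h):
        self.h, self.b = h, [None] * M
    def probes(self, start):  # probe to the end of the cluster; the table is never full here
        i, n = start, 1
        while self.b[i] is not None:
            i, n = (i + 1) % M, n + 1
        return i, n
    def insert(self, key):
        i, n = self.probes(self.h(key))
        self.b[i] = key
        return n
    def expected_insert_cost(self):
        return sum(self.probes(s)[1] for s in range(M)) / M

def experiment(table_cls, h, attack, n=100, k=100, seed=1):
    # n regular keys first, then k more keys (budget k); returns (in-attack cost of those
    # k inserts, post-attack expected cost of one regular insert)
    rng = random.Random(seed)
    t = table_cls(h)
    for _ in range(n):
        t.insert(rng.randrange(1 << 40))
    if attack:  # k keys that all collide under the public hash (bucket 7): slide 32 strategy
        keys = [7 + i * M for i in range(1, k + 1)]
    else:       # the same budget spent by regular users: k ordinary keys
        keys = [rng.randrange(1 << 40) for _ in range(k)]
    return sum(t.insert(key) for key in keys), t.expected_insert_cost()

def vulnerability_report():  # rows: who spent the budget of k inserts, and on which hash
    rep = {}
    for name, cls in (("open", OpenHash), ("closed", ClosedHash)):
        for case, (h, a) in {"regular": (public_hash, False), "attack": (public_hash, True),
                             "attack_keyed": (keyed_hash, True)}.items():
            rep[name, case] = experiment(cls, h, a)
    return rep
```

The report reproduces the slides' pattern: in-attack cost is quadratic in k for both tables, the open hash's post-attack cost is identical for attackers and regular users (vulnerability 1) while the closed hash keeps a long cluster, and under the keyed hash the chosen keys behave like ordinary ones.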
39 Queueing
A simple example: the First Come First Served (FCFS) queue. Under this mechanism, attackers "must wait like everyone else" and have no control over their place in the queue.
Even then, attackers can still cause significant damage by using the same resources as regular users.
The strategy of the malicious users is simple: just submit large jobs from time to time.
The vulnerability level of this system is unbounded.
40 Queueing - FCFS
Consider an M/G/1 model with arrival rate ... and service times distributed as a random variable X. The expected waiting time of an arbitrary arrival: ...
Regular users: job size distributed like X
Attackers: send jobs of size ... at rate ..., where k is a parameter of the attack
Budget: ...
Vulnerability: unbounded, ~k (the second moment plays an important role).
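A worked derivation, added here and not part of the slides, of why the FCFS vulnerability grows like k. It uses the Pollaczek-Khinchine formula for the M/G/1 waiting time and assumes (my reading of the garbled slide, consistent with its remark about the second moment) that attackers spend the same budget as regular users by submitting jobs k times larger at 1/k of the rate.

$$W_0 = \frac{\lambda\,E[X^2]}{2(1-\rho)}, \qquad \rho = \lambda\,E[X]$$

Adding a second Poisson stream with rate $\lambda_a$ and job sizes $X_a$ gives

$$W = \frac{\lambda\,E[X^2] + \lambda_a\,E[X_a^2]}{2\,(1 - \rho - \lambda_a E[X_a])}$$

Regular users spending the budget ($\lambda_a = \lambda$, $X_a = X$):

$$W_{reg} = \frac{2\lambda\,E[X^2]}{2(1-2\rho)}$$

Attackers with the same budget ($\lambda_a = \lambda/k$, $X_a = kX$, so $\lambda_a E[X_a] = \rho$ but $\lambda_a E[X_a^2] = k\lambda\,E[X^2]$):

$$W_{att} = \frac{(1+k)\,\lambda\,E[X^2]}{2(1-2\rho)}$$

Vulnerability factor (degradation caused by attackers over degradation caused by regular users with the same budget), valid while $2\rho < 1$:

$$V = \frac{W_{att} - W_0}{W_{reg} - W_0} = \frac{\frac{1+k}{1-2\rho} - \frac{1}{1-\rho}}{\frac{2}{1-2\rho} - \frac{1}{1-\rho}} = k(1-\rho) + \rho$$

$V$ equals 1 for $k = 1$ and grows linearly in $k$, so it is unbounded: the attackers' job size enters the waiting time through the second moment $E[X_a^2] = k^2 E[X^2]$ while their budget only constrains the first moment.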
41 Combining Hash with Queueing
The requests to the hash get queued up in a queue and are then served by the hash table.
Interest in the post-attack effect.
The delay is proportional to the second moment of the chain/cluster length (and not to the first moment).
42 Post-Attack Waiting Time
Open Hash: vulnerable!! (while in the model of Post-Attack Operation Complexity the Open Hash is not vulnerable)
Closed Hash: drastically more vulnerable, resulting from the clusters + the second moment of the hash operation times; no longer stable for N > 237 (the stability point).
43 Post-Attack Waiting Time
[figures: post-attack waiting time for Open Hash and Closed Hash (cluster), regular vs. malicious]
44 Practical Considerations
In hostile environments one can no longer follow the simple approach of relying only on complexity-based rules of operation in order to comply with the performance requirements of a system.
For example, based on traditional performance analysis, one doubles the size of the Closed Hash table (rehashing) when the table reaches 70-80% load. In a hostile environment the rehashing must be done much earlier (in the previous example, at 48% load the Closed Hash is no longer stable).
45 Stability Point
For a specific hash state we can calculate the maximum magnitude of an attack such that the hash remains stable after the attack has ended.
Above this stability point, the state of the hash is such that the arrival rate of regular user operations times their expected processing time is greater than one.
46 Conclusions
The Closed Hash is much more vulnerable to DDoS than the Open Hash, even though the two systems are considered equivalent via traditional performance evaluation.
After the attack has ended, regular users still suffer from performance degradation.
FCFS queueing suffers from high vulnerability.
An application using a hash in the Internet, where there is a queue before the hash, has high vulnerability.
47 Related Work
Definition of sophisticated attacks: suggesting one measurement for all sophisticated attacks.
The alternative measure, Potency [RoQ]: was defined only for RoQ; only counts the performance degradation of a specific attack; meaningless without additional numbers.
Vulnerability: measures the system; is meaningful information based on this number alone.
Analyzing Hash: comparing Closed to Open Hash, also analyzing the post-attack performance degradation.
Analyzing the Queueing mechanism.
48 Future Work
Multiple Access Protocols (Ethernet-like protocol)
Scheduling Algorithms in Wireless Environments
Time Slotted Networks (OFDMA)
49 Questions ?