1 DDoS Defense by Offense. Walfish, M., Vutukuru, M., Balakrishnan, H., Karger, D. (MIT) and Shenker, S. (UC Berkeley), SIGCOMM ’06. Presented by Ivanka Todorova for CSCE 715

2 Outline
- Introduction
- Applicability
- Design
- Implementation
- Evaluation
- Concerns
- Conclusions
- Questions

3 Introduction

4 Overview
- Defense against application-level distributed denial-of-service (DDoS) attacks
- A way of dealing with the attack as it occurs, not a prevention mechanism

5 Overview (figure: without Speak-up vs. with Speak-up)

6 Application-level DDoS?
- Many Internet servers have “open clientele”
- Appeal over a classic ICMP link flood: it requires far less bandwidth, and the attack is “in-band”
- Bots attack web sites by using computationally expensive requests

7 Application-level DDoS
- Current defenses focus on slowing down or stopping the attack
- Good clients are crowded out by these defense systems
- They need a mechanism to speak up while the server is under attack

8 Taxonomy of Defenses
- Over-provision massively
- Detect and block (with its disadvantages): profiling, CAPTCHA-based defenses, capabilities
- Charge all clients in a currency

9 Speak-up
- A currency-based defense, with bandwidth as the currency
- The central mechanism is the server front-end, the thinner
- The thinner protects the server from overload and performs encouragement in the form of a virtual auction

10 Applicability

11 Questions
- How much aggregate bandwidth does the legitimate clientele need for speak-up to be effective?
- How much aggregate bandwidth does the legitimate clientele need for speak-up to leave them unharmed by an attack?
- Couldn’t small Web sites, even if defended by speak-up, still be harmed?
- Because bandwidth is a communal resource, doesn’t the encouragement to send more traffic damage the network?

12 Conditions to Make it Work
- Adequate link bandwidth
- Adequate client bandwidth

13 Conditions to Win over Other Defenses
- No pre-defined clientele
- Non-human clientele
- Unequal requests, spoofing or smart bots

14 Design

15 Design Goal
- Allocate resources to competing clients in proportion to their bandwidths
- If this goal is met, modest over-provisioning is enough to satisfy good clients
- Idealized server provisioning requirement

16 Required Mechanisms
- Limiting requests to the server to c per second
- Revealing the available bandwidth
- Proportional allocation

17 Variations of Speak-up: Random Drops and Aggressive Retries
- Drop requests at random to reduce the rate to c
- Clients send repeated retries
- The thinner admits incoming requests with some probability p
- The price for access, r, is the number of retries

18 Variations of Speak-up
- Why not enforce one outstanding retry per client? Because of spoofing and NAT
- Two cases to consider: good clients can afford the price, or good clients cannot afford the price, in which case they do not get service at rate g
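An added model of the random-drops variant and of the two cases on slide 18 (example code written for this transcript, not from the paper or the presenter). It assumes that a client's "bandwidth" is the number of request attempts per second it can push, and that the thinner picks p so the admitted rate equals c; the client names and rates are constructed.

```python
def random_drops(offered, c):
    """Random-drops variant: the thinner admits each incoming request with a
    probability p chosen so that the admitted rate equals the capacity c.

    offered: {client: request attempts per second the client can push}
    Returns (p, expected attempts per admitted request, {client: admitted req/s}).
    The slide's price r counts retries, i.e. one less than the attempts figure.
    """
    total = sum(offered.values())
    p = min(1.0, c / total)                 # no drops while the offered load fits
    attempts_per_admission = 1.0 / p        # each try succeeds with probability p
    admitted = {cl: rate * p for cl, rate in offered.items()}
    return p, attempts_per_admission, admitted

def good_clients_served(offered, c, good, g):
    """Slide 18's two cases: each good client needs g requests/s, so it must be
    able to push g * attempts_per_admission attempts/s; otherwise it is priced out."""
    _, cost, _ = random_drops(offered, c)
    return all(offered[cl] >= g * cost for cl in good)

# constructed load: two good clients that can push 10 attempts/s and need g = 2
# requests/s each, against one bad client pushing 80 attempts/s
OFFERED = {"good1": 10.0, "good2": 10.0, "bad": 80.0}
GOOD = ["good1", "good2"]

if __name__ == "__main__":
    for c in (10, 25):
        p, cost, admitted = random_drops(OFFERED, c)
        print(c, p, cost, admitted, good_clients_served(OFFERED, c, GOOD, 2.0))
```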

19 Variations of Speak-up: Explicit Payment Channel
- When the server is overloaded, a requesting client opens a separate payment channel
- A contending client sends a stream of bytes on this channel
- The thinner tracks how many bytes each contending client sends

20 Variations of Speak-up
- The server notifies the thinner when it is ready for a new request
- The thinner holds a virtual auction
- Two main differences with the previous scheme
- The choice of scheme depends on the application

21 Robustness to Cheating
- Theorem: in a system with regular service intervals, any client that continuously transmits an ε fraction of the average bandwidth received by the thinner gets at least an ε/2 fraction of the service, regardless of how the bad clients time or divide up their bandwidth
- Assumption: requests are served with perfect regularity, i.e. every 1/c seconds
- True regardless of the service rate c
- Theory vs. practice
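An added simulation of the explicit payment channel and virtual auction (slides 19 and 20) that also checks the ε/2 claim of slide 21 (example code written for this transcript, not the paper's thinner). It assumes the thinner admits the contender that has sent the most bytes since its last admission and resets that count on admission, that service is perfectly regular every 1/c seconds, and that every client streams continuously; the client names and bandwidths are constructed.

```python
def run_auction(bandwidths, c, duration):
    """Simulate the explicit payment channel with a virtual auction.

    bandwidths: {client: bytes/s the client streams on its payment channel}
    c: server capacity in requests/s, so the thinner auctions every 1/c s
    duration: seconds to simulate
    Returns {client: requests admitted}.
    """
    slot = 1.0 / c
    paid = {cl: 0.0 for cl in bandwidths}   # bytes sent since last admission
    served = {cl: 0 for cl in bandwidths}
    for _ in range(int(duration * c)):
        for cl, bw in bandwidths.items():    # every contender keeps streaming
            paid[cl] += bw * slot
        winner = max(paid, key=paid.get)     # server ready: highest bidder wins
        served[winner] += 1
        paid[winner] = 0.0                   # admission costs the accumulated bytes
    return served

def shares(counts):
    """Each client's fraction of the total (of bandwidth or of service)."""
    total = sum(counts.values())
    return {cl: n / total for cl, n in counts.items()}

def guarantee_holds(bandwidths, served):
    """Slide 21's claim: a client sending an eps fraction of the bandwidth the
    thinner receives gets at least an eps/2 fraction of the service."""
    bw, sv = shares(bandwidths), shares(served)
    return all(sv[cl] >= bw[cl] / 2 for cl in bandwidths)

# constructed scenario: two good clients at 1.2 Mbit/s, one bad client at 5 Mbit/s
BANDWIDTHS = {"good1": 150_000, "good2": 150_000, "bad": 625_000}

if __name__ == "__main__":
    result = run_auction(BANDWIDTHS, c=100, duration=10)
    print(result, shares(result), guarantee_holds(BANDWIDTHS, result))
```

With these numbers the bad client holds about 68% of the bandwidth and wins about 60% of the 1000 auctions, so the goods end up slightly above their bandwidth-proportional share and well above the ε/2 floor.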

22 Heterogeneous Requests
- If all requests are treated equally, an attacker can get a disproportionate share of the server by sending only the hardest requests
- “Hardness” of a computation
- The thinner breaks time into quanta
- Each request is seen as comprising equal-sized chunks

23 Heterogeneous Requests
- If a client’s request is made of x chunks, the client must win x auctions for one request
- The thinner extracts an on-going payment until the request completes
- The thinner can SUSPEND, RESUME, and ABORT requests

24 Heterogeneous Requests
- The thinner holds a virtual auction for every quantum
- v is the currently active request and u is the contending request that has paid the most
- If u has paid more than v
- If v has paid more than u
- Time out and ABORT any request that has been SUSPENDED for some period
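An added per-quantum scheduler for heterogeneous requests (slides 22 to 24), written for this transcript rather than taken from the paper. It assumes that winning a quantum resets the winner's payment while the loser keeps accumulating, that a client keeps paying while its request is ACTIVE or SUSPENDED, and that a request SUSPENDED for more than `timeout` quanta is ABORTED; the requests in `scenario` are constructed.

```python
from dataclasses import dataclass

@dataclass
class Request:
    client: str
    chunks: int             # hardness: quanta of server time the request needs
    rate: float             # bytes the client streams per quantum while contending
    paid: float = 0.0       # bytes sent since the request last won a quantum
    done: int = 0           # chunks already served
    idle: int = 0           # consecutive quanta spent SUSPENDED
    state: str = "WAITING"  # WAITING, ACTIVE, SUSPENDED, DONE or ABORTED

def run_quanta(reqs, quanta, timeout):
    """Hold one virtual auction per quantum between the active request v and the
    contender u that has paid the most; returns the client served in each quantum."""
    served, v = [], None
    for _ in range(quanta):
        for r in reqs:
            if r.state in ("WAITING", "SUSPENDED", "ACTIVE"):
                r.paid += r.rate        # on-going payment until the request completes
        contenders = [r for r in reqs if r.state in ("WAITING", "SUSPENDED")]
        u = max(contenders, key=lambda r: r.paid, default=None)
        if u is not None and (v is None or u.paid > v.paid):
            if v is not None:
                v.state = "SUSPENDED"   # u has outbid v: SUSPEND v
            v = u
            v.state, v.idle = "ACTIVE", 0   # start or RESUME u
        if v is None:                   # nobody is contending, the server idles
            served.append(None)
            continue
        v.paid = 0.0                    # the quantum costs v its accumulated payment
        v.done += 1
        served.append(v.client)
        if v.done == v.chunks:
            v.state = "DONE"
            v = None
        for r in reqs:                  # time out and ABORT long-suspended requests
            if r.state == "SUSPENDED":
                r.idle += 1
                if r.idle > timeout:
                    r.state = "ABORTED"
    return served

def scenario(timeout):
    """Constructed case: an attacker's hard 8-chunk request contends with two
    good clients' short requests. Returns (served log, {client: final state})."""
    reqs = [Request("good1", 1, 3.0), Request("good2", 2, 3.0), Request("bad", 8, 4.0)]
    log = run_quanta(reqs, 11, timeout)
    return log, {r.client: r.state for r in reqs}
```

`scenario(5)` shows the short requests completing in the first five quanta while the hard request is repeatedly suspended and resumed; `scenario(0)` shows the hard request being aborted the first time it is suspended.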

25 Implementation

26 How it Works
- Any JavaScript-capable Web browser can use the system
- The thinner returns HTML to the client with the server’s response
- When the server is not free, the thinner returns JavaScript to the Web client that causes it to automatically issue two HTTP requests

27 Evaluation

28 Setup and Method
- Each client’s requests are driven by a Poisson process of rate λ requests/s
- A client never allows more than a configurable number w (the window) of outstanding requests
- If more than w requests are outstanding, the client puts the new request in a backlog queue
- If a request is in this queue for more than 10 seconds, it times out

29 Setup and Method
- This model describes the behavior of both good and bad clients
- Bad clients send requests faster and have concurrent requests
- Good client: λ = 2, w = 1
- Bad client: λ = 40, w = 20
- Experiments run with 50 clients, each with 2 Mbits/s of access bandwidth (B + G = 100 Mbits/s)

30 Experiments
- Validating the Thinner’s Allocation
- Speak-up’s Latency and Byte Cost
- Adversarial Advantage
- Heterogeneous Network Conditions
- Good and Bad Clients Sharing a Bottleneck
- Impact of Speak-up on Other Traffic

31 Validating the Thinner’s Allocation
- Question 1: Do clients get service in proportion to bandwidth?
- 50 clients connect to the thinner over a 100 Mbits/s LAN, each with 2 Mbits/s of bandwidth
- The fraction of good clients varies, and the server’s capacity is c = 100 requests/s

32 Validating the Thinner’s Allocation (figure)

33 Validating the Thinner’s Allocation
- Question 2: What happens when we vary the capacity of the server?
- The idealized requirement is the minimum value of c at which all good clients get service, if speak-up is deployed and if speak-up allocates the server in proportion to bandwidth
- 25 good and 25 bad clients, each with a bandwidth of 2 Mbits/s
- c = 50, 100, 200

34 Validating the Thinner’s Allocation (figure)

35 Latency Cost
- Same setup as the last experiment: c varies, 50 clients, G = B = 50 Mbits/s

36 Latency Cost (figure)

37 Byte Cost
- The “Upper Bound” plot shows the theoretical average price, (G + B)/c

38 Byte Cost (figure)

39 Adversarial Advantage
- Question: What is the minimum value of c at which all of the good demand is satisfied?
- Experiment with the same conditions as above (G = B = 50 Mbits/s; 50 clients) but for more values of c
- All of the good demand is satisfied at c = 115, only 15% more than the idealized requirement of slide 33
- Conclusion

40 Heterogeneous Network Conditions
- Investigate the server’s allocation for different client bandwidths
- Assign 50 clients to 5 categories
- The 10 clients in category i (1 ≤ i ≤ 5) have bandwidth 0.5i Mbits/s and connect to the thinner over a LAN
- All clients are good
- Server’s capacity c = 10 requests/s

41 Heterogeneous Network Conditions (figure)

42 Heterogeneous Network Conditions
- Now look at the effect of varied RTT
- Each request has at least one quiescent period, the length of which depends on the RTT
- Assign 50 clients to 5 categories
- The 10 clients in category i (1 ≤ i ≤ 5) have RTT = 100i ms
- Each has bandwidth 2 Mbits/s, and c = 10 requests/s
- Two cases: all clients good and all clients bad

43 Heterogeneous Network Conditions (figure)

44 Good and Bad Clients Sharing a Bottleneck
- 30 clients, each with a bandwidth of 2 Mbits/s, connect to the thinner through a common link l
- The bandwidth of l is 40 Mbits/s; the clients behind it generate 60 Mbits/s
- 10 good and 10 bad clients, each with bandwidth 2 Mbits/s, connect to the thinner directly through a LAN
- Server’s capacity c = 50 requests/s
- Vary the number of good and bad clients behind l

45 Good and Bad Clients Sharing a Bottleneck (figure)

46 Good and Bad Clients Sharing a Bottleneck
- The clients behind l together capture half of the server’s capacity
- “Bottleneck service” is the portion of the server captured by all clients behind l
- Good clients get less than the bandwidth-proportional allocation because bad clients “hog” l
- The effect on good clients is more pronounced when the bottleneck’s bandwidth is a smaller fraction of the clients’ combined bandwidth

47 Impact of Speak-up on Other Traffic
- What happens when a TCP endpoint, H, shares a bottleneck link, m, with clients that are currently uploading dummy bytes?
- When H is a TCP sender
- When H is a receiver
- For request-response protocols like HTTP

48 Impact of Speak-up on Other Traffic
- Experiment with H as a receiver and investigate the effects on an HTTP download
- 10 good speak-up clients share a bottleneck link, m, with H, a host that runs the HTTP client wget
- m has a bandwidth of 1 Mbit/s and a one-way delay of 100 ms
- Each of the 11 clients has a bandwidth of 2 Mbits/s
- A thinner fronts a server with c = 2 requests/s, and there is a separate Web server, S

49 Impact of Speak-up on Other Traffic (figure)

50 Impact of Speak-up on Other Traffic
- Download times inflate considerably
- However, this experiment is very pessimistic: large RTTs, a highly restrictive bottleneck bandwidth (20x smaller than demand), low server capacity
- Obviously, speak-up is the exacerbating factor, but it will not have the same effect on every link

51 Concerns

52 Concerns
- Bandwidth envy
- Variable bandwidth costs
- Incentives for ISPs
- Solving the wrong problem
- Flash crowds

53 Conclusions

54 Conclusions
- Main advantages
- Main disadvantages

55 Questions?
