Countering DoS Attacks with Stateless Multipath Overlays


Countering DoS Attacks with
Stateless Multipath Overlays
Presented by Yan Zhang
1
2009-03-16
Overview
- Background
- Problem formulation
- Architecture
- Implementation
- Evaluation
DDoS Attack
Distributed Denial of Service: an attacker is able to recruit a number of hosts (zombies) throughout the Internet to launch an attack upon the target simultaneously or in a coordinated fashion.
Typical DDoS: SYN flood attack, ICMP attack
DDoS Attack - Direct (figure)

DDoS Attack - Indirect (figure)
Overlay Network
Overlay network: a computer network which is built on top of another network.
Nodes in the overlay can be thought of as being connected by virtual or logical links, each of which corresponds to a path, perhaps through many physical links, in the underlying network.
IP network as an overlay network (figure)
Overlay network & Benefits
Purpose: to implement a network service that is not available in the existing network
-- Routing, Addressing, Security, Multicast, Mobility
Benefits:
1. Do not have to deploy new equipment, or modify existing software/protocols
2. Do not have to deploy at every node
Overview: Problem formulation
Traditional ION
Traditional Indirection-based Overlay Network (ION) methods (like SOS, MayDay) make two assumptions:
- An attack on a fixed and bounded set of overlay nodes can only affect a small fraction of users
- The attacker cannot eavesdrop on links inside the network
Problem
Traditional IONs have weaknesses:
- Targeted attack: the attacker can follow the client's connection and bring down the nodes the client tries to connect to.
- Sweep attack: degrade the connection by bringing down a portion of the overlay nodes at a time.
Related work
SOS (Keromytis et al.)
-- Suggested using an overlay network to route traffic from legitimate users to a secret node
Stateless flow filter (Xuan et al.)
-- By adding capabilities to packets
Ticket mechanism (Gligor)
-- Clients must obtain tickets before they are allowed to access the protected service
Overview: Architecture
Spread-spectrum
- Electromagnetic energy generated in a particular bandwidth is deliberately spread in the frequency domain, resulting in a signal with a wider bandwidth.
- CDMA is a typical spread spectrum communication.
Intuition
To prevent the "following" attack: by adopting a "spread spectrum" approach, the client spreads its packets randomly across all access points.
To verify authenticity: use a token, at the expense of bandwidth.
Attack models
Sweep attack: without internal knowledge of the system, blindly sweep all nodes
--- TCP SYN, ICMP flooding etc.
--- Like radio jamming on all channels
Targeted attack: the attacker knows which overlay node a client is using. More sophisticated.
--- Like eavesdropping on and jamming the target frequency
Traffic spreading issues
Spread the packets from clients across all overlay nodes in a pseudo-random manner.
A random attack will only cause a fraction of the packets to be lost.
Duplicate the packets or use forward error correction to recover the loss.
Traffic Spreading (figure)
Key and ticket establishment Protocol
Randomly redirect the authentication:
- The client sends a packet to a random overlay node.
- The receiving node forwards the request to another random overlay node.
- The attacker could not determine which nodes to target.

Key and ticket establishment Protocol (continued)
- A single round-trip only uses the first and last connection (from A to D).
- Two round-trips guarantee liveness.

Client-Overlay communication protocol (figure)
Key and ticket establishment Protocol (continued)
To avoid reuse of the same ticket by multiple DDoS zombies, the range of valid sequence numbers for the ticket is kept relatively small (e.g., 500 packets).
The ticket is bound to the client's IP,
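As an added illustration of the ticket checks this slide describes (not code from the talk or from the original paper's implementation), the following Python sketch issues a ticket bound to the client's IP with a bounded sequence-number window and an expiry, and shows the stateless check an overlay node can run on every packet. The ticket field layout, the shared overlay secret, the truncated HMAC-SHA256 tag and the renew_ticket helper (covering the renewal step the Implementation slides describe later) are assumptions of this example, not details taken from the slides.

```python
import hmac
import hashlib
import struct

# Constructed secret shared by all overlay nodes (assumption: provisioned
# out of band in a real deployment; a fixed test value here).
OVERLAY_SECRET = b"constructed-overlay-secret-for-demo"

# Ticket body layout (assumed for this example):
# client IPv4 address, session-key id, first valid seq, last valid seq, expiry.
TICKET_FMT = "!4sIIII"
TAG_LEN = 16
MAX_SEQ_WINDOW = 500  # slide: keep the valid sequence-number range small


def _tag(body: bytes) -> bytes:
    """Truncated HMAC-SHA256 over the ticket body under the overlay secret."""
    return hmac.new(OVERLAY_SECRET, body, hashlib.sha256).digest()[:TAG_LEN]


def issue_ticket(client_ip: bytes, key_id: int, first_seq: int,
                 last_seq: int, expiry: int) -> bytes:
    """Build a ticket bound to client_ip, valid for sequence numbers
    first_seq..last_seq (at most MAX_SEQ_WINDOW of them) until `expiry`."""
    if not 0 <= first_seq <= last_seq:
        raise ValueError("bad sequence range")
    if last_seq - first_seq + 1 > MAX_SEQ_WINDOW:
        raise ValueError("sequence window too large for one ticket")
    body = struct.pack(TICKET_FMT, client_ip, key_id, first_seq, last_seq, expiry)
    return body + _tag(body)


def verify_ticket(ticket: bytes, src_ip: bytes, seq: int, now: int) -> str:
    """Stateless per-packet check an overlay node performs. Returns "ok" or
    the reason for rejection. No per-client state is kept, so any node can
    verify any ticket, which is what lets the client spread its packets."""
    if len(ticket) != struct.calcsize(TICKET_FMT) + TAG_LEN:
        return "malformed"
    body, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(body)):
        return "bad-mac"           # forged or tampered ticket
    ip, _key_id, first_seq, last_seq, expiry = struct.unpack(TICKET_FMT, body)
    if ip != src_ip:
        return "ip-mismatch"       # ticket copied to another host (zombie)
    if now > expiry:
        return "expired"
    if not first_seq <= seq <= last_seq:
        return "seq-out-of-range"  # window exhausted: bounded packets per ticket
    return "ok"


def renew_ticket(ticket: bytes, new_expiry: int) -> bytes:
    """Renewal phase: re-issue with the same client binding and session-key id
    but a later sequence window (larger max sequence number) and expiry."""
    body = ticket[:-TAG_LEN]
    if not hmac.compare_digest(ticket[-TAG_LEN:], _tag(body)):
        raise ValueError("refusing to renew an invalid ticket")
    ip, key_id, _first, last_seq, _expiry = struct.unpack(TICKET_FMT, body)
    first_seq = last_seq + 1
    return issue_ticket(ip, key_id, first_seq, first_seq + MAX_SEQ_WINDOW - 1,
                        new_expiry)
```

The check deliberately keeps no per-packet replay table: because the client spreads its packets over many nodes, no single node sees the whole sequence-number space anyway, and the combination of IP binding, a short expiry and a window of at most 500 sequence numbers is what bounds how much traffic a leaked ticket can inject.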
Overview: Implementation
Implementation
Connection Establishment Phase
-- As described in the protocol part
-- Establish session key and ticket
-- Usually two round-trips
Implementation
Packet Transmission Phase
-- The client computes the index into the sorted list of overlay-node IPs as:
   index = UMAC(Ku XOR sequence number) mod n
Ticket Renewal Phase
-- When a valid ticket is about to expire, the overlay node issues a new ticket with the same session key but a larger maximum sequence number.
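As an added example (not code from the talk or from the paper's implementation), the following Python sketch implements the per-packet index computation above, uses it to spread replicated packets over n overlay nodes, and measures what fraction of packets still get through when a sweep attack takes down a random subset of nodes. HMAC-SHA256 keyed with Ku standing in for UMAC, the sub-sequence mapping used for replicas, the session-key value and the simulation parameters are all assumptions of this example.

```python
import hmac
import hashlib
import random

MAX_REPLICATION = 8  # constructed stride for replica sub-sequence numbers


def node_index(ku: bytes, seq: int, n: int) -> int:
    """Slide formula: index = UMAC(Ku XOR sequence number) mod n.
    Assumption for this example: HMAC-SHA256 keyed with Ku over the
    sequence number stands in for UMAC; any keyed PRF gives the property
    that matters, namely that without Ku the next node is unpredictable."""
    tag = hmac.new(ku, seq.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(tag[:8], "big") % n


def replica_nodes(ku: bytes, seq: int, n: int, replication: int) -> set:
    """Overlay nodes that receive copies of packet `seq`. Constructed scheme:
    copy j of packet seq uses sub-sequence number seq*MAX_REPLICATION + j, so
    copies are spread independently (they may still collide on one node)."""
    return {node_index(ku, seq * MAX_REPLICATION + j, n)
            for j in range(replication)}


def delivery_rate(ku: bytes, n: int, packets: int, replication: int,
                  down: set) -> float:
    """Fraction of packets with at least one copy reaching a live node when
    the nodes in `down` have been knocked out by a sweep."""
    delivered = sum(
        1 for seq in range(packets)
        if replica_nodes(ku, seq, n, replication) - down
    )
    return delivered / packets


def expected_rate(down_fraction: float, replication: int) -> float:
    """Idealised loss model: a packet is lost only if every copy lands on a
    downed node, so delivery is about 1 - f^r (ignores copies colliding)."""
    return 1.0 - down_fraction ** replication


def simulate(n=100, packets=2000, down_fraction=0.5, replications=(1, 2, 3),
             seed=1) -> dict:
    """Knock out a random down_fraction of n nodes and measure delivery for
    each replication factor against the same attack set."""
    ku = b"constructed-session-key-Ku"  # session key from the ticket phase
    rng = random.Random(seed)
    down = set(rng.sample(range(n), int(n * down_fraction)))
    return {r: delivery_rate(ku, n, packets, r, down) for r in replications}


if __name__ == "__main__":
    for r, rate in simulate().items():
        print(f"replication={r}: delivered {rate:.3f} "
              f"(model {expected_rate(0.5, r):.3f})")
```

With half the overlay down, one copy per packet delivers roughly half the traffic, while three copies deliver close to 1 - 0.5^3 = 0.875 of it, which is the effect the evaluation slides describe: a modest replication factor absorbs an attack that removes a large random fraction of nodes, and because the node choice is a keyed function of the sequence number, an attacker without Ku cannot predict which node the next packet will use.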
Overview: Evaluation
Evaluation
Impact of the sweeping attack: with a modest amount of packet replication and striping at the client, the proposed method can handle even massive DoS attacks against the overlay.
General ION attack resistance (figure)
Performance evaluation
Throughput under attack: only 33% in the worst-case scenario. As the replication rate is increased, the throughput gets closer to that of the direct connection.

Performance evaluation
As the replication factor is increased, and for larger networks, we get better average latency results. In the worst-case scenario, we get a 2.5 increase in latency,

Performance evaluation
The attack happens on a random fraction of the overlay nodes. Packet replication helps us achieve higher network resilience.

Performance evaluation
Latency vs. node failures (figure)
Summary
- Proposed the first non-trivial attack model: both the simple types of flooding attacks, as well as more sophisticated attackers that can eavesdrop on the victim's communication link.
- Proposed the use of a spread-spectrum-like paradigm to create per-packet path diversity.