Countering Dos Attacks with Stateless Multipath Overlays
Countering DoS Attacks with
Stateless Multipath Overlays
Presented by Yan Zhang
1
2009-03-16
Overview
Background
Problem formulation
Architecture
Implementation
Evaluation
DDoS Attack
Distributed Denial of Service: an attacker recruits a number of hosts (zombies) across the Internet and has them attack the target simultaneously or in a coordinated fashion.
Typical DDoS examples: SYN flood attack, ICMP attack
DDoS Attack: Direct
DDoS Attack: Indirect
Overlay Network
Overlay network: a computer network built on top of another network.
Node: nodes in the overlay can be thought of as being connected by virtual or logical links, each of which corresponds to a path, perhaps through many physical links, in the underlying network.
IP network as an overlay network
Overlay network & Benefits
Purpose: to implement a network service that is not available in the existing network
-- Routing, addressing, security, multicast, mobility
Benefits:
1. No need to deploy new equipment or modify existing software/protocols
2. No need to deploy at every node
Traditional ION
Traditional indirection-based overlay network (ION) methods (like SOS, MayDay) make two assumptions:
An attack on a fixed and bounded set of overlay nodes can only affect a small fraction of users
The attacker cannot eavesdrop on links inside the network
Problem
Traditional IONs have weaknesses:
Targeted attack: the attacker can follow the client's connection and bring down the nodes the client tries to connect to.
Sweep attack: degrade the connection by bringing down a portion of the overlay nodes at a time.
Related work
SOS (Keromytis et al.)
-- Suggested using an overlay network to route traffic from legitimate users to a secret node
Stateless flow filter (Xuan et al.)
-- Adds capabilities to packets
Ticket mechanism (Gligor)
-- Clients must obtain tickets before they are allowed to access the protected service
Spread-spectrum
Electromagnetic energy generated in a particular bandwidth is deliberately spread in the frequency domain, resulting in a signal with a wider bandwidth.
CDMA is a typical spread-spectrum communication technique
Intuition
To prevent the "following" attack: by adopting a "spread spectrum" approach, the client spreads its packets randomly across all access points.
To verify authenticity: use a token, at the expense of bandwidth
Attack models
Sweep attack: without internal knowledge of the system, blindly sweep all nodes
--- TCP SYN, ICMP flooding, etc.
---- Like radio jamming on all channels
Targeted attack: knows which overlay node a client is using; more sophisticated
---- Like eavesdropping on and jamming the target frequency
Traffic spreading issues
Spread the packets from clients across all overlay nodes in a pseudo-random manner
A random attack will only cause a fraction of the packets to be lost
Duplicate the packets or use forward error correction to recover from the loss
Traffic Spreading
Key and ticket establishment protocol
Key and ticket establishment protocol
Randomly redirect the authentication
The client sends a packet to a random overlay node
The receiving node forwards the request to another random overlay node
The attacker could not determine which nodes to target
Client-Overlay communication protocol
A single round trip uses only the first and last connections (from A to D)
Two round trips guarantee liveness
Key and ticket establishment protocol
To avoid reuse of the same ticket by multiple DDoS zombies, the range of valid sequence numbers for the ticket is kept relatively small (e.g., 500 packets)
The ticket is bound to the client's IP
Implementation
Connection establishment phase
-- As described in the protocol part
-- Establish session key and ticket
-- Usually two round trips
Implementation
Packet transmission phase
The client computes the index into the sorted list of IPs as:
index = UMAC(Ku XOR sequence number) mod n
Ticket renewal phase
When valid tickets are about to expire, the overlay node issues a new ticket with the same session key but a larger maximum sequence number.
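The spreading rule, the ticket window, and the sweep-attack resilience argument from the slides, put together as an added example (not the paper's or the presenter's code). UMAC is replaced by HMAC-SHA256 from the Python standard library, and the placement of replicas under consecutive sequence numbers is an assumption not stated on the slides.

```python
import hashlib
import hmac
import random
from dataclasses import dataclass

# Constructed example, not the paper's or the talk's code. UMAC is replaced by
# HMAC-SHA256 from the standard library; the spreading rule
# index = MAC(Ku XOR seq) mod n is the one the slides state.

def node_index(ku: bytes, seq: int, n: int) -> int:
    """Position of packet `seq` in the sorted list of the n overlay-node IPs."""
    msg = (int.from_bytes(ku, "big") ^ seq).to_bytes(len(ku), "big")
    mac = hmac.new(ku, msg, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % n

@dataclass(frozen=True)
class Ticket:
    client_ip: str  # the ticket is bound to the client's IP
    max_seq: int    # small sequence window (e.g. 500) limits reuse by zombies

def node_accepts(ticket: Ticket, src_ip: str, seq: int) -> bool:
    """Stateless per-packet check at an overlay node: IP binding and window."""
    return src_ip == ticket.client_ip and 0 <= seq <= ticket.max_seq

def renew(ticket: Ticket, window: int = 500) -> Ticket:
    """Renewal keeps the session key; only the max sequence number grows."""
    return Ticket(ticket.client_ip, ticket.max_seq + window)

def delivered_fraction(ku: bytes, n_nodes: int, n_packets: int,
                       replication: int, down_fraction: float, seed: int = 1) -> float:
    """Sweep-attack simulation: a random fraction of the overlay is down and a
    packet survives if any replica reaches a live node. Assumption (not on the
    slides): replica k of packet i is sent under seq = i * replication + k."""
    rng = random.Random(seed)
    down = set(rng.sample(range(n_nodes), int(n_nodes * down_fraction)))
    ok = 0
    for i in range(n_packets):
        idx = {node_index(ku, i * replication + k, n_nodes) for k in range(replication)}
        ok += any(j not in down for j in idx)
    return ok / n_packets

if __name__ == "__main__":
    ku = bytes(range(16))  # constructed session key
    for r in (1, 2, 3):
        print(f"replication={r}: delivered {delivered_fraction(ku, 100, 2000, r, 0.5):.3f}")
```

With half the overlay down, replication 1 loses about half the packets while replication 3 delivers well over 80%, which is the effect the evaluation slides describe.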
Evaluation
Impact of sweeping attack
With a modest amount of packet replication and striping at the client, the proposed method can handle even massive DoS attacks against the overlay
General ION attack resistance
Performance evaluation
Throughput under attack
Only 33% in the worst-case scenario
As the replication rate increases, the throughput gets closer to that of the direct connection
Performance evaluation
As the replication factor is increased, and for larger networks, we get better average latency results.
In the worst-case scenario, we get a 2.5 increase in latency.
Performance evaluation
The attack hits a random fraction of the overlay nodes.
Packet replication helps achieve higher network resilience.
Performance evaluation
Latency vs. node failures
Summary
Proposed the first non-trivial attack model: it covers both simple flooding attacks and more sophisticated attackers that can eavesdrop on the victim's communication link
Proposed the use of a spread-spectrum-like paradigm to create per-packet path diversity.