Tolerating Denial-of-Service Attacks Using Overlay Networks – Impact of Topology
Ju Wang (CSE Department, UCSD), Linyuan Lu (Math Department, UCSD) and Andrew A. Chien (CSE Department, UCSD)
October 31st, 2003
ACM SSRS'03
Outline
Background
System Model
Analytical Results
Summary & Future Work
Motivation
DoS attacks compromise important websites
DoS is a critical security problem
“Code Red” worm attack on Whitehouse website
Yahoo, Amazon, eBay
Global corporations lost over $1.39 trillion (2000)
60% due to viruses and DoS attacks.
FBI reports DoS attacks are on the rise
=> DoS is an important problem
Denial-of-Service Attacks
[Figure: Legitimate User – Internet – Service Infrastructure – Application Service]
Attackers prevent legitimate users from receiving service
Application level (large workload)
Infrastructure level (traffic flood) – requires knowing the target's IP address
Use Overlay Network to Resist Infrastructure DoS Attack
[Figure: Legitimate User – App – Overlay Network – Internet; attackers asking "where?", with the address 132.233.202.13 labelled]
Applications hide behind a proxy network (location-hiding) – the subject of this talk
Proxy network is DoS-resilient – shielding the applications
Need to tolerate massive proxy failures due to DoS attacks – addressed in on-going research
Proxy Network Topology & Location Hiding
[Figure: overlay network with two adjacent proxy nodes, A and B]
Proxy node: a software component run on a host
Proxy nodes are adjacent iff their IP addresses are mutually known
Compromising one node reveals the IP addresses of its adjacent nodes
Topology = structure of node adjacency; it determines how hard the network is to penetrate, i.e. the effectiveness of location-hiding
Problem Statement
Focus on the location-hiding problem
Impact of topology on location-hiding
Good or robust topologies: hard to penetrate, and defenders can easily defeat attackers
Bad or vulnerable topologies: attackers can quickly propagate and remain inside the proxy network
[Figure: spectrum of topologies from vulnerable (unfavorable) to robust (favorable)]
Attack: Compromise and Expose
[Figure: overlay network with intact, exposed and compromised nodes; one node marked "Compromised!!"]
Attackers: steal location information using host compromise attacks
A proxy node is:
Compromised: attackers can see all its neighbors' IP addresses
Exposed: its IP address is known to attackers
Intact: otherwise
Defense: Recover and Reconfigure
[Figure: overlay network with intact, exposed and compromised nodes; a recovered node ("Recovered!") and a migrated node ("Move to new location!")]
Resource recovery: compromised → exposed/intact
Proactive (periodic clean system reload)
Reactive (IDS-triggered system cleaning)
Proxy network reconfiguration: exposed/compromised → intact
Proxy migration – move the proxy to a different host
Resource recovery + proxy network reconfiguration:
Exposed → intact (with a certain probability)
Compromised → intact (with a certain probability)
Analytical Model
Model M(G, , , ): topology graph G plus three speed parameters
G: topology graph of the proxy network
Speed of attack: the probability that an exposed node becomes compromised
Speed of defense (recovery): the probability that a compromised node becomes intact
Speed of defense (reconfiguration): the probability that an exposed node becomes intact
Nodes adjacent to a compromised node are exposed
[Figure legend: intact, exposed, compromised]
Theorem I (Robust Topologies)
[Figure: plot with regions labelled bad and good]
Average degree of G is smaller than the ratio of speed between defenders and attackers: (+)/ > 1
Even if many nodes are initially compromised, the attackers' impact can be quickly removed in O(log N) steps
Defenders are quick enough to suppress the attackers' propagation
Low average degrees are favorable
Theorem II (Vulnerable Topologies)
[Figure: a tightly connected cluster – hard to beat attackers inside the cluster]
Neighborhood expansion property of G is larger than the ratio of speed between defenders and attackers: > /
Even if only one node is initially exposed, the attackers' impact propagates quickly and lingers forever
Applies to all sub-graphs
Large clusters (tightly connected sub-graphs) are unfavorable
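The attack/defense model above (exposed → compromised by the attacker; compromised → intact by recovery; exposed → intact by proxy migration; neighbours of a compromised node become exposed), stepped on a low-degree ring and on a Chord-like finger graph so the degree effect of Theorems I and II can be observed. This is an added example, not code from the paper; the parameter names p_attack, p_recover and p_reconf are my labels for the model's three speed parameters, and the graph builders and sample speeds are constructed for illustration.

```python
import random
INTACT, EXPOSED, COMPROMISED = "intact", "exposed", "compromised"

def ring(n):
    """Ring: each proxy knows only its two neighbours (average degree 2)."""
    return {i: {(i - 1) % n, (i + 1) % n} for i in range(n)}

def chord(n):
    """Chord-like finger graph (n a power of two): node i links to i + 2^k mod n."""
    adj = {i: set() for i in range(n)}
    k = 1
    while k < n:
        for i in range(n):
            adj[i].add((i + k) % n)
            adj[(i + k) % n].add(i)
        k *= 2
    return adj
def average_degree(adj):
    return sum(len(nb) for nb in adj.values()) / len(adj)

def simulate(adj, p_attack, p_recover, p_reconf, exposed0, max_steps=200, seed=1):
    """Step the model; return (step at which all nodes are intact, or None, final state)."""
    rng = random.Random(seed)                     # seeded so runs are reproducible
    state = {v: (EXPOSED if v in exposed0 else INTACT) for v in adj}
    for step in range(1, max_steps + 1):
        new = dict(state)
        for v, s in state.items():
            if s == EXPOSED:
                if rng.random() < p_attack:       # attack: exposed -> compromised
                    new[v] = COMPROMISED
                elif rng.random() < p_reconf:     # proxy migration: exposed -> intact
                    new[v] = INTACT
            elif s == COMPROMISED and rng.random() < p_recover:
                new[v] = INTACT                   # clean reload: compromised -> intact
        for v in [u for u, s in new.items() if s == COMPROMISED]:
            for u in adj[v]:                      # a compromised node exposes its neighbours
                if new[u] == INTACT:
                    new[u] = EXPOSED
        state = new
        if all(s == INTACT for s in state.values()):
            return step, state
    return None, state

def compare(n=64, p_attack=0.5, p_recover=0.3, p_reconf=0.3):
    """Same attack/defense speeds on a low-degree ring and on a Chord-like graph."""
    out = {}
    for name, g in (("ring", ring(n)), ("chord", chord(n))):
        steps, state = simulate(g, p_attack, p_recover, p_reconf, {0})
        out[name] = (average_degree(g), steps, sum(s != INTACT for s in state.values()))
    return out
```

compare() returns, per topology, the average degree, the step at which the attackers' footprint was cleared (None if it survived the run) and how many nodes were still exposed or compromised at the end; varying the three speeds shows where each topology crosses from robust to vulnerable.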
Case Study: existing overlays
N-Chord: N-node Chord
K-D CAN: k-dimensional Cartesian-space torus
RR-k: random regular graph, degree = k
[Chart: Defense Speed Needed To Be Robust; x-axis: Defense Speed (# times faster than attack speed), 0–25; topologies: 4K-Chord, 2K-Chord, 1K-Chord, 512-Chord, 4D-CAN, 3D-CAN, RR6, RR5, RR4, RR3]
Related Work
Secure Overlay Services (SOS) [Keromytis02]: uses Chord to provide anonymity, hiding the location of secret "servlets"
Internet Indirection Infrastructure (i3) [Stoica02]: uses Chord for location-hiding
Neither analyzed how secure its location-hiding scheme is; we showed that Chord is not a favorable topology
Our previous work [Wang03]: studied the feasibility of location-hiding using proxy networks; assumed a favorable topology and focused on the impact of defensive mechanisms, such as resource recovery and proxy reconfiguration
This work focuses on the impact of topology
Summary & Future Work
Summary
Studied the impact of topology on location-hiding and presented two theorems to characterize robust and vulnerable topologies
Derived design principles for proxy networks for location-hiding
Found popular overlays (such as Chord) not favorable
Future Work
Impact of correlated host vulnerabilities (the model's speed parameters non-constant)
Design proxy networks to tolerate massive failures due to DoS attacks
Performance implications and resource requirements for proxy networks
References
[Wang03] J. Wang and A. A. Chien, "Using Overlay Networks to Resist Denial-of-Service Attacks", Technical report, CSE UCSD, 2003.
[Keromytis02] A. D. Keromytis, V. Misra, and D. Rubenstein, "SOS: Secure Overlay Services", In ACM SIGCOMM'02, Pittsburgh, PA, 2002.
[Stoica02] I. Stoica, D. Adkins, S. Zhuang, S. Shenker, and S. Surana, "Internet Indirection Infrastructure", In ACM SIGCOMM'02, Pittsburgh, PA, 2002.