Transcript Overlay Network

Tolerating Denial-of-Service Attacks Using
Overlay Networks – Impact of Topology
Ju Wang1, Linyuan Lu2 and Andrew A. Chien1
1CSE Department, UCSD
2Math Department, UCSD
October 31st, 2003
ACM SSRS'03
Outline




Background
System Model
Analytical Results
Summary & Future Work
October 31st, 2003
ACM SSRS'03
Motivation

DoS attacks compromise important websites



DoS is a critical security problem




“Code Red” worm attack on Whitehouse website
Yahoo, Amazon, eBay
Global corporations lost over $1.39 trillion (2000)
60% due to viruses and DoS attacks.
FBI reports DoS attacks are on the rise
=> DoS an important problem
October 31st, 2003
ACM SSRS'03
Denial-of-Service Attacks
Application Service
Internet
Service Infrastructure

Legitimate User
Attackers prevent legitimate users from
receiving service


Application level (large workload)
Infrastructure level
October 31st, 2003
ACM SSRS'03
Denial-of-Service Attacks
Application Service
Internet
Service Infrastructure

Legitimate User
Attackers prevent legitimate users from
receiving service


Application level
Infrastructure level (traffic flood) – require IP addr
October 31st, 2003
ACM SSRS'03
Use Overlay Network to Resist
Infrastructure DoS Attack
Legitimate User
App
Overlay
Network
Internet
132.233.202.13
where
?
attackers


Applications hide behind proxy network (location-hiding)  this talk
Proxy network DoS-resilient – shielding applications
 Need to tolerate massive proxy failures due to DoS attacks
 Addressed in on-going research
October 31st, 2003
ACM SSRS'03
Proxy Network Topology & Location Hiding
B
Overlay Network


A
Proxy node: software component run on a host
Proxy nodes adjacent iff IP addresses are mutually known


Adjacent
Compromising one reveals IP addresses of adjacent nodes
Topology = structure of node adjacency  how hard to penetrate,
effectiveness of location-hiding
October 31st, 2003
ACM SSRS'03
Problem Statement


Focus on location-hiding problem
Impact of topology on location-hiding


Good or robust topologies: hard to penetrate and defenders
can easily defeat attackers
Bad or vulnerable topologies: attackers can quickly
propagate and remain side the proxy network
Vulnerable (unfavorable) Robust (favorable)
topologies
October 31st, 2003
ACM SSRS'03
Attack: Compromise and Expose


Compromised!!
Overlay Network
intact
exposed
compromised


Attackers: steal location information using host compromise attacks
A proxy node is:



Compromised: attackers can see all its neighbors’ IP addresses
Exposed: IP addresses known to attackers
Intact: otherwise
October 31st, 2003
ACM SSRS'03
Defense: Recover and Reconfigure
Recovered!
Overlay Network
intact
exposed
compromised

Resource Recovery: compromised  exposed/intact



Proactive (periodic clean system reload)
Reactive (IDS triggered system cleaning)
Proxy network reconfiguration: exposed/compromised  intact

Proxy migration – move proxy to a different host
October 31st, 2003
ACM SSRS'03
Defense: Recover and Reconfigure
Move to
new location!
Overlay Network
intact
exposed
compromised

Resource Recovery: compromised  exposed/intact



Proactive (periodic clean system reload)
Reactive (IDS triggered system cleaning)
Proxy network reconfiguration: exposed/compromised  intact

Proxy migration – move proxy to a different host
October 31st, 2003
ACM SSRS'03
Defense: Recover and Reconfigure
Move to
new location!
Overlay Network
intact
exposed
compromised

Resource recovery + Proxy network reconfiguration


Exposed  Intact (at certain probability )
Compromised  Intact (at certain probability )
October 31st, 2003
ACM SSRS'03
Analytical Model

Model M(G, , , )





G: topology graph of the proxy network
: speed of attack (at prob , exp  com)
: speed of defense (at prob , com  intact)
: speed of defense (at prob , exp  intact)
Nodes adjacent to a compromised node is exposed


intact
exposed
compromised

October 31st, 2003
ACM SSRS'03
Theorem I (Robust Topologies)
,
,


,



,

bad
good
Average degree 1 of G is smaller than the ratio of
speed between defenders and attackers:
(+)/ > 1



,
Even if many nodes are initially compromised, attackers’
impact can be quickly removed in O(logN) steps
Defenders are quick enough to suppress attackers’
propagation
Low average degrees are favorable
October 31st, 2003
ACM SSRS'03
Theorem II (Vulnerable Topologies)
hard to beat attackers
inside the cluster

Neighborhood expansion property  of G is larger
than the ratio of speed between defenders and
attackers:  > /



Even if only one node is initially exposed, attackers’ impact
quickly propagate, and will linger forever
Applies to all sub-graphs
Large clusters (tightly connected sub-graphs) are
unfavorable
October 31st, 2003
ACM SSRS'03
Case Study: existing overlays
N-Chord:
N node Chord
Defense Speed Needed To Be Robust
4K-Chord
2K-Chord
1K-Chord
512-Chord
4D-CAN
K-D CAN: k-dimensional
Cartesian space torus
3D-CAN
RR6
RR5
RR4
RR-k: random regular
graph, degree = k
October 31st, 2003
RR3
0
5
10
15
20
Defense Speed (# times faster than attack speed)
ACM SSRS'03
25
Related Work

Secure Overlay Services (SOS) [Keromytis02]


Internet Indirection Infrastructure (i3) [Stoica02]




Use Chord to provide anonymity to hide location of secret “servlets”
Uses Chord for location-hiding
Didn’t analyze how secure their location-hiding schemes are
We showed that Chord is not a favorable topology
Our previous work [Wang03]



Studied feasibility of location-hiding using proxy networks
Assumed favorable topology; focused on impact of defensive
mechanisms, such as resource recovery and proxy reconfiguration
This work focus on impact of topology
October 31st, 2003
ACM SSRS'03
Summary & Future Work

Summary




Studied impact of topology on location-hiding and presented two
theorems to characterize robust and vulnerable topologies
Derived design principles on proxy networks for location-hiding
Found popular overlays (such as Chord) not favorable
Future Work



Impact of correlated host vulnerabilities (,  and  non-constant)
Design proxy networks to tolerate massive failures due to DoS
attacks
Performance implications and resource requirement for proxy
networks
October 31st, 2003
ACM SSRS'03
References



[Wang03] J. Wang and A. A. Chien, “Using Overlay Networks to Resist
Denial-of-Service Attacks”, Technical report, CSE UCSD, 2003.
[Keromytis02] A. D. Keromytis, V. Misra, and D. Rubenstein, “SOS:
Secure Overlay Services”, In ACM SIGCOMM’02, Pittsburgh, PA, 2002.
[Stoica02] I. Stoica, D. Adkins, S. Zhuang, S. Shenker, and S. Surana,
“Internet Indirection Infrastructure”, In SIGCOMM, Pittsburge,
Pennsylvania USA, 2002.
October 31st, 2003
ACM SSRS'03