Information systems slide DOS attack

Number of pages: 42
Size: 580 KB


Page 1

Exposing and Eliminating Vulnerabilities to Denial of Service Attacks in Secure Gossip-Based Multicast

Page 2

Agenda

Page 3

• At least one member is a source – generates messages

members in a timely fashion

Page 4

Tree-Based Multicast

• Use a spanning tree – most common solution

• No duplicates (optimal BW when network-level)

• Single points of failure

(figure; label: Source)

Page 5

Gossip-Based Multicast

• Progresses in rounds

• Every round

– Choose random partners (view )

– Send or receive messages

– Discard old msgs from buffer

Page 6

(figure; label: Source)

Page 7

(figure; label: Source)

Page 8

Hostility over the Internet

Page 9

Denial of Service

• Got little attention

• No quantitative analysis of impact on application

Page 10

Dollar Amount of Losses by Type

Page 11

Remote Application-Level DoS

(figure; labels: Valid Request, Bogus Request, No Attack, DoS Attack)

Page 12

Effects of DoS on Gossip

attacked

vulnerable to DoS attacks

Page 13

Our Solution

• Drum – a new gossip-based ALM protocol

• Utilizes DoS-mitigation techniques

– Separating and bounding resources

– Combining both push and pull

– Using random one-time ports to communicate

• Proven robust using formal analysis and quantitative evaluation

– Provides general methods for analyzing and quantitatively evaluating resistance to DoS-attacks

Page 14

Bounding Resources

the arriving messages and discard the rest

(figure; label: Round Duration)

Page 15

Combining Push and Pull

messages via pull (random ports)

push

Page 16

Random Ports

a random port number

– “Invisible” to the attacker (e.g., encrypted)

not affect the random port’s queue (i.e., there is no BW exhaustion)

Page 17

Drum’s Push Mechanism

has already received

from his digest

Page 18

Evaluation Methodology

• Compare 3 protocols

– Push (push-based with bounded resources)

– Pull (pull-based with bounded resources)

– Drum

• Under various DoS attacks

– Fixed strength

– Increasing strength

• Source is always attacked

• Evaluates combination of Push and Pull

Page 19

Evaluation Methodology (cont.)

number of rounds it takes a message to reach all of the correct processes

– 99% in the simulations and actual measurements

latency and throughput

Page 20

Analysis/Simulation Assumptions

• Static group with complete connectivity

• Processes have complete group knowledge

• Propagation of a single message M

– But simulate situation where all procs have msgs to send

• M is never purged from local buffers

• Rounds are synchronized

• All round operations complete within the same round

• All processes are correct (analysis) or 10% of them perform a DoS attack (simulation)

Page 21

Validating Known Results

• The propagation time of gossip-based multicast protocols is O(log n) [P87, KSSV00]

Page 22

(figure; only axis ticks survived)

Page 23

Validating Known Results (cont.)

• The performance of gossip-based multicast protocols degrades gracefully as the number of failures grows [LMM00, GvRB01]

Page 25

• F – size of view, and max # of requests to process in a round (F = 4)

attacked process receives in a round

• B – total attack strength (B = nx)

Page 26

Analysis – Increasing Strength

• Lemma 1: Fix  and n. Drum’s propagation time is bounded from above by a constant independent of x

– Define effective fan-in and effective fan-out

– Both have an element independent of x

– When x   this element is dominant

– The effective fans are bounded from below

Page 27

Analysis – Increasing Strength

• Lemma 2: Fix  and n. The propagation time of Push grows at least linearly with x

• Proof idea

– Assume all non-attacked processes already have the message (and so does the source)

– Bound the expected number of processes having M at round k from above

– Find the minimal k in which all processes have M

– Reaching all attacked processes takes at least a time linear in x

Page 28

Analysis – Increasing Strength

• Lemma 3: Fix  and n. The propagation time of Pull grows at least linearly with x

• Proof idea

– Denote by p the probability that the source reads a valid pull request in a round

– # of rounds for M to leave the source is geometrically distributed with p

– The expectation is 1/p
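The bounded-resource round model of the “Analysis/Simulation Assumptions” slide, and the trends that Lemmas 1–3 state for Drum, Push and Pull as the attack strength x grows, can be reproduced with a small simulator. The following Python is an added example written for this page; it is not the Drum authors' code and not the Java implementation the later slides describe. The process count, the fan F, the attacked set (the source plus every tenth process), the attack strength x and the seed are constructed values. How bogus traffic competes with genuine traffic for a process's F slots, and the simplification that “drum” just runs push and pull side by side with separate bounded queues, are this example's assumptions, not a statement about the real protocol.

```python
import random


def handled_valid(valid, bogus, F, rng=random):
    """How many of `valid` genuine arrivals get processed when a process reads at
    most F of the (valid + bogus) messages queued on a well-known port, picked
    uniformly at random, and discards the rest (the "bounding resources" rule).
    This is a hypergeometric draw; with no bogus traffic nothing is lost."""
    if valid == 0:
        return 0
    total = valid + bogus
    if total <= F:
        return valid
    chosen = rng.sample(range(total), F)
    return sum(1 for slot in chosen if slot < valid)


def propagation_rounds(n, F, x, attacked, mode, seed=0, max_rounds=20000):
    """Rounds until all n processes hold M; process 0 is the source and holds M
    from the start. Processes in `attacked` receive x bogus messages per round
    on each well-known port. mode is "push", "pull" or "drum" (push and pull
    with separate bounded queues: an assumption of this example). Returns
    max_rounds if M never reaches everyone."""
    rng = random.Random(seed)
    attacked = set(attacked)
    has_m = [False] * n
    has_m[0] = True
    others = [[q for q in range(n) if q != p] for p in range(n)]

    for rnd in range(1, max_rounds + 1):
        pushes = [0] * n                          # genuine copies of M pushed to each process
        pull_requests = [[] for _ in range(n)]    # ids of processes asking each process for M

        if mode in ("push", "drum"):
            for p in range(n):
                if has_m[p]:
                    for q in rng.sample(others[p], F):    # F random partners (the view)
                        pushes[q] += 1
        if mode in ("pull", "drum"):
            for p in range(n):
                if not has_m[p]:
                    for q in rng.sample(others[p], F):
                        pull_requests[q].append(p)

        new_has = has_m[:]
        for q in range(n):
            bogus = x if q in attacked else 0
            if mode in ("push", "drum"):
                # Push port: a flooded process may discard every genuine copy.
                if handled_valid(pushes[q], bogus, F, rng) > 0:
                    new_has[q] = True
            if mode in ("pull", "drum") and has_m[q]:
                # Pull-request port: read at most F requests from the flooded queue ...
                reqs = pull_requests[q]
                rng.shuffle(reqs)
                served = handled_valid(len(reqs), bogus, F, rng)
                # ... but replies go to the requester's random one-time port, which
                # the attacker cannot flood, so every served request delivers M.
                for p in reqs[:served]:
                    new_has[p] = True
        has_m = new_has
        if all(has_m):
            return rnd
    return max_rounds


def compare(n=50, F=4, x=10000, seed=1):
    """Propagation time (no attack, under attack) for Push, Pull and Drum.
    Constructed scenario: 50 processes, F = 4 as on the slides, and the source
    plus every tenth process (5 of 50) flooded with x bogus messages per round."""
    attacked = list(range(0, n, 10))
    return {
        mode: (propagation_rounds(n, F, 0, [], mode, seed),
               propagation_rounds(n, F, x, attacked, mode, seed))
        for mode in ("push", "pull", "drum")
    }


if __name__ == "__main__":
    for mode, (quiet, flooded) in compare().items():
        print(f"{mode:5s}  no attack: {quiet:5d} rounds   under attack: {flooded:5d} rounds")
```

Running the block prints, for each protocol, the rounds needed to reach all processes without and with the attack. Push stalls because an attacked process reads only F of the x bogus arrivals plus a handful of genuine ones; Pull stalls because M leaves the attacked source only once a valid request is among the F it reads, which takes 1/p rounds in expectation, as in Lemma 3; Drum stays close to its no-attack figure because pushes from non-attacked holders and pull replies on random ports both bypass the flooded queues.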

Page 29

(figure; only axis ticks survived)

Page 31

Analysis – Fixed Strength

• Define c = B/nF (total attack strength divided by total system capacity)

propagation time is monotonically increasing with 

monotonically decreasing with 

Page 33

Implementation and Measurements

• Uses the Java programming language

• Multithreaded processes

• Operations are not synchronized

• Rounds are not synchronized among processes

• 50 machines on a 100Mbit LAN (Emulab)

• One process per machine

• 5 processes (10%) perform a DoS attack

Page 34

Validating the Simulations

scenarios tested by simulation

assumptions have little effect on the results

Page 35

(figure; legend: Pull measurements, Pull simulation, Drum measurements, Drum simulation)

Page 36

(figure; legend: Pull measurements, Pull simulation, Drum measurements, Drum simulation)

Page 37

High-Throughput Experiments

• Single source

• Creates 40 messages (50 bytes long) per second

• Total of 10,000 messages

• Round duration = 1 second

• Messages are purged after 10 rounds

• Each process sends at most 80 data messages to another process in a round

• Throughput and latency are measured at the 44 correct receiving processes

Page 39

(figure; only axis ticks survived)

Page 41

targeted DoS attacks

DoS attacks

neighbor-selection

applicable to other systems as well

Posted: 08/01/2018, 10:37
