1 Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks Udi Ben- Porat Tel-Aviv University, Israel Anat Bremler-Barr IDC Herzliya, Israel Hanoch Levy ETH Zurich, Switzerland

Uploaded by heather-wilkinson, posted 29-Dec-2015


Page 1 (slide 1)

Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks

Udi Ben-Porat, Tel-Aviv University, Israel
Anat Bremler-Barr, IDC Herzliya, Israel
Hanoch Levy, ETH Zurich, Switzerland

Page 2 (slide 2)

Study Objective
- Propose a DDoS Vulnerability performance metric (Vulnerability Measure), to be used in addition to traditional system performance metrics
- Understand the vulnerability of different systems to sophisticated attacks

This Talk
- Describe the DDoS Vulnerability performance metric
- Demonstrate the metric's impact on a hash table, a very common structure in networking: traditional performance: OPEN equivalent to CLOSED; vulnerability analysis: OPEN << CLOSED!!

Page 3 (slide 3)

Distributed Denial of Service (DDoS)

The attacker adds more regular users; loading the server degrades its performance.

[Figure: server performance under Normal, DDoS and Sophisticated (S.) DDoS load, with the attacker sending traffic to the server]

Page 4 (slide 4)

Sophisticated DDoS

The attacker adds sophisticated malicious users; each user creates maximal damage (per attack budget).

[Figure: same chart as the previous slide: server performance under Normal, DDoS and S. DDoS load]

Page 5 (slide 5)

Sophisticated Attacks Examples

Simple example: database server. Make hard queries; goal: consume CPU time.

Sophisticated attacks in the research:
- Reduction of Quality (RoQ) Attacks on Internet End-Systems. Mina Guirguis, Azer Bestavros, Ibrahim Matta and Yuting Zhang, INFOCOM 2005
- Low-Rate TCP-Targeted Denial of Service Attacks. A. Kuzmanovic and E. W. Knightly, SIGCOMM 2003
- Denial of Service via Algorithmic Complexity Attacks. Scott A. Crosby and Dan S. Wallach, USENIX 2003

Page 6 (slide 6)

Our goal

Proposing a Vulnerability measurement for all sophisticated DDoS attacks (Vulnerability Measurement).

Understanding the vulnerability of different systems to sophisticated attacks. Later: Hash Tables and Queuing.

Page 7 (slide 7)

Vulnerability Factor Definition

Vulnerability = v means: a malicious user degrades the server performance v times more than a regular user.

[Figure annotation: Performance Degradation Scales]

$$\mathrm{Vulnerability}(\mathrm{Cost}\ c) = \max_{st} \frac{\Delta\mathrm{Performance}(\mathrm{Malicious},\, c)}{\Delta\mathrm{Performance}(\mathrm{Regular},\, c)}$$

(st = Malicious Strategy)

Page 8 (slide 9)

Demonstration of Vulnerability metric: Attack on Hash Tables

A central component in networks. A hash table is a data structure based on a hash function and an array of buckets.

Operations: Insert, Search and Delete of elements according to their keys.

[Figure: a user sends Insert(element) to the server; the server computes Hash(key) to select a bucket in the array]

Page 9 (slide 10)

Hash Tables

Closed Hash: bucket = one element; on a collision the array is repeatedly probed until an empty bucket is found.

Open Hash: bucket = list of the elements that were hashed to that bucket.

Page 10 (slide 11)

Performance Factors In Attack

While the attack is on: the attacker's operations are CPU intensive; the CPU is loaded.

Post attack: the loaded table makes insert/delete/search operations suffer.

Vulnerability: OPEN vs. CLOSED
Traditional performance: OPEN = CLOSED*
What about Vulnerability? OPEN = CLOSED?

(* when the buckets array of the closed hash is twice as big)

Page 11 (slide 12)

Attacker strategy (InsStrategy)

Strategy: insert k elements (cost = budget = k) where all elements hash into the same bucket ( ).

Theorem: InsStrategy is optimal for both performance factors.

Closed Hash: a cluster. Open Hash: one long list of elements.

Attack Results

Page 12 (slide 13)

In Attack: Resource Consumption

Analytic results:

Open Hash:
V=

Closed Hash:
V=

In every malicious insertion, the server has to traverse all previously inserted elements (+ some existing elements).

[Figure: in-attack resource consumption, Open Hash vs. Closed Hash]
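To make slides 7, 9 and 13 concrete, here is an added example (not part of the slides or the authors' code) that builds a toy open hash (separate chaining) and a toy closed hash (linear probing), counts the work each insertion costs, and computes the in-attack vulnerability factor V = work caused by k malicious insertions / work caused by k regular insertions. Keys are integers hashed with key % size, so the InsStrategy key set is simply the multiples of the table size; the table sizes, the preloaded element count and the budget k are constructed parameters, and the result is a measurement of the metric on this toy, not the paper's analytic values.

```python
"""Added example: in-attack vulnerability factor of open vs. closed hash
tables under the InsStrategy (k insertions that all collide).  Toy model with
integer keys and hash(key) = key % size; all parameters are constructed."""
import random


class OpenHash:
    """Separate chaining: each bucket is a list of the elements hashed to it."""

    def __init__(self, size):
        self.size = size
        self.buckets = [[] for _ in range(size)]

    def insert(self, key):
        """Append key to its chain; return the work done, counted as the
        elements examined while walking the chain (duplicate check) plus one."""
        chain = self.buckets[key % self.size]
        work = len(chain) + 1
        chain.append(key)
        return work


class ClosedHash:
    """Open addressing with linear probing: each bucket holds one element."""

    def __init__(self, size):
        self.size = size
        self.slots = [None] * size

    def insert(self, key):
        """Probe from key % size until an empty slot is found; return the
        number of slots probed (the work done)."""
        i = key % self.size
        for probes in range(1, self.size + 1):
            if self.slots[i] is None:
                self.slots[i] = key
                return probes
            i = (i + 1) % self.size
        raise RuntimeError("table is full")


def insertion_work(table, keys):
    """Total work for inserting the keys, in order, into the table."""
    return sum(table.insert(k) for k in keys)


def in_attack_vulnerability(make_table, size, k, n_existing=0, seed=7):
    """Vulnerability factor for a budget of k insertions (slide 7's definition
    with 'performance' = CPU work during the insertions): the InsStrategy,
    k keys that all hash to bucket 0, against k regular keys drawn uniformly
    at random.  Both runs start from an identical table that already holds
    n_existing regular elements."""
    rng = random.Random(seed)
    regular_keys = [rng.randrange(10**9) for _ in range(k)]
    malicious_keys = [size * i for i in range(k)]   # key % size == 0 for all of them

    def preloaded_table():
        table = make_table(size)
        existing = random.Random(seed + 1)           # same existing elements both times
        insertion_work(table, [existing.randrange(10**9) for _ in range(n_existing)])
        return table

    regular_work = insertion_work(preloaded_table(), regular_keys)
    malicious_work = insertion_work(preloaded_table(), malicious_keys)
    return malicious_work / regular_work


def compare_tables(size=1000, k=100, n_existing=500):
    """V for an open hash of `size` buckets and a closed hash whose array is
    twice as big (slide 11's condition for equal traditional performance)."""
    return {
        "open": in_attack_vulnerability(OpenHash, size, k, n_existing),
        "closed": in_attack_vulnerability(ClosedHash, 2 * size, k, n_existing),
    }


if __name__ == "__main__":
    for kind, v in compare_tables().items():
        print(f"{kind:6s} hash: each malicious insertion costs about {v:.1f}x a regular one")
```

On an empty table both structures charge 1 + 2 + ... + k = k(k+1)/2 units for the k colliding insertions, which is the "traverse all previously inserted elements" cost of slide 13; the "+ some existing elements" term appears once the table is preloaded, and it is larger for the closed hash because its probe sequence also has to step over regular elements that sit inside the growing cluster.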

Page 13 (slide 14)

Post Attack: Operation Complexity

[Figure: post-attack operation complexity, Open Hash vs. Closed Hash]

Page 14 (slide 15)

Post Attack: account for queuing. Requests for the server are queued up.

Vulnerability of the (post attack) Waiting Time?

[Figure: requests queue at the server in front of the hash table]

Page 15 (slide 16)

Post Attack Waiting Time

Open Hash: Vulnerable!! While in the model of Post Attack Operation Complexity the Open Hash is not vulnerable!

Closed Hash: Drastically more vulnerable, resulting from: clusters increase the second moment of the hash operation times. No longer stable for Load > 48%.

[Figure: waiting time vs. load, with the stability point marked]
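The slide's point is that queueing delay depends on the second moment of the service time, not just its mean, so a cluster left behind by the attack hurts far more than its average cost suggests. The added example below (not from the slides or the paper) puts that through the M/G/1 Pollaczek-Khinchine formula with a deliberately simplified service-time model that I constructed: n buckets, k attacker elements left in one list (open hash) or one contiguous cluster (closed hash), and a cost of one probe for every operation that misses them. The parameters are constructed; the paper's own analytic model and its 48% stability figure are not reproduced here.

```python
"""Added example: post-attack queueing delay from service-time moments
(M/G/1, Pollaczek-Khinchine) under a constructed service-time model."""


def pk_mean_wait(arrival_rate, mean_service, second_moment_service):
    """Mean time a request waits in the queue of an M/G/1 server
    (Pollaczek-Khinchine: W = lambda * E[S^2] / (2 * (1 - rho))).
    Returns None when rho = lambda * E[S] >= 1, i.e. the queue is unstable."""
    rho = arrival_rate * mean_service
    if rho >= 1:
        return None
    return arrival_rate * second_moment_service / (2 * (1 - rho))


def open_hash_moments(n, k):
    """Search cost (in probes) after the attack on an open hash with n
    buckets: with probability 1/n the search lands on the attacker's list
    and walks all k elements, otherwise it costs one probe (constructed
    model).  Returns (E[S], E[S^2])."""
    p = 1 / n
    return (1 - p) + p * k, (1 - p) + p * k * k


def closed_hash_moments(n, k):
    """Closed hash with n slots: with probability k/n the search starts
    somewhere inside the k-slot cluster and probes to its end, a cost
    uniform on 1..k; otherwise one probe (constructed model).
    Returns (E[S], E[S^2])."""
    p = k / n
    mean_in = (k + 1) / 2
    second_in = (k + 1) * (2 * k + 1) / 6      # E[U^2] for U uniform on 1..k
    return (1 - p) + p * mean_in, (1 - p) + p * second_in


def stability_limit(mean_service):
    """Largest arrival rate for which rho < 1 still holds: the slide's
    'stability point' for a given mean service time."""
    return 1 / mean_service


def post_attack_delay(arrival_rate, n, k):
    """Mean queueing delay before the attack (every operation costs one
    probe) and after it, for both table kinds; None marks an unstable queue."""
    return {
        "baseline": pk_mean_wait(arrival_rate, 1.0, 1.0),
        "open": pk_mean_wait(arrival_rate, *open_hash_moments(n, k)),
        "closed": pk_mean_wait(arrival_rate, *closed_hash_moments(n, k)),
    }


if __name__ == "__main__":
    n, k, load = 1000, 100, 0.5          # constructed parameters
    print(post_attack_delay(load, n, k))
    print("closed hash stable only below load",
          round(stability_limit(closed_hash_moments(n, k)[0]), 3))
```

With n = 1000 and k = 100 the open hash's second moment rises from 1 to about 11 while the closed hash's rises to about 339, because a search that hashes anywhere inside the cluster pays for it, not only the one bucket the attacker targeted; at a 50% pre-attack load the open hash queue stays stable with a longer wait, while the closed hash queue no longer has a finite mean delay at all.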

Page 16 (slide 17)

Conclusions

- Closed Hash is much more vulnerable than Open Hash to DDoS, even though the two systems are considered equivalent under traditional performance evaluation.
- After the attack has ended, regular users still suffer from performance degradation.
- An application using a hash table in the Internet, where there is a queue before the hash, has high vulnerability.

Page 17 (slide 18)

Related Work

The alternative measure: Potency [RoQ]
- Was defined only for RoQ.
- Only counts the performance degradation of a specific attack; Vulnerability measures the system.
- Meaningless without additional numbers; Vulnerability is meaningful information based on this number alone.

Analyzing Hash: comparing Closed to Open Hash, also analyzing the post attack performance degradation (Denial of Service via Algorithmic Complexity Attacks, Scott A. Crosby and Dan S. Wallach, USENIX 2003).

Page 18 (slide 19)

Questions?