1
Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks
Udi Ben-Porat, Tel-Aviv University, Israel
Anat Bremler-Barr, IDC Herzliya, Israel
Hanoch Levy, ETH Zurich, Switzerland
2
Study Objective: propose a DDoS Vulnerability performance metric.
Vulnerability Measure: to be used in addition to traditional system performance metrics; understanding the vulnerability of different systems to sophisticated attacks.
This Talk: describe the DDoS Vulnerability performance metric; demonstrate the metric's impact.
Hash Table: very common in networking. Performance (traditional): OPEN equivalent to CLOSED. Vulnerability analysis: OPEN << CLOSED!!
3
Distributed Denial of Service (DDoS)
Attacker adds more regular users, loading the server and degrading its performance.
[Figure: server performance vs. attacker load: Normal, DDoS, S. DDoS]
4
Sophisticated DDoS
[Figure: server performance vs. attacker load: Normal, DDoS, S. DDoS]
Attacker adds sophisticated malicious users; each user creates maximal damage (per attack budget).
5
Sophisticated Attacks: Examples
Simple example: database server. Make hard queries; goal: consume CPU time.
Sophisticated attacks in the research:
Reduction of Quality (RoQ) Attacks on Internet End-Systems, Mina Guirguis, Azer Bestavros, Ibrahim Matta and Yuting Zhang, INFOCOM 2005
Low-Rate TCP-Targeted Denial of Service Attacks, A. Kuzmanovic and E. W. Knightly, SIGCOMM 2003
Denial of Service via Algorithmic Complexity Attacks, Scott A. Crosby and Dan S. Wallach, USENIX 2003
6
Our goal
Proposing a Vulnerability measurement for all sophisticated DDoS attacks.
Understanding the vulnerability of different systems to sophisticated attacks. Later: hash tables and queuing.
7
Vulnerability Factor Definition
Vulnerability = v means: a malicious user degrades the server performance v times more than a regular user.
Performance degradation scales:

$$\mathrm{Vulnerability}(\mathrm{Cost}\ c) = \max_{st} \frac{\Delta\mathrm{Performance}(\mathrm{Malicious}_{st},\ c)}{\Delta\mathrm{Performance}(\mathrm{Regular},\ c)}$$

(st = malicious strategy)
9
Demonstration of Vulnerability metric: Attack on Hash Tables
A central component in networks. A hash table is a data structure based on a hash function and an array of buckets.
Operations: Insert, Search and Delete of elements according to their keys.
[Figure: user sends Insert(element) to the server; Hash(key) selects the bucket in the buckets array]
10
Hash Tables
Open Hash: bucket = list of the elements that were hashed to that bucket.
Closed Hash: bucket = one element; on a collision the array is repeatedly probed until an empty bucket is found.
11
Performance Factors in Attack
While the attack is on: the attacker's operations are CPU intensive, so the CPU is loaded.
Post attack: the table is loaded, so insert/delete/search operations suffer.
Vulnerability: OPEN vs. CLOSED. Traditional performance: OPEN = CLOSED* (* when the bucket array of the closed hash is twice as big).
What about vulnerability? OPEN = CLOSED?
12
Attacker strategy (InsStrategy)
Strategy: insert k elements (cost = budget = k) where all elements hash into the same bucket.
Theorem: InsStrategy is optimal for both performance factors.
Closed Hash: a cluster. Open Hash: one long list of elements.
Attack Results
13
In Attack: Resource Consumption
Analytic results:
Open Hash: V =
Closed Hash: V =
In every malicious insertion, the server has to traverse all previously inserted elements (plus some existing elements).
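As an added illustration (not from the talk or its authors), a small Python simulation of the in-attack resource-consumption vulnerability factor for both variants: an open hash (chaining) and a closed hash (linear probing) are loaded with random background elements, then the CPU work of k regular inserts is compared with k inserts following InsStrategy (all keys landing in one bucket). The bucket count M, the 0.3 load, k = 64 and the trivial key-mod-M hash are constructed assumptions.

```python
import random

M = 1024  # constructed: bucket-array size used for both hash variants

def insert_open(buckets, key):
    """Open hash (chaining): walk the bucket's list, then append.
    Returns the number of elements touched, i.e. the CPU cost of this insert."""
    chain = buckets[key % M]
    chain.append(key)
    return len(chain)

def insert_closed(slots, key):
    """Closed hash (linear probing): probe until a free slot is found.
    Returns the number of probes, i.e. the CPU cost of this insert."""
    i, probes = key % M, 1
    while slots[i] is not None:
        i, probes = (i + 1) % M, probes + 1
    slots[i] = key
    return probes

def work(insert, table, keys):
    """Total insertion cost of `keys` into an already loaded `table`."""
    return sum(insert(table, k) for k in keys)

def vulnerability(variant, k=64, load=0.3, seed=7):
    """Vulnerability factor V of the in-attack resource consumption:
    V = work(InsStrategy, k inserts) / work(regular user, k inserts)."""
    insert, new_table = {"open": (insert_open, lambda: [[] for _ in range(M)]),
                         "closed": (insert_closed, lambda: [None] * M)}[variant]
    rng = random.Random(seed)
    background = rng.sample(range(1, 10**6), int(load * M))  # constructed: existing elements
    regular = rng.sample(range(10**6, 2 * 10**6), k)          # regular user: k arbitrary keys
    malicious = [M * i for i in range(1, k + 1)]              # InsStrategy: k keys, one bucket
    costs = {}
    for name, keys in (("regular", regular), ("malicious", malicious)):
        table = new_table()
        work(insert, table, background)   # load the table before measuring
        costs[name] = work(insert, table, keys)
    return costs["malicious"] / costs["regular"]

if __name__ == "__main__":
    for variant in ("open", "closed"):
        print(f"{variant} hash: V = {vulnerability(variant):.1f}")
```

With k = 64 the malicious inserts cost on the order of k^2/2 traversals in both variants while the regular inserts cost only a small constant each, so V grows roughly linearly with the attack budget.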
14
Post Attack: Operation Complexity
[Figure: post-attack operation complexity, Open Hash vs. Closed Hash]
15
Post Attack: account for queuing. Requests for the server are queued up.
Vulnerability of the (post attack) waiting time?
[Figure: request queue in front of the hash-table server]
16
Post Attack Waiting Time
Open Hash: vulnerable!! Whereas in the model of post-attack operation complexity the open hash is not vulnerable!
Closed Hash: drastically more vulnerable; the clusters increase the second moment of the hash operation times. No longer stable for load > 48%.
[Figure: waiting time vs. load, with the stability point marked]
17
Conclusions
The Closed Hash is much more vulnerable than the Open Hash to DDoS, even though the two systems are considered equivalent under traditional performance evaluation.
After the attack has ended, regular users still suffer from performance degradation.
Applications using a hash table on the Internet, where a queue sits in front of the hash table, have high vulnerability.
18
Related Work
The alternative measure: Potency [RoQ].
Potency was defined only for RoQ; Vulnerability covers all sophisticated attacks.
Potency only counts the performance degradation of a specific attack; Vulnerability measures the system.
Potency is meaningless without additional numbers; Vulnerability is meaningful information based on this number alone.
Analyzing hash tables: comparing the Closed Hash to the Open Hash, and also analyzing the post-attack performance degradation (cf. Denial of Service via Algorithmic Complexity Attacks, Scott A. Crosby and Dan S. Wallach, USENIX 2003).
19
Questions?