Denial-of-Service Flooding Detection in Anonymity Networks
MonAM 2007, LAAS-CNRS, Toulouse, France, 5 November 2007. Denial-of-Service Flooding Detection in Anonymity Networks. Computer Networks & Communications Group, Institute for IT-Security and Security Law, University of Passau, Germany. Jens Oberender, Melanie Volkamer, Hermann de Meer. Slide transcript.
Denial-of-Service Flooding Detection in Anonymity Networks
Computer Networks & Communications Group, Institute for IT-Security and Security Law, University of Passau, Germany
Performance Measurement and Management for Two-Level Optimization of Networks and Peer-to-Peer Applications (GR/S69009/01)
Network of Excellence: Design and Engineering of the Future Generation Internet (IST-028022)
Jens Oberender, Melanie Volkamer, Hermann de Meer
MonAM 2007, LAAS-CNRS, Toulouse, France, 5 November 2007
jens.oberender@uni-passau.de
Attacks in Anonymity Networks
Chaum’s Mixer: a sender remains anonymous if an adversary obtains no evidence on the sender’s identity.
How to protect receivers from anonymous flooding attacks?
1. Enable traffic flow detection → DoS attack detection
2. Prevent anonymity breach → protect sender identity → Message Tagging
20.04.23 DoS Flooding Detection in Anonymity Networks 2
[Figure: Sender → Anonymity Network → Gateway / Access Control Entity with DoS Detection → Receiver, drawn over the Application, Transport, Network and Data Link layers; attacks are marked on the path]
Linkability Continuum
Two messages are linkable by an adversary if evidence on their relation can be provided.
• Pseudonyms (−): adversary links all messages → malicious profiling
• Unobservability (+): observer cannot link any messages together
• Limited Linkability: restricted number of linkable messages → enables traffic flow clustering
[Figure: message linkability continuum; axis “# Messages per Profile” running from 1 (none) to lifelong, with limited linkability in between]
Attacker Model
Security Objectives
1. Limited linkability
2. Linkability resistant to malicious influence
Privacy Adversary
• Aim: disclose sender anonymity
• Observes incoming tags
• Colludes with other DoS engines
Message Flooding Attacker
• Aim: Denial-of-Service
• Exhausts victim resources
[Figure: DoS mitigation with the attacker placed against the Anonymity Network, the privacy adversary placed against Access Control, and the adversary placed against the Receiver]
Assumptions
• Anonymity Network unbroken
• Access Control Entity trusted by sender & receivers
Message tagging
Fast, local traffic flow cluster criteria: hash from characteristic strings (key derivation function)
Values not comparable with fresh salt → linkability control
Tag properties
• Sender → differentiates senders
• Receiver → disables cross-server profiling
• Time Frame → disables lifelong linkability
h(Sender, …): tag(X→R) ≠ tag(Y→R), so messages of different senders to the same receiver carry different tags
h(…, Receiver, …): tag(X→R1) ≠ tag(X→R2), so messages of one sender to different receivers carry different tags
[Figure: ingress mixer, mixers and egress mixer with an Access Control Entity performing DoS detection; a malicious ingress mixer colludes with the adversary]
Internal vs. External Tags
• Anonymity attack using external tags: colluding nodes learn anonymous paths
• Proposed internal message tagging: tags reside within the encrypted channel
[Figure: internal tag h(SenderX, Receiver, …) carried inside the encrypted channel]
Clustering of Anonymous Traffic Flows
• Anonymous messages: header data stripped off, application-level analysis needed
• Message tags enable flow clustering
• Clusters of [Sender, …] at the engine; detection frames cluster partial message flows → arrival rate
[Figure: message tags h(SenderX, Receiver, …) plotted over time at the Access Control Entity and grouped into detection frames Δt; the flooding cluster stands out against regular use]
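The tag construction from the “Message tagging” slide and the per-frame clustering with arrival-rate detection from this slide, worked through in Python as an added example; this is not code from the slides or from the authors. Everything beyond the slides is an assumption: HMAC-SHA256 stands in for the key derivation function, the per-frame salt is derived from a secret held by the trusted Access Control Entity, the frame lengths and the rate threshold are chosen values, and the traffic is constructed. The last function illustrates the clock-skew caveat from the “Scalability Issues” slide: tagging and clustering under different clocks split one sender’s messages into two tags.

```python
import hashlib
import hmac
from collections import Counter, defaultdict

TIME_FRAME = 60.0        # seconds per tag time frame (assumed value)
DETECTION_FRAME = 10.0   # seconds per detection frame at the engine (assumed value)
RATE_THRESHOLD = 5.0     # messages/second per tag treated as flooding (assumed value)


def frame_index(timestamp, frame_len, skew=0.0):
    """Map a timestamp (seconds) to a frame number; skew models clock drift."""
    return int((timestamp + skew) // frame_len)


def frame_salt(ace_secret, frame):
    """Fresh salt per time frame, derived from a secret of the trusted Access
    Control Entity (assumption). A new salt per frame makes tags of different
    frames non-comparable, which rules out lifelong linkability."""
    return hmac.new(ace_secret, b"salt|%d" % frame, hashlib.sha256).digest()


def issue_tag(ace_secret, sender, receiver, frame):
    """Tag = KDF over (sender, receiver, time frame), keyed with the frame salt.
    Hashing the sender separates senders; hashing the receiver keeps engines at
    different receivers from matching tags (no cross-server profiling)."""
    material = b"|".join([sender.encode(), receiver.encode(), b"%d" % frame])
    return hmac.new(frame_salt(ace_secret, frame), material, hashlib.sha256).hexdigest()[:16]


def cluster_flows(messages):
    """messages: (arrival_time, tag) pairs as seen by the detection engine, which
    knows nothing but the tag. Returns {detection_frame: Counter(tag -> count)}."""
    frames = defaultdict(Counter)
    for arrival, tag in messages:
        frames[frame_index(arrival, DETECTION_FRAME)][tag] += 1
    return frames


def detect_flooding(messages, threshold=RATE_THRESHOLD):
    """Arrival rate per tag and detection frame; returns {(frame, tag): rate}
    for clusters above the threshold. Only tags are reported, never identities."""
    flagged = {}
    for frame, counts in cluster_flows(messages).items():
        for tag, n in counts.items():
            rate = n / DETECTION_FRAME
            if rate > threshold:
                flagged[(frame, tag)] = rate
    return flagged


ACE_SECRET = b"constructed-ace-secret"       # constructed sample key
RECEIVER = "mail.example.test"               # constructed receiver name


def sample_traffic():
    """Constructed sample: one regular sender (3 messages in 10 s) and one
    flooding sender (120 messages in 10 s), both to RECEIVER in time frame 0."""
    msgs = []
    for i in range(3):
        ts = 1.0 + 3 * i
        msgs.append((ts, issue_tag(ACE_SECRET, "alice", RECEIVER, frame_index(ts, TIME_FRAME))))
    for i in range(120):
        ts = 0.05 * i
        msgs.append((ts, issue_tag(ACE_SECRET, "mallory", RECEIVER, frame_index(ts, TIME_FRAME))))
    return msgs


def flagged_tags():
    """Set of tags the engine reports as flooding for the constructed sample."""
    return {tag for (_frame, tag) in detect_flooding(sample_traffic())}


def skew_splits_cluster(timestamp=50.0, skew=15.0):
    """Clock-skew caveat: if the clock used when tagging differs from the clock
    used when clustering, a message near a frame boundary falls into another
    time frame and therefore gets another tag; the sender's cluster is split."""
    frame_tagged = frame_index(timestamp, TIME_FRAME)
    frame_skewed = frame_index(timestamp, TIME_FRAME, skew)
    return issue_tag(ACE_SECRET, "alice", RECEIVER, frame_tagged) != \
        issue_tag(ACE_SECRET, "alice", RECEIVER, frame_skewed)


if __name__ == "__main__":
    for (frame, tag), rate in detect_flooding(sample_traffic()).items():
        print(f"detection frame {frame}: tag {tag} at {rate:.1f} msg/s -> flooding")
    print("clock skew splits a sender's cluster:", skew_splits_cluster())
```

The engine never needs to invert a tag: it compares tags for equality, counts per detection frame and divides by the frame length, which is all the arrival-rate criterion requires. With the constructed traffic only the flooding sender’s tag exceeds the threshold, and the regular sender stays linkable for at most one time frame because the next frame’s salt changes her tag.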
Clustering of time-based Tags
Scalability Issues
• Clock skew in distributed systems: misuse degrades linkability
• Access control entity counts messages per sender; logarithm effects on tag
Traffic flow classification: arrival rate per message tag → activity profiling
[Figure: DoS detection engine between Anonymity Network and Receiver keeping per-tag counters over time for SenderX and SenderY; the flooding flow stands out against regular use]
Sender Linkability
• Scales with message volume; depends on arrival rate towards each receiver; message tag collisions
• Flow splitting increases linkability
• Incentive mechanism: strategic players’ goal is to maximize privacy → inoffensive communication encouraged
[Figure: offset flooding; message tags over time at Access Control Entity 1 and Entity 2, with an attacker, malicious senders and malfunctioning applications feeding the DoS detection]
Multiple sender identities
• Equivalent to DDoS: no defense against attacks from different sender identities, but…
• Example BotNets: anonymity for attacker only; proxy functionality; yet these don’t spy; SMTP authentication
• Anonymity networks: no need to operate a BotNet; anonymous attacks using real identity; hard to detect without add-ons
Benefits the privacy of the broad public!
Conclusions
• Partial traffic flows: ability to detect anonymous DoS flooding attacks; state-of-the-art techniques applicable
• Sender anonymity maintained: sender privacy; defense of cross-server profiling; restricted amount of linkable messages
• Arrival rate ↔ linkability
Jens Oberender <[email protected]>