1

Vulnerability of Network Mechanisms toSophisticated DDoS Attacks

Udi Ben-Porat, Student Member, IEEE, Anat Bremler-Barr, Member, IEEE,and Hanoch Levy, Member, IEEE.

Abstract—In recent years we have experienced a wave of DDoS attacks threatening the welfare of the internet. These arelaunched by malicious users whose only incentive is to degrade the performance of other, innocent, users. The traditionalsystems turn out to be quite vulnerable to these attacks.The objective of this work is to take a first step to close this fundamental gap, aiming at laying a foundation that can be usedin future computer/network designs taking into account the malicious users. Our approach is based on proposing a metric thatevaluates the vulnerability of a system. We then use our vulnerability metric to evaluate a data structure which is commonly usedin network mechanisms – the Hash table data structure. We show that Closed Hash is much more vulnerable to DDoS attacksthan Open Hash, even though the two systems are considered to be equivalent by traditional performance evaluation. We alsoapply the metric to queueing mechanisms common to computer and communications systems. Further more, we apply it to thepractical case of a hash table whose requests are controlled by a queue, showing that even after the attack has ended, theregular users still suffer from performance degradation or even a total denial of service.

Index Terms—DDoS, hash, queue, vulnerability, metric, malicious.

F

1 INTRODUCTION

IN RECENT years the welfare of the Internet hasbeen threatened by malicious Distributed Denial of

Service (DDoS) attacks. DDoS attackers consume theresources of the victim, a server or a network, causinga performance degradation or even the total failureof the victim. In DDoS attacks, attackers send a largeamount of traffic, consuming the CPU or the band-width of the victim. The ease with which such attacksare generated makes them very popular. According toLabovitz et al. [1], large backbone networks observeDDoS attacks on a daily basis.

The basic form of a DDoS attack is the simple high-bandwidth DDoS attack. That is, simple brute forceflooding, where the attacker sends as much trafficas he can to consume the network resources, namelythe bandwidth of the server’s incoming link, withoutusing any knowledge of the system design. This canbe achieved by sending a huge amount of traffic overa raw socket or by using an army of Zombies1, eachmimicking the requests of a regular user.

Sophisticated low-bandwidth DDoS attacks use lesstraffic and increase their effectiveness by aiming ata weak point in the victim’s system design, i.e. the at-tacker sends traffic consisting of complicated requeststo the system. While it requires more sophistication

U. Ben-Porat is with the Computer Engineering and Networks Laboratory(TIK), ETH Zurich, Switzerland. e-mail: ehud.benporat@tik.ee.ethz.ch.Anat Bremler-Barr is with the Computer Science Dpt., InterdisciplinaryCenter, Herzliya, Israel. email: bremler@idc.ac.il.Hanoch Levy is with the Computer Science Dpt., Tel-Aviv University,Tel-Aviv, Israel. email: hanoch@post.tau.ac.il.

1. A zombie is a compromised machine that is controlled by aremote hacker. The current estimate is that there are millions ofzombie machines today, in private homes and institutes.

and understanding of the attacked system, a lowbandwidth DDoS attack has three major advantages incomparison to a high bandwidth attack: 1. Lower cost– since it uses less traffic; 2. Smaller footprint – hence itis harder to detect; 3. Ability to hurt systems which areprotected by flow control mechanisms. An exampleof such attacks is an attack against HTTP servers byrequesting pages that are rarely requested (forcing theserver to search in the disk). Similar attacks can beconducted on search engines or on database serversby sending difficult queries that force them to spendmuch CPU time or disk access time. In fact, an exam-ple of such a sophisticated attack can be seen even inthe classic SYN attack [2] which aims hurting the TCPstack mechanism at its weakest point, the three-way-handshake process and its corresponding queue.

In this work we focus on sophisticated low-bandwidth attacks. We define sophisticated low-bandwidth DDoS attacks as attacks that increase theireffectiveness by aiming at hurting a weak point in thevictim’s system design, i.e. the attacker sends trafficconsisting of complicated requests to the system. Thisgeneralized definition covers all the different attacktypes described in recent papers [3]–[9] includingthe two new major breeds: the Complexity Attack[3] and the Reduction of Quality (RoQ) attacks [5],[6]. In Section 2 we give a short overview of thedifferent DDoS attack types that fall into the categoryof sophisticated attacks.

Our first contribution in this work (Section 3) is aproposal of a new metric that evaluates the vulnera-bility of a system for any kind of sophisticated attacks.Our approach is based on proposing a Vulnerability

2

Metric that accounts for the maximal performancedegradation (damage) that sophisticated malicioususers can inflict on the system using a specific amountof resources (cost) normalized by the performancedegradation attributed to regular users, using thesame resources. Having a metric for computer secu-rity [10] is an important step for improving security.As a well known phrase states : “If you cannot mea-sure, you cannot manage. If you cannot manage, youcannot improve”. Our metric provides the ability tounderstand the resilience of systems to DDoS attacksand, in the case that multiple algorithms/designs areavailable for the same problem, helps in selecting themost resilient one.

Vulnerabilities to sophisticated DDoS attacks seemto be an inherent part of existing computer and net-work systems. Traditionally, these systems have beendesigned and operated under the underlying funda-mental principle that each user aims at maximizing theperformance he/she receives from the system. While oper-ational strategies have been divided to social optimiza-tion (optimize operation to the benefit of the overallpopulation) or individual optimization (each user acts toimprove his own performance), see e.g. [11], the basicparadigms were still based on this principle, namelythat each user aims at maximizing his own perfor-mance. This paradigm does not hold any more in thenew “DDoS environment” where some users do notaim to maximize their own performance, but rather todegrade the performance of other users. Thus, there isa major gap between traditional assumptions on userbehavior and practical behavior in modern networks.Due to this gap it is both natural and inherent thattraditional algorithms, protocols and mechanisms willbe quite vulnerable in this environment.

Our second contribution, presented in Section 4, isan evaluation of the Hash data structure, commonlyused in network mechanisms, using our vulnerabilitymetric. The sophisticated attack against the Hash datastructure was first introduced in the work of Crosbyand Wallach [3]. However, their work focused only onOpen Hash, using only experimental results on real-life Hash implementations. In contrast, we provideanalytic results using our Vulnerability Factor metricon the two Hash types: Open Hash and Closed Hash.An important finding of this simple analysis, whichcan affect practical designs, is that these two commonHash types (which are known to be equivalent accord-ing to many performance aspects) drastically differfrom each other in their vulnerability to sophisticatedattacks.

Our third contribution, presented in Section 5, isan examination of the vulnerability of some queueingmechanisms, commonly used in computer networks.We address this subject by considering a very simpleexample of the First Come First Served (FCFS) queue.We show that though attackers, under this mecha-nism, “must wait like everyone else” and thus have no

control of their place in the queue, they can still causesignificant damage even if they use, on average, thesame amount of resources that regular users do. Thestrategy of the malicious users is simple - just submitlarge jobs from time to time. In fact the vulnerabilitylevel (using the proposed metric) of this system canbe unbounded.

Our fourth contribution, provided in Section 6,shows that in the case of an attack either on an OpenHash system or on a Closed Hash system, the regularuser still suffers from performance degradation oreven a total denial of service, even after the attackhas ended (note that the degradation is not due tothe extra load of the attack but due to its sophistica-tion). Our results show that even a data structurewhose amortized complexity (whether attacked ornot) is O(1), such as Open Hash, is vulnerable tomalicious attacks when the structure is combined witha queue. Although the data structure itself is immuneto complexity attacks (since it still operates with O(1)amortized complexity), the waiting time in the queuecan dramatically increase if an attacker manages toincrease the variance of the request processing time.

As far as we are aware, we are the first to point outpost attack performance degradation. We demonstratethis by using the analysis of a practical and commoncase that combines the Hash table data structurewith a queue preceding it (post-attack degradationis demonstrated, for Closed Hash, also in Section 4).Using this model, we further derive the precise size ofthe attack that will “harm” the Hash system in sucha way that, even after the attack has ended, it willmake the regular users suffer from complete denial ofservice (and not only from performance degradation).In Section 7 we compare the vulnerability of Open andClosed Hash. A short paper with preliminary resultsfrom this work has been published in [12].

2 SOPHISTICATED ATTACKS

We define a Sophisticated DDoS attack as an attackin which the attacker sends traffic aiming to hurt aweak point in the system design in order to conductdenial of service or just to significantly degrade theperformance (such as Reduction of Quality attackslike [5], [6]). The sophistication lies in the fact thatthe attack is tailored to the system design, aiming toincrease the effectiveness of the attack.

The motivation of the attacker is to minimize theamount of traffic it sends while achieving similar oreven better results. Using sophisticated attacks theattacker reduces the cost of attacks i.e., reduces thenumber of required zombies2 and reduces the so-phistication in coordinating the attack. Moreover, the

2. Today, there is a market in zombie machines. Attackers canskip the time consuming process of taking control of new machinesand just buy “off the shelf” zombies. Hence the number of machinesrequired to launch the attack translate directly to the cost of money.

3

use of sophisticated attacks increases the likelihoodthat the attack will succeed in going unnoticed (goingunder the radar) by the DDoS mitigation mechanisms,which are usually based on detecting the fact thatthe victim was subject to higher-than-normal trafficvolume. Note that designing a sophisticated attacktool requires only a one-time effort of understandingthe system design in order to find its weak point.However, after such a tool is constructed, other at-tackers can use the tool as an “off-the shelf” black boxattack tool without any knowledge of the system. Sim-ilar evolutions were observed in other DDoS attacktypes such as “SYN-attack” where general tools suchas Trinoo and TFN were designed and distributedover the web to layman attackers [13]. Due to thecomplexity of the applications, they are usually morevulnerable to Sophisticated DDoS attacks. However,the Sophisticated attacks are not just against appli-cations and may also be conducted against protocols(see, for example, attacks against TCP [7]).

Roughly speaking, we can classify the methodsof launching sophisticated attacks into two classes:Malicious Job Content and Malicious Jobs Arrival Pattern.

1) Malicious Job Content - Attacker exploits theworst-case performance of the system which differsfrom the average case that the system was designedfor. In [3] Crosby and Wallach demonstrate the phe-nomenon on Open Hash table implementations intwo versions of Perl, the Squid web proxy, and theBro intrusion detection system. They showed that anattacker can design an attack that achieves worst casecomplexity of O(n) elementary operations per insertoperation instead of the average case complexity ofO(1). It caused, for example, the Bro server to drop71% of the traffic. Examples of systems and algo-rithms that can potentially yield to complexity attacksare quicksort [14] regular expression matcher [15],Intrusion Detection Systems [9], [16] and the Linuxroute-table cache [17]. Moscibroda and Multu [18]discuss a sophisticated DDoS attack which degradesthe performance of a Multi-Core System. The attack isconducted by one process (running on one core) tar-geting the weakest point in such a system - the sharedmemory - and degrades the performance of otherprocesses in the system. Smith et al. [9] describe alow bandwidth sophisticated attack on a Network In-trusion Detection System (NIDS). This attack disablesthe NIDS of the network by exploiting the behaviorof the rule matching mechanism by sending packetswhich require a very long inspection times. Anotherexample is the SSL handshake dropping DoS attack[19], which abuses the fact that clients can requestthe server to perform computationally expensive op-erations without doing any work themselves. In the802.11 standard, malicious users can steal additionaltime share by using Network Allocation Vectors to re-serve a long period of time for themselves [20]. Similarattacks can be conducted against cellular networks;

In [21] the authors show how malicious users canbehave according to the worst case scenario of theretransmission algorithm to obtain a larger time share.

2) Malicious Jobs Arrival Pattern - Attacker ex-ploits the (stochastic) worst case traffic pattern thatcan be applied to the system. This case is similarto the first one with the difference that the worstcase scenario involves a specific traffic arrival patternof requests from multiple users. This type of attackis demonstrated in the Reduction of Quality (RoQ)attacks papers [5], [6], [9]. RoQ attacks target theadaptation mechanisms by hindering the adaptivecomponent from converging to steady-state. This isdone by sending - from time to time - a very shortduration of surge demand imitating many users andthus pushing the system into an overload condition.Using a similar technique, Kuzmanovic and Knightly[7] presented the Shrew Attack which is tailored anddesigned to exploit TCP’s deterministic retransmis-sion timeout mechanism. In [22] the authors showhow a group of malicious users can attack a schedulerof a cellular network and increase their allocatedtime share significantly by coordinating their reportedchannel condition values. The pattern created by thisbehavior allows them to consistently obtain exagger-ated priority and obtain a larger time share (at theexpense of others). Another example of an attack ex-ploiting the stochastic worst case is given in Bremler-Barr et al. [4]. There it is shown that Weighted FairQueueing (WFQ), a commonly deployed mechanismto protect traffic from DDoS attacks, is ineffective in anenvironment consisting of bursting applications suchas the Web client application.

3 THE VULNERABILITY FACTOROur work is based on the observation that the tradi-tional performance analysis of computer systems andalgorithms is not adequate to analyze the vulnerabil-ity of a system to sophisticated DDoS attack and anew metric is needed. Such a vulnerability metric canhelp a system designer to:

Choose between two equal systems: Such univer-sal vulnerability metric can be used to compare thevulnerability of two alternative systems. For example,a system designer of a modern cellular base stationcould use the vulnerability metric to compare betweenthe CDF [22] and PFS [21] wireless scheduling algo-rithms.

Select the values of system operating variables:The analysis (either analytically or empirically) of thevulnerability value can expose the contribution of thedifferent system parameters to the system vulnera-bility and help the designer to balance trade-offs be-tween the system vulnerability and its efficiency. Forexample, in the PFS wireless scheduler [21], increas-ing the maximal number of retransmissions increasesthe base station throughput on the one hand whileincreasing its vulnerability on the other hand.

4

Use vulnerable systems safely: A vulnerabilitymetric assessing the amount of damage that can beinflicted by malicious sophisticated users can help touse known vulnerable systems wisely. For example,consider the Bro intrusion detection systems that candrop up to 71% of the traffic during an attack [3]. Acompany that already owns and uses vulnerable Brosystems can still use them safely by rearranging theservers and the network such that none of them willhave to handle more that 29% of its original traffic(and hence will not drop traffic even under attack).

It is important to note that the analysis of theworst-case performance of a system versus that of theaverage-case is not sufficient in order to comprehendthe vulnerability of a system. This is due to threemajor factors: First, the worst case analysis does nottake into consideration the cost of producing the worstcase scenario. However, in the context of analyzingthe vulnerability of a system, the cost is an importantfactor, since a scenario that is expensive to produce,does not really pose a threat to the system. Second,traditionally the assumption in the worst case analysisof a system is that all the participants follow theprotocol rules. However, dealing with a malicious at-tacker, the attacker can form his own protocol, mainlydesigned to damage the system as much as possible.Third, usually the worst case analysis deals with themost difficult input into the system per user. Howeverin the vulnerability assessment we also need to takeinto account the most difficult scenario of interactionbetween the users of the system. That is, we also needto analyze the system using the “stochastic” worstcase scenario (as shown in the sophisticated attacks[5], [7]).

Sophisticated DDoS

Hurting a weak link of the system design

Sophisticated DDoS

Hurting a weak link of the system design

Amount of traffic that is required to overload the server1

DoS - NOT DDoS

Application bug

DoS - NOT DDoS

Application bug

A lot

Vulnerability factor

1KInfinity

Basic DDoS

Brute Force - flooding

Basic DDoS

Brute Force - flooding

Fig. 1. Vulnerability Factor and Sophisticated DDoSattack.

Our proposal for the definition of the VulnerabilityFactor of a system is to account for the maximalperformance degradation (damage) that sophisticatedmalicious users can inflict on the system using aspecific amount of resources (cost) normalized bythe performance degradation attributed to regularusers using the same amount of resources. Figure 1demonstrates the concept of the Vulnerability Factor.Mechanisms that are vulnerable only to brute forceattacks will have a Vulnerability Factor of one, whilemechanisms that are vulnerable to sophisticated at-

tacks will receive a factor of K > 1 indicating that themaximal attacker’s power is equivalent to that of Kregular users3.

Formally, we define the Vulnerability Factor as fol-lows: Let the usersType parameter be equal to eitherregular users (R) or malicious attackers (Mst ) withstrategy st . Note that we use the plural terms sincesome of the attack types occur only in specific sce-narios of multiple coordinated access of users to thesystem [5]. Let the budget be the amount of resourcesthat the users of usersType spend on producing theadditional traffic to the system, i.e., the cost of pro-ducing the attack is limited by the budget parameter.The budget can be measured differently in the variousmodels, e.g. as the required bandwidth, or the numberof required computers or as the required amountof CPU and so on. Let ∆Perf (usersType, budget) bethe change in the performance of the system due tobeing subject to additional traffic added to the regulartraffic of the system, where the traffic is generated byusers from type usersType with resource budget . Theperformance can be measured by different means suchas the CPU consumption, the delay experienced bya regular user, the number of users the system canhandle, and so on.

We define the Effectiveness of a strategy st on thesystem as

Est(budget = b) =∆Perf (Mst , b)

∆Perf (R, b), (1)

and the Vulnerability Factor V of the system as:

V (budget = b) = maxst{Est(b)}. (2)

If the Vulnerability Factor of a system equals the ef-fectiveness of a strategy st, then st is said to be an Op-timal Malicious Users Strategy. In practice, there may bea system in which no strategy can be proved to be theoptimal because the effectiveness of all other possiblestrategies cannot be evaluated or bounded. In thiscase, the most effective (known) malicious strategy isconsidered to be a lower bound on the vulnerabilityof the system. Note that for the same system there canbe more than one Optimal Malicious Users Strategy andthat an Optimal Malicious Users Strategy maximizes∆Perf (Mst , b). Observe that for systems invulnerableto attacks V = 1 since ∆Perf (Mst , b) = ∆Perf (R, b).

Note that we focus on the attacker’s strategy thathas the maximum effect in performance degradation,since the common assumption in the field of securityis that the vulnerability of a system is measured at itsweakest point.

3. Placing the DoS attack on the same baseline, the DoS attack(exploiting a bug in the application, leading to a total systemfailure) receives the factor of infinity.

5

3.1 Related Work

The first step for measuring system vulnerability,was done by Guirguis et al. [5]4, which concentratedonly on measuring RoQ attacks. Their work pro-poses the attack Potency measure which evaluates theamount of performance degradation inflicted by anattacker according to his budget. The reader can ob-serve that this measure is similar to our definition of∆Perf (Mst , budget = b). However, the difference be-tween the Effectiveness (Est) and the Potency measures,is that we normalize the performance degradation thesystem suffers due to an attacker by the performancedegradation the system suffers due to a regular user.Clearly, Potency can be generalized to measure anysophisticated attack, however we think that the Ef-fectiveness is preferable since it allows for derivingmeaningful information based on this (dimensionless)number alone. Consider the case of a system with aVulnerability Factor of K. In this case we can deducethat the system can cope with a number of sophis-ticated attackers, which is only 1

K of the number ofregular users the system can handle. In contrast, if thepotency level is P it means that the attacker obtainsP units of damage per one unit of cost; this numberis meaningless without comparing it to the potencyof other scenarios, such as the potency of a regularuser, or the potency of other attacks. Moreover, theunit used by the potency measure (damage per cost)is not fully defined and left for the interpretation ofwhoever uses it. Both the Potency and Effectivenessmeasures focus on the power of a specific attack. Incontrast, we propose that a more interesting metric isthe Vulnerability Factor that focuses on the system andprovides bounds on its performance under any typeof attack.

In this work we present results relating to the vul-nerability of Hash systems. The sophisticated attackagainst Hash tables was first introduced in [3] whichconcentrated only on Open Hash, using only experi-mental results on real-life Hash implementations. Incontrast, we provide analytic results using our Vul-nerability Factor metric on the two Hash types: OpenHash and Closed Hash. An important finding of thissimple analysis, which can affect practical designs,is that these two common Hash types (which areknown to be equivalent according to many perfor-mance aspects) drastically differ from each other intheir vulnerability to sophisticated attacks. Moreover,by analyzing the effect of sophisticated attacks onqueueing with Hash, our work further shows that theregular users suffer from performance degradationeven after the attack has ended.

4. The primal work of Gilgor [23] presents a formal specificationand verification in order to prevent denial of service, but did nottry to measure the vulnerability of the system. Moreover, the workconcentrates on denial of service of a different type, where someusers can lead the system to a situation where part of the usersreach a “deadlock” situation.

4 SOPHISTICATED ATTACKS ON HASH TA-BLES

Many network applications, such as the Squid WebProxy and the Bro Intrusion Detection System, usethe common Hash data structure. This data structuresupports the dictionary operations of Insert, Searchand Delete of elements according to their keys. Hashtables are used when the number of keys (elements)actually stored is relatively low compared to the totalnumber of possible key values. A Hash table is basedon an array of size M , where an entry in the arrayis called a bucket. The main idea of a Hash table isto transform the key k of an element, using a Hashfunction h, into an integer that is used as an indexto locate a bucket (corresponding to the element) inthe array. In the event that two or more keys arehashed to the same bucket, a collision occurs andthere are two Hash strategies to handle the collision:Open Hash (a.k.a Closed Addressing) and ClosedHash (a.k.a Open Addressing). In Open Hash eachbucket in the array points to a linked list of the recordsthat were hashed to that bucket. In Closed Hash allelements are stored in the array itself as follows; Inthe Insert operation, the array is repeatedly probeduntil an empty bucket is found. The Hash functionin this case can be thought of as being extended tobe a two parameter function depending on the key kand the number of the probe attempts i i.e. h(k, i) (fordetailed explanations about Open and Closed Hashsee [24]). The particular probing mechanism whereh(k, i) = H(k) + i− 1(modM) is called linear probing.

In the Hash data structure (Closed or Open), theaverage complexity of performing a Hash operation(Insert, Search and Delete) is O(1) elementary op-erations5 while the worst case complexity is O(N)elementary operations per Hash operation, where N isthe number of existing elements in the Hash table. TheInsert operation consists of a search to check whetherthe element already exists in the Hash table and inaddition, an insertion of the new element (in the casewhere it does not exist). In both Closed and OpenHash the Insert operation of a new element is the mosttime consuming operation.

In [3] it is shown that an attacker, in the commoncase where the Hash function is publicly known6, candrive the system into the worst case performance,and thus dramatically degrade the performance ofthe server application. Naturally, the Hash examplebelongs to the class of Malicious Job Content so-phisticated attacks. Note that Universal Hash func-tions were introduced by Carter and Wegman [25]and are cited as a solution suitable for adversarialenvironments. However, it has not been standardpractice to follow this advice (mainly due to thefear of unacceptable performance overheads in critical

5. The precise complexity is a function of the load in the table.6. Due to the Open Source paradigm.

6

regions of code). Moreover, Smith et al. [9] claim thatit may be possible to force the worst case scenarioeven in the case of universal hashing, by statisticallyidentifying whether two items collide or not, usingthe detectable processing latency. Another counter-measure is to randomize the Hash table. However,Bar-Yosef and Wool [26] show that there is an attackthat can overcome this solution.

4.1 ModelConsider a Hash system consisting of M buckets andN elements, where the Hash function is known tothe attackers. In this model the resource-budget of theusers is measured by the number of Hash operations(k) they can perform, where Hash operations can beeither Insert, Delete or Search. In our analysis wewill use three metrics: i) The number of memoryreferences the k operations require during attack time(In Attack Resource Consumption), ii) The complexityof performing an arbitrary Hash operation after theattack has ended, i.e, after these k Hash-operations arecompleted (Post Attack Operation Complexity). iii) Thewaiting time of a regular user while performing anarbitrary Hash operation after the attack has ended, i.e.,after the k Hash-operations are completed (Post AttackWaiting Time). Note that both metrics, (i) and (ii), aremeasured by the number of memory references7. Inaddition, note that the post attack damage endureswhile the keys inserted by the malicious user are heldin the table. For example, in a hash table used as cachethe post attack damage lasts until the keys insertedby the malicious user are flushed out. Hence, whenevaluating the vulnerability of a designed system, thevulnerability of the system to post attack damageshould be considered in the context of the durationin which the post attack damage lasts.

The analysis of the first two metrics is given inthis section while the results of the analysis and theirpractical implications are discussed in Section 7 anddepicted in Figure 2. The analysis of the third metric isgiven in Section 6. In order to carry out the analysisone needs to decide on what type of operations ofregular users to base the computation of the denomi-nator of (1), that is ∆Perf (R, b). In analyzing the Vul-nerability Factor, we take the conservative approachand assume that the regular users effect the systemby conducting the most time consuming operationtypes. In both Closed and Open Hash, this is theInsert operation. Thus we receive a lower bound onthe actual Vulnerability Factor. Note that as opposedto the traditional elementary operation complexityanalysis, in the Vulnerability Factor analysis we are alsointerested in the specific constant and not only in theorder of magnitude.

7. It is common practice to count memory references in networkalgorithms since memory is defacto the bottleneck in most of thesystems.

Table of VariablesM # of buckets in the tableN # of existing keys in the tableL Load in the table (L = N/M )k # of additional keys inserted by a

malicious/regular user (budget)

4.2 The Insert Strategy

Let the Insert Strategy (INS ) be the malicious users’strategy of performing k insert operations of newelements so that all the inserted elements hash intothe same bucket.

Note that in order to create DDoS attacks using theInsert Strategy, multiple attackers only need to shareone bit of information - the bucket into which theyinsert the elements.

Theorem 1: In Open Hash and Closed Hash sys-tems, the Insert Strategy is an Optimal Malicious UsersStrategy under the In Attack Resource Consumptionmetric and Post Attack Operation Complexity metric.

Theorem 1 is proved separately for Open andClosed Hash in the Appendix.

Remark 1 (The effort of finding the keys): In thiswork we discuss the case where the selection ofelements is done prior to the attack, hence is notincluded in the attack’s budget. If finding the keyscan be done only during the attack then the “price” ofthis effort should be included in the budget and havea realistic proportion (which depends on the systemand the capabilities of the attacker) to the “price” ofperforming an insertion. Note that in Closed Hash,the effort of searching for the right elements can besignificantly reduced if the attacker aims at a rangeof buckets instead of a single bucket. For example, itwill be two times faster to find 100 elements whichhash into a range of two adjacent buckets than intoa specific single bucket. Such bucket-range approachcan be effective since the reduction in the damage(caused to the system) when aiming at two bucketsinstead of one is negligible compared to the searcheffort saved.

4.3 Open Hash

In this subsection we analyze the vulnerability of theOpen Hash table (denoted by OH ). We define the loadfactor8 L of the Open Hash to be equal to N

M , whichis the average number of elements in a bucket. Weassume each bucket is maintained as a linked list.The Insert operation of a new element, which is themost time consuming operation in Hash, requires anexpected number of memory references of L+ 1 [24].

8. This is the load factor as defined in the literature for datastructures [24]; it is different from the traffic load.

7

0 50 100 150 200 250 300 350 40010

0

101

102

103

104

105

Tot

al M

emor

y R

efer

ence

s (f

or N

inse

rtio

ns)

Existing values (N)

Consumption of System Resources

CH − Malicious usersOH − Malicious usersOH − Regular usersCH − Regular usersIdeal System (Y=N)

50 100 150 200 250 300 350 400

100

101

102

Use

r O

pera

tion

Com

plex

ity

Existing values (N)

Post Attack Operation Complexity

CH − Malicious usersCH − Regular usersOH − Regular/Malicious usersIdeal system (Y=1)

(a) (b)

Fig. 2. The performance degradation due to k operations by regular versus malicious users, in Open and ClosedHash under the metrics: (a) In Attack Resource Consumption (b) Post Attack Operation Complexity . The curvesare log scaled and as a function of the number of existing elements N , where k = N . The “Ideal System” curvesdepict the results in an hypothetic ideal invulnerable system where every operation requires exactly one memoryaccess.

4.3.1 In Attack Resource Consumption Metric

The use of the Insert Strategy by malicious userson an Open Hash system creates a growing list ofelements in one bucket. Every inserted key (of thek keys inserted by the malicious user) has to becompared against all the keys that already exist in thetarget bucket. Hence, the i-th key inserted has to becompared against the i−1 keys previously inserted bythe malicious user (and maybe against other alreadyexisting keys). Therefore, every insertion by the mali-cious user suffers an average O(k) complexity (insteadof the average case of O(1)) thus leading to high in-attack resource consumption.

Theorem 2: Under the In Attack Resource Consump-tion metric the Vulnerability Factor of Open Hash is

VOH (k) =k + 2L+ 1

k+1M

+ 2L+ 2. (3)

Proof: First we prove that ∆Perf OH (R, k) = k(1+L + k+1

2M ). After i − 1 regular insertions by regularusers the load of the table is L + i−1

M , therefore thei-th insertion is expected to require 1 + L + i−1

M

memory references, resulting in total of k(1+L+ k+12M )

memory references over k insertions. Next we provethat ∆Perf OH (MINS , k) = kL + k(k+1)

2 . The expectednumber of memory references required by the i-thinsertion of malicious users is L + i, summing up tokL+ k(k+1)

2 memory references for the entire insertionssequence.

Remark 2: Simplifying (3), we may deduce that theparameter k, the magnitude of the attack, is the mostdominant parameter that influences the Vulnerability.

Remark 3 (Simplifying population assumption): In or-der to simplify the already complex analysis, we

0 50 100 150 200 250−5%

−4%

−3%

−2%

−1%

0%

1%

2%

3%

4%

5%

Number of Existing Values (N)

Rel

ativ

e E

rorr

(R

.E.)

due

to th

e as

sum

ptio

n

Effect of the Simplifying Population Assumption

R.E. of Complexity of a single insertionR.E. of Vul. of In Attack Resource ConsumptionR.E. of Complexity of k=N insertions − Reg. UsersR.E. of Complexity of k=N insertions − Mal. Users

Fig. 3. The effect of using the simplifying populationassumption on various performance measures. Theplot depicts the relative error of using the simplifyingassumption as a function of the number of existingvalues. This graph is derived from simulation resultsof a Closed Hash table with 1000 buckets.

assume that the existing elements are uniformly dis-tributed in the table. In a real life scenario the elementstend to gather in clusters (due to the nature of linearprobing) which increases the average insertion com-plexity. Using simulations, we confirmed that the im-pact of this assumption on the final results is insignif-icant. We measured various performance measures -complexity of a single element insertion, complexityof k insertions by regular/malicious users and thevulnerability of the In Attack resource Consumptionmetric. Each was measured in two scenarios: Scenario

8

A – the existing elements are uniformly distributed inthe table; Scenario B – the elements are “naturally”distributed in the table (namely, they were placedaccording to hashing with linear probing). For eachof the performance measures, Figure 3 depicts thedeviation of the results in Scenario A from the resultsin Scenario B. We can see that the relative errors ofthe complexity of both a single insertion and of kregular insertions are very close and do not exceed−4.5% while the relative error of the complexity of kmalicious insertions is almost zero9 (−0.02%). That is,the negative deviation of ∆Perf (R, b) is larger thanthat of ∆Perf (Mst , b) when the assumption is used.Therefore, according to Eq. 1 (Section 3), the relativeerror of the vulnerability is positive and does notexceed +4.5% (as depicted in Figure 3).

4.3.2 Post Attack Operation Complexity Metric

Theorem 3: Under the Post Attack Operation Complex-ity metric, VOH (k) = 1.

Proof: The proof follows from the fact that theexpected length of an arbitrarily selected linked list inthe Hash table, after the insertion of the k elements,is always L + k/M . This holds regardless of theirdistribution in the buckets (and therefore regardlessof the malicious strategy used).

Remark 4: This characteristic of Open Hash,whereby the expected damage caused by malicioususers equals that of regular users, is an importantadvantage in terms of vulnerability. As Theorem3 shows, this advantage is well expressed by theVulnerability Factor.

4.4 Closed HashIn this subsection we analyze the vulnerability ofClosed Hash (denoted by CH ). Recall that L = N

M isthe fraction of occupied buckets. In practice, L is keptlow10 to keep the Hash table efficient (by decreasingthe expected number of rehashing operations neededduring a user’s request).

For the analysis we assume that collision reso-lution is done via linear probing; nonetheless, wewill explain later that the result derived for the InAttack Resource Consumption metric also holds for moresophisticated collision resolution schemes, such as thecommonly used double hashing probing. Recallingfrom Remark 3 that we assume that the existingelements are distributed uniformly over the buckets.

As in Open Hash, in Closed Hash the most timeconsuming operation is the insertion of a new ele-ment. Each such insertion requires on average ap-proximately 1

1−L elementary operations where L is thecurrent load in the Hash table (see [24]).

9. The distribution of the elements in the table has a small weightin the operation complexity of a malicious attack.

10. By increasing the number of buckets when the number ofelements increases.

0 50 100 150 200 2500

20

40

60

80

100

120

Vul

nera

bilit

y

Budget of additional user (k)

Consumption of System Resources (N=0)

OH (L =0)

CH (α =0)

0 50 100 150 200 2500

20

40

60

80

100

120

Budget of additional user (k)

Consumption of System Resources (N=100)

OH (L =0.2)

CH (α =0.1)

0 50 100 150 200 2500

20

40

60

80

100

120

Vul

nera

bilit

y

Budget of additional user (k)

Consumption of System Resources (N=400)

OH (L =0.8)

CH (α =0.4)

0 50 100 150 200 2500

20

40

60

80

100

120

Budget of additional user (k)

Consumption of System Resources (N=700)

OH (L =1.4)

CH (α =0.7)

Fig. 4. The vulnerability of the In Attack ResourceConsumption for different values of N . An ideal invul-nerable system has a V = 1 curve.

The Vulnerability Factor under both metrics inClosed Hash is influenced by the clustering effect(which also complicates the analysis). In Closed Hashlong runs of occupied buckets build up [24]. Forexample, consider the case of an linear probing Hashfunction, where the buckets B1, B2, B4 and B5 are oc-cupied, and an insert operation is made to an elementthat is hashed to bucket B1 (where B1, B2, ..., BM

are the buckets of the table). The result will be thatthe element will be inserted into B3, thus the twoclusters {B1, B2} and {B4, B5} will be combined intoone cluster consisting of 5 elements. These clusters ofoccupied buckets increase the average insertion time.

4.4.1 In Attack Resource Consumption Metric

The sophisticated attacker’s optimal strategy is theInsert Strategy, i.e., insert different keys that hash intothe same bucket and thus create a long cluster ofoccupied buckets. The attack creates a cluster whichcontains the k inserted elements plus the union ofmultiple clusters that existed before the attack asdemonstrated in Figure 5.

Note that under this metric we can avoid makingthe assumption that a linear probing technique isused. Formally, the attackers search for a pool of keys,such that for every two keys k1 and k2 in the poolh(k1, i) = h(k2, i) for all i where h(k, i) is the ClosedHash function. A commonly used open addressingHash function is the double hashing: h(k, i) = h(k) +ih′(k). It is easy to see that even with this doublehashing function the attackers can easily find11 suchk1 and k2 since they know h and h′.

11. Given kj , the expected amount of off-line simple hash calcu-lations the attacker needs to conduct to find kj+1 is M(2).

9

M a l i c i o u s C l u s t e r ( C = 1 3 )

I n s e r t i o n

L i n e a r P r o b i n g d i r e c t i o n

- F r e e b u c k e t

- M a l i c i o u s k e y

- E x i s t i n g r e g u l a r k e y

Fig. 5. A toy example of a cluster created by a mali-cious attack (M = 20, N = 6, k = 3). The “Maliciousinsertions” arrow points to the bucket where all themalicious keys are initially hashed into.

In Theorem 4, we compute the expected resourceconsumption and the vulnerability when applying theInsert Strategy, but first we derive (the distribution of)the resource consumption of the i-th insertion duringa malicious attack in Lemma 1.

Lemma 1: Let Xi be a the number of memory ref-erences used to insert the i-th element into the table,then:

P (Xi = t) =

(Nt−i

)(M−N

i

)(Mt

) · it. (4)

Proof: The i-th insertion of the malicious useralways traverses the previous i − 1 elements whichwere already inserted into the table, but the numberof the regular elements it traverses depends on thelayout of the elements in the table before the attacktakes place. Let B1, B2, ..., BM be the buckets of thetable (as defined above), and w.l.o.g let B1 be thebucket where all the insertions are hashed to whenfollowing the Insert Strategy. First observe that Xi = tmeans that B1, B2, ..., Bt−1 were occupied before thei-th insertion while Bt is the free bucket where theinserted element is finally placed. Namely, Xi = t ifand only if before the attack has started, there wereexactly t−i regular elements in B1, ..., Bt (which noneof them is in Bt). Let Yt be the number of the regularelements residing in B1, ..Bt, then

P (Xi = t) = P (Yt = t− i) · P (Bt is empty |Yt = t− i). (5)

Yt follows the hypergeometric distribution withparameters M , N and t and thus, for i ≤ t: P (Yt =

t − i) =( Nt−i)(

M−Ni )

(Mt ). In addition, P (Bt is empty |Yt =

t − i) = it , and according to these equalities and (5)

we get (4).

Theorem 4: Under the In Attack Resource Consump-tion metric the Vulnerability Factor of the Closed Hashis

VCH (k) =

∑k

i=1

∑i+N

t=i

(Nt−i

)(M−N

i

)(Mt

) · i∑k

i=11

1−(L+ i−1M

)

(6)

Proof: From the complexity of an insert oper-ation of a new element, we get that the resourceconsumption of k insertions by regular users is∆Perf CH (R, k) =

∑ki=1

11−(L+ i−1

M ). Next we prove the

numerator in (6):

∆Perf CH (MINS , k) =

k∑i=1

i+N∑t=i

(Nt−i

)(M−N

i

)(Mt

) · i. (7)

Let Xi be as defined in Lemma 1, then the ex-pected total complexity of the malicious users,∆Perf CH (MINS , k), is given by E(

∑ki=1 Xi) =∑k

i=1 Xi(1) where Xi

(1) =∑i+N

t=i P (Xi = t) · t. Using(4) we get (7).

Remark 5: Simplifying the Vulnerability Factor ex-pression, we obtain the result, similarly to the OpenHash case, that the parameter k is the dominantparameter influencing the Vulnerability.

4.4.2 Post Attack Operation Complexity Metric

In Closed Hash the cluster that was created due tothe attack, has a negative effect on the complexity of auser operation even after the attack has ended. Everyinserted element which is mapped into a bucket inthe cluster (not only to the bucket the attacker used)will require a search that starts at its mapped positionand ends at the cluster end12. The effect of this on theperformance of a user operation will be quite signif-icant. When a key is hashed into a cluster of size C,the expected number of buckets to be probed duringthe search is approximately C/2. In a table with Mbuckets, the probability to hit this cluster is C/M . Thatis, the larger the cluster is, the longer the search and,in addition, the higher the probability to hit the clusterin the first place. Therefore, the average search time isapproximately proportional the sum of the squares ofthe cluster sizes in the table ( 1

2M

∑i C

2i ). This property

highly resembles the waiting time in a single-serverFIFO queuing system, which is proportional to the”residual life” of the customer service time, namelyproportional to the second moment of the servicetimes. Therefore, unlike the case of the Open Hash,the Vulnerability Factor of the Closed Hash will be(significantly) greater than 1 under this metric, as wewill rigorously show in Theorem 5.

First, in Lemma 2 we calculate the complexity ofan insertion after a malicious attack has ended. Let

12. This high vulnerability property of Closed Hash may seemto be unique only to a linear probing Closed Hash model due toits primary clustering problem, but it is very hard to implement asimple Hash function which does not cause a clustering problemof some degree.

10

us look at a Closed Hash table consisting of Mbuckets, k ≥ 1 elements inserted by an attacker (usingthe Insert Strategy) and N elements existing in thetable before the attack. Let the random variable QM ,1 ≤ QM ≤ N + k + 1, denote the complexity ofone regular insertion into the table after the maliciousinsertions. In Section 6 we use the second moment ofQM , so in the following lemma we present a generalexpression where d is the order of the moment.

Lemma 2: Let QM , as defined above, be the com-plexity of an insertion after a malicious attack hasended, then:

E[(QM )d] =

N+k+1∑c=k+1

(N

c−k−1

)(M−Nk+2

)(Mc+1

) k + 2

c + 1[c

M

c∑s=1

1

csd−(1−

c

M)

·

N−k−(c−1)∑s=1

(

s−1∏i=1

N+K−c−i+2

M−c−i+1)M−N−K−1

M−c−s+1sd]. (8)

Proof: All the malicious elements concentrate inone large chain of occupied buckets which may con-tain some or all of the exiting elements. If an ele-ment is hashed into this chain, it will eventually berehashed into one of the two empty buckets trimmingthe chain. Define the malicious cluster as the chain ofconsecutive occupied buckets13 (consisting of the ma-licious insertions) and the empty bucket that followsthem (in the linear probing direction)as seem in Figure5. Let r.v k + 1 ≤ C ≤ N + k + 1 be the length of themalicious cluster (the number of elements in the chainis C−1). Given that C = c, an insertion can be hashedinto either the cluster area (AreaA) with probability c

Mor outside the cluster (AreaB ) with probability 1− c

M .Since there is an empty bucket at the end of both areas,it is impossible for an element to be hashed into onearea and then rehashed into the other, therefore weare looking for an expression of the following form:

E[(QM )d] =

N+k+1∑c=k+1

P (C = c)[c

M

c∑s=1

P (QM = s|C = c,AreaA)sd

+ (1 −c

M)

N+k−c+2∑s=1

P (QM = s|C = c,AreaB)sd]. (9)

The value of QM for an insertion into AreaA de-pends on the distance between the first bucket wherethe element was hashed and the empty bucket at theend of the cluster, therefore

P (QM = s|AreaA, C = c) =1

c, (1 ≤ s ≤ c). (10)

An insertion into AreaB is equivalent to an insertioninto a regular Closed Hash table with the same num-ber of buckets and elements as in AreaB , thereforeaccording to [24]:

13. Note that it is possible for a chain to start before the bucketwhich was targeted by the attack.

P (QM = s|AreaB , C = c) =M −N − k − 1

M − c− (s− 1)(11)

· (s−1∏i=1

N + k − (c− 1)− (i− 1)

M − c− (i− 1)).

(note that P (QM = 1|AreaB) = M−N−k−1M−c )

The length of the chain created by k (malicious)insertions plus both of the free buckets trimming itequals to Xk+2 where Xi is the complexity of the i-thmalicious insertion as defined in Section 4.4.1 (Thiswill not be proved here). According to that and thedefinition of C we get that C ∼ Xk+2 − 1. Therefore,the probability function of the cluster size is given by:

P (C = c) = P (Xk+2 = c+ 1) =

(N

c−k−1

)(M−Nk+2

)(Mc+1

) k + 2

c+ 1. (12)

Combining (9), (10), (11) and (12) results in (8).Theorem 5: Under the Post Attack Operation Complex-

ity metric the Vulnerability Factor of Closed Hash is:

∆VCH(k) =

(E[QM ]−

1

1−N/M

)/

(1

1− (k +N)/M−

1

1−N/M

), (13)

where E[QM ] is as given in (8).Proof: As already mentioned, the expected com-

plexity of an insertion to a normal Closed Hashtable consisting of R elements is given by 1

1−R/M .Therefore, the expected complexity of insertion whenthere are only the (N ) existing elements is 1

1−N/M , andafter adding k regular insertions it equals 1

1−(N+k)/M .The expected insertion complexity after k maliciousinsertions (E[QM ]) is extracted from Lemma 2 usingd = 1 and the proof is completed.

In our case (d = 1), the value of∑N+k−c+2

s=1 P (Qm =s|AreaB)sd in the proof of Lemma 2 can be replaced[24] by 1

1−N+k−c+1M−c

in order to produce a clearer ex-

pression, as we used along the text14. By doing so,we get the above expression of E[QM ].

5 SOPHISTICATED ATTACKS ON QUEUEINGMECHANISMS

Queues are major mechanisms used in a variety ofcomputer and communications systems. Their majorobjective is to control the system operation when it isunder a heavy traffic load in order to provide good andfair performance to the various users. For this reasonit is natural that they become the target of attacks andtheir vulnerability should be examined.

To demonstrate the vulnerability of queueing mech-anisms to attacks, if not designed properly, we con-sider a simple case study consisting of a single server

14. The related plots were drawn according to the exact expres-sion.

11

(with a single queue) system that operates under theFirst-Come-First-Served (FCFS) scheduling. This anal-ysis of FCFS is also an important step for us in orderto evaluate the vulnerability of practical applicationsthat use Hash (combined with a queue) in the Internet(see Section 6). Consider the M/G/1 queue modelwith arrival rate λ and service times distributed as arandom variable X with first two moments x(1) andx(2) and where the system utilization is ρ = λx(1).Let W

(1)scenario be the expected waiting time of an

arbitrary arrival where scenario can be either of C, Ror M , denoting respectively the cases of i) The queueis subject only to normal load by regular arrivals(“clean”), ii) The queue is subject to additional loaddue to additional regular arrivals, or iii) The queueis subject to additional load due to malicious arrivals.The performance of the system can be evaluated viathe mean waiting time experienced by the jobs inequilibrium, which is given by W

(1)C = λx(2)/(2(1−ρ)).

One way to attack a FCFS queue is to send largejobs. Consider attackers who behave like regular userswho pose additional arrival rate λ1 and whose jobsize is also distributed like X . Adding these usersto the system changes the mean waiting time toW

(1)R = (λ + λ1)x

(2)/(2(1 − ρ − λ1x(1)), and we have

∆Perf FCFS (R, λ1x(1)) = (λ+λ1)x

(2)

2(1−ρ−λ1x(1))− λx(2)

2(1−ρ) . NowConsider attackers A who send jobs of size x = Kx(1)

at rate λ2 = λ1/K, that is the additional trafficload they pose is identical to the additional load ofthe regular users, and thus the attack cost from thisperspective is the same (identical budget). The delayin the system, nonetheless, now becomes W

(1)M =

(λx(2)+λ1K(x(1))2)/(2(1−ρ−λ1x(1)). Thus, we have

∆Perf FCFS (M, b = λ1x(1)) = λx(2)+λ1K(x(1))2

2(1−ρ−λ1x(1))− λx(2)

2(1−ρ) .Thus if K is chosen to be large enough, (K(x(1))2 >>x(2)) the Vulnerability Factor VFCFS (b = λ1x

(1)) =∆Perf FCFS (M,b=λ1x

(1))

∆Perf FCFS (R,b=λ1x(1))can be made as large as one

wants, if the system allows arbitrarily large jobs. Thus,if job sizes are not limited, the simple FCFS mecha-nism is highly vulnerable. We therefore may concludethat queueing mechanisms can be quite sensitive toattacks, if not designed properly. The Vulnerabil-ity Factor allows a system designer to evaluate therelationship between the maximal job size allowedin the system and the vulnerability of the systemto malicious attack and choose the desired balancebetween the two.

6 COMBINING HASH WITH QUEUEING

In practical network systems, one would be interestedin the combined effect of a Hash table and a queue.This is the case where the requests to the Hash tableget queued up in a queue and then be served by theHash table.

To this end, the queueing analysis given abovereveals that the mean waiting time of a request is

affected not only by the mean processing time ofthe other requests but also by their second moment.Under the Post Attack Waiting Time metric one shouldrevisit the analysis of Open Hash using the Post AttackOperation Complexity metric (Theorem 3). Under thatanalysis the Vulnerability Factor of Open Hash wasdetermined to be 1 since the mean length of thelinked lists depends only on the load of the tableand not on the distribution of the elements in thebuckets. Nonetheless, since in the Insert Strategy, themalicious users force all items into the same list theycan drastically increase the second moment of the lengthof an arbitrary list. As a result, we show in this sectionthat they increase the waiting time to pursue a regularuser operation even in Open Hash.

Lemma 3: In Open Hash and Closed Hash systems,the Insert Strategy is an Optimal Malicious Users Strat-egy under the Post Attack Waiting Time metric.

Sketch of Proof: In the Post Attack Waiting Time metric,the attacker aims at increasing the mean waitingtime of a regular user operation after the attack hasended. This is achieved by maximizing the variance ofregular user operations: by inserting all the elementsinto the same bucket (i.e. the Insert Strategy) thuscreating in Open Hash one large linked list, and inClosed Hash one large cluster. The detailed proof iscarried out using induction on the k malicious useroperations.

Theorem 6: Under the Post Attack Waiting Time met-ric

VOH (k) ≥ 1 +(1− λL)(k − 1)(1− 1

M)

(1− λL)(k − 1)( 1M

) + 2L+ 1− λL(L+ 1M

).(14)

Proof: Assume an Open Hash table of size M

with load factor L. Let W (1)state be the expected waiting

time of a table operation according to the state of theHash table. Where state can be either of C, R or M ,denoting respectively the cases of i) no insertions weremade by additional users (“clean”), ii) k elementswere inserted by regular users, or iii) k elements wereinserted by malicious users.

In addition, assume an M/G/1 queueing modelwhere one processor handles insertion requests to anOpen Hash table at rate λ. The Vulnerability is givenas:

VOH(k) ≥∆Perf OH (MINS , k)

∆PerfOH (R, k)=

WM(1) −WC

(1)

WR(1) −WC

(1). (15)

Let Ystate be a random variable denoting the num-ber of elements in an arbitrary Hash bucket. We willuse YC , YR and YM to derive WC , WR and WM ,respectively. We assume that the service time for eachoperation equals the number of the elements in abucket related to the operation, so according to theM/G/1 waiting time formula we get: Wstate

(1) =λYstate

(2)

2(1−λYstate(1))

, which together with (15) yields:

VOH (k) ≥ 1 + (1 − λ(QC)1)((1 − λYC

(1))(YM

(2) − YR(2)

)) (16)

/[(1 − λY(1)

C)(YR

(2) − YC(2)

) + λ(YR(1) − YC

(1))YC

(2)]

12

For the individual models we get YC(1) = L,

YC(2) = L2+M−1

M L, YR(1)−YC

(1) = kM , YR

(2)−YC(2) =

kM (k−1

M + 2L + 1), YM(2) − YR

(2) = kM (k − 1)(1 − 1

M ),which now lead to (14).

Remark 6: Simplifying (14) we may deduce thatthe Vulnerability Factor is roughly proportional tok, namely attackers can be very effective. The term(1 − λL) should be considered as a finite non-smallnumber since in common system λL is kept, forstability purposes, below 0.8.

Lemma 4: Let the random variable Qreg(r), 1 ≤Qreg(r) ≤ r + 1, denote the complexity of one regu-lar element insertion into a table of size M with relements. Then its d-th moment is given by:

Qreg(r)(d) =

r+1∑s=1

(

s−1∏i=1

r − (i− 1)

M − (i− 1)) ·

M − r

M − r − (s− 1)sd. (17)

Proof: The expression results directly fromP (Qreg(r) = s) = (

∏s−1i=1

r−(i−1)M−(i−1) ) ·

M−rM−r−(s−1) which

is proved in [24].Theorem 7: Under the Post Attack Waiting Time met-

ric

VCH(k) ≥ 1 + (1− λ(QC)1)((QM )2 − (QR)2)/[(1− λ(QC)1)

·(QR(2) − (QC)2) + λ((QR)1 − (QC)1)(QC)2], (18)

where QM(d) follows (8), QC

(d) = Qreg(N)(d) and

QR(d) = Qreg(N+k)

(d) as given in (17).Proof: Let the random variables QC , QR, and QM

denote the complexity of one insertion to a closedhash table in the different states (similar to the defini-tion of Ystate in the proof of Theorem 6). The queueingmodel has not changed, and in the same way (16) wasproved for Ystate we get (18) for Qstate .

These results for Open Hash emphasize a generalobservation that can be made regarding any combina-tion a data structure with O(1) amortized complexityand a queue. Although a data structure with O(1)amortized complexity is immune to complexity at-tacks, when it is combined with a queue it is possibleto hurt the system by increasing the variance of therequest processing time by the data structure. Thisleads, as we showed, to an increased waiting time inthe queue.

7 Open and Closed Hash: VulnerabilityComparisonWe use the results derived above to compare thevulnerability of the Open and Closed Hash models. Toconduct the comparison we will adopt the commonapproach that an Open Hash table with M buckets isperformance-wise equivalent to a Closed Hash tablewith 2M buckets15. Unless otherwise stated, we use

15. It is common to consider them equivalent with respect to thespace they require due to the pointers required by Open Hash.

the parameters M = 500 and k = N , meaning thatthe additional user always doubles the number of theexisting values (k = N ) in the table.

Figures 6(a) and 6(b) and 6(c) depict the vulnera-bility of Open and Closed Hash as a function of thenumber of existing elements (N ) under the differentmetrics. The figures demonstrate a striking and verysignificant difference between Open and Closed Hash:Closed Hash is much more vulnerable to attacks thanOpen Hash. Regarding the resource consumptionduring an attack, we can see in Figure 6(a) that ClosedHash is more vulnerable than Open Hash, but bothare vulnerable. Nevertheless, Figure 6(b) depicts thatOpen Hash is invulnerable (V = 1) for the postattack operation complexity while Closed Hash isvulnerable due to the clustering created by the attack.The performance of the open and closed Hash forthe regular users waiting time metric is provided inFigure 6(c). The figure reveals two interesting andimportant properties of the system. First, under thismetric Open Hash is much more vulnerable thanunder the Post Attack Operation Complexity metric.This is due to the fact that the delay is proportionalto the second moment of chain length (and not tothe first moment as in Figure 6(b)). Second, ClosedHash is drastically more vulnerable (the y-axis scaleis logarithmic, reaching values of 104, the queue isno longer stable for N > 237) resulting from thecompounded effects of the tendency of requests toaddress large clusters and of the mean queueing delayto depend on the second moment of the hash operationtimes. Hence this performance degradation may reachthe level of a total denial of service.

In Figure 4 we study in more detail the vulnerabilityof Hash using the In Attack Resource Consumptionmetric, as a function of the attack size (k) and thenumber of existing elements in the table (N ), whichdefines the load before the attack (while in all otherfigures we used N = k). The figure demonstrates thatwhen the table is lightly populated (upper figures)the Vulnerability Factors of both Open and Closed arequite similar; the similarity stems from the fact thatin Closed Hash, with high likelihood, a simple chain,consisting only of the k elements of the attack, willbe formed (and thus will be similar in performanceto Open Hash). The more common/realistic cases aredepicted in the lower figures, representing mediumto high Hash population (load). In these cases thevulnerability of Closed Hash becomes much largerdue to the clustering effect16.

In order to show that the Vulnerability Factor ex-presses well the difference in the performance of the

16. In Figure 4, one might question why at high load (N = 700,k = 250) the vulnerability metric of Closed Hash starts decreasingand approaches that of the Open-Hash. The reason is that at thisload, the Closed Hash table is almost full and probably contains bigclusters, thus the insertion complexity for a regular user becomesclose to that of a malicious user, causing the Vulnerability todecrease.

13

0 50 100 150 200 2500

20

40

60

80

100

120

Vul

nera

bilit

y

Existing values (N)

In attack Resource Consumption

Open HashClosed Hash

0 50 100 150 200 2500

10

20

30

40

50

60

70

80

90

Vul

nera

bilit

y

Existing values (N)

Post Attack Operation Complexity

Open HashClosed Hash

0 50 100 150 200 25010

0

101

102

103

104

Vul

nera

bilit

y

Existing values (N)

Waiting Time Vulnerability (λ =0.01)

Open Hash

Closed Hash

(a) (b) (c)

Fig. 6. Vulnerability comparison of Open and Closed Hash as a function of N , the number of existing elementsand where k equals N in Metric (a) In Attack Resource Consumption (b) Post Attack Operation Complexity (c) PostAttack Waiting Time . An ideal invulnerable system has a V = 1 curve (as the curve for Open Hash in (b)).

system under attack, we show in Figures 2(a) and2(b) the performance degradation due to k operationsqueried by malicious users and by regular ones inthe first two metrics. In Figure 2(a) we show that inthe In Attack Resource Consumption metric, for regularusers up to the point of N = 313, the Closed Hashsystem handles the k additional elements better andonly after this point Open Hash becomes superior,the performance of both is not far from that of the“Ideal System” where every insertion requires exactlyone memory access. Nonetheless, when the additionalusers are malicious the Open Hash system is, byfar, more efficient for the whole range of parameters.In Figure 2(b) we show that in the Post Attack Op-eration Complexity metric the difference between theperformance of the two types of Hash is even moresignificant. When the additional users are malicious,the Open Hash system is by far more efficient for thewhole range of the parameters and stays. Note that inboth figures the vertical axis is depicted in log scale,namely, the gap between the consumption of regularand malicious users is very large in both models.Practical Implications: The analysis above demon-strates the importance of the vulnerability metric sinceit exposes major performance gaps between Open andClosed Hash. This is in contrast to the traditionalperformance measures that cannot identify these gapsand thus identify the two systems as performance-wise equivalent. Another implication is that in hostileenvironments one can no longer follow the simpleapproach of relying only on complexity based rules ofoperations in order to comply with the performancerequirements of a system. For example, based on tra-ditional performance one would double the size of theClosed Hash table (rehashing) when the table reaches70%−80% load. However, in a hostile environment therehashing must be done much earlier. For a specificHash state we can calculate the maximum magnitudeof an attack so that the queue remains stable after theattack has ended. Above this stability point, the statusof the Hash table is such that the arrival rate of regular

user operations, times their expected processing time,is greater than one. Therefore the system cannot copewith the users requests, and hence the users sufferfrom a total denial of service and not just partial per-formance degradation. For example consider Figure6(c) where the state of the Hash table is M = 1000 andk = N . In this system the stability point is N = 237(the plot ends at this point). Namely, with less than48% (N + k = 474) of buckets occupied, the queueis no longer stable. The attackers can destabilize thequeueing system even if the expected cluster size isnot too large, since the waiting delay is proportionalto the second moment of the cluster size.

8 CONCLUSION AND FUTURE WORK

The performance of today’s networks and computersis highly affected by DDoS attacks launched by mali-cious users. This work originated in the recognitionthat in order to properly evaluate the performanceand qualities of these systems one must bridge be-tween the world of security and that of quality ofservice, and add to the traditional performance mea-sures a metric that accounts for the resilience of thesystem to malicious users. We proposed such a Vul-nerability Factor that measures the relative effect of amalicious user on the system. Using the Vulnerabilitymeasure we made interesting observations regardingthe vulnerability of Hash systems: 1) The Closed Hashsystem is much more vulnerable to DDoS attacks thanthe Open Hash system. 2) After an attack has ended,regular users still suffer from performance degrada-tion. 3) This performance degradation may reach thelevel of a total denial of service; We can calculate theexact magnitude of attack that can cause it. 4) Anapplication which uses a Hash table in the Internet,where there is a queue in front of the Hash Table,is highly vulnerable. In this case the waiting timethe regular users suffer is proportional to the secondmoment, and hence the attack size has a duplicateeffect on the Vulnerability. This study has only just

14

begun and we believe that much more work is neededin order to evaluate many other traditional systemsand examine their vulnerability.

REFERENCES

[1] C. Labovitz, D. McPherson, and F. Jahanian, “InfrastructureAttack Detection and Mitigation,” in Proceedings of ACM SIG-COMM Conference on Applications, Aug. 2005.

[2] TCP SYN Flooding and IP Spoofing Attacks, CERT, Sep. 1996,http://www.cert.org/advisories/CA-1996-21.html.

[3] S. A. Crosby and D. S. Wallach, “Denial of Service via Algorith-mic Complexity Attacks,” in Proceedings of USENIX SecuritySymposium, Aug. 2003.

[4] A. Bremler-Barr, H. Levy, and N. Halachmi, “AggressivenessProtective Fair Queueing for Bursty Applications,” in Proceed-ings of IEEE IWQoS International Workshop on Quality of Service,Jun. 2006.

[5] M. Guirguis, A. Bestavros, and I. Matta, “Exploiting the Tran-sients of Adaptation for RoQ Attacks on Internet Resources,”in Proceedings of IEEE ICNP International Conference on NetworkProtocols, Mar. 2004.

[6] M. Guirguis, A. Bestavros, I. Matta, and Y. Zhang, “Reductionof Quality (RoQ) Attacks on Internet End-Systems,” in Pro-ceedings of IEEE INFOCOM International Conference on ComputerCommunications, Mar. 2005.

[7] A. Kuzmanovic and E. W. Knightly, “Low-Rate TCP-TargetedDenial of Service Attacks (The Shrew VS. the Mice andElephants),” in Proceedings of ACM SIGCOMM Conference onApplications, Aug. 2003.

[8] M. Guirguis, A. Bestavros, I. Matta, and Y. Zhang, “Reductionof Quality (RoQ) Attacks on Dynamic Load Balancers: Vul-nerability Assessment and Design Tradeoffs,” in Proceedings ofIEEE INFOCOM International Conference on Computer Commu-nications, May 2007.

[9] R. Smith, C. Estan, and S. Jha, “Backtracking AlgorithmicComplexity Attacks Against a NIDS,” in Proceedings of ACSACAnnual Computer Security Applications Conference, Dec. 2006.

[10] A. Jaquith, Security Metrics: Replacing Fear, Uncertainty, andDoubt. Addison-Wesley Professional, 2007.

[11] S. Lippman and S. Stidham, “Individual versus Social Op-timization in Exponential Congestion Systems,” OperationsResearch, vol. 25, pp. 233–247, 1997.

[12] U. Ben-Porat, A. Bremler-Barr, and H. Levy, “Evaluating theVulnerability of Network Mechanisms to Sophisticated DDoSAttacks,” in Proceedings of IEEE INFOCOM International Con-ference on Computer Communications, Apr. 2008.

[13] Distributed Denial of Service Tools, CERT, Dec. 1999,http://www.cert.org/incident notes/IN-99-07.html.

[14] M. D. McIlroy, “A Killer Adversary for Quicksort,” Software–Practice and Experience, pp. 341–344, 1999.

[15] T. Peters, “Algorithmic Complexity Attack on Python,” May2003, http://mail.python.org/pipermail/python-dev/2003-May/035916.html.

[16] M. Fisk and G. Varghese, “Fast Content-Based Packet Han-dling for Intrusion Detection,” University of California at SanDiego (UCSD) La Jolla, CA, USA, Tech. Rep., 2001.

[17] F. Weimer, “Algorithmic Complexity At-tacks and the Linux Networking Code,”http://www.enyo.de/fw/security/notes/linux-dst-cache-dos.html.

[18] T. Moscibroda and O. Mutlu, “Memory Performance Attacks:Denial of Memory Service in Multi-Core Systems,” in Proceed-ings of USENIX Security Symposium, Jun. 2007.

[19] C. Castelluccia, E. Mykletun, and G. Tsudik, “ImprovingSecure Server Performance by Re-balancing SSL/TLS Hand-shakes,” in Proceedings of USENIX Security Symposium, Apr.2005.

[20] J. Bellardo and S. Savage, “Abstract 802.11 Denial-of-ServiceAttacks: Real Vulnerabilities and Practical Solutions,” in Pro-ceedings of USENIX Security Symposium, Jun. 2003.

[21] U. Ben-Porat, A. Bremler-Barr, H. Levy, and B. Plattner, “Onthe Vulnerability of the Proportional Fairness Scheduler toRetransmission Attacks,” in Proceedings of IEEE INFOCOMInternational Conference on Computer Communications, Apr. 2011.

[22] U. Ben-Porat, A. Bremler-Barr, and H. Levy, “On the Exploita-tion of CDF Based Wireless Scheduling,” in Proceedings of IEEEINFOCOM International Conference on Computer Communica-tions, Apr. 2009.

[23] C.-F. Yu and V. D. Gligor, “A Formal Specification and Ver-ification Method for the Prevention of Denial of Service,” inIEEE Symposium on Security and Privacy, May 1998.

[24] T. H. Cormen, C. E. Leiserson, R. L. Rivest, and C. Stein,Introduction to Algorithms, 2nd ed. MIT Press and McGraw-Hill, 2001.

[25] J. L. Carter and M. N. Wegman, “Universal Classes of HashFunctions,” Journal of Computer and System Sciences (JCSS), pp.143–154, 1979.

[26] N. Bar-Yosef and A. Wool, “Remote Algorithmic ComplexityAttacks Against Randomized Hash Tables,” Master’s thesis,Tel-Aviv University, Tel-Aviv, Israel, 2006.

Udi Ben-Porat received his B.Sc (2005) andM.sc (2009) degrees in Computer Sciencefrom Tel Aviv University. In 2009 he startedhis doctoral studies at the Computer Engi-neering and Network Laboratory (Commu-nication Systems group), ETH Zurich. Hisinterests include Wireless Networks, Com-munication Systems, Performance and Vul-nerability of shared systems.

Dr. Anat Bremler-Barr received the Ph.Ddegree (with distinction) in computer science,from Tel Aviv University. In 2001 she co-founded Riverhead Networks Inc., a com-pany that provides systems to protect fromDenial of Service attacks. She was the chiefscientist of the company. The company wasacquired by Cisco Systems in 2004. In 2004she joined the School of Computer Scienceat the Interdisciplinary Center Herzliya. Herresearch interests are in computer networks

and distributed computing. Her current works focused on designingrouters and protocols that support efficient and reliable communica-tion.

Prof. Hanoch Levy received the B.A. degreein Computer Science with distinctions fromthe Technion, Israel Institute of Technologyin 1980 and the M.Sc. and the Ph.D. de-grees in Computer Science from Universityof California at Los Angeles, in 1982 and1984, respectively. From 1984 to 1987 hewas a member of technical staff in the De-partment of Teletraffic Theory at AT&T BellLaboratories. From 1987 he has been withthe School of Computer Science, Tel-Aviv

University, Tel-Aviv, Israel. In 1992 - 1996 he was at the Schoolof Business and RUTCOR, Rutgers University, New-Brunswick, NJ,and in 2007 - 2008 he was at the Communication Systems group,ETH, Zurich, both on leave from Tel-Aviv University. His interestsinclude Computer Communications Networks, Wireless networks,Performance Evaluation of Computer Systems and Queuing Theory.