Denial of Service Attacks and Resilient Overlay Networks

Transcription

1 Denial of Service Attacks and Resilient Overlay Networks Angelos D. Keromytis Network Security Lab Computer Science Department, Columbia University

2 Motivation: Network Service Availability

3 Motivation: Network Service Availability

4 Why Does It Matter? We are increasingly relying on Internet Services Financial services, Voice over IP (VoIP), e- Government, news, Cloud Computing,... But Internet Services are not dependable... Denial of Service attacks can disrupt online service DDoS attack on Estonia (2007) 2 Weeks, 1M computers, 5,000 clicks per second DDoS attacks against Georgia (2008) Storm Worm: 1.7M infected machines used for DDoS (typically extortion) Ease of assembling and controlling botnets means the problem will persist

5 Defenses End-users/sites: Bandwidth over-provisioning Multi-hosting/multi-homing Use of Content Delivery Networks ISPs: Blackhole routing Anomaly detection & blocking Centralized vs. distributed

6 Research Activity IP traceback (attribution) IP Pushback (reactive blocking) Collaborative filtering (reactive blocking) Router/receiver capabilities (proactive blocking) Improve host-based protection

7 Impediments to deployment Few economic incentives for deployment Most schemes require global adoption & deployment End-users lack the means to react DDoS is mostly an externality for ISPs no market opportunity for router manufacturers Cross-ISP collaboration not always feasible Competition concerns

8 Overlay Networks A different term of distributed system Collection of systems Connected over a wide-area network, such as the Internet Route traffic amongst them without considering physical topology Addressing, neighborhood, other properties may differ from those of the actual network fabric Good way of introducing new functionality into the network without changing routers/protocols (and, sometimes, end-hosts)

9 Using Overlay Networks Distribute logical function of a firewall across the Internet Allow users to contact any overlay node Any overlay node can validate a legitimate user Once admitted into overlay, user s traffic is treated preferentially Allowed to reach attacked site All other traffic dropped/rate-limited

10 Advantages of Overlay Networks Difficult to attack with a DDoS due to distributed nature Assumes large enough overlay Does not rely on ISP co-operation or goodwill Can take advantage of such, where it exists A single overlay can provide protection service to different users Commercialization model similar to CDN A large enough distributed organization can create its own overlay

11 Issues with Overlay Networks How do users discover (accessible) overlay nodes? Largely static content, users (software) can access any node Overlay network becomes obvious target of attack Dedicated nodes, easier to harden Performance issues Higher latency, lower throughput due to non-direct routing How can we tell who is a legitimate user, vs. a bot? How do we effectively discriminate overlay vs. non-overlay traffic?

12 WebSOS: Protection for Web Services

13 WebSOS: Protection for Web Services

14 WebSOS: Protection for Web Services

15 WebSOS: Protection for Web Services

16 WebSOS: Protection for Web Services Can we remove Packet Filtering?

17 Move: An End-to-End Solution for DDoS

18 Move: An End-to-End Solution for DDoS Attack

19 Move: An End-to-End Solution for DDoS

20 Move: An End-to-End Solution for DDoS

21 Prototype in Planet-Lab

22 Migration Performance Round Trip time

23 Limitations of WebSOS & MOVE Time (in seconds) Latency Overhead for various SSL Services Direct Original Request Cached Requests 1 0 Yahoo! Verisign Columbia Columbia (2nd) Latency increase by a factor of 2 when using indirection

24 Limitations of WebSOS & MOVE Time (in seconds) Latency Overhead for various SSL Services Direct Original Request Cached Requests 1 0 Yahoo! Verisign Columbia Columbia (2nd) Latency increase by a factor of 2 when using indirection Also vulnerable to some more intelligent attacks...

25 New Attack: Sweeping Attack

26 New Attack: Sweeping Attack

27 New Attack: Sweeping Attack

28 New Attack: Stalker Attack

29 New Attack: Stalker Attack

30 New Attack: Stalker Attack

31 New Attack: Stalker Attack

32 EXAMPLE: TCP assumes low-latency, stable, fixed capacity, high-quality link Resilience Results: Throughput Throughput vs Degradation Error Rate of in SACK regular with TCP PER 10 9 C7,06;6/8*+-*?-%&"'-B8/9-5!!-I6+;-#F5K RTT: 6ms RTT: 24ms RTT: 104ms Goodput (Mbps) Performance region of wired networks Performance region of MANETs!"#$%&"'( )*+,-.*+/0*1-1**234-56/7-.*+/0*1-83-/97-* 6;62/6/8*+- < < Packet Error Rate(%) %*=0.7(-5*>=3/-!"#-?*0-)60,7@A6+;B8;/9-C716:D-#6.E7/-F063=07-6+;-G=1/8@#6/9-F+H80*+<7+/34 %98HE=<60 '61:6+606<6+ I5#JKD-'4'4-56<6E I&!L!-)6> K

33 Fix attempt: use many entry points But this solution increases the state stored!!!

34 Ticket-based mechanism to the rescue Move state to the ticket Ticket is issued by the Overlay using a shared key Ticket becomes a contract between the user and the overlay Use of a shared key guarantees honor of the agreement

35 Key & Ticket Establishment protocol

36 Ticket Design Random spreading sequence protects against stalker attacks Packet sequence range guarantees traffic control Ticket design and issue protocol prevent replay, spoofing and computational attacks

37 Client Connection Initiation

38 Spread Spectrum Architecture - Replication Multi-Path + Spreading + Ticket allows Packet Replication

39 A2M: Access Assured Mobile Desktop Computing

40 Performance Results: Latency End-to-End Latency with Client Packet Replication nodes 16 nodes 32 nodes 76 nodes Overlay / Direct No Repl. 1.5x 2x 3x Client Packet Replication

41 Resilience Results: Throughput Throughput vs Node Failure 600 Direct No Repl. 1.5x 2x 3x KB/Sec % 3% 4% 9% 17% 21% 27% 35% 43% 46% 55% % Node Failure

42 Resilience Results: Latency (Web) End-to-End Latency vs Node Failure (Web) No Repl. 1.5x 2x 3x

43 Performance Results: Latency (Web) Web Latency vs Packet Replication Video Quality vs Packet Replication hosts 8 hosts 100% Size: 352 x hosts 8 hosts % Latency (s) Video Quality 60% 40% % 0.00 Direct 0% 50% Replication 100% 200% 0% Direct 0% 50% Replication 100% 200%

44 Ticket Generation Benchmark

45 Resilience Results: Video Streaming 100% Video Quality vs Node Failure Video Quality 80% 60% 40% 20% 0% 0% 50% 100% 200% % Node Failures

46 Resilience Results: Video Streaming Video Quality vs Node Failure for Wireless 100% 80% Video Quality 60% 40% 20% 0% 0% 50% 100% 200% % Node Failures

47 Resilience Results: Video Streaming Video Quality vs Node Failure 100% 80% Video Quality 60% 40% 20% 0% 5 clients - 0% 5 clients - 50% 5 clients - 100% 5 clients - 200% 8 clients - 0% 8 clients - 50% 8 clients - 100% 8 clients - 200% % Node Failures

48 TCP Friendliness of Approach Initial implementation non-tcp friendly provided the worst case scenario (use of non-responsive channels) Current implementation encodes path in the TCP options field for acknowledgments generating a different TCP-window for each path Works for regular TCP, UDP, and UDP-encapsulated TCP Existence of multiple paths makes attacks against TCP more difficult

49 Conclusion Recent events have demonstrated the continued and real threat of DDoS as an effectve instrument of both cyber-warfare and cyber-crime Overlay-based mechanisms can mitigate the impact of large DDoS attacks Topology- and provider-independent deployment at relatively low cost Performance impact low (< 10%), only incurred during attack periods A pan-european DDoS Protection Network? Leverage PlanetLab/GRID sites as seeds

50 What is the underlying problem? How clients connect to the overlay: Connection to a single indirection node (entry point) Client s state is stored to this entry point End-to-End connection depends on a small but static set of overlay nodes

51 What is the underlying problem (II)? How the overlay sees the client: User can establish multiple connections to an overlay node An authenticated client can inject any amount of traffic to the overlay network Even if there is access control in the entry point the user can reset that by attacking the entry point