Vulnerability Analysis of Hash Tables to Sophisticated DDoS Attacks



Similar documents
Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks

IN RECENT years the welfare of the Internet has

Abstract. Introduction. Section I. What is Denial of Service Attack?

Denial of Service attacks: analysis and countermeasures. Marek Ostaszewski

MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN

Firewalls Overview and Best Practices. White Paper

SECURING APACHE : DOS & DDOS ATTACKS - I

Multi-Channel DDOS Attack Detection & Prevention for Effective Resource Sharing in Cloud

Survey on DDoS Attack Detection and Prevention in Cloud

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks

Provider-Based Deterministic Packet Marking against Distributed DoS Attacks

DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR

Efficient Detection of Ddos Attacks by Entropy Variation

Orchestration and detection of stealthy DoS/DDoS Attacks

Safeguards Against Denial of Service Attacks for IP Phones

Comparing Two Models of Distributed Denial of Service (DDoS) Defences

Flexible Deterministic Packet Marking: An IP Traceback Scheme Against DDOS Attacks

DoS: Attack and Defense

Network Threats and Vulnerabilities. Ed Crowley

Comparison of Various Passive Distributed Denial of Service Attack in Mobile Adhoc Networks

Secure Software Programming and Vulnerability Analysis

Gaurav Gupta CMSC 681

CS5008: Internet Computing

Firewalls and Intrusion Detection

Strategies to Protect Against Distributed Denial of Service (DD

A Senior Design Project on Network Security

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act

Entropy-Based Collaborative Detection of DDoS Attacks on Community Networks

: SENIOR DESIGN PROJECT: DDOS ATTACK, DETECTION AND DEFENSE SIMULATION

Malicious Programs. CEN 448 Security and Internet Protocols Chapter 19 Malicious Software

Denial of Service Attacks, What They are and How to Combat Them

A Study of Network Security Systems

Malice Aforethought [D]DoS on Today's Internet

How To Protect A Dns Authority Server From A Flood Attack

Network Traffic Monitoring With Attacks and Intrusion Detection System

Project 4: (E)DoS Attacks

Denial of Service (DoS) Technical Primer

Denial of Service. Tom Chen SMU

Dr. Arjan Durresi Louisiana State University, Baton Rouge, LA DDoS and IP Traceback. Overview

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

Index Terms Denial-of-Service Attack, Intrusion Prevention System, Internet Service Provider. Fig.1.Single IPS System

How Cisco IT Protects Against Distributed Denial of Service Attacks

A Novel Distributed Denial of Service (DDoS) Attacks Discriminating Detection in Flash Crowds

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

How To Mitigate A Ddos Attack

2.2 Methods of Distributed Denial of Service Attacks. 2.1 Methods of Denial of Service Attacks

V.Priyadharshini 1, Dr.K.Kuppusamy 2 Dept of Computer Science & Engg Alagappa University, Karaikudi,Tamilnadu,India

DDoS Vulnerability Analysis of Bittorrent Protocol

Denial of Service (DoS)

DDoS Protection Technology White Paper

Survey on DDoS Attack in Cloud Environment

Denial of Service in Sensor Networks

Application of Netflow logs in Analysis and Detection of DDoS Attacks

Prevention, Detection and Mitigation of DDoS Attacks. Randall Lewis MS Cybersecurity

Second-generation (GenII) honeypots

Network Bandwidth Denial of Service (DoS)

Packet-Marking Scheme for DDoS Attack Prevention

A Survey of IP Traceback Mechanisms to overcome Denial-of-Service Attacks

The Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network

A Novel Packet Marketing Method in DDoS Attack Detection

Keywords Attack model, DDoS, Host Scan, Port Scan

[Restricted] ONLY for designated groups and individuals Check Point Software Technologies Ltd.

Overview. Firewall Security. Perimeter Security Devices. Routers

SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper

Application Denial of Service Is it Really That Easy?

An Efficient Way of Denial of Service Attack Detection Based on Triangle Map Generation

A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS

CS 356 Lecture 16 Denial of Service. Spring 2013

TLP WHITE. Denial of service attacks: what you need to know

SEMANTIC SECURITY ANALYSIS OF SCADA NETWORKS TO DETECT MALICIOUS CONTROL COMMANDS IN POWER GRID

CS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24

Adaptive Discriminating Detection for DDoS Attacks from Flash Crowds Using Flow. Feedback

Index Terms: DDOS, Flash Crowds, Flow Correlation Coefficient, Packet Arrival Patterns, Information Distance, Probability Metrics.

Frequent Denial of Service Attacks

Hypervisor Security - A Major Concern

Using SYN Flood Protection in SonicOS Enhanced

A Layperson s Guide To DoS Attacks

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Denial Of Service. Types of attacks

Taxonomic Modeling of Security Threats in Software Defined Networking

Security Issues In Cloud Computing and Countermeasures

IDS / IPS. James E. Thiel S.W.A.T.

INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad

A Catechistic Method for Traffic Pattern Discovery in MANET

Queuing Algorithms Performance against Buffer Size and Attack Intensities

A COMPREHENSIVE STUDY OF DDOS ATTACKS AND DEFENSE MECHANISMS

Analysis on Some Defences against SYN-Flood Based Denial-of-Service Attacks

Security vulnerabilities in the Internet and possible solutions

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks

Introduction of Intrusion Detection Systems

DDoS-blocker: Detection and Blocking of Distributed Denial of Service Attack

Transcription:

International Journal of Information & Computation Technology. ISSN 0974-2239 Volume 4, Number 12 (2014), pp. 1167-1173 International Research Publications House http://www. irphouse.com Vulnerability Analysis of Hash Tables to Sophisticated DDoS Attacks D. Jessica Prathyusha SREE VIDYANIKETHAN ENGINEERING COLLEGE TIRUPATHI Abstract In recent years, everybody experienced a flow of DDoS attacks threatening the welfare of the internet. These are launched by unauthorized users whose only motivation is to degrade the performance of other, innocent, users. The traditional systems turn out to be quite vulnerable to these attacks. The objective of this work is to aiming at laying a foundation that can be used in future computer/network designs taking into account the malicious users. This approach is based on proposing a metric that evaluates the vulnerability of a system. Then use this vulnerability metric to evaluate a data structure which is commonly used in network mechanisms the Hash table data structure and here presenting a new class of low-bandwidth denial of service attacks that exploit algorithmic deficiencies in many common application data structures. Then showing that Closed Hash is much more vulnerable to DDoS attacks than Open Hash. Due to this sophisticated DDOS attacks even after the attack has ended, the regular users still suffer from performance degradation or even a total denial of service. Keywords Network Mechanism, Hash, metric, malicious, DDoS, vulnerability, low-bandwidth attack 1. Introduction In recent years, the welfare of the Internet has been threatened by malicious Distributed Denial of Service (DDoS) attacks. A distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users. The basic form of a DDoS attack is the simple high bandwidth DDoS attack. That is, simple brute force flooding.

1168 D. Jessica Prathyusha The first contribution in this work is a proposal of a new metric that evaluates the vulnerability of a system for any kind of sophisticated attacks. This approach is based on proposing a Vulnerability Metric[2] that accounts for the maximal performance degradation (damage) that sophisticated malicious users can inflict on the system using a specific amount of resources (cost) normalized by the performance degradation attributed to regular users, using the same resources. The second contribution, presented in is an evaluation of the Hash data structure, commonly used in network mechanisms and presenting a new class of low-bandwidth denial of service attacks[3] that exploit algorithmic deficiencies in many common application data structures. Finally shows that in the case of an attack either on an Open Hash system or on a Closed Hash system, the regular user still suffers from performance degradation or even a total denial of service, even after the attack has ended note that the degradation is not due to the extra load of the attack but due to its sophistication. 1. The Vulnerability Factor: This work is based on the observation that the traditional performance analysis of computer systems and algorithms is not adequate to analyze the vulnerability of a system to sophisticated DDoS attack and a new metric is needed. Such a vulnerability metric can help a system designer to Choose between two equal systems: Such universal vulnerability metric can be used to compare the vulnerability of two alternative systems. Select the values of system operating variables: The analysis (either analytically or empirically) of the vulnerability value can expose the contribution of the different system parameters to the system vulnerability and help the designer to balance tradeoffs between the system vulnerability and its efficiency. Use vulnerable systems safely: A vulnerability metric assessing the amount of damage that can be inflicted by malicious sophisticated users can help to use known vulnerable systems wisely. For example, consider the Bro intrusion detection systems that can drop up to 71 percent of the traffic during an attack. This proposal for the definition of the Vulnerability Factor[1] of a system is to account for the maximal performance degradation (damage) that sophisticated malicious users can inflict on the system using a specific amount of resources (cost) normalized by the performance degradation attributed to regular users using the same amount of resources. Formally defining of the Vulnerability Factor as follows: Let the users Type parameter be equal to either regular users (R) or malicious attackers (Mst) with strategy st. using the plural terms since some of the attack types

Vulnerability Analysis of Hash Tables to Sophisticated DDoS Attacks 1169 occur only in specific scenarios of multiple coordinated access of users to the system. Let the budget be the amount of resources that the users of users Type spend on producing the additional traffic to the system, i. e., the cost of producing the attack is limited by the budget parameter. The budget can be measured differently in the various models, e. g., as the required bandwidth, or the number of required computers or as the required amount of CPU and so on. Let Perf(users Type; budget) be the change in the performance of the system due to being subject to additional traffic added to the regular traffic of the system, where the traffic is generated by users from type users Type with resource budget. The performance can be measured by different means such as the CPU consumption, the delay experienced by a regular user, the number of users the system can handle, and so on. We define the Effectiveness of a strategy st on the system as and the Vulnerability Factor V of the system as If the Vulnerability Factor of a system equals the effectiveness of a strategy st, then st is said to be an Optimal Malicious Users Strategy. Generally, there may be a system in which no strategy can be proved to be the optimal because the effectiveness of all other possible strategies cannot be evaluated or bounded. here, the most effective(known) malicious strategy is considered to be a lower bound on the vulnerability of the system. 2. Sophisticated Attacks On Hash Tables Sophisticated low-bandwidth DDoS attacks use less traffic and increase their effectiveness by aiming at a weak point in the victim s system design, i. e., the attacker sends traffic consisting of complicated requests to the system [1][2]. While it requires more sophistication and understanding of the attacked system, a lowbandwidth DDoS attack has three major advantages in comparison to a highbandwidth attack: 1) Lower cost since it uses less traffic 2) Smaller footprint hence, it is harder to detect 3) Ability to hurt systems which are protected by flow control mechanisms. 2. 1 Algorithmic Complexity Attacks Against Hash Tables In a hash data structure, an item is hashed through a hash function which produces a hash output. The output is then stored in the hash bucket, corresponding to the output modulo the number of buckets in the hash table. Items that hash into the same bucket

1170 D. Jessica Prathyusha form a linked list in that hash bucket[3][8]. In order to retrieve a stored item, the server first computes the hash function to find the correct bucket, and then traverses through the list in the corresponding hash bucket to locate the item.

Vulnerability Analysis of Hash Tables to Sophisticated DDoS Attacks 1171 A properly implemented hash function will distribute its inputs evenly throughout the array, creating very short lists in the buckets, so that retrieving a stored item will perform in an O(1) average lookup time. However, if an adversary knows the details of the hash function, can control its input, and if the number of buckets is small enough, then he/she can produce inputs that all collide into the same hash bucket. In the worst case scenario one will have to traverse a list of all the items stored, resulting in the same lookup time complexity as that of a regular linked list, O(n), assuming n elements were hashed. 2. 2. Model Consider a Hash system consisting of M buckets and N elements, where the Hash function is known to the attackers. In this model, the resource budget of the users is measured by the number of Hash operations (k) they can perform, where Hash operations can be either Insert, Delete, or Search. In our analysis, we will use three metrics: 1) In-Attack Resource Consumption: The number of memory references the k operations require during attack time. 2) Post attack Operation Complexity: The complexity of performing an arbitrary Hash operation after the attack has ended, i. e., after these k Hash operations are completed. 3) Post attack Waiting Time: The waiting time of a regular user while performing an arbitrary Hash operation after the attack has ended, i. e., after the k Hash operations are completed (Post attack Waiting Time). Fig 3: The performance degradation due to k operations by regular versus malicious users, in Open and Closed Hash under the metrics: (a) In-Attack Resource Consumption (b) Postattack Operation Complexity. The curves are log scaled and as a function of the number of existing elementsn.

1172 D. Jessica Prathyusha 4. Application limits on hash tables Many applications are sensitive about their overall memory usage, and thus have limits designed to control how large their hash tables might grow. If a hash table can never have enough elements in it for the worst-case O(n2) behavior to dominate, then our attack will fail. 4. 1 Explicit limits Some applications have explicit limits on their hash tables[2]. We first consider the Linux IP fragment reassembly code. In response to earlier attacks, Linux currently allows at most 256 kbytes of storage toward reassembling incomplete packets. If we wish to attack the hash table being used to store these packet fragments, the longest hash chain we can induce will still be under 256 kbytes in total. 4. 2 Implicit limits The freedom of an attacker to construct arbitrary inputs may be limited. In the case of network packets intended to attack a network sniffer, the attacker is limited both by the packet fields being watched by the sniffer, and by the packet headers necessary to route the packet toward the targeted machine. 5. CONCLUSION This report proposed such a Vulnerability Factor that measures the relative effect of a malicious user on the system. Using the Vulnerability measure, this report made interesting observations regarding the vulnerability of Hash systems and presented algorithmic complexity attacks, a new class of low-bandwidth denial of service attacks. Algorithmic complexity attacks against hash table, in particular, count on the attacker having sufficient freedom over the space of possible inputs to find a sufficient number of hash collisions to induce worst-case behavior in an application s hash table. After an attack has ended, regular users still suffer from performance degradation. This performance degradation may reach the level of a total denial of service this report can calculate the exact magnitude of attack that can cause it. 6. REFERENCES [1] U. Ben-Porat, A. Bremler-Barr, and H. Levy, Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks, Proc. IEEE INFOCOM, Apr. 2008. [2] U. Ben-Porat, A. Bremler-Barr, H. Levy, "Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks, " IEEE Transactions on Computers, vol. 62, no. 5, pp. 1031-1043, May 2013. [3] S. A. Crosby and D. S. Wallach, Denial of Service via Algorithmic Complexity Attacks, Proc. USENIX Security Symp., Aug. 2003. [4] M. Guirguis, A. Bestavros, I. Matta, and Y. Zhang, Reduction of Quality (RoQ) Attacks on Dynamic Load Balancers: Vulnerability Assessment and

Vulnerability Analysis of Hash Tables to Sophisticated DDoS Attacks 1173 Design Tradeoffs, Proc. IEEE INFOCOM, May 2007. [5] T. Moscibroda and O. Mutlu, Memory Performance Attacks: Denial of Memory Service in Multi-Core Systems, Proc. USENIX Security Symp., June 2007. [6] TCP SYN Flooding and IP Spoofing Attacks, CERT, http:// www. cert. org/advisories/ca-1996-21. html, Sept. 1996. [7] J. L. Carter and M. N. Wegman, Universal Classes of Hash Functions, J. Computer and System Sciences, vol. 18, pp. 143-154, 1979. [8] N. Bar-Yosef and A. Wool, Remote Algorithmic Complexity Attacks against Randomized Hash Tables, master s thesis, Tel- Aviv Univ., Tel-Aviv, Israel, 2006.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information