Botz-4-Sale: Surviving Organized DDoS Attacks That Mimic Flash Crowds
Srikanth Kandula, Dina Katabi, Matthias Jacob, and Arthur Berger
Awarded Best Student Paper! (NSDI-2005)
Defense by Manan Sanghi
Flash Crowd
DDoS
Botz-4-Sale
request
Botz-4-Sale
Reverse Turing test
Botz-4-Sale
Solution
Botz-4-Sale
Welcome!
HTTP cookie
• Allows at most 8 simultaneous connections
• Valid for 30 minutes
Botz-4-Sale
request
Botz-4-Sale
Reverse Turing test
Botz-4-Sale
request
Botz-4-Sale
System is Busy, either solve puzzle or try later
Botz-4-Sale
request
Botz-4-Sale
Reverse Turing test
Botz-4-Sale
request
Botz-4-Sale
System is Busy, either solve puzzle or try later
Botz-4-Sale
Request Request Request…
Botz-4-Sale
Kill-Bots Overview
Graphical Puzzles served during Stage 1
Example
Normal Load 40%
K1=70% K2=50%
Time out (5 minutes) unauthenticated users
Two stages in Suspected Attack Mode
Stage 1: CAPTCHA based Authentication
• No state maintenance before authentication
• HTTP cookie
• Cryptographic support
Stage 2: Authenticating users who do not answer CAPTCHA
• No more reverse Turing tests
• Bloom filters to filter out over-zealous zombies
Resource Allocation and Admission Control
Tradeoff
• Authenticate new clients
• Serve already authenticated clients
Adaptive Admission Control
Cute Queuing Theory type analysis
Security Analysis
Socially-engineered Attacks
Copy Attacks
• Including IP address in one-way hash does not deal well with proxies and mobile users
Replay Attacks
• Time information in the cookie hash
DoS attacks on the authentication mechanism
• No connection state for unauthenticated clients
• In-kernel HTTP header processing
• HTTP headers not parsed
• Pattern match arguments to GET and Cookie fields
• Cost : less than 8 s
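A sketch of the stateless cookie these slides describe, added here as an illustration and not taken from the Kill-Bots code: the server keeps nothing until a cookie verifies, the issue time is covered by the MAC so the 30-minute window cannot be extended, and the optional IP binding shows why a client that changes address (proxy, mobile user) is rejected. The token layout, HMAC-SHA256, and the names `SERVER_KEY`, `issue_cookie`, `verify_cookie` and `ConnectionLimiter` are assumptions.

```python
import hashlib, hmac, os, struct

SERVER_KEY = os.urandom(32)   # assumption: per-server secret, never sent to clients
COOKIE_LIFETIME = 30 * 60     # slides: cookie valid for 30 minutes
MAX_CONNS = 8                 # slides: at most 8 simultaneous connections

def _mac(nonce, issued, client_ip):
    # Issue time is inside the MAC, so an edited timestamp fails verification.
    msg = nonce + struct.pack(">Q", issued) + client_ip.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()

def issue_cookie(now, client_ip=""):
    """Called only after a solved puzzle; client_ip="" leaves the cookie unbound."""
    nonce = os.urandom(8)
    return (nonce + struct.pack(">Q", now) + _mac(nonce, now, client_ip)).hex()

def verify_cookie(cookie, now, client_ip=""):
    """Stateless check: recompute the MAC, then enforce the validity window."""
    try:
        raw = bytes.fromhex(cookie)
    except ValueError:
        return False
    if len(raw) != 8 + 8 + 32:
        return False
    nonce, issued, tag = raw[:8], struct.unpack(">Q", raw[8:16])[0], raw[16:]
    if not hmac.compare_digest(tag, _mac(nonce, issued, client_ip)):
        return False          # forged cookie, altered time, or different address
    return 0 <= now - issued <= COOKIE_LIFETIME

class ConnectionLimiter:
    """Per-cookie state, created only for cookies that already verified."""
    def __init__(self):
        self.open = {}

    def acquire(self, cookie):
        if self.open.get(cookie, 0) >= MAX_CONNS:
            return False      # a copied cookie still shares the same 8 slots
        self.open[cookie] = self.open.get(cookie, 0) + 1
        return True

    def release(self, cookie):
        if self.open.get(cookie, 0) > 0:
            self.open[cookie] -= 1
```
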
System Architecture
System Architecture
Evaluation – Experimental Setup
Evaluation
Evaluation - Microbenchmarks
Evaluation – CyberSlam attacks
Evaluation – CyberSlam attacks
Evaluation – Flash Crowds
Evaluation – Flash Crowds
On Admission Control
• Authentication is not sufficient
• Good performance requires admission control
Threat Model
• Bandwidth floods, DNS entries, routing entries not considered
• Attacker cannot sniff legitimate users’ packets
• Attacker cannot access server’s local network
• Zombies are not as smart as humans
• Attacker does not have a large number of humans aiding his evil plans