Tolerating Denial-of-Service Attacks Using Overlay Networks – Impact of Topology
October 31st, 2003 ACM SSRS'03
Ju Wang (1), Linyuan Lu (2) and Andrew A. Chien (1)
(1) CSE Department, UCSD
(2) Math Department, UCSD

Outline
  Background
  System Model
  Analytical Results
  Summary & Future Work

Motivation
DoS attacks compromise important websites
  “Code Red” worm attack on Whitehouse website
  Yahoo, Amazon, eBay
DoS is a critical security problem
  Global corporations lost over $1.39 trillion (2000)
  60% due to viruses and DoS attacks
  FBI reports DoS attacks are on the rise
=> DoS an important problem

Denial-of-Service Attacks
Attackers prevent legitimate users from receiving service
  Application level (large workload)
  Infrastructure level (traffic flood) – require IP addr
[Diagram labels: Legitimate User, Internet, Application Service, Service Infrastructure]

Use Overlay Network to Resist Infrastructure DoS Attack
Applications hide behind proxy network (location-hiding) (this talk)
Proxy network DoS-resilient – shielding applications
  Need to tolerate massive proxy failures due to DoS attacks (addressed in on-going research)
[Diagram labels: Legitimate User, Internet, Overlay Network, App, 132.233.202.13, attackers, "where?"]

Proxy Network Topology & Location Hiding
Proxy node: software component run on a host
Proxy nodes adjacent iff IP addresses are mutually known
  Compromising one reveals IP addresses of adjacent nodes
Topology = structure of node adjacency
  how hard to penetrate, effectiveness of location-hiding
[Diagram labels: Overlay Network, nodes A and B, Adjacent]

Problem Statement
Focus on location-hiding problem
Impact of topology on location-hiding
  Good or robust topologies: hard to penetrate and defenders can easily defeat attackers
  Bad or vulnerable topologies: attackers can quickly propagate and remain inside the proxy network
[Diagram labels: topologies, Robust (favorable), Vulnerable (unfavorable)]

Attack: Compromise and Expose
Attackers: steal location information using host compromise attacks
A proxy node is:
  Compromised: attackers can see all its neighbors’ IP addresses
  Exposed: IP addresses known to attackers
  Intact: otherwise
[Diagram labels: Overlay Network, intact, exposed, compromised, "Compromised!!"]

Defense: Recover and Reconfigure
Resource Recovery: compromised → exposed/intact
  Proactive (periodic clean system reload)
  Reactive (IDS triggered system cleaning)
Proxy network reconfiguration: exposed/compromised → intact
  Proxy migration – move proxy to a different host
[Diagram labels: Overlay Network, intact, exposed, compromised, "Recovered!"]

Defense: Recover and Reconfigure
Resource recovery + Proxy network reconfiguration
  Exposed → Intact (at certain probability )
  Compromised → Intact (at certain probability )
[Diagram labels: Overlay Network, intact, exposed, compromised, "Move to new location!"]

Analytical Model
Model M(G, , , )
  G: topology graph of the proxy network
  : speed of attack (at prob , exp → com)
  : speed of defense (at prob , com → intact)
  : speed of defense (at prob , exp → intact)
  Nodes adjacent to a compromised node are exposed

Theorem I (Robust Topologies)
Average degree 1 of G is smaller than the ratio of speed between defenders and attackers: (+)/ > 1
  Even if many nodes are initially compromised, attackers’ impact can be quickly removed in O(log N) steps
  Defenders are quick enough to suppress attackers’ propagation
Low average degrees are favorable
[Diagram labels: bad, good]

Theorem II (Vulnerable Topologies)
Neighborhood expansion property of G is larger than the ratio of speed between defenders and attackers: > /
  Even if only one node is initially exposed, attackers’ impact quickly propagates, and will linger forever
Applies to all sub-graphs
  Large clusters (tightly connected sub-graphs) are unfavorable
[Diagram label: hard to beat attackers inside the cluster]

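Added example (not from the slides or the authors): a small Monte Carlo simulation of the three-state model and the two theorems above, run on a degree-2 ring and on a complete graph standing in for one large cluster. The discrete-time update order, the parameter names attack, recover and reconfig, and every numeric value are assumptions made for this illustration.

```python
import random

INTACT, EXPOSED, COMPROMISED = range(3)   # node states named on the slides

def ring(n):      # degree-2 cycle: low average degree
    return {v: [(v - 1) % n, (v + 1) % n] for v in range(n)}

def clique(n):    # complete graph: one large, tightly connected cluster
    return {v: [u for u in range(n) if u != v] for v in range(n)}

def expose_neighbors(graph, state):
    # Slide rule: nodes adjacent to a compromised node are exposed.
    for v in [v for v, s in state.items() if s == COMPROMISED]:
        for u in graph[v]:
            if state[u] == INTACT:
                state[u] = EXPOSED

def simulate(graph, seeds, attack, recover, reconfig, steps, rng):
    """Return the compromised-node count after each step (assumed dynamics)."""
    state = dict.fromkeys(graph, INTACT)
    for v in seeds:
        state[v] = COMPROMISED
    expose_neighbors(graph, state)
    history = []
    for _ in range(steps):
        nxt = dict(state)
        for v, s in state.items():
            r = rng.random()
            if s == EXPOSED and r < attack:
                nxt[v] = COMPROMISED            # exposed -> compromised
            elif s == EXPOSED and r < attack + reconfig:
                nxt[v] = INTACT                 # exposed -> intact (migration)
            elif s == COMPROMISED and r < recover:
                nxt[v] = INTACT                 # compromised -> intact (recovery)
        state = nxt
        expose_neighbors(graph, state)
        history.append(sum(s == COMPROMISED for s in state.values()))
    return history

def compare(n=200, attack=0.1, recover=0.5, reconfig=0.5, steps=300, seed=1):
    rng = random.Random(seed)
    sparse = simulate(ring(n), range(0, n, 2), attack, recover, reconfig, steps, rng)
    dense = simulate(clique(n), [0], attack, recover, reconfig, steps, rng)
    return sparse, dense

if __name__ == "__main__":
    sparse, dense = compare()
    print("ring, half the nodes compromised at start:", sparse[-1], "left")
    print("clique, one node compromised at start:   ", dense[-1], "left")
```

With these assumed rates the ring clears even when half its nodes start compromised, while the clique started from a single compromised node stays partly compromised for the whole run.
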
Case Study: existing overlays
  K-D CAN: k-dimensional Cartesian space torus
  RR-k: random regular graph, degree = k
  N-Chord: N node Chord
[Figure: Defense Speed Needed To Be Robust. Axis: Defense Speed (# times faster than attack speed), 0 to 25. Topologies shown: RR3, RR4, RR5, RR6, 3D-CAN, 4D-CAN, 512-Chord, 1K-Chord, 2K-Chord, 4K-Chord]

Related Work
Secure Overlay Services (SOS) [Keromytis02]
  Uses Chord to provide anonymity to hide location of secret “servlets”
Internet Indirection Infrastructure (i3) [Stoica02]
  Uses Chord for location-hiding
Didn’t analyze how secure their location-hiding schemes are
  We showed that Chord is not a favorable topology
Our previous work [Wang03]
  Studied feasibility of location-hiding using proxy networks
  Assumed favorable topology; focused on impact of defensive mechanisms, such as resource recovery and proxy reconfiguration
This work focuses on impact of topology

Summary & Future Work
Summary
  Studied impact of topology on location-hiding and presented two theorems to characterize robust and vulnerable topologies
  Derived design principles on proxy networks for location-hiding
  Found popular overlays (such as Chord) not favorable
Future Work
  Impact of correlated host vulnerabilities (, and non-constant)
  Design proxy networks to tolerate massive failures due to DoS attacks
  Performance implications and resource requirement for proxy networks

References
[Wang03] J. Wang and A. A. Chien, “Using Overlay Networks to Resist Denial-of-Service Attacks”, Technical report, CSE UCSD, 2003.
[Keromytis02] A. D. Keromytis, V. Misra, and D. Rubenstein, “SOS: Secure Overlay Services”, In ACM SIGCOMM’02, Pittsburgh, PA, 2002.
[Stoica02] I. Stoica, D. Adkins, S. Zhuang, S. Shenker, and S. Surana, “Internet Indirection Infrastructure”, In SIGCOMM, Pittsburgh, Pennsylvania, USA, 2002.