2009-03-16 1

Countering DoS Attacks with Stateless Multipath Overlays

Presented by Yan Zhang

2 2009-03-16

OverviewBackgroundProblem formulationArchitecture ImplementationEvaluation

3 2009-03-16

DDoS Attack

Distributed Denial of Service An attacker is able to recruit a number of

hosts (zombies) throughout the Internet to simultaneously or in a coordinated fashion launch an attack upon the target.

Typical DDoS: SYN flood attack, ICMP attack

4 2009-03-16

DDoS Attack-Direct

5 2009-03-16

DDoS Attack-Indirect

6 2009-03-16

Overlay Network

Overlay network :A computer network which is built on top of another network.

 Node: in the overlay can be thought of as being connected by virtual or logical links, each of which corresponds to a path, perhaps through many physical links, in the underlying network

7 2009-03-16

IP network as an overlay network

8 2009-03-16

Overlay network & Benefits

Purpose: To implement a network service that is not available in the existing network

--Routing, Addressing, Security, Multicast, Mobility

Benefits:

1. Do not have to deploy new equipment, or modify existing software/protocols

2. Do not have to deploy at every node

9 2009-03-16

OverviewBackgroundProblem formulationArchitecture ImplementationEvaluation

10 2009-03-16

Traditional ION

Traditional Indirection-based overlay network methods (like SOS,MayDay) make two assumptions:

Attack on fixed and bounded set of overlay nodes can only affect a small fraction of users

Attacker could not eavesdrop on link inside the network

11 2009-03-16

Problem

Traditional ION has weakness: Target attack: Attacker can follow the client’s

connection and bring down the nodes which client tries to connect to.

Sweep attack: Degrade the connection by bringing down a portion of the overlay nodes at a time

12 2009-03-16

Related work

SOS (Keromytis et al) --Suggested using an overlay network to route traffic from

legitimate users to a secret node

Stateless flow filter (Xuan et al) --By adding capabilities to packets

Ticket mechanism (Gligor ) --Clients must obtain tickets before they are allowed to access

protected service

13 2009-03-16

OverviewBackgroundProblem formulationArchitecture ImplementationEvaluation

14 2009-03-16

Spread-spectrum

 Electromagnetic energy generated in a particular bandwidth is deliberately spread in the frequency domain, resulting in a signal with a wider bandwidth.

CDMA is a typical spread spectrum communication

15 2009-03-16

Intuitive

To prevent “following” attack: By adopting “spread spectrum” approach, the client spreads its packets randomly across all access points.

To verify the authenticity: Using a token, at the expense of bandwidth

16 2009-03-16

Attack models

Sweep attack: Without internal knowledge of system, blindly sweep all nodes

---TCP SYN, ICMP flooding etc

----Like radio jamming in all channels

Targeted attack: Know which overlay node a client is using. More sophisticated

----Like eavesdrop and jam target frequency

17 2009-03-16

Traffic spreading issues

Spread the packets from clients across all overlay nodes in a pesudo-random manner

Randomly attack will only cause a fraction of packets loss

Duplicate the packets or using forward error correction to recover the loss

18 2009-03-16

Traffic Spreading

19 2009-03-16

Key and ticket establishment Protocol

Randomly redirect the authentication

The client sends packet to a random overlay

The receiving node forward the request to another random overlay node

The attacker cold not determine which nodes to target

20 2009-03-16

Key and ticket establishment Protocol

One round-trip only use first and last connection (from A to D)

Two round-trip guarantees the liveness

21 2009-03-16

Client-Overlay communication protocol

22 2009-03-16

Key and ticket establishment Protocol

To avoid reuse of the same ticket by multiple DDoS zombies, the range of valid sequence numbers for the ticket is kept relatively small (e.g., 500 packets)

The ticket is bound to the client’s IP,

23 2009-03-16

OverviewBackgroundProblem formulationArchitecture ImplementationEvaluation

24 2009-03-16

Implementation

Connection Establishment Phase

-- As described in the protocol part

-- Establish session key and ticket

-- Usually two round-trip

25 2009-03-16

Implementation

Packet Transmission Phase

the client computes the index in the sorted list of IPs as:

index = UMAC(Ku XOR sequence number) mod(n)

Ticket Renewal Phase

When valid tickets are about to expire, the overlay node issues a new ticket with the same session key but larger max sequence number.

26 2009-03-16

OverviewBackgroundProblem formulationArchitecture ImplementationEvaluation

27 2009-03-16

Evaluation

Impact of Sweeping attack

with a modest amount of packet replication and striping at the client, the proposed method can handle even massive DoS attacks against the overlay

General ION attack resistance

28 2009-03-16

Performance evaluation

Throughput under attack

Only 33% in the worst case scenario

Increase the replication rate, the throughput get closer to the direct connection

29 2009-03-16

Performance evaluation

As the replication factor is increased, and for larger networks, we get better average latency results.

In the worst-case scenario, we get a 2.5 increase in latency,

30 2009-03-16

Performance evaluation

The attack happens on a random fraction of the overlay nodes.

Packet replication helps us achieve higher network resilience.

31 2009-03-16

Performance evaluation

Latency V.S. Node failures

32 2009-03-16

Summary

Proposed the first non-trivial attack model: both the simple types of flooding attacks, as well as more

sophisticated attackers that can eavesdrop the victim’s communication link

Proposed the use of a spread-spectrum-like paradigm to create per-packet path diversity.