Countering DoS Attacks with Stateless Multipath Overlays. Presented by Yan Zhang, 2009-03-16.
Overview: Background, Problem formulation, Architecture, Implementation, Evaluation
DDoS Attack
Distributed Denial of Service: an attacker is able to recruit a number of hosts (zombies) throughout the Internet to launch an attack upon the target, simultaneously or in a coordinated fashion.
Typical DDoS: SYN flood attack, ICMP attack
DDoS Attack-Direct
DDoS Attack-Indirect
Overlay Network
Overlay network: a computer network which is built on top of another network.
Nodes in the overlay can be thought of as being connected by virtual or logical links, each of which corresponds to a path, perhaps through many physical links, in the underlying network.
IP network as an overlay network
Overlay network & Benefits
Purpose: To implement a network service that is not available in the existing network
--Routing, Addressing, Security, Multicast, Mobility
Benefits:
1. Do not have to deploy new equipment, or modify existing software/protocols
2. Do not have to deploy at every node
Traditional ION
Traditional indirection-based overlay network (ION) methods (like SOS, MayDay) make two assumptions:
An attack on a fixed and bounded set of overlay nodes can only affect a small fraction of users
The attacker cannot eavesdrop on links inside the network
Problem
Traditional ION has weaknesses:
Targeted attack: the attacker can follow the client's connection and bring down the nodes which the client tries to connect to.
Sweep attack: degrade the connection by bringing down a portion of the overlay nodes at a time.
Related work
SOS (Keromytis et al.) -- Suggested using an overlay network to route traffic from legitimate users to a secret node
Stateless flow filter (Xuan et al.) -- By adding capabilities to packets
Ticket mechanism (Gligor) -- Clients must obtain tickets before they are allowed to access the protected service
Spread-spectrum
Electromagnetic energy generated in a particular bandwidth is deliberately spread in the frequency domain, resulting in a signal with a wider bandwidth.
CDMA is a typical spread-spectrum communication scheme.
Intuition
To prevent the "following" attack: by adopting a "spread spectrum" approach, the client spreads its packets randomly across all access points.
To verify authenticity: use a token, at the expense of bandwidth.
Attack models
Sweep attack: without internal knowledge of the system, blindly sweep all nodes
--- TCP SYN, ICMP flooding, etc.
--- Like radio jamming on all channels
Targeted attack: the attacker knows which overlay node a client is using. More sophisticated
--- Like eavesdropping on and jamming a target frequency
Traffic spreading issues
Spread the packets from clients across all overlay nodes in a pseudo-random manner
A random attack will then cause only a fraction of the packets to be lost
Duplicate the packets or use forward error correction to recover from the loss
Traffic Spreading
Key and ticket establishment Protocol
Randomly redirect the authentication
The client sends a packet to a random overlay node
The receiving node forwards the request to another random overlay node
The attacker cannot determine which nodes to target
Key and ticket establishment Protocol
The one-round-trip version uses only the first and last connections (from A to D)
The two-round-trip version guarantees liveness
Client-Overlay communication protocol
Key and ticket establishment Protocol
To avoid reuse of the same ticket by multiple DDoS zombies, the range of valid sequence numbers for the ticket is kept relatively small (e.g., 500 packets)
The ticket is bound to the client’s IP,
Implementation
Connection Establishment Phase
-- As described in the protocol part
-- Establish session key and ticket
-- Usually two round trips
Implementation
Packet Transmission Phase
The client computes the index in the sorted list of IPs as:
index = UMAC(Ku XOR sequence number) mod n
Ticket Renewal Phase
When valid tickets are about to expire, the overlay node issues a new ticket with the same session key but larger max sequence number.
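An added example, not taken from the slides or from the authors' implementation: per-packet node selection, a stateless ticket-window check, and delivery under a sweep attack. HMAC-SHA256 keyed with Ku stands in for UMAC(Ku XOR sequence number); the replica counter, the window being the 500 sequence numbers up to the ticket's maximum, and the node reading Ku from the ticket are assumptions.

```python
import hashlib
import hmac

WINDOW = 500  # valid sequence numbers per ticket (the slides' example value)


def node_index(ku: bytes, seq: int, n: int, replica: int = 0) -> int:
    """index = PRF(Ku, seq) mod n over the sorted list of overlay node IPs.

    HMAC-SHA256 is a stand-in for UMAC; the replica counter is an assumption
    so that copies of one packet go to independently chosen nodes.
    """
    msg = seq.to_bytes(8, "big") + replica.to_bytes(2, "big")
    tag = hmac.new(ku, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:8], "big") % n


def accept(ku: bytes, seq: int, my_index: int, n: int, max_seq: int,
           replica: int = 0) -> bool:
    """Check an overlay node can make without keeping per-client state.

    Assumes the node learns Ku and max_seq from the ticket in the packet.
    A renewed ticket keeps Ku and raises max_seq, sliding the window forward.
    """
    in_window = max_seq - WINDOW < seq <= max_seq
    return in_window and node_index(ku, seq, n, replica) == my_index


def delivery_rate(ku: bytes, n: int, down: set, packets: int,
                  replicas: int) -> float:
    """Fraction of packets with at least one replica sent to a live node."""
    delivered = 0
    for seq in range(1, packets + 1):
        targets = {node_index(ku, seq, n, r) for r in range(replicas)}
        if targets - down:  # some replica avoided every attacked node
            delivered += 1
    return delivered / packets


if __name__ == "__main__":
    ku = bytes(range(16))    # constructed session key
    nodes = 50               # constructed overlay size
    swept = set(range(25))   # sweep attack takes down half of the nodes
    for r in (1, 2, 3):
        print(f"replicas={r} delivered={delivery_rate(ku, nodes, swept, 1000, r):.3f}")
```
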
Evaluation
Impact of sweeping attack
With a modest amount of packet replication and striping at the client, the proposed method can handle even massive DoS attacks against the overlay.
General ION attack resistance
Performance evaluation
Throughput under attack
Only 33% in the worst case scenario
As the replication rate increases, the throughput gets closer to that of the direct connection
Performance evaluation
As the replication factor is increased, and for larger networks, we get better average latency results.
In the worst-case scenario, we get a 2.5 increase in latency,
Performance evaluation
The attack happens on a random fraction of the overlay nodes.
Packet replication helps us achieve higher network resilience.
Performance evaluation
Latency vs. node failures
Summary
Proposed the first non-trivial attack model: it covers both the simple types of flooding attacks and more sophisticated attackers that can eavesdrop on the victim's communication link.
Proposed the use of a spread-spectrum-like paradigm to create per-packet path diversity.