Gal Badishi, Idit Keidar, Amir Sasson

Exposing and Eliminating Vulnerabilities to Denial of Service Attacks in Secure Gossip-Based Multicast (Drum). Faculty of Electrical Engineering, Technion.

description

Exposing and Eliminating Vulnerabilities to Denial of Service Attacks in Secure Gossip-Based Multicast. Gal Badishi, Idit Keidar, Amir Sasson. Agenda: The problem; Overview of gossip-based multicast; Proposed solution - Drum; Analysis and simulations; Implementation and measurements.

Transcript of Gal Badishi, Idit Keidar, Amir Sasson

Page 1: Gal Badishi, Idit Keidar, Amir Sasson

Faculty of Electrical Engineering, Technion. Drum. Gal Badishi.

Exposing and Eliminating Vulnerabilities to Denial of Service Attacks in Secure Gossip-Based Multicast

Gal Badishi, Idit Keidar, Amir Sasson

Page 2: Gal Badishi, Idit Keidar, Amir Sasson

Agenda

• The problem
• Overview of gossip-based multicast
• Proposed solution - Drum
• Analysis and simulations
• Implementation and measurements
• More DoS-mitigation techniques
• Conclusions

Page 3: Gal Badishi, Idit Keidar, Amir Sasson

Denial of Service (DoS)

• Unavailability of service
  – Exhausting resources
• Remote attacks
  – Network level
    • Solutions do not solve all application problems
  – Application level
    • Got little attention
    • Quantitative analysis of impact on application and identification of vulnerabilities needed

Page 4: Gal Badishi, Idit Keidar, Amir Sasson

Dollar Amount of Losses by Type

[Figure: chart of dollar amount of losses by type]

Page 5: Gal Badishi, Idit Keidar, Amir Sasson

Remote Application-Level DoS

[Figure: No Attack vs. DoS Attack; legend: Valid Request, Bogus Request]

Page 6: Gal Badishi, Idit Keidar, Amir Sasson

Challenges

• Quantify the effect of DoS at the application level
• Expose vulnerabilities
• Find effective DoS-mitigation techniques
  – Prove their usefulness using the found metric

Page 7: Gal Badishi, Idit Keidar, Amir Sasson

Multicast

• A group of members
• At least one member is a source – generates messages
• Messages should arrive to all of the group members in a timely fashion
• Network level vs. application level (ALM)

Page 8: Gal Badishi, Idit Keidar, Amir Sasson

Tree-Based Multicast

• Use a spanning tree – most common solution
• No duplicates (optimal BW when network-level)
• Single points of failure

[Figure: diagram; label: Source]

Page 9: Gal Badishi, Idit Keidar, Amir Sasson

Gossip-Based Multicast

• Progresses in rounds
• Every round
  – Choose random partners (view)
  – Send or receive messages
  – Discard old msgs from buffer
• Probabilistic reliability
• Uses redundancy to achieve robustness
• Two methods
  – Push
  – Pull

Page 10: Gal Badishi, Idit Keidar, Amir Sasson

Push

[Figure: diagram; label: Source]

Page 11: Gal Badishi, Idit Keidar, Amir Sasson

Pull

[Figure: diagram; label: Source]

Page 12: Gal Badishi, Idit Keidar, Amir Sasson

Effects of DoS on Gossip

• Reasonable to assume that source is attacked
• Surprisingly, we show that naïve gossip is vulnerable to DoS attacks
• Attacking a process in pull-based gossip may prevent it from sending messages
• Attacking a process in push-based gossip may prevent it from receiving messages

Page 13: Gal Badishi, Idit Keidar, Amir Sasson

Drum

• A new gossip-based ALM protocol
• Utilizes DoS-mitigation techniques
  – Using random one-time ports to communicate
  – Combining both push and pull
  – Separating and bounding resources
• Eliminates vulnerabilities to DoS
• Proven robust using formal analysis and quantitative evaluation

Page 14: Gal Badishi, Idit Keidar, Amir Sasson

Random Ports

• Any request necessitating a reply contains a random port number
  – “Invisible” to the attacker (e.g., encrypted)
• The reply is sent to that random port
• Assumption: attacking other ports does not affect the random port’s queue (i.e., there is no BW exhaustion)

Page 15: Gal Badishi, Idit Keidar, Amir Sasson

Combining Push and Pull

• Attacking push cannot prevent receiving messages via pull (random ports)
• Attacking pull cannot prevent sending via push
• Each process has some control over the processes it communicates with

Page 16: Gal Badishi, Idit Keidar, Amir Sasson

Bounding Resources

• Motivation: prevent resource exhaustion
• Each round process a random subset of the arriving messages and discard the rest
• Separate resources for orthogonal operations

[Figure: labels: Valid Request, Bogus Request, Round Duration]

Page 17: Gal Badishi, Idit Keidar, Amir Sasson

Drum’s Push Mechanism

• Alice sends Bob a push-offer
• Bob replies with a digest of messages he has already received
• Alice only sends Bob messages missing from his digest
• Random ports

Page 18: Gal Badishi, Idit Keidar, Amir Sasson

Evaluation Methodology

• Compare 3 protocols
  – Push (push-based with bounded resources)
  – Pull (pull-based with bounded resources)
  – Drum
• Under various DoS attacks
  – Increasing strength (shows trend under DoS)
  – Fixed strength (exposes vulnerabilities)
• Source is always attacked
• Evaluates combination of Push and Pull
• Separately evaluate the other two techniques

Page 19: Gal Badishi, Idit Keidar, Amir Sasson

Evaluation Methodology (cont.)

• Measure propagation time – expected number of rounds it takes a message to reach all of the correct processes
  – 99% in the simulations and actual measurements
• Use real implementation to measure actual latency and throughput

Page 20: Gal Badishi, Idit Keidar, Amir Sasson

Analysis/Simulation Assumptions

• Static group with complete connectivity
• Processes have complete group knowledge
• Propagation of a single message M
  – But simulate situation where all procs have msgs to send
• M is never purged from local buffers
• Rounds are synchronized
• All round operations complete within the same round
• All processes are correct (analysis) or 10% of them perform a DoS attack (simulation)

Page 21: Gal Badishi, Idit Keidar, Amir Sasson

Validating Known Results

• The propagation time of gossip-based multicast protocols is O(log n) [P87, KSSV00]

Page 22: Gal Badishi, Idit Keidar, Amir Sasson

[Figure: Expected Propagation Time; x-axis: # processes (log scale); y-axis: # rounds; series: Push, Pull, Drum]

Page 23: Gal Badishi, Idit Keidar, Amir Sasson

Validating Known Results (cont.)

• The performance of gossip-based multicast protocols degrades gracefully as failures amount [LMM00, GvRB01]

Page 24: Gal Badishi, Idit Keidar, Amir Sasson

[Figure: Expected Propagation Time, n = 1000; x-axis: % failed processes; y-axis: # rounds; series: Push, Pull, Drum]

Page 25: Gal Badishi, Idit Keidar, Amir Sasson

Definitions

• n – number of processes in the group
• F – size of view, and max # of requests to process in a round (F = 4)
• – percentage of attacked processes
• x – number of bogus messages an attacked process receives in a round
• B – total attack strength (B = nx)

Page 26: Gal Badishi, Idit Keidar, Amir Sasson

Analysis – Increasing Strength

• Lemma 1: Fix < 1 and n. Drum’s propagation time is bounded from above by a constant independent of x
• Proof idea
  – Define effective fan-in and effective fan-out
  – Both have an element independent of x
  – When x this element is dominant
  – The effective fans are bounded from below

Page 27: Gal Badishi, Idit Keidar, Amir Sasson

Analysis – Increasing Strength

• Lemma 2: Fix and n. The propagation time of Push grows at least linearly with x
• Proof idea
  – Assume all non-attacked processes already have the message (and so does the source)
  – Bound the expected number of processes having M at round k from above
  – Find the minimal k in which all processes have M
  – Reaching all attacked processes takes at least a time linear in x

Page 28: Gal Badishi, Idit Keidar, Amir Sasson

Analysis – Increasing Strength

• Lemma 3: Fix and n. The propagation time of Pull grows at least linearly with x
• Proof idea
  – Denote by p the probability that the source reads a valid pull request in a round
  – # of rounds for M to leave the source is geometrically distributed with p
  – The expectation is 1/p
  – 1/p is at least linear in x
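The trend stated by Lemmas 1–3 can be reproduced with a small round-based simulation. This is an added example, not the authors' simulator: it collapses each exchange into a single step, models random ports by making replies unattackable, splits the attack evenly over Drum's two ports, and the names `propagation_rounds`, `mean_rounds` and `attacked_fraction` are assumptions of this sketch.

```python
import math
import random


def _partners(p, n, k, rng):
    """k distinct random gossip partners for process p, never p itself."""
    if k == 0:
        return []
    return [q + (q >= p) for q in rng.sample(range(n - 1), k)]


def _admit(valid, bogus, cap, rng):
    """Bounded resources: read a random subset of at most `cap` requests
    from one port's queue; return the valid senders that were read.
    Bogus requests are represented by -1."""
    queue = valid + [-1] * bogus
    if len(queue) > cap:
        queue = rng.sample(queue, cap)
    return [s for s in queue if s >= 0]


def propagation_rounds(protocol, n, F, attacked_fraction, x, rng,
                       coverage=0.99, max_rounds=500):
    """Rounds until `coverage` of the group holds message M.

    Assumptions of this sketch: synchronized rounds, full group knowledge,
    every process gossips every round (so valid requests also compete),
    process 0 is the source and is always among the attacked processes.
    """
    push_fan, pull_fan = {"push": (F, 0), "pull": (0, F),
                          "drum": (F // 2, F // 2)}[protocol]
    # x bogus requests per attacked process, split over the open ports.
    bogus = x // ((push_fan > 0) + (pull_fan > 0))
    attacked = set(range(round(attacked_fraction * n)))
    has = [False] * n
    has[0] = True
    need = math.ceil(coverage * n)

    for rnd in range(1, max_rounds + 1):
        push_in = [[] for _ in range(n)]
        pull_in = [[] for _ in range(n)]
        for p in range(n):
            for q in _partners(p, n, push_fan, rng):
                push_in[q].append(p)
            for q in _partners(p, n, pull_fan, rng):
                pull_in[q].append(p)

        new = list(has)
        for q in range(n):
            b = bogus if q in attacked else 0
            # Push: q learns M only if it reads a push from a holder,
            # so flooding q's push port blocks *receiving*.
            if push_fan and any(has[s] for s in
                                _admit(push_in[q], b, push_fan, rng)):
                new[q] = True
            # Pull: a holder q serves only the pull requests it reads,
            # so flooding q's pull port blocks *sending*. The reply goes
            # to the requester's random port and cannot be flooded.
            if pull_fan and has[q]:
                for s in _admit(pull_in[q], b, pull_fan, rng):
                    new[s] = True
        has = new
        if sum(has) >= need:
            return rnd
    return max_rounds


def mean_rounds(protocol, x, n=120, F=4, attacked_fraction=0.1,
                trials=40, seed=1):
    """Average propagation time over `trials` seeded runs."""
    rng = random.Random(seed)
    total = sum(propagation_rounds(protocol, n, F, attacked_fraction, x, rng)
                for _ in range(trials))
    return total / trials


if __name__ == "__main__":
    print("x     push   pull   drum")
    for x in (0, 32, 128):
        row = [mean_rounds(p, x) for p in ("push", "pull", "drum")]
        print(f"{x:<5d} " + "  ".join(f"{r:5.1f}" for r in row))
```
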

Page 29: Gal Badishi, Idit Keidar, Amir Sasson

[Figure: Expected Propagation Time, 10% Attacked; x-axis: Attack Rate; y-axis: # rounds; series: Push, Pull and Drum, each for n = 1000 and n = 120]

Page 30: Gal Badishi, Idit Keidar, Amir Sasson

[Figure: Expected Propagation Time, Rate = 128; x-axis: % attacked processes; y-axis: # rounds; series: Push, Pull and Drum, each for n = 1000 and n = 120]

Page 31: Gal Badishi, Idit Keidar, Amir Sasson

Analysis – Fixed Strength

• Define c = B/nF (total attack strength divided by total system capacity)
• Lemma 4: For c > 5, Drum’s expected propagation time is monotonically increasing with
• Proof idea
  – Effective fan-in and effective fan-out are monotonically decreasing with

Page 32: Gal Badishi, Idit Keidar, Amir Sasson

[Figure: Expected Propagation Time, Fixed Strength (c = 10); x-axis: % attacked processes; y-axis: # rounds; series: Push, Pull and Drum, each for n = 120 and n = 500]

Page 33: Gal Badishi, Idit Keidar, Amir Sasson

Implementation and Measurements

• Multithreaded processes in Java
• Operations are not synchronized
• Rounds are not synchronized among processes
• 50 machines on a 100Mbit LAN (Emulab)
• One process per machine
• 5 processes (10%) perform a DoS attack

Page 34: Gal Badishi, Idit Keidar, Amir Sasson

Validating the Simulations

• Evaluate the protocols in the same scenarios tested by simulation
• High correlation shows that the simplifying assumptions have little effect on the results

Page 35: Gal Badishi, Idit Keidar, Amir Sasson

[Figure: Expected Propagation Time, 10% Attacked. x-axis: Attack Rate; y-axis: # rounds. Series: Push measurements, Push simulation, Pull measurements, Pull simulation, Drum measurements, Drum simulation.]

Page 36: Gal Badishi, Idit Keidar, Amir Sasson

[Figure: Expected Propagation Time, Rate = 128. x-axis: % attacked processes; y-axis: # rounds. Series: Push measurements, Push simulation, Pull measurements, Pull simulation, Drum measurements, Drum simulation.]

Page 37: Gal Badishi, Idit Keidar, Amir Sasson

High-Throughput Experiments

• Single source

• Creates 40 messages per second

• Round duration = 1 second

• Messages are purged after 10 rounds

• Each process sends at most 80 data messages to another process in a round

• Throughput and latency are measured at the 44 correct receiving processes

Page 38: Gal Badishi, Idit Keidar, Amir Sasson

[Figure: Average Received Throughput, 10% Attacked. x-axis: Attack Rate; y-axis: Average Throughput (msgs/sec). Series: Drum, Push, Pull.]

Page 39: Gal Badishi, Idit Keidar, Amir Sasson

[Figure: Average Received Throughput, Rate = 128. x-axis: % attacked processes; y-axis: Average Throughput (msgs/sec). Series: Drum, Push, Pull.]

Page 40: Gal Badishi, Idit Keidar, Amir Sasson

[Figure: CDF: Average Latency of Received Messages, 40% Attacked, Rate = 128. x-axis: Average Latency (msecs); y-axis: % of Correct Processes. Series: Drum, Push, Pull.]

Page 41: Gal Badishi, Idit Keidar, Amir Sasson

Evaluating Random Ports

• Analyze Drum using simulations

• Assume pull-replies are returned to a well-known port

– Different than the port for pull-requests

– Both ports are now being attacked

– Original attack on pull channels is equally divided between these ports

Page 42: Gal Badishi, Idit Keidar, Amir Sasson

[Figure: Expected Propagation Time, 10% Attacked (of 1000). x-axis: Attack Rate; y-axis: # rounds. Series: Drum - Known Ports, Drum - Random Ports.]

Page 43: Gal Badishi, Idit Keidar, Amir Sasson

Evaluating Resource Separation

• Analyze Drum using actual measurements

• Merge all bounds on reception of control messages

– Push-offers, push-replies, pull-requests

– Originally, allow reception of F/2 (= 2) messages/round on each listening control msgs port

– Now, allow reception of 3F/2 (= 6) messages/round in total, for all control messages
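
The effect of merging the control-message bounds can be worked through numerically. The following is an added example, not code from the Drum implementation: it assumes a process accepts messages uniformly at random from those that arrive in a round, that two valid messages of each control type arrive per round (constructed input), and that the flood targets only the pull-request port.

```python
from fractions import Fraction

F = 4  # fan-out implied by the slide: F/2 = 2 and 3F/2 = 6
CONTROL_TYPES = ("push-offer", "push-reply", "pull-request")


def expected_valid(valid, bogus, slots):
    """Expected valid messages accepted when `slots` messages are drawn
    uniformly at random from valid + bogus arrivals (assumed policy)."""
    total = valid + bogus
    if total <= slots:
        return Fraction(valid)
    return Fraction(slots * valid, total)


def separate_bounds(valid, bogus):
    """Each control port accepts at most F/2 messages per round."""
    return {t: expected_valid(valid[t], bogus.get(t, 0), F // 2)
            for t in CONTROL_TYPES}


def shared_bounds(valid, bogus):
    """All control messages compete for 3F/2 slots per round."""
    all_valid = sum(valid.values())
    pooled = expected_valid(all_valid, sum(bogus.values()), 3 * F // 2)
    # Every valid message is equally likely to be drawn, so each type
    # receives a share proportional to its valid arrivals.
    return {t: pooled * Fraction(valid[t], all_valid) if all_valid else Fraction(0)
            for t in CONTROL_TYPES}


if __name__ == "__main__":
    valid = {t: 2 for t in CONTROL_TYPES}      # constructed: 2 valid per type
    for rate in (0, 32, 128):                  # bogus pull-requests per round
        bogus = {"pull-request": rate}
        sep, shr = separate_bounds(valid, bogus), shared_bounds(valid, bogus)
        for t in CONTROL_TYPES:
            print(f"rate={rate:3d} {t:12s} separate={float(sep[t]):.3f} "
                  f"shared={float(shr[t]):.3f}")
```

With the flood confined to one port, separate bounds leave push-offers and push-replies fully served, while the shared bound lets the same flood crowd out all three control types.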

Page 44: Gal Badishi, Idit Keidar, Amir Sasson

[Figure: Expected Propagation Time, 10% Attacked (of 50). x-axis: Attack Rate; y-axis: # rounds. Series: Drum - Shared Bounds, Drum - Separate Bounds.]

Page 45: Gal Badishi, Idit Keidar, Amir Sasson

Summary

• Gossip-based protocols are very robust, but…

– naïve gossip-based protocols are vulnerable to targeted DoS attacks

• Drum uses simple techniques to mitigate the effects of DoS attacks

• Evaluations show Drum’s resistance to DoS

• The most effective attack against Drum is a broad one

Page 46: Gal Badishi, Idit Keidar, Amir Sasson

General Principles

• DoS-mitigation techniques:

– random ports

– neighbor-selection by local choices

– separate resource bounds

• Design goal: eliminate vulnerabilities

– The most effective attack is a broad one

• Analysis and quantitative evaluation of impact of DoS

Page 47: Gal Badishi, Idit Keidar, Amir Sasson
