Internet Cache Pollution Attacks and Countermeasures
-
Upload
blaze-rowe -
Category
Documents
-
view
33 -
download
0
description
Transcript of Internet Cache Pollution Attacks and Countermeasures
![Page 1: Internet Cache Pollution Attacks and Countermeasures](https://reader030.fdocuments.in/reader030/viewer/2022033104/56812d60550346895d926ded/html5/thumbnails/1.jpg)
Internet Cache Pollution Attacks and Countermeasures
Yan Gao, Leiwen Deng, Aleksandar Kuzmanovic, and Yan Chen
Electrical Engineering and Computer Science Department
Northwestern University
![Page 2: Internet Cache Pollution Attacks and Countermeasures](https://reader030.fdocuments.in/reader030/viewer/2022033104/56812d60550346895d926ded/html5/thumbnails/2.jpg)
2
Outline
• Motivation• Pollution Attacks• Evaluation of Pollution Effects• Counter-Pollution Techniques &
Evaluation• Conclusion
![Page 3: Internet Cache Pollution Attacks and Countermeasures](https://reader030.fdocuments.in/reader030/viewer/2022033104/56812d60550346895d926ded/html5/thumbnails/3.jpg)
3
Motivation• Caching has been widely applied in the
Internet– Decrease the amount of requests in server side– Reduce the amount of traffic in the network– Improve the client-perceived latency
• Open proxy caches are used for various abuse-related activities
• Proxy caches themselves become victims– Little attention given to such attacks– Existing pollution attacks mostly on content
pollutions on P2P systems
![Page 4: Internet Cache Pollution Attacks and Countermeasures](https://reader030.fdocuments.in/reader030/viewer/2022033104/56812d60550346895d926ded/html5/thumbnails/4.jpg)
4
Contributions• Propose a class of pollution attacks targeted
against Internet proxy caches– Locality-disruption (LD) attacks – False-locality (FL) attacks
• Analyze the resilience of the current cache replacement algorithms to pollution attacks
• Propose two cache pollution detection mechanisms– Detect LD, FL attacks, and their combination– Leverage data streaming computation techniques
![Page 5: Internet Cache Pollution Attacks and Countermeasures](https://reader030.fdocuments.in/reader030/viewer/2022033104/56812d60550346895d926ded/html5/thumbnails/5.jpg)
5
Outline
• Motivation• Pollution Attacks• Evaluation of Pollution Effects• Counter-Pollution Techniques &
Evaluation• Conclusion
![Page 6: Internet Cache Pollution Attacks and Countermeasures](https://reader030.fdocuments.in/reader030/viewer/2022033104/56812d60550346895d926ded/html5/thumbnails/6.jpg)
6
Pollution Attack Scenarios (I)
Campus networkInternet
CacheCache
ISP1 ISP2
Downloaded traffic
Content Server
C lient
Requests
Attacking a web cache Attacking an ISP cache
![Page 7: Internet Cache Pollution Attacks and Countermeasures](https://reader030.fdocuments.in/reader030/viewer/2022033104/56812d60550346895d926ded/html5/thumbnails/7.jpg)
7
Pollution Attack Scenarios (II)
L o ca l D N S S erv er
R o o t D N S S erv er
T L D D N S S erv er
A u th o rita tiv eD N S S erv er
P o llu tio n A tta ck
E n d U ser
......
①
② ③ ④
⑤
⑥
⑦
⑧
Pollution attack against a local DNS server
![Page 8: Internet Cache Pollution Attacks and Countermeasures](https://reader030.fdocuments.in/reader030/viewer/2022033104/56812d60550346895d926ded/html5/thumbnails/8.jpg)
8
Pollution Attack: Locality Disruption
…...
. …...
.
Cache
…...
. …...
.
Cache
Before attack After attack
Popular filesNew
unpopular files
• Goal: degrade cache efficiency by ruining its file locality
• Activities: continuously generate requests for new unpopular files
![Page 9: Internet Cache Pollution Attacks and Countermeasures](https://reader030.fdocuments.in/reader030/viewer/2022033104/56812d60550346895d926ded/html5/thumbnails/9.jpg)
9
Pollution Attack: False Locality
…...
. …...
.
Cache
…...
. …...
.
Cache
Before attack After attack
Popular filesBogus
popular files
• Goal: degrade the hit ratio by creating false file locality
• Activities: repeatedly request the same set of unpopular files
![Page 10: Internet Cache Pollution Attacks and Countermeasures](https://reader030.fdocuments.in/reader030/viewer/2022033104/56812d60550346895d926ded/html5/thumbnails/10.jpg)
10
Outline
• Motivation• Pollution Attacks• Evaluation of Pollution Effects• Counter-Pollution Techniques &
Evaluation• Conclusion
![Page 11: Internet Cache Pollution Attacks and Countermeasures](https://reader030.fdocuments.in/reader030/viewer/2022033104/56812d60550346895d926ded/html5/thumbnails/11.jpg)
11
Evaluation Methodology
• Discrete-event simulator – Multiple DoS behaviors– Multiple workload characterizing behaviors– Effects of access and local network capacities
• Workloads– P2P [K. Gummadi et al. ACM SOSP 03]– Web [F. Smith et al. SIGMETRICS 01]– NAT effects
![Page 12: Internet Cache Pollution Attacks and Countermeasures](https://reader030.fdocuments.in/reader030/viewer/2022033104/56812d60550346895d926ded/html5/thumbnails/12.jpg)
12
Cache Replacement Algorithms
• Least Recently Used (LRU) algorithm – Evict the least recently accessed document first
• Least Frequently Used (LFU) algorithm – Evict the least frequently accessed document first
• Greedy Dual-Sized Frequency (GDSF) algorithm– Consider the frequency of the documents– Allow smaller document to be cached first– Use dynamic aging policy
![Page 13: Internet Cache Pollution Attacks and Countermeasures](https://reader030.fdocuments.in/reader030/viewer/2022033104/56812d60550346895d926ded/html5/thumbnails/13.jpg)
13
Baseline Experiments• Locality-disruption attacks
Small percent of malicious requests can significantly degrade the overall hit ratio
Total hit ratio = requests_total#
requests_hit#
Including attackers’ requests and regular users’ requests
Stealthy! (4%)
![Page 14: Internet Cache Pollution Attacks and Countermeasures](https://reader030.fdocuments.in/reader030/viewer/2022033104/56812d60550346895d926ded/html5/thumbnails/14.jpg)
14
Baseline Experiments• False-locality attacks
Total hit ratio is not a good indicator for attacks
![Page 15: Internet Cache Pollution Attacks and Countermeasures](https://reader030.fdocuments.in/reader030/viewer/2022033104/56812d60550346895d926ded/html5/thumbnails/15.jpg)
15
BHR(n)BHR(a)BHR(n)
BHR(n)—byte hit ratio of regular clients without attacks
BHR(a)—byte hit ratio of regular clients with attacks
Byte damage ratio =
![Page 16: Internet Cache Pollution Attacks and Countermeasures](https://reader030.fdocuments.in/reader030/viewer/2022033104/56812d60550346895d926ded/html5/thumbnails/16.jpg)
16
Replacement Algorithms • Locality-disruption attacks
LRU and LFU are more resilient to attacks, but still can not protect cache from pollution
![Page 17: Internet Cache Pollution Attacks and Countermeasures](https://reader030.fdocuments.in/reader030/viewer/2022033104/56812d60550346895d926ded/html5/thumbnails/17.jpg)
17
Outline
• Motivation• Pollution Attacks• Evaluation of Pollution Effects• Counter-Pollution Techniques &
Evaluation• Conclusion
![Page 18: Internet Cache Pollution Attacks and Countermeasures](https://reader030.fdocuments.in/reader030/viewer/2022033104/56812d60550346895d926ded/html5/thumbnails/18.jpg)
18
Detecting Locality Disruption Attacks
• Observations:
– Low total hit ratio
– Short average life-time of all cached files
• Design:
– Detection: compute the average durations for all files in the cache
– Mitigation: recognize the attackers
![Page 19: Internet Cache Pollution Attacks and Countermeasures](https://reader030.fdocuments.in/reader030/viewer/2022033104/56812d60550346895d926ded/html5/thumbnails/19.jpg)
19
Detecting False Locality Attacks• Observations:
– Clients who request a similar set of files residing in the cache
– The repeated requests from the same IP to cached files
• Design:– Large number of repeated requests– Large percent of repeated requests
• Scalability:– Attacker-based detection: Bloom filter– Object-based detection: Probabilistic Counting with
Stochastic Averaging (PCSA)
cachetheinhitsrequeststotalrequestsrepeated
![Page 20: Internet Cache Pollution Attacks and Countermeasures](https://reader030.fdocuments.in/reader030/viewer/2022033104/56812d60550346895d926ded/html5/thumbnails/20.jpg)
20
Evaluation of Pollution Detection• Results for false-locality attacks, more in paper
For attacker’s file detection:
True positive ratio =
filessker'attactotal#methodourbyecteddetfilesker'attac#
![Page 21: Internet Cache Pollution Attacks and Countermeasures](https://reader030.fdocuments.in/reader030/viewer/2022033104/56812d60550346895d926ded/html5/thumbnails/21.jpg)
21
• Realize the counter-pollution mechanisms
• Code and more details
http://networks.cs.northwestern.edu/AE/
Implementation
![Page 22: Internet Cache Pollution Attacks and Countermeasures](https://reader030.fdocuments.in/reader030/viewer/2022033104/56812d60550346895d926ded/html5/thumbnails/22.jpg)
22
Conclusions
• Propose and evaluate two classes of attacks: locality-disruption and false-locality attacks
• Show that pollution attacks are stealthy, but powerful, and different replacement algorithms have different resiliency
• Propose and evaluate a set of scalable and effective counter-pollution mechanisms
![Page 23: Internet Cache Pollution Attacks and Countermeasures](https://reader030.fdocuments.in/reader030/viewer/2022033104/56812d60550346895d926ded/html5/thumbnails/23.jpg)
23
Thank You !
Questions?