MIDDLEWARE SYSTEMS RESEARCH GROUP

A Taxonomy for Denial of Service Attacks in Content-based Publish/Subscribe Systems

Alex Wun, Alex Cheung, Hans-Arno Jacobsen
Department of Electrical and Computer Engineering
Department of Computer Science
University of Toronto

Date posted: 19-Dec-2015

Current State of Denial of Service

• Prominent DoS news in 2007:
    • 6 of 13 Root DNS servers attacked [ICANN2007]
    • DC++ P2P networks used in attacks [DCPP2007]
    • Estonian sites: government, bank, police [Yahoo2007]
    • Plenty more …
• DoS problems are not going away

Research Goals

• Stimulate discussion about DoS in CPS
    • Avoid repeating old DoS weaknesses (e.g., IPv6 source routing)
• Identify new DoS concerns
    • Will DoS attacks in CPS systems be any different?
    • What are the prominent issues?
    • How can potential DoS attacks be classified?

Our Contributions

• Study impact of CPS features on DoS effects
    • Distributed event delivery
    • Content-based processing overhead
    • State maintenance
• Classify potential DoS attack characteristics
• Identify CPS concepts with DoS implications

Messaging Middleware

[Figure: Content-based Publish/Subscribe. Publishers (P) and subscribers (S); enterprise servers, embedded devices and sensor networks; nodes labelled A, B, C.]

DoS Taxonomy

Message Propagation Effects

• Multi-hop routing
• Localization
• Transmission

Propagation: Localized, Single-Hop, Multi-Hop, Global

• Non-matching message injection
• Malicious unsubscribe
• Edge broker access control
• Local clients
• Co-operative detection not helpful
• Effects may still be distributed

• Broker multicast
• Per-hop security schemes
• Client location

• Matching message injection
• Rendezvous routing
• Remote clients
• Transmitting DoS effects remotely

• Flooding
• Global client interest
• May span organizations

State Management Effects

• Assumptions on message type distribution
• Cumulative effects

Statefulness: Stateless, Stateful, Soft-state, Persistent

Stateless
• Recovery through normal processing
• Unretained publication injections
• Connection attempts

Stateful
• Effects continue due to state change
• Malicious unsubscriptions
• Subscription injections
• Publications retained for CEP

Soft-state
• Recovery through normal maintenance
• Expiry mechanisms
• Periodic optimizations

Persistent
• Recovered state causes DoS
• DB-based fault-tolerance
• Historic data
• Configuration corruptions

[Figure: timeline plots (axis: Time) showing Attack and Effects, with markers "Attack stops", "Periodic cleanup" and "Load from persistent storage".]

Content-based Processing Effects

[Figure: panels "Low content complexity" and "High content complexity".]

Content-based Processing Effects

• Performance variability highly dependent on workload complexity
    • Response times
    • System recovery

Content-dependence: Independent, Proportional, Inversely proportional

Independent
• Severity of DoS effects is the same regardless of content complexity
• ID-based filter removal

Proportional
• Higher complexity content produces more severe DoS effects
• Inducing matching load

Inversely proportional
• Lower complexity content produces more severe DoS effects
• Filter-based filter removal

[Figure: plot against content complexity; labels: Load, # of Victims, # of Targets, Downtime.]

Techniques - Thrashing

• DoS from processing repeated state changes
• Subscription cover thrashing example:
    • Many non-covering subscriptions exist from other client(s)
    • Adversary issues covering subscription (triggers removal)
    • Adversary removes covering subscription (triggers restoration)
    • Repeat …
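The cost of the cover-thrashing pattern on this slide, measured in a toy model; this is an added example, not code from the presentation or the authors' system. The single-attribute range filters, the `Broker` class and the per-client `churn_budget` mitigation are assumptions made for illustration.

```python
# Toy edge broker with range filters (lo, hi); constructed model, not the authors' system.
def covers(a, b):
    return a[0] <= b[0] and b[1] <= a[1]

class Broker:
    def __init__(self, churn_budget=None):
        self.local = {}            # sub_id -> (client, range)
        self.forwarded = set()     # sub_ids currently held by the upstream broker
        self.upstream_msgs = 0     # subscribe/unsubscribe messages sent upstream
        self.churn = {}            # client -> cover removals it has triggered
        self.churn_budget = churn_budget   # hypothetical mitigation knob

    def _is_covered(self, rng):
        return any(covers(self.local[f][1], rng) for f in self.forwarded)

    def subscribe(self, sub_id, client, rng):
        self.local[sub_id] = (client, rng)
        if self._is_covered(rng):
            return                                   # upstream already receives a superset
        used = self.churn.get(client, 0)
        budget_left = self.churn_budget is None or used < self.churn_budget
        covered = {f for f in self.forwarded if covers(rng, self.local[f][1])}
        if covered and budget_left:                  # covering optimisation: retract them
            self.churn[client] = used + 1
            self.forwarded -= covered
            self.upstream_msgs += len(covered)
        self.forwarded.add(sub_id)
        self.upstream_msgs += 1

    def unsubscribe(self, sub_id):
        self.local.pop(sub_id)
        if sub_id not in self.forwarded:
            return
        self.forwarded.discard(sub_id)
        self.upstream_msgs += 1
        for sid, (_, rng) in self.local.items():     # restore subs that lost their cover
            if sid not in self.forwarded and not self._is_covered(rng):
                self.forwarded.add(sid)
                self.upstream_msgs += 1

def run(cycles, others=100, churn_budget=None):
    # Returns upstream messages per client message while one client toggles a cover.
    b = Broker(churn_budget)
    for i in range(others):                          # disjoint subs from other clients
        b.subscribe(f"o{i}", "others", (i * 10, i * 10 + 5))
    start = b.upstream_msgs
    for _ in range(cycles):
        b.subscribe("wide", "c1", (0, 10_000))
        b.unsubscribe("wide")
    return (b.upstream_msgs - start) / (2 * cycles)
```

With 100 covered subscriptions, `run(10)` gives 101.0 upstream messages per client message, while `run(10, churn_budget=2)` gives 21.0 because the broker stops retracting covered state for that client once the budget is spent.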

Techniques - Stockpiling

• Store malicious state for use in future attack(s)
    • Can be low rate to avoid detection
• Subscription flood example:
    • Stockpile subscription state
    • Issue advertisement to attract subscriptions

Techniques - Traffic Amplification

• Malicious traffic of adversary multiplied
• Known to be a problem in traditional Internet
    • Smurf attack
    • Source routing
    • Reflection (connection retries)
• Fundamental to many CPS features?
    • Highly generic subscriptions and advertisements
    • Uncovering and Unmerging
    • Historic data

Filter versus ID State Removal

Related Work

• Mirkovic and Reiher [Mirkovic2004]
    • DDoS taxonomy in traditional Internet domain
• Srivatsa and Liu [Srivatsa2005]
    • Authentication to limit flooding-based DoS
• Wang et al. [Wang2002]
    • Discussed DoS briefly along with other security concerns

Conclusion

• CPS characteristics with DoS implications
    • Message propagation (remote attacks)
    • Content complexity (highly variable performance)
    • State maintenance (assumptions on message type distribution)
• Abusing features for DoS
    • Stockpiling
    • Traffic Amplification
    • Filter Removal (Thrashing, Victims)

References

[ICANN2007] http://icann.org/announcements/factsheet-dns-attack-08mar07_v1.1.pdf

[DCPP2007] http://dcpp.wordpress.com/2007/05/22/denying-distributed-attacks/

[Yahoo2007] http://fe48.news.sp1.yahoo.com/s/infoworld/20070517/tc_infoworld/88610

[Mirkovic2004] A Taxonomy of DDoS Attack and DDoS Defense Mechanisms, ACM SIGCOMM

[Srivatsa2005] Securing Publish-Subscribe Overlay Services with EventGuard, ACM Conference on Computer and Communications Security

[Wang2002] Security Issues and Requirements for Internet-Scale Publish-Subscribe Systems, Hawaii International Conference on System Sciences


Extra Slides

Messaging Middleware

[Figure: Content-based Publish/Subscribe. Publishers (P) and subscribers (S); enterprise servers, embedded devices and sensor networks. Labels: distributed broker federations, subscription state management, content-based processing.]