SOS: An Architecture For Mitigating DDoS Attacks Angelos D. Keromytis, Vishal Misra, Dan Rubenstein...
-
Upload
oswald-jefferson -
Category
Documents
-
view
217 -
download
0
Transcript of SOS: An Architecture For Mitigating DDoS Attacks Angelos D. Keromytis, Vishal Misra, Dan Rubenstein...
SOS: An Architecture For Mitigating DDoS Attacks
Angelos D. Keromytis, Vishal Misra, Dan Rubenstein
ACM SIGCOMM 2002
Presented By: Tracy Wagner CDA 6938 April 12, 2007
Outline
Introduction SOS Architecture Defense Against Attacks Performance Strength Weaknesses Future Work
Introduction
SOS – Secure Overlay Services Proactively secure communications between
known entities against Denial of Service (DoS) Attacks
Assumes a pre-determined set of approved clients communicating with a target
Focus efforts on a site that stores information that is difficult to replace
SOS Architecture Diagram
SOS Architecture
Target Selects some subset of
nodes to act as Secret Servlets
Accepts traffic only from Secret Servlet IPs
Secret Servlets Verifies authenticity of
request to act as Secret Servlet
Identifies Beacon Nodes
SOS Architecture
Beacon Nodes Notified by either Secret Servlets or Target of
their role (“Hey, you’re a Beacon!”) Verify validity of information received Forwards traffic received to particular Secret
Servlet associated with Target
SOS Architecture
Secure Overlay Access Point (SOAP) Nodes Authenticates and authorizes request from
client to communicate with Target Securely routes all traffic to Target via Beacon
nodes
Protection Against DoS
If an SOAP node is attacked, source point can enter through an alternate SOAP node
If a node within the overlay is attacked, the node “exits” and the overlay provides new paths to Beacons
No node is more important or sensitive than any other
If Secret Servlet is compromised, new subset of Secret Servlets can be chosen
Defending Against Attack
Security Analysis Assumptions: An attacker knows and can attack overlay
nodes Attacker does not know functionality of any
given node, and cannot determine it Bandwidth available to launch an attack is
limited Attack packets can always be identified as
illegitimate traffic Different users access overlay via different
SOAPs A node can simultaneously act as a SOAP,
Beacon and/or Secret Servlet
Defending Against Static Attacks
~40% of nodes must be attacked simultaneously for attack to succeed once out of 10,000 attempts
Increasing number of Beacons and Secret Servlets quickly drops probability of successful attack
Defending Against Dynamic Attacks
Dynamic Attack allows for SOS to self-heal; Attacker can then alter attack in response
Centralized vs. Distributed Repair Process Centralized vs. Distributed Attack Process
Defending Against Network Attacks
Several zombies launch attack on Target Triggered immediately or at some specified
time Anonymizing the Attacked Node
When Secret Servlet Identity is unknown, attacks randomly launched into overlay
Only a fraction of attack traffic will reach appropriate servlet
Placing targeted servlet in an overlay of size 30 reduces probability of attack by 4 orders of magnitude
Performance
Measurement of time-to-completion of https requests
Depending upon the number of nodes in the overlay, the time-to-completion increases by a factor of 2-10
Performance
Shortcut Implementation SOAPs contact Beacon nodes to determine
Secret Servlet; cache information and route future traffic from source directly to Servlet
Latency increases by as little as a factor of 2
Strengths
Proactive approach to fighting Denial of Service (DoS) attacks
Overlay can self-heal when a participant node is attacked
Scalable access control
Weaknesses
Assumes, for security analysis, that no attack can come from inside the overlay
Assumes that an attacker cannot mask illegitimate traffic to appear legitimate
To improve scalability, the number of SOAPs, Beacons, and Secret Servlets are limited – which lessens protection from DoS attacks
Shortcut implementation does not protect secret information
Future Work
More details about how repair and attack processes will function
Evaluation of damage and attack that can come from inside the overlay
Consideration of attack traffic that may be able to pass through overlay
Exploration of overlays shared by multiple organizations in a secure manner
Investigation of possible shortcuts through the overlay that do not compromise security