SOS: An Architecture For Mitigating DDoS Attacks

Angelos D. Keromytis, Vishal Misra, Dan Rubenstein

ACM SIGCOMM 2002

Presented By: Tracy Wagner CDA 6938 April 12, 2007

Outline

Introduction SOS Architecture Defense Against Attacks Performance Strength Weaknesses Future Work

Introduction

SOS – Secure Overlay Services Proactively secure communications between

known entities against Denial of Service (DoS) Attacks

Assumes a pre-determined set of approved clients communicating with a target

Focus efforts on a site that stores information that is difficult to replace

SOS Architecture Diagram

SOS Architecture

Target Selects some subset of

nodes to act as Secret Servlets

Accepts traffic only from Secret Servlet IPs

Secret Servlets Verifies authenticity of

request to act as Secret Servlet

Identifies Beacon Nodes

SOS Architecture

Beacon Nodes Notified by either Secret Servlets or Target of

their role (“Hey, you’re a Beacon!”) Verify validity of information received Forwards traffic received to particular Secret

Servlet associated with Target

SOS Architecture

Secure Overlay Access Point (SOAP) Nodes Authenticates and authorizes request from

client to communicate with Target Securely routes all traffic to Target via Beacon

nodes

Protection Against DoS

If an SOAP node is attacked, source point can enter through an alternate SOAP node

If a node within the overlay is attacked, the node “exits” and the overlay provides new paths to Beacons

No node is more important or sensitive than any other

If Secret Servlet is compromised, new subset of Secret Servlets can be chosen

Defending Against Attack

Security Analysis Assumptions: An attacker knows and can attack overlay

nodes Attacker does not know functionality of any

given node, and cannot determine it Bandwidth available to launch an attack is

limited Attack packets can always be identified as

illegitimate traffic Different users access overlay via different

SOAPs A node can simultaneously act as a SOAP,

Beacon and/or Secret Servlet

Defending Against Static Attacks

~40% of nodes must be attacked simultaneously for attack to succeed once out of 10,000 attempts

Increasing number of Beacons and Secret Servlets quickly drops probability of successful attack

Defending Against Dynamic Attacks

Dynamic Attack allows for SOS to self-heal; Attacker can then alter attack in response

Centralized vs. Distributed Repair Process Centralized vs. Distributed Attack Process

Defending Against Network Attacks

Several zombies launch attack on Target Triggered immediately or at some specified

time Anonymizing the Attacked Node

When Secret Servlet Identity is unknown, attacks randomly launched into overlay

Only a fraction of attack traffic will reach appropriate servlet

Placing targeted servlet in an overlay of size 30 reduces probability of attack by 4 orders of magnitude

Performance

Measurement of time-to-completion of https requests

Depending upon the number of nodes in the overlay, the time-to-completion increases by a factor of 2-10

Performance

Shortcut Implementation SOAPs contact Beacon nodes to determine

Secret Servlet; cache information and route future traffic from source directly to Servlet

Latency increases by as little as a factor of 2

Strengths

Proactive approach to fighting Denial of Service (DoS) attacks

Overlay can self-heal when a participant node is attacked

Scalable access control

Weaknesses

Assumes, for security analysis, that no attack can come from inside the overlay

Assumes that an attacker cannot mask illegitimate traffic to appear legitimate

To improve scalability, the number of SOAPs, Beacons, and Secret Servlets are limited – which lessens protection from DoS attacks

Shortcut implementation does not protect secret information

Future Work

More details about how repair and attack processes will function

Evaluation of damage and attack that can come from inside the overlay

Consideration of attack traffic that may be able to pass through overlay

Exploration of overlays shared by multiple organizations in a secure manner

Investigation of possible shortcuts through the overlay that do not compromise security