Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks

Udi Ben-Porat, Tel-Aviv University, Israel

Anat Bremler-Barr, IDC Herzliya, Israel

Hanoch Levy, ETH Zurich, Switzerland


Study Objective

Propose a DDoS Vulnerability performance metric

Vulnerability Measure

To be used in addition to traditional system performance metrics

Understanding the vulnerability of different systems to sophisticated attacks

This Talk

Describe DDoS Vulnerability performance metric

Demonstrate Metric impact

Hash Table: very common in networking

Performance (traditional): OPEN equivalent to CLOSED

Vulnerability analysis: OPEN << CLOSED!!


Distributed Denial of Service (DDoS)

Attacker adds more regular users

Loading the server degrades the performance

[Figure: server performance under Normal load, DDoS and Sophisticated DDoS (S. DDoS); the attacker sends requests to the server]


Sophisticated DDoS

Attacker adds sophisticated malicious users

Each user creates maximal damage (per attack budget)

[Figure: server performance under Normal load, DDoS and Sophisticated DDoS (S. DDoS); the attacker's sophisticated users target the server]


Sophisticated Attacks Examples

Simple example: Database server

Make hard queries

Goal: consume CPU time

Sophisticated attacks in the literature:

Reduction of Quality (RoQ) Attacks on Internet End-Systems. Mina Guirguis, Azer Bestavros, Ibrahim Matta and Yuting Zhang. INFOCOM 2005

Low-Rate TCP-Targeted Denial of Service Attacks. A. Kuzmanovic and E. W. Knightly. SIGCOMM 2003

Denial of Service via Algorithmic Complexity Attacks. Scott A. Crosby and Dan S. Wallach. USENIX 2003


Our goal

Proposing a vulnerability measure for all sophisticated DDoS attacks

Vulnerability Measurement

Understanding the vulnerability of different systems to sophisticated attacks

Later: Hash Tables and Queuing


Vulnerability Factor Definition

$$\mathrm{Vulnerability}(\text{Cost } c) = \max_{st} \frac{\Delta\mathrm{Performance}(\mathrm{Malicious}\ st,\ c)}{\Delta\mathrm{Performance}(\mathrm{Regular},\ c)}$$

(st = Malicious Strategy; ΔPerformance is the performance degradation scale)

Vulnerability = v means: a malicious user degrades the server performance v times more than a regular user.


Demonstration of Vulnerability metric: Attack on Hash Tables

Central component in networks

Hash table is a data structure based on a hash function and an array of buckets.

Operations: Insert, Search and Delete of elements according to their keys.

[Figure: the user sends Insert(element) with its key to the server; the server computes Hash(key) to select the bucket]


Hash Tables

Open Hash

Bucket = list of elements that were hashed to that bucket

Closed Hash

Bucket = one element

Collision: the array is repeatedly probed until an empty bucket is found


Vulnerability: OPEN vs. CLOSED

Traditional Performance: OPEN = CLOSED *

What about Vulnerability? OPEN = CLOSED?

Performance Factors

In Attack:

While the attack is on: the attacker's operations are CPU intensive → CPU loaded

Post Attack:

Loaded table → insert/delete/search operations suffer

(* when the bucket array of the closed hash is twice as big)


Attacker strategy (InsStrategy)

Strategy:

Insert k elements (cost = budget = k) where all elements hash into the same bucket

Theorem: InsStrategy is optimal for both performance factors

Attack results:

Open Hash: one long list of elements in a single bucket

Closed Hash: a cluster of occupied buckets


In Attack: Resource Consumption

Analytic results:

Open Hash: V =

In every malicious insertion, the server has to traverse all previously inserted elements (+ some existing elements)

Closed Hash: V =

[Figure: in-attack vulnerability of Open Hash vs. Closed Hash]


Post Attack: Operation Complexity

[Figure: post-attack operation complexity of Open Hash vs. Closed Hash]

Open Hash: Vulnerability = 1

No post-attack degradation in Open Hash (only a small chance to traverse the malicious list)

Closed Hash: big chance that the operation has to traverse part of the big cluster
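The InsStrategy attack and the two performance factors above (in-attack resource consumption, post-attack operation complexity), simulated as an added example that is not part of the talk: a chained (open) and a linear-probing (closed) table, with the vulnerability factor of the definition slide computed for each. The cost model (chain elements examined, slots probed), the hash function key % m and the parameters m = 100, k = 50 are assumptions.

```python
import random

class OpenHash:
    """Chaining ("open hash" in the talk): bucket = list; cost = elements examined."""
    def __init__(self, m):
        self.m, self.buckets = m, [[] for _ in range(m)]
    def insert(self, key):
        chain = self.buckets[key % self.m]
        chain.append(key)            # the whole chain is scanned before appending
        return len(chain)
    def search(self, key):
        chain = self.buckets[key % self.m]
        return chain.index(key) + 1 if key in chain else len(chain)

class ClosedHash:
    """Linear probing ("closed hash"): bucket = one key; cost = slots probed."""
    def __init__(self, m):
        self.m, self.slots = m, [None] * m
    def insert(self, key):
        probes, i = 1, key % self.m
        while self.slots[i] is not None:           # walk the cluster to a free slot
            probes, i = probes + 1, (i + 1) % self.m
        self.slots[i] = key
        return probes
    def search(self, key):
        probes, i = 1, key % self.m
        while self.slots[i] is not None and self.slots[i] != key:
            probes, i = probes + 1, (i + 1) % self.m
        return probes

def vulnerability(table_cls, m, k, trials=200, seed=7):
    """Vulnerability factor for the talk's two performance factors: in-attack, cost of
    the attacker's k inserts over k regular inserts; post-attack, a regular user's mean
    search cost after the attack over the same after regular load. Hash: key % m."""
    rng = random.Random(seed)
    def run(keys):
        t = table_cls(m)
        in_attack = sum(t.insert(key) for key in keys)
        post = sum(t.search(rng.randrange(m * m)) for _ in range(trials)) / trials
        return in_attack, post
    # InsStrategy: k keys that all hash into bucket 0 (cost = budget = k inserts)
    mal_in, mal_post = run([i * m for i in range(k)])
    # Regular users: k random keys, averaged over many trials
    reg = [run([rng.randrange(m * m) for _ in range(k)]) for _ in range(trials)]
    reg_in, reg_post = (sum(r[j] for r in reg) / trials for j in (0, 1))
    return mal_in / reg_in, mal_post / reg_post

if __name__ == "__main__":
    for cls in (OpenHash, ClosedHash):   # expect post-attack factor ~1 vs. >> 1
        print(cls.__name__, vulnerability(cls, m=100, k=50))
```

Both tables pay roughly k(k+1)/2 for the k colliding inserts (in-attack factor well above 1), while only the closed table keeps hurting regular searches afterwards.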


Post Attack: account for queuing

Requests for the server are queued up

Vulnerability of the (post attack) waiting time?

[Figure: request queue in front of the hash-table server]


Post Attack Waiting Time

Stability Point

Open Hash: Vulnerable!! (while in the model of post-attack operation complexity the Open Hash is not vulnerable!)

Closed Hash: drastically more vulnerable; clusters increase the second moment of the hash operation times

No longer stable for load > 48%


Conclusions

Closed Hash is much more vulnerable than the Open Hash to DDoS, even though the two systems are considered to be equivalent via traditional performance evaluation.

After the attack has ended, regular users still suffer from performance degradation.

Applications using a hash in the Internet, where there is a queue before the hash, have high vulnerability.


Related Work

The alternative measure: Potency [RoQ]

Was defined only for RoQ

Only counts the performance degradation of a specific attack → Vulnerability measures the system

Meaningless without additional numbers → Vulnerability is meaningful information based on this number alone

Analyzing Hash: comparing Closed to Open Hash, also analyzing the post-attack performance degradation (Denial of Service via Algorithmic Complexity Attacks, Scott A. Crosby and Dan S. Wallach, USENIX 2003)


Questions?
