Drum


Exposing and Eliminating Vulnerabilities to Denial of Service Attacks in Secure Gossip-Based Multicast

Gal Badishi, Idit Keidar, Amir Sasson

Gal Badishi Faculty of Electrical Engineering, Technion Drum

Agenda

• The problem

• Overview of gossip-based multicast

• Proposed solution - Drum

• Analysis and simulations

• Implementation and measurements

• More DoS-mitigation techniques

• Conclusions


Denial of Service (DoS)

• Unavailability of service

– Exhausting resources

• Remote attacks

– Network level

• Solutions do not solve all application problems

– Application level

• Got little attention

• Quantitative analysis of impact on application and identification of vulnerabilities needed


Dollar Amount of Losses by Type


Remote Application-Level DoS

[Figure: No Attack vs. DoS Attack; legend: Valid Request, Bogus Request]

Challenges

• Quantify the effect of DoS at the application level

• Expose vulnerabilities

• Find effective DoS-mitigation techniques

– Prove their usefulness using the found metric


Multicast

• A group of members

• At least one member is a source – generates messages

• Messages should arrive to all of the group members in a timely fashion

• Network level vs. application level (ALM)


Tree-Based Multicast

• Use a spanning tree – most common solution

• No duplicates (optimal BW when network-level)

• Single points of failure

[Figure: tree-based multicast; label: Source]

Gossip-Based Multicast

• Progresses in rounds

• Every round

– Choose random partners (view)

– Send or receive messages

– Discard old msgs from buffer

• Probabilistic reliability

• Uses redundancy to achieve robustness

• Two methods

– Push

– Pull


Push

[Figure: push; label: Source]

Pull

[Figure: pull; label: Source]

Effects of DoS on Gossip

• Reasonable to assume that source is attacked

• Surprisingly, we show that naïve gossip is vulnerable to DoS attacks

• Attacking a process in pull-based gossip may prevent it from sending messages

• Attacking a process in push-based gossip may prevent it from receiving messages


Drum

• A new gossip-based ALM protocol

• Utilizes DoS-mitigation techniques

– Using random one-time ports to communicate

– Combining both push and pull

– Separating and bounding resources

• Eliminates vulnerabilities to DoS

• Proven robust using formal analysis and quantitative evaluation


Random Ports

• Any request necessitating a reply contains a random port number

– “Invisible” to the attacker (e.g., encrypted)

• The reply is sent to that random port

• Assumption: attacking other ports does not affect the random port’s queue (i.e., there is no BW exhaustion)


Combining Push and Pull

• Attacking push cannot prevent receiving messages via pull (random ports)

• Attacking pull cannot prevent sending via push

• Each process has some control over the processes it communicates with


Bounding Resources

• Motivation: prevent resource exhaustion

• Each round process a random subset of the arriving messages and discard the rest

• Separate resources for orthogonal operations

[Figure labels: Valid Request, Bogus Request, Round Duration]

Drum’s Push Mechanism

• Alice sends Bob a push-offer

• Bob replies with a digest of messages he has already received

• Alice only sends Bob messages missing from his digest

• Random ports


Evaluation Methodology

• Compare 3 protocols

– Push (push-based with bounded resources)

– Pull (pull-based with bounded resources)

– Drum

• Under various DoS attacks

– Increasing strength (shows trend under DoS)

– Fixed strength (exposes vulnerabilities)

• Source is always attacked

• Evaluates combination of Push and Pull

• Separately evaluate the other two techniques


Evaluation Methodology (cont.)

• Measure propagation time – expected number of rounds it takes a message to reach all of the correct processes

– 99% in the simulations and actual measurements

• Use real implementation to measure actual latency and throughput


Analysis/Simulation Assumptions

• Static group with complete connectivity

• Processes have complete group knowledge

• Propagation of a single message M

– But simulate situation where all procs have msgs to send

• M is never purged from local buffers

• Rounds are synchronized

• All round operations complete within the same round

• All processes are correct (analysis) or 10% of them perform a DoS attack (simulation)


Validating Known Results

• The propagation time of gossip-based multicast protocols is O(log n) [P87, KSSV00]

[Figure: Expected Propagation Time; x-axis: # processes (log scale); series: Push, Pull, Drum]

Validating Known Results (cont.)

• The performance of gossip-based multicast protocols degrades gracefully as failures mount [LMM00, GvRB01]

[Figure: Expected Propagation Time, n = 1000; x-axis: % failed processes; series: Push, Pull, Drum]

Definitions

• n – number of processes in the group

• F – size of view, and max # of requests to process in a round (F = 4)

• α – percentage of attacked processes

• x – number of bogus messages an attacked process receives in a round

• B – total attack strength (B = αnx)


Analysis – Increasing Strength

• Lemma 1: Fix α < 1 and n. Drum’s propagation time is bounded from above by a constant independent of x

• Proof idea

– Define effective fan-in and effective fan-out

– Both have an element independent of x

– When x → ∞ this element is dominant

– The effective fans are bounded from below


Analysis – Increasing Strength

• Lemma 2: Fix α and n. The propagation time of Push grows at least linearly with x

• Proof idea

– Assume all non-attacked processes already have the message (and so does the source)

– Bound the expected number of processes having M at round k from above

– Find the minimal k in which all processes have M

– Reaching all attacked processes takes at least a time linear in x


Analysis – Increasing Strength

• Lemma 3: Fix α and n. The propagation time of Pull grows at least linearly with x

• Proof idea

– Denote by p the probability that the source reads a valid pull request in a round

– # of rounds for M to leave the source is geometrically distributed with p

– The expectation is 1/p

– 1/p is at least linear in x
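Added example (not from the original slides or the authors' simulator): a round-based Python simulation of Push, Pull and Drum with bounded resources, under the analysis assumptions listed earlier (static group, complete group knowledge, synchronized rounds, a single message M, every process gossiping each round). Assumed here: the first 10% of processes, including the source, are attacked, bogus traffic is split evenly over the well-known ports a protocol listens on, and replies sent to random ports are never dropped; the function names are hypothetical.

```python
import random

F = 4  # view size and per-round request bound (Definitions slide)

def accept(arrivals, bogus, bound, rng):
    """Bounded resources: read a random subset of at most `bound` arrivals."""
    pool = arrivals + [None] * bogus              # None marks a bogus request
    picked = rng.sample(pool, min(bound, len(pool)))
    return [s for s in picked if s is not None]

def rounds_to_spread(protocol, n, alpha, x, rng, goal=0.99, max_rounds=5000):
    """Rounds until `goal` of the n processes hold M (process 0 is the source)."""
    attacked = set(range(round(alpha * n)))       # the source is always attacked
    push_f, pull_f = {"push": (F, 0), "pull": (0, F), "drum": (F // 2, F // 2)}[protocol]
    ports = (push_f > 0) + (pull_f > 0)           # assumption: attack split evenly
    has_m = {0}
    for rnd in range(1, max_rounds + 1):
        offers = [[] for _ in range(n)]
        requests = [[] for _ in range(n)]
        for p in range(n):                        # every process gossips each round
            view = [q for q in rng.sample(range(n), F + 1) if q != p][:F]
            for q in view[:push_f]:
                offers[q].append(p)
            for q in view[push_f:push_f + pull_f]:
                requests[q].append(p)
        new = set(has_m)
        for p in range(n):
            bogus = (x if p in attacked else 0) // ports
            if push_f and any(s in has_m for s in accept(offers[p], bogus, push_f, rng)):
                new.add(p)                        # p read an offer from a holder of M
            if pull_f and p in has_m:             # replies go to unattacked random ports
                new.update(accept(requests[p], bogus, pull_f, rng))
        has_m = new
        if len(has_m) >= goal * n:
            return rnd
    return max_rounds

def mean_rounds(protocol, x, n=120, alpha=0.1, trials=20, seed=1):
    """Average propagation time over `trials` seeded runs (constructed setup)."""
    rng = random.Random(seed)
    return sum(rounds_to_spread(protocol, n, alpha, x, rng) for _ in range(trials)) / trials

if __name__ == "__main__":
    for x in (0, 128, 512):
        print(x, {p: mean_rounds(p, x) for p in ("push", "pull", "drum")})
```

Raising x makes the Push and Pull averages climb while the Drum average stays within a few rounds of its unattacked value, which is the behaviour Lemmas 1 to 3 describe.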

[Figure: Expected Propagation Time, 10% Attacked; x-axis: Attack Rate; series: Push, Pull, Drum, each for n = 1000 and n = 120]

[Figure: Expected Propagation Time, Rate = 128; x-axis: % attacked processes; series: Push, Pull, Drum, each for n = 1000 and n = 120]

Analysis – Fixed Strength

• Define c = B/nF (total attack strength divided by total system capacity)

• Lemma 4: For c > 5, Drum’s expected propagation time is monotonically increasing with α

• Proof idea

– Effective fan-in and effective fan-out are monotonically decreasing with α

[Figure: Expected Propagation Time, Fixed Strength (c = 10); x-axis: % attacked processes; series: Push, Pull, Drum, each for n = 120 and n = 500]

Implementation and Measurements

• Multithreaded processes in Java

• Operations are not synchronized

• Rounds are not synchronized among processes

• 50 machines on a 100Mbit LAN (Emulab)

• One process per machine

• 5 processes (10%) perform a DoS attack


Validating the Simulations

• Evaluate the protocols in the same scenarios tested by simulation

• High correlation shows that the simplifying assumptions have little effect on the results

[Figure: Expected Propagation Time, 10% Attacked; x-axis: Attack Rate; series: Push, Pull, Drum, measurements and simulation for each]

[Figure: Expected Propagation Time, Rate = 128; x-axis: % attacked processes; series: Push, Pull, Drum, measurements and simulation for each]

High-Throughput Experiments

• Single source

• Creates 40 messages per second

• Round duration = 1 second

• Messages are purged after 10 rounds

• Each process sends at most 80 data messages to another process in a round

• Throughput and latency are measured at the 44 correct receiving processes

[Figure: Average Received Throughput, 10% Attacked; x-axis: Attack Rate; series: Drum, Push, Pull]

[Figure: Average Received Throughput, Rate = 128; x-axis: % attacked processes; series: Drum, Push, Pull]

[Figure: CDF: Average Latency of Received Messages, 40% Attacked, Rate = 128; x-axis: Average Latency (msecs); series: Drum, Push, Pull]

Evaluating Random Ports

• Analyze Drum using simulations

• Assume pull-replies are returned to a well-known port

– Different than the port for pull-requests

– Both ports are now being attacked

– Original attack on pull channels is equally divided between these ports

[Figure: Expected Propagation Time, 10% Attacked (of 1000); x-axis: Attack Rate; series: Drum - Known Ports, Drum - Random Ports]

Evaluating Resource Separation

• Analyze Drum using actual measurements

• Merge all bounds on reception of control messages

– Push-offers, push-replies, pull-requests

– Originally, allow reception of F/2 (= 2) messages/round on each listening control msgs port

– Now, allow reception of 3F/2 (= 6) messages/round in total, for all control messages

[Figure: Expected Propagation Time, 10% Attacked (of 50); x-axis: Attack Rate; series: Drum - Shared Bounds, Drum - Separate Bounds]

Summary

• Gossip-based protocols are very robust, but…

– naïve gossip-based protocols are vulnerable to targeted DoS attacks

• Drum uses simple techniques to mitigate the effects of DoS attacks

• Evaluations show Drum’s resistance to DoS

• The most effective attack against Drum is a broad one


General Principles

• DoS-mitigation techniques:

– random ports

– neighbor-selection by local choices

– separate resource bounds

• Design goal: eliminate vulnerabilities

– The most effective attack is a broad one

• Analysis and quantitative evaluation of impact of DoS
