Overlay Network

Tolerating Denial-of-Service Attacks Using Overlay Networks – Impact of Topology

      Ju Wang (1), Linyuan Lu (2) and Andrew A. Chien (1)
      (1) CSE Department, UCSD
      (2) Math Department, UCSD

 October 31st, 2003      ACM SSRS'03
  Outline
      Background
      System Model
      Analytical Results
      Summary & Future Work




  Motivation
      DoS attacks compromise important websites
           “Code Red” worm attack on Whitehouse website
           Yahoo, Amazon, eBay
      DoS is a critical security problem
           Global corporations lost over $1.39 trillion (2000)
           60% due to viruses and DoS attacks.
           FBI reports DoS attacks are on the rise
      => DoS an important problem

   Denial-of-Service Attacks
   [Figure: Application Service, Service Infrastructure, Internet, Legitimate User]
     Attackers prevent legitimate users from
      receiving service
          Application level (large workload)
          Infrastructure level
  Denial-of-Service Attacks
    Attackers prevent legitimate users from
     receiving service
         Application level
         Infrastructure level (traffic flood) – require IP addr
      Use Overlay Network to Resist
      Infrastructure DoS Attack

   [Figure: Legitimate User, App, 132.233.202.13, Internet, Overlay Network, attackers ("where?")]
   Applications hide behind proxy network (location-hiding): this talk
   Proxy network DoS-resilient – shielding applications
      Need to tolerate massive proxy failures due to DoS attacks

      Addressed in on-going research


    Proxy Network Topology & Location Hiding

   [Figure: Overlay Network with adjacent nodes A and B]



   Proxy node: software component run on a host
   Proxy nodes adjacent iff IP addresses are mutually known
       Compromising one reveals IP addresses of adjacent nodes
   Topology = structure of node adjacency => how hard to penetrate,
    effectiveness of location-hiding

  Problem Statement
      Focus on location-hiding problem
      Impact of topology on location-hiding
           Good or robust topologies: hard to penetrate and defenders
            can easily defeat attackers
           Bad or vulnerable topologies: attackers can quickly
            propagate and remain inside the proxy network




   [Figure: topologies, Vulnerable (unfavorable) vs. Robust (favorable)]

         Attack: Compromise and Expose
   [Figure: Overlay Network with a node marked "Compromised!!"; legend: intact, exposed, compromised]
   Attackers: steal location information using host compromise attacks
   A proxy node is:
        Compromised: attackers can see all its neighbors’ IP addresses
        Exposed: IP addresses known to attackers
        Intact: otherwise
    Defense: Recover and Reconfigure

   [Figure: Overlay Network with a node marked "Recovered!"; legend: intact, exposed, compromised]
   Resource Recovery: compromised -> exposed/intact
       Proactive (periodic clean system reload)
       Reactive (IDS triggered system cleaning)
   Proxy network reconfiguration: exposed/compromised -> intact
       Proxy migration – move proxy to a different host
    Defense: Recover and Reconfigure

   [Figure: Overlay Network with a node marked "Move to new location!"; legend: intact, exposed, compromised]
   Resource recovery + Proxy network reconfiguration
       Exposed -> Intact (at certain probability )
       Compromised -> Intact (at certain probability )


  Analytical Model
     Model M(G, , , )
           G: topology graph of the proxy network
           : speed of attack (at prob , exp -> com)
           : speed of defense (at prob , com -> intact)
           : speed of defense (at prob , exp -> intact)
           Nodes adjacent to a compromised node are exposed
   [Figure: node states intact, exposed and compromised]
  Theorem I (Robust Topologies)
   [Figure: example topologies labelled bad and good]

       Average degree 1 of G is smaller than the ratio of
        speed between defenders and attackers:
        (+)/ > 1
                 Even if many nodes are initially compromised, attackers’
                  impact can be quickly removed in O(logN) steps
                 Defenders are quick enough to suppress attackers’
                  propagation
       Low average degrees are favorable
  Theorem II (Vulnerable Topologies)

   [Figure: cluster annotated "hard to beat attackers inside the cluster"]




      Neighborhood expansion property  of G is larger
       than the ratio of speed between defenders and
       attackers:  > /
           Even if only one node is initially exposed, attackers’ impact
            quickly propagates, and will linger forever
           Applies to all sub-graphs
      Large clusters (tightly connected sub-graphs) are
       unfavorable
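
An added simulation, not part of the original slides, that runs the compromise/recover/migrate model on a low-degree ring and on a Chord-like graph with identical rates, to show the contrast the two theorems describe. The parameter names `attack`, `recover` and `migrate` stand in for the three model rates whose symbols are missing from this copy; the synchronous discrete-time update and the mutual-finger Chord-like adjacency are assumptions of this sketch.

```python
import random

INTACT, EXPOSED, COMPROMISED = 0, 1, 2

def ring(n):
    """Low-degree topology: each node knows only its two ring neighbours."""
    return {v: {(v - 1) % n, (v + 1) % n} for v in range(n)}

def chord_like(n):
    """Chord-style fingers at distance 2**k; adjacency treated as mutual (assumption)."""
    adj = {v: set() for v in range(n)}
    for v in range(n):
        d = 1
        while d < n:
            adj[v].add((v + d) % n)
            adj[(v + d) % n].add(v)
            d *= 2
    return adj

def expose(state, adj):
    """Intact nodes adjacent to a compromised node become exposed."""
    for v in [v for v, s in state.items() if s == COMPROMISED]:
        for u in adj[v]:
            if state[u] == INTACT:
                state[u] = EXPOSED

def simulate(adj, attack, recover, migrate, start, steps=300, seed=1):
    """Return (step at which every node is intact, or None; compromised nodes left)."""
    rng = random.Random(seed)
    state = {v: INTACT for v in adj}
    for v in start:
        state[v] = COMPROMISED
    expose(state, adj)
    for t in range(1, steps + 1):
        for v, s in list(state.items()):
            r = rng.random()
            if s == COMPROMISED and r < recover:
                state[v] = INTACT           # resource recovery
            elif s == EXPOSED and r < attack:
                state[v] = COMPROMISED      # host compromise
            elif s == EXPOSED and r < attack + migrate:
                state[v] = INTACT           # proxy migration
        expose(state, adj)                  # compromised nodes leak neighbour addresses
        if all(s == INTACT for s in state.values()):
            return t, 0
    return None, sum(s == COMPROMISED for s in state.values())

if __name__ == "__main__":
    for name, g in (("ring", ring(512)), ("chord-like", chord_like(512))):
        print(name, simulate(g, 0.1, 0.5, 0.5, range(0, 512, 8)))
```

With defense five times faster than attack, the degree-2 ring is cleaned while the degree-17 Chord-like graph keeps compromised nodes for the whole run.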
        Case Study: existing overlays
   N-Chord: N node Chord
   K-D CAN: k-dimensional Cartesian space torus
   RR-k: random regular graph, degree = k
   [Figure: bar chart "Defense Speed Needed To Be Robust" for 4K-Chord, 2K-Chord, 1K-Chord, 512-Chord, 4D-CAN, 3D-CAN, RR6, RR5, RR4, RR3; x-axis: Defense Speed (# times faster than attack speed), 0 to 25]




  Related Work
      Secure Overlay Services (SOS) [Keromytis02]
           Use Chord to provide anonymity to hide location of secret “servlets”
      Internet Indirection Infrastructure (i3) [Stoica02]
           Uses Chord for location-hiding
      Didn’t analyze how secure their location-hiding schemes are
      We showed that Chord is not a favorable topology
      Our previous work [Wang03]
           Studied feasibility of location-hiding using proxy networks
           Assumed favorable topology; focused on impact of defensive
            mechanisms, such as resource recovery and proxy reconfiguration
           This work focuses on impact of topology



  Summary & Future Work
      Summary
           Studied impact of topology on location-hiding and presented two
            theorems to characterize robust and vulnerable topologies
           Derived design principles on proxy networks for location-hiding
           Found popular overlays (such as Chord) not favorable
      Future Work
           Impact of correlated host vulnerabilities (,  and  non-constant)
           Design proxy networks to tolerate massive failures due to DoS
            attacks
           Performance implications and resource requirement for proxy
            networks




  References
      [Wang03] J. Wang and A. A. Chien, “Using Overlay Networks to Resist
       Denial-of-Service Attacks”, Technical report, CSE UCSD, 2003.

      [Keromytis02] A. D. Keromytis, V. Misra, and D. Rubenstein, “SOS:
       Secure Overlay Services”, In ACM SIGCOMM’02, Pittsburgh, PA, 2002.

      [Stoica02] I. Stoica, D. Adkins, S. Zhuang, S. Shenker, and S. Surana,
       “Internet Indirection Infrastructure”, In SIGCOMM, Pittsburgh,
       Pennsylvania USA, 2002.



