Mitigating Denial-of-Service By Dodging
Sherif Khattab
Ph.D. Proposal Defense
April 27th, 2007

Outline

   Denial-of-Service Attack
   Dodging
   Preliminary Work
        Server Roaming
        Roaming Honeypots
        Live Baiting
   Proposed Work
   Conclusions

04/27/2007          Sherif Khattab-Mitigating DoS By Dodging   2
Denial-of-Service [Gligor, 84]

“A group of otherwise-authorized users of a specific service is said to deny service to another group of otherwise-authorized users if the former group makes the specified service unavailable to the latter group for a period of time which exceeds the intended (and advertised) waiting time”

Denial-of-Service (DoS) Attacks

(Figure: timeline of notable DoS attacks: Feb 2000; Oct 2002, nine DNS root servers; Oct 2003, HTTP flood (CyberSlam); Feb 2007, six DNS root servers)

DoS Attacks (1/4)

Legitimate packets consume network resources, such as router buffers and link capacity. They also consume server resources, such as interrupt processing capacity, operating system structures, processing time, etc.

(Figure: a legitimate client sending packets through a router to a server)

DoS Attacks (2/4)

Network-level DoS attacks flood network resources.

(Figure: attackers flooding the network path to the server)

DoS Attacks (3/4)

Service-level DoS attacks exploit vulnerabilities to crash servers.

DoS Attacks (4/4)

Service-level DoS attacks flood server resources.

(Figure: a flooded server dropping requests)

Our Focus: Service-level Flooding DoS

DoS attacks are classified as:
   Resource Destruction
   Resource Exhaustion
        Brute-force Flooding
             Service-level (our focus)
             Network-level
        Vulnerability Exploitation

Why Service-level DoS?

   More attractive to attackers
        lower packet rate
        more “stealthy”
   Next-generation DoS
        after deployment of anti-spoofing defenses
        (e.g., ingress filtering and D-WARD)

The DoS Problem

Distinguish attack packets/requests from legitimate packets/requests
        quickly,
        accurately (low false positives and false negatives), and
        efficiently (small overhead)

Primary Metrics

   Legitimate Response Time
   Legitimate Throughput




Secondary Metrics

   Coverage
        Fraction of attack instances successfully handled
   Effectiveness:
        False Positive probability (FP)
        False Negative probability (FN)
        Detection time
   Efficiency:
        Storage overhead
        CPU complexity (on-line (per-request) vs. off-line)
        Message overhead

Related Problems

(Figure: denial-of-service shown in relation to integrity, confidentiality, non-malicious faults and fault-tolerance)

State-of-the-art

                 Prevention                   Detection/Recovery           Mitigation
Network-level    Network-level puzzles        PacketScore; RED-PD;         Replication;
                                              Heavy-hitter detection;      Overlay-based
                                              DCAP; Pushback; MOVE;
                                              Capabilities; IP Hopping
Service-level    Application-level puzzles;   DDoS Shield;                 Replication;
                 Reservation-based schemes    Shadow Honeypots;            Dodging
                                              Kill-Bots

Our Contributions

Dodging DoS Attacks
   Dodging to Escape
        Server Roaming
        Proposed work
   Dodging to Bait (Primary-Effect-based Detection (PED))
        Camouflaged Baiting (Roaming Honeypots)
        Live Baiting

Physical-world Dodging

“Float like a butterfly, sting like a bee”
    Muhammad Ali Clay

Service Model

   Public service with many clients
   A pool of servers behind packet-filtering firewalls

(Figure: clients reach the server pool through the Internet and the packet-filtering firewalls)

Main Concepts

(Figure: Dodging, built on two concepts: Virtualization and Client-Server Mapping)

Virtualization

   Dodging uses virtualization to increase “elusiveness”
   Physical servers divided into many virtual servers (buckets)
        isolated from each other
        monitored

(Figure: a physical server divided into virtual servers (buckets))

Buckets

(Figure: requests distributed over buckets by weighted round-robin)

Client-Server Mapping

Mapping based on
        round-robin
        location
        server load

(Figure: clients mapped through the Internet to servers)

Client-Server Mapping

(Figure: clients are mapped to buckets, and buckets to servers; at any time some buckets and servers are active and the rest are idle)

Service Access Protocol

   On first access, clients obtain tokens
        mapped buckets
        mapped servers
   Tokens
        not for authentication
        different from tickets in reservation systems




Dodging

(Figure: the same client-bucket-server mapping; dodging changes over time which buckets and servers are active and which are idle)

Physical vs. Logical Dodging

   Dodging
        physical (bucket-server)
        logical (client-bucket)
   Logical Dodging not enough
        attackers may bypass the logical layer and attack physical servers directly

Attack Types

(Figure: attack types classified by request rate (high vs. normal) and compliance (compliant vs. non-compliant); detection is placed at high-rate compliant attacks and mitigation at normal-rate compliant attacks)

Mitigation

(Figure: the client-bucket-server mapping, with the active buckets and active servers highlighted)

Dodging to Escape

   Dodging dilutes attack “fire-power” over many attack targets
   Dodging creates opportunity time-windows
        idle servers switching to active
        empty queues
        opportunity to service legitimate connections

Opportunity Time-Windows

(Figure omitted)

FreeBSD Prototype

   File transfer service
   Periodically (e.g., every minute)
        clients switch server
        drop current connections and establish new ones with an active server
        resume the transfer
        idle servers close their connections
   We compared our scheme to replication
        requests load-balanced over all servers

Service-level DoS Attack

   Attackers flood all servers with requests
   Follow Attack
        attack the active servers with a delay




Experiment Topology

(Figure: experiment topology with 2 Mb/s links)

All machines run FreeBSD with Dummynet [Rizzo] for bandwidth control.

Follow Attack (attack load of 400%)

(Figure: average response time (seconds, 0 to 250) vs. follow delay (0 to 60 seconds) for replication with attack and for roaming with follow attack. Replication: attack requests spread over 2 servers.)

Even with follow attacks, roaming decreases response times.

Roaming Overhead (no attack, 2 servers)

(Figure: average response time (seconds, 0 to 8) for roaming vs. replication at 50% client load)

Roaming incurs about a 14% increase in average response time (50% client load).

Primary-Effect-based Detection (PED) (1/3)

Current detection approaches are based on the attack mechanism or on secondary effects:
        anomaly
        misuse
        specification

Primary-Effect-based Detection (PED) (2/3)

PED is based on the primary attack effect:
        waiting time > maximum
        aggregate request rate > server capacity
        access to idle server or bucket

Primary-Effect-based Detection (PED) (3/3)

Given:
  an attack-detection function Δ(ρ, τ)
        indicates whether resource ρ is under attack during time interval τ

Required: detect the attackers among service users

Attack-Mechanism Independence

   Service-level attack mechanisms are hard to detect in general
        high request rate
        expensive requests
             images
             heavy queries
        hard to detect from packet headers and content

               PED is independent of the attack mechanism

Honeypots [Spitzner][Provos]

   Honeypots are:
        decoy resources to trap attackers
        useful in detecting worm-infected hosts
   However, honeypots are
        at fixed locations
        separate from real servers

                DoS Attackers can evade honeypots



Roaming Honeypots

In roaming honeypots, the locations of
honeypots are:
        continuously changing
        unpredictable to non-compliant attackers
        disguised within servers




Attack-detection function (Δ)

When an idle server (or idle bucket) is accessed:
 Δ(ρ, τ) = ATTACK

Compliant Clients


    How to make compliant clients distinguish
    between active servers and designated
    honeypots?




Compliant Clients (contd.)

   Time is divided into epochs
   Keys from a one-way hash chain determine:
        active servers during each epoch
        length of each epoch
   ns: total number of servers
   ks: number of active servers during each epoch

Compliant Clients (contd.)

Example: ns = 4, ks = 3

(Figure: hash chain K1, K2, ..., Ki, ..., Kn-2, Kn-1, Kn. A random key Kn is generated and the next key is computed using a one-way hash function. Each key determines the epoch length and the active-server combination for its epoch, one of the 4 combinations of 3 active servers: 1,2,3; 1,2,4; 1,3,4; 2,3,4)

Compliant Clients (contd.)

   Servers know Kn
   Each client is assigned a (potentially) different key Ki, depending on its “trust level” for example
   Client keys are updated periodically

(Figure: hash chain K1, K2, K3, K4, ..., Kn-2, Kn-1, Kn; servers hold Kn, each client holds its own Ki)

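The epoch-key mechanism of the three Compliant Clients slides, worked through as an added example (this is not the proposal's own code). The slides say that the chain keys determine the active servers and the epoch length but not how; the rules used here (combination index and epoch length taken from key bytes, a 10 to 60 second epoch range), the choice of SHA-256 as the one-way hash, and the reading that a client holding Ki is trusted for epochs 1 to i are assumptions of this example. The servers generate Kn and derive the whole chain; a client can only hash forward from its Ki, so it cannot learn the active set of any epoch beyond i.

```python
"""Roaming honeypots: epoch keys from a one-way hash chain.

Added example, not the proposal's own code. Assumptions (see lead-in):
SHA-256 as the one-way hash, active set and epoch length derived from key
bytes, epoch length in [10, 60] s, client with K_i covers epochs 1..i.
"""
import hashlib
import hmac
import os
from itertools import combinations


def build_hash_chain(n, seed=None):
    """Return [K_1, ..., K_n]. K_n is random (or `seed`), K_i = H(K_{i+1})."""
    k_n = seed if seed is not None else os.urandom(32)
    chain = [k_n]
    for _ in range(n - 1):
        chain.append(hashlib.sha256(chain[-1]).digest())
    chain.reverse()            # chain[0] is K_1, chain[-1] is K_n
    return chain


def active_set(key, ns, ks):
    """Assumed rule: the key picks one of the C(ns, ks) active-server sets."""
    combos = list(combinations(range(1, ns + 1), ks))
    return set(combos[int.from_bytes(key[:4], "big") % len(combos)])


def epoch_length(key, min_s=10, max_s=60):
    """Assumed rule: the epoch length (seconds) is also drawn from the key."""
    return min_s + int.from_bytes(key[4:8], "big") % (max_s - min_s + 1)


def schedule(keys, ns, ks):
    """(start, end, active servers) for consecutive epochs; epoch e uses K_e."""
    t, out = 0, []
    for key in keys:
        length = epoch_length(key)
        out.append((t, t + length, active_set(key, ns, ks)))
        t += length
    return out


def client_keys_from(k_i, i):
    """A client holding K_i hashes forward to K_1; it cannot derive K_{i+1}."""
    keys = [k_i]
    for _ in range(i - 1):
        keys.append(hashlib.sha256(keys[-1]).digest())
    keys.reverse()
    return keys                # [K_1, ..., K_i]


def verify_client_key(k_i, i, k_1):
    """Server-side check of a presented key: H^(i-1)(K_i) must equal K_1."""
    k = k_i
    for _ in range(i - 1):
        k = hashlib.sha256(k).digest()
    return hmac.compare_digest(k, k_1)


def active_at(sched, t):
    """Active-server set at time t, or None once the schedule is exhausted."""
    for start, end, active in sched:
        if start <= t < end:
            return active
    return None


def delta(server, active):
    """Attack-detection function: an access to an idle server is an ATTACK."""
    return "ATTACK" if server not in active else "OK"


if __name__ == "__main__":
    # Servers generate K_n and derive the chain; ns = 4, ks = 3 as on the slide.
    chain = build_hash_chain(n=6, seed=bytes(32))   # fixed seed: repeatable run
    sched = schedule(chain, ns=4, ks=3)
    for start, end, active in sched:
        print(f"[{start:4d}, {end:4d}) active servers {sorted(active)}")
    # A client trusted for three epochs receives K_3 and sees only epochs 1..3.
    assert schedule(client_keys_from(chain[2], 3), ns=4, ks=3) == sched[:3]
    idle = ({1, 2, 3, 4} - sched[0][2]).pop()
    print("access to idle server", idle, "->", delta(idle, sched[0][2]))
```

Because the chain is one-way, a server can validate any presented Ki against the chain end without trusting the client, and a client's knowledge of the honeypot locations expires with its key; the servers decide how far ahead each client may see by choosing i.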
Connection Migration


    How to migrate active compliant connections
    from servers switching to idle?




Connection Migration (contd.)

Clients keep state and send it to the new server
to resume connection (if possible)




NS-2 Simulation

(Figure: simulated topology with 1 Mb/s and 10 Mb/s links)

Service-level DoS

Fixed-target attackers attack a subset of the servers continuously.

Compared Schemes

We compared three schemes:
        Roaming Honeypots
        Server Roaming
        Replication




Time Series

(Figure omitted)

Effect of Attack Load

(Figure: average client response time (seconds, 0 to 140) vs. attack load (48%, 60%, 80%, 100%) at 80% client load; roaming honeypots (once every 10 seconds) compared with replication)

With roaming honeypots, the service exhibits a stable average response time even in the presence of attacks with increasing intensity.

Effect of Roaming Interval (Epoch Length)

(Figure omitted)

One-to-one Mapping

   Unique bucket per client
   Detection Algorithm
        a bucket is attacked if request rate > normal
        clients assigned to attacked buckets are identified
         as attackers
   Analysis
        high memory overhead
        FP = FN = 0


PED Problem

Given Δ(ρ, τ), design a client-bucket mapping
function that
        minimizes number of buckets
        keeps false positive rate and false negative rate
         below given thresholds




Attack-detection function (Δ)

When the aggregate request rate > bucket capacity:
 Δ(ρ, τ) = ATTACK

Group Testing

First used in WWII to identify all defective
elements within a population (blood testing)
        minimum number of tests for zero false positives
        each test applied to a group of samples
        many-to-many mapping




Group Testing (contd.)

Non-adaptive group-testing based on a matrix
that determines member assignments to tests




Group-Testing Matrix

Rows are buckets 1 to 7, columns are clients 1 to 10; the last column is "Bucket attacked?".

             Clients
             1 2 3 4 5 6 7 8 9 10   Attacked?
Bucket 1     0 1 0 0 0 0 1 0 0 0        1
Bucket 2     1 0 1 0 0 0 0 0 0 0        0
Bucket 3     0 0 0 1 0 1 0 0 0 0        1
Bucket 4     1 0 0 0 1 0 0 0 0 0        0
Bucket 5     0 0 1 0 0 1 0 1 0 0        1
Bucket 6     0 0 0 1 0 0 0 0 0 1        0
Bucket 7     0 0 0 0 0 0 1 0 0 0        0

(Figure: the buckets are served by weighted round-robin)

Randomized Matrix Construction

Each bit in the matrix is set to 1 with probability

    p = 1 / (d + 1)

    d is an estimate of the number of attackers

Detection Algorithm

   A bucket is attacked if request rate > normal
   Exclude negative (non-attacker) clients.
   A client is excluded if it is assigned to a non-
    attacked bucket




Theoretical Results

   False negative probability = 0
   False positive probability

        FP ≤ (1 − p(1 − p)^{d+1})^{T}

    T is # buckets

# Buckets = O(# Attackers)

(Figure omitted)

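The Live Baiting slides from Group Testing through Theoretical Results, worked through as an added example (this is not the proposal's own code). It runs the detection algorithm on the 7x10 matrix from the Group-Testing Matrix slide, with buckets 1, 3 and 5 attacked, and then builds a randomized matrix with p = 1/(d+1) and checks one simulated round against the FN = 0 result and the FP bound. The per-client request rates, the bucket capacity used for Δ, the attacker set, and the choice of 200 clients, 60 buckets and an estimate d = 6 for 4 actual attackers are constructed for this example.

```python
"""Live Baiting: PED detection by non-adaptive group testing.

Added example, not the proposal's own code. SLIDE_MATRIX and SLIDE_ATTACKED
are copied from the Group-Testing Matrix slide; the traffic model in
simulate() (rates, capacity, attacker set) is constructed here.
"""
import random

# Matrix from the slide: row i = bucket i, column j = client j (1-based).
SLIDE_MATRIX = [
    "0100001000",
    "1010000000",
    "0001010000",
    "1000100000",
    "0010010100",
    "0001000001",
    "0000001000",
]
SLIDE_ATTACKED = [1, 0, 1, 0, 1, 0, 0]   # "Bucket attacked?" column


def parse_matrix(rows):
    """Bit-string rows -> list of member sets (client ids) per bucket."""
    return [{j + 1 for j, bit in enumerate(row) if bit == "1"} for row in rows]


def detect(buckets, attacked, clients):
    """Detection algorithm: a client in any non-attacked bucket is a negative;
    every client that is never excluded is reported as an attacker."""
    suspects = set(clients)
    for members, hit in zip(buckets, attacked):
        if not hit:
            suspects -= members
    return suspects


def random_matrix(n_clients, n_buckets, d, rng):
    """Randomized construction: each bit is 1 with probability p = 1/(d+1),
    d being the estimate of the number of attackers."""
    p = 1.0 / (d + 1)
    return [{c for c in range(1, n_clients + 1) if rng.random() < p}
            for _ in range(n_buckets)]


def attacked_buckets(buckets, rates, capacity):
    """Δ(ρ, τ) per bucket: ATTACK when the aggregate request rate > capacity."""
    return [sum(rates[c] for c in members) > capacity for members in buckets]


def fp_bound(p, d, T):
    """False-positive bound from the Theoretical Results slide (FN is 0)."""
    return (1 - p * (1 - p) ** (d + 1)) ** T


def simulate(n_clients, n_buckets, attackers, d, seed=0,
             normal_rate=1.0, attack_rate=1000.0, capacity=120.0):
    """One detection round on constructed traffic: each legitimate client
    sends normal_rate requests/s, each attacker sends attack_rate."""
    rng = random.Random(seed)
    clients = range(1, n_clients + 1)
    attackers = set(attackers)
    buckets = random_matrix(n_clients, n_buckets, d, rng)
    rates = {c: attack_rate if c in attackers else normal_rate for c in clients}
    detected = detect(buckets, attacked_buckets(buckets, rates, capacity), clients)
    return {
        "detected": detected,
        "false_negatives": len(attackers - detected),
        "fp_rate": len(detected - attackers) / (n_clients - len(attackers)),
        "fp_bound": fp_bound(1.0 / (d + 1), d, n_buckets),
    }


if __name__ == "__main__":
    # Worked slide example: buckets 1, 3 and 5 are attacked.
    print("slide matrix suspects:",
          sorted(detect(parse_matrix(SLIDE_MATRIX), SLIDE_ATTACKED, range(1, 11))))
    # 200 clients, 4 real attackers, estimate d = 6, T = 60 buckets.
    r = simulate(200, 60, {3, 50, 120, 199}, d=6, seed=7)
    print(f"FN={r['false_negatives']}  FP rate={r['fp_rate']:.4f}  bound={r['fp_bound']:.4f}")
```

On the slide's matrix the non-attacked buckets 2, 4, 6 and 7 clear clients 1, 3, 4, 5, 7 and 10, leaving 2, 6, 8 and 9 as suspects; an attacker can never be cleared, because every bucket it belongs to exceeds the capacity, which is why FN = 0, while a legitimate client such as 9 that lands in no cleared bucket is a false positive. The randomized construction keeps the number of buckets tied to the attacker estimate d rather than to the number of clients.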
State-of-the-art

                 Prevention                   Detection/Recovery           Mitigation
Network-level    Network-level puzzles        PacketScore; RED-PD;         Replication;
                                              Heavy-hitter detection;      Overlay-based
                                              DCAP; Pushback; MOVE;
                                              Capabilities; IP Hopping
Service-level    Application-level puzzles;   DDoS Shield;                 Replication;
                 Reservation-based schemes    Shadow Honeypots;            Dodging:
                                              Kill-Bots;                   opportunity
                                              Dodging: O(# attackers)      time-windows
                                              instead of O(# clients)

Outline

   Denial-of-Service Attack
   Dodging
   Preliminary Work
        Server Roaming
        Roaming Honeypots
        Live Baiting
   Proposed Work
   Conclusions

Attack Types

[Figure: attack types on two axes, Rate (Normal, High) against Compliance (Non-Compliant, Compliant); high-rate attacks fall under Detection, normal-rate attacks under Mitigation]

Dodging DoS Attacks

   Dodging to Escape (Server Roaming)
   Dodging to Bait (Primary-Effect-based Detection (PED))
        Camouflaged Baiting (Roaming Honeypots)
        Live Baiting

Proposed Work 1

   Design the live baiting algorithm in detail
        at servers
        at clients
   Study false positive and false negative
    probabilities, detection time, and overhead
        analytically
        using NS-2 simulations
        using implementation in Apache webserver


Proposed Work 2

Adapting to # Attackers:
   investigate techniques to detect and adapt to a
   number of attackers different from the estimate d




Over-estimating # Attackers




Under-estimating # Attackers




Adapting to # Attackers

# Attackers estimated from # Attacked Buckets:

$$\#\text{attackers} = \frac{\log\left(1 - \frac{B_{attacked}}{T}\right)}{\log\left(1 - \frac{1}{d+1}\right)}, \quad B_{attacked} < T$$

    B_attacked is the observed number of attacked buckets

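The estimator on the slide above, as an added Python example that is not the proposal's own code, checked against a randomly constructed matrix. It assumes (inferred from the compliant-mitigation backup slide, where Pr{# attack = 0} = (1 - 1/(d+1))^d) that each client joins each bucket independently with probability 1/(d+1), d being the attacker count the matrix was designed for; the trial also reports the fraction of un-attacked buckets, which that slide puts at about 1/e.

```python
# Added example (not the proposal's own code): estimate the number of attackers
# from the number of attacked buckets, then check the estimator on a randomly
# constructed matrix. Assumption (inferred from the compliant-mitigation backup
# slide): each client is placed in each bucket independently with probability
# 1/(d+1), where d is the attacker count the matrix was designed for.
import math
import random


def estimate_attackers(b_attacked, T, d):
    """Invert B_attacked/T = 1 - (1 - 1/(d+1))^a for a, the slide's formula.
    Needs B_attacked < T: when every bucket is attacked the estimate is
    unbounded, i.e. d was under-estimated and the matrix must be rebuilt."""
    if b_attacked >= T:
        return math.inf
    return math.log(1 - b_attacked / T) / math.log(1 - 1 / (d + 1))


def random_matrix(T, n_clients, d, rng):
    """T buckets; each client joins each bucket with probability 1/(d+1)."""
    p = 1 / (d + 1)
    return [{c for c in range(n_clients) if rng.random() < p} for _ in range(T)]


def count_attacked(matrix, attackers):
    """Buckets that hold at least one attacker (non-stealthy attack model)."""
    return sum(1 for bucket in matrix if bucket & attackers)


def trial(T, n_clients, d, actual_attackers, seed=0):
    """Build a matrix for d attackers, attack with `actual_attackers` clients,
    and return (estimated attackers, fraction of un-attacked buckets)."""
    rng = random.Random(seed)
    matrix = random_matrix(T, n_clients, d, rng)
    attackers = set(rng.sample(range(n_clients), actual_attackers))
    b = count_attacked(matrix, attackers)
    return estimate_attackers(b, T, d), 1 - b / T


if __name__ == "__main__":
    # Slide values: 3 of 7 buckets attacked with d = 2 gives about 1.38.
    print(round(estimate_attackers(3, 7, 2), 2))
    # Matrix sized for d = 20: with 20 real attackers the estimate is close to
    # 20 and about 1/e of the buckets stay un-attacked; with only 5 real
    # attackers (over-estimated d) the estimate drops to about 5.
    for actual in (20, 5):
        est, clean = trial(5000, 200, 20, actual, seed=actual)
        print(actual, round(est, 1), round(clean, 3))
```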
Proposed Work 3

Investigate the effect of
        ``bursty’’ request arrivals
        non-uniform service time
using NS-2 simulations based on real Web
traces




Proposed Work 4

Investigate other matrix construction algorithms
(e.g., LDPC) that yield a more ``compact'' matrix than
the randomly constructed matrix




Proposed Work 5

   Detect a more stealthy attack model
        attackers leave some assigned buckets un-
         attacked so that they get cleared by the detection
         algorithm
   Adjust the detection algorithm accordingly




Dodging DoS Attacks

   Dodging to Escape (Server Roaming)
   Dodging to Bait (Primary-Effect-based Detection (PED))
        Camouflaged Baiting (Roaming Honeypots)
        Live Baiting

Proposed Work 6

Mitigate attacks from compliant attackers by
creating opportunity time windows




Compliant-Attack Mitigation

[Figure: Virtual Servers (Buckets) hosted on one Physical Server]

Conclusions

   Main contributions:
        Dodging
        Primary-Effect-based Detection (PED)
        Opportunity-window Mitigation
        Adaptivity to attack parameters
   Future Work
        dodging in other networks (e.g., sensor nets)
        privacy-preserving DoS defense

[Figure: Dodging DoS Attacks taxonomy: Dodging to Escape (Server Roaming); Dodging to Bait (Primary-Effect-based Detection (PED)) with Camouflaged Baiting (Roaming Honeypots) and Live Baiting]

Acknowledgements

The NetSec project
  (http://www.cs.pitt.edu/netsec)
  Chatree Sangpachatanaruk performed the
    simulation study of Roaming Honeypots




Publications
   Roaming Honeypots
        Sherif M. Khattab, Chatree Sangpachatanaruk, Daniel Mossé, Rami Melhem, and Taieb Znati, ``Roaming Honeypots for Mitigating Service-level Denial-of-Service Attacks'', in Proceedings of the 24th International Conference on Distributed Computing Systems (ICDCS'04), March 2004.
        Sherif M. Khattab, Chatree Sangpachatanaruk, Rami Melhem, Daniel Mossé, and Taieb Znati, ``Proactive Server Roaming for Mitigating Denial-of-Service Attacks'', in Proceedings of the 1st International Conference on Information Technology: Research and Education (ITRE'03), August 2003.
   Server Roaming
        C. Sangpachatanaruk, S. M. Khattab, T. Znati, R. Melhem, and D. Mossé, ``A Simulation Study of the Proactive Server Roaming for Mitigating Denial of Service Attacks'', in Proceedings of the 36th Annual Simulation Symposium (ANSS'03), March 2003.
        C. Sangpachatanaruk, S. M. Khattab, T. Znati, R. Melhem, and D. Mossé, ``Design and Analysis of a Replicated Elusive Server Scheme for Mitigating Denial of Service Attacks'', in Journal of Systems and Software, Vol. 73(1), pp. 15-29, September 2004, Elsevier. (Extended version of the ANSS'03 paper.)

Thank You!



             Questions?




   Backup Slides




Main Assumption

Unique, un-spoofable user identifier
    (dealing with proxy servers is an open problem)


[Figure: clients reaching the server through a Proxy Server]

Compliant Mitigation

$$\Pr\{\#\text{attack} = 0\} = \left(1 - \frac{1}{d+1}\right)^{d} \approx \frac{1}{e} \approx 0.37$$

$$\Pr\{\#\text{attack} = 1\} = d \cdot \frac{1}{d+1} \left(1 - \frac{1}{d+1}\right)^{d-1} \approx \frac{1}{e} \approx 0.37$$

$$\Pr\{\#\text{attack} > 1\} = 1 - 0.37 - 0.37 = 0.26$$

DoS Attacks

   DoS attacks aim at throttling legitimate
    utilization of network and/or server resources
    through [Millen92]:
        resource destruction (e.g., Teardrop)
        resource exhaustion (e.g., SYN attack)




Resource Exhaustion DoS
   Resource exhaustion DoS attacks:
        vulnerability exploitation (e.g., SYN attack)
        brute-force flooding
            Network-level (e.g., UDP floods)
            Service-level (similar to flash crowds)




Service-level DoS
   A large number of attack hosts request
    service from the victim server at a high rate.
    For instance,
        download files from an FTP server, or
        get web pages from a WWW server




Front-ends




   Front-ends form a tree with the back-ends as its
    logical root.

Front-ends (contd.)

   Tree level of each front-end depends on its
    attack tolerance
   Front-ends run the Chord [Stoica et al] lookup
    service
   To join the network (or reconfigure), a front-
    end performs:
        Parent registration
        Address registration


[Figure: network diagram with an Attacker sending Attack Traffic and a Web Client sending Client Traffic across The Internet to Web Mirror Sites; the Web Server sits behind a Firewall and a Bottleneck Router and forwards Requests to the back-end Server]

Packet Filtering

   Firewall with a white-list: Not Scalable (grows with number of users)

Packet Filtering

   Firewall with a black-list: More Scalable (# attackers << # users)


								