
Kill-Bots: Surviving Organized DDoS Attacks That Mimic Flash Crowds

Srikanth Kandula, Dina Katabi, Matthias Jacob and Arthur Berger

Based on Srikanth Kandula's presentation

Boris Korenfeld
korenf@post.tau.ac.il
CyberSlam

20,000+ zombies issue requests that mimic legitimate browsing against www.foo.com, e.g.
  GET File.zip
  DO DBQuery

Requests look legitimate, so standard filters don't help.
CyberSlam Attacks Happen!

Instances of CyberSlam
  • First FBI DDoS case: hired professionals hit a competitor
  • Mafia extorts online gaming sites ...
  • Code Red worm

Why CyberSlam?
  • Avoids detection by NIDS and firewalls
  • High pay-off by targeting expensive resources, e.g. CPU, DB, disk, processes, sockets
  • Large botnets are available
Tentative Solutions

  Filter big resource consumers?   No big consumers; commodity OSes do not support
                                   fine-grained resource accounting
  Passwords?                       Might not exist; expensive to check
  Computational puzzles?           Computation is abundant in a botnet
Kill-Bots is a kernel extension for web servers

Two states with hysteresis:
  • Normal: no overhead.
  • Suspected Attack: entered when LOAD > L1, left when LOAD < L2 (with L2 < L1).
    New clients are authenticated once and given an HTTP cookie. A reverse Turing
    test (e.g. CAPTCHAs) distinguishes humans from zombies.
But...

3 Problems with CAPTCHA Authentication
  (1) DDoS the authentication mechanism itself
  (2) Bias against users who can't or won't answer CAPTCHAs (e.g. a user who cannot see the image)
  (3) How to divide resources between service and authentication so as to maximize system goodput?
Problem 1: Authentication is vulnerable to DDoS

Standard network stack (client <-> server):
  client: SYN
  server: SYNACK (carrying a SYN cookie)
  client: SYNACKACK      -> server checks the cookie, creates a socket, reserves buffers
  client: HTTP request   -> causes a context switch and buffer copies
  server: send CAPTCHA
  client: TCP FIN
Resources stay reserved until the client sends a FIN, but zombies don't FIN.
Problem 1: Authentication is vulnerable to DDoS
Solution: Modify the network stack to issue CAPTCHAs without state

Kill-Bots modified network stack (client <-> Kill-Bots server):
  client: SYN
  server: SYNACK (carrying a SYN cookie)
  client: SYNACKACK      -> dropped: no socket is created
  client: HTTP request   -> server checks the SYN cookie and sends the CAPTCHA without a socket!
  server: send CAPTCHA
  client: TCP FIN
  • Stateless and cheap
  • Keeps congestion control semantics
  • No browser modifications
Kill-Bots Token
  • When the Kill-Bots server issues a puzzle, it creates a token.
  • The browser reports the answer to the server along with the Kill-Bots token.
  • The server verifies the token by recomputing the hash.
  • The server checks the token to ensure it was created no longer than 4 minutes ago.
  • The server checks whether the answer to the puzzle is correct.
  • If all checks succeed, the server creates a Kill-Bots HTTP cookie and gives it to the user.
  • The cookie allows the user to re-enter the system for 30 minutes.
  • Each correctly answered graphical test allows the client to execute a maximum of 8 simultaneous HTTP requests.
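The token, cookie and per-cookie connection cap from this slide, together with the stateless issuance of Problem 1, as an added Python example. This is not Kill-Bots' own code (which is a kernel extension) and the slides do not give its token format, so the following are assumptions: the token is an HMAC over client IP, puzzle id and issue time under a server-side key; the cookie is derived deterministically from the token so that the same token always yields the same cookie; the puzzle set, key and IP addresses are constructed.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed parameters. The key and the exact token layout are assumptions;
# the slides only say the server verifies a token by recomputing its hash.
SERVER_KEY = b"constructed-example-key-rotate-in-production"
TOKEN_LIFETIME = 4 * 60     # a puzzle answer is accepted for 4 minutes
COOKIE_LIFETIME = 30 * 60   # a cookie re-admits its holder for 30 minutes
MAX_SIMULTANEOUS = 8        # at most 8 concurrent HTTP requests per cookie

# Constructed puzzle set: puzzle id -> expected answer. A deployment would hold
# a large set of graphical puzzles and replace it periodically.
PUZZLES = {17: "x7k2m", 42: "qp9zd"}


def _mac(label: bytes, body: str) -> str:
    return hmac.new(SERVER_KEY, label + b"|" + body.encode(), hashlib.sha256).hexdigest()


def issue_token(client_ip: str, puzzle_id: int, now: float) -> str:
    """Token sent along with the CAPTCHA. The server stores nothing: the IP,
    puzzle id and issue time ride in the token, bound together by a keyed hash."""
    body = f"{client_ip}|{puzzle_id}|{int(now)}"
    return f"{body}|{_mac(b'token', body)}"


def verify_answer(token: str, answer: str, client_ip: str, now: float):
    """Run the checks from the slide; return a cookie, or None on any failure."""
    try:
        ip, puzzle_id, ts, tag = token.split("|")
        ts = int(ts)
        puzzle_id = int(puzzle_id)
    except ValueError:
        return None
    # 1. recompute the hash and compare in constant time
    if not hmac.compare_digest(tag, _mac(b"token", f"{ip}|{puzzle_id}|{ts}")):
        return None
    # (assumption) the token is bound to the IP it was issued to
    if ip != client_ip:
        return None
    # 2. created no longer than 4 minutes ago
    if now < ts or now - ts > TOKEN_LIFETIME:
        return None
    # 3. the puzzle answer is correct
    expected = PUZZLES.get(puzzle_id)
    if expected is None or not hmac.compare_digest(answer.encode(), expected.encode()):
        return None
    # 4. all checks passed: issue the HTTP cookie
    return make_cookie(token, ts)


def make_cookie(token: str, token_ts: int) -> str:
    """Derived deterministically from the token, so replaying the answer packet
    yields the same cookie rather than many. Expiry is fixed relative to the
    puzzle's issue time, so a cookie replayed outside its interval is rejected."""
    expires = token_ts + COOKIE_LIFETIME
    body = f"{expires}|{_mac(b'cookie-id', token)[:32]}"
    return f"{body}|{_mac(b'cookie', body)}"


def cookie_valid(cookie: str, now: float) -> bool:
    try:
        expires, cookie_id, tag = cookie.split("|")
        expires = int(expires)
    except ValueError:
        return False
    if not hmac.compare_digest(tag, _mac(b"cookie", f"{expires}|{cookie_id}")):
        return False
    return now <= expires


class ConnectionLimiter:
    """Per-cookie cap on simultaneous requests. A cookie copied to many zombies
    still buys only MAX_SIMULTANEOUS requests in flight at once."""

    def __init__(self, limit: int = MAX_SIMULTANEOUS):
        self.limit = limit
        self.active = defaultdict(int)

    def acquire(self, cookie: str, now: float) -> bool:
        if not cookie_valid(cookie, now) or self.active[cookie] >= self.limit:
            return False
        self.active[cookie] += 1
        return True

    def release(self, cookie: str) -> None:
        if self.active[cookie] > 0:
            self.active[cookie] -= 1
```

The only state the server keeps is the in-flight counter per cookie, and that exists only for clients who have already proved they are human; everything about an unauthenticated client lives in the token it carries, which is what lets the CAPTCHA be served without a socket. Note that `compare_digest` must be used for both the token tag and the answer so that a zombie cannot time its way to a valid response.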
Problem 2: Legitimate users who don't answer CAPTCHAs
Solution: Use the reaction to the CAPTCHA

  Humans:  (1) answer the CAPTCHA, or (2) reload; if it doesn't work, give up
  Zombies: can't answer the CAPTCHA, but have to keep bombarding the server with requests

  • Count the unanswered CAPTCHAs per IP and drop the IP once the count exceeds T.
    Cheap with a counting Bloom filter: increase the counter when a CAPTCHA is given,
    decrease it on a correct answer.
Stage 1: CAPTCHA authentication. Learn the IP addresses of zombies with the Bloom filter,
         until the filter has learned all zombie IPs.
Stage 2: Use only the Bloom filter for authentication. No CAPTCHAs.

Users who don't answer CAPTCHAs can access the server despite the attack in Stage 2.
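The per-IP count of unanswered CAPTCHAs kept in a counting Bloom filter, with the Stage 1 / Stage 2 admission decision, as an added Python example; this is not the Kill-Bots implementation. The filter size, the hash construction (k positions carved from one BLAKE2b digest), the counter width and the threshold T are constructed choices that the slides do not fix.

```python
import hashlib


class CountingBloom:
    """Counting Bloom filter over client IPs: m small counters, k positions per
    IP. Memory is fixed no matter how many IPs the botnet uses, and an IP's
    count is recovered as the minimum over its k counters (a collision with
    another IP can only inflate a count, never deflate it). Sizes are constructed."""

    def __init__(self, m: int = 1 << 16, k: int = 4, cap: int = 255):
        self.m, self.k, self.cap = m, k, cap
        self.counters = bytearray(m)   # 8-bit saturating counters

    def _slots(self, ip: str):
        # k positions carved from one BLAKE2b digest, 4 bytes each
        digest = hashlib.blake2b(ip.encode(), digest_size=4 * self.k).digest()
        return [int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.m
                for i in range(self.k)]

    def increase(self, ip: str) -> None:
        """A CAPTCHA was served to this IP and is, so far, unanswered."""
        for s in self._slots(ip):
            if self.counters[s] < self.cap:
                self.counters[s] += 1

    def decrease(self, ip: str) -> None:
        """This IP answered a CAPTCHA correctly."""
        for s in self._slots(ip):
            if self.counters[s] > 0:
                self.counters[s] -= 1

    def count(self, ip: str) -> int:
        return min(self.counters[s] for s in self._slots(ip))


def admit(bloom: CountingBloom, ip: str, stage: int, threshold: int) -> str:
    """Decision for a new (cookie-less) arrival.
    Stage 1: serve a CAPTCHA (and count it) unless the IP already has more than
             `threshold` unanswered CAPTCHAs.
    Stage 2: no CAPTCHAs at all; admit or drop on the learned counts alone."""
    if bloom.count(ip) > threshold:
        return "drop"
    if stage == 1:
        bloom.increase(ip)
        return "captcha"
    return "serve"


def on_correct_answer(bloom: CountingBloom, ip: str) -> None:
    bloom.decrease(ip)
```

Two caveats a deployment has to live with: the count is per IP, so many users behind one NAT share one counter and can be dropped together with a zombie on the same address; and because the filter is approximate, an IP whose k positions all collide with heavily loaded ones reads high even though it never saw a CAPTCHA. The minimum-over-positions rule and a large m keep that false-positive rate small but not zero.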
Problem 3: To Authenticate or To Serve?
  • Authenticate all new arrivals: can't serve all authenticated clients
  • Authenticate very few arrivals: too few legitimate users are authenticated

Solution:
  • Authenticate each new client with some probability (drop the others)

But what authentication probability maximizes goodput?

Analysis
  Modeled the system using queuing theory.
  Found the optimal authentication probability (proof in paper).
  But the optimum depends on many unknown parameters:
  • attack rate
  • mean service time
  • mean session size
  • legitimate request rate, etc.

Solution to Problem 3:
Kill-Bots adapts the authentication probability by measuring the fraction of time the CPU is idle.
(The adaptation rule shown on the slide was lost in extraction; only the constants 1/8, 1/8, 1/4, 1/4 survived.)
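The idle-driven adaptation of the authentication probability, as an added Python simulation. It is not the paper's controller or its queuing analysis: the control rule, its constants, and the load model (a per-arrival authentication cost and a per-request service cost) are assumptions made for illustration. What it shows is why authenticating every new arrival fails under both a DDoS and a flash crowd, and how a controller that observes only the CPU idle fraction backs the probability off to a value the server can actually serve.

```python
def cpu_demand(alpha, legit_rate, attack_rate, auth_cost, serve_cost, session_len):
    """Fraction of the CPU the offered load would consume in one control interval.
    Every new arrival admitted to authentication (probability alpha) costs
    auth_cost seconds of CPU; only legitimate arrivals pass and then cost
    serve_cost per request for a session of session_len requests."""
    auth = alpha * (legit_rate + attack_rate) * auth_cost
    serve = alpha * legit_rate * session_len * serve_cost
    return auth + serve


def adapt_alpha(alpha, idle, k_up=1 / 8, k_down=1 / 16, alpha_min=0.01):
    """One control step driven only by the measured idle fraction.
    Illustrative rule (form and constants are assumptions, not the paper's):
    grow alpha in proportion to idle CPU, shrink it multiplicatively when the
    CPU is saturated (idle == 0)."""
    if idle > 0:
        return min(1.0, alpha * (1 + k_up * idle))
    return max(alpha_min, alpha * (1 - k_down))


def simulate(alpha0, steps, **load):
    """Return a list of (alpha, demand, idle) per interval under a constant load."""
    alpha, trace = alpha0, []
    for _ in range(steps):
        demand = cpu_demand(alpha, **load)
        idle = max(0.0, 1.0 - demand)
        trace.append((alpha, demand, idle))
        alpha = adapt_alpha(alpha, idle)
    return trace


# Constructed loads; every number here is an assumption for illustration.
DDOS = dict(legit_rate=50, attack_rate=40_000, auth_cost=20e-6,
            serve_cost=2e-3, session_len=10)
FLASH_CROWD = dict(legit_rate=300, attack_rate=0, auth_cost=20e-6,
                   serve_cost=2e-3, session_len=10)

if __name__ == "__main__":
    for name, load in (("DDoS", DDOS), ("flash crowd", FLASH_CROWD)):
        alpha, demand, idle = simulate(1.0, 200, **load)[-1]
        print(f"{name}: authenticating everyone would need "
              f"{cpu_demand(1.0, **load):.2f} of the CPU; "
              f"adaptive alpha settles at {alpha:.3f} (demand {demand:.3f})")
```

Under the constructed DDoS load, authenticating everyone would need about 1.8 CPUs' worth of work, so the server thrashes; the controller cuts the probability until the CPU is just below saturation and then creeps up toward full use without overshooting. Under the flash crowd the same loop, with no attacker at all, behaves as admission control and settles near the fraction of arrivals the server can serve. The increase step is proportional to idle time, so it goes to zero as the CPU fills, which is what keeps the loop from oscillating once it has found the edge.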
Variables used in the analysis
Tying it Together
Security Analysis
  • Socially-engineered attack: the attacker forces their own visitors to solve
    CAPTCHAs before granting access.
    Defense: puzzles in Kill-Bots expire 4 minutes after they have been served,
    and a cookie allows a maximum of 8 simultaneous connections.
  • Polluting the Bloom filter: the attacker tries to spoof IP addresses and
    pollute the Bloom filter.
    Defense: SYN cookies prevent IP spoofing, and Bloom filter entries are
    modified only after the SYN cookie check succeeds.
  • Breaking the CAPTCHA: automatic solving of simple CAPTCHAs.
    Defense: such programs were not publicly available at the time (a claim from
    the paper's era; simple CAPTCHAs have since been broken by public tools).
    When one type of CAPTCHA gets broken, Kill-Bots can switch to a different kind.
Security Analysis (continued)
  • Copy attacks: the attacker solves one graphical puzzle and distributes the
    cookie to many zombies.
    Defense: maximum of 8 simultaneous connections per cookie.
  • Replay attacks: the attacker replays the answer packet to obtain many
    Kill-Bots cookies.
    Defense: the same token yields the same cookie, and a session cookie replayed
    outside its time interval is rejected.
  • Database attack: the attacker collects all possible puzzles and the
    corresponding answers.
    Defense: Kill-Bots uses a large number of puzzles and periodically replaces
    them with a new set. The space of all possible graphical puzzles is huge;
    building a database, distributing it to all zombies, and ensuring they can
    search it and obtain answers within 4 minutes is very difficult.
Performance

Metrics
  • Goodput (of legitimate users)
  • Response time (of legitimate users)
  • Maximum survivable attack rate

Kill-Bots under DDoS: 5-10 times better goodput and response time
  (Plots: goodput of legitimate users (Mb/s) and response time (sec) vs. attack rate (requests/sec).)
Why Adapt the Authentication Probability?
  (Plot: goodput of legitimate users (Mb/s) vs. attack rate (requests/sec) for three
  configurations: server with adaptive authentication, server with authentication, base server.)
  Adapting the authentication probability is much better than authenticating every new user.
Orders of magnitude better Response Time
  (Plots: goodput of legitimate users (Mb/s) and response time (sec) vs. time (sec), flash crowd interval marked.)

Kill-Bots under Flash Crowd
  (Plots: authentication probability vs. time (sec) and response time (sec) vs. time (sec), flash crowd interval marked.)
  The adaptive authentication probability provides admission control.
Kill-Bots under Flash Crowd

                                          Base Server    Kill-Bots
  Number of dropped legitimate requests       360,000       80,000

  (Plot: response time (sec) vs. time (sec).)
  Kill-Bots authenticates new clients only if it can serve them...
Kill-Bots' Contributions
  • First to protect web servers from DDoS attacks that mimic legitimate browsing
  • First to deal with CAPTCHAs' bias against legitimate users who don't solve them
  • Sends the CAPTCHA and checks the answer without any server state
  • Addresses both DDoS attacks and flash crowds
  • Orders of magnitude better response time, goodput, and survivable attack rate
THANK YOU


  Boris Korenfeld
korenf@post.tau.ac.il
Homework Assignment
1.   What are the differences between Stage 1 and Stage 2 in Kill-Bots?
2.   What is the Kill-Bots modification to the network stack?
3.   What problem does the admission control solve?
4.   What are the key components of the Kill-Bots architecture? (in paper)