Surviving Organized DDoS Attacks That Mimic Flash Crowds

Srikanth Kandula, Dina Katabi, Matthias Jacob and Arthur Berger

Based on Srikanth Kandula's presentation

Presented by Boris Korenfeld
CyberSlam
• 20,000+ zombies issue requests that mimic legitimate browsing (figure: each zombie sends an expensive "DO DBQuery" request to the server)
• Requests look legitimate, so standard filters don't help
CyberSlam Attacks Happen!
Instances of CyberSlam
• First FBI DDoS case – hired professionals hit …
• Mafia extorts online gaming sites …
• Code Red worm

Why CyberSlam?
• Avoids detection by NIDS & firewalls
• High pay-off by targeting expensive resources, e.g., CPU, DB, disk, processes, sockets
• Large botnets are available
Tentative Solutions
• Filter big resource consumers? There are no big consumers, and commodity OSes do not support fine-grained resource accounting.
• Passwords? Might not exist, and are expensive to check.
• Computational puzzles? Computation is abundant in a botnet.

Kill-Bots
Kill-Bots is a kernel extension for web servers with two modes, Normal and Attack:
• Normal → Attack when LOAD > L1
• Attack → Normal when LOAD < L2 (with L2 < L1)
• Normal mode: no overhead
• Attack mode: new clients are authenticated once and given an HTTP cookie; a reverse Turing test (e.g., CAPTCHAs) distinguishes humans from zombies

3 Problems with CAPTCHA
(1) DDoS the authentication mechanism
(2) Bias against users who can't or won't answer (figure: a user who can't see the CAPTCHA)
(3) How to divide resources between service and authentication so as to maximize system goodput?
Problem 1: Authentication vulnerable to DDoS
Standard network stack (client ↔ server):
1. Client sends SYN; server replies with a SYN cookie.
2. Client completes the handshake; server checks the cookie, creates a socket and reserves buffers.
3. Client sends an HTTP request; this causes a context switch and buffer copies.
4. Server sends the CAPTCHA.
5. Resources stay reserved until the client sends a TCP FIN, but zombies don't FIN.
Problem 1: Authentication vulnerable to DDoS
Solution: Modify the network stack to issue CAPTCHAs without state
Kill-Bots modified network stack (client ↔ Kill-Bots):
1. Client sends SYN; Kill-Bots replies with a SYNACK carrying a SYN cookie.
2. Client sends the HTTP request; Kill-Bots checks the cookie and sends the CAPTCHA without a socket!
3. The connection is closed with a TCP FIN.
Properties:
• Stateless & cheap
• Keeps congestion control semantics
• No browser modifications
Kill-Bots Token
• When the Kill-Bots server issues a puzzle, it creates a Token.
• The browser reports the answer to the server along with the Kill-Bots token.
• The server verifies the token by recomputing the hash.
• The server checks the Kill-Bots token to ensure it was created no longer than 4 minutes ago.
• The server checks if the answer to the puzzle is correct.
• If all checks succeed, the server creates a Kill-Bots HTTP cookie and gives it to the user.
• The cookie allows the user to re-enter the system for 30 minutes.
• Each correctly answered graphical test allows the client to execute a maximum of 8 simultaneous HTTP requests.
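The token and cookie checks above, written out as an added example (this is not Kill-Bots' own code). The token layout, the keyed hash, the server secret and the puzzle set are assumptions; the 4-minute, 30-minute and 8-request limits are the slides' values.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = b"example-server-secret"  # assumed per-server secret behind every hash
TOKEN_LIFETIME = 4 * 60      # slides: a token is valid for 4 minutes
COOKIE_LIFETIME = 30 * 60    # slides: a cookie re-admits the user for 30 minutes
MAX_PARALLEL = 8             # slides: at most 8 simultaneous requests per cookie
PUZZLES = {"p17": "x7k2", "p42": "hq9m"}  # constructed puzzle id -> answer; a real server serves images

def _mac(*parts: str) -> str:
    """Keyed hash over the token/cookie fields; recomputed on every check."""
    return hmac.new(SERVER_SECRET, "|".join(parts).encode(), hashlib.sha256).hexdigest()[:32]

def issue_token(puzzle_id: str, now: int) -> str:
    """Sent with the puzzle; the server keeps no state (assumed layout: id:created:nonce:mac)."""
    nonce = secrets.token_hex(4)
    return f"{puzzle_id}:{now}:{nonce}:{_mac(puzzle_id, str(now), nonce)}"

def verify_answer(token: str, answer: str, now: int) -> "str | None":
    """Runs the slide's checks in order and returns a cookie, or None."""
    try:
        puzzle_id, created, nonce, mac = token.split(":")
        created_at = int(created)
    except ValueError:
        return None
    if not hmac.compare_digest(mac, _mac(puzzle_id, created, nonce)):
        return None                                  # recomputed hash differs
    if not 0 <= now - created_at <= TOKEN_LIFETIME:
        return None                                  # token older than 4 minutes
    expected = PUZZLES.get(puzzle_id)
    if expected is None or not hmac.compare_digest(answer, expected):
        return None                                  # wrong puzzle answer
    # Cookie is derived from the token fields: replaying the same answer packet yields the same cookie.
    return f"{created_at}:{nonce}:{_mac('cookie', created, nonce)}"

def admit_request(cookie: str, now: int, in_flight: dict) -> bool:
    """Stateless cookie check plus the per-cookie cap; in_flight maps cookie -> requests being served."""
    try:
        created, nonce, cmac = cookie.split(":")
    except ValueError:
        return False
    if not hmac.compare_digest(cmac, _mac("cookie", created, nonce)):
        return False
    if now > int(created) + COOKIE_LIFETIME:
        return False                                 # replayed outside its interval
    if in_flight.get(cookie, 0) >= MAX_PARALLEL:
        return False                                 # a copied cookie hits the 8-request cap
    in_flight[cookie] = in_flight.get(cookie, 0) + 1
    return True
```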
Problem 2: Legitimate users who don't answer the CAPTCHA
Solution: Use the reaction to the CAPTCHA
• Humans: (1) answer the CAPTCHA, or (2) reload; if that doesn't work, give up.
• Zombies: can't answer the CAPTCHA, but have to bombard the server with requests.
• Count the unanswered CAPTCHAs per IP, and drop the IP if the count exceeds T; cheap with a Bloom filter
  (counting Bloom filter: increase the counter when a CAPTCHA is given, decrease it on a correct answer)

Stage 1: learn the IP addresses of zombies using the Bloom filter, until the filter has learned all zombie IPs.
Stage 2: use only the Bloom filter for authentication; no CAPTCHAs.

Users who don't answer CAPTCHAs can access the server despite the attack in Stage 2.
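The per-IP counting Bloom filter and the two stages, as an added example (not Kill-Bots' own code). The threshold T, the table size and the number of hash functions are assumptions; the traffic in simulate() is constructed. In Kill-Bots the counters are only touched after the SYN-cookie check, so the IP cannot be spoofed (see the security analysis).

```python
import hashlib

THRESHOLD_T = 32   # assumed value of T: unanswered CAPTCHAs before an IP is dropped

class CountingBloom:
    """Counting Bloom filter keyed by client IP (assumed: k=3 hashes over a small table)."""
    def __init__(self, size: int = 4096, k: int = 3) -> None:
        self.counters = [0] * size
        self.size, self.k = size, k
    def _slots(self, ip: str) -> list:
        return [int(hashlib.sha256(f"{i}:{ip}".encode()).hexdigest(), 16) % self.size
                for i in range(self.k)]
    def gave_captcha(self, ip: str) -> None:      # increase: a puzzle was sent, not yet answered
        for s in self._slots(ip):
            self.counters[s] += 1
    def correct_answer(self, ip: str) -> None:    # decrease: the puzzle was solved
        for s in self._slots(ip):
            self.counters[s] = max(0, self.counters[s] - 1)
    def unanswered(self, ip: str) -> int:
        # Minimum over the slots: collisions with other IPs can only over-estimate (false positive).
        return min(self.counters[s] for s in self._slots(ip))
    def is_zombie(self, ip: str) -> bool:
        return self.unanswered(ip) > THRESHOLD_T

def stage1(bf: CountingBloom, ip: str, has_cookie: bool) -> str:
    """Attack mode while the filter is learning: drop zombies, serve cookie holders, CAPTCHA the rest."""
    if bf.is_zombie(ip):
        return "drop"
    if has_cookie:
        return "serve"
    bf.gave_captcha(ip)
    return "captcha"

def stage2(bf: CountingBloom, ip: str) -> str:
    """Filter has converged: no CAPTCHAs, the filter alone decides."""
    return "drop" if bf.is_zombie(ip) else "serve"

def simulate() -> dict:
    """Constructed traffic: a zombie that never answers, a human who solves 2 of 3,
    and a human who never answers (reloads once, then gives up)."""
    bf = CountingBloom()
    for _ in range(60):
        stage1(bf, "10.0.0.5", has_cookie=False)
    for _ in range(3):
        stage1(bf, "192.0.2.7", has_cookie=False)
    bf.correct_answer("192.0.2.7"); bf.correct_answer("192.0.2.7")
    for _ in range(2):
        stage1(bf, "198.51.100.9", has_cookie=False)
    return {ip: stage2(bf, ip) for ip in ("10.0.0.5", "192.0.2.7", "198.51.100.9")}
```

The non-answering human is still served in Stage 2 because only the zombie's unanswered count ever exceeds T.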
Problem 3: To authenticate or to serve?
• Authenticate all new arrivals → can't serve all authenticated clients
• Authenticate very few arrivals → too few legitimate users are authenticated

• Authenticate new clients with probability α (drop the others)

But what α maximizes goodput?

Modeled the system using queuing theory and found the optimal α* (proof in paper).

But α* depends on many unknown parameters:
• attack rate
• mean service time
• mean session size
• legitimate request rate, etc.

Solution to Problem 3:
Kill-Bots adapts the authentication probability α by measuring the fraction of time the CPU is idle.
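An added illustration of adapting α from idle time alone; neither the controller rule nor the load model is the paper's, and all workload numbers are constructed. It shows the point of the slide: the controller never sees the attack rate, yet α settles where the CPU is just short of saturated.

```python
from dataclasses import dataclass

@dataclass
class Load:
    """Constructed workload; the server never observes these fields directly."""
    legit_rate: float    # new legitimate clients per second
    attack_rate: float   # new zombies per second
    auth_cost: float     # CPU seconds to send one CAPTCHA without a socket (cheap)
    serve_cost: float    # CPU seconds per served request
    session_len: float   # requests per second an authenticated human issues

def idle_fraction(alpha: float, load: Load) -> float:
    """Assumed toy server: each new arrival is authenticated with probability
    alpha (dropped otherwise); only admitted humans then consume service time."""
    busy = alpha * (load.legit_rate + load.attack_rate) * load.auth_cost
    busy += alpha * load.legit_rate * load.session_len * load.serve_cost
    return max(0.0, 1.0 - busy)

def adapt_alpha(load: Load, target_idle: float = 0.1, alpha: float = 1.0,
                step: float = 0.05, rounds: int = 300) -> float:
    """Assumed controller (not the paper's exact rule): the only measurement is
    the idle fraction. Spare CPU above the target -> admit more new clients;
    no spare CPU -> admit fewer. alpha stays within (0, 1]."""
    for _ in range(rounds):
        if idle_fraction(alpha, load) > target_idle:
            alpha = min(1.0, alpha * (1 + step))
        else:
            alpha = max(0.01, alpha * (1 - step))
    return alpha
```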

Variables used in the analysis
Tying it Together
Security Analysis
• Socially-engineered attack: attackers force their own visitors to solve CAPTCHAs before granting access.
  – Puzzles in Kill-Bots expire 4 minutes after they have been served.
  – Maximum of 8 simultaneous connections per cookie.
• Polluting the Bloom filter: the attacker tries to spoof his IP address and pollute the Bloom filter.
  – SYN cookies prevent IP spoofing, and Bloom filter entries are modified only after the SYN cookie check succeeds.
• Breaking the CAPTCHA: automatic solving of simple CAPTCHAs.
  – Such programs are not available to the public for security reasons.
  – When one type of CAPTCHA gets broken, Kill-Bots can switch to a different kind.

Security Analysis
• Copy attacks: the attacker solves one graphical puzzle and distributes the cookie to many zombies.
  – Maximum of 8 simultaneous connections per cookie.
• Replay attacks: the attacker replays the answer packet to obtain many Kill-Bots cookies.
  – A session cookie replayed outside its time interval is rejected.
  – The same token yields the same cookie.
• Database attack: the attacker collects all possible puzzles and the corresponding answers.
  – Kill-Bots uses a large number of puzzles and periodically replaces them with a new set.
  – The space of all possible graphical puzzles is huge.
  – Building a database, distributing it to all zombies, and ensuring they can search it and obtain answers within 4 minutes is very difficult.
Evaluation
• Goodput (of legitimate users)
• Response time (of legitimate users)
• Maximum survivable attack rate
5-10 times better goodput and response time
Kill-Bots under DDoS
(figure: goodput of legitimate users (Mb/s) vs. attack rate (requests/sec); response time (sec) vs. attack rate (requests/sec))

Why Adapt the Authentication
(figure: goodput of legitimate users (Mb/s) vs. attack rate (requests/sec) for a server with adaptive authentication, a server with authentication, and the base server)
Adaptive α is much better than authenticating every new user

Orders of magnitude better Response Time
(figure: response time (sec) of legitimate users vs. attack rate (requests/sec))

Kill-Bots under Flash Crowd
(figure: goodput of legitimate users (Mb/s), response time (sec) and authentication probability α vs. time (sec) during a flash crowd)
Adaptive α provides admission control

Kill-Bots under Flash Crowd
                                        Base Server   Kill-Bots
Number of dropped legitimate requests   360,000       80,000

Kill-Bots authenticates new clients only if it can serve them…
Kill-Bots' Contributions
• First to protect web servers from DDoS attacks that mimic legitimate browsing
• First to deal with CAPTCHAs' bias against legitimate users who don't solve them
• Sends the CAPTCHA and checks the answer without any server state
• Addresses both DDoS attacks and flash crowds
• Orders of magnitude better response time, goodput, and survivable attack rate

Home Work Assignment
1. What are the differences between Stage 1 and Stage 2 in Kill-Bots?
2. What is the Kill-Bots modification to the network stack?
3. What problem does the admission control solve?
4. What are the key components of the Kill-Bots architecture? (in paper)
