SOS: An Architecture For Mitigating DDoS Attacks - PowerPoint PPT Presentation

1
SOS: An Architecture For Mitigating DDoS Attacks
Angelos D. Keromytis, Vishal Misra, Dan Rubenstein
  • Maitreya Natu

2
Why SOS?
  • DoS attacks overwhelm the processing or link capacity
    at the target site by saturating it with bogus
    packets
  • DoS attacks can seriously disrupt legitimate
    communications at minimal cost and danger to the
    attacker
  • With SOS, we address the problem of securing
    communication against DoS attacks

3
Claim
  • Attackers that are able to launch massive attacks
    are very unlikely to prevent successful
    communication
  • An attack on 50% of the nodes in the overlay has
    roughly a one-in-a-thousand chance of stopping
    communication

4
The Smart President
(Diagram: People, President)
5
The Smart President
(Diagram: People, Secretary, President)
6
The Smart President
(Diagram: People, Agents, Secretary, President)
7
The Smart President
(Diagram: People, Agents, Guards, Secretary, President)
8
The High Level Overview
(Diagram: Beacons, SOAPs, Servlets, Target)
1. Predetermined target, difficult to replicate
2. Well known users, located anywhere, have authorization
3. Simple and aggressive filtering at target end
4. Introducing anonymity by hiding identity of forwarding proxies
5. Complex verification at client end
6. Secure overlay tunneling
9
The Target End
10
Firewall
  • At a very basic level we need the functionality of
    a firewall to drop illegitimate traffic at some
    point in the network
  • It should be simple, like filtering on the source IP
    address, to prevent overwhelming the target end

(Diagram: Target)
11
Firewall
  • The architecture prevents traffic coming from
    illegitimate IP addresses

(Diagram: Target)
  • Firewalls are also susceptible to attacks

12
Distribute the Firewalls
  • Distribute the instances of the firewall
  • Only allow traffic forwarded from these proxy
    nodes

(Diagram: Target)
13
Distribute the Firewalls
  • The architecture prevents damage by an attack on
    the firewall proxies

(Diagram: Target)
  • Spoofing of the source address of a firewall proxy

14
Hide the Firewalls
  • Hide the identities of the secret nodes and give
    this information to a small set of nodes
  • Periodically change this set of secret nodes

(Diagram: Target)
15
The Target Side
  • The architecture prevents spoofing of the source
    address of the firewall proxies

(Diagram: Beacon, Secret Servlets, Target)
16
The Client Side
17
SOAP
  • Distribute expensive authentication close to the
    source
  • A SOAP (Secure Overlay Access Point) is a node that
    receives packets and performs the verification
    (using IPsec, TLS, or other authentication
    protocols)
  • Allowing a large number of SOAPs increases the
    bandwidth that an attacker must obtain to prevent
    legitimate traffic from accessing the overlay

18
The Client End
  • The architecture distributes the authentication job
    at the source network end
  • SOAPs drop illegitimate traffic

(Diagram: Beacon, SOAPs, Secret Servlets, Target)
19
Connecting Client-Server Ends
20
Possible Alternatives
  • Each overlay node selects the next node at random
  • Inefficient: each node contacts a large number of
    overlay nodes
  • Use Chord, a routing service that can be
    implemented atop an existing IP network to form a
    network overlay

21
Chord
(Ring diagram: nodes 1, 3, 7, 10, 12, 16, 17, 22, 25, 30. Since 16+16 wraps around to node 1, the ring has 2^5 = 32 identifiers, i.e. m = 5.
Finger table of node 7: 7+1 → 10, 7+2 → 10, 7+4 → 12, 7+8 → 16, 7+16 → 25.
Finger table of node 16: 16+1 → 17, 16+2 → 22, 16+4 → 22, 16+8 → 25, 16+16 → 1.)
  • Each node is assigned a numerical identifier (ID)
    by a hashing function
  • Each node's table stores the identifiers of m
    other overlay nodes
  • The i-th entry in the table of node x is the node
    whose identifier equals or most immediately follows
    (x + 2^(i-1)) mod 2^m

22
Chord
(Same ring diagram and finger tables as on slide 21.)
When overlay node x receives a packet for y, it
forwards the packet to the overlay node in its table
whose ID precedes y by the smallest amount
23
Chord
(Same ring diagram as on slide 21, with identifier 20 marked on the ring.)
Node 7 receives a packet whose destination is
the identifier 20
24
Chord
(Same ring diagram as on slide 21, with identifier 20 marked on the ring.)
  • It looks for a node whose ID precedes 20 by the
    smallest amount
  • It routes the packet to 16

25
Chord
(Same ring diagram as on slide 21; the packet is now at node 16.)
  • Node 16 looks for a node whose ID precedes 20 by
    the smallest amount

26
Chord
(Same ring diagram as on slide 21; the packet is now at node 16.)
  • Node 16 looks for a node whose ID precedes 20 by
    the smallest amount
  • It routes the packet to 17

27
Chord
(Same ring diagram as on slide 21; the packet is now at node 17.)
  • Node 17 knows that the next node in the overlay
    is node 22

28
Chord
(Same ring diagram as on slide 21; the packet is delivered to node 22.)
  • Hence 22 is responsible for identifier 20

29
Chord
(Same ring diagram as on slide 21.)
The node to which Chord delivers packets is
called the Beacon.
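The lookup walked through on slides 21-29, as an added Python example (not code from the slides or from the Chord/SOS authors): the node identifiers are the ones drawn in the ring diagram, and m = 5 is assumed because 16+16 wraps around to node 1.

```python
# Added example: Chord-style lookup on the ring from the slides (m = 5, identifiers 0..31).
# Node identifiers are those drawn in the slide diagram; the routing rule is the one
# stated on slide 22 (forward to the finger that precedes y by the smallest amount).
M = 5
RING = 2 ** M
NODES = sorted([1, 3, 7, 10, 12, 16, 17, 22, 25, 30])


def successor(ident):
    """Node whose identifier equals or most immediately follows ident (clockwise)."""
    ident %= RING
    for n in NODES:
        if n >= ident:
            return n
    return NODES[0]  # wrapped past the top of the ring


def finger_table(x):
    """Entry i (1..m) of node x: successor of (x + 2^(i-1)) mod 2^m, as on slide 21."""
    return [successor(x + 2 ** (i - 1)) for i in range(1, M + 1)]


def between_open(v, a, b):
    """True if v lies strictly inside the clockwise interval (a, b) on the ring."""
    if a < b:
        return a < v < b
    return v > a or v < b  # the interval wraps through 0


def closest_preceding_finger(x, y):
    """Finger of x whose ID precedes y by the smallest amount; x's successor if none does."""
    for f in reversed(finger_table(x)):
        if between_open(f, x, y):
            return f
    return successor(x + 1)


def route(start, y):
    """Overlay hops taken by a packet addressed to identifier y. The last hop is the
    node responsible for y, i.e. the Beacon in SOS terms (slide 29)."""
    hops = [start]
    x = start
    while x != y:
        succ = successor(x + 1)
        if succ == y or between_open(y, x, succ):
            hops.append(succ)  # y falls in (x, successor(x)]: deliver
            break
        x = closest_preceding_finger(x, y)
        hops.append(x)
    return hops
```

Running `route(7, 20)` reproduces the slides' path 7 → 16 → 17 → 22.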
30
Connecting Client-Server Ends
(Diagram: Beacon, SOAPs, Secret Servlets, Target)
31
Summary
(Overlay diagram: source Src, SOAPs, SOS overlay nodes, Beacon B, routers R, Target T. Slides 32-43 and 51-53 repeat this diagram.)
32
Summary
The target selects a number of SOS nodes to act as
Secret Servlets
33
Summary
Routers at the perimeter of the target site are
instructed to allow packets only from the secret
servlets
34
Summary
The Secret Servlets compute keys for hash functions
based on the target's IP address. Each key
identifies a Beacon
35
Summary
The Secret Servlets or the target contact the
beacons and notify them of the servlets' identities
36
Summary
The source contacts a secure overlay access point
(SOAP)
37
Summary
The SOAP authenticates the request and securely
routes the traffic to the target via one of the
beacons
38
Summary
The packet is routed to a Beacon in a distributed
fashion using Chord, applying the appropriate hash
functions to identify the next overlay hop
39
Summary
Finally, the Beacon routes the packet to a Secret
Servlet, which then routes the packet to the target
through the filtering router
40
Robustness
(Overlay diagram as on slide 31.)
A confirmed source point can select another SOAP
41
Robustness
(Overlay diagram as on slide 31.)
An attacked node simply exits the overlay, and Chord
self-heals, providing new paths over the reformed
overlay to the beacons
42
Robustness
(Overlay diagram as on slide 31.)
Even beacons can be attacked and allowed to fail.
New sets of beacons can be selected by the secret
servlets
43
Robustness
(Overlay diagram as on slide 31.)
If a Secret Servlet's identity is discovered and
that server is targeted, the target can choose an
alternate set of secret servlets
44
Some Other Features
  • Typically, hash functions do not map two
    geographically close nodes to nearby identifiers
  • All attack traffic will use the BGP-advertised best
    route to the target, while traffic from the SOS
    will use the unused available capacity of the target
    site

45
Security Analysis
46
About the attacker
  • Assumptions about the attacker:
  • Knows the set of nodes that form the overlay
  • Can attack these nodes by bombarding them with traffic
  • Does not know the precise functionality of these
    nodes (beacons, secret servlets)
  • The bandwidth available to an attacker has an upper
    limit
  • Cannot breach the security protocols of the overlay
    (i.e., the attack packets can always be identified
    as illegitimate)

47
A Static Attack
  • An attacker selects a set of nodes to attack, and
    SOS takes no repairing action (e.g., by changing
    the node that acts as the secret servlet, or by
    having nodes drop from the overlay)

48
(Plot: likelihood of a successful static attack versus the fraction of overlay nodes attacked, with 10 SOAPs, 10 Beacons and 10 Secret Servlets; annotations: "1 in 10,000 attempts", "40% of N".)
The likelihood of an attack successfully terminating
communication is negligible unless the attacker
can simultaneously bring down a significant
fraction of nodes.
49
(Plot: N fixed = 10,000, Na fixed = 1,000, f = Number of Secret Servlets / Number of Beacons; curves: 1 Beacon, 1 Servlet; 10 Beacons, 1 Servlet; 10 Beacons, 10 Servlets; 100 Beacons, 10 Servlets.)
The likelihood of an attack successfully terminating
communication is negligible unless the attacker
can simultaneously bring down a significant
fraction of nodes.
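A simplified static-attack calculation for the scenario of slides 3 and 48, as an added Python example (my model, not the authors' analysis): it assumes the attacker picks n_a of the N overlay nodes uniformly at random, that the SOAP, beacon and secret-servlet roles are disjoint sets of nodes, and that communication stops only when every node of some role is attacked.

```python
# Added example: simplified static-attack model consistent with the numbers quoted on
# slides 3 and 48. Assumptions (mine, not stated on the slides): the attacker picks n_a
# of the N overlay nodes uniformly at random; the SOAP, beacon and secret-servlet roles
# are disjoint node sets; communication stops only if every node of some role is hit.
from itertools import combinations
from math import comb


def p_role_wiped(N, n_a, k):
    """Exact (hypergeometric) probability that all k nodes of one role are among
    the n_a attacked nodes."""
    if k > n_a:
        return 0.0
    return comb(N - k, n_a - k) / comb(N, n_a)


def p_static_attack_succeeds(N, n_a, soaps, beacons, servlets):
    """Probability that at least one role is wiped out, by inclusion-exclusion over
    the three disjoint roles: wiping roles A and B together means hitting
    |A| + |B| specific nodes."""
    roles = (soaps, beacons, servlets)
    total = 0.0
    for r in range(1, len(roles) + 1):
        sign = 1 if r % 2 == 1 else -1
        for subset in combinations(roles, r):
            total += sign * p_role_wiped(N, n_a, sum(subset))
    return total


def success_probability_curve(N, soaps, beacons, servlets, fractions):
    """Attack success probability for each attacked fraction of N (x-axis of slide 48)."""
    return [(f, p_static_attack_succeeds(N, int(f * N), soaps, beacons, servlets))
            for f in fractions]


if __name__ == "__main__":
    # Attacking 50% of 10,000 nodes with 10 nodes per role gives about 1e-3 per role,
    # the "one in a thousand" of slide 3; attacking 40% gives about 1e-4 (slide 48).
    for frac, p in success_probability_curve(10_000, 10, 10, 10, [0.1, 0.4, 0.5, 0.9]):
        print(f"{frac:.0%} of nodes attacked -> P(success) = {p:.2e}")
```

The per-role probability at 50% is close to 0.5^10; the union over the three roles is about three times that.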
50
Dynamic Attack
  • SOS takes a repairing action and the attacker
    reacts to a repaired network by altering its
    attack

51
Dynamic Attack Scenario
(Overlay diagram as on slide 31.)
  • SOS identifies an attacked node

52
Dynamic Attack Scenario
(Overlay diagram as on slide 31, with the attacked node removed.)
After Dr time units (Repair Delay), that node is
removed from the overlay, so that its being
attacked does not prevent the communication
53
Dynamic Attack Scenario
(Overlay diagram as on slide 31.)
After Da time units (Attack Delay), the attacker
reacts and redirects its attack toward a node
that still resides in the overlay
54
Centralized and Distributed
  • Centralized
  • Repair: each attacked node is handled
    sequentially (by a single centralized authority)
  • Attack: only one attack node can be modified at a
    time
  • Distributed
  • Repair: performed in parallel (each node can
    independently perform its repair)
  • Attack: separate attackers are responsible for
    detection and movement of their individual attacks

55
Insight by Modeling a Closed Queuing System
(State diagram of the closed queuing system. State: the number of nodes currently under attack that are active and in the overlay. na = maximum number of nodes that can be attacked; i = nodes that are active and are being attacked.)
Repair removes nodes, with repair delay Dr and rate µ
Discovery and redirection adds nodes, with attack delay Da and rate λ
Centralized: attack rate λ, repair rate µ
Distributed: attack rate (na - i)λ, repair rate iµ
56
(Plot: N fixed = 1,000, 10 SOAPs, 10 Secret Servlets, 10 Beacons; ρ = λ/µ.)
As ρ grows large, attacks recover quicker than
repair, so that the number of nodes attacked
approaches na
57
(Plot: same parameters as slide 56.)
As ρ increases, attacks recover more quickly and
the attacked nodes reach na.
For small ρ, the attack diminishes as attacked nodes
are removed
58
(Plot: same parameters as slide 56; regions marked "DoS least likely" and "DoS most likely".)
59
(Plot: same parameters as slide 56.)
Even when ρ < 1, there is significant successful
attack time when a large fraction of nodes are being
attacked
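The birth-death chain described on slide 55, solved for its stationary distribution as an added Python example (my computation, not the slides' analysis). The rates are the ones on the slide; reading the probability of state na as the "attack reaches na" regime of slide 56 is my interpretation.

```python
# Added example: stationary distribution of the birth-death chain sketched on slide 55.
# State i = number of overlay nodes that are active and currently under attack
# (0 <= i <= na). Rates as given on the slide: centralized, attack rate lam and repair
# rate mu; distributed, attack rate (na - i)*lam and repair rate i*mu.
# Interpreting pi[na] as the "attack has reached na" regime is mine, not the slides'.

def rates(na, lam, mu, distributed):
    """Return (birth, death) rate functions of the state i for the chosen variant."""
    if distributed:
        return (lambda i: (na - i) * lam), (lambda i: i * mu)
    return (lambda i: lam), (lambda i: mu)


def stationary_distribution(na, lam, mu, distributed):
    """pi_i for i = 0..na from the balance equations pi_i = pi_{i-1} * birth(i-1)/death(i)."""
    birth, death = rates(na, lam, mu, distributed)
    weights = [1.0]
    for i in range(1, na + 1):
        weights.append(weights[-1] * birth(i - 1) / death(i))
    total = sum(weights)
    return [w / total for w in weights]


def mean_nodes_under_attack(pi):
    """Expected number of attacked active nodes in steady state."""
    return sum(i * p for i, p in enumerate(pi))


def p_attack_saturated(pi):
    """Probability that the attack occupies all na attackable nodes."""
    return pi[-1]


if __name__ == "__main__":
    na = 10
    for rho in (0.25, 1.0, 4.0):  # rho = lam/mu, the knob varied on slides 56-59
        for dist in (False, True):
            pi = stationary_distribution(na, rho, 1.0, dist)
            kind = "distributed" if dist else "centralized"
            print(f"rho={rho:<5} {kind:<11} mean={mean_nodes_under_attack(pi):5.2f} "
                  f"P(i=na)={p_attack_saturated(pi):.3g}")
```

In the distributed variant the chain reduces to a binomial with success probability ρ/(1+ρ), so the mean is na·ρ/(1+ρ); in the centralized variant it is a truncated geometric in ρ.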
60
Performance
  • Used Web proxies as overlay nodes and measured the
    completion time of HTTPS requests
  • The times reported are in seconds and are
    averaged over several HTTPS GET requests of the
    same page, which are not locally cached

61
Performance
  • Overlay nodes were deployed using PlanetLab nodes
  • PlanetLab is a wide-area overlay network, whose
    nodes are distributed in academic institutions
    across the country.
  • Time to completion in this scenario increases by
    a factor of 2 to 10, depending on the number of
    overlay nodes
  • To simulate an attack on overlay nodes, specific
    nodes were brought down. The overlay healed
    within 10 seconds

62
Performance
  • Using PlanetLab, the nodes are distributed in
    end-sites. A commercial deployment of SOS nodes
    is expected to be near the core of the network
  • An increased end-to-end latency is a
    considerable factor, but it is
  • More than acceptable in certain environments and
    in the presence of a determined attack
  • Better than the other alternative of having no
    web service while a DoS attack is occurring

63
Shortcut Implementation
  • SOAPs use Chord routing to contact a beacon and
    determine the secret servlet's identity, and cache
    this information for directly routing subsequent
    traffic to the servlet
  • The overlay is used for signaling
  • Actual data transfer takes only 2 hops
  • Significant performance improvements,
    particularly on subsequent requests for the same
    site
  • End-to-end latency increases by a small factor of
    2

64
Further Discussion
  • Attacks from inside the overlay
  • Shared overlay: users can maintain privacy and
    integrity; a breach in one organization should not
    affect others
  • Timely delivery: shortcuts allow users to trade
    levels of security for timely delivery

65
References
  • WebSOS: Protecting Web Servers From DDoS Attacks.
    D. Cook, W. Morein, A. Keromytis, V. Misra, D.
    Rubenstein
  • Chord: A Scalable Peer-to-peer Lookup Service For
    Internet Applications. I. Stoica, R. Morris, D.
    Karger, M. Kaashoek, H. Balakrishnan

67
Appendix
68
Attacking the Underlying Network
  • To this point we assumed that the attacker will
    attack to deny service to nodes in the overlay
  • Now consider an attack on the edge nodes that
    make up the overlay

69
(Plot: blocking probability of legitimate traffic versus attack traffic load. The target has 20 units of resource; both attack and legitimate flows use 1 unit; legitimate traffic load = arrival rate × resource holding time = 1; marker at 90% denial.)
For a significant DoS, the load level of attack
traffic has to be significantly higher than that
of legitimate traffic.
70
Effects of 2 key features of SOS
  • Increasing capacity: when we push the attack point
    perimeter into the interior of the core, the
    traffic handling capability of the attacked node
    increases
  • Introducing anonymity: if the attacker does not know
    the identity of the secret servlet for a particular
    target, attacks will be launched randomly in the
    overlay. Thus the effective arrival rate becomes a
    fraction f of the total arrival rate

71
Effect of increasing the traffic handling capacity
(Plot: Bandwidth Gain (Old Blocking Prob / New Blocking Prob) versus Bandwidth Increase Factor.)
A bandwidth increase by a factor of 12 reduces the
blocking probability by 3 orders of magnitude
72
Effect of anonymity
(Plot: Randomization Gain (Old Blocking Prob / New Blocking Prob) versus Size of Overlay.)
As the number of nodes in the overlay increases, a
smaller fraction of traffic reaches the target
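The blocking model of slides 69-72, as an added Python example (not the authors' code): it assumes the Erlang-B formula for a target with a fixed number of resource units where every flow holds one unit, and it models anonymity as only a fraction f = 1/overlay size of the attack load reaching the target.

```python
# Added example: the blocking model behind slides 69-72, written here in Python.
# Assumptions following slide 69: the target has a fixed number of resource units, every
# attack or legitimate flow holds one unit, and the blocking probability is the Erlang-B
# value for the combined offered load (legitimate + attack, in Erlangs).

def erlang_b(capacity, load):
    """Erlang-B blocking probability for `capacity` units and offered `load` Erlangs,
    via the numerically stable recursion B(c) = load*B(c-1) / (c + load*B(c-1))."""
    b = 1.0
    for c in range(1, capacity + 1):
        b = load * b / (c + load * b)
    return b


def legit_blocking(capacity, legit_load, attack_load, anonymity_fraction=1.0):
    """Blocking seen by legitimate traffic. With anonymity (slide 70) only a fraction f
    of the attack load arrives at the target's servlet; f = 1.0 means no anonymity."""
    return erlang_b(capacity, legit_load + anonymity_fraction * attack_load)


def bandwidth_gain(capacity, legit_load, attack_load, factor):
    """Old/new blocking ratio when capacity grows by `factor` (y-axis of slide 71)."""
    old = legit_blocking(capacity, legit_load, attack_load)
    new = legit_blocking(capacity * factor, legit_load, attack_load)
    return old / new


def randomization_gain(capacity, legit_load, attack_load, overlay_size):
    """Old/new blocking ratio when the attack is spread over `overlay_size` nodes so
    that f = 1/overlay_size of it reaches the target (y-axis of slide 72)."""
    old = legit_blocking(capacity, legit_load, attack_load)
    new = legit_blocking(capacity, legit_load, attack_load, 1.0 / overlay_size)
    return old / new


if __name__ == "__main__":
    C, LEGIT, ATTACK = 20, 1.0, 199.0  # slide 69: 20 units, legitimate load 1 Erlang
    print(f"blocking under attack: {legit_blocking(C, LEGIT, ATTACK):.3f}")  # about 0.90
    print(f"gain from 12x capacity: {bandwidth_gain(C, LEGIT, ATTACK, 12):.0f}")
    print(f"gain from overlay of 100: {randomization_gain(C, LEGIT, ATTACK, 100):.3g}")
```

With 199 Erlangs of attack load on 20 units the legitimate blocking is about 90%, the "90% denial" point of slide 69, and raising capacity twelvefold at that load cuts blocking by roughly three orders of magnitude, as slide 71 states.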