Mitigating Denial-of-Service By Dodging - PowerPoint PPT Presentation

1
Mitigating Denial-of-Service By Dodging
  • Sherif Khattab
  • Ph.D. Proposal Defense
  • April 27th, 2007

2
Outline
  • Denial-of-Service Attack
  • Dodging
  • Preliminary Work
  • Server Roaming
  • Roaming Honeypots
  • Live Baiting
  • Proposed Work
  • Conclusions

3
Denial-of-Service [Gligor, 84]
  • "A group of otherwise-authorized users of a
    specific service is said to deny service to
    another group of otherwise-authorized users if
    the former group makes the specified service
    unavailable to the latter group for a period of
    time which exceeds the intended (and advertised)
    waiting time."

4
Denial-of-Service (DoS) Attacks
5
DoS Attacks (1/4)
Legitimate packets consume network resources,
such as router buffers and link capacity.
They also consume server resources, such as
interrupt processing capacity, operating system
structures, processing time, etc.
(figure: Legitimate Client, Router, Server)
6
DoS Attacks (2/4)
  • Network-level DoS attacks flood network resources

(figure: Attackers flooding the network)
7
DoS Attacks (3/4)
  • Service-level DoS attacks exploit vulnerabilities
  • to crash servers

8
DoS Attacks (4/4)
  • Service-level DoS attacks flood server resources

(figure: Dropped Requests at the server)
9
Our Focus: Service-level Flooding DoS
10
Why Service-level DoS?
  • More attractive to attackers
  • lower packet rate
  • more stealthy
  • Next-generation DoS
  • after deployment of anti-spoofing defenses
  • (e.g., ingress filtering and D-WARD)

11
The DoS Problem
  • Distinguish attack packets/requests from
  • legitimate packets/requests
  • quickly
  • accurately (low false positives and false
    negatives) and
  • efficiently (small overhead)

12
Primary Metrics
  • Legitimate Response Time
  • Legitimate Throughput

13
Secondary Metrics
  • Coverage
  • Fraction of attack instances successfully handled
  • Effectiveness
  • False Positive probability (FP)
  • False Negative probability (FN)
  • Detection time
  • Efficiency
  • Storage overhead
  • CPU complexity (on-line (per-request) vs.
    off-line)
  • Message overhead

14
Related Problems
(figure: Denial-of-Service and related problems:
Compromised Clients, Spoofing, Non-malicious Faults)
15
DoS Prevention
  • Puzzles
  • Attackers forced to exert some effort
  • Bandwidth [Walfish et al., 2005]
  • Crypto [Juels and Brainard, 99; Wang and Reiter,
    03]
  • Network-level [Feng, 2003]
  • CAPTCHA [Morein et al., 2003]
  • Ticket-based systems
  • [Gligor, 2003]
  • But,
  • not effective against determined attackers
  • restricted to services with human users

16
Detection and Recovery
  • DDoS Shield
  • [Ranjan et al., 2006]
  • Recovery
  • Capability-based systems
  • e.g., [Yang et al., 2005]
  • Server relocation
  • [Khattab et al., 2003; Stavrou et al., 2005]
  • But,
  • hard to detect service-level DoS
  • high overhead

17
Mitigation
  • Sustain service under attack
  • Replication
  • Anycast Routing
  • Overlay-based
  • SOS [Keromytis et al., 2002]
  • But,
  • high overhead
  • private services

18
(figure: State-of-the-art vs. Dodging)
19
Our Contributions
20
Outline
  • Denial-of-Service Attack
  • Dodging
  • Preliminary Work
  • Server Roaming
  • Roaming Honeypots
  • Live Baiting
  • Proposed Work
  • Conclusions

21
Physical-world Dodging
  • Float like a butterfly,
  • sting like a bee
  • Muhammad Ali Clay

22
Service Model
  • Public service with many clients
  • A pool of servers behind packet-filtering
    firewalls

(figure: Servers behind firewalls, reached over the Internet)
23
Main Concepts
24
Virtualization
  • Dodging uses virtualization to increase
    elusiveness
  • Physical servers divided into many virtual
    servers (buckets)
  • isolated from each other
  • monitored

25
Virtualization
(figure: a Physical Server divided into virtual servers)
26
Buckets
(figure: buckets scheduled by Weighted Round-Robin)
27
Client-Server Mapping
  • Mapping based on
  • round-robin
  • location
  • server load

(figure: clients mapped to servers across the Internet)
28
Client-Server Mapping
(figure: Clients mapped to Buckets, Buckets mapped to Servers)
29
Service Access Protocol
  • On first access, clients obtain tokens
  • mapped buckets
  • mapped servers
  • Tokens
  • not for authentication
  • different from tickets in reservation systems

30
Attack Mapping
(figure: Attackers mapped to Buckets, Buckets mapped to Servers)
31
Dodging
(figure: Idle Servers and Idle Buckets alongside the
Clients, Buckets and Servers mapping)
32
Physical vs. Logical Dodging
  • Dodging
  • physical (bucket-server)
  • logical (client-bucket)
  • Logical Dodging not enough
  • attackers may bypass the logical layer and attack
    physical servers directly

33
Attack Types
(figure: attack types laid out by Rate and Compliance;
Roaming Honeypots covers Detection, Live Baiting covers
Detection and Mitigation, Server Roaming covers Mitigation)
34
Outline
  • Denial-of-Service Attack
  • Dodging
  • Preliminary Work
  • Server Roaming
  • Roaming Honeypots
  • Live Baiting
  • Proposed Work
  • Conclusions

35
(No Transcript)
36
Attack Types
(figure: attack types by Rate and Compliance, Mitigation highlighted)
37
Mitigation
38
Dodging to Escape
  • Dodging dilutes attack fire-power over many
    attack targets
  • Dodging creates opportunity time-windows
  • idle servers switching to active
  • empty queues
  • opportunity to service legitimate connections

39
Opportunity Time-Windows
40
FreeBSD Prototype
  • File transfer service
  • Periodically (e.g., every minute)
  • clients switch server
  • drop current connections and establish new ones
    with an active server
  • resume the transfer
  • idle servers close connections
  • We compared our scheme to replication
  • requests load-balanced over all servers

41
Service-level DoS Attack
  • Attackers flood all servers with requests
  • Follow Attack
  • attack the active servers with a delay

42
Experiment Topology
(figure: experiment topology with 2 Mb/s links)
All machines run FreeBSD with Dummynet [Rizzo]
for bandwidth control
43
Follow Attack (attack load of 400)
Even with follow attacks, roaming decreases
response times
Replication: attack requests spread over 2
servers
44
Roaming Overhead (No Attack, 2 servers)
Roaming incurs about a 14% increase in average
response time (50 client load)
45
(No Transcript)
46
Primary-Effect-based Detection (PED) (1/3)
  • Current detection approaches are based on
  • attack mechanism or secondary effects
  • anomaly
  • misuse
  • specification

47
Primary-Effect-based Detection (PED) (2/3)
  • PED based on primary attack effect
  • waiting time > maximum
  • aggregate request rate > server capacity
  • access to idle server or bucket

48
Primary-Effect-based Detection (PED) (3/3)
  • Given
  • an attack-detection function ?(?, t)
  • indicates whether resource ? is under attack
    during time interval t
  • Required: detect the attackers among service
    users

49
Attack-Mechanism Independence
  • Service-level attack mechanisms hard to detect in
    general
  • high request rate
  • expensive requests
  • images
  • heavy queries
  • hard to detect from packet headers and content

PED is independent of attack mechanism
50
Outline
  • Denial-of-Service Attack
  • Dodging
  • Preliminary Work
  • Server Roaming
  • Roaming Honeypots
  • Live Baiting
  • Proposed Work
  • Conclusions

51
Attack Types
(figure: attack types by Rate and Compliance, Detection highlighted)
52
(No Transcript)
53
Honeypots [Spitzner; Provos]
  • Honeypots are
  • decoy resources to trap attackers
  • useful in detecting worm-infected hosts
  • However, honeypots are
  • at fixed locations
  • separate from real servers

DoS Attackers can evade honeypots
54
Roaming Honeypots
  • In roaming honeypots, the locations of
  • honeypots are
  • continuously changing
  • unpredictable to non-compliant attackers
  • disguised within servers

55
Attack-detection function (?)
  • When an idle server (or idle bucket) is accessed
  • ?(?, t) = ATTACK

56
Compliant Clients
  • How to make compliant clients distinguish
    between active servers and designated honeypots?

57
Compliant Clients (contd.)
  • Time is divided into epochs
  • Keys from a one-way hash chain determine
  • active servers during each epoch
  • length of each epoch
  • ns: total number of servers
  • ks: number of active servers during each epoch

58
Compliant Clients (contd.)
The next key is computed using a one-way hash
function
Ex. ns = 4, ks = 3
A random key Ki is generated
Active-server combinations: {1,2,3}, {1,2,4},
{1,3,4}, {2,3,4}
59
Compliant Clients (contd.)
  • Servers know Kn
  • Each client is assigned a (potentially) different
    key Ki depending on its trust level for
    example.
  • Client keys are updated periodically

60
Connection Migration
  • How to migrate active compliant connections from
    servers switching to idle?

61
Connection Migration (contd.)
  • Clients keep state and send it to the new server
  • to resume connection (if possible)

62
NS-2 Simulation
63
Service-level DoS
  • Fixed-target attackers: attack a subset of
    servers continuously

64
Compared Schemes
  • We compared three schemes
  • Roaming Honeypots
  • Server Roaming
  • Replication

65
Time Series
66
Effect of Attack Load
With roaming honeypots, the service exhibits a
stable average response time even in the presence
of attacks with increasing intensity
67
Effect of Roaming Interval (Epoch Length)
68
Outline
  • Denial-of-Service Attack
  • Dodging
  • Preliminary Work
  • Server Roaming
  • Roaming Honeypots
  • Live Baiting
  • Proposed Work
  • Conclusions

69
Attack Types
(figure: attack types by Rate and Compliance, Detection highlighted)
70
(No Transcript)
71
One-to-one Mapping
  • Unique bucket per client
  • Detection Algorithm
  • a bucket is attacked if request rate > normal
  • clients assigned to attacked buckets are
    identified as attackers
  • Analysis
  • high memory overhead
  • FP = FN = 0

72
Attempt II
  • Two clients per bucket
  • Detection Algorithm
  • a bucket is attacked if request rate > twice
    normal
  • clients assigned to attacked buckets are labeled
    attackers
  • Analysis
  • half the number of buckets in Attempt I
  • FP > 0 and FN = 0

73
PED Problem
  • Given ?(?, t), design a client-bucket mapping
  • function that
  • minimizes number of buckets
  • keeps false positive rate and false negative rate
    below given thresholds

74
Attack-detection function (?)
  • Aggregate request rate > bucket capacity
  • ?(?, t) = ATTACK

75
Group Testing
  • First used in WWII to identify all defective
  • elements within a population (blood testing)
  • minimum number of tests for zero false positives
  • each test applied to a group of samples
  • many-to-many mapping

76
Group Testing (contd.)
  • Non-adaptive group-testing based on a matrix
  • that determines member assignments to tests

77
Group-Testing Matrix
(figure: a 0/1 assignment matrix of 10 clients (columns 1-10)
to 7 buckets (rows 1-7) with a "Bucket Attacked?" column beside
it; the column is shown first as all zeros and then as
1 0 1 0 1 0 0, i.e. buckets 1, 3 and 5 flagged)
78
(figure: the same matrix, with buckets served by Weighted
Round-Robin)
79
Randomized Matrix Construction
  • Each bit in the matrix is set to 1 with
    probability
  • d is an estimate of the number of attackers

80
Detection Algorithm
  • A bucket is attacked if request rate > normal
  • Exclude negative (non-attacker) clients.
  • A client is excluded if it is assigned to a
    non-attacked bucket

81
Group-Testing Matrix
(figure: slides 81-84 repeat the 10-client x 7-bucket matrix of
slide 77 as animation steps of the detection algorithm, with
"Bucket Attacked?" = 1 0 1 0 1 0 0)
85
Theoretical Results
  • False negative probability = 0
  • False positive probability
  • T is the number of buckets

86
Buckets = O(# Attackers)
87
(figure: State-of-the-art vs. Dodging)
Dodging: O(# attackers) instead of O(# clients)
Opportunity time-windows
88
Outline
  • Denial-of-Service Attack
  • Dodging
  • Preliminary Work
  • Server Roaming
  • Roaming Honeypots
  • Live Baiting
  • Proposed Work
  • Conclusions

89
Attack Types
(figure: attack types by Rate and Compliance; Detection and
Mitigation highlighted)
90
(No Transcript)
91
Proposed Work 1
  • Design the live baiting algorithm in detail
  • at servers
  • at clients
  • Study false positive and false negative
    probabilities, detection time, and overhead
  • analytically
  • using NS-2 simulations
  • using implementation in Apache webserver

92
Proposed Work 2
  • Adapting to Attackers.
  • investigate techniques to detect and adapt to a
  • number of attackers different than the estimate d

93
Over-estimating Attackers
94
Under-estimating Attackers
95
Adapting to Attackers
  • Attackers estimated from attacked buckets.
  • B_attacked is the observed number of attacked
    buckets

96
Proposed Work 3
  • Investigate the effect of
  • bursty request arrivals
  • non-uniform service time
  • using NS-2 simulations based on real Web
  • traces

97
Proposed Work 4
  • Other matrix construction algorithms
  • (e.g., LDPC) with more compact matrix than
  • the randomly constructed matrix

98
Proposed Work 5
  • Detect a more stealthy attack model
  • attackers leave some assigned buckets un-attacked
    so that they get cleared by the detection
    algorithm
  • Adjust the detection algorithm accordingly

99
(No Transcript)
100
Proposed Work 6
  • Mitigate attacks from compliant attackers by
  • creating opportunity time windows

101
Compliant-Attack Mitigation
(figure: Virtual Servers (Buckets) inside a Physical Server)
102
Conclusions
  • Main contributions
  • Dodging
  • Primary-Effect-based Detection (PED)
  • Opportunity-window Mitigation
  • Adaptivity to attack parameters
  • Future Work
  • dodging in other networks (e.g., sensor nets)
  • privacy-preserving DoS defense

103
Acknowledgements
  • The NetSec project (http://www.cs.pitt.edu/netsec)
  • Chatree Sangpachatanaruk performed the simulation
    study of Roaming Honeypots

104
Publications
  • Roaming Honeypots
  • Sherif M. Khattab, Chatree Sangpachatanaruk,
    Daniel Mossé, Rami Melhem, and Taieb Znati,
    "Roaming Honeypots for Mitigating Service-level
    Denial-of-Service Attacks", in Proceedings of
    the 24th International Conference on Distributed
    Computing Systems (ICDCS'04), March 2004.
  • Sherif M. Khattab, Chatree Sangpachatanaruk, Rami
    Melhem, Daniel Mossé, and Taieb Znati,
    "Proactive Server Roaming for Mitigating
    Denial-of-Service Attacks", in Proceedings of
    the 1st International Conference on Information
    Technology Research and Education (ITRE'03),
    August 2003.
  • Server Roaming
  • C. Sangpachatanaruk, S. M. Khattab, T. Znati, R.
    Melhem, and D. Mossé, "A Simulation Study of
    the Proactive Server Roaming for Mitigating
    Denial of Service Attacks", in Proceedings of the
    36th Annual Simulation Symposium 2003 (ANSS'03),
    March 2003.
  • C. Sangpachatanaruk, S. M. Khattab, T. Znati, R.
    Melhem, and D. Mossé, "Design and Analysis of a
    Replicated Elusive Server Scheme for Mitigating
    Denial of Service Attacks", in Journal of
    Systems and Software, Vol. 73(1), pp. 15-29,
    September 2004, Elsevier. (Extended version of
    the ANSS'03 paper)

105
Thank You!
  • Questions?

106
  • Backup Slides

107
Main Assumption
Unique, un-spoofable user identifier (dealing
with proxy servers is an open problem)
(figure: many users behind one Proxy Server)
108
Compliant Mitigation
109
DoS Attacks
  • DoS attacks aim at throttling legitimate
    utilization of network and/or server resources
    through [Millen, 92]
  • resource destruction (e.g., Teardrop)
  • resource exhaustion (e.g., SYN attack)

110
Resource Exhaustion DoS
  • Resource exhaustion DoS attacks
  • vulnerability exploitation (e.g., SYN attack)
  • brute-force flooding
  • Network-level (e.g., UDP floods)
  • Service-level (similar to flash crowds)

111
Service-level DoS
  • A large number of attack hosts request service
    from the victim server at a high rate. For
    instance,
  • download files from an FTP server, or
  • get web pages from an WWW server

112
Front-ends
  • Front-ends form a tree with the back-ends as its
    logical root.

113
Front-ends (contd.)
  • Tree level of each front-end depends on its
    attack tolerance
  • Front-ends run the Chord [Stoica et al.] lookup
    service
  • To join the network (or reconfigure), a front-end
    performs
  • Parent registration
  • Address registration

114
(No Transcript)
115
Packet Filtering
Not scalable (filter state grows with the number of users)
116
Packet Filtering
More scalable (# attackers << # users)