Flash Crowds And Denial of Service Attacks: - PowerPoint PPT Presentation

Description: Servers can shut down from over use ... during an FE correspond closely with the spikes in the ... Requests for documents come from many different Clusters... – PowerPoint PPT presentation

Slides: 32
Provided by: aaron101
Transcript and Presenter's Notes

1
Flash Crowds And Denial of Service Attacks
Characterization and Implications for CDNs and Web Sites
Aaron Beach, CS395 Network Security
2
OVERVIEW
  • What is a Flash Event? (FE)
  • What is a Denial of Service Attack?
  • What is the difference?
  • How can we distinguish between them?
  • What is/are the solution(s)?
  • Adaptive Content Distribution Networks?
  • Others?
  • Do you have any ideas??? Think about it

3
Flash Events
  • A flash event (FE) is a large surge in traffic to
    a particular Web site causing a dramatic increase
    in server load and putting severe strain on the
    network links leading to the server, which
    results in considerable increase in packet loss
    and congestion
  • Flash crowds

4
Denial of Service Attack (DoS)
  • An explicit attempt by attackers to prevent
    legitimate users of a service from using that
    service
  • Their definition: any attempt to undermine a Web site
  • What do you think?

5
The Major Differences
  • Flash Events represent legitimate traffic to a
    website. This often means the website wants to
    service these requests as well as possible, while
    DoS attacks are unwanted and should not be
    serviced, but ignored or controlled.

6
Distinguishing Between Them
  • 3 main characteristics:
  • Traffic patterns
  • Client characteristics
  • File reference characteristics

7
Traffic Patterns
  • Overall traffic volume determines how much a
    server should provision resources to keep the
    site operational
  • Servers can shut down from overuse
  • Studying these patterns allows us to articulate
    the period when an unusually large number of
    clients can overwhelm a site
  • We also can understand how and in what time
    pattern the server must defend against these
    rises in traffic

8
How substantial can an FE be?
88.2% of traffic in 11% of time; 71% of traffic in 7% of time
9
You can see the spikes in traffic
They look indistinguishable?
10
Now do they look the same?
Quite different however
11
Behavior of traffic
  • First fifteen minutes
  • Both rise, but over very different periods:
  • One over 70 minutes
  • One over 40 seconds
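The traffic-pattern slides above characterize a surge by two numbers: how much of the total traffic is packed into a small fraction of the time (e.g. 88.2% of traffic in 11% of time) and how quickly the request rate climbs (70 minutes versus 40 seconds). The following Python is an added example and is not code from the presentation or from the paper it summarizes; the workload generator, the median-based baseline, the thresholds and all function names are my own assumptions.

```python
# Added example (not from the slides or the paper they summarize): the two
# traffic-pattern measurements the slides rely on, computed over constructed
# per-second request counts.
from typing import List, Optional, Sequence


def traffic_concentration(counts: Sequence[int], time_fraction: float) -> float:
    """Share of all requests that falls in the busiest `time_fraction` of the
    intervals; '88.2% of traffic in 11% of time' would be 0.882 at 0.11."""
    if not counts or not 0 < time_fraction <= 1:
        raise ValueError("need non-empty counts and 0 < time_fraction <= 1")
    total = sum(counts)
    if total == 0:
        return 0.0
    k = max(1, round(len(counts) * time_fraction))
    return sum(sorted(counts, reverse=True)[:k]) / total


def rise_time(counts: Sequence[int], baseline_factor: float = 2.0,
              peak_factor: float = 0.9) -> Optional[int]:
    """Number of intervals between the first count above
    baseline_factor * median (the surge starts) and the first count reaching
    peak_factor * max (the surge has arrived); None when there is no surge."""
    if not counts:
        return None
    median = sorted(counts)[len(counts) // 2]   # typical "quiet" level
    peak = max(counts)
    start = next((i for i, c in enumerate(counts) if c > baseline_factor * median), None)
    if start is None:
        return None
    end = next(i for i, c in enumerate(counts) if i >= start and c >= peak_factor * peak)
    return end - start


def synthetic_surge(quiet: int, ramp: int, peak: int, hold: int, base: int = 10) -> List[int]:
    """Constructed workload: `quiet` intervals at `base` req/s, a linear ramp
    over `ramp` intervals up to `peak`, then `hold` intervals at the peak."""
    counts = [base] * quiet
    counts += [base + (peak - base) * i // ramp for i in range(1, ramp + 1)]
    counts += [peak] * hold
    return counts


SLOW_SURGE = synthetic_surge(quiet=1000, ramp=60, peak=500, hold=30)  # gradual ramp
FAST_SURGE = synthetic_surge(quiet=1000, ramp=3, peak=500, hold=30)   # abrupt ramp

if __name__ == "__main__":
    for name, counts in (("slow", SLOW_SURGE), ("fast", FAST_SURGE)):
        share = traffic_concentration(counts, 0.10)
        print(f"{name}: {share:.1%} of traffic in 10% of time, "
              f"rise time {rise_time(counts)} s, peak {max(counts)} req/s")
```

Both constructed surges reach the same peak, which is why the spike plots on the next slides look alike; the rise time is what separates them, and the concentration figure is what tells you how much capacity sits idle outside the surge.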

12
Client Characteristics and clustering
  • They use a network-aware clustering technique to
    determine the topological distribution of clients
    in FE and DoS.
  • Client clustering allows one to aggregate
    individual clients into groups belonging to the
    same administrative domain.
  • Clustering uses a large collection of unique
    network prefixes assembled from a wide set of BGP
    routing tables.
  • The various client IP addresses are grouped into
    clusters based on longest prefix matching.

13
Clusters and Clients trends
  • Spikes in request volumes during an FE correspond
    closely with the spikes in the number of clients
    accessing the site. Thus, the number of clients
    in a flash event follows the same increase
    patterns as the overall request rate.

14
No large change in average per-client request rate
15
Old clusters during an FE
  • Clusters that have already visited the site vs.
    new clusters during an FE
  • During the two FEs studied, 42.7% of the clusters
    in the Play-along trace and 82.9% in the Chile
    trace were old clusters, demonstrating that in
    these FEs a large percentage of clusters had made
    previous requests

16
File Reference Characteristics
  • Locality of reference enables a reduction of
    server load through caching.
  • They use these characteristics in designing an
    adaptive CDN.
  • We consider
  • aggregate file references
  • reference patterns of individual clients
  • reference patterns of client clusters.

17
What files are accessed in FE
  • 60% (61% and 82% for Play-along and Chile,
    respectively) of documents are accessed only
    during flash events.
  • So CDNs will not have cached them and will not be
    prepared for the FE
  • Indeed, most CDN caches will not have these
    documents at the beginning of the FE
  • So there will be many misses at the beginning of
    an FE

18
Popularity of files
19
Also about clusters and file popularity
  • Requests for documents come from many different
    clusters
  • This means that with current CDNs many different
    servers will get requests for the same file,
    resulting in more misses for the files that are
    popular only during FEs

20
Password cracking
  • Much like DoS attacks
  • We must detect early and stop them
  • Detect 401 unauthorized messages
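The slide's detection rule, counting 401 Unauthorized responses per client so that a guessing run is noticed early, can be run over ordinary access logs. The Python below is an added example, not code from the presentation: the Common Log Format lines are constructed, and the window length, threshold and function names are my own assumptions.

```python
# Added example (not from the slides): flag password-guessing runs early by
# counting HTTP 401 responses per client over a sliding window. The log lines
# are constructed (Common Log Format) and the thresholds are illustrative.
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# ip ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) \S+')


def parse_line(line: str) -> Optional[Tuple[str, datetime, int]]:
    """Return (client_ip, timestamp, status) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, status = m.groups()
    return ip, datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"), int(status)


def find_guessers(lines: List[str], max_401: int = 5, window_secs: int = 60) -> Dict[str, str]:
    """Map each client that produced more than `max_401` 401 responses inside
    any `window_secs` window to the timestamp at which it crossed the line."""
    recent: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, str] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                       # skip unparseable lines, never crash on them
        ip, when, status = rec
        if status != 401:
            continue
        q = recent[ip]
        q.append(when)
        while (when - q[0]).total_seconds() > window_secs:
            q.popleft()                    # drop 401s that fell out of the window
        if len(q) > max_401 and ip not in flagged:
            flagged[ip] = when.isoformat()
    return flagged


def _line(ip: str, stamp: str, status: int) -> str:
    """Build one constructed Common Log Format line."""
    return f'{ip} - - [{stamp} +0000] "POST /login HTTP/1.0" {status} 512'


# Constructed log: a user who mistypes twice, a fast guessing run, and a
# client whose failures are spread out enough not to trip the window.
SAMPLE_LOG = [
    _line("10.1.2.5", "10/Oct/2000:13:50:00", 401),
    _line("10.1.2.5", "10/Oct/2000:13:50:05", 401),
    _line("10.1.2.5", "10/Oct/2000:13:50:09", 200),
] + [
    _line("172.16.4.1", f"10/Oct/2000:13:55:{s:02d}", 401) for s in (36, 40, 44, 48, 52, 56)
] + [
    _line("172.16.4.1", "10/Oct/2000:13:56:00", 401),
    _line("172.16.4.1", "10/Oct/2000:13:56:04", 401),
    "this line is not in log format",
] + [
    _line("198.51.100.7", f"10/Oct/2000:14:{m:02d}:00", 401) for m in (0, 2, 4, 6, 8, 10)
]

if __name__ == "__main__":
    print(find_guessers(SAMPLE_LOG))
```

The detector reports the moment the threshold is crossed rather than waiting for the run to finish, which is the "detect early" part of the slide; what to do with the flagged client (rate-limit, lock the account, or feed the cluster into the admission filter discussed later) is a policy decision outside the parser.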

21
Trends during attacks
  • During attacks most clients making requests were
    new, i.e. had never made requests before
  • Only 0.6% of the clusters seen at one site during
    the attack had been seen before, and the
    percentage of such clusters drops to 0.1% for
    another site.

22
Trends in DoS requests (Code Red)
23
Rise in Clusters vs Clients
DoS
FE
24
Overlap of clusters during DoS
  • Calculated overlap for DoS was
  • 0.6% in the creighton site
  • 0% in the fullnote site
  • 1.8% in the spccctxus site
  • 14.3% in the rellim site
  • Compare this to
  • 42.7% and 82.9% in the FEs studied
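The client-characteristics slides (network-aware clustering by longest prefix match, clients rising together with requests, a flat per-client request rate, and the share of "old" clusters) all come down to a few measurements over a request log. The Python below is an added example and not code from the presentation or the paper it summarizes: the prefix table is a constructed stand-in for prefixes taken from BGP routing tables, the request logs are constructed, and the function names are my own.

```python
# Added example (not code from the slides or the paper they summarize):
# network-aware clustering by longest-prefix match, then the client
# measurements the slides compare between flash events and DoS attacks.
# The prefix table and the request logs are constructed.
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set

# Stand-in for the prefixes assembled from BGP routing tables.
PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "10.1.0.0/16", "10.1.2.0/24", "172.16.0.0/12",
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",
)]


def cluster_of(ip: str, prefixes=PREFIXES) -> Optional[str]:
    """Longest matching prefix for `ip`, or None when no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net in prefixes:
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return None if best is None else str(best)


def cluster_clients(requests: Iterable[str]) -> Dict[Optional[str], Set[str]]:
    """Group the distinct client IPs in a request log by cluster."""
    clusters: Dict[Optional[str], Set[str]] = defaultdict(set)
    for ip in requests:
        clusters[cluster_of(ip)].add(ip)
    return dict(clusters)


def requests_per_client(requests: List[str]) -> float:
    return len(requests) / len(set(requests)) if requests else 0.0


def old_cluster_fraction(before: List[str], surge: List[str]) -> float:
    """Share of clusters active in `surge` that were already seen in `before`."""
    old = set(cluster_clients(before))
    active = set(cluster_clients(surge))
    return len(active & old) / len(active) if active else 0.0


def profile(before: List[str], surge: List[str]) -> Dict[str, float]:
    """The numbers the slides put side by side for an FE and a DoS attack."""
    return {
        "clients": len(set(surge)),
        "clusters": len(cluster_clients(surge)),
        "requests_per_client": requests_per_client(surge),
        "old_cluster_fraction": old_cluster_fraction(before, surge),
    }


# Constructed request logs: one entry per request (client IP).
BASELINE = ["10.1.2.5", "10.1.2.5", "10.1.7.9", "192.0.2.44",
            "203.0.113.8", "203.0.113.8"]
# FE-like surge: many more clients, mostly from clusters seen before,
# each still making about 1.5 requests.
FE_SURGE = ["10.1.2.5", "10.1.2.5", "10.1.2.31", "10.1.9.4", "10.1.9.4",
            "10.1.9.77", "192.0.2.44", "192.0.2.10", "192.0.2.10",
            "203.0.113.8", "203.0.113.21", "203.0.113.21",
            "198.51.100.7", "198.51.100.7", "198.51.100.9"]
# DoS-like surge: almost entirely new clusters, one request per source;
# 100.64.0.x has no covering prefix and lands in the None cluster.
DOS_SURGE = ["172.16.4.1", "172.16.4.2", "172.16.9.9", "172.20.0.3",
             "10.200.1.1", "10.200.1.2", "10.201.5.5", "198.51.100.50",
             "198.51.100.51", "203.0.113.99", "100.64.0.1", "100.64.0.2"]

if __name__ == "__main__":
    print("FE :", profile(BASELINE, FE_SURGE))
    print("DoS:", profile(BASELINE, DOS_SURGE))
```

Two details matter in practice: the longest match must win (10.1.2.5 belongs to 10.1.2.0/24, not to 10.0.0.0/8), and addresses no prefix covers should be kept as their own "unknown" group rather than silently dropped, because during an attack that group is often the one that grows.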

25
Comparing the two DoS vs FE
26
SOLUTION TIME!!!
  • What should the server do when it is being
    overwhelmed??
  • Discard more of the malicious requests
  • How?
  • Monitor users and their average request rate
  • Periodically cluster addresses
  • When overwhelmed, drop addresses that look
    malicious (those kept must belong to old clusters
    and continue normal request rates)
  • The solution is not too taxing on processing, and
    you can implement it as a filter in the accept()
    function

27
Will this always work??
  • Sometimes DoS attacks are able to flood the links,
    and then the server can do nothing
  • Since the attacker does not know who is using the
    site, they cannot know which clusters to send
    from (the author thinks this keeps the clustering
    information from helping attackers prepare). What
    do you think??

28
What about FEs?
  • If we know how to deal with DoS attacks we still
    have the problem of what to do when flash events
    happen
  • Solution: Adaptive CDN

29
Adaptive CDN
  • Dynamic Delegation
  • The more caches, the more requests, so use fewer
    caches with more space
  • Have primaries and delegates
  • When an FE is detected, the DNS server sends
    requests to delegates first, and they go to
    primaries
  • Only primaries can make requests to the origin
    server (clustering the caches)

30
Algorithm for Dynamic Delegation
  • When a node P is overloaded it redirects
    packets to another node that has a low load,
    using it as a delegate
  • When a node's load goes low it stops using delegates
  • Tests show this lowered load on the origin server
    by a factor of 50 in one test and 30 in the other
    without too high a load on the caches.
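The two adaptive-CDN slides describe a mechanism (primaries and delegates, delegation only while a primary is overloaded, only primaries talking to the origin) whose effect is easiest to see in a small simulation against a flat CDN where every cache fetches its misses from the origin. The Python below is an added example and not code from the presentation or the paper it summarizes; the workload (50 flash-only documents requested round-robin), the per-tick capacity model and the mapping of documents to primaries are constructed assumptions.

```python
# Added example (not code from the slides or the paper they summarize): a
# discrete-time simulation of dynamic delegation compared with a flat CDN.
# The workload and the document-to-primary mapping are constructed.
from typing import Dict, List


class Node:
    def __init__(self, name: str, capacity: int):
        self.name = name
        self.capacity = capacity   # requests it serves per tick before it is overloaded
        self.cached: set = set()
        self.load = 0              # requests handled in the current tick
        self.served = 0


def flash_workload(docs: int = 50, per_tick: int = 400, ticks: int = 5) -> List[List[str]]:
    """Constructed FE: `ticks` intervals, each `per_tick` requests cycling over `docs` documents."""
    return [[f"doc-{i % docs}" for i in range(per_tick)] for _ in range(ticks)]


def run_flat(workload: List[List[str]], n_caches: int) -> int:
    """Flat CDN: DNS spreads requests over all caches and every miss goes to
    the origin. Returns the number of origin fetches."""
    origin_fetches = 0
    caches = [Node(f"c{i}", capacity=0) for i in range(n_caches)]   # capacity unused here
    i = 0
    for tick in workload:
        for doc in tick:
            c = caches[i % n_caches]
            i += 1
            if doc not in c.cached:
                origin_fetches += 1
                c.cached.add(doc)
            c.served += 1
    return origin_fetches


def run_delegation(workload: List[List[str]], n_primaries: int,
                   n_delegates: int, capacity: int) -> Dict[str, int]:
    """Dynamic delegation: each document has one primary; an overloaded primary
    redirects to the least-loaded delegate, whose misses go to the primary
    (never the origin); only primary misses reach the origin."""
    primaries = [Node(f"p{i}", capacity) for i in range(n_primaries)]
    delegates = [Node(f"d{i}", capacity) for i in range(n_delegates)]
    stats = {"origin_fetches": 0, "delegated": 0, "primary_fetches": 0, "max_primary_load": 0}
    for tick in workload:
        for node in primaries + delegates:
            node.load = 0      # loads are per tick: once a primary is low again, delegation stops
        for doc in tick:
            # Document id modulo primaries stands in for a consistent hash that
            # clusters the caches: every request for doc-k has the same primary.
            p = primaries[int(doc.split("-")[1]) % n_primaries]
            if p.load < p.capacity:
                target = p
            else:
                target = min(delegates, key=lambda d: d.load)   # low-load delegate
                stats["delegated"] += 1
            target.load += 1
            target.served += 1
            if doc not in target.cached:
                if target is not p:
                    stats["primary_fetches"] += 1   # delegate miss -> primary
                    p.load += 1
                if doc not in p.cached:
                    stats["origin_fetches"] += 1    # primary miss -> origin
                    p.cached.add(doc)
                target.cached.add(doc)
        stats["max_primary_load"] = max(stats["max_primary_load"],
                                        max(n.load for n in primaries))
    return stats


if __name__ == "__main__":
    work = flash_workload()
    print("flat CDN, 8 caches: origin fetches =", run_flat(work, n_caches=8))
    print("2 primaries + 6 delegates:", run_delegation(work, 2, 6, capacity=100))
```

With eight flat caches each document is fetched from the origin once per cache that sees it, whereas with delegation every document reaches the origin exactly once, through its primary, no matter how many delegates end up serving it; the origin-load ratios the slide quotes (50 and 30) come from the paper's traces, not from this toy workload.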

31
Review
  • Flash Event (Flash Crowd)
  • FE vs DoS
  • Difference and Detection
  • Detecting and stopping
  • Dealing with FE using adaptive CDN