Mitigating DoS Attack Through Selective Bin Verification

1
Mitigating DoS Attack Through Selective Bin
Verification

• Micah Sherra, Michael Greenwaldb,
• Carl A. Gunterc, Sanjeev Khannaa, and
• Santosh S. Venkatesha
• NPSec 2005
• November 6th, 2005
• a University of Pennsylvania
• b Bell Labs
• c University of Illinois at Urbana-Champaign

2
Distributed Denial of Service (DDoS)
3
Existing Countermeasures

• Increase capacity
• Augment networks with additional equipment
• Costly
• Filter out DoS traffic
• Focus of academic literature
• Discriminate between normal and malicious traffic
• Assumes such disambiguation is possible
• Rely on traffic profiles or assistance from
  routers

4
Selective Bin Verification

• First proposed in DoS Protection for Reliably
  Authenticated Broadcast Gunter et al (NDSS
  '04)
• Contributions of this work
• Bin verification applied to client-server model
• Introduction of multiple simultaneous senders
• Mitigates DoS attack even when
• Attack packets permeate network
• No network disambiguation possible
• Does not hinder (even improves!) reliability
• Assumes sparse resource is computation, not
  network bandwidth

5
Sequential Selective Verification

• Broadcaster transmits authenticated broadcast
  stream
• expensive for receiver to validate (signature
  check)
• Observation disparity between bandwidth used by
  legitimate sender (broadcaster) and attacker
  (assume multicast communication)

1
2
3
4
5
6
n
...
1
3
2
...
6
Sequential Selective Verification Algorithm

• Assume DoS attack at maximum strength
• Assume sender uses small portion of available
  bandwidth
• Legitimate sender transmits c copies of each
  message
• Receivers selectively verify packet with
  probability p
• Probability that a legitimate packet will be
  discarded is (1-p)c
• Linear reduction in required number of
  inspections

7

• Can we apply the same principal for
• client-server architectures?
• Yes! Selective Bin Verification
• Server has n bins
• Each well-formed message has identifier b
• Honest client starts at some int r, increments
  identifier with each message copy
• Server places incoming message into bin (b mod n)
• After collection interval, receiver processes
  smallest k bins, discards the rest

8
Sender/Client (Alice)
Zombies
Copy 6
Copy 1
Copy 1
Copy 2
Copy 2
Copy 3
Copy 3
Copy 4
Copy 5
Copy 4
Copy 5
Copy 1
Copy 2
Copy 3
Copy 4
Copy 5
Copy 1
Copy 2
Copy 3
Copy 4
Copy 5
Server (Bob)
9
Experimental Setup

• Goal Determine how well binning technique
  protects expensive, real-world protocol.
• Multiple clients (threads) connected to single
  server
• X.509 Two-Pass securely transmit key k to
  receiver
• (1) A ? B cert, D, SA(D) where
• (2) B ? A OK D r,B,PB(k)
• Emulated loss rate (L)

10
DoS Resilience

• How well does selective bin verification perform
  compared to straightforward implementation?
• 50 senders/clients
• 1 server
• 20 bins
• 3 selected bins
• Attack diminished approximately by factor of
  bins inspected / of bins

11
Reliability of Binning Technique

• Message may not be processed (failure) due to
  loss rate
• w/o binning, fixed at 1-L
• Does binning impair reliability?
• Can derive expected failure rate
• Can adjust number of copies to compensate
• Experimental results confirms our analysis

• 100 senders
• 20 bins
• 20 loss rate

12
Subset Attack

• What if attacker doesn't stripe his attack?
• Remember sender (good or evil) controls message
  placement
• Theorem The contribution of inspections due to
  DoS is maximized when the attack is evenly
  distributed across all n bins. Pf see paper.
• Optimal strategy is therefore to use equal
  distribution policy.

13
Conclusions

• Under certain protocol and topology assumptions,
  selective bin verification is effective even when
  flood reaches receiver
• Tunable parameters make it a promising technique
  for large attacks
• Future enhancements
• Activating binning during attack, deactivated in
  steady state (reduces overhead)
• Formal analysis of which protocols may benefit
  best
• Combining with network-based defenses
• Formulate and prove optimality theorem

14
Questions?
15
Extra Slides(not part of presentation)
16

• Theorem The contribution of inspections due to
  DoS is maximized when the attack is evenly
  distributed across all n bins.
• Proof
• Let L(s)total number of adversary packets in S
  smallest bins, where s is attacker's distribution
  function (s(i) of packets sent to bin i).
• Let s' be the equal distribution (for simplicity,
  for all i,j, s'(i)s'(j)).
• Since the k-smallest bins can never contain more
  messages than k times the average bin load, then
  for all s, L(s) L(s').

17
Sequential vs. Bin Verification

• Bin verification
• Suppose we have n bins and m senders and each
  sender sends n copies
• In absence of network loss, satisfy all m senders
  by choosing single bin. Server's load is
  therefore 1 packet/sender
• Sequential verification
• To get load of 1 packet/sender, server needs to
  discard with probability (1-1/n)
• Probability that none of a sender's packets are
  received is roughly 1/e (m/e senders will have no
  packets received)
• With binning, 100 success rate, w/o binning only
  63.21

18
In n rounds of the protocol Without selective
verification With selective verification inspe
ctions n(1A) Einspections n(p(c
A)) failures 0 Efailures
n((1-p)c) E.g., n1000, A 1000 set c 25,
p0.12 Without selective verification With
selective verification inspections
1,001,000 Einspections 123,000 failures
0 Efailures 40.9 A attack
messages/round, p insp. probability, c sender
copies