
Resisting Denial-of-Service Attacks Using Overlay Networks

Ju Wang, Advisor: Andrew A. Chien

Department of Computer Science and Engineering, University of California San Diego

Denial-of-Service Attacks

Summary and Status

• Denial-of-Service (DoS) is a critical security problem
– Attack important websites (Yahoo, Amazon, etc.)
– Economic impact and political repercussions
– DoS attacks are on the rise

• Attackers prevent legitimate users from receiving service
– Application level: large workload to overload applications
– Infrastructure level: direct attack on the application's physical infrastructure (e.g. traffic flood)

[Figure labels: Internet, Application, Service Infrastructure, Legitimate User, Attacker]

• Overlay (proxy) networks protect applications from infrastructure level DoS attacks
– Location Hiding: mediate communication between users and applications without disclosing applications’ IP addresses
– DoS Resilience: maintain proxy network connectivity to tolerate massive proxy node failure due to DoS attacks, keeping applications accessible to users

Overlay (Proxy) Network Approach

[Figure labels: Application, Legitimate User, Proxy Network, Attacker ("where?")]

• Location-Hiding
– Can proxy networks achieve location-hiding? If so, under what circumstances? (feasibility)
– How long will it take attackers to reveal application location? (metrics for goodness)
– How do properties of defense & proxy networks affect location-hiding? (parametric)
    • Resource recovery
    • Proxy network reconfiguration
    • Proxy network topology

• DoS Resilience and Performance
– How well can proxy networks resist DoS attacks?
– What is the performance impact of proxy networks?

Problems

Generic Framework for Location-Hiding

[Figures: Proxy Network Layered View and Proxy Network Top View. Labels: User, Edge Proxy, Proxy, Overlay, Proxy Network, Host, Resource Pool (IP Network), Application, Attacker]

Attack Model

• Proxies: software components run on hosts

• Proxies adjacent: iff their IP addresses are mutually known

• Proxy Network Topology: adjacency structure

• Only edge proxies publish their IP addresses

• Users access applications via edge proxies

• Goal: reveal application location (IP address)

• Compromise hosts and reveal (expose) location of adjacent proxies

• Penetrate proxy network based on exposed location information

• Consider correlated host vulnerabilities

Defense Model

• Goal: recover compromised hosts, invalidate information attackers acquired

• Resource recovery
– Recover compromised hosts
– Reactive recovery: detection-triggered
– Proactive reset: periodic reload/security patch

• Proxy network reconfiguration
– Invalidate information attackers acquired
– E.g. proxy migration

[Figure: Proxy state transition. States: Intact, Exposed, Compromised]

Infrastructure level DoS Attack

• System state change as a stochastic process

• Rate of host compromises

• True-positiveness and speed of reactive recoveries

• Rate of proactive resets

• Rate of proxy migrations

• Correlation among host vulnerabilities

• Topology of proxy networks

Analytical Model

[Figure: Host state transition. States: Intact, Compromised. Transitions: impact of attack, impact of defense]

Feasibility of Location-Hiding

[Figure, log scale: Time to Application Exposure (unit: -1) vs. Proxy Network Depth (d). Curves: No Recovery; Perfect Recovery. Parameter: r=10]

[Figure, linear scale: Time To Application Exposure (unit: -1) vs. Proxy Network Depth (d). Curves: Perfect Recovery, r=0.1; Perfect Recovery, r=0.5; No reconfiguration]

• Without reconfiguration, proxy networks cannot hide location

• With sufficient proxy migration, location-hiding is feasible

• Without correlated host vulnerabilities, the time to penetrate a proxy network grows exponentially with its depth

Interleave proxies on diversified hosts

[Figure: Penetration Probability (10^6 time steps) vs. Proxy Network Depth. Curves: No Correlation ( domains); 2 domains; 3 domains; 4 domains; 8 domains. Parameters: r=10 0, s=10 0, v=0.99]

[Figure: Time to Application Exposure vs. Proxy Network Depth. Curves: r=0.10, 0=0.01, v=0.90; r=0.30, 0=0.01, v=0.90]

Correlated host vulnerability has qualitative impact; with high correlation, time to penetrate a proxy network grows sub-linearly with its depth

Exploit limited host diversity (below) to effectively contain this impact (behaves similarly to the uncorrelated case)

Impact of Topology on Location-Hiding

[Figure labels: Robust (favorable), Vulnerable (unfavorable)]

Overlay Topologies

Good or robust topologies: hard to penetrate and defenders can easily defeat attackers

Bad or vulnerable topologies: attackers can quickly propagate and remain inside the proxy network


Theorem of Robustness

Average degree 1 of G is smaller than the ratio of speed between defenders and attackers: (+)/ > 1, is speed of attack, and are speed of defense

- Even if many nodes are initially compromised, attackers’ impact can be quickly removed in O(logN) steps

- Low average degrees are favorable

Theorem of Vulnerability

Neighborhood expansion property of G is larger than the ratio of speed between defenders and attackers: > /

- Even if only one node is initially exposed, attackers’ impact quickly propagates, and will linger forever (applies to all sub-graphs)

- Large clusters (tightly connected sub-graphs) are unfavorable: hard to beat attackers inside the cluster

This work is supported in part by the National Science Foundation under awards NSF EIA-99-75020 Grads and NSF Cooperative Agreement ANI-0225642 (OptIPuter), NSF CCR-0331645 (VGrADS), NSF NGS-0305390, and NSF Research Infrastructure Grant EIA-0303622. Support from Hewlett-Packard, BigBangwidth, Microsoft, and Intel is also gratefully acknowledged.

• Location-Hiding: finished analytical and simulation study
– Proxy networks are a feasible approach for location-hiding to resist host compromise penetration attacks
– Proxy network depth and reconfiguration rate are keys to location-hiding; existing schemes (e.g. SOS, i3) employing static structures cannot hide location because attackers gain information monotonically
– Two theorems to characterize robust and vulnerable topologies for location-hiding; find popular overlays (e.g. Chord) not favorable

• DoS Resilience & Performance:
– Simulation testbed: MicroGrid Internet emulator
– A prototype proxy network implementation
– A real app: Apache, a real DoS attack tool “Trinoo”
– Study performance impact and how distribution and intensity/magnitude of DoS attack affect user observed delay and service disruption

Neighborhood expansion

In both figures, is host compromise rate, µr is proxy migration rate. Domain corresponds to host diversity.
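
The feasibility findings above (static proxy networks cannot hide location; with sufficient migration the time to exposure grows exponentially with depth) can be reproduced with a much simpler model than the poster's. The following is an added example, not the authors' analytical model: it assumes a single chain of proxies, a host compromise rate `lam`, a proxy migration rate `mu_r`, and that each migration pushes the attacker back exactly one layer; all function names are hypothetical.

```python
import random

def expected_exposure_time(depth, lam, mu_r):
    """Mean time for the attacker to pass `depth` proxy layers (closed form).

    Birth-death chain: T_k = 1/lam + (mu_r/lam) * T_{k-1} is the mean time
    to advance from layer k to k+1; the answer is the sum over all layers.
    """
    total, t_layer = 0.0, 0.0
    for _ in range(depth):
        t_layer = 1.0 / lam + (mu_r / lam) * t_layer
        total += t_layer
    return total

def simulate_exposure_time(depth, lam, mu_r, rng):
    """One random run of the same chain (Gillespie-style event simulation)."""
    layer, t = 0, 0.0
    while layer < depth:
        # Migration can only undo progress the attacker has already made.
        rate = lam + (mu_r if layer > 0 else 0.0)
        t += rng.expovariate(rate)
        if layer > 0 and rng.random() < mu_r / rate:
            layer -= 1   # migration invalidates the deepest exposed address
        else:
            layer += 1   # host compromised, next layer's address exposed
    return t

def mean_simulated_time(depth, lam, mu_r, trials=5000, seed=1):
    """Average of `trials` simulated runs, seeded for repeatability."""
    rng = random.Random(seed)
    runs = (simulate_exposure_time(depth, lam, mu_r, rng) for _ in range(trials))
    return sum(runs) / trials

if __name__ == "__main__":
    # Constructed parameters: time is measured in units of 1/lam.
    for depth in (2, 4, 8, 16):
        static = expected_exposure_time(depth, 1.0, 0.0)    # no reconfiguration
        moving = expected_exposure_time(depth, 1.0, 2.0)    # migration 2x faster
        print(f"depth={depth:2d}  static={static:8.1f}  migrating={moving:10.1f}")
    print("simulated, depth=4:", round(mean_simulated_time(4, 1.0, 2.0), 1))
```

With `mu_r = 0` the exposure time is only `depth / lam`, so adding layers to a static network buys linear delay; once `mu_r` exceeds `lam` each extra layer multiplies the delay, which is the defender's argument for combining depth with reconfiguration.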