Resisting Denial-of-Service Attacks Using Overlay Networks Ju Wang Advisor: Andrew A. Chien...
-
Upload
stuart-barton -
Category
Documents
-
view
212 -
download
0
Transcript of Resisting Denial-of-Service Attacks Using Overlay Networks Ju Wang Advisor: Andrew A. Chien...
![Page 1: Resisting Denial-of-Service Attacks Using Overlay Networks Ju Wang Advisor: Andrew A. Chien Department of Computer Science and Engineering, University.](https://reader036.fdocuments.net/reader036/viewer/2022083008/56649ea85503460f94bac1b2/html5/thumbnails/1.jpg)
Resisting Denial-of-Service Attacks Using Overlay NetworksJu Wang Advisor: Andrew A. Chien
Department of Computer Science and Engineering, University of California San Diego
Denial-of-Service Attacks
Summary and Status
• Denial-of-Service (DoS) is a critical security problem– Attack important websites (yahoo, Amazon, etc)– Economic impact and political repercussions– DoS attacks are on the rise
• Attackers prevent legitimate users from receiving service– Application level: large work load to overload applications– Infrastructure level: direct attack on the application physical
infrastructure (e.g. traffic flood)
InternetInternet
Application
Service Infrastructure
Legitimate User
Attacker
• Overlay (proxy) networks protect applications from infrastructure level DoS attacks– Location Hiding: mediate communication between users and applications
without disclosing applications’ IP addresses– DoS Resilience: maintain proxy network connectivity to tolerate massive proxy
node failure due to DoS attacks, keeping applications accessible to users
Overlay (Proxy) Network Approach
ApplicationLegitimate User
Proxy Network Attacker
where?
• Location-Hiding– Can proxy networks achieve location-hiding? If so, under
what circumstances? (feasibility)– How long will it take attackers to reveal application
location? (metrics for goodness)– How do properties of defense & proxy networks affect
location-hiding? (parametric)• Resource recovery• Proxy network reconfiguration• Proxy network topology
• DoS Resilience and Performance– How well can proxy networks resist DoS attacks?– What is the performance impact of proxy networks?
Problems
Generic Framework for Location-Hiding
Resource Pool
ApplicationProxy Network
User
Attacker
Proxy Network Layered View
User Edge Proxy
Proxy
Resource Pool
(IP Network)
Host
Proxy Network
Application
Attacker
Overlay
Proxy Network Top View
Attack Model
• Proxies: software components run on hosts
• Proxies adjacent: iff their IP addresses are mutually known
• Proxy Network Topology: adjacency structure
• Only edge proxies publish their IP addresses
• Users access applications via edge proxies
• Goal: reveal application location (IP address)• Compromise hosts and reveal (expose) location of
adjacent proxies• Penetrate proxy network based on exposed location
information• Consider correlated host vulnerabilities
Defense Model
• Goal: recover compromised hosts, invalidate information attackers acquired
• Resource recovery– Recover compromised hosts– Reactive recovery: detection-triggered– Proactive reset: periodic reload/security patch
• Proxy network reconfiguration– Invalidate information attackers acquired– E.g. proxy migration
CompromisedExposed
Intact
Proxy state transition
Infrastructure level DoS Attack
• System state change as a stochastic process
• Rate of host compromises
• True-positiveness and speed of reactive recoveries
• Rate of proactive resets
• Rate of proxy migrations
• Correlation among host vulnerabilities
• Topology of proxy networks
Analytical Model
CompromisedIntact
Host state transition
Impact of attackImpact of defense
Feasibility of Location-Hiding
0 5 10 15 2010
0
105
1010
1015
1020
Proxy Network Depth (d)
Tim
e to
App
licat
ion
Exp
osur
e(un
it:
-1)
No RecoveryPerfect Recovery
r=10
0 10 20 30 40 500
10
20
30
40
50
60
70
80
90
100
Proxy Network Depth (d)
Tim
e T
o A
pplic
atio
n E
xpos
ure
(uni
t: -
1 )
Perfect Recovery, r=0.1
Perfect Recovery, r=0.5
No reconfiguration
Log scaleLinear scale
• Without reconfiguration, proxy networks cannot hide location• With sufficient proxy migration, location-hiding is feasible• Without correlated host vulnerabilities, the time to penetrate a proxy
network grows exponentially with its depthInterleave proxies on diversified hosts
0 5 10 15 20 25 30 350
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
Proxy Network Depth
Pe
ne
tra
tion
Pro
ba
bili
ty (
106 t
ime
ste
ps)
No Correlation ( domains)2 domains3 domains4 domains8 domains
r=10
0
s=10
0
v=0.99
0 5 10 15 20 25 30 350
50
100
150
200
250
300
350
400
Proxy Network Depth
Tim
e t
o A
pplic
atio
n E
xpo
sure
r=0.10,
0=0.01,
v=0.90
r=0.30,
0=0.01,
v=0.90
Correlated host vulnerability has qualitative impact; with high correlation, time to penetrate a proxy network grows sub-linearly with its depth
Exploit limited host diversity (below) to effectively contain this impact (behaves similarly to the uncorrelated case)
Impact of Topology on Location-Hiding
Robust (favorable)Vulnerable (unfavorable)
Overlay Topologies
Good or robust topologies: hard to penetrate and defenders can easily defeat attackers
Bad or vulnerable topologies: attackers can quickly propagate and remain inside the proxy network
,
,
,,
,
bad good
Theorem of Robustness Average degree 1 of G is smaller than the ratio of speed between defenders and attackers: (+)/ > 1, is speed of attack, and are speed of defense
- Even if many nodes are initially compromised, attackers’ impact can be quickly removed in O(logN) steps
- Low average degrees are favorable
Theorem of Vulnerability Neighborhood expansion property of G is larger than the ratio of speed between defenders and attackers: > /- Even if only one node is initially exposed, attackers’ impact quickly propagate, and will linger forever (applies to all sub-graphs)
- Large clusters (tightly connected sub-graphs) are unfavorable
hard to beat attackersinside the cluster
This work is supported in part by the National Science Foundation under awards NSF EIA-99-75020 Grads and NSF Cooperative Agreement ANI-0225642 (OptIPuter), NSF CCR-0331645 (VGrADS), NSF NGS-0305390, and NSF Research Infrastructure Grant EIA-0303622. Support from Hewlett-Packard, BigBangwidth, Microsoft, and Intel is also gratefully acknowledged.
• Location-Hiding: finished analytical and simulation study– Proxy networks are a feasible approach for location-
hiding to resist host compromise penetration attacks– Proxy network depth and reconfiguration rate are keys
to location-hiding; existing schemes (e.g. SOS, i3) employing static structures cannot hide location because attackers gain information monotonically
– Two theorems to characterize robust and vulnerable topologies for location-hiding; find popular overlays (e.g. Chord) not favorable
• DoS Resilience & Performance:– Simulation testbed: MicroGrid Internet emulator– A prototype proxy network implementation– A real app: apache, a real DoS attack tool “Trinoo”– Study performance impact and how distribution and
intensity/magnitude of DoS attack affect user observed delay and service disruption
Neighborhood expansion
In both figures, is host compromise rate, µr is proxy migration rate Domain corresponds to host diversity