1 / 32

Countering DoS Attacks with Stateless Multipath Overlays

Countering DoS Attacks with Stateless Multipath Overlays. Presented by Yan Zhang. Overview. Background Problem formulation Architecture Implementation Evaluation. DDoS Attack. Distributed Denial of Service

lwisdom
Download Presentation

Countering DoS Attacks with Stateless Multipath Overlays

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Countering DoS Attacks with Stateless Multipath Overlays Presented by Yan Zhang

  2. Overview • Background • Problem formulation • Architecture • Implementation • Evaluation

  3. DDoS Attack • Distributed Denial of Service • An attacker is able to recruit a number of hosts (zombies) throughout the Internet to simultaneously or in a coordinated fashion launch an attack upon the target. • Typical DDoS: SYN flood attack, ICMP attack

  4. DDoS Attack-Direct

  5. DDoS Attack-Indirect

  6. Overlay Network • Overlay network :Acomputer network which is built on top of another network. • Node:in the overlay can be thought of as being connected by virtual or logical links, each of which corresponds to a path, perhaps through many physical links, in the underlying network

  7. IP network as an overlay network

  8. Overlay network & Benefits Purpose: To implement a network service that is not available in the existing network --Routing, Addressing, Security, Multicast, Mobility Benefits: • Do not have to deploy new equipment, or modify existing software/protocols • Do not have to deploy at every node

  9. Overview • Background • Problem formulation • Architecture • Implementation • Evaluation

  10. Traditional ION Traditional Indirection-based overlay network methods (like SOS,MayDay) make two assumptions: • Attack on fixed and bounded set of overlay nodes can only affect a small fraction of users • Attacker could not eavesdrop on link inside the network

  11. Problem Traditional ION has weakness: • Target attack: Attacker can follow the client’s connection and bring down the nodes which client tries to connect to. • Sweep attack: Degrade the connection by bringing down a portion of the overlay nodes at a time

  12. Related work • SOS (Keromytis et al) --Suggested using an overlay network to route traffic from legitimate users to a secret node • Stateless flow filter (Xuan et al) --By adding capabilities to packets • Ticket mechanism (Gligor ) --Clients must obtain tickets before they are allowed to access protected service

  13. Overview • Background • Problem formulation • Architecture • Implementation • Evaluation

  14. Spread-spectrum • Electromagnetic energygenerated in a particularbandwidthis deliberately spread in thefrequency domain, resulting in asignalwith a wider bandwidth. • CDMA is a typical spread spectrum communication

  15. Intuitive • To prevent “following” attack: By adopting “spread spectrum” approach, the client spreads its packets randomly across all access points. • To verify the authenticity: Using a token, at the expense of bandwidth

  16. Attack models • Sweep attack: Without internal knowledge of system, blindly sweep all nodes ---TCP SYN, ICMP flooding etc ----Like radio jamming in all channels • Targeted attack: Know which overlay node a client is using. More sophisticated ----Like eavesdrop and jam target frequency

  17. Traffic spreading issues • Spread the packets from clients across all overlay nodes in a pesudo-random manner • Randomly attack will only cause a fraction of packets loss • Duplicate the packets or using forward error correction to recover the loss

  18. Traffic Spreading

  19. Randomly redirect the authentication The client sends packet to a random overlay The receiving node forward the request to another random overlay node The attacker cold not determine which nodes to target Key and ticket establishment Protocol

  20. One round-trip only use first and last connection (from A to D) Two round-trip guarantees the liveness Key and ticket establishment Protocol

  21. Client-Overlay communication protocol

  22. Key and ticket establishment Protocol • To avoid reuse of the same ticket by multiple DDoS zombies, the range of valid sequence numbers for the ticket is kept relatively small (e.g., 500 packets) • The ticket is bound to the client’s IP,

  23. Overview • Background • Problem formulation • Architecture • Implementation • Evaluation

  24. Implementation • Connection Establishment Phase -- As described in the protocol part -- Establish session key and ticket -- Usually two round-trip

  25. Implementation • Packet Transmission Phase the client computes the index in the sorted list of IPs as: index = UMAC(Ku XOR sequence number) mod(n) • Ticket Renewal Phase When valid tickets are about to expire, the overlay node issues a new ticket with the same session key but larger max sequence number.

  26. Overview • Background • Problem formulation • Architecture • Implementation • Evaluation

  27. Evaluation • Impact of Sweeping attack with a modest amount of packet replication and striping at the client, the proposed method can handle even massive DoS attacks against the overlay • General ION attack resistance

  28. Throughput under attack Only 33% in the worst case scenario Increase the replication rate, the throughput get closer to the direct connection Performance evaluation

  29. As the replication factor is increased, and for larger networks, we get better average latency results. In the worst-case scenario, we get a 2.5 increase in latency, Performance evaluation

  30. The attack happens on a random fraction of the overlay nodes. Packet replication helps us achieve higher network resilience. Performance evaluation

  31. Latency V.S. Node failures Performance evaluation

  32. Summary • Proposed the first non-trivial attack model: both the simple types of flooding attacks, as well as more sophisticated attackers that can eavesdrop the victim’s communication link • Proposed the use of a spread-spectrum-like paradigm to create per-packet path diversity.

More Related