170 likes | 315 Views
SOS: An Architecture For Mitigating DDoS Attacks. Angelos D. Keromytis, Vishal Misra, Dan Rubenstein ACM SIGCOMM 2002 Presented By : Tracy Wagner CDA 6938 April 12, 2007. Outline. Introduction SOS Architecture Defense Against Attacks Performance Strength Weaknesses Future Work.
E N D
SOS: An Architecture For Mitigating DDoS Attacks Angelos D. Keromytis, Vishal Misra, Dan Rubenstein ACM SIGCOMM 2002 Presented By: Tracy Wagner CDA 6938 April 12, 2007
Outline • Introduction • SOS Architecture • Defense Against Attacks • Performance • Strength • Weaknesses • Future Work
Introduction • SOS – Secure Overlay Services • Proactively secure communications between known entities against Denial of Service (DoS) Attacks • Assumes a pre-determined set of approved clients communicating with a target • Focus efforts on a site that stores information that is difficult to replace
SOS Architecture • Target • Selects some subset of nodes to act as Secret Servlets • Accepts traffic only from Secret Servlet IPs • Secret Servlets • Verifies authenticity of request to act as Secret Servlet • Identifies Beacon Nodes
SOS Architecture • Beacon Nodes • Notified by either Secret Servlets or Target of their role (“Hey, you’re a Beacon!”) • Verify validity of information received • Forwards traffic received to particular Secret Servlet associated with Target
SOS Architecture • Secure Overlay Access Point (SOAP) Nodes • Authenticates and authorizes request from client to communicate with Target • Securely routes all traffic to Target via Beacon nodes
Protection Against DoS • If an SOAP node is attacked, source point can enter through an alternate SOAP node • If a node within the overlay is attacked, the node “exits” and the overlay provides new paths to Beacons • No node is more important or sensitive than any other • If Secret Servlet is compromised, new subset of Secret Servlets can be chosen
Defending Against Attack • Security Analysis Assumptions: • An attacker knows and can attack overlay nodes • Attacker does not know functionality of any given node, and cannot determine it • Bandwidth available to launch an attack is limited • Attack packets can always be identified as illegitimate traffic • Different users access overlay via different SOAPs • A node can simultaneously act as a SOAP, Beacon and/or Secret Servlet
Defending Against Static Attacks • ~40% of nodes must be attacked simultaneously for attack to succeed once out of 10,000 attempts • Increasing number of Beacons and Secret Servlets quickly drops probability of successful attack
Defending Against Dynamic Attacks • Dynamic Attack allows for SOS to self-heal; Attacker can then alter attack in response • Centralized vs. Distributed Repair Process • Centralized vs. Distributed Attack Process
Defending Against Network Attacks • Several zombies launch attack on Target • Triggered immediately or at some specified time • Anonymizing the Attacked Node • When Secret Servlet Identity is unknown, attacks randomly launched into overlay • Only a fraction of attack traffic will reach appropriate servlet • Placing targeted servlet in an overlay of size 30 reduces probability of attack by 4 orders of magnitude
Performance • Measurement of time-to-completion of https requests • Depending upon the number of nodes in the overlay, the time-to-completion increases by a factor of 2-10
Performance • Shortcut Implementation • SOAPs contact Beacon nodes to determine Secret Servlet; cache information and route future traffic from source directly to Servlet • Latency increases by as little as a factor of 2
Strengths • Proactive approach to fighting Denial of Service (DoS) attacks • Overlay can self-heal when a participant node is attacked • Scalable access control
Weaknesses • Assumes, for security analysis, that no attack can come from inside the overlay • Assumes that an attacker cannot mask illegitimate traffic to appear legitimate • To improve scalability, the number of SOAPs, Beacons, and Secret Servlets are limited – which lessens protection from DoS attacks • Shortcut implementation does not protect secret information
Future Work • More details about how repair and attack processes will function • Evaluation of damage and attack that can come from inside the overlay • Consideration of attack traffic that may be able to pass through overlay • Exploration of overlays shared by multiple organizations in a secure manner • Investigation of possible shortcuts through the overlay that do not compromise security