
Protecting Web Servers from Content Request Floods






Presentation Transcript


  1. Protecting Web Servers from Content Request Floods
     Srikanth Kandula ▪ Shantanu Sinha ▪ Dina Katabi ▪ Matthias Jacob
     CSAIL – MIT

  2. The Attack
     Diagram: clients send requests such as "GET LargeFile.zip" and "DO LongDBQuery" to www.foo.com.
     Want to protect DB and disk bandwidth, socket buffers, processes, …
     Hard to detect or counter because malicious requests look normal!

  3. A Fairness Problem
     Diagram: humans and machines all pass through a user filter before reaching the server resources.
     Problem – each machine gets an equal share.
     Solution – ensure that each human gets an equal share.

  4. Establishing Fairness
     Use a reverse Turing test. Test page shown: "Suspected attack! To access www.foo.com enter the above letters:"

  5. Establishing Fairness
     Use a reverse Turing test.
     Existing solutions: "Give me www.foo.com" → "Under attack. Come back later."
     Our solution: "Give me www.foo.com" → "Under attack. Come back later. BTW, can solve test to access now."

  6. 2 Modes: Normal and Under Attack
     Common case: server behavior unchanged.

  7. Solution Overview
     Diagram (client unchanged): Client → SYN → Server; Server → SYN cookie (in the SYNACK) → Client; Client → ACK (ignored, no connection state) + HTTP request → Server; Server verifies the SYN cookie, sends the test, then TCP RST. No connection until the test is answered.
     Other characteristics:
     • One test per session
     • Tests generated offline
     • Test expires
     • Replay attacks are harmless
     • Each answer grants up to 4 TCPs
     • Can't attack by duplicating answers

  8. Solution Overview – unmodified server
     Diagram: Client → SYN → Server network stack allocates SYN RECV state; Server → SYNACK → Client; Client → ACK → connection established; HTTP request passed to the app server; HTTP response returned.
     Vulnerable to SYN floods.

  9. Solution Overview – Common Case
     Diagram: Client → SYN → Server network stack creates a SYN cookie and returns it in the SYNACK; Client → ACK → ignored, no connection established; Client → HTTP request → Server verifies the cookie, sends out a test from memory, then RST. The app server is not involved.

  10. Solution Overview – Common Case
      Diagram: Client → SYN → Server creates a SYN cookie and returns it in the SYNACK; Client → ACK → ignored; Client → test answer → Server verifies cookie & answer → connection established → HTTP request to the app server → HTTP response.
      Grant access if the answer is correct. Tests are generated offline.

  11. Solution Overview – Server behavior unchanged (Common case)
      Diagram: SYN → create cookie → SYN cookie → ACK ignored → HTTP request → verify cookie → send test → RST.
      • Create session after a correct answer
      • Up to 4 TCP connections per answer
      • One test per browsing session
      • Tests generated offline

  12. Solution Overview – Server behavior unchanged (Common case)
      Diagram: SYN → create cookie → SYN cookie → ACK ignored → test answer → verify cookie & answer → HTTP response.
      • Create session after a correct answer
      • Up to 4 TCP connections per answer
      • One test per browsing session
      • Tests generated offline

  13. Extra – What If?
      User doesn't want to solve the test? "Give me www.foo.com" → "Under attack. Come back later. BTW, solve the test to access now."
      Attacker distributes a few answers to all worms? Each test allows access to limited resources.
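The handshake on slides 7–12 and the limited-resource answer on slide 13, as an added simulation (not the authors' code or their kernel modification): both sides' messages are plain dicts, the SYN cookie, the test ticket and the session token are HMACs (an assumption; the slides do not say how they are encoded), the 120-second expiry and all names are assumed, and the "tests" are constructed text puzzles standing in for the image-based reverse Turing tests. It shows that the server creates no state until an answer verifies, that a correct answer buys at most 4 connections, and that a replayed or expired answer buys nothing more.

```python
"""Simulation of the slides' test-before-connection handshake. Added example, not
the authors' code: the HMAC cookie/ticket/token construction, the 120 s test
expiry and all names are assumptions; the puzzles are constructed stand-ins."""
import hashlib, hmac, secrets
from dataclasses import dataclass, field

CONNS_PER_ANSWER = 4   # from the slides: each answer grants up to 4 TCP connections
TEST_TTL = 120         # assumption: a served test expires after 120 seconds

@dataclass
class Server:
    under_attack: bool = False
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    tests: list = field(default_factory=list)     # (challenge, answer), generated offline
    next_test: int = 0
    sessions: dict = field(default_factory=dict)  # token -> TCP connections used so far
    served: list = field(default_factory=list)    # request paths that reached the app server

    def generate_tests_offline(self, n):
        # Stand-in for the slides' offline test generation (constructed text puzzles).
        for answer in (secrets.token_hex(3) for _ in range(n)):
            self.tests.append((f"enter the letters: {answer}", answer))

    def _mac(self, *parts):
        msg = "|".join(str(p) for p in parts).encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:24]

    def on_syn(self, client, now):
        # SYN cookie carried in the SYNACK: the server allocates no SYN RECV state.
        return {"type": "SYNACK", "cookie": self._mac("syn", client, int(now) // 60)}

    def _cookie_ok(self, client, cookie, now):
        minute = int(now) // 60
        return any(hmac.compare_digest(cookie, self._mac("syn", client, m))
                   for m in (minute, minute - 1))

    def on_ack(self, client, cookie, request, now, answer=None):
        if not self._cookie_ok(client, cookie, now):
            return {"type": "IGNORE"}            # ACK without a valid cookie: drop it
        if not self.under_attack:
            return self._serve(request)          # normal mode: server behaviour unchanged
        token = request.get("token")
        if token in self.sessions:               # returning client spending its budget
            if self.sessions[token] >= CONNS_PER_ANSWER:
                return {"type": "RST", "reason": "answer exhausted"}
            self.sessions[token] += 1
            return self._serve(request)
        if answer is not None:
            return self._check_answer(client, answer, request, now)
        # Unknown client while under attack: send a pre-generated test, then reset.
        tid, self.next_test = self.next_test, (self.next_test + 1) % len(self.tests)
        return {"type": "TEST", "challenge": self.tests[tid][0], "test_id": tid, "issued": int(now),
                "ticket": self._mac("test", tid, client, int(now)), "reset": True}

    def _check_answer(self, client, ans, request, now):
        tid, issued = ans["test_id"], ans["issued"]
        if not hmac.compare_digest(ans["ticket"], self._mac("test", tid, client, issued)):
            return {"type": "RST", "reason": "forged ticket"}
        if now - issued > TEST_TTL:
            return {"type": "RST", "reason": "test expired"}
        if ans["text"] != self.tests[tid][1]:
            return {"type": "RST", "reason": "wrong answer"}
        # Correct answer: only now is per-client state (a session) created. A replayed
        # answer maps to the same token, so duplicating it cannot buy more connections.
        token = self._mac("session", tid, client, issued)
        if self.sessions.setdefault(token, 0) >= CONNS_PER_ANSWER:
            return {"type": "RST", "reason": "answer exhausted"}
        self.sessions[token] += 1
        return dict(self._serve(request), token=token)

    def _serve(self, request):
        self.served.append(request["path"])     # connection established; app server answers
        return {"type": "HTTP 200", "path": request["path"]}

def client_connect(server, client, request, now, answer=None):
    """One client attempt: SYN -> SYNACK(cookie) -> ACK + request (+ test answer)."""
    return server.on_ack(client, server.on_syn(client, now)["cookie"], request, now, answer)

def demo():
    s = Server()
    s.generate_tests_offline(3)
    c, req = "10.0.0.1", {"path": "/LargeFile.zip"}
    out = {"normal": client_connect(s, c, req, 1000)["type"]}
    s.under_attack = True
    test = client_connect(s, c, req, 1001)
    out["challenged"] = test["type"]
    ans = {"test_id": test["test_id"], "issued": test["issued"],
           "ticket": test["ticket"], "text": s.tests[test["test_id"]][1]}
    granted = client_connect(s, c, req, 1005, answer=ans)
    out["solved"] = granted["type"]
    budget = {"path": "/q", "token": granted["token"]}
    out["with_token"] = [client_connect(s, c, budget, 1006)["type"] for _ in range(4)]
    out["replay"] = client_connect(s, c, req, 1007, answer=ans)["type"]
    out["expired"] = client_connect(s, c, req, 1001 + TEST_TTL + 1, answer=ans)["type"]
    out["bogus_cookie"] = s.on_ack("10.0.0.2", "0" * 24, req, 1008)["type"]
    return out
```

Running `demo()` walks through the slides' cases: in normal mode the request is served directly; under attack the first contact gets a TEST and a reset with `sessions` still empty; the correct answer is served and receives a token worth three more connections, after which the fourth attempt and any replay of the same answer get RST; an answer submitted after the TTL is rejected as expired; an ACK whose cookie does not verify is simply ignored. Real SYN cookies encode the sequence number and MSS rather than an HMAC tag, and the original work delivers the test inside the network stack before the application ever sees a socket, which this dict-based model only mimics.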

  14. Establishing Fairness – Different from Prior Work
      Use a reverse Turing test (test page: "Suspected attack! To access www.foo.com enter the above letters:").
      • Crypto puzzles are easy since computation power is cheap
      • Yahoo! only protects disk space during account creation
      • We want to receive requests, deliver puzzles, validate answers before establishing a TCP connection

  15. Establishing Fairness
      Use a reverse Turing test (test page: "Suspected attack! To access www.foo.com enter the above letters:").
      Yahoo uses RTT to protect disk space. We receive requests, serve tests, validate answers before establishing a TCP connection.
      "Give me www.foo.com" → "Under attack. Come back later. BTW, solve the test to access now." Users who solve a test can access the server.
