420 likes | 557 Views
Exposing and Eliminating Vulnerabilities to Denial of Service Attacks in Secure Gossip-Based Multicast. Agenda. Overview of gossip-based multicast The problem Proposed solution Analysis and simulations Implementation and measurements Conclusions. Multicast. A group of members
E N D
Exposing and Eliminating Vulnerabilities to Denial of Service Attacks in SecureGossip-Based Multicast Strayer University at Arlington, VA
Agenda • Overview of gossip-based multicast • The problem • Proposed solution • Analysis and simulations • Implementation and measurements • Conclusions Strayer University at Arlington, VA
Multicast • A group of members • At least one member is a source – generates messages • Messages should arrive to all of the group members in a timely fashion • Network level vs. application level (ALM) Strayer University at Arlington, VA
Source Tree-Based Multicast • Use a spanning tree – most common solution • No duplicates (optimal BW when network-level) • Single points of failure Strayer University at Arlington, VA
Gossip-Based Multicast • Progresses in rounds • Every round • Choose random partners (view ) • Send or receive messages • Discard old msgs from buffer • Probabilistic reliability • Trades latency and BW for redundancy • Two methods • Push • Pull Strayer University at Arlington, VA
Push Source Strayer University at Arlington, VA
Pull Source Strayer University at Arlington, VA
Hostility over the Internet • Forgery/spoofing • Penetration • Denial of Service (DoS) Strayer University at Arlington, VA
Denial of Service • Unavailability of service • Methods • Exploiting bugs • Exhausting resources • Remote attacks • Network level • Application level • Got little attention • No quantitative analysis of impact on application Strayer University at Arlington, VA
Dollar Amount of Losses by Type Strayer University at Arlington, VA
Valid Request Bogus Request Remote Application-Level DoS No Attack DoS Attack Strayer University at Arlington, VA
Effects of DoS on Gossip • Reasonable to assume that source is attacked • Surprisingly, we show that naïve gossip is vulnerable to DoS attacks • Attacking a process in pull-based gossip may prevent it from sending messages • Attacking a process in push-based gossip may prevent it from receiving messages Strayer University at Arlington, VA
Our Solution • Drum – a new gossip-based ALM protocol • Utilizes DoS-mitigation techniques • Separating and bounding resources • Combining both push and pull • Using random one-time ports to communicate • Proven robust using formal analysis and quantitative evaluation • Provides general methods for analyzing and quantitatively evaluating resistance to DoS-attacks Strayer University at Arlington, VA
Round Duration Valid Request Bogus Request Bounding Resources • Motivation: prevent resource exhaustion • Each round process a random subset of the arriving messages and discard the rest Strayer University at Arlington, VA
Combining Push and Pull • Attacking push cannot prevent receiving messages via pull (random ports) • Attacking pull cannot prevent sending via push Strayer University at Arlington, VA
Random Ports • Any request necessitating a reply contains a random port number • “Invisible” to the attacker (e.g., encrypted) • The reply is sent to that random port • Assumption: attacking other ports does not affect the random port’s queue (i.e., there is no BW exhaustion) Strayer University at Arlington, VA
Drum’s Push Mechanism • Alice sends Bob a push-offer • Bob replies with a digest of messages he has already received • Alice only sends Bob messages missing from his digest • Random ports Strayer University at Arlington, VA
Evaluation Methodology • Compare 3 protocols • Push (push-based with bounded resources) • Pull (pull-based with bounded resources) • Drum • Under various DoS attacks • Fixed strength • Increasing strength • Source is always attacked • Evaluates combination of Push and Pull Strayer University at Arlington, VA
Evaluation Methodology (cont.) • Measure propagation time – expected number of rounds it takes a message to reach all of the correct processes • 99% in the simulations and actual measurements • Use real implementation to measure actual latency and throughput Strayer University at Arlington, VA
Analysis/Simulation Assumptions • Static group with complete connectivity • Processes have complete group knowledge • Propagation of a single message M • But simulate situation where all procs have msgs to send • M is never purged from local buffers • Rounds are synchronized • All round operations complete within the same round • All processes are correct (analysis) or 10% of them perform a DoS attack (simulation) Strayer University at Arlington, VA
Validating Known Results • The propagation time of gossip-based multicast protocols is O(log n) [P87, KSSV00] Strayer University at Arlington, VA
Validating Known Results (cont.) • The performance of gossip-based multicast protocols degrades gracefully as failures amount [LMM00, GvRB01] Strayer University at Arlington, VA
Definitions • n – number of processes in the group • F – size of view, and max # of requests to process in a round (F = 4 ) • – percentage of attacked processes • x – number of bogus messages an attacked process receives in a round • B – total attack strength (B = nx ) Strayer University at Arlington, VA
Analysis – Increasing Strength • Lemma 1: Fix and n. Drum’s propagation time is bounded from above by a constant independent of x • Proof idea • Define effective fan-in and effective fan-out • Both have an element independent of x • When x this element is dominant • The effective fans are bounded from below Strayer University at Arlington, VA
Analysis – Increasing Strength • Lemma 2: Fix and n. The propagation time of Push grows at least linearly with x • Proof idea • Assume all non-attacked processes already have the message (and so does the source) • Bound the expected number of processes having M at round k from above • Find the minimal k in which all processes have M • Reaching all attacked processes takes at least a time linear in x Strayer University at Arlington, VA
Analysis – Increasing Strength • Lemma 3: Fix and n. The propagation time of Pull grows at least linearly with x • Proof idea • Denote by p the probability that the source reads a valid pull request in a round • # of rounds for M to leave the source is geometrically distributed with p • The expectation is 1/p • 1/p is at least linear in x Strayer University at Arlington, VA
Analysis – Fixed Strength • Define c = B/nF (total attack strength divided by total system capacity) • Lemma 4: For c > 5, Drum’s expected propagation time is monotonically increasing with • Proof idea • Effective fan-in and effective fan-out are monotonically decreasing with Strayer University at Arlington, VA
Implementation and Measurements • Uses the Java programming language • Multithreaded processes • Operations are not synchronized • Rounds are not synchronized among processes • 50 machines on a 100Mbit LAN (Emulab) • One process per machine • 5 processes (10%) perform a DoS attack Strayer University at Arlington, VA
Validating the Simulations • Evaluate the protocols in the same scenarios tested by simulation • High correlation shows that the simplifying assumptions have little effect on the results Strayer University at Arlington, VA
High-Throughput Experiments • Single source • Creates 40 messages (50 bytes long) per second • Total of 10,000 messages • Round duration = 1 second • Messages are purged after 10 rounds • Each process sends at most 80 data messages to another process in a round • Throughput and latency are measured at the 44 correct receiving processes Strayer University at Arlington, VA
Conclusions • DoS attacks are a real problem • Gossip-based protocols have no single points of failure • However, naïve gossip-based protocols are vulnerable to targeted DoS attacks • Drum uses simple techniques to mitigate the effects of DoS attacks • Evaluations show Drum’s resistance to DoS • The most effective attack against Drum is a broad one • General DoS-mitigation techniques: random ports and neighbor-selection • Analysis and quantitative evaluation techniques may be applicable to other systems as well Strayer University at Arlington, VA
The End Strayer University at Arlington, VA