260 likes | 327 Views
Adaptive Selective Verification. Sanjeev Khanna, Santosh Venkatesh, UPenn Omid Fatemieh , Fariba Khan, Carl A. Gunter, UIUC IEEE INFOCOM 2008. Problem. Legitimate clients and attackers indistinguishable IPs may be spoofed Distinct hosts may share an IP (NAT boxes in ISPs)
E N D
Adaptive Selective Verification Sanjeev Khanna, Santosh Venkatesh, UPenn Omid Fatemieh, Fariba Khan, Carl A. Gunter, UIUC IEEE INFOCOM 2008
Problem • Legitimate clients and attackers indistinguishable • IPs may be spoofed • Distinct hosts may share an IP (NAT boxes in ISPs) • Examples: IKE key exchanges, digitally signed DNS, capability request channel, etc Processes Requests Legitimate Clients Responses Server Requests Overloaded (CPU, memory, etc.) Attackers
Outline • Introduction and Related Work • Solution Overview • Omniscient Protocol • Adaptive Protocol • Simulation Study • Summary
Service-level DDoS Defense • Denial of service are still a threat to availability in Internet • A classification of defense approaches • Filtering / rate limiting based on profiling [Srivatsa et al. Middleware 06, Ranjan et al. INFOCOM 06, Khattab et al. INFOCOM 08, etc] • Filtering / rate limiting based on Reverse Turing Tests [Morein et al. CCS 03, Gligor IWSP 03, Kandula et al. NSDI 05, etc] • Capability-based [Yaar et al. S&P 04, Yang et al. SIGCOMM 05, etc] • Currency-based: money [Mankins et al. ACSAC 01], CPU cycles [Wang et al. S&P 03, Parno et al. SIGCOMM 07, etc]bandwidth[Gunter et al. NDSS 04, Sterr et al. NPSec 05, Walfish et al. SIGCOMM 06] • Protection has costs: • Need to understand costs and trade-offs • Need adaptation strategy
Bandwidth as Currency • Intuition: Attackers are already maxed-out, whereas clients can use additional bandwidth to get access • Assumptions: • Attack traffic hard to filter / rate limit explicitly • Botnet not much larger than good clients • Server has a lot of bandwidth • Selective Verification [Gunter et al. NDSS 04, Sterr et al. NPSec 05]: • Clients send a fixed number of extra requests • Server probabilistically selects (processes) a fixed portion of requests • No adaptation strategy • Bandwidth Auctions [Walfish et al. SIGCOMM 06]: • Clients build credit by sending bytes to an accounting system • Server takes requests from clients that have built the most credit • Adaptive in nature, but potentially requires significant server state • Question: Is there a good adaptive stateless bandwidth scheme?
Solution Overview • Shared channel model:Attack and client rates varywithin fixed bounds • Clients respond to an attack by boosting request rates • Server performs probabilistic random sampling • Theoretically and experimentally shown to be efficient in terms of bandwidth consumption • Requires limited state on the server
Analytical Setting • Time-out window T known to clients and server • In each window: • REQ factor (per sec):(number of REQs)/(server capacity S) • ρ:Agg. client REQ factor: 0 ≤ ρ ≤ ρmax; ρmax << 1 • α:Agg. attack REQ factor: 0 ≤ α ≤ αmax; αmax >> 1 REQ Clients (REQ Factor=ρ) ACK REQ Attackers (REQ Factor=α) Server (capacity=S) ACK
Omniscient Protocol • Attack and client factors in each window (α and ρ) are made known to all clients and the server • Benefits: • Unrealistic, but simple to analyze • “Total bandwidth consumption” and “client success probability” easily calculated • Provides benchmarks for comparisons in more realistic settings • Client Protocol: • Transmit α/ρ copies of the REQ • If no ACK in T seconds, quit • Server Protocol: • Accept an arriving REQ packet with probability • Send an ACK for each accepted REQ
Adaptive Selective Verification (ASV) • Server Protocol • Store the first ST REQs in a reservoir • If the number of packets (in a round) exceeds ST, perform reservoir-based random sampling on the incoming REQs • At the end of the window: process the REQs in the reservoir and send ACKs accordingly • Empty the reservoir and go back to step 1 Adaptive Client Protocol • Start with sending one REQ • Calculate J as the retrial span: • Double REQ rates after not getting service (i.e. ACK) in a round (T seconds) for up to J rounds
Theoretical Analysis Results • We no longer assume attack and client factors in each window (α and ρ) are made known to clients or the server • Theoretically obtain the following under variable rate attacksbounded by αmax: • Lower bound on client success ratio • Tight upper bound on expected client bandwidth consumption • The expected bandwidth consumption for ASV is only times larger than the bandwidth consumed by the omniscient protocol • This would be for a non-adaptive SV which stays in high protection mode at all times
Extended ASV • What if the server is temporarily down? • Server replies dropped REQs with Drop ACKs (DACK) • Lossy network could cause the clients to quit: • If no DACK received for K consecutive packets then quit • Serves as a crude congestion control mechanism • Server bandwidth concerns • Trade-off client success probability for bandwidth • Client bandwidth concerns • The server notifies clients of the success probability function, based on which the clients choose theappropriate retrial spanJ
Simulation Setup • NS-2 network simulator • Each attacker sends 400 REQ/s • 50 clients join every sec • ρmax = 0.08 • αmax = 66 • Attack factor = 66 / 0.08 = 825 • RTT = 60ms • T = 400ms
Adaptive vs. Non-adaptive • Client behaviors: • Naive: Send one REQ every T seconds. Quit if an ACK is received or JT seconds pass. • Aggressive (Non-Adaptive):Send 2J REQs. Quit if an ACK is received or JT seconds pass. • ASV: Implement ASV for one REQ (which means for a maximum of JT seconds).
Pulse and Variable Rate Attacks (ASV) • Pulse attacks: The system fully adapts itself to attack conditions (and recovers to pre-attack conditions when the attack stops) in less than 2s • Highly variable rate attacks:“Time to Service” and “Aggregate Client BW Usage” remain within reasonable bounds at all times • Attackers do not gain any advantage by sharply varying attack rates
Effect on TCP Cross Traffic • Server S2 is a back-up server • Client C aims to back-up data on S2 over TCP at 512kbps • In parallel, S is experiencing an DoS attack and employs ASV • Communications to S over UDP • Bottleneck capacity: 10Mbps • We measure C’s success in terms of the amount of data it can upload to S2 in 30s • ASV minimally affects TCP cross traffic
Summary of Contributions • We have introduced a stateless adaptive bandwidth currency algorithm called Adaptive Selective Verification (ASV) • We have developed a novel analysis technique asserting an optimality property and proved that ASV is optimal • We have added practical features to ASV and demonstrated its effectiveness in NS-2 simulations
Outline • Introduction and Related Work • Solution Overview / Setting • Omniscient Protocol • Adaptive Protocol • Simulation Study • Summary
Outline • Introduction and Related Work • Solution Overview / Setting • Omniscient Protocol • Adaptive Protocol • Simulation Study • Summary
Outline • Introduction and Related Work • Solution Overview / Setting • Omniscient Protocol • Adaptive Protocol • Simulation Study • Summary
Outline • Introduction and Related Work • Solution Overview / Setting • Omniscient Protocol • Adaptive Protocol • Simulation Study • Summary
Adaptive Selective Verification (ASV) Server Protocol
Bandwidth as Currency • Intuition: Attackers are already maxed-out, whereas clients can use additional bandwidth to get access • Two general strategies • Selective Verification [Gunter et al. NDSS ‘04, Sterr et al. NPSec ’05]: • Clients send a fixed number of extra requests • Server selects (processes) some probabilistically • No adaptation strategy • Bandwidth Auctions [Walfish et al. SIGCOMM ‘06] : • Clients build credit by sending bytes to an accounting system • Server takes requests from clients that have built the most credit • Adaptive in nature, but potentially requires significant server state • Is there a good adaptive stateless bandwidth scheme? ρ Gunter Khanna Tan Venkatesh 04Sherr Greenwald Gunter Khanna Venkatesh 05 Walfish Balakrishnan Karger Shenker 06
Pulse and Variable Rate Attacks (ASV) • Pulse attack results: The system fully adapts itself to attack conditions (and recovers to pre-attack conditions when the attack stops) in less than 2s • Variable rate attacks:
Outline • Introduction and Related Work • Solution Overview / Setting • Omniscient Protocol • Adaptive Protocol • Simulation Study • Summary