290 likes | 374 Views
A DoS -Resilient Information System for Dynamic Data Management. Stefan Schmid & Christian Scheideler Dept. of Computer Science University of Paderborn. Matthias Baumgart Dept. of Computer Science Technische Universität München. Motivation. In 2007, a major DoS attack was launched
E N D
A DoS-Resilient Information System for Dynamic Data Management Stefan Schmid & Christian Scheideler Dept. of Computer Science University of Paderborn Matthias Baumgart Dept. of Computer Science TechnischeUniversitätMünchen
Motivation In 2007, a majorDoSattack was launched againsttherootserversofthe DNS system d d Internet d d d d
DoS-resistant Information System Problem: DNS-approach of full replication not feasible in large information systems off-the-shelfservers Internet
DoS-resistant Information System Scalable information system: storage over-head limited to logarithmic factor d Internet d d
DoS-resistant Information System storageoverheadlimited tolog factor: scalableput und getoperationspossible d Internet d d
DoS-resistant Information System storageoverheadlimited tolog factor: but howtobe robust againstDoSattacks? d Internet d d
Fundamental Dilemma • Scalability: minimize replication of information • Robustness: maximize resources needed by attacker d Internet d d
Fundamental Dilemma • Limitation to „legal“ attacks / information hiding • Information hiding difficult under insider attacks d Internet d d
You are fired! DoS-resistant Information System Past-Insider-Attack:Attackerknowsevery-thingaboutsystemtill (unknown) time t0 Goal:scalableinformationsystem so thateverythingthat was insertedaftert0issafe (w.h.p.) againstanypast-insiderDoSattackthatcanshut down any-fractionoftheservers, forsome>0, andcreateany legal setofputandgetrequests
Formal Model Wearegiven a staticsetofnreliableservers. -boundedattacker: • knowsentiresystemtill time t0 (unknowntosystem) • can block any-fractionofservers • cangenerateanysetofput/getrequests, one per server Goals: • Scalability: everyserverspendsatmostpolylog time andwork on putandgetrequests • Robustness: everygetrequestto a data item insertedorupdated after t0isservedcorrectly • Correctness: everygetrequestto a data item isservedcorrectlyifthesystemis not underDoS-attack
DoS-resilient Information System Dilemma: • just polylogcopiesallowed per data item tobescalable ??? ??? deterministicplacement randomizedplacement
DoS-resilient Information System Basic strategy: • choosesuitablehashfunctionsh1,..,hc:DV(D: namespaceofdata, V: setofservers) • Store copyof item dforeveryiandjrandomlyin a setofserversofsize2jthatcontainshi(d) hi(d) difficultto find difficultto block easy to find easy to block
DoS-resilient Information System „Tie“ sufficientforgetrequests [DISC 07]: • Most getrequestscanaccessclose-bycopies, only a fewgetrequestshaveto find distantcopies • Work foreachserveraltogether just polylog(n)foranysetofngetrequests, one per server hi(d)
DoS-resilient Information System „Tie“ sufficientforgetrequests [DISC 07]: BUTforgetrequeststowork, all areas must haveup-to-datecopies, so putrequestsmayfailunderDoSattack hi(d)
DoS-resilient Information System Chameleonsystem: • Permanent distributedhashtable (p-store)h1,..,hcfixed, must satisfyexpansionproperties(that hold w.h.p. forrandomhashfunctions) • Temporarydistributedhashtable (t-store)hashfunctionh continuouslychanges t-store p-store
DoS-resilient Information System Phase ofChameleonsystem: • Adversaryblocksserversandinitiatesput & getrequests • buildnewt-store, transferdatafromoldtonew t-store • process all putrequests in t-store • process all getrequests in t-storeand p-store • trytotransferdataitemsfrom t-storetop-store t-store p-store Internet
Stage 2: Buildnew t-store t-store:distributedhashtable (DHT)(de Bruijnnetwork + consistenthashing) New t-store: • Joinprotocol: Every nodechoosesnewrandomlocation in de Bruijnnetwork, searchesforneighbors in p-store • Insert protocol: Data items in oldt-storearestored in newt-store (just O(n) itemsw.h.p.) O(log n) time andcongestionw.h.p. p-store
Stage 3: Processputs in t-store • t-putprotocol: de-Bruijnroutingwithcombiningtostoredata in new t-store O(log n) time andO(log2 n) congestion
Stage 4: ProcessgetRequests • t-getprotocol: de Bruijnroutingwithcombiningtolookupdata in t-store(O(log n) time andO(log2 n) congestion) • p-getprotocol(relatedto [DISC 07]): • Preprocessingstage: determineblockedareas in p-store via sampling(O(1) time andO(log2n)congestion) • Contractionstage:trytogetascloseaspossibletohash-basedpositions(O(log n) time andO(log3n) congestion) • Expansion stage:lookforcopiesatsuccessively wider areas(O(log2n) time andO(log3 n) congestion)
hi(x) log n 2 1 0 0 1 Contraction Stage
Expansion Stage hi(x) log n inactive 2 1 0 0 1
Stage 5: datafrom t-storeto p-store • p-putprotocol: • Preprocessingstage: determineblockedareasandaverageload in p-store via sampling(O(1) time andO(log2 n)congestion) • Contractionstage:trytogettosufficientlymanyhash-basedpositions in p-store(O(log n) time andO(log3 n) congestion) • Permanent storagestage: foreachsuccessfuldata item, storenewcopiesanddeleteasmanyoldonesaspossible(O(log n)time andO(log2n) congestion)
DoS-resistantInformation System Theorem:Underany-boundedpast-insiderattack (forsomeconstant>0), theChameleonsystemcanserveanysetofrequests (one per server) in O(log2 n)time s.t. everygetrequestto a data item insertedorupdated aftert0isservedcorrectly, w.h.p. Nodegradationover time: • O(log2 n)copies per data item • fair distributionofdataamongservers
Related Work Many scalable information systems: • Chord, CAN, Pastry, Tapestry,… But many of these designs not even robust against flash crowds
Related Work Caching strategies against flash crowds: • CoopNet, Backlash, PROOFS,… • Naor&Wieder 03 But not robust against adaptive lookup attacks a b c d
Related Work Systems robust against DoS-attacks: • SOS, WebSOS, Mayday, III,… • Basic strategy: indirection infrastructure to hide original location of data Does not work against past insiders
Related Work Awerbuch & Sch. (DISC 07):DoS-resistent informationsystemthatcanonly handle getrequestsunderDoSattack
Conclusion Applications:DoS-resistantplatformfor e-commerceorcriticalinformationservices Open problems: • More light-weightsolution • DoS-resistantsystemwithboundeddegree