Sustaining Availability of Web Services under Distributed Denial of Service Attacks
Jun Xu, Member, IEEE, and Wooyong Lee (Georgia Institute of Technology, Atlanta, GA)
Presented by Oleg Rekutin

Overview
• Web defense focus
• Two stages of defense
• Game theory proof
• Measurements
Outline: Overview
Overview | 2-Step Protection | Game Theory | Simulation | Conclusion
Sustaining Availability of Web Services under DDoS
System Model
(figure: system model)

Normal Flow
• Connect to victim.com:80
• Receive an HTTP redirect to an IP:port pair: 123.34.56.[MAC]:[MAC]
  • MAC based on source IP
  • Randomly drop SYN packets under attack
• Connect to 123.34.56.[MAC]:[MAC]
  • from correct source IP: normal HTTP browsing occurs
  • from incorrect source IP: drop packets
Outline: 2-Step Protection

System Model
(figure: system model)
- Public IP
- Pseudo-IP set
First Redirect Protection
• Use SYN cookie in TCP seqnum
• Extend cookie to all redirect packets
(figure: seqnum layout, 10 bits + 22 bits: MAC xor source port | 0000000000; fits first redirect packets)

Spoofed IP protection (client and server)
• client -> server: SYN, src: srcIP:port, dst: victim:80
• server -> client: SYN-ACK, dst: srcIP, MAC:0000 in seqno
• client -> server: ACK, src: srcIP:port, dst: victim:80, ackno: MAC:0001
• client -> server: HTTP request, src: srcIP:port, dst: victim:80; the HTTP redirect uses the MAC numbers

Pseudo-IP MAC
• IP address: 4 bits (subnet belonging to web site) | 28 bits (MAC)
• Port: 1 bit (Is MAC?) | 1 bit (Is SSL?) | 14 bits (MAC)
• MAC( srcIP, key )
• Replay attack: change key based on timestamp in header
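The redirect-to-pseudo-IP step above, written out as an added example (not code from the paper or the slides): the server derives the pseudo IP:port from an HMAC of the client's source IP under a key that rotates with the timestamp epoch, and the pseudo-IP set accepts a packet only when its destination matches the MAC of its source. The 4/28 and 1/1/14 bit layouts are the ones on the slide; SITE_PREFIX, the rotation period, the replay window and the secret are assumed values.

```python
import hashlib
import hmac
import ipaddress

# Field layout from the slides: pseudo-IP = 4-bit site subnet id + 28 MAC bits;
# port = 1-bit "is MAC" flag + 1-bit "is SSL" flag + 14 MAC bits (42 MAC bits in all).
SITE_PREFIX = 0x7             # hypothetical 4-bit subnet id belonging to the web site
KEY_ROTATION_SECONDS = 60     # hypothetical period after which the MAC key changes
REPLAY_WINDOW_SECONDS = 120   # hypothetical maximum age of the timestamp a client echoes
MASTER_SECRET = b"constructed-demo-secret"  # constructed; a deployment uses a random key

def epoch_key(ts):
    """Key for the epoch containing timestamp ts; rotating it limits replay of old redirects."""
    epoch = int(ts) // KEY_ROTATION_SECONDS
    return hmac.new(MASTER_SECRET, epoch.to_bytes(8, "big"), hashlib.sha256).digest()

def mac_bits(src_ip, key):
    """MAC(srcIP, key), truncated to the 42 bits the address and port fields can carry."""
    tag = hmac.new(key, ipaddress.ip_address(src_ip).packed, hashlib.sha256).digest()
    return int.from_bytes(tag[:8], "big") & ((1 << 42) - 1)

def pseudo_endpoint(src_ip, ts, ssl=False):
    """Server side: the IP:port pair the HTTP redirect hands to a client at src_ip."""
    m = mac_bits(src_ip, epoch_key(ts))
    ip = ipaddress.ip_address((SITE_PREFIX << 28) | (m >> 14))  # 4 + 28 bits
    port = (1 << 15) | (int(ssl) << 14) | (m & 0x3FFF)          # 1 + 1 + 14 bits
    return str(ip), port

def accept_connection(src_ip, dst_ip, dst_port, ts, now):
    """Pseudo-IP set: keep the packet only if dst_ip:dst_port is the MAC of its source IP.

    ts is the timestamp echoed in the header, now is the server clock; a stale ts is
    refused so a recorded redirect cannot be replayed once the key has moved on."""
    if not (dst_port >> 15) & 1:  # "is MAC" flag clear: not a pseudo-IP endpoint
        return False
    if not 0 <= now - ts <= REPLAY_WINDOW_SECONDS:
        return False
    ssl = bool((dst_port >> 14) & 1)
    return (dst_ip, dst_port) == pseudo_endpoint(src_ip, ts, ssl)
```

A spoofed source never learns the pseudo endpoint, because the redirect is delivered to the real owner of the address; packets to a pseudo endpoint from any other source fail the comparison and are dropped.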
Rate Limiting
• Fair bandwidth for all legit IP users
• Uses Deficit Round Robin
  • Complexity O(1)
  • Tight fairness
• Detect attackers
  • Regular users class: fair share
  • Attacking users class: much smaller share (1/10th)

Detecting Attackers: Flooding
• DRR drops packets; count them per flow
• If # of dropped packets > threshold H: attacker that does not obey TCP congestion control
• What if many attackers using fair share?

Detecting Attackers: Loitering
• Regular transactions: 100's to 1000's packets
• Q: maximum legit packets quota
• Low probability of legit transaction using more than Q packets
• If client uses > Q, attacker
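The rate-limiting and the two detection rules on the three slides above, as one added example (not the authors' ns-2 code): a per-flow Deficit Round Robin scheduler on unit-size packets counts drops per flow, reclassifies a flow as an attacker when drops exceed H (flooding) or when it has been served more than Q packets (loitering), and then gives it one tenth of the regular quantum. Q = 3000 is the slides' loitering threshold; H, QUANTUM and QUEUE_CAP are constructed values, and the offered rates in simulate are constructed inputs.

```python
from collections import deque
H = 20          # flood threshold: DRR drops per flow before reclassification (constructed)
Q = 3000        # loitering quota from the slides: packets a legitimate transaction stays under
QUANTUM = 10    # packets a regular-class flow may send per DRR round (constructed)
QUEUE_CAP = 30  # per-flow queue; packets beyond this are dropped and counted (constructed)

class Flow:
    def __init__(self, ip):
        self.ip, self.queue, self.deficit = ip, deque(), 0
        self.dropped, self.served, self.attacker = 0, 0, False

    def quantum(self):
        return QUANTUM // 10 if self.attacker else QUANTUM  # attacker class: 1/10th share

class DRRScheduler:
    def __init__(self):
        self.flows = {}

    def enqueue(self, ip, n=1):
        """Offer n unit-size packets from ip; queue overflow is dropped and counted."""
        flow = self.flows.setdefault(ip, Flow(ip))
        for _ in range(n):
            if len(flow.queue) < QUEUE_CAP:
                flow.queue.append(1)
            else:
                flow.dropped += 1
                if flow.dropped > H:  # keeps sending through loss: not congestion-controlled
                    flow.attacker = True

    def round(self):
        """One DRR round: each backlogged flow spends its quantum plus banked deficit."""
        for flow in self.flows.values():
            if not flow.queue:
                continue
            flow.deficit += flow.quantum()
            while flow.queue and flow.deficit > 0:
                flow.deficit -= flow.queue.popleft()
                flow.served += 1
                if flow.served > Q:  # loitering: more packets than any legit transaction
                    flow.attacker = True
            if not flow.queue:
                flow.deficit = 0  # an emptied queue forfeits leftover credit

def simulate(rates, rounds):
    # rates: {ip: packets offered per round}; returns the scheduler after the run
    sched = DRRScheduler()
    for _ in range(rounds):
        for ip, n in rates.items():
            sched.enqueue(ip, n)
        sched.round()
    return sched
```

With two clients offering 8 packets per round and one source offering 100, the flooder is reclassified in the first round and thereafter gets one packet per round while the two clients keep their full 8; a single client that keeps browsing past Q packets is reclassified the same way, which is the loitering case.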
Game Theory
• Model effectiveness
• Guide design
• Minmax utility: performance of the system under all possible attacks
• Minmax sound: maximizes minmax utility
Outline: Game Theory

Guide Design
• Most effective strategies for adversary:
  • TCP SYN flood using spoofed IPs (unprivileged traffic)
  • Many attackers consume fair share with legit IPs (privileged traffic)
• Not effective:
  • Frame innocent IPs
  • Flood with legitimate IP

Predict Performance
• System utility function: (# new clients per second) * (average satisfaction of each client)
• X: # of attackers, unprivileged traffic
• Z: # of attackers, privileged traffic
• Y: bandwidth allocated to unprivileged traffic
• Minmax utility:

System Utility Function
g(X, Y, Z) = f(p) * A * U(r)
• f(p): percentage of new clients that get service
  • Tolerate 4 consecutive packet losses, because delay is less than 8 seconds
  • p: percentage of unprivileged traffic
• A: arrival rate of new clients
• U(r): user-perceived utility
  • r = average download rate

Choosing Utility Function
• Naive/folklore: U1(r) = c * r, c > 0
• Empirical study-based
Empirical Utility Curve
(figure: empirical utility curve)

Numerical Simulation
• g(X, Y, Z)
• Adversary optimal strategy:
  • Constraints: X <= N, Z <= N/10
  • X = N and Z = N/10
• Defense: maximize g(N, Y, N/10)
• Example numerical simulation:
  • B = 400,000 pps
  • W = 1,000 p
  • Average effective bandwidth = 40 pps
  • Attacker sending rate = 1,000 pps

Numerical Results
(figure: numerical results)

Simulation
• Simulate using ns-2
• Goals:
  • Verify that fair scheduling (DRR) works (privileged traffic limitation)
  • Study dynamics (change over time): client bandwidth, page retrieval time, packet drop probability
• Non-goals:
  • Does not verify unprivileged vs privileged dynamics
Outline: Simulation

Simulation Setup
• Topology: (figure)
• DRR applied to outgoing bandwidth
• Use HTTP/1.0
• Clients: web-like behavior, 1000 packets
• Loitering threshold Q is 3000 packets

Simulation Scenarios
• Severe attack, light load
• Moderate attack, heavy load
• Severe attack, heavy load
• Severe attack = 300 attackers
• Moderate attack = 100 attackers
• Light load = 25%
• Heavy load = 75%
Severe Attack, Light Load
(figure: simulation results)

Moderate Attack, Heavy Load
(figure: simulation results)

Severe Attack, Heavy Load
(figure: simulation results)

Conclusion
• Simulation results show DRR works and show dynamics
• Sustains web services under severe attacks
• Practically deployable
• Game theory framework models performance of system
Outline: Conclusion

Acknowledgements
• Charts used from original article