1 / 18

Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks

Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks. Anat Bremler-Barr IDC Herzliya, Israel. Udi Ben-Porat Tel-Aviv University, Israel. Hanoch Levy ETH Zurich, Switzerland. Study Objective. Propose a DDoS Vulnerability performance metric

valiant
Download Presentation

Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Evaluating the Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks Anat Bremler-Barr IDC Herzliya, Israel Udi Ben-Porat Tel-Aviv University, Israel Hanoch Levy ETH Zurich, Switzerland

  2. Study Objective Propose a DDoS Vulnerability performance metric Vulnerability Measure To be used in addition to traditional system performance metrics Understanding the vulnerability of different systems to sophisticated attacks This Talk • Describe DDoS Vulnerability performance metric • Demonstrate Metric impact • Hash Table: Very Common in networking • Performance (traditional) : OPEN equivalent CLOSED • Vulnerability analysis: OPEN << CLOSED!! 2

  3. Distributed Denial of Service (DDoS) • Attacker adds more regular users • Loading the server - degrades the performance Server Performance Attacker Server DDoS Normal S. DDoS

  4. SophisticatedDDoS • Attacker adds sophisticated malicious users • Each user creates maximal damage(per attack budget) Server Performance Attacker Server DDoS Normal S. DDoS

  5. Sophisticated Attacks Examples • Simple example: Database server • Make hard queries • Goal: consume CPU time • Sophisticated attacks in the research: • Reduction of Quality (RoQ) Attacks on Internet End-SystemsMina Guirguis, AzerBestavros, Ibrahim Matta and Yuting ZhangINFOCOM 2005 • Low-Rate TCP-Targeted Denial of Service AttacksA. Kuzmanovic and E.W.KnightlySigcomm 2003 • Denial of Service via Algorithmic Complexity AttacksScott A. Crosby and Dan S. Wallach Usenix 2003

  6. Our goal • Proposing a Vulnerability measurement for all sophisticated DDoS attack • Vulnerability Measurement • Understanding the vulnerability of different systems to sophisticated attacks • Later: Hash Tables and Queuing

  7. Vulnerability Factor Definition Vulnerability=v means: Malicious user degrades the server performance v-times more than regular user Performance Degradation Scales (st = Malicious Strategy)

  8. Demonstration of Vulnerability metric: Attack on Hash Tables • Central component in networks • Hash table is a data structure based on Hash function and an array of buckets. • Operations: Insert, Search and Delete of elements according to their keys. Insert (element) Buckets key Hash(key) Server User

  9. Hash Tables Closed Hash Open Hash • Bucket = one element • Collision-> the array is repeatedly probed until an empty bucket is found • Bucket = list of elements that were hashed to that bucket

  10. Vulnerability: OPEN vs. CLOSED Traditional Performance: OPEN = CLOSED* What about Vulnerability? OPEN = CLOSED ? Performance Factors • In Attack • While attack is on: Attacker’s operations are CPU intensive CPU loaded • Post Attack: • Loaded Table insert/delete/search op’s suffer (* when the buckets array of closed hash is twice bigger)

  11. Attacker strategy (InsStrategy) • Strategy: • Insertk elements (cost=budget=k) where all elements hash into the same bucket ( ) • Theorem: InsStrategy is Optimal • For both performance factors Attack Results Open Hash:One long list of elements Closed Hash: Cluster

  12. In Attack: Resource Consumption Analytic results: Open Hash: Closed Hash: V = Open Hash Closed Hash In every malicious insertion, the server has to traverse all previous inserted elements (+ some existing elements) V =

  13. Post Attack: Operation Complexity Open Hash Closed Hash Open Hash: Vulnerability =1 No Post Attack degradation in Open Hash (Only small chance to traverse the malicious list) Closed Hash: Big chance the operation has to traverse part of the big cluster

  14. Post Attack: account for queuing • Requests for the server are queued up • Vulnerability of the (post attack)Waiting Time? Hash Table Server

  15. Stability Point Post Attack Waiting Time • Open Hash: • Vulnerable !!While in the model of Post Attack Operation Complexity the Open Hash is not Vulnerable ! • Closed Hash: • Drastically more vulnerable resulting: clusters increase the second moment of the hash operation times • No longer stable for Load>48%

  16. Conclusions • Closed Hash is much more vulnerable than the Open Hash to DDoS, even though the two systems are considered to be equivalent via traditional performance evaluation. • After the attack has ended, regular users still suffer from performance degradation • Application using Hash in the Internet, where there is a queue before the hash, has high vulnerability.

  17. Related Work • The alternative measure: Potency [RoQ] • Was defined only to RoQ • Only count the performance degradation of a specific attack  Vulnerability measures the system • Meaningless without additional numbers  Vulnerability is meaningful information based on this number alone • Analyzing Hash: Comparing Closed to Open Hash, also analyzing the post attack performance degradation (Denial of Service via Algorithmic Complexity AttacksScott A. Crosby and Dan S. Wallach Usenix 2003)

  18. Questions?

More Related