Presentation is loading. Please wait.

Presentation is loading. Please wait.

Faculty of Electrical Engineering, Technion DSN 2004 Gal Badishi Exposing and Eliminating Vulnerabilities to Denial of Service Attacks in Secure Gossip-Based.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Faculty of Electrical Engineering, Technion DSN 2004 Gal Badishi Exposing and Eliminating Vulnerabilities to Denial of Service Attacks in Secure Gossip-Based."— Presentation transcript:

1 Faculty of Electrical Engineering, Technion DSN 2004 Gal Badishi Exposing and Eliminating Vulnerabilities to Denial of Service Attacks in Secure Gossip-Based Multicast Gal Badishi, Idit Keidar, Amir Sasson

2 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004 AgendaAgenda The problem The problem Overview of gossip-based multicast Overview of gossip-based multicast Proposed solution - Drum Proposed solution - Drum Analysis and simulations Analysis and simulations Implementation and measurements Implementation and measurements Conclusions Conclusions The problem The problem Overview of gossip-based multicast Overview of gossip-based multicast Proposed solution - Drum Proposed solution - Drum Analysis and simulations Analysis and simulations Implementation and measurements Implementation and measurements Conclusions Conclusions

3 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004 Denial of Service (DoS) Unavailability of service Unavailability of service –Exhausting resources Remote attacks Remote attacks –Network level Solutions do not solve all application problems Solutions do not solve all application problems –Application level Got little attention Got little attention Quantitative analysis of impact on application and identification of vulnerabilities needed Quantitative analysis of impact on application and identification of vulnerabilities needed Unavailability of service Unavailability of service –Exhausting resources Remote attacks Remote attacks –Network level Solutions do not solve all application problems Solutions do not solve all application problems –Application level Got little attention Got little attention Quantitative analysis of impact on application and identification of vulnerabilities needed Quantitative analysis of impact on application and identification of vulnerabilities needed

4 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004 ChallengesChallenges Quantify the effect of DoS at the application level Quantify the effect of DoS at the application level Expose vulnerabilities Expose vulnerabilities Find effective DoS-mitigation techniques Find effective DoS-mitigation techniques –Prove their usefulness using the found metric Quantify the effect of DoS at the application level Quantify the effect of DoS at the application level Expose vulnerabilities Expose vulnerabilities Find effective DoS-mitigation techniques Find effective DoS-mitigation techniques –Prove their usefulness using the found metric

5 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004 MulticastMulticast A group of members A group of members At least one member is a source – generates messages At least one member is a source – generates messages Messages should arrive to all of the group members in a timely fashion Messages should arrive to all of the group members in a timely fashion Network level vs. application level (ALM) Network level vs. application level (ALM) A group of members A group of members At least one member is a source – generates messages At least one member is a source – generates messages Messages should arrive to all of the group members in a timely fashion Messages should arrive to all of the group members in a timely fashion Network level vs. application level (ALM) Network level vs. application level (ALM)

6 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004 Tree-Based Multicast Use a spanning tree – most common solution Use a spanning tree – most common solution No duplicates (optimal BW when network-level) No duplicates (optimal BW when network-level) Single points of failure Single points of failure Use a spanning tree – most common solution Use a spanning tree – most common solution No duplicates (optimal BW when network-level) No duplicates (optimal BW when network-level) Single points of failure Single points of failure Source

7 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004 Gossip-Based Multicast Progresses in rounds Progresses in rounds Every round Every round –Choose random partners (view ) –Send or receive messages –Discard old msgs from buffer Probabilistic reliability Probabilistic reliability Uses redundancy to achieve robustness Uses redundancy to achieve robustness Two methods Two methods –Push –Pull Progresses in rounds Progresses in rounds Every round Every round –Choose random partners (view ) –Send or receive messages –Discard old msgs from buffer Probabilistic reliability Probabilistic reliability Uses redundancy to achieve robustness Uses redundancy to achieve robustness Two methods Two methods –Push –Pull

8 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004 PushPush Source

9 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004 PullPull Source

10 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004 Effects of DoS on Gossip Reasonable to assume that source is attacked Reasonable to assume that source is attacked Surprisingly, we show that naïve gossip is vulnerable to DoS attacks Surprisingly, we show that naïve gossip is vulnerable to DoS attacks Attacking a process in pull-based gossip may prevent it from sending messages Attacking a process in pull-based gossip may prevent it from sending messages Attacking a process in push-based gossip may prevent it from receiving messages Attacking a process in push-based gossip may prevent it from receiving messages Reasonable to assume that source is attacked Reasonable to assume that source is attacked Surprisingly, we show that naïve gossip is vulnerable to DoS attacks Surprisingly, we show that naïve gossip is vulnerable to DoS attacks Attacking a process in pull-based gossip may prevent it from sending messages Attacking a process in pull-based gossip may prevent it from sending messages Attacking a process in push-based gossip may prevent it from receiving messages Attacking a process in push-based gossip may prevent it from receiving messages

11 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004 DrumDrum A new gossip-based ALM protocol A new gossip-based ALM protocol Utilizes DoS-mitigation techniques Utilizes DoS-mitigation techniques –Using random one-time ports to communicate –Combining both push and pull –Separating and bounding resources Eliminates vulnerabilities to DoS Eliminates vulnerabilities to DoS Proven robust using formal analysis and quantitative evaluation Proven robust using formal analysis and quantitative evaluation A new gossip-based ALM protocol A new gossip-based ALM protocol Utilizes DoS-mitigation techniques Utilizes DoS-mitigation techniques –Using random one-time ports to communicate –Combining both push and pull –Separating and bounding resources Eliminates vulnerabilities to DoS Eliminates vulnerabilities to DoS Proven robust using formal analysis and quantitative evaluation Proven robust using formal analysis and quantitative evaluation

12 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004 Random Ports Any request necessitating a reply contains a random port number Any request necessitating a reply contains a random port number –“Invisible” to the attacker (e.g., encrypted) The reply is sent to that random port The reply is sent to that random port Assumption: attacking other ports does not affect the random port’s queue (i.e., there is no BW exhaustion) Assumption: attacking other ports does not affect the random port’s queue (i.e., there is no BW exhaustion) Any request necessitating a reply contains a random port number Any request necessitating a reply contains a random port number –“Invisible” to the attacker (e.g., encrypted) The reply is sent to that random port The reply is sent to that random port Assumption: attacking other ports does not affect the random port’s queue (i.e., there is no BW exhaustion) Assumption: attacking other ports does not affect the random port’s queue (i.e., there is no BW exhaustion)

13 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004 Combining Push and Pull Attacking push cannot prevent receiving messages via pull (random ports) Attacking push cannot prevent receiving messages via pull (random ports) Attacking pull cannot prevent sending via push Attacking pull cannot prevent sending via push Each process has some control over the processes it communicates with Each process has some control over the processes it communicates with Attacking push cannot prevent receiving messages via pull (random ports) Attacking push cannot prevent receiving messages via pull (random ports) Attacking pull cannot prevent sending via push Attacking pull cannot prevent sending via push Each process has some control over the processes it communicates with Each process has some control over the processes it communicates with

14 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004 Bounding Resources Motivation: prevent resource exhaustion Motivation: prevent resource exhaustion Each round process a random subset of the arriving messages and discard the rest Each round process a random subset of the arriving messages and discard the rest Separate resources for orthogonal operations Separate resources for orthogonal operations Motivation: prevent resource exhaustion Motivation: prevent resource exhaustion Each round process a random subset of the arriving messages and discard the rest Each round process a random subset of the arriving messages and discard the rest Separate resources for orthogonal operations Separate resources for orthogonal operations Valid Request Bogus Request Round Duration

15 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004 Evaluation Methodology Compare 3 protocols Compare 3 protocols –Push (push-based with bounded resources) –Pull (pull-based with bounded resources) –Drum Under various DoS attacks Under various DoS attacks –Increasing strength (shows trend under DoS) –Fixed strength (exposes vulnerabilities) Source is always attacked Source is always attacked Evaluates combination of Push and Pull Evaluates combination of Push and Pull Compare 3 protocols Compare 3 protocols –Push (push-based with bounded resources) –Pull (pull-based with bounded resources) –Drum Under various DoS attacks Under various DoS attacks –Increasing strength (shows trend under DoS) –Fixed strength (exposes vulnerabilities) Source is always attacked Source is always attacked Evaluates combination of Push and Pull Evaluates combination of Push and Pull

16 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004 Evaluation Methodology (cont.) Measure propagation time – expected number of rounds it takes a message to reach all of the correct processes Measure propagation time – expected number of rounds it takes a message to reach all of the correct processes –99% in the simulations and actual measurements Use real implementation to measure actual latency and throughput Use real implementation to measure actual latency and throughput Measure propagation time – expected number of rounds it takes a message to reach all of the correct processes Measure propagation time – expected number of rounds it takes a message to reach all of the correct processes –99% in the simulations and actual measurements Use real implementation to measure actual latency and throughput Use real implementation to measure actual latency and throughput

17 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004 Analysis/Simulation Assumptions Static group with complete connectivity Static group with complete connectivity Processes have complete group knowledge Processes have complete group knowledge Propagation of a single message M Propagation of a single message M –But simulate situation where all procs have msgs to send M is never purged from local buffers M is never purged from local buffers Rounds are synchronized Rounds are synchronized All round operations complete within the same round All round operations complete within the same round All processes are correct (analysis) or 10% of them perform a DoS attack (simulation) All processes are correct (analysis) or 10% of them perform a DoS attack (simulation) Static group with complete connectivity Static group with complete connectivity Processes have complete group knowledge Processes have complete group knowledge Propagation of a single message M Propagation of a single message M –But simulate situation where all procs have msgs to send M is never purged from local buffers M is never purged from local buffers Rounds are synchronized Rounds are synchronized All round operations complete within the same round All round operations complete within the same round All processes are correct (analysis) or 10% of them perform a DoS attack (simulation) All processes are correct (analysis) or 10% of them perform a DoS attack (simulation)

18 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004 Analysis – Increasing Strength Assume static group, strict subset is attacked Assume static group, strict subset is attacked Lemma 1: Drum’s propagation time is bounded from above by a constant independent of the attack rate Lemma 1: Drum’s propagation time is bounded from above by a constant independent of the attack rate Lemma 2: The propagation time of Push grows at least linearly with the attack rate Lemma 2: The propagation time of Push grows at least linearly with the attack rate Lemma 3: The propagation time of Pull grows at least linearly with the attack rate Lemma 3: The propagation time of Pull grows at least linearly with the attack rate Assume static group, strict subset is attacked Assume static group, strict subset is attacked Lemma 1: Drum’s propagation time is bounded from above by a constant independent of the attack rate Lemma 1: Drum’s propagation time is bounded from above by a constant independent of the attack rate Lemma 2: The propagation time of Push grows at least linearly with the attack rate Lemma 2: The propagation time of Push grows at least linearly with the attack rate Lemma 3: The propagation time of Pull grows at least linearly with the attack rate Lemma 3: The propagation time of Pull grows at least linearly with the attack rate

19 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004

20 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004 Analysis – Fixed Strength Define c as the total attack strength divided by the total system capacity Define c as the total attack strength divided by the total system capacity Lemma 4: For c > 5, Drum’s expected propagation time is monotonically increasing as the percentage of attacked processes increases Lemma 4: For c > 5, Drum’s expected propagation time is monotonically increasing as the percentage of attacked processes increases Define c as the total attack strength divided by the total system capacity Define c as the total attack strength divided by the total system capacity Lemma 4: For c > 5, Drum’s expected propagation time is monotonically increasing as the percentage of attacked processes increases Lemma 4: For c > 5, Drum’s expected propagation time is monotonically increasing as the percentage of attacked processes increases

21 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004

22 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004 Implementation and Measurements Multithreaded processes in Java Multithreaded processes in Java Operations are not synchronized Operations are not synchronized Rounds are not synchronized among processes Rounds are not synchronized among processes 50 machines on a 100Mbit LAN (Emulab) 50 machines on a 100Mbit LAN (Emulab) One process per machine One process per machine 5 processes (10%) perform a DoS attack 5 processes (10%) perform a DoS attack Multithreaded processes in Java Multithreaded processes in Java Operations are not synchronized Operations are not synchronized Rounds are not synchronized among processes Rounds are not synchronized among processes 50 machines on a 100Mbit LAN (Emulab) 50 machines on a 100Mbit LAN (Emulab) One process per machine One process per machine 5 processes (10%) perform a DoS attack 5 processes (10%) perform a DoS attack

23 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004 High-Throughput Experiments Single source Single source Creates 40 messages per second Creates 40 messages per second Round duration = 1 second Round duration = 1 second Messages are purged after 10 rounds Messages are purged after 10 rounds Each process sends at most 80 data messages to another process in a round Each process sends at most 80 data messages to another process in a round Throughput and latency are measured at the 44 correct receiving processes Throughput and latency are measured at the 44 correct receiving processes Single source Single source Creates 40 messages per second Creates 40 messages per second Round duration = 1 second Round duration = 1 second Messages are purged after 10 rounds Messages are purged after 10 rounds Each process sends at most 80 data messages to another process in a round Each process sends at most 80 data messages to another process in a round Throughput and latency are measured at the 44 correct receiving processes Throughput and latency are measured at the 44 correct receiving processes

24 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004

25 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004

26 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004 SummarySummary Gossip-based protocols are very robust, but… Gossip-based protocols are very robust, but… –naïve gossip-based protocols are vulnerable to targeted DoS attacks Drum uses simple techniques to mitigate the effects of DoS attacks Drum uses simple techniques to mitigate the effects of DoS attacks Evaluations show Drum’s resistance to DoS Evaluations show Drum’s resistance to DoS The most effective attack against Drum is a broad one The most effective attack against Drum is a broad one Gossip-based protocols are very robust, but… Gossip-based protocols are very robust, but… –naïve gossip-based protocols are vulnerable to targeted DoS attacks Drum uses simple techniques to mitigate the effects of DoS attacks Drum uses simple techniques to mitigate the effects of DoS attacks Evaluations show Drum’s resistance to DoS Evaluations show Drum’s resistance to DoS The most effective attack against Drum is a broad one The most effective attack against Drum is a broad one

27 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004 General Principles DoS-mitigation techniques: DoS-mitigation techniques: –random ports –neighbor-selection by local choices –separate resource bounds Design goal: eliminate vulnerabilities Design goal: eliminate vulnerabilities –The most effective attack is a broad one Analysis and quantitative evaluation of impact of DoS Analysis and quantitative evaluation of impact of DoS DoS-mitigation techniques: DoS-mitigation techniques: –random ports –neighbor-selection by local choices –separate resource bounds Design goal: eliminate vulnerabilities Design goal: eliminate vulnerabilities –The most effective attack is a broad one Analysis and quantitative evaluation of impact of DoS Analysis and quantitative evaluation of impact of DoS

28 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004

29 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004 Validating Known Results The propagation time of gossip-based multicast protocols is O(log n) [P87, KSSV00] The propagation time of gossip-based multicast protocols is O(log n) [P87, KSSV00]

30 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004

31 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004 Validating Known Results (cont.) The performance of gossip-based multicast protocols degrades gracefully as failures amount [LMM00, GvRB01] The performance of gossip-based multicast protocols degrades gracefully as failures amount [LMM00, GvRB01]

32 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004

33 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004

34 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004 Validating the Simulations Evaluate the protocols in the same scenarios tested by simulation Evaluate the protocols in the same scenarios tested by simulation High correlation shows that the simplifying assumptions have little effect on the results High correlation shows that the simplifying assumptions have little effect on the results Evaluate the protocols in the same scenarios tested by simulation Evaluate the protocols in the same scenarios tested by simulation High correlation shows that the simplifying assumptions have little effect on the results High correlation shows that the simplifying assumptions have little effect on the results

35 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004

36 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004

37 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004

38 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004

39 Gal BadishiFaculty of Electrical Engineering, TechnionDSN 2004

Download ppt "Faculty of Electrical Engineering, Technion DSN 2004 Gal Badishi Exposing and Eliminating Vulnerabilities to Denial of Service Attacks in Secure Gossip-Based."

Similar presentations

DISTRIBUTED SYSTEMS II FAULT-TOLERANT BROADCAST Prof Philippas Tsigas Distributed Computing and Systems Research Group.

DISTRIBUTED SYSTEMS II FAULT-TOLERANT BROADCAST Prof Philippas Tsigas Distributed Computing and Systems Research Group.
Consistency and Replication Chapter 7 Part II Replica Management & Consistency Protocols.

Consistency and Replication Chapter 7 Part II Replica Management & Consistency Protocols.
Congestion Control Reasons: - too many packets in the network and not enough buffer space S = rate at which packets are generated R = rate at which receivers.

Congestion Control Reasons: - too many packets in the network and not enough buffer space S = rate at which packets are generated R = rate at which receivers.
Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.

Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.
Playback delay in p2p streaming systems with random packet forwarding Viktoria Fodor and Ilias Chatzidrossos Laboratory for Communication Networks School.

Playback delay in p2p streaming systems with random packet forwarding Viktoria Fodor and Ilias Chatzidrossos Laboratory for Communication Networks School.
On Large-Scale Peer-to-Peer Streaming Systems with Network Coding Chen Feng, Baochun Li Dept. of Electrical and Computer Engineering University of Toronto.

On Large-Scale Peer-to-Peer Streaming Systems with Network Coding Chen Feng, Baochun Li Dept. of Electrical and Computer Engineering University of Toronto.
Optimizing Buffer Management for Reliable Multicast Zhen Xiao AT&T Labs – Research Joint work with Ken Birman and Robbert van Renesse.

Optimizing Buffer Management for Reliable Multicast Zhen Xiao AT&T Labs – Research Joint work with Ken Birman and Robbert van Renesse.
Gossip Algorithms and Implementing a Cluster/Grid Information service MsSys Course Amar Lior and Barak Amnon.

Gossip Algorithms and Implementing a Cluster/Grid Information service MsSys Course Amar Lior and Barak Amnon.
Reliable Group Communication Quanzeng You & Haoliang Wang.

Reliable Group Communication Quanzeng You & Haoliang Wang.
Gossip Scheduling for Periodic Streams in Ad-hoc WSNs Ercan Ucan, Nathanael Thompson, Indranil Gupta Department of Computer Science University of Illinois.

Gossip Scheduling for Periodic Streams in Ad-hoc WSNs Ercan Ucan, Nathanael Thompson, Indranil Gupta Department of Computer Science University of Illinois.
LightFlood: An Optimal Flooding Scheme for File Search in Unstructured P2P Systems Song Jiang, Lei Guo, and Xiaodong Zhang College of William and Mary.

LightFlood: An Optimal Flooding Scheme for File Search in Unstructured P2P Systems Song Jiang, Lei Guo, and Xiaodong Zhang College of William and Mary.
Forwarding Redundancy in Opportunistic Mobile Networks: Investigation and Elimination Wei Gao 1, Qinghua Li 2 and Guohong Cao 3 1 The University of Tennessee,

Forwarding Redundancy in Opportunistic Mobile Networks: Investigation and Elimination Wei Gao 1, Qinghua Li 2 and Guohong Cao 3 1 The University of Tennessee,
Faculty of Electrical Engineering, Technion Drum Gal Badishi Exposing and Eliminating Vulnerabilities to Denial of Service Attacks in Secure Gossip-Based.

Faculty of Electrical Engineering, Technion Drum Gal Badishi Exposing and Eliminating Vulnerabilities to Denial of Service Attacks in Secure Gossip-Based.
1 Principles of Reliable Distributed Systems Lecture 6: Synchronous Uniform Consensus Spring 2005 Dr. Idit Keidar.

1 Principles of Reliable Distributed Systems Lecture 6: Synchronous Uniform Consensus Spring 2005 Dr. Idit Keidar.
Distributed Algorithms for Secure Multipath Routing

Distributed Algorithms for Secure Multipath Routing
Real-Time Authentication Using Digital Signature Schema Marissa Hollingsworth BOISECRYPT ‘09.

Real-Time Authentication Using Digital Signature Schema Marissa Hollingsworth BOISECRYPT ‘09.
Implementing dynamic membership in a secure multicast protocol Ilana Sarfati and Orna Dutech Winter 2005 Supervisor : Gal Badishi הטכניון – מכון טכנולוגי.

Implementing dynamic membership in a secure multicast protocol Ilana Sarfati and Orna Dutech Winter 2005 Supervisor : Gal Badishi הטכניון – מכון טכנולוגי.
1 Principles of Reliable Distributed Systems Lecture 3: Synchronous Uniform Consensus Spring 2006 Dr. Idit Keidar.

1 Principles of Reliable Distributed Systems Lecture 3: Synchronous Uniform Consensus Spring 2006 Dr. Idit Keidar.
Internetworking Different networks –Different bit rates –Frame lengths –Protocols.

Internetworking Different networks –Different bit rates –Frame lengths –Protocols.
Network Coding for Large Scale Content Distribution Christos Gkantsidis Georgia Institute of Technology Pablo Rodriguez Microsoft Research IEEE INFOCOM.

Network Coding for Large Scale Content Distribution Christos Gkantsidis Georgia Institute of Technology Pablo Rodriguez Microsoft Research IEEE INFOCOM.

Similar presentations

Ads by Google