Resisting Denial-of-Service Attacks Using Overlay Networks Ju Wang Advisor: Andrew A. Chien Department of Computer Science and Engineering, University of California San Diego Denial-of-Service Attacks Summary and Status Denial-of-Service (DoS) is a critical security problem –Attack important websites (yahoo, Amazon, etc) –Economic impact and political repercussions –DoS attacks are on the rise Attackers prevent legitimate users from receiving service –Application level: large work load to overload applications –Infrastructure level: direct attack on the application physical infrastructure (e.g. traffic flood) Internet Internet Application Service Infrastructure Legitimate User Attacker Overlay (proxy) networks protect applications from infrastructure level DoS attacks –Location Hiding: mediate communication between users and applications without disclosing applications’ IP addresses –DoS Resilience: maintain proxy network connectivity to tolerate massive proxy node failure due to DoS attacks, keeping applications accessible to users Overlay (Proxy) Network Approach Application Legitimate User Proxy Network Attacker where? Location-Hiding –Can proxy networks achieve location-hiding? If so, under what circumstances? (feasibility) –How long will it take attackers to reveal application location? (metrics for goodness) –How do properties of defense & proxy networks affect location-hiding? (parametric) Resource recovery Proxy network reconfiguration Proxy network topology DoS Resilience and Performance –How well can proxy networks resist DoS attacks? –What is the performance impact of proxy networks? Problems Generic Framework for Location-Hiding Resource Pool Application Proxy Network User Attacker Proxy Network Layered View User Edge Proxy Proxy Resource Pool (IP Network) Host Proxy Network Application Attacker Overlay Proxy Network Top View Attack Model Proxies: software components run on hosts Proxies adjacent: iff their IP addresses are mutually known Proxy Network Topology: adjacency structure Only edge proxies publish their IP addresses Users access applications via edge proxies Goal: reveal application location (IP address) Compromise hosts and reveal (expose) location of adjacent proxies Penetrate proxy network based on exposed location information Consider correlated host vulnerabilities Defense Model Goal: recover compromised hosts, invalidate information attackers acquired Resource recovery –Recover compromised hosts –Reactive recovery: detection-triggered –Proactive reset: periodic reload/security patch Proxy network reconfiguration –Invalidate information attackers acquired –E.g. proxy migration Compromised Exposed Intact Proxy state transition Infrastructure level DoS Attack System state change as a stochastic process Rate of host compromises True-positiveness and speed of reactive recoveries Rate of proactive resets Rate of proxy migrations Correlation among host vulnerabilities Topology of proxy networks Analytical Model Compromised Intact Host state transition Impact of attack Impact of defense Feasibility of Location-Hiding No reconfiguration Log scale Linear scale Without reconfiguration, proxy networks cannot hide location With sufficient proxy migration, location-hiding is feasible Without correlated host vulnerabilities, the time to penetrate a proxy network grows exponentially with its depth Interleave proxies on diversified hosts Correlated host vulnerability has qualitative impact; with high correlation, time to penetrate a proxy network grows sub-linearly with its depth Exploit limited host diversity (below) to effectively contain this impact (behaves similarly to the uncorrelated case) Impact of Topology on Location-Hiding Robust (favorable) Vulnerable (unfavorable) Overlay Topologies Good or robust topologies: hard to penetrate and defenders can easily defeat attackers Bad or vulnerable topologies: attackers can quickly propagate and remain inside the proxy network      ,, ,, ,,,, ,, bad good Theorem of Robustness Average degree  1 of G is smaller than the ratio of speed between defenders and attackers:  (  +  )/  >  1,  is speed of attack,  and  are speed of defense - Even if many nodes are initially compromised, attackers’ impact can be quickly removed in O(logN) steps - Low average degrees are favorable Theorem of Vulnerability Neighborhood expansion property  of G is larger than the ratio of speed between defenders and attackers:  >  /  - Even if only one node is initially exposed, attackers’ impact quickly propagate, and will linger forever (applies to all sub-graphs) - Large clusters (tightly connected sub-graphs) are unfavorable hard to beat attackers inside the cluster This work is supported in part by the National Science Foundation under awards NSF EIA Grads and NSF Cooperative Agreement ANI (OptIPuter), NSF CCR (VGrADS), NSF NGS , and NSF Research Infrastructure Grant EIA Support from Hewlett-Packard, BigBangwidth, Microsoft, and Intel is also gratefully acknowledged. Location-Hiding: finished analytical and simulation study –Proxy networks are a feasible approach for location- hiding to resist host compromise penetration attacks –Proxy network depth and reconfiguration rate are keys to location-hiding; existing schemes (e.g. SOS, i3) employing static structures cannot hide location because attackers gain information monotonically –Two theorems to characterize robust and vulnerable topologies for location-hiding; find popular overlays (e.g. Chord) not favorable DoS Resilience & Performance: –Simulation testbed: MicroGrid Internet emulator –A prototype proxy network implementation –A real app: apache, a real DoS attack tool “Trinoo” –Study performance impact and how distribution and intensity/magnitude of DoS attack affect user observed delay and service disruption Neighborhood expansion In both figures, is host compromise rate, µ r is proxy migration rate Domain corresponds to host diversity