
Sustaining Availability of Web Services under Distributed Denial of Service Attacks

Jun Xu, Member, IEEE, and Wooyong Lee (Georgia Institute of Technology, Atlanta, GA). Presented by Oleg Rekutin. Overview: web defense focus, two stages of defense, game theory proof, measurements.


Presentation Transcript


  1. Sustaining Availability of Web Services under Distributed Denial of Service Attacks Jun Xu, Member, IEEE, and Wooyong Lee (Georgia Institute of Technology, Atlanta, GA) Presented by Oleg Rekutin

  2. Overview
     • Web defense focus
     • Two stages of defense
     • Game theory proof
     • Measurements
     Outline: Overview, 2-Step Protection, Game Theory, Simulation, Conclusion

  3. System Model

  4. Normal Flow
     • Connect to victim.com:80
     • Receive an HTTP redirect to an IP:port pair:
       • 123.34.56.[MAC]:[MAC]
       • MAC based on source IP
     • Randomly drop SYN packets under attack
     • Connect to 123.34.56.[MAC]:[MAC]
       • from correct source IP: normal HTTP browsing occurs
       • from incorrect source IP: drop packets

  5. System Model (figure legend: Public IP, Pseudo-IP set)

  6. First Redirect Protection
     • Use SYN cookie in TCP seqnum
     • Extend cookie to all redirect packets
     • Sequence number layout (figure labels): 10 bits, 22 bits; MAC xor source port, 0000000000
     • Fits first redirect packets

  7. Spoofed IP protection (exchange between client and server)
     • SYN: src: srcIP:port, dst: victim:80
     • SYN-ACK: dst: srcIP, MAC:0000 in seqno
     • ACK: src: srcIP:port, dst: victim:80, ackno: MAC:0001
     • HTTP redirect uses MAC no's: src: srcIP:port, dst: victim:80

  8. Pseudo-IP MAC
     • MAC( srcIP, key )
     • IP address (figure labels): 4 bits, 28 bits; subnet belonging to web site, MAC
     • Port (figure labels): 1, 1, 14 bits; Is MAC?, Is SSL?, MAC
     • Replay attack
       • Change key based on timestamp in header
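An added example (not from the slides or the paper) of the pseudo-IP scheme on slides 4 and 8: the redirect target is derived from a MAC over the client's source IP, and traffic to a pseudo-IP:port is accepted only when it matches the sender's address under a current key. HMAC-SHA256, the 60-second key epoch driven by the server clock, acceptance of the previous epoch's key, the bit positions inside the port, and all function names are assumptions; the 123.34.56.0/24 block is the slide's example address.

```python
import hashlib
import hmac
import ipaddress

# Assumptions, not from the slides: HMAC-SHA256 as the MAC, a 60 s key epoch,
# bit positions inside the port, and all names. The /24 is the slide's example.
SUBNET = ipaddress.ip_network("123.34.56.0/24")
HOST_BITS = 32 - SUBNET.prefixlen    # MAC bits carried in the pseudo-IP
PORT_MAC_BITS = 14                   # MAC bits carried in the port
EPOCH_SECONDS = 60


def epoch_key(master: bytes, now: float) -> bytes:
    """Derive the MAC key for the time window that contains `now`."""
    epoch = int(now // EPOCH_SECONDS)
    return hmac.new(master, epoch.to_bytes(8, "big"), hashlib.sha256).digest()


def pseudo_endpoint(src_ip: str, key: bytes, ssl: bool = False):
    """Return the (pseudo-IP, port) a client at src_ip is redirected to."""
    src = ipaddress.IPv4Address(src_ip).packed
    tag = int.from_bytes(hmac.new(key, src, hashlib.sha256).digest()[:4], "big")
    bits = tag >> (32 - HOST_BITS - PORT_MAC_BITS)   # keep the top MAC bits
    host, port_mac = bits >> PORT_MAC_BITS, bits & ((1 << PORT_MAC_BITS) - 1)
    # Port: 1 bit "is MAC", 1 bit "is SSL", 14 bits of MAC.
    port = (1 << 15) | (int(ssl) << 14) | port_mac
    return str(SUBNET.network_address + host), port


def accept(src_ip, dst_ip, dst_port, master, now):
    """True if dst is the endpoint for src under the current or previous key."""
    ssl = bool(dst_port & (1 << 14))
    for t in (now, now - EPOCH_SECONDS):
        ip, port = pseudo_endpoint(src_ip, epoch_key(master, t), ssl)
        if hmac.compare_digest(f"{ip}:{port}", f"{dst_ip}:{dst_port}"):
            return True
    return False
```

Because the key changes every epoch, a pseudo-IP:port pair captured from one client stops being accepted after two epochs, which is the replay limit the slide refers to.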

  9. Rate Limiting
     • Fair bandwidth for all legit IP users
     • Uses Deficit Round Robin
       • Complexity O(1)
       • Tight fairness
     • Detect attackers
       • Regular users class: fair share
       • Attacking users class: much smaller share (1/10th)

  10. Detecting Attackers: Flooding
      • DRR drops packets
        • count them per flow
      • If # of dropped packets > threshold H
        • Attacker that does not obey TCP congestion control
      • What if many attackers using fair share?

  11. Detecting Attackers: Loitering
      • Regular transactions:
        • 100's to 1000's packets
      • Q – maximum legit packets quota
      • Low probability of legit transaction using more than Q packets
      • If client uses > Q, attacker
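An added example (not from the slides or the paper) of slides 9 to 11 working together: a Deficit Round Robin scheduler that counts per-flow drops against threshold H, counts served packets against quota Q, and cuts a flagged flow to one tenth of a share. The class and parameter names, the queue capacity, the value of H and the workload are constructed for illustration.

```python
from collections import deque

class DrrGate:  # hypothetical names; queue_cap and h values are assumptions
    def __init__(self, quantum=1000, queue_cap=8, h=50, q=3000, penalty=10):
        self.quantum, self.cap, self.h, self.q = quantum, queue_cap, h, q
        self.penalty = penalty              # attackers get 1/penalty of a share
        self.queues, self.deficit = {}, {}
        self.active = deque()               # backlogged flows, round-robin order
        self.drops, self.sent, self.attackers = {}, {}, set()

    def enqueue(self, flow, size):
        queue = self.queues.setdefault(flow, deque())
        if len(queue) >= self.cap:          # full queue: the packet is dropped
            self.drops[flow] = self.drops.get(flow, 0) + 1
            if self.drops[flow] > self.h:   # flooding: sender never backs off
                self.attackers.add(flow)
            return False
        if not queue:                       # flow becomes backlogged
            self.active.append(flow)
            self.deficit[flow] = 0          # an idle flow keeps no credit
        queue.append(size)
        return True

    def service_round(self):
        out = []                            # (flow, size) pairs sent this round
        for _ in range(len(self.active)):
            flow = self.active.popleft()
            cut = self.penalty if flow in self.attackers else 1
            self.deficit[flow] += self.quantum // cut
            queue = self.queues[flow]
            while queue and queue[0] <= self.deficit[flow]:
                self.deficit[flow] -= queue[0]
                out.append((flow, queue.popleft()))
                self.sent[flow] = self.sent.get(flow, 0) + 1
                if self.sent[flow] > self.q:    # loitering: quota Q exceeded
                    self.attackers.add(flow)
            if queue:
                self.active.append(flow)
        return out

def simulate(rounds=30):
    """Constructed workload: a polite client and a flooder sending 20x as much."""
    gate, served = DrrGate(), {"legit": 0, "flood": 0}
    for _ in range(rounds):
        for flow in ["legit"] + ["flood"] * 20:
            gate.enqueue(flow, 1000)
        for flow, _size in gate.service_round():
            served[flow] += 1
    return gate.attackers, served
```

In the constructed run the flooder is flagged in the fourth round, after which it is served one packet per ten rounds while the polite client keeps one packet per round.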

  12. Game Theory
      • Model effectiveness
      • Guide design
      • Minmax utility
        • Performance of the system under all possible attacks
      • Minmax sound
        • maximizes minmax utility

  13. Guide Design
      • Most effective strategies for adversary:
        • TCP SYN flood using spoofed IPs (unprivileged traffic)
        • Many attackers consume fair share with legit IPs (privileged traffic)
      • Not effective:
        • Frame innocent IPs
        • Flood with legitimate IP

  14. Predict Performance
      • System utility function
        • (# new clients per second) * (average satisfaction of each client)
      • X - # of attackers: unprivileged traffic
      • Z - # of attackers: privileged traffic
      • Y - bandwidth allocated to unprivileged traffic
      • Minmax utility:

  15. System Utility Function
      • g(X, Y, Z) = f(p) * A * U(r)
        • f(p): percentage of new clients that get service
        • A: arrival rate of new clients
        • U(r): user-perceived utility
      • f(p)
        • Tolerate 4 consecutive packet losses, because delay is less than 8 seconds
        • p: percentage of unprivileged traffic
      • U(r)
        • r = average download rate

  16. Choosing Utility Function
      • Naïve/folklore:
        • U1(r) = c * r, c > 0
      • Empirical study-based

  17. Empirical Utility Curve

  18. Numerical Simulation
      • g(X, Y, Z)
      • Adversary optimal strategy:
        • Constraints: X<=N, Z<=N/10
        • X=N and Z=N/10
      • Defense: maximize g(N, Y, N/10)
      • Example numerical simulation:
        • B = 400,000 pps
        • W = 1,000 p
        • Average effective bandwidth = 40 pps
        • Attacker sending rate = 1,000 pps

  19. Numerical Results

  20. Simulation
      • Simulate using ns-2
      • Goals:
        • Verify that fair scheduling (DRR) works (privileged traffic limitation)
        • Study dynamics (change over time):
          • Client bandwidth
          • Page retrieval time
          • Packet drop probability
      • Non-goals:
        • Does not verify unprivileged vs privileged dynamics

  21. Simulation Setup
      • Topology:
      • DRR applied to outgoing bandwidth
      • Use HTTP/1.0
      • Clients: web-like behavior, 1000 packets
      • Loitering threshold Q is 3000 packets

  22. Simulation Scenarios
      • Severe attack, light load
      • Moderate attack, heavy load
      • Severe attack, heavy load
      • Severe attack = 300 attackers
      • Moderate attack = 100 attackers
      • Light load = 25%
      • Heavy load = 75%

  23. Severe Attack, Light Load

  24. Moderate Attack, Heavy Load

  25. Severe Attack, Heavy Load

  26. Conclusion
      • Simulation results show DRR works and show dynamics
      • Sustains web services under severe attacks
      • Practically deployable
      • Game theory framework models performance of system

  27. Acknowledgements
      • Charts used from original article
