Adaptive selective verification
Download
1 / 26

Adaptive Selective Verification - PowerPoint PPT Presentation


  • 52 Views
  • Uploaded on

Adaptive Selective Verification. Sanjeev Khanna, Santosh Venkatesh, UPenn Omid Fatemieh , Fariba Khan, Carl A. Gunter, UIUC IEEE INFOCOM 2008. Problem. Legitimate clients and attackers indistinguishable IPs may be spoofed Distinct hosts may share an IP (NAT boxes in ISPs)

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Adaptive Selective Verification' - eyal


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Adaptive selective verification

Adaptive Selective Verification

Sanjeev Khanna, Santosh Venkatesh, UPenn

Omid Fatemieh, Fariba Khan, Carl A. Gunter, UIUC

IEEE INFOCOM 2008


Problem
Problem

  • Legitimate clients and attackers indistinguishable

  • IPs may be spoofed

  • Distinct hosts may share an IP (NAT boxes in ISPs)

  • Examples: IKE key exchanges, digitally signed DNS, capability request channel, etc

Processes

Requests

Legitimate

Clients

Responses

Server

Requests

Overloaded

(CPU, memory, etc.)

Attackers


Outline
Outline

  • Introduction and Related Work

  • Solution Overview

  • Omniscient Protocol

  • Adaptive Protocol

  • Simulation Study

  • Summary


Service level ddos defense
Service-level DDoS Defense

  • Denial of service are still a threat to availability in Internet

  • A classification of defense approaches

    • Filtering / rate limiting based on profiling [Srivatsa et al. Middleware 06, Ranjan et al. INFOCOM 06, Khattab et al. INFOCOM 08, etc]

    • Filtering / rate limiting based on Reverse Turing Tests [Morein et al. CCS 03, Gligor IWSP 03, Kandula et al. NSDI 05, etc]

    • Capability-based [Yaar et al. S&P 04, Yang et al. SIGCOMM 05, etc]

    • Currency-based: money [Mankins et al. ACSAC 01], CPU cycles [Wang et al. S&P 03, Parno et al. SIGCOMM 07, etc]bandwidth[Gunter et al. NDSS 04, Sterr et al. NPSec 05, Walfish et al. SIGCOMM 06]

  • Protection has costs:

    • Need to understand costs and trade-offs

    • Need adaptation strategy


Bandwidth as currency
Bandwidth as Currency

  • Intuition: Attackers are already maxed-out, whereas clients can use additional bandwidth to get access

  • Assumptions:

    • Attack traffic hard to filter / rate limit explicitly

    • Botnet not much larger than good clients

    • Server has a lot of bandwidth

  • Selective Verification [Gunter et al. NDSS 04, Sterr et al. NPSec 05]:

    • Clients send a fixed number of extra requests

    • Server probabilistically selects (processes) a fixed portion of requests

    • No adaptation strategy

  • Bandwidth Auctions [Walfish et al. SIGCOMM 06]:

    • Clients build credit by sending bytes to an accounting system

    • Server takes requests from clients that have built the most credit

    • Adaptive in nature, but potentially requires significant server state

  • Question: Is there a good adaptive stateless bandwidth scheme?


Solution overview
Solution Overview

  • Shared channel model:Attack and client rates varywithin fixed bounds

  • Clients respond to an attack by boosting request rates

  • Server performs probabilistic random sampling

  • Theoretically and experimentally shown to be efficient in terms of bandwidth consumption

  • Requires limited state on the server


Analytical setting
Analytical Setting

  • Time-out window T known to clients and server

  • In each window:

    • REQ factor (per sec):(number of REQs)/(server capacity S)

    • ρ:Agg. client REQ factor: 0 ≤ ρ ≤ ρmax; ρmax << 1

    • α:Agg. attack REQ factor: 0 ≤ α ≤ αmax; αmax >> 1

REQ

Clients

(REQ Factor=ρ)

ACK

REQ

Attackers

(REQ Factor=α)

Server (capacity=S)

ACK


Omniscient protocol
Omniscient Protocol

  • Attack and client factors in each window (α and ρ) are made known to all clients and the server

  • Benefits:

    • Unrealistic, but simple to analyze

    • “Total bandwidth consumption” and “client success probability” easily calculated

    • Provides benchmarks for comparisons in more realistic settings

  • Client Protocol:

    • Transmit α/ρ copies of the REQ

    • If no ACK in T seconds, quit

  • Server Protocol:

    • Accept an arriving REQ packet with probability

    • Send an ACK for each accepted REQ


Adaptive selective verification asv
Adaptive Selective Verification (ASV)

  • Server Protocol

  • Store the first ST REQs in a reservoir

  • If the number of packets (in a round) exceeds ST, perform reservoir-based random sampling on the incoming REQs

  • At the end of the window: process the REQs in the reservoir and send ACKs accordingly

  • Empty the reservoir and go back to step 1

Adaptive Client Protocol

  • Start with sending one REQ

  • Calculate J as the retrial span:

  • Double REQ rates after not getting service (i.e. ACK) in a round (T seconds) for up to J rounds


Theoretical analysis results
Theoretical Analysis Results

  • We no longer assume attack and client factors in each window (α and ρ) are made known to clients or the server

  • Theoretically obtain the following under variable rate attacksbounded by αmax:

    • Lower bound on client success ratio

    • Tight upper bound on expected client bandwidth consumption

  • The expected bandwidth consumption for ASV is only times larger than the bandwidth consumed by the omniscient protocol

  • This would be for a non-adaptive SV which stays in high protection mode at all times


Extended asv
Extended ASV

  • What if the server is temporarily down?

    • Server replies dropped REQs with Drop ACKs (DACK)

  • Lossy network could cause the clients to quit:

    • If no DACK received for K consecutive packets then quit

    • Serves as a crude congestion control mechanism

  • Server bandwidth concerns

    • Trade-off client success probability for bandwidth

  • Client bandwidth concerns

    • The server notifies clients of the success probability function, based on which the clients choose theappropriate retrial spanJ


Simulation setup
Simulation Setup

  • NS-2 network simulator

  • Each attacker sends 400 REQ/s

  • 50 clients join every sec

  • ρmax = 0.08

  • αmax = 66

  • Attack factor = 66 / 0.08 = 825

  • RTT = 60ms

  • T = 400ms


Adaptive vs non adaptive
Adaptive vs. Non-adaptive

  • Client behaviors:

    • Naive: Send one REQ every T seconds. Quit if an ACK is received or JT seconds pass.

    • Aggressive (Non-Adaptive):Send 2J REQs. Quit if an ACK is received or JT seconds pass.

    • ASV: Implement ASV for one REQ (which means for a maximum of JT seconds).



Pulse and variable rate attacks asv
Pulse and Variable Rate Attacks (ASV)

  • Pulse attacks: The system fully adapts itself to attack conditions (and recovers to pre-attack conditions when the attack stops) in less than 2s

  • Highly variable rate attacks:“Time to Service” and “Aggregate Client BW Usage” remain within reasonable bounds at all times

  • Attackers do not gain any advantage by sharply varying attack rates


Effect on tcp cross traffic
Effect on TCP Cross Traffic

  • Server S2 is a back-up server

  • Client C aims to back-up data on S2 over TCP at 512kbps

  • In parallel, S is experiencing

    an DoS attack and employs ASV

  • Communications to S over UDP

  • Bottleneck capacity: 10Mbps

  • We measure C’s success in

    terms of the amount of data

    it can upload to S2 in 30s

  • ASV minimally affects TCP cross traffic


Summary of contributions
Summary of Contributions

  • We have introduced a stateless adaptive bandwidth currency algorithm called Adaptive Selective Verification (ASV)

  • We have developed a novel analysis technique asserting an optimality property and proved that ASV is optimal

  • We have added practical features to ASV and demonstrated its effectiveness in NS-2 simulations



Outline1
Outline

  • Introduction and Related Work

  • Solution Overview / Setting

  • Omniscient Protocol

  • Adaptive Protocol

  • Simulation Study

  • Summary


Outline2
Outline

  • Introduction and Related Work

  • Solution Overview / Setting

  • Omniscient Protocol

  • Adaptive Protocol

  • Simulation Study

  • Summary


Outline3
Outline

  • Introduction and Related Work

  • Solution Overview / Setting

  • Omniscient Protocol

  • Adaptive Protocol

  • Simulation Study

  • Summary


Outline4
Outline

  • Introduction and Related Work

  • Solution Overview / Setting

  • Omniscient Protocol

  • Adaptive Protocol

  • Simulation Study

  • Summary



Bandwidth as currency1
Bandwidth as Currency

  • Intuition: Attackers are already maxed-out, whereas clients can use additional bandwidth to get access

  • Two general strategies

    • Selective Verification [Gunter et al. NDSS ‘04, Sterr et al. NPSec ’05]:

      • Clients send a fixed number of extra requests

      • Server selects (processes) some probabilistically

      • No adaptation strategy

    • Bandwidth Auctions [Walfish et al. SIGCOMM ‘06] :

      • Clients build credit by sending bytes to an accounting system

      • Server takes requests from clients that have built the most credit

      • Adaptive in nature, but potentially requires significant server state

  • Is there a good adaptive stateless bandwidth scheme?

ρ

Gunter Khanna Tan Venkatesh 04Sherr Greenwald Gunter Khanna Venkatesh 05

Walfish Balakrishnan Karger Shenker 06


Pulse and variable rate attacks asv1
Pulse and Variable Rate Attacks (ASV)

  • Pulse attack results: The system fully adapts itself to attack conditions (and recovers to pre-attack conditions when the attack stops) in less than 2s

  • Variable rate attacks:


Outline5
Outline

  • Introduction and Related Work

  • Solution Overview / Setting

  • Omniscient Protocol

  • Adaptive Protocol

  • Simulation Study

  • Summary