DDoS Defense by Offense

Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, Scott Shenker

5/18/2015, Samarpita Hurkute

Upload: brandon-miller

Post on 17-Dec-2015


TRANSCRIPT

Page 1:

DDoS Defense by Offense

Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, Scott Shenker

Page 2:

What is this paper about

“Speak-up” is a defense mechanism against application-level DDoS.

It is a defense mechanism against legitimate-looking requests that consume computational resources.

The server encourages clients to send higher volumes of traffic, so that the inflated traffic volume from good clients crowds out the bad ones.

Page 3:

Introduction

Application-level DDoS: a noxious attack in which, in an “open clientele” environment, the attacker forces the victim server to spend much of its resources on spurious requests.

Carried over an ICMP link, its effect is two-fold. First, the server's resources are often depleted by “proper-looking” requests. Second, the traffic is in-band, so it is harder to identify.

Page 4:

Introduction

Examples of such attacks: using bots to attack web sites by requesting large files, making queries of search engines, and issuing computationally expensive requests.

The approach to counter this attack is to encourage all clients to speak …

Page 5:

Defenses used

Detect and block: distinguish between good clients and bad clients, e.g. profiling IP addresses, rate limiting alone, CAPTCHA-based defenses.

Charge clients some currency: an attacked server gives a client service only after it pays some currency in the form of CPU cycles and money.

Page 6:

Mechanism Used

In speakup, the “thinner” protects the server from overload and performs encouragement.

When the server is overloaded, the thinner causes each new client to automatically send a congestion-controlled stream of dummy bytes on a separate payment channel.

When the server is ready to process requests, the thinner selects the client that has sent the most bytes.

Page 7:

Attacked Server with “speakup” and without “speakup”

Page 8:

Applicability of Speakup

How much aggregate bandwidth does the legitimate client need for speakup to be effective?

Could small Web sites, even when defended by speakup, be harmed?

As bandwidth is a communal resource, doesn't the encouragement to send more traffic damage the network?

Page 9:

Threat Model

The attacker can send difficult requests intentionally.

An attacker can repeatedly request service from a site while having different IP addresses.

Page 10:

Conditions necessary for “Speakup” to be successful

Adequate link bandwidth: enough bandwidth to handle the incoming stream of requests. ISPs that have significant bandwidth could offer speakup as a service.

Adequate client bandwidth: the good clients must have, in total, the same order of magnitude of bandwidth as the bad clients.

No pre-defined clientele: otherwise filtering could be used to permit traffic from only known clients.

Non-human clientele: if the clientele is exclusively human, one may be able to use proof-of-humanity tests.

Unequal requests: a currency-based approach can charge clients for harder requests.

Page 11:

Design of Speak Up

Design goal: if the good clients make g requests per second and have an aggregate bandwidth of G requests per second to the server, and if the bad clients have an aggregate bandwidth of B requests per second, then the server should process good requests at a rate of min(g, (G/(G+B))c) requests per second, where c is the server's capacity to process requests.

Page 12:

Required mechanism

Limit the requests to a server to c per second.

Perform encouragement: cause a client to send more traffic.

Speak up needs a proportional allocation mechanism to admit clients at rates proportional to their delivered bandwidth.

Page 13:

Random drops and Aggressive retries

The thinner implements proportional allocation by dropping requests at random to reduce the rate to c.

For each request it drops, it immediately asks the client to retry. This causes the good clients to retry at higher rates.

Page 14:

Explicit payment channel

The thinner asks clients to pad their requests with dummy bytes.

The thinner asks the requesting client to send their requests over a separate payment channel.

When the server notifies the thinner that it is ready for a new request, the thinner admits the client which has sent the most padded dummy bytes.

However, the drawback is that good clients might have to pay a higher price for their requests.
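The design goal min(g, (G/(G+B))c) and the payment-channel admission rule can be checked against each other with a small simulation. This is an added example, not code from the slides or from the authors' prototype; the per-tick auction model, the client counts and the byte rates are constructed assumptions.

```python
import heapq

def ideal_good_rate(g, G, B, c):
    """Design goal from the slides: min(g, (G/(G+B)) * c)."""
    return min(g, G / (G + B) * c)

def simulate_thinner(good_bw, bad_bw, capacity, ticks):
    """Model the explicit payment channel as one auction per tick.

    good_bw / bad_bw: dummy bytes each client can send per tick (constructed).
    capacity: requests the server can start per tick (the slides' c).
    Assumption: every client always has one request waiting.
    Returns (good_served, bad_served).
    """
    bw = list(good_bw) + list(bad_bw)
    n_good = len(good_bw)
    paid = [0] * len(bw)      # bytes received so far on each payment channel
    served = [0, 0]           # [good, bad]
    for _ in range(ticks):
        for i, rate in enumerate(bw):
            paid[i] += rate   # clients keep paying while they wait
        # Admit the clients that have sent the most dummy bytes.
        winners = heapq.nlargest(capacity, range(len(bw)), key=paid.__getitem__)
        for i in winners:
            served[0 if i < n_good else 1] += 1
            paid[i] = 0       # payment is consumed; the next request starts at zero
    return tuple(served)

def good_share(good_bw, bad_bw, capacity=4, ticks=4000):
    """Fraction of admitted requests that came from good clients."""
    good, bad = simulate_thinner(good_bw, bad_bw, capacity, ticks)
    return good / (good + bad)

# Constructed populations: 50 good clients with G = 100 bytes/tick in total.
GOOD = [2] * 50
BAD_COMPARABLE = [5] * 60     # B = 300, same order of magnitude as G
BAD_DOMINANT = [50] * 60      # B = 3000, the "adequate client bandwidth" condition fails

if __name__ == "__main__":
    for name, bad in (("comparable", BAD_COMPARABLE), ("dominant", BAD_DOMINANT)):
        G, B = sum(GOOD), sum(bad)
        print(name, "ideal share", round(G / (G + B), 3),
              "simulated share", round(good_share(GOOD, bad), 3))
```

The second population shows why the slides list adequate client bandwidth as a precondition: the auction stays proportional, so good clients receive only a small fraction of the server when the bad clients' aggregate bandwidth is far larger.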

Page 15:

Implementation

A prototype thinner is implemented in C++.

It runs on Linux 2.6, exporting a well-known URL.

When a web client requests this URL, the thinner decides if and when to send this request to the server.

When the server responds to that request, the thinner returns HTML to the client with that response.

Page 16:

Implementation

If the server is busy, the thinner returns JavaScript to the client. The client issues 2 requests: the first is the actual request to the server and the second is an HTTP POST which holds the dummy bytes.

The thinner delays responding to the first HTTP request because the server is busy, and the second HTTP request is the payment channel.

Page 17:

Implementation

If by sending dummy bytes the client wins, the thinner terminates the 2nd request and passes on the client's 1st request to the server.

If on the other hand the client has not yet received any service, the thinner returns JavaScript which causes the browser to send another large POST, and the process goes on.

Page 26:

Objections to Speak Up

Bandwidth envy: since speakup allocates the server's resources in proportion to the clients' bandwidth, “high-bandwidth good clients” are better off.

Variable bandwidth costs: for clients, access to “speakup”-defended servers would cost more than usual.

Incentives for ISPs: does “speakup” give ISPs an incentive to encourage botnets as a way to increase the bandwidth demanded by good clients?

Solving the wrong problem: if the problem is bots, shouldn't it be addressed rather than encouraging more traffic?

Flash crowds: speakup treats an overload of good clients alone just like an application-level DDoS attack.

Page 27:

Conclusions

This study has sought an answer to two high-level questions:

1. Which conditions call for speakup's peculiar brand of protection?

2. Does speakup admit a practical design?

The missed question is “Who needs speakup?”