Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security

Post on 25-Feb-2016


Page 1: Flash Crowds And Denial of Service Attacks:

Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites

Aaron Beach

Cs395 network security

Page 2:

OVERVIEW

• What is a “Flash Event?” (FE)
• What is a “Denial of Service Attack?”
• What is the difference?
• How can we distinguish between them?
• What is/are the solution(s)?
  – Adaptive Content Distribution Networks?
  – Others?
  – Do you have any ideas??? Think about it

Page 3:

Flash Events

• A flash event (FE) is a large surge in traffic to a particular Web site, causing a dramatic increase in server load and putting severe strain on the network links leading to the server, which results in a considerable increase in packet loss and congestion
• Also known as “flash crowds”

Page 4:

Denial of Service Attack (DoS)

• An explicit attempt by attackers to prevent legitimate users of a service from using that service
• Their definition:
  – any attempt to undermine a Web site
• What do you think?

Page 5:

The Major Differences

• Flash Events represent legitimate traffic to a website. This usually means the website wants to serve these requests as well as possible, while DoS attacks are unwanted and should not be serviced, but ignored or controlled.

Page 6:

Distinguishing Between Them

• 3 main characteristics
  – Traffic patterns
  – Client characteristics
  – File reference characteristics

Page 7:

Traffic Patterns

• Overall traffic volume determines how much a server should provision in resources to keep the site operational
• Servers can shut down from overuse
• Studying these patterns lets us articulate the period in which an unusually large number of clients can overwhelm a site
• We also learn how, and on what time scale, the server must defend against these rises in traffic

Page 8:

How substantial can an FE be?

88.2% of traffic in 11% of time
71% of traffic in 7% of time

Page 9:

You can see the spikes in traffic

They look indistinguishable?

Page 10:

Now do they look the same?

Quite different… however

Page 11:

Behavior of traffic

• First fifteen minutes
• They both rise, but over very different periods:
  – One over 70 minutes
  – One over 40 seconds

Page 12:

Client Characteristics and clustering

• They use a network-aware clustering technique to determine the topological distribution of clients in FEs and DoS attacks.
• Client clustering aggregates individual clients into groups belonging to the same administrative domain.
• Clustering uses a large collection of unique network prefixes assembled from a wide set of BGP routing tables.
• The client IP addresses are grouped into clusters by longest prefix matching.

Page 13:

Clusters and Clients trends

• Spikes in request volume during an FE correspond closely with spikes in the number of clients accessing the site. Thus the number of clients in a flash event follows the same increase pattern as the overall request rate.

Page 14:

No large change in average per-client request rate

Page 15:

“Old” clusters during an FE

• Clusters that have already visited the site vs. new clusters during an FE
• In the two FEs studied, 42.7% of the clusters in the Play-along trace and 82.9% in the Chile trace were “old” clusters, showing that in these FEs a large percentage of clusters had made previous requests

Page 16:

File Reference Characteristics

• Locality of reference enables a reduction of server load through caching.
• They use these characteristics in designing an “adaptive CDN.”
• We consider:
  – aggregate file references
  – reference patterns of individual clients
  – reference patterns of client clusters.

Page 17:

What files are accessed in an FE

• 60% (61% and 82% for Play-along and Chile, respectively) of documents are accessed only during flash events.
• So CDNs will not have cached them and will not be prepared for the FE
• Indeed, most CDN caches will not have these documents at the beginning of the FE
• So there will be many misses at the beginning of an FE

Page 18:

Popularity of files

Page 19:

Also about clusters and file popularity

• Requests for documents come from many different clusters…
• This means that with current CDNs many different servers get requests for the same file… resulting in more misses for the files popular only during FEs

Page 20:

Password cracking

• Much like DoS attacks
• We must detect early and stop them
• Detect “401 unauthorized” messages

Page 21:

Trends during attacks

• During attacks most clients making requests were new… they had never made requests before
• Only 0.6% of the clusters seen at one site during the attack had been seen before, and the percentage of such clusters drops to 0.1% for another site.

Page 22:

Trends in DoS requests (Code Red)

Page 23:

Rise in Clusters vs Clients (figure; panels: FE, DoS)

Page 24:

Overlap of clusters during DoS

• Calculated overlap for DoS was:
  – 0.6% in the creighton site
  – 0% in the fullnote site
  – 1.8% in the spccctxus site
  – 14.3% in the rellim site
• Compare this to 42.7% and 82.9% in the FEs studied
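As an added example (not code from the slides or the paper), the following Python clusters client IPs by longest-prefix match against a constructed prefix table and computes the two measures the slides compare between FEs and attacks: the share of “old” clusters and the number of clients per cluster. The prefix table and the request logs are constructed for the example.

```python
import ipaddress

# Constructed stand-in for the large BGP-derived prefix table the paper clusters
# with: a coarse /8 plus more specific /16s, so longest-prefix match matters.
PREFIXES = [ipaddress.ip_network("10.0.0.0/8")] + [
    ipaddress.ip_network(f"10.{i}.0.0/16") for i in range(1, 64)]

def cluster_of(ip):
    """Cluster of a client IP: the longest matching prefix, or None if unrouted."""
    addr = ipaddress.ip_address(ip)
    return max((p for p in PREFIXES if addr in p),
               key=lambda p: p.prefixlen, default=None)

def cluster_set(ips):
    return {c for c in map(cluster_of, ips) if c is not None}

def old_cluster_fraction(before_ips, during_ips):
    """Share of clusters active during an event that were already seen before it
    (the slides' 42.7%/82.9% for FEs versus 0%-14.3% for the DoS sites)."""
    before, during = cluster_set(before_ips), cluster_set(during_ips)
    return len(during & before) / len(during) if during else 0.0

def clients_per_cluster(ips):
    """How many distinct clients each active cluster contributes."""
    clusters = cluster_set(ips)
    return len(set(ips)) / len(clusters) if clusters else 0.0

# Constructed request logs: client IPs seen in a calm period, then during an FE
# (repeat visitors plus newcomers from the same organisations) and during an
# attack (one client per never-seen network).
BASELINE = ["10.1.0.5", "10.1.9.9", "10.2.3.4", "10.3.0.1", "10.4.8.8"]
FLASH = ["10.1.0.5", "10.1.7.7", "10.1.8.8", "10.2.0.9",
         "10.2.1.1", "10.3.1.1", "10.3.2.2", "10.9.0.2"]
ATTACK = [f"10.{n}.1.1" for n in range(20, 28)]

if __name__ == "__main__":
    for name, log in (("flash event", FLASH), ("attack", ATTACK)):
        print(f"{name}: {old_cluster_fraction(BASELINE, log):.0%} old clusters, "
              f"{clients_per_cluster(log):.1f} clients per cluster")
```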

Page 25:

Comparing the two: DoS vs FE

Page 26:

SOLUTION TIME!!!

• What should the server do when it is being overwhelmed??
  – Discard “more malicious” requests
• How?
  – Monitor users and the average request rate
  – Periodically “cluster” addresses
  – When overwhelmed… drop the addresses judged malicious; an address that is kept must belong to an old cluster and continue at a “normal” request rate
• The solution is not too taxing on the server, and it can be implemented as a filtering accept() function
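An added example (not code from the slides or the paper) of the filtering accept() idea above: while calm, the filter admits everyone and learns which clusters are old and what a normal per-client rate is; under overload it admits only old-cluster clients that are still at a normal rate. The prefix table, the addresses, the 60-second window and the surge factor of 3 are constructed assumptions.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed prefix table standing in for the BGP-derived one the paper clusters with.
PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "10.1.0.0/16", "10.2.0.0/16", "192.0.2.0/24")]

def cluster_of(ip):
    """Longest-prefix-match cluster of a client IP, or None if no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    return max((p for p in PREFIXES if addr in p), key=lambda p: p.prefixlen, default=None)

class AdmissionFilter:
    """Filtering accept(): admit everyone while calm and meanwhile learn "old" clusters and
    a normal per-client rate; under overload admit only old-cluster clients near that rate."""
    def __init__(self, window=60.0, surge_factor=3.0):
        self.window, self.surge_factor = window, surge_factor
        self.old_clusters = set()              # clusters seen during calm periods
        self.per_client = defaultdict(deque)   # ip -> request timestamps inside window
        self.avg_client_rate = 0.0             # requests/sec per client while calm
    def _rate(self, ip, now):
        q = self.per_client[ip]
        while q and q[0] <= now - self.window:
            q.popleft()
        return len(q) / self.window
    def recluster(self, now):
        """Periodic step, run while calm: refresh the old-cluster set and the normal rate."""
        active = [ip for ip in self.per_client if self._rate(ip, now) > 0]
        self.old_clusters |= {c for c in map(cluster_of, active) if c is not None}
        if active:
            self.avg_client_rate = sum(self._rate(ip, now) for ip in active) / len(active)
    def accept(self, ip, now, overloaded):
        """True if the connection should be served, False if it should be dropped."""
        self.per_client[ip].append(now)
        if not overloaded:
            return True
        if cluster_of(ip) not in self.old_clusters:
            return False                       # never-seen cluster under overload: drop
        limit = self.surge_factor * max(self.avg_client_rate, 1.0 / self.window)
        return self._rate(ip, now) <= limit    # old cluster, still at a normal rate

def simulate():
    """Constructed timeline: a calm minute with three regular clients, then overload."""
    f = AdmissionFilter()
    for t in range(0, 60, 10):                 # each client makes one request per 10 s
        for ip in ("10.1.0.5", "10.1.9.9", "10.2.3.4"):
            f.accept(ip, float(t), overloaded=False)
    f.recluster(60.0)
    decisions = {"old_cluster_normal_rate": f.accept("10.1.0.5", 70.0, True),
                 "new_cluster": f.accept("192.0.2.7", 70.0, True)}
    for i in range(30):                        # an old-cluster client suddenly hammers
        decisions["old_cluster_surging"] = f.accept("10.2.3.4", 71.0 + i / 100, True)
    return decisions
```

The same rule also drops genuinely new visitors who arrive during an FE, which is the trade-off the heuristic makes in favour of the established clientele.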

Page 27:

Will this always work??

• Sometimes DoS attacks are able to flood the links… and then the server can do nothing…
• Since the attacker does not know who is using the site, they cannot know which clusters to send from (the author thinks this is a way to avoid letting this information prepare attackers… what do you think??)

Page 28:

What about FEs?

• If we know how to deal with DoS attacks… we still have the problem of what to do when flash events happen
• Solution: Adaptive CDN

Page 29:

Adaptive CDN

• “Dynamic Delegation”
• The more caches, the more requests to the origin, so make fewer caches with more space
• Have primaries and delegates…
• When an FE is detected, the DNS servers send requests to the delegates first, and the delegates go to the primaries…
• Only primaries can make requests to the origin server, which in effect clusters the caches

Page 30:

Algorithm for Dynamic Delegation

• When a node “P” is overloaded it redirects requests to another node that has a low load, using it as a “delegate”
• When a node's load goes low again it stops using delegates
• Tests show this lowered the load on the origin server by a factor of 50 in one test and 30 in the other… without too high a load on the caches.
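Added example, not the paper's implementation: a simplified model of dynamic delegation run over a constructed flash event, comparing origin fetches and peak cache load with delegation (one primary per file, overloaded primaries hand requests to the least-loaded idle node) against an ordinary CDN where DNS spreads requests over all nodes and every node fetches misses from the origin. Node count, capacity and request mix are assumptions.

```python
import itertools

class Cache:
    """Constructed model of one CDN node: a per-round load counter and its cached content."""
    def __init__(self, name, capacity):
        self.name, self.capacity, self.load, self.content = name, capacity, 0, set()
    def overloaded(self):
        return self.load >= self.capacity

class DelegatingCDN:
    """Simplified dynamic delegation (an assumption, not the paper's exact algorithm): `dns`
    maps a file to the node clients are sent to; an overloaded node hands the request to the
    least-loaded node that is not itself overloaded, which copies the file from the primary."""
    def __init__(self, nodes, dns, delegation=True):
        self.nodes, self.dns, self.delegation = nodes, dns, delegation
        self.origin_fetches = 0
    def request(self, f):
        p = self.dns(f)
        if f not in p.content:                  # miss: this node goes to the origin
            p.content.add(f)
            self.origin_fetches += 1
        if self.delegation and p.overloaded():
            d = min((n for n in self.nodes if n is not p and not n.overloaded()),
                    key=lambda n: n.load, default=None)
            if d is not None:
                d.content.add(f)                # delegate copies from the primary, not origin
                d.load += 1
                return d.name
        p.load += 1
        return p.name
    def end_round(self):
        """Loads go back to zero; a node whose load is low again stops delegating."""
        for n in self.nodes:
            n.load = 0

def flash_event(delegation):
    """Constructed FE: 3 rounds of 40 requests for 3 new files against 4 nodes of capacity 10.
    With delegation DNS keeps one primary per file; without it DNS round-robins all nodes
    (ordinary CDN behaviour). Returns (origin fetches, peak per-node load)."""
    nodes = [Cache(f"n{i}", capacity=10) for i in range(4)]
    files = [f"/fe{i}.html" for i in range(3)]
    rr = itertools.cycle(nodes)
    dns = (lambda f: nodes[files.index(f)]) if delegation else (lambda f: next(rr))
    cdn, peak = DelegatingCDN(nodes, dns, delegation), 0
    for _ in range(3):
        for i in range(40):
            cdn.request(files[i % 3])
        peak = max(peak, max(n.load for n in nodes))
        cdn.end_round()
    return cdn.origin_fetches, peak
```

In this constructed run delegation cuts origin fetches from 12 to 3 at the same peak per-node load, because only the three primaries ever miss to the origin while the fourth node is filled from them.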

Page 31:

Review

• Flash Event (Flash Crowd)
• FE vs DoS
• Difference and Detection
• Detecting and stopping
• Dealing with FEs using an adaptive CDN