Resisting DoS Attacks using Agile Objects - PowerPoint PPT Presentation

Description:

University of California, San Diego. Resisting DoS Attacks using Agile Objects. Ju (Tony) Wang ... detect and filter out attack traffic ... – PowerPoint PPT presentation

1
Resisting DoS Attacks using Agile Objects
  • Ju (Tony) Wang
  • University of California, San Diego
  • Agile Objects Project
  • Concurrent Systems Architecture Group
  • September 2001

2
Outline
  • DoS Problem Analysis
  • Problem Definition
  • Application Model and Threat Model
  • Metrics for Study
  • Current Approaches for DoS Resistance
  • Proposed Solution
  • Key ideas
  • System overview
  • Initial design of the proxy network
  • Current Status, Remaining Challenges & Plans
  • Summary

3
DoS Problem Analysis
  • Definition
  • A denial of service attack aims to diminish
    the availability of a specific application
    service to some or all legitimate users. In its
    distributed form, a large number of machines in
    the Internet can be compromised and used to
    participate in a distributed denial of service
    attack.
  • Application model
  • Publicly accessible application service (for
    example, websites)
  • Threat model
  • Physical attacks -- attack hosts or network where
    the application resides
  • Logical attacks -- abuse the application by floods
    of legitimate requests

4
Metrics for study
[Figure: probability density functions (pdf) of a user's request response time t; labels: A, B, C, Application, Application Response Time, Average Response Time, Worst Case Response Time, DoS Attack]
  • From quality of service point of view
  • Distribution of user request delay affected by
    DoS attacks
  • Delay distribution in terms of affected area (A
    is less affected than B)
  • Delay distribution in terms of duration of the
    effect (how long the effect on a user will last)
  • The intensity of the attack, distribution of
    users as parameters

5
Current Approaches for DoS Resistance
[Figure: an attacker compromises hosts in the Internet and launches a DDoS attack on the application used by legitimate users]
  • Reactive schemes
  • detect and filter out attack traffic
  • Trace back to attackers or compromised hosts in
    order to stop them
  • Punitive schemes
  • The ability to trace back to attackers or
    compromised hosts may deter attackers from
    attacking.

6
Current Approaches for DoS Resistance
[Figure: an attacker compromises hosts in the Internet and launches a DDoS attack on the application used by legitimate users]
  • Preventive schemes
  • protect machines from being compromised
  • These approaches primarily focus on disrupting
    attack mechanisms rather than defeating the
    foundation of attacks

7
Why are DoS attacks possible?
  • Publicly accessible application services always
    reside on well-known physical locations
  • Physical attacks strike those physical
    locations to break down the services
  • Most publicly accessible application services do
    not schedule requests fairly, so there is
    unfairness among users
  • Individual requests from attackers and from
    legitimate users are indistinguishable
  • Logical attacks consume a significant amount of
    resources on the victim application service by
    asking it to process a huge number of (legitimate)
    requests, so that legitimate requests have less
    chance of being processed.

8
Key Ideas of Proposed Solution
  • Novel idea -- make application service location
    elusive to defeat direct physical attacks on
    application services
  • Location of the application is a secret no users
    know, so that attackers do not know where to
    attack
  • Location of the application is changing, so that
    attack on fixed locations can only affect the
    application for a short period of time before it
    moves.
  • Novel idea -- separate the application's access
    point from the application itself
  • Build access points in a highly distributed and
    redundant way to tolerate physical attacks
  • Access points (we call them the proxy network) act
    as a shield to protect the application. (This is
    fundamentally different from today's proxies, which
    primarily focus on filtering and address
    translation, and are not designed to be shields
    against DoS attacks.)
  • Novel idea -- the proxy network performs distributed
    fair scheduling on user requests to defeat logical
    attacks

9
Proposed Solution: Distributed DoS-Tolerant
Proxy Network
  • Shield against physical attacks
  • Scheduler to defeat logical attacks

[Figure: users connect through proxies to the distributed, location-elusive application]

10
Requirement of the Proxy Network
  • Distributed Fair Schedule
  • provide global fair schedule for users to
    tolerate logical attacks.
  • DoS Tolerance on Individual Proxies
  • tolerate compromise/failures of individual
    proxies and balance load across proxies in order
    to tolerate physical attacks.
  • Persistent Accessibility to the Application
  • keep track of how to contact the application
    without disclosing such information to un-trusted
    parties.

11
High-level Design
  • Distributed fair schedule
  • Partitioning users among proxies is one efficient
    way to achieve a global fair schedule. (Each proxy
    can run a centralized scheduler inside its
    partition without having to contact other
    proxies. This reduces communication cost.)
  • DoS tolerance on individual proxies
  • Tolerate failures/DoS attacks on individual
    proxies. In case one proxy is under attack (or
    fails), users have a chance to use other proxies to
    contact the application. (Need dynamic mapping
    between users and proxies.)
  • Solution: Virtual Proxy Layer (novel idea)
  • Each user is statically assigned to one (and only
    one) virtual proxy
  • Virtual proxies are dynamically mapped to
    physical proxies and one virtual proxy is mapped
    to only one physical proxy.
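
The virtual proxy layer and per-partition scheduler described on this slide, sketched as an added example (not code from the Agile Objects project). It assumes the proxy can already tell users apart by a `user_id`, uses SHA-256 hashing for the static assignment and round-robin as the fair scheduler; `N_VIRTUAL`, the class names and the request strings are constructed for illustration.

```python
import hashlib
from collections import Counter, deque

N_VIRTUAL = 8  # assumed size of the virtual proxy layer


def virtual_proxy(user_id):
    """Static assignment: a user always hashes to the same virtual proxy."""
    digest = hashlib.sha256(user_id.encode()).digest()
    return int.from_bytes(digest[:4], "big") % N_VIRTUAL


class PhysicalProxy:
    """Centralized round-robin scheduler over the users in its partition."""

    def __init__(self, name):
        self.name = name
        self.queues = {}  # user_id -> pending requests, in arrival order

    def submit(self, user_id, request):
        self.queues.setdefault(user_id, deque()).append(request)

    def schedule(self, budget):
        """Forward at most `budget` requests, one per user per round."""
        served = []
        while len(served) < budget and any(self.queues.values()):
            for user, pending in self.queues.items():
                if pending and len(served) < budget:
                    served.append((user, pending.popleft()))
        return served


class ProxyNetwork:
    def __init__(self, names):
        self.proxies = {n: PhysicalProxy(n) for n in names}
        # Dynamic mapping: each virtual proxy -> exactly one physical proxy.
        self.vp_map = {vp: names[vp % len(names)] for vp in range(N_VIRTUAL)}

    def route(self, user_id, request):
        name = self.vp_map[virtual_proxy(user_id)]
        self.proxies[name].submit(user_id, request)
        return name


def flood_demo():
    """Constructed input: one flooding user and three ordinary users."""
    net = ProxyNetwork(["p0"])  # one proxy so all users share a partition
    for i in range(1000):
        net.route("flooder", i)
    for user in ("alice", "bob", "carol"):
        net.route(user, "GET /")
        net.route(user, "GET /")
    return Counter(u for u, _ in net.proxies["p0"].schedule(budget=8))
```

Reassigning an entry of `vp_map` moves a virtual proxy, and every user hashed to it, to another physical proxy without changing the user-side assignment.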

12
Load Balance & DoS-Tolerance
[Figure: Proxy Group A and Proxy Group B with their leads (A Lead, B Lead), connected by gossip links]
  • Physical proxies are organized into proxy groups.
    Proxy groups can form larger super-groups to
    construct a hierarchical proxy network
    corresponding to network topology.
  • Gossip protocol is used to balance load among
    group members. Virtual proxies (users) may be
    reassigned to other physical proxies. (It can be
    viewed as migration). This load balance is done
    at every level of the hierarchy.
  • During a physical DoS attack, an area of the network
    may become slow. This load balance scheme can
    transfer most of the workload (user requests) to
    faster proxies, so that most users can still reach
    the application service.
  • FT research uses gossip protocol to sync state.
    We borrow it to balance load.
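
A simulation of the load-balancing idea on this slide within a single proxy group, as an added example (not the project's gossip protocol). The capacities, the pairwise exchange rule and the three-proxy scenario are assumptions constructed for illustration; the hierarchy of groups and leads is not modelled.

```python
import random


class Proxy:
    def __init__(self, name, capacity):
        self.name = name
        self.capacity = capacity  # requests it can forward per time unit
        self.vps = set()          # virtual proxies currently mapped here

    def utilization(self):
        return len(self.vps) / self.capacity


def exchange(a, b):
    """One gossip exchange: migrate virtual proxies from the busier peer
    while each move lowers the pair's peak utilization."""
    moved = 0
    while True:
        src, dst = (a, b) if a.utilization() >= b.utilization() else (b, a)
        if not src.vps:
            return moved
        peak_after = max((len(src.vps) - 1) / src.capacity,
                         (len(dst.vps) + 1) / dst.capacity)
        if peak_after >= src.utilization():
            return moved
        dst.vps.add(src.vps.pop())
        moved += 1


def gossip_round(group, rng):
    """Every member gossips with one randomly chosen peer in its group."""
    for proxy in group:
        exchange(proxy, rng.choice([p for p in group if p is not proxy]))


def attack_demo(rounds=5, seed=1):
    """Constructed scenario: proxy 'c' drops to 1/10 capacity under attack."""
    rng = random.Random(seed)
    group = [Proxy(name, 10) for name in "abc"]
    for vp in range(12):
        group[vp % 3].vps.add(vp)      # four virtual proxies per proxy
    group[2].capacity = 1              # physical DoS slows 'c'
    peak_before = max(p.utilization() for p in group)
    for _ in range(rounds):
        gossip_round(group, rng)
    peak_after = max(p.utilization() for p in group)
    return peak_before, peak_after, {p.name: sorted(p.vps) for p in group}
```

Each virtual proxy stays mapped to exactly one physical proxy throughout; only the mapping changes, so users keep their static assignment while their traffic leaves the slowed proxy.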

13
Current Status
  • Work that has been done
  • Analysis of DoS problem
  • Studied most forms of known DoS attacks
    especially distributed attacks
  • Formalized model of DoS attacks
  • Formalized the metrics for DoS study
  • Survey on research problems in this domain
  • Prevent user machines from being compromised
  • Intrusion detection
  • Source back-tracing
  • Fair schedule schemes (scalability and security
    aspect)
  • Proposed a novel way to solve the DoS problem
  • Use a location-elusive proxy network as the
    access point to resist physical DoS attacks
  • Use a distributed fair scheduler to resist logical
    DoS attacks
  • Initial design of the proxy network

14
Remaining Challenges and Plans
  • Fair scheduler requires distinguishing requests
    from different users or machines.
  • Should not affect user privacy
  • Should not make it inconvenient for users
  • Plan: study how to distinguish machines or
    instances of OS. From there, we can search for a
    solution for this problem.
  • Routing scheme to keep track of the dynamic
    mapping between virtual proxies and physical
    proxies
  • Good performance and scalability
  • Some initial study has been conducted and there
    is a primitive design
  • Plan: further study in routing solutions for
    mobile systems, which share a lot of similarity
    with this problem. Enhance current primitive
    design
  • How to tolerate the case when some proxies are
    compromised?
  • Need to prevent those compromised proxies from
    malicious behavior
  • Need to discover the intrusion and properly
    handle it.
  • Plan: study in the field of intrusion detection
    for candidate solutions

15
Remaining Tasks
  • Complete the design of the proxy network,
    including
  • Complete/enhance the gossip protocol for load
    balance and DoS-resistance (Finish by 4th quarter
    of 2001)
  • Find solutions for the remaining challenges
    (Finish by 4th quarter of 2001)
  • Implementation of this design (1st to early part
    of 3rd quarter of 2002)
  • Parametric study (late 3rd to 4th quarter of
    2002)
  • Build a test-bed to do experiments
  • Study how well this scheme can tolerate DoS
    attacks
  • Study the performance overhead of this scheme
  • Study the scaling property of this scheme
  • Comparison with other schemes in this area (4th
    quarter of 2002)

16
Summary
  • Identified two important DoS attack models:
    physical attacks and logical attacks
  • The location elusiveness capability AO provides and
    separating access points from applications enable
    us to tolerate physical DoS attacks.
  • With the distributed fair schedule network we are
    developing, logical attacks can be tolerated.
  • With the proposed solution and the capability
    provided by AO system, we expect to solve the DoS
    problems.