KillBots Surviving Organized DDoS Attacks That Mimic Flash Crowds - PowerPoint PPT Presentation

Slides: 30
Provided by: bor62
1
Kill-Bots: Surviving Organized DDoS Attacks That
Mimic Flash Crowds
  • Srikanth Kandula, Dina Katabi, Matthias Jacob and
    Arthur Berger

Based on Srikanth Kandula's presentation
Boris Korenfeld korenf_at_post.tau.ac.il
2
CyberSlam
  • 20,000 zombies issue requests that mimic
    legitimate browsing of the victim server (www.foo.com)

Requests look legitimate → standard filters don't
help
3
CyberSlam Attacks Happen!
  • Instances of CyberSlam
      • First FBI DDoS case: hired professionals hit a
        competitor
      • Mafia extorts online gaming sites
      • Code Red worm
  • Why CyberSlam?
      • Avoids detection by NIDS and firewalls
      • High pay-off by targeting expensive resources,
        e.g., CPU, DB, disk, processes, sockets
      • Large botnets are available

4
Tentative Solutions
  • Filter big resource consumers? There are no big
    consumers, and commodity OSes do not support
    fine-grained resource accounting
  • Passwords? Might not exist, and are expensive to
    check
  • Computational puzzles? Computation is abundant in
    a botnet

5
Kill-Bots is a kernel extension for web servers
  • Two states: Normal and Suspected Attack
  • Normal → Suspected Attack when LOAD > L1
  • Suspected Attack → Normal when LOAD < L2, with L2 < L1
    (hysteresis)
  • In Suspected Attack, new clients are authenticated
    once and given an HTTP cookie
  • In Normal, there is no overhead
6
Reverse Turing Test (e.g., CAPTCHAs) to
distinguish humans from zombies
  • But

7
3 Problems with CAPTCHA Authentication
  • (1) DDoS on the authentication mechanism itself
  • (2) Bias against users who can't or won't answer
    CAPTCHAs
  • (3) How to divide resources between service and
    authentication so as to maximize system goodput?

8
Authentication vulnerable to DDoS
Problem 1
[Diagram: client and server, standard network stack]
  • SYN cookie exchange
  • Server checks the cookie, creates a socket and
    reserves buffers: this causes a context switch and
    buffer copies
  • Resources are reserved until the client sends a FIN,
    but zombies don't FIN
9
Authentication vulnerable to DDoS
Problem 1
Solution: modify the network stack to issue CAPTCHAs
without state
[Diagram: client and Kill-Bots server, modified network stack]
  • SYN cookie exchange
  • Server checks the cookie and sends the CAPTCHA
    without a socket, then drops the connection
  • Stateless → cheap
  • Keeps congestion control semantics
  • No browser modifications
10
Kill-Bots Token
  • When the Kill-Bots server issues a puzzle, it
    creates a Token.
  • Browser reports the answer to the server along
    with the Kill-Bots token.
  • Server verifies the token by recomputing the
    hash.
  • Server checks the Kill-Bots token to ensure the
    token was created not more than 4 minutes ago.
  • Server checks if the answer to the puzzle is
    correct.
  • If all checks are successful, the server creates
    a Kill-Bots HTTP cookie and gives it to the user.
  • Cookie allows the user to re-enter the system
    for 30 minutes.
  • Each correctly answered graphical test allows
    the client to execute a maximum of 8 simultaneous
    HTTP requests.

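An added example (not code from the paper or the slides) of the token and cookie checks listed above. It assumes an HMAC over the token fields as the hash the server recomputes, a constructed key, puzzle table and per-cookie slot counter; the 4-minute token lifetime, 30-minute cookie lifetime and 8-request limit are the slide's.

```python
import hashlib
import hmac
# Lifetimes and limits are from slide 10; the key and puzzle table are constructed here.
SECRET = b"constructed-demo-key"
TOKEN_TTL = 4 * 60          # a puzzle token is accepted for 4 minutes
COOKIE_TTL = 30 * 60        # the cookie re-admits the client for 30 minutes
MAX_PARALLEL = 8            # at most 8 simultaneous HTTP requests per cookie
PUZZLES = {17: "x7kq2"}     # puzzle id -> expected answer (constructed table)

def _mac(*fields) -> str:
    return hmac.new(SECRET, "|".join(map(str, fields)).encode(), hashlib.sha256).hexdigest()

def issue_token(client_ip: str, puzzle_id: int, now: float) -> str:
    """Stateless: the token carries its fields plus a keyed hash over them."""
    ts = int(now)
    return f"{client_ip}|{puzzle_id}|{ts}|{_mac('tok', client_ip, puzzle_id, ts)}"

def check_answer(token: str, answer: str, client_ip: str, now: float):
    """Returns the Kill-Bots cookie on success, None otherwise. The cookie is derived
    from the token's timestamp, so the same token always yields the same cookie."""
    try:
        ip, pid, ts, tag = token.split("|")
        pid, ts = int(pid), int(ts)
    except ValueError:
        return None
    if not hmac.compare_digest(tag, _mac("tok", ip, pid, ts)):
        return None                        # forged or altered token
    if ip != client_ip or now - ts > TOKEN_TTL:
        return None                        # wrong client, or token older than 4 minutes
    if PUZZLES.get(pid) != answer:
        return None                        # wrong CAPTCHA answer
    return f"{ip}|{ts}|{_mac('cookie', ip, ts)}"

def check_cookie(cookie: str, client_ip: str, now: float) -> bool:
    try:
        ip, ts, tag = cookie.split("|")
        ts = int(ts)
    except ValueError:
        return False
    if not hmac.compare_digest(tag, _mac("cookie", ip, ts)):
        return False
    return ip == client_ip and now - ts <= COOKIE_TTL

def acquire_slot(cookie: str, active: dict) -> bool:
    """Bounds copy attacks: a cookie shared with many zombies still gets only 8 slots."""
    if active.get(cookie, 0) >= MAX_PARALLEL:
        return False
    active[cookie] = active.get(cookie, 0) + 1
    return True
```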
11
Legit. users who don't answer CAPTCHAs
Problem 2
Solution
  • Use the reaction to the CAPTCHA
  • Humans
      • Answer the CAPTCHA
      • Reload if it doesn't work, then give up
  • Zombies
      • Can't answer the CAPTCHA, but have to bombard
        the server with requests
  • Count the unanswered CAPTCHAs per IP, and drop if
    more than T

Cheap with a Bloom filter: a counter per IP, increased
when a CAPTCHA is given and decreased on a correct
answer
12
Bloom Learns All Zombie IPs
  • Stage 1
  • CAPTCHA Authentication
  • Learn IP addresses of zombies using Bloom filter
  • Stage 2
  • Use only Bloom filter for Authentication
  • No CAPTCHAs

Users who don't answer CAPTCHAs can access the
server despite the attack in Stage 2
13
To Authenticate or To Serve?
Problem 3
  • Authenticate all new arrivals
    → can't serve all authenticated clients
  • Authenticate very few arrivals
    → too few legitimate users are authenticated

Solution
  • Authenticate new clients with probability α (drop
    the others)
  • But what α maximizes goodput?

14
Analysis
  • Modeled the system using queuing theory
  • Found the optimal α (proof in the paper)
  • But α depends on many unknown parameters:
      • attack rate
      • mean service time
      • mean session size
      • legitimate request rate, etc.

15
Solution to Problem 3
Kill-Bots adapts the authentication probability α by
measuring the fraction of time the CPU is idle
16
Variables used in the analysis
17
Tying it Together
18
Security Analysis
  • Socially-engineered attack: the attacker forces their
    own visitors to solve CAPTCHAs before granting them
    access, then reuses the answers.
      • Puzzles in Kill-Bots expire 4 minutes after they
        have been served.
      • Maximum of 8 simultaneous connections per cookie.
  • Polluting the Bloom filter: the attacker tries to
    spoof his IP address and pollute the Bloom filter.
      • SYN cookies prevent IP spoofing, and Bloom filter
        entries are modified only after the SYN cookie
        check succeeds.
  • Breaking the CAPTCHA: automatic solving of simple
    CAPTCHAs.
      • Such programs are not available to the public for
        security reasons yet.
      • When one type of CAPTCHA gets broken, Kill-Bots
        can switch to a different kind.

19
Security Analysis
  • Copy attacks: the attacker solves one graphical
    puzzle and distributes the cookie to many zombies.
      • Maximum of 8 simultaneous connections per cookie.
  • Replay attacks: the attacker replays the answer
    packet to obtain many Kill-Bots cookies.
      • If an adversary tries to replay a session cookie
        outside its time interval, it gets rejected.
      • The same token yields the same cookie.
  • Database attack: the attacker collects all possible
    puzzles and the corresponding answers.
      • Kill-Bots uses a large number of puzzles and
        periodically replaces them with a new set.
      • The space of all possible graphical puzzles is
        huge.
      • Building a database, distributing it to all
        zombies, and ensuring they can search it and
        obtain answers within 4 minutes is very
        difficult.

20
Performance
21
Metrics
  • Goodput (of Legitimate Users)
  • Response time (of Legitimate Users)
  • Maximum survivable attack rate

22
Kill-Bots under DDoS
5-10 times better goodput and response time
[Figures: goodput of legitimate users (Mb/s) vs attack
rate (requests/sec); response time (sec) vs attack rate
(requests/sec)]
23
Why Adapt the Authentication Probability?
[Figure: goodput of legitimate users (Mb/s) vs attack
rate (requests/sec) for a server with adaptive
authentication, a server with authentication, and the
base server]
Adaptive α is much better than authenticating
every new user
24
Orders of magnitude better response time
[Figures: goodput of legitimate users (Mb/s) and
response time (sec) vs time (sec) during a flash crowd]
25
Kill-Bots under Flash Crowd
Adaptive α provides admission control
[Figures: authentication probability α vs time (sec);
response time (sec) vs time (sec) during a flash crowd]
26
Kill-Bots under Flash Crowd
[Figures: number of dropped legitimate requests,
Kill-Bots 80,000 vs base server 360,000; response time
(sec) vs time (sec)]
Kill-Bots authenticates new clients only if it
can serve them
27
Kill-Bots Contributions
  • First to protect web servers from DDoS attacks
    that mimic legitimate browsing
  • First to deal with CAPTCHAs' bias against
    legitimate users who don't solve them
  • Sends the CAPTCHA and checks the answer without any
    server state
  • Addresses both DDoS attacks and flash crowds
  • Orders of magnitude better response time,
    goodput, and survivable attack rate

28
  • THANK YOU

Boris Korenfeld korenf_at_post.tau.ac.il
29
Homework Assignment
  • What are the differences between Stage 1 and
    Stage 2 in Kill-Bots?
  • What is the Kill-Bots modification to the network
    stack?
  • What problem does the admission control solve?
  • What are the key components of the Kill-Bots
    architecture? (in the paper)