Title: Portcullis: Protecting Connection Setup from Denial-of-Capability Attacks
1Portcullis Protecting Connection Setupfrom
Denial-of-Capability Attacks
- Paper by
- Bryan Parno et al. (CMU)
- Presented by
- Ionut Trestian
- Gergely Biczók
- (Slides in courtesy of Bryan Parno)
2Network-Level Distributed Denial of Service
Attacks
- Distributed DoS attack exhausts bandwidth of
links leading to victim - Recent example Estonian government and bank
sites attacked by Russian hackers (dispute over
Soviet statue) - Key issue receiver has no control over incoming
traffic! - Several capability systems are proposed to
alleviate this problem e.g. SIFF, TVA,
3Capability system basics
- 1. Client C sends a best-effort request packet
to server S. Packet accumulates a capability. - 2. If S wants to allow C to send privileged
traffic, S sends capability back to C - 3. Packets with a capability are given priority
over non- privileged packets
R
4Denial-of-Capability Attack
- That is nice but
- DDoS can block request packets too!
- So to prevent DDoS attacks
- capability systems need a DDoS defense
mechanism!
5Our starting claim
- Capability setup is fundamentally different from
normal data traffic - If one request goes through we succeed
- It can sustain more losses and higher cost (of
any kind) - Portcullis exploits this difference
- Setup is worth a reasonable cost to be safe from
DDoS - Cost is spread over all packets between source
and destination - Recall the definition of capability from TVA
6Design Goals
- Network cannot distinguish attackers from
defenders - Best feasible solution allocate bandwidth fairly
- Also, we need to bound the capability setup delay
- Setup time still depends on number of
users/attackers and network capacity
7How to Allocate Bandwidth Fairly?
- Identity-based fairness
- Per-source (e.g., IP address)
- NATs, spoofed addresses
- Per-path
- SIFF hurting legitimate senders
- TVA coarse-grained (per-interface)
- Per-destination
- Attacker can flood all destinations sharing the
victms bottleneck link - Legitimate user send packets only to single host
- Actually amplifies the power of attacker!
- We need something better!
8Proof-of-Work Schemes
- Demonstrate the use of a limited resource
- Access to network resources proportonal to work
done - Per-bandwidth fairness
- Only demonstrated on end-host resources, and on
an uncongested network - Large disparities bw legitimate users (modem vs.
fibre) - Per-computation fairness
- Probability of request packet delivery
computational effort of sender
9Per-computation fairness puzzles
- Measure work with solving puzzles
- Work is performed at the end-host, not in the
network - Smaller disparities in computational power (PC
vs. cellphone) - Work is verifiable, unlike identifiers
- Our work addresses limitations of previous puzzle
systems - Clients can create and solve variable-difficulty
puzzles without contacting the victim - Each router on the path can independently verify
the work performed
10Portcullis Overview
Router
Router
Client
Server
11Portcullis Overview
Router
Router
Client
Server
12Portcullis Overview
Router
Router
Client
Server
13Portcullis Overview
Capability Setup
Router
Router
Client
Server
14Portcullis Overview
Capability Setup
Router
Router
Client
Server
15Portcullis Overview
Capability Setup
Router
Router
Client
Server
16Portcullis Overview
Capability Setup
Capability Setup
Router
Router
Client
Server
17Portcullis Overview
Capability Setup
Capability Setup
Router
Router
Client
Server
18Portcullis Overview
Capability Setup
Capability Setup
Router
Router
Client
Server
19Portcullis Overview
Capability Setup
Capability Setup
Router
Router
Client
Server
Full Queue
20Portcullis Overview
Router
Router
Client
Server
21Portcullis Overview
Router
Router
Client
Server
22Portcullis Overview
Router
Router
Client
Server
23Portcullis Overview
Capability Setup
Router
Router
Client
Server
24Portcullis Overview
Capability Setup
Router
Router
Client
Server
25Portcullis Overview
Capability Setup
Capability Setup
Router
Router
Client
Server
26Portcullis Overview
Capability Setup
Capability Setup
Router
Router
Client
Server
27Portcullis Overview
Capability Setup
Capability Setup
Router
Router
Client
Server
28Key Insight
- Fundamental asymmetry favors a legitimate client
- The client only needs one packet to succeed, but
the adversary must keep the victims pipe full at
all times - A few hard puzzles will not congest the victims
link - Many easy puzzles can be bypassed by a legitimate
client who solves a single hard puzzle
29Puzzle Generation
- Client computes a flow-specific puzzle as
- p H( Server IP S R L X)
- Where
- H is a hash function
- S is the current puzzle seed
- R is a randomly chosen 64-bit number
- L is the puzzle difficulty level
- The solution X is chosen so that
- p 0 mod 2L
- Expected of operation to find X is 2L
30Router Verification and Scheduling
- Verify puzzle solution with a single hash
- H( Server IP S R L X ) 0 mod 2L
- Prioritize packets with harder puzzles (larger L)
- Prevent local puzzle reuse with a Bloom Filter
- - Only records correct puzzle solutions
31Legitimate Client Strategy
- Double the computational work included in each
subsequent request - Continue doubling until a request succeeds
- Our results show that this strategy succeeds
regardless of attackers resources - Knowledge of network congestion levels or
attackers resources allows optimization
32Puzzle Seed Creation and Distribution
33Puzzle Seed Creation and Distribution
34Puzzle Seed Creation and Distribution
35Puzzle Seed Creation and Distribution
Request
36Puzzle Seed Creation and Distribution
Request
37Seed Generation and Verification
- Trusted seed generator releases a new puzzle seed
every 5 minutes - Puzzle seeds must be
- Unpredictable
- Easily verified by hosts and routers
- Naïve implementation
- Seed generator
- Picks a random number for the puzzle seed
- Uses a public key to sign the seed
- Hosts and routers verify each signature
38Seed Distribution Service
- Takes puzzle seeds and makes them available to
clients - Requires distributed, well-provisioned Servers
- E.g., CDN or DNS
39EvaluationTheoretical Result 1
- Proof that legitimate clients succeed in time
O(M) - M Number of malicious machines
- Intuition
- Attacker can either fill the victims pipe or
solve hard puzzles - A legitimate client quickly sends a request at a
level higher than the attacker can "afford"
40Evaluation Theoretical Result 2
- Proof that for any routing policy, the time
needed for capability setup is O(M) - Intuition
- Subverted machines can behave just like
legitimate machines
41Evaluation
- Simulation based on real Internet topology
- CAIDA Skitter map of over 174,000 networks
- Randomly placed legitimate clients and attackers
at the edges - Victim placed at the root
- Attackers establish DDoS by flooding at max
uplink capacity - We measure the time needed for 1000 legitimate
clients to establish a capability
42Portcullis Attacker Strategies
- Evaluate various adversarial strategies
- Naïve attacker simply floods without solving
puzzles - Puzzle solver
- Chooses a flooding rate
- Pools all computational resources to solve the
hardest puzzles possible while maintaining the
chosen sending rate
43Portcullis Attacker Strategies
44Comparative Simulations
- Points of comparison
- Per-bandwidth fairness (Speak up) Walfish et al.
2006 - Legitimate clients send requests at maximum
uplink capacity - Per-path fairness (TVA) Yang et al. 2005
- Packets queued based on previous Autonomous
System (AS) - Legacy (Random)
- Routers randomly select packets to forward and
drop excess packets
45Comparative Results
46Comparative Results
47Comparative Results
48Conclusions
- Portcullis mitigates DoC attacks by allocating
bandwidth based on per-computation fairness - Novel puzzle mechanism strictly bounds the setup
delay imposed by a given number of attackers - Supported by proofs and simulations
- Makes capability systems a robust defense against
DDoS attacks