The Good, The Bad and the Ugly: Network Performance in Malicious Environment

Udi Ben-Porat, ETH Zurich, Switzerland
Anat Bremler-Barr, IDC Herzliya, Israel
Hanoch Levy, Tel-Aviv University, Israel

First Steps in Research, CS – TAU – 1/2012
11/1/2012, FirstStepsInResearch - H. Levy - CS TAU


Page 1: The Good, The Bad and the Ugly: Network Performance in Malicious Environment (title slide: authors and venue as in the header above)

Page 2: Traditional Network Analysis / Design

Expected Value Analysis: average over a variety of cases. Traditionally “performance people”.
Worst Case Analysis: take the worst case scenario. Traditionally CS people.

BASIC ASSUMPTION: USERS WANT THE BEST FOR THEM

“The Good”
“The Bad”

Page 3: Today’s Networks

Can we still assume “Users Want the Best for THEM”? Mostly yes… BUT not ALL!

“The UGLY”: MALICIOUS USERS WANT TO HARM OTHERS’ PERFORMANCE

Page 4: “Malicious” Network Performance and Design

“Expected” and “Worst” may not be enough. Need to account for the malicious. Need a “Malicious” performance methodology.
WE WANT to combine “Performance” with “Security”.

This talk:
How to evaluate effect on Performance
How to evaluate SYSTEM VULNERABILITY

Page 5: Distributed Denial of Service (DDoS)

Attacker adds more regular users. Loading the server degrades the performance.

[Figure: Server Performance under Normal / DDoS / Sophisticated DDoS; Server, Attacker]

Page 6: Sophisticated DDoS

Attacker adds sophisticated malicious users. Each user creates maximal damage (per attack budget).

[Figure: Server Performance under Normal / DDoS / Sophisticated DDoS; Server, Attacker]

Page 7: Study Objective

Propose a DDoS Vulnerability performance metric:
Vulnerability Measure, to be used in addition to traditional system performance metrics
Understand the vulnerability of various systems to attacks

This Talk:
Examples
Describe DDoS Vulnerability performance metric
Demonstrate Metric impact on the Hash Table (very common in networking):
Performance (traditional): OPEN equivalent to CLOSED
Vulnerability analysis: OPEN << CLOSED!!

Page 8: This Talk (cont.)

Demonstrate Vulnerability in a distributed environment
Attacking the CDF Scheduling by collaboration

Page 9: Example 1: Data Structures (Worst Case Exploit)

Denial of Service via Algorithmic Complexity Attacks, Scott A. Crosby and Dan S. Wallach, Usenix 2003
Attacker induces the worst-case behavior on real software.
Average case: O(1). Worst case: O(n).

Page 10: Example 1: Bro Performance under Hash Attack

Bro intrusion detection system [Paxson ‘98]
High performance, open source IDS
Hash used by the port scanning detector
Attack: carefully chosen source IPs and dest port numbers to achieve the worst case of the Hash

[Figure: Cumulative Dropped Packets (thousands; y-axis 0 to 20000) vs. Time into attack (minutes; x-axis 0 to 25)]
Slides from the complexity attack paper presentation

Page 11: Example 2: Attack on Admission Control Mechanism (Traffic Pattern Exploit)

Reduction of Quality (RoQ) Attacks on Internet End-Systems, Mina Guirguis, Azer Bestavros, Ibrahim Matta and Yuting Zhang, INFOCOM 2005
Reduction of Quality attack: targets the adaptation mechanisms and prevents convergence to steady-state.

Page 12: Example 2 (cont.)

A simple admission control sets its admission rate as a function of the utilization of its back-end system.

[Figure: Clients -> Admission Controller -> Web-Server; Admission, Rejections, Feedback]

Page 13: Example 2 (cont.)

Attacker sends a surge demand, from time to time, for a very short period and pushes the system into overload.
Result: False rejection of traffic.

[Figure: Attacker, Zombies and Client -> Admission Controller -> Web-Server; Rejections, Overload]

Page 14: Example 3: Attack on TCP Retransmission (Traffic Pattern Exploit)

Shrews: Low-Rate TCP-Targeted Denial of Service Attacks, A. Kuzmanovic and E. W. Knightly, Sigcomm 2003
Attacks exploit the timeout mechanism of TCP, resulting in a complete denial of service.

[Figure: Shrew]

Page 15: Multiple Access Protocols (Protocol Deviation Exploit)

Ethernet-like protocol: shared channel, a set of nodes send and receive frames over the same channel, only one node can transmit at a time.
Each node runs a collision avoiding algorithm. Attackers disobey collision avoidance and disturb the transmission over the channel.

Page 16: Our Goal

Proposing a Vulnerability measurement for all sophisticated DDoS attacks
Vulnerability Measurement: how easy it is to degrade your users’ performance
Understanding the vulnerability of different systems to sophisticated attacks

Page 17: Vulnerability Factor Definition

Vulnerability = v means: a malicious user degrades the server performance v times more than a regular user.

$$\mathrm{Vulnerability}(\mathrm{Cost}\;c) = \max_{st} \frac{\Delta\mathrm{Performance}(\mathrm{Malicious}_{st},\, c)}{\Delta\mathrm{Performance}(\mathrm{Regular},\, c)}$$

(st = Malicious Strategy)

[Figure: Performance Degradation Scales]

Page 18: Vulnerability Interpretation

Vulnerability = v means: how many “innocent” users (operations) are denied service per one malicious user (operation).

[Figure: Performance Degradation Scales (st = Malicious Strategy)]

Page 19 (slide 20): Demonstration of Vulnerability Metric: Attack on Hash Tables

Central component in networks. A hash table is a data structure based on a Hash function and an array of buckets.
Operations: Insert, Search and Delete of elements according to their keys.

[Figure: User sends Insert(element) with its key to the Server; Hash(key) selects the Bucket]

Page 20 (slide 21): Hash Tables

Closed Hash: Bucket = one element. Collision -> the array is repeatedly probed until an empty bucket is found.
Open Hash: Bucket = list of elements that were hashed to that bucket.

Page 21 (slide 22): Performance Factors In Attack

While attack is on: attacker’s operations are CPU intensive; CPU loaded.
Post attack: loaded table; insert/delete/search operations suffer.

Vulnerability: OPEN vs. CLOSED
Traditional Performance: OPEN = CLOSED*
What about Vulnerability? OPEN = CLOSED?
(* when the buckets array of the closed hash is twice as big)

Page 22 (slide 23): Attacker Strategy (InsStrategy)

Strategy: insert k elements (cost = budget = k) where all elements hash into the same bucket ( ).
Theorem: InsStrategy is optimal for both performance factors.

[Figure: Attack Results. Closed Hash: Cluster. Open Hash: One long list of elements]

Page 23 (slide 24): In Attack: Resource Consumption

In every malicious insertion, the server has to traverse all previously inserted elements (+ some existing elements).

Analytic results:
Open Hash: V =
Closed Hash: V =

[Figure: Open Hash vs. Closed Hash]

Page 24 (slide 25): Post Attack: Operation Complexity

[Figure: Open Hash vs. Closed Hash]

Page 25 (slide 26): Why Open So Good, Closed So Bad

Open Hash: Access cost = approximately mean of chain, $E[C]$
Closed Hash: Access cost = approximately residual life of chain, $E[C^2]/(2E[C])$
Like in M/G/1!
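A small simulation, added here and not part of the original deck, that measures the vulnerability factor of slide 17 for the InsStrategy of slide 23 on toy open (chaining) and closed (linear probing, twice the slots) hash tables. The table sizes, the toy hash and the random regular workload are constructed assumptions; it shows why the post-attack access cost of the open hash tracks the mean chain while the closed hash tracks the second moment.

```python
import random

M = 64  # buckets in the open hash; the closed hash gets 2*M slots (constructed toy sizes)

def h(key, size):
    # Toy hash constructed for the example; multiples of `size` all land in bucket 0.
    return key % size

class OpenHash:
    """Open hash as in the deck: a bucket is the list of elements hashed to it."""
    def __init__(self):
        self.buckets = [[] for _ in range(M)]
    def insert(self, key):
        chain = self.buckets[h(key, M)]
        chain.append(key)
        return len(chain)             # work: walk the chain (duplicate check), then append
    def mean_probe_cost(self):        # expected cost of an insert / unsuccessful search
        return sum(len(c) + 1 for c in self.buckets) / M

class ClosedHash:
    """Closed hash as in the deck: one element per slot, linear probing on collision."""
    def __init__(self):
        self.slots = [None] * (2 * M)  # twice as big: the deck's equal-performance setting
    def probes_from(self, i):          # probes until an empty slot, starting at slot i
        n = 1
        while self.slots[i] is not None:
            i, n = (i + 1) % len(self.slots), n + 1
        return n
    def insert(self, key):
        i = h(key, 2 * M)
        n = self.probes_from(i)
        self.slots[(i + n - 1) % len(self.slots)] = key
        return n
    def mean_probe_cost(self):
        return sum(self.probes_from(i) for i in range(2 * M)) / (2 * M)

def vulnerability(make_table, k, seed=1):
    """Vulnerability(cost k) = degradation by k malicious ops / degradation by k regular ops."""
    rng = random.Random(seed)
    regular = [rng.randrange(10**6) for _ in range(k)]       # constructed regular workload
    malicious = [j * 2 * M for j in range(1, k + 1)]         # InsStrategy: one bucket
    t_reg, t_mal = make_table(), make_table()
    cpu_reg = sum(t_reg.insert(x) for x in regular)          # in-attack CPU work
    cpu_mal = sum(t_mal.insert(x) for x in malicious)
    # Post attack: extra probes per operation compared with an empty table (cost 1)
    post_reg, post_mal = t_reg.mean_probe_cost() - 1, t_mal.mean_probe_cost() - 1
    return {"in_attack": cpu_mal / cpu_reg, "post_attack": post_mal / post_reg}

if __name__ == "__main__":
    for name, make in (("open", OpenHash), ("closed", ClosedHash)):
        print(name, vulnerability(make, 32))
```

Both tables are equally vulnerable while the attack runs (each malicious insert traverses everything inserted before it), but afterwards the open hash's post-attack factor is 1 (the mean chain length only depends on the element count) while the closed hash's cluster makes random operations pay for the whole cluster tail.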

Page 26 (slide 27): Post Attack: Account for Queuing

Requests for the server are queued up.
Vulnerability of the (post attack) Waiting Time?

[Figure: request queue in front of the Server holding the Hash Table]

Page 27 (slide 28): Queue Analysis (M/G/1)

Waiting time is proportional to $E[S^2]/E[S]$
S = service time (random variable)

[Figure: request queue in front of the Server holding the Hash Table]

Page 28 (slide 29): Post Attack Waiting Time

Open Hash: service times proportional to chain length; $E[S] = 1$, $E[S^2] > 1$.
OPEN now is VULNERABLE!!

[Figure: waiting time vs. load, Stability Point]

Page 29 (slide 30): Post Attack Waiting Time

Closed Hash: service times proportional to the chain's 2nd moment; $E[S] \sim E[C^2]$, $E[S^2] \sim E[C^3]$.
Drastically more vulnerable: no longer stable for load > 48%.

[Figure: waiting time vs. load, Stability Point]
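Carrying the M/G/1 argument of slides 28 to 30 through explicitly (added here, not part of the original deck; the arrival rate $\lambda$ and the proportionality constants are assumptions for exposition):

$$W = \frac{\lambda\,E[S^2]}{2\,(1-\rho)}, \qquad \rho = \lambda\,E[S], \qquad \text{stable iff } \rho < 1 .$$

Open hash: the attack leaves $E[S] = 1$ unchanged (the mean chain $E[C]$ depends only on the number of stored elements), so $\rho$ and the stability point do not move, but the one long chain raises $E[S^2]$ above 1 and $W$ grows in proportion to $E[S^2]/E[S]$.

Closed hash: $E[S] \sim E[C^2]$, so a cluster of length $k$ adds on the order of $k^2$ to $E[S]$ itself; $\rho = \lambda E[S]$ rises with the attack, and the queue loses stability at a lower offered load (48% in the deck's setting), while $E[S^2] \sim E[C^3]$ inflates the numerator of $W$ as well.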

Page 30 (slide 31): Conclusions

HASH: Normal performance: Closed hash = Open Hash. Under attack: Closed hash >> Open Hash.
Malicious Performance: need performance evaluation to account for attacks. Can use the vulnerability metric.

Page 31 (slide 32): Questions?