1
The Good, The Bad and the Ugly: Network Performance in Malicious Environment
Udi Ben-Porat, ETH Zurich, Switzerland
Anat Bremler-Barr, IDC Herzliya, Israel
Hanoch Levy, Tel-Aviv University, Israel
First Steps in Research, CS – TAU – 1/2012
11/1/2012 FirstStepsInResearch - H. Levy - CS TAU
2
Traditional Network Analysis / Design
Expected Value Analysis: average over a variety of cases (the traditional "performance people" approach)
Worst Case Analysis: take the worst-case scenario (traditionally the CS people's approach)
BASIC ASSUMPTION: USERS WANT THE BEST FOR THEM
"The Good" (the expected case), "The Bad" (the worst case)
3
Today's Networks
Can we still assume "Users Want the Best for THEM"? Mostly yes... BUT not ALL!
"The UGLY": MALICIOUS USERS, who WANT TO HARM OTHERS' PERFORMANCE
4
"Malicious" Network Performance and Design
"Expected" and "Worst" may not be enough: we need to account for the malicious user, i.e. we need a "malicious" performance methodology.
WE WANT to combine "performance" with "security".
This talk:
How to evaluate the effect on performance
How to evaluate SYSTEM VULNERABILITY
5
Distributed Denial of Service (DDoS)
Attacker adds more regular users; loading the server degrades its performance.
[Figure: attacker and server; bar chart of server performance under Normal, DDoS and Sophisticated DDoS load]
6
Sophisticated DDoS
Attacker adds sophisticated malicious users; each user creates maximal damage (per attack budget).
[Figure: attacker and server; bar chart of server performance under Normal, DDoS and Sophisticated DDoS load]
7
Study Objective
Propose a DDoS vulnerability performance metric (a vulnerability measure), to be used in addition to traditional system performance metrics.
Understand the vulnerability of various systems to attacks.
This Talk
Examples
Describe the DDoS vulnerability performance metric
Demonstrate the metric's impact on a hash table, which is very common in networking:
Performance (traditional): OPEN equivalent to CLOSED
Vulnerability analysis: OPEN << CLOSED!!
8
This Talk (cont.)
Demonstrate vulnerability in a distributed environment (attacking the CDF scheduling by collaboration).
9
Example 1: Data Structures (Worst Case Exploit)
Denial of Service via Algorithmic Complexity Attacks, Scott A. Crosby and Dan S. Wallach, USENIX 2003.
Attacker induces the worst-case behavior on real software.
Average case: O(1); worst case: O(n).
10
Example 1: Bro Performance under Hash Attack
Bro intrusion detection system [Paxson '98]: high performance, open source IDS.
A hash table is used by the port scanning detector.
Attack: carefully chosen source IPs and destination port numbers achieve the worst case of the hash.
[Figure: cumulative dropped packets (thousands; y-axis 0 to 20,000) vs. time into attack (0 to 25 minutes)]
Slides from the complexity attack paper presentation.
11
Example 2: Attack on Admission Control Mechanism (Traffic Pattern Exploit)
Reduction of Quality (RoQ) Attacks on Internet End-Systems, Mina Guirguis, Azer Bestavros, Ibrahim Matta and Yuting Zhang, INFOCOM 2005.
Reduction of Quality attack: targets the adaptation mechanisms and prevents convergence to steady state.
12
Example 2 (cont.)
A simple admission control sets its admission rate as a function of the utilization of its back-end system.
[Figure: clients send requests to an admission controller in front of a web server; the controller admits or rejects requests based on feedback from the server]
13
Example 2 (cont.)
Attacker sends a surge of demand, from time to time, for a very short period and pushes the system into overload.
Result: false rejection of legitimate traffic.
[Figure: attacker and zombies overload the web server; the admission controller rejects the client]
14
Example 3: Attack on TCP Retransmission (Traffic Pattern Exploit)
Shrews: Low-Rate TCP-Targeted Denial of Service Attacks, A. Kuzmanovic and E. W. Knightly, SIGCOMM 2003.
Attacks exploit the timeout mechanism of TCP, resulting in a complete denial of service.
[Figure: shrew]
15
Multiple Access Protocols (Protocol Deviation Exploit)
Ethernet-like protocol: a shared channel; a set of nodes send and receive frames over the same channel, and only one node can transmit at a time.
Each node runs a collision-avoidance algorithm. Attackers disobey collision avoidance and disturb the transmission over the channel.
16
Our Goal
Propose a vulnerability measurement for all sophisticated DDoS attacks.
Vulnerability measurement: how easy it is to degrade your users' performance.
Understand the vulnerability of different systems to sophisticated attacks.
17
Vulnerability Factor Definition
Vulnerability = v means: a malicious user degrades the server performance v times more than a regular user.
[Figure: performance degradation scales]

$$\mathrm{Vulnerability}(\mathrm{Cost}\,c) = \max_{st} \frac{\Delta\mathrm{Performance}(\mathrm{Malicious}_{st},\, c)}{\Delta\mathrm{Performance}(\mathrm{Regular},\, c)}$$

(st = malicious strategy)
18
Vulnerability Interpretation
Vulnerability = v means: how many "innocent" users (operations) are denied service per one malicious user (operation).
[Figure: performance degradation scales]
(st = malicious strategy)
20
Demonstration of the Vulnerability Metric: Attack on Hash Tables
A hash table is a central component in networks: a data structure based on a hash function and an array of buckets.
Operations: Insert, Search and Delete of elements according to their keys.
[Figure: a user sends Insert(element) to the server, which computes Hash(key) to select the bucket]
21
Hash Tables
Open Hash: bucket = list of the elements that were hashed to that bucket.
Closed Hash: bucket = one element; on a collision the array is repeatedly probed until an empty bucket is found.
22
Performance Factors in Attack
While the attack is on: the attacker's operations are CPU intensive, so the CPU is loaded.
Post attack: the table is loaded, so insert/delete/search operations suffer.
Vulnerability: OPEN vs. CLOSED
Traditional performance: OPEN = CLOSED*
What about vulnerability? OPEN = CLOSED?
(* when the buckets array of the closed hash is twice as big)
23
Attacker Strategy (InsStrategy)
Strategy: insert k elements (cost = budget = k) where all elements hash into the same bucket ( ).
Theorem: InsStrategy is optimal for both performance factors.
Attack results:
Closed Hash: a cluster
Open Hash: one long list of elements
24
In Attack: Resource Consumption
In every malicious insertion, the server has to traverse all previously inserted elements (+ some existing elements).
Analytic results:
Open Hash: V =
Closed Hash: V =
[Figure: open hash vs. closed hash]
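The in-attack measurement of slides 22 to 24, as an added example that is not part of the original slides. It builds a toy "open" (chained) hash and a toy "closed" (linear-probing) hash, both placing a key by `key mod m`, with the closed array twice the size of the open one as the footnote on slide 22 requires. A regular user with budget k inserts k random keys; the InsStrategy user inserts k keys that all land in bucket 0 of both tables. Since the in-attack performance factor is the CPU work of the k insertions, and no insertions cost nothing, the vulnerability factor of slide 17 reduces to the ratio of the two users' insertion costs. Table size, pre-existing load, budget and the cost model (one unit per element compared or slot probed) are my own constructed assumptions.

```python
import random
from typing import Callable, Dict, List


class OpenHash:
    """'Open' hash (slide 21): every bucket is a list of the keys hashed to it."""

    def __init__(self, m: int) -> None:
        self.m = m
        self.buckets: List[List[int]] = [[] for _ in range(m)]

    def insert(self, key: int) -> int:
        """Insert key; return the work done (hash computation + one comparison per chain element)."""
        chain = self.buckets[key % self.m]
        cost = 1 + len(chain)            # the chain is scanned to reject a duplicate key
        if key not in chain:
            chain.append(key)
        return cost

    def longest_chain(self) -> int:
        return max(len(b) for b in self.buckets)


class ClosedHash:
    """'Closed' hash (slide 21): one key per slot, linear probing on a collision."""

    def __init__(self, m: int) -> None:
        self.m = m
        self.slots: List[int] = [None] * m

    def insert(self, key: int) -> int:
        """Insert key; return the work done (hash computation + one unit per slot probed)."""
        i = key % self.m
        cost = 1
        while self.slots[i] is not None and self.slots[i] != key:
            i = (i + 1) % self.m         # walk the cluster until an empty slot (or the key) is found
            cost += 1
        self.slots[i] = key
        return cost

    def longest_cluster(self) -> int:
        """Length of the longest run of occupied slots (wrap-around ignored)."""
        best = run = 0
        for s in self.slots:
            run = run + 1 if s is not None else 0
            best = max(best, run)
        return best


def insertion_vulnerability(m: int = 1024, n_existing: int = 512, k: int = 256, seed: int = 1) -> Dict[str, dict]:
    """Compare the CPU work of k regular insertions with k InsStrategy insertions (constructed scenario).

    Returns, per table type, both costs, their ratio V (the vulnerability factor of slide 17 when the
    performance factor is in-attack CPU work) and the longest chain/cluster left behind (slide 23)."""
    assert n_existing + k < 2 * m, "closed table must not fill up"
    rng = random.Random(seed)
    existing = [rng.randrange(1, 10**9) for _ in range(n_existing)]   # pre-attack content, random keys
    regular = [rng.randrange(1, 10**9) for _ in range(k)]             # regular user: random keys
    malicious = [j * 2 * m for j in range(1, k + 1)]                  # InsStrategy: all keys are 0 mod m and mod 2m

    def run(factory: Callable[[], object], keys: List[int]):
        table = factory()
        for key in existing:
            table.insert(key)
        return table, sum(table.insert(key) for key in keys)

    results: Dict[str, dict] = {}
    for name, factory in (("open", lambda: OpenHash(m)), ("closed", lambda: ClosedHash(2 * m))):
        _, reg_cost = run(factory, regular)
        table, mal_cost = run(factory, malicious)
        longest = table.longest_chain() if name == "open" else table.longest_cluster()
        results[name] = {"regular_cost": reg_cost, "malicious_cost": mal_cost,
                         "V": mal_cost / reg_cost, "longest": longest}
    return results


if __name__ == "__main__":
    for name, r in insertion_vulnerability().items():
        print(f"{name:6s} regular={r['regular_cost']:6d} malicious={r['malicious_cost']:6d} "
              f"V={r['V']:7.1f} longest chain/cluster={r['longest']}")
```

Each malicious insertion traverses every previously inserted malicious element, so the k insertions cost at least k(k-1)/2 units against roughly k times the load factor for the regular user; V therefore grows linearly with the attacker's budget, which is the property a designer compares across data structures when choosing one for a network device.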
25
Post Attack: Operation Complexity
[Figure: open hash vs. closed hash]
26
Why Open So Good, Closed So Bad
Open Hash: access cost ≈ mean of the chain, E[C]
Closed Hash: access cost ≈ residual life of the chain, E[C^2] / (2 E[C])
Like in M/G/1!
27
Post Attack: Account for Queuing
Requests for the server are queued up.
Vulnerability of the (post-attack) waiting time?
[Figure: queue of requests in front of the server's hash table]
28
Queue Analysis (M/G/1)
Waiting time is proportional to E[S^2] / E[S]
S = service time (random variable)
[Figure: queue of requests in front of the server's hash table]
29
Post Attack Waiting Time
Open Hash: service times proportional to chain length: E[S] = 1, E[S^2] > 1
Stability point
Now OPEN is VULNERABLE!!
30
Post Attack Waiting Time
Closed Hash: service times proportional to the chain's 2nd moment: E[S] ~ E[C^2], E[S^2] ~ E[C^3]
Stability point
Drastically more vulnerable: no longer stable for load > 48%
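The post-attack analysis of slides 26 to 30, as an added example that is not part of the original slides. It constructs the chain-length vector C of an m-bucket table after a regular user adds k random keys and after an InsStrategy user adds k keys to one bucket, then applies the slides' approximations: open-hash access cost E[C], closed-hash access cost E[C^2]/(2E[C]) (residual life), and the Pollaczek-Khinchine mean waiting time of an M/G/1 queue, λE[S^2]/(2(1-λE[S])). For the closed hash the service-time moments are taken from the residual life of a length-biased chain, E[S] = E[C^2]/(2E[C]) and E[S^2] = E[C^3]/(3E[C]), which is my reading of the slide's E[S] ~ E[C^2], E[S^2] ~ E[C^3]. Table size, baseline load, budget and arrival rate are constructed values; the 48% figure on the slide is not reproduced, the block reports the stable-load fraction for its own parameters.

```python
import random
from typing import Dict, List, Tuple


def chain_lengths(m: int, baseline: int, k: int, same_bucket: bool, seed: int = 7) -> List[int]:
    """Chain lengths of an m-bucket table after k insertions on top of `baseline` elements per bucket.
    same_bucket=True is the InsStrategy (all k keys hash to bucket 0); otherwise keys spread uniformly."""
    rng = random.Random(seed)
    C = [baseline] * m
    if same_bucket:
        C[0] += k
    else:
        for _ in range(k):
            C[rng.randrange(m)] += 1
    return C


def moment(C: List[int], p: int) -> float:
    """E[C^p] for a uniformly chosen bucket."""
    return sum(c ** p for c in C) / len(C)


def access_cost(C: List[int], kind: str) -> float:
    """Slide 26: open hash pays the mean chain length, closed hash the residual life of the chain."""
    e1, e2 = moment(C, 1), moment(C, 2)
    return e1 if kind == "open" else e2 / (2 * e1)


def service_moments(C: List[int], kind: str) -> Tuple[float, float]:
    """(E[S], E[S^2]) with S proportional to the chain a request has to walk.
    Open: a random bucket, so S ~ C. Closed: the residual life of a length-biased chain,
    giving E[S] = E[C^2]/(2E[C]) and E[S^2] = E[C^3]/(3E[C]) (assumed reading of slide 30)."""
    if kind == "open":
        return moment(C, 1), moment(C, 2)
    e1 = moment(C, 1)
    return moment(C, 2) / (2 * e1), moment(C, 3) / (3 * e1)


def mg1_waiting_time(C: List[int], kind: str, lam: float) -> float:
    """Pollaczek-Khinchine mean waiting time W = lam*E[S^2] / (2*(1 - lam*E[S])); inf when unstable."""
    es, es2 = service_moments(C, kind)
    rho = lam * es
    return float("inf") if rho >= 1 else lam * es2 / (2 * (1 - rho))


def vulnerability(base: float, regular: float, malicious: float) -> float:
    """Slide 17 at a fixed budget: degradation caused by the malicious user over that of a regular user."""
    denom = regular - base
    return float("inf") if denom == 0 else (malicious - base) / denom


def post_attack_analysis(m: int = 1000, baseline: int = 1, k: int = 100,
                         lam: float = 0.1, seed: int = 7) -> Dict[str, dict]:
    """Constructed scenario: m buckets holding one element each, budget k, arrival rate lam."""
    base = [baseline] * m
    reg = chain_lengths(m, baseline, k, same_bucket=False, seed=seed)
    mal = chain_lengths(m, baseline, k, same_bucket=True, seed=seed)
    out: Dict[str, dict] = {}
    for kind in ("open", "closed"):
        a0, a1, a2 = (access_cost(C, kind) for C in (base, reg, mal))
        w0, w1, w2 = (mg1_waiting_time(C, kind, lam) for C in (base, reg, mal))
        out[kind] = {
            "access_cost": {"base": a0, "regular": a1, "malicious": a2, "V": vulnerability(a0, a1, a2)},
            "waiting_time": {"base": w0, "regular": w1, "malicious": w2, "V": vulnerability(w0, w1, w2)},
            # largest arrival rate, as a fraction of the pre-attack capacity 1/E[S], still stable after the attack
            "stable_load_after_attack": service_moments(base, kind)[0] / service_moments(mal, kind)[0],
        }
    return out


if __name__ == "__main__":
    for kind, r in post_attack_analysis().items():
        print(kind, "access V =", round(r["access_cost"]["V"], 1),
              "waiting V =", round(r["waiting_time"]["V"], 1),
              "stable load after attack =", round(r["stable_load_after_attack"], 3))
```

The numbers reproduce the slides' qualitative story: the open hash's mean access cost depends only on how many elements were added, so its vulnerability for that metric is exactly 1, while the closed hash's residual-life cost is driven by E[C^2] and the single long cluster dominates it. Once queueing is added the open hash becomes vulnerable too, because E[S^2] now carries the long chain, and the closed hash, whose service moments grow with E[C^2] and E[C^3], loses most of its stable load.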
31
Conclusions
HASH: normal performance: Closed Hash = Open Hash; under attack: Closed Hash >> Open Hash
Malicious performance: performance evaluation needs to account for attacks; the vulnerability metric can be used for this.
32
Questions?