botz-4-sale: surviving organized ddos attacks that mimic flash crowds

Post on 22-Jan-2016


Botz-4-Sale: Surviving Organized DDoS Attacks That Mimic Flash Crowds

Srikanth Kandula, Dina Katabi, Matthias Jacob, and Arthur Berger

Awarded Best Student Paper! (NSDI-2005)

Defense by Manan Sanghi

Flash Crowd

DDOS

Botz-4-Sale (slide animation, one frame per line)
- request
- Reverse Turing test
- Solution
- Welcome! HTTP cookie: allows at most 8 simultaneous connections, valid for 30 minutes
- request
- Reverse Turing test
- request
- System is Busy, either solve puzzle or try later
- request
- Reverse Turing test
- request
- System is Busy, either solve puzzle or try later
- Request Request Request …

Kill-Bots Overview

Graphical puzzles served during Stage 1
Example: normal load 40%, K1=70%, K2=50%
Time out (5 minutes) unauthenticated users

Two stages in Suspected Attack Mode
Stage 1: CAPTCHA based Authentication
- No state maintenance before authentication
- HTTP cookie
- Cryptographic support
Stage 2: Authenticating users who do not answer CAPTCHA
- No more reverse Turing tests
- Bloom filters to filter out over-zealous zombies

Resource Allocation and Admission Control
- Tradeoff: authenticate new clients vs. serve already authenticated clients
- Adaptive Admission Control
- Cute queuing theory type analysis

Security Analysis
- Socially-engineered attacks
- Copy attacks: including the IP address in the one-way hash does not deal well with proxies and mobile users
- Replay attacks: time information in the cookie hash
- DoS attacks on the authentication mechanism: no connection state for unauthenticated clients
- In-kernel HTTP header processing: HTTP headers not parsed; pattern match arguments to GET and Cookie fields; cost: less than 8 s
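The stage-1 cookie and the stage-2 Bloom filter described above, as an added Python sketch written for this page (not the Kill-Bots kernel code): the 30-minute lifetime comes from the slides, while the HMAC layout, hex encoding and the 32-unanswered-puzzle threshold are assumptions.

```python
import hashlib
import hmac
import os
import struct

# The 30-minute lifetime is from the slides; the MAC layout, hex encoding and the
# zombie threshold are this example's own assumptions, not the paper's code.
COOKIE_LIFETIME = 30 * 60
ZOMBIE_THRESHOLD = 32        # unanswered puzzles before an IP is dropped (assumed)
SERVER_KEY = os.urandom(32)  # server secret; never leaves the server

def issue_cookie(client_ip, now, key=SERVER_KEY):
    """Issued after a solved puzzle: MAC over (IP, issue time, nonce); no server state."""
    body = struct.pack("!I4s", int(now), os.urandom(4))
    tag = hmac.new(key, client_ip.encode() + body, hashlib.sha256).digest()[:16]
    return (body + tag).hex()

def check_cookie(cookie, client_ip, now, key=SERVER_KEY):
    """Stateless check: the MAC must match this IP (defeats copy attacks, at the cost of
    proxies and mobile users) and the issue time bounds replay to the 30-minute window."""
    try:
        raw = bytes.fromhex(cookie)
    except ValueError:
        return False
    if len(raw) != 24:
        return False
    body, tag = raw[:8], raw[8:]
    want = hmac.new(key, client_ip.encode() + body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, want):
        return False
    (issued,) = struct.unpack("!I", body[:4])
    return 0 <= now - issued <= COOKIE_LIFETIME

class ZombieFilter:
    """Counting Bloom filter over client IPs: tracks puzzles served but never answered,
    so stage 2 can drop over-zealous zombies without a per-client table."""
    def __init__(self, size=1 << 16, k=3):
        self.counts, self.k = [0] * size, k
    def _slots(self, ip):
        for i in range(self.k):
            h = hashlib.sha256(bytes([i]) + ip.encode()).digest()
            yield int.from_bytes(h[:4], "big") % len(self.counts)
    def puzzle_served(self, ip):    # a puzzle went out to this IP, no answer yet
        for s in self._slots(ip):
            self.counts[s] += 1
    def puzzle_answered(self, ip):  # the puzzle was answered, so undo the count
        for s in self._slots(ip):
            self.counts[s] = max(0, self.counts[s] - 1)
    def is_zombie(self, ip):
        return min(self.counts[s] for s in self._slots(ip)) >= ZOMBIE_THRESHOLD
```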

System Architecture

Evaluation – Experimental Setup

Evaluation

Evaluation – Microbenchmarks

Evaluation – CyberSlam attacks

Evaluation – Flash Crowds

On Admission Control
- Authentication is not sufficient
- Good performance requires admission control

Threat Model
- Bandwidth floods, DNS entries, routing entries not considered
- Attacker cannot sniff legitimate users’ packets
- Attacker cannot access server’s local network
- Zombies are not as smart as humans
- Attacker does not have a large number of humans aiding his evil plans
