Upload
trinhkiet
View
217
Download
0
Embed Size (px)
Citation preview
http://www.cs.bu.edu/groups/wing
Exploiting the Transients of Adaptation for RoQ Attacks on Internet Resources
Ibrahim Matta
Joint work with
Mina Guirguis & Azer Bestavros
Computer Science DepartmentBoston University
Old Dominion UniversityNovember 9, 2004
http://www.cs.bu.edu/groups/wing
RoQ & RoLAdversarial Exploits of System Adaptation
Ibrahim Matta
Joint work with
Mina Guirguis & Azer Bestavros
Computer Science DepartmentBoston University
Old Dominion UniversityNovember 9, 2004
2004.11.08 RoQ Attacks @ ODU 3
Denial of Service (DoS) Attacks
How: Subject a service to a load that exceeds its capacity!
Goal: Make resource unavailable to legitimate users…
2004.11.08 RoQ Attacks @ ODU 4
Denial of Service Attacks
Most Recent Example: Attack on SCO’sWeb site on 2/2/04 courtesy of MyDoom
A nuisance? Freedom of Expression?Act of Patriotism?How about $26.1B of lost productivity!!!
2004.11.08 RoQ Attacks @ ODU 5
DoS: The Good News
Takes lots of resources to mount such an attack
Attack can be anticipated. There is a Red Sox Game; stay home ☺
Easy to determine that a resource is under attack
When was the last time you saw elephants crossing the BU Bridge? ☺
Theoretically can trace back perpetratorsIf nothing else, getting a ticket is a deterrent—maybe ☺
2004.11.08 RoQ Attacks @ ODU 6
What If…
It does not take a lot of resources to mount such an attack
Attack cannot be anticipated; it’s just another gridlock on the BU Bridge ☺
It is hard to determine that a resource is under an attack
All you see on the gridlocked bridge are average beaten up student cars ☺
It is hard to trace back perpetratorsAttack goal is “Reduction of Quality & Reduction of Liability” RoQ & RoL ☺
2004.11.08 RoQ Attacks @ ODU 7
Say Welcome to RoQ Attacks
Goal: “Bleed” the system of its capacity by forcing it to operate in its most inefficient region—with minimal exposure
How: “Exploit” built-in load adaptation mechanisms to make the system perpetually operate in a transient state—unstable
Hint: Make other drivers brake when they should accelerate and accelerate when they should brake. Just be a Boston driver ☺
2004.11.08 RoQ Attacks @ ODU 8
Adversarial Exploits of Adaptation
Adaptation mechanisms are built under an assumption of a non-adversarial load
Examples: random traffic patterns, random arrival processes, etc.
Questions:What load patterns would be most virulent to a given adaptation scheme?How much adversarial load would it take to make adaptation harmful?…
2004.11.08 RoQ Attacks @ ODU 9
RoQ Attack: Definition
RoQ Attacks maximize the marginal utility of attack traffic Potency
Many Possible Instantiations Damage = Rejected requests, response time, wasted BWCost = Injected requests, # of attackers, attack BWAggressiveness = Tolerance to exposure
Large Omega Largest level of aggressionSmall Omega Minimal exposure
2004.11.08 RoQ Attacks @ ODU 10
Adversarial Exploits of Adaptation
We considered two examples of RoQ:Congestion Control in NetworksAdmission Control for Web Servers
Many other vulnerabilities existDynamic routing (e.g., BGP)Power conservation in sensor networksLoad balancing in CDNs
Hard to find systems that would be safe!
2004.11.08 RoQ Attacks @ ODU 11
Network Adaptation: Part I
A packet loss = congestion signalAIMD Control
No packet lossincrease sending rate linearly
Packet lossdecrease sending rate exponentially
TimeoutNothing is going through
shut off for exponentially longer periods of time
2004.11.08 RoQ Attacks @ ODU 12
Network Adaptation: Part II
What generates a loss?No space in router queue (a.k.a. DropTail)Drop packet if queue builds up (a.k.a. RED)
RED as example of Active Queue MgmtTries to avoid “herding behavior” by randomizing packet losses across flows and by relating loss probability to queue length
2004.11.08 RoQ Attacks @ ODU 13
Premise of a RoQ & RoL Attack
1. RoQ: Attacker sends packets at high rate—enough to cause lots of flows to slow down exponentially fast (e.g., by halving their sending rate)
2. RoL: Attacker shuts off
3. Resource will be underutilized until flows “rev-up” their sending rate, which is a slow linear process by design
4. Go back to 1…
2004.11.08 RoQ Attacks @ ODU 14
A simple “square wave”
Values of δ, τ, and T will depend on setting—stay tuned…
Attack Pattern
tT » ττ
y(t)δ
2004.11.08 RoQ Attacks @ ODU 15
Modeled as a set of differential equations for a set of m flows, each subject to a feedback control loop
Network Adaptation: RED+TCP
2004.11.08 RoQ Attacks @ ODU 16
Network Adaptation: Router
Instantaneous buffer size
S RC
b(t)
αiDi
xi(t)
2004.11.08 RoQ Attacks @ ODU 19
Link price functions reflect prices fed back to sources as the load on the links varies
Convergence and stability can be proved through Lyapunov function [K99]
Network Model + RoQ Exploits
Load/Demand
Pric
e
CapacitySources’ algorithms iterate over rates
Links’ algorithms iterate over prices
2004.11.08 RoQ Attacks @ ODU 20
RoQ attacks will hinder convergence
Can destroy the “contractive mapping” of the pricing function
Network Model + RoQ Exploits
Load/Demand
Pric
e
Capacity
Without attack
During attack
2004.11.08 RoQ Attacks @ ODU 21
Network Adaptation: RED+TCP
Model can be instantiated and numerical results obtained
Attack Starts Here Attack Period
2004.11.08 RoQ Attacks @ ODU 25
“Really”, How Bad Is It?
Can This Really Happen? It Did…
Attack Sink Attack Source
2004.11.08 RoQ Attacks @ ODU 27
Implementation Results
Long RTT = 120 msecHarder to time-out [shrew]
Short RTT = 15 mec
Shrew Attack [KK03]8.08 Mbps -> 1.25 Mbps
with 1.58 P = 4.3
2004.11.08 RoQ Attacks @ ODU 28
Long RTT = 120 msecHarder to time-out [shrew]
Short RTT = 15 mec
Implementation Results
Shrew Attack [KK03]8.08 Mbps -> 1.25 Mbps
with 1.58 P = 4.3
RoQ Attack8.08 Mbps -> 3.6 Mbps
with 0.37P = 12
2004.11.08 RoQ Attacks @ ODU 29
It is even scarier…
Could be mounted as a distributed RoQUsing zombie sources in round-robin fashion
Trace-back is that much harder than traditional DDoS due to:
Spoofing source addressesAttack sink does not even have to exist!
Any source!Any source! Any Destination!
Any Destination!
Victim Link
2004.11.08 RoQ Attacks @ ODU 31
Tuning Attack Parameters
Can be done using an on-line controller
tτ
y(t)δ
T
Tδτ =5
δm=20
δδτ =5
Pote
ncy
2004.11.08 RoQ Attacks @ ODU 32
Adversarial Exploits of Adaptation
We considered two examples of RoQ:Congestion Control in Networks
Good News: Hard to achieve high Potency on high bandwidth/high multiplexed linkBad News: Attacker can still achieve high Potency on a “subset of flows”, especially long RTT flows
Admission Control for Web Servers
Many other vulnerabilities existDynamic routing (e.g., BGP)Power conservation in sensor networksLoad balancing in CDNs
Hard to find systems that would be safe!
2004.11.08 RoQ Attacks @ ODU 33
Admission Control
A “Gate” used to protect from overloadAdmit (cross the bridge ☺)Reject (into the river )Postpone
2004.11.08 RoQ Attacks @ ODU 34
Admission Control Adaptation
Admission ControllerWhat percentage of requests should be admitted?Calculated based on the deviation between the server’s state and a target valuePI Controller, AIMD Controller, etc…
Feedback MonitorMeasures the server’s state and report it back to the ControllerFeedback delay
2004.11.08 RoQ Attacks @ ODU 36
Admission Control: Model
Controller: Proportional Integrative (PI)
GateError Signal
2004.11.08 RoQ Attacks @ ODU 37
Server: Model
Pending requests
Load/Utilization Utilization/Service Rate
Thrashing Index
2004.11.08 RoQ Attacks @ ODU 38
RoQ Attack Premise
1. RoQ: Attacker sends requests at high rate in a very small period of time, enough to push the server into overload
2. RoL: Attacker shuts off
3. Admission control will shut off subsequent legitimate requests. Since the system is thrashing, recovery will take a longer time
4. Go back to 1…
2004.11.08 RoQ Attacks @ ODU 40
Model can be instantiated and solved
Large potencies possible “theoretically”
Admission Control Adaptation
2004.11.08 RoQ Attacks @ ODU 41
Implementation Setup
Server: MinihttpdAdmission ControlForks a cgi script
Access 1MB~ 20 msec
Clients: Httperf
UtilizationMemory utilization = Used / Total
2004.11.08 RoQ Attacks @ ODU 42
Implementation Results
Attack Start at 120 (, 740, …) with 800 requests; system recovers only
at time 500 (, 1120, …)
Potency depends on controller settings (e.g., gain) and other system
characteristics
2004.11.08 RoQ Attacks @ ODU 43
Implementation Results
Effect of Feedback DelayReal DelayAveraging (EWMA)
LimitationsLinux alleviates thrashing: It kills threads making collecting of data real hardOnly able to cause moderate thrashingLimitation on number of open connections generated by HttperfOnly used 4 machines
2004.11.08 RoQ Attacks @ ODU 44
Take Home Messages
RoQ Attacks Exploit Dynamics: It is NOT capitalizing on a static property of a protocol—unlike the “shrew” attack which causes perpetual timeouts
RoQ Attacks Trade off Damage and Cost:It is NOT aiming to take a resource down at any cost, but rather it is aiming to get the maximum damage per attack byte
2004.11.08 RoQ Attacks @ ODU 45
Food For Thought…
More elaborate attacksComplex attack patterns
Are there fundamental tradeoffs?RoQ tolerance versus utilization/delay/fairness
Other adaptation susceptibilitiesLoad balancers, routing algorithms, sensor nets
CountermeasuresRandomized adaptationIntrusion DetectionTraceback
http://www.cs.bu.edu/groups/wing
Exploiting the Transients of Adaptation for RoQ Attacks on Internet Resources
More information available from WING Publicationshttp://www.cs.bu.edu/groups/wing
Mina Guirguis, Azer Bestavros, and Ibrahim Matta. Exploiting the Transients of Adaptation for RoQ Attacks on Internet Resources. In IEEE ICNP 2004: Proceedings of the 12th IEEE International Conference on Network Protocols, Berlin, Germany, October 2004.
Mina Guirguis, Azer Bestavros, Ibrahim Matta, and Yuting Zhang. Reduction of Quality (RoQ) Attacks on Internet End-Systems. To appear in IEEE INFOCOM 2005.