A Taxonomy for Denial of Service Attacks in Content-based Publish/Subscribe Systems
Alex Wun, Alex Cheung, Hans-Arno Jacobsen
Department of Electrical and Computer Engineering and Department of Computer Science, University of Toronto
Middleware Systems Research Group (PowerPoint presentation transcript)
Current State of Denial of Service
Prominent DoS news in 2007:
• 6 of 13 root DNS servers attacked [ICANN2007]
• DC++ P2P networks used in attacks [DCPP2007]
• Estonian sites: government, bank, police [Yahoo2007]
• Plenty more …
DoS problems are not going away
Research Goals
• Stimulate discussion about DoS in CPS
• Avoid repeating old DoS weaknesses (e.g., IPv6 source routing)
• Identify new DoS concerns: Will DoS attacks in CPS systems be any different? What are the prominent issues? How can potential DoS attacks be classified?
Our Contributions
• Study the impact of CPS features on DoS effects: distributed event delivery, content-based processing overhead, state maintenance
• Classify potential DoS attack characteristics
• Identify CPS concepts with DoS implications
Messaging Middleware
[Figure: publishers (P) and subscribers (S) such as enterprise servers, embedded devices and sensor networks, connected through a network of content-based publish/subscribe brokers (A, B, C).]
DoS Taxonomy
Message Propagation Effects
• Multi-hop routing
• Localization
• Transmission
Propagation classes:
Localized: Non-matching message injection; Malicious unsubscribe; Edge broker access control; Local clients; Co-operative detection not helpful; Effects may still be distributed
Single-Hop: Broker multicast; Per-hop security schemes; Client location
Multi-Hop: Matching message injection; Rendezvous routing; Remote clients; Transmitting DoS effects remotely
Global: Flooding; Global client interest; May span organizations
State Management Effects
• Assumptions on message type distribution
• Cumulative effects
Statefulness classes:
Stateless: Recovery through normal processing; Unretained publication injections; Connection attempts [chart: effects vs. time; attack stops]
Stateful: Effects continue due to state change; Malicious unsubscriptions; Subscription injections; Publications retained for CEP [chart: effects vs. time; attack stops]
Soft-state: Recovery through normal maintenance; Expiry mechanisms; Periodic optimizations [chart: effects vs. time; attack stops; periodic cleanup]
Persistent: Recovered state causes DoS; DB-based fault-tolerance; Historic data; Configuration corruptions [chart: effects vs. time; load from persistent storage]
Content-based Processing Effects
[Chart: DoS effect (load, number of victims, number of targets, downtime) against content complexity, from low to high.]
• Performance variability highly dependent on workload complexity: response times, system recovery
Content-dependence classes:
Independent: Severity of DoS effects is the same regardless of content complexity; ID-based filter removal
Proportional: Higher complexity content produces more severe DoS effects; Inducing matching load
Inversely proportional: Lower complexity content produces more severe DoS effects; Filter-based filter removal
Techniques - Thrashing
• DoS from processing repeated state changes
• Subscription cover thrashing example:
  • Many non-covering subscriptions exist from other client(s)
  • Adversary issues a covering subscription (triggers removal)
  • Adversary removes the covering subscription (triggers restoration)
  • Repeat …
Techniques - Stockpiling
• Store malicious state for use in future attack(s)
• Can be low rate to avoid detection
• Subscription flood example: stockpile subscription state, then issue an advertisement to attract subscriptions
Techniques - Traffic Amplification
• Malicious traffic of adversary multiplied
• Known to be a problem in the traditional Internet: Smurf attack; Source routing; Reflection (connection retries)
• Fundamental to many CPS features? Highly generic subscriptions and advertisements; Uncovering and unmerging; Historic data; Filter versus ID state removal
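As an added, constructed model (not from the slides) tying together the subscription cover thrashing example, the inverse content-dependence of filter-based filter removal, and the amplification factor of filter versus ID state removal: a single broker that applies subscription covering and counts the upstream subscribe/unsubscribe messages one client's churn forces. The range-filter shape, the `grace` hysteresis knob and `thrash_cost` are assumptions of this example, not mechanisms the slides describe.

```python
from itertools import count

def covers(a, b):
    """True if every event matching range filter b also matches filter a."""
    return all(k in b and a[k][0] <= b[k][0] and b[k][1] <= a[k][1] for k in a)

class Broker:
    """One broker: forwards upstream only subscriptions that no other (mature)
    subscription covers, counting every upstream subscribe/unsubscribe it sends."""
    def __init__(self, grace=0):
        self.subs, self.age = {}, {}  # id -> filter, id -> maintenance ticks survived
        self.forwarded, self.upstream_msgs = set(), 0
        self.grace, self.ids = grace, count()  # grace: ticks before a cover may prune

    def _covered(self, s):
        """True if a different mature subscription covers s (lower id wins a tie)."""
        return any(f != s and self.age[f] >= self.grace and covers(self.subs[f], self.subs[s])
                   and (not covers(self.subs[s], self.subs[f]) or f < s) for f in self.subs)

    def _refresh(self):
        want = {s for s in self.subs if not self._covered(s)}
        self.upstream_msgs += len(want ^ self.forwarded)  # one message per change
        self.forwarded = want

    def subscribe(self, flt):
        sid = next(self.ids)
        self.subs[sid], self.age[sid] = flt, 0
        self._refresh()
        return sid

    def unsubscribe(self, sid):
        del self.subs[sid], self.age[sid]
        self._refresh()

    def tick(self):  # periodic maintenance: ages subscriptions so covers may prune
        for s in self.age:
            self.age[s] += 1
        self._refresh()

def thrash_cost(covering, cycles=10, grace=0, victims=20):
    """Upstream messages caused by `cycles` rounds of subscribing and at once removing
    `covering`, while `victims` constructed clients hold disjoint, non-covering filters."""
    b = Broker(grace)
    for i in range(victims):
        b.subscribe({"price": (i, i + 1), "symbol": (i, i)})
    b.tick()
    base = b.upstream_msgs
    for _ in range(cycles):
        b.unsubscribe(b.subscribe(covering))
    return b.upstream_msgs - base
```

With grace=0 each round of the generic filter {"price": (0, 20)} costs 2 × 20 + 2 upstream messages, the more specific filter {"price": (0, 20), "symbol": (0, 4)} costs 2 × 5 + 2, and grace=1 reduces either to 2 because a cover that never survives a maintenance tick never prunes anything.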
Related Work
• Mirkovic and Reiher [Mirkovic2004]: DDoS taxonomy in the traditional Internet domain
• Srivatsa and Liu [Srivatsa2005]: Authentication to limit flooding-based DoS
• Wang et al. [Wang2002]: Discussed DoS briefly along with other security concerns
Conclusion
• CPS characteristics with DoS implications: message propagation (remote attacks); content complexity (highly variable performance); state maintenance (assumptions on message type distribution)
• Abusing features for DoS: stockpiling; traffic amplification; filter removal (thrashing, victims)
References
[ICANN2007] http://icann.org/announcements/factsheet-dns-attack-08mar07_v1.1.pdf
[DCPP2007] http://dcpp.wordpress.com/2007/05/22/denying-distributed-attacks/
[Yahoo2007] http://fe48.news.sp1.yahoo.com/s/infoworld/20070517/tc_infoworld/88610
[Mirkovic2004] A Taxonomy of DDoS Attack and DDoS Defense Mechanisms, ACM SIGCOMM
[Srivatsa2005] Securing Publish-Subscribe Overlay Services with EventGuard, ACM Conference on Computer and Communications Security
[Wang2002] Security Issues and Requirements for Internet-Scale Publish-Subscribe Systems, Hawaii International Conference on System Sciences
Extra Slides
Messaging Middleware
[Figure: the content-based publish/subscribe overview (publishers and subscribers such as enterprise servers, embedded devices and sensor networks, connected through a broker network) annotated with the three features studied: distributed broker federations, subscription state management, content-based processing.]