Sustaining Availability of Web Services under Distributed Denial of Service Attacks
Jun Xu, Member, IEEE, and Wooyong Lee (Georgia Institute of Technology, Atlanta, GA)
Presented by Oleg Rekutin
April 22, 2023 | Sustaining Availability of Web Services under DDoS | 2
Overview
• Web defense focus
• Two stages of defense
• Game theory proof
• Measurements
Overview
2-Step Protection
Game Theory
Simulation
Conclusion
System Model
Normal Flow
• Connect to victim.com:80
  – Receive an HTTP redirect to an IP:port pair: 123.34.56.[MAC]:[MAC]
  – MAC based on source IP
  – Randomly drop SYN packets under attack
• Connect to 123.34.56.[MAC]:[MAC]
  – From correct source IP: normal HTTP browsing occurs
  – From incorrect source IP: drop packets
System Model
• Public IP
• Pseudo-IP set
First Redirect Protection
• Use SYN cookie in TCP seqnum
• Extend cookie to all redirect packets
• Sequence number layout: MAC xor source port (22 bits) | 0000000000 (10 bits)
  – The 10 zero bits fit the first redirect packets: their acknowledgements still carry the MAC in the high 22 bits
Spoofed IP Protection (client to server exchange)
• SYN: src srcIP:port, dst victim:80
• SYN-ACK: dst srcIP, seqno carries MAC:0000
• ACK: src srcIP:port, dst victim:80, ackno MAC:0001
• HTTP redirect uses the MAC numbers: src srcIP:port, dst victim:80
Pseudo-IP MAC
• IP address: subnet belonging to web site (28 bits) | MAC (4 bits)
• Port: Is MAC? (1 bit) | Is SSL? (1 bit) | MAC (14 bits)
• MAC = MAC(srcIP, key)
• Replay attack
  – Change key based on timestamp in header
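The two stages described on the First Redirect Protection, Spoofed IP Protection and Pseudo-IP MAC slides, as an added worked example (not code from the paper or the presenter). Assumptions made here: the site owns a /28 (so 28 prefix bits plus 4 MAC bits), HMAC-SHA256 stands in for the paper's unspecified MAC, keys rotate on a 60-second window and the verifier also accepts the previous window, and the bit layouts are exactly the ones on the slides (22-bit cookie over 10 zero bits; 1 is-MAC bit, 1 is-SSL bit, 14 MAC bits in the port).

```python
import hashlib
import hmac
import ipaddress
import struct

# Assumed parameters (not from the slides): the site owns a /28, keys rotate
# every 60 s, and HMAC-SHA256 stands in for the paper's unspecified MAC.
SITE_SUBNET = ipaddress.ip_network("203.0.113.0/28")  # 28-bit site prefix, 4 MAC bits
KEY_WINDOW_SECONDS = 60
MASTER_KEY = b"demo-master-key"  # constructed; a deployment uses a random secret


def window_key(now: int, back: int = 0) -> bytes:
    """Per-window key derived from the timestamp, so a captured redirect can
    only be replayed while its window (or the one just before it) is current."""
    window = now // KEY_WINDOW_SECONDS - back
    return hmac.new(MASTER_KEY, struct.pack(">Q", window), hashlib.sha256).digest()


def mac_of(src_ip: str, key: bytes, nbits: int) -> int:
    """MAC(srcIP, key) truncated to its top nbits bits."""
    digest = hmac.new(key, ipaddress.ip_address(src_ip).packed, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - nbits)


# --- Stage 1: SYN cookie on the public address (victim:80) ---------------

def cookie_seqno(src_ip: str, src_port: int, now: int) -> int:
    """Initial sequence number: (MAC xor source port) in the high 22 bits,
    ten zero bits below, as on the First Redirect Protection slide."""
    return ((mac_of(src_ip, window_key(now), 22) ^ src_port) & 0x3FFFFF) << 10


def cookie_ack_ok(src_ip: str, src_port: int, ackno: int, now: int) -> bool:
    """Check the client's ACK. Because the low 10 bits started at zero, the
    ackno for the SYN-ACK (+1) and for up to 1023 bytes of redirect data still
    has the MAC in its high 22 bits, so nothing is stored per connection."""
    expected = {
        (mac_of(src_ip, window_key(now, back), 22) ^ src_port) & 0x3FFFFF
        for back in (0, 1)
    }
    return ((ackno >> 10) & 0x3FFFFF) in expected


# --- Stage 2: pseudo-IP and port handed out in the HTTP redirect ---------

def pseudo_endpoint(src_ip: str, now: int, ssl: bool = False):
    """Address = site prefix (28 bits) + 4 MAC bits;
    port = is-MAC flag (1 bit) + is-SSL flag (1 bit) + 14 MAC bits."""
    mac18 = mac_of(src_ip, window_key(now), 18)
    addr = SITE_SUBNET.network_address + (mac18 >> 14)
    port = (1 << 15) | (int(ssl) << 14) | (mac18 & 0x3FFF)
    return str(addr), port


def pseudo_endpoint_ok(src_ip: str, dst_ip: str, dst_port: int, now: int) -> bool:
    """Server-side check on every packet to the pseudo-IP set: only a packet
    whose source IP reproduces the 18 MAC bits gets privileged service."""
    if not dst_port & 0x8000:
        return False  # is-MAC flag clear: not a redirected connection
    dst = ipaddress.ip_address(dst_ip)
    if dst not in SITE_SUBNET:
        return False
    offered = ((int(dst) & 0xF) << 14) | (dst_port & 0x3FFF)
    return any(mac_of(src_ip, window_key(now, back), 18) == offered for back in (0, 1))


if __name__ == "__main__":
    now = 1_000_000
    seq = cookie_seqno("198.51.100.7", 40000, now)
    print("SYN-ACK seqno 0x%08x, ACK ok: %s" % (seq, cookie_ack_ok("198.51.100.7", 40000, seq + 1, now)))
    addr, port = pseudo_endpoint("198.51.100.7", now)
    print("redirect to %s:%d" % (addr, port))
    print("genuine source:", pseudo_endpoint_ok("198.51.100.7", addr, port, now))
    print("spoofed source:", pseudo_endpoint_ok("198.51.100.8", addr, port, now))
```

The server keeps no per-client state in either stage: the cookie and the pseudo-endpoint are both recomputed from the packet's source address and the current window key, which is what lets the public port shed spoofed SYNs cheaply while the pseudo-IP set only serves sources that can complete the handshake.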
Rate Limiting
• Fair bandwidth for all legit IP users
  – Uses Deficit Round Robin
  – Complexity O(1)
  – Tight fairness
• Detect attackers
• Regular users class: fair share
• Attacking users class: much smaller share (1/10th)
Detecting Attackers: Flooding
• DRR drops packets
  – Count them per flow
• If # of dropped packets > threshold H
  – Attacker that does not obey TCP congestion control
• What if many attackers use their fair share?
Detecting Attackers: Loitering
• Regular transactions: 100s to 1000s of packets
• Q: maximum legit packet quota
  – Low probability of a legit transaction using more than Q packets
• If a client uses more than Q packets, it is an attacker

Site         Action                                       Packets sent
cnn.com      read 3 pieces of headline news               1387
delta.com    search, reserve & purchase a ticket          513
etrade.com   look up 5 stock quotes & account balance     523
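The Rate Limiting, Flooding and Loitering slides together, as an added example (not the paper's or the presenter's code): a Deficit Round Robin scheduler over per-source flows that counts drops per flow, demotes a flow to a tenth of the quantum once its drops exceed H or its packet count exceeds Q, and is driven by a constructed offered load. The simulation's Q of 3000 packets is from the slides; the quantum, queue limit, H = 20, the three flows and their per-round offered packets are assumptions made here.

```python
from collections import deque


class DrrLimiter:
    """Deficit Round Robin over per-source flows with attacker detection.
    Regular flows get the full quantum; flagged flows get quantum/10."""

    def __init__(self, quantum=10, queue_limit=8, drop_threshold_h=20,
                 loiter_quota_q=3000, attacker_divisor=10):
        self.quantum = quantum
        self.queue_limit = queue_limit
        self.h = drop_threshold_h          # flooding threshold H (assumed value)
        self.q = loiter_quota_q            # loitering quota Q (3000 on the slides)
        self.attacker_divisor = attacker_divisor
        self.queues = {}                   # flow -> deque of packet sizes
        self.deficit = {}                  # flow -> deficit counter
        self.dropped = {}                  # flow -> packets dropped (queue full)
        self.sent = {}                     # flow -> packets sent in its lifetime
        self.reasons = {}                  # flow -> why it was flagged
        self.active = deque()              # round-robin list of backlogged flows

    def _flag(self, flow, reason):
        self.reasons.setdefault(flow, reason)

    def enqueue(self, flow, size=1):
        queue = self.queues.setdefault(flow, deque())
        for table in (self.deficit, self.dropped, self.sent):
            table.setdefault(flow, 0)
        if len(queue) >= self.queue_limit:
            # Flooding: a TCP-conformant sender backs off after loss, so a
            # flow that keeps overflowing its queue accumulates drops.
            self.dropped[flow] += 1
            if self.dropped[flow] > self.h:
                self._flag(flow, "flooding")
            return False
        if not queue:
            self.active.append(flow)
        queue.append(size)
        return True

    def quantum_for(self, flow):
        if flow in self.reasons:
            return max(1, self.quantum // self.attacker_divisor)
        return self.quantum

    def service_round(self):
        """One DRR round; returns the (flow, size) packets put on the wire."""
        out = []
        for _ in range(len(self.active)):
            flow = self.active.popleft()
            queue = self.queues[flow]
            self.deficit[flow] += self.quantum_for(flow)
            while queue and queue[0] <= self.deficit[flow]:
                size = queue.popleft()
                self.deficit[flow] -= size
                self.sent[flow] += 1
                out.append((flow, size))
                if self.sent[flow] > self.q:      # loitering: past the legit quota
                    self._flag(flow, "loitering")
            if queue:
                self.active.append(flow)
            else:
                self.deficit[flow] = 0            # idle flows bank no credit
        return out


def simulate(rounds=400):
    """Constructed load: a browser, a flooder ignoring loss, and a loiterer
    that never ends its session. Returns per-flow statistics."""
    sched = DrrLimiter(quantum=10, queue_limit=8, drop_threshold_h=20, loiter_quota_q=3000)
    offered = {"alice": 5, "flooder": 40, "loiterer": 8}   # packets offered per round
    last_round = {}
    for _ in range(rounds):
        for flow, count in offered.items():
            for _ in range(count):
                sched.enqueue(flow)
        sent_now = {}
        for flow, _size in sched.service_round():
            sent_now[flow] = sent_now.get(flow, 0) + 1
        last_round = sent_now
    return {
        "attackers": dict(sched.reasons),
        "sent": dict(sched.sent),
        "dropped": dict(sched.dropped),
        "last_round": last_round,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

The flooder is flagged in the first round (its drop count passes H while its 40 offered packets hit an 8-packet queue) and from then on gets one packet per round; the loiterer behaves within its share for hundreds of rounds and is only caught when its lifetime count passes Q, which is the case the flooding rule alone cannot see.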
Game Theory
• Model effectiveness
• Guide design
• Minmax utility
  – Performance of the system under all possible attacks
• Minmax sound: maximizes minmax utility
Guide Design
• Most effective strategies for adversary:
  – TCP SYN flood using spoofed IPs (unprivileged traffic)
  – Many attackers consume fair share with legit IPs (privileged traffic)
• Not effective:
  – Frame innocent IPs
  – Flood with legitimate IP
Predict Performance
• System utility function
  – (# new clients per second) * (average satisfaction of each client)
• X: # of attackers sending unprivileged traffic
• Z: # of attackers sending privileged traffic
• Y: bandwidth allocated to unprivileged traffic
• Minmax utility: $\max_{Y} \min_{X, Z} g(X, Y, Z)$
System Utility Function
g(X, Y, Z) = f(p) * A * U(r)
• f(p): percentage of new clients that get service
  – Tolerate 4 consecutive packet losses, because delay is less than 8 seconds
  – p: percentage of unprivileged traffic
• A: arrival rate of new clients
• U(r): user-perceived utility
  – r = average download rate
Choosing Utility Function
• Naive/folklore: U1(r) = c * r, c > 0
• Empirical study-based
Empirical Utility Curve
Numerical Simulation
• g(X, Y, Z)
• Adversary optimal strategy:
  – Constraints: X <= N, Z <= N/10
  – X = N and Z = N/10
• Defense: maximize g(N, Y, N/10)
• Example numerical simulation:
  – B = 400,000 pps
  – W = 1,000 packets
  – Average effective bandwidth = 40 pps
  – Attacker sending rate = 1,000 pps
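A toy instantiation of the minmax computation from the Predict Performance, System Utility Function and Numerical Simulation slides, added here as an example and not taken from the paper. B, W, the 40 pps client bandwidth, the 1,000 pps attacker rate and the adversary constraints are the slide's; everything else is assumed and labelled in the code: the legit arrival rate A, the attacker population N, f(p) as "survives unless all 5 attempts are dropped", a bounded-linear U(r), a drop probability p derived from unprivileged demand versus the allocation Y, and a Little's-law split of the privileged bandwidth B - Y between served clients and the Z attackers held to a tenth of a share.

```python
# Toy model of g(X, Y, Z) = f(p) * A * U(r). B, W, R_MAX and ATTACK_RATE are
# the slide's numbers; A, N, the shapes of f and U and the stage model are
# assumptions made for this example.
B = 400_000          # server bandwidth, packets per second
W = 1_000            # packets per client transaction
R_MAX = 40           # average effective bandwidth of one client, pps
ATTACK_RATE = 1_000  # sending rate of one attacker, pps
A = 100              # assumed arrival rate of new legit clients, per second
N = 300              # assumed attacker population (the "severe attack" count)


def f(p: float) -> float:
    """Fraction of new clients served when unprivileged packets are dropped
    with probability p: 4 consecutive losses are tolerated, so a client fails
    only if all 5 attempts are dropped (assumed form)."""
    return 1.0 - p ** 5


def U(r: float) -> float:
    """Assumed bounded-linear utility: the slides' naive c*r up to the
    client's effective bandwidth, then flat."""
    return min(r, R_MAX) / R_MAX


def g(X: int, Y: float, Z: int) -> float:
    """Utility under the toy model; X, Z attackers, Y pps for unprivileged traffic."""
    demand = X * ATTACK_RATE + A          # unprivileged load: spoofed SYN floods + legit first contacts
    p = max(0.0, 1.0 - Y / demand)        # drop probability of unprivileged packets
    served = A * f(p)                     # clients per second reaching the pseudo-IP stage
    # Privileged bandwidth B - Y is shared by DRR. By Little's law the served
    # clients hold served*W/r concurrent sessions at rate r, and each of the
    # Z privileged attackers is held to r/10, so (B - Y) = served*W + Z*r/10.
    leftover = (B - Y) - served * W
    if leftover <= 0:
        return 0.0                        # legit clients cannot finish their transactions
    r = R_MAX if Z == 0 else min(R_MAX, 10.0 * leftover / Z)
    return f(p) * A * U(r)


def minmax_utility(y_step: int = 1_000, x_step: int = 50, z_step: int = 5):
    """max over Y of min over (X, Z) of g on a grid;
    returns (best_Y, worst_X, worst_Z, value)."""
    best = None
    for Y in range(0, B + 1, y_step):
        worst = min(
            ((g(X, Y, Z), X, Z)
             for X in range(0, N + 1, x_step)
             for Z in range(0, N // 10 + 1, z_step)),
            key=lambda t: t[0],
        )
        if best is None or worst[0] > best[3]:
            best = (Y, worst[1], worst[2], worst[0])
    return best


if __name__ == "__main__":
    best_y, worst_x, worst_z, value = minmax_utility()
    print("adversary's worst case on the grid: X=%d Z=%d" % (worst_x, worst_z))
    print("defender's best Y=%d pps, utility %.6f clients/s" % (best_y, value))
    print("no attack at that Y:", g(0, best_y, 0))
```

Under these assumptions the grid search confirms the slide's claim that the adversary's minimizing move is the constraint corner X = N, and it shows the defender's trade-off: Y must nearly cover the unprivileged demand to keep p small, but every packet per second given to the unprivileged stage is taken from the privileged stage that finishes the transactions.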
Numerical Results
Simulation
• Simulate using ns-2
• Goals:
  – Verify that fair scheduling (DRR) works (privileged traffic limitation)
  – Study dynamics (change over time): client bandwidth, page retrieval time, packet drop probability
• Non-goals:
  – Does not verify unprivileged vs privileged dynamics
Simulation Setup
• Topology:
• DRR applied to outgoing bandwidth
• Use HTTP/1.0
• Clients: web-like behavior, 1000 packets
• Loitering threshold Q is 3000 packets
Simulation Scenarios
• Severe attack, light load
• Moderate attack, heavy load
• Severe attack, heavy load
  – Severe attack = 300 attackers
  – Moderate attack = 100 attackers
  – Light load = 25%
  – Heavy load = 75%
Severe Attack, Light Load
Moderate Attack, Heavy Load
Severe Attack, Heavy Load
Conclusion
• Simulation results show DRR works and show dynamics
• Sustains web services under severe attacks
• Practically deployable
• Game theory framework models performance of system
Acknowledgements
• Charts used from original article