Page 1: Mayday: Distributed Filtering for Internet Services David G. Andersen MIT Laboratory for Computer Science also WebSOS: Protecting Web Servers From DDoS.

Mayday: Distributed Filtering for Internet Services
David G. Andersen
MIT Laboratory for Computer Science

also

WebSOS: Protecting Web Servers From DDoS Attacks
Debra L. Cook, William G. Morein, Angelos D. Keromytis, Vishal Misra and Daniel Rubenstein
Columbia University, New York City, NY

Presented by Stephen Karg
November 21, 2005

Page 2

The Problem

Both papers address DDoS link-congestion or flooding attacks on web servers.
Backscatter analysis suggests hundreds of these attacks take place every day.
Attackers identify network pinch points and flood them with traffic.
Filtering of unauthorized traffic is needed, but where?
Just pushing the bottleneck away to a traditional firewall or uplink router only displaces the problem.
Many different solutions have been proposed.

Page 3

Other Solutions

Trace-back and filtering, often network-wide solutions.
Both papers argue that such methods have their flaws:
• Have not been implemented in the real world because they require too much global participation.
• Hesitance to adopt due to false-positive potential (algorithms often heuristic).
• Too slow to react (require router table updates etc.).
• Too much router state required (end-to-end protocol?).
• Even if traceback is successful, it is difficult to enforce filtering at the source (uncooperative ISPs, foreign countries, politics, etc.).

Page 4

SOS: Secure Overlay Services

Combines overlay networking with content-based routing and aggressive packet filtering.
Approach has two primary goals:
1. Eliminate communication pinch-points.
2. Obscure identity of target servers.
Idea is to distribute filtering and push it away from the target.
Preferably an agile, self-healing network.

Page 5

Mayday vs. WebSOS

WebSOS:
• Paper presents a working prototype to defend against blind DDoS attacks (admittedly, the most common).
• Cryptographic authentication and transport (SSL, HTTPS).
• Weak on potential attack analysis, lacks customization.

Mayday:
• Generalizes the idea (no implementation).
• Assesses potential counter-attacks.
• Analyses protocol options based on security/cost tradeoff.
• Explores lightweight authentication methods.

Page 6

Basic Architecture

Filter ring of routers around host. Talks to egress nodes only.
Distributed set of overlay nodes:
• Ingress nodes talk to clients.
• Egress nodes talk to server.
• Intermediary router nodes also.
Can add additional layers of indirection.
WebSOS: beacon nodes. Adds some more security, scalability and of course latency.
Ideally, a single node can perform any of these functions.
Redundant, self-healing, and more agile (randomized).

Page 7

General Algorithm

1. Client requests access to server through ingress nodes. Client authentication here.
2. Valid requests forwarded by ingress node to applicable egress node.
3. May hop downstream via intermediary nodes.
4. Egress node has proper authenticator, forwards request through filter ring.

• If not in secure mode, no filter ring authentication required, so any ingress node has access (Mayday).
• Mayday discusses rapid, pre-configured mode-switching methods with little to no interruption of service (TCP Migrate). *Also applies to changes in overlay node configuration.

Page 8

Performance

WebSOS uses cryptographic authentication - more of a high-security model. Significant increases in latency.

Page 9

Lightweight Authenticators*

Used by Mayday to validate communication between overlay nodes and server (through Filter Ring).
Mayday considers more high-performance, low-security commercial needs and explores cheaper alternatives.
Proposes tokens that can be filtered by commodity routers at line speed (i.e. header data).
Try to avoid anything requiring the router to maintain state (ACLs) or perform complex operations (database lookup, crypto, etc.).

* a.k.a. Filter Keys

Page 10

Authentication Tokens

• Egress Source Address
• Server Destination Port
• Server Destination Address
  If netblock used by server (e.g. 192.168.0.0/24):
  Advantage: Rapid filter changing using standard routing mechanisms. Better key freshness. Easily switchable between normal and secure mode.
  Disadvantage: Lots of wasted IP space.
• Other header fields.

* Above can be combined for larger key space.

Page 11

Overlay Routing

Choice of overlay routing can greatly reduce and/or obfuscate access to egress nodes.
Choice of lightweight authenticator affects this decision.
Combine authenticator and routing scheme depending on security/speed tradeoff desired.
Defines the following categories.

Page 12

Overlay Routing (listed from speed to security)

Proximity Routing: Akin to normal overlay protocol, shortest hop. Every ingress node is an egress node, so IPs are no mystery. Defends against blind DoS attack only.
Single-Indirect Routing: Basic ingress → egress algorithm given earlier.
Doubly-Indirect Routing (extra hop): Ingress → Beacon → Egress (WebSOS). Only a subset of ingress nodes know who the egress nodes are.
Random Routing: Message propagated randomly until intended node reached. O(N) and generally inferior to below.
Mix Routing: Encrypted tunnels between nodes, each only knows the next hop. Can add cover traffic to obfuscate pathway analysis. Extra hops, very secure, very slow.

Page 13

Adversaries

In considering potential attacks, Mayday identifies the following types of adversaries (listed from weaker to stronger):
1. Client eavesdropper: can view traffic between overlay nodes and clients only, not within.
2. Legitimate Client Attacker: authorized to use service or in control of authorized client.
3. Random/Targeted Eavesdropper: can monitor traffic between one or more random/targeted overlay nodes (but not all).
4. Random/Targeted Compromise Attacker: can compromise one or more random/targeted nodes (but not all).

Page 14

Recommended Combinations

Mayday author identifies some ideal pairings for certain speed/security needs:
1. High Performance: Proximity routing with any authenticator except source address. Vulnerable to Random Eavesdropper.
2. Moderate Performance, Eavesdropper-Resistant: Singly-indirect routing with any authenticator other than source address. Resistance to random eavesdropper and random compromise, because the authentication key is known by a smaller number of nodes.
3. SOS: Claims the doubly-indirect model provides equivalent security to single-indirect but at the cost of an additional hop.

Page 15

Recommended Combinations (continued)

4. Agility: Single-indirect routing with destination-address authenticator. Can use fast router updates (not manual configuration) to change the authenticator, allowing for better randomness and resistance to adaptive key space attacks. Can add destination port to increase key space.
5. Maximum Security: Mix-style routing with destination-based authentication (as above). Highly adaptive, highly randomized. Resistance against targeted compromise attacker (e.g. with 3-hop Tarzan routing, attacker must compromise 24 nodes to reach egress node).

Page 16

Attacks and Defenses

Lightweight authentication has its vulnerabilities.
Assumed Environment:

Page 17

Probing Attack

Vulnerable to simple port scanning. Target server will reply to any packet with the lightweight authenticator.
Trivial to scan 65K destination ports* or 256 addresses in a /24 netblock.
Counter-Measure: add secondary key and filter at server firewall.
This has its own counter-attack (Firewalking), and counter-counter-measures (ICMP blocking at filter ring).

* ~11 seconds on 100 Mbps ethernet (in 2002)

Page 18

Indirect Probing

If source port authenticator used, can use tools such as Nmap to infer which hosts are reaching the server.
Technique depends on low or predictable traffic.
Next-hop scanning is another variant on this (when there are internal routers).
A 1000 pps attacker (top 30% seen) can discover the destination port key in ~5 min.

Page 19

Adaptive Flooding

Needs substantial DDoS resources. Attack with multiple spoofed authenticators concurrently.
If service slows down, the attacker knows which half of the key space is getting through.
Gives attacker binary-search progression through key space, O(log N).
Victim on a T1 line using source-IP authentication only can be compromised by a major attack* in under 8 rounds.
Counter-measure: You guessed it, bigger keys. Will dilute attack traffic.
Key agility is also a very beneficial reactive measure if under attack.

* Capable of mounting 10,000 pps attack (top 5% seen).
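As an added illustration (not code from either paper or from the presenter) of the header-based filter keys on the Authentication Tokens slide and of the key-space argument behind adaptive flooding, a small Python model of a filter ring follows; the netblock, port numbers and packets are constructed values.

```python
# Added example (not from the Mayday or WebSOS papers): a toy model of a
# filter ring that admits packets by lightweight header authenticators,
# plus a sizing helper for the adaptive-flooding binary-search argument.
# Field names, the netblock and the sample packets are constructed.
from dataclasses import dataclass
from math import ceil, log2
from typing import Optional
import ipaddress

@dataclass(frozen=True)
class Packet:
    src: str      # source address as seen by the filter ring
    dst: str      # destination address inside the server's netblock
    dport: int    # destination port

@dataclass(frozen=True)
class FilterKey:
    """A lightweight authenticator: any subset of header fields."""
    egress_src: Optional[str] = None   # egress node's source address
    dst_addr: Optional[str] = None     # one address out of the netblock
    dst_port: Optional[int] = None     # the port the server really listens on

class FilterRing:
    def __init__(self, netblock: str, secure: bool = False,
                 key: FilterKey = FilterKey()):
        self.netblock = ipaddress.ip_network(netblock)
        self.secure = secure   # normal mode: any ingress node reaches the server
        self.key = key

    def admits(self, pkt: Packet) -> bool:
        """Stateless per-packet check, as a commodity router ACL would do it."""
        if ipaddress.ip_address(pkt.dst) not in self.netblock:
            return False
        if not self.secure:
            return True
        k = self.key
        if k.egress_src is not None and pkt.src != k.egress_src:
            return False
        if k.dst_addr is not None and pkt.dst != k.dst_addr:
            return False
        if k.dst_port is not None and pkt.dport != k.dst_port:
            return False
        return True

    def rotate(self, new_key: FilterKey) -> None:
        """Key agility: swap the authenticator (a fast route/ACL update)."""
        self.key = new_key

    def key_space(self) -> int:
        """Distinct authenticators an attacker would have to search.
        Combining fields multiplies the space ('combined for larger key space')."""
        n = 1
        if self.key.egress_src is not None:
            n *= 2 ** 32
        if self.key.dst_addr is not None:
            n *= self.netblock.num_addresses
        if self.key.dst_port is not None:
            n *= 2 ** 16
        return n

    def adaptive_flood_rounds(self) -> int:
        """Halving rounds a binary-search flooder needs: ceil(log2(key space))."""
        return ceil(log2(self.key_space()))
```

A /24 destination-address key alone gives 8 halving rounds; adding the destination port raises that to 24, which is the dilution the "bigger keys" counter-measure relies on.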

Page 20

Other Attacks

Timing Attack
Latency analysis of requests to various overlay nodes could be used to determine the identity of egress nodes (fast reply).
Will only work in a weaker configuration that allows some ingress nodes to also act as egress nodes (Proximity routing).
Counter-measure is to require the egress node to forward any direct request to another egress node.

Compromised Overlay Nodes
Doubly-Indirect provides some protection, but may only delay the attack if a common node flaw is being exploited.
Can use reverse adaptive flooding attack to zero in on the compromised node by partitioning the key space.

Page 21

Conclusions

Author feels a Mayday-type system could be practically deployed because it uses existing technology:
• Overlay network routing
• Line-speed filtering
Can implement at ISP level and share centralized resources, amortizing cost over many customers.
Both papers agree this is more realistic than global solutions.
High-security systems add lots of latency during a DoS attack, but better than no service at all, right?
Lots of room for improvement though.
