Document information
Pages: 42
Size: 580 KB
Content:
Exposing and Eliminating Vulnerabilities to Denial of Service Attacks in Secure Gossip-Based Multicast
Prof Mort Anvari, Strayer University at Arlington, VA, August 2004

Agenda
• Overview of gossip-based multicast
• The problem
• Proposed solution
• Analysis and simulations
• Implementation and measurements
• Conclusions

Multicast
• A group of members
• At least one member is a source – generates messages
• Messages should arrive to all of the group members in a timely fashion
• Network level vs application level (ALM)

Tree-Based Multicast
• Use a spanning tree – most common solution
• No duplicates (optimal BW when network level)
• Single points of failure
[Figure: spanning tree rooted at the Source]

Gossip-Based Multicast
• Progresses in rounds
• Every round
 – Choose random partners (view)
 – Send or receive messages
 – Discard old msgs from buffer
• Probabilistic reliability
• Trades latency and BW for redundancy
• Two methods
 – Push
 – Pull

Push
[Figure: push dissemination starting at the Source]

Pull
[Figure: pull dissemination starting at the Source]

Hostility over the Internet
• Forgery/spoofing
• Penetration
• Denial of Service (DoS)

Denial of Service
• Unavailability of service
• Methods
 – Exploiting bugs
 – Exhausting resources
• Remote attacks
 – Network level
 – Application level
• Got little attention
• No quantitative analysis of impact on application

Dollar Amount of Losses by Type
[Figure: chart of dollar losses by attack type]

Analysis – Increasing Strength
• Lemma 3: Fix and n. The propagation time of Pull grows at least linearly with x
• Proof idea –
 – Denote by p the probability that the source reads a valid pull request in a round
 – # of rounds for M to leave the source is geometrically distributed with p
 – The expectation is 1/p
 – 1/p is at least linear in x

[Figure: Expected Propagation Time, = 10%; x-axis x (20 to 140), y-axis # rounds (0 to 30); series Push, Pull and Drum for n = 1000 and n = 120]

[Figure: Expected Propagation Time, x = 128; horizontal axis 10 to 80, y-axis # rounds (10 to 80); series Push, Pull and Drum for n = 1000 and n = 120]

Analysis – Fixed Strength
• Define c = B/nF (total attack strength divided by total system capacity)
• Lemma 4: For c > 5, Drum's expected propagation time is monotonically increasing with
• Proof idea
 – Effective fan-in and effective fan-out are monotonically decreasing with

[Figure: Expected Propagation Time, B = 7.2n (c = 2); horizontal axis 0 to 90, y-axis # rounds (10 to 30); series Push, Pull and Drum for n = 120 and n = 500]

Implementation and Measurements
• Uses the Java programming language
• Multithreaded processes
• Operations are not synchronized
• Rounds are not synchronized among processes
• 50 machines on a 100Mbit LAN (Emulab)
• One process per machine
• 10% of the processes perform a DoS attack

Validating the Simulations
• Evaluate the protocols in the same scenarios tested by simulation
• High correlation shows that the simplifying assumptions have little effect on the results

[Figure: Expected Propagation Time, = 10%, n = 50; x-axis x (20 to 140), y-axis # rounds (0 to 25); Push, Pull and Drum, measurements vs simulation]

[Figure: Expected Propagation Time, x = 128, n = 50; horizontal axis 10 to 80, y-axis # rounds (10 to 80); Push, Pull and Drum, measurements vs simulation]

High-Throughput Experiments
• Single source
• Creates 40 messages (50 bytes long) per second
• Total of 10,000 messages
• Round duration = second
• Messages are purged after 10 rounds
• Each process sends at most 80 data messages to another process in a round
• Throughput and latency are measured at the 44 correct receiving processes

[Figure: Average Received Throughput (msgs/sec), = 10%, n = 50; x-axis x (20 to 140), y-axis 10 to 45; Drum, Push, Pull]

[Figure: Average Received Throughput (msgs/sec), x = 128, n = 50; horizontal axis 0 to 80, y-axis 10 to 45; Drum, Push, Pull]

[Figure: CDF of Average Latency of Received Messages, x = 128, = 40%, n = 50; x-axis Average Latency (msecs) 1000 to 10000, y-axis # of Correct Processes (Normalized) 0.1 to 0.9; Drum, Push, Pull]

Conclusions
• DoS attacks are a real problem
• Gossip-based protocols have no single points of failure
• However, naïve gossip-based protocols are vulnerable to targeted DoS attacks
• Drum uses simple techniques to mitigate the effects of DoS attacks
• Evaluations show Drum's resistance to DoS
• The most effective attack against Drum is a broad one
• General DoS-mitigation techniques: random ports and neighbor-selection
• Analysis and quantitative evaluation techniques may be applicable to other systems as well

...

Application-Level DoS
[Figure: No Attack vs DoS Attack; Valid Request vs Bogus Request]

Effects of DoS on Gossip
• Reasonable to assume that source is attacked...
• Surprisingly, we show that naïve gossip is vulnerable to DoS attacks
• Attacking a process in pull-based gossip may prevent it from sending messages
• Attacking a process in push-based gossip may prevent...

... Pull (pull-based with bounded resources), Drum
• Under various DoS attacks
 – Fixed strength
 – Increasing strength
• Source is always attacked
• Evaluates combination of Push and Pull
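As an added illustration of the Lemma 3 proof idea (this is not code from the slides), the following models a pull-based source with bounded resources: each round it reads at most `capacity` of the pull requests that arrived, chosen uniformly at random, and the attacker adds `bogus` requests per round. The read model, the function names and the sample parameters are assumptions. With one valid request per round and x bogus ones, the rounds until the message leaves the source are Geometric(p), so the mean 1/p grows linearly in x, which the Monte Carlo check confirms.

```python
import math
import random


def p_valid_read(valid, bogus, capacity):
    """Probability that a source reading `capacity` of the valid+bogus
    requests arriving in a round (uniformly, without replacement) reads at
    least one valid request. Assumed read model, not stated on the slides."""
    total = valid + bogus
    if valid <= 0:
        return 0.0
    if capacity >= total or capacity > bogus:
        return 1.0  # cannot pick `capacity` requests that are all bogus
    # P(all chosen are bogus) = C(bogus, capacity) / C(total, capacity)
    all_bogus = math.comb(bogus, capacity) / math.comb(total, capacity)
    return 1.0 - all_bogus


def expected_rounds_to_leave_source(valid, bogus, capacity):
    # Rounds until the first valid request is read ~ Geometric(p), mean 1/p.
    p = p_valid_read(valid, bogus, capacity)
    return math.inf if p == 0 else 1.0 / p


def simulate_rounds_to_leave_source(valid, bogus, capacity, trials=4000, seed=1):
    """Monte Carlo check of the geometric argument (constructed input)."""
    rng = random.Random(seed)
    requests = [True] * valid + [False] * bogus  # True marks a valid request
    total_rounds = 0
    for _ in range(trials):
        rounds = 0
        while True:
            rounds += 1
            chosen = rng.sample(requests, min(capacity, len(requests)))
            if any(chosen):  # a valid pull request was read this round
                break
        total_rounds += rounds
    return total_rounds / trials


def growth_table(valid, capacity, bogus_values):
    """Expected rounds as the attack strength x (bogus requests) grows."""
    return [(x, expected_rounds_to_leave_source(valid, x, capacity))
            for x in bogus_values]


if __name__ == "__main__":
    for x, rounds in growth_table(valid=1, capacity=2, bogus_values=[0, 7, 15, 31]):
        print(f"x = {x:3d} bogus requests/round -> {rounds:.1f} expected rounds")
```

With capacity 2 and one valid request the table gives (x + 1) / 2 rounds, i.e. the propagation delay at the source alone is already linear in the attack strength.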