Denial-of-Service Flooding Detection in Anonymity Networks

Jens Oberender, Melanie Volkamer, Hermann de Meer
Computer Networks & Communications Group, Institute for IT-Security and Security Law, University of Passau, Germany

Performance Measurement and Management for Two-Level Optimization of Networks and Peer-to-Peer Applications (GR/S69009/01)
Network of Excellence: Design and Engineering of the Future Generation Internet (IST-028022)

MonAM 2007, LAAS-CNRS, Toulouse, France, 5 November 2007

Page 2: Denial-of-Service Flooding Detection in Anonymity Networks

jens.oberender@uni-passau.de

Attacks in Anonymity Networks

Chaum's Mixer: a sender remains anonymous if an adversary obtains no evidence on the sender's identity.

How to protect receivers from anonymous flooding attacks?

1. Enable traffic flow detection → DoS attack detection
2. Prevent anonymity breach → protect sender identity → Message Tagging

20.04.23 DoS Flooding Detection in Anonymity Networks 2

[Figure: Sender → Anonymity Network → Gateway → Receiver, with the DoS detection engine placed at the Access Control Entity; attacks are shown against the Application, Transport, Network and Data Link layers]

Page 3: Denial-of-Service Flooding Detection in Anonymity Networks


Linkability Continuum

Two messages are linkable by an adversary if evidence on their relation can be provided.

Pseudonyms (−): the adversary links all messages → malicious profiling
Unobservability (+): an observer cannot link any messages together
Limited Linkability: a restricted number of messages is linkable → enables traffic flow clustering


[Figure: message linkability axis scaled by # messages per profile, from None (1 message) to Lifelong; Limited linkability lies in between]

Page 4: Denial-of-Service Flooding Detection in Anonymity Networks

Attacker Model

Security Objectives
1. Limited linkability
2. Linkability resistant to malicious influence

Privacy Adversary
• Aim: disclose sender anonymity
• Observes incoming tags
• Colludes with other DoS engines

Message Flooding Attacker
• Aim: Denial-of-Service
• Exhausts victim resources

[Figure: DoS mitigation. The privacy adversary faces the Access Control Entity; the flooding attacker sends through the Anonymity Network to the Access Control Entity; the Access Control Entity sits in front of the Receiver]

Assumptions
• The anonymity network is unbroken
• The Access Control Entity is trusted by sender and receivers

Page 5: Denial-of-Service Flooding Detection in Anonymity Networks


Message Tagging

Fast, local traffic flow cluster criteria: a hash of characteristic strings (key derivation function).
Tag values computed under a fresh salt are not comparable with earlier ones → linkability control.

Tag properties
• Sender → differentiates senders
• Receiver → disables cross-server profiling
• Time frame → disables lifelong linkability


h(Sender, …): tag(X → R) ≠ tag(Y → R)

h(…, Receiver, …): tag(X → R1) ≠ tag(X → R2)
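The tag construction and the three properties listed on this slide, as an added example that is not code from the slides or from the authors' system: the slides only say the tag is a hash of characteristic strings obtained with a key derivation function and a salt, so the concrete HMAC-SHA256 layout, the field encoding, the names SenderX/SenderY/ReceiverR/ReceiverS and the salt values are assumptions made here.

```python
import hashlib
import hmac


# Assumed tag construction (the slides specify only "a hash of characteristic
# strings" via a key derivation function with a salt): HMAC-SHA256 over the
# length-prefixed fields Sender, Receiver and TimeFrame, keyed with `salt`.
def message_tag(salt: bytes, sender: str, receiver: str, time_frame: int) -> str:
    """Return h(Sender, Receiver, TimeFrame) under `salt` as a hex string.

    Messages that share all three values get the same tag, which is what lets
    a DoS engine cluster them; changing any one value yields an unrelated tag.
    """
    fields = (sender.encode(), receiver.encode(), time_frame.to_bytes(8, "big"))
    # Length-prefix every field so "ab"|"c" and "a"|"bc" cannot collide.
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(salt, data, hashlib.sha256).hexdigest()


def tag_properties() -> dict:
    """Check each property the slide lists; every value should be True."""
    salt = b"constructed-salt-epoch-1"        # constructed values, not from the slides
    fresh_salt = b"constructed-salt-epoch-2"
    x_r_1 = message_tag(salt, "SenderX", "ReceiverR", 1)
    return {
        # Same sender, receiver and time frame: linkable, so the flow can be clustered.
        "same_flow_linkable": message_tag(salt, "SenderX", "ReceiverR", 1) == x_r_1,
        # Sender property: tag(X -> R) != tag(Y -> R) differentiates senders.
        "differentiates_senders": message_tag(salt, "SenderY", "ReceiverR", 1) != x_r_1,
        # Receiver property: tag(X -> R1) != tag(X -> R2) disables cross-server profiling.
        "no_cross_server_profiling": message_tag(salt, "SenderX", "ReceiverS", 1) != x_r_1,
        # Time-frame property: the next frame gives an unrelated tag (no lifelong linkability).
        "no_lifelong_linkability": message_tag(salt, "SenderX", "ReceiverR", 2) != x_r_1,
        # Fresh salt: tags from another salt epoch are not comparable with the old ones.
        "fresh_salt_not_comparable": message_tag(fresh_salt, "SenderX", "ReceiverR", 1) != x_r_1,
    }


if __name__ == "__main__":
    for name, holds in tag_properties().items():
        print(f"{name}: {holds}")
```

The salt is what keeps the tag from being a plain hash: with an unkeyed hash, anyone who can guess the (sender, receiver, frame) triple could recompute the tag and confirm a sender, so in this construction the salt stays with the trusted Access Control Entity and is rotated to cut linkability across epochs.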

Page 6: Denial-of-Service Flooding Detection in Anonymity Networks


[Figure: DoS detection engine at the Access Control Entity beside the ingress and egress mixers; a malicious ingress mixer colludes with the adversary]

Internal vs. External Tags

Anonymity attack using external tags: a malicious ingress mixer colludes with the adversary to learn anonymous paths.
Proposed internal message tagging: tags reside within the encrypted channel.


Tag: h(SenderX, Receiver, Δt)

Page 7: Denial-of-Service Flooding Detection in Anonymity Networks


Clustering of Anonymous Traffic Flows

Anonymous messages: header data is stripped off, so application-level analysis is needed.
Message tags enable flow clustering.
Clusters of [Sender, Δt] at the engine: detection frames cluster partial message flows → arrival rate


[Figure: message tags h(SenderX, Receiver, Δt) plotted over time; successive detection frames of width Δt at the Access Control Entity; the DoS detection engine distinguishes a flooding burst from regular use]
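Detection frames and per-tag arrival rates over a stream of tagged messages, as an added example that is not the authors' code: the engine sees only opaque tags, so the tags, the frame width Δt, the rate threshold and the sample message stream below are all constructed values, and the threshold rule is an assumption of this example rather than the slides' detection criterion.

```python
from collections import Counter, defaultdict

DELTA_T = 10.0      # detection-frame width in seconds (assumed value)
FLOOD_RATE = 1.0    # messages/second per tag above which a cluster is flagged (assumed)


def frame_of(arrival_time: float, delta_t: float = DELTA_T) -> int:
    """Index of the detection frame an arrival time falls into."""
    return int(arrival_time // delta_t)


def cluster_by_frame(events, delta_t: float = DELTA_T) -> dict:
    """Cluster partial flows: events are (arrival_time, tag) pairs as the engine
    receives them; returns {frame: Counter({tag: messages})}."""
    frames = defaultdict(Counter)
    for arrival_time, tag in events:
        frames[frame_of(arrival_time, delta_t)][tag] += 1
    return frames


def arrival_rates(frames: dict, delta_t: float = DELTA_T) -> dict:
    """Arrival rate (messages/second) of every partial flow, keyed by (frame, tag)."""
    return {(frame, tag): n / delta_t
            for frame, counts in frames.items() for tag, n in counts.items()}


def flagged_clusters(events, delta_t: float = DELTA_T, flood_rate: float = FLOOD_RATE) -> set:
    """(frame, tag) clusters whose arrival rate exceeds the flooding threshold.
    Only the tag is reported: the sender's identity is never reconstructed."""
    rates = arrival_rates(cluster_by_frame(events, delta_t), delta_t)
    return {key for key, rate in rates.items() if rate > flood_rate}


def sample_events() -> list:
    """Constructed stream: two regular senders plus one flooding sender."""
    events = []
    for i in range(5):                       # regular use, one message every ~4 s
        events.append((i * 4.0, "tag-X"))
        events.append((i * 4.0 + 2.0, "tag-Y"))
    for i in range(25):                      # flooding burst inside frame 1 (10 s .. 20 s)
        events.append((10.0 + i * 0.4, "tag-Z"))
    return events


if __name__ == "__main__":
    for key, rate in sorted(arrival_rates(cluster_by_frame(sample_events())).items()):
        print(key, f"{rate:.2f} msg/s")
    print("flagged:", flagged_clusters(sample_events()))
```

Because a tag is only stable for one time frame, a single frame's counter is the largest unit the engine can reason about; that is the bound on linkability the slides call the detection frame, and it is also why a flooder spreading messages across frames would still show up frame by frame if each frame's count exceeds the threshold.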

Page 8: Denial-of-Service Flooding Detection in Anonymity Networks


Clustering of time-based Tags


Page 9: Denial-of-Service Flooding Detection in Anonymity Networks


Scalability Issues

Clock skew in distributed systems: its misuse degrades linkability.
Instead, the Access Control Entity counts messages per sender, and the logarithm of that count affects the tag.


Traffic flow classification: arrival rate per message tag → activity profiling

[Figure: DoS detection engine at the edge of the Anonymity Network in front of the Receiver, keeping per-sender counters (SenderX, SenderY); message tags plotted over time with count buckets 2⁰, 2¹, 2², 2³; flooding vs. regular use]
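Counter-based tags, as an added example that is not from the slides or the authors' system: the slide says the Access Control Entity counts messages per sender and that a logarithm of the count affects the tag, and the figure shows buckets 2⁰ to 2³, so this example assumes the tag is h(Sender, Receiver, ⌊log₂ count⌋); the HMAC-SHA256 layout, the salt and the sender names are assumptions as well.

```python
import hashlib
import hmac


def count_bucket(n: int) -> int:
    """floor(log2(n)) for the n-th message of a sender (n >= 1).

    Messages 1 | 2,3 | 4..7 | 8..15 | ... fall into buckets 0, 1, 2, 3, ...,
    so every bucket holds twice as many messages as the one before it.
    """
    if n < 1:
        raise ValueError("per-sender message counter starts at 1")
    return n.bit_length() - 1


def counter_tag(salt: bytes, sender: str, receiver: str, n: int) -> str:
    """Assumed layout h(Sender, Receiver, floor(log2(count))) under `salt`.
    No clock enters the tag, so clock skew between entities cannot affect it."""
    fields = (sender.encode(), receiver.encode(), count_bucket(n).to_bytes(4, "big"))
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)   # length-prefixed fields
    return hmac.new(salt, data, hashlib.sha256).hexdigest()


def linkable_group_sizes(salt: bytes, sender: str, receiver: str, total: int) -> list:
    """Tag messages 1..total of one sender and return the sizes of the runs of
    consecutive messages that share a tag, i.e. what a DoS engine can link."""
    sizes, last = [], None
    for n in range(1, total + 1):
        tag = counter_tag(salt, sender, receiver, n)
        if tag == last:
            sizes[-1] += 1
        else:
            sizes.append(1)
            last = tag
    return sizes


def ace_tags(salt: bytes, messages) -> list:
    """Access Control Entity view: `messages` is a sequence of (sender, receiver);
    each message is tagged with the sender's own running counter."""
    counters = {}
    tags = []
    for sender, receiver in messages:
        counters[sender] = counters.get(sender, 0) + 1
        tags.append(counter_tag(salt, sender, receiver, counters[sender]))
    return tags


if __name__ == "__main__":
    salt = b"constructed-salt"   # constructed value
    print("linkable runs for 20 messages:", linkable_group_sizes(salt, "SenderX", "ReceiverR", 20))
```

The geometric bucket sizes give the trade-off the deck describes: a sender who has sent n messages has at most the last 2^⌊log₂ n⌋ of them linkable under one tag, so linkability grows with message volume, while a flooder's current bucket is large enough for the arrival rate per tag to stand out.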

Page 10: Denial-of-Service Flooding Detection in Anonymity Networks


Sender Linkability

• Scales with message volume
• Depends on the arrival rate towards each receiver
• Message tag collisions
• Flow splitting increases linkability

Incentive mechanism: strategic players' goal is to maximize privacy, so inoffensive communication is encouraged.


[Figure: offset flooding. An attacker targets Access Control Entity 1 and Entity 2; message tags plotted over time; the DoS detection engine must distinguish malicious senders from malfunctioning applications]

Page 11: Denial-of-Service Flooding Detection in Anonymity Networks


Multiple Sender Identities

Equivalent to DDoS: no defense against attacks from different sender identities, but…

Example: botnets
• Anonymity for the attacker only
• Proxy functionality
• Yet these don't spy
• SMTP authentication

Anonymity networks
• No need to operate a botnet
• Anonymous attacks using a real identity
• Hard to detect without add-ons
• Benefit the privacy of the broad public!


Page 12: Denial-of-Service Flooding Detection in Anonymity Networks


Conclusions

Partial traffic flows → ability to detect anonymous DoS flooding attacks; state-of-the-art detection techniques remain applicable.
Sender anonymity maintained → sender privacy: defense against cross-server profiling; only a restricted amount of messages is linkable.
Arrival rate ↔ linkability



Jens Oberender <[email protected]>