Exposing and Eliminating Vulnerabilities to Denial of Service Attacks in Secure Gossip-Based Multicast
Gal Badishi, Idit Keidar, Amir Sasson
Gal Badishi, Faculty of Electrical Engineering, Technion, Drum

Agenda
• The problem
• Overview of gossip-based multicast
• Proposed solution - Drum
• Analysis and simulations
• Implementation and measurements
• More DoS-mitigation techniques
• Conclusions

Denial of Service (DoS)
• Unavailability of service
  – Exhausting resources
• Remote attacks
  – Network level
    • Solutions do not solve all application problems
  – Application level
    • Got little attention
    • Quantitative analysis of impact on application and identification of vulnerabilities needed

Dollar Amount of Losses by Type
[Figure: Dollar Amount of Losses by Type]

Remote Application-Level DoS
[Figure labels: Valid Request, Bogus Request; panels: No Attack, DoS Attack]

Challenges
• Quantify the effect of DoS at the application level
• Expose vulnerabilities
• Find effective DoS-mitigation techniques
  – Prove their usefulness using the found metric

Multicast
• A group of members
• At least one member is a source – generates messages
• Messages should arrive to all of the group members in a timely fashion
• Network level vs. application level (ALM)

Tree-Based Multicast
• Use a spanning tree – most common solution
• No duplicates (optimal BW when network-level)
• Single points of failure
[Figure label: Source]

Gossip-Based Multicast
• Progresses in rounds
• Every round
  – Choose random partners (view)
  – Send or receive messages
  – Discard old msgs from buffer
• Probabilistic reliability
• Uses redundancy to achieve robustness
• Two methods
  – Push
  – Pull

Push
[Figure label: Source]

Pull
[Figure label: Source]

Effects of DoS on Gossip
• Reasonable to assume that source is attacked
• Surprisingly, we show that naïve gossip is vulnerable to DoS attacks
• Attacking a process in pull-based gossip may prevent it from sending messages
• Attacking a process in push-based gossip may prevent it from receiving messages

Drum
• A new gossip-based ALM protocol
• Utilizes DoS-mitigation techniques
  – Using random one-time ports to communicate
  – Combining both push and pull
  – Separating and bounding resources
• Eliminates vulnerabilities to DoS
• Proven robust using formal analysis and quantitative evaluation

Random Ports
• Any request necessitating a reply contains a random port number
  – “Invisible” to the attacker (e.g., encrypted)
• The reply is sent to that random port
• Assumption: attacking other ports does not affect the random port’s queue (i.e., there is no BW exhaustion)

Combining Push and Pull
• Attacking push cannot prevent receiving messages via pull (random ports)
• Attacking pull cannot prevent sending via push
• Each process has some control over the processes it communicates with

Bounding Resources
• Motivation: prevent resource exhaustion
• Each round process a random subset of the arriving messages and discard the rest
• Separate resources for orthogonal operations
[Figure labels: Valid Request, Bogus Request, Round Duration]

Drum’s Push Mechanism
• Alice sends Bob a push-offer
• Bob replies with a digest of messages he has already received
• Alice only sends Bob messages missing from his digest
• Random ports

Evaluation Methodology
• Compare 3 protocols
  – Push (push-based with bounded resources)
  – Pull (pull-based with bounded resources)
  – Drum
• Under various DoS attacks
  – Increasing strength (shows trend under DoS)
  – Fixed strength (exposes vulnerabilities)
• Source is always attacked
• Evaluates combination of Push and Pull
• Separately evaluate the other two techniques

Evaluation Methodology (cont.)
• Measure propagation time – expected number of rounds it takes a message to reach all of the correct processes
  – 99% in the simulations and actual measurements
• Use real implementation to measure actual latency and throughput

Analysis/Simulation Assumptions
• Static group with complete connectivity
• Processes have complete group knowledge
• Propagation of a single message M
  – But simulate situation where all procs have msgs to send
• M is never purged from local buffers
• Rounds are synchronized
• All round operations complete within the same round
• All processes are correct (analysis) or 10% of them perform a DoS attack (simulation)

Validating Known Results
• The propagation time of gossip-based multicast protocols is O(log n) [P87, KSSV00]
[Figure: Expected Propagation Time. x-axis: # processes (log scale); y-axis: # rounds; series: Push, Pull, Drum]

Validating Known Results (cont.)
• The performance of gossip-based multicast protocols degrades gracefully as failures amount [LMM00, GvRB01]
[Figure: Expected Propagation Time, n = 1000. x-axis: % failed processes; y-axis: # rounds; series: Push, Pull, Drum]

Definitions
• n – number of processes in the group
• F – size of view, and max # of requests to process in a round (F = 4)
• – percentage of attacked processes
• x – number of bogus messages an attacked process receives in a round
• B – total attack strength (B = nx)

Analysis – Increasing Strength
• Lemma 1: Fix < 1 and n. Drum’s propagation time is bounded from above by a constant independent of x
• Proof idea
  – Define effective fan-in and effective fan-out
  – Both have an element independent of x
  – When x this element is dominant
  – The effective fans are bounded from below

Analysis – Increasing Strength
• Lemma 2: Fix and n. The propagation time of Push grows at least linearly with x
• Proof idea
  – Assume all non-attacked processes already have the message (and so does the source)
  – Bound the expected number of processes having M at round k from above
  – Find the minimal k in which all processes have M
  – Reaching all attacked processes takes at least a time linear in x

Analysis – Increasing Strength
• Lemma 3: Fix and n. The propagation time of Pull grows at least linearly with x
• Proof idea
  – Denote by p the probability that the source reads a valid pull request in a round
  – # of rounds for M to leave the source is geometrically distributed with p
  – The expectation is 1/p
  – 1/p is at least linear in x
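
The three lemmas can be checked empirically with a small round-based simulation. The Python below is an added example, not code from the talk or from the Drum implementation. It follows the analysis assumptions stated earlier (synchronized rounds, a single message M, source always attacked, 99% coverage); the function names, the parameter name `alpha` for the attacked fraction (its symbol did not survive on this page), and the even split of Drum's fan-out, read budget and bogus load between the push and pull ports are assumptions of this example.

```python
"""Round-based simulation of bounded-resource Push, Pull and Drum under DoS.

Added example: the model, names and the even push/pull split for Drum are
assumptions, not code from the talk or from the Drum implementation.
"""
import random


def partners(rng, n, me, k):
    """Pick k distinct random gossip partners for process `me` (never itself)."""
    return [p if p < me else p + 1 for p in rng.sample(range(n - 1), k)]


def read_bounded(rng, valid, bogus, cap):
    """Bounded resources: read at most `cap` of the messages that reached a
    well-known port this round, chosen uniformly at random; discard the rest.
    Returns the genuine senders whose messages were read."""
    total = len(valid) + bogus
    if not valid or total <= cap:
        return list(valid)
    return [valid[j] for j in rng.sample(range(total), cap) if j < len(valid)]


def run_once(protocol, n, F, alpha, x, rng, max_rounds=1000):
    """Rounds until 99% of the n processes hold message M.

    alpha: fraction of attacked processes (process 0, the source, is always
    one of them); x: bogus messages per attacked process per round.
    """
    if protocol == "push":
        f_push, f_pull, x_push, x_pull = F, 0, x, 0
    elif protocol == "pull":
        f_push, f_pull, x_push, x_pull = 0, F, 0, x
    elif protocol == "drum":   # assumption: fan-out, budget and flood split evenly
        f_push = f_pull = F // 2
        x_push = x_pull = x // 2
    else:
        raise ValueError(protocol)

    attacked = set(range(round(alpha * n)))
    has = [False] * n
    has[0] = True
    need = (99 * n + 99) // 100            # ceil(0.99 * n)

    for rnd in range(1, max_rounds + 1):
        push_in = [[] for _ in range(n)]   # genuine push senders per target
        pull_in = [[] for _ in range(n)]   # genuine pull requesters per target
        for i in range(n):                 # every process gossips every round
            for t in partners(rng, n, i, f_push):
                push_in[t].append(i)
            for t in partners(rng, n, i, f_pull):
                pull_in[t].append(i)

        nxt = list(has)                    # synchronized rounds: decide on old state
        for t in range(n):
            flood = t in attacked
            # Push arrives on t's well-known port and competes with the flood.
            for s in read_bounded(rng, push_in[t], x_push if flood else 0, f_push):
                if has[s]:
                    nxt[t] = True
            # Pull requests compete with the flood too, but each reply goes to the
            # requester's random one-time port, which the flood does not reach.
            if has[t]:
                for r in read_bounded(rng, pull_in[t], x_pull if flood else 0, f_pull):
                    nxt[r] = True
        has = nxt
        if sum(has) >= need:
            return rnd
    return max_rounds


def mean_rounds(protocol, x, n=120, F=4, alpha=0.10, trials=40, seed=2004):
    """Average propagation time over independent trials (fixed seed)."""
    rng = random.Random(seed)
    return sum(run_once(protocol, n, F, alpha, x, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    print("x     push   pull   drum   (mean rounds, n=120, F=4, 10% attacked)")
    for x in (0, 32, 64, 128):
        row = [mean_rounds(p, x) for p in ("push", "pull", "drum")]
        print(f"{x:<5} " + "  ".join(f"{v:5.1f}" for v in row))
```
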

[Figure: Expected Propagation Time, 10% Attacked. x-axis: Attack Rate; y-axis: # rounds; series: Push, Pull and Drum, each for n = 1000 and n = 120]

[Figure: Expected Propagation Time, Rate = 128. x-axis: % attacked processes; y-axis: # rounds; series: Push, Pull and Drum, each for n = 1000 and n = 120]

Analysis – Fixed Strength
• Define c = B/nF (total attack strength divided by total system capacity)
• Lemma 4: For c > 5, Drum’s expected propagation time is monotonically increasing with
• Proof idea
  – Effective fan-in and effective fan-out are monotonically decreasing with

[Figure: Expected Propagation Time, Fixed Strength (c = 10). x-axis: % attacked processes; y-axis: # rounds; series: Push, Pull and Drum, each for n = 120 and n = 500]

Implementation and Measurements
• Multithreaded processes in Java
• Operations are not synchronized
• Rounds are not synchronized among processes
• 50 machines on a 100Mbit LAN (Emulab)
• One process per machine
• 5 processes (10%) perform a DoS attack

Validating the Simulations
• Evaluate the protocols in the same scenarios tested by simulation
• High correlation shows that the simplifying assumptions have little effect on the results

[Figure: Expected Propagation Time, 10% Attacked. x-axis: Attack Rate; y-axis: # rounds; series: Push, Pull and Drum, each as measurements and simulation]

[Figure: Expected Propagation Time, Rate = 128. x-axis: % attacked processes; y-axis: # rounds; series: Push, Pull and Drum, each as measurements and simulation]

High-Throughput Experiments
• Single source
• Creates 40 messages per second
• Round duration = 1 second
• Messages are purged after 10 rounds
• Each process sends at most 80 data messages to another process in a round
• Throughput and latency are measured at the 44 correct receiving processes
Gal BadishiGal Badishi Faculty of Electrical Engineering, TechnionFaculty of Electrical Engineering, Technion Drum (Drum (3838))
0 20 40 60 80 100 120 1405
10
15
20
25
30
35
40
45
Attack Rate
Ave
rag
e T
hro
ug
hp
ut
(msg
s/se
c)
Average Received Throughput, 10% Attacked
DrumPushPull
Gal BadishiGal Badishi Faculty of Electrical Engineering, TechnionFaculty of Electrical Engineering, Technion Drum (Drum (3939))
[Figure: Average Received Throughput, Rate = 128. x-axis: % attacked processes; y-axis: Average Throughput (msgs/sec); series: Drum, Push, Pull]
[Figure: CDF: Average Latency of Received Messages, 40% Attacked, Rate = 128. x-axis: Average Latency (msecs); y-axis: % of Correct Processes; series: Drum, Push, Pull]
Evaluating Random Ports
• Analyze Drum using simulations
• Assume pull-replies are returned to a well-known port
– Different than the port for pull-requests
– Both ports are now being attacked
– Original attack on pull channels is equally divided between these ports
[Figure: Expected Propagation Time, 10% Attacked (of 1000). x-axis: Attack Rate; y-axis: # rounds; series: Drum - Known Ports, Drum - Random Ports]
Evaluating Resource Separation
• Analyze Drum using actual measurements
• Merge all bounds on reception of control messages
– Push-offers, push-replies, pull-requests
– Originally, allow reception of F/2 (= 2) messages/round on each listening control-message port
– Now, allow reception of 3F/2 (= 6) messages/round in total, for all control messages
[Figure: Expected Propagation Time, 10% Attacked (of 50). x-axis: Attack Rate; y-axis: # rounds; series: Drum - Shared Bounds, Drum - Separate Bounds]
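The effect of merging the reception bounds can be modelled in a few lines. This is an added example, not code from the Drum authors or their implementation; it compares how many valid control messages a process accepts per round under separate bounds (F/2 per port) and a shared bound (3F/2 in total). Assumptions made for illustration: F = 4 (from the slide's F/2 = 2), bogus traffic arrives on a single port, two valid messages arrive per channel per round, and the receiver accepts a uniformly random subset of arrivals up to the bound.

```python
import random

F = 4  # fan-out implied by the slide: F/2 = 2 and 3F/2 = 6
CHANNELS = ("push-offer", "push-reply", "pull-request")


def accept(arrivals, bound, rng):
    """Keep at most `bound` of one round's arrivals, chosen uniformly at random."""
    return list(arrivals) if len(arrivals) <= bound else rng.sample(arrivals, bound)


def valid_accepted(policy, attack_rate, rng, valid_per_channel=2,
                   flooded="pull-request"):
    """Valid control messages accepted per channel in one round.

    Assumptions: bogus messages arrive only on the `flooded` port, every
    channel also receives `valid_per_channel` valid messages, and the
    receiver cannot tell the two apart before accepting.
    """
    arrivals = {ch: [(ch, True)] * valid_per_channel for ch in CHANNELS}
    arrivals[flooded] = arrivals[flooded] + [(flooded, False)] * attack_rate
    if policy == "separate":   # F/2 per listening control port
        kept = [m for ch in CHANNELS for m in accept(arrivals[ch], F // 2, rng)]
    elif policy == "shared":   # 3F/2 in total, all control messages pooled
        pooled = [m for ch in CHANNELS for m in arrivals[ch]]
        kept = accept(pooled, 3 * F // 2, rng)
    else:
        raise ValueError(f"unknown policy: {policy}")
    counts = dict.fromkeys(CHANNELS, 0)
    for ch, is_valid in kept:
        counts[ch] += int(is_valid)
    return counts


def mean_valid(policy, attack_rate, rounds=2000, seed=1):
    """Average valid messages accepted per channel per round (seeded, repeatable)."""
    rng = random.Random(seed)
    totals = dict.fromkeys(CHANNELS, 0)
    for _ in range(rounds):
        for ch, n in valid_accepted(policy, attack_rate, rng).items():
            totals[ch] += n
    return {ch: totals[ch] / rounds for ch in CHANNELS}


if __name__ == "__main__":
    for rate in (0, 32, 128):
        for policy in ("separate", "shared"):
            print(rate, policy, mean_valid(policy, rate))
```

With separate bounds the flood only starves the channel it targets; with a shared bound the same flood also crowds valid push-offers and push-replies out of the pooled quota.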
Summary
• Gossip-based protocols are very robust, but…
– naïve gossip-based protocols are vulnerable to targeted DoS attacks
• Drum uses simple techniques to mitigate the effects of DoS attacks
• Evaluations show Drum’s resistance to DoS
• The most effective attack against Drum is a broad one
General Principles
• DoS-mitigation techniques:
– random ports
– neighbor-selection by local choices
– separate resource bounds
• Design goal: eliminate vulnerabilities
– The most effective attack is a broad one
• Analysis and quantitative evaluation of impact of DoS