IRIS: A Robust Information System Against Insider DoS-Attacks · 2015. 7. 29. · IRIS: A Robust Information System Against Insider DoS-Attacks Research Group Theory of Distributed

1 IRIS: A Robust Information System Against Insider DoS-Attacks

IRIS: A Robust Information System Against InsiderDoS-AttacksResearch Group Theory of Distributed Systems

Martina Eikel, Christian Scheideler

Goal of a Denial-of-Service (DoS)-attack: make a machine or network resourceunavailable to its intended users

Example from the real world:

October 21, 2002: DoS-attack on all 13 DNS root name servers

due to data replication, root server lookups were still possible, but significantly delayed

Motivation


Problem: complete data replication in huge storage systems is too inefficient

DoS-resistant storage systems


Scalabe storage systemes: We want to limit the storage overhead to a logarithmic factor.

DoS-resistant storage systems


Scalability: minimize replication of information

Robustness: maximize resources needed by the attacker

Fundamental dilemma


Past Insider:

knows everything about the system until an unknown time t0

can shutdown any constant fraction of the servers (for some specific constant > 0)

can create any legal set of requests

Scheideler et al. presented a storage system with the following capabilities:

Each set of requests for data items that were inserted after t0 can be served correctly(w.h.p.)The system is robust against any DoS-attack, in which at most a constant fraction of theservers is blocked (for a specific constant)

Baruch Awerbuch and Christian ScheidelerA denial-of-service resistant DHTIn: Proceedings of the 21st International Symposium on Distributed Computing (DISC), pp. 33–47,2007.

Matthias Baumgart, Christian Scheideler and Stefan SchmidA DoS-Resilient Information System for Dynamic Data ManagementIn: Proceedings of the 21st ACM Symposium on Parallelism in Algorithms and Architectures (SPAA),pp. 300–309, 2009.

Previous protocols


IRIS: An I nsider R esistant I nformation S ystem

A Denial-of-Service (DoS) insider attacker . . .

. . . knows everything about the system

. . . has the abilitiy to block a specific fraction of the servers

. . . may choose any valid set of lookup requests (one per non-blocked server) to be handledby the systems

IRIS is the first distributed information system with the following capabilities:

it is provably robust against any DoS-attack by a current insider, in which at most a constantfraction of the servers is blocked, i.e. each set of lookup requests for data items is servedcorrectly (w.h.p.)

it requires only a low redundancy (Basic IRIS: constant, Enhanced IRIS: logarithmic)

handling all lookup requests (one per non-blocked server) only takes a polylogarithmicnumber of rounds

Idea of IRIS: use distributed coding strategy to “smear” all data items over all servers

Our new protocol


1 Motivation

2 The IRIS SystemStorage strategyThe Lookup ProtocolAnalysis

3 Conclusion

Overview


n servers that know each other

set of m data items to store in the system

synchronous round model

DoS-attacker enters and inspects the entire system after its setup

attacker chooses an ε-fraction of the servers to be blocked

attacker may select an arbitrary collection of lookup requests(one per non-blocked server)

task of the system: serve all lookup requests correctly and efficiently

Our Model


Given: k data items d1, . . . ,dk ∈ {0,1}z

d1 dk. . .

�

. . .

d1 dk�1. . .

�dk

Example:

d1 = 010d2 = 110d3 = 001d4 = 111⊕

010

d′1 = 0100d′2 = 1101d′3 = 0010

⊕1d′4 = 1111

Assume: Sever that holds d2 is blocked

Goal: Restore d2 using information in d′1,d′3,d′4.

d′1 = 0 1 0 0d′2 =d′3 = 0 0 1 0d′4 = 1 1 1 1

Encoding of data items, k = logn



d1 dk. . .

�

. . .

d1 dk�1. . .

�dk

Example:

d1 = 010d2 = 110d3 = 001d4 = 111⊕

010

d′1 = 0100d′2 = 1101d′3 = 0010

⊕1d′4 = 1111



d′1 = 0 1 0 0d′2 = ? ? ? ?d′3 = 0 0 1 0d′4 = 1 1 1 1




d1 dk. . .

�

. . .

d1 dk�1. . .

�dk

Example:

d1 = 010d2 = 110d3 = 001d4 = 111⊕

010

d′1 = 0100d′2 = 1101d′3 = 0010

⊕1d′4 = 1111



d′1 = 0 1 0 0d′2 = ? ? ? 1d′3 = 0 0 1 0d′4 = 1 1 1 1




d1 dk. . .

�

. . .

d1 dk�1. . .

�dk

Example:

d1 = 010d2 = 110d3 = 001d4 = 111⊕

010

d′1 = 0100d′2 = 1101d′3 = 0010

⊕1d′4 = 1111



d′1 = 0 1 0 0d′2 = ? ? ? 1d′3 = 0 0 1 0d′4 = 1 1 1 1

⊕ 0 1 0




d1 dk. . .

�

. . .

d1 dk�1. . .

�dk

Example:

d1 = 010d2 = 110d3 = 001d4 = 111⊕

010

d′1 = 0100d′2 = 1101d′3 = 0010

⊕1d′4 = 1111



d′1 = 0 1 0 0d′2 = 1 1 0 1d′3 = 0 0 1 0d′4 = 1 1 1 1

⊕ 0 1 0



cut data items into c = Θ(logm) pieces

map data items via c hash functions to the servers

hash functions need to satisfy certain expansion properties

(randomly chosen hash functions satisfy these properties, w.h.p.)

c/4 pieces are sufficient for recovering a data item (e.g. Reed-Solomon Coding)

encode each n-tuple of data items with each other using a k-ary butterfly as underlyingtopology

Initial distribution of the data items in the system


n columns of nodes

logk n+1 levels

n/k disjoint complete bipartite subgraphs between level ` and `+1

k-ary butterfly


For each server introduce logk n+1 (virtual) nodes

Each server is responsible for the nodes in its colum

In the following:

Server: actual/real server that is part of the distributed system

Node: Artificial entities that point to servers

. . .

. . .

. . .

. . .

. . .

. . . logkn

. . .

0

Level

1 Place data items in nodes on level 0.2 Encode data items in k-blocks between level 0 and 1.3 For each level ` encode data item in k-blocks between level ` and `+1

Encoding of n data items over a k-ary butterfly, k = logn


. . .

. . .

. . .

. . .

logkn

. . .

0

Level

Each two levels contain n/k disjoint k-blocks

k-blocks of each two levels form n/k complete k-bipartite graphs

1 Place data items in nodes on level 0.

2 Encode data items in k-blocks between level 0 and 1.

3 For each level ` encode data item in k-blocks between level ` and `+1



. . .

. . .

. . .

. . .

logkn

. . .

0

Level

1 Place data items in nodes on level 0.

2 Encode data items in k-blocks between level 0 and 1.

3 For each level ` encode data item in k-blocks between level ` and `+1



data items are spread over all nodes

encoding easily possible in a distributed fashion

when using Reed-Solomon codes, the IRIS system has a constant redundancy

Storage Strategy Properties


1 Motivation


3 Conclusion

Overview


Divided into three stages:

1 Preprocessing stage

2 Probing stage

3 Decoding stage

The Lookup Protocol


Divided into two stages:

1 Butterfly completion

non-blocked servers determine a unique representative for each blocked server

Result: for each blocked server a unique non-blocked server is determined that will takeover the role of the blocked server⇒ we can route in the k-ary butterfly as if all servers are still non-blockedPossible in O(logn) rounds

2 Decoding depth computation

Preprocessing Stage


1 Butterfly completion X


Goal: For each sub butterfly compute the decoding overhead

Preprocessing Stage





0

1

2

3

Preprocessing Stage





0

1

2

3

butterfly node pointing to a non-blocked server

butterfly node pointing to a blocked server

Preprocessing Stage





0 0 0

1 1 1 1 1 1 1 1 11

0

1

2

3



u := (`,x) butterfly node on level ` incolumn x

Decoding depth dd`(u) of u on level `:

dd`(u)=

0 u not blocked∞ ` last level & u blocked

Preprocessing Stage





0 0 0

1 1 1 1 1 1 1 1 11

1111 1 1

0

1

2

3





dd`(u)=

0 u not blocked∞ ` last level & u blockedmaxv∈C(v){dd`(v)}+1 else

Preprocessing Stage





0 0 0

1 1 1 1 1 1 1 1 11

1111 1 1

2 2 1

30

1

2

3





dd`(u)=


Preprocessing Stage





0 0 0

1 1 1 1 1 1 1 1 11

1111 1 1

2 2 1

30

1

2

3





dd`(u)=


dd(u) = dd0(u)

Preprocessing Stage





0 0 0

1 1 1 1 1 1 1 1 11

1111 1 1

2 2 1

30

1

2

3





dd`(u)=


dd(u) = dd0(u)

BF(u): subbutterfly of depth ` u iscontained in

Preprocessing Stage





0 0 0

1 1 1 1 1 1 1 1 11

1111 1 1

2 2 1

30

1

2

3





dd`(u)=


dd(u) = dd0(u)

BF(u): subbutterfly of depth ` u iscontained in

dd(BF(u)) = maxv∈BF(u) dd(v)

Preprocessing Stage




Lemmadd(BF)> logk n⇔ exists complete depth logk n bintree of blocked nodes in BF

Example:

n = 27,

k = 3,

logk n = 3,

2logk n = 8 | {z }27 servers, 8 blocked

1111 11 11

0 0

0

0001 1 1 1

11

1

Corollary

Less than 2logk n servers blocked⇒ all data items are recoverable

Preprocessing Stage


Three stages:

1 Preprocessing stage X

2 Probing stage

3 Decoding stage

Lookup Protocol Overview


Remember:

Each data item d was splitted into c = Θ(logm) pieces.

The c pieces were stored in the servers responsible for h1(d), . . . ,hc(d).

Using Reed-Solomon codes c/4 pieces are sufficient for recovering d.

There is a unique path from each butterfly node on level logk n to each hi(d).

Probing Stage


Remember:

Each data item d was splitted into c = Θ(logm) pieces.

The c pieces were stored in the servers responsible for h1(d), . . . ,hc(d).

Using Reed-Solomon codes c/4 pieces are sufficient for recovering d.

There is a unique path from each butterfly node on level logk n to each hi(d).

. . . . . .

hi(d)h1(d) hc(d)

. . . . . .

logk n

0

Probing Stage


Idea:

Each server s that received a lookup request for a data item d chooses c non blocked servers

Forward lookup request for d along the c unique paths Pi(d) from to

. . . . . .

hi(d)h1(d) hc(d)

. . . . . .

logk n

0

s1(d) si(d) sc(d)

(s, d)

Probing Stage


Idea:

Each server s that received a lookup request for a data item d chooses c non blocked servers

Forward lookup request for d along the c unique paths Pi(d) from to

. . . . . .

hi(d)h1(d) hc(d)

. . . . . .

logk n

0

Pi(d)

s1(d) si(d) sc(d)

(s, d)

Probing Stage


Lookup forwarding proceeds in O(logk n) rounds

In round r the r-th node of each path Pi(d) determines whether

it received “too many” messages for different lookup requests (node congested)

the decoding depths of its subbutterfly is exceeded (node blocked)

node congested or block⇒ inform origin of lookup request and deactivate requestforwarding along the corresponding path

. . . . . .

hi(d)h1(d) hc(d)

. . . . . .

logk n

0

Pi(d)

s1(d) si(d) sc(d)

(s, d)

Probing Stage


After O(logk n) rounds:each server that received a lookup request knows the number of deactivated requests

computes smallest level ` such that at least c/2 request were active

if `= 0: lookup successful

else: request is said to belong to level ` and further handled in the decoding stage

. . . . . .

hi(d)h1(d) hc(d)

. . . . . .

logk n

0

s1(d) si(d) sc(d)

(s, d)

`

Probing Stage


Three stages:

1 Preprocessing stage X

2 Probing stage X

3 Decoding stage

Lookup Protocol Overview


Goal: Decoding of remaining requests

Proceeds in phases from 0 to logk n

Phase `: Handle requests belonging to level `

Decoding Stage


Phase `:

Divided into Θ(logk n) rounds.

Round 0: Each server s with request for d belonging to level `:

1 Choose set A(d) of c/2 indices from [c] such that the corresponding lookup requests for dwere active in level ` of the probing stage

2 For all i ∈ A(d): initiate spreading of decode(d, i) messages in UT(v)

Remaining Rounds: determine whether “too many” nodes in UT(v) are congested

Decoding Stage


Phase `:






s1(d) si(d) sc(d)

(s, d)

hi(d)h1(d) hc(d)

`

logk n

0

Decoding Stage


Phase `:






v

UT (v)

s1(d) si(d) sc(d)

(s, d)

hi(d)h1(d) hc(d)

`

logk n

0

Decoding Stage


At the end of phase `:

each node on level 0 of UT(v) knows whether a node from BF(v) was congested

v sends this information to s

If ≤ c/4 sub-butterflies are congested: s initiates decoding of c/4 sub-butterfliesIf > c/4 sub-butterflies are congested: lookup for d declared to belong to level `+1

Remember: c/4 pieces are sufficient for recovering d (Reed-Solomon)

UT (v)

BF (v)

v

s1(d) si(d) sc(d)

(s, d)

hi(d)h1(d) hc(d)

`

logk n

0

Decoding Stage



each node on level 0 of UT(v) knows whether a node from BF(v) was congested⇒ v knows whether a node from BF(v) was congestedv sends this information to s⇒ s knows how many of its sub-butterflies are congested

If ≤ c/4 sub-butterflies are congested: s initiates decoding of c/4 sub-butterfliesIf > c/4 sub-butterflies are congested: lookup for d declared to belong to level `+1


UT (v)

BF (v)

v

s1(d) si(d) sc(d)

(s, d)

hi(d)h1(d) hc(d)

`

logk n

0

Decoding Stage



each node on level 0 of UT(v) knows whether a node from BF(v) was congested⇒ v knows whether a node from BF(v) was congestedv sends this information to s⇒ s knows how many of its sub-butterflies are congestedIf ≤ c/4 sub-butterflies are congested: s initiates decoding of c/4 sub-butterfliesIf > c/4 sub-butterflies are congested: lookup for d declared to belong to level `+1


UT (v)

BF (v)

v

s1(d) si(d) sc(d)

(s, d)

hi(d)h1(d) hc(d)

`

logk n

0

Decoding Stage


1 Motivation


3 Conclusion

Overview


LemmaNumber of lookup requests belonging to level r ∈ {0, . . . , logk n} is ≤ ϕn/kr, ϕ = Θ(k).

⇒ ϕ = Θ(k) lookup requests have to be handled in the last phase of the decoding stage.⇒ No node will be congested in the last phase.⇒ All remaining lookup requests served after the last phase.

LemmaThe lookup protocol of IRIS takes at most O(log2 n) communication rounds with at mostO(log3 n) congestion in every round at each node, w.h.p.

Correctness and Efficiency


1 Motivation


3 Conclusion

Overview


What we did:

Development of the first distributed information system that can serve any set of lookuprequests (one per non-blocked node) even under a running insider DoS-attack thatblocks an ε-fraction of the servers efficiently (polylogarithmic time) and correctly.

Basic IRIS

Maximum # of blocked servers 2logk n

Storage Overhead constant

Conclusion


What we did:


Basic IRIS Enhanced IRIS

Maximum # of blocked servers 2logk n εn, ε < 1 arbitrary

Storage Overhead constant logarithmic

Conclusion


What we did:


Basic IRIS Enhanced IRIS

Maximum # of blocked servers 2logk n εn, ε < 1 arbitrary

Storage Overhead constant logarithmic

Main Differences to Basic IRIS:

use coding strategy that can recover from any two blocked servers within a k-block(e.g. coding strategy EVENODD [1])

k-blocks are no longer organized in a k-ary butterfly, but we make use of permutationswith certain expansion properties

[1] Blaum, Brady, Bruck, Menon: “EVENODD: an optimal scheme for tolerating double disk failures in raidarchitectures.” (SIGARCH Comput. Archit. News, 22(2):245–254, April 1994)

Conclusion


Thank you for the attention. Questions?



Martina Eikel, Christian Scheideler

Sonderforschungsbereich 901Universität PaderbornFürstenallee 1133102 Paderborn

http://sfb901.uni-paderborn.de

MotivationThe IRIS SystemStorage strategyThe Lookup ProtocolAnalysis

Conclusion

Documents

IRIS: A Robust Information System Against Insider DoS-Attacks · 2015. 7. 29. · IRIS: A Robust Information System Against Insider DoS-Attacks Research Group Theory of Distributed