SOS: An Architecture For Mitigating DDoS Attacks

Authors: Angelos D. Keromytis, Vishal Misra, Dan Rubenstein.

Published: ACM SIGCOMM 2002

Presenter: Jerome Harrington

Overview

- The main purpose of the paper is to propose a system which can be used to thwart Distributed Denial-of-Service attacks in a proactive manner

What’s a DDoS?

- Focuses on a specific target or targets
- Floods the target(s) with bogus traffic from many hosts, which are likely to be compromised nodes
- Generally quite difficult to defend against

Why so hard to defend?

- A large number of zombie nodes can exhaust the target's resources in a very short amount of time, making quick detection difficult
- Source IP addresses on attack packets are often spoofed, making it impractical or impossible to block traffic by source
- Backtracing to the origin of the attack requires cooperation from many ISPs and is too time-consuming to be effective

What’s the basis for SOS?

- Be proactive, rather than reactive
- Use a distributed, self-healing overlay so that DDoS attacks against the defense system itself have only limited effect
- Eliminate communication “pinch-points”, because they are attractive DDoS targets

SOS High Level Architecture

- Somewhat similar to Tor
- [Figure: Top-Level Schematic]

SOS Architecture Components

- Secure Overlay Access Points (SOAPs)
- Beacons
- Secret Servlets
- Any physical system can contain any combination of these components

SOS Architecture Process

- A SOAP receives traffic from an external source and verifies that the traffic is legitimate, using an arbitrary means of verification
- The SOAP routes the traffic to an easily reachable beacon within the SOS overlay
- The beacon forwards the packet to a secret servlet node, whose identity is known to only a few members of the overlay
- The secret servlet forwards the packet to the target

SOS Architecture Process (continued)

- A filter is placed around the target that only allows traffic from a specific set of secret servlets
- Ideally, the filter sits at the network edge, where high-capacity routers can handle massive amounts of traffic easily
- The needed filtering rules are minimal (an allow-list of servlet addresses) and therefore not resource-intensive

Routing through SOS

- The overlay uses hash-based routing to determine the next hop within the overlay, so that traffic reaches the appropriate beacon and its associated secret servlet(s)
- The authors used Chord (from a 2001 ACM SIGCOMM paper) in their implementation

Experimental Results

- Amazingly effective in experimentation!
- Attacks that target approximately 50% of the nodes in the overlay have about a 1 in 1000 chance of causing an actual Denial-of-Service
- Even better as the overlay scales
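
To make the kind of figure on this slide concrete, here is an added probability model (this example's simplification, not the paper's own analysis or its parameters): an attacker takes down `attacked` nodes chosen at random from an overlay of `n_nodes`, and the target is cut off only if every node holding some role (its SOAPs, its beacons or its secret servlets) is among them. The role sizes `(10, 10, 10)` and the overlay sizes used in the tables are constructed for illustration; the role sets are assumed disjoint, which makes the inclusion-exclusion sum exact.

```python
from itertools import combinations
from math import comb


def p_role_wiped(n_nodes, role_size, attacked):
    """Probability that `attacked` nodes, chosen uniformly at random from an
    overlay of n_nodes, include all role_size nodes holding one role
    (hypergeometric: every node of the role lands in the attacked sample)."""
    if attacked < role_size:
        return 0.0
    return comb(n_nodes - role_size, attacked - role_size) / comb(n_nodes, attacked)


def p_attack_succeeds(n_nodes, role_sizes, attacked):
    """Simplified success model (an assumption of this example, not the paper's
    exact analysis): the target is unreachable when every node of at least one
    role is down. Role sets are assumed disjoint, so the union of several roles
    is itself a role of the summed size and inclusion-exclusion is exact."""
    total = 0.0
    for r in range(1, len(role_sizes) + 1):
        for subset in combinations(role_sizes, r):
            total += (-1) ** (r + 1) * p_role_wiped(n_nodes, sum(subset), attacked)
    return total


def fixed_fraction_table(role_sizes, fraction, sizes=(100, 1000, 10000)):
    """Attacker always takes down the same fraction of the overlay."""
    return {n: p_attack_succeeds(n, role_sizes, int(n * fraction)) for n in sizes}


def fixed_budget_table(role_sizes, attacked, sizes=(100, 1000, 10000)):
    """Attacker can take down a fixed number of nodes, whatever the overlay size."""
    return {n: p_attack_succeeds(n, role_sizes, attacked) for n in sizes}


if __name__ == '__main__':
    roles = (10, 10, 10)  # constructed: 10 SOAPs, 10 beacons, 10 servlets
    print('50% of nodes attacked:', fixed_fraction_table(roles, 0.5))
    print('50 nodes attacked:    ', fixed_budget_table(roles, 50))
```

In this model, with half the overlay attacked, a single role held by k nodes is wiped with probability close to 2^-k, so a success rate of roughly 1 in 1000 corresponds to about 10 nodes per role; the parameters the authors actually used are not given on this page. The two tables separate two readings of "better as the overlay scales": at a fixed attacked fraction the success probability stays near 2^-k however large the overlay, while for an attacker with a fixed number of zombies it falls steeply as nodes are added, because the nodes holding a given role become a smaller share of what the attacker can reach.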

Performance Issues

- The base system takes a considerable performance hit as the system scales up
- A modified system was implemented in which a SOAP does a lookup through the beacon for the address of the secret servlet, caches that location, and forwards traffic directly to the secret servlet
- This leads to a latency hit of around a factor of 2
- If a node is actually taken down, the system can heal itself within 10 seconds

Contributions & Strengths

- An intriguing and effective proactive means of defense against DDoS attacks
- Built on lots of previous work, avoiding “reinventing the wheel”
- Written plainly and succinctly; an easy read

Weaknesses

- Testing was done in a clean-room environment; it would be interesting to see this in the wild
- Trade-off in performance versus security regarding caching the location of secret servlets at the SOAP layer