Mayday: Distributed Filtering for Internet Services David G. Andersen MIT Laboratory for Computer Sc - PowerPoint PPT Presentation

1
Mayday: Distributed Filtering for Internet Services
David G. Andersen, MIT Laboratory for Computer Science
also
WebSOS: Protecting Web Servers From DDoS Attacks
Debra L. Cook, William G. Morein, Angelos D. Keromytis, Vishal Misra and
Daniel Rubenstein, Columbia University, New York City, NY
  • Presented by Stephen Karg
  • November 21, 2005

2
The Problem
  • Both papers address DDoS link-congestion or
    flooding attacks on web servers.
  • Backscatter analysis suggests hundreds of these
    attacks take place every day.
  • Attackers identify network pinch points and flood
    them with traffic.
  • Filtering of unauthorized traffic needed, but
    where?
  • Just pushing the bottleneck back to a traditional
    firewall or uplink router only displaces the
    problem.
  • Many different solutions proposed.

3
Other Solutions
  • Trace-back and filtering, often network-wide
    solutions.
  • Both papers argue that such methods have their
    flaws:
  • Have not been implemented in real world because
    they require too much global participation.
  • Hesitance to adopt due to false-positive
    potential (algorithms often heuristic).
  • Too slow to react (require router table updates
    etc.)
  • Too much router state required (end-to-end
    protocol?).
  • Even if traceback successful, difficult to
    enforce filtering at source (uncooperative ISPs,
    foreign countries, politics, etc.)

4
SOS: Secure Overlay Services
  • Combines overlay networking with content-based
    routing and aggressive packet filtering.
  • Approach has two primary goals:
  • Eliminate communication pinch-points.
  • Obscure identity of target servers.
  • Idea is to distribute filtering and push it away
    from the target.
  • Preferably an agile, self-healing network.

5
Mayday vs. WebSOS
  • WebSOS:
  • Paper presents a working prototype to defend
    against blind DDoS attacks (admittedly, the most
    common).
  • Cryptographic authentication and transport
    (SSL, HTTPS).
  • Weak on potential attack analysis, lacks
    customization.
  • Mayday:
  • Generalizes the idea (no implementation).
  • Assesses potential counter-attacks.
  • Analyses protocol options based on security/cost
    tradeoff.
  • Explores lightweight authentication methods.

6
Basic Architecture
  • Filter ring of routers around the host.
  • Talks to egress nodes only.
  • Distributed set of overlay nodes:
  • Ingress nodes talk to clients.
  • Egress nodes talk to the server.
  • Intermediary routing nodes as well.
  • Can add additional layers of indirection.
  • WebSOS beacon nodes.
  • Adds some more security and scalability, and of
    course latency.
  • Ideally, a single node can perform any of these
    functions.
  • Redundant, self-healing, and more agile
    (randomized).

7
General Algorithm
  • Client requests access to server through ingress
    nodes.
  • Client authentication here.
  • Valid requests forwarded by ingress node to
    applicable egress node.
  • May hop downstream via intermediary nodes.
  • Egress node has proper authenticator, forwards
    request through filter ring.
  • If not in secure mode, no filter ring
    authentication required, so any ingress node has
    access (Mayday).
  • Mayday discusses rapid, pre-configured
    mode-switching methods with little to no
    interruption of service (TCP Migrate). Also
    applies to changes in overlay node configuration.

8
Performance
WebSOS uses cryptographic authentication, more of
a high-security model. Significant increases in
latency.

9
Lightweight Authenticators
  • Used by Mayday to validate communication between
    overlay nodes and server (through Filter Ring).
  • Mayday considers high-performance, lower-security
    commercial needs and explores cheaper
    alternatives.
  • Proposes tokens that can be filtered by commodity
    routers at line-speed (i.e. header data).
  • Try to avoid anything requiring router to
    maintain state (ACLs) or perform complex
    operations (database lookup, crypto, etc.)
  • a.k.a. Filter Keys

10
Authentication Tokens
  • Egress source address
  • Server destination port
  • Server destination address
  • If a netblock is used by the server (e.g.
    192.168.0.0/24):
  • Advantage: rapid filter changing using standard
    routing mechanisms.
  • Better key freshness.
  • Easily switchable between normal and secure mode.
  • Disadvantage: lots of wasted IP space.
  • Other header fields.
  • The above can be combined for a larger key space.
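The ingress/egress flow of the General Algorithm slide and the header-field filter keys listed above, as an added Python model that is not code from the Mayday or WebSOS papers: the ring admits packets purely on source address, destination address and destination port (no per-flow state), the server firewall checks a secondary key the ring never inspects, and `rekey()` models key agility by moving the accepted address and port within the server's netblock. Node names, the documentation-range addresses, the ports, the `secondary_key` and the `demo()` scenario are all constructed for this example.

```python
"""Toy model of a Mayday-style overlay in front of a filter ring that admits
packets on lightweight, header-only authenticators ("filter keys").
Added illustration, not code from the Mayday or WebSOS papers; node names,
addresses, ports and the key layout are constructed."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
import random


@dataclass(frozen=True)
class Packet:
    src: str            # source address as seen by the ring
    dst: str            # destination address inside the server's netblock
    dport: int          # destination port
    secondary: int = 0  # secondary key, checked only by the server firewall


@dataclass(frozen=True)
class FilterKey:
    # Only fields a commodity router can match at line speed, no per-flow state.
    egress_sources: frozenset  # accepted source addresses; empty = source not a key
    dst: str                   # the one address in the netblock currently accepted
    dport: int                 # the one destination port currently accepted


class FilterRing:
    """Stateless ring: admit a packet iff its header matches the current key.
    secure_mode=False is Mayday's normal mode: no ring authentication at all."""

    def __init__(self, netblock: str, key: FilterKey, secure_mode: bool = True):
        self.netblock = ip_network(netblock)
        self.key = key
        self.secure_mode = secure_mode

    def admits(self, pkt: Packet) -> bool:
        if ip_address(pkt.dst) not in self.netblock:
            return False  # not addressed to the protected block
        if not self.secure_mode:
            return True
        k = self.key
        if k.egress_sources and pkt.src not in k.egress_sources:
            return False
        return pkt.dst == k.dst and pkt.dport == k.dport

    def key_space(self) -> int:
        # (dst, dport) combinations: the space an outsider would have to search.
        return self.netblock.num_addresses * 65536

    def rekey(self, rng: random.Random) -> FilterKey:
        """Key agility: fresh address in the block and fresh port (a routing/ACL update)."""
        hosts = list(self.netblock.hosts())
        new = self.key
        while new.dst == self.key.dst and new.dport == self.key.dport:
            new = replace(self.key, dst=str(rng.choice(hosts)),
                          dport=rng.randrange(1024, 65536))
        self.key = new
        return new


class Overlay:
    """Single-indirect routing: client -> ingress -> egress -> ring -> server.
    Only egress nodes (and the ring) hold the current filter key."""

    def __init__(self, ingress, egress, ring, authorized_clients, secondary_key):
        self.ingress = set(ingress)         # nodes that admit clients
        self.egress = dict(egress)          # node name -> address the ring sees as src
        self.ring = ring
        self.authorized = set(authorized_clients)
        self.secondary_key = secondary_key  # shared by egress nodes and the firewall

    def request(self, client: str, via: str) -> str:
        # Carry one client request through the overlay; report where it ended up.
        if via not in self.ingress or client not in self.authorized:
            return "rejected-at-ingress"    # client authentication happens at ingress
        names = sorted(self.egress)
        src = self.egress[names[sum(map(ord, client)) % len(names)]]
        k = self.ring.key                   # the egress node knows the current key
        return self.inject(Packet(src, k.dst, k.dport, self.secondary_key))

    def inject(self, pkt: Packet) -> str:
        # Any packet reaching the ring, from an egress node or from an outsider.
        if not self.ring.admits(pkt):
            return "dropped-at-ring"
        if pkt.secondary != self.secondary_key:
            return "dropped-at-firewall"    # the secondary key the ring never inspects
        return "delivered"


def demo() -> dict:
    """Constructed scenario; returns the outcome of each packet."""
    egress = {"e1": "198.51.100.11", "e2": "198.51.100.12"}
    key = FilterKey(frozenset(egress.values()), "203.0.113.37", 4431)
    ring = FilterRing("203.0.113.0/24", key)
    net = Overlay(["i1", "i2"], egress, ring, ["alice"], secondary_key=0xC0FFEE)
    good = 0xC0FFEE
    r = {"authorized": net.request("alice", "i1"),
         "unauthorized": net.request("mallory", "i1"),
         "spoofed_src": net.inject(Packet("192.0.2.9", key.dst, key.dport, good)),
         "wrong_port": net.inject(Packet("198.51.100.11", key.dst, 80, good)),
         "no_secondary": net.inject(Packet("198.51.100.11", key.dst, key.dport)),
         "key_space": ring.key_space()}
    stale = Packet("198.51.100.11", key.dst, key.dport, good)
    ring.rekey(random.Random(7))
    r["stale_after_rekey"] = net.inject(stale)
    r["authorized_after_rekey"] = net.request("alice", "i2")
    ring.secure_mode = False                # normal mode: the ring stops authenticating
    r["normal_mode_outsider"] = net.inject(
        Packet("192.0.2.9", ring.key.dst, ring.key.dport, good))
    return r
```

Running `demo()` returns one outcome per packet: the authorized client is delivered, the outsider who guessed the destination key is dropped at the ring because its source is not an egress node, a packet that passes the ring without the secondary key is dropped at the firewall, the stale key is dead immediately after `rekey()`, and in normal mode the ring admits the outsider, which is exactly the exposure the secure mode exists to close.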

11
Overlay Routing
  • Choice of overlay routing can greatly reduce
    and/or obfuscate access to egress nodes.
  • Choice of lightweight authenticator affects this
    decision.
  • Combine authenticator and routing scheme
    depending on security/speed tradeoff desired.
  • Defines the following categories.

12
Overlay Routing
(Categories listed from fastest to most secure.)
  • Proximity Routing
  • Akin to a normal overlay protocol, shortest hop.
    Every ingress node is also an egress node, so the
    egress IPs are no mystery.
  • Defends against blind DoS attacks only.
  • Single-Indirect Routing
  • Basic ingress → egress algorithm given earlier.
  • Doubly-Indirect Routing (extra hop)
  • Ingress → Beacon → Egress (WebSOS).
  • Only a subset of ingress nodes know who the egress
    nodes are.
  • Random Routing
  • Message propagated randomly until the intended node
    is reached.
  • O(N) and generally inferior to mix routing.
  • Mix Routing
  • Encrypted tunnels between nodes; each node knows
    only the next hop.
  • Can add cover traffic to obfuscate pathway
    analysis.
  • Extra hops, very secure, very slow.

13
Adversaries
  • In considering potential attacks, Mayday
    identifies the following types of adversaries
    (listed from weaker to stronger):
  • Client eavesdropper: can view traffic between
    overlay nodes and clients only, not within the
    overlay.
  • Legitimate client attacker: authorized to use the
    service, or in control of an authorized client.
  • Random/targeted eavesdropper: can monitor traffic
    between one or more random/targeted overlay nodes
    (but not all).
  • Random/targeted compromise attacker: can
    compromise one or more random/targeted nodes (but
    not all).

14
Recommended Combinations
  • Mayday author identifies some ideal pairings for
    certain speed/security needs:
  • High Performance: proximity routing with any
    authenticator except source address.
  • Vulnerable to random eavesdropper.
  • Moderate Performance, Eavesdropper-Resistant:
    single-indirect routing with any authenticator
    other than source address.
  • Resistant to random eavesdropper and random
    compromise, because the authentication key is
    known by a smaller number of nodes.
  • SOS claim: the doubly-indirect model provides
    security equivalent to single-indirect, but at the
    cost of an additional hop.

15
Recommended Combinations
  • Agility: single-indirect routing with
    dest.-address authenticator.
  • Can use fast router updates (not manual
    configuration) to change the authenticator,
    allowing for better randomness and resistance to
    adaptive key-space attacks.
  • Can add dest.-port to increase the key space.
  • Maximum Security: mix-style routing with
    destination-based authentication (as above).
  • Highly adaptive, highly randomized.
  • Resistant against targeted compromise attacker
    (e.g. with 3-hop Tarzan routing, the attacker must
    compromise 24 nodes to reach an egress node).

16
Attacks and Defenses
  • Lightweight authentication has its
    vulnerabilities.
  • Assumed Environment

17
Probing Attack
  • Vulnerable to simple port scanning.
  • Target server will reply to any packet carrying
    the lightweight authenticator.
  • Trivial to scan 65K destination ports or 256
    addresses in a /24 netblock: 11 seconds on 100 Mbps
    Ethernet (in 2002).
  • Counter-measure: add a secondary key and filter at
    the server firewall.
  • This has its own counter-attack (firewalking),
    and counter-counter-measures (ICMP blocking at the
    filter ring).

18
Indirect Probing
  • If the source-port authenticator is used, tools
    such as Nmap can be used to infer which hosts are
    reaching the server.
  • Technique depends on low or predictable traffic.
  • Next-hop scanning is another variant of this (when
    there are internal routers).
  • A 1000 pps attacker (top 30 seen) can discover the
    dest.-port key in 5 min.

19
Adaptive Flooding
  • Needs substantial DDoS resources. Attack with
    multiple spoofed authenticators concurrently.
  • If the service slows down, the attacker knows which
    half of the key space is getting through.
  • Gives the attacker a binary-search progression
    through the key space, O(log N).
  • Victim on a T1 line using source-IP authentication
    only can be compromised by a major attack in under
    8 rounds.
  • Counter-measure:
  • You guessed it, bigger keys. Will dilute attack
    traffic.
  • Key agility is also a very beneficial reactive
    measure if under attack.
  • Major attacker here: capable of mounting a 10,000
    pps attack (top 5 seen).

20
Other Attacks
  • Timing Attack
  • Latency analysis of requests to various overlay
    nodes could be used to determine the identity of
    egress nodes (fast reply).
  • Will only work in a weaker configuration that
    allows some ingress nodes to also act as egress
    nodes (proximity routing).
  • Counter-measure is to require an egress node to
    forward any direct request to another egress
    node.
  • Compromised Overlay Nodes
  • Doubly-indirect routing provides some protection,
    but may only delay the attack if a common node flaw
    is being exploited.
  • Can use a reverse adaptive-flooding attack to zero
    in on a compromised node by partitioning the key
    space.
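The timing attack and its counter-measure from the slide above, as an added Python latency model that is not code from either paper: `reply_ms()` gives the round trip a client observes when it asks a given overlay node to fetch from the server, with and without egress nodes relaying every direct request through another egress node, and `timing_leak()` is the defender's self-check of which nodes would still stand out by a fast reply. Node names, the egress set, the link latencies and the 40 ms "fast reply" threshold are constructed for the example.

```python
"""Toy latency model of the timing attack on a Mayday-style overlay and of the
counter-measure in which an egress node forwards any direct request on to
another egress node.  Added illustration, not code from the Mayday or WebSOS
papers; node names and link latencies are constructed."""

NODES = ["n1", "n2", "n3", "n4", "n5", "n6"]
EGRESS = {"n2", "n5"}                 # the egress identities that timing could leak
RING_MS = {"n1": 12, "n2": 11, "n3": 14, "n4": 13, "n5": 12, "n6": 15}  # node -> ring, one way
OVERLAY_HOP_MS = 20                   # constructed one-way cost of one overlay hop
FAST_REPLY_MS = 40                    # constructed round trip below which a reply looks direct


def next_egress(node: str) -> str:
    """Deterministic choice of an egress node other than `node`."""
    return next(e for e in sorted(EGRESS) if e != node)


def reply_ms(node: str, forward_direct: bool) -> int:
    """Round trip a client sees when it asks `node` to fetch from the server.
    forward_direct=True is the counter-measure: an egress node never serves a
    direct request itself but relays it through another egress node, so its
    replies carry the same extra overlay hop as everyone else's."""
    if node in EGRESS and not forward_direct:
        return 2 * RING_MS[node]                      # one hop: egress -> ring
    egress = next_egress(node)                        # extra overlay hop first
    return 2 * (OVERLAY_HOP_MS + RING_MS[egress])


def timing_leak(forward_direct: bool) -> set:
    """Defender's self-check: the nodes an outside observer could flag as egress
    purely from a fast reply.  An empty set means timing reveals nothing."""
    return {n for n in NODES if reply_ms(n, forward_direct) < FAST_REPLY_MS}
```

With the constructed latencies, `timing_leak(False)` returns exactly the egress set (replies of 22 and 24 ms against roughly 62 ms for everyone else), while `timing_leak(True)` is empty because every reply now includes an overlay hop; the cost of the counter-measure is that egress nodes lose their one-hop advantage for direct clients, which is the latency-for-secrecy tradeoff the slides keep returning to.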

21
Conclusions
  • Author feels a Mayday-type system could be
    practically deployed because it uses existing
    technology:
  • Overlay network routing
  • Line-speed filtering
  • Can be implemented at the ISP level, sharing
    centralized resources and amortizing cost over
    many customers.
  • Both papers agree this is more realistic than
    global solutions.
  • High-security systems add lots of latency during a
    DoS attack, but better than no service at all,
    right?
  • Lots of room for improvement though.