Exposing and Eliminating Vulnerabilities to Denial of Service Attacks in Secure Gossip-Based Multicast Gal Badishi, Idit Keidar, Amir Sasson

Agenda The problem Overview of gossip-based multicast Proposed solution - Drum Analysis and simulations Implementation and measurements More DoS-mitigation techniques Conclusions

The problem

Overview of gossip-based multicast

Proposed solution - Drum

Analysis and simulations

Implementation and measurements

More DoS-mitigation techniques

Conclusions

Denial of Service (DoS) Unavailability of service Exhausting resources Remote attacks Network level Solutions do not solve all application problems Application level Got little attention Quantitative analysis of impact on application and identification of vulnerabilities needed

Unavailability of service

Exhausting resources

Remote attacks

Network level

Solutions do not solve all application problems

Application level

Got little attention

Quantitative analysis of impact on application and identification of vulnerabilities needed

Dollar Amount of Losses by Type

Remote Application-Level DoS No Attack DoS Attack Valid Request Bogus Request

Challenges Quantify the effect of DoS at the application level Expose vulnerabilities Find effective DoS-mitigation techniques Prove their usefulness using the found metric

Quantify the effect of DoS at the application level

Expose vulnerabilities

Find effective DoS-mitigation techniques

Prove their usefulness using the found metric

Multicast A group of members At least one member is a source – generates messages Messages should arrive to all of the group members in a timely fashion Network level vs. application level (ALM)

A group of members

At least one member is a source – generates messages

Messages should arrive to all of the group members in a timely fashion

Network level vs. application level (ALM)

Tree-Based Multicast Use a spanning tree – most common solution No duplicates (optimal BW when network-level) Single points of failure Source

Use a spanning tree – most common solution

No duplicates (optimal BW when network-level)

Single points of failure

Gossip-Based Multicast Progresses in rounds Every round Choose random partners ( view ) Send or receive messages Discard old msgs from buffer Probabilistic reliability Uses redundancy to achieve robustness Two methods Push Pull

Progresses in rounds

Every round

Choose random partners ( view )

Send or receive messages

Discard old msgs from buffer

Probabilistic reliability

Uses redundancy to achieve robustness

Two methods

Push

Pull

Push Source

Pull Source

Effects of DoS on Gossip Reasonable to assume that source is attacked Surprisingly, we show that naïve gossip is vulnerable to DoS attacks Attacking a process in pull-based gossip may prevent it from sending messages Attacking a process in push-based gossip may prevent it from receiving messages

Reasonable to assume that source is attacked

Surprisingly, we show that naïve gossip is vulnerable to DoS attacks

Attacking a process in pull-based gossip may prevent it from sending messages

Attacking a process in push-based gossip may prevent it from receiving messages

Drum A new gossip-based ALM protocol Utilizes DoS-mitigation techniques Using random one-time ports to communicate Combining both push and pull Separating and bounding resources Eliminates vulnerabilities to DoS Proven robust using formal analysis and quantitative evaluation

A new gossip-based ALM protocol

Utilizes DoS-mitigation techniques

Using random one-time ports to communicate

Combining both push and pull

Separating and bounding resources

Eliminates vulnerabilities to DoS

Proven robust using formal analysis and quantitative evaluation

Random Ports Any request necessitating a reply contains a random port number “Invisible” to the attacker (e.g., encrypted) The reply is sent to that random port Assumption: attacking other ports does not affect the random port’s queue (i.e., there is no BW exhaustion)

Any request necessitating a reply contains a random port number

“Invisible” to the attacker (e.g., encrypted)

The reply is sent to that random port

Assumption: attacking other ports does not affect the random port’s queue (i.e., there is no BW exhaustion)

Combining Push and Pull Attacking push cannot prevent receiving messages via pull (random ports) Attacking pull cannot prevent sending via push Each process has some control over the processes it communicates with

Attacking push cannot prevent receiving messages via pull (random ports)

Attacking pull cannot prevent sending via push

Each process has some control over the processes it communicates with

Bounding Resources Motivation: prevent resource exhaustion Each round process a random subset of the arriving messages and discard the rest Separate resources for orthogonal operations Valid Request Bogus Request Round Duration

Motivation: prevent resource exhaustion

Each round process a random subset of the arriving messages and discard the rest

Separate resources for orthogonal operations

Drum’s Push Mechanism Alice sends Bob a push-offer Bob replies with a digest of messages he has already received Alice only sends Bob messages missing from his digest Random ports

Alice sends Bob a push-offer

Bob replies with a digest of messages he has already received

Alice only sends Bob messages missing from his digest

Random ports

Evaluation Methodology Compare 3 protocols Push (push-based with bounded resources) Pull (pull-based with bounded resources) Drum Under various DoS attacks Increasing strength (shows trend under DoS) Fixed strength (exposes vulnerabilities) Source is always attacked Evaluates combination of Push and Pull Separately evaluate the other two techniques

Compare 3 protocols

Push (push-based with bounded resources)

Pull (pull-based with bounded resources)

Drum

Under various DoS attacks

Increasing strength (shows trend under DoS)

Fixed strength (exposes vulnerabilities)

Source is always attacked

Evaluates combination of Push and Pull

Separately evaluate the other two techniques

Evaluation Methodology (cont.) Measure propagation time – expected number of rounds it takes a message to reach all of the correct processes 99% in the simulations and actual measurements Use real implementation to measure actual latency and throughput

Measure propagation time – expected number of rounds it takes a message to reach all of the correct processes

99% in the simulations and actual measurements

Use real implementation to measure actual latency and throughput

Analysis/Simulation Assumptions Static group with complete connectivity Processes have complete group knowledge Propagation of a single message M But simulate situation where all procs have msgs to send M is never purged from local buffers Rounds are synchronized All round operations complete within the same round All processes are correct (analysis) or 10% of them perform a DoS attack (simulation)

Static group with complete connectivity

Processes have complete group knowledge

Propagation of a single message M

But simulate situation where all procs have msgs to send

M is never purged from local buffers

Rounds are synchronized

All round operations complete within the same round

All processes are correct (analysis) or 10% of them perform a DoS attack (simulation)

Validating Known Results The propagation time of gossip-based multicast protocols is O(log n) [P87, KSSV00]

The propagation time of gossip-based multicast protocols is O(log n) [P87, KSSV00]

Validating Known Results (cont.) The performance of gossip-based multicast protocols degrades gracefully as failures amount [LMM00, GvRB01]

The performance of gossip-based multicast protocols degrades gracefully as failures amount [LMM00, GvRB01]

Definitions n – number of processes in the group F – size of view , and max # of requests to process in a round ( F = 4 )  – percentage of attacked processes x – number of bogus messages an attacked process receives in a round B – total attack strength ( B =  nx )

n – number of processes in the group

F – size of view , and max # of requests to process in a round ( F = 4 )

 – percentage of attacked processes

x – number of bogus messages an attacked process receives in a round

B – total attack strength ( B =  nx )

Analysis – Increasing Strength Lemma 1: Fix  < 1 and n . Drum’s propagation time is bounded from above by a constant independent of x Proof idea Define effective fan-in and effective fan-out Both have an element independent of x When x   this element is dominant The effective fans are bounded from below

Lemma 1: Fix  < 1 and n . Drum’s propagation time is bounded from above by a constant independent of x

Proof idea

Define effective fan-in and effective fan-out

Both have an element independent of x

When x   this element is dominant

The effective fans are bounded from below

Analysis – Increasing Strength Lemma 2: Fix  and n . The propagation time of Push grows at least linearly with x Proof idea Assume all non-attacked processes already have the message (and so does the source) Bound the expected number of processes having M at round k from above Find the minimal k in which all processes have M Reaching all attacked processes takes at least a time linear in x

Lemma 2: Fix  and n . The propagation time of Push grows at least linearly with x

Proof idea

Assume all non-attacked processes already have the message (and so does the source)

Bound the expected number of processes having M at round k from above

Find the minimal k in which all processes have M

Reaching all attacked processes takes at least a time linear in x

Analysis – Increasing Strength Lemma 3: Fix  and n . The propagation time of Pull grows at least linearly with x Proof idea Denote by p the probability that the source reads a valid pull request in a round # of rounds for M to leave the source is geometrically distributed with p The expectation is 1/p 1/p is at least linear in x

Lemma 3: Fix  and n . The propagation time of Pull grows at least linearly with x

Proof idea

Denote by p the probability that the source reads a valid pull request in a round

# of rounds for M to leave the source is geometrically distributed with p

The expectation is 1/p

1/p is at least linear in x

Analysis – Fixed Strength Define c = B/nF (total attack strength divided by total system capacity) Lemma 4: For c > 5, Drum’s expected propagation time is monotonically increasing with  Proof idea Effective fan-in and effective fan-out are monotonically decreasing with 

Define c = B/nF (total attack strength divided by total system capacity)

Lemma 4: For c > 5, Drum’s expected propagation time is monotonically increasing with 

Proof idea

Effective fan-in and effective fan-out are monotonically decreasing with 

Implementation and Measurements Multithreaded processes in Java Operations are not synchronized Rounds are not synchronized among processes 50 machines on a 100Mbit LAN (Emulab) One process per machine 5 processes (10%) perform a DoS attack

Multithreaded processes in Java

Operations are not synchronized

Rounds are not synchronized among processes

50 machines on a 100Mbit LAN (Emulab)

One process per machine

5 processes (10%) perform a DoS attack

Validating the Simulations Evaluate the protocols in the same scenarios tested by simulation High correlation shows that the simplifying assumptions have little effect on the results

Evaluate the protocols in the same scenarios tested by simulation

High correlation shows that the simplifying assumptions have little effect on the results

High-Throughput Experiments Single source Creates 40 messages per second Round duration = 1 second Messages are purged after 10 rounds Each process sends at most 80 data messages to another process in a round Throughput and latency are measured at the 44 correct receiving processes

Single source

Creates 40 messages per second

Round duration = 1 second

Messages are purged after 10 rounds

Each process sends at most 80 data messages to another process in a round

Throughput and latency are measured at the 44 correct receiving processes

Evaluating Random Ports Analyze Drum using simulations Assume pull-replies are returned to a well-known port Different than the port for pull-requests Both ports are now being attacked Original attack on pull channels is equally divided between these ports

Analyze Drum using simulations

Assume pull-replies are returned to a well-known port

Different than the port for pull-requests

Both ports are now being attacked

Original attack on pull channels is equally divided between these ports

Evaluating Resource Separation Analyze Drum using actual measurements Merge all bounds on reception of control messages Push-offers, push-replies, pull-requests Originally, allow reception of F/2 (= 2) messages/round on each listening control msgs port Now, allow reception of 3F/2 (= 6) messages/round in total, for all control messages

Analyze Drum using actual measurements

Merge all bounds on reception of control messages

Push-offers, push-replies, pull-requests

Originally, allow reception of F/2 (= 2) messages/round on each listening control msgs port

Now, allow reception of 3F/2 (= 6) messages/round in total, for all control messages

Summary Gossip-based protocols are very robust, but… naïve gossip-based protocols are vulnerable to targeted DoS attacks Drum uses simple techniques to mitigate the effects of DoS attacks Evaluations show Drum’s resistance to DoS The most effective attack against Drum is a broad one

Gossip-based protocols are very robust, but…

naïve gossip-based protocols are vulnerable to targeted DoS attacks

Drum uses simple techniques to mitigate the effects of DoS attacks

Evaluations show Drum’s resistance to DoS

The most effective attack against Drum is a broad one

General Principles DoS-mitigation techniques: random ports neighbor-selection by local choices separate resource bounds Design goal: eliminate vulnerabilities The most effective attack is a broad one Analysis and quantitative evaluation of impact of DoS

DoS-mitigation techniques:

random ports

neighbor-selection by local choices

separate resource bounds

Design goal: eliminate vulnerabilities

The most effective attack is a broad one

Analysis and quantitative evaluation of impact of DoS

The End