Evaluation of the Impact of DoS Attacks on System Performances

1. Introduction

According to the security analysis of Chapter II.G and Chapter III.G, it is not possible for a malicious user observing the system and analysing all the exchanged discovery messages to build a software attack in order to corrupt the correct behaviour of a service discovery system. Software attacks usually relies on a partial or total knowledge of the message parameters like the service profile, the WSDL file, or the requested attributes in order to exploit these information for an illegal use. For instance accessing a WSDL file provides information about the service access functions and their parameters, with the possibility to detect holes in the service like buffer overflow risks. The unique attack that remains to the malicious user is the brute force DoS attack that consists in sending huge amounts of fake messages to the servers (or the clients) in order to force them to spend useless CPU time while processing bogus requests specially for a computing intensive operation based on cryptographic algorithms like the one implemented in the decentralized secure solution. DoS attacks persistently emulate several sources by either setting bogus source addresses in requests generated by a single intruder, or by having recourse to several sources as distributed intruders. The first approach used by DoS prevention methods consists of screening requests with bogus source identification. A second approach to DoS prevention consists in challenging the attacker with an anti-clogging mechanism[WAN03] in order to first add a processing cost to the requester (if the attacks are generated from a single source) and verify the validity of the requester (if the attacks are generated from distributed zombies machines).

In this section we present two DoS attack models for centralized and decentralised service discovery that analyses the performance impact of brute force DoS attacks on such discovery systems.

2. Attack Model

As detailed in the previous section, the attacks are limited to a brute force DoS attacks that consist of injecting fake messages on the system in order to perturb its normal behaviour. We compare two strategies: the first one we suppose that anti-clogging mechanisms are not activated and we measure the performance parameters of an increasing fake request rate, the second one we add a delay due to the anti-clogging mechanism also by increasing the fake request rate. The bogus traffic is modelled with an additional traffic class with a rate attack

melt to the clean one. This malicious traffic enters the system like other traffic, until the authentication phase in which all the corrupted messages will be dropped from the system. We try with this comparison to observe in which conditions the anti-clogging mechanism will be efficient in terms of performance measurements.

In the decentralized model (Figure 60) the corrupted traffic goes through all the available services before being dropped from the system.

Figure 60: Attack Model for a Decentralized Architecture

The new traffic request rate generated by the attacker will impact on the global traffic request rate to be treated by the system and also on the positive matching probability of the requests. In the last section the matching provability q1 as detailed in section Chapter V.E depends on

the vocabulary size, the number of services, and the number of attributes related to the requested services but not on the request traffic rate. This is no more accurate with the addition of the new malicious traffic that will be automatically rejected during the matching process as described in Figure 59 and Figure 60 for this reason the matching probability that we note qattack is dependent on the probability q1 and the proportion of clean traffic compared

to the whole traffic:

attack attack

q

q 1

Equation 14

3. Impact of a DoS Attack for a Protected and non Protected System

In order to study the impact of such DoS brute force attack we fixed the clean request traffic rate to 8 for both models. The processing time values are kept as the same as used in section Chapter V.G.1 for a non protected system, the number of servers and the buffer size (in the centralized model) are fixed to 5 with a vocabulary size of 10 and q1 is equal to 0.5. We vary

the attack rate attack from 0.5 to 40 and finally we observe the variation of the rejection rate,

the sojourn time and the success matching probability of a request. The use of anti-clogging mechanism like puzzle auction[WAN03] introduces an overhead for the request processing at the entry of the system estimated by Wang et al. [WAN03] to 4.6 ms that added to the processing time at the entry of the system.

We compare the performance parameters obtained for a protected system that uses an anti- clogging mechanism with those obtained with a non protected system.

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0 5 10 15 20 25 30 35 40 Rej ec ti on Ra te Attack Rate Rejection Rate Decentralized-Attack Centralized-Attack Decentralized-Clean Centralized-Clean

Figure 61 : Rejection rate

Figure 61 shows the impact of the malicious traffic on the rejection rate at the entry of the system that raises with the raise of the amount of corrupted requests.

0.05 0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45 0 5 10 15 20 25 30 35 40 A v er ag e S o jo ur n Ti m e Attack Rate Average Sojourn Time

Decentralized-Attack Centralized-Attack Decentralized-Clean Centralized-Clean

Figure 62: Total sojourn time of a request in the system

Figure 62 shows the impact of a DoS attack on the total sojourn time of a request in the system. We notice for the decentralized model that the sojourn time decreases when the attack rate increases and this is due to life time of a corrupted request that is less important than a life time of a clean request. The more there is fake requests on the system the more theses packets are rejected from the system after the authentication and the less the sojourn time is important. Concerning the centralized model when the malicious traffic is not important (less than 18) the sojourn time of the clean model is low, but when the malicious traffic raises, the number of fake requests rejected during the authentication raises and the growth of the average sojourn time slows down. This is the reason why the curves related to the centralised model intersect for a rate value equal to 18.

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 0 5 10 15 20 25 30 35 40 Ma tch ing R ate Attack Rate

Request Matching Success Rate

Decentralized-Attack Centralized-Attack Decentralized-Clean Centralized-Clean

Figure 63 : Request successful matching probabilities

Figure 63 describes the variation of the successful matching probabilities for all the requests generated in the system. We notice that the impact of a DoS attack critically affects the matching probability with a difference of more than 22% between the different models. This is due to the impact of the corrupted traffic on the reject rate and on the matching probability described in above.

4. Summary

Adding a new traffic class representing corrupted request messages to the service discovery performance model enable us to predict the performance degradation of the system in case of DoS attack leaded against the service discovery system. The performance model presented in this thesis takes also into account the overhead generated by the deployment of anti-clogging mechanisms to counter DoS attacks.

I. Conclusion

In this chapter we introduced two analytical models to assess the impact of security mechanisms used in both centralized and decentralized secure service discovery architectures. This is the first such analytical study of this problem to our knowledge. Results provided by our Markovian models are extremely important to determine whether a centralized or decentralized strategy should be used to deploy services. They make it possible to undertake a systematic study of the robustness, efficiency, resource consumption, availability, message size, or acceptance rate in a SOA architecture, these performance parameters being easily computed thanks to the analytic approach. An important issue of this performance model was to extend the modelling tool in order to assess the impact of DoS attacks that could be addressed against the service discovery system. This extension permits to analyse the behaviour of the system in case of attacks and estimate the performance overhead generated if any anti-clogging mechanism is added to the system to counter these attacks.